Are We Losing the Cybersecurity War - Cyber Crime Prevention

February 8, 2021

The Cyber Rants Podcast

Episode 15 - Are we Losing the Cyber War?

Are we losing the cybersecurity war? What does winning look like? Where does the U.S. stand on a global spectrum of cybercrime prevention? This week the guys discuss these alarming yet valid concerns.

Pick up your copy of Cyber Rants on Amazon.
Looking to take your Cyber Security to the next level? Visit us at www.silentsector.com.
Be sure to rate the podcast, leave us a review, and subscribe!

welcome to the cyber rants podcast where we're all about sharing the forbidden secrets and slightly

embellished truths about corporate cyber security programs we're ranting we're raving and we're

telling you the stuff that nobody talks about on their fancy website and trade show giveaways

all to protect you from cyber security criminals and now here's your hosts mike rotondo

zach fuller and lauro chavez hello and welcome to the cyber rants podcast this is your co-host zach

fuller joined by lauro chavez and mike rotondo and this is an interesting episode today before

we dive into it into this topic that i am particularly excited to talk about let's

kick off with the news mike good morning and uh welcome to podcast in 2021 these are your

headlines for the week uh brought to you today from the slap and scratching in mobile alabama

mobile the place to be uh a new software supply chain attack targeted millions with spyware

um there's another one that's peggy backing onto solarwinds so enjoy it's hitting uh androids pcs

macs it's based on a android emulator enjoy google discloses a severe flaw in widely used lib

lib gcrypt encryption library that's a hard one to say it's a heat buffer overflow that will go ahead

and decrypt your data wordpress pop-up builder plug-in flaw plagues 200 000 sites so there's

another wordpress issue out there definitely tell you to look into it if you have a wordpress site

um malicious actors reserving their cyber cyber attacks for the hospitality industry um

so what they're doing is they're hitting the cyber industry or the hospitality industry

with cyber attacks stealing gas data um and this is becoming a bigger problem because

more people are going to biometrics or faster ways to check in so there's less interaction with

staff it's more electronic so when you lose your room key there's a way around that and now that

stuff is being that that chain is being broken i love this one malicious script steals credit

card info stolen by other hackers yep they are piggybacking on other hackers work to do steal

credit cards that they're already stealing on their own so it's um

hackers being hacked by the hackers to steal credit cards no honor between these people

no not at all no honor between thieves or pirates i guess oh i guess not it's crazy

linux malware backdoor super computers yep that super computer is no longer safe there's now a

malware called cobalos that will allow you to create uh terminals and we'll break into aix and

other high-end systems so got that going for us ransomware operators exploit vmware esxi flaws

to encrypt just the vm there's a lot of esx issues out there please patch them but because everybody

seems to forget that the esx host is vulnerable just like the vms are over a dozen chrome

extensions caught hijacking google google search results for millions google chrome extensions have

been backdoored being manipulated from the let's all be unified point of view microsoft defender

atp is detecting yesterday's chrome update as a backdoor obviously that's an issue uh make sure

you update your chrome and then for us mac users recent root giving pseudo bug also impacts mac os

that's the cde 2021-3156 so macs are now available are vulnerable to this threat actors capitalize

on copa 19 vaccine news to run campaigns aws is abused to host malicious pdfs a lot of bad

stuff out there this is a nice once again aws is being victimized in this kind of nice enhancement

microsoft defender now detects mac os system app vulnerabilities so if you are running mac os

have co-loaded it with uh windows os or somehow running it together

the windows defender will work with you on that one so that's all for the headlines guys

cool thanks for that mike uh to kind of add on to some of that with exploits this week um you know

the pseudo they're calling baron sem did it was featured by fantastic hacker and that's available

uh for download into metasploit so those that that exploits available right now in two parts

it requires a little uh ratchet tree to get it to work but um it is available so keep that in mind

make sure that you're you're treating that pseudo stuff pretty seriously another thing that i think

is interesting to see is that a recent kind of newcomer author to the market has brought

six solaris 10 uh privilege escalation vulnerabilities uh that work in in various

versions of solaris 1013 um so it's it's it's it's certainly an older version of solaris but

um a lot of organizations are still using those older versions of spark because they work

um so i think that's kind of interesting and then to tag on to what mike was saying about wordpress

wordpress fibo image remote code execution is available has an exploit plug-in for in php4

metasploit so again um if you got wordpress running make sure that you're you're getting those

modules updated so that you're not vulnerable to this uh this irc and that's um that's it for

exploits keep patching great thank you both interesting times that we're in these days a lot

is happening out there and really for the topic of today's discussion it's it's certainly a valid one

i think and it's it's a question that we i think a lot of us ask on a regular basis and that question

is you know are we losing the cyber security war that's out there and and or or what is our status

in this this worldwide you know battle of the giants but then also the the small and

medium-sized threat actors i mean everybody's kind of in this together everybody's um

seemingly against each other like you just talked about mike hacker's hacking hackers right it's uh

it's a why it's kind of the wild west out there and so the big question is are we are

we losing the war on cyber security and a recent support uh discussed in detail the um chinese you

know military backed hackers going in and and going after um consumer credit agencies large

corporations and small the dod supply chain all of that the uh the chinese uh nation-state-backed

hackers basically are you know coming up over and over and over again and so we're in this

continuous warfare cyber warfare really right and and um we have to ask you know where do we

where do we stand in all this and and you know in my opinion uh we have a lot more to do and this

is something that we're not going to conquer overnight and and i don't know if there is a

end-all be-all or some definitive end to all of this i it could certainly be a long-term

war of attrition right kind of like the the war on terror right or the war on drugs i mean it's

just a it's it's something where i don't know if there actually is an end state but the idea

in my mind is really to subdue it as much as possible and protect ourselves as much as possible

um what do you guys think where do we stand today this day and age i don't think we're

i don't think we're losing um you know i think we've got a long way to go to determine

a winner or a loser in this specific epic battle right um we're certainly the disadvantage now

i think my my reason for thinking that is is kind of kind of two-fold um the the first part

is is really just because of a i think you know it's it's a it's a different culture

in the united states um you know most of the youth and most of the populous here

leverage technology for um um for leisure you know cyber security and the technology

i guess core of job families isn't something you know or that profession or or even as a

hobby isn't just something that occurs to them right they're very good users the rest of stuff

doesn't really doesn't really matter to them and and you know the other the other second part is

that you know the fabric of what we know is the internet of everything today wasn't built on

security it was fabricated in the method to share data it was meant to be a public library of sorts

and so because of that kind of i guess off-footed approach to to to building what we know today

as you know the fact that the internet of everything uh unfortunately we're in a race

to to resolve mistakes that we made early on that we didn't see um so we're we're kind of

doing both right we're trying to fix at all times the things that are not in place for you know what

we consider to be a cybersecurity configuration right to be abused and two we have a populace that

is you know not getting not not kind of driven towards that heavy use of technology from an

engineering perspective that other countries do and um that are just kind of users of the tech

versus engineers of the tech which i think we kind of see in greater populous more hackers come out

of other countries than come out of the united states i guess there's an easy way to say it

and the irony of that is that most of the hacks that are being used have been developed in the

us yes yeah absolutely it is this is a strange dichotomy right i mean i i think it's the u.s. is

primarily a consumer class right there we're consumers we're not we life has been very easy and

soft for us to last what 50 years or so or however long or whatever your point of view happens to be

so we tend to take these things as you know these great blessings that have made our lives easier

without ever considering you know the ops options of that and i tell people all the time it's like

everything that makes your iphone easier to use or your computer easier to log in makes it easier

easier for us to break into and they just that they don't always connect the dots on that

yeah and it it comes down i think that you're right you know we we've had a relative level

of comfort in our country compared to elsewhere in the world that really just scraping to get

to get by um and it's very very hard for them to get ahead so it's it's almost not an option to

even create um new technologies or new methods um they're there but they can certainly steal

ours right and use it against us um so it's kind of a sad situation also i think comes down to

values within different countries so um you know with china for for instance you know their

their government is it's run much differently and the government fully believes that

um there should be visibility on everything and and going on at all times um there there

shouldn't really be things like privacy right and and very much free will are very much focused on

um monitoring everything going on including their own people right but um and you know the

the other side of it is that we also have the intelligence operations that have been going on

forever really you know since since for since before our country was even a country

right we have these intelligence operations going on and so now

the cyber warfare is an extension of that that's another piece of it right like when the

office of personnel management attack happened right unfortunately um that resulted in a lot

of our intelligence operators overseas getting killed it's just there's no there's no way to

to sugarcoat it that's what happened and it's because that data is being used uh not just for

um uh you know ransomware and collecting payments and that sort of thing that's a huge piece of it

right financial gain but the other piece of it is uh actual physical attacks physical war

and uh this kind of cat and mouse game uh within the intelligence community so they're they're

looking at this as as really a um a means of survival you know i know a lot of threat actors

are they operate out of uh out of a survival mentality where i like to think you know here

in the us we're much more focused on a mentality of growth and and hoping to work toward peace

and such but not everybody thinks that way so it's it's i think the very root of this even boils down

to uh culture and values uh within companies and how people how people were brought up you know and

not necessarily at a fault of their own right it's it's it's a very much product of their environment

in a lot of cases so stealing from other countries uh you know or war of attrition

um to them that's just that's just life it's not it's not something that's wrong or good or bad it

just it just is uh unfortunately it comes down to survival and i think you know there's two things

that i want that i want to touch on first the american business model is to make money right

it's capitalism we're driving the share price we're driving you know whatever maximizing

profit and security costs money and you don't see 100 see a direct correlation between profit

and security um although i think there was some cyber security company called solid sector that

came up with the risk to revenue model but we'll talk about that another time um but anyway uh

we do have i mean you see that and we see it all the time in our conversations with companies they

well that costs too much or we don't want to do that we can't afford the security guy or we can't

do that and you know they fail to understand that it costs four to ten times what to fix a breach

than it would be to put the resources in place to prevent a breach and this drive of making profit

and don't get me wrong i love profit i like making money but you have to take into account

the risks that are out there so companies like or countries like china have more of a holistic view

where it's for the company whereas in the u.s it's for the uh excuse me china is more for the country

whereas the us is more for individual companies and there's no true standard

and china has then now taken in weaponized um technology is meant as a means of control they're

creating a social credit score based on your social social posts your social media posts how

your spending habits are what you know on and on and on and all these various factors and they're

using that to determine what apartment you can get what job you can get whether you can get a loan

or not etc etc and it's it's becoming a control fund factor which you know used to have to happen

by you know kgd agents sneaking around corners now they just do it by eavesdropping on social

media and what's concerning is is the us move into that because there seems to be a whole lot of um

a whole lot of cancellation on social media of people that do not adhere to the dominant um the

dominant paradigm of the day the dominant message of the day and it's you know free speech is under

attack you know from all ends so that's my soft box that was a that's a good soapbox i like that

that stealthy little plug you you you jabbed in there that was that was brilliant yeah i like that

yeah you know it's really interesting i i hope and i think i think this is uh this is a problem of um

these these are all problems that i think have stemmed out of something that's that's good by

nature right it technology technology just is right it can be used for good or it can be used

as a weapon right it's it's really it really comes down to the human element uh behind it and the

societal values a lot of different factors go into this but we can't we certainly can't blame

technology as being the problem i think that the big picture is is how do we how do we create a

culture that that understands the the fight that's in in a lot of other cultures right and understand

how to protect ourselves how to drive forward then and then hopefully he used technology to to

come together as a world not split apart and and uh i won't get all soft and mushy on us here but

you know when we when we talk about culture we look at things like uh that you know the app

uh tick-tock for example right that was that was it's it's it's clear that it's

you know chinese uh entities in government are using this as surveillance software right and

collect data on people and it's not it's not even so much about just having the data on people that

scares me it's the predictive algorithms that they create um that you know these these ai based um

methods of pre-cognitive crime you know like it's like a hi-fi movie yeah um minority report

minority report yeah thank you um you know it's it's like a real life world a real-life version of

that you know and and um so it'll be interesting to see what what happens but the the thing that

scares me the most is not that yeah that tick tock is being used as as as chinese surveillance the

thing that scares me is that our youth doesn't care they say oh well what who cares if if um

these these other uh you know large governments that have ability to cause do a lot of good or

cause a lot of harm in the world uh you know have have all this they're they're almost just

not wanting to hear it because the the uh endorphins that these apps create for them and

that the addiction that they create is something that they're not willing to let go of and that

that's the scariest thing to me it's not it's it's just it is a drug i think you bring up a good

point it's probably a great topic to have another type but you know you're right there's there's

certain things in the brain that are happening when these individuals when individuals are using

these apps and it becomes an addiction um you know the infinite scroll right it's for a reason

it's so that it never ends it can never end for you if you want it to right you know what i mean

oh yeah so it's super interesting well i can't remember the guy that came out with a facebook

engineer that came out so this is all about driving dopamine right huh yeah totally i know

you're talking about i can't remember either but it is it's a um it's it's a it's a version of a

you know fixed from a drug and when you've got artificial intelligence and it's it's

weird because you know you know the chinese we we know they have all the intelligence on their own

people already right they're running this weird social social scoring system that's going on if

it's out of a sci-fi movie too they did an episode of that on that i can't hear that sci-fi movie um

that was on netflix but uh anyways go to a planet that's like completely driven you have a score

that you know that was from uh that seth uh seth mcfarlane uh that's right uh what was that called

what the heck anyways that's seth macfarlane sci-fi anything today we should it's you know

what i've only had 16 cups of coffee so i i've got to get to 20 before my memory starts really

kicking in from that far back but yes they did a they did an exact episode on that one that's weird

right the truth is stranger to fiction but i think the chinese are bored they have all the data that

you know they got this really cool i mean i think they probably built this fantastic data center to

do all this with us ai it's probably a marvel like i don't care i mean their purpose is bad of course

but i'd still like to look at the technology i imagine it's impressive right imagine it's a

sight to be seen um but they they did all that and now they can't they've got everything there what

what's next well let's gobble up the rest of the world uh the orville that's the name of the show

the horrible thank you yes what happened to it i think it's on netflix now but anyway yeah but that

that episode man where they had that they had to visit that planet where that you know he made

a snide remark and they were gonna banish him you know they were punishing him through their

social system yeah and reprogram them yeah super interesting that the lady couldn't order coffee

because she didn't have enough um you know social clout right or whatever she'd have enough likes

exactly it's such a such a random how random it applies and that's exactly what the chinese are

doing almost like they watched the episode and was like that's a brilliant idea let's do that

it you know in the on the cyber warfare side of things i what i mean

is people ask what does winning look like right how do we win what do we do

to get ahead of it and that's that's an extremely hard thing to answer i mean winning looks like you

know world peace and everybody loves everybody but what's what's the reality of that happening

it looks it's not gonna happen but winning for the united states and you know in our in our you know

kind of cyber battle would look like much like an organization that's successful at aligning to

any given framework right where the people are all trained right that's a cultural change inside of a

corporation that has to occur right that everybody has software on the machines right there there's

certain things that they they're made aware of and what tactics and what you know software is

vulnerable and shouldn't be used and so we would have a cultural shift where all of the american

youth and and people and it would be a massive effort right to educate the youth and educate the

you know the elderly um to assist them in their homes and you know in in their places of uh you

know kind of um you know not a rest home i guess what you call that like sort of um supervised

adult supervised living or whatever assisted living but you know they're they're victims too

right i mean we've seen we've seen right here in local um local municipalities these elderly people

kill themselves because they fall victim to scams that have taken their last of their savings um so

they're victims too and um i think it all starts with that education right that cultural shift but

i that's what i think it would look like it would look like a corporation that's been successful to

aligning to like nist 853. where and and that that that part of the people specifically right where

they're they're they're getting a training program right we're free or they're getting it on their

own they're updating their computer they're not installing random apps they're not letting kids

there they're running in a user shell and not an admin shell right until they need to do something

um you know i mean there's a but that's what i would think that would give us an advantage over

you know and this and it would it would include companies actually all organizations operating

united states doing the right things to software development right making sure that they're

they're they're eating their own medicine right these companies that are offering these

um you know trusted software deployments that are need to be running their stuff through bug

bounty programs and and initiating that type of security so that we have a more security culture

and i think that's probably where it would would start and that would fend off a lot of what's

happening i think well i remember a couple years ago there was actually a study done that most of

these like payout apps that are out there uh it was something only like 20 were actually tested

for security and they're still being launched and still being out there i mean and it's just this

lack of accountability right because really what was the recourse if you got hacked there really

wasn't any until um was it west i can't remember the bank uh the hotel agency that got sued by

the fcc because they claimed they had all these security measures in place got hacked and turns

out they didn't have any of them uh yeah i really can't remember anything this morning either um

um been a lot of data to like chew through the past week you know i mean it's it's been a it's

been a bit with stuff going on so i'm only on day two of my vacation and so i'm assuming

that by by the time i return on wednesday i'm going to be dumb as a post so um yeah

you know i think and i think we're i think perfection is is you know is not the uh is not the

focus right or zero hacks zero attacks anything like that i think that's just something that's

going to continue to happen unfortunately like war itself right uh like terrorism like things

things like that that we want to get rid of the world i think that's going to continue to happen

but how do we minimize it how do we mitigate it i think that what we have to do as a nation we have

to make ourselves harder targets than those around us so it becomes more and more costly to perform

cyber attacks now that's not going to stop the big you know nation-state backed threat actors right

but that's going to stop a lot of the activity and it's going to make it more costly for them um

and and by doing that you know the more we protect ourselves the more we can continue to innovate

continue to drive forward get ahead and not have that information stolen and then hopefully use

what we create out of that for for good and and continue to grow and and thrive really and then

and then hopefully help others others do the same right and so it's going to be one of these ongoing

ongoing situations but i think right now that you know we are

we're failing to protect this this nation from you know from cyber attacks there has to be

done more there's a lot of people working hard on it but i think it somehow we have to spread

this message to the general the general public that's not in this business that's

not thinking about these things i i would venture to say that 90 probably 99 95 of

the uh nation's population cyber security doesn't cross their mind for themselves personally

unless they see uh you know something on the news that happens right but they're probably day to day

people aren't really thinking about this at all kind of like you you talked about earlier laurel

so well what's what's interesting is that you know as a country here in the united states we we we

have the second amendment right the right to bear arms and so there's a lot of americans that have

weapons you know so they're they're we're physically protected you certainly don't

want to start a land war here but the same people that protect themselves physically have

little to no protection in in the cyberspace um so we i think you're right i think it starts with

awareness if their their default passwords on their on their routers right yeah well i

also think that we need to start having real world consequences for hacks for these companies because

i can't tell you how many cios that i've spoken to it's like i saw our stock dips for a while

you know we'll be back kind of thing and and they just don't have there's no consequence for their

lack of activity i i agree 100 and i also think that we should have real world consequences for

foreign governments that don't that don't regulate um attacks coming from within their

country or even try to go after them i mean not i'm not talking about go to war with them but

i'm talking about you know whether we need trade embargoes or we need something that that causes a

little bit of um it creates an incentive for them to actually do something about it because a lot of

a lot of uh nations are just just letting it go without any any any consequence whereas

other crimes within their country they would they would penalize heavily um the the cyber attacks

are almost not taken seriously in a lot of places yeah and i really think they should be so i we you

know this is a fascinating topic we could go on and on but we're we're coming up on time here so

just to recap you know i think it's it really comes down a cultural shift to

education to focus on this to really taking it more seriously as a nation than we we ever have

i think people are starting to wake up on in that sense i think we're certainly headed in the right

direction and and and working harder toward that than ever before uh but there's a long way to go

so you could spend an hour on linux a day there you go not playing video games

well thank you very much for joining us today thank you for listening be sure to rate us

on your favorite podcast platform let us know your thoughts comments questions so we can answer those

in future episodes and always feel free to uh to reach out so thank you very much have a great day

take care everybody take care pick up your copy of the cyber rants book on amazon today

and if you're looking to take your cyber security program to the next level visit us

online at www.silentsector.com join us next time for another edition of the cyber rants podcast

Episode 15 - Are we Losing the Cyber War?

Send Us Your Questions & Rants!

Categories

Archives

Transcript