[00:25.140 --> 00:27.640] Remember the message. [00:27.660 --> 00:30.220] The future is not set. [00:57.180 --> 00:58.440] Dateline. [00:58.440 --> 01:00.560] March 16th, 2023. [01:00.560 --> 01:09.080] An unnamed Madison organization lost $2.4 million to a fraudster who quietly had access to an employee's email account. [01:09.080 --> 01:10.700] This is my hometown. [01:10.780 --> 01:12.180] This is not my hometown. [01:12.180 --> 01:25.100] These are emails that were landing in the inbox of a Cisco executive, extorting them about the release of some data if they do not pay a ransom. [01:25.100 --> 01:27.220] How did that happen? [01:27.220 --> 01:28.200] How did this happen? [01:28.200 --> 01:43.300] And this is a picture taken on the side of a Kwik Trip, begging the customers not to be rude to the people who work there because their customer reward system had been down for the previous two weeks. [01:43.300 --> 01:44.860] This is a Wisconsin business. [01:44.860 --> 01:46.820] And how did this happen? [01:46.820 --> 01:59.620] Fraud is fun, declares a teen hacker of DraftKings who managed to exfiltrate about $600,000 worth of funds from their customers. [01:59.620 --> 02:10.160] This teen hacker is the neighbor of a colleague of mine, and he knows about him because when you deal in these realms, SWAT teams sometimes unnecessarily appear at your home. [02:10.160 --> 02:16.680] And when a SWAT team rolls into the neighborhood, you take your son that you're having a catch with and you take him to the basement. [02:17.440 --> 02:19.680] How did that happen? [02:19.680 --> 02:23.300] And at the same time, how did this happen? [02:23.300 --> 02:28.620] Security awareness has largely garnered a bad reputation.
[02:29.300 --> 02:46.900] Boring slideshows with stupid quizzes that come around on the calendar once a year like some sort of negative holiday and instructed by people, and I include myself in this certainly sometimes, who have trouble relating to the other humans. [02:47.660 --> 02:51.860] Get a red hot poker and open up my eyes, it's so boring. [02:51.860 --> 02:56.100] These are the employee perceptions of cybersecurity training. [02:56.640 --> 02:57.860] How is that? [02:57.860 --> 02:58.980] How can that be? [02:58.980 --> 03:00.060] How did this happen? [03:00.060 --> 03:09.880] How is it that we can have difficulty garnering attention when cybercrime is so notorious, pervasive, impactful, and interesting? [03:09.880 --> 03:12.240] This is attention takeover. [03:12.240 --> 03:24.580] It's leveraging that hacker infamy to make yourself a trusted resource within your organization, whether that organization is a business you work at, or a club you're at, or just your family. [03:24.580 --> 03:27.760] People are desperate to talk about this stuff. [03:27.760 --> 03:38.240] And my objective today is to sort of open the possibilities of what security training is, and what it can be. [03:38.240 --> 03:41.660] The breadth of topics you can actually introduce to people. [03:41.660 --> 03:42.920] So my name is Brad Wagner. [03:42.920 --> 03:56.040] I'm going to spend a fair amount of time telling you about myself, because all this stuff is relevant to my life, and the way cybersecurity or failures in cybersecurity has been woven into it. [03:56.040 --> 04:05.320] So I went to the University of Wisconsin a couple times, I got a BS in computer sciences in German with a year abroad, a master's degree after that. [04:05.400 --> 04:09.940] Professionally, I've been working at the same small business for a very long time. [04:09.940 --> 04:11.740] It's called Christians and Associates. [04:11.740 --> 04:14.200] It's applied microeconomic consulting. 
[04:14.200 --> 04:19.220] It's essentially big data, since before big data was even a term. [04:19.220 --> 04:26.980] So I started there part time as an undergraduate student, and slowly devolved into a programmer, senior programmer. [04:26.980 --> 04:31.220] And I've sort of moved into the position of director of IT. [04:31.220 --> 04:38.060] But it's a small business; essentially the IT department of Christensen Associates is talking to you here today. [04:38.380 --> 04:47.320] So in that move, I went and picked up CISSP, which I'm really proud of, and 10 days ago, GCFA, forensic analyst. [04:47.320 --> 04:50.060] Yeah, I was really excited about that. [04:50.060 --> 04:59.640] I got that through a grant from Homeland Security to the Wisconsin cyber response team, shout out to them. [05:00.120 --> 05:11.720] Here is me learning from Chris Hansen that the Indiana National Guard, on this live fire cyber exercise, has hacked us really, really good. [05:11.760 --> 05:16.620] And yeah, we would work to remediate and get Indiana out of our systems. [05:16.620 --> 05:30.760] Really cool opportunity to help county, city, municipal governments, and very often school districts respond to cyber incidents that had happened, all at $0 cost to them. [05:30.760 --> 05:37.840] Wisconsin has the foremost civilian cyber corps in the nation. [05:37.840 --> 05:41.020] I'm really proud to be a part of that organization. [05:41.020 --> 05:45.380] I'm also a recent board member for DC 608, check them out. [05:45.380 --> 05:48.980] The first Thursday of every month there's a meetup. [05:49.180 --> 05:51.760] And I am a volunteer for Ironman Wisconsin. [05:51.760 --> 05:59.140] I help volunteer the volunteers who then keep the athletes on the run course where they're pretty, pretty tired. [05:59.140 --> 06:00.560] So that's me right there. [06:00.560 --> 06:04.120] I am married to a middle school associate principal. [06:04.120 --> 06:05.640] That's her right there.
[06:06.680 --> 06:09.960] I formerly played a lot of poker. [06:10.020 --> 06:15.000] I am perhaps the shortest tenured member of ComedySportz in Madison. [06:15.000 --> 06:21.160] I did one show before that particular group folded, but it was a really great experience. [06:21.160 --> 06:23.600] I am a former 3D printing aficionado. [06:23.600 --> 06:28.180] Here is me printing out a party favor for a New Year's party. [06:28.180 --> 06:31.220] I was building this with the RepRap project. [06:31.220 --> 06:32.900] It was really fun. [06:34.040 --> 06:37.840] Nowadays, I consider myself a bit of an amateur dog trainer. [06:37.840 --> 06:42.740] This is my dog Ada helping me live the dream. [06:44.060 --> 06:45.680] Here she comes. [06:46.540 --> 06:57.340] And nowadays, oh, I am a Civilization VI and Final Fantasy VII appreciator, where I hold a platinum trophy in Final Fantasy VII Rebirth. [06:57.340 --> 07:02.160] If you know, you know. I probably put more time in that than I did for the GCFA. [07:02.520 --> 07:05.560] I'm also a recreational runner and triathlete. [07:05.560 --> 07:10.040] That's me and my wife at the finish of Ironman Wisconsin in 2018. [07:10.840 --> 07:15.740] I am frustrated that she can still look photogenic after all of that. [07:15.740 --> 07:19.900] But that's really where I want to transition from me into cybersecurity. [07:20.200 --> 07:23.860] So I'm going to take us back to Garmin 2020. [07:23.860 --> 07:25.940] I've got a Garmin watch right here. [07:25.940 --> 07:28.740] It's tracking all the steps I'm taking back and forth. [07:28.940 --> 07:31.520] I am going crazy because the pandemic is on. [07:31.520 --> 07:35.860] I'm working at home for the first time, and it's not the right solution for me. [07:35.860 --> 07:37.160] I'm going a little nuts. [07:37.160 --> 07:42.920] But I declare I'm going to hit my step goal every single day for the month of July.
[07:42.920 --> 07:47.720] And the way Garmin works is every time you hit your step goal, it gets a little tougher to hit it next time. [07:47.840 --> 07:48.960] So I'm doing great. [07:48.960 --> 07:50.380] I'm cruising along. [07:50.600 --> 07:56.260] And right around on July 23rd, I think it was, boom, Garmin, we're sorry. [07:56.280 --> 08:01.040] We're currently experiencing an outage that has taken down every single gosh darn thing we do. [08:02.440 --> 08:06.300] Every day, I'd go to bed and make sure that I had hit my steps. [08:06.300 --> 08:09.160] Otherwise, I'd go out and take a quick walk to get there. [08:09.280 --> 08:15.080] But now my watch can no longer communicate to Garmin HQ to tell them that my steps are happening. [08:15.700 --> 08:25.640] So when Garmin comes back, my watch was able to cache a certain amount of steps that I had, but it didn't have enough memory in it to cache everything. [08:26.160 --> 08:30.620] My objective to make this website all green had failed. [08:31.820 --> 08:39.100] That is the restore point, I surmise, because I went to bed on the 22nd having my steps, but it was gone. [08:39.300 --> 08:47.160] Garmin came back in five days, which is pretty good, considering they paid $10 million to the hackers to get themselves back. [08:47.620 --> 08:49.780] Pour one out for the yacht owners. [08:49.820 --> 08:53.540] They didn't know where they were on the planet during this section. [08:53.560 --> 08:55.140] But also, the U.S. [08:55.140 --> 09:00.500] military uses Garmin devices, and that information wasn't available to them. [09:00.500 --> 09:02.680] What did those attackers have? [09:03.220 --> 09:05.660] So that is the data that is lost. [09:05.780 --> 09:08.280] What happened here is I had some mild despondency. [09:08.280 --> 09:09.560] I abandoned the goal. [09:09.560 --> 09:12.600] That's a shame, but it became useful for this presentation. [09:13.140 --> 09:15.080] But that's just a simple little thing. 
[09:15.080 --> 09:17.840] This is a little bit more serious: National Public Data. [09:17.840 --> 09:21.340] There's never been a better name for a breach than what we have right here. [09:21.340 --> 09:22.780] I didn't ask them. [09:22.780 --> 09:27.480] I didn't click any agree for them to collect data and then lose it on the internet. [09:27.480 --> 09:34.580] But this is stuff about me that made it out there, including every address that I've ever lived at in the United States. [09:34.580 --> 09:37.400] They had all of that, including 821 West Johnson Street. [09:37.400 --> 09:38.660] That's Sellery Hall. [09:38.900 --> 09:44.100] It turns out that my wife and I lived in the same dorm at the same time and never met. [09:44.320 --> 09:46.640] So hey, National Public Data. [09:48.020 --> 09:55.580] The redactions way off on the right side of the slide, those are the last two digits of my social security number, and they've got it. [09:55.660 --> 10:02.820] And this website that I used to explore the breach redacted the rest of it, but in the real breach it's gone. [10:02.820 --> 10:10.120] This is actually the third time in my life that I know of that my social security number has made it out publicly. [10:10.420 --> 10:14.960] The second time it happened was Equifax in 2017. [10:14.960 --> 10:22.480] The thing about this timeline that I really want to point out is the announcement of the vulnerability that hit Equifax was March 9th. [10:22.480 --> 10:33.340] Attackers knew about it on March 10th, and somehow Equifax didn't even realize that they had a problem until July 29th. [10:33.340 --> 10:35.120] And the breach happened May 13th. [10:35.120 --> 10:43.860] They had some time there between discovering that the attack was possible and when the attackers got there. [10:43.880 --> 10:52.380] So the country didn't learn that 143 million people had all their Equifax data released until September 7th.
[10:52.380 --> 11:03.220] The good news is, if you want to look at it with a silver lining, the people who were indicted for this are all members of the Chinese army. [11:03.280 --> 11:07.140] This was an espionage organization, so it's China who's got the information. [11:07.140 --> 11:10.220] It hasn't been released entirely publicly yet. [11:10.660 --> 11:25.760] And the first time it happened was because I went to the University of Wisconsin, and in their infinite wisdom, they were using social security numbers as the student ID numbers, and they left a lot of that information exposed publicly. [11:25.760 --> 11:26.900] I changed the barcode. [11:26.900 --> 11:29.560] Those might be Rice Krispies there. [11:29.560 --> 11:36.760] But yeah, what is redacted there is my actual student ID, with the social security number redacted. [11:36.940 --> 11:45.040] The good news, despite my social security number being essentially public now, is that my social security number has been revoked. [11:46.020 --> 11:51.160] I was known by, I'm gonna have to go look at this to read it. [11:51.500 --> 11:53.000] It's really small. [11:53.000 --> 12:09.320] It's some Gmail address telling me that the Federal Trade Commission has detected multiple instances of international wire transfers, and that my social security number was tied to narcotics trafficking. [12:09.740 --> 12:12.000] And the attachment, that's not even a PDF file. [12:12.000 --> 12:13.060] It is an attachment. [12:13.060 --> 12:14.700] The attachment is a JPEG. [12:14.700 --> 12:19.640] They don't even bother to put my name or any particular information in there. [12:19.640 --> 12:22.140] I mean, obviously, this is some form of phishing. [12:22.260 --> 12:25.140] Theft by deception is what they're accusing me of. [12:26.300 --> 12:30.840] These attacks that I'm talking about, they are everywhere. [12:31.000 --> 12:35.180] We are fish who do not see the water.
[12:36.660 --> 12:41.080] The UPS notification, we've all probably seen this. [12:41.080 --> 12:42.240] I'm getting a lot of these. [12:42.240 --> 12:45.500] If you follow that link, you'll see something that looks like this. [12:45.500 --> 12:51.780] Somehow, UPS knows my cell phone number, but they don't know my address. [12:51.780 --> 12:55.540] And that link was actually sent to multiple numbers. [12:55.700 --> 12:57.000] We can see that there. [12:57.200 --> 13:00.780] Unpaid toll balances, there are lots of these going around. [13:00.920 --> 13:03.120] "You are outstanding toll balance." [13:03.120 --> 13:11.040] I presume this is the British spelling of "your," because the plus 44 means that this came out of England. [13:11.800 --> 13:15.300] Delia would like to be my friend on Facebook. [13:15.720 --> 13:17.140] And she's single. [13:18.200 --> 13:35.760] Whether she wants, you know, a gift for being such a good companion, or more likely she wants to tell me about how much money she's making with Bitcoin so I can download some sort of app that will tell me I'm making money on Bitcoin, not that I could ever get money out of that site again. [13:35.760 --> 13:37.820] It sort of remains to be seen. [13:38.280 --> 13:43.880] Amazon, Zelle, they're just, oh, we're going to just ask for the money. [13:43.880 --> 13:45.540] I mean, at least that's straightforward. [13:45.600 --> 13:52.480] But then in the contact information, they've got a second form of scam where I will get tech support from the 1-855 number. [13:52.740 --> 13:59.480] And if I don't fall for that one, maybe I will accidentally connect my bank account to their email, which is order status 10. [13:59.480 --> 14:01.740] These things are everywhere. [14:02.640 --> 14:07.460] So these are attacks that are coming to me at work. [14:07.460 --> 14:12.280] Our domain is lrca.com or a daughter company, say energy.com. [14:12.500 --> 14:15.100] Access my performance report.
[14:15.100 --> 14:20.120] Apparently HR is putting performance reports through genuinefoods.com. [14:20.800 --> 14:25.960] Bills that are sent to us by being stored on a Dropbox and then shared with us. [14:25.960 --> 14:28.020] That doesn't seem likely. [14:28.220 --> 14:30.580] These people want to pay us $40,000. [14:30.580 --> 14:32.240] That's not going to work either. [14:32.240 --> 14:38.160] PayPal, you ever accidentally send an email before you were done writing it and you accidentally hit control S. [14:38.220 --> 14:40.800] Thought you were saving it, but we're actually sending it. [14:40.800 --> 14:42.600] Attackers do it sometimes, too. [14:44.140 --> 14:46.540] Password systems, these happen all the time. [14:46.540 --> 14:49.680] Microsoft 365, Outlook. [14:49.680 --> 14:51.940] These attacks happen all the time. [14:51.940 --> 14:59.240] This is a text message on a personal cell phone of a new hire I had just onboarded. [14:59.620 --> 15:06.460] Someone is pretending to be the CEO and sending him a text message saying I'm in a conference right now, of course I can't talk. [15:06.560 --> 15:08.660] But let me know if you get my text. [15:08.660 --> 15:11.080] Thanks, name of CEO. [15:11.420 --> 15:19.480] I love this because this is his first week and he thinks the CEO is earnestly sending him a text message. [15:19.480 --> 15:21.860] It's like, are you available for an urgent task? [15:21.860 --> 15:23.600] Let me know as soon as possible. [15:23.780 --> 15:26.740] He tells the CEO maybe I can get to it later. [15:27.000 --> 15:31.480] I'm currently getting something for blank, a project we were working on, by the end of the day. [15:31.480 --> 15:33.680] If it's quick, I might be able to help you. [15:33.680 --> 15:38.300] Once he saw that the issue was gift cards, he knew this was up. [15:38.300 --> 15:45.880] And now this text message is part of our onboarding because this happens to a lot of our new hires, and I bet a lot of your new hires, too. 
[15:46.280 --> 15:51.860] All these threats, all these things I'm going through are just incredible free training material. [15:51.860 --> 16:01.360] These are the attackers giving you the information you need to improve security in your organization because they're all relatable. [16:01.380 --> 16:10.300] It demonstrates purpose for the org that you're trying to protect, and it prepares you for these specific attacks most relevant to your org. [16:10.300 --> 16:19.080] Whatever your security setup is, the stuff that gets through is the stuff that's most important to create a shield at the user level for it. [16:19.080 --> 16:21.360] And I think this is the most important point. [16:21.360 --> 16:30.680] When you talk about these with your organization, it publicly acknowledges the excellent work that those employees did to report the messages. [16:30.680 --> 16:34.440] So how did Dev know that this email was a phish, for instance? [16:34.660 --> 16:48.560] The thing I like about this one is if they use the actual phone number, the AI tools that Microsoft has will flag this as being malicious, so instead of using zeros, they use capital O's. [16:48.560 --> 17:00.000] It's just a little bit off, but I think this is why AI will do more to improve security than it will to be used against us. [17:00.080 --> 17:03.420] I'm on the positive side of that. [17:04.060 --> 17:05.720] Here's another email. [17:05.720 --> 17:13.000] It came to the president of the company, ostensibly from me, using my NetP 3151 Gmail address. [17:13.000 --> 17:14.860] I have no address. [17:14.860 --> 17:16.500] Someone's pretending to be me. [17:16.500 --> 17:24.320] Sending it to the president, requesting that my salary account information be changed from its current status to new account information. [17:24.320 --> 17:25.920] What do you need from me? 
[17:26.580 --> 17:33.560] Well, what this attacker really wants is for the president to be like, Brad, you've worked here for so long, how do you not know how this business works? [17:33.720 --> 17:36.640] Forwards it to the person who actually does payroll. [17:36.640 --> 17:42.680] Now it's a legitimate message from inside the company, seemingly vouching for it. [17:42.800 --> 17:45.800] But no, instead he reported it. [17:45.800 --> 17:46.920] That was great. [17:47.900 --> 17:56.820] This is a real email that came through to us from the real address of a company that we do business with. [17:56.820 --> 18:04.000] They are pleased to extend to us a mutually advantageous chance for partnership on our next financial project. [18:04.000 --> 18:05.940] Really not what we do. [18:05.980 --> 18:08.800] The job description and frame of work. [18:08.800 --> 18:13.160] So a job description is a thing, but that's about what an individual does at an org. [18:13.160 --> 18:15.680] It's not really a scope of work. [18:16.320 --> 18:20.160] And we've never dealt with something called an access proposal before. [18:20.160 --> 18:21.900] It's all very weird. [18:21.900 --> 18:24.360] We're going to talk more about this one later. [18:24.380 --> 18:35.880] But if you followed that attachment, you get a PDF file that inside it said requestforproposal.pdf and give you an opportunity to view it in OneDrive. [18:35.880 --> 18:39.340] So if you click on that, you don't go to OneDrive. [18:39.340 --> 18:41.340] You do go to a Microsoft product, though. [18:41.340 --> 18:46.500] You go to Microsoft Forms, telling you that it's a new secured document. [18:46.500 --> 18:49.580] The comma is coming after July instead of 23. [18:49.580 --> 18:51.440] So they've got that a little wrong. [18:51.660 --> 18:53.600] But there's that link at the bottom. [18:53.600 --> 18:55.660] I think we know what's behind that. [18:56.040 --> 18:56.780] There it is. 
[18:56.780 --> 18:57.800] It's the sign-in message. [18:57.800 --> 19:03.140] This is the phishing that is collecting our username and password. [19:03.140 --> 19:05.440] This is how they get into our systems. [19:05.440 --> 19:12.840] And if they're using that, they're also going to collect the two-factor token, because they'll just be right in the middle talking to Microsoft. [19:12.840 --> 19:17.540] So this is the part of our presentation where I was working on it. [19:17.540 --> 19:21.680] And I got this email from Casey Schuster, a colleague of mine. [19:21.760 --> 19:23.760] And it came from her phone. [19:23.760 --> 19:27.340] She seems to be taking a picture of her company laptop. [19:27.340 --> 19:29.640] And this is what that picture looked like. [19:29.800 --> 19:31.660] Five different pop-ups. [19:31.680 --> 19:33.240] Five different phone numbers. [19:33.240 --> 19:40.600] Now, what you can't see in this picture is the alarms, the shrieking alarms that are coming out of this laptop. [19:40.600 --> 19:41.600] And let's go back to this. [19:41.600 --> 19:45.180] This is an email that came at 10:27 p.m. [19:45.920 --> 19:53.340] And you also can't picture in this laptop her husband screaming at her to shut this computer off. [19:53.340 --> 19:54.880] He's trying to sleep. [19:55.400 --> 20:03.220] Everything about this is trying to get her to act instead of think about what's happening. [20:03.220 --> 20:11.560] All these pop-ups, and if the phone numbers don't work, you can always enter a username and password there, are trying to get people to act. [20:11.560 --> 20:16.340] So, hey, can I add this picture to a presentation I'm working on? [20:16.340 --> 20:19.540] I got the credit, and the photo credit for this is Casey Schuster. [20:19.540 --> 20:20.360] Thank you. [20:21.380 --> 20:26.540] The attackers sometimes don't even take themselves seriously, as I kind of mock them all. [20:26.600 --> 20:28.620] Schneider Electric is a French company.
[20:28.760 --> 20:37.100] They got ransomware, and the ransom demand was $125,000 worth of baguettes, which is just a fun thing to consider. [20:37.560 --> 20:42.640] This bank was coming at one of the founders of Christensen Associates. [20:42.640 --> 20:48.360] At least, they were saying they were a bank, and they were pretty aggressive about it, and they really want us to visit their website. [20:48.360 --> 20:50.000] So we're going to visit their website. [20:50.780 --> 20:51.520] Here it is. [20:51.520 --> 20:52.980] It's Sun Capital Bank. [20:53.120 --> 20:56.180] Let me tell you a couple things, because we can't really engage with it right here. [20:56.180 --> 21:01.860] If you click on "call now," you don't do anything. [21:01.860 --> 21:03.480] It's just a graphic there. [21:03.480 --> 21:08.440] If you click on these social media links, it just reloads the page you're on. [21:08.460 --> 21:14.520] If you try to change the language from English, your other options are USA, UK, Canada, and Australia. [21:15.280 --> 21:18.000] Anyone else see any other problems with this? [21:18.780 --> 21:19.960] "Upto"? [21:19.960 --> 21:21.340] That's not a word. [21:21.340 --> 21:22.880] That's two words. [21:23.020 --> 21:24.400] Any other problems? [21:25.720 --> 21:29.940] Well, if you're a bank, it's very important to put units on your loans. [21:29.940 --> 21:30.980] Are these yen? [21:30.980 --> 21:32.500] Are these doll hairs? [21:33.400 --> 21:35.900] Yeah, that doesn't seem right. [21:35.900 --> 21:44.220] The one, though, is they really want us to know that Sun Capital Bank is based out of Phoenix, Arizona, which is not adjacent to Lake Michigan. [21:44.840 --> 21:47.080] That is the Willis Tower. [21:48.340 --> 21:52.240] That up there, that little icon, we'll talk about that later, that's foreshadowing. [21:52.240 --> 21:55.360] Anyone want to guess what on this website works really, really well? [21:57.320 --> 21:59.160] It's a ploy here.
[21:59.520 --> 22:01.260] How much money do you need? [22:01.260 --> 22:03.400] Okay, now we're going down the path. [22:03.400 --> 22:04.520] But that slider? [22:04.520 --> 22:06.180] That slider is broken. [22:06.400 --> 22:12.040] The blue doesn't follow it along, but they are getting ready to collect some information from you. [22:12.040 --> 22:17.340] So I was wondering about that address, that 2550 West Union Hills Drive. [22:17.340 --> 22:19.460] You get to see what these addresses are. [22:19.460 --> 22:21.960] Google has collected all this information for us. [22:22.480 --> 22:23.940] It's a shared workspace. [22:24.520 --> 22:37.900] For a mere $207 a month, you can set up a place where you can run your phishing campaign out of and try to appear like you're a legitimate bank, and then take business owners for as much money as you can, I guess. [22:37.900 --> 22:40.680] You get to see the kind of space that they're working out of. [22:40.680 --> 22:42.180] It's really something. [22:43.340 --> 22:57.140] So all of these attacks, they're relatively simple, and yet when we read about this stuff in the news, and this is the article I started the presentation with, every cyber attack is complex or sophisticated or advanced. [22:57.280 --> 23:06.360] You never read an article about a business getting taken in by your bog-standard phishing attack or your standard business email compromise. [23:06.360 --> 23:08.200] It just doesn't happen that way. [23:08.440 --> 23:15.360] But let's consider what Ed Treleven is telling us here, that this was a complex wire fraud scheme. [23:15.360 --> 23:18.900] Let's read the article and see how complex it is. [23:18.940 --> 23:26.620] So sort of boiling it down here, employees of the Madison organization said that invoices are normally received from vendors by email. [23:26.620 --> 23:28.880] That's common in a lot of places.
[23:29.940 --> 23:35.780] Any email containing the words invoice, wire transfer, or bank was automatically forwarded to a different folder. [23:35.800 --> 23:37.460] That's just rules in Outlook. [23:37.460 --> 23:39.700] I do that to declutter things. [23:39.700 --> 23:41.340] Gmail's got a similar feature. [23:41.340 --> 23:43.260] It's extremely simple. [23:44.020 --> 24:05.620] And the scammers, upon getting a document in that box, would find the invoices, they would change the routing number and the bank account number to one that they controlled, and then they'd just forward that invoice to the next person in the chain, who would pay it out to the wrong location. [24:05.620 --> 24:15.880] And you wouldn't find out that the money was gone until the person who was supposed to receive the money would notice, you know, after your 30 days or 60 days, that they didn't get paid. [24:16.120 --> 24:18.280] This isn't that difficult. [24:18.360 --> 24:22.480] Somebody had just logged in to their email account and had gotten it. [24:22.480 --> 24:28.160] That's why, and I couldn't find a source for this, everybody seems to say hackers don't break in, they log in. [24:28.160 --> 24:29.320] And that's what they did here. [24:29.320 --> 24:32.640] And that's where I'm going to move the rest of this presentation. [24:32.640 --> 24:36.200] How are these attackers logging in? [24:37.080 --> 24:40.140] So we've already talked about phishing. [24:40.200 --> 24:41.580] Done that one to death. [24:41.580 --> 24:43.800] How are they taking over our accounts? [24:44.420 --> 24:54.860] The other ones I'm going to talk about here, and these are things that I don't think we're talking about with our co-workers and our family enough, are credential stuffing, password spray, and hash cracking. [24:55.640 --> 24:58.820] It's not too tough, but I'm going to take us back in time.
[24:58.860 --> 25:11.520] Surprisingly long ways, 2010, Gawker Media, it's this website that's been sued out of existence, but they had a sign-in form and they stored their passwords in plain text, and those passwords are now public. [25:11.520 --> 25:15.500] Same is true of Sony, where I played so many hours playing video games. [25:15.620 --> 25:23.060] The passwords they used with Sony were plain text and are now out on the internet, which creates an opportunity for security researchers. [25:23.060 --> 25:37.260] In particular, this security researcher, this is Troy Hunt, he wanted to know, of the users who had accounts at Gawker and at Sony, in both, how many are using the same passwords for both of them? [25:37.260 --> 25:38.180] Any guesses? [25:38.840 --> 25:40.060] Shout out numbers. [25:41.060 --> 25:44.920] Oh, 63 is really good. [25:44.920 --> 25:46.540] It's 67%. [25:46.540 --> 25:50.040] Two-thirds of people who have an account at both of these are using it. [25:50.040 --> 25:53.900] So now you've got a list of people that you know reuse a password. [25:55.700 --> 26:02.860] So you ask yourself this question, hey, how many Gmail or eBay or Facebook accounts are we holding the keys to here? [26:02.860 --> 26:06.340] And of course, we is a bit misleading, because it's all public. [26:06.340 --> 26:08.740] Anyone can grab it off the net. [26:08.780 --> 26:19.860] One of the questions that we might ask ourselves in this point of the presentation is, if you go to password breaches that we have nowadays, how many DraftKings accounts can you get into? [26:19.860 --> 26:22.540] And the answer is 60,000 of them. [26:22.540 --> 26:28.460] And that's all this teenager, this Madison-based teenager, did to get into that many accounts. [26:28.460 --> 26:40.780] He was so overwhelmed with access to DraftKings accounts, he stopped trying to drain the money from them and instead sold that access to other people so they could put that work in. 
[26:41.100 --> 26:44.620] There were other conditions that needed to be met to get the money. [26:44.680 --> 26:51.500] So about 1,600 accounts were drained, but that was to the tune of $600,000. [26:51.500 --> 26:52.820] So that's credential stuffing. [26:52.820 --> 26:53.920] That's all it is. [26:53.920 --> 26:56.840] It's password reuse being leveraged against you. [26:56.840 --> 26:59.100] So now I'm going to talk about password spray. [26:59.460 --> 27:06.140] And this website, this social media website that I didn't hear of until I got involved in cybersecurity called RockYou. [27:06.860 --> 27:19.480] They lost 32 million plaintext passwords for their service to basically make the same posts across all your favorite 2009 social media websites, including Bebo and Orkut and Friendster. [27:21.260 --> 27:33.260] That word list is now a favorite for hackers and security researchers because it's a lot of passwords and it's enough to give us a sense of the kind of passwords that human beings choose the most. [27:33.260 --> 27:34.320] And here they are. [27:34.520 --> 27:35.820] A hundred passwords. [27:35.820 --> 27:40.180] These are the ones that are selected by humans the most, at least in 2009. [27:40.200 --> 27:43.460] You can see a lot here that sort of screams 2009. [27:43.700 --> 27:45.380] Spongebob is in there. [27:45.380 --> 27:47.540] Eminem is in there. [27:48.380 --> 27:51.360] Lots of number strings are in there. [27:51.360 --> 28:02.420] It feels very 2009, except from 2020 to 2022, all of these ones shaded in red were still in the top 200, according to NordVPN. [28:02.420 --> 28:16.180] I thought my data was bad when I was collecting this, but I noticed lots of people were using RockYou in the RockYou list, which doesn't seem great, but if they weren't in the NordVPN list, this is really how it is. [28:16.200 --> 28:21.940] Eminem is a grandfather now and he's still in this list. 
[28:23.380 --> 28:27.760] You can find people using these passwords even today. [28:28.040 --> 28:34.840] Even Kanye in the Oval Office using one of the RockYou 100 to open up his iPhone. [28:34.840 --> 28:36.460] There he is right there. [28:37.380 --> 28:44.800] So if we know the kinds of passwords that people choose, you can just try those passwords against a whole bunch of people and you'll get a lot of them. [28:44.800 --> 28:53.620] If your password dictionary is just 25 and you do a good job of selecting them, you've got a 1 in 40 chance of getting into one of those Sony accounts. [28:53.660 --> 28:58.280] If you use a bigger password dictionary, 1.7 million, you've got a 1 in 3 chance. [28:58.360 --> 29:03.460] Because humans are bad at picking passwords, you can get in pretty easily. [29:03.600 --> 29:07.840] Now, we know all this because those passwords are stored in plain text. [29:08.060 --> 29:26.180] If you put the RockYou 100 into NTLM hashes, and we're getting a little computery here, but I trust that even our non-computery friends and family and coworkers can get this, you can store them and you can't see immediately what those RockYou 100 passwords are. [29:26.760 --> 29:28.440] This is called hashing. [29:28.440 --> 29:29.680] It's just math. [29:29.680 --> 29:37.560] Every time you hash Taylor using the NTLM process, which you can find in Wikipedia, it doesn't matter here, you get that same output text. [29:38.120 --> 29:51.240] And every time you log into a Windows machine, or every user who logs into a Windows machine, will get their NTLM hash stored in that SAM file, or at least the last 10 is. [29:51.240 --> 29:55.220] But how many computers do you interact with that have more than 10 people logging in? [29:55.220 --> 30:00.260] Basically, anyone who's ever logged into a computer has their hash stored there. 
[30:00.260 --> 30:11.580] If you have a domain admin account and you log it in to a workstation of someone who might be vulnerable to phishing, that hash for your domain administrator gets put in that file right there. [30:12.240 --> 30:21.400] If they get the domain administrator password and they get to your domain controller, that file right there has all the hashes for the entirety of your domain. [30:21.540 --> 30:26.880] That is where attackers make a beeline to once they have domain admin. [30:26.880 --> 30:30.480] They get that information and they start to get to cracking. [30:30.620 --> 30:33.500] So I want to talk about what cracking is just in general. [30:33.500 --> 30:50.080] If you made a list of every possible password, it's way too long, but it's called brute forcing for a reason, you can figure out what the hash is just by using the NTLM algorithm and then comparing it to the list of hashes to be cracked to figure out the password. [30:50.300 --> 30:57.520] And because we know people always choose the same sets of passwords, you know which passwords to put in the dictionary. [30:57.920 --> 31:05.860] And the bigger your dictionary gets, the larger the number of passwords you can crack. [31:06.300 --> 31:11.680] And Troy Hunt has been at work for the last 15 years collecting this stuff. [31:11.680 --> 31:16.500] That list had 847 million when I started this presentation and then he added a bunch more. [31:16.500 --> 31:20.480] It's got 1.1 billion passwords in it now. [31:20.600 --> 31:22.520] He's got all of them. [31:23.120 --> 31:25.120] Is a billion a lot? [31:25.120 --> 31:28.320] There's actually two really interesting ways to look at it. [31:28.320 --> 31:40.580] If you're a human being and you're choosing a password and you want to be safe, you know, for some website out there, there are 1.1 billion options that are already known to sprayers, stuffers, and crackers that you have to avoid. 
[31:40.580 --> 31:48.420] You have to dodge all 1.1 billion of them because the attackers will know to try those because they're essentially public. [31:48.600 --> 31:58.760] On the other hand, if you choose a random password, you're going to have a very hard time getting one of those 1.1 billion out of it. [31:58.760 --> 32:03.580] You are going to be choosing a password no one has ever used in the history of passwords. [32:03.580 --> 32:06.200] And that history is actually pretty long. [32:06.720 --> 32:09.680] Because humans are bad at choosing unique passwords. [32:09.960 --> 32:16.880] There are 37 million, million, million, million, million passwords that are possible out there. [32:16.880 --> 32:25.980] And if you chose a random one, the odds of getting one out of that 1.1 billion are about the odds of winning the Powerball lottery three times in a row. [32:26.960 --> 32:35.700] So Troy Hunt's got this website called Have I Been Pwned and it shows you which breaches include your email address and it will tell you without showing you what data was in there. [32:35.700 --> 32:41.240] Whether it has passwords, whether it has your birthday, whether it has your address, stuff like that. [32:41.240 --> 32:44.120] And they also have this Pwned Passwords section. [32:44.120 --> 32:46.360] I urge caution directing people to this. [32:46.360 --> 32:50.360] You don't want to teach people to put in their best passwords in some random website. [32:50.420 --> 32:54.620] But if you want to explore and see what's out there, it's a really useful tool. [32:54.620 --> 32:56.420] So I did this with a couple of mine. [32:57.500 --> 32:59.560] That's my Gmail account right there. [32:59.880 --> 33:09.160] My time playing poker got me in a couple of MGM Grand leaks and my time 3D printing got me into a Thingiverse leak. [33:10.560 --> 33:15.880] My pwned password, you can't see it in there, but one of my favorite passwords was donkey wheel.
[33:16.060 --> 33:18.060] A little bit of leet speak in there. [33:18.260 --> 33:24.960] At some point, I don't know who, they got breached and they lost that password and it started getting used and it was gone to me forever. [33:24.960 --> 33:29.280] Anyone know which TV show I was a fan of with the password donkey wheel? [33:30.860 --> 33:31.800] It's Lost. [33:31.800 --> 33:32.900] It's season 6. [33:32.900 --> 33:34.740] Not a lot of people watch that one. [33:35.240 --> 33:37.620] But one last bit on password cracking. [33:37.620 --> 33:40.920] I helped organize the Capture the Flag for SecretCon in St. Paul last year. [33:42.100 --> 33:44.000] And this was one of the questions on it. [33:44.000 --> 33:47.560] And it took the SecretCon attendees about five minutes to figure this one out. [33:47.560 --> 33:49.540] And I thought this was one of my tougher ones. [33:50.060 --> 33:53.400] If you learn a user's password, you know, that's pretty good. [33:53.400 --> 33:54.660] Daenerys Targaryen. [33:54.780 --> 33:57.560] But now you know they're a Game of Thrones fan. [33:58.660 --> 34:04.740] If that is the password hash on their new password, what's the user's new password? [34:04.740 --> 34:08.880] Well, you can build your own password dictionary with the information you already have. [34:09.360 --> 34:11.760] You can just take characters from Game of Thrones. [34:11.760 --> 34:13.740] You can put special characters in the middle. [34:13.740 --> 34:15.440] You can check the hashes for all of them. [34:15.440 --> 34:20.620] And oh, Joffrey, close brace, Baratheon, that's the one. [34:20.720 --> 34:24.280] And people were pulling that out just amazingly fast. [34:24.460 --> 34:33.420] If you think adding an exclamation point or incrementing a number or just taking the character at the beginning and moving it to the end is going to protect you, the attackers are onto you.
[34:33.420 --> 34:36.540] They will get to that password very quickly. [34:36.720 --> 34:45.260] The message that I'm trying to deliver with this is that it's so much easier to get access to people's passwords than it should be. [34:45.440 --> 34:52.980] And the reason I know this is the first version of this presentation was presented to middle schoolers I have access to via my wife. [34:53.420 --> 34:57.800] And I was telling them how this works, and they were grasping it. [34:58.560 --> 35:00.560] Why would you teach us this? [35:00.560 --> 35:06.200] These kids were thinking, this is exactly the stuff that I can go and do in my kid's life. [35:06.200 --> 35:13.260] Well, the reason why I'm teaching you this is because this is what the attackers are doing, and this is what you need to do to protect yourself. [35:14.120 --> 35:16.840] That's why Dad couldn't get his QuikTrip rewards. [35:16.840 --> 35:21.620] These kids are living a life with hackers going all the time. [35:21.620 --> 35:25.500] I hope that her father was respectful of the QuikTrip employees. [35:25.740 --> 35:32.200] There was one particularly security-conscious child who said, this is why I always apply a Caesar cipher to my passwords. [35:32.200 --> 35:33.640] I was just floored. [35:33.780 --> 35:38.240] And I didn't have the heart to tell him that once the attackers know, oh, you just do a Caesar cipher on it? [35:38.240 --> 35:41.040] Well, I'll just create a new dictionary using that instead. [35:42.900 --> 35:56.660] I was heartened a little bit that these students were putting their usernames or their email addresses into Have I Been Pwned to find out how many times that, you know, sixth graders, seventh graders had been pwned. [35:56.660 --> 35:58.600] And it's really not so much. [35:58.600 --> 36:00.160] That kind of felt good. [36:00.220 --> 36:05.260] They don't have much money to steal from, and they're probably not signing up to too much, but that's good.
[36:05.500 --> 36:19.300] But then they did something I did not expect, and they started putting their parents' email addresses into Have I Been Pwned, which is when one young lady shrieked, my mom has been pwned more than 50 times. [36:21.060 --> 36:22.840] It's not her fault. [36:22.840 --> 36:27.740] These businesses are not doing a good job of protecting our data. [36:27.960 --> 36:43.400] So I want to pivot from that into these attacks to the password guidance that Microsoft, I'm using Microsoft just as an example here, you get this guidance from a lot of places, what they're telling us, and to kind of develop a sensation for how we should feel about it. [36:43.400 --> 36:50.100] So we're going to start with creating strong passwords, at least 12 characters long, but 14 or more is better. [36:50.380 --> 36:54.940] Combination of letters, numbers, uppercase, lowercase, symbols. [36:55.240 --> 37:02.240] The new NIST recommendation says you should still recommend it, but you shouldn't necessarily require it, which is subtle, but it's important. [37:04.120 --> 37:07.400] Yeah, I mentioned that passwords have been around for a long time. [37:07.400 --> 37:13.220] And that is what an authentication portal during prohibition looks like. [37:13.260 --> 37:14.520] That right there. [37:14.520 --> 37:16.660] And it went pretty much like you'd expect. [37:16.660 --> 37:21.660] People would go in and have a good time, and then eventually there'd be a breach. [37:22.020 --> 37:26.620] That's what a breach looked like during prohibition on your password portal. [37:28.120 --> 37:31.320] Wisconsin actually hides a secret restaurant. [37:31.820 --> 37:36.240] And the joke is only fools don't know the password to enter the restaurant. [37:36.240 --> 37:40.960] There's no sign there, but everyone knows it's a restaurant and everyone can get in. [37:41.140 --> 37:45.160] That's actually the location of the first CypherCon, as it turned out. 
[37:45.160 --> 37:47.900] So I'm kind of pleased to have that there. [37:48.060 --> 37:50.200] Passwords go back even further. [37:50.800 --> 37:57.380] Shakespeare wrote Hamlet right around the year 1600, and his characters chose the password long live the king. [37:57.640 --> 38:00.760] Seems like a pretty easy thing to guess. [38:00.760 --> 38:03.100] That doesn't really fit Microsoft's password guidance. [38:03.100 --> 38:05.440] We can check it in Have I Been Pwned. [38:05.440 --> 38:08.240] It's been seen 410 times before. [38:08.440 --> 38:09.960] Really not ideal. [38:09.960 --> 38:11.360] We can go back further. [38:11.500 --> 38:13.140] This is right around 0 BC. [38:13.140 --> 38:15.600] I think about this Roman stuff all the time. [38:17.080 --> 38:31.140] People would need to authenticate themselves around Roman camps, and once a day they'd have a password that they'd use, and if you didn't know that password and you were caught lurking around one of these camps, things wouldn't go very well for you. [38:31.220 --> 38:33.760] I had AI generate this picture for me. [38:33.760 --> 38:41.400] I didn't tell AI that the Romans called this a watchword, but they sort of got most of the way there. [38:41.400 --> 38:45.360] I was kind of wondering if waswarid was an okay password. [38:45.360 --> 38:47.060] Hey, that one actually passes. [38:47.420 --> 38:49.160] So they're not all bad. [38:49.680 --> 38:54.240] So that's what it takes to choose a strong password, and we can move on. [38:54.240 --> 38:55.260] All right. [38:55.260 --> 38:56.960] You've got to secure your password. [38:57.820 --> 39:00.260] Anyone recognize this picture right here? [39:00.260 --> 39:02.540] It's a clip from a video. [39:02.760 --> 39:04.580] Laremy Tunsil, does that name ring a bell? [39:04.580 --> 39:07.020] He is an offensive lineman. [39:07.020 --> 39:09.440] I know there were rumors about him going to the Commanders.
[39:09.440 --> 39:11.800] I forgot to check if that actually happened. [39:11.940 --> 39:16.600] This is a picture that was released on his own Twitter account. [39:16.780 --> 39:23.320] He was expected to be drafted sixth by the Baltimore Ravens in the 2016 NFL draft. [39:24.280 --> 39:35.700] But the very morning of that draft, this video got released of him smoking a bong gas mask combo on Twitter. [39:35.700 --> 39:38.340] He fell to 13, where he was drafted by Miami. [39:38.340 --> 39:44.920] It is believed that this loss of his password cost him $7 million in contract information. [39:44.920 --> 39:50.620] I can't find a better example of a reason to not share your password. [39:50.620 --> 39:51.940] I don't feel so bad for him. [39:51.940 --> 39:55.100] He sold that video as an NFT for charity. [39:55.100 --> 39:56.900] He's very good-natured about it. [39:56.900 --> 40:00.540] And he recently signed a three-year $75 million contract. [40:00.540 --> 40:01.860] He recovered is my point. [40:01.860 --> 40:03.220] Don't feel that bad. [40:03.720 --> 40:06.280] But yeah, don't share your password with anyone. [40:06.480 --> 40:19.020] But Microsoft has a lot of nerve telling us that, because they've shared hundreds of millions, businesses have shared hundreds of millions of passwords with their breaches. [40:19.640 --> 40:23.260] And they had this particular vulnerability in Outlook. [40:23.280 --> 40:31.180] Essentially, this is from 2023, if you sent a specifically crafted meeting invitation, that meeting would go into Outlook. [40:31.180 --> 40:35.320] Even if you didn't accept it, it would automatically ping your reminder. [40:35.320 --> 40:45.280] And when the reminder launched, bing, it would send your NTLM hash straight off into the internet to the computer that was controlled by the attacker. [40:45.280 --> 40:49.300] So now they've got your hash and they get to work on cracking.
[40:50.100 --> 40:53.700] And Microsoft is telling us not to share our passwords. [40:53.800 --> 40:55.460] So some more advice we got. [40:55.460 --> 40:57.500] Use a unique password for each website. [40:57.500 --> 41:03.000] We talked about credential harvesting for that. [41:03.000 --> 41:07.960] I currently have logins, and I try to keep it down, at 137 websites. [41:07.960 --> 41:14.520] There's no way for that to be unique without some kind of vault or some sort of... I can't remember 137 different passwords. [41:14.520 --> 41:20.740] So the way that works is there's me, I've got a password, let's say I want to sign into some Microsoft service. [41:21.080 --> 41:28.120] Instead of giving it directly to Microsoft, I also give it to a password manager. [41:28.660 --> 41:33.400] Anyone know why Ben Franklin is featured so prominently on this slide? [41:33.400 --> 41:34.560] Any guesses? [41:35.520 --> 41:38.940] Because three may keep a secret if two of them are dead. [41:39.800 --> 41:41.740] It didn't work out. [41:41.740 --> 41:43.840] That's LastPass over there. [41:45.440 --> 41:51.480] That was what was on the slide from the work account that I was looking at there. [41:51.480 --> 41:56.640] That was sort of unpleasant, the day I learned that that had happened. [41:57.240 --> 42:04.520] But password managers are such undeniable improvements, I don't want to get too down on it. [42:05.060 --> 42:14.100] And the thing that password managers do really well is they won't autofill that password unless you're on the site where it belongs. [42:14.100 --> 42:20.420] So if you're on that one Teola phishing page, your password isn't going to go into that, which is extremely valuable. [42:20.420 --> 42:24.280] It makes you look, it slows you down because something is broken. [42:25.220 --> 42:29.960] But come on, they got all the backups from LastPass.
[42:30.580 --> 42:44.000] It was because somebody was working from home on a computer that had an unpatched version of Plex, unpatched for 71 patches, and the thing was exposed to the internet. [42:44.160 --> 42:49.640] And when I read that, I thought to myself, didn't I install Plex a couple years ago? [42:50.780 --> 42:53.700] All right, I wasn't exposing mine to the internet. [42:53.720 --> 43:01.260] But it sort of makes you realize, like, hey, there's a lot that you need to do right every single time to protect yourself. [43:01.260 --> 43:13.900] And it's not just LastPass, that Cisco extortion attempt that we saw at the beginning, that started with an employee who was working from home and had his Cisco VPN credentials in his Google Chrome password manager. [43:13.900 --> 43:18.100] So when his personal account got popped, bam, off go the VPN credentials. [43:18.100 --> 43:19.460] Now that's valuable. [43:19.460 --> 43:22.680] A lot more valuable than some individual's Google account. [43:23.400 --> 43:30.420] They got into that, and Cisco told us about it because they were spiking the football at having stopped that attack. [43:30.500 --> 43:38.020] In any case, that's been a lot of password guidance, but we finally get to move on to what I really enjoy in this presentation. [43:38.020 --> 43:39.400] And we're not there yet. [43:39.400 --> 43:42.780] Don't be tricked, is the next advice that Microsoft is giving us. [43:42.780 --> 43:45.700] Don't be tricked into revealing your passwords. [43:45.700 --> 43:47.620] People are trying to trick us all the time. [43:47.620 --> 43:49.580] How is this good advice? [43:49.580 --> 43:50.760] It's really not. [43:50.760 --> 43:52.800] Let's just be straight about that. [43:52.960 --> 43:54.880] Let's take a look at this phishing message. [43:54.880 --> 43:57.300] This is a lot better than any others we've seen. [43:57.340 --> 43:59.180] Sending privileges restricted.
[43:59.180 --> 44:06.540] If you have a Mailchimp account, it's important that you follow the rules and that you don't send messages to people who have opted out. [44:06.540 --> 44:08.260] Bad things can happen. [44:09.580 --> 44:15.320] I collected that from a blog post from Troy Hunt on March 25th. [44:15.320 --> 44:16.920] This was just ten days ago. [44:16.920 --> 44:20.780] This was getting posted as I was taking my GCFA exam. [44:21.400 --> 44:22.820] He got phished. [44:23.160 --> 44:28.440] Troy Hunt, a security researcher, is not immune to phishing. [44:28.440 --> 44:29.520] And he admits it. [44:29.520 --> 44:37.780] I'm so glad that he did that because this was a point that I wanted to make in this presentation and I couldn't get a better way to do it. [44:37.780 --> 44:39.180] He's not immune to phishing. [44:39.180 --> 44:40.560] I'm not immune to phishing. [44:40.560 --> 44:42.180] You're not immune to phishing. [44:42.180 --> 44:43.520] And it's okay. [44:43.920 --> 44:49.520] But it does need to get into how we understand risk. [44:50.000 --> 44:57.060] Now, I want to mention right here, there's a note in the Microsoft guidance about out-of-band confirmation. [44:57.600 --> 45:00.660] And that brings me back to this email. [45:00.920 --> 45:02.520] They were very insistent. [45:02.520 --> 45:05.920] Don't hesitate to ask me any questions if you have any. [45:05.920 --> 45:10.080] We did ask some questions, except we didn't use the email to do it. [45:10.080 --> 45:11.300] You get on the phone. [45:11.300 --> 45:16.580] You use some other mechanism to say, hey, we got a very suspicious email from you. [45:16.580 --> 45:18.700] Did this actually come from you? [45:19.140 --> 45:24.940] And we had a very grateful contact who, you know, we didn't say things are bad. [45:24.940 --> 45:25.520] You've been hacked. [45:25.520 --> 45:27.300] We just said we got something suspicious here. [45:27.300 --> 45:28.600] Would you look into it? 
[45:28.820 --> 45:30.060] Very grateful. [45:30.740 --> 45:36.960] No better way to do business than to just sort of, you know, casually mention, hey, check in on this. [45:36.960 --> 45:37.920] Very happy. [45:37.920 --> 45:39.080] Good for us. [45:39.580 --> 45:42.560] So there is a lot of guidance on this screen. [45:42.560 --> 45:44.540] And that text has gotten very small. [45:44.540 --> 45:46.060] And it's a very bad slide. [45:46.060 --> 45:48.520] But there's something that I skipped right over. [45:48.520 --> 45:49.920] Does anyone know what it is? [45:49.920 --> 45:51.020] Any guesses? [45:51.600 --> 45:54.800] I've done this a couple times and no one's caught it. [45:54.800 --> 45:56.480] I'm kind of surprised by it. [45:56.480 --> 45:58.040] But here it is. [45:58.860 --> 46:01.240] Enable multi-factor authentication. [46:01.740 --> 46:04.240] Except that's not password guidance. [46:04.240 --> 46:06.580] That's passwords are not enough guidance. [46:06.660 --> 46:13.140] That is tacit acknowledgement that passwords alone do not provide an adequate level of security for many accounts. [46:13.140 --> 46:16.020] And at this point, I'd probably say most accounts. [46:16.320 --> 46:18.820] Passwords are insufficient. [46:20.680 --> 46:32.400] This password authentication that we've been so committed to for so long, and you might note if you go to the con here and you go to the historical computers they have up there, how many of those have passwords? [46:32.400 --> 46:36.880] We tacked passwords that we've been using since 0 A.D. [46:36.880 --> 46:39.720] on the computers relatively recently. [46:40.360 --> 46:45.860] And it is assigning to users too much responsibility for account security. [46:46.380 --> 46:49.820] It creates too many opportunities to fail. [46:49.820 --> 46:51.940] Look at that slide. 
[46:52.680 --> 47:08.680] So the Office of the National Cyber Director said something in March 2023, you hear this echoed from Microsoft and Google and other as well, that we have to rebalance the responsibility to defend cyberspace by shifting the burden for cyber security away from individuals, [47:08.680 --> 47:16.980] small businesses, local governments, and on to the organizations that are most capable and best positioned to reduce risk for all of us. [47:16.980 --> 47:18.680] That is the cyber security people. [47:18.680 --> 47:22.500] That is us having conversations with our friends and family. [47:22.500 --> 47:36.880] But it's also acknowledging that the people we work with, the people we are, are in an adversarial relationship with nation-state attackers who do this for a living. [47:36.880 --> 47:41.260] We have to expect that eventually we will be breached. [47:41.260 --> 47:47.720] And if you have an org of any significant number of people, you absolutely have to expect that those breaches are coming. [47:47.720 --> 47:52.140] And that brings us into risk management and thinking about risk management. [47:52.140 --> 47:55.220] Our objective is not to maximize security. [47:55.220 --> 48:04.540] There's a lot of attitudes that I hear from IT folks that are a little bit frustrating, but it's a frustrating position to be in. [48:04.540 --> 48:16.320] Our objective is to balance trade-offs between security, flexibility, usability, and cost in a way that's understood and endorsed by leadership. [48:16.320 --> 48:18.380] And that means communicating that. [48:18.380 --> 48:21.360] It means some basic risk management analysis. [48:21.360 --> 48:26.860] It means putting risk management on your resume, because if you're working with this stuff, it can be on your resume. [48:29.200 --> 48:40.340] There's not enough time to talk about IT in its entirety, at least as I experience as the sole IT practitioner at an organization protecting data from the U.S. 
[48:40.340 --> 48:42.600] Postal Service and antitrust litigation. [48:43.360 --> 48:48.040] We are doing tech support and risk analysis and management consultant. [48:48.040 --> 48:49.420] We're a security guard. [48:49.500 --> 48:56.740] I have had people cry near me, and it's because of the situation they find in me. [48:56.740 --> 49:05.320] It's because they feel comfortable talking to me and that I sort of understand, and there's no blame associated with the situation we're in. [49:05.320 --> 49:11.650] But we're also incident responders and emergency managers, and so, so tired sometimes. [49:12.590 --> 49:24.950] So, in improv, they say show, don't tell, and that's what I tried to do with a cybersecurity presentation that I have stuck into this right here. [49:24.950 --> 49:27.090] I'm now telling you some of the things I tried to do. [49:27.090 --> 49:30.650] Heap bountiful praise on people who are doing a good job. [49:30.650 --> 49:33.890] Welcome, invite, or initiate cybersecurity discussions with anyone. [49:33.890 --> 49:36.870] People are desperate to talk about this stuff, I find. [49:37.650 --> 49:44.750] Athletes and random dog videos, because it's fun. [49:44.970 --> 49:48.130] The last one I haven't done yet is public gratitude. [49:48.770 --> 49:51.130] There are so many people to thank. [49:51.130 --> 50:02.730] My journey to CypherCon and this presentation has been assisted by so many different people, not all included, but I mostly want to thank you for listening. [50:02.730 --> 50:08.570] So, if there's any clapping that happens during this presentation, I really hope it's on this slide right here. [50:14.270 --> 50:17.710] And I appreciate it, but I'm not quite done. [50:18.350 --> 50:21.270] So, this question, how did this happen? [50:21.270 --> 50:31.650] This whole presentation happened because I was on a volunteer incident response for ransomware behind one of these red stars. 
[50:31.650 --> 50:41.470] These were 2024 incidents through about September, and a senior member of leadership sat down right next to me and said, hey, how did this happen? [50:41.890 --> 50:44.490] And I really botched the answer. [50:44.490 --> 50:46.230] I felt bad about it. [50:46.230 --> 50:53.830] I started talking about this specific stuff about what was happening and what we were finding and what we weren't finding, and none of that really mattered. [50:53.830 --> 51:03.990] So, I was driving home and I was thinking, if I had an hour in a room with senior leadership and they couldn't get out, and I got to tell them anything I wanted about cybersecurity, what would I tell them? [51:03.990 --> 51:06.470] And it was really this presentation. [51:06.530 --> 51:14.550] But if I only had 20 minutes, if I was in an elevator, if that person sat down next to me again, it would be this slide right here. [51:14.590 --> 51:16.390] 20 seconds, I mean. [51:16.430 --> 51:20.790] Passwords alone are never enough to secure remote access to any system. [51:21.270 --> 51:22.690] All systems. [51:22.770 --> 51:27.130] But particularly those exposed to the internet need monitoring for installation of critical updates. [51:27.130 --> 51:32.870] The attackers will be there in a day or less, sometimes even before you know that it's vulnerable. [51:32.990 --> 51:36.210] And finally, prepare your colleagues for phishing. [51:36.670 --> 51:41.890] So, getting these things right is the base level. [51:41.890 --> 51:44.790] When I'm on a CRT engagement, this is what I'm talking about. [51:44.790 --> 51:47.830] This is the message that I decided I wanted to deliver. [51:47.830 --> 51:50.530] I am, again, really grateful you came to listen. [51:50.530 --> 51:54.830] I've had a blast putting together this presentation and presenting it. [51:55.510 --> 51:56.450] That's it for this. [51:56.450 --> 51:57.890] Thank you very much. [51:58.030 --> 52:00.370] Enjoy the rest of your CypherCon.
[52:00.730 --> 52:02.610] And yeah, please say hello. [52:02.610 --> 52:04.090] That's my LinkedIn right there. [52:04.090 --> 52:07.070] LinkedIn has suffered a scraping breach, so to speak. [52:07.070 --> 52:07.950] All that information. [52:07.950 --> 52:11.150] That is how they are attacking our new hires. [52:11.170 --> 52:12.430] They post on LinkedIn. [52:12.610 --> 52:14.370] They cross list the data. [52:15.010 --> 52:15.710] Yeah. [52:16.530 --> 52:17.490] I've been Brad Wagner. [52:17.490 --> 52:18.650] Thank you very much. [52:21.810 --> 52:22.410] I [52:36.450 --> 52:39.170] will give questions if there are none. [52:39.450 --> 52:40.210] Yeah. [52:45.590 --> 52:47.890] Did you say magic links? [52:48.670 --> 52:51.510] I don't know what a magic link is. [53:00.850 --> 53:03.450] Oh, I like that better. [53:04.510 --> 53:10.770] This is me ranting about passwords for about half an hour with giving you no solutions. [53:11.190 --> 53:14.990] So, to the extent that that's a solution, I really, really like it. [53:14.990 --> 53:22.050] I have implemented Windows Hello for Business in my org, and that has been phenomenal. [53:22.050 --> 53:26.810] It is currently in a state where it's optional, but the uptake has been great. [53:26.950 --> 53:36.270] For those who don't know, this is a passwordless solution that combines something you are with something you have, which is the TPM check. [53:36.270 --> 53:39.010] Note that neither of those items is something you know. [53:39.010 --> 53:42.090] It's totally passwordless, and it's easier than passwords. [53:42.090 --> 53:57.890] You put your finger on the fingerprint reader, or you put your face in front of the IR camera on this laptop, and our uptake on that is something like 93% of our logins now are multi-factor in that fashion. [53:57.890 --> 54:05.530] So, it's so weird for something that is more secure to also be easier to use, but that's what that is. 
[54:05.530 --> 54:16.110] So, start looking for ways to get passwords out of your workflow, and you've got fewer opportunities for attackers to put login pages in front of your users and steal those credentials. [54:16.110 --> 54:19.530] So, to the extent that a magic link helps with that, I love it. [54:21.010 --> 54:22.030] Yes, right. [54:22.430 --> 54:26.450] Oh, okay, we'll do one more, and then I will be in the hall. [54:27.430 --> 54:28.690] Go over there. [54:42.970 --> 54:45.490] Yeah, you're right about the disconnect. [54:45.490 --> 54:55.770] The attack that was in the newspaper article we talked about was less an attack on IT than it was an attack on a business process. [54:55.790 --> 55:11.070] So, it's not IT that puts together most of the business processes, but when a cybersecurity department or a cybersecurity-minded IT professional sees that communicating, that's the way to go. [55:11.070 --> 55:18.170] One of the things that happens at my org and many orgs is an email that says, hey, it's United Way campaign season. [55:18.170 --> 55:20.270] Click here to donate. [55:20.550 --> 55:23.890] And, you know, we communicate it. [55:23.890 --> 55:35.730] We're small enough that we kind of have an opportunity to do that, but I am kind of surprised I don't see campaigns that match that, because that looks like a vulnerable process to me. [55:36.010 --> 55:41.290] So, yeah, happy to have more conversations on this out in the hall. [55:41.290 --> 55:43.030] I've had a lot of fun putting this together. [55:43.030 --> 55:44.090] Thank you all again. [55:44.090 --> 55:45.170] Enjoy the rest of the con.