It's five o'clock somewhere, time for the Security Cocktail Hour. I'm Joe Patti. For over 20 years, I've been working in information security and knocking back martinis all over New York.
I am Adam Rohr from Staten Island, locksmith, EMT, love to box, and on rare occasions, I've been known to engage in cybersecurity. Let's go! Look, before we start, I just want to say, you and I have had some off podcast conversations about information, how it's redacted. So I feel like I don't want to let people know where I am and who I am. As a matter of fact, we're going to talk about this after, and maybe I'm going to use a pseudonym. I want to keep anonymous. Go ahead.
Yeah, it's a little late for that, but I got news. As far as where you are, everyone figures you're either from Staten Island or Brooklyn. It doesn't matter what, you know, what you do. Unless you're going to put on some fake accent or something.
Yeah, he's not, though.
He's not, though.
All right. So, yes, a little lighter tone today. We've been dealing with some heavy stuff lately in recent episodes. However, there is a little bit of a lighter side to security. You know, Adam, you and I have both been in security for a long time, a time counted in decades, not even between the two of us, each of us. It's been quite a while. And, you know, I kind of feel like Han Solo, as he said. I've been from one end of the security galaxy to the other, seen a lot of strange things. You do see some very interesting stuff. It's not all bits and bytes and hackers and everything. A lot of it actually has to do with the people you're dealing with. And so we're going to talk a little bit about some of these stories that we've managed to accumulate over the years. And this is just a small smattering of them, just to give people a little idea of what it's like to work in security day to day as things pop up.
You know, it's kind of funny also, I was reading this whole thing on LinkedIn, probably the only real social media I have, and not that it was cybersecurity, but it was an attorney speaking of some of the things that she's interacted with, and how she doesn't want to really talk the specifics, due to, you know, client-attorney privilege. And as people in security, right, we don't want to give real specifics, but oh my God, the things that we could talk about if we could really say specifics.
Oh yeah, no specifics there, just general kind of things, little nuggets of stuff that happens. And you know, especially if you want to go into security, like I said, you got to realize it's not all bits and bytes. There is actually... sometimes you feel more like a psychologist than anything else. There's the psychological aspect of it when it comes to things like phishing and social engineering, but then there's just dealing with people. People have a lot of feelings about security. They love it. They hate it. They love it until you ask them to actually do something. Then they hate it. They freak out over it. You get a lot of different reactions.
It's one of those things like when people talk about building something, not in my neighborhood. So what I mean by that is, is that people will confess to you or profess to you and tell you, no, I don't wanna do this. No, I don't want this type, I don't want the security on me. It's okay for everybody else, but not for me. I don't want you limiting my emails or my contacts or my exfiltration of data, meaning removing data from the organization. I don't want you locking down my USB drive. I need to copy my files. But when it comes to the stories, there's a lot of them. And there's a lot of them because people just do things that they don't think about. I mean, I can start off one if you want me to.
Go right ahead. No names.
No, no, no names. So this actually relates directly to me, but then back to an organization. You know, we, I think at one point were involved in speaking to a team about something. And then I personally, out of nowhere, got an email that was probably about two pages long. And in that email, it was basically telling me how they compromised my machine, my personal machine. They had access to my cameras. And they were watching me do certain things. And the first thing that I said was... Certain things. Oh, certain things, you know. Maybe I was a little bit busy.
Maybe you had some time on your hands.
Or maybe my hands were busy. I don't know. And what bothered me about the whole thing was... For a person who's been in security for a long time and seen a lot of the tactics and techniques people use to socially engineer people, I was like, wow, is this a joke? Is this a game? Because I've never seen this type of email before.
And I went to- And this is going back a little ways though. Now these are more common. These are more common.
I was the first person. Not only did the team I work on see this email, I was the first person that that incident response team, that third-party team, has ever seen that email from. So I was a pioneer in the sexploitation email recipient deals.
That's right, because the attackers obviously had plotted you out as a good first victim, someone likely to be.
So I'm sitting there, I'm sitting there.
And actually, we should explain, just to be clear. It's one of those emails, it's called sexploitation, where you get a random email and it says, I've hacked your computer. I'm in control of it. I've been using your camera and I've been recording you while you watch pornographic sites.
Pleasure yourself.
Yes. Pleasure yourself and pay me a ransom or whatever. And I'm going to, you know, send it to all your friends, your family, that, that, that kind of thing. So yeah. So that's what we're talking about here. And it was new at one point a few years ago.
So I went back to that third-party team. I'm like, guys, did you do this? They're like, well, we have done stuff like that, not exactly sexploitation, in other countries where it's legal for us to do that, but we did that to you.
Is that legal?
When I say legal, they have social engineered people's personal email accounts. They said it, not me. I'm not saying they sent my sexploitation email. I scared the living crap out of them. So I'm having a conversation with them. I go, what do you think? They go, were you doing something? I go, that's not even the point. I go, my cameras are all covered anyway. I'm saying, why? I've never seen...
Did you ever forget?
What?
Did you ever forget to cover it?
Only when I want to. So, so they were like, they're like, nah, we didn't, don't worry about it. I'm like, I'm not worried about it. That's not the point I'm making. The point I'm making is, where's this coming from? Because it's never been out in the wild. I Googled it. No one ever saw it. So I was one of the first people. And the reason why I think I got this, besides the fact that I think I'm so good looking. Okay, I'm not. But I think it's because I've been compromised so many times due to all the accounts that I have. So if you are on a list, that's it. You are on a list. What I mean by a list is that, if your LinkedIn account, your LastPass account, and any other accounts you've ever been compromised on, and I mean compromised with LastPass, I don't want to go too far into that whole conversation, but the more times that you've been compromised, the more times that you're going to appear on lists, and people use these lists for other nefarious reasons. I might see everything. It's a sales list.
Sales list. Yeah. And, and, and we're going to tell everyone this, this stuff is fake. I mean, someone just, you know, gets your email address. Well, it's safe for most people.
Some celebrities have actually gotten real stuff. Some celebrities have had their pictures, take a picture, take it out of their private files, and saying, if you don't turn around and give us money, we're gonna release the pictures of you topless. And these celebrities, at least them...
Well, that's a little different because, yes, you know, that's actual, you know, blackmail. Someone's targeted. They're going in, and, you know, the typical, what we call sexploitation stuff, is, yeah, where they claim, oh, I got control of your camera and you were watching porn or doing something or whatever. And those, I mean, it's fake, but it's amazing how, you know, we would get calls when I was a security manager, and, you know, people, it really freaks people out. It totally freaks people out. They're just like, what's this? How can that be? It's not true. You know, when they start going, and you can kind of play with people a little bit too sometimes. And you're like, well, yeah, but what are you worried about? Don't you know it's fake? This would never happen. They go like, yeah, but, you know, what if they have something that's AI generated or something?
So, so, so, so, look, I, I knew it was fake after the first 20 days. So that was good. I mean, I, I realized right away. No, but in all seriousness, we were involved in a purple team with that organization. And we do have some serious back and forth banter. So I thought they were playing with me. And I guess they weren't. I mean, I guess I shouldn't have paid them the bitcoins. And they were actually whole bitcoins.
Did you pay them bitcoins?
Two bitcoins. No, I didn't pay them.
Sorry. Anyway, to avoid this stuff, of course, don't do bad things. But, you know, otherwise, seriously, do cover your cameras. Cameras come with little slots, even if you just put a post-it up. I mean, you know, you never know when someone's looking in at your house or your office or whatever. So you should kind of... You know, just, just practice good stuff. But generally these things are lies. They're just to scare you and get some money.
Everybody just does it on their computer. And I'm, I'm included. They don't do it on their cell phones. They don't do it on their TVs. They don't do it anywhere else. But the point I'm making is they know how to work your feelings. And, and, and before you go crazy, first of all, never answer them.
Never, ever, ever. These tricks are actually not even technical tricks at all. They're not hacks. It's social engineering. It is playing on your fear. You know, it's something potentially extremely embarrassing, and it's so effective, people are so afraid that, you know, they start to wonder, it's like, you know, did I really do something wrong? I don't think I did. Even if they're innocent, they make you feel guilty over it, you know?
So mine was not only was it that we saw you, it's that we injected a one-by-one hidden pixel in your email and we know when you opened it and you have 24 hours to respond. And I'm like, wow, I go, that really, that really made me think. That's so much about this sexploitation. How can I start using one-by-one pixels and, you know, like for marketing, but send it to people and then start scaring my friends with their IP address? Which I stopped after three days.
Well, you know, Adam, yeah, you know, when you get these kinds of attacks, whatever, you know, it's not supposed to inspire you to try it on your friends.
I did, but not sexploitation. I didn't send them an email. I'm like, I'm like, I'm like, I was sending an email. I'm like, shit, this stuff really works. I got your IP address. And it's not even super technical either, but I never thought about sending hidden one-by-one pixels. And what that really does is, when you open the email, assuming that you have HTML turned on, meaning that you get pictures and images, that HTML goes out to a server and reports the IP address, because basically what you're doing is viewing a website within the email. It's really a cool technique and tactic.
Yeah, yeah. And there are ways where, with a lot of clients and even a lot of web-based email, it'll disable that, like it won't render the, you know, draw the HTML, or it won't load remote images and stuff. That's a good thing to use. But yeah, so this stuff is psychology. The other psychology that's really funny is the whole gift card scam, which has been going on for years. We keep seeing it. And that's where, I mean, it's amazing because people who can be extremely intelligent will fall for it. And again, this is not a technical thing at all. It's just someone sends an email to someone, and, you know, it often will come from your boss or, like, from an executive, like someone important. And they'll create a Gmail address that, you know, kind of looks like the person's Gmail address, has their name in it somehow, or, you know, whatever, Gmail and office.com, whatever. And it says, you know, I'm in the airport or I'm in another country. I'm traveling. I don't have my work laptop or something's broken. I'm about to do this big presentation. I'm in a spot and you got to help me out. Right away, I need this, and, you know, we got a big client. And of course what he needs is, you need to go out and, like, you know, buy a bunch of, like, you know, iTunes gift cards or something and send me the numbers from them, and somehow this will be able to help someone's, you know, business problem or solve a client need. It sounds ridiculous when you step back, but this is playing on, you know, psychology. Even for really smart people, for really smart, you know, even aggressive, you know, high achievers, people looking to, you know, move up in their company or whatever, this hits them right where they live. Even if they think it might be fake, they don't want to say no, and that would be the end of their career. You know, it's amazing.
I realized it was fake.
Well, when you think about it, it's ridiculous. I mean, think about it. Someone calls you up and it's not like, I need cash, call my wife, call the police or something. It's like, no, send me gift cards. Like what the hell is anyone going to do? Like iTunes is going to save your life or something? You know, it's preposterous.
Well, let's touch on a couple more things. First, guess what? There are other people out there that will also ask for gift cards. Like, this is the IRS, you owe money. And if you don't give us money right away, the easiest way to give us money is to buy two $500 worth of gift cards. I've seen that.
Yeah, that's right.
And then another thing that people also do is it will come from a real email address.
Yeah, well, sometimes it is compromised like that. That's true. That's true. That is a hack and that's a little more sophisticated, but we've seen people fall for this so hard. I mean, I remember one case where a guy, like, I think he went to, you know, he went to like a CVS or Walmart or something. And they would only sell him, like, a certain amount, like a hundred bucks' worth. And they go, you know, we have to, and he gets all pissed off. And they say, well, you know, we do it because it's fraud. And he goes, this isn't fraud. So he goes to another one down the street. I mean, it was like, it's so effective that it gets people even to circumvent the protections that are put on it. It's just amazing how much this works.
The cashier and the manager know me. They know exactly how it is. I'll tell you this. This is not a war story from security, but a war story in my own house.
My wife, about a week ago...
There is a constant war at your house from what you tell us.
Well, that's true too. But my wife got a contact from what appeared to be her cousin's husband, and actually in Israel, of all places. And he said, I need you to do me a favor. I need you to wire me money. I'm like, stop it right there. That is a scam. She goes, yeah, I think so too. I go, reach out to your cousin, your actual cousin, not the cousin's husband. So she reaches out to her cousin's husband and she goes, yeah, honey, this is real. We actually need you to do us a favor. We can't wire money from Israel to Venezuela. So apparently you can't send money from Israel to Venezuela using Western Union. They don't allow it to happen. So what she said was, so I said to my wife, I said to my wife, tell your cousin's husband to go on camera, just to visualize and make sure it's really him. He goes, yeah, it's me, I'm not dressed well, I had to put on a shirt. He goes, it's like four in the morning, but my son needs money, and the only way we can get him money is that you don't have a bank account in Venezuela, and Western Union's the only place, and since my cousin has you as a person in the US that can do it, we're gonna give you the money via PayPal, and you're gonna send the money via Western Union. True story, but it looked exactly like a scam. Exactly like a scam.
Yeah, well, sometimes things are. Actually, we had a case where my boss was, like, on vacation or overseas or somewhere, and we knew she was out of touch and she had really limited connectivity. Like, we were trying to get in touch, but, like, you know, the cell coverage is bad. She was out in God knows, God knows where, I don't know. So, so we get this email from, like, a personal account, you know, not the regular work account, and it says, like, you know, Joe, I need you to do this for me. Send me, send me this or something, and whatever. So as soon as I get it, I'm like, this is dodgy, you know. And so I'm like, you know, what do I do? But, like, but it could be her. And it was actually something kind of, kind of important and seems legit. But the more legit it seems, like, you know, then the more, uh, what's the... urgency. Yeah. Anything with a sense of urgency, you gotta, you gotta worry about. So we're sitting there, we're trying to figure out what to do. I got the whole team, whole security team together. And I said, wait a minute. I go, hang on. She says she's got no cell coverage, but that she's in this resort that has Wi-Fi, or some Wi-Fi, and I knew she had an iPad. So I said, you know what, let's try FaceTiming her. So I FaceTime her, and the FaceTime comes up, and she comes up, and I could see it was her, but it was, like, you know, really scratchy, bad video. But as soon as it pops up, she goes, it's me, it's me, it's me, send the thing. So you always got to check. So it helps if you can check.
Yeah.
She knew that to us, it looked totally dodgy, you know?
And that's the thing that we always, we always talk about when people call the call centers, you know, you really want to ask the person who's calling in something only they would know or something or some way prove to them. That's usually a video or a video verification. You know, we've seen...
But that's tough too. And that's why the identity theft and things are so, you know, so bad. Because you might think, you know, some of these random facts or whatever aren't important. But, you know, the truth is, things like, you know, mother's middle name, a lot of these things, you can get that information often without great difficulty, and some of them then become so obscure. You know, some of these questions like, what was your, what was your, like, your first pet's name? I'm like, I don't know. That was, I was five years old. Was it the, was it the fish or the hamster or what the hell was it?
You know, I mean, I like the ones that do the, do the validation based on your credit union stuff. In 1920, what was the car that you were driving? What was the model? Who do you have an account with or a loan? You know, what, you know, like things that only you would know.
Yeah, those are good, but I don't like the credit bureaus have that. You see, not everyone has access to that stuff.
Well, that's why, that's why I say like, I love the, the, the push to validate. Cause if you have your phone with you. Yeah, if you lose your phone, you can get screwed too. But you know what? What about those scams where people say, hey, can I borrow your phone for a second? And as they're on their phone, they're sending money from Zelle to you or one of those things. You got to be careful who you give your phone to.
Yeah. These days, don't let anyone borrow your cell phone. I mean, it sounds kind of rude, but you're like, say like, look, can I call you? Yeah. I'll call for you or I'll put it on speaker with you. Yeah. Something like that. Or I'll send someone a text for you. Yeah. Giving someone your phone that's unlocked. I mean, even if it's for, you'd be surprised how quickly people can swipe through that and get stuff. It's really, it's, it's frightening. And especially if it's a corporate phone, don't, please don't get into, you know, that can cost you your job, unfortunately. Um, but yeah, so, you know, some of the social engineering stuff can be can be kind of funny. Some of the other funny things are the calls that you get when like someone got a phishing email and they click something and they call and they say, I think I might've clicked something. And we go, really? You think you might've clicked something?
I mean, you clicked it and you think something happened. I wanna tell you this story about this, right? It's kind of security, kind of not, right? Every once in a while, working in an organization, somebody will report to you, they got an email and they're concerned about it. So we used to get those conspiracy emails, um, that say, hi, my name is blah, blah, blah. And I think I'm being, and I'm not even making this up, I think I'm being chased by aliens, or I think, or I think, I think, um, the government is after me. And they put something in my food. And I want you to help me. And we have to sit there and tear that PDF apart before we even look at the PDF. We have to see whether or not the PDF has been weaponized, the Adobe Acrobat. So once you find out whether or not the old Adobe Acrobat's been weaponized, then you gotta take it to the next level and work with the physical security people, because now you're worried about whoever got that, that they're a target physically. What comes as a simple PDF or any email or a Word document becomes very complicated now, because now you're looking at it in different aspects.
Yeah, and those can be really uncomfortable too, at least for InfoSec guys like us. We don't really do physical security. Some people in information security do both. But what happens with a lot of those is you get something, sometimes you get a threatening email. It's like, okay, you get a threatening email. If something's clearly threatening, it's like, if you call your physical security person, or you just call the police. And hopefully, if you're in a company where you have people at risk, you will have a physical security detail, protection detail service, that kind of thing, and, you know, you let them deal with that. You know, but it's the in-between things that can be messed up, and, you know, sometimes you have people, you know, sending things like they'll say, oh, I'll send to the, you know, to the CEO or something. You know, I have seen some, in some cases, where you can tell the person is, you feel bad, the person is, you know, disturbed. Sometimes these are people who just, you know, probably need more sympathy than anything else and need to get some help. That's kind of, that's kind of screwed up. These are the things that come your way. You think you're signing up to fight off hackers and instead you gotta deal with stuff like this. That's the biz.
So one of the fun things that we engage in, that really creates a lot of enjoyment, but can be dangerous, is when we do our purple team exercises. And for those who don't know what a purple team is, it's when you have the red team, or the adversary, and the blue team, the protectors. Red and blue make purple. So yeah, both teams form a purple team. And we do things sometimes that can kind of get a little bit out of control. What do you think?
Well, yeah, you got to be careful because, you know, you got to remember the way these things happen. Whenever you're doing a, you know, like a penetration test, you know, a regular test where you test the network, you're trying to attack it. You know, you got to make sure that you're not disrupting things for real, which, you know, very often you'll do those kinds of things on a test site, not the actual production site, not the real one, but a copy of it. But there are some things that you have to do on the real site. So you have to be really careful. And purple teams especially, you know, very often you have to do them on the real network, on the real systems, just because, you know, you need the defenders really defending their real turf or it's not very realistic at all.
Plus it's very hard.
Yeah, it's very hard. It's very expensive to get a simulated environment that's going to be worth anything. So you're working on, on the real, you know, on the real network. So you have to be careful when you, when you hire. Whether you hire someone, which you really should, to do this as the adversary, whether you hire someone or whether you do it yourself, you need to really know what you're doing and plan very, very carefully and have very clear, you know, what we call rules of engagement, or like, you know, don't, don't touch this. Don't touch that. You know, something that's a little too business critical. You just say, look, we're not even going to pretend that we're going after that. Do not mess with that, because mistakes can be costly. And even in an exercise like this, you know, you have a lot of back and forth, it's fun, you know, it's competitive. And things can get a little out of hand sometimes. Right.
So I'm, I'm the wise guy who decided to go after these really accomplished incident response pen testing people. Yeah.
In fact, I, in fact, when I was sponsoring these, I used to say, like, you know, anyone who manages to hack back and get into the attackers gets a convertible for the weekend or something.
Well, I mean, and that's the point I'm making. I did it, but I'm not going to claim to be that accomplished where I did something crazy. But what I decided to do was, I didn't like the fact that the red team started a little bit early. And unbeknownst to a certain person, which I won't say his name on a certain podcast, I did something a little bit earlier that I shouldn't have done. And I used a service account to get on the threat actor's computer, and whatever hashes they gathered, I changed.
A service account is like a maintenance account that we use to investigate machines or like do maintenance, install software, whatever. So Adam was kind of cheating a little bit that he had access to it.
But they were cheating too, so I cheated.
Then again, there's no such thing as cheating in this kind of exercise. There's that aspect of it all.
So a certain person told on me, and then a certain person made me put the hashes back the correct way. And after that, when the red team found out, they decided to go after me. And they thought they knew my ID on the network. But they were wrong.
And this is why you got to be careful with these kinds of exercises. Yeah.
So what happened, Joe, after they went after the wrong ID?
If I remember how this played out, basically, they left a little Easter egg for Adam to find, just to show they could. These guys were pros, so nothing harmful. But they put it in the wrong place, where someone other than Adam might have noticed it. Again, it wasn't anything harmful or disruptive, but it would have been embarrassing. It especially would have been embarrassing to the sponsor of the exercise, which was me, who told everyone we wouldn't have any disruption over this. So it got fixed. Nobody noticed it, no harm done. But I did have a minor freak out over it. After that, we get together and the team, we have a little talk about, let's tone it down a bit. The things that we do... Yeah, but nothing, nothing very bad. Just, you know, like I say, you got to be careful, and you also design it so you can't cause any real trouble. Like, you know, you wouldn't, you don't do these things if you're a bank on your, on your payment systems or on your, you know, e-commerce websites and stuff. You know what's funny?
Netflix does chaos engineering purposely. They do. They purposely have, you know, bots that go out there and shut down their production stuff to ensure things fail over. And if it doesn't, then the team has to respond. So they actually purposely cause chaos.
Well, they purposely cause chaos, but they're also testing mechanisms that are, you know, supposedly working, that are supposed to be resilient to that. you know, a purple team is a little different, I suppose, because, you know, you're going and really deliberately exploiting unknown gaps and discovering them.
Yeah.
So gotta be careful. You need to hire people, people you trust to implant carefully. Um, so yeah, some crazy things can, can happen.
Well, I mean, we've had things where
Well, yeah, I mean, you always find stuff. I mean, it's, it's funny, it can be frustrating, especially when you're a, when you're a security manager, because very often, you know, you have policies, and a policy is a piece of paper that people are supposed to follow. People don't always follow it. And you even put in, you know, and you educate them on the rules, and you make them sign up, you know, sign off on the rules and everything, but people still then manage to... You know, it's, it's, it's amazing the creativity that people can have in choosing horrible passwords that somehow manage to, like, you know, satisfy your policy. So you can be constantly, you know, over time... If you ever wonder why, like, you're at work or someplace and the password policy seems to change, you're like, wasn't it good before? You know, it seemed okay and tight and crazy now. It's probably because somebody figured out how to use the world's worst password that is still somehow within the bounds of that. It sounds ridiculous, and it is ridiculous, and it's just infuriating when it happens. Sometimes the lengths that people will go to to get around stuff like a password policy, or to write down a password, and not only write it down, but write it in the worst possible place that they can put it. It just makes you bang your head against the table that you've got to spend time on this again. Things like that are just nuts.
Yeah, or when we talk to the other teams and they say, come on, we're not stupid, we know what we're doing, and they put down... we put a complicated password: capital P-a-s-s-w-o-r-d, one, two, three, exclamation, exclamation. It's got uppercase, it's got lowercase, it's got numbers, it's over eight characters, and it has special characters. It's all good, don't worry. Yeah. Or, you know, it's... sorry, no, no, go ahead. And, you know, it gets this stuff, um, if, when you, if you're, like, doing consulting or if you're doing something internally and you do assessments...
And there are very often, depending on how you do it, there can be, like, two stages. The one stage of the interviews where you're like, you talk to the IT people and you talk to people and they say, like, like, oh, so how is this? So, using, like, you know, two-factor? Oh, yeah, we're using this. Oh, do you have the machine set up like this? Like, oh, yeah, we do that all the time. Yeah, that's in our, that's in our runbook. You know, that's in our manual of operation. Oh, yeah, we do all this. And then you get access to the network and to their stuff. And there are different, now there's a lot of automated systems that do this too. So it's gotten a bit better in a lot of places, but then you, like, you know, check up on them, and oh boy, you can find some interesting stuff. Then you have the, you know, the post, the post-test interview. You're like, can we have a little talk? That stuff can get a little crazy. Although that, again, that is getting better because more places have automated systems now that continually check the configurations, and when they work right, they eliminate a lot of that. But again, you'd be surprised. It almost seems like people will go to incredible lengths to get around things that you put in place to protect them.
Or when they tell you, don't worry, we are exercising best practices and security. And they open up 3389, which is remote desktop to the internet. Don't worry, we have a password and username in place. It's complicated.
That's right. But I put a password on it. It's like, that doesn't quite work. You know, or, or, or some of the other funny things are when someone says, yes, I've been doing this for, for 20 years. And I, and I know it's tight. It's like, did it ever occur to you that the stuff you're doing 20 years ago, maybe doesn't work as good as it used to be? Cause there's a lot of stuff like that.
Well, I also like the people that, um, attach documents to your Outlook email and say, don't worry, you know, it's in a document, and I password protected the document, and then they send the password in the email itself. Well, you should be really encrypting the email, not just putting a PDF with a password and then putting the password in the email in the same place.
Yes, so everyone knows, if you password protect a document, which generally encrypts it, if you put the password in the same email as you're sending the document, that's not very helpful. But the other thing is people that think they're being clever and they go, yeah, but I sent it in a separate email. They go, oh, so you sent two emails, one right after the other. Yeah, I'm like, yeah, that's really gonna trick the hackers. That's good. You have to send the passwords in a text or call or by another means. I mean, yeah. Or better yet, don't use those mechanisms. There are better ways to send things.
Or how about when we go and we check, we already know it's bad enough that people put their passwords on notepads, on their desktops. But when the people actually put the passwords for their computer, literally on a post-it note on the machine itself.
Oh, God.
Yeah, that's...
And that still happens. And that's yet another reason. We didn't get into it on that podcast, but that's another reason why passwords suck. If you get rid of passwords, you can't even do that. That's the best way to stop people from writing down passwords, is to not have passwords. To have biometrics or keys or something else. That's my rant for the day. That would eliminate so much stress. It would eliminate a lot of funny stories too. I'd rather give up the stories and have things be tighter.
I know this is not necessarily a funny story, but it makes me laugh. Right. I went into a doctor's office and they are still creating, uh, DVDs of, uh, or wanting to look at DVDs for looking at imaging. And I said to them, you know, I I'm one of your patients and I'm a little bit concerned. you're using a machine that not only has the password posted on the monitor to access the machine, you're using Windows 11. I mean, sorry, Windows XP.
Wait, you mean you, you were like in the office, like, like a patient and you can see on the machine, the password stuck there.
Yeah. The password to access the machine. Not only that, they also have Windows. And I said, you're using Windows XP. They go, yeah, we, all the other machines are Windows 11, but we need the DVD player in order to get images.
Yeah, because it's probably an ancient machine. When you said DVD player, I'm like, where did they even get a DVD player? And yeah, it's an ancient machine.
I said, that machine has not been patched in like six years, I think. And I said, why don't you just get rid of the machine? Well, we need a DVD player. I go, go on Amazon. Let's buy a USB DVD player. And they said, oh, you know, I don't know about that. I go, oh, so you're going to leave my data able to be compromised. Not only is the password there, but there's null shares on the machine. Anybody can get into them.
Yeah, well, that gets to something that's a whole subject that we got to do at some point, that's patching and the legacy systems problem. But you do see that in a lot of small offices, especially like doctor's offices, where they have a machine, it's got some special equipment, or it's got some special software that's old, that'll only run on something old, and it's got a lot of security issues. It basically can't be patched, it can't be updated. That's not good. That's not good at all.
I mean, for things like you and I, I know we're going to probably hit final thoughts here. But for things that you and I have been involved in, we understand that, unfortunately, there is a time when proprietary software must remain on a system that's out of date. But you use compensating controls in order to protect that machine, whether it's doing something called microsegmentation, which literally means that you're making sure that only a certain machine can talk to another machine based on its source address, based on its destination address, and ports. In real life terms, that means that only one person can walk into your house based on, you know, who they are. and nobody else can walk in to your house other than that certain person with that certain ID. So you can use compensating controls and mitigate risk, but I know they weren't. They just had to sit in on their network.
They weren't. Well, you see in the doctor's office or something like that, it's even scary, you know, small, and we're going to be talking about this soon, you know, small businesses, tough, you know, they don't have, you know, they could sell these legacy things. They don't have access to a lot of, you know, resources and expertise and, Hell, that, you know, that thing could be accessible from their guest wifi in the waiting room or from, you know, the street or something. And that, and that's for real, you know, that's not. That's not as being paranoid. That stuff really is for real.
You know how many hotels I went to where I was able to see their security cameras on the network because I scanned the network. I might say they had, I didn't even try to do write access. I literally just pull up the browser, 'cause that's not illegal. And you're looking at their IP address. Are you looking at their cameras in their office, in their hotel?
Adam, this was supposed to be the light episode. Now you're freaking me out.
Well, I'll just tell you this. As long as there's no camera in your room and you're the entertainment for all the other hotel rooms, it's okay.
Yeah, that's right. You don't want that. Well, then that's not a very good hotel if you stay in there. It's like that. All right. I think that brings us to last call. This one's been fun. Everyone, if you like this, we got plenty of tales we can get into.
Or tell us your tales.
Tell us yours, yes. Yeah, emails. Even tell us tales about the crazy security people who drive you crazy. And you know what? We can tell you either there is a good reason for this, and here's what, or they're completely nuts, tell them off.
But please don't give us anything proprietary that can identify.
Oh yeah, nothing, yes. Don't tell us any secrets or anything. We don't want to know that stuff.
Or names, or companies.
That's right, no names, no companies, no dates.
And if you want, you can redact your name and call yourself by a different name like I do.
Which is a whole other story. All right.
This has been great. This has been great.
Adam, this has been a fun one. All right. Thank you. Thank you. We'll see you, everyone. Take care. Bye.
