Seven Trillion Reasons to Drink, from Eric O’Neill
Eric O’Neill · January 18, 2024 · 1:03:27
Welcome to the Security Cocktail Hour. I'm Joe Patti. I'm Adam Roth. Hey, Adam. So today we have a very special guest. We have Eric O'Neill. How are you doing, Eric?
I am doing great, Joe and Adam. It's great to be on the show here.
No, it's great to have you on. You know, you are actually a bona fide famous person, I think. And I realized something as I was putting this together. You know what, the two, I would say, arguably most famous people we've had on are both lawyers. Is there something about a lawyer that like makes you, I don't know.
It makes you just want to achieve, I think. You spend all that time and effort on law school and you feel like I gotta make something of my life, otherwise I wasted all that money.
Yeah, I guess so. You know, I feel bad because I was reading about, you know, I read your book about how you're in law school and, you know, doing it at night and everything. I'm like, I didn't work when I went to grad school. I feel like such a, you know, such a lazy dude would have had it easy.
I tell people, I say, look, beg, borrow and steal. Go to day school. Enjoy your time. You know, just don't go to night school. You'll just be... you won't like going. Right. It's just added work after work. But look, it paid off in the end.
So the only thing that we kind of have in common is, uh, I went from my master's while working with Joe at a law firm. And then as soon as I completed it, I said, goodbye, Joe. And that was it.
There you go. That's why he took off. And now he's always whining about getting a PhD.
I'm working on that literally right now.
Yeah. We never, we never really end unless you, you're ready to just pack it in. You never really end learning. You never, you never end progressing and making yourself better. It's, it's part of the, it's the best part of the human existence. I mean, there's always something to learn.
So, so before we started the show, we were talking about, um, Queens. As I was telling you, I don't think... you mean, not like... oh, yeah, the borough of Queens. Yes, maybe around the world, right? We have people in Israel and other countries. So I went to Jamaica High School. I ended up getting kind of expelled, and then after that I forgot where I was going because Joe interrupted, or whatever the case is. But I don't remember. Sorry, Joe.
So the connection, my family's from Queens, from Jamaica.
Yeah, your family's from Jamaica. But I was going to add something about what happened to me when I was going to Jamaica and was talking about that, but let's, let's move on. I'll figure it out later.
Well, you know, since you're having a memory loss, that's a good time to bring up, uh, today's cocktail.
Sure.
I haven't even started yet and you already can't figure out what's going on.
That's true. Seriously, what do you have there?
So this is a, uh, so I got this, this bottle very recently. I did a trip to Huntsville, Alabama. I went to Auburn University undergrad, and, uh, my best friend from college is a, uh, aerospace engineer in Huntsville. While I was down there speaking at an event, he gave me this bottle of Eagle Rare. There it is, Eagle Rare. It's a 10-year-old Kentucky straight bourbon whiskey. I've been waiting for an excuse to open it. So, Adam and Joe, here it is. Cheers, cheers to you guys. Cheers, guys. Cheers.
There we are, cheers. I am drinking bootlegger, New York craft.
I got this great flask. Oh, nice. That's right.
Very nice. For everyone who wants to be cool, like our guests. There you go.
So the last podcast that we recorded, somehow or another, we came up with the idea of opening a bar. We're not further along with it yet, and we were going to do kind of a bar where we had the recording studio with the glass looking into the bar as we're recording. I like that. We're looking forward to doing that, but we're not sure.
So there's a TV show that I just filmed an episode of called FBI True, and the gimmick there is it's a CBS show. The hosts are former FBI, and they sit in a bar in New York and just have a discussion, and the whole thing's filmed there. If you look at the takeout with Major Garrett, he does it in a restaurant. It's loud as hell. I don't know how they deal with sound. But you can do it. It's kind of neat. It would be fun.
We had talked about doing an episode in a bar and like just the logistics of it are tough because it's crowded and it's noisy and everything. So someone said, oh, get it like, do it like one in the afternoon. I'm like, yeah, that's no fun. I mean, come on, you know.
And if there were big headsets and microphones and noise canceling and like, yeah, exactly.
If we employ the technology from GetSmart, we can get the cones of silence.
Or just talking to a shoe. There you go.
But wait, wait, I don't know. Are shoes encrypted these days? Do they have encrypted communications?
Isn't everything encrypted now?
Yeah.
If it's not, you're done anyway. All I know is when I was in the FBI working undercover, they would give us these radios, right? And now we're going back to like 90s, early, you know, zero and one, 2001, 2000, 2001. Of course, the reuse had to be encryption. And back then, encryption was a little bit more complicated, you know, with the devices encrypted, which just made it big. It made it big and it made it hot. So you're in a car, you're following your target. You know, he gets out of a car, he goes and walks in a direction, you gotta jump out and you grab your radio. You're already wired up 'cause you're always ready to go with, you know, your, your piece, everything. And what, you gotta do something with this big radio, minutes like... What do you do with it? Well, if you're a guy, you shove it down your pants, right? Because then you pull your shirt over it, and now you're saying, and then what? Yeah, within like a good 10 minutes. And we used to say, every time they would ask, like, what kind of equipment do you need? It's like, I need a radio, field radio that doesn't burn my balls every time I got a piece of Russian into a shopping mall. Right.
What's up. So I read your book, and I talk about you, so you ghosted people and everything. So you're saying that as you were going around, following these guys, trying to be discreet, you're basically walking with a car battery down your pants? Exactly. Like, my God. And any other equipment you needed too while you're going, but it...
I couldn't imagine how much easier that job would be. You know, there's pros and cons. You know, technology changes everything. The more technology, the more the good guys can use it, the more the bad guys can use it. But just having the kind of smartphones we have today back in the 90s, I would be the most awesome surveillance operative in the world.
It would be just so easy. So when I was taking one of my classes at one of my schools, I was like, maybe I should turn around and put one of those hidden ear mics in my ears. And technology wasn't 100% perfect that day, but I think maybe I can wear some earmuffs and hide it and then have somebody in the room next door giving me the answers. And I realized it's too much. But when you take tests today, certification tests, and you walk into these testing centers, especially some of these tests, they make you put your hands up. They want to check for equipment. They make you turn around. They make you open your pockets and pull your pockets out so you don't cheat. It's amazing. They know. It is.
Look, there's this sort of legendary story in the FBI where in New York City, so in Manhattan, for the ghosts who work there, they decided we really want to know the streets. And it's a little harder in New York. You really have to understand. So what they did is they sent them through the taxi school, which is probably the best, you know, you have to go through and you learn and then you take the test. And every single one of them was failing. Not a single one of them could pass the test. These highly trained FBI academy undercover operatives, experts in counterintelligence and counterterrorism, grew up in the city, knew the city, took the course and then couldn't pass the test. Not a single one. So that's what they did. So they sent in, using the FBI technology, some operatives wired up and were fed all the answers from like guys sitting in a van, right? And they still failed. It turned out that it was just corrupt. They were giving the medallions to their friends and failing those they didn't want. So, I mean, this was decades and decades ago, but it sparked this whole investigation and yeah.
I will tell you nothing has changed, because a couple of weeks ago, I took a cab. Get in the cab, I'm at Penn Station, you know, whatever. And I don't take a cab too often, I usually take the subway. It's the wife, she refuses to get on the subway. She's like, we're taking a cab. Going to the museum, get in, tell the guy, Metropolitan Museum, a landmark. You know, every cab driver should know where it is. Takes us to the MoMA. He pulls up there, I'm like, what are you doing? I had another guy drive by, going to Grand Central. He drives right by it, right past it on 42nd Street. I go, are you the only cabbie in New York who doesn't know where Grand Central Station is? I'm like, you gotta be kidding me.
Yeah, how do you miss that?
But you know what? It never occurred to me that the test is completely corrupt.
When I did EMS back in 1997, when I started doing EMS, and I worked for, we call it, more of a, it's not volunteer, but it's called voluntary, which means you're in a New York City hospital that's assigned to the 911 system. And one of the things they assigned us, you got to keep in mind, there was no GPS really back then, no phones like they are today. And they would hand us two things. They would hand us a map and they would hand us a couple of pages of hard-to-know streets and how to get to them. And there was one time, I'm going to be very careful what I say, I didn't know where the street was and I showed up 12 minutes to a job that was really two minutes away. And the point I'm making is, yeah, it counts when you're an FBI agent. Absolutely. It counts when you're, you know, doing EMS. I might say it doesn't count when you do a taxi, but every moment counts, especially when you're doing EMS or following, you know, some kind of a person of interest that might be involved in terrorism or some kind of nefarious actions. Oh, absolutely.
Yeah, we had to, we had to be able... we didn't know the streets so well that, I mean, because you're moving in a pattern. So you're trying to make sure that somebody's in front and you're moving around your target. You can't just be like a whole group of people following right behind like a bunch of ducklings. It's ridiculous. So you have to know the street, you have to know the ins and outs. People hated being in DC because DC is, unless you really know the city, it's nonsensical, and every once in a while, there'll just be a one-way street that doesn't make sense. And we were issued those ADC map books, so the ones that the Postal Service use. And I learned that that stands for, you know, A-D-C, A Darn Careful, a darn careful map of, right. And I had them, I had, and there were these big books that were like, you know, that big, a good like 14 inches by, I don't know, 10 inches. And I had a stack of them in my backseat, everywhere from Baltimore all the way down to Richmond, every single county. And that's how you used to do it. You would have, you know, you would be in your car, you'd have the radio, you know, the push to talk in one hand, you would be driving with the other hand, you had the map book open on your leg and then you had another pad of paper and a pen, you know, sitting on your other leg so you could write your notes as you were driving. You know, the guy took a turn here, the guy did that. And then, you know, you had your coffee sitting there and you had to somehow juggle that. And my kids are amazed at how much I can do while I drive right now. This is because that's the training. You need to be able to do all those things while you're following a target.
Well, I was going to say, is that why like DC drivers are so bad? It's because like half of them are spies, like trying to do eight.
DC drivers are so bad because like most of the city is transplants that haven't been there long enough to really know where they're going, what they're doing or where they're going. And, uh, and I just think people shouldn't drive in cities. It's just, it's a nightmare.
Yeah. I find it interesting too, when I was doing EMS and you're trying to make turns. I even once was going down a main street in Brooklyn and I'm going up against traffic and I'm telling, I'm signaling the car, stop, stop, stop. The people had to be, if not in their late 80s, in their 90s, and she's giving me this, you're bad doing that, and I'm like, everyone's running over to them like, stop your car. And I was going to an MI, I was going to a heart attack, a myocardial infarction. I'm like, stop, stop, stop. And I'm trying to get around them and I'm getting, and they didn't care. They kept on inching on me. Some people just don't care. They don't care. And they think you're wrong. Like, sorry, I've never heard of them before.
Right. I mean, that's why you have them, right? Yeah. Especially in emergency services and law enforcement. I mean, you're counting on people to stop, pull over, get out of your way. It's like lesson one when you get a driver's license.
I got to imagine, it has to be hard for you following somebody knowing you can't use license or you don't want to be noticed.
Oh, you can't use any of it. And it can be so frustrating. Yeah. There's a lot of cursing that goes on.
I'm sure there's a lot of cursing, a lot of like, I have to imagine, I mean, None of my friends have told me this story. I have a lot of friends who are law enforcement, but you know, more like local, state, city cops. And I have to imagine like guys like you. You're like, crap, I have to run the light. And you run the light and you get pulled over by local law enforcement. I gotta go, I gotta go, you know?
Right, oh no, yeah, all the time. Well, first of all, you become like a law enforcement radar detector. You just, you can see where they are. You know where they're gonna set up. You've been doing it plenty of times. And you tactically run the light, right? Because you want to do it incredibly safely, but yeah, you can't let your target get away. Yeah. It's like a national security threat. You know, some dude is gonna go blow something up. You can't just be like, ah, there's a red light. You know, I guess he got away today. Yeah. So you, um, you tactically, and you know, my big trick is you got, you know, you got the number one, two, three, four lanes starting from the left, going over to the right. And, uh, you know, the number one lane to the left of that might be a turn lane, a left turn lane. I would jump into that at the red light. And as soon as it turned green, you know, I'd floor it. Right. Cause you know, I had the modified engine and it was held a lot faster off the, off of, uh,
Like, oh, Mike, they're not making a turn. And I'm like, whatever, just go.
I don't want you in DC, everyone. Oh my god, what, you know, or I just blow through the law. That's normal. It's a kick. Yeah, they came up with all the speed cameras and the red light cameras and that screwed everybody, because now, you know, when you're working undercover and you run a light or you run a speed camera, and then the bill comes to the office, right, the field office, then you got to get some poor Justice Department attorney who has to go down to the local courthouse and say, this was a national security investigation. There's a purpose for this.
If you want, I can provide some current FBI agents training. In New York City, especially Staten Island, since I live in the number one area of New York City with active law enforcement, NYPD, I've seen all the tricks. The tricks are put a leaf in your cover over your plate, get a Sharpie and make it an eight instead of a six. I've seen it all. I've seen, they even had one guy they caught recently that had a James Bond thing. As soon as it detected a light, it shot the light back. They had some crazy, they even had one guy that was evading tolls, his plate flipped like James Bond also. It's all over the local news, like everyone's doing all these things.
Yeah, right. I don't know, I have three kids, I got older, I just don't speak anymore.
No, me either. I'm just being, we can save the government a lot of money just by altering the plates. Let's just go do that.
Exactly. Well, okay. These are going to make great Instagram reels. Eric's tips on how to run red lights, but moving up a bit. So these days, obviously you've been out of the FBI for quite a while. Right. And, uh, you know, something I wanted to ask you about was, I know you're doing a lot, um, really in cybersecurity and everything now. And, you know, back over the summer, like maybe five months ago, that now feels like an eternity with everything that's going on lately, we had one of our good friends on and he was talking about cyber crime. He was an incident responder. He was talking about ransomware and everything. And he was saying, you know, the primary thing out there that the bad guys are doing, or at least that he sees, was really financially motivated. They're going after the money. They're going after the money. Now, the crazy thing is, since then, he's Israeli, a lot of things have changed. And I was curious with what you're seeing now, do you have that same kind of perspective, even in the past few weeks even, has that been shifting quite a bit? Like, how's the landscape looking?
Right, well, I am a thought leader, whatever you want to call it, in cybersecurity. And part of that is I need to do a lot of future prediction in the world of cyber threat and where I think I see and where many of us who do this work think it's going. Look, for a long time, cyber criminals have eaten our lunch using cyber attacks, right? And there are a couple of reasons for that. One was the pandemic, which changed everything about the way that we work, the way that we live, and it forced this sort of by-the-seat-of-our-pants embrace of technology we've never seen in society before. I mean, I call it a tell-everything world. We've been thrust into it where our first means of communication is through technology as opposed to, I mean, when's the last time you've walked over to your neighbor and knocked on the door and just had a conversation? And people are more prone to text than to actually have a phone call, right? And so in this world that we were thrust into before we were ready, we changed the way we communicate, we changed the way we work, we changed the way we entertain ourselves. And criminals got wise to it. At the same time, cryptocurrency gave them a way to collect money that is difficult to trace. And they created whole cloth technologies to move that money quickly before law enforcement can catch it. So there's this big cat and mouse game of moving money through different cryptocurrency wallets, and there are entire business verticals on the dark web, for example, that will do that for criminal enterprises. So in all those flaws, in the new way that we live, in the new way we've embraced technology, criminals inserted themselves. And using the dark web, which is a system of anonymous servers all over the world that allow them to do what they want and get away with it, what I call these new cyber crime syndicates have grown up and they're very business savvy. In fact, they've started hiring intelligence officers from different services around the world.
And you think of some of the countries, I mean, if you're in Russia and you're an IO working for a cyber threat unit, you might want to go, you know, in-house at a cyber crime syndicate and you can make twice as much money as you did on your government salary and give them all their learning. They're developing their own code, novel code. They've developed their own AI that's helping them scale their operations. And the cost of cybercrime, as this threat has grown over the last few years, has risen to above $7 trillion. So I think that's very important to note. $7 trillion, I mean, that's a lot of money. That's the cost of dark web cybercrime. So cybercrime that is being launched from and moving through the dark web. If you consider that in terms of GDP, gross domestic product, right now the dark web is the third largest economy on earth. So it goes the US and then China and then the dark web as far as how much money is moving through that. And so we can't shut the dark web down. It exists as partitioned parts of servers in legitimate companies. It sits in places with no extradition and no cybercrime laws. It sits on islands that people like these pirates have literally built and created server farms that can't be touched by any law enforcement. So we're not going to stop it. And if you want to think of the dark web itself, you can buy and sell anything there if you know how, right? I call people who go into the dark web dark web spelunkers. Those who are on the good side. Those who are doing research, right? Because it's like going down into a cave, getting really dirty, doing something dangerous. You can buy everything from novel malicious software, malware code, to hire an attacker who will launch a DDoS attack for you or help you with a toolkit. You can buy toolkits so you can learn how to become a ransomware attacker. I mean, then you get into the macabre, right? There's something called the body parts bazaar. If you want an eye, it's about $2,000.
If you want to buy a heart, it's about $100,000. Yeah. You can buy a hand. So a hand or a foot goes for $500. You can't transplant it. So what good is it? And so much more. Any drug or weapon you want, it's all for sale.
So let me ask you this. I'm hearing that, you know, there have always been illicit markets and trade and, you know, organs and body parts and odd curiosities and everything. Is this where that existing stuff has moved and facilitated, made it easier or is it spawning more, more of this stuff? I think it's spawning.
Yeah, it's spawning more of it and a lot of it has moved. So you can, I mean, if you're just a normal person, you know, where are you going to go into the underbelly of some city, I guess, and find, like a body parts bazaar? You're not, but now you can just have it shipped to you through US mail, right? And somebody's hand shows up packed in dry ice.
Yeah. Like the dark web is a bad neighborhood. It's like, you know, place downtown where you go into a basement and
Yeah, but it's virtual. So what you're doing is you're using a specific tool, a specific browser. You have to know the site you're going to. And when you go there, you're going to that seedy neighborhood where everybody's ready to knife you. It's a bad idea. When you're doing dark web threat hunting or research, the first rule is never do it from home. So if you're going to spelunk into the dark web, never do it from home, do it from a secure environment, an office that is not tied to you. Because the moment you're on there, people are going to try to be figuring out whether you're law enforcement, whether you're a lurker, a tourist, or whether you're a legitimate criminal who has a reason to be there. And if you're not legitimate, then they are going to attack you.
So to add to that, I realize there's so many services that are spawned. Is violence as a service? You can literally hire somebody online to go beat the living crap out of somebody, even kill somebody. And I'm not saying it's happened, but I'm sure it has, because I've never seen any indication of that. But there's articles about violence as a service. And then as far as... Talking about malware and other such things, I know without a doubt, I've seen people that say, hey, guess what? If you hire me, I will put child porn on somebody's machine so that they get jammed up and I will make the calls to law enforcement so they're found. They'll never even know that the child porn is on there. So they set people up and whether or not it's happening often I'm not aware of it, but I was at an onion site and yeah, I kind of did something like I kind of had a clean laptop with a USB with a Tor browser and I went to an onion site on a MiFi probably at the best thing to do but I've done it and I've seen a lot of these crazy sites. Yeah, I haven't been on in a while, but
Yeah, so we do threat hunting research into the dark web to see what's there. I mean, there are things that will just make you feel horrible. Like, for example, you can buy a person. You wonder what happens with all the people who are sex trafficked. Well, a lot of them are bought and sold through specific dark web marketplaces. And I mean, they'll even, you know, even with message boards to communicate what hotel should she be dropped off at, and here are instructions you can buy to build your dungeon in your basement. It's just horrible, horrible things. And of course, in getting into pornography, the most obscene, horrible things in that world, obviously you're not, you know, you wanted to see normal stuff. You don't need to go into the dark web. So you can imagine how, how prurient and terrible that can be. And I mean, my point with this is that, you know, it's $7 trillion, and by 2025, it's going to exceed 12. So it's growing at an exponential rate. These cybercrime syndicate kits are getting more sophisticated. They're making a ton of money. Ransomware is one of their top vectors. And a lot of us who are looking at this are starting to think like, you know, there's going to come a time pretty soon when they're not even going to encrypt your data, because cybersecurity has gotten pretty good at data restoration. The downtime isn't as bad. We have cloud-based AI that is doing backups that are secure using blockchain, so you can restore your data. You might lose a little bit, but it's better than paying millions in ransomware. And they know that, so a lot of the more savvy attackers aren't even bothering to encrypt, because if you want to think of cybercrime as espionage, right, which is the way I like to get people to think about it, because these aren't just some kid in a basement. These are sophisticated syndicates of individuals who have been trained, often by top intelligence agencies.
Why do you spend the time to expand your footprint in a target system and increase the malware exposure to the point where you can bring down a large enough amount of the system to cause a pain point and say, now pay me or you can't restore? That takes a lot of time, when it takes a lot less time to get into the system and then start, you know, gaining more and more credentials, finding more information and stealing the information. Because the real ransom, the child that's stolen, is your data. I mean, data has become the currency of our life. That's what drives businesses. Money is even data. So steal the data. You don't even have to encrypt it. You can just say, I have all this data. I'll give you a sign of life. Here's the file tree of what I stole. Pick 10 files and I'll send them to you to prove that I have it. And if you don't give it to me, then I'm going to give it to your competitor. I'm going to sell it online. I'm going to publish it on the dark web. I'm going to put all these things. We are going through the data now. We have all your email, your emails, you know, for the CEO going back 10 years, and we're scrubbing through it now to find every embarrassing thing, you know. And if there is an embarrassing thing in there, or it is real sensitive, or it's this new IP that hasn't been protected yet, that organization is going to have to pay.
And that, and that's another, you know, thing that we've spoken about before with sextortion. You know, there are people who have killed themselves over that. It's horrible, but you know, if you can embarrass somebody enough, obviously you won't make the amount of money unless it's a celebrity or somebody, but even some celebrities have said, guess what? I don't care. I'll put my own pictures on the internet. I don't care. It's a different world, but I know we're in terrible times right now, and I don't want to get into the politics of it, but the reason why I'm bringing up the terrible times is part of these malware and all these other attacks is worrying about that third, World War III, where it's not kinetic, it's more cyber. Do I shut down the electric? Once I shut down the electric, the food chain gets corrupt. Then we have sanitation issues and then we have disease. So that's what also I fear. And I actually wrote a paper on that for my master's about ethical warfare. How far do you go? Cyber warfare to me is almost like flying a drone. You're removed from the emotional point a lot, not completely. So if you stop something, you don't necessarily see the effects. Whereas in a kinetic war, if you're firing maybe a gunfire, you're firing tanks, you're doing something like that, you're in it. Now you're sitting in a room like boom, boom, boom, boom, boom. And now you just shut down a major electrical grid that probably is going to take two months, if you shut it down the wrong way, to bring it back up.
Yeah, well, here in the United States, look, I never thought that we would see, I thought that we were beyond what we see now in Ukraine and Israel. And, you know, even in my book, Gray Day, I write that the next large scale war will be fought not with tanks and guns, but in cyberspace. Now, for a global war, I still think that's true. I still think that if anyone wants to harm us in the US, and they very much do, that it will be a large scale cyber attack. And the proof of that is that they have been trying. I mean, you can find any number of research releases, threat reports from CISA, the FBI, NSA about Russia, China, Iran, launching what's called probe attacks in our SCADA networks, in our networks of power distribution throughout the world, throughout the US. What makes it really hard for them is we're such a crazy distributed system for power. I mean, we've got all these power companies, some are public, some are private, some are public private, and they're not, it's somewhat disjointed, right, which makes it a lot harder than, for example, if you want to go back to, you know, the independent state for Ukraine in the middle of the winter right near the Christmas holidays when Russians shut them down, shut down the power grid during one of the coldest nights. And the poor people, this is years before the war. I mean, Russia was hitting them for years. But it's possible. And we really have not done anything in our critical infrastructure to future-proof us. Whereas China and Russia have. So, you know, we're going to get the short end of the stick in that battle. And it doesn't have to be a large scale national attack. It can be, you know, the East Coast or it can be California. You can cause devastating problems just by knocking one large chain in a state. And it doesn't even have to be a cyber attack. 
If you recall, there were recently, I think in North Carolina, kinetic attacks where people were just shooting at substations and took a substation out and wreaked havoc. Did you know that you only have to take out nine substations to cause a large-scale power outage? I don't shoot at nine of them, or slam your cars into them and coordinate it. That's not that hard. Domestic terrorists can do that. So we're vulnerable. And I think if we want to look at a futurist attack, because ransomware is so incredibly successful, the bad guys have just turned ransomware into a service. It's a whole business model. And they're very good at launching those attacks and leveraging them. I think in the future, we're going to see what I call ransomware without a kill switch. So ransomware attacks that attack critical infrastructure, cities, towns, municipalities, that have no decryption key, that spread. And there's no way to get out from under it other than to rebuild or restore.
You know, I think that gets to the motivation, you know, I mean, on the defender side, on the corporate side, that's really where I come from. You know, we think in terms of these ransomware operators as yes, they're going after money. And yes, for the past, maybe two years or so, they put a lot less emphasis. You're very right on the encryption and some have abandoned it because they go, look, it's the extortion. That's the thing. And their motivation is money. And frankly, you know, it's like, It's like, as the Emperor Tiberius said, we don't want to kill them. We want to fleece them. Yes, exactly. But with these skills, if they want to kill us or really hurt us much more badly, you're right. The tools are there.
But just real quick, also think of the, which is sort of my background, the issue with trusted insiders. We're not done with that threat, even though it's easier to launch an attack over a keyboard from Moscow or Beijing or Tehran or whatever to attack the United States, that doesn't mean that there aren't trusted insiders who can also be leveraged to attack from within.
Yes, like sleepers, people that have clean backgrounds and eventually get into organizations that embed themselves for years and then if they're asked to activate, they activate.
Exactly.
It could be that simple. I've had this argument with one of my former colleagues. And I'm one of those guys that says, you know, you can get to anything physically if you really try. And he's like, Adam, I'd rather be in my underwear, sitting in front of my keyboard, launching an attack, than walk into a building. I'm like, I'd rather walk into a building. I think it's that easy. If I turn around and I put in one of those, you know, commercial devices that you can buy online and connect from outside in a van, I can pretty much do whatever I want. You can bypass the NAC, you can bypass the extra layers of segmentation, you can bypass everything. Get in and do what you gotta do, and you're right there. You're almost on site. But talking about ransomware as a service, I wanted to bring up one other thing. The way it works now, if I understand correctly, is ransomware as a service, you hire affiliates. Someone says, I want to be an affiliate, I will get into stuff, and they say, look, 20% of what we get, and then it gets wired to them, or Bitcoin. And the funny part about ransomware as a service now is, for the people that get affected, they can call customer service. Hey, I'm having a problem, can you help me? Yeah, I'm happy to help you, my name is John. You know, so they actually have people answering calls for customer service, and then they go like… These are businesses.
Yeah, you can't afford it.
We'll give you a 10% discount.
Let me tell you another story. Here's a good one, because this was a pretty brilliant dark web scam. On May 2nd, the city of Dallas was hit by a large-scale attack. And they did pretty well. I mean, they're a large city. They were prepared for it. The cyber attackers are called Royal Ransomware. And it's not as much what they did. They were able to bring down EMS, police dispatch, the court system. They made it impossible to pay bills for a little while. They caused all sorts of havoc. But it's not what they did or how long they were able to dwell. It's really how they did it. They were very clever. So they did research into the city administrators, and they would send emails to certain city administrators with invoices attached. And the invoices would be for different services. So as an example, you're working in the city and you get an invoice for catering services. And it lists a bunch of events which, you know, they just went through and found by doing research, that were actual city events, and a cost that seemed reasonable. And everyone's trained now, right? Don't just pay an invoice, get some sort of authorization, do some research, right? You get something over email, don't trust it. But it all looks good. And so what do they do? They scan the invoice to see if it seems real. And these are people who are processing like dozens of them a day, hundreds of them a month. And they call the number. And I don't recognize this, but they call the number. So they get a very polite person who seems to know who they are and who their boss is and is able to describe some of the events. And it sounds all legitimate. They say, okay, great, we're ready to pay. And then the person on the phone, the very helpful person, says, okay, well, we moved to an app-based payment system. So let me direct you to where you download an app. You getting it? Yeah. Yeah, and so they've installed the malware themselves. You've social engineered a person.
You didn't even have to launch any code anywhere, right? You fooled the person and launched code. And what she called was a dark web call center, where these people speak English really well and are trained with scripts to answer. So this is the kind of effort that they're putting into screwing us over, and that's why they're being so successful.
But here's what gets me, because there is always a defense. And when I hear that, my ears prick up right away, because I say, yes, it's a social engineering attack. But why in the world in 2023 could someone download an app? You'd be surprised. I know you'd be surprised. It's so basic.
There are plenty of companies that still allow you to plug in USB into your system.
Oh, that's what's so frustrating. So Joe, so many of these things we know how to fix.
So Joe, I'm not going to mention the EDR company that he works for, because I don't want to say that company name on the show. But we measure they're okay. Yeah, I like them. Okay, I'm not saying... Listen, I don't mention names. You can mention... We don't like... but we like that. You can mention them. So the point I'm making is that at the end, that EDR blocks USBs being plugged in, as most stuff does. So if you use it correctly, if someone didn't say, you know,
I couldn't plug in my thing, whatever, and I need this now, and someone turned it off. And maybe they made a mistake and turned it off.
Well, yeah, but look, so I'm the national security strategist for VMware Carbon Black, and that EDR system uses, so if you're configuring it all correctly and you're using the cloud-based AI that's looking at what looks good and what looks bad, known good versus known bad, now we've moved to XDR, which is like, If EDR is just locking the doors, XDR is like the doors, the hallways, the bathroom, you know, we're looking around the corner everywhere.
They added an X, so it's better.
Yeah, because it's network plus end point, right? And I guess XDR, look, I don't do marketing for cybersecurity. But those are the sort of systems that companies have to go to. 99% of attacks that are successful are known and avoidable. 99%. So part of this is being informed and preparing. You have to prepare. And I tell audiences all the time when I'm on stage, Don't wait until you're in the pressure situation until you're thrown into the fire to start examining your security. Now, when things are chill, that's when you examine your security, go get a vendor, have something installed, have somebody who's there to support you, have threat hunters that are on speed dial. Because otherwise, when it happens, you're already dead in the water because you don't have time to catch up to the attacker. He's going to always be a step ahead of you.
So since you're an attorney, and Joe and I have done this before as well, not only do you have to have an IDR team or an incident response team ready, and you have to have a third party, maybe EDR, MDR, XDR support ready, you have to have attorneys ready too. They tell you what you can't do and what you can't not do. So people forget that aspect of it. You have to have a publicist, attorney, everything.
Well, a lot of this will be driven by your cybersecurity insurance. So you start there. You get a good cyber insurance plan, if you can get it. And they will inform you what you need to have. And part of that is, if you want to lower your rates to something that you can pay, you need to bring up your cybersecurity and data protection to a standard that is going to make you less of a target. Because look, it's like in law enforcement. A lot of this is just deterrence, right? You want to be the harder target, so that somebody kind of goes right by you. Exactly. So I'm going to the next one. Right. Yeah. Right. That's what you want to be. You want to be, you know, it's like you trip your friend when you're being chased by a bear. You want to be better than the other people on the street.
And you don't have to be faster than the bear. You have to be faster than the other guy.
Yeah, exactly. So part of this is you have to at least come to a standard where you make it difficult for the bad guys. And that's where a lot of organizations and individuals go wrong. I mean, when you just aren't thinking about this, then you're just not in the mindset to prevent it.
I have two beliefs. One, everything can be exploited. And number two, everyone has a threat actor already on their business network. You just don't know about it.
Yeah. Well, there is a lot of that happening, and people are the easiest way. I mean, time and again, if you look at what happened to Colonial Pipeline, right? So that was a pretty big critical infrastructure attack. And that was a cybercrime syndicate called DarkSide, because they have stupid names too and bad marketing. They all like comic book characters, bad guys from comic books. And I mean, they just bought a bunch of usernames and passwords off the dark web. And we're like, I've listened to some of your other podcasts. I like your podcast. So I can say, holy shit, we got them, right? They just randomly bought a bunch of usernames and passwords, and they probably got a thousand usernames and passwords for like a buck fifty. They found a disused VPN account for someone who was working from home, a contractor who was able to dial in. And that's how they got in. And that account didn't have two-factor authentication. Look at MGM. Or MGM, right. Or like in Vegas, using a fish tank to get into a casino. There's so much we have to think about. But that's why I think technology is starting to do a lot of that for us. So part of it is understanding, if you want to get really esoteric and technical, understanding your data architecture. Where's the data that really matters? If I'm thinking of this like a counterintelligence agent, right, and I want to protect information, I want to know where that information is, all right? Is it sitting in a safe house? Is it in a safe in the safe house? Does anybody know where the safe house is? Is anyone going in and out of the safe house so someone can follow them in there? Like, how am I protecting that core data that matters to me the most? Because that's where you want to focus your efforts.
Here's the challenge, and this is where defense gets so hard because it's, you know, the old thing, we only have to slip up once and something happens. I can't tell you how many times I've been doing something, you're doing an assessment, you hear about stuff, or even in your own organization, you say, we've done our data, we've searched through the data, we think we know where the crown jewels are, we have all this stuff, we have our defenses there. And I mean, Adam, how many times would I say, did we find that? We would go searching, we would go threat hunting and find stuff and say, Why in the world is there a spreadsheet with this over here or wherever? Why in the world is this other thing over here? Who bought this cloud account and went through a lot of trouble to circumvent everything we had? That's the kind of stuff that keeps me up at night when I'm on the defense side. And I say the bad guys will find it.
Yeah. Or, you know, in part of just data confidentiality training as a lawyer to organizations, there are so many examples of teams who are real excited about their product, and they go to a conference and they do this whole presentation that could be recorded or is downloadable, and it's IP that hasn't been protected. You haven't tried to reserve the rights and patents, you haven't done anything to protect the information, and now you've just shown it to an entire conference. And that's just a bad mistake. People aren't thinking. That's why I like to say, you have to think like a spy to understand the threat, but you have to think like a spy hunter to defend against it. You have to be in that mindset, which is why I hate the word hacker. Like, hackers to me are the good guys. You know, it's probably the three of us screwing around in the 80s and grew up into this, right? And, you know, we're wearing the white hats now. The bad guys are cyber attackers, they're cyber spies, they're cyber criminals, they're cyber terrorists. Because if you think, oh, a hacker is coming after me, I mean, Hollywood has put this vision in everybody's head of some kid in a basement pounding away at the keyboard. And if all you're thinking is, oh, some doofus teenager is trying to steal my data, then you're done, because it's actually a very sophisticated group of individuals with the top training and equipment who are coming after you.
So I wanted to add, it's funny, like, you know how, I mean, I'm lucky enough, I can have a cleaning person come in and clean my house, right? And before we have the cleaning person come in the house, what do we do? We do a little bit of cleaning. Yeah, kind of the same thing when we had purple teams. We were like, oh, let's use our regular standard generic tools to search for passwords. Let's just put in "password". Oh my God, you have a notepad with all your passwords on there. And we would find this, and we're like, get this off the network. And by the time the red team came in, they still found other stuff. So people, there's a hundred percent chance in a mid to large enterprise organization that passwords are being stored unencrypted on a hard drive. And if you can find it yourself, imagine how the hackers, and I say hackers, I'm talking about black hat hackers, right? Let's talk about threat actors. Let's use that word. Threat actors are actually doing that. They're gonna be able to find stuff. And not only do they do that, they go into memory. I've used tools where we use deception technology to write fake passwords into memory, onto drive, into recycle bins. So when people utilize that, I would know about it, and I would know a threat actor was truly on there because they're using tradecraft. They're using those types of tools.
I just did a keynote in front of this huge audience of attorneys from all over the country. I just threw out there and people came up to me later and were like, I was terrified. I couldn't believe it. I said, the password is dead. If you're relying on a password, you've already lost. I said, in fact, a password is useless. I don't even bother with complex passwords because I don't rely on them. You know, I've moved completely to OTPs, to two-factor authentication, to second layers of security, most of it authenticated through an encrypted app on my phone. Because if you're relying on a username and password, then you just, you're already compromised.
But here's the frustration. I mean, I'm totally down with you on that. You know, our first episode was actually passwords must die. Yes, they must. We must get rid of them. They must. And they just won't. And you know, for even guys like us, we know what we're doing. I mean, there are sites and there are things that. They got a password. And I mean, you go to their support, you know, like, can you please get, you know, when are you going to have two-factor? Like, well, that's on our roadmap, but you know. Right. I don't use those companies. It's very frustrating.
I just don't, I don't use those companies. And I tell people all the time, if your bank isn't using two-factor authentication at a minimum, please move your money somewhere else. Right. And there are small banks who still aren't there because cybersecurity tends not to be, it doesn't tend to be top of mind until there's an attack. And then everybody thinks about it and gets worried about it. But the smart companies, the ones that are surviving, the ones that aren't getting burned out by a large scale attack are the ones who are investing, thinking and preparing ahead of the attack. So they're ready when it happens.
I've seen exercises where, you know, purple teams, the red team goes into an app, changes your SMS, points that towards one of their drop phones or one of their Google Voice things where they get the number. So having SMS, or SS7 I guess I call them, attacks, having those numbers go to your phone, it's crazy, because all they have to do is change your number.
Yeah, and they can clone your phones and there are ways to do that if they're targeting you specifically, right? You're already kind of in trouble.
Of course, law enforcement does it all the time too. I understand that.
Yeah. But if it's just targets of opportunity or targeting a company, or you're just living your life and no one's really out to get you specifically, Adam or Joe, right? Or me, Eric. Everybody tries to get me all the time. You probably see it too. You know, using a text-based two-factor authentication is a hell of a lot better than relying on your stupid password that you've used for everything, and you can't remember how many places you used it, and you used it for the stupid ice cream store, and they got attacked, and now it's on the dark web, and now everyone's trying it with everything that you own.
So that leads to another conversation which we might have to do a part two one day is, yeah, if you use a different password in every single site and you're using a password manager, can you trust that password manager?
Well, I've never used a password manager, and I always think about it, and part of it is the time to get it up and running and get it useful, right? I haven't invested, but then a few of them have been attacked, and it led to large-scale attacks. Now, I gotta say, I do have a friend who had a really clever reason for using a password manager, and I've thought about this, and it's something everyone really does have to think about, He did it because he and his wife share the same app, right? So that she has access to all his passwords. And the reason he did it is because if he gets hit by a bus or falls out of the sky, I mean, imagine how miserable it's going to be for a spouse who now has to try to get into your Facebook account and shut it down and get into your bank accounts and all these things that require a password and become a huge hassle if they can't get in.
Yeah, I do the same thing for exactly the same reason. You know, my wife and I, we share, and now that my kids are getting older, yeah, I'm starting to share with them, but I can also say there are a few passwords that are not in there. Right. Encrypted on a couple of, you know, USB drives. So it's the old balance of, yes, we want to be hardcore and protect everything, but we need to be realistic also. But I think it's realistic to get rid of just passwords, really. With everything out there, there's no excuse that any site should not have at least a rudimentary 2FA, at least as far as I'm concerned.
Yeah, I can't wait till we just go to a one-time code for everything. Nobody is ever separated from their phone. You know, and the biometrics are really good. I should be able to look at my phone every time I want to log into something. Now, okay. Yes. I know what you're going to say. So somebody grabs you and they have your phone and they point it at your face. Sure. Then you're already done.
I see that, like, that woman turns around and she thinks her boyfriend's cheating on her. He's sleeping. She grabs the phone, puts it in front of his face. Like, oh, look, you've been chatting with... but that wasn't it. Do you use virtual credit card numbers?
I don't, no, I don't have, I just don't have any. I thought about it, but I have two credit cards. I have my business credit card and my family credit card, and I just don't have a lot of them. But yeah, I've seen that done. My daughter recently, because she's really smart and eager, she was like, I need a credit card. I'm like, you're not even 16. She's like, I need a credit card so I can start my credit history and I can have good credit. Oh, wow. I'm like, honey, right now your credit's pristine. You're a target for attack because of that. And you'll have plenty of time to build that later. Yeah.
My kids have the Apple Pay credit card. They have my credit cards on their Apple Pay. I think it's OK. It's encrypted. They have passwords on their phones. Hopefully it's OK.
Yeah, they use their phone. I did that too with my one daughter who's 15. One of my banks has what they call a youth checking account. So we set that up, it's monitored, everything has to go through me, but she gets a debit card she can use. So she's learning how to... She already was compromised. And this is an interesting story. She calls me, and she says, Dad, once they turn 14, it goes from Daddy to Dad, it's sad, but Dad, I have no money in my account. I'm like, really? She's like, yeah, it's all gone. I said, OK. So because it's monitored, I log in, and I take a look. And I'm like, yeah, you're right. It's cleaned out. And I look, and it's just purchase after purchase after purchase, a lot of it DoorDash. I was like, this is really interesting. So I called DoorDash. And of course, they're like, we can't give you information. I'm like, lady, look, this is my daughter's account. Technically, it's my account. And technically, I bought these things, and I want to know where I sent them. And they're like, we can't give out any information like that. I'm like, let me talk to your general counsel. And they're like, okay, we're going to give you the general counsel's office. So because I'm a lawyer, they get me to a lawyer quickly, right?
I'm surprised they didn't say, what's a general counsel?
Yeah, no, no, no. They were very professional and cool about it. Now they couldn't give me the information, but I said, look, I'm not asking you to divulge any information. I just want to know if it's any one of these zip codes, right? And I said, just tell me hot or cold. And they said, it's one of those zip codes. I'm like, okay, I don't need anything else. I don't wanna get you in trouble, thank you. And then I went to my daughter and I said, okay, everybody knows my background, caught the biggest spy in US history, was undercover for the FBI for years and years. And you text all your friends, every number you have, and let them know that your father is on the case, is very close, is gonna find the person who stole their money, and they'll be hearing from the police in like 20, 30 minutes. And even before I went down all my channels and figured out who it was, got the address, her friend owned up. She said, yeah, I borrowed your credit card. And it was like an initiation with this mean group of girls, and I'm so sorry. You know, they kissed and made up, but then, you know, I'm talking to the dad, I'm like, you're gonna have to pay this.
Wait a minute, I've heard teenage girls can be, you know, mean. I hope we don't get a flag for that or anything, but you know, the initiation is credit card fraud. This is a new thing.
Apparently this is a new thing. These girls get together and they, you know, they steal their parents' credit cards. They steal their friends' credit cards. They, you know, they have to buy some things. And, you know, my daughter, at the time she was, what, like 14, she didn't have any money in there and it was all gone in an instant. But yeah, it was devastating, and they're still friends. They worked it out. There was a lot of talking and understanding why this is a terrible thing.
I'm sure the family was shitting bricks that you were gonna press charges.
Yeah, but I wasn't. I said, look, this is a learning experience for everyone.
You said earlier, if you were a ransomware attacker, you'd be giving discounts and stuff. Now we understand why.
Yeah, right. I'm a nice guy. Look, that's why I said, we were talking earlier, I would be a terrible attacker because I'd feel bad for everybody that I compromised. So like, look, I know you're so nice, I'm going to give you a 30% discount on the ransom. You know, just get me that cryptocurrency soon.
And yeah, I think, uh, speaking of, um, I think we got to start wrapping up Joe.
Yes, we do. We are getting to last call here, as we say. So, and actually when we do that, so, you know, Eric, this has been absolutely fascinating. We could talk for hours.
Oh, yeah, certainly. This is the kind of stuff that I love. And clearly you are both well-versed and steeped in this world as well. So this has been a great time.
Well, this is what we do. So also we kind of do at the end, um, do you have any plugs besides your obvious one on your wall back there?
Right. Well, my book, Gray Day, is available. It was published a few years ago, but it's still very relevant, if you want to learn the inside story of how I caught Robert Hanssen, who was the most damaging spy in US history and also our first cyber spy in the FBI. If you're willing to wait about nine months, I just signed with HarperCollins to publish my second book, which is called The Invisible Threat. It's all about cyber crime. And if you've listened to this podcast and enjoyed it, well, a lot of what I'm writing has come out of my face during this conversation. And the book is premised on thinking like a spy and then thinking like a spy hunter to defeat cyber criminals.
So well, we're going to look forward to that. I'll definitely pick it up. And I have a confession to make. Unlike Gray Day, which I read, I promise not to take it out of the library. I will actually buy it.
That's okay if you take it out of the library. If people want to follow up with me, the easiest way is probably on, what's it called now, X, which is just E-O-N-E-I-L-L. Come over there and I'm pretty good about responding to people who ask me questions.
So I have two things for last call. The first thing is, I don't recall in the book, but I do recall in the movie, did Robert Hanssen really say, pray for me?
He didn't in real life, right? That elevator scene in the movie Breach where I'm leaving the FBI, I'm done, I got my box, Ryan Phillippe playing me, the box in my hands and I'm on my way out, and the elevator opens and there's Robert Hanssen. And then he says, pray for me. And I say, I will. Didn't really happen. Probably would have said I will, because like I said, I'm a nice guy. I did take his pen. I do have it. That's my war souvenir. That's an actual true scene. And in fact, if you watch the scene, Ryan Phillippe, who plays me in the movie, his hair is a little bit darker brown. It's because after they finished shooting, I was hanging out with Billy Ray, who's the director, and he rewrote the original screenplay. And I was just telling him that story. He's like, why didn't you tell me that before? That's such a great ending. Like, it didn't make it in the movie. So we brought the actors back and reshot and added that. Wow. Exactly. Yeah. Cause it's a cool scene. Right. And I still have the pen, click, click, click. It's like, nice. Right there. It is right there. Oh, nice. Oh, there it is. There's the Palm Pilot from Breach. Yeah.
Oh, you had the actual Palm Pilot too. Yeah, absolutely. So the second thing I wanted to clear up, when I was stuttering, I forgot what I was saying. When I went to school, after I got let go out of Jamaica High School and I went to Cardozo High School, I barely made it out of high school. My father basically said, you know, please help me get out of school. My father was a school teacher. But ever since then, I've been trying to make up for everything. And that's why my average was barely a 65. That's why I went for a master's. And that's probably why I'm gonna go for a PhD. I've been compensating for that since I was 17. So I know I was stuttering and we moved on to the alcohol and the drinks, but I wanted to clear that up.
Well, there you go. Well, I think you've done quite well for yourself. So I think you can let yourself off the hook for that one back then. That was a tough environment. I heard stories from my grandfather, my grandmother, and my mother about that area and what it was like growing up. So we can give you a pass on that one.
Thank you, sir. You're good, Adam. Okay. Well, Eric, thank you so much for joining. This has been a lot of fun. Good luck with the book and the TV show.
Joe and Adam to the Security Cocktail Hour. Cheers. Cheers. Thank you. Okay.
Thanks, everyone. Please like, subscribe, follow us on Spotify and be careful out there. All right. Thanks, everyone.
