Learning lessons from the Uber and LA USD cyberattacks

Start listening

The Uber attack is huge. The initial penetration teaches about MFA, and how they were able to escalate their privileges from there is simply wrong, wrong, wrong. What can you learn from this? Well, we have a cybersecurity expert, and host of the Tech and Main podcast, on the pod this week to help us figure that out. We had planned to just talk about the Uber attack, but he also wanted to talk about what happened to the LA Unified School District. Do you have kids in school, or know someone employed in K-12 education? Shaun St. Hill makes a solid point or two about what they should be doing. All that and Curtis complaining about how much he spent on his vacation to Hawaii. Boo hoo, right?

Transcript

[00:00:34] W. Curtis Preston: Hi, and welcome to Backup Central’s Restore it All podcast. I’m your host w Curtis Preston, AKA Mr. Backup, and I have with me, my post vacation depression consultant, Prasanna Malaiyandi. How’s it going, Prasanna?

[00:00:49] Prasanna Malaiyandi: I am good. Jealous of your vacation. Also really upset that you decided to come back from said vacation rather than just like being like, yeah, I’m just gonna stay remotely and extend my vacation by another week or two weeks or a year, whatever it is.

[00:01:07] W. Curtis Preston: I had to come back because a, I was going broke. I was spending like $250 every time I got on a scuba boat, it was very, the diving is really expensive over there. Partly cuz I had to rent a wet suit.

I brought all my gear, but left my regulator behind like a moron. So I had to rent a regulator every time I dove. It was great diving. I was at the big island, so I was diving in Kona. I did a pelagic dive where you, you interact with like transparent and, and, and translucent.

And what, what do you call the bioluminescent creatures by diving over 5,000 foot of ocean? Oh, that was, that was, that was way cool.

[00:01:43] Prasanna Malaiyandi: So, so I think that you need a new profession, Curtis, in addition to Mr. Backup, I think you need to be like in the water all the time. Maybe there’s something about like backup in the ocean or like data centers in the ocean.

[00:01:56] W. Curtis Preston: I am so happy. Like, and it’s been so long since I’ve dove, like, because I, I, my, my gear on my last dive to, to Hawaii was my last dive and my gear broke and, um, you know, it’s, it’s expensive to replace that stuff. And so. Uh, so yeah, it was, I, I forgot like how happy I am when I’m in the water.

So I, yeah, so that was, that was really good, but it, but it was stupid expensive. Like, I mean, I, I spent, you know, close to a grand going out scuba diving, but it was, but it was great,

[00:02:29] Prasanna Malaiyandi: was well worth it though, to you look at how happy relaxed you are. And,

[00:02:33] W. Curtis Preston: Yeah. And

[00:02:34] Prasanna Malaiyandi: and hopefully, after this podcast, you will still continue to be happy and relaxed, but we shall see,

[00:02:40] W. Curtis Preston: We’ll see, we’ll see right now I’m in the, oh crap. I’m back at work this morning. I had to do some training. Now I gotta do a podcast and you know, it’s just, you know, welcome back to the real world. Um, Let’s bring on our guest today. Uh, I’m excited. He is a cybersecurity advisor who helps with assessment remediation and management of cybersecurity.

He currently leads an it services practice called Tech and Maine, and is also the host of Tech and Maine presents podcast. You can find both of them at techandmain.com. Welcome to the podcast, Shaun St Hill.

[00:03:18] Shaun St. Hill: Curtis. Thank you. It is an honor to be here, super excited and looking forward to our time together.

[00:03:25] W. Curtis Preston: And we’re not gonna get any, uh, sympathy from you

[00:03:29] Shaun St. Hill: well, I was gonna say, and I didn’t know how this would be taken, but let’s just jump right in. You went to Hawaii, sir, you get zero sympathy.

If you went to the bank and said, could I withdraw some sympathy for the trip that I took to Hawaii?

They would say, sir, you need to walk right back out because you’ll get, you can take out zero sympathy

[00:03:58] W. Curtis Preston: I get it. I get it. You know, I got, I had a great trip to Hawaii, my wife had a great time. She, she hung out with her best friend who lives in Hawaii. It was a great all around trip, but oh man, it was, so it was a little warm and, and I had to spend lots of money while doing awesome things.

[00:04:17] Shaun St. Hill: Sounds sounds very first world to me

[00:04:19] Prasanna Malaiyandi: I know seriously,

[00:04:21] Shaun St. Hill: world

[00:04:22] W. Curtis Preston: #firstwordproblems. Yeah. Yeah. Meanwhile, you know, The world is fall. I, I left for a week and you know, the queen died. Uber got attacked. Like what, what happened while I,

[00:04:38] Prasanna Malaiyandi: Well, I remember asking you, I was talking to you. What was it yesterday? Yeah. Yesterday, right? I was like, oh, Curtis, did you hear about this Uber thing? You’re like I’m behind on everything. I don’t know what, yeah. You’re I.

[00:04:48] W. Curtis Preston: did a real vacation. Like I tried really hard not to look at my phone. Certainly didn’t respond to any work emails. So I, I thought we’d take this opportunity since, you know, you’re in that cybersecurity world to discuss the Uber attack. Um, and, and I’ll, I’ll mention that.

Um, for five years now, uh, I, back when I was underemployed for a minute, I actually became an Uber driver, uh, five, six, actually, I guess it’s six years now. And so, and, and I, I have stayed active, so I still, you know, occasionally drive for them when I want to get out of the house. Right. Um, . And so I am both an Uber passenger and an Uber driver.

And then I hear that, you know, they got attacked. I, I guess the good news that we’re hearing, uh, that you can either confirm or deny or, or whatever is that the no user accounts were affected. That’s what I’m hearing. I don’t know. What, what, what have you heard?

[00:05:51] Shaun St. Hill: Curtis I’ve I’ve heard the same thing. So this really, to me is very interesting. On a number of fronts. The first being back in, I want to say 2016, Uber had another cybersecurity incident. One that ended up costing the then CISO his job. And I believe there was some sort of lawsuit associated with that.

[00:06:20] W. Curtis Preston: Hmm.

[00:06:20] Shaun St. Hill: The other thing that always is interesting to me, When the company that had the security incident immediately comes out and says, oh, well, no, no customer information. Or, you know, P you know, PII was, was touched.

[00:06:40] W. Curtis Preston: yeah. And no code. No, you know, well, what did, what did they

[00:06:45] Prasanna Malaiyandi: well, I think I thought it’s actually said, like they were, I was reading a earlier, very specific about like no sensitive personal data or some very specific term they were using to reference to like what they said was not accessed.

[00:07:02] Shaun St. Hill: A, and so that’s that, like I said is always interesting to me because it sounds very much like someone that was coached by a public relations agency.

[00:07:14] W. Curtis Preston: Well, you know, that they’re coached by a

[00:07:16] Shaun St. Hill: Oh, of course of of course. So, so, so the, so the thing is one, what really happened and two, how soon will we know. The, the person that this hacker that was, or has, um, self-identified as the person that got in. It’s interesting. There’s a company, uh, a game company. I think it’s rocket games. Maybe they put out grand theft auto.

[00:07:54] W. Curtis Preston: right.

[00:07:55] Prasanna Malaiyandi: rockstar that just got GTA six grant theft, auto six, uh, Got released way ahead of time. They, I think they had hacked in, they had basically stolen the game that no one had knew was actually happening and leaked it on the web.

[00:08:09] Shaun St. Hill: So thank you. Prasanna. What’s interesting is the same person has self identified as the hacker. So,

[00:08:18] W. Curtis Preston: And they’re, they’re connected to Lapsus$ by the way.

[00:08:22] Shaun St. Hill: ah, interesting. So, so, so here, so we here, we have this, these amazing connections and not amazing as. They’re the right kind of connections, but it’s just, it’s it makes for an interesting story. The, the last thing is when you, when you think about a company, the size of Uber, going back to that 2016 security incident, you’d want to be sure that your name doesn’t come up in the news. Also posted on one of the social media platforms, a screenshot of Uber’s career portal. And so it looks like there’s all of a sudden, you know, multiple openings for, you know, cybersecurity positions, which, which, again, Curtis it’s like what. Do we not have the time and the money on the front end or on the back end?

Like, you know, why does it always take an incident like this for you to be able to find budget and then open up these jobs and then spend millions of dollars to hire these amazing consultants to help you do what, according to what happened in 2016, you said you were doing or should have done.

[00:09:56] Prasanna Malaiyandi: So I think so I’ll take a stab at that. And Curtis, I think we should throw out our disclaimer first.

[00:10:02] W. Curtis Preston: Yeah. Yeah. out our disclaimer, uh, Prasanna and I work for different companies, uh, he works for Zoom. I work for Druva. We’re not representing either company and the opinions that you hear are ours. And also, uh, you know, if you’d like to rate us, we’d love to, you know, see your rating, just go to your favorite podcatcher.

And, uh, you know, give us, give us all the stars and comments. We love comments. In fact, we’re currently running a comment promotion, uh, that if we get I, I went and checked. It’s gotta be 25 comments by the I’m. I’m gonna push it.

I’m gonna push it out. I’m gonna push it out to the end of October. Uh, if we get 25 comments total, by the end of October, I will continue to grow this beard and I’ll do my best to look like Santa Claus by come Christmas time.

So, um, and if you’d like to join the conversation, please reach out to me @wcpreston on Twitter or wcurtispreston at Gmail and Prasanna. You’re probably gonna mention that maybe you work a little bit in the, in the privacy area,

[00:11:05] Prasanna Malaiyandi: Yeah. Well, that’s one of the things I wanna talk about. And even before I got into privacy, right? I think the challenge is security is seen as a risk reduction function of an organization, right. It’s to protect the organization now, uh, I’m not saying this is how it is everywhere.

Right. But in some places that’s kind of how it’s seen. And so one of the challenges becomes you have this tension between security, privacy compliance, right? All of these sort of risk reducing. Organizations which wanna keep the business protected versus sort of your revenue driving parts of the business, which are like, we gotta ship something, we gotta ship something, we gotta get it out the door.

Right. We gotta get more money. And so there’s this tension because the revenue side wants to go fast. Right? Wants to innovate, wants to get things out there quickly. And the security side. Doesn’t always have, like you said, the budget, the number of people, right. To be able to look over all of the things that the revenue side is doing to make sure it’s being done the right way.

And so you kind of have to pick and choose what you focus on. And sometimes it’s accepting the risk, right? It’s like saying, Hey. I can only cover 30 or 40 or 70% take whatever number you wanna take of the products going out the door. And that’s what I’m gonna be focused on and making sure that at least those are good enough and there are no major vulnerabilities.

Now it could be done better where you get security, privacy compliance. Earlier on in the process. So it’s sort of privacy by design security by design, right, where they’re working hand in hand as product is being developed. So you make sure that security is baked in, right? All of these other processes are baked in rather than having to worry about it at the end, but it’s always that tension, right?

People will always wanna spend more on R and D and not necessarily more on security and privacy in other compliance parts of the business.

[00:12:56] W. Curtis Preston: by the way, and, and this is not in any way, a defense of Uber. The problem for Uber is that they have I’m, I’m just gonna say dozens, but I think it might be well over a hundred different versions of the same product for those of you that aren’t Uber drivers. They run different features and different functionality.

And they’re constantly AB testing. What if we did this for drivers? What if we did this for passengers? And they’re like, let’s do it for everybody in San Diego for two weeks. Right? So they’re, it’s not just one product that they’re releasing out across the world. They’re constantly tweaking the algorithm.

And so, so they’ve got that push, like you were saying to spend a lot of money on R and D and perhaps a little bit less on, on the things that you’re talking about. I, I just wanted to mention, by the way, um, Shaun, the. The I, I, I pulled up the breach, the, the old breach, uh, and it was actually 2014.

The reason why you’re thinking 2016 is they didn’t tell us about it until 2015. Uh, and that’s, and so that’s why. And then, and then they talked to the, the FTC in 2016, um, Yeah. And so, so the, basically this is referred to as the data breach and coverup timeline, which goes all the way until 2020, right?

Yeah. So there were, there was a lot because it, it, because basically they tried to cover it up. So I will say at least Uber has learned that lesson. The,

[00:14:37] Shaun St. Hill: good for them.

[00:14:38] W. Curtis Preston: it looks like they’ve learned that lesson they’ve come out right away as far as that’s what we think. Of course they may not have been given a choice because this person did it publicly.

Uh, anyway, sorry. I,

[00:14:51] Prasanna Malaiyandi: Now the, the one other thing I wanted to bring up too is I think, I know I was talking about product security, but if we look at the Uber side of things and what happened, it was more of an operation security,

[00:15:04] W. Curtis Preston: Yeah.

[00:15:05] Prasanna Malaiyandi: breach, right? It was, uh, contractor who basically got fooled into sharing their multifactor authentication codes, right.

With the hacker, which then allowed that hacker access into Uber’s environment. Now the fact that the, uh, the hacker was able to laterally move within the environment. Right. Isn’t great. right. That they were able to access the AWS infrastructure and hacker one systems and their VMware infrastructure. Right.

That things weren’t isolated and alerts weren’t going off right. Is worrisome. But I, I think it’s less about the product side, right. And more about the operation side

[00:15:44] W. Curtis Preston: What do you think about the contractor aspect, John?

[00:15:48] Shaun St. Hill: So this honestly is something that you would think companies have a better handle on. And that is who has access to the kitchen, so to speak, who has the keys to the kingdom. You, you hear so much about zero trust and the need to make sure that whoever has access to the source code or to, you know, some other part of the environment, you know, they, they need to verify going in and then as soon as they come out, you make sure that, you know, they’re not able to go back in, you know, pry the door open, so to speak and for a company, the size of Uber’s for that to be the case, I think there, there needs to be, there needs to be some comeuppance for that.

[00:16:52] W. Curtis Preston: That’s a good word. I like that word. Um, now you, there was something on the pre-call. You, you talked about you, the companies are very quick to throw the contractor under the bus.

[00:17:03] Shaun St. Hill: Yes. So before we actually started recording, we were talking about colonial pipeline and a number of other organizations. And again, this isn’t

[00:17:15] W. Curtis Preston: target was one of them.

[00:17:16] Shaun St. Hill: target. Right? So these are. Stories and information that’s out in the public domain. We’re not throwing shade at any one particular company we’re just stating what’s already out there.

And so these companies during their security incidents made sure to tell you that, oh, it was the intern or, oh, it was the HVAC contractor as a, as a person who now has to go through signing up for whatever credit monitoring you’re throwing out to me that doesn’t give me the warm and fuzzies, nor does it as a shareholder or an investor.

Give me the warm and fuzzies to know that the money that we’ve given either through stock purchase or through, you know, a round of funding that that money was used for. Offsite leadership retreats or something other than securing and locking down the important things, customer data, whether that customer’s internal or external.

So, so for me, there’s, there is this need to own the situation. Like my, like my daughter and her teenage friends will say, I own that. There needs to be that aspect of it. And then again, the, the, the comeuppance, so to

[00:18:50] W. Curtis Preston: Prasanna mentioned about lateral movement? We don’t know what type of contractor this was, but I hope it was like an it admin contractor, because if he wasn’t an it, she wasn’t an it admin contractor. The fact that they were able to modify the open DNS configuration that by the way, if, if one of the things that happened was.

They modified the open DNS configuration so that if anybody went to any webpage, what they got was a pornographic image and message. Right. Um, so, so either this was an admin level contractor, or they had a serious, least privileged problem,

[00:19:35] Prasanna Malaiyandi: well, I think what happened though, was I believe that the hacker got in, he then found he, or she then found a share, which contained passwords for other parts of the system.

[00:19:48] W. Curtis Preston: I can’t. I just can’t even with this, I can’t, you know, the last one, the last was an open S three bucket, right. You telling me inside your company is a share with admin passwords.

[00:20:04] Prasanna Malaiyandi: I don’t know what type of passwords they were, but I think I did read in an account in one of the blog posts, that there was a, uh, a share that the attacker used that had the passcodes.

[00:20:18] W. Curtis Preston: can’t Shaun, stop me.

Just an editor’s note here. I researched what persona was talking about and what it appears happened was that there was a PowerShell script with admin credentials hard coded in it. So after they got the mFA hack. They then scanned the internal network and they found this PowerShell script, which was unprotected from those that did not have admin credentials, and that’s what they used to escalate their privileges to, which I just want to go. Ugh, I I’m back to, I just can’t. I, I, I just don’t understand how that happened.

[00:21:03] Shaun St. Hill: There seems to be this common theme of slackness no pun intended. Slack was thank you. You know, slack being one of the tools that was named, um, and abused in this particular incident.

But there, there, there seems to be this indifference and this, oh, no one will ever find out no one will ever be able to access. Right. It’s it’s that, it’s that virtual sticky note under the keyboard, if you will. No, no one will ever think to look under the keyboard, to see all of the passwords that I’ve written.

[00:21:44] W. Curtis Preston: So how, how about this? Let’s talk about what we, what we can learn. What, so here, the, the thing that we’re sort of dancing around is this concept of least privilege, right? I’m thinking about there was a GDPR breach in Europe. I’m thinking Spain. I can’t remember exactly. And it was a hospital we’ve talked about it on the podcast. This was a couple years ago. It a hospital. And when the, the breach, what the breach was, was it was an investigation.

And the investigation showed that. They didn’t understand the concept or they just, they just didn’t care about the concept of Lee’s privilege. They gave doctor level access to every single employee in the, in the, uh, hospital. That, that was, that was the easiest thing to do. So it didn’t matter if you were the janitor or if you were a surgeon, you had access to everything, including medical records and such. The, the big thing I would say is to, to make sure like use Okta, right. Okta isn’t evil and, and it’s not, I’m not picking Okta, but it’s just, it’s the one that’s off the top of my head, use something like Okta, but then don’t just give everybody access to everything, give them access to the things they need access to.

Another editor’s note here, because we ultimately found out after the recording, that the big breach here was that there was a PowerShell script with admin credentials. The other big thing that we can learn here is don’t do that number, number one, right? Don’t put admin level , credentials in a script.

We had to do that 20 years ago maybe, or. You know, I, I, I don’t, I don’t know if that’s that shouldn’t ever have to be the case. There are other ways to get credentials or to require that the script be run as an administrator. There are ways around that issue. And if. You can’t get around that issue. And again, I don’t, I’m not a PowerShell expert.

I’m not a Windows expert by any means, but if you can’t get around that issue, then make sure that any script like that is stored in a way that only people that already have admin credentials can get access to it. But again, I don’t think you should have to write a script like that.

The other thing I would add to that is internal pen tests, right? Why is it only the hacker that was able to scan around to see if there were scripts that, that an ordinary person is able to access that have admin credentials? Why didn’t they do that? You should be doing that. So.

Again, if you don’t have that internal access, there are services, there are SaaS services. There are consultants, there are all sorts of people that you can hire or pay for a service to do penetration testing, both externally and internally. so that you can find out these vulnerabilities before they bite you the way that Uber got bit.

[00:24:49] Shaun St. Hill:

So the, the thing that comes to mind for me, Curtis, if you don’t have the people internally that care and, or have the skill set necessary to help put those controls in place, then please. For the love of God, reach out to a managed security service provider who is literally frothing at the mouth to be able to add you as a logo.

[00:25:20] W. Curtis Preston: Right.

[00:25:20] Shaun St. Hill: and then take that responsibility that could or should be assigned to a full-time employee, allow them to come in and take that excuse away from you.

[00:25:34] W. Curtis Preston: Yeah, absolutely. Cybersecurity. Has a different problem than data protection. So data, the problem with data protection backup. So nobody wants to do it right. Nobody, nobody wants to do that job that, that, you know, I’ve been in this business coming up on three decades. That part has never changed.

Right? Cyber security, at least people wanna sign up, but there is a global skill shortage. And you may not have anyone at your company that, that knows what they’re doing. Right. And so I, I wholeheartedly concur with you to, to use an MSP, to use, you know, you know, consulting companies. The episode that we published today was with Horangi, which, which automates cloud security and, um, you know, and specifically for the Asian market, but they’re broadening into the, into the rest of the world.

Uh, and Horangi is apparently the Korean word for tiger. So there you go.

[00:26:32] Prasanna Malaiyandi: or the other thing is if you are running in the cloud as a SaaS service or whatever else, reach out to the cloud company, because they have well architected reviews, they have best practices. They have tools already, right. To sort of help you cover the basics to make sure you’re not doing something obviously wrong, like making a public S3 bucket.

[00:26:55] W. Curtis Preston: Yeah. Can you think of any other big lessons from this particular, um, hack Shaun?

[00:27:03] Shaun St. Hill: The other big lesson is make sure that what is done internally is, is checked. Right? So. sure that if someone does have responsibility for a particular tool or particular part of the environment, make sure that there’s someone that, that follows up if you will.

And I forget the exact saying, but what, what gets inspected? Uh, it, it slipped my mind. It’s, it’s the one where if you, if you wanna make sure that it’s done, it has to be inspected.

[00:27:48] W. Curtis Preston: right.

[00:27:49] Shaun St. Hill: So that, that would, that would be my thing, you know, make sure that there is some follow through and some, you know, coming behind the person or behind, you know, the tool to make sure. What is to be protected or, you know, what is to be passed has a, has in fact taken place.

[00:28:12] W. Curtis Preston: Right. And I will also say one lesson I would say is that, you know, we, we talk about MFA a lot and I’m a huge fan of MFA. And if you don’t have, if you don’t have MFA, then What

What at this point, but it’s not infallible.

[00:28:26] Prasanna Malaiyandi: in fact that’s what happened here again,

right?

Just like, yep. Just like with Okta. That’s what happened. So just be careful,

[00:28:36] W. Curtis Preston: Yeah. I mean, I don’t understand this concept of, I, I get 57 MFA requests and so I just approve it to make it stop. I don’t understand that person. Like I would be calling it going. What the hell

[00:28:49] Prasanna Malaiyandi: so what happened in the case of Uber though, is that the person, uh, pretended to be Uber it and pinged them on WhatsApp and said, oh, by the way, I’m, Uber’s it. Please accept the MFA. Right. And so they kept doing that. If you wanted the MFA to stop. . Yep. And so then eventually the person’s like, okay.

And then they just said, yep, good to go.

[00:29:14] W. Curtis Preston: Okay. I’m I’m done talking about this. I want to go onto your second subject, Shaun. You, you, you, it’s still in the same area, you in our pre-call you had talked about, um, you know, K through 12 funding and specifically funding for, uh, this kind of thing. Why don’t you, why don’t you talk about that.

[00:29:36] Shaun St. Hill: Sure. Mid-September of 2022, LA unified school district had a massive security incident. LA unified school district is the second largest school district in the nation. And so along with the security incident, came a request from some high ranking government officials in California, along with the leadership from the school.

Asking the FCC to immediately consider allowing eRate to be used eRate funds. So just

for a quick, yeah. So for, uh, for those that may not be familiar, eRate is a government program where each year school districts across the country can basically petition the government for services like internet.

Access points. So things that will help from a technology standpoint within the district. And so interestingly enough, cybersecurity is not one of those technology services that they can get government funding for. And so they’re asking the government to issue some sort of waiver that would allow for that to take place immediately.

And as I was mentioning before we talked, or before we started the podcast, The cares act. And then the follow up, which was the American rescue plan, allocated billions of dollars to school districts for them to use, to spend on technology. And one of those technology expenditures could be in the area of cybersecurity.

So what I was saying is not that school districts don’t deserve or need. The money from E-Rate, but I would first ask what have you done with the funding from cares and from art to upgrade your cybersecurity?

[00:31:45] Prasanna Malaiyandi: And I wonder actually, if they were even thinking about cybersecurity, when they were looking at that funding that came in, right, maybe they were like, Hey, we need more laptops. We need to worry about remote education. We need to put all these other equipment in place.

Maybe cybersecurity didn’t even like, come to mind.

[00:32:04] Shaun St. Hill: And, and Prasanna. I think that is a wonderful that’s. That is a, that is a reasonable assumption. However, if you dig into K12 and the number of security incidents, it’s

[00:32:24] Prasanna Malaiyandi: it’s on the rise.

[00:32:25] Shaun St. Hill: it’s it’s, it is, it is very much on the rise. And so me being the cybersecurity and data nerd that I am.

There are websites and different tools available to show that this has been a thing before the pandemic. And so, again, your, your, your question or your, your concern is very reasonable. We, we needed to get laptops and People out in the community to help distribute that. We had to, you know, make sure that our teachers had what they needed.

And so yes, there were very legitimate, immediate concerns that needed to be addressed.

[00:33:14] Prasanna Malaiyandi: no one focused on this at all.

[00:33:16] Shaun St. Hill: this, this, this is such a critical thing that. if, if this was 2008 or 2009, we could give you a pass

[00:33:28] Prasanna Malaiyandi: Yeah.

[00:33:29] Shaun St. Hill: and say, you know what? There’s so much to this. It’s, you know, not only do we not have the employee or the staff, we don’t have the budget there again, 14, 15 years ago.

Totally get.

[00:33:49] Prasanna Malaiyandi: Times have changed.

[00:33:51] Shaun St. Hill: Times times have changed so much so that these school districts are partnered with other providers. So think of illuminate is, is a big one that was in the news recently where these companies provide software to the school districts and every parent, every child in the school district, every administrator, every teacher uses.

This software to help with a particular function, you know, um, within the school. And so it’s, it’s, it’s not as though you aren’t aware that these things are happening again. The, the very reasonable question that you asked. Well, we have all these other priorities. Yes. But you also have this awareness that you need to take care of.

[00:34:46] W. Curtis Preston: Right.

[00:34:46] Shaun St. Hill: Your your kids and their parents and your staff.

[00:34:49] Prasanna Malaiyandi: One of the things is I. If you think about the disruption that could happen at schools, right? It’s not just, I think LA unified, right. They had a ransomware attack, right. That kind of took down their infrastructure.

Right. And that’s disruptive because just imagine, I, I can’t remember the exact number. Right. But hundreds and thousands of kids no longer in school because they can’t go, they can’t get attendance. They can’t check in. If they’re doing remote learning, they can no longer access things. Right. That’s so disruptive.

The other side though, is I know a lot of time when we talk about ransomware, we also talk about exfiltration of data right now, kids’ data, right? Imagine that you now have access to kids’ records, you’re stealing their social security numbers, or other pieces of information. Right? These are kids who don’t have credit.

Imagine now starting using that for identity theft and other purposes. It’s a lot of sensitive, sensitive data that could potentially be exposed that you may not find about. Find out until the kid turns 18. Right?

[00:35:50] Shaun St. Hill: Prasanna there are 10 year olds right now who have Maseratis and Porsches in their name. They have homes in Hawaii, Connecticut that are in their name and they won’t know it until many years. Hence, and it’s because of what we’re talking about now, the, the, the need to take cybersecurity seriously is, is way overdue.

[00:36:26] W. Curtis Preston: A thought did occur to me and I do wonder about at what point. So like I locked down my, my, um, credit reports, right? So, uh, so at least minimizing this risk personally, uh, on my side. And I’m wondering at what age. Would could, should you do that with a minor,

right. Like,

[00:36:49] Prasanna Malaiyandi: when you’re still in the hospital.

[00:36:51] W. Curtis Preston: well, like when can you CA you know, can you, can you do this?

Like, as soon as they have a social security number, I would think you would be able to do it, right?

[00:36:58] Shaun St. Hill: You can So it’s, it would be, it would be incumbent on the parent to do that,

[00:37:04] W. Curtis Preston: Yeah.

[00:37:05] Shaun St. Hill: to go ahead

and

lock

[00:37:06] W. Curtis Preston: gonna talk, I’m gonna talk to my kids.

I’m gonna keep my, keep my granddaughter from owning a Mo home in, well, maybe I’ll let her have that home in Hawaii.

[00:37:16] Prasanna Malaiyandi: I think the challenge though, is like, we’re talking about it now and you’re you were aware of credit freezes, right? Curtis. But there are a lot of parents who aren’t even aware of a lot of the tech or possib process and possibilities that they might be able to leverage like credit or freezing the credit of their child.

Right. And so what do you do for those parents? Right? How do you. Inform them or let them be aware that, Hey, there are these other options that you should be thinking about to protect your kids.

[00:37:44] W. Curtis Preston: Well, I can only help the lucky few that are smart enough to listen to this podcast. So go do that, right. I, I think, and I’ve never, I never thought about it myself. I am well aware of the concept of freezes, but I never thought of freezing my granddaughter’s credit. She doesn’t need. You know, an open credit report right now.

Um, what, you know, what’s really weird, you know, it’s a bit of a non-sequitur, but what’s really weird is there are like, if you Google, should I, or how could, how do I freeze your credit? You will find. Um, blogs that tell you that don’t do it because it’s, uh, it makes getting credit cards, inconvenient and such.

And I will agree. It absolutely did. When we got our first new car in a long time, uh, but you know, what else is inconvenient?

[00:38:33] Prasanna Malaiyandi: Having your identity stolen?

[00:38:35] W. Curtis Preston: Having your identity stolen? Um, yeah, it’s just, you know, it’s, it’s like security, security is never convenient. Right. Um, you know, having to unlock my front door when I come to the house, not convenient.

Right. But it minimizes the number of yahoos running through my house. Um, Shaun, we’re about to wrap this up. Uh, any, any final thoughts regarding the school system.

[00:39:01] Shaun St. Hill: There are a number of things that I’d yet say about security and the, the school districts, the one that I will put out there is, again, the, the amount of funding that is available through the sources that we mentioned, you know, cares and the American rescue plan.

But beyond that, there are local and state grants available for technology upgrades that include cybersecurity. What am I saying? There really isn’t an excuse, right? Until you have turned over every stone and exhausted every possibility, you don’t have an excuse. There is no reason that your school district should be easy pickings.

For someone to come through and get tens of thousands of, you know, student records and parent records. There’s, there’s just no reason for it.

[00:40:05] W. Curtis Preston: Yeah, that sounds about right. , I would suggest anybody that, you know, wherever you live, reach out to your school district, find out what they’re doing.

[00:40:14] Prasanna Malaiyandi: Ask how they’re securing your data.

[00:40:16] W. Curtis Preston: Maybe they’re completely clueless, right? Maybe you should volunteer.

I don’t know. I don’t know what the answer is there, but starts with this is a represent. Our podcast is listened to in more places than there are representative governments. But if you have a representative government you gotta represent

[00:40:35] Shaun St. Hill: Exactly.

[00:40:36] W. Curtis Preston: Yeah. Yeah. All right. Well, uh, thanks Shaun.

For, for coming on. It’s been great

[00:40:42] Shaun St. Hill: Prasanna Curtis. Thanks for your time. Appreciate being on you guys are doing a great job.

[00:40:49] W. Curtis Preston: and, uh, Prasanna, thanks for not giving any care about my post vacation depression.

[00:40:57] Prasanna Malaiyandi: That that’s the least I can do, Curtis, you know, it was nice talking to you too, Shaun.

[00:41:05] W. Curtis Preston: And thank you to our listeners. Remember to subscribe so that you can restore it all


%d bloggers like this: