Sept. 26, 2022

Learning lessons from the Uber and LA USD cyberattacks

The Uber attack is huge. The initial penetration teaches about MFA, and how they were able to escalate their privileges from there is simply wrong, wrong, wrong. What can you learn from this? Well, we have a cybersecurity expert, and host of the Tech and Main podcast, on the pod this week to help us figure that out. We had planned to just talk about the Uber attack, but he also wanted to talk about what happened to the LA Unified School District. Do you have kids in school, or know someone employed in K-12 education? Shaun St. Hill makes a solid point or two about what they should be doing. All that and Curtis complaining about how much he spent on his vacation to Hawaii. Boo hoo, right?

Transcript
W. Curtis Preston:

Hi, and welcome to Backup Central's Restore It All podcast. I'm your host W. Curtis Preston, AKA Mr. Backup, and I have with me my post-vacation depression consultant, Prasanna Malaiyandi. How's it going, Prasanna?

Prasanna Malaiyandi:

I am good. Jealous of your vacation. Also really upset that you decided to come back from said vacation rather than just like being like, yeah, I'm just gonna stay remotely and extend my vacation by another week or two weeks or a year, whatever it is.

W. Curtis Preston:

I had to come back because, a, I was going broke. I was spending like $250 every time I got on a scuba boat. It was very, the diving is really expensive over there. Partly cuz I had to rent a wet suit. I brought all my gear, but left my regulator behind like a moron. So I had to rent a regulator every time I dove. It was great diving. I was at the Big Island, so I was diving in Kona. I did a pelagic dive where you, you interact with like transparent and, and, and translucent. And what, what do you call the bioluminescent creatures, by diving over 5,000 foot of ocean? Oh, that was, that was, that was way cool.

Prasanna Malaiyandi:

So, so I think that you need a new profession, Curtis, in addition to Mr. Backup. I think you need to be like in the water all the time. Maybe there's something about like backup in the ocean or like data centers in the ocean.

W. Curtis Preston:

I am so happy. Like, and it's been so long since I've dove, like, because I, I, my, my gear on my last dive to, to Hawaii was my last dive and my gear broke and, um, you know, it's, it's expensive to replace that stuff. And so. Uh, so yeah, it was, I, I forgot like how happy I am when I'm in the water. So I, yeah, so that was, that was really good, but it, but it was stupid expensive. Like, I mean, I, I spent, you know, close to a grand going out scuba diving, but it was, but it was great,

Prasanna Malaiyandi:

Was well worth it though, to you look at how happy, relaxed you are. And,

W. Curtis Preston:

Yeah. And

Prasanna Malaiyandi:

and hopefully, after this podcast, you will still continue to be happy and relaxed, but we shall see,

W. Curtis Preston:

We'll see, we'll see. Right now I'm in the, oh crap, I'm back at work this morning. I had to do some training. Now I gotta do a podcast and, you know, it's just, you know, welcome back to the real world. Um, let's bring on our guest today. Uh, I'm excited. He is a cybersecurity advisor who helps with assessment, remediation and management of cybersecurity. He currently leads an IT services practice called Tech and Main, and is also the host of the Tech and Main Presents podcast. You can find both of them at techandmain.com. Welcome to the podcast, Shaun St. Hill.

Shaun St. Hill:

Curtis. Thank you. It is an honor to be here, super excited and looking forward to our time together.

W. Curtis Preston:

And we're not gonna get any, uh, sympathy from you

Shaun St. Hill:

Well, I was gonna say, and I didn't know how this would be taken, but let's just jump right in. You went to Hawaii, sir, you get zero sympathy. If you went to the bank and said, could I withdraw some sympathy for the trip that I took to Hawaii? They would say, sir, you need to walk right back out because you'll get, you can take out zero sympathy

W. Curtis Preston:

I get it. I get it. You know, I got, I had a great trip to Hawaii, my wife had a great time. She, she hung out with her best friend who lives in Hawaii. It was a great all-around trip, but oh man, it was, so it was a little warm and, and I had to spend lots of money while doing awesome things.

Shaun St. Hill:

Sounds, sounds very first world to me

Prasanna Malaiyandi:

I know, seriously,

Shaun St. Hill:

world

W. Curtis Preston:

#firstworldproblems. Yeah. Yeah. Meanwhile, you know, the world is fall. I, I left for a week and, you know, the Queen died. Uber got attacked. Like what, what happened while I,

Prasanna Malaiyandi:

Well, I remember asking you, I was talking to you. What was it, yesterday? Yeah. Yesterday, right? I was like, oh, Curtis, did you hear about this Uber thing? You're like, I'm behind on everything. I don't know what, yeah. You're I.

W. Curtis Preston:

did a real vacation. Like I tried really hard not to look at my phone. Certainly didn't respond to any work emails. So I, I thought we'd take this opportunity, since, you know, you're in that cybersecurity world, to discuss the Uber attack. Um, and, and I'll, I'll mention that. Um, for five years now, uh, I, back when I was underemployed for a minute, I actually became an Uber driver, uh, five, six, actually, I guess it's six years now. And so, and, and I, I have stayed active, so I still, you know, occasionally drive for them when I want to get out of the house. Right. Um. And so I am both an Uber passenger and an Uber driver. And then I hear that, you know, they got attacked. I, I guess the good news that we're hearing, uh, that you can either confirm or deny or, or whatever, is that the no user accounts were affected. That's what I'm hearing. I don't know. What, what, what have you heard?

Shaun St. Hill:

Curtis, I've, I've heard the same thing. So this really, to me, is very interesting. On a number of fronts. The first being back in, I want to say 2016, Uber had another cybersecurity incident. One that ended up costing the then CISO his job. And I believe there was some sort of lawsuit associated with that.

W. Curtis Preston:

Hmm.

Shaun St. Hill:

The other thing that always is interesting to me, when the company that had the security incident immediately comes out and says, oh, well, no, no customer information. Or, you know, P, you know, PII was, was touched.

W. Curtis Preston:

Yeah. And no code. No, you know, well, what did, what did they

Prasanna Malaiyandi:

Well, I think, I thought it's actually said, like they were, I was reading earlier, very specific about like no sensitive personal data or some very specific term they were using to reference to like what they said was not accessed.

Shaun St. Hill:

A, and so that's that, like I said, is always interesting to me because it sounds very much like someone that was coached by a public relations agency.

W. Curtis Preston:

Well, you know, that they're coached by a

Shaun St. Hill:

Oh, of course, of, of course. So, so, so the, so the thing is one, what really happened and two, how soon will we know. The, the person that this hacker that was, or has, um, self-identified as the person that got in. It's interesting. There's a company, uh, a game company. I think it's Rocket Games. Maybe they put out Grand Theft Auto.

W. Curtis Preston:

Right.

Prasanna Malaiyandi:

Rockstar, that just got GTA 6, Grand Theft Auto 6, uh, got released way ahead of time. They, I think they had hacked in, they had basically stolen the game that no one had knew was actually happening and leaked it on the web.

Shaun St. Hill:

So thank you, Prasanna. What's interesting is the same person has self-identified as the hacker. So,

W. Curtis Preston:

And they're, they're connected to Lapsus$, by the way.

Shaun St. Hill:

Ah, interesting. So, so, so here, so we here, we have this, these amazing connections, and not amazing as they're the right kind of connections, but it's just, it's, it makes for an interesting story. The, the last thing is when you, when you think about a company the size of Uber, going back to that 2016 security incident, you'd want to be sure that your name doesn't come up in the news. Also posted on one of the social media platforms, a screenshot of Uber's career portal. And so it looks like there's all of a sudden, you know, multiple openings for, you know, cybersecurity positions, which, which, again, Curtis, it's like what. Do we not have the time and the money on the front end or on the back end? Like, you know, why does it always take an incident like this for you to be able to find budget and then open up these jobs and then spend millions of dollars to hire these amazing consultants to help you do what, according to what happened in 2016, you said you were doing or should have done.

Prasanna Malaiyandi:

So I think, so I'll take a stab at that. And Curtis, I think we should throw out our disclaimer first.

W. Curtis Preston:

Yeah. Yeah. Out our disclaimer, uh, Prasanna and I work for different companies, uh, he works for Zoom. I work for Druva. We're not representing either company and the opinions that you hear are ours. And also, uh, you know, if you'd like to rate us, we'd love to, you know, see your rating, just go to your favorite podcatcher. And, uh, you know, give us, give us all the stars and comments. We love comments. In fact, we're currently running a comment promotion, uh, that if we get, I, I went and checked. It's gotta be 25 comments by the, I'm, I'm gonna push it. I'm gonna push it out. I'm gonna push it out to the end of October. Uh, if we get 25 comments total by the end of October, I will continue to grow this beard and I'll do my best to look like Santa Claus by come Christmas time. So, um, and if you'd like to join the conversation, please reach out to me @wcpreston on Twitter or wcurtispreston at Gmail, and Prasanna, you're probably gonna mention that maybe you work a little bit in the, in the privacy area,

Prasanna Malaiyandi:

Yeah. Well, that's one of the things I wanna talk about. And even before I got into privacy, right? I think the challenge is security is seen as a risk reduction function of an organization, right. It's to protect the organization. Now, uh, I'm not saying this is how it is everywhere. Right. But in some places that's kind of how it's seen. And so one of the challenges becomes you have this tension between security, privacy, compliance, right? All of these sort of risk reducing organizations which wanna keep the business protected versus sort of your revenue driving parts of the business, which are like, we gotta ship something, we gotta ship something, we gotta get it out the door. Right. We gotta get more money. And so there's this tension because the revenue side wants to go fast. Right? Wants to innovate, wants to get things out there quickly. And the security side doesn't always have, like you said, the budget, the number of people, right. To be able to look over all of the things that the revenue side is doing to make sure it's being done the right way. And so you kind of have to pick and choose what you focus on. And sometimes it's accepting the risk, right? It's like saying, Hey, I can only cover 30 or 40 or 70%, take whatever number you wanna take, of the products going out the door. And that's what I'm gonna be focused on and making sure that at least those are good enough and there are no major vulnerabilities. Now it could be done better where you get security, privacy, compliance earlier on in the process. So it's sort of privacy by design, security by design, right, where they're working hand in hand as product is being developed. So you make sure that security is baked in, right? All of these other processes are baked in rather than having to worry about it at the end, but it's always that tension, right? People will always wanna spend more on R and D and not necessarily more on security and privacy and other compliance parts of the business.

W. Curtis Preston:

By the way, and, and this is not in any way a defense of Uber. The problem for Uber is that they have, I'm, I'm just gonna say dozens, but I think it might be well over a hundred different versions of the same product, for those of you that aren't Uber drivers. They run different features and different functionality. And they're constantly A/B testing. What if we did this for drivers? What if we did this for passengers? And they're like, let's do it for everybody in San Diego for two weeks. Right? So they're, it's not just one product that they're releasing out across the world. They're constantly tweaking the algorithm. And so, so they've got that push, like you were saying, to spend a lot of money on R and D and perhaps a little bit less on, on the things that you're talking about. I, I just wanted to mention, by the way, um, Shaun, the. The I, I, I pulled up the breach, the, the old breach, uh, and it was actually 2014. The reason why you're thinking 2016 is they didn't tell us about it until 2015. Uh, and that's, and so that's why. And then, and then they talked to the, the FTC in 2016, um, yeah. And so, so the, basically this is referred to as the data breach and coverup timeline, which goes all the way until 2020, right? Yeah. So there were, there was a lot because it, it, because basically they tried to cover it up. So I will say at least Uber has learned that lesson. The,

Shaun St. Hill:

Good for them.

W. Curtis Preston:

It looks like they've learned that lesson. They've come out right away, as far as that's what we think. Of course they may not have been given a choice because this person did it publicly. Uh, anyway, sorry. I,

Prasanna Malaiyandi:

Now the, the one other thing I wanted to bring up too is I think, I know I was talking about product security, but if we look at the Uber side of things and what happened, it was more of an operation security,

W. Curtis Preston:

Yeah.

Prasanna Malaiyandi:

breach, right? It was, uh, contractor who basically got fooled into sharing their multifactor authentication codes, right. With the hacker, which then allowed that hacker access into Uber's environment. Now the fact that the, uh, the hacker was able to laterally move within the environment. Right. Isn't great. Right. That they were able to access the AWS infrastructure and HackerOne systems and their VMware infrastructure. Right. That things weren't isolated and alerts weren't going off, right. Is worrisome. But I, I think it's less about the product side, right. And more about the operation side

W. Curtis Preston:

What do you think about the contractor aspect, Shaun?

Shaun St. Hill:

So this honestly is something that you would think companies have a better handle on. And that is who has access to the kitchen, so to speak, who has the keys to the kingdom. You, you hear so much about zero trust and the need to make sure that whoever has access to the source code or to, you know, some other part of the environment, you know, they, they need to verify going in and then as soon as they come out, you make sure that, you know, they're not able to go back in, you know, pry the door open, so to speak, and for a company the size of Uber's for that to be the case, I think there, there needs to be, there needs to be some comeuppance for that.

W. Curtis Preston:

That's a good word. I like that word. Um, now you, there was something on the pre-call. You, you talked about you, the companies are very quick to throw the contractor under the bus.

Shaun St. Hill:

Yes. So before we actually started recording, we were talking about Colonial Pipeline and a number of other organizations. And again, this isn't

W. Curtis Preston:

Target was one of them.

Shaun St. Hill:

Target. Right? So these are stories and information that's out in the public domain. We're not throwing shade at any one particular company, we're just stating what's already out there. And so these companies during their security incidents made sure to tell you that, oh, it was the intern or, oh, it was the HVAC contractor. As a, as a person who now has to go through signing up for whatever credit monitoring you're throwing out to me, that doesn't give me the warm and fuzzies, nor does it as a shareholder or an investor give me the warm and fuzzies to know that the money that we've given either through stock purchase or through, you know, a round of funding, that that money was used for offsite leadership retreats or something other than securing and locking down the important things, customer data, whether that customer's internal or external. So, so for me, there's, there is this need to own the situation. Like my, like my daughter and her teenage friends will say, I own that. There needs to be that aspect of it. And then again, the, the, the comeuppance, so to

W. Curtis Preston:

Prasanna mentioned about lateral movement? We don't know what type of contractor this was, but I hope it was like an IT admin contractor, because if he wasn't an IT, she wasn't an IT admin contractor. The fact that they were able to modify the OpenDNS configuration, that by the way, if, if one of the things that happened was. They modified the OpenDNS configuration so that if anybody went to any webpage, what they got was a pornographic image and message. Right. Um, so, so either this was an admin-level contractor, or they had a serious least privilege problem,

Prasanna Malaiyandi:

Well, I think what happened though, was I believe that the hacker got in, he then found, he or she then found a share which contained passwords for other parts of the system.

W. Curtis Preston:

I can't. I just can't even with this, I can't, you know, the last one, the last was an open S3 bucket, right. You telling me inside your company is a share with admin passwords.

Prasanna Malaiyandi:

I don't know what type of passwords they were, but I think I did read in an account in one of the blog posts that there was a, uh, a share that the attacker used that had the passcodes.

W. Curtis Preston:

Can't. Shaun, stop me. Just an editor's note here. I researched what Prasanna was talking about, and what it appears happened was that there was a PowerShell script with admin credentials hard-coded in it. So after they got the MFA hack, they then scanned the internal network and they found this PowerShell script, which was unprotected from those that did not have admin credentials, and that's what they used to escalate their privileges to, which I just want to go, ugh, I, I'm back to, I just can't. I, I, I just don't understand how that happened.

Shaun St. Hill:

There seems to be this common theme of slackness, no pun intended. Slack was, thank you. You know, Slack being one of the tools that was named, um, and abused in this particular incident. But there, there, there seems to be this indifference and this, oh, no one will ever find out, no one will ever be able to access. Right. It's, it's that, it's that virtual sticky note under the keyboard, if you will. No, no one will ever think to look under the keyboard to see all of the passwords that I've written.

W. Curtis Preston:

So how, how about this? Let's talk about what we, what we can learn. What, so here, the, the thing that we're sort of dancing around is this concept of least privilege, right? I'm thinking about there was a GDPR breach in Europe. I'm thinking Spain. I can't remember exactly. And it was a hospital, we've talked about it on the podcast. This was a couple years ago. It was a hospital. And when the, the breach, what the breach was, was it was an investigation. And the investigation showed that they didn't understand the concept, or they just, they just didn't care about the concept of least privilege. They gave doctor-level access to every single employee in the, in the, uh, hospital. That, that was, that was the easiest thing to do. So it didn't matter if you were the janitor or if you were a surgeon, you had access to everything, including medical records and such. The, the big thing I would say is to, to make sure, like use Okta, right. Okta isn't evil and, and it's not, I'm not picking Okta, but it's just, it's the one that's off the top of my head, use something like Okta, but then don't just give everybody access to everything, give them access to the things they need access to. Another editor's note here, because we ultimately found out after the recording that the big breach here was that there was a PowerShell script with admin credentials. The other big thing that we can learn here is don't do that, number, number one, right? Don't put admin-level credentials in a script. We had to do that 20 years ago maybe, or. You know, I, I, I don't, I don't know if that's, that shouldn't ever have to be the case. There are other ways to get credentials or to require that the script be run as an administrator. There are ways around that issue. And if. You can't get around that issue. And again, I don't, I'm not a PowerShell expert. I'm not a Windows expert by any means, but if you can't get around that issue, then make sure that any script like that is stored in a way that only people that already have admin credentials can get access to it. But again, I don't think you should have to write a script like that. The other thing I would add to that is internal pen tests, right? Why is it only the hacker that was able to scan around to see if there were scripts that, that an ordinary person is able to access that have admin credentials? Why didn't they do that? You should be doing that. So. Again, if you don't have that internal access, there are services, there are SaaS services. There are consultants, there are all sorts of people that you can hire or pay for a service to do penetration testing, both externally and internally, so that you can find out these vulnerabilities before they bite you the way that Uber got bit.

Shaun St. Hill:

So the, the thing that comes to mind for me, Curtis, if you don't

Shaun St. Hill:

have the people internally that care and, or have the skill set necessary to help

Shaun St. Hill:

put those controls in place, then please.

Shaun St. Hill:

For the love of God, reach out to a managed security service provider who

Shaun St. Hill:

is literally frothing at the mouth to be able to add you as a logo.

W. Curtis Preston:

Right.

Shaun St. Hill:

and then take that responsibility that could or

Shaun St. Hill:

should be assigned to a full-time employee, allow them to come in

Shaun St. Hill:

and take that excuse away from you.

W. Curtis Preston:

Yeah, absolutely.

W. Curtis Preston:

Cybersecurity.

W. Curtis Preston:

Has a different problem than data protection.

W. Curtis Preston:

So data, the problem with data protection backup.

W. Curtis Preston:

So nobody wants to do it right.

W. Curtis Preston:

Nobody, nobody wants to do that job that, that, you know, I've been in this

W. Curtis Preston:

business coming up on three decades.

W. Curtis Preston:

That part has never changed.

W. Curtis Preston:

Right?

W. Curtis Preston:

Cyber security, at least people wanna sign up, but there is a global skill shortage.

W. Curtis Preston:

And you may not have anyone at your company that, that

W. Curtis Preston:

knows what they're doing.

W. Curtis Preston:

Right.

W. Curtis Preston:

And so I, I wholeheartedly concur with you to, to use an MSP, to use, you

W. Curtis Preston:

know, you know, consulting companies.

W. Curtis Preston:

The episode that we published today was with Horangi, which, which

W. Curtis Preston:

automates cloud security and, um, you know, and specifically for the

W. Curtis Preston:

Asian market, but they're broadening into the, into the rest of the world.

W. Curtis Preston:

Uh, and Horangi is apparently the Korean word for tiger.

W. Curtis Preston:

So there you go.

Prasanna Malaiyandi:

Or the other thing is, if you are running in the cloud as a SaaS service or whatever else, reach out to the cloud company, because they have well-architected reviews, they have best practices. They have tools already, right, to sort of help you cover the basics to make sure you're not doing something obviously wrong, like making a public S3 bucket.

W. Curtis Preston:

Yeah. Can you think of any other big lessons from this particular, um, hack, Shaun?

Shaun St. Hill:

The other big lesson is make sure that what is done internally is, is checked. Right? So, make sure that if someone does have responsibility for a particular tool or particular part of the environment, make sure that there's someone that, that follows up, if you will. And I forget the exact saying, but what, what gets inspected? Uh, it, it slipped my mind. It's, it's the one where if you, if you wanna make sure that it's done, it has to be inspected.

W. Curtis Preston:

Right.

Shaun St. Hill:

So that, that would, that would be my thing, you know, make sure that there is some follow-through and some, you know, coming behind the person or behind, you know, the tool to make sure what is to be protected or, you know, what is to be passed has a, has in fact taken place.

W. Curtis Preston:

Right.

W. Curtis Preston:

And I will also say one lesson I would say is that, you know, we, we talk about MFA a lot and I'm a huge fan of MFA. And if you don't have, if you don't have MFA, then what? What, at this point? But it's not infallible.

Prasanna Malaiyandi:

In fact, that's what happened here again, right? Just like, yep. Just like with Okta. That's what happened. So just be careful.

W. Curtis Preston:

Yeah. I mean, I don't understand this concept of, I, I get 57 MFA requests and so I just approve it to make it stop. I don't understand that person. Like, I would be calling IT going, what the hell?

Prasanna Malaiyandi:

So what happened in the case of Uber, though, is that the person, uh, pretended to be Uber IT and pinged them on WhatsApp and said, oh, by the way, I'm Uber's IT. Please accept the MFA. Right. And so they kept doing that. If you wanted the MFA to stop. Yep. And so then eventually the person's like, okay. And then they just said, yep, good to go.

W. Curtis Preston:

Okay. I'm, I'm done talking about this. I want to go on to your second subject, Shaun. You, you, you, it's still in the same area, you in our pre-call you had talked about, um, you know, K through 12 funding and specifically funding for, uh, this kind of thing. Why don't you, why don't you talk about that?

Shaun St. Hill:

Sure.

Shaun St. Hill:

Mid-September of 2022, LA Unified School District had a massive security incident. LA Unified School District is the second largest school district in the nation. And so along with the security incident came a request from some high-ranking government officials in California, along with the leadership from the school, asking the FCC to immediately consider allowing E-Rate to be used, E-Rate funds. So just for a quick, yeah. So for, uh, for those that may not be familiar, E-Rate is a government program where each year school districts across the country can basically petition the government for services like internet, access points. So things that will help from a technology standpoint within the district. And so interestingly enough, cybersecurity is not one of those technology services that they can get government funding for. And so they're asking the government to issue some sort of waiver that would allow for that to take place immediately. And as I was mentioning before we talked, or before we started the podcast, the CARES Act, and then the follow-up, which was the American Rescue Plan, allocated billions of dollars to school districts for them to use, to spend on technology. And one of those technology expenditures could be in the area of cybersecurity. So what I was saying is not that school districts don't deserve or need the money from E-Rate, but I would first ask, what have you done with the funding from CARES and from ARP to upgrade your cybersecurity?

Prasanna Malaiyandi:

And I wonder, actually, if they were even thinking about cybersecurity when they were looking at that funding that came in, right? Maybe they were like, hey, we need more laptops. We need to worry about remote education. We need to put all this other equipment in place. Maybe cybersecurity didn't even, like, come to mind.

Shaun St. Hill:

And, and Prasanna, I think that is a wonderful, that's, that is a, that is a reasonable assumption. However, if you dig into K-12 and the number of security incidents, it's

Prasanna Malaiyandi:

It's on the rise.

Shaun St. Hill:

It's, it's, it is, it is very much on the rise. And so, me being the cybersecurity and data nerd that I am, there are websites and different tools available to show that this has been a thing before the pandemic. And so, again, your, your, your question or your, your concern is very reasonable. We, we needed to get laptops and people out in the community to help distribute that. We had to, you know, make sure that our teachers had what they needed. And so yes, there were very legitimate, immediate concerns that needed to be addressed.

Prasanna Malaiyandi:

No one focused on this at all.

Shaun St. Hill:

This, this, this is such a critical thing that if, if this was 2008 or 2009, we could give you a pass

Prasanna Malaiyandi:

Yeah.

Shaun St. Hill:

and say, you know what? There's so much to this. It's, you know, not only do we not have the employee or the staff, we don't have the budget there again, 14, 15 years ago. Totally get.

Prasanna Malaiyandi:

Times have changed.

Shaun St. Hill:

Times, times have changed, so much so that these school districts are partnered with other providers. So think of Illuminate, is, is a big one that was in the news recently, where these companies provide software to the school districts and every parent, every child in the school district, every administrator, every teacher uses this software to help with a particular function, you know, um, within the school. And so it's, it's, it's not as though you aren't aware that these things are happening. Again, the, the very reasonable question that you asked. Well, we have all these other priorities. Yes. But you also have this awareness that you need to take care of.

W. Curtis Preston:

Right.

Shaun St. Hill:

Your, your kids and their parents and your staff.

Prasanna Malaiyandi:

One of the things is, I, if you think about the disruption that could happen at schools, right? It's not just, I think LA Unified, right. They had a ransomware attack, right, that kind of took down their infrastructure. Right. And that's disruptive because just imagine, I, I can't remember the exact number. Right. But hundreds and thousands of kids no longer in school because they can't go, they can't get attendance. They can't check in. If they're doing remote learning, they can no longer access things. Right. That's so disruptive. The other side, though, is I know a lot of time when we talk about ransomware, we also talk about exfiltration of data. Right now, kids' data, right? Imagine that you now have access to kids' records, you're stealing their social security numbers, or other pieces of information. Right? These are kids who don't have credit. Imagine now starting using that for identity theft and other purposes. It's a lot of sensitive, sensitive data that could potentially be exposed that you may not find out about, find out until the kid turns 18. Right?

Shaun St. Hill:

Prasanna, there are 10-year-olds right now who have Maseratis and Porsches in their name. They have homes in Hawaii, Connecticut that are in their name and they won't know it until many years hence, and it's because of what we're talking about now, the, the, the need to take cybersecurity seriously is, is way overdue.

W. Curtis Preston:

A thought did occur to me and I do wonder about at what point. So like I locked down my, my, um, credit reports, right? So, uh, so at least minimizing this risk personally, uh, on my side. And I'm wondering at what age would, could, should you do that with a minor, right. Like,

Prasanna Malaiyandi:

When you're still in the hospital.

W. Curtis Preston:

Well, like, when can you, ca-, you know, can you, can you do this? Like, as soon as they have a social security number, I would think you would be able to do it, right?

Shaun St. Hill:

You can. So it's, it would be, it would be incumbent on the parent to do that,

W. Curtis Preston:

Yeah.

Shaun St. Hill:

to go ahead and lock

W. Curtis Preston:

Gonna talk, I'm gonna talk to my kids. I'm gonna keep my, keep my granddaughter from owning a Mo home in, well, maybe I'll let her have that home in Hawaii.

Prasanna Malaiyandi:

I think the challenge, though, is like, we're talking about it now and you're, you were aware of credit freezes, right, Curtis? But there are a lot of parents who aren't even aware of a lot of the tech or, possib-, process and possibilities that they might be able to leverage, like credit or freezing the credit of their child. Right. And so what do you do for those parents? Right? How do you inform them or let them be aware that, hey, there are these other options that you should be thinking about to protect your kids?

W. Curtis Preston:

Well, I can only help the lucky few that are smart enough to listen to this podcast. So go do that, right. I, I think, and I've never, I never thought about it myself. I am well aware of the concept of freezes, but I never thought of freezing my granddaughter's credit. She doesn't need, you know, an open credit report right now. Um, what, you know, what's really weird, you know, it's a bit of a non sequitur, but what's really weird is there are, like, if you Google "should I" or "how could," "how do I freeze your credit?", you will find, um, blogs that tell you that don't do it because it's, uh, it makes getting credit cards inconvenient and such. And I will agree. It absolutely did, when we got our first new car in a long time, uh, but you know what else is inconvenient?

Prasanna Malaiyandi:

Having your identity stolen?

W. Curtis Preston:

Having your identity stolen. Um, yeah, it's just, you know, it's, it's like security, security is never convenient. Right. Um, you know, having to unlock my front door when I come to the house, not convenient. Right. But it minimizes the number of yahoos running through my house. Um, Shaun, we're about to wrap this up. Uh, any, any final thoughts regarding the school system?

Shaun St. Hill:

There are a number of things that I'd yet say about security and the, the school districts. The one that I will put out there is, again, the, the amount of funding that is available through the sources that we mentioned, you know, CARES and the American Rescue Plan. But beyond that, there are local and state grants available for technology upgrades that include cybersecurity. What am I saying? There really isn't an excuse, right? Until you have turned over every stone and exhausted every possibility, you don't have an excuse. There is no reason that your school district should be easy pickings for someone to come through and get tens of thousands of, you know, student records and parent records. There's, there's just no reason for it.

W. Curtis Preston:

Yeah, that sounds about right. I would suggest anybody that, you know, wherever you live, reach out to your school district, find out what they're doing.

Prasanna Malaiyandi:

Ask how they're securing your data.

W. Curtis Preston:

Maybe they're completely clueless, right? Maybe you should volunteer. I don't know. I don't know what the answer is there, but it starts with, this is a represent-, our podcast is listened to in more places than there are representative governments. But if you have a representative government, you gotta represent.

Shaun St. Hill:

Exactly.

W. Curtis Preston:

Yeah. Yeah. All right. Well, uh, thanks, Shaun, for, for coming on. It's been great.

Shaun St. Hill:

Prasanna, Curtis, thanks for your time. Appreciate being on. You guys are doing a great job.

W. Curtis Preston:

And, uh, Prasanna, thanks for not giving any care about my post-vacation depression.

Prasanna Malaiyandi:

That, that's the least I can do, Curtis. You know, it was nice talking to you too, Shaun.

W. Curtis Preston:

And thank you to our listeners.

W. Curtis Preston:

Remember to subscribe so that you can restore it all