0:00:04 You're listening to the Shared Security Show, exploring the trust you put in people and technology with your hosts, Tom Eston, Scott Wright and Kevin Johnson. Welcome to episode two hundred and sixty five of the Shared Security Show. And joining me this week is cohost Scott Wright from the great country of Canada, who has jointly worked with the United States to shoot down UFOs which are protecting us from the alien and Chinese spy balloon threat. There you go. Happy to be part of that whole conspiracy. Thank God for Canada. That's all I gotta say. Yeah. Yeah.

0:00:56 We got some questions here though, you know. We all have a few questions, Scott. I mean, if they're not UFOs, like, of the alien or extraterrestrial type, how come the US government isn't being forthright about that? Because they're not saying they're balloons. Yeah. That's already been confirmed.

0:01:18 If they're not balloons, then what are they? Well, my theory on it is that, you know, the intelligence community never likes to get caught off guard. And so, I mean, if some foreign state -- Okay. -- comes up with some new technology and it becomes sort of publicly visible, you don't wanna say, wow, we don't know what that is. Or we don't wanna say we think it's China doing this stuff, with a proper attribution. So what's interesting though is the government did, in the US here, they did come forward, that was last year. And remember they released those videos from the fighter pilots and, like, the TikTok and these other things that they're, like, going to the public and saying, we don't know what these are. So I find it interesting, but yet they haven't released the video of these objects that they shot out of the sky -- Yeah. -- recently. But there's no reporting that they were moving at, you know, supersonic speeds or, you know, doing weird things. Right? Just they couldn't identify how they were being... the propulsion system, apparently. So Okay.
Well, you heard it here first, folks. We're gonna keep everyone updated on this breaking situation. We need a flash banner or, you know, a flash thing like CNN used to have. Breaking news. That's right. That's right. Every story was breaking news.

0:02:40 There isn't much of a cybersecurity angle to that, at least not yet, but -- Yeah. I mean, my first thought on it was there's a book, I can't remember who the author was, a novel I read not too long ago called One Second After. And it's all based on the theory of electromagnetic pulse, EMP, attacks, right, where they explode a nuclear device high in the atmosphere and it basically knocks out all solid state electronics. And in the novel, it's kind of funny because everything dies except for some old Volkswagen Beetles and an old warplane that was, you know, in for your shows, you know, kinda makes sense. Of course. Of course. Well, we don't have Kevin today. So Kevin is on an airplane, and I, you know, I'm giving him some crap because, you know, airplanes have WiFi these days. So there's really no excuse. Why couldn't you do your podcast from... Why not? 39A. You know? Exactly. Exactly. No. Kevin must be in first class. Because, you know, he's a classy guy. But Yeah. I forgot that. Yeah. That's right. We will have him again next week, but in the meantime, we do have some stories this week to talk about.

0:03:52 And first, Reddit, the big social network, suffered a pretty big security breach that got a lot of attention. So they were actually a victim of a phishing attack that was targeting their employees, which resulted in this attacker gaining access to internal documents, code, and some other types of business systems. What's interesting is that a single employee's credentials were compromised, but then the affected employee actually self reported that they were a victim of this. Yeah. So and, of course, we will link the article.
And, of course, the Reddit post about this, but they essentially used a fake page to steal credentials and the two factor authentication codes, very similar playbook like we normally see with these attacks. But to me, the thing that stands out is that the employee actually reported this. Is there anything... I mean? Yeah. I mean, you're never gonna be able to prevent a hundred percent -- No. -- employees doing the wrong thing.

0:04:59 And it's not that employees... we got in this debate on LinkedIn on a post, you know, that I did saying, you know, employees are not the weakest link. I mean, you may think of them that way, and it's easy to think of them that way. But it's really a matter of, you know, they are the biggest target, and they're the most flexible and powerful, you know, communication or computing device that we have. And they can be tricked. And so any layer of security can be bypassed at some point.

0:05:24 And so when they said in their article that, you know, well, we all know humans are the weakest link, it kinda set off a bunch of people. Yeah. I don't like that. I don't like the way that we, or some people in the community, still do that. They blame the users and -- Yeah. -- I think that mentality is dated. You need to blame somebody? You gotta blame management because they haven't trained people, they haven't layered security. It's funny. The post that I put out was basically saying if humans are your weakest link, then you don't have layered security. Yeah. That's true.

0:05:58 The other point I wanna make too about the Reddit breach in particular that I was impressed with is I really liked how they were very forthcoming about what happened. They had a post. They did an AMA on Reddit where you could talk to, I'm not sure if it was their security team or somebody, but they were very open and transparent about what happened and what they're going to do in the future to improve their security.
So in my eyes, this is definitely a great example of how to handle a security breach like this. Yeah. For sure. And, you know, we used to see things like that from LastPass. Unfortunately, they don't anymore. Oh, well, yeah, man. We've talked in depth about LastPass. We need to go back there yet? We're not going back there, and that's great.

0:06:47 Employee awareness of cybersecurity threats is critical to your organization. But most employees are bored by traditional security awareness training. The vast majority of employees are much more engaged when training is gamified. Click Armor is the first fully gamified security awareness platform that reduces employee vulnerability by sixty percent. These days, we can't avoid cyber threats. They're everywhere and everyone is a target. Employees really need to get better at avoiding cyber threats, like phishing and social engineering. Most security awareness training solutions aren't effective enough to really change behavior.

0:07:27 Click Armor uses a very different approach that employees love. We use proven gamification techniques with psychological drivers that keep employees motivated to learn and improve their skills. Rather than using controversial live phishing tests that anger many employees and provide unreliable metrics, Click Armor's unique learning challenges help employees learn about cybersecurity in a fun, stress free way that builds up their confidence. And our engaging simulated threat scenarios motivate employees to improve their skills in a safe and fun environment. Gamified simulators can also extend far beyond phishing scenarios to practice facing dangerous social engineering scams. Our weekly three minute challenges provide continuous reinforcement for employees. Motivating employees to participate willingly means higher assurance reporting for compliance and risk management.
Simple integration with your employee directory means that deployment of Click Armor is a snap, and single sign on makes usage and ongoing management of Click Armor easy. Click Armor has been proven to provide better employee engagement, making IT managers' lives easier. If you're tired of ineffective awareness training that hurts your corporate culture, find out how to gamify your security awareness training experience to prove employee resilience with Click Armor.

0:08:54 So our second story, I thought it was a really interesting article about how to make sure you're not accidentally sharing your location when you're using different apps or when you're even using your web browser, you know, even on your desktop. Right? Yep. And it was a good article, which we'll link in the show notes, that gets into specifically around Google account settings, because that seems to be one of the biggest offenders -- Yeah. -- that we see out there.

0:09:21 Because Google tracks so much information about you in addition to your location history, and they have a really good guide of walking you through that. I was just gonna say there's an implied consent issue. Right? I mean, when you start to use Google stuff, you have to kinda check a checkbox that sort of allows them to do whatever, you know, they're gonna do a lot of the time or, you know, at some point, it's in the fine print. But that's something, it shouldn't be, but it's on the user to understand what they need to do. Yes. That's exactly right. So And I was gonna mention I did a solo show at the beginning of the year on this exact same topic with some new ways that can be used to prevent sharing your location and your private data. So we'll again link that video in the show notes for you, and that podcast.

0:10:11 But definitely a big issue and something that everyone needs to be aware of. You just don't wanna hand out your location like candy.
Unless that is something that you, in fact, want to do for maybe a -- Yeah. -- personal reason or you got a business or something like that. Or I mean, there's lots of legitimate reasons. And, of course, but it's one more guide you're gonna have to keep up to date, Tom. Oh, that's my guide. I will just keep linking the video that I made until Google changes everything -- Yeah.

0:10:44 -- similar to how Facebook did. Right? Back in the day, like, every couple months, they would change, oh, we're moving the privacy settings around. Well, I'm referring to Tom's guide to Facebook privacy settings. Right? You used to have a very elaborate, complete list of every setting that you could change, but then you had to update it every three months. I did. It just got too much work to keep up with Facebook. So and there's so many other guides out there nowadays, but I think I was proud to be one of the first -- It was the first.

0:11:16 -- I don't know if I was the first. It was -- Yeah. -- spylogic dot net. That's right. My blog that I haven't updated in, wow, ten plus years or more. I don't know. If you would like a bit of history, you can go to my blog, spylogic dot net. Go back in time. Yes. Go back in time.

0:11:36 So our last story, this one I just find funny but not funny all at the same time. So a developer has pleaded guilty to hacking his own company after pretending to investigate himself. It's fascinating. So a former Ubiquiti, so that is a company, they make WiFi routers, you know, and typically enterprise level type stuff. This gentleman named Nicholas Sharp, he's pleaded guilty to multiple felony charges as he was trying to extort almost two million dollars worth of cryptocurrency from the company. Yay. So the guy was a senior developer who used his access to the network to orchestrate a security breach back in December twenty twenty.
Stole data, then posed as some anonymous hacker from the outside and attempted to extort the company for fifty Bitcoin, which translated to about two million dollars. The company did not pay this money, so he leaked some private data that he found, you know, company data, to the public. Mhmm. He was caught by the FBI for doing this, and now he faces thirty five years in prison. Yep. Doesn't pay. Crime doesn't pay. Crime doesn't pay yet. No. And if only they could use their skills for good instead of evil. Greenfield. Yeah. Just like any hacker that goes to jail for committing a crime, I agree with you.

0:13:12 This story in particular highlights kind of that insider threat that we've talked about on the show. It's more rare to have something of this significance. Yeah. That's quite elaborate. I mean, he must have thought it was foolproof, obviously. Right? And of course, a lot of trouble to hide his tracks, but, you know, you don't know what, you know, forensic or surveillance technology might be used against you that could, you know, expose what you're doing. So Yeah. Maybe a hundred percent sure. Right. I mean, you know, I always look at insider threats these days, like in a typical example.

0:13:51 A lot of them are not always malicious. Like, we have talked about, like, accidental mistakes. Like, mistakes that people make, you know, not intentionally, but they end up taking a system down or causing an outage or accidentally exposing information to the public -- Yeah. -- misconfiguring a system. That's not malicious, but that is still considered an insider threat. Yeah.

0:14:15 The issue I have is that everybody has a different definition of what an insider threat is. And some include the accidentals, and some of them don't.
And some of them may or may not even consider the fact that an insider may be under stress or extortion or have other, you know, mental issues or addictions and things like that that are just making it hard for them to do the right thing. So, I mean, you have to consider, I think, all potential threat agents that are coming from somebody with access to be an insider threat. Great point. Great point.

0:14:47 Well, that's it. That's all the stories we have. We whipped through those pretty quick. We were very concise. Very concise. This is what happens when Kevin's not in the show. Yeah. Well, also, I'm recovering from COVID. So -- Yep. -- didn't have the energy to come up with a good wear much segment. And, you know, we like to save those for when Kevin will fall off his chair each time Tom says it. So Yeah.

0:15:10 Well, first of all, we all hope that you recover quickly from COVID. I think I'm getting there. So Hope you feel better. Thank you. You're welcome. You're welcome. And, you know, like I said, there had been no tangents that Kevin would normally do on this show. Yeah. So that's why this episode may be a little bit shorter than a normal episode, but had a lot of fun though, you know, just diving into the news, and I think it was good. So Yeah. Awesome. Well, we will let everyone go, but thanks again, Scott, as always. Thank you, Tom, as always.

0:15:43 And thank all of you for listening and supporting the podcast. It's much appreciated. If you have not subscribed to us on your favorite preferred podcast app of choice, we would much appreciate that subscription, just so that way you're notified of episodes as they are released. And we would also appreciate subscribing on our YouTube channel. We are closing in on a thousand subscribers. So that is our next milestone. So we would greatly appreciate a like and subscribe on -- Yeah. -- the YouTube.
But till next time, we will talk to you all again next week. Thanks for listening. If you enjoyed this episode and you'd like to help support the podcast, please share it with others, subscribe on your favorite podcast listening app, or leave us a rating and review. To catch all the latest from the show, visit our website sharedsecurity dot net for show notes and previous episodes, follow us on Twitter at shared sec, and join our Reddit community on the Shared Security Show subreddit. Thanks again, and we'll see you next week for another episode of the Shared Security Show.