Episode Transcript
Hey, say, you know, my doctor told me I need to get more exercise.
As if right's I didn't never?
Yeah, so I started running.
And your running is good for you, but it can be dangerous.
For example, today somebody threw a jar of mayonnaise at me.
I mean, what the hell?
Man?
Speaker 2: Oh my god, I prefer Heinz.
Speaker 3: Of course, of course you do.
Speaker 1: All right, so we're going to open with kind of a funny one here.
The password for the Louvre's video surveillance system was Louvre.
Speaker 2: Well, at least it wasn't a foreign language.
Speaker 3: All right.
You need a special keyboard for that one.
Speaker 1: Oh man.
There's not much more to say about that.
It's just no, that was bad.
Speaker 2: This is things not to do, what not to do.
Speaker 3: Although I will tell you, it's common.
We can laugh at it, but it's common.
We have done countless pen tests, and I can't tell you how many times we find, like, domain administrative passwords being the name of the place that we're testing, the mascot's colors, yeah, the street that they're on, or, you know, the number of the street address.
So if they're like.
Speaker 2: Mr. Robot was right. Remember that episode from Mr. Robot?
Speaker 1: I thought you were right.
That's the title of.
Speaker 2: Mr. Robot.
Speaker 1: We met Mr. Robot, or Mr. Roboto?
Which one are you talking about?
Speaker 2: Talking about the TV show Mr. Robot.
Speaker 3: Not the song from the eighties, but the nineties.
Speaker 1: All right, so, you know, every time I talk to somebody about, don't you have a password manager?
They say something like, oh, I'm not that sophisticated.
I'm like, yeah, well, you're gonna be poor.
Yeah, you're gonna lose everything if you don't have a password manager.
Speaker 3: Could literally lose the crown jewels.
Speaker 2: Well, the problem is the poor man's password manager is the password stored in the browser.
And unfortunately that's kind of serving them up on a plate, because all you have to do is click on the wrong thing and the bad guys get all your passwords.
Speaker 1: You could do, I know, it's a shocker and crazy.
How about a pad and a...
Speaker 3: Pencil. Yeah, honestly, I agree with that.
If you're not and killer bees and dogs, just write the beams yep.
Speaker 1: Used to do that, right, Patrick? He used to carry a pad and a pencil.
I did, yeah, yeah, until you found, you know, first pass or whatever it is.
Speaker 2: Well, I had my password...
I had a strategy with passwords where there were three levels.
And I still play this game to some extent, which is there's the passwords I really don't care about, like there's sites that don't have any information that isn't public, that don't have a password.
Speaker 1: Yeah, your Starbucks points don't have a credit card.
Speaker 2: Yeah, MapQuest was a great one. Like I care if you knew where I was going, because I typically announced it in my schedule.
Speaker 3: I'm sorry, did you just say MapQuest?
Is that what I just heard? Long ago, long ago, when I was searching on AltaVista.
Speaker 2: But no, no. Back in those days, I mean, I had a lot of passwords, so I'd have a password that was low stress, and you probably find those out on the dark web all the time.
I get notified all the time, Hey, you've got a password out there.
I'm like, yeah, there was a password I didn't care about.
So that's the low password, and I don't mind using those repeatedly, okay, because there's no risk there.
Then there's the medium security, where you use a password, you know, for each one, and then the higher security are where I remember those passwords, but they're really long and hard, so they're like a good password with a phone number attached that isn't attached to me in any way, or zip codes added in the middle, things that are much, much...
Speaker 3: More... an ex-girlfriend's phone number.
Is that what it is?
Speaker 2: I will not confirm or deny, but the thing is, that's very useful, because they're not associated with you, and unless they get found in a breach, they're not going to be associated with you.
But now we're beyond that.
That system is only workable if you're a Luddite of sorts, which is... you need a password manager.
You need to avoid putting sensitive passwords in the browser.
Now you can play the same game a little bit.
You can have one password you use for things you don't care about, and it can be a stupid password like Dragon's Gate or something, you know, some game or something like that.
Speaker 1: It can be easy.
Speaker 2: Then the next level is the passwords you allow your browser to save.
Speaker 1: Dragon's Gate, mark that down.
Speaker 3: That's in the word list.
Speaker 2: No guarantee that is no password I've never used.
Okay, so now then, the browser, you can let that save passwords that are not that important, no credit cards associated with them.
You wouldn't want anybody logging in normally, but they're a little bit higher security.
And then the password manager maybe for everything else.
But I even have some passwords I won't put in the password manager for like bank accounts and things like that.
I know those passwords, they're solid, they're not reused anywhere else, and I don't write them down anywhere.
I might put a hint in the password manager, but the password will never be recorded anywhere else.
Speaker 1: Okay, and I'm paranoid.
Yeah, I was going to say, I mean, if you have a very good master password, which is usually a phrase, for your password manager, then, like I do, I trust it?
Yeah, you know, because I can always change that and then change all the passwords if they were breached.
Speaker 2: But it's not a bad idea to change the passwords on a rolling basis.
Yeah, so like if every week you change one password, right, just one, just pick a password and say, you know what, this one's been around for a while, and change it, maybe even put the date in so you can know how old your oldest passwords are.
That helps that.
That's good, but the problem is it's inconvenient.
Speaker 3: Yeah, and I don't know, like, I do really like using the password managers.
Yeah, you know, the browser password manager is better than no password manager and using the same password over and over.
There's a little bit of a barrier to entry there, and, you know, Google and Microsoft are constantly trying to make it more and more secure.
So, but yeah, I would go with that.
Speaker 2: We're still waiting for passkeys to hit their stride.
But the problem is, right now everybody's doing them differently.
There's no standardization yet.
Speaker 1: Yeah.
Speaker 3: I mean, I've started switching over as many logins as I can to passkeys.
Yeah, and you're right.
Eventually everything will go either passkeys or passwordless authentication back to my device types.
And my big question for every implementation is, okay, what happens if my device dies?
Speaker 2: Do I get back?
And now, when they integrate with the password manager, that's the best thing, because then the password manager keeps the key and it's not tied to the device.
But if you change phones, you change tablets, in some cases, if you're naive about it, the passkey goes away.
Speaker 1: Yeah, all right. I just want them all to use Microsoft Authenticator, because that's the first one that I started using.
And it's easy, you know, and it's required for all the Azure stuff in Microsoft.
Speaker 2: And it's resistant to someone just sending you a bunch of requests.
Speaker 1: Yeah.
Speaker 2: So we've talked about stories in the past where somebody just keeps getting a thousand requests to validate and they just hit allow, out of... by accident or out of.
Speaker 3: Exhaustion, sheer exhaustion.
Speaker 2: You can't do that with that.
It gives you a number, and if you don't know the number, you can't type it in, right? So it foils that type of attack.
And so that's a really good example.
Speaker 1: Yep, all right, we've moved on now that we've had a laugh at the Louvre's expense.
This story is: New attack chains Ghost SPNs and Kerberos reflection to elevate SMB privileges.
And there's some alphabet soup right there.
Speaker 3: Oh yeah, yeah, SPN, service principal name.
So okay, let's say you have a SQL server on the network, and you have an enterprise Active Directory domain that you're running that SQL server's account in.
There should be an account that's running the SQL service that has rights of some sort, right, and generally that's elevated rights to the SQL server.
So you can publish that account as a service principal name so that it can get its tickets and all that other good stuff from Kerberos without having to do all sorts of weird usernames and passwords and tokens and all sorts of other weird stuff.
So you get to follow the sort of ticket-granting ticket and service ticket and all the other sort of Kerberos-y things, or, I'm sorry, Kerberoast thing, roast.
We'll talk about Kerberoast in a second.
Speaker 1: I like Kerberos-y.
Speaker 3: Like that, yeah, Kerberosti, maybe because I'm hungry.
So it's funny, because I've been...
Speaker 1: Running all afternoon here.
Speaker 3: I know, Kerberoasty sounds deliferent.
Speaker 1: I like to happen.
Speaker 3: So Kerberoasting is actually a way of requesting the ticket for the service principal names, and then you can take them offline and crack them.
That's not what they're talking about here, but that is an attack on Kerberos.
So I always call it Kerberoasting.
But it's okay, it's actually the authentication mechanism. Yeah, absolutely. But with this particular one, we've talked about Windows authentication and NTLM, the NT LAN Manager authentication, where if I can coerce a server into reaching out to me, I might be able to relay those credentials over to another server.
So server A reaches out to attacker me, because I coerced it into doing so, and it reaches out with an account.
I then relay those to server B, and server B doesn't know that it's not coming directly from server A, right? And a lot of that is: turn on SMB signing, shut it down, that sort of stuff.
There's a and in that.
Around 2014 to 2016, you got Tim Medin and a whole bunch of people working with him on: well, we can do this with NTLM, can we do this with Kerberos?
Can we relay tickets?
And they found ways to do those types of things where you could actually do Kerberos relaying, and a lot of that was shut down, especially if there's not a service principal name that you can manipulate.
In this particular attack, what attackers or researchers have found now is you can actually take a defunct SPN.
Speaker 1: Right.
Speaker 3: So let's say we had a SQL server on the network five years ago, and we've now decommissioned that server.
Nobody goes into Active Directory and typically removes the service principal name.
So there's an SPN for a server pointing at a server that doesn't exist.
Oh okay, so now you say to yourself, well, how can I then pretend to be that server?
Speaker 1: Right?
Because I mean, if you try to make a request, wouldn't it say that's a bad request that server doesn't exist or something.
Speaker 2: I mean exactly, you would think. Still does this request?
Speaker 1: Well?
Speaker 2: Yeah, now it still exists in Active Directory, though.
Speaker 3: Yeah, so the service principal name exists in Active Directory, but the computer doesn't.
Now, a little lesser-known fact, and one of the things that allows this attack to happen, is low-priv users on a Windows Active Directory network can make registrations in DNS.
Speaker 1: You know what, I think my cousin Bob qualifies as a low, you know.
And I just want to say that it's been at least three minutes since I made a joke, and I'm doing that on purpose, because my drummer Tom, who listens to the show, says sometimes you guys get a little silly.
Speaker 3: A little bit.
What that's crazy from a drummer.
Speaker 1: So that last three minutes was for you, Tom.
Speaker 3: There you go.
It was just straight just straight talking.
Speaker 1: All right.
So a low privilege, you said? Yeah, a low-privilege user.
Speaker 3: So imagine I have my computer and I rename my computer, in essence, to the same name as the SQL server that's not there anymore.
When my computer comes online and I log into it, it's going to register with Active Directory, and it's going to register with DNS as that name.
Now, when I go to coerce a particular server, when it reaches out to the service principal name, it's actually going to talk to me now, because it thinks I'm the server that doesn't exist anymore, and then I can relay it.
So this is a new spin on Kerberos relaying.
Moral of the story here, there's always... authentication is a difficult thing to manage.
We have been chasing our tails, whether it's NTLM authentication, pass the hash, redirecting with NTLM, relay, relaying Kerberos; we've been doing this since, you know, 1999.
It's been a long, long time that we've attacked these.
Speaker 1: Would you say the older technologies, Dwayne, are a little more at risk because they've been around for so long and because they may tend to get neglected, whereas if you're using something more modern, you know, some OIDC stuff, for example, that maybe it'd be a little bit safer because people are watching it?
Speaker 3: Well, that's a good question, and I'll say I don't know, because what I at least have seen is, give it time and we'll find that whatever we're using today is probably as exploitable as, you know.
Because we thought NTLM was awesome back in the day, right, and then we found out there's so many holes it's insane.
And then we were like, well, let's switch over to Kerberos.
And Kerberos was awesome, right? And now we're looking at Kerberos going, well, I can relay, and I can do this, and I can crack the ticket offline and I can do whatever.
And now, you know, so as we see these switches, I think we'll find periods of time where we think they're just the best of the best.
Speaker 2: We used to love fire, and then we'll find exploits, and then electricity came along.
Thank you for that perspective, Patrick. Well, actually, I think we should call this the Prince attack, because it's the server formerly known as Prince.
Speaker 3: Oh my god, oh my god.
Speaker 1: So before language, we used to just go ooh.
Speaker 2: Them.
Speaker 1: Then language came along and we were screwed.
Speaker 3: So, moral of this story, you should make sure you go patch.
This was patched by Microsoft in October.
However, there are other mitigations you need to put in place as well, and always auditing to make sure nobody's doing weird things like registering servers in DNS.
Speaker 2: AD itself is getting to be passé and a liability.
I'm seeing more and more security-conscious organizations getting away from single sign-on, going more to zero trust.
It's, I hate... you know, it's my catchphrase, and I'm starting to get sick of it myself.
But it's too convenient.
There's too much convenience in the single sign-on paradigm, and the hackers are using it.
Speaker 1: I just wired that up for one of my customers whose customer required it.
Single sign-on, and, you know, okay, yes, but I did warn them against the sort of convenience-versus-security thing.
They don't really... you know, it's their customer's call, not theirs.
Speaker 2: But we've gotten to the point where, like, Exchange on premise is just not tenable, period.
It's just, no human being can keep a secure Exchange server on premise.
I don't know when we're going to get to the point where Active Directory is the same.
Speaker 1: When you and Richard Campbell got rid of your home Exchange servers, I knew it was.
Speaker 2: On as long as I physically could, and then it was like, not, it's.
Speaker 3: Just... and I fought you so hard.
I was like, we got to move it.
We got to move it or organized isolated.
Speaker 2: Listen, eventually... listen, eventually really takes about eighteen months.
Speaker 3: All right.
Speaker 1: So that was a "go patch."
But thanks for the education there, Dwayne. Yeah, glad to do it.
All right.
So this one's from Cybersecurity News: New EDR-Redir V2 blinds Windows Defender on Windows 11 with fake Program Files.
Speaker 2: So this is kind of like the vulnerability we talked about down in Florida, Dwayne, but it was a Linux vulnerability where they created their own version of the directory structure to fake things out.
Speaker 3: Yeah.
Absolutely, I mean, that's... and I think we had talked about it on the show as well.
Yeah, you're absolutely right.
Oh, you meant down in Florida on the show.
Yes, yeah, so yeah, absolutely, it's very similar.
It's an interesting thing.
They're manipulating a bind filesystem call to say, oh, by the way, anything that's going to C:\ProgramData...
Right, and for those of you who haven't sort of examined the Windows filesystem, this is where all of your programs... they used to be in Program Files or Program Files (x86).
You have your programs and that sort of stuff.
But the problem there is they wanted to make that area read-only, read-and-execute only, not be able to write in those particular directories.
Well, the only way to do that is to have transient data put somewhere else, and that's where ProgramData came from.
They said, listen, Program Files, so that we don't get viruses and that sort of stuff, we're going to keep that where you need administrative privileges to write there.
But as a normal user, in user-land space, right, you can write to C:\ProgramData.
Well, unfortunately, because Windows Defender updates its, you know, AV understanding and virus definitions and that sort of stuff, it needs to write somewhere, so it writes to ProgramData\Microsoft\Windows Defender.
So what this attack is doing is it's binding all the directories under ProgramData\Microsoft to a temp directory.
And then when you go to load up, you know, with Defender loaded, if you right-click on a file and click scan for viruses, it doesn't find any viruses, because it can't load its own definitions.
So that's one.
That's one sort of side effect.
The other side effect is now the EDR, Defender, is actually looking for all of its DLLs, its dynamically linked libraries, in a directory that's controlled by the attacker.
Speaker 1: That's not good.
Speaker 3: So that means I can take a DLL it's looking for, create one that's named the same thing, and put it in this temp directory, and when Microsoft's EDR goes to run, when Defender goes to run, it will load my DLL and run it with the privileges of the EDR.
That's even worse, right? So at that point, yeah, at that point you're kind of in trouble.
Yeah, absolutely. So it is definitely an interesting attack.
I think you'll see this more often.
Speaker 1: So what's the score on this one?
Speaker 3: So for me, this is more of a privilege escalation, and you have to have the ability to run something on the computer.
So the user has to have done something absolutely wrong, right, downloaded an ISO file that, you know, Best Buy sent them, quote unquote, that was a bill, and then they extracted it and ran it and did a whole bunch of stuff, right?
Speaker 1: So human error must have been involved at some point.
Speaker 3: Absolutely.
The only other way I see this being executed is if I were to compromise a server, I could then put a tool like this on it and rebind all of the directories so that I could continue to compromise that server.
But for the most part, I would say getting hit with this would be hard.
But the privilege escalation is super simple.
It's nothing complicated, and it's not generally anything that's going to trigger on a normal antivirus.
They're not going to see rebinding directories.
Okay, so be careful.
But it really comes back to the basics of blocking and tackling in cybersecurity.
Speaker 1: Right, very good. All right, and what have we got? One more, and then we'll take a break.
So this is: OAuth device code phishing, Azure versus Google compared.
Sounds interesting?
What is this all about?
Speaker 3: I love device token phishing.
This is actually a fun tactic, and that's one of the reasons we put this in here.
This is not a new sort of tactic, but we wanted to sort of remind people that this is still a thing.
There was an attack framework called TokenTactics that came out a while ago, maybe a year, year and a half.
So you ever, you're viewing Netflix or you're, you know, trying to pull up YouTube on a TV.
Obviously you don't have a keyboard, right? So it pops up that six-character code thing on the TV and says, can you just go to your browser and go to Netflix dot com slash, you know, device or whatever it is.
You log in on your browser, whether it's your phone or whether it's a computer, and you type that code in, you click okay, and now that TV has access to your Netflix account.
Speaker 1: Right.
Speaker 3: That can happen with Microsoft Windows or Microsoft Office 365, and it can happen with Google.
Sure. So, okay, I can have a printer at my organization that prints and can send emails to other users.
It obviously needs to log in to send emails.
Speaker 1: Did you say the printer can send emails to other users?
Speaker 3: Yeah, yeah, absolutely, like most of the multifunction devices.
If I'm going to do it, let's say I'm going to scan a contract, right? Well, that scan has to go somewhere.
Most people aren't plugging in a USB stick to get it on a PDF except in my house.
Yeah, thanks for your house.
So you would select, you know, the email address.
I would say, oh, email it to me, right, and it would email it to me as a PDF.
Well, for it to do that, it needs access to Active Directory as a user account, and it can't use multi-factor authentication, because you can't.
Speaker 1: That scares the hell out of me.
I would never do that.
Speaker 3: You can't put a token in there, right?
So what you do is you hit on the printer, you go to log in, and the printer displays a code, and you go to the website and you type that code.
You log in as you or as that account, you type the code in.
Click okay, and now the printer is authenticated for however long it needs to be authenticated to send things, and that's usually months, right?
Refresh tokens are every ninety days.
So what's really neat about that is then I can phish you.
I can send you an email that looks exactly like Microsoft, like a Microsoft email... need his code for a really bad and when... and it says, yeah, I know, right, it would say, yeah.
I would say something along the lines of, like, oh, you know, your Microsoft account, you need to click this to approve whatever.
Or I can even say, you know, hey, uh, there's... you need to log into Microsoft.
Click this link and you're gonna, you know, just click next on the code that pops up.
And what's gonna happen is you're gonna literally go to Microsoft dot com.
You're not actually going to a fake site.
You're not going to a hacker site.
Speaker 1: Right.
Speaker 3: So if I went to this site and it said, hey, can you log in as, you know, Dwayne at Pulsarsecurity dot..., my 1Password would submit the username and password, because it is legitimately a Microsoft site.
Right? Then when you click next on this, you know, "allow access token" thing, it just closes and says thanks, that's it. And you're like, okay, cool, awesome. And what you've done is you've actually given an attacker access to tokens for your account, which means they can read your emails, they can do all the things that you normally would be able to do on the network, in, you know, Office 365.
Speaker 1: That's no... boy, no.
Speaker 3: So it is an interesting tactic.
And I love the fact that it legitimately goes to a Microsoft site or legitimately goes to a Google site.
Right? So there's no way for somebody... the classics of looking for phishing.
Right, look at the URL, hover over it, right, you know, when you click on it, go to the URL bar and look at it, and does it actually say Microsoft dot com?
All this would pass muster.
The only thing that would be weird is that the email would have come from somebody else, so it'd be like Microsoft dot Gmail dot com.
Speaker 1: Right.
So, a long time ago we talked about people using Cyrillic substitute letters, and they're so hard to figure out if they're actually real.
But didn't you guys have a website where you could paste in an email address or a URL and it would tell you if it was all ASCII or if there was some Cyrillic in there?
Yeah, there wasn't.
Speaker 3: There are several sites out there that will do that.
You know, for me, I just use CyberChef, and you can throw... we can put a link in the show notes.
Speaker 1: Is that a Windows app or a web app?
No?
Speaker 3: No, no, no, it's actually a website.
If you type CyberChef, uh, CyberChef, and then go, you can paste anything in there and say I want to decode it as hex, and you can actually see what all the characters are.
There's all sorts of things you can do with that, think like a really awesome hex editor slash decoder slash whatever.
Speaker 1: Online, that's great, cyberchef dot or... yeah, there you go, fantastic.
Speaker 3: So the interesting part about this is you really would be going to a Microsoft and/or Google site, and you really are authenticating somebody else to view your stuff.
Here's the thing I would tell you, though. This sounds really scary, right?
I could receive an email that looks like it comes from Microsoft, and when I click okay, my password manager is not going to save me from it; it's actually going to submit the password, because I'm on the real site.
When you get one of these emails, the attacker has... you have fifteen minutes to click on that email and submit the code or it gets disabled.
So if you're really concerned about one of these emails and you're like, I'm not sure what it is, wait fifteen minutes or twenty minutes or half an hour, and then click on the link and it'll say, nope, this code has expired, right, and you go, okay, cool, this was somebody else trying.
Speaker 1: Did you just say, click on a link in an email?
Speaker 3: Did you just say that? Well, if it goes to Microsoft, absolutely, I mean, you could do it.
You could, but I would wait.
I would wait the thirty minutes so that it's actually a defunct code and be like, okay, that's what they were doing.
Okay, but it's an interesting tactic.
So just be careful.
If you see an email coming in from these, wait three days, and...
Speaker 2: If someone you really care about calls you and tells you they need you to do something, yeah.
Speaker 1: That's, you know, that is a really good strategy in general.
Patrick, you know, if your credit card has expired and you're like, oh no, I've got to call these services.
No, you don't.
They'll call you, don't worry.
Speaker 3: Yeah, yeah, they want their money, they'll call you.
Speaker 1: They'll get in touch with you.
Yeah yeah.
All right, on that happy note, let's take a break.
We'll be right back after these very very important messages.
All right, we're back.
It's security this week.
I'm Carl Franklin.
That's Dwayne and that's Patrick.
All right.
Next story: Hackers claim breach of senior employee account at VIZ Media.
That's V-I-Z, VIZ. And there's actually audio for this story too.
What happened here?
Speaker 2: So the hackers claim that they've stolen 250 gigabytes of data, including emails and employee credentials.
It's the same thing.
You're only as secure as your least secure user.
Security through obscurity doesn't work.
So if you think, well, they don't know who our employees are and they don't know what their email addresses are and they don't know... that's just crazy.
It's OSINT.
It is open source intelligence, and it's the first thing that hackers do in order to find a target, in order to take down a target, and a lot of times they're not even worried about, like, they don't even have to know you.
It's just that you exist.
You have money, you have servers, you have the things they want, and so there's this hubris that people have.
Well, we don't have anything the hackers want, or if the hackers wanted us, they don't know who our users are, and they don't know the email addresses of our users, and all.
That's just wrong.
And so I doubt this was, hey, we're going to get this executive and we're going to get it.
No, they probably sent the email to everybody.
Speaker 3: Yep, could have been a device phish. What, exactly.
Speaker 2: Yeah, and so it's human risk management.
We have to manage the risk of humans, because they produce about two thirds... a user has to make a mistake in about two thirds of the exploits that we see.
Speaker 1: Yeah.
Speaker 3: Absolutely, yeah, and that's where we always push, you know, user education, user training, drip training done right, that sort of stuff.
So, you know, and it's interesting in this particular case, if you are a manga subscriber and love that, I just realized that if you're using VIZ Media and/or their networks...
They say it could have included customer information in this particular breach.
So you want to be careful.
And if you followed our news on credit locking, you should definitely do that just in case some of your account data might have been stolen.
Yeah, that's what I would do.
Speaker 1: Go look yourself up at haveibeenpwned dot com.
Yeah, yep. Also one of our very oft-subscribed... okay, Weaponized PuTTY and Teams ads deliver malware, allowing hackers to access network.
Speaker 2: I don't click on ads anymore.
I mean, ads are...
Speaker 3: Just... they're so good.
But Google and Microsoft are really good about putting those ads right up front.
They look like search results.
I know the top four or five are always going to be ads, a little wit of your search results.
It's just whispered.
It's that tiny.
Yeah exactly.
Speaker 1: I never follow those.
Speaker 2: Yeah, I always look for the union label.
Speaker 3: Yeah.
Speaker 1: Wait a minute, don't we have some ads on Google?
No? Okay, except for those, don't click.
Speaker 3: Yeah, click on those ads.
People, click, click for a friend too.
Speaker 2: We just get our bots to do that.
Speaker 3: Yeah.
So this is an interesting article for multiple reasons.
One, when we start to see mass exploitation of technical tools.
So PuTTY is a technical tool.
PuTTY allows you to terminal-control, usually, like, remote Linux servers and that sort of stuff.
Right, so it's more for administrators; like, the normal user on the planet is never downloading PuTTY, so you always ask yourself, well, why are they targeting highly technical users who may have administrative access to servers?
And part of it might just be for, you know, monetary gain.
Part of it might be, well, this is, you know, the precursor to an attack of some sort and they're trying to get initial access to an organization. Who knows.
Secondly, the other thing that's interesting with PuTTY is, for those of you who have ever downloaded PuTTY before, you know that PuTTY comes from the weirdest URL ever.
Like, if you go to search for putty dot com, and if it doesn't come from www dot chiark dot greenend dot org dot uk, then it's not PuTTY, and you're like, well, that's weird.
So because the ads were for putty dot com, dot... which is not where you get it, yeah, exactly, dot org, which is not where you get it.
So it is interesting to see this is one of the places where you might actually look at the real URL and go, well, that's got to be BS.
Speaker 2: We had that same thing with one of the compression tools, RAR, for a while.
Oh yeah, oh yeah, yeah, yeah, the same kind of thing going on.
Speaker 1You know, my brother and I were kids and we were putting in windows.
We learned how to weaponize putty against each other.
Yeah uh yeah, especially with putty knife and bend it in the split weaponized puddy.
Sorry, Tom, it's like shaking his head out there.
Speaker 2: You come on, guys, the kind of kids that used to eat the putty.
Speaker 1: No, never Silly Putty maybe, but I was really only taking a tooth the mold.
All right, So don't click on ads, especially those that are sponsored.
Speaker 3: Just be careful.
Speaker 2: The only thing worse than clicking on ads is paying ransomware, yes, foreshadowing.
Speaker 1: And foreshadowing ZDNet.
This is where we say, Patrick, you are right, and we're talking about the fact that no one pays ransomware demands anymore.
So attackers have a new goal.
And before we explain what that new goal is, we just need to get Patrick credit.
Because way back in the early days of security this week he says, I have a solution.
Make it illegal to pay ransomware, right, yeah, never pay it, pay ransoms right yep.
And it was.
Speaker 2: So here's the thing.
So what we're seeing is a drop off in people paying ransomware attacks from eighty five percent in twenty nineteen to like low double digits now I think it's twenty three percent.
Speaker 3: Twenty three, yes, twenty percent, which.
Speaker 2: I'm happy about.
Less money for them, but we've already fed this industry.
If we stopped it early, it wouldn't have thrived, it wouldn't have flourished the way it did, it wouldn't become a billion dollar enterprise.
So we're still paying this price.
So they've changed their tactics.
Now they're mostly trying to get something to extort you, so the like locking your files and making you resort to backups.
One of the services they've done is they've made people actually pay attention to their backups, which way and I've been doing for twenty plus thirty years now almost, and so backups are important.
Ransomware has made us aware of that.
But backups have to be offline and secure.
But we still have this thing where well, they got your emails and they got your you know, your sensitive information.
Well, how about not saying things in emails that shouldn't be said?
How about that that's a good idea, you know, you know, how about not having secret files that you wouldn't want the IRS or someone else or your customers to see.
Speaker 1: Of course, that would be a good thing.
I've always, ever since I started using email, my policy was, if it's not something that I would call my mother and tell her, then don't.
Speaker 2: Put it in an email.
Speaker 1: Don't put it in an email.
Speaker 2: Absolutely, that's what Signal's for.
But I think this is progress, but it's still you still have to defend.
And if we had just done it the right way in the beginning and just said no, you can't, you can't pay a ransom, it's illegal, they never would have gotten to the point that they're at now where they could even do this.
So it's kind of like we built our own enemy.
We do that over and over again.
Speaker 1: So what are the ransomware people turning to as opposed to extortion?
Speaker 2: They're trying to, Oh, Carl, I got files and I know secrets that you don't want public, and I'm going to make them public if you don't pay me.
I know, you don't care about restoring your files, but you care about these secrets.
It's basically a breach.
We're back to breaches.
Okay, back in the old days, we had breaches, before ransomware was really big.
We had Hey, I stole your data and for a million dollars, I won't release it to the world.
I won't put it up on Pastebin.
Back when we were kids, right, yeah, well back in the day, kids were kids at least, so you know, that was the way it was.
And now we're getting back to that and ransom is just a part of it along the way.
Speaker 1: Okay, well, it's an interesting story.
But another ransomware story has come across our desk, and this is that there's a ransomware surge in Europe.
Cyber criminals are exploiting GDPR penalties and targeting key sectors, which is really fascinating to me.
Speaker 2: And this is this is an addendum to the last story.
They're not related, but they really do play well together.
This is CrowdStrike saying, look, we've been watching these trends and Europe is finally catching up to the United States.
So Europe is about twenty five percent of the world's economy, and so.
Speaker 1: Is the United States.
Speaker 2: The United States leads in ransomware attacks, whereas Europe is starting to catch up.
There are still only twenty two percent of global ransomware, even though they're twenty five percent of the global economy.
But one of the things that the bad guys are doing is they're using threats to report the company to GDPR because if you get hacked, then you violate GDPR rules, right, and you need to report it immediately.
And they're like, it's like the SEC, we had some of this in the US with SEC notifications.
There was a hacker group I think it was last year or maybe earlier this year that breached a company and then notified the SEC that they hadn't reported they've been breached.
Yeah, and basically they basically told mom, yeah, so that's this is this is again the GDPR aspect is just an angle on the you got breached, and I'm going to use that to extort you.
Speaker 1: Yep.
Speaker 3: Awesome.
Speaker 1: All right, well that's our show for this week and we will see you next week on Security This Week.
Bye bye, thanks, bye, guys.
