More Secure Ways To Send Data (Transcript)

All right folks you have the download button on security assessment podcast
00:00:00,000 –> 00:00:04,840

brought to you by our company Lipani security if you’re interested go to the
00:00:04,840 –> 00:00:09,800

link in the show notes below and check out all of our services software that we
00:00:09,800 –> 00:00:14,240

offer as well as our blogs about security in all our past podcast
00:00:14,240 –> 00:00:19,680

episodes I want to thank you all for listening and let the show begin
00:00:19,680 –> 00:00:25,360

all right let the show begin our first episode of the security assessment
00:00:25,360 –> 00:00:40,040

podcast I am your host Brandon and this show is going to be we’re gonna try to
00:00:40,040 –> 00:00:45,960

do a weekly show about the security every week a lot of you guys might
00:00:45,960 –> 00:00:49,720

remember me from the technology geek podcast which I did for many many years
00:00:49,720 –> 00:00:54,720

but recently we don’t I have not done that show I’ve been concentrating more
00:00:54,720 –> 00:01:00,200

on the business and things that are going on in the security world and the
00:01:00,200 –> 00:01:05,240

hardware world all that kind of stuff so the show is gonna be a little bit
00:01:05,240 –> 00:01:09,560

different for those of you that remember me from the technology geek podcast but
00:01:09,560 –> 00:01:13,360

except we’re gonna be focusing more on security we’re gonna talk about other
00:01:13,360 –> 00:01:16,000

things trust me tech news gadgets all that kind of stuff but more security
00:01:16,000 –> 00:01:20,880

focused here now on this show and speaking of security news we’ll dive
00:01:20,880 –> 00:01:27,240

right in here so a lot of a lot of things really going on overseas right
00:01:27,240 –> 00:01:33,000

now we all know obviously about the Russia and Ukraine situation but
00:01:33,000 –> 00:01:39,320

apparently that there has been research done and people have found out apparently
00:01:39,320 –> 00:01:44,000

Russia has hacked over 10,000 security cameras in Ukraine and they’ve been
00:01:44,000 –> 00:01:50,600

using these cameras specifically to target attacks target specific cities
00:01:50,600 –> 00:01:58,640

just their their strikes on Ukraine get updates on what’s going on in Ukraine
00:01:58,640 –> 00:02:03,760

all that so recently they have went ahead and they have Ukraine’s shut down
00:02:03,760 –> 00:02:09,520

a lot of their security cameras really to protect themselves as well as you
00:02:09,520 –> 00:02:16,160

know Russia spying on them and things like that what’s concerning to me though
00:02:16,160 –> 00:02:20,040

is some of the camera vendors that they use over there are here in America
00:02:20,040 –> 00:02:24,120

Ukraine has not yet released a list of what camera vendors or what kind of
00:02:24,120 –> 00:02:31,360

cameras were infected I would really like to know that because the odds are
00:02:31,360 –> 00:02:34,680

chance some of those camera vendors are probably used over here I know they for
00:02:34,680 –> 00:02:41,160

the only thing we got so far about this was that the cameras are made by China
00:02:41,160 –> 00:02:45,120

North Korea and Russia so that could be a whole sort of whole bunch of brands I
00:02:45,120 –> 00:02:50,920

wish they would release it they have not yet I know people are trying to find out
00:02:50,920 –> 00:02:54,440

obviously it’s probably not the top thing on Ukraine’s list to get out there
00:02:54,440 –> 00:02:57,800

but is something very important if you see any weird activity or anything like
00:02:57,800 –> 00:03:01,480

that going on on your cameras it may be something worth taking a look at so just
00:03:01,480 –> 00:03:08,240

keep yourself you know you know kind of keep an eye on things just see what’s
00:03:08,240 –> 00:03:13,520

going on with your camera system and if you see anything obviously turn them off
00:03:13,520 –> 00:03:17,840

right away and then also to the news I think it’s important enough really to
00:03:17,840 –> 00:03:22,720

talk about because it’s still all stuff in Ukraine going on but apparently Russia
00:03:22,720 –> 00:03:26,760

hackers were inside Ukraine’s telecom giant for months and they haven’t
00:03:26,760 –> 00:03:32,320

Russian hackers were inside Ukraine’s telecom giant Kistar forgive me if
00:03:32,320 –> 00:03:37,320

I butchered that and apparently they’ve been in for by the last year doing cyber
00:03:37,320 –> 00:03:41,840

attacks all that kind of stuff so one of the things that I guess is concerning
00:03:41,840 –> 00:03:46,800

about that is if you do send any email or any information over to Ukraine your
00:03:46,800 –> 00:03:53,640

data possibly could have gotten hung up with this America obviously has been
00:03:53,640 –> 00:03:57,840

communicating with Ukraine for a lot of things so it’s very concerning now one
00:03:57,840 –> 00:04:04,040

of the things they said if people need to be worried about is people using SIM
00:04:04,040 –> 00:04:06,680

cards because of the attacks anybody that used used an ATM anything like that
00:04:06,680 –> 00:04:12,280

anybody who’s communicated to anybody overseas you know so there’s just they
00:04:12,280 –> 00:04:16,800

have the attackers wiped almost I mean wiped almost everything so it’s gonna be
00:04:16,800 –> 00:04:20,880

almost impossible to find out who did it but they said there’s thousands of
00:04:20,880 –> 00:04:24,560

virtual servers and PCs that they said that they got access to so like I said
00:04:24,560 –> 00:04:29,800

you just be very cautious if you are speaking to anybody over there as it you
00:04:29,800 –> 00:04:37,080

know you could have been exposed if you give any personal information so just be
00:04:37,080 –> 00:04:41,620

concerned about that also to anybody I wanted to bring this up because I get to
00:04:41,620 –> 00:04:47,120

get some people ask me about it 23 and me still a mess over there they’ve been
00:04:47,120 –> 00:04:51,840

hit with about 30 lawsuits since December the breach apparently what
00:04:51,840 –> 00:04:57,360

they’re saying is 6.9 million of their users were exposed to some point they
00:04:57,360 –> 00:05:04,160

see roughly about 14,000 accounts were compromised so I mean it’s a big deal
00:05:04,160 –> 00:05:10,240

over there I’m very skeptical about this the fact that I’m 23 and me is trying to
00:05:10,240 –> 00:05:18,080

say oh it’s not our fault it’s your fault and all that kind of stuff they’re
00:05:18,080 –> 00:05:22,400

gonna hit this is gonna be a big class-action lawsuit you know it’s going
00:05:22,400 –> 00:05:25,200

to be like I said they’ve already gotten hit with 30 lawsuits already and I just
00:05:25,200 –> 00:05:30,400

don’t like the way they’re handling this saying that well that if this setting
00:05:30,400 –> 00:05:33,520

wasn’t if you turn the setting off you your account wouldn’t have been breached
00:05:33,520 –> 00:05:36,480

so it’s your fault for not turning this thing off I just I don’t particularly
00:05:36,480 –> 00:05:39,600

care the way they’re handling this they’re not taking any responsibility
00:05:39,600 –> 00:05:43,240

and that is a rather concerning speaking of lawsuits if you remember in 2020 the
00:05:43,240 –> 00:05:52,040

Google had Google got a lawsuit against them for claiming that the incognito
00:05:52,040 –> 00:05:56,520

mode apparently they’re still tracking you in incognito mode they apparently
00:05:56,520 –> 00:06:00,760

settled that with five billion I don’t know exactly how it’s gonna be dished
00:06:00,760 –> 00:06:04,440

out yet they haven’t talked about it yet but I’m sure there will be a lot anybody
00:06:04,440 –> 00:06:08,240

I guess it’s using cognitos give me a title to a few bucks so we will have to
00:06:08,240 –> 00:06:12,200

kind of to see what happens with that and keep an eye on that going forward
00:06:12,200 –> 00:06:18,120

and then also to that big class-action lawsuit was settled with that company
00:06:18,120 –> 00:06:22,360

home advisor apparently they were selling people saying hey you know you
00:06:22,360 –> 00:06:25,880

can get great leads from our company and apparently they were selling garbage
00:06:25,880 –> 00:06:29,600

leads to people and people were I mean losing money because you’re getting all
00:06:29,600 –> 00:06:33,480

these leads and and all that and you’re collecting tons of leads and stuff like
00:06:33,480 –> 00:06:37,120

that and the most you you pay per lead but get a lot of leads were garbage so
00:06:37,120 –> 00:06:43,280

apparently there was a big class action lawsuit with that and apparently
00:06:43,280 –> 00:06:47,560

everybody’s going to be entitled to so much money I mean it won’t be you’re not
00:06:47,560 –> 00:06:50,920

gonna get back everything you lost but I’m sure they’re they dished out at
00:06:50,920 –> 00:06:54,000

checks I know some people I saw on the internet got you know 30 40 50 dollars
00:06:54,000 –> 00:06:58,000

it really depends on how much you lost with those particular that class-action
00:06:58,000 –> 00:07:03,360

lawsuit but that was another lawsuit like I said it’s a lot of lawsuits are
00:07:03,360 –> 00:07:05,760

getting settled here early in this first part of them you know the month so but
00:07:05,760 –> 00:07:10,680

like I said I wanted to bring that up as well there there’s been so many of these
00:07:10,680 –> 00:07:14,480

lawsuits and it’s gonna keep going on but yeah 20 like it’s 23 in May home
00:07:14,480 –> 00:07:19,080

advisor Google all these lawsuits got settled this week so we’re moving moving
00:07:19,080 –> 00:07:24,880

forward so last pass the the largest I think password management company in the
00:07:24,880 –> 00:07:29,460

world I think anyway announced on their blog that they’re going to be making
00:07:29,460 –> 00:07:33,360

some serious changes to their system as you guys know they got hit a few times
00:07:33,360 –> 00:07:38,760

with a bunch of cyber attacks things of that nature last pass I actually have
00:07:38,760 –> 00:07:43,960

lost confidence in them there’s been too many attacks all and stuff over the last
00:07:43,960 –> 00:07:49,200

couple years I think it’s not all their fault as a company gets bigger and
00:07:49,200 –> 00:07:53,760

bigger it’s hard to sometimes to keep the security locked down well I mean it
00:07:53,760 –> 00:07:57,140

is their fault but it’s harder for them to lock it down and their their system
00:07:57,140 –> 00:08:01,400

is closed source so they don’t have people can’t review their code and some
00:08:01,400 –> 00:08:05,000

of that so but they are now trying to tighten things up a little bit on their
00:08:05,000 –> 00:08:10,520

blog they said they’re gonna be there asking customers to update their master
00:08:10,520 –> 00:08:15,080

password to make it longer and more secure they are going to be enforcing
00:08:15,080 –> 00:08:18,880

and enrolling multi-factor authentication and all these changes
00:08:18,880 –> 00:08:23,840

are going to be rolling out as they are trying to go ahead and make their
00:08:23,840 –> 00:08:29,600

systems more secure they should have been doing I know you know there’s
00:08:29,600 –> 00:08:34,000

always been a fine line in security between usability and secure you know
00:08:34,000 –> 00:08:40,640

secure ability in a sense of you don’t want to make something too secure that
00:08:40,640 –> 00:08:44,120

it’s so complicated that people don’t want to use it especially if you’re a
00:08:44,120 –> 00:08:47,140

for-profit business but you also don’t want to make it income you know too
00:08:47,140 –> 00:08:51,600

simple and insecure because then you’re not really doing your customers a
00:08:51,600 –> 00:08:55,000

service so that’s a very tough line to walk and specifically in the password
00:08:55,000 –> 00:09:00,800

management business it’s extremely difficult just because of the way things
00:09:00,800 –> 00:09:05,880

are you know it generally in this world people tend to take convenience over
00:09:05,880 –> 00:09:11,280

security and that’s perfectly normal but when you’re running a password
00:09:11,280 –> 00:09:15,520

management that has access to everything for people to get you have to be really
00:09:15,520 –> 00:09:20,480

secure and I think they’ve really dropped the ball on it I personally
00:09:20,480 –> 00:09:25,680

recommend that everybody use bitwarden that’s what I use they walk much fine
00:09:25,680 –> 00:09:32,040

they walk it’s much I like the way they run their company much more all their
00:09:32,040 –> 00:09:36,320

code is open source so hackers and things like that can look and see hey
00:09:36,320 –> 00:09:40,560

there’s a bug or report to them and they can patch it I like the fact that they
00:09:40,560 –> 00:09:44,840

have third-party audits done regularly that are public knowledge so they can
00:09:44,840 –> 00:09:50,280

have accountability so what they do is they have we have the security audits
00:09:50,280 –> 00:09:54,720

done once they fix the problems and all that they post the security audits up to
00:09:54,720 –> 00:09:58,960

their customers to show hey we had an audit done we found problems we fixed it
00:09:58,960 –> 00:10:03,440

so it keeps us honest the worst kind what really what last pass did that
00:10:03,440 –> 00:10:07,840

really upset me about them was they had an issue they knew they had an issue
00:10:07,840 –> 00:10:13,200

they kept it very hush-hush and then when they finally did have a breach
00:10:13,200 –> 00:10:17,160

because the issue they never patched they they didn’t react to it well they
00:10:17,160 –> 00:10:22,480

didn’t hate they they didn’t hand in quick didn’t react to it quick enough
00:10:22,480 –> 00:10:27,080

their response times were terrible with it you know the whole thing with them is
00:10:27,080 –> 00:10:32,000

just I just don’t particularly care for the way they’ve handled it and I do like
00:10:32,000 –> 00:10:36,640

the way last pass I’m sorry excuse me I do like the way bitwarden has handled
00:10:36,640 –> 00:10:41,440

any issues they’ve had quickly they’ve open sourced everything like they should
00:10:41,440 –> 00:10:45,600

for a company like that they have done everything the way I would have done it
00:10:45,600 –> 00:10:50,200

and the way I think is responsible to do it when you’re looking at you have
00:10:50,200 –> 00:10:54,200

people’s whole lives in their database and I know you’re saying what whole lives
00:10:54,200 –> 00:10:58,200

well yeah because most people use these passwords man for their bank accounts
00:10:58,200 –> 00:11:01,320

for all that kind of stuff very sensitive data that really needs to be
00:11:01,320 –> 00:11:07,240

overly secure you know it’s one of those things when you are when you’re storing
00:11:07,240 –> 00:11:11,840

people’s passwords to their personal information it needs to be tight and
00:11:11,840 –> 00:11:17,320

fortunately last pass I think they’ve just I think at the beginning they were
00:11:17,320 –> 00:11:21,160

ahead of their time with password managing and I think they just grew too
00:11:21,160 –> 00:11:25,060

fast grew too big and just you know they’re they they just got bigger than
00:11:25,060 –> 00:11:29,720

what they could handle they didn’t patch the code right they didn’t handle
00:11:29,720 –> 00:11:33,040

security audits and everything properly and sometimes that happens bitwarden is
00:11:33,040 –> 00:11:38,160

a lot smaller company they’re open source so that they can put the stuff
00:11:38,160 –> 00:11:42,200

out there if you want you know their their attitude is well here’s the code
00:11:42,200 –> 00:11:44,640

you know take a look let me know what you think if you want to run your own
00:11:44,640 –> 00:11:47,520

password managers you can here’s our code to do it so you’re safe and secure
00:11:47,520 –> 00:11:51,920

with it you run your own or you can buy our service I mean I think everything
00:11:51,920 –> 00:11:56,400

the way bitwarden has done it is is appropriate and compared to last pass
00:11:56,400 –> 00:12:01,920

they really stepped up their game so I am very very much pro bitwarden it’s the
00:12:01,920 –> 00:12:09,080

one I recommend they are not a sponsor of this podcast I want to point that out
00:12:09,080 –> 00:12:12,800

I’m recommending them because I personally use them I personally had
00:12:12,800 –> 00:12:16,680

good experiences with them also – they have iOS support they have Android
00:12:16,680 –> 00:12:22,280

support so if you’re using it on your desktop and you say hey I would like to
00:12:22,280 –> 00:12:26,000

use this on my phone as well you can use it on your phone as well and they have
00:12:26,000 –> 00:12:30,880

browser extensions it’s really really well done they have they’re actually
00:12:30,880 –> 00:12:35,160

adding passkey now which is a very important thing it’s in beta it should
00:12:35,160 –> 00:12:39,120

be out where instead of just using a password use a long key they support
00:12:39,120 –> 00:12:43,520

biometric so if you’re on a Mac or on your phone it can use face ID you can
00:12:43,520 –> 00:12:46,880

use ID your thumb ID your fingerprint ID like I said everything about them is
00:12:46,880 –> 00:12:53,360

being done properly for a password manager and that’s why I am very very
00:12:53,360 –> 00:12:57,560

pro bitwarden they are not a sponsor if they would like to I would be more than
00:12:57,560 –> 00:13:01,440

having to take them on as a sponsor but like I said the way they are handling
00:13:01,440 –> 00:13:05,080

the password manager I am very very for I actually have had companies in the
00:13:05,080 –> 00:13:09,320

past that wolf said to me you know we’re not comfortable hosting on bitwarden
00:13:09,320 –> 00:13:13,000

we’d like to host we like bit wouldn’t like to host it ourselves on our own
00:13:13,000 –> 00:13:16,400

server so we don’t have a big bill because they got a lot of users because
00:13:16,400 –> 00:13:19,000

you pay by the user with their their hosting count so you can actually take
00:13:19,000 –> 00:13:23,680

bit wardens code and host your own server and I am and it’s really cool like
00:13:23,680 –> 00:13:28,520

I said I I really like it because like I said if you’re a big company and say hey
00:13:28,520 –> 00:13:32,200

you know we don’t want to spend you know two three thousand a month on on you
00:13:32,200 –> 00:13:36,440

know password but we want something secure and safe you can actually use bit
00:13:36,440 –> 00:13:40,640

what it actually has the software and everything built out for you all you
00:13:40,640 –> 00:13:44,360

have to do is load it on your own server and you can manage it yourself so I
00:13:44,360 –> 00:13:47,600

really like the way they do this kind of twice that they’re really as a password
00:13:47,600 –> 00:13:51,240

manager they are right where you’d want to be and that’s why I really think if
00:13:51,240 –> 00:13:55,240

you are going to use a password manager I strongly recommend using bitwarden
00:13:55,240 –> 00:13:59,600

because they do they’ve got they are on the right track they handle incident
00:13:59,600 –> 00:14:03,920

response properly I’ve looked into the way they secure stuff with encrypt stuff
00:14:03,920 –> 00:14:08,320

like I said everything is being done right like I said I think last passage
00:14:08,320 –> 00:14:13,720

become too big of a company and they are putting their profit over people and
00:14:13,720 –> 00:14:17,800

insecurity you cannot do that you have to put security over profit one of the
00:14:17,800 –> 00:14:23,200

other companies that I used to recommend that I don’t anymore is to to know to
00:14:23,200 –> 00:14:27,140

to know to them and proton proton mail I used to be really pro both of these
00:14:27,140 –> 00:14:34,880

companies they run they’re running encrypting email services so in other
00:14:34,880 –> 00:14:38,540

words if you wanted to you could send an email to somebody with that was
00:14:38,540 –> 00:14:42,260

encrypted and so they can only open if they had the password or if they had the
00:14:42,260 –> 00:14:45,800

PGP key or anything like that but apparently recently there was a recent
00:14:45,800 –> 00:14:50,920

document that somebody sent me back from late news late November to donota is
00:14:50,920 –> 00:14:58,740

actually they were there they were supposed to be always okay crit you
00:14:58,740 –> 00:15:03,940

know encrypting email keeping your email safe and stuff that and apparently when
00:15:03,940 –> 00:15:07,720

you send an encrypt email it still is encrypted in their systems but because
00:15:07,720 –> 00:15:14,080

of a law that came out in Germany now there is a case right now they’re being
00:15:14,080 –> 00:15:19,580

required to be able to allow law enforcement to monitor mailboxes and
00:15:19,580 –> 00:15:25,880

this is kind of concerning to me because one of the things they are saying this
00:15:25,880 –> 00:15:29,680

is the way they responded to us I asked them a question about it they shouldn’t
00:15:29,680 –> 00:15:33,480

change anything for other users their emails should continue to be encrypted
00:15:33,480 –> 00:15:38,300

by default nevertheless to de nova sees a one-time bypass of encryption as a
00:15:38,300 –> 00:15:43,160

security risk to all customers now that’s what they said however he goes
00:15:43,160 –> 00:15:48,600

nothing I want to say as we emphasize surveillance measure only affects newly
00:15:48,600 –> 00:15:55,180

received unencrypted emails so in other words if somebody sent you an email from
00:15:55,180 –> 00:16:00,360

say Gmail or wherever you’re coming from those emails are not encrypted so if
00:16:00,360 –> 00:16:06,360

they sent if they sent you an email like say from your Gmail account they would
00:16:06,360 –> 00:16:10,140

capture it and read it or allow the law enforcement people to read it the
00:16:10,140 –> 00:16:14,900

company cannot decrypt data that is already encrypted so any of your emails
00:16:14,900 –> 00:16:19,120

that are there are safe also to they’ve added this if you send any encrypted or
00:16:19,120 –> 00:16:26,240

end-to-end encrypted emails through to to through to to note out those messages
00:16:26,240 –> 00:16:30,800

will still be encrypted so that’s a bit concerning so basically if I send you an
00:16:30,800 –> 00:16:37,280

email from to to know that’s encrypted they can’t read it but if you would just
00:16:37,280 –> 00:16:41,400

you know log into your Gmail your outlook or your Yahoo AOL whatever you’re using
00:16:41,400 –> 00:16:45,800

and send me a message to my to know account they could read it so kind of I
00:16:45,800 –> 00:16:51,660

mixed feelings about this now because they’re there I used to recommend them
00:16:51,660 –> 00:16:56,440

to people because they’re in sending encrypted safe email you still can send
00:16:56,440 –> 00:16:59,440

encrypted emails but before this all email sent to you was encrypted they
00:16:59,440 –> 00:17:03,720

did not keep logs they did not keep anything like that now they’re kind of
00:17:03,720 –> 00:17:07,560

changing their tune saying that you know if an email is sent unencrypted we can
00:17:07,560 –> 00:17:11,280

you know we can catch it so I am a little upset about that that is not the
00:17:11,280 –> 00:17:17,000

service they sold that is not the service that they used to have them as
00:17:17,000 –> 00:17:22,880

well as ProtonMail bunchies encrypted email services now are starting to do
00:17:22,880 –> 00:17:29,400

this and it’s rather concerning like you sold the fact that you know if I
00:17:29,400 –> 00:17:35,400

somebody sent me an email it would be received and encrypted no matter what
00:17:35,400 –> 00:17:39,760

now so only the emails I send from your company are encrypted so any emails I
00:17:39,760 –> 00:17:44,920

get back or not I mean it’s it’s just basically saying like oh if you you know
00:17:44,920 –> 00:17:48,920

it’s if you use our service you’re safe but if you’re gonna use receive email
00:17:48,920 –> 00:17:52,140

from companies outside it’s different and that that’s a big problem to me
00:17:52,140 –> 00:17:55,840

because if you’re running a bit you know it’s one thing to say email other
00:17:55,840 –> 00:18:00,280

friends that are using Tutanota but the problem is if they offer business level
00:18:00,280 –> 00:18:05,640

encrypt this is actually what’s on there say business level encryption all your
00:18:05,640 –> 00:18:11,640

emails encrypted and secure yes all your emails are encrypted and secure but if
00:18:11,640 –> 00:18:16,200

you’re running a business all these other companies are going to be sending
00:18:16,200 –> 00:18:19,040

you emails not all those emails are going to be encrypted so that’s actually
00:18:19,040 –> 00:18:23,280

kind of a lie because it means that any email that you get somebody if a
00:18:23,280 –> 00:18:28,480

business logs on to their Google Google workspace account or somebody logs on
00:18:28,480 –> 00:18:33,640

to their office 365 and shoot you an email to your Tutanota account first of
00:18:33,640 –> 00:18:37,280

all they don’t know you’re on Tutanota because they’re just sending it to your
00:18:37,280 –> 00:18:39,280

domain but like and then all of a sudden that email now is can be read because it
00:18:39,280 –> 00:18:44,120

was sent unencrypted it’s just not it’s not that’s not what they sold and the
00:18:44,120 –> 00:18:48,800

fact that they made a tool that can hang out there and catch these email so in
00:18:48,800 –> 00:18:51,760

other words the catch they’re catching the emails before they go to the
00:18:51,760 –> 00:18:55,000

encryption so that’s that’s a breach of security and I am not for that now
00:18:55,000 –> 00:19:00,880

they’re even posting on their website now they’re keeping count amount of
00:19:00,880 –> 00:19:05,640

reports that they’re asking law enforcement is asking for and stuff like
00:19:05,640 –> 00:19:08,320

that and apparently they’ve had 121 requests for data requests for real-time
00:19:08,320 –> 00:19:16,000

traffic they they’re listing on and that’s great that they’re listing at all
00:19:16,000 –> 00:19:19,560

but that doesn’t it doesn’t really fix the problem it just you know make you
00:19:19,560 –> 00:19:27,680

can make you more concerned you see how many how many people are asking for it
00:19:27,680 –> 00:19:30,640

how many people they’re complying with so for those of you that do work in the
00:19:30,640 –> 00:19:34,800

enterprise the there’s two big security vulnerabilities that came out this past
00:19:34,800 –> 00:19:42,480

it was just Friday Thursday or Friday came out apparently Juniper Networks
00:19:42,480 –> 00:19:47,360

apparently their firewalls has a critical remote code execution
00:19:47,360 –> 00:19:53,040

vulnerability which they are have flaw apparently it’s well it’s substantial
00:19:53,040 –> 00:20:00,200

flaw in the census it goes way way back to all even older versions so they have
00:20:00,200 –> 00:20:04,760

released a patch for that and then also to Avanti or Pulse Secure had a zero day
00:20:04,760 –> 00:20:14,640

vulnerability that they released a patch for it’s not really a patch more of a
00:20:14,640 –> 00:20:19,840

fix for right now so they can patch it but so that is another one that there’s
00:20:19,840 –> 00:20:25,080

been two big ones that came out last week and like I said luckily enough they
00:20:25,080 –> 00:20:31,000

have mitigation take not so much patches but mitigation techniques that you can
00:20:31,000 –> 00:20:35,940

go ahead and look that up as well anybody who got hit with the black
00:20:35,940 –> 00:20:43,940

basta in Bubba torrent illa ransomware if you were lucky enough that you
00:20:43,940 –> 00:20:53,080

haven’t saved the hard drive or just got hit with it recently Cisco has
00:20:53,080 –> 00:21:00,400

announced as well as a vast that they have a decryption tool that you can run
00:21:00,400 –> 00:21:08,080

and it will actually decrypt the data that those guys have put on your stuff
00:21:08,080 –> 00:21:15,480

that’s what ransomware is they encrypt your data so you can get to it but these
00:21:15,480 –> 00:21:19,560

guys actually have a tool now both of them the vast has one and now Cisco has
00:21:19,560 –> 00:21:25,160

one as well and you can actually run this and it will decrypt your data so
00:21:25,160 –> 00:21:28,800

you can get it back like I said it was always glad to see when they get these
00:21:28,800 –> 00:21:33,480

tools they don’t always happen but it was really nice to see somebody finally
00:21:33,480 –> 00:21:37,760

have a tool that can get your data back in those situations those of you by the
00:21:37,760 –> 00:21:45,000

way don’t forget to run your Microsoft Windows update because it’s past Tuesday
00:21:45,000 –> 00:21:49,400

was Microsoft’s patch Tuesday they patched 48 vulnerabilities on computers
00:21:49,400 –> 00:21:55,760

I know they have some of the vulnerabilities they patched did break
00:21:55,760 –> 00:22:01,080

things for some something IBM broke something with them and I think Adobe as
00:22:01,080 –> 00:22:05,520

well so love updates coming out for those things but yes they have had over
00:22:05,520 –> 00:22:10,960

48 patches came out this past week so that’s a pretty heavy patch Tuesday for
00:22:10,960 –> 00:22:16,800

Microsoft but I think I said at least they at least they got that done also to
00:22:16,800 –> 00:22:22,680

Adobe had some vulnerabilities with cold fusion that came out D link has some
00:22:22,680 –> 00:22:28,200

issues a couple of them that were released that have csv’s from the CIA
00:22:28,200 –> 00:22:33,840

say the cybersecurity infrastructure security agency so that was in the news
00:22:33,840 –> 00:22:39,720

this week as well. Coders, if you use GitLab, don’t forget they also had a
00:22:39,720 –> 00:22:46,240

vulnerability this week you have to patch against, so quite a bit of patching
00:22:46,240 –> 00:22:52,000

going on this week. I mean, it always does; the second Tuesday of every
00:22:52,000 –> 00:22:56,040

month is always Patch Tuesday from Microsoft, and most companies go ahead
00:22:56,040 –> 00:22:59,800

and follow suit with that sort of stuff. Also, I do want to bring up as well, we
00:22:59,800 –> 00:23:08,680

have a big piece on our website about Signal. We really did a real deep dive into
00:23:08,680 –> 00:23:15,480

Signal on our website because I felt it was important. I know a lot of people,
00:23:15,480 –> 00:23:20,200

especially recently, friends of mine, are looking for more secure messengers, not
00:23:20,200 –> 00:23:26,720

just for personal use but for their businesses, and Signal is about as, I
00:23:26,720 –> 00:23:33,640

mean, about as secure as you can get as far as a messaging platform, in that
00:23:33,640 –> 00:23:38,760

it was created by the guys who invented WhatsApp, and when WhatsApp got bought by
00:23:38,760 –> 00:23:43,680

Facebook, apparently Facebook said they weren’t going to compromise the
00:23:43,680 –> 00:23:47,960

integrity of it, but apparently they have; they do collect metadata and stuff like
00:23:47,960 –> 00:23:51,640

that on WhatsApp even though it’s supposed to be a secure messenger. Again,
00:23:51,640 –> 00:23:55,480

profit over people. And so now these guys went out a bunch of years ago and
00:23:55,480 –> 00:24:00,680

started Signal, and it really is quite a, you know, it’s a 501 nonprofit; it was
00:24:00,680 –> 00:24:07,960

founded in 2018, and unlike all the other messengers out there they actually do
00:24:07,960 –> 00:24:15,120

encrypt, and nobody can read it but you and the person that’s receiving
00:24:15,120 –> 00:24:18,440

it. That’s not, by the way, Facebook Messenger, Snapchat, Skype, Google Chat,
00:24:18,440 –> 00:24:23,840

text messages; they are not end-to-end encrypted. The only ones that are end-to-
00:24:23,840 –> 00:24:27,760

end encrypted right now are WhatsApp allegedly, Signal definitely, and iMessage
00:24:27,760 –> 00:24:34,660

definitely, so those are two important things to remember. If you’re
00:24:34,660 –> 00:24:40,540

going to send somebody a message, you need to be safe and secure; I guess it’s
00:24:40,540 –> 00:24:45,080

iMessage or Signal. I recommend either or, either is fine, and WhatsApp
00:24:45,080 –> 00:24:51,600

is supposed to be secure and I’m not exactly sure how much I trust it; there’s
00:24:51,600 –> 00:24:55,360

a lot coming out about Facebook collecting metadata, collecting phone
00:24:55,360 –> 00:24:59,920

numbers, linking that to people’s Facebook accounts so they can figure out who’s
00:24:59,920 –> 00:25:03,640

sending these encrypted messages and all that, so I’m hesitant. I like
00:25:03,640 –> 00:25:08,920

WhatsApp, I do use WhatsApp, but if I’m gonna send something safely and securely
00:25:08,920 –> 00:25:12,280

I usually use iMessage or Signal. Yet the one thing that stinks about iMessage
00:25:12,280 –> 00:25:17,060

is the person has to be on an iPhone, or, you know, you can’t
00:25:17,060 –> 00:25:23,740

get it. I mean, that’s the only thing, I mean, I wish Apple would open up iMessage
00:25:23,740 –> 00:25:29,260

to Android just because I think it would be, I mean, RCS eventually
00:25:29,260 –> 00:25:35,820

might fix this, but it would make end-to-end encryption much safer and much
00:25:35,820 –> 00:25:41,580

better, I think, anyway. But I mean Apple’s never gonna do that; they’re a
00:25:41,580 –> 00:25:47,140

for-profit company, they’re not gonna give iMessage out to just anybody
00:25:47,140 –> 00:25:51,820

because they want people to be locked into their platform with the blue
00:25:51,820 –> 00:25:55,100

bubbles and all that, so they’re not going to. They’ve already talked about it
00:25:55,100 –> 00:25:58,800

many a time, saying that, well, if we put iMessage on Android it might make it so
00:25:58,800 –> 00:26:02,700

easy for people to get off of Apple, so they’re not going to do that. I wish they
00:26:02,700 –> 00:26:06,940

would, though, because it would just be so much better, because iMessage, the way
00:26:06,940 –> 00:26:11,460

they store stuff, the way they message, I go, it’s just so much safer
00:26:11,460 –> 00:26:15,180

than Android. I mean, RCS is going to make it better but it’s not going to
00:26:15,180 –> 00:26:20,580

make it, it’s gonna make it a little bit more secure, but not as much as it
00:26:20,580 –> 00:26:25,060

because SMS messages are unbelievably insecure. But like I said, specifically I
00:26:25,060 –> 00:26:30,160

wish they would, but so what I do is if I know the person has an Android I tell
00:26:30,160 –> 00:26:35,260

them I want to use Signal to talk to them, because Signal is cross-platform; it even
00:26:35,260 –> 00:26:38,760

works on the desktop and all that kind of stuff. It works on your desktop, it
00:26:38,760 –> 00:26:42,480

works on Mac or Windows, or it’s pretty much like, since it’s just an
00:26:42,480 –> 00:26:46,940

app, it’s cross-platform, which is very nice. But the one thing I am
00:26:46,940 –> 00:26:51,940

concerned about Signal, though, is they have made it public on their blog: this
00:26:51,940 –> 00:26:55,820

is, they are a nonprofit, you know, they do burn through a lot of money,
00:26:55,820 –> 00:27:00,220

so they are looking for donations. So I actually donate a few bucks a year to
00:27:00,220 –> 00:27:05,700

them because I do use Signal. I know it’s not much, but if you all donated a few
00:27:05,700 –> 00:27:08,780

dollars to them, you know, it would help them out. They are a nonprofit, they are
00:27:08,780 –> 00:27:12,460

really, my whole issue is, well, I do like Signal and I think they are a great
00:27:12,460 –> 00:27:19,340

platform; I don’t know if enough of their users care enough about security that
00:27:19,340 –> 00:27:25,900

they’re willing to pay for it. That’s the issue with security sometimes is, you
00:27:25,900 –> 00:27:30,700

know, somebody may use Signal and say, oh, this is a wonderful, great platform, it’s
00:27:30,700 –> 00:27:34,340

very secure, they do everything to, you know, authenticate, they do everything
00:27:34,340 –> 00:27:39,260

right. But the problem is the majority of people that use it probably don’t care
00:27:39,260 –> 00:27:46,140

enough about it to pay for it. I know specifically a lot of journalists use
00:27:46,140 –> 00:27:50,820

Signal so they can talk to their sources securely. I know a lot of
00:27:50,820 –> 00:27:56,020

countries are using it right now, especially in, well, actually some
00:27:56,020 –> 00:28:00,560

countries Signal is actually gonna pull out of, because they can’t get, like, I
00:28:00,560 –> 00:28:05,580

think it’s England wants them to make it, you know, want them to decrypt the
00:28:05,580 –> 00:28:10,280

messages so they can read them, and Signal’s like, no, that’s not what we do,
00:28:10,280 –> 00:28:14,180

we’re not decrypting our messages, we’re pulling out of England. Like, so, but I
00:28:14,180 –> 00:28:18,740

know over, like, Ukraine and places like that, they have been using Signal to
00:28:18,740 –> 00:28:22,420

communicate securely between whatever they’re doing over there with all that
00:28:22,420 –> 00:28:26,700

stuff, so I do know a lot of people, like in America a lot of journalists, use it.
00:28:26,700 –> 00:28:30,900

I do know a bunch of people use it for communicating with their company if
00:28:30,900 –> 00:28:37,220

they’re sending around trade secrets, stuff like that. But I know, but like I
00:28:37,220 –> 00:28:40,380

said, my whole issue is Signal saying, well, we need, you know, we need to raise
00:28:40,380 –> 00:28:44,140

money, we’re gonna keep this going, we’re a nonprofit, and my whole issue with that
00:28:44,140 –> 00:28:49,740

is, well, you know, I don’t know if enough people using it care about it enough to
00:28:49,740 –> 00:28:56,460

pay for it. I mean, I pay five bucks, you know, which is nothing when you’re
00:28:56,460 –> 00:29:01,100

looking at, I think they said their runway cost; runway cost is how much it
00:29:01,100 –> 00:29:04,500

costs to run the company, the nonprofit. I think they’re saying it will cost like
00:29:04,500 –> 00:29:08,020

12 to 15 million a year. That’s a lot of money to run a nonprofit, but
00:29:08,020 –> 00:29:12,220

again they’ve got server costs, they’ve got server hosting, things of that nature,
00:29:12,220 –> 00:29:16,460

so, you know, that’s kind of part of it, and also, too, authenticating the phone
00:29:16,460 –> 00:29:21,700

numbers and things like that, so there’s a lot going on there and it’s
00:29:21,700 –> 00:29:24,900

not cheap to make a secure service, and since they are open source and since
00:29:24,900 –> 00:29:30,340

they are, you know, nonprofit, you know, it’s a little more complicated. Again,
00:29:30,340 –> 00:29:34,660

they’re not a for-profit company, they’re putting security over people, so that’s
00:29:34,660 –> 00:29:38,180

why I’m very much pro, you know, giving them money, because they are actually
00:29:38,180 –> 00:29:42,980

creating a wonderful service and putting security over profitability. But
00:29:42,980 –> 00:29:46,660

unfortunately they rely on donations; like I said, I don’t know if there’s
00:29:46,660 –> 00:29:51,140

enough people that care about that service or care enough about what’s
00:29:51,140 –> 00:29:55,300

going on behind the scenes to be able to, you know, keep going. I would imagine
00:29:55,300 –> 00:30:00,900

probably the founders, they did very well selling WhatsApp to Facebook, and I
00:30:00,900 –> 00:30:04,620

imagine that they may actually put more money in to keep it going, but there’s no
00:30:04,620 –> 00:30:08,340

guarantee with that. I hope Signal doesn’t go out of business because they
00:30:08,340 –> 00:30:10,900

have done a lot of good work recently and helped protect a lot of
00:30:10,900 –> 00:30:15,260

people, and I just, I don’t think they’re gonna be able to come up with enough
00:30:15,260 –> 00:30:19,540

money and keep going. The same thing goes for Firefox; you know, Mozilla Firefox is
00:30:19,540 –> 00:30:27,180

like the alternative to Chrome, they’re the alternative to a lot of other
00:30:27,180 –> 00:30:32,860

browsers, and, you know, Mozilla is another one putting security over everything
00:30:32,860 –> 00:30:38,820

else. They are a nonprofit organization, but the problem is, again, when you’re
00:30:38,820 –> 00:30:44,500

making a browser that’s pro security, you know, pro putting people first, and you’re a
00:30:44,500 –> 00:30:49,840

nonprofit, you have to rely on people donating, and I don’t know if enough
00:30:49,840 –> 00:30:53,860

people, I mean, Mozilla has a big user base, but again I think people just
00:30:53,860 –> 00:30:58,340

download it and use it, and I don’t think enough people care about the security or
00:30:58,340 –> 00:31:02,500

what Mozilla is trying to do here to be able to get enough donations to pay
00:31:02,500 –> 00:31:08,980

for their, you know, tens of millions of dollars a year in cost of running. So,
00:31:08,980 –> 00:31:13,580

you know, it’s a very weird situation we’re in right now when it
00:31:13,580 –> 00:31:18,820

comes to, you know, security in the sense of, you know, these companies are trying
00:31:18,820 –> 00:31:23,780

to be nonprofit so they can put users first, but it’s also tough when
00:31:23,780 –> 00:31:28,220

you’re trying to, you know, gain, you know, trying to earn money. You know, it’s
00:31:28,220 –> 00:31:33,020

a different situation. I know specifically places like, I think, I
00:31:33,020 –> 00:31:39,140

know Firefox has run into some really tough issues, and even Signal as
00:31:39,140 –> 00:31:43,260

well, in places like China, Egypt, Cuba, Iran, places like that, where they’ve
00:31:43,260 –> 00:31:49,900

actually banned Firefox and banned stuff like Signal because they don’t like
00:31:49,900 –> 00:31:54,060

the end-to-end encryption stuff and all that. And again, you know, it’s, I mean, it’s
00:31:54,060 –> 00:31:59,220

unfortunate for those people that, yeah, they can’t use a service because their
00:31:59,220 –> 00:32:02,660

country is against it, especially in places like China and stuff where
00:32:02,660 –> 00:32:07,460

companies must provide, you know, a way for them to read data. And so
00:32:07,460 –> 00:32:13,420

that’s kind of the whole controversy behind TikTok: you know,
00:32:13,420 –> 00:32:18,220

people are using TikTok and it’s hosted over there, and since it is a
00:32:18,220 –> 00:32:22,620

Chinese company, you know, they do have, you know, the right in China to look
00:32:22,620 –> 00:32:29,620

through data and stuff like that of their people. But since
00:32:29,620 –> 00:32:34,500

Americans and other countries are using it, that’s kind of where the security
00:32:34,500 –> 00:32:38,780

issue comes in: if it’s somebody who’s an American citizen, do they have the
00:32:38,780 –> 00:32:42,940

right to look through it? And it’s hosted over in China, so do they have, or,
00:32:42,940 –> 00:32:50,100

you know, are they looking through, you know, Americans’ data? And so
00:32:50,100 –> 00:32:54,380

that’s kind of why they did the ban on TikTok, because you’re dealing with a
00:32:54,380 –> 00:32:58,300

country that is allowed to, you know, spy on their people, but we don’t allow
00:32:58,300 –> 00:33:04,300

that in America. Well, the problem is you have politicians and stuff like that
00:33:04,300 –> 00:33:07,660

that have TikTok on their phone and they’re in all these private discussions
00:33:07,660 –> 00:33:11,100

and stuff like that, so that’s kind of where the controversy kind of came in
00:33:11,100 –> 00:33:15,660

with TikTok. And like I said, you also have other companies as well, other
00:33:15,660 –> 00:33:20,740

countries as well, like, like I said, like Egypt and Cuba and places like that,
00:33:20,740 –> 00:33:26,340

where, you know, they’re allowed to spy on their people too, and
00:33:26,340 –> 00:33:30,300

then when it’s an American’s data, that’s where kind of the controversy comes
00:33:30,300 –> 00:33:33,420

in. So like I said, there is that. I feel that security and encryption is a human
00:33:33,420 –> 00:33:39,840

right, but a lot of other countries don’t feel that same way, so that’s, like I said,
00:33:39,840 –> 00:33:45,780

that’s part of the problem. Also, one of the other things I wanted to bring up as well,
00:33:45,780 –> 00:33:50,300

with Tutanota and ProtonMail, one of the other issues I have with this
00:33:50,300 –> 00:33:56,760

whole situation with them capturing encrypted email, and the reason I do
00:33:56,760 –> 00:34:00,780

have a big issue with this, is because a lot of places, news outlets, will say, well,
00:34:00,780 –> 00:34:06,900

hey, use, you know, email us at this website, and it’ll be at a Tutanota
00:34:06,900 –> 00:34:10,740

address or at a ProtonMail address, that if you’re a whistleblower and
00:34:10,740 –> 00:34:15,720

you’re going to email them from an email address that’s not a Tutanota account
00:34:15,720 –> 00:34:20,280

or a ProtonMail account, you’re exposing your information
00:34:20,280 –> 00:34:24,580

out there. If you’re trying to silently whistleblow something, you’re not going
00:34:24,580 –> 00:34:30,440

to be able to, you know; there, they’re catching non-encrypted emails, so it
00:34:30,440 –> 00:34:36,060

kind of ruins the whole point of being a whistleblower and the privacy. You know,
00:34:36,060 –> 00:34:41,420

these companies think, oh hey, we’re using, you know, Tutanota or ProtonMail, so that
00:34:41,420 –> 00:34:46,220

we’re getting these things securely. You’re not, actually, and that’s kind
00:34:46,220 –> 00:34:51,660

of what the concern is, is you have a source that is coming to you thinking
00:34:51,660 –> 00:34:58,500

they’re sending it to you securely via an encrypted email message, but it’s not;
00:34:58,500 –> 00:35:01,900

it’s actually getting caught because it’s unencrypted. What you, the best
00:35:01,900 –> 00:35:06,620

way to do would be to go ahead and create a Tutanota account or a ProtonMail
00:35:06,620 –> 00:35:09,900

account and send it to that address from it, so it stays, because if it stays
00:35:09,900 –> 00:35:14,540

Tutanota to Tutanota or ProtonMail to ProtonMail, it’s encrypted, so that
00:35:14,540 –> 00:35:18,340

would be the only way you’d be able to protect yourself. But the problem is a
00:35:18,340 –> 00:35:20,980

lot of people, most people, don’t know that, and that’s kind of the dangerous
00:35:20,980 –> 00:35:26,800

and the scary part of the whole situation. They do have open source
00:35:26,800 –> 00:35:32,900

software out there, stuff like GlobaLeaks, which is an open source software,
00:35:32,900 –> 00:35:39,160

completely free, for a company to put in place, and what it actually does is it
00:35:39,160 –> 00:35:43,260

actually allows your source to submit data to a news organization securely,
00:35:43,260 –> 00:35:49,980

anonymously and safely. I’ve actually looked into this; I’m actually gonna
00:35:49,980 –> 00:35:53,700

write something up for the website eventually about this. I haven’t gotten
00:35:53,700 –> 00:35:57,040

to it yet, but I will, and I’ve actually really done an in-depth look into their
00:35:57,040 –> 00:36:01,120

systems, and what it does is you actually upload completely
00:36:01,120 –> 00:36:05,880

anonymously; they don’t save any logs on the server or anything like that, and
00:36:05,880 –> 00:36:09,440

then what it does, you upload the actual data to the server and it encrypts it. Only
00:36:09,440 –> 00:36:15,580

the person on the other end that’s in charge of looking at, you know, that data
00:36:15,580 –> 00:36:20,480

can actually open it and view it, nobody else; not even the server admin can look
00:36:20,480 –> 00:36:25,400

at that data, because it’s encrypted. It’s only available to the person that’s in
00:36:25,400 –> 00:36:29,580

charge of that server, as far as the person that’s in charge of reading it,
00:36:29,580 –> 00:36:34,080

whether it’s legal or a reporter or whatever like that. It’s a much more
00:36:34,080 –> 00:36:37,160

secure way of doing it. Like I said, it’s called GlobaLeaks; I’ll put a link in
00:36:37,160 –> 00:36:42,000

the description below. They’re not a sponsor; it’s completely free, it’s open
00:36:42,000 –> 00:36:44,900

source, and like I said, it actually is a much more secure way for your contact or
00:36:44,900 –> 00:36:51,380

your, whatever, whistleblowers, whatever, to send data to a reporter or to a news
00:36:51,380 –> 00:36:57,740

organization, and it’s completely anonymous; there’s no logs or
00:36:57,740 –> 00:37:02,340

nothing, and this way they can get it up to you securely without risking their
00:37:02,340 –> 00:37:06,680

lives or their jobs or whatever they’re trying to leak out to you. Just sending
00:37:06,680 –> 00:37:11,900

an email through Tutanota or ProtonMail is not a secure thing anymore unless you
00:37:11,900 –> 00:37:18,020

do it through, you know, through ProtonMail or through Tutanota, and most
00:37:18,020 –> 00:37:22,580

people don’t know to do that, so it’s actually quite a, not as secure a way of
00:37:22,580 –> 00:37:26,460

doing it, sending it via email. But like I said, GlobaLeaks is a completely
00:37:26,460 –> 00:37:32,420

open source piece of software; any company, anybody can use it. You could
00:37:32,420 –> 00:37:36,740

set up the server, it takes me 20 minutes to set up, and then like I said somebody can
00:37:36,740 –> 00:37:40,900

go right to the site, whatever, upload stuff, and then the person that’s marked
00:37:40,900 –> 00:37:46,700

as the receiver or the reviewer can go ahead and review it and see what
00:37:46,700 –> 00:37:50,460

they’re gonna do with it. But like I said, even the server admin cannot see it;
00:37:50,460 –> 00:37:54,380

it’s all encrypted, all the database stuff is all encrypted, all the passwords,
00:37:54,380 –> 00:37:57,460

everything. The software was done so well and with the thought of
00:37:57,460 –> 00:38:01,300

protecting sources; it’s a really great, I wish more people would use it.
00:38:01,300 –> 00:38:05,320

Unfortunately it’s one of those things where it was created, I don’t know how
00:38:05,320 –> 00:38:09,020

many people are actually using it, but I wish more people would because it is
00:38:09,020 –> 00:38:12,700

such a great piece of software, and again that is GlobaLeaks. If you don’t know
00:38:12,700 –> 00:38:17,380

how to install it, reach out to us, we can always help you out with that. This isn’t
00:38:17,380 –> 00:38:20,660

an ad, but it is something that most news organizations really should know about,
00:38:20,660 –> 00:38:25,140

and like I said, what amazes me too is, like I said, it is open source,
00:38:25,140 –> 00:38:30,340

it is completely free, and like I said, I wish more organizations
00:38:30,340 –> 00:38:35,180

would use it. I think it will be eventually; it’s just gonna take time to
00:38:35,180 –> 00:38:38,780

get people on board with it. So, and that is, like I said, GlobaLeaks; I will put a
00:38:38,780 –> 00:38:43,260

link in the show notes as well. So folks, I’m gonna wrap it up on our first
00:38:43,260 –> 00:38:47,780

episode. Like I said, you can listen to all of our old shows, which we
00:38:47,780 –> 00:38:51,460

don’t have yet, this would be the first one, like I said, at Lipani Security dot
00:38:51,460 –> 00:38:55,460

com. Also, check out all of our services and everything we offer at our
00:38:55,460 –> 00:39:00,220

site, like I said, Lipani Security dot com, and I want to thank you for listening,
00:39:00,220 –> 00:39:05,220

and we will talk to you on the next episode. Thank you very much.
00:39:05,220 –> 00:39:12,660