Speaker 2
They did the file system scan. They just pointed at the wrong directory. So, is that the lack of knowledge? Is it pointing at the wrong directory? Or is it not knowing that that wasn't part of the scan?
Speaker 1
Yeah, well, I mean, it's all of it, right? I mean, regardless of how you want to put it, or anybody puts it, it's an asset management issue, right? So, you have 10,000 assets on the internal network. These assets could be devices. Okay. All these devices, you're going to have an average of two to five services running. Okay. Technically, those could be considered assets as well. When you get an asset management software or framework or tool, what it will do is it will identify the software running on the assets, and then it'll look at all the services running on those assets, and then it'll do a port scan, do all these different things, and it'll create kind of like a big map of what your environment looks like. Now, if that doesn't exist on your internal network, then you're not going to know what's running on what. Now, because of that, you're going to end up with scenarios like this, where they're doing file system scans, but they don't know what may be running on those systems, they may miss this exact one, but that's exactly what happened
Speaker 2
here. Yeah. And so, the next one, I completely agree with poor password storage practices, the engineers keeping the passwords within the environment is a, there's no excuse for that.
Speaker 1
Yeah, definitely some oversight. You know, a lot of organizations, especially like older, I would say, not older, but like legacy environments run by folks that have been doing it for quite some time. They've been there at the same business, running the same number for 20 years. From their perspective, they've probably never been breached before. And because of that, there's a certain smugness like, well, we're not going to get breached. Like the attack would have to get in from the outside. How are they going to do that? We're behind the network intrusion detection system. We're behind an NDR. We're behind firewalls. Well, unfortunately, it still happens, right? And so they'll put emphasis on external security and then kind of leave the internal as a wide open flat network. We've talked about that so many times, Chris. Yeah. Yeah.
Speaker 2
No, that goes into the next one, the lack of network segmentation. So big issue with that one. Lack of rigor in the patching process. Seems like they kind of missed out. I think that kind of fits into the asset management issue, you know, not knowing what's been patched and what needs to be patched. And then the lack of host-based intrusion detection systems. So kind of tell the audience how this would have helped them in this scenario.
Speaker 1
Yeah. I mean, this is a reference to what I kind of brought up a point earlier. I mentioned a product called Tripwire. It's very old. I'm not sure they're around, but there's other products like, I think Tripwire is around. But there's other tools out there and their entire purpose, the purpose of this product is to sit on your file system or in some sort of service or process. And once a day or a couple of times a day, they'll scan through your file system and create basically a database, and inside the database, they have all your file names and some sort of fingerprint, usually a proprietary fingerprint. Maybe it's a SHA-256 hash, one-way hash of the file. And so if those files change throughout the day, then the tool is going to tell you those files have changed. Now, if new files are added to the file system, then the product is also going to find when new files are added to the file system. And yet again, it will be reported because it is an anomaly. Okay. Those systems worked very well for a long time, but now you have other tools, right? You have all sorts of endpoint protection systems and detection systems that can help you kind of deal with a host-based intrusion or at the very least notify you when something's amiss. And so this
Speaker 2
is going to get a warning to the network engineers for the web shells being created and also probably the exfiltration payloads, those 10 megabyte files. Yeah,
Speaker 1
right? So if you have a host-based intrusion detection system that's looking and monitoring at your file system, when all of a sudden you have 10,000 small files created on your web server. Yeah, that's a massive anomaly. That's a massive indicator of compromise. And someone somewhere, assuming the alert system is effective, someone somewhere is going to see a notification and they're going to
Speaker 2
jump into it. So then the last point was the lack of alerting when security tools fail. Great one. Yeah. Who will
Speaker 1
guard the guards, Chris? That's what I told Charlie Rose when I had an interview with him many years ago. And he seemed impressed by that quote. In fact, I got that from, I forgot which book. But who will guard the guards if you put security products on your network? And those security products are monitoring the rest of your network, your Active Directory and other services. But they're not monitoring themselves. Then how do you know if your security products are doing what they're supposed to be doing? And that last point you just brought up highlights that exact point. Yeah,
Speaker 2
no, it's an excellent point. So, so that was a great story. Thanks for sharing that, Hector. I really enjoyed digging deep into how a breach happened and once we find out, you know, it's a shame that it takes what, six years to find out all these great details. But sometimes it takes a little bit of time for litigation to pass. So the next story is Retool blames breach on Google Authenticator MFA cloud sync feature. So Google Authenticator MFA cloud sync was just recently turned on. And they're saying that it caused them to be hacked into. So let's get digging into that, Hector. So Retool's a software company whose development platform is used to build business software. And their clients include Amazon, Mercedes-Benz, DoorDash, NBC, and Lyft. So they had accounts of 27 different customers compromised, following a targeted attack with a multi-stage social engineering attack. Um, oddly here, Hector, I say that facetiously, the hijacked accounts all belong to the cryptocurrency industry. Oh, okay. So they were going after one type of people, one type of company. So all 27 were attacked on crypto. So did you read about this attack? Yeah,
Speaker 1
absolutely. In fact, I mean, referenced last week, we were kind of going through different stories. And I think we had an audience question that asked us. The question was, you know, which attack did you find to be interesting that was out of the box? I mean, I want to give an old, old example, a new example. And the new example goes back to this story. This story is interesting because it changes a lot for a lot of people and organizations. In fact, the researcher on Twitter, Florian, he basically made that exact point. He said, well, based off of the stories, and it's not verbatim, but based on the story, now companies and the security teams have to also be worried about what their employees are doing with their personal accounts. Right. If you are using your own personal phone, and that personal phone is in some way, in any way connected to your business accounts by means of Google Authenticator, right? And you're synchronizing your MFA tokens on the Google backend from your personal account. Now you have become a major asset to any attacker that is looking to breach an organization without having to breach the organization. If that makes any sense. Now they just have to attack the people personally, the employees personally.
Speaker 2
So that's, yeah, that's how this works. So the attackers went after employees and used a URL impersonating their internal identification protocol. And they targeted employees. And mostly the employees ignored the phishing text message. But one employee clicked on the embedded phishing link and was redirected to a fake login with the MFA on. And then the attacker deepfaked an employee's voice. I'm not really sure, they didn't get any details on that deepfake, whether it was AI, because we've done stories about AI used to get people's voices. But then they called the targeted IT member and tricked them into providing an additional MFA code. And so this additional MFA code then allowed the attacker to put a device that they control onto the target's account. And so now Retool is blaming the success of the hack on the new feature in Google Authenticator that allowed users to synchronize their 2FA codes with their Google account. So this person was using a, now, they didn't say it was a personal Google account. They may have been using Google Enterprise as part of Retool's email systems. But the 2FA was directly connected to their Google account and allowed multiple devices to use the same 2FA. And so Retool doesn't like that. I will say though, Google came back and said that the auth code syncing in Google Authenticator doesn't have to be turned on. It can be disabled. So they came back on that. But what are your feelings on this?
Speaker 1
Well, I think part of the story is true. I think part of the story is bullshit. Part of me, I don't want to be controversial today. I don't want to be that guy. But I'm going to have to be that guy for a second. The use of AI in social engineering, the guy, the target for the second token. I don't know, man. That seems kind of iffy to me. It's possible, but I could be wrong. And there is money involved. Yeah, the, the, the, I would say the end victims, the people that were really targeted were crypto folks. And there's money in crypto. Well,
Speaker 2
there is, there is reportedly a $15 million loss from one of those crypto companies.
Speaker 1
And if I was an organized bad actor, let's say out of North Korea or whatever, and I had the technology and the money to use AI, sure, I probably would. But come on, man, you know how far-fetched that part of the story is. Now, I'll leave it at that, right? I don't want to sit here and say these guys are bullshitting, but here's the reality. The reality is that these sort of attacks happen all the time. Social engineering campaigns. Now, apparently, you know, you have employees that are syncing the MFA codes to their accounts, their personal accounts, whether it's Google Enterprise or not, it brings up a point that we brought up in the past, which is if you are a business and you want your employees to fall within your policies, then it would behoove you, it would behoove you rather, to get a laptop, a company computer, make sure to use that. A company phone, make sure to use that. And anything that is business related should only happen to that phone and to that laptop or workstation. Anything that's personal should be segmented into their own personal workstation, laptops and phones, right? Now, some details in this, like you're right, we don't know whether it was like a Google Enterprise account, what is happening. We're not really sure, you know, if this happened with the guy's personal, you know, Gmail account, but regardless of how you look at it, Gmail accounts are now going to be prime targets, assuming the attackers actually logged in in the first place, for breaches into corporate environments, because regardless of how we want to put it, regardless of what happened here,
Speaker 2
at Retool, that syncing capability just opened up a whole new attack path for attackers. So I don't know, we talked about this before the show. And I mean, sort of my approach to this, and I don't know if it solves this exact case, but I, you know, there are plenty of, you know, MFA authenticator apps out there, you know, and I don't have two different phones, but I do have the ability to use two different apps. You know, I use one authenticator for my personal things, and I use a different authenticator for my work things, so they don't really cross streams. Is it the best? I don't know, it seems to work for me, and I'd recommend it, but you know, it's funny, you know, we talk about Google Authenticator, and Google makes this, and you know, they're saying that they don't promote sync, the sync feature, and it's not required. The quote for this one, for this article, is phishing and social engineering risks with legacy authentication technologies, like ones based on one-time passwords, are why the industry is heavily investing in these FIDO-based technologies. Ah, FIDO. We've been talking about it for almost a year now, Hector. Hector and the Fed has been pushing it hard. So FIDO-based technologies and having FIDO here probably would have saved this hack.
Speaker 1
Yeah, absolutely. It probably would have mitigated it, right? Because now the attacker would have to figure out a way to get the victim to click on the physical security key, or interact with the victim's personal devices. Okay, so it would go from a social engineering attack to an actual breach or compromise, and then it would require an extra step, which is, let's use our magical AI phone call dialer thing, and then let's have them click on a button and say, press one if you want to click on your security key, or press two if you want to don't or you don't want
Speaker 2
to, right? This is Hector. Please read me your MFA code. Yeah, exactly right.
Speaker 1
But no, yeah, it's, oh man, I said the button. Oh damn, I did it. Yeah, so you know, we want to make sure that as we kind of deal with our security program and policies, we want to make sure that they're consistent across the board. And when we consider authentication and authorization moving forward, we want to look at what's out there, what's effective. Yes, but one-time codes work, right? They work fine. But you know, as we kind of progress as a culture, as a culture, as a society, as a community, you know, we got to take a massive voice out there, right? We have passkeys now. We also have the physical keys that you said, Chris, the FIDO keys. So again, this could have been avoided, but it probably was not expected. And this kind of brings up another point. And I tell this to everyone when I'm especially going to a speech and I'm meeting up with folks, I'm having a presentation or meeting. I ask the audience, I look around the audience, I say, Hey, when was the last time you guys sat down for like a tabletop exercise? And the room usually goes quiet, completely dead silence, right? Because usually they don't know what I'm talking about. Or two, they feel like a tabletop exercise, for example, is some complex big thing. And it's not, it could be as simple as me asking Chris, Hey, Chris, when was the last time you changed your passwords? Oh, by the way, Chris, if you were to be breached, what's the worst case scenario? If you're breached in your home office, are they, as the attacker, going to be able to move laterally across your internal network? Are they going to be able to access your wife's devices? Right? Those questions are very important in helping identify potential gaps in your internal network. And I think that's enough. Let me get off the soapbox. Let me just stop. But I hope it made some
Speaker 2
good points there. So I don't know, you know, this tactic that's being used to hack into these companies, you know, we're seeing it all the time here with the social engineering and, you know, yeah, I mean, look at Cisco, Uber, you know, MGM, all these have reportedly been done through the same tactics. But so last week, we had a question about MFA and whether you use the same advice for your password management and your tokens or your one-time passwords. And you and I kind of both agreed to have that separately. And we thought it was best. But I heard you got into a crazy debate in your personal life about this. This week.
Speaker 1
Yeah, yeah, yeah. Okay. So this is a good one, right? So I did have a conversation with someone about that episode. And they were very adamant that the responses that I gave, and you know, Chris is always right. So they always leave Chris out of that when they have a complaint. The response that I gave was, yes, I'm for segmentation, but it really depends. And they felt that the really depends part was not necessary. They felt that what I should have said was, by no means should you ever keep, especially using like a password manager, would you keep the password plus the MFA token generator code within the same, you know, password manager, right? And so again, Chris, you and I pretty much agreed that, yeah, segmentation is legitimate. That should be your goal. But it was that, well, but it depends, that upset this person. And I want to give him a big shout out because, you know, in a way, they're right, right? We're always about segmentation. I'm big with segmentation. I would never have an account and an MFA code in one password manager, unless it had no significant, or posed no significant risk to me. Right. It was like some, you know, a sports betting site, right? And the login is there in a password manager, and they both, you know, have the MFA codes in there as well. I don't really care. What's the worst thing I'm going to do? You're going to spend my hundred bucks to bet on a bad game. You know, so I look at your