Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Joshua Schmidt (00:04):
Happy New Year, happy 2025. You're listening to the Audit, presented by IT Audit Labs. I'm your co-host and producer, Joshua Schmidt, and today we're joined as usual by Nick Mellem and Eric Brown. Happy New Year, fellas. How you doing? What are you drinking today? I got a nice mushroom coffee here.
Nick Mellem (00:20):
Happy New Year's, gents. I'm rolling water and Diet Dew whiskey.
Joshua Schmidt (00:23):
Whiskey for the man in charge, all right.
Nick Mellem (00:29):
I'm early today.
Joshua Schmidt (00:30):
I'm glad everyone's staying loose. We're going to get right into it here with a news brief, some articles that jumped out to us. This first one's from the Verge. It's about Honey's deal-hunting browser extension. It's been accused of ripping off customers and YouTubers. We scroll down here. You can read: the PayPal Honey browser extension is, in theory, a handy way to find better deals on products while you're
(00:52):
shopping online, but in a video published this weekend, YouTuber MegaLag claims the extension is a scam and that Honey has been stealing money from influencers, including the very ones paid to promote their product. Eric, you found this article. I'd love to hear your thoughts on this and kind of break it down for us.
Eric Brown (01:09):
Yeah, actually I give credit to Jake, friend of the show, who clued me into this, and it's like wow, yeah, that is pretty interesting. PayPal, back in 2020, spent $4 billion to buy Honey, which is kind of a head scratcher of why would they do that? There's got to be something going on behind the scenes, and in fact there is, and that's in the form of the click stealing
(01:34):
by Honey. So, Josh, you talked about Honey advertising, being able to look for better deals when you have things in your cart. Well, a lot of the way in which these online services are compensated. So, for example, if you have an influencer who's recommending a
(01:55):
product, go to a URL. Well, if the referral link is coming from that influencer, to say Sony.com, for instance, then Sony.com knows that the influencer is the one who should be monetized for sending traffic their way.
(02:16):
Well, Honey has ingeniously come up with a way to insert themselves and grab that last click. So by saying that maybe there's a better coupon available with a coupon code, and then that would take the last click. Or, if they don't find a code, then they say just close.
(02:41):
Sorry, we didn't find anything, you've already got a great deal. Click this button to close the Honey window, which that also steals the last click or takes the last click. I think the term steal might be up for a class action lawsuit, which is happening now, brought forward by an influencer who saw
(03:04):
that their traffic was being manipulated by Honey. The other interesting thing is, because Honey was capturing some of this revenue stream, they were actually making up some of the discounts because they could afford to give some money back to the consumer for stealing that last, or inserting
(03:26):
themselves as part of that last click. And then the nefarious thing that it seems that they were doing was, if they were paid by a company, they may replace a coupon. Say that there was a coupon for 20% off of something. Honey may replace that with a 5% off or something else, so
(03:52):
that the savings would not be passed on to the consumer. So I thought it was an interesting piece of tech. Clearly there's a lot of brainpower going into capturing revenue streams. Certainly I admire it from a technology, just thinking through
(04:16):
how they would do that. Of course I don't admire it from stealing revenue from other folks who rightfully should be paid for that revenue stream, and Honey not. But I don't know. What do you guys think?
Joshua Schmidt (04:32):
Yeah, I first learned about this today, this thing called last click attribution or action, after reading this article. It says the steps kind of go like this: the customer first sees an advertisement for a product on Instagram, for example. The second would be later they click on a blog post reviewing the product, and third, finally, they click on a Google ad and make a purchase. So that last click attribution model would give Google ad the
(04:56):
full credit for the sale and give them some kind of commission, and ostensibly this is what the influencers are doing, right, and they're making a living trying to get that last click so that they're getting some money in their pocket. And that's kind of the game. But it sounds like Honey's kind of gaming this and obviously brings up moral and ethical questions, and it'll be
(05:17):
interesting to see how it plays out. One of my questions for you guys was, is there a way that consumers can protect themselves from these tools designed to? You know, these tools are designed to save them money, but is the way they can protect themselves against people quietly monitoring or monetizing their data or their actions in a way that will conflict with their interests, don't install
(05:38):
shitty browser extensions.
Nick Mellem (05:41):
That's the best point yet, I think, that Eric just made. But I mean, besides, like reading the privacy policy, you know, reading that stuff, um, understanding consent, but I think like also limiting permissions, right. So a lot of times when you install these web browsers that can track you or not track you, right. So making sure that you have that stuff locked on.
(06:02):
That's not going to keep you from using a bad web extension, but it's a way to protect yourself if that one that you don't know is bad is bad.
Eric Brown (06:16):
I was working with a client, I think this came up over the break. We had a change freeze and we're scratching our heads on what could we do to do some quick improvements in security over the holiday break. And we went through and we looked at all of the browser extensions that were installed in the Chrome browser in the
(06:38):
organization, and there were, I think, 1,700 different browser extensions. Now, some were multiple versions of those browser extensions. Honey is an example of a browser extension, but there were games in there like Cut the Rope. I don't even know what that is, but I saw a couple versions of that.
(07:00):
There was password managers. There was casino things.
(07:28):
There was probably some coin miners, but it was a good reminder of, like, let's go back into our organizations with our customers and let's cut the browser extensions from a Wild West to a very limited view of an allow list of browser extensions. And certainly that just is further to the right on the maturity curve. Right, mature organizations are not going to allow users to install all of these junk extensions that aren't needed for business purposes in the browser. But you know, I think this is clearly one that doesn't have a business purpose.
(07:49):
People may think it does serve them as an individual user perspective in their home lives, but we can see apparently nefarious activity by the company Honey. And back to what we were talking about earlier, with maybe Nick coming up with a branded line of these hairless
(08:11):
cat products. I don't know. I think you mentioned sunscreen. Hey, that's my idea. Oh, that was Josh's idea. A little zip-up vest for the hairless cat. I don't know what's going on over there, but going to Rover, Nick would not want to have his revenue stream interrupted by Honey because they stole that last click as somebody who's
(08:34):
going to get that vest.
Joshua Schmidt (08:36):
Yeah, this spells some kind of disaster, perhaps in the future, or throws some shade onto PayPal, which I saw as kind of a trustworthy entity, business entity. I've been using it for years, I don't think twice about using it, and it actually makes it easier for me to track a lot of my expenses online, especially if they're for business.
(08:57):
So, yeah, not a good look. Not a good look for PayPal.
Eric Brown (09:00):
I have a question for both of you. Josh, you mentioned PayPal. Now, I too, longtime user of PayPal, but Venmo, certainly not newer on the scene, but newer than PayPal. Why?
Nick Mellem (09:28):
is it that people are using Venmo and Zelle these days more than PayPal? What's going on there? I think it's a convenience thing, I think it's all it is. I think that Venmo, I'm a user, they have captured the market in a way that it's almost a social media platform where they pull you in there. People got their pictures. Whatever, you can find your friends, you can see what they're doing, right, like transactions.
(09:49):
Like if Josh and I are friends on there, Eric, you go on there, you can see us, our transactions.
Eric Brown (09:54):
You can also hide it, but hold on. Why would I want to see your transactions and why would you want to show me your transactions?
Nick Mellem (10:03):
I don't disagree with you. I'm saying the average person. You're not the average person. People that are not in our industry, they like to be nosy and see what's going on and they don't think about, I shouldn't show that. Anytime that I send money to a family member or a friend there's a private function. Always hit the private function. But to your original question, it's all about convenience.
(10:25):
So the first part was about the social media aspect. People love that, obviously. The second part is the convenience. You go on there and it's like two clicks. I find this person that I want to send money to, type, put in the money and I put a funny emoji or whatever, put a little cat in there, and then hit send and I'm done.
Joshua Schmidt (10:42):
It's a way to kind of be quickly funny, and I think they've captured different segments of the market. I think PayPal is more in line with e-commerce activity and I think Venmo is more of a social thing, like sending money between friends after going out to dinner, for example. I also use Zelle. That seems to be a little bit more transactional in terms of
(11:03):
business transactions. So, yeah, I think it's just kind of like, why do people use Instagram over Facebook and why do they use X over Instagram? And it's just market segments and, yeah, I think Venmo is a little bit more useful to Gen Z, perhaps younger people.
Nick Mellem (11:19):
Do you guys use web browser extensions, any of them that you like to use?
Joshua Schmidt (11:23):
Password managers. Just Bitwarden.
Nick Mellem (11:26):
Same. I use an ad blocker and a password manager. Yeah, right now I think I'm using, was it Privacy Badger?
Joshua Schmidt (11:34):
One quick question I had before we move on to the next article. Would an ad blocker or a Proton or VPN protect from these types of malicious ad blockers, or maybe not at all? Don't rely on VPNs or ad blockers to be protecting you from bad browser extensions.
Nick Mellem (11:53):
You could rely on a Pi-hole.
Joshua Schmidt (11:56):
Pi-hole's coming up. I'll be coming up in the next month or two. We're going to switch over to the next article. This one was brought to us by Nick. This is from bleepingcomputer.com. I love the title of this outlet. Proton worldwide outage caused by, I can't remember how to say this. Right, Nick, Kubernetes, Kubernetes.
(12:17):
I always have to do this speech thing, Kubernetes, Kubernetes.
Eric Brown (12:22):
No, it's Kubernetes.
Joshua Schmidt (12:23):
Kubernetes.
Nick Mellem (12:26):
Well, I was led astray by the, uh, the browser on air he did.
Joshua Schmidt (12:30):
I don't know if. Okay, I thought I heard that something like a cat in the background. Anyways, says here that Swiss tech company Proton, which provides privacy-focused online services, says that a Thursday worldwide outage was caused by an ongoing infrastructure mitigation by Kubernetes, Kubernetes, if you will, and a software change that triggered an initial load spike.
(12:51):
Tomato, tomato. As a company revealed yesterday in an incident report published on its status page. The outage started around 10 am Eastern. Nick, were you affected by this? I know you're a Proton user.
Nick Mellem (13:01):
I am a champion of Proton, so when I saw this article pop up today earlier, I wasn't directly affected, but I knew it was going on because my VPN didn't connect and also my Proton calendar wasn't loading. But I use them native on the app. So they were loading, but I wasn't getting any updates, like if there was a calendar invite or something like that.
(13:23):
I wasn't able to see it. But I wanted to bring this up just because we've been seeing different outages, and it's just the nature of the beast, right, we're going to see outages every now and again, but luckily this one was just a couple hours. But I do use Proton for all things, Proton Pass, Proton Drive, VPN, and obviously this just happened yesterday.
(13:45):
We're hearing about it today. Obviously a lot of people were affected yesterday, but I think it just kind of shows that really redundancy is the best. So maybe having a secondary VPN that you could connect to, if you're an organization and you do use Proton, have a way for your people to connect or have a means to if they're traveling
(14:07):
outside the country or are you go into a coffee shop, but just real quick there. You know there's a lot here. A lot of people do use Proton, but luckily there hasn't been a lot of outages from them that I've seen. This is the most notable or most recent. Obviously it just happened yesterday, but I know you guys
(14:27):
don't use Proton, do you?
Eric Brown (14:29):
I like Proton. I was a little disappointed, if I'm honest. Right, it's sloppy. First of all, what are you whacking in a big change like that in the middle of the week? That's stupid. So that was annoying. Why weren't you doing that on the weekend, like at 2am? And I get it. It's a global company, but look where all of your users are and you make those changes in that time zone, and I, I know they're,
(14:50):
you know, maybe it was, uh, middle of the night for them, because I think they're, what, in Switzerland. But I mean, come on, that's, that's just sloppiness, and like I expect that from Microsoft, you know, who's making bns changes at, you know, two in the afternoon. But, um, this to me, it took them down a rung in my book.
Nick Mellem (15:11):
So I think what I was thinking too, Eric, when I was reading through this is, I think they need to call IT Audit Labs for change management. We'll make sure they make that change on a Saturday night at 2 am, not on a weekday.
Eric Brown (15:24):
The tinfoil hat side of me also was like, well, was it really a Kubernetes change or was it something else that we should be a little bit more
Nick Mellem (15:34):
concerned about. Do you have any thoughts on what they could be trying to cover up, something other than Kubernetes? Totally, I didn't have that thought. I think I was giving the benefit of the doubt. But hey, just like the last article, PayPal is nefarious right now. We'll see. Who knows, we might hear something about this in a little bit.
Joshua Schmidt (15:55):
Yeah, it's interesting, the connection between these two articles. Proton has built its reputation on privacy and security, so I'll kind of take it here for you guys to think about. When a privacy-focused company like this faces downtime, or when anyone faces downtime, shout out to the people in LA right now dealing with horrific fires.
(16:15):
There's a lot of people losing power, and so, for whatever reason that things are going down, how do you guys step in and communicate with an organization when tools are failing, to mitigate any kind of threat that might be coming in, because people are probably trying to get online, get work done. It just turns into a huge mess.
(16:37):
So how would you step in and kind of help an organization?
Eric Brown (16:42):
I think you got to rewind the clock several months as to when they were planning what the overall migration is and what that migration might entail. Are they moving data centers? Are they moving systems? Are they re-IPing, like what is the entire big scope of the
(17:02):
change that's being made, and then testing out if they're thinking they can do it with zero downtime, which is interesting? How are they doing that? Have they tested it a few times to make sure that that's actually true? Or is it better to just take an outage and say, hey, we're going to be down at X time between this time and this time
(17:24):
on this day, so folks can plan for it and you're not then just scratching your head of, like, hey, why isn't this thing that I bought working? That's probably more annoying. If they took a scheduled outage to do it, we probably wouldn't even be having this conversation.
Nick Mellem (17:41):
Absolutely. I think, if we're in front of a client right now and this is something that, you know, taking Proton out of this, if it's whatever application it is, if this is something that we truly believe in or the client truly believes in and we've all aligned on it, I think then it just becomes a communications, right. Acknowledge the issue and then we want to communicate the steps of how we're going to
(18:02):
rectify it or try to mitigate it in the future and then just reassure stakeholders on why this is the right plan forward, using Proton as the example. Right, if we want to continue using Proton, you know, is it sloppy? Right, it is absolutely. But have they had recent issues in the past? Not that we know of or have seen. So one-offs like this could be excusable, right, this could be
(18:23):
an accepted risk that we might have a discussion with the client. This is something we know could happen, but we have failovers for reasons like this.
Eric Brown (18:32):
We work with a lot of public entities, private too, but the public ones are the ones that the public has put their trust in elected officials and then services are being delivered through those public entities. And one of the biggest things for those public entities is trust and reputation of brand, and it's that communication out
(18:54):
of what they're doing and why they're doing it. And the community may not always agree with what they're doing or even the why they're doing it, but the communication is absolutely paramount to maintaining that public trust. And you know, I'm glad they came out, or Proton did, and said, you know, it was a Kubernetes issue. Hopefully it was, and, you know, they got in front of it.
Nick Mellem (19:17):
But there's probably more things that they could have done to mitigate it or take an outage and plan for it, and maybe Proton's waiting to come out here in the next couple days after they do a little bit of after-actions report, that battlefield assessment, and they'll see what happened and they can brief us, the users, on what happened.
(19:41):
They've come out with this, right. They said it's Kubernetes. They're going to probably come together and then maybe we'll hear a lot more on what the actual issue is or what they're going to change going forward to so this doesn't happen again. I'm still going to go with Kubernetes, Kubernetes. Hey, that's a cat name.
Joshua Schmidt (19:57):
There you go, that's the cat. You guys are on fire today. I love it, and I love how you're connecting this to, you know, your work with organizations. It's really fun to hear. So let's move on to the next article, this one Eric brought in. This is from Krebs on Security. We're talking about a day in the life of a prolific voice phishing crew.
(20:18):
This is kind of an interesting malicious actor story here. It sounds like, besieged by scammers seeking to phish user accounts over the telephone, Apple and Google frequently caution that they will never reach out unbidden to users this way. However, new details about the internal operations of a prolific voice phishing gang show the group routinely abuses legitimate services at Apple and Google to force a variety of
(20:40):
outbound communications to their users, including emails, automated phone calls and system-level messages sent to all signed-in devices. So, Eric, what are your thoughts on this? Why did this stand out to you?
Eric Brown (20:52):
It's just another example of the ingenuity by which the threat actors are going after us, and they're doing it 24 by 7. They're in war rooms.
(21:13):
They're whiteboarding out these things. It's not somebody in their parents' basement with their hoodie up, like, you know, doing some sort of DDoS with some borrowed machines. This is high level, highly intelligent, well
(21:33):
executed, well thought out orchestration, and it's impressive from that perspective. But it's, it just, from the white hat side, we've got to up our game. We've got to get in front of users, got to make sure that they're aware of this. They don't need to know the details of the ins and outs about how it's done, but simply the fact that it can be done and
(21:57):
it is being done until Apple and Google put a fix in for it. But I mean, I wasn't expecting to see something like this, where it's essentially spoofing Apple's number, reaching out to the user, sending the, the, the, the.
(22:17):
This is, you know, what are we calling it? The MFA prompt? Yeah, the prompt, thank you. Sending the prompt to the user's phone, getting the user to accept that while they're patched in to a fake call service. It's crazy, and you know, we're still dealing with customers
(22:42):
that are sending passwords around or storing passwords, like in a text file. And it's like, well, we got notebooks on in a text file over here and we're saying, hey, you know, you got to put your stuff in a PAM, you got to rotate every eight hours, you got to rotate when that password's checked back in. And then we have the sophistication of these threat
(23:04):
actors who are spoofing numbers from Apple, sending the prompts down to the phone. It's like, wow, you know, we're outgunned here, and we've got to do a better job of protecting our organizations with more rigor in how we control the devices, because it's tough.
Nick Mellem (23:31):
I feel like I just left church on a Sunday, or pastor right there.
Eric Brown (23:36):
No, am I wrong? I mean, like, oh no, you're talking about with passwords and spreadsheets. I mean, come on.
Nick Mellem (23:44):
You're, you're spot on. I think I was shaking my head, yes, the whole time. I agree with everything. I think, like you said before, these are career professional nefarious actors. They have dedicated their craft to this activity, to getting whatever they can get, and here it just shows how they are willing to do anything and everything.
(24:04):
It shows again that a lot of times, different organizations, you know, the security landscape, we're on our heels, right, we want to play more offense, but this just shows that they are driving in on every aspect they possibly can, and it kind of leaves a lot of us with our hands up in the air. But we need to drive in and figure out how do we fix this
(24:24):
problem, and a lot of it, you know, we keep talking about training, training the staff, education, and that's what this boils down to. Those checks and balances, the policies and procedure, is not going to fix something like this. We need to continue to educate your staff, whether that's reports coming or like newsletters coming out on Fridays. Hey, this is what we saw, educating people.
(24:45):
There's so much we can grab onto here. In my personal life, I just talked to a family member yesterday that received a phone call from Bank of America, I think it was. One of the two, somebody had tried to open a credit card in their name yesterday. So what we've talked about in many episodes, locking your
(25:06):
credit, strong passwords. So I spent some time on the phone yesterday with this individual and going through to all the major credit bureaus, locking their credit. So also, you know, continue to lock your credit, good passwords. But also a shout out to the banking industry by flagging this, because what they said was their, the address didn't match
(25:28):
up. Where they're trying to opening it in Illinois, and, uh, this family member lives in Texas. So, uh, didn't add up, right, so they stopped it. And then, uh, phoned, uh, this family member. So it, you know, they're attacking us on all fronts. Uh, you know, here, here at IT Audit Labs, we spend a lot of time playing offense, right, and teaching and helping our clients
(25:49):
play that same role too, with many different tools. We facilitate, but it just shows they're willing to do anything and we need to do the same thing by educating, you know, not only our staff but family members and everybody. It's just a matter of awareness.
Joshua Schmidt (26:04):
Are there ways to redesign these systems so they could be more secure without sacrificing accessibility, you know, kind of from the back to the drawing board position, or maybe exploring, like, additional steps to verify or for high-risk activities or something like that?
Eric Brown (26:20):
It's tough, right, it's that chicken or the egg, and I think it's always the, how do you make it easy to consume and easy to use and secure? And unfortunately sometimes that's a dichotomy. I don't know if there's a good answer. If you figure that out, Josh.
Nick Mellem (26:35):
You won't be on this podcast anymore.
Joshua Schmidt (26:38):
But that's what you guys do, right? You step in and kind of help balance those scales and talk through these things where people aren't thinking about this every day. You kind of maybe shine a spotlight on some dark areas that they might not be thinking about and kind of explore the whole terrain with an organization, correct?
Eric Brown (26:54):
Yeah, on the corporate side there's a lot you can do where you can manage the devices in a mobile device manager and you can make sure that the devices are at a certain level before they're connecting to the organization. You can limit what they could do. There's a lot more that you can do with the corporate tools
(27:14):
than you can for the home user, and unfortunately the home user is probably 99% of the attack vector for these types of things.
Nick Mellem (27:27):
I think one, you know, Josh, I don't know if this directly answers your question or not, but I think, you know, one thing that I see working with customers and clients and reading these articles is, a lot of times, security organizations within a bigger, you know, department, any big organization, their security department is usually stuffed away in the back in the closet. It's a few guys or whoever it is, right, they're small, I, you know, and they keep them
(27:49):
close to the vest. Nobody really knows what those guys are doing. Having more transparency, they're showing what they're doing, that could be a news article from them every Friday, like I mentioned earlier, having them give a training, in-person training, a virtual training, so people can see their faces. Showing what they're doing. They could present how we are right now, a news article and
(28:09):
things that they're seeing under the threat landscape, and, you know, it does two things: it shows what the security team is doing and what they're seeing and they're actively trying to protect your organization, and it's educating the staff, and I think you get two of them. That can strengthen an organization in itself.
Joshua Schmidt (28:24):
I love that, because I learn by doing better than I do when I'm given, like, an e-book, for example, or those are great ways to learn, but just with the amount of content coming at us these days, it's great to have hands on a human being to kind of help you think through and talk through some of this stuff before it becomes a problem. So that's great advice. Fellas, any New Year's resolutions
(28:47):
this year? As we enter a new year, a new podcast year, I'm trying to read more books. This year I got a stack of books, some nonfiction, some fiction, and just trying to set aside a little bit of time each night, put the phone away and get into a book. So that's my New Year's resolution. How about you guys?
Nick Mellem (29:05):
You took the words from my mouth on the putting the phone down. I find myself reading too many articles, listening to too many podcasts, and I've got a young daughter, so I'm trying to put the phone away, trying to listen more, talk less. So those are kind of my two things.
Joshua Schmidt (29:19):
On the plus side, Nick, you're going to read, like, 2,000 books this year, like the Cat in the Hat.
Nick Mellem (29:24):
Out of Fish. I'm cool with that. Franklin Goes to School, that will recharge the batteries so I can get into the fight every morning again.
Joshua Schmidt (29:33):
How about you?
Eric Brown (29:34):
Eric, I'm trying to do at least a book a week. So I'm right there with you, Josh, trying to get that done. I do a lot of audio books because I have a bit of drive time here and there and I like to listen to audio books, like, you know, say, if I'm on the Peloton or whatever, get a little workout in, I might as well listen to a book while I'm doing
(29:55):
it, and then using some AI to summarize the findings and keep it tucked away in the library, but easily available.
Nick Mellem (30:03):
Do you have a favorite book you've read recently, Eric?
Eric Brown (30:07):
The Elon Musk book was really good, by Walter Isaacson. You know, politics aside, about Elon Musk, tongue in cheek there, I know you like that term. For me it was more about the journey of the individual and what's been done. I mean, in a disruptor in several industries, right, going
(30:30):
to space and shining a light on the inefficiencies of the programs that the US taxpayers have been purchasing for years from, like, a Boeing who, you know, they've got, I don't know, 30,000 people over there building these rockets or whatever they're doing. But their contracts are cost plus.
(30:50):
So whatever their cost is plus a small margin is what the government pays, what we as taxpayers pay for that rocket. With SpaceX the idea was, well, let's compete against a cost plus model and come in with a fixed bid model.
(31:11):
So, yeah, we can build X number of rockets for this fixed fee. And why you see all of the launches from SpaceX coming out of Florida and Texas, previously California, is because Boeing can't compete. They don't know how to figure out how to cut so much cost and
(31:32):
be effective in building rockets that can compete with the Falcon 9 and the.
Joshua Schmidt (31:39):
Merlin rockets.
Eric Brown (31:41):
So the book just highlighted that. You know, and I really like one of the things, that kind of the principles where Elon's going through the factory and talking about, just, you know, delete, delete, delete, like, take out all of this process, all of this heavy crap that is not needed.
(32:06):
And if you don't essentially break the process when you're doing that, you didn't cut enough stuff out. And I see that all the time in different accounts and even at IT Audit Labs with, like, you like, well, why do we do it that way? Working with an account recently, somebody on my team in the account, we have a model sometimes where we'll go in and
(32:29):
we'll run a security organization for a customer and their teams report into us. And in one of the accounts we had somebody new join the team. Their name was spelled incorrectly. So you can imagine all of the Active Directory assignments and whatnot is all associated with the incorrect name. Then to get that name change took three days, right, you put
(32:55):
in the ticket. It's got to go through all this monolithic stuff to get the name changed because you can't just bang the change into Active Directory. It's got to come from the HR system and that's on a batch process, right, all of this stuff, and I'm like, okay, yeah, the guy's new, he's getting set up, annoying, not a big deal. But what happens if you're an employee at that company or a
(33:19):
contractor working with that company and you've recently gone through, say, an exit from an abusive relationship and you're going through a name change? Or say you're going through a transition and you're changing your name and you've changed it legally or what have you, and referring to your past name causes you pain.
(33:43):
Well, for those three days, the company, the organization, is not giving that person three days off. While they figure out how to change a name, that person has to come and enter the name. That is painful to them. So it's like, why are we doing that? Changing a name should take 30 seconds, and if it's longer than
(34:04):
that, you're doing it wrong. So when I think about the Musk book by Walter Isaacson, going through and making those deletions to be more efficient, to be faster, to put out the Model S, to put out the Model 3, the Model Y, the Falcon 9 rockets, the Merlin rockets, all
(34:24):
that good stuff, that could only be done by getting rid of the crap and really just being tight and judicious and clean, and sure, there's pain along the way. I'm not saying there wasn't. People worked lots of hours to do this, but there's nobody else
(34:45):
doing it, right. And that's why, at least according to the book and according to Walter Isaacson, why Elon Musk has been so successful with, I'm not going to say all, but many of the companies that he's been involved with. I mean, I know it's kind of interesting that they can't get
(35:05):
a robot to walk straight, you know, with that robot that they're trying to build. But the point being, if we just think about how do we delete the crap, the 80% of the crap, from everything that we do? Everything would be better. So, long tangent, but that is one of the books that I enjoyed reading at the end of last year.
Nick Mellem (35:26):
I also read the
book and I have one call out in
the book and I could be explaining this wrong, but Elon
also had an issue with SpaceX, their parts being super
expensive to get, and there was a part where he was explaining
some like AC unit to cool something down.
It was like a hundred grand from this vendor and Elon said why
(35:49):
does it need to cost that much?
They went and got an AC unit for like a house and they
re-engineered the hookups and it cost $5,000 and it worked, so
and then I was thinking to myself when I was driving back
to Texas from Minnesota over Christmas is how does that
connect to our industry?
Eric already talked about a couple, but I was thinking to
(36:10):
myself we have all these high horsepower tools.
We need those, but we also need the high horsepower individuals,
smart individuals willing to do the work, to read after hours,
to understand the industry, and to me the people are the
$5,000 AC unit that can work with these high horsepower tools.
So the book just connects in so many different areas, but I
(36:34):
have to agree it's an awesome book.
Joshua Schmidt (36:36):
I love it.
I'll put that on my to-read list this year, 2025.
Maybe we can get a couple of flamethrowers up in the IT Audit
Labs office.
The Boring Company, yeah, yeah, yeah.
So you heard it here.
Folks, if you want to stay efficient and cut all the red
tape, check out IT Audit Labs.
You've been listening to the Audit presented by IT Audit Labs.
Today we've been chatting with Eric Brown
(36:59):
and Nick Mellom, and I'm your co-host and producer, Joshua
Schmidt.
Like, share and subscribe and please share us with your
friends.
We'll be doing podcasts every other week through the year of
2025.
Eric Brown (37:07):
Thanks for listening
and see you in a couple weeks.
We are experts at assessing risk and compliance, while
providing administrative and technical controls to improve
our clients' data security.
Our threat assessments find the soft spots before the bad guys
do, identifying likelihood and impact, while our security
(37:30):
control assessments rank the level of maturity relative to
the size of your organization.
Thanks to our devoted listeners and followers, as well as our
producer, Joshua J. Schmidt, and our audio video editor, Cameron
Hill, you can stay up to date on the latest cybersecurity topics
by giving us a like and a follow on our socials and
(37:51):
subscribing to this podcast on Apple, Spotify or wherever you
source your security content.