Defensive Security Podcast Episode 279
Description
In Episode 279 of the Defensive Security Podcast, Jerry Bell and Andrew Kalat discuss the latest cybersecurity news and issues. Stories include Transportation for London requiring in-person password resets after a security incident, Google’s new ‘air-gapped’ backup service, the impact of a rogue ‘Whois’ server, and the ongoing ramifications of the MOVEit breach. The episode also explores workforce challenges in cybersecurity, such as the gap between the number of professionals and the actual needs of organizations, and discusses the trend of just-in-time talent versus long-term training and development.
Links:
- https://www.bleepingcomputer.com/news/security/tfl-requires-in-person-password-resets-for-30-000-employees-after-hack/
- https://www.securityweek.com/google-introduces-air-gapped-backup-vault-to-thwart-ransomware/
- https://arstechnica.com/security/2024/09/rogue-whois-server-gives-researcher-superpowers-no-one-should-ever-have/
- https://www.cybersecuritydive.com/news/global-cyber-workforce-flatlines-isc2/726667/
- https://www.cybersecuritydive.com/news/moveit-wisconsin-medicare/726441/
Transcript:
Jerry: [00:00:00] Here we go. Today is Sunday, September 15th, 2024. And this is episode 279 of the Defensive Security Podcast. My name is Jerry Bell and joining me today as always is Mr. Andrew Kalat.
Andrew: Good evening, Jerry. Happy Sunday to you.
Jerry: Happy Sunday. Just a reminder that the thoughts and opinions we express on the show are ours and do not represent those of our employers, past or
Andrew: present, or future.
Jerry: For those of us who have employers, that is. Not that I’m bitter or anything. It’s,
Andrew: It’s, I envy your lack of a job. I don’t envy your lack of a paycheck. So that is the conflict.
Jerry: It’s very interesting times right now for me.
Andrew: Indeed.
Jerry: All right. So our first story today comes from BleepingComputer. And the title here is TFL, which is Transportation for London, requires in-person password [00:01:00] resets for 30,000 employees. So for those of you who may not be aware, Transportation for London had suffered what I guess has been described as a nebulous security incident.
They haven’t really pushed out a lot of information about what happened. They have said that it does not affect customers. But it apparently does impact some back office systems, and that did take certain parts of their services offline. Like, I think they couldn’t issue refunds. And there were a few other transportation-related things that were broken as a result.
But I think in the aftermath of trying to make sure that they’ve evicted the bad guy who, by the way, apparently has been arrested.
Andrew: That’s rare. Somebody actually got arrested.
Jerry: yeah. And not only that, but apparently it was somebody local.
Andrew: Oops.
Jerry: In the country, which may or may not be associated with an unknown named [00:02:00] threat actor, by the way, that was involved in some other ransomware attacks.
Andrew: Kids don’t hack in your own backyard.
Jerry: That’s right. Make sure you don’t have extradition treaties with where you’re attacking. So what I thought was most interesting was their approach here to getting back up and going. TFL had disabled the access for all of their employees and are requiring their employees to show up at a designated site to prove their identity in order to regain access.
This isn’t the first organization that’s done this, but it is something that I suspect a lot of organizations don’t think about the logistics of, in the aftermath of a big hack. And if you’re a large company spread out all over the place, the logistics of that could be pretty daunting.
Andrew: Yeah. It’s wild to me that they want in-person [00:03:00] verification of 30,000 employees. But given the nature of their company and business, I’m guessing they’re all very centrally located, used to going to physical offices. But man, can you imagine if you were a remote employee and you don’t have any office anywhere near you, how would you handle that? I’m probably not going to get on a plane to go get my password re-enabled.
Jerry: Exactly.
Andrew: You know what it did remind me of, though? Remember back, PGP and PGP key signing?
Jerry: Oh, the key parties. Yes.
Andrew: Yes. Where you basically, it’s a web of trust, and people you trust could verify and sign another key. Like at a key signing party, because we were fun back then, that’s what nerds used to do. And then that’s how you had the circle of trust. So maybe they could do something similar where a verified employee could verify another employee. Then you’ve got the whole insider threat issue, et cetera. Yeah. It just reminded me of,
Jerry: No, nobody trusts Bob’s.
Andrew: [00:04:00] It’s true. Your friend, Bob, how many times has he been in prison? Most recently, like where, Rwanda? I think I heard,
Jerry: He’s got the frequent visitor card.
Andrew: but yet has some of the best stories.
Jerry: He does, he definitely does. So apparently they make reference to a similar incident that happened at Dick’s Sporting Goods. I will emphasize the sporting goods. They had a similar issue, and that is a nationwide retailer here in the U.S. at least. I don’t know if they’re outside of the U.S. And so that really wouldn’t be possible with Transportation for London.
I assume that most of the people associated with it are local or within a reasonable driving distance or commuting distance, as the case may be. But in the situation with a retailer, a nationwide retailer, I think they had to go with virtual in-person. So they basically had Zoom meetings [00:05:00] with employees, and I assume had them show pictures of their government ID and so on.
So the logistics of that is interesting. And it isn’t really something I’ve spent a lot of time thinking about. But I know in the aftermath of a big attack like this, establishing trust and certainty in who has access to your network would be super important. So I think it’s worth putting into your game plan.
Andrew: Yeah, it is. It is a wild one. And what do you trust? Especially in the age of deepfakes and easily convincing AI copies of other employees. And I don’t know, it’s an interesting one.
Jerry: Right?
Andrew: Ciao.
Jerry: Our next, yeah, it was certainly an unfolding story, which I don’t think is over yet based on everything I’m reading.
Andrew: I did see one quote in here that made me chuckle, which is, this is a quote from the transport [00:06:00] agency added on their employee hub: “Some customers may ask questions about the security of our network and their data. First and foremost, we must reassure that our network is safe.” Okay, define safe. That’s just us being safe-ish.
Jerry: Safe-ish, safe now,
Andrew: Safe, safe-y. It resembles something that is sometimes called appropriately safe. Based on the criteria that we came up with, it’s completely safe.
Jerry: Which I’m sure is true, because they had also had a Clop ransomware infection, I guess a couple of months prior to this. So
Andrew: What do you use for Clop? Is that like a cream? Is that like a, how is that treated typically?
Jerry: Every time I hear Clop, it takes me back to the Monty Python, the coconut horse trotting. That’s what I think about when I hear the word Clop.
Andrew: That’s fair.
Jerry: [00:07:00] Which is oddly appropriate given that this is in the UK, which is where Monty Python hails from.
Andrew: I thought you’d say where they have coconuts.
Jerry: Only if they’re transported by swallows.
Andrew: You young’uns will just have to go.
Jerry: Gotta go watch that movie. Alright, it’s worth it. I, by the way, I remember making my son, both my sons watch it, and they protested. And now, I think they’ve each seen it like 30 or 40 times,
Andrew: So when you say process, did you like have to duct tape them to a chair and like pry their eyes open and do a whole, yeah, Trainspotting situation?
Jerry: I think they thought it was like an actual movie about the Holy Grail.
Andrew: Which, why would they be opposed to that? That could also be interesting.
Jerry: I don’t know.
Andrew: Indiana Jones did a fine movie on it.
Jerry: It’s true. But it, that does not hold a candle to [00:08:00] the Monty Python Holy Grail movie. Let’s just be
Andrew: We learned a lot. We learned about facing the peril. We learned that Camelot is a silly place. And we learned how to end a movie when you don’t have a better plan. Again, way off topic, but you young’uns will just have to go discover. Do you,
Jerry: So back on topic, our