AI transcript
0:00:06 I’m Sonal, and I’m here today with the ninth episode
0:00:09 of our short form news show, “16 Minutes,”
0:00:12 where we cover recent headlines, the a16z way,
0:00:14 why they’re in the news from our vantage point in tech.
0:00:16 Sometimes we cover multiple items,
0:00:18 sometimes we go deep on just one or two topics.
0:00:21 So this week, we’re doing one of our deep dives
0:00:23 connected to one huge topic,
0:00:25 which is what the heck is going on
0:00:26 with all the recent news around phone fraud
0:00:27 happening lately.
0:00:30 But first, you can subscribe to “16 Minutes” separately,
0:00:32 wherever you like to get your podcasts,
0:00:35 and also a reminder that after next week or so,
0:00:37 we will no longer publish “16 Minutes” here,
0:00:40 along with the regular a16z podcast.
0:00:42 So be sure to go and subscribe to it separately
0:00:45 if you still want the weekly take on news and tech.
0:00:47 As a reminder, none of this is investment advice
0:00:48 or intended for investors.
0:00:52 Please be sure to see a16z.com/disclosures
0:00:53 for important information.
0:00:56 Also, the show notes include links to the article cited
0:00:57 or other relevant background.
0:01:01 You can find those at a16z.com/16minutes.
0:01:02 Thank you.
0:01:03 Okay, so let me quickly summarize the news,
0:01:05 and then I’ll welcome our a16z experts.
0:01:08 One, just this week, the FBI’s Cyber Division
0:01:10 released a note, “Headline cyber criminals
0:01:13 use social engineering and technical attacks
0:01:15 to circumvent multi-factor authentication.”
0:01:17 And this matters in this context,
0:01:19 because phones are frequently used
0:01:21 for second factor authentication.
0:01:24 Two, the next piece of news is that just last week,
0:01:26 a telecom security firm reported on a vulnerability
0:01:29 called Simjacker that involves an SMS
0:01:32 containing a spyware-like code being sent to a mobile phone,
0:01:34 which then instructs the SIM card within the phone
0:01:37 to take over, literally, that phone
0:01:40 in order to retrieve and perform sensitive commands.
0:01:42 And the key here is that it’s platform agnostic,
0:01:45 which means it works across a wide range of mobile devices,
0:01:47 regardless of the hardware or software.
0:01:49 And then finally, another big piece of news
0:01:51 is that Google’s Project Zero team,
0:01:53 which is focused on finding zero-day vulnerabilities
0:01:54 and just to quickly define that,
0:01:56 those are unintended flaws in a system,
0:01:58 kind of like a tumor in the human body
0:01:59 that hasn’t been detected yet,
0:02:02 that can be targeted and exploited by cyber criminals
0:02:05 resulting in zero-day exploits or zero-day attacks.
0:02:07 And that team released a post titled,
0:02:12 “A Very Deep Dive Into iOS Exploit Chains Found in the Wild,”
0:02:14 sharing that they had discovered a small collection
0:02:17 of hacked websites using iPhone zero days.
0:02:18 And just to make this more concrete,
0:02:21 those sites were targeting China’s oppressed Muslim community,
0:02:22 though Google is not the one
0:02:24 who revealed the specific sites.
0:02:26 Apple did confirm that, though,
0:02:27 in their response a week later,
0:02:30 where they also shared that the attack was, I quote,
0:02:34 “narrowly focused, not a broad-based exploit of iPhones
0:02:35 en masse,” as described.
0:02:37 And they also disputed that the sites were out there
0:02:39 in the wild for the estimated two years
0:02:40 and that they were in the process
0:02:41 of fixing the exploited bugs.
0:02:44 So that’s a high-level summary of what’s been going on lately.
0:02:46 I’d like to now welcome our a16z experts,
0:02:49 General Partner Martin Casado and Joel de la Garza,
0:02:51 our Chief Security Officer,
0:02:53 to help us tease apart the FUD from the facts
0:02:55 and what to pay attention to.
0:02:56 Let’s first begin by talking about the scope
0:02:58 of the phone hacking problem overall.
0:03:00 Can you break it down for us, Martin?
0:03:01 – There are two pretty significant topics
0:03:03 that are worth taking in.
0:03:06 The first one is we’ve been relying on the phone system,
0:03:09 which isn’t a secure system in order to secure ourselves.
0:03:12 But the second one is the most predominant device maker
0:03:15 for phones is Apple.
0:03:17 And this has been the worst year for them,
0:03:20 probably on record when it comes to problems, right?
0:03:22 So we all know that there’s this FaceTime bug.
0:03:24 I could call you on FaceTime
0:03:25 and you didn’t even have to pick up
0:03:27 and I could hear what was going on.
0:03:28 And that happened in January.
0:03:31 And then of course, this Project Zero stuff out of Google.
0:03:33 Who knows who else was using it?
0:03:36 And so you’ve got these two pretty significant topics
0:03:39 that reduced to the same implication,
0:03:42 which is we’ve trusted our phones for security
0:03:44 and now we’re paying the price.
0:03:45 – Let’s address the first one
0:03:47 and then we can go deep on the second one.
0:03:48 So you’ve actually said in fact
0:03:50 on a previous episode of 16 minutes,
0:03:52 we should absolutely have two factor,
0:03:55 just don’t use your phone as a second factor.
0:03:57 And so can you talk a little bit more
0:04:00 about this trend of the phone being used in authentication?
0:04:01 – So unfortunately,
0:04:03 this is actually a fairly complicated topic.
0:04:04 What does two-factor mean?
0:04:07 Two-factor means that you don’t just use a password
0:04:08 because somebody can steal your password
0:04:09 or phish your password,
0:04:11 but you use some other factor,
0:04:14 whether it’s I use an authenticator on my phone or–
0:04:15 – So it’s not just something you know,
0:04:18 the password; it’s something you have, that you uniquely have.
0:04:19 – Yeah, yeah, yeah.
0:04:21 Now there are many options for a second factor.
0:04:24 One of the most popular has been texting.
0:04:27 That text will go to whoever has the phone number on record
0:04:32 and that phone number who receives it
0:04:33 is dictated by the phone companies
0:04:36 and phone companies have lots of employees.
0:04:38 And so anybody that can trick any employee
0:04:40 in the entirety of T-Mobile or Sprint or AT&T,
0:04:45 anybody at all to move that phone number to their phone
0:04:46 will get that message.
0:04:47 – Let me just quickly pause on that
0:04:51 because I until now had understood the vulnerability
0:04:53 of it being me losing my phone
0:04:55 and someone getting that text.
0:04:57 But you’re actually saying the entire surface area of attack
0:05:00 is all those employees to transport
0:05:02 that phone information to you, the attacker.
0:05:03 That’s huge. – That’s right, yes.
0:05:05 – Can you actually break down the details
0:05:07 of SIM porting specifically
0:05:09 and then we can talk about the other variations of this?
0:05:11 – Yeah, so SIMs, it comes by many names,
0:05:13 SIM swapping, SIM porting.
0:05:14 The way to think about it is someone’s able
0:05:16 to get your phone number on their phone,
0:05:17 normally by social engineering,
0:05:20 someone in the phone company.
0:05:20 You don’t need a SIM card,
0:05:21 you don’t need the phone, you don’t need anything.
0:05:24 This happens every day, all the time.
0:05:26 And the way you think about it, this like,
0:05:28 there’s some rural T-Mobile store
0:05:30 where they have the ability to change the phone number
0:05:31 ’cause people get new phones.
0:05:33 Somebody walks in there, convinces a store representative
0:05:35 who doesn’t know better, maybe using like fake credentials
0:05:38 or a fake ID to get the phone number ported.
0:05:40 They reset your passwords,
0:05:41 they have access to your accounts,
0:05:43 this is financial accounts, this is crypto accounts,
0:05:44 and then they have access to whatever you have.
0:05:46 – And they don’t even have to go into the store, right?
0:05:48 You can use the data that you buy on the black market
0:05:51 that’s been taken from the credit rating agencies.
0:05:52 So I can call your cell phone provider,
0:05:54 I can say, I’m you, here’s my address,
0:05:57 and they’re gonna say, well, we need to authenticate you.
0:05:58 What’s the first car you bought, right?
0:06:00 I look at your credit report,
0:06:02 or they ask for the last four of your social,
0:06:03 and I’ve got your whole number for you.
0:06:04 And I can authenticate myself.
0:06:06 – Which is the Capital One breach.
0:06:06 – Absolutely.
0:06:07 – ‘Cause we talked about that,
0:06:08 how they actually had like what,
0:06:09 like 100,000 social security numbers in there.
0:06:11 – Absolutely, I mean, we should just assume
0:06:13 that all American social security numbers
0:06:14 are out there being sold.
0:06:16 And there’s clearly evidence based on the FBI alert
0:06:17 that came out today,
0:06:21 that criminals are using social engineering techniques,
0:06:23 as well as technical methods to steal phone numbers
0:06:25 and put them to new handsets.
0:06:26 There are large criminal organizations
0:06:28 that are doing this at scale.
0:06:29 – And by the way, just to be clear,
0:06:31 this is really about having convenience,
0:06:33 because the only reason these people would give up
0:06:35 that information is because you could legitimately
0:06:37 lose your phone and want that number back
0:06:39 because you can’t live without your phone.
0:06:41 So it’s not like they’re trying to aid abusers,
0:06:43 they’re actually trying to be helpful.
0:06:46 – There’s a phenomenal medium post from someone that lost,
0:06:51 I think $100,000 in cryptocurrency due to SIM porting.
0:06:53 He does a very good job of detailing
0:06:54 and breaking down the attack.
0:06:56 And I think it’s important that everyone
0:06:59 listening to this realizes how common this is.
0:07:01 But like you don’t actually have to SIM port to pull this off.
0:07:03 So there’s a whole other type of attack
0:07:04 called active phishing,
0:07:08 where you social engineer somebody with a phone number
0:07:10 to tell you what the passcode is.
0:07:12 – Can you give me an example of how that actually works?
0:07:13 – Sure, I want to get into Joel’s account.
0:07:15 And so I’m like, oh, I need to know
0:07:16 whatever passcode that it sent me,
0:07:18 ’cause I got his password somehow, I phished it.
0:07:21 So what I do is I text Joel and I’m like,
0:07:23 hey, listen, I used to have your phone number.
0:07:24 It’s been a while.
0:07:26 That’s the number that’s registered with my account.
0:07:27 I’m trying to reset my account.
0:07:29 Can you tell me the passcode that came in?
0:07:30 – I feel like that’s kind of dumb
0:07:31 that people would fall for that.
0:07:35 – Right, however, it turns out this is a very effective attack
0:07:37 for people that aren’t educated on cybersecurity.
0:07:38 You could try and educate everybody.
0:07:41 But the reality is, because you’re all connected
0:07:42 and anybody can reach anybody,
0:07:43 every sociopath on the planet
0:07:45 is somehow your next door neighbor.
0:07:47 – So PIN porting, is that the same thing as this
0:07:48 or is that something different?
0:07:49 – So a number of the carriers
0:07:51 in response to some of these activities
0:07:54 have set up the ability for you to establish a PIN
0:07:55 on your SIM card.
0:07:58 And so this means that if I want to change my phone number
0:08:00 to a new handset, I have to provide this PIN.
0:08:03 What we’ve actually found is that the cell phone carriers
0:08:04 aren’t honoring those PINs.
0:08:06 They’ll actually just ask you
0:08:08 for the last four of your social in place of that PIN
0:08:10 and then switch the number over.
0:08:11 – Because as a best practice,
0:08:12 they’re just looking for a way to know that it’s you
0:08:13 or they think it’s you.
0:08:15 And in fact, they really need to be asking
0:08:16 for this additional layer of the actual PIN.
0:08:18 – Well, even then, because consumers legitimately
0:08:21 forget their PIN because passwords are really horrible.
0:08:22 – But even, yeah, and just remember,
0:08:24 like even if you’re required to show up
0:08:26 with a driver’s license or whatever,
0:08:28 that is not a hard thing to do.
0:08:30 Given how much money is at stake
0:08:32 and like how much is the cost to get a fake ID?
0:08:36 – $100 and you can get $100,000 like in that medium post.
0:08:37 And the reason why we’ve gotten here
0:08:39 is because consumers are just so averse
0:08:41 to the friction created by security, right?
0:08:44 Like in the past, we’ve generally had very horrible
0:08:46 two-factor authentication experiences, right?
0:08:50 You had a bunch of dongles, tokens, yeah, right?
0:08:52 And even then the Chinese managed to breach them.
0:08:54 – Yeah, like with the VPN tokens, right?
0:08:55 – Oh, absolutely.
0:08:58 – Yeah, and you probably had five of them.
0:08:59 Instead of a ring full of keys,
0:09:01 you had a ring full of tokens and that was the problem.
0:09:03 And so what companies did was,
0:09:05 rather than roll out more tokens,
0:09:07 they decided, well, let’s use phone numbers
0:09:08 as an authenticator,
0:09:11 which then pulled everything to the cell phone.
0:09:13 The cell phone became this really core anchor of trust.
0:09:16 Now that phone numbers are starting to fall away
0:09:17 and becoming problematic, they’re saying,
0:09:19 well, let’s start to use the authenticated software
0:09:22 on a cell phone to get you into your account.
0:09:24 Well, now the attackers are just breaking the cell phones,
0:09:25 right?
0:09:27 – You’re making the observation that the phone connects us
0:09:28 and it makes it convenient,
0:09:29 but it also connects us sociopaths.
0:09:31 What is the way out of this?
0:09:36 – So what we like to advocate for a second factor
0:09:40 is to reduce the trust to a set of atoms,
0:09:42 something physical as opposed to bits, right?
0:09:44 There’s no way you could be social engineered out of
0:09:47 from somebody that’s in a separate country
0:09:48 ’cause they would have to have physical access
0:09:49 to those bits.
0:09:50 – But a phone is physical.
0:09:53 – So if it requires the physical hardware
0:09:55 to be there of a phone,
0:09:57 that’s not just knowing the number that showed up
0:10:00 on your SMS or a certain phone number,
0:10:01 which is not physical.
0:10:02 These are logical entities.
0:10:04 So for example, you know,
0:10:07 most phone devices have secure hardware
0:10:10 and that secure hardware can be verified that it exists.
0:10:12 There’s also of course security keys,
0:10:14 which is a very similar thing that you plug in,
0:10:15 which is hardware.
0:10:17 So we like the idea of reducing security
0:10:19 to something physical that you have
0:10:20 as opposed to something logical,
0:10:22 which you can be social engineered out of.
0:10:24 – I think there’s another kind of meta issue here
0:10:25 at the higher level,
0:10:28 which is that you don’t want the thing
0:10:29 that you’re using to log in,
0:10:32 be the thing that also authenticates you, right?
0:10:34 You want to have a delineation of responsibilities
0:10:37 and putting that kind of a load on one single device,
0:10:39 especially a device that based on the news
0:10:42 that we’ve heard recently is going to be heavily targeted,
0:10:43 means that you’re probably blending
0:10:45 two different threat surfaces together
0:10:46 that you don’t want to have intermixed.
0:10:47 – Joel’s exactly right.
0:10:50 And I do think this is kind of the second reason
0:10:51 this topic is so interesting is, okay,
0:10:54 so it’s important to have something physical
0:10:56 if you really care about security on the internet.
0:10:59 But what we’ve learned recently is, you know,
0:11:01 one of the most major players in device manufacturing
0:11:05 has this terrible track record this year
0:11:06 with device security.
0:11:09 So Android exploits right now
0:11:11 are more expensive than iPhone exploits.
0:11:13 So it’s like 1.5 million to one.
0:11:16 Apple’s basically, their posture on security
0:11:17 has been to say there’s no problem.
0:11:19 Therefore, there’s no third party ecosystem
0:11:21 around them to actually patch the problem.
0:11:23 And so like a very direct result of this is like,
0:11:26 actually now it’s cheaper to buy an exploit for iPhone
0:11:27 than it is for Android.
0:11:29 – Yeah, and by cheaper to buy an exploit,
0:11:30 you mean that it’s like essentially the market of ways
0:11:31 to essentially do. – You go to an open market.
0:11:32 Yeah, yeah, yeah.
0:11:34 I actually got this quote from a Wired article
0:11:36 where the guy was like,
0:11:38 we see so many exploits in, like, iMessage on iPhone,
0:11:39 we’re starting to turn them away now.
0:11:42 – I get that this is a tension between open and closed
0:11:44 and like sort of all the innovation that that provides,
0:11:46 but I still don’t quite get why Apple
0:11:48 may be particularly vulnerable here.
0:11:51 – Apple’s design philosophy has been to bundle as much stuff
0:11:53 into the platform as possible
0:11:55 and to set it at the center of so many ecosystems.
0:11:57 So not only does it hold your personal data,
0:11:59 it also acts as your authenticator,
0:12:01 it acts as your communications device.
0:12:03 And whenever you have any kind of concentration like that,
0:12:06 it really just sort of makes it a really ripe target.
0:12:08 – Not to mention being the center of this ecosystem
0:12:10 of all the new services they just announced.
0:12:12 Like we just did a podcast on 16 Minutes last week
0:12:13 where we talked about the fact that
0:12:17 you’re now also connecting in a card and TV and games.
0:12:19 I mean, you’re essentially living your life on your phone.
0:12:22 – And every new sort of spoke you add
0:12:24 to the hub of your life is basically another way
0:12:25 where people can get at you.
0:12:28 – And Apple does a really good job in isolation
0:12:30 designing specific features that are highly secure.
0:12:33 So like parts of Apple Pay are actually really admirable.
0:12:35 They’ve done a really great job in figuring out
0:12:37 how to do e-payment and e-commerce in that regard.
0:12:40 But when they combine it into this multifaceted ecosystem
0:12:41 and you get increasing complexity,
0:12:43 you get increasing risk.
0:12:45 So what we’re seeing with phones
0:12:46 and what we were talking about earlier
0:12:49 with the pin porting is they’ll go after things
0:12:50 like your email account,
0:12:51 they’ll go after your phone number
0:12:53 to try to take over those things.
0:12:55 As you work your way up the stack.
0:12:56 So you have to think of this
0:12:59 in terms of the sophistication of your adversaries.
0:13:01 Fraudsters, people that are just trying to steal money,
0:13:03 they’re gonna just go through the window
0:13:05 that gets left open.
0:13:07 They’re not gonna deconstruct your house.
0:13:09 Nation states will because they have the kind of money
0:13:10 that they can spend on doing that.
0:13:13 And so what we’ve seen recently is that nation states
0:13:15 have been obviously spending a lot of money
0:13:17 finding ways to deconstruct the iPhone.
0:13:20 You can visit a community action website
0:13:21 for a cause that you’re interested in
0:13:23 and I can infect your phone with malware
0:13:25 that will listen to everything you do,
0:13:27 take all of your data and surveil you in real time.
0:13:29 – Yeah, they built pretty secure things for sure
0:13:30 to give them credit.
0:13:32 But here’s what to me is so worrisome
0:13:36 about Apple’s general demeanor around security.
0:13:38 They don’t want to admit that you require a third party.
0:13:41 It’s part of their design ethos per Joel’s point.
0:13:43 Their posture in the past has been
0:13:45 to deny any security issues
0:13:46 ’cause they thought it would kind of tarnish
0:13:50 the reputation of whatever it was like Mac OS, et cetera.
0:13:52 So now here we are.
0:13:54 We have two like startling examples
0:13:58 and yet there’s very little actual mature ecosystem
0:14:00 around Apple products to provide solutions to it.
0:14:01 – Okay, so let me just push back
0:14:03 because if I were in Apple’s shoes,
0:14:05 when you have this very vertically integrated
0:14:06 top-down approach to design,
0:14:08 that’s actually the thing that makes you more secure.
0:14:10 It would seem that letting third party players into this
0:14:13 is actually the thing that makes you more vulnerable
0:14:16 or why is a third party ecosystem the thing,
0:14:17 like is that really the thing they need to do
0:14:19 or just do they need to do a better job at security?
0:14:21 – So maybe I’ll just use an instance
0:14:22 and then we’ll back into it.
0:14:26 So it’s broadly understood and I certainly believe
0:14:31 that the most secure way of acting on the internet
0:14:34 and authenticating is having a hardware key.
0:14:36 It doesn’t matter who makes the hardware key
0:14:37 and you use that in conjunction
0:14:39 with whatever device you’re using, right?
0:14:41 So I can store it in separate places.
0:14:43 So if I lose my phone,
0:14:45 somebody else doesn’t have access to it.
0:14:47 I can put it in a safe.
0:14:50 It’s a single purpose device with not a big attack surface.
0:14:50 – It’s like a real key.
0:14:51 – It’s like a real key, right?
0:14:54 We understand the security properties of physical things.
0:14:56 So that’s the most secure way,
0:14:59 which is broadly recognized.
0:15:02 So Apple because of its closed design philosophy
0:15:06 has been very resistant to interoperating
0:15:09 even though it costs them nothing
0:15:12 to allowing people to use security keys.
0:15:13 And it’s just part of their ethos.
0:15:16 We have seen some positive movements in Safari.
0:15:19 We have seen some positive movements in NFC,
0:15:20 which is the protocol that they use
0:15:21 to kind of connect with these.
0:15:22 – Near field communication.
0:15:23 Didn’t they just announce this week
0:15:26 that you can actually now use YubiKeys and NFC with them?
0:15:27 – Yeah, so they change it so you can read and write,
0:15:29 which allows you to implement FIDO and U2F,
0:15:33 which are protocols needed for this stronger authentication.
0:15:35 So we’re seeing good movement,
0:15:37 but boy, it can’t come soon enough.
0:15:39 – Okay, so before we go back to the whole hacking
0:15:42 and securing phones in general topic,
0:15:43 I wanted to actually ask you guys
0:15:45 what you made of the whole Google Project Zero,
0:15:47 which I summarized at the very beginning.
0:15:48 I mean, we have one company
0:15:49 that’s professing to be helping everyone
0:15:50 in the ecosystem,
0:15:52 but then they also have their own stake in it.
0:15:54 And then you have Apple responding
0:15:55 that Google was being alarmist.
0:15:59 And so I want you guys to take on this whole exchange
0:16:02 that played out over the last few weeks between them
0:16:05 and help me tease apart the facts from their interests.
0:16:07 – I respect that Google has taken the initiative
0:16:10 to try to up-level the security of the ecosystem.
0:16:12 I think it’s a really important thing to do.
0:16:15 I have issues with going after competitors
0:16:17 and finding security vulnerabilities in their products.
0:16:19 – There’s something very performative about that,
0:16:20 isn’t there?
0:16:21 – So I’ll do the counterpoint to that.
0:16:23 I think Apple’s history on security is so atrocious
0:16:26 because they have not been open
0:16:29 that you need real muscle and a real public display
0:16:31 to shame them into doing something right.
0:16:33 And so I’m so glad for Project Zero.
0:16:35 I think it was a great thing for all of us.
0:16:36 – Okay, so just to sum up,
0:16:37 we’ve covered new types of porting: SIMs
0:16:39 and phone numbers and PINs.
0:16:40 But now let’s go back to Simjacker,
0:16:43 which I described earlier in the intro.
0:16:44 Why is that one news?
0:16:46 And why is the carrier side of that
0:16:47 in particular something to pay attention to?
0:16:50 I mean, that’s what really felt different and new to me
0:16:52 in thinking through what were the interesting news headlines
0:16:53 for this episode.
0:16:54 – This is unbelievable.
0:16:57 Simjacker’s an attack, it’s an elegant attack,
0:17:00 which involves me sending an SMS to you
0:17:02 with some spyware.
0:17:05 And with that, I can basically take over your mobile phone.
0:17:09 And the reason I can do that is because the SIM cards,
0:17:10 I think the firmware for the SIM cards
0:17:13 has an old browser with an exploit in it.
0:17:17 So the more software that the telcos install
0:17:19 on your phones, they’re not security companies.
0:17:21 – The interesting thing about cell phones
0:17:24 is that ultimately your device is controlled
0:17:24 by someone else, right?
0:17:27 Your carrier, they have to have the ability to access it.
0:17:28 They have to update carrier settings.
0:17:31 They have to be able to push baseband software
0:17:34 and other software unbeknownst to you, to your devices.
0:17:37 Wherever you have backdoors or God keys,
0:17:39 that’s where attackers target.
0:17:42 And I think there’s a whole surface area of carrier tools
0:17:45 and baseband tools that we don’t even talk about
0:17:48 that are probably where really sophisticated adversaries
0:17:49 are spending some time right now.
0:17:52 Once we figure out the SIM porting,
0:17:54 and once we figure out some of the software stuff,
0:17:55 carrier tools is where this goes next.
0:17:57 – Okay, so guys, bottom line it for me.
0:17:59 – So from my perspective as a security geek,
0:18:01 the thing that’s really interesting to me
0:18:04 is thinking about this in terms of what we call the kill chain.
0:18:07 So where an attacker goes from targeting
0:18:09 who they’re gonna get to getting and acting on the intent
0:18:10 and getting the information they want.
0:18:13 And for me, the really important thing is understanding
0:18:15 and figuring out the quickest way an attacker can go
0:18:16 from deciding who they wanna target
0:18:17 to achieving their outcome.
0:18:20 We have this concept called defense in depth.
0:18:21 So we wanna have a lot of little walls
0:18:22 that you have to get through
0:18:24 before you can actually get to where you wanna act
0:18:25 on your intent.
0:18:28 And the entire security industry is predicated
0:18:31 on building these little walls along that kill chain,
0:18:34 finding ways to force the disclosure of an attacker.
0:18:37 What we’ve seen with some of these device makers
0:18:40 in the last year has been a way to short circuit
0:18:41 a lot of that kill chain.
0:18:44 These attacks that we’ve seen in the last year are direct,
0:18:45 they’re to the point,
0:18:47 they’re immediately acting on their intent
0:18:49 and they don’t have any of those little checks
0:18:50 that we wanna have in place.
0:18:52 And generally this is where nation states
0:18:54 kind of focus on applying the gasoline.
0:18:55 – Honestly, my takeaway is like,
0:18:57 I should just throw my phone into the water.
0:18:58 – It’s not that bad.
0:18:59 I think we know the answer.
0:19:02 And unfortunately, it’s kind of our human nature
0:19:03 that we don’t wanna pursue it, right?
0:19:05 Like we know that the key to health is eating right,
0:19:08 exercising, not smoking, doing things in moderation, right?
0:19:10 When it comes to online behavior,
0:19:12 we actually know that the answer
0:19:15 let’s use a valid, strong form of second-factor authentication.
0:19:19 And if we have to like engage with someone on the internet,
0:19:20 let’s trust but verify, right?
0:19:23 – The good news is it’s actually not very hard
0:19:25 to be incredibly secure on the internet.
0:19:26 And it’s just following best practice.
0:19:28 Things like use a password manager.
0:19:31 We believe it’s good to use a security key.
0:19:32 Use a Chromebook.
0:19:35 If you have a physical thing you wanna protect,
0:19:37 you use a safe to protect it in.
0:19:38 Have good physical security.
0:19:41 Don’t ever click on links that come in SMS and so forth.
0:19:45 So there’s a very small list of things that if you follow,
0:19:47 we think that you’re in a good spot.
0:19:48 – Well, thank you for joining this week’s episode
0:19:50 of 16 Minutes. – Thank you.
This is episode #9 of our news show, 16 Minutes, where we quickly cover recent headlines of the week, the a16z way — why they’re in the news; why they matter from our vantage point in tech — and share our experts’ views on the trends involved.
This week we do a short but deep dive to tease apart the FUD from the facts on all the phone hacks of late (also, arguably, one of the worst years on record for certain device manufacturers) — given the following news:
- Just this week, the FBI’s Cyber Division released a notification to private industry on “Cyber Criminals Use Social Engineering and Technical Attacks to Circumvent Multi-Factor Authentication”;
- Last week, a telecom security firm reported a vulnerability called “Simjacker” where SMS containing spyware-like code “takes over” a phone’s SIM card in order to retrieve and perform sensitive commands, regardless of platform or device;
- Over the past month, Google and Apple have been going back and forth over a post the former released, “A very deep dive into iOS Exploit chains found in the wild”, where a small collection of hacked websites were using iPhone zero-day vulnerabilities to target China’s Uyghur Muslim community (though Google is not the one who revealed the specific websites, Apple did confirm it in their response a week later) — what do we make of this exchange; of the fact that zero-day hacks are now more expensive on Android than on Apple; and of Apple’s ethos when it comes to a third-party ecosystem for security?
Finally, how should we think about phone authentication overall when it comes to security, and what can we do to secure ourselves? Our a16z experts — general partner Martin Casado and former chief security officer/ operating partner for security Joel de la Garza — share their thoughts on all this and more with host Sonal Chokshi, in this episode of 16 Minutes.
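The episode contrasts two second factors: an SMS one-time code, which an attacker can obtain by porting the victim's number or simply by asking the victim to read the code back, and a security key speaking FIDO/U2F, which signs a server challenge together with the origin the browser was actually on. The following Python is an added example, not code from the episode, a16z, or any FIDO implementation. It is a toy relying party with hypothetical origins (`https://bank.example` for the real site, `https://bank-example.com` for a look-alike phishing site) and uses HMAC-SHA256 over a per-credential secret as a stand-in for the authenticator's public-key signature; real security keys use an asymmetric key pair, but the challenge- and origin-binding checks shown here are the same ones a WebAuthn server performs.

```python
"""Why an SMS one-time code can be relayed but a FIDO-style assertion cannot.

Toy relying party with two second factors:
  1. an SMS one-time code, delivered to whoever holds the phone number;
  2. a security-key style assertion over (challenge, origin), as in U2F/WebAuthn.

Simplification (assumption): the authenticator "signs" with HMAC-SHA256 using a
per-credential secret registered with the relying party. Real keys use an
asymmetric signature; the binding to challenge and origin is unchanged.
"""
import hashlib
import hmac
import json
import secrets

RP_ORIGIN = "https://bank.example"            # hypothetical legitimate origin
PHISHING_ORIGIN = "https://bank-example.com"  # hypothetical look-alike origin


def canonical(client_data: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(client_data, sort_keys=True).encode()


class RelyingParty:
    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.sms_codes: dict[str, str] = {}       # user -> pending OTP
        self.challenges: dict[str, bytes] = {}    # user -> pending challenge
        self.credentials: dict[str, bytes] = {}   # user -> credential secret

    # factor 1: SMS one-time code
    def send_sms_code(self, user: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self.sms_codes[user] = code
        return code  # "delivered" to whoever currently controls the number

    def verify_sms_code(self, user: str, code: str) -> bool:
        expected = self.sms_codes.pop(user, None)  # single use
        return expected is not None and hmac.compare_digest(expected, code)

    # factor 2: origin-bound assertion
    def register_key(self, user: str, credential_secret: bytes) -> None:
        self.credentials[user] = credential_secret

    def issue_challenge(self, user: str) -> bytes:
        challenge = secrets.token_bytes(32)
        self.challenges[user] = challenge
        return challenge

    def verify_assertion(self, user: str, client_data: dict, sig: bytes) -> bool:
        challenge = self.challenges.pop(user, None)  # single use: blocks replay
        secret = self.credentials.get(user)
        if challenge is None or secret is None:
            return False
        if client_data.get("challenge") != challenge.hex():   # anti-replay
            return False
        if client_data.get("origin") != self.origin:          # anti-phishing
            return False
        expected = hmac.new(secret, canonical(client_data), hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)             # integrity


class SecurityKey:
    """The authenticator signs whatever client data the *browser* hands it.
    The browser, not the attacker, fills in the origin field."""

    def __init__(self, credential_secret: bytes) -> None:
        self.secret = credential_secret

    def sign(self, browser_origin: str, challenge: bytes) -> tuple[dict, bytes]:
        client_data = {"type": "webauthn.get", "challenge": challenge.hex(),
                       "origin": browser_origin}
        sig = hmac.new(self.secret, canonical(client_data), hashlib.sha256).digest()
        return client_data, sig


def relay_sms_attack(rp: RelyingParty, user: str) -> bool:
    """Attacker already has the password; the code reaches a ported SIM, or the
    victim is talked into reading it back. Either way the attacker submits it."""
    stolen_code = rp.send_sms_code(user)
    return rp.verify_sms_code(user, stolen_code)


def relay_key_attack(rp: RelyingParty, user: str, key: SecurityKey) -> bool:
    """Attacker proxies the real challenge through the phishing site and relays
    the resulting assertion verbatim. The browser stamped the phishing origin."""
    challenge = rp.issue_challenge(user)
    client_data, sig = key.sign(PHISHING_ORIGIN, challenge)
    return rp.verify_assertion(user, client_data, sig)


def legitimate_key_login(rp: RelyingParty, user: str, key: SecurityKey) -> bool:
    challenge = rp.issue_challenge(user)
    client_data, sig = key.sign(rp.origin, challenge)
    return rp.verify_assertion(user, client_data, sig)


def demo() -> dict:
    rp = RelyingParty(RP_ORIGIN)
    key = SecurityKey(secrets.token_bytes(32))
    rp.register_key("joel", key.secret)  # hypothetical user
    return {
        "sms_relay_succeeds": relay_sms_attack(rp, "joel"),
        "key_relay_succeeds": relay_key_attack(rp, "joel", key),
        "legit_key_login": legitimate_key_login(rp, "joel", key),
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows the SMS relay succeeding and the relayed security-key assertion failing, even though the attacker captured a perfectly valid signature: the only thing that changed is the origin string the victim's browser embedded, which the attacker cannot alter without breaking the signature. That is the property the hosts mean by "reducing trust to atoms", and it is also why the single-use challenge matters: the same assertion replayed a second time is rejected.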
—
The views expressed here are those of the individual AH Capital Management, L.L.C. (“a16z”) personnel quoted and are not the views of a16z or its affiliates. Certain information contained in here has been obtained from third-party sources, including from portfolio companies of funds managed by a16z. While taken from sources believed to be reliable, a16z has not independently verified such information and makes no representations about the enduring accuracy of the information or its appropriateness for a given situation.
This content is provided for informational purposes only, and should not be relied upon as legal, business, investment, or tax advice. You should consult your own advisers as to those matters. References to any securities or digital assets are for illustrative purposes only, and do not constitute an investment recommendation or offer to provide investment advisory services. Furthermore, this content is not directed at nor intended for use by any investors or prospective investors, and may not under any circumstances be relied upon when making a decision to invest in any fund managed by a16z. (An offering to invest in an a16z fund will be made only by the private placement memorandum, subscription agreement, and other relevant documentation of any such fund and should be read in their entirety.) Any investments or portfolio companies mentioned, referred to, or described are not representative of all investments in vehicles managed by a16z, and there can be no assurance that the investments will be profitable or that other investments made in the future will have similar characteristics or results. A list of investments made by funds managed by Andreessen Horowitz (excluding investments for which the issuer has not provided permission for a16z to disclose publicly as well as unannounced investments in publicly traded digital assets) is available at a16z.com/investments.
Charts and graphs provided within are for informational purposes solely and should not be relied upon when making any investment decision. Past performance is not indicative of future results. The content speaks only as of the date indicated. Any projections, estimates, forecasts, targets, prospects, and/or opinions expressed in these materials are subject to change without notice and may differ or be contrary to opinions expressed by others. Please see a16z.com/disclosures for additional important information.