The UNSECURITY Podcast – Episode 60 Show Notes – 2019 Year End Review

Goodbye 2019. It’s been real.

Where did the time go?

A common question, we ask ourselves. This year I decided to take a stab at answering it.

Here’s where my time went, for what it’s worth (roughly):

  • 38.58% (or 3,380 hours) working
  • 27.09% (or 2,373 hours) sleeping
  • 23.90% (or 2,094 hours) personal (family, friends, etc.) quality time
  • 10.42% (or 913 hours) other

I spent ~15% more time working than I did making memories with my family in 2019. Some priority adjustments are overdue for me in 2020.

Thank God for the gift of reflection.

The end of the year is a good time to reflect. Reflection is healthy. As I reflect on 2019, I can think of many good things about us like improved industry diversity, great personal growth, business accomplishments, and amazing people working round the clock for our collective benefit.

Unfortunately, there are also bad things. Since we’ve got plenty to cover, both good and bad, we’ll use this episode (#60) to discuss the bad. We won’t want to leave a sour taste in your mouth for too long, so we’ll cover the good things, and the things to look forward to in 2020, in next week’s episode (#61).

Now, the bad.

I already mentioned one of the bad things I discovered from 2019, that my priorities are out of whack, but I also learned things about the sad state of our industry. I learned that we’re (still) losing the war, and we’re losing it on multiple fronts.

Are you wondering what war?

The war where the bad people take advantage of the good people. The war where the immoral ones take advantage of the decent ones. Where the informed and corrupt beat the ignorant and noble every single time.

Let me preface the rest of this by saying I’m not a doomsayer. I’m a realist. I’m a realist with a deep desire to share the truth. If you’ve been paying attention, and can be objective, you’ll find it easier to predict our future. Predicting where a path leads is easier when there’s no (or little) change of course.

Our discussion points for episode 60’s year-end review:

  • Front #1 – Breaches are more common than ever, but we seem to care less than ever.
  • Front #2 – Our local governments and schools are losing their battles.
  • Front #3 – Our homes are part of the battleground and we’re not prepared.

All is not lost, and there’s hope. There’s good news too. We’ll cover good news next week. 2020 is the year for you, me, and our industry to get real. It’s time for us to tackle our most significant issues head-on, together!

I am (Evan) leading the show this week, and these are my notes.


SHOW NOTES – Episode 60

Date: Monday, December 30th, 2019

Show Topics:

Our topics this week:

  • Opening
  • The year (2019) in review.
    • Priorities and life adjustments
    • Front #1 – Breaches are more common than ever, but we seem to care less than ever.
    • Front #2 – Our local governments and schools are losing their battles.
    • Front #3 – Our homes are part of the battleground and we’re not prepared.
  • Closing
Opening

[Evan] Welcome to the last UNSECURITY Podcast episode of 2019! We’ve got a great show planned for you. The date is December 30th, and this is episode number 60. Joining me as (almost) always is my guy Brad Nigh. Hi Brad.

[Brad] Early morning version of Brad…

[Evan] No guest today. It’s just me and you. How you doing?

[Brad] More early morning version Brad things…

[Evan] When I put together today’s show notes, I felt like I was a little harsh, maybe even depressing. It’s not like I was depressed when I wrote the notes, but when I take an objective look at what took place this year, it’s sort of depressing to me. 2019 brought with it a record number of breaches, a record number of records disclosed/stolen, ransomware everywhere, etc. Crap man. Do I seem depressed to you?

[Brad] He’s got something to say.

[Evan] Maybe I take this too personal, but I HATE seeing people get taken advantage of. There were too many times this year that we read about people being taken advantage of, and it sucks. Ugh. Maybe I am depressed.

[Brad] More things…

[Evan] Alright, let’s get to it. The 2019 year-end review…

The year (2019) in review discussion
  • Priorities and life adjustments
  • Front #1 – Breaches are more common than ever, and we seem to care less than ever.
    • Another record year for breaches, do we care?
    • Sources; https://www.cnet.com/news/2019-data-breach-hall-of-shame-these-were-the-biggest-data-breaches-of-the-year/ and https://lifehacker.com/the-worst-data-breaches-of-2019-1840616463
    • “total number of breaches was up 33% over last year”
    • “medical services, retailers and public entities most affected”
    • “5,183 data breaches for a total of 7.9 billion exposed records”
    • Risk Based Security stated that 2019 is/was the “worst year on record” for breaches
      • January – Marriott breach (383 million)
      • February – 617 million accounts, from 16 websites and for sale on the dark web
      • March – 100s of millions of Facebook and Instagram accounts
      • April – 540 million Facebook records
      • May – 885 million First American Financial records
      • June – 20 million patients, bill collector American Medical Collection Association
      • July – Capital One and 100 million credit card applications
      • August – MoviePass and 160 million unencrypted/unauthenticated records
      • September – 218 million Words with Friends accounts
      • October – 4 billion social media profile records (???)
      • November – Facebook again…
      • December – we’re still waiting…
    • Breach fatigue.
    • Are we getting better at finding/reporting breaches? Are breaches happening more often? Are we getting worse?
  • Front #2 – Our local governments and schools are losing their battles.
    • Ransomware nails our local governments and schools.
    • A great article by Michael Mayes at CPO Magazine; the Top 10 Ransomware Stories of 2019.
      • “As the year ends, it’s time to declare 2019 the Year of Ransomware Escalation.”
      • Baltimore was “just one of 82 cities and municipalities to publicly report being struck by ransomware” in 2019.
      • “By December 1, a total of 72 US school districts have fallen victim to ransomware, impacting 867 individual schools and over 10,000 students.”
      • Nine “school districts representing 98 individual schools have been attacked by ransomware just in November. They include:
        • Wood County Schools, Parkersburg, West VA
        • Port-Neches Grove Independent School District, Port Neches, TX
        • Penn-Harris-Madison School Corporation, Mishawaka, IN
        • Livingston New Jersey School District, Livingston, NJ
        • Chicopee Public Schools, Chicopee, MA
        • Claremont Unified School District, Claremont, CA
        • Sycamore School District 427, DeKalb, IL
        • Sunapee Middle High School, Sunapee, NH
        • Main School Administrative District #6, Buxton, ME”
      • Louisiana declared a state of emergency twice in 2019
    • Do we just accept it?
    • We started a civic duty push in 2019, calling for citizens to inquire about ransomware protections from their local government officials. We’ll need to pick this up again this year, and include schools too.
  • Front #3 – Our homes are part of the battleground and we seem ignorant about it.
    • Security, privacy, and safety at home.
    • We still don’t emphasize information security, privacy, and safety enough at home.
    • Did this problem get worse in 2019?
    • Will this get worse before it gets better?

[Evan] That wasn’t too depressing, was it?

[Brad] Gives his honest opinion.

[Evan] We’ve got a lot of work to do, and there are no easy answers. No easy buttons. I think the answer is found in learning and applying information security fundamentals. We spent 2019 working hard at SecurityStudio and FRSecure to reach people with simple, but practical information security solutions like our vCISO, S2Org (information security risk assessment for all organizations), S2Vendor, S2Me (information security risk assessment for all people) and others. We even made some of our tools free! We’ll continue our quest to reach people and help wherever we can!

Got anything to add Mr. Nigh?

[Brad] Adds if he wants to add.

Closing

[Evan] That’s a wrap for another show. Heck, not just another show, but another year!

Thank you and Happy New Year to our listeners! Be sure to tune in next week, when we’ll cover some positive developments from 2019 and maybe a prediction or two. We love recording these shows for you, and we hope you enjoy them. Send us your questions and feedback at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen, and this other guy is @BradNigh.

That’s it! Talk to you all again next week!

The UNSECURITY Podcast – Episode 59 Show Notes

If you’re an information security consultant, you know how crazy the end of the year is. It’s crazy!

We’re trying to wrap up all the projects that needed to be completed before the end of the year, and it’s always a challenge. Thank God for Project Managers and a top-notch operations group!

If you missed last week’s episode, we talked about information security in schools with Mike Dronen, the Executive Director of Technology for Minnetonka Public Schools (District 276). Mike shared some great insight and advice for addressing the unique information security challenges facing K-12 schools. If you missed the episode, give it a listen here!

It was no coincidence that last week I also gave the keynote at the East Central Minnesota Education Cable Cooperative (ECMECC) School Security Summit. The Summit was held at the Braham Event Center on December 19th, and was attended by a few hundred K12 school administrators, technology coordinators, facilities staff, and law enforcement. Met a ton of cool people and my keynote was well-received.

If you’d like a copy of the ECMECC presentation, you can go grab it here.

This is Christmas week! For those of us working this week, please take some time off to spend with your loved ones. Merry Christmas to all of you!

Brad is leading the show this week, and these are his notes.


SHOW NOTES – Episode 59

Date: Monday, December 23rd, 2019

Show Topics:

Our topics this week:

  • The SecurityStudio Roadshow Recap (not all the questions, but I have some surprises)
    • Let’s talk about who we met on the Roadshow; different roles, titles, experience levels, etc.
    • Anyone stand out in particular?
    • Was there a specific event that really stood out to you, and why?
    • What was something you learned that surprised you?
  • News
Opening

[Brad] Welcome back! This is episode 59 of the UNSECURITY Podcast, and I’m your host this week, Brad Nigh. Today is December 23rd, and joining me is my co-host, Evan Francen. Good morning Evan.

[Evan] Lots of words of wisdom I’m sure.

[Brad] We have an in-studio guest today. FRSecure and Security Studio President, John Harmon. Good morning John.

[John] John says something I hope.

[Brad] Before we dive in, we like to check-in. John, how you doing? How was your week and what do you expect this week?

[John] John wonders why he agreed to do a podcast again this early in the morning but is a good sport and says something.

[Brad] And Evan. How are you and what’s up?

[Evan] Probably isn’t sure what to do with himself since he isn’t traveling all the time.

[Brad] Sounds like everyone is ready for the holidays to recharge and prepare for the next year.  We thought it would be fun to answer some questions and hear from Evan and John their thoughts on the recently completed roadshow, so without further ado let’s dive in.

SecurityStudio Roadshow Recap
  • Some surprise questions will be asked…
  • Let’s talk about who you met on the roadshow, roles, titles, experience levels, etc.
  • Anyone particular stand out?
  • Was there a specific event that really stood out to you, why?
  • What was something you learned doing this that surprised you?

[Brad] Great discussion.  Always fun talking with Evan and John.

Let’s do some news…

News

[Brad] Always plenty of things to talk about in the news, and here’s a few stories that caught my eye this week:

Closing

[Brad] That’s it. Episode 59 is a wrap. Thank you to John for joining us again, although this is the first time I’ve been here for it.

Thank you to our listeners! Keep the questions and feedback coming. Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @BradNigh, and Evan is @evanfrancen. John, is there a way you prefer for people to interact with you?

Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more goodies.

That’s it! Talk to you all again next week!

The UNSECURITY Podcast – Episode 58 Show Notes

We welcome Mike Dronen to be our guest in episode 58 of the UNSECURITY Podcast! Mike is the Executive Director of Technology for Minnetonka Public Schools (District 276), and he’s joining us to talk about information security challenges facing K-12.

In case you missed the past couple of weeks, we talked a ton about legal and privacy stuff with our favorite data privacy and “cybersecurity” attorney, Justin Webb. Justin works for Godfrey & Kahn, S.C. in Milwaukee, and here’s what we covered:

Lots of good content and advice in these past couple of episodes. This week with Mike Dronnen is sure to be great too!

I’m leading the show this week, and here are my notes.


SHOW NOTES – Episode 58

Date: Monday, December 16th, 2019

Show Topics:

Our topics this week:

  • Information Security Challenges in K-12
    • Article: The Cybersecurity Threats That Keep K–12 CIOs Up at Night
    • How does information security work in K-12?
    • What makes K-12 different than everywhere else?
    • What are there differences between large school districts and smaller ones?
    • What tips do we have for administrators?
    • What tips do we have for educators?
    • What tips do we have for parents?
  • News
Opening

[Evan] Welcome back! This is episode 58 of the UNSECURITY Podcast, and I’m your host this week, Evan Francen. Today is December 16th, and joining me is my co-host, Brad Nigh. Good morning Brad.

[Brad] We’ll see how awake he is this fine Monday morning.

[Evan] We’ve had a couple of great shows the past couple of weeks. We learned a lot from our guest, Justin Webb. We talked a ton about privacy things and legal things. This week we’re going to shift gears a bit, and talk about information security in K-12. To help us navigate these waters, I’ve invited the Executive Director of Technology from Minnetonka Public Schools to our show. Minnetonka is my alma mater, and Mike Dronnen is a good friend. Welcome Mike!

[Mike] Mike’s a good guy. He’ll surely say “hi” or something.

[Evan] Mike, we’re excited to have you on the show for a number of reasons. You’re a good guy, I’m a Skipper, and Brad’s got some kids in your district too. Thank you for joining, especially on short notice.

Before we dive in, I like to check-in. Mike, how you doing? How was your week and what do you expect this week?

[Mike] Mike shares what he’d like to share.

[Evan] And Brad. How are you and what’s up?

[Brad] Sharing is caring.

[Evan] We’re all busy. Hopefully, health busy. My quick recap…

Alright, let’s talk about information security in K-12, shall we?

Discussion about information security challenges in K-12
  • Article: The Cybersecurity Threats That Keep K–12 CIOs Up at Night
  • How does information security work in K-12?
  • What makes K-12 different than everywhere else?
  • What are there differences between large school districts and smaller ones?
  • What tips do we have for administrators?
  • What tips do we have for educators?
  • What tips do we have for parents?

[Evan] Another great discussion. There are some real challenges for K-12, and I think we’ve all got some skin in this game to do the best we can. Thanks Mike!

Let’s do some news…

News

[Evan] Always plenty of things to talk about in the news, and here’s a few stories that caught my eye this week:

Closing

[Evan] That’s it. Episode 58 is a wrap. Thank you to Mike for joining us and for sharing your perspectives on K-12 information security!

Thank you to our listeners! Keep the questions and feedback coming. Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen, and Brad’s @BradNigh. Mike, is there a way you prefer for people to interact with you?

Lastly, be sure to follow SecurityStudio (@studiosecurity) and FRSecure (@FRSecure) for more goodies.

That’s it! Talk to you all again next week!

The UNSECURITY Podcast – Episode 40 Show Notes

Another week in the books (almost). Speaking of books, I’m working on one with two more in the works. So much writing to do, and not enough time! I’m sure that lack of time is not a problem that’s unique to me. Time is precious, and nobody’s got enough of it.

In case you missed it, this week was “Hacker Summer Camp” in Las Vegas. Thousands of information security people descended upon Sin City this week for Black Hat, BSides Las Vegas, and DEF CON. These are three of the best known and well-attended conferences in our industry. David (aka “System Overlord”) writes a good summary, you can read it here.

Instead of going to Hacker Summer Camp, I took this week to get away. A few people were surprised that I wasn’t going, but to be honest, it’s not really my jam. It’s too much noise, too much BS, too much drinking, and too flashy for me. Maybe it’s just a different stage of life for me now. Some people thrive on being where the action is; I’m just not one of them. To each his/her own.

We sent 10 people from FRSecure, people with more self-control.

While Black Hat was kicking off, I took off to Duluth, MN and the North Shore for a few days. Did some catch-up work and some writing. It was good soul time.

This slideshow requires JavaScript.

Alright back to the grind. In the office this morning, putting together episode 40’s show notes, and getting face time with some of my favorite people. Hopefully, you enjoyed last week’s show, with the return of “Ben”. As I write this, Ben is neck deep with FRSecure’s Team Ambush competing (and winning?) in their DEF CON CTF.

This week, Brad’s back!

On to the show notes…


SHOW NOTES – Episode 40

Date: Monday, August 12th, 2019

Today’s Topics:

Our topics this week:

  • Catching up; Brad’s Back
  • More Incident Response(s)
  • Hacks & Hops
  • warl0ck gam3z
  • Industry News

[Brad] – Welcome to episode 40 of the UNSECURITY Podcast! My name is Brad Nigh, and I’m your host this week. I’ve had a couple of weeks off from the podcast, but it’s good to be back! Joining me as co-host this week is Evan Francen. Hi Evan.

[Evan] Hi Brad. Welcome back!

Catching up (a little)

[Brad] So, jumping right back into things this week. We received a couple of interesting incident response calls. I’d like to talk about them, how we handle them, and then we’ll segue into Hacks & Hops and a great tip/question we received from one of our listeners this week.

[Evan] Sounds good. Let’s do it.

Incident response discussion

Discuss real security incidents that we’re working on/investigating.

[Brad] Incident response is the theme for our next Hacks & Hops event coming up next month at US Bank Stadium.

[Evan] Yep. We’ve got an amazing event planned with an all-star panel.

[Brad] Who’s on the panel? Tell me about them.

[Evan] We have three panelists joining us, and I’ll be moderating. All three panelists are people that I have deep respect for; Jadee Hanson, Mark Lanterman, and Chris Roberts.

  • Jadee is the CISO at Code42, and she’s done an amazing job building a world-class security team. She’ll bring the perspective of an expert security leader. Jadee’s bio is here.
  • Mark is the CTO at Computer Forensic Services. He’s one of the best incident investigators I know, and he’s got some amazing stories to share. He’ll bring the perspective of an expert security investigator. Mark’s bio is here.
  • Chris is Chris. Two things I like most about Chris is his truth and his style. He scares most people by telling them the truth, he’s got some incredible stories, and he’s blunt. Chris will bring the perspective of a hacker. Chris’ bio is here.

All in all, this is an incredible panel. I’m pumped!

Hacks & Hops discussion

[Brad] Since we’re on the topic of incident response, let’s address a question that came in from one of our listeners this week. This is from Jeff. Jeff asks:

Incident Response – what is minutia and what is a real incident?  It seems contradictory to say that some companies may not use their IR plan in a year – and to also say that every suspected attack, malware, scan, etc. is an incident.

Let’s tackle this quick.

[Brad] Alright, moving on. Last week was “Hacker Summer Camp” in Vegas. Neither you nor I went this year, mainly because of workloads and other priorities. We did send ten (10) people from FRSecure though, and eight of them belong to a group that calls themselves “Team Ambush”. These guys competed in the warl0ck gam3z CTF at DEF CON. Two years ago, they took 3rd place. Last year, they took 2nd place. This year they claimed that they were all in!

How’d they do.

Discuss warl0ck gam3z and Team Ambush

[Brad] OK. I’ve only got one news item to discuss this week. I think one is enough because of it’s significance. Let’s talk about the security incident(s) at AT&T that were announced recently.

Sources:

Closing

[Brad] – There you go, that’s how it is. It’s great to be back. Thank you Evan, and a special thank you to our listeners. We’re sort of blown away by the number of people who listen to our podcast each week, and we love getting your feedback. Please keep it coming. You can reach the us on the show by email at  unsecurity@protonmail.com.

If you’d like to be a guest on the show or if you want to nominate someone to be a guest, send us that information too.

As always, you can find me and Evan on Twitter. I’m @BradNigh and Evan’s at @evanfrancen. Talk to you all again next week!

The UNSECURITY Podcast – Episode 35 Show Notes

Happy (belated) Birthday America!

Hope you all had a great 4th of July holiday! Both Brad and I (sort of) took the week off last week. We got some much needed rest for the 2nd half 2019 push. Brad spent time with his family, catching some huge fish with his kids. I made a road trip on my bike from Minnesota to Ohio. My wife and 14-year-old daughter joined me and we spent the week celebrating our great country.

This slideshow requires JavaScript.

The first half of 2019 has been wildly successful on multiple fronts, and both Brad and I are grateful.

I left Brad alone this week. I didn’t even reach out to him for our podcast show notes, so I’m not sure if he was planning to write some. Out of respect for his time away from the office, I’m writing this week’s notes.

Haven’t run this past Brad yet, but I think we’ve got the next three shows planned. We’ll see if he’s game. Here’s my plan:

  1. This week (episode 35) – Transfer of Wealth
  2. Episode 36 – The Money Grab
  3. Episode 37 – Project Bacon

Are you intrigued? Yeah, maybe.

OK, let’s get to it…


SHOW NOTES – Episode 35

Date: Monday, July 8th, 2019

Today’s Topics:

  • Civic Duty? – An update
  • Transfer of Wealth
  • News

[Evan] Hi everyone, this is Evan Francen, your host for episode 35 of the UNSECURITY Podcast. Welcome back from last week’s 4th of July holiday. My security bestie, Brad Nigh is joining me. He’s my co-host and stuff.

Welcome Brad.

[Brad] Brad probably greets me/us here. Assuming that he’s polite and engaged.

[Evan] How was your week off?

[Brad] Brad shares stuff about his time off.

[Evan] I’ll share some brief things about last week.

The meat of the show starts here.

[Evan] Over the past couple of weeks, we’ve been talking about ransomware. We haven’t been talking about the technical details related to how ransomware works because the attack vector essentially hasn’t changed drastically over the past, I don’t know, 20 years!

What we’ve been focused on is the destruction that ransomware is causing organizations, specifically local government organizations. We talked about cities that are suffering millions in losses and those that have chosen to pay ransoms to attackers. These things really strike a nerve in us, and we’ve encouraged people to do something about it.

For reference, see other related posts in chronological order:

Let’s catch up quick on this Brad.

Open Discussion – Civic Duty? – An update

[Evan] So, before we get too heated and deep into the ransomware discussion again, let’s talk a little about the money. The money in terms of how much attackers steal from us and in terms of how much money we steal from each other. We call the latter the “money grab”.

[Brad] Let’s do it! (and other stuff probably.)

[Evan] I was revisiting some of the research about our industry this week, and I wanted to talk about two things.

  1. The transfer of wealth – the money the attackers steal from us.
  2. The money grab – the money we steal from each other, or maybe “spend” is more politically correct.

We won’t have enough time to discuss these two topics with any depth in one show, so we we’ll need to split this up across multiple shows. Whatever, let’s discuss what we can now.

[Brad] Sounds good (hopefully).

[Evan] According to a study/predictions conducted/made by Cybersecurity Ventures, “Cybercriminal activity is one of the biggest challenges that humanity will face in the next two decades.” You’ve seen this study, right?

[Brad] Oh yes, of course!

[Evan] We know the source of the study, so we need to take it with a grain of salt, but listen to some of the claims:

  • Cybercrime is the greatest threat to every company in the world, and one of the biggest problems with mankind. The impact on society is reflected in the numbers.
  • In August of 2016, Cybersecurity Ventures predicted that cybercrime will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015. This represents the greatest transfer of economic wealth in history, risks the incentives for innovation and investment, and will be more profitable than the global trade of all major illegal drugs combined.
  • Cyberattacks are the fastest growing crime in the U.S., and they are increasing in size, sophistication and cost.

Let that sink in a little. Are these numbers and claims accurate in your opinion. Do these numbers and claims just feed our scare tactics? Let’s discuss.

Open Discussion – Money – Transfer of Wealth

[Evan] Good talk Brad! We certainly have our share of opinions on this. Let’s hold off on the “money grab” discussion until next week, then we’ll contrast these issues. Sound good?

[Brad] He’ll agree because he’s a very agreeable man.

[Evan] Just two newsy things this week. We’ll cover them quick.

News

Just two quick stories today.

Closing

[Evan] That’s how it is. Thanks again to our listeners and thank you Brad! Have a great week friends. Don’t forget, you can follow me or Brad on Twitter; @evanfrancen is me, and Brad’s at @BradNigh. Email us on the show at unsecurity@protonmail.com if you want to be one of the cool kids.

CALL TO ACTION UPDATE – Doing your part about civic ransomware

Does the all caps “CALL TO ACTION UPDATE” get your attention? It’s supposed to.

The facts:

  1. The call to action still stands.
  2. Our municipalities are still under siege.
  3. The ransomware threat has far from abated.
  4. Too many communities are under-prepared.

You aren’t powerless. You have options.

  1. You can sit there and do nothing, playing the victim.
  2. You can point fingers and complain, playing the critic.
  3. You can wait for somebody else to do something, playing the sluggard.
  4. You can be part of the solution by doing something constructive, playing the responsible citizen. In my opinion, this is the best option.

If you choose (or have chosen) option 4, pen an email to your local government officials. Respectfully ask them how they’ve prepared for an eventual ransomware attack. If you are willing and able, offer to help them if they need it. If you aren’t willing or able to help them, refer them to one of us who is willing and able to help them.

Follow the guidance in my previous CALL TO ACTION article or follow your own charge.

For those of you who choose to do nothing, you have no right to play the victim card or complain. You give up those rights, in my opinion.

UPDATE

Now for the update. Many of you have taken me up on the CALL TO ACTION. You have emailed your local government officials and you’ve shared some of their responses with us at unsecurity@protonmail.com.

Kudos to you for choosing option 4 (above)!

Here are some of the responses that have been shared with us, protecting the names of the innocent/guilty.

Response from small city in a rural area:

We are familiar with these attacks on cities and we utilize network security professionals to protect our systems.  We also utilize a firm to audit us and test for gaps or issues proactively as well as routinely backing up and storing our data off site to protect against ransom demands and other risks.

Not too bad. The resident followed up with the city to gain more insight and offer help. Nice work!

Response from a medium-sized U.S. county:

Thanks for reaching out. No organization can claim with 100% certainty that they are protected from any cyberattack. However this is a very front and center topic for <REDACTED> County, and many efforts have been taken to reduce our risk and exposure to various kinds of cyber attacks, including Ransomware.

The County does not have a defined policy regarding what they would do if faced with this decision (in fact none of the metro counties have one, last time I checked), but in my conversations with Administration I do not believe paying a ransom would be an option they would choose.

Hope that helps answer your question.

This is good to know, yes? Someone (why not us/you) should work with this county to address the issue, and while we’re at it, address the issue with all “metro counties”. Kudos to this county official for responding with some transparency!

Response from a mid-sized suburban city:

Thanks for the email. For the security of the City’s network and systems, we follow the recommendations set by the <REDACTED – state’s criminal justice system>. We also use a third party vendor that does penetration testing against our firewall to try to stay ahead of the malicious attacks. We conduct staff cybersecurity training with this third party vendor to ensure our staff is behaving appropriately as well.

OK, maybe not a great response, but a response nonetheless. Didn’t really address the ransomware preparedness question directly, but a conversation has begun. The resident will be following up. Making a difference!

Response from another mid-sized city:

Thank you for your email. The City of <REDACTED> has a multi-faceted approach to cybersecurity.  We have improved security both internally and externally.  While no system is immune from attack, we are actively scanning and patching for vulnerabilities.  A specific key to protecting against ransomware is to have good, frequent, and tested backups.  We maintain a healthy backup system and in the case of a ransomware attack being successful, could restore lost data as needed. It is our policy to not pay ransomware demands.   Our <REDACTED> has made security a top priority, and has taken many steps to enhance the City’s security posture.  This includes revamping the firewall and anti-virus infrastructure.  We continue to take cybersecurity very seriously, and are constantly striving to keep our data secure and protected against attack.

Not bad. Another conversation starter and another difference made, even if a small one.

Final Words (for now)

Responses from good citizens continue to come in to our mailbox (unsecurity@protonmail.com) and we’re encouraged by the actions some of you are taking! For those who haven’t yet reached out to your local government officials, get on it! Again, you can follow the guidance here if you want.

The problem isn’t going away. Here’s some recent news about ransomware and our local communities:

My other related posts in chronological order:

OK, the rest is up to you (or not). That’s the way it is.

The UNSECURITY Podcast – Episode 34 Show Notes

Happy Friday!

2019 is almost half-gone. The midpoint is coming next Monday/Tuesday, and that’s crazy to me. Hard to believe that half the year is already gone, but holy cow it’s been a good first half!

Hope yours was too!

Lots of things happening as usual, but I’ll spare you the details and get right into this week’s show. My (Evan) show this week, so my notes. 😊


SHOW NOTES – Episode 34

Date: Monday, July 1st, 2019

Today’s Topics:

  • “Let’s get real”
  • News

[Evan] Hi everyone, this is Evan Francen, your host for episode 34 of the UNSECURITY Podcast. Joining me is my right-hand man, Brad Nigh. Good afternoon Brad!

[Brad] Spews wisdom, the kind you can’t find anywhere else…

[Evan] If you were paying attention to the opening, you might have heard me say “afternoon”. That’s because we’re recording on Friday afternoon for Monday’s release. Both Brad and I will be out of the office next week doing some vactiony things. Right Brad?

[Brad] Spews more wisdom. He’s a wisdom spewer.

[Evan] Should we share our vacation plans or should we keep ‘em confidential? We tell others to keep vacation stuff non-public for privacy and safety reasons, so maybe we should follow suit. Whatya think?

[Brad] Brad confirms because of he’s like a wisdom volcano. Hot wisdom.

[Evan] So the last few weeks, we’ve talked about ransomware attacks.

A couple of weeks ago we talked about ASCO, the Belgian aircraft parts maker that was hit with ransomware and lost production for some undisclosed amount of time (globally, so likely lacking proper network segmentation/isolation as well as proper response processes). That news has sort of died out.

Last week we discussed the City of Riviera Beach and how their city council voted unanimously to pay the $600,000+ ransom. This one ticked me off. So, I wrote a blog post about it; DON’T SUCK – STOP PAYING RANSOMS.

We also talked about the fact that we’re not powerless to stop these things, so that prompted another blog post; ASK QUESTIONS – GET ANSWERS (HOPEFULLY). We discussed in reaching out to our local government officials in episode 33, so I gave instructions on how to do so (including an email template). Some people reached out to their local governments and shared their responses! To those who did this, kudos and thank you for making a difference.

Next, we read about another Florida city (Lake City) that voted to pay the ransom. Sunnuva!

So, what did I do? I wrote yet another blog post; CALL TO ACTION – DO SOMETHING ABOUT CIVIC RANSOMWARE. I also reached out to one of our local news stations. The declined the story. No skin off my back, but when are we going to get serious?!

My reply:

“OK. I’d expect the next one to hit within a week. Cities are under siege right now. Have a great weekend and 4th of July!”

All of this leads us to now. The good: there are good people who want to help. The bad: most don’t seem to give a rat.

My question for our discussion is:

Do people even want to be secure?

Open discussion.

[Evan] Good talk. Jason Dance, one of our loyal listeners had some good advice to share:

  1. The same things apply at schools. Reach out to schools and ask questions too.
  2. If you don’t get answers:
    • Ask during a town/city meeting.
    • File a FOIL for the specific information.
    • Ask by Facebook/Twitter/Other social media.

Awesome advice! Thank you, Jason.

We must get our sh_t together, or the pain will only get worse. Now for some news.

News

Just two quick stories today.

Closing

[Evan] That’s how it is! Thanks again to our listeners and thank you Brad (the wise)! Hope you have a wonderful week and a safe 4th of July. God bless America for crying out loud! Don’t forget, you can follow me or Brad on Twitter; @evanfrancen is me, and Brad’s at @BradNigh. Email us on the show at unsecurity@protonmail.com if you want to be one of the cool kids.

CALL TO ACTION – Do Something About Civic Ransomware

Another city ransomware attack, another payment to the attackers. Another win for the bad guys, and another loss for the rest of us. The question is, are you going to do anything about it?

This time the news comes from Lake City, Florida. The 12,000+ citizens of the small(ish) northern Florida town will foot the 42 bitcoin (~$500,000) bill for the city’s poor preparation. Actually, insurance will cover the direct cost and the city only pays $10,000. Chalk up another loss up for U.S. cities (and their citizens). The money the attackers walk away with will most certainly be used to attack other victims, including other cities. Oh, and as far as insurance goes, we all pay a price in higher insurance premiums and limited coverage options. Insurance companies aren’t in the business of losing money.

The quote of the day; “I would’ve never dreamed this could’ve happened, especially in a small town like this” – Lake City Mayor Stephen Witt.

(BTW, I don’t view this as his fault. We, the information security community, obviously failed in reaching him with the message)

Additional details of this latest ransomware payment:

So, what are YOU going to do about this? Yes, you! When I refer to “you”, I’m referring to everyone/anyone, security people and non-security people alike. All of us are in this together.

Should we wait until your city gets hit, or maybe we believe in the false narrative that it will never happen to you/your city?

Will your mayor or local government official be quoted on the news, having “never dreamed” that such a thing could happen?

DO SOMETHING – START HERE

Earlier this week, I posted an article about an email that I was going to send to my city and county officials. I sent the emails a couple of days ago, but haven’t heard anything back yet. Not to worry, I’m determined (and so should you be).

One of the things I didn’t really expect was for people to follow my lead. It was impressive to read and hear about people who took this as a call to action. They’ve been inquiring of their local governments about ransomware protections too! That’s great news! So far, more than a dozen people have told me that they have written their city and/or county government. Some are even getting good responses back.

Here’s what I’m asking you to do:

  • If you haven’t emailed your city and county government officials (inquiring about their ransomware readiness), PLEASE DO IT.
  • If you’ve emailed your city and/or county government officials, but haven’t received a response within a few days. PLEASE EMAIL AGAIN. Stay engaged until you get an answer.
  • If you’ve emailed your city and/or county government officials, and have received a response PLEASE SEND THE RESPONSE TO US. You can send it to us through the UNSECURITY Podcast email address (unsecurity@protonmail.com).
  • No matter what you do, please follow these rules:
    • DO – Always be courteous.
    • DO – Always be respectful.
    • DO – Help if you can.
    • DO – Remember the goal, we are trying to help and we are trying to prevent more occurrences of the Atlanta, Baltimore, Riviera Beach, and now Lake City ransomware events.
    • DO – Ask us questions and make suggestions (unsecurity@protonmail.com).
    • DON’T – Try to answer questions that you don’t feel (or know you’re not) qualified to answer. Email unsecurity@protonmail.com, and we’ll find a good resource/answer for you.
    • DON’T – Use threatening language or insinuate threats of any kind.

EMAIL TEMPLATE

Feel free to use this sample email template that I used or create your own.

———-START EMAIL———-

Dear <INSERT NAME>,

I’ve been a resident of <CITY/COUNTY> since <YEAR>.

I have a quick question for you.

How can you assure me and other city residents that the <CITY/COUNTY> has taken the appropriate measures to protect its systems and data from a ransomware attack?

I ask you because there have been a rash of ransomware attacks that have hit city governments recently. The most current ones being the City of Baltimore (https://arstechnica.com/information-technology/2019/06/a-tale-of-two-cities-why-ransomware-will-just-get-worse/), the City of Riviera Beach (https://www.palmbeachpost.com/news/20190621/in-depth-how-riviera-beach-left-door-wide-open-for-hackers), and Lake City, Florida (https://www.cbsnews.com/news/ransomware-attack-lake-city-florida-pay-hackers-ransom-computer-systems-after-riviera-beach/). I hope we’ve planned well and will not pay a ransom (even through insurance) if/when an attack was to occur. Rather than reacting for such an occurrence, I’m hoping that our <CITY/COUNTY> has planned ahead.

Although I work in the information security field, I have no interest in selling anything. I’m just a concerned/interested citizen. If I can help, I will.

Thank you for making <CITY/COUNTY> a great place to live!

Respectfully,

-<YOURNAME>

———-END EMAIL———-

Let’s make this a way we can start fighting back against criminals who are fleecing our cities and our friends. This is only the start. Next steps come after getting responses.

Again, we are all in this together. Please be helpful, respectful, and courteous.

 

Ask Questions – Get Answers (hopefully)

Yesterday I wrote a pointed blog post about ransomware (Don’t Suck – Stop Paying Ransoms) and how it ticks me off when people pay a ransom to an attacker. This morning we recorded episode 33 of the UNSECURITY Podcast about the same subject. During the discussion with Brad on the show, I made the comment that I was going to email my local government officials to inquire about how they will avoid the same mistakes that the City of Baltimore and the City of Riviera Beach made.

Here’s the email that I wrote. I encourage you to write your local government officials too. Accountability is good for everyone.

I sent this email to my City Administrator and the County Administrator where I live.

———-START EMAIL———-

Dear <INSERT NAME>,

Hope you are well.

I’ve been a resident of <CITY/COUNTY> since <YEAR>.

I have a quick question for you. How can you assure me and other city residents that the <CITY/COUNTY> has taken the appropriate measures to protect its systems and data from a ransomware attack? I ask because there have been a rash of ransomware attacks that have hit city government recently. The most current ones being the City of Baltimore (https://arstechnica.com/information-technology/2019/06/a-tale-of-two-cities-why-ransomware-will-just-get-worse/) and the City of Riviera Beach (https://www.palmbeachpost.com/news/20190621/in-depth-how-riviera-beach-left-door-wide-open-for-hackers). As a citizen, I hope we’ve planned well and will not pay a ransom if/when an attack was to occur. Although I work in the information security field, I have no interest in selling anything. Just a concerned/interested citizen is all.

Thank you for making <CITY/COUNTY> a great place to live!

-Evan Francen

———-END EMAIL———-

I’m sharing this because I hope it will motivate you to do the same thing in your city and/or county. Please be helpful, respectful, and courteous. Once I get an answer back, I will probably offer free help. We’ll see.