This week on the show we’re discussing Cyber Security with Robert Rowley of Patchstack.
- Chart: How Safe Is Your Password? | Statista
- WordPress Vulnerability Database – Patchstack
- WP Last Modified Info – WordPress plugin
- WordPress 5.9.2 Security Update
This security and maintenance release features 1 bug fix in addition to 3 security fix. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated.
- State Of WordPress Security In 2021 – Patchstack
- UA Cyber Help IT and cyber security assistance
- Jason Tucker – jasontucker.blog
- Steve Zehngut – zeek.com
- Sé Reed – sereedmedia.com
- Jason Cosper – jasoncosper.com
- Robert Rowley – patchstack.com
Are You Looking For Brand Awareness?
You could be a show sponsor. Let people know you’re still in business and supporting your products. Supporting podcasts is a great way to repurpose your in-person conference budget.
We have been sponsored by big brands such as Kinsta and Cloudways. Why not get your audience in front of the thousands of people who download this show every month?
Yes, WPwatercooler has thousands of downloads every month. We’re not just a YouTube Show.
[00:00:00] Se Reed: Hi,
[00:00:08] Jason Tucker: This is episode number 414 of WPwatercooler cybersecurity during global conflicts.
[00:00:15] Se Reed: welcome to the future.
[00:00:19] Jason Tucker: I’m Jason Tucker. You can find me at Jason Tucker on Twitter.
[00:00:25] Steve Zehngut: I’m Steve Zehngut. I’m the founder of Zeek interactive and I run the OC WordPress meetup.
[00:00:32] Se Reed: I’m Sé read, and I stand with Ukraine at SeReedMedia on all the things
[00:00:39] Jason Cosper: And y’all know who it is. It’s your boy, Jason Cosper, AKA Fat Mullenweg back at it again on the world’s most influential WordPress podcast.
[00:00:47] Jason Tucker: And you can go follow that podcast on apple podcasts, Google podcasts, Spotify,
[00:00:53] Se Reed: you could follow the podcast or the pod call.
[00:00:56] Jason Tucker: my pod cost.
[00:00:56] Se Reed: podcast,
[00:00:58] Jason Tucker: Look, we have a visitor. Hey Robert, how you doing today?
[00:01:01] Se Reed: recruited somebody.
[00:01:05] Jason Cosper: Robert
[00:01:05] Jason Tucker: to have you on again, Robert, we had Robert for those folks that watch or listen to both the show as well as Deb ranch, we had Robert back on back in December and it’s good to have you back on again. We really appreciate that. Robert works over at patch stack, and you’re a advocate of, is it.
[00:01:25] Robert Rowley: Security,
[00:01:28] Se Reed: Robert, this is totally, this is a serious topic, but I do want to be in honor of you being from patched doc. I did want to say to you patch deck skate on the flood patch, deck and secure. So the more you’re welcome happened.
[00:01:44] Robert Rowley: I guess.
[00:01:46] Se Reed: Yep.
[00:01:48] Jason Tucker: You should have told me, I could have put some music on while you’re doing that. Say here go for
[00:01:51] Se Reed: That’d be right.
[00:01:52] Steve Zehngut: the karaoke section of a, of the WPwatercooler.
[00:01:56] Jason Tucker: So for a 30 minute show let’s discuss a little bit about cybersecurity. Where should we begin?
[00:02:02] Se Reed: How about in Ukraine?
[00:02:05] Jason Tucker: All right.
[00:02:06] Se Reed: a random, a spot, random. I’ll wow. There are no good, like every analogy or metaphor I try to use is like just really inappropriate. So I will begin conversation just by asking when something like this happens when, when sovereign nations are invaded I don’t know how to phrase that.
[00:02:26] Se Reed: When something like this happens for all of the normal day to day businesses that are happening, they’re all the normal transactions. When you have an actor like Russia, who is known for their hacking capabilities and is have hacked Ukraine multiple times before now, it becomes a whole nother level of of attack really. I’m just going to shut up. Anyway. Point is how do we, like how important is it that all of those small avenues are secured? Not just the big ones.
[00:03:02] Robert Rowley: Yep. It’s critically important, right? I don’t have a ton of experience in state nation, state actors technique other sovereign nations. Cause I don’t think it’s happened very often in our life. But we’re finding out, we know a lot about previous cyber attacks where the small little out of date device in a corner, I think it was target was an eight AC or HVAC system.
[00:03:24] Robert Rowley: There was a casino once that got hacked via. But I think the story was an aquarium, like a pump and automated pump that was connected to the internet. So all of these little things that are
[00:03:35] Se Reed: the internet
[00:03:35] Robert Rowley: within infrastructures. Yeah. Especially IOT, but WordPress sites are not exempt. They are allowed to they run code and if they get compromised, they get access to a little bit more network.
[00:03:46] Robert Rowley: They get access to a little bit more secret information and that could be the stepping stone or the pivot point for a more serious. So all aspects of security are important, I think is my point.
[00:03:59] Se Reed: really fun episode.
[00:04:01] Jason Cosper: Yeah.
[00:04:02] Robert Rowley: can be happier. Sorry.
[00:04:03] Se Reed: No, there’s no need for you to be happier. I’m just literally taking what you say. Our tone is usually, a lot lighter, but this isn’t light. So there’s, don’t got to face.
[00:04:14] Jason Cosper: Now, Ukraine is under cyber attack. There are a lot of attacks going on. We were talking a little bit in the pre-show. Robert, you said that attacks, you saw a surgeon attacks on Ukraine when the actual. Water started happening. I’m like, but we’re saying that maybe that wasn’t like the biggest push.
[00:04:36] Robert Rowley: Yeah. I think you guys were talking about how, like that first weekend after it was announced that, Russia had began advancing in Ukrainian territories that we started hearing news, right? Like people were hacking stuff like, this going went down that went down. I think there was a cool story.
[00:04:51] Robert Rowley: I read about a I think it was at a gas station or an electric charging station. That all of the words on the billboard for it were, or the charge ports, like the role changed with, to, anti, I think it was anti-Russian or into Ukrainian phrases. This is like a form of hacktivism.
[00:05:05] Robert Rowley: So that first weekend we saw a lot of hacktivism, a lot of people you know, just taking whatever they could get and putting up notices. Cause they felt passionate about what. What was going on in the world. A lot of people did. And then we also saw a lot of internal threat actors, or internal threats, which was people defecting in the cyber underworld. There was actually a very popular spyware group Conti, which some of the people were Ukrainian. Some of the people in that group were brushing and they did not see eye-to-eye what happened with. I believe that Ukrainian side got upset and began leaking basically the biggest leak of cyber like bad guys.
[00:05:43] Robert Rowley: It was all there Jabber logs, it was all their communications. And there was, yeah, completely unprecedented. We’ve never seen that. Typically people don’t affect like that. And that was the first weekend and people were talking to, then they was like, this is. The new avenue of cyber war, but I know a little bit more about how cyber attacks work.
[00:06:02] Robert Rowley: That was just the first step. That was all the low-hanging fruit, right? That
[00:06:06] Se Reed: Yeah, it was just, that was just cyber rad or cyber rattling.
[00:06:11] Robert Rowley: yeah.
[00:06:11] Se Reed: Saber rattling.
[00:06:13] Robert Rowley: Save their site, saber cyber, saber rattling. I like it.
[00:06:16] Se Reed: Exactly.
[00:06:17] Robert Rowley: I have one. What it was is yeah, people began to defect and they started just taking whatever, low hanging fruit, if they had access and they wanted to just stick it to somebody. They were upset. They were angry, emotional. They did something and they found insecure systems, things that were already vulnerable. That’s the first lower layer though. The next layer is actually the more serious. Because it’ll take imagine you’re out there scanning all the network and everything is secure. Not everything’s perfectly secure as insecure. We can say no known vulnerabilities.
[00:06:47] Robert Rowley: It takes a couple of weeks to go find some vulnerabilities. So right now we’re in the middle of it. Yeah. They’re poking, they’re getting intelligence and we may see some more bigger events in the next few weeks at. Who knows what we could, hopefully not, but it would be the next few weeks where people could start identifying what systems they want to target, start getting that software themselves and start looking for undisclosed vulnerabilities.
[00:07:10] Robert Rowley: And we’re not at that point yet.
[00:07:11] Steve Zehngut: So if my WordPress credentials are admin password, I should probably,
[00:07:16] Robert Rowley: Did you turn on to a.
[00:07:19] Jason Cosper: sure.
[00:07:21] Steve Zehngut: what if it’s, what if it’s password with a zero instead of the, oh, was that,
[00:07:27] Jason Tucker: Robert’s never heard of this. This is such a.
[00:07:30] Robert Rowley: I think that’ll buy you like a 0.0005
[00:07:33] Steve Zehngut: I saw a chart this week, there was a chart that came out that showed how fast a password can be hacked. Like a plain text password can be hacked instantly. And then it went from there based on how many characters And how many odd and how many symbols you had. I was an eyeopening chart.
[00:07:49] Se Reed: And just to be clear, the end of that chart is all. Han tak KA tak. And then it’s industrial level, enterprise level passwords where it stops hacking. Like it could have probably hack like
[00:08:02] Steve Zehngut: Yeah, my passwords were definitely in like the hundreds of years that would take the hack. So
[00:08:07] Se Reed: Good.
[00:08:08] Steve Zehngut: I felt safe there.
[00:08:09] Se Reed: You won’t have to change your password for a hundred years.
[00:08:11] Steve Zehngut: Yeah.
[00:08:13] Se Reed: great.
[00:08:14] Steve Zehngut: My grandkids will inherit my passwords.
[00:08:18] Jason Cosper: So to dovetail on what Robert was talking about how attacks are gonna start ramping up. It’s okay. I’m sure it’s some of our viewers are thinking and some of our listeners are thinking like, oh, okay, I’m not in Ukraine. I’m probably cool. And
[00:08:35] Se Reed: One’s cooler than Ukrainians, but
[00:08:37] Jason Cosper: no you’re not getting shelved, but your sites are.
[00:08:42] Jason Cosper: Not really in the best. If you stay up to date, if you there was a security release of WordPress last night,
[00:08:50] Robert Rowley: Yeah.
[00:08:51] Se Reed: Otherwise. Oh my God. This is I turned on my computer to come on the show. So thank you for updating.
[00:09:02] Steve Zehngut: Yeah.
[00:09:04] Jason Cosper: I didn’t find out about it until eight or nine last night, because I quit the work day at six o’clock. It came out at six 30 and then I started getting auto update. Now I haven’t turned auto updates off on some of my sites. I started getting auto update notices in my email and went, oh crap, let me go look at the rest of my sites right now,
[00:09:27] Se Reed: I would say that it’s not just about Ukraine, right? We’ve seen before old word press sites get strung together into botnets, right? And that’s been done before and then it uses this is a little far out of my wheelhouse, but in layperson’s terms, it basically uses all of that computing power to do other stuff.
[00:09:49] Robert Rowley: Yep.
[00:09:50] Se Reed: Basically. So we know that Russia, for example, is extremely proficient in technology and they probably know about WordPress specifically in that 40% of the web. They may have heard of it. I’m just saying like the white house’s website is on WordPress,
[00:10:08] Steve Zehngut: We’re pressed runs 40% of the internet.
[00:10:11] Se Reed: Yeah. I wonder what the built with is in Russia, like built with that was probably not appropriate,
[00:10:17] Steve Zehngut: I think it’s pronounced exactly like that.
[00:10:19] Se Reed: yeah, I’m going to keep shoving my foot in my mouth. My point is that with those continuing it almost puts. The impetus more so than it’s just protecting our sites and our client sites and they need to not be hacked in a way it’s a form of security more for the world, or at least when you’re not going to participate in that.
[00:10:44] Se Reed: If you have all of these sites that they could use those resources, like by not by hardening your site, putting on, upgrading to five nine, whatever, you’re preventing that avenue from being impossible.
[00:10:57] Jason Cosper: Everybody, it’s a, it’s like the the gift that goes around from a Starship troopers where people just turn to the camera and say, I’m doing my part, like staying on top of this stuff, you are doing your part
[00:11:11] Se Reed: I’m not I’m, it seems really minor, but you speak to that? What could be done with something like that? Like a web of WordPress servers? Could that be. Used for a cyber attack on a state. I don’t really know. So I’m really
[00:11:25] Robert Rowley: Good start with misinformation, right? A compromised news avenues, our organization or journalists who use WordPress and their sites to get compromised. Suddenly there could be misinformation on their website with
[00:11:37] Robert Rowley: people at once.
[00:11:39] Se Reed: favorite, little fun thing to
[00:11:40] Robert Rowley: all about. It’s all about trust, right? You trust that organization to give you the information.
[00:11:44] Robert Rowley: Somebody hacks them. Now they’re giving you the wrong information. And that can be terribly bad. Of course that’s easier to clean up because it’s obvious that
[00:11:51] Se Reed: Not when he gets out there because he can’t reach all those minds.
[00:11:55] Robert Rowley: But then the
[00:11:56] Se Reed: for the mind.
[00:11:59] Robert Rowley: so I wonder read snow crash again. But the other thing too, is that, they can compromise and just, you mentioned it just use it as a resource, right?
[00:12:05] Robert Rowley: It can be used as a pivot point, like a VPN like basically a tunnel to attack other resources and you ever dealt with DDoSs right? Like a lot of the times DDoSs it just means they had a lot of bots and all those bots just pointed at one source. Things started going down. And we saw that, I think at the first weekend voluntary DDoSing people were recommending like, Hey, go hit these websites.
[00:12:46] Robert Rowley: Like it’s just wastes so much resources because you’re angry and you want to shut something off that you don’t agree with.
[00:12:52] Se Reed: But if that were being used as a weapon in a state if someone’s resources were being tied up with managing,
[00:12:59] Steve Zehngut: No.
[00:13:00] Se Reed: The system that they’re trying to fix, then they’re not doing other things. So it can just be like busy work, keep everyone distracted, keep everyone can, like in a spy movie where they’re like, oh, there’s a fire over there.
[00:13:12] Se Reed: And they like, I’ll sneak past on the side,
[00:13:14] Robert Rowley: Yep.
[00:13:14] Se Reed: Just like that.
[00:13:16] Robert Rowley: Just like that. It is exactly like that.
[00:13:18] Se Reed: So what I mean? All right. So we individually can do something by keeping herself up to date. What else are we
[00:13:27] Jason Tucker: What about the vulnerabilities? Yeah. What about the vulnerabilities that are out there? I know that I’m just looking at the stuff that you guys are doing over a patch stack. You guys are collecting the vulnerabilities that are there. And even during our pre-show, we were talking about just like how many of them are just the same damn thing over and over.
[00:13:46] Jason Tucker: And there’s a reason why for that. So how do we start looking at that Robert.
[00:13:51] Robert Rowley: Yeah, I, so what patch I recently did, we just released our security white paper. We reviewed 20, 21 for WordPress security concerns and we found some really interesting stuff and I wanted to start with what’s a vulnerability and what’s a security bug.
[00:14:05] Se Reed: Oh, that’s Steve’s job. He has to read that out of Wikipedia. Sorry. Oh, you’re going to let him do it this time. Okay.
[00:14:12] Robert Rowley: But the patch. Passed back in 2021 started this what we call it, patch stack Alliance. It was originally called the red team, but we’re calling it the Alliance now because we’re trying to bring together security researchers who find security bugs. You could also say vulnerabilities, but I say there’s security bugs because then we report those to the developers and the developers patch, those security bugs.
[00:14:32] Robert Rowley: And in 2021 week, there was an increase of 150% of the number of security bugs fam. In WordPress components, open source WordPress components. Now you would think this is more vulnerabilities, but that’s think of it this way. It’s more bugs found that already existed. They were unearthed and they were reported to the developers so they could get addressed and secured better for the whole community.
[00:14:55] Robert Rowley: And this is something that, yeah.
[00:14:56] Se Reed: is it that there were more bugs or just that you found more bugs? Is it just a matter of perspective that you’re saying that? Or did you just really just find more bugs because you had a better team or something?
[00:15:06] Robert Rowley: don’t think we know how many bugs are in the code base. We don’t know that until we look and we’re finding more now. The vulnerabilities
[00:15:13] Steve Zehngut: I know.
[00:15:13] Se Reed: point was, I guess my point was, were they new bugs or were they old bugs? Is what I mean? Were they new things introduced by new versions or were they old things?
[00:15:22] Robert Rowley: Yeah. These are bugs that are there in the code base that I do not know. We didn’t look into when were they introduced, but these are bugs that typically have existed for some time. It wasn’t like we found a new feature and we’re just hacking those new features. It’s we’re just looking at the code base.
[00:15:36] Robert Rowley: And the WordPress plugin repo. It’s just one code base that has tons of source code. I have, what is it? 40, 50,000 plugins, 60,000 maybe. I don’t even know how many I guesstimated the lines of code is like in the 10 million, 12 million. I’m sure, but it’s just so much code and
[00:15:55] Se Reed: of that is dashboard admin notification? Sorry,
[00:15:59] Robert Rowley: 20%.
[00:16:00] Se Reed: we could save a couple million if we just took those out.
[00:16:03] Steve Zehngut: By the way I know how many bugs are in the in the code base. All the bugs.
[00:16:08] Jason Cosper: Sure.
[00:16:09] Se Reed: last one.
[00:16:11] Jason Cosper: so what’s w let’s look at a recent a recent security issue in some WordPress plugins. There was that issue with freemium and plugins that utilize a freemium in their code base. Robert, do you remember offhand? How many
[00:16:27] Robert Rowley: I think it was between 600 and 800 plugins were utilizing the freemium SDK library. So these are the developers built their code and the freemium Steph SDKs is a good thing. He makes it simpler and easier to build robust plugins. Unfortunately, the code base also included one or more, actually a few vulnerabilities.
[00:16:46] Se Reed: One known.
[00:16:48] Robert Rowley: Yeah, one now. And there was actually, I think, three known in the end and it ended up affecting every site that was reusing this library, I think times three, so 600 times three. So it was like 1800 vulnerabilities. And we patch stack. We had to have eight to 1800 or whatever the number was vulnerabilities into our database all at once. Now, the big problem there is. The responsibility. They were talking about responsibility earlier. The responsibility there was on the developer to be aware that they need to update this library, they need to go and update the library and then they need to inform their users. Hey, please update the plugin.
[00:17:23] Robert Rowley: So it’s this that’s I think when we say supply chain attacks or supply chain security, that’s where we’re talking about. We’re talking about how many people need to know down the line that they have to perform an action.
[00:17:34] Se Reed: also like to say that as that line progresses, people care less and less like this person, like the security person who finds it really cares. And then maybe the developer cares and then they tell her person, their client and then their client tells their client, their customer target.
[00:17:50] Robert Rowley: It’s a game of telephone everywhere along going.
[00:17:52] Steve Zehngut: it’s somewhere in that chain is going to be a, an abandoned place.
[00:17:56] Robert Rowley: Yes. And that’s a big issue we found.
[00:17:59] Se Reed: Ridiculous.
[00:18:00] Jason Cosper: Now I was going to say not to pick on freemiums as much as I like to pick on freemium, not to pick on freemiums. However you can go back to classic examples where there was Ben and plugins that were running Tim thumb or,
[00:18:15] Se Reed: Oh my God.
[00:18:16] Jason Tucker: they’re
[00:18:16] Jason Cosper: or abandoned. Yeah. Or. Yeah, I was going to say abandoned like code canyon themes, running revolution, slider.
[00:18:25] Robert Rowley: Yep.
[00:18:25] Steve Zehngut: that I know that a hundred percent of all WordPress sites have updated And they’re not using temp them anymore. So we can all sleep at night. All of them have updated their code.
[00:18:33] Jason Tucker: Got rid of sliders years ago.
[00:18:35] Robert Rowley: How long ago did that? How long did that take
[00:18:38] Jason Tucker: Oh, like 200 episodes.
[00:18:41] Steve Zehngut: obviously making a joke.
[00:18:42] Jason Tucker: It took 200 episodes. Robert.
[00:18:46] Robert Rowley: just everyday a PSA. Please update your Tim thumb and rich slider versions. Now, once in the
[00:18:50] Steve Zehngut: Just
[00:18:50] Se Reed: It is.
[00:18:51] Steve Zehngut: update our tag, our tagline of the show should be update your shit.
[00:18:56] Se Reed: saying like, what on the, what show is it that at the end, they would say Spain, new to your pets.
[00:19:01] Jason Tucker: Yes.
[00:19:02] Se Reed: At the end of this note, please update your.
[00:19:04] Robert Rowley: Yeah. Please update. Except for when there’s no update available and that’s,
[00:19:08] Se Reed: know what? There’s always an update available. Something’s always been updated
[00:19:12] Steve Zehngut: Actually there’s not, And here’s the problem. We’ve talked about this on the, in the past, if a plugin has been abandoned, and it’s just sat for however long, it actually doesn’t show an update. You don’t,
[00:19:23] Se Reed: it doesn’t show a flag either.
[00:19:24] Steve Zehngut: doesn’t show anything. It just shows. Hey, it’s got the latest version of this.
[00:19:28] Steve Zehngut: You’re good.
[00:19:30] Se Reed: It does say this has been tested up to this and may not work, but you only get that if you go into the repo. So if you already have it installed.
[00:19:38] Steve Zehngut: doesn’t show that in your updates data area.
[00:19:40] Se Reed: So
[00:19:41] Jason Cosper: I used to actually have a plugin that Pete mall WordPress developer extraordinary made a name for a throwback name for a lot of folks. Pete made this plugin called plugin last updated that added.
[00:19:57] Steve Zehngut: I use
[00:19:59] Jason Cosper: Yeah, that added a field on your plugins page to say, here was the last time your plugin was updated.
[00:20:06] Jason Cosper: However, that plugin has now not been updated in
[00:20:09] Steve Zehngut: it
[00:20:09] Jason Cosper: eight or nine years.
[00:20:11] Steve Zehngut: actually marks itself as red, if you put in that plug in it. And if you even look at that, it caused a rift in the space-time continuum.
[00:20:21] Se Reed: I think that’s it. Didn’t Pete win like a million dollars playing poker or something and
[00:20:25] Steve Zehngut: No, there is a there’s a new version of that, plus there’s a new, a whole of the plugin that does exactly that cost for I’ll dig it up.
[00:20:32] Jason Cosper: Please do.
[00:20:33] Jason Tucker: Plugin last modified info,
[00:20:35] Steve Zehngut: Yeah. It’s something. Yeah. There’s another one that does that. What I’m amazed that is, is, Robert, I went to the patch stack database just to look at the vulnerabilities, expecting to see a whole bunch of plugins. I didn’t recognize right. That are just random plugins in the That’s not true. And I’m not going to name names here on the cooler, but if you go look Yeah.
[00:20:55] Steve Zehngut: go to the link. These are plugins that I use.
[00:20:58] Robert Rowley: Okay.
[00:20:59] Jason Tucker: It’s some little small one, that’s like a
[00:21:02] Steve Zehngut: We’re not going to rename.
[00:21:04] Robert Rowley: Only got one or 2 million installs.
[00:21:06] Jason Tucker: we have our favorite one though, which is contact form seven, which we’re allowed to say all the time.
[00:21:12] Steve Zehngut: That’s our other tagline or the show don’t use contact form seven.
[00:21:17] Jason Tucker: I’m holding up from a contact form eight.
[00:21:20] Se Reed: So I was getting back to the global security kind of thing. Can you put on your wizard, fortune telling hat for a minute, your predictability hat. Are you looking for when you’re looking for
[00:21:33] Robert Rowley: have a cat bed.
[00:21:34] Se Reed: He’s hold on.
[00:21:38] Robert Rowley: It’s just a cat.
[00:21:40] Steve Zehngut: Trashcan.
[00:21:41] Robert Rowley: It’s my cats bed. My bald head is now full of hair.
[00:21:46] Se Reed: Kind of looks like a conflict.
[00:21:48] Jason Cosper: Yeah.
[00:21:53] Se Reed: so you got your hat on loud. So obviously this answer’s going to be correct, but
[00:21:57] Jason Tucker: Found the thumbnail.
[00:21:58] Se Reed: how do you see this playing out? Obviously you said you’ve used the word on the underground street is that attacks are ramping up, but what would you expect to see? What would you be really freaked out to see? What is the hat’s name?
[00:22:15] Robert Rowley: What does that say? That says I have an itchy head.
[00:22:19] Se Reed: You’re not
[00:22:19] Robert Rowley: The likelihood we’re going to see is more hacktivism. We’re going to see a lot more people working outside of, but next to state actors. Like they’re going to represent states. I think each side and they’ll compromise and put up a, a defaced page support Ukraine or sport Russia.
[00:22:35] Robert Rowley: We’re going to see a lot of that. It’s going to be mostly because it’s mostly the news newsworthy stuff. What I think is going to happen, like definitely is going to also be happening is more leaks. And we’re going to see those come out a lot slower tech, even in the U S thinking back, just think about 10 years ago, the office of personnel management and all of the military personnel like social security numbers and et cetera, leaked.
[00:22:56] Robert Rowley: So I don’t know what further information, us military people can lose, but I’m sure this will also happen in Europe and other countries. We’re gonna, we’re gonna start seeing big leaks. We’re probably gonna see chat log leaks. And a lot of that intelligence is going to come basically come through that.
[00:23:11] Se Reed: Do you what impact will, a lot of hosting companies have cut off Before for Russia. And I’m, I haven’t been tracking all of the different things that have been happening, but Russia already had to use the Russians have already had to use VPNs to access a lot of Western or just other information sources.
[00:23:29] Se Reed: So do you feel that the digital pertinent as it were is enough to block stuff or is there just, enough access already?
[00:23:40] Robert Rowley: Oh. As if, as long as we live in countries that have free and open internet, we’re also exposed and some countries have locked down when their internet, so they’re going to be a little less exposed, but I appreciate you being in with the more free and open and dangerous part of the internet, but you get as much information as you can this way.
[00:23:57] Se Reed: Yeah. So basically they’re going to be like on a boat right outside of the U S like trying to get Wi-Fi.
[00:24:03] Robert Rowley: We’re Starlink, right? Like we can
[00:24:05] Jason Tucker: Starlink.
[00:24:06] Robert Rowley: lots of
[00:24:06] Robert Rowley: styling
[00:24:07] Se Reed: what’s up with Starlink,
[00:24:08] Robert Rowley: I just wish I had, I wish I had a note on links there so I could monitor all the traffic that’s targeting that network right now. That would be fascinating to me.
[00:24:15] Se Reed: Cause they’re mad officially about Starlink. I believe Russia is right. They said specifically you have to stop that. I didn’t get a ton of information on that, but is something, I’d like to think that the giant satellite in the sky is safe. From being hackable.
[00:24:36] Jason Tucker: there’s just a lot of them now.
[00:24:38] Steve Zehngut: Yeah.
[00:24:39] Se Reed: Cool.
[00:24:39] Steve Zehngut: what space force is for.
[00:24:41] Robert Rowley: Yeah, that actually might be what it’s for.
[00:24:44] Se Reed: Oh God. And so have you what else is the, what’s the like what are people in the security industry doing either to. To respond to this. And I don’t mean like activism or joining up to help people. For like their own companies, like what are there those best actions happening? Are they pulling, like stuff off the internet or detaching from certain countries or.
[00:25:11] Robert Rowley: They’re doubling down on all. I think the basic security hygiene is like, step one, right there, making sure that they’re aware of the assets they have accessible to the internet. They’re patching those assets. They’re patching those systems. Like we mentioned earlier, hopefully they’re looking to see when the last patch was issued.
[00:25:26] Robert Rowley: Is this project being actively updated and. Is there a known vulnerability for it? Is it, is it something that’s unfortunate that got, has a vulnerability and was never patched and they’re going to be basically redoing all that. And they’re going to get a very fast to lesson in cybersecurity if they get targeted by any sort of state actors.
[00:25:43] Se Reed: What about the government governments? Do you monitor? Like ours, like ours, like mine United States are we. Or other countries also, what are they doing? Are they like all just hiring a millions, like doubling up security efforts or they’ve already been hardening when you,
[00:26:00] Robert Rowley: I think most of the security forces worldwide have some sort of cyber like version, right? They’ve got cyber security as a concern. Unless you’re in some weird backwards country, like they know communication, internet is communicating. Communication is key and being able to secure your communication channels is probably what their.
[00:26:19] Robert Rowley: Priorities are now I feel
[00:26:20] Se Reed: it’s everything, basically. It’s everything. can take your hat off.
[00:26:24] Robert Rowley: Yeah. I get too serious there for having a cat bed on my head
[00:26:28] Jason Tucker: I’m totally going to donate some money to whatever. Cause Robert wants me to donate to, if he wears that for his next call,
[00:26:38] Robert Rowley: as long as my cat’s out of it. I get double if my cat’s still
[00:26:41] Jason Tucker: it’s like just going all crazy.
[00:26:43] Se Reed: have one more question.
[00:26:45] Robert Rowley: All right.
[00:26:45] Se Reed: Are you individually, personally, in your professional context, but are you concerned or are you well, or are you concerned or are you something else?
[00:26:55] Robert Rowley: I’ve been doing cyber for years. I’ve been concerned about stuff every day in my life. I have ulcers and stress like stress response constantly. This is a Tuesday and it was a Friday. I’m not sure what day it is, but basically this is all the same stuff for me. And it’s appreciated that more people are concerned about it.
[00:27:13] Se Reed: Is it the same or it’s just like
[00:27:15] Steve Zehngut: just
[00:27:16] Steve Zehngut: It’s more of it. It’s ramped up. Yeah.
[00:27:19] Robert Rowley: More people are.
[00:27:20] Jason Tucker: before we close out here, I wanted to make sure that we do we do mention UAA cyber help.
[00:27:27] Jason Tucker: Could you just give us a quick overview on.
[00:27:29] Robert Rowley: Yeah. Yeah. UAA cyber health is a website where people can Ukrainian organizations can request a free cyber support. So information security support for the organization, if they are in Ukraine or they’re supportive of the Ukraine, like people things like journalism is really what our target is.
[00:27:45] Robert Rowley: We’re not going to go doing a tax for anybody, but also it’s a resource for if you are willing to do. To donate resources for Ukrainian organizations. We already have a handful of cybersecurity professionals, as well as some organizations which are willing to assist. And I’ve compiled a list of a bunch of cybersecurity vendors that are basically having free services for Ukrainian organizations that need help right now.
[00:28:09] Robert Rowley: Basically they meet the the concern is yes, they may get targeted. So let’s make sure that they’re doing the best security. They have the best help people tend to, or, decades of experience giving them advice and guidance for what they can do. Those organizations can sign up there. And if you’re not one of those organizations, but you just want to help, we’ve also have a list at the bottom of the page for organizations you can donate.
[00:28:28] Robert Rowley: Okay.
[00:28:29] Jason Tucker: awesome.
[00:28:30] Se Reed: for Ukraine. My sister-in-law has worked with since far before this war, so I can vouch for their authenticity. Obviously they’re pretty big at this point, but
[00:28:41] Robert Rowley: yeah.
[00:28:42] Robert Rowley: we were honestly small in, in for the UA cyber health, because these are tons of resources are being out there. And it’s great to see. I’ve seen a lot of independent journalists in Ukraine get a ton of support already from the few that I’ve looked into. So it’s quite nice.
[00:28:55] Se Reed: That’s awesome. Thank you for being a part of that.
[00:28:58] Jason Tucker: Thank you for bringing this to our attention and that we’re able to discuss it today. I want to say thank you all for hanging out and here’s our.
[00:29:04] Robert Rowley: Yeah.
[00:29:07] Jason Tucker: Go over to court prior to this content or an apple podcast, Google podcast, Stitcher, Spotify, and YouTube.
[00:29:16] Se Reed: At your website,
[00:29:18] Steve Zehngut: Yeah.
[00:29:19] Jason Tucker: please,
[00:29:20] Jason Tucker: do
[00:29:20] Se Reed: please update your websites.
[00:29:22] Steve Zehngut: It’s time. How many times do we have to say this?