Privacy Please

S6, E249 - Hackers Get Hacked

Cameron Ivey


We explore how cybercriminals fell victim to their own security mistakes and examine major attacks targeting corporate SharePoint environments. Privacy legislation advances with new protections for children and groundbreaking AI accountability measures in Minnesota.

• Cybercrime forum exposes member data through database misconfiguration
• SharePoint under active attack with remote code execution vulnerabilities 
• California passes enhanced children's privacy legislation requiring stricter parental consent
• Minnesota Consumer Privacy Act launches July 31st with human review rights for AI decisions
• Problem Lounge studio expansion announcement with new podcast launches
• Trust and anonymity requirements in criminal digital ecosystems
• Corporate IT challenges with ubiquitous software vulnerabilities
• Growing complexity of state-by-state privacy compliance requirements



Speaker 1:

All righty then, ladies and gentlemen, welcome back to Privacy Please. Cameron Ivey here with Gabe Gumbs, as always, my sidekick, my friend, my homie, Mr.

Speaker 2:

Gumbs.

Speaker 1:

My home skillet, home slice, how you doing? It's another Friday in the world of digital nonsense, right? Preparing for an above average weekend, are you? Probably? Yeah, I mean, I'll have, we'll get on, we'll get some adventures and maybe that's above average. That's above average, I'm excited, right. Uh, yeah, um, a lot going on in the world today, Gabe, in this busy cyber and privacy world.

Speaker 2:

There's a lot happening. There are a lot of topics that are worthy of coverage, but there are a few things in particular that came up over the last week that we've been asked some questions about, so we wanted to make sure that we covered those front and center. Just bringing you the latest updates from around the community?

Speaker 1:

Yes, we are. Let's go ahead and dive right in. Hackers be getting hacked.

Speaker 2:

It's a thing. Being a hacker does not prevent you from getting hacked. No. One of the primary drivers of data breaches is misconfigurations, and it would appear that hackers are no less susceptible to such shenanigans.

Speaker 1:

Well, I mean, you know that world more than me, so let's dig into it real quick. So the first topic is cybercrime forum exposes its own members. So a well-known cybercrime forum, a place where stolen data is bought and sold, had its own massive data breach this week.

Speaker 2:

If you haven't heard, so let's talk about how that happened. The bat. My first thought is you've got some pretty bad opsec. If you are a cybercriminal and you're, like, reusing usernames and other things that are tied to your identity in any meaningful way, it's just, you know why? Because they're still human, Gabe. Uh, it's fair.

Speaker 2:

That's a fair point. They are indeed human. They are indeed human, so they're gonna make human mistakes. They do, and they made a very human mistake. They accidentally misconfigured a database and left it wide open for the world. So this wasn't a hack so much as it was a breach, and breach was a literal byproduct of just pure misconfiguration. We talk about this frequently. We talk about this to folks directly in the security community, we talk about it on the show frequently, but just the basic hygiene of configuration, as you can see, leads to even breaches for the bad guys, and so there's been a whole lot of chaos in some of those forums because it breaks a bit of the trust.

Speaker 2:

There's a strong requirement, even in the criminal world, for there to be a trust element between the administrators of these sites and the users of these sites. That element of trust is necessary both in terms of, okay, is this guy a reputable vendor? If you give this person some Bitcoin, are you going to get in exchange goods and services that you find to be worthy of exchanging monies for? The only real difference between cybercrime and sanctioned or otherwise non-criminal business activities really is just the law aspect of it. So much else of it really just translates. Trust is a necessity for successful business operations and that's really no different for these folks. Anonymity is everything in the cybercrime world, and anonymity being compromised completely ruins, in this case, this cybercrime forum in particular. How many people return to that forum? If I'm a cybercriminal, I don't go back at all. I don't even care if they tell me they fixed things. Maybe I make my way elsewhere, maybe I do, maybe I don't.

Speaker 1:

Dare I say a digital friendly fire, Little digital friendly fire.

Speaker 2:

Little little digital friendly fire Indeed yeah.

Speaker 1:

Did a robber accidentally shoot his own foot?

Speaker 2:

I think so, I think so.

Speaker 1:

I think that's what happened.

Speaker 2:

I think it happened.

Speaker 1:

Well, we'll keep. We'll keep our eyes on that one, but that's that one's. That one's funny to me, that one's funny.

Speaker 2:

Yeah, yeah.

Speaker 1:

The second topic is a code red for corporate IT. SharePoint was under attack, active attack. This past week we saw SharePoint getting attacked quite broadly.

Speaker 2:

And as most folks in the IT world know, SharePoint is somewhat ubiquitous inside of organizations. You know, one of the biggest challenges is, even if you don't necessarily use SharePoint directly, a number of other Microsoft services are directly tied to SharePoint, and so you likely have it in your environment, regardless of how intimately your organization may be using it. But for what it's worth, lots of organizations do use it quite heavily. They rely on it as a document repository, they rely on it as a core part of their overall data management strategy, and we've seen SharePoint get attacked before. Another reason why we see that continued attack pattern is, again, it is somewhat ubiquitous. Microsoft has bundled it with so much that there's a lot of it deployed, and so if I'm an attacker, it makes for a good attack surface because I'm likely to get my hands on more environments and more data, not less, just by sheer volume of users.

Speaker 1:

Yeah, so this is, I mean, this is considered enormous because it's not just personal information, this is company stuff, this is like organizations, yeah yeah, we don't see that very often, do we? Yeah?

Speaker 2:

No, we also don't see remote code execution flaws that are present in software that is this ubiquitous, right? Like the attack surface of SharePoint can't be understated. It's huge. It's not a niche product, it's massive. And being able to exploit, run exploit code remotely means that they can take full control of that server from anywhere, yeah, anywhere. That's a problem, that's a problem.

Speaker 1:

Well, this is obviously ongoing, but what do you? I mean, this is so new, I mean this coming out now. Do you think this happened a while back, or is this happening, like just this past week? This was like. You know how we hear things later on.

Speaker 2:

Yeah, I don't recall the specifics of when the patterns started to be detected in the wild, but, you know, suffice to say that quite frequently with these types of attacks, by the time we notice them, it has been going on for some period of time, right? Like even if this were a, quote, zero-day attack, the amount of damage that can be done within a day, within a week, is quite huge. When, again, the attack surface is this large, you can attack a lot of SharePoint servers in a short period of time just because of that. But, you know, since this story has been breaking, it's only been about a week so far since this story has been breaking. Yeah, well, we'll keep an eye on that one as well.

Speaker 1:

Just wanted to update you guys here. We'll move on to the next topic. So we got the Children's Privacy Act. There was a major movement in California this week. They passed a significant new regulation aimed at curbing how companies collect and use data from children and teens. So this is huge. I mean, they've been talking about this for a while, but it seems like it's not just California, Gabe, this is a national trend that's kind of going through the wave here. Yeah, it's always protecting the children.

Speaker 2:

I get it, I agree. I always struggle, though, with legislation that feels difficult to enforce. Yeah, I'm intrigued as to, in particular. So this regulation mandates stricter requirements for getting parental consent. Cool, great. How are you going to get that parental consent and validate that it was indeed a parent that gave the consent? It's another pop-up box where you simply check a box on a website. I don't think that type of enforcement really achieves the goal. That being said, it is still better to at least have the rules in place that do govern. Okay, you have that data. Now you have to take special care of that data, regardless of how that consent was granted, and that's kind of the side of the fence I fall on is I'm not particularly super anxious to further regulate how the consent is granted. I'm really more interested in what happens once the data is in the corporate hands.

Speaker 1:

Yeah, that's a good point. I also think, like I feel, like even parents, there should be no information from kids, like you, shouldn't have to give any kind of information, even if and obviously, there should be guidelines around things that are used by kids, whether it be apps or learning apps and things like that. This is such a sensitive subject because, you know, even if our, you know, let's not get into the even even the government isn't the safest place for kids. Let's be honest, even if their, their goal is to protect children's privacy. I know that the CCPA is, you know that's the goal, but I think you get what I'm trying to say. I do, I do. That's a. That's a different show.

Speaker 2:

And that's the challenge, right? Like there is the spirit of what is trying to be achieved with that new legislation. And then there is the real world. The messiness, yeah, is the real digital world. Well, a little shameless plug.

Speaker 1:

Shameless plug on our new show. I might as well. I think it's a good time. The Problem Lounge.

Speaker 2:

You're talking about digital messiness. Yeah, a little digital messiness. So we're launching, launching a new show, launching, launching a whole new podcast network. So we've been now studio, delivering studio. We've been delivering Privacy Please now for five and a half years or so, and we've long wanted to expand into some other areas. We've had a lot of requests to cover some other topics, but they don't neatly fit into this show. So we're launching the Problem Lounge studio, which will be the overall umbrella org that produces and brings forth Privacy Please. So nothing's changing there. You will still get access to your Privacy Please, but we are launching two new shows under that banner, the first of which I'm happy to announce today: the Problem Lounge.

Speaker 2:

So those episodes, I think they're going to drop the week of Black Hat, right? Like we're going to start dropping. We're going to drop the week of Black Hat, so that's August. I think the week starts on, like, the 5th. We're going to be dropping on the 6th and the 7th, so stay tuned for that. We have a new website launching with that as well too. We'll announce that website here shortly. Well, it is theproblemlounge.com, but it is soft launched at the moment. So again, don't at me, don't at me.

Speaker 2:

Yeah, yeah, shameless plug indeed, and so why don't you tell listeners what exactly is the Problem Lounge and what are we going to be covering on it?

Speaker 1:

Oh, that's a good question, Gabe.

Speaker 2:

Well, I mean the census of it is, or is that?

Speaker 1:

the right word, the consensus, the entirety of that podcast is to kind of highlight the messiness of being human in a digital world, being human in a digital world. So we're going to be covering tons of content on just, like, life, and it's still going to kind of mix in, you know, privacy and security, but it's going to kind of hit on more life situations and interpersonal, personal, yeah, yeah, versus the business topics that we cover. Exactly, yeah, we're really excited about it.

Speaker 2:

We're going to get a little looser on that show. That show is definitely. It's PG-13 if the year is 1995. The year is 2005. You know, it's NC-17. Yeah, yeah, yeah.

Speaker 1:

Yeah, we're going to be showing some stuff.

Speaker 2:

Yeah, yeah, we're saying some things.

Speaker 1:

We're going to say some things.

Speaker 2:

We're going to say some things. We're going to say some things, we're going to say some things.

Speaker 1:

We're going to keep it real and just continue to be us. So, if you want to keep supporting us and tell your friends and family.

Speaker 2:

Come support the new show. Come support the new show. You'll be able to catch that show biweekly, same place you pick up your Privacy Please. So we're launching across all the platforms: Apple Podcasts, Spotify, you name it, everywhere you go to get your podcasts, YouTube, the whole night. You can come check out the Problem Lounge there as well. We might even be on TikTok.

Speaker 1:

We'll see, we'll see. But yeah, anyways. Last topic, Gabe. Next week on Thursday, the Minnesota Consumer Privacy Act goes live on the 31st of July, and this one's really cool. There's a couple things that are very different about this law compared. It's not just a copy and paste of other state laws, so if you're a Minnesotan, hold my hot dish, you know what I'm saying. So they're joining a group of other states, of course, with this comprehensive privacy law. So it gives citizens the rights to access, delete, correct and, crucially, opt out of their data being sold or used for targeted ads and profiling. For any business that operates nationally, they now have to navigate another, slightly different set of rules, definitions and obligations. Compliance is becoming incredibly complex, obviously, because of all these different state laws. It's like having different allergies for each human. We're getting real. What's the word?

Speaker 2:

Not compartmentalized, but specialized.

Speaker 1:

I'm specialized, but, like, granular. Granular, granular. Yeah, these state laws are all getting so granular and just they have little different things about them. The notable feature for Minnesota is a right for consumers to question and get human review of automated decisions, a key protection in the age of AI. That is huge. That's a pretty big one, yeah.

Speaker 2:

That's an awesome one. Yeah, that's awesome if and when the implementation of AI expands further into making decisions for us, whether those be health insurance coverage, and that's probably one of the biggest ones, really, right? Like an AI agent makes a decision to deny or approve a procedure, for example, you should be able to question that and get an answer from a human why that is a thing.

Speaker 1:

I agree, 100%, absolutely. Well, that's pretty much it for this week, though. I mean, that's a big one, so look for that to go live on the 1st, and that's it for Privacy Please this week. We appreciate you guys. Thanks, Gabe.

Speaker 2:

Always a pleasure, Cam Good to see you.

Speaker 1:

Don't forget, everyone. Come check out the Problem Lounge, pull up a chair. Yeah, you get an exclusive early look. problemlounge.com, theproblemlounge.com. We'll see you guys soon, peace.
