All right guys welcome back to the show, Jeff, Dave we made it, we're on episode 2.
We sure are.
We're doing this thing.
It feels good
Chris Vincent - So guys welcome back to our show, this is our weekly podcast and it's our podcast where we chat about the weekly cyber and InfoSec news.
Getting to Know You
We're gonna kick off today's show with a little segment we like to call “getting to know” you and this week we're gonna talk to ourselves here, we're gonna speak amongst ourselves about why we got into cyber, so Jeff I'll start with you what got you into cybersecurity initially?
Jeff Marshall - You know really for me, I've always been interested in security and cyber security. I started in IT a long time ago when I was really young and you know really what got me into IT was more of the you know it's gonna date me a little bit but the BBS's and you know the attacks and things that were happening back then. So just kind of always been interesting to me. I've been an IT long time and it's kind of a natural progression for me it's just more out of curiosity and you know that whole unknown part of security
What keeps you engaged with it nowadays?
You know changes so much every day. It's never the same thing, so you know I can honestly say in the last you six or seven years I don't think I've had a day of rest. It's just continuous, but it's always different so it's easy to be engaged when nothing is ever the same
Sure, makes sense, Dave what about you? I know you obviously started out in the military, but I mean what got you into the commercial side of things?
Dave Norlin - Yeah well, I exited the Air Force. I went into the reserve and obviously needed to find a full-time job so…
It was this or McDonald’s?
Well yeah, I did work for McDonald’s for five years prior and I thought about going back, but no. They offered me a position at the Army, well it was called DCOD, but it was basically the incident response for all of the conus Army installations, and it was just kind of a first line analysis incident handler position and I just took that and ran with it. You know it was a giant leap out of active duty, which makes a lot of people nervous, so I kind of just took the first thing I could get. It just so happened to be that it was an excellent position for me to learn and really see security from the right perspective. Because before I worked for a base communication squadron and that was definitely an experience at the site level, but you never really had a broad perspective and working for the army really gave me that broad understanding of security especially on a technical level. So, I really immersed myself and on many late nights sat staring at packets and understanding what I would eventually go on to use here at DATASHIELD. That was mainly detection.
Detection has always been my specialty. I love writing rules and looking at packets. I think that's the interesting thing for me. When I'm not doing directorial stuff as I am nowadays, I do still love to get into the detection side and write a rule that will find something accurately with no false positives. There is definitely an art to it. It's something that I try to instill in all my analysts and content engineers. Really writing the perfect rule and you know, maybe it doesn't fire for two or three months and everybody thinks it's broken and ‘what value does this serve’, and then one day it finds that thing that you were looking for perfectly. I think that's, for me personally, one of the most rewarding things about security. - Dave Norlin
So, I'd say that's what keeps me going.
Well Dave, I've only known you a short period of time, but you strike me as the kind of guy who you know, who likes to be challenged at a high level intellectually. Like that guy if you weren't here you might be a grey hat guy out there hacking to see if you could.
Emmm, I definitely favor the blue team. I think it's an underrated side of security and everybody wants to be a hacker but…
We’ll do a segment on that.
That is a pet peeve of ours.
That's a whole episode in and of itself. No, I love blue team. I think it's, like I said it's underrated and maybe a little forgotten. As time goes on with so much focus on, you know everybody thinks they're a hacker, you ask people even here, “what do you do?” and the easiest thing to explain is well, I kind of hack, and look at other hackers. So, it's just yeah, I prefer blue team definitely.
I do that kind of facetiously with you because later on the show I want to chat about the hacker profile…
Oh, right okay.
Chris - So yeah, I'm just kind of curious. I've always been a grey guy myself and I actually, you totally strike me as a blue guy, so I wanted to see how you take that. I guess for me, and Dave I appreciate you humoring me, I guess for me, you know I never even thought about cybersecurity. I'm new to the company, I've been doing marketing forever and you know DJ, one of our colleagues for the listeners out there who runs sales here for North America, he came to me and said 'work at DATASHIELD because cyber is such a growing industry'. I sort of stepped back and I go ‘yeah you're right’.
There's a lot of burgeoning technologies right now, like self-driving cars, Bitcoin, whatever you want to look at that’s new. But the landscape for those industries is kind of uncertain. We don’t know if they are gonna be up or down, the volatility is unknown, but I just don't see cybersecurity from an industry standpoint really going away. I see the need for it only increasing. - Chris Vincent
Jeff - Yeah quite a while ago, you know some of us may be familiar with it but being a defense contractor was a big thing. Everybody wanted to be involved in you know developing weapons or you know military things and now cyber security is everywhere. I think eventually it will be integrated into everything everyone does but you know as of now it's continually growing.
So, I think for me I was like yeah ‘If I'm gonna get involved in an industry, it seems like the right one to be in’. So anyways enough about me. Let the experts talk more about cyber. All right guys let's pop in and talk about news of the week.
So, I want to ask you guys that and I want to talk about it because an article popped up on my radar.
Headline #1 - Cybersecurity Programs Mushroom on Minnesota College Campuses
“Amid a steady drumbeat of headlines about major data breaches, Minnesota campuses are rushing to train professionals who will guard against cyberattacks in coming years.”
And so, I'm guessing this is happening note just in Minnesota, it's probably happening all over the country.
Yeah, it’s right down the road.
Jeff- In fact ASU, right here near and dear to our hearts, is a very large university that has done a great job of building a cyber program and starting to train professionals. We have some smaller colleges here doing the same thing. You know if you look at the industry statistics there are so many unfilled cybersecurity jobs right now and most of it is just because people aren't trained well enough and people have high expectations. So as you go more and more it'll be scattered through more and more top campuses and again I have a big driver in this myself where I think we need to start even at that younger level and start with high school programs but you know I think education is the key right now educating people more and more.
Right I mean the market, we have a negative unemployment rate right, because there's more roles and there are people to fill them.
And so, I heard that here, and maybe Dave you can speak to this, because I've heard that we have one of the better retention rates. I know it sounds like an infomercial all of sudden, but I've heard that it's of one of our core strengths, being able to retain people because it's tough. The market is so lucrative right now for an analyst you know.
Dave - Yes its definitely a challenge to find the right people, but we definitely hire for culture that's a big part of how we pick analysts and really any position. I think for a long time it's been kind of a wide-open field. That basically anybody could get into cyber if they were interested and have the aptitude and started studying and going down that route. But I think a lot of education programs have kind of corrected that in a way. They saw the opportunity and they realized that a lot of employers weren't able to find the people that they were looking for so that's why you see all these programs springing up.
Jeff - Personally you know I'm big culture person. If you can find the right people, intelligent people who have the ability to think articulately and learn and think outside the box. You can train anybody into cybersecurity. You know we take that approach. We hire very good seasoned security people from three-letter agencies and from Fortune 500 companies and then we have some lower-level people that we train up. You have to be willing, otherwise they'll never get there.
Dave - Yeah, could be that some days, just because of various forces within the market, that you're not able to find the person you’re looking for. And it is the reality of security, sometimes you do to take chances on people, and you give them a chance and you know if you have the right environment, they have the right amount of drive then usually they’ll succeed.
What would be a tip to a young person, along this same topic line? Someone who's thinking about going in the cyber security or someone who's thinking about majoring in that or taking a graduate level of that it. What would be a quick tip for them? What should they look for first? Are there certain certifications that they should be looking for that kind of thing? Jeff, you hire a lot of people, what do you look for when you see these guys and girls right out of college? What are you looking for on their resume, I guess?
Jeff - You know that's the thing. When they're right out of college, we have a perfect individual went to ASU through the program, didn't have any certifications but you know the way you interview these people have to be different. You have to interview understanding that they can get there but they're not there yet and you have to build both an internal and an external training program for them. You have to send them to some training, you got to have internal training, you got to give them the knowledge. We do a lot of ride-alongs with our L1 analyst with L2 analysts to try to get them you know up to speed on specific things. Really, I think it's, be different, standout show… you know resumes, I've looked at so many resumes, you start to you start to go numb to looking at resumes. But for me it's really makes sure the details there. When you write your resume read it over and over again, make sure it reads well, make sure it has the right articulation of your abilities outside of just technical and for heaven's sake everybody use spellcheck.
I'm guilty of that as well. So, you're saying, I guess it to sum up - details in the resume, stand out in the interview.
Okay cool perfect. Dave, have anything ad add on that?
Dave - Know packets, study packets because we give everybody a packet test. Packet analysis is the lifeblood I think of security in a lot of ways. It's literally how information travels over the network and the more you look at packets the more you'll understand what programs and what applications send them and why and how. So, I think if you know that you will stand out considerably.
Jeff - Yeah, I think network security is kind of missing in a lot of these programs, they're teaching ethical hacking skills, they're teaching maybe policy and procedure. They are not teaching true networking which that makes every IT job better, not just cybersecurity, it makes you know help desk, the more network knowledge you have the more you understand the fundamentals of how things work and why they work that way.
Dave - Yeah if all you did was open up Wireshark on your desktop and just started looking at packets and took every request step-by-step, you would know more than a lot of people who are supposedly in security.
Probably to be honest on your resume, right?
Yes, honesty is important.
Chris - That would be my tip even though I don't hire any analysts, because it’s a different industry but I remember I did supply chain in school. When I went to work, I was interviewing, and I was really good with Excel. I still am okay at Excel, but when you're an analyst you have to be really good at pivot tables and crunching data, running formulas and stuff. I remember they were doing mass interviews on campus at ASU. I think was Ferguson or one of companies was like ‘you know how to use pivot tables?’ that’s what they would ask the people and people were lying. Then the interviewer would turn their laptop around and say, ‘okay show me how’, right there on the spot.
Jeff - So yeah interviewing is tricky. I mean you know everybody makes mistakes with hiring people. I mean we've hired people that have supposed twenty years of experience and then they can't type on their keyboard. I mean it happens, you know I think developing the right interview strategies, understanding their thought process and how they work through problem solving and you know it goes a long way in understanding whether they can truly do it. But yeah people don't lie on your resume please.
Yeah, no you will be found out some way or the other right.
Well cool, shifting gears guys into the next headline here...
Headline #2 - New Phishing Campaign From 'FBI Director Wray'
So, I had to put this one here because it made me, look because I get phishing emails all time right and…
I prefer the ones from the Prince of Nigeria that's gonna wire me a ton money…
So, let me read a couple quotes from this, well my favorite is it's from the email address, the one its spoofed from is official FBI director at usa.com.
That sounds legit…
It's probably USA Network, they probably own that domain. This is my favorite line from there…
“We the Federal Bureau of investigation (FBI) through our intelligence-monitoring network have discovered that the transaction that the bank contacted you previously for was legal.”
That's a good one, that one and then well I got a read one more sorry, this cracks me up. So, the other one that came through, hold on let me get here, this is some good podcast, but we'll edit this out in post.
He says the FBI, I'm not gonna edit it, just kidding this will be in the podcast. He goes ‘FBI is seeking to wiretap Internet’ so as the article wrote that's a big wiretap.
You know that's probably real right
Yeah, they are probably really doing that
Jeff- You know we look at millions of phishing emails a year between all the customers that we have, toolsets internal, I mean these things just get sillier and sillier. The thing is though that people fall for them. I mean it's legitimate, we have people who come to us, we have current customers, they get hit with these things. Sometimes they get through all the defense they have, and you know people click them. Or people send money, or people you know download the file. I remember when I was younger, I had one that they sent a spoofed one for me to my parents telling them that I was overseas and [unintelligible] away and they want to send money and luckily, they got ahold of me. I think my stepmom probably would have wired the money to them. So, it happens.
Yeah, I mean the last time I heard from the FBI director he just picked up the phone to call me.
Chris – So the reason I wanted to talk about this today, obviously this one was poorly written right and it probably didn't work that well. It was in the news and I wanted to really talk about it because you know I've almost got caught on one back when I was renting out a condo. I had one that was really extensive, ‘I'm gonna rent your condo out’ it was really well written, good English and then we got to the end and she was sending photos of herself, that was like you know I was young guys so I kind of fell for it. That was the first flag or should have been for me, ‘why is this girl sending me photos and why is she so attractive?’
I should have maybe thought first and then it got to the end and it was I need you to send me money before I give you a rent right. Then my red flag went off and I’m like this is a phishing scam…
You're like oh my god I spent a year of my life getting catfished!
Catfished hard right, and I've heard of the parents ransom one a million times, so like from a cyber standpoint, they obviously work right and a lot of them are well written so…
User education is key. I mean the end users are now, and will always be, the number one problem from an organizational standpoint. - Jeff Marshall
Without good training, good teaching lessons, and doing it the right way. You have to have the right policies, procedures, security awareness training, and practice your phishing exercises.
Dave - I think one of the things that always helps me, and this is going back to even when I was doing analyst work full-time, just take a giant step back and look at the contents of the email. One I'll never forget, a company was in a heavy industry and they received an email from another foreign company that was also in a heavy industry. But, the sender of the email, supposedly was like the CEO, and this was like a gigantic state-owned corporation in another country. They sent it to us asking if it was malicious, and I just had to take a giant step back and put myself in their situation and thought “would this low-level person at this company, receive an email from the CEO of a gigantic foreign multinational corporation, and expect to get that”. That’s my advice to people who get phishing emails, or you get something that that's unusual. Open Microsoft Word, or whatever you choose to write it down in, type out this thing that you think you received, and just look at and imagine if it's real.
Jeff - It sounds like a lot of work Dave
Chris – Just copy and paste it in...
Dave - Whatever tactic works for you. But I think if people just wrote it down and imagined if that were actually happening, I think they would see that maybe the majority of these are too good to be true.
Jeff - There's still the very tricky things, that are business oriented, that get past or get tricked. I'm big on education. I think education is a big key portion of this. Especially anybody who touches sensitive data, touches money, or admins for executives. I was at an organization where the admin actually did something with an email that came in and compromised the executive’s accountant because she wasn't trained well.
Chris – So I got to a couple points here. Dave, 100% you're right, and the thing is a lot of people get into fire drill mode. They go, 'oh this is from the CEO they gotta run'. So, I agree with you. And Jeff, to your point we see that even today. We've seen it was the CEO’s wife who got compromised. We’ve definitely seen that. I have two questions for you guys on this, because this is educate Chris segment here. So, number one, we have the tools, the email tools that are out there, the security tools. The Mimecast, the Proofpoint, and Office 365 has some stuff built in as well. How much of the heavy lifting are they doing? Obviously, the user has to do some. But that's where the failure mode always is right. Howevver I really want to know how much of the lifting those tools do? I’ve seen the infographics and I’ve seen some of the stats. But when it comes down to these phishing emails coming down the pipe, is Mimecast, Proofpoint, and these guys, are they doing what they say they’re doing?
Jeff – Yeah, they're doing a good job. This is kind of like cloud security right.
Everybody's afraid of the cloud because of all these cloud breaches. Well the cloud breaches are occurring because people aren't doing their due diligence to secure their cloud. So, anything that you put somewhere, or configure, you gotta put security into it. I think Mimecast and Proofpoint do a fantastic job of getting all the low level, basic stuff – impersonation, having good threat intelligence in there. The part that they won't fix is the stuff that does get through, you still gotta educate users. That's a big key for me. - Jeff Marshall
But I think if you look at your email server, if you just have an exchange server up or any email gateway is better than none. But some of these guys spend a pretty hefty amount of money making the products, hopefully, as dummy proof as possible for your end-users.
Chris - So when you say train the users too, I'm curious, does that have to always be internal? Do you hire an outside firm to do that? What's the most effective way in your opinion?
Jeff - You can do it internal, if you've got the staff to do it. If not, you can outsource phishing and the education, the testing, the phishing simulations, the reporting. That can all be outsourced if you don't have the staff to do it.
Chris - Before I started working here, I was like, yeah whatever there’s phishing emails. I didn't really realize until I started working here how much this impacts businesses every single day. Is it in the top five of where the entry point happens at?
Jeff – I can tell you that across our customer base, 60% of all actual infections, breaches, whatever you want to call it, that we investigate, are phishing related.
Dave – Yeah. It’s easily the best way to attack an organization. And it's also, from a difficulty standpoint, it's probably the easiest. Because you don't have to attack some kind of web application or some kind of database. Really all you need to do is send an email. You could even use your own email client. It’s just the matter of crafting the message in a way that will solicit the right kind of response out of the target. And in a lot of ways you don't even need an email to do it. You can pick up the phone. If you are able to call the right person, and sound confident and present yourself as someone who they're either expecting to hear from or think they might expect to hear from. Or if you get the right kind of emotional response. Then it can be done.
Chris – Interesting. Almost like the PBX hacking that I've been learning about recently… There's more than one way to skin a cat.
Jeff – Way back in the day it was very easy to con and convince people over the phone. I think that's getting less and less often, but it still happens. We'll have to do a segment some time on that, Ben Johnson, who's our Chief Security Officer, he's got some very good stories about social engineering and getting into buildings that you're not supposed to.
Chris - I'm trying to rope him in here. But whenever he sees me; he avoids me. He runs the other direction.
Maybe if I take my hair out of a bun and let him know I'm a long hair guy with him.
Jeff – That might help.
Chris – Okay cool. I wanna talk about phishing, but we can get into that on a later episode maybe. We talked enough about that part for today's show.
Headline #3 - Docker breach of 190,000 users exposes lack of two-factor authentication
So, this one just popped across my radar. Jeff you sent this over to me. The Docker Breach. So, let me do a little read off on this.
"Docker has asked 190,000 developer users to change their account passwords after hackers gained access to a database containing personal data. According to the advisory on the company's website, the incident happened on April 25th and went for a 'brief period' attackers accessed a single Docker Hub repository used to store the accounts."
So basically, they got everyone's information, and this exposes a lack of two-factor that's going on in organizations.
Jeff - We talked about that a little bit last week. I think if a site doesn't support two-factor then they're behind the times. Docker hubs always been kind of a sketchy, iffy thing, in the first place. I mean docker is fantastic. I really believe in docker. I run a lot of docker stuff at home and for different projects and things. It's a great platform, but basic hygiene when it comes to portals and access, two factor should be a part of that. Whether SMS text and email is a great form of two-factor or not, it's still better than nothing.
Dave - I think the scary thing is, how many people are going to see this? I mean obviously this is in a security community, it's gonna reach a wide variety of users and people who hopefully will read this. But inevitably there will be someone who doesn't see it, and if you consider it's just a hundred and ninety thousand different users, presumably, who are developers, that's an enormous attack surface of companies who might now be affected. I think there are a lot of implications for this, and it sounds to me like a supply chain attack in the making.
Jeff - Yeah, I think it's interesting too. Open-source is always one of those areas. I mean open-source adoption has been getting better and better and better over the years. When you've got a tool like Docker who now is across every cloud platform, it's across every SOAR and automation initiative, you know everybody's using Docker. Recently they had an API issue - I know that that they ended up patching. But when you're relying on open source as a company, you have to ensure that you're tracking, and keeping track of these things, and that you know where you're putting your information and your data.
That's back to the hygiene thing, right? You always have to make sure that you're clean, or at least clean as possible.
Headline #4 - ProfilingHackers: Defining the Good, Bad, and Ugly Personas
So, this is the last part guys. This headline came out this week from Readwrite.com. They were doing a profile on hackers. They call the good, the bad, and the ugly personas. I just want to chat about this a little bit. We were joking on the top of the show Dave, about how everyone thinks they are a hacker. But I wanted to kind of break down the different hacker categories based on this article, and sort of get your feedback. And tell me where you would be. You're already a blue guy, Dave, we know that. So, it's funny too, this terminology gets used in in marketing as well. I've been using this white hat, black hat, grey hat, for years. It gets used across the board.
So, there's what they call the hat hackers.
Where you have your white hats, these are your good guys. They're hired to protect an organization, and they look for breaches and vulnerabilities in the process. I mean technically, do you guys think that you are white hat hackers then since you work for an organization?
I’m gonna say no.
Jeff - You know this kinda goes to the team mentality right. You’ve got the blue team, the red team, and now they've added the purple team in there. Labels are labels, I guess. It’s good versus evil, like any good story.
Dave – I think it goes back to people not wanting to be on the defense. People want to feel like they're on the hunt for something. It makes blue team a bad word.
Jeff - I have a great blog article, maybe I’ll have you throw it up there. [READ IT HERE] But I think in today's world, everybody sees the word hacker, and all they envision is the CSI shows and different TV shows where these people are pounding on keyboards and things are flying across the screen and they're enhancing video images of people's license plates 7,000 feet away.
Do you guys remember that 90's movie, Hackers?
Oh my god. My buddy that I was telling you about, Alan. We used to laugh, because I was in basic CSS class, and he was already way more advanced than me. But we'd watch movies like Swordfish...
Thats a great movie...
They’d be showing him hacking, and we would be like 'that's not a command that exists in any language'. There’s just random stuff on a DOS screen, you know. That's what the Hollywood version of hacking is right?
Okay so the next kind of category that they had is the blue hackers. They’re hired to test software and look for bugs that could create vulnerabilities.
Dave - This is always just called QA to me. But now it’s blue hat hacker.
Jeff - I actually have never seen them put blue hat on something. Usually they just say white, gray, or black.
Chris – Same. What is that? Is that them just trying to be sexy? Is that what that is?
Jeff - I think it's, everybody wants more labels to things. I think they're just trying to expand the label set.
Dave – They want to feel better about themselves.
Chris - So then there’s gray, who are challenging their own abilities without ill intent. But that’s a gray area.
Jeff – You’ve got the security researchers out there who port scan and do various things on random people and stuff. I mean that's why they call it grey hat, that kind of grey area. I guess you could say everybody in here are white hat hackers based off these labels. But it’s kind of a pet peeve of mine. Every time Dave and I interview people the first thing we usually hear when we say where do you want your career to go or where do you want to be, I'd say 99% of the time they say Pentester. If they don't say Pentester, I hire them immediately.
Dave – The one guy that I can remember that said that. He hired. I think pretty much on those grounds.
Yeah, it’s great to be a Pentester, don’t get me wrong. It’s fantastic skills. It's needed. We need to test and test and test the fine things. But we call ourselves the detectives of the network. So, we're really going to different lengths, than a white hat hacker, to find the things that are occurring. You still need both sides. Which is why now there's the coined purple team. So that you’ve got somebody who sits in the middle to help both sides. - Jeff Marshall
Dave - I have another set of thoughts on the Purple Team. But, yeah.
Chris - That's your new nickname. Jeff Marshall, Cyber Detective.
Jeff – Hacktivist. That's an interesting one. I worked at Koch Industries, and that was their number one concern, were Hacktivists. You know they had anonymous shut them down for a while. People protesting outside. Various different things like that. And Hactivism, that is a whole other level.
Chris - Is that grayish then? That’s black right?
Jeff - I guess in mentality it's grayish, but they are causing damage. Yeah, they're causing damage in a lot of cases.
Chris - The article kind of went white, blue, gray, black. Gray’s weird too, I just wanted to add on to gray. I've done gray marketing for a long time. What I found is, it works in the short run, but it'll bite you in the long run . And that's the mentality with the gray, I think. But yeah, the Hacktivists. Let's jump back to that. That’s interesting with Koch right, because they're kind of considered the evil conglomerate with Anonymous and all that. I mean is that more prevalent nowadays? Wasn't there just an article recently about anonymous spin-off going after a foreign government? I mean that happens regularly?
Dave – Yes. This constant. When I was in working for the army, they were always concerned about that. Because a Twitter account for a various agency or individual might be hacked, and then you have all kinds of propaganda posted by whatever middle eastern group. Same thing with some of the assets at the time, that they were just concerned about that being compromised and then, being used to host those kinds of propaganda messages for whatever the organization wanted to promote. So, it is a concern.
Chris – Would we consider like Russian troll farms to be the Hacktivists or the black hat?
Dave – Depends on your point of view, I guess. Depends if you're sitting in the Kremlin or not.
Chris - I like how the mainstream media, not to go political, but just to stay down the line. They always focus on the Russians trolls. But, isn’t there more Chinese troll farms that I’ve heard of?
Jeff – So this is an interesting one to me. Because the two biggest targets you always hear about is China and Russia. Right. Now you're starting to get some spring cleaning of North Korea and Iran. Israel kind of plays the good and the bad. But the reality is, every government is after every government. I've been in the situation where we actually had stuff come from a different government, of a country who's supposedly a friendly country and I think it's wider spread than people think. There's just that known focus on Russia and China, for various different reasons.
Dave - You don't think we're conducting our own cyber operations? And that Great Britain isn’t doing their own cyber operations? Every other country is of course doing it against everybody else, because that's what countries do.
Jeff - There's jokes about it. Movies about it. But it really is just as much cyber warfare as it is physical warfare.
Chris – Interesting. So last thing on this. And we can probably close it for today guys. I want to know what are script kiddies? Did you guys read that in the article? What is that? It says they are graffiti artist for the cyber environment.
Dave – That’s a way to put it.
Jeff - I guess you could calculate a lot of people early in their career, maybe we're kind of messing with some of this stuff. I know I was as a young kid. But really the script kiddies are the people who just point predetermined things at things, and hope it happens. They're running other people's tools and scripts. And they're really just trying to take things down, or you know do it for monetary gain.
Dave – I watched a great short biography. And for the life of me I can’t remember the name of it. But it was about a whole town, I think it was in either Croatia or Romania. And every single one of these people, it was like completely normal people, it was a little farm town, and they were all running these malware campaigns because it was a lucrative thing that was keeping them afloat. It was actually providing them a decent lifestyle, as opposed to becoming these subsistence farmers in an ex-soviet country. So, it's kind of a fascinating thing. The mindset that drives people to embrace these really prepackaged off-the-shelf malware and exploit kits.
Jeff - I mean it's really as easy now as, if you're some gang or crime syndicate, and you want to get into cyber. You go to a website, put a stolen credit card number in there, and download your pick and choose malware banking Trojan and start emailing it out to people. And some of them you can even pay them to email it out to people. Any time there's monetary gain in something, you're gonna have every type of person trying to get it.
Chris - Like the Anarchist Cookbook - cyber version.
Jeff - Yeah
Chris - Well that's cool. Guys, I think that’s all the time we have for today's show. Thanks for joining us. And check back, subscribe, and we'll see you guys next week.