This week on the podcast, we cover the National Public Data breach that may have leaked every American's social security number. After that, we discuss research from TALOS on how attackers can abuse Microsoft applications on macOS to gain access to your camera and microphone. We end the episode by discussing recent research on how attackers are attempting to evade Endpoint Detection and Response (EDR) tools.
View Transcript
Marc Laliberte 0:00
Hey everyone, welcome back to the 443, security simplified. I'm your host, Marc Laliberte, and joining me today is
Corey Nachreiner 0:09
John Corey, social security number 556, 4287 21 Nachreiner, public now, although I did lie to
Marc Laliberte 0:24
today's episode, we will just be discussing the data breach that may or may not have leaked every single social security number in America. After that, we'll go over some research on how Microsoft is exposing you to risk on Mac OS, and then we will end with additional research on threat actors attempting to kill EDR technologies on the endpoint. With that, let's go ahead and, oh, man, I don't even know, breach our way in, super dumb hack our way in, leak our social security
Corey Nachreiner 0:58
numbers, our way in, feeling Monday is just crawl our way in. That sounds good. There's too much going on. Let's do so.
Marc Laliberte 1:15
Let's start with the first story for this week, where this one made some pretty big news, actually, over the course of, like, the entire first week of August, I think is where I started seeing it percolate up. But basically, earlier this week, a background check service called national public data confirmed that a unnamed attacker had breached their networks and stolen a database containing hundreds of millions of social security numbers and other sensitive data. This all started back in April when a user under the name us DoD posted the database for sale for three and a half million dollars on the breached underground forum. But it was re brought to the surface earlier this month when on august 6, a user called finice posted the entire database for free on breach forms. The collection contains everything you'd expect from background check services, like names, addresses, family relations, biometric information, like eye color, height, race, social security numbers like literally everything to the tune of like 2.9 or 2.7 depending on your source, billion records in this collection. We should
Corey Nachreiner 2:25
stop there just for a second, because my understanding is I don't understand why, because national it seems like it would be limited to the US, but I've seen some stories that say this includes UK and Canadian citizens too. But either way, just to get to that, to that 2.9 or 2.7 billion number, there's only about 333 million people in the United States, including kids. I think there's something like 40 million in Canada and 60 some million in the UK. So all together, I think that adds up to approximately 440 million records. So I just want to bring up that that 2.9 billion, even if it includes Canada and the UK, has to have a lot of repeated information, and it might be the same field for every address for one person, or something like
Marc Laliberte 3:20
that, I'm impressed. Corey, within 30 seconds, you've brought more accuracy to this than a lot of online news publications that were reporting on it. Like you pointed out, there's a few that I saw over the course of the last two weeks where they were saying it was 2.7 billion people, and a couple of them even said 2.7 billion Americans, which is impossible if you exactly understand anything about the US population size, like they would be implying that what like every generation dating back to, like the founding of the country, even then, actually, that's a good any history majors out there. How many weeks 2.9
Corey Nachreiner 3:58
billion? How many generations back do you need to go back for that many Americans? I bet you, we haven't even reached it, because before we took over this country, you know, the Native Americans were pretty wide spread out for their population, and it would only have gotten smaller and smaller as time goes back.
Marc Laliberte 4:16
Yep, exactly. And so you are correct on that one. It's not two point whatever billion people, it's two point whatever billion records. And as you're showing on the highlight there, the famed like security researcher slash breach expert Troy hunt even wrote a pretty long form blog post on this. There are a few takeaways from his like, he found 134 million unique email addresses. But he also pointed the majority of the records didn't actually have email addresses in them too, so there were even significantly more records. But like looking for just his name, he found like hundreds or 1000s of records of just like Troy hunt everything, including like previous addresses, phone numbers, things like that. So. So all of those add up to a massive number of records for a smaller subset of people.
Corey Nachreiner 5:05
And I feel like a so what here, although that is 134 million email addresses Equifax, if I if I should do a look up to find out for sure, but I think it was something like 130 435, million social security numbers that Equifax leaked a long time ago was that in like 2017 2019 but either way, you know that data from Equifax, here we go, 2017, I guess they say 147 million social security numbers, but that, if you think about about approximately 333 US citizens, and you get rid of the children, they already leaked all our social security numbers a while ago. So, I mean, I hate that this data is out there, but in a sense, I feel like this is data that's been out there for ages, like if you if you thought you had privacy, you should have known better from at least over a decade ago, because all of this stuff is leaked over and over before, I will say having all your previous addresses in one place might be useful to identity thieves. So there might be extra useful stuff, but everything to this speaks to identity thieves having information, and hopefully you mitigated that a decade ago by freezing your credit.
Marc Laliberte 6:30
Yeah, and so I think you have a good point there. The difference that I've seen is, well, it was 140 whatever million Americans for Equifax. This one, they're claiming is just about every social security number ever in the US is included in this set. So 134 million emails, but there's always an email to social
Corey Nachreiner 6:53
security number. So this should have about 333 million social security numbers, if that is true,
Marc Laliberte 6:59
potentially more for deceased people. I'm assuming that's a good point. So there's, like, a few other things, like, first off, NPD finally did, or national public data finally put out a notice to, I'd say, their customers. But in this case, it's not even their it's not really their customers. It's the people they've collected information on that their customers will then use to do background checks. But they said that the incident occurred in December of 2023, they were became aware of it in April, and it's just now in August that they're disclosing that this breach had occurred, which is not ideal. This even before the august 6 posting date by finice. There's actually a class action lawsuit filed on october 1 that claims that NPD and their parent company, Jericho pictures, basically failed to adequately, adequately protect the PII and failed to provide victims with a timely notice. There was actually a lot of really interesting stuff from that lawsuit, like enough that I think it's worth talking about. First off, they had an entire section of basically the stuff you and I, Corey are going to talk about in a few minutes of, like, what could companies do to protect against breaches? They had literally, like, four and a half pages in this class action lawsuit, basically saying, here's all the things that national public data could have and should have been doing to prevent this breach, like everything from, you know, security awareness or spam and phishing filters and patch management is like, there's actually some pretty good security advice in this class action lawsuit, which was interesting. But So the really interesting one, at least interesting to me. Maybe you have a different take on this Corey. But in their damages, they listed out the obvious stuff, like, it's gonna cost time and money for victims to react to this and like, implement identity theft monitoring services. Like, there's both the cost of those services the time to set them up, the cost of future credit monitoring, things like that. But they had a really interesting takeaway in the as a damage that they're trying to seek money for. And so it was on page 25 of the actual notice, and the section was titled diminution, diminution. I think that's the right word, a value of PII. They basically say PII records have value. They pointed to, like a research study from 2009 from InfoSec Institute, saying that they can sell for as much as $363 a record. They pointed to, there's both illegitimate and totally legitimate marketplaces for PII. Like in 2019 there was a report that the data brokering industry was worth $200 billion and they're arguing that the plaintiffs in this case, the value of their PII has been damaged because it's now been leaked out there totally I thought that was an interesting take, basically saying, you know, if I were to want to sell my own PII on one of these marketplaces. Is I would now get less money because it's all out there. I hadn't heard that argument. I'm sure it's been in a lot of data breach lawsuits, but that's the first time I had actually read through one of these and seen that. And I don't know, I thought it was interesting seeing people acknowledge that our data is worth money, and when a threat actor steals it and leaks it, technically, that's money maybe we could have gotten. Yeah, I
Corey Nachreiner 10:22
thought, by the way, the diminutive, I don't know if that I thought you the other thing I feel like is the value of elite information drops over time, meaning, if they have information of for me, at a certain time period, 10 years later, that is less valuable information. So yeah, but it is interesting, by the way, I'm not trying to harness the value of my own PII. I'd rather just keep it private if that were actually a possibility, although I don't think it exists anymore, but you didn't
Marc Laliberte 10:55
exactly have a say in national
Corey Nachreiner 10:58
No, no collect. No one does. And that's, by the way, the fact that this is even legal and we're not their customers, and yet they're gathering all this information. I did in one of the articles I [email protected] someone seems like they've hosted this database where you can search your own name if you want to. One of the interesting things, by the way, is, well, my name, it'd be interesting to see if anyone could even do it right. But my name is in this database. Things like the date of birth are not exactly right. And the other interesting thing is they don't have my current address. This would be great for me to remember addresses I had long time ago that I've forgotten about, but interestingly, it seems to be five or six years out of date. The information that I found,
Marc Laliberte 11:51
both VX underground and Troy hunt both pointed out the same thing too, that it looks like this may have been like an archived, older database and not necessarily their most recently fresh data. There was also a lot of really, like, raw and probably unvetted records in there too. So, like, it sounds like this is, I wonder if they're gesture. Oh, good.
Corey Nachreiner 12:15
I was gonna say, I wonder if they just pulling from public sources and other databases, because I often lie about my date of birth if it's not, like a legal form, if it's someplace where they're just asking me to put something. So just based on some of the things that are slightly incorrect, I wonder if what you know, I'm sure they're gathering this from all kinds of different publicly available record we can't forget just like our address and stuff like that. Every time we make a home, you know, we buy a home, that kind of data is actually public. So there are places to get this information.
Marc Laliberte 12:52
To your point, I think if anyone ever breaches like Steam, the video game service, they're going to see that my date of birth is, like, 100 years ago, because that's just what I select from the drop downs by default.
Corey Nachreiner 13:02
Yeah, anyways, I cut you off on a thought.
Marc Laliberte 13:07
I've since lost that thought, and so it must not have actually been important. But like, the last takeaway from this, and it's something you know, I've discussed a few times, but it really feels like actually two takeaways. First off, I think this is just absolute proof that we need privacy regulations in the US. Like, if a company can go and collect all of this data against our will and then leak it out, all of it because of a cyber incident that proves there aren't enough incentives and controls around protecting that data within the United States. And agree, like, if this had happened in Europe, that company would most likely no longer exist from the lawsuits and the regulatory fines from the EU, thanks to GDPR, yeah. The second point, though, is it really does feel like social security numbers as a authenticator, it's it's over.
Corey Nachreiner 13:56
It never should have happened in the first place, but I don't understand why it wasn't over 10 years ago. I don't understand why hospitals in particular are the idiots who keep on trying to use them. Social Security number is a meaningless validation that no one in their right mind should ever use to validate a person. I couldn't agree more, and they weren't created for that in the first place, which keeps being repeated over time, and yet idiot companies continue to still use them as a validator. I
Marc Laliberte 14:27
mean, weren't they literally printed on, like, military IDs until just a couple of years ago, like, front and center on them, like it's it was never supposed to be a authentication factor for someone. It's just a national ID. And
Corey Nachreiner 14:39
if they want to do that, they need digital versions of that, and losing yours would be a big deal. The problem is, like,
Marc Laliberte 14:46
what is the replacement solution for this? Like, some form of, like, I like, once you've the government has validated your identity, maybe you get, like, your driver's license, has some cryptographic
Corey Nachreiner 14:57
driver's license or a pass. Passport. I mean, it's what we do in our passports, but it has to be assigned to people at birth and follow them. And maybe they have to update them every 10 years to get a new certificate from the government, but they have to be followed. Have to have smart processes for being lost and revoked. Does
Marc Laliberte 15:17
everyone just get like a YubiKey at birth now and then that's what you use to authenticate and sign up for credit cards. I
Corey Nachreiner 15:24
don't want to give you bikia free money for the rest of their life. I think it can just be a NFC inside of ID or something like that,
Marc Laliberte 15:34
but like something other than what
Corey Nachreiner 15:37
is it? Something that has a digital key pair? Yeah, and you get yours when you're born that your parents will hopefully take care of.
Marc Laliberte 15:47
Either way something's gonna change. Because, like you said, like my credit is just permanently frozen now, and I unfreeze it for 48 hours if I do need to go do a credit poll somewhere, it is
Corey Nachreiner 15:57
irritating. I like that they have the one or two week option when I don't know exactly when someone's going to do a check. But yeah, I did. I like in this day and age, I just don't think you have live credit. Mine is frozen all the time, and I have to go to and really, this is another that should be regulated. Why are there only three different places that have this type of validation? And if there are three different places. Why do I have to go to all of them to unfreeze there should be some coordination among them. The government needs to step in. And frankly, those credit agencies were the ones that started all this leaking, at least Equifax, so they screwed up on our behalf a long time ago, which we had no control over. So I it was really irritating that we have to use them to protect ourselves too. When they don't have any regulated, easy process, they're all different.
Marc Laliberte 16:51
Should run for president, or maybe like President of like the consumer, whatever Bureau to at least make some of these changes.
Corey Nachreiner 17:00
It'd be nice. I don't know if I'm the right person to do it, but, man, I'm sick of it something. But yes, free. I mean, the takeaway is, freeze your credit. It sucks. It sucks when you want to take out a loan or get a different credit card, if you're established and not young, it's less a big deal because hopefully you're not doing that often, but it's worth the pain in the ass with all of this data out there, 100%
Marc Laliberte 17:25
so moving on, there was a cool research post that came out literally this morning as we're recording this from the folks over at CD Talos, where they posted a blog describing eight vulnerabilities in Various Microsoft applications for MacOS that could allow adversaries to gain the app's permissions, including things like microphone access, camera access, file system access, or even sending emails on the victim's behalf without them knowing. So they started by going over how MacOS does permissions. They call it the transparency consent and control or TCC framework. If you've got an Apple computer, you've definitely seen this before. When you launch a new application, little
Corey Nachreiner 18:07
screen in teams or in, I don't know, VNC or something, or, yep,
Marc Laliberte 18:13
really, any they've got a list of like, sensitive resources, and if a application requests access to one of those resources, you'll get a little pop up where you have to explicitly provide consent for that application to access that resource.
Corey Nachreiner 18:28
No, hopefully apps are not often called malevolent apps, as is the example in their
Marc Laliberte 18:34
blog, exactly
Corey Nachreiner 18:38
something weird is going on.
Marc Laliberte 18:41
There's a whole list of these resources, yeah, at least it's malevolent. Under your security and privacy settings, you can see all them. It's things like microphone and camera, screen recording, file system access, Bluetooth, mail, yeah. Even like accessibility, which is a pretty powerful one, too, all of them are things where you have to explicitly grant permission to an application before it can access that resource. Now, when a user grants that permission, they either do it by hitting allow on that pop up, or by going into the settings and toggling the little toggle box for it that then allows that access to or that app to perpetually have access to that resource. One other bigger background information on macOS apps, especially ones delivered through the app store, they require something called sandboxing, where basically these sandboxed apps have a manifest of what are called entitlements. Those entitlements are things like com, dot apple, dot security, dot device, dot camera, which says this app is entitled to access the camera. These manifests of entitlements are notarized by Apple, basically cryptographically signed once they verify the app doesn't have any malware in it, and only after then are they allowed to be delivered through the Apple Store. So. That entitlement controls what permissions the app can request. It doesn't like directly give them access to the camera. As soon as you install it, it just says the app is allowed to ask the user for permissions to access the camera. Once the user has consented to those permissions, the app can now use that so there's that manifest includes all sorts of different entitlements. There's even additional entitlements, if the app is running in a hardened runtime, which includes some additional protections against like common application exploit techniques, for example, under hardened runtimes, any apps that have like higher risk actions, like any just in time compilation or loading untrusted libraries must explicitly declare these capabilities in the entitlement manifest the apple reviews and signs before the app can be delivered. So basically, long story short, an app can't even make a request for one of these protected resources unless it has that entitlement notarized. And as Cisco noted, the effectiveness of this whole TCC framework really depends on applications reasonably handling the permissions they receive, because MacOS trusts applications to self police all of their permissions they've been granted. So their research focused on a form of attack called library injection, basically tricking an application that has a certain set of entitlements to load up a another library under the attackers control, or at least one that they had delivered to the endpoint. So the all the applications in question, which were basically every Office application, and then three apps related to Microsoft Teams, all of them had this special entitlement called like, load untrusted libraries or something along those points, basically, by default, an application cannot, can only load libraries that are either signed by the application's author or signed by Apple themselves, unless they have this special entitlement. What is it? Disable library validation. That's it. And if they have that one, then they can load other libraries potentially. So it's a bit of a risky one to have in the manifest, and Microsoft had it included in basically all of their MacOS apps. Now, Cisco Talos found that you couldn't just, you know, drop a library in the Applications directory on Mac OS that's actually protected as soon as the application executes. You can't modify anything in there without, uh, without having a specific entitlement as well for whatever app is trying to do it. But what they found, though, is that, here's the overall scenario. So Corey, let's say you go and download Microsoft Office onto your Mac you go ahead and open up Word, and you grant it permissions to access your file system and maybe your photos and maybe a few other interesting or sensitive resources. That app, when you install it, goes into the Applications directory on macOS, same as all other apps, and as soon as you execute it, you can't modify any libraries in there. It loads libraries relative to the application, so from that directory, but you cannot modify any of them. Or when I say you I mean a malicious application can't do that. What they found, though, is a malicious application can copy Microsoft Word to the temp directory, modify the libraries in that copy, and then run Microsoft Word out of the temp directory. That copy of it still has the original permission set, but now it loads up a library the attacker was able to modify, and now that attacker controlled library has all that permission set. So word may not have been the best example, like teams obviously has microphone and camera access and screen sharing access, even screen control access in some cases. And so just following this simple attack path could grant any application on a machine that has Microsoft applications installed to gain those permissions, pretty trivially. So funny enough, Microsoft said this is a low severity or low risk issue, and we're not going to fix any of them. They did secretly go fix a handful of them, so the teams one specifically and OneNote as well. But Excel, Outlook, PowerPoint and Word are all still vulnerable to this type of attack where a malicious app can just copy them into the temp directory, modify them, run them, and their malicious DLL they injected in there will be able to have all their permissions. Thought this was interesting, like I, I disagree with Microsoft's assessment that this is low risk. I think there are some caveats to it. So you do still need permissions, at least locally, to copy those applications, maybe not elevated permissions, but you still need access to the system, and this, at the end of the day, really only grants access to resources that were in that entitlements manifest which are. Hopefully somewhat limited, but at the same time, all this can be fixed by just removing that disable. But
Corey Nachreiner 25:08
don't they say they need it? I am trying to find where I claim somewhere Microsoft
Marc Laliberte 25:15
didn't say anything, but Talos assumes that they need it to support like plugins signed by third party developers. But they pointed out that as far as Talos was able to find, the only plugins available for Office applications are web based. They're called Office add ins, and they are not libraries specifically. And so this entitlement should have no impact on these plugins because they're they're strictly not libraries being loaded. They're just like web based add ons to the application. Now that said obviously, maybe not obviously, but if it was just as easy as disabling it, Microsoft would have done it. So clearly, something in their process still needs it, or they just haven't released an update for it, but it seems like a extremely risky entitlement to have on, like your application that hundreds of millions of people worldwide use on Mac OS, like unnecessarily large attack surface, I don't know agree, but I mean, at the end of the day, it's a minor privilege, escalate, a minor meaning narrow scoped permissions escalation. It's not, you know, this doesn't elevate you to like the equivalent of like system level. Root Access just means that a malicious app can get access to like your camera and microphone. It also
Corey Nachreiner 26:34
feels like it needs some local like you need to be able to run things locally in the first place. But it is a big deal. I do like that we have operating systems that have, I feel like mobile started this with the privilege for every different setting, but it's nice to have operating systems that are trying to do this, even though it is a pain in the eye. But when you launch teams for the first time on an update and have to give permissions, I
Marc Laliberte 26:59
still like that over the alternative of that app just can do whatever the heck it
Corey Nachreiner 27:03
was, whatever it wants, yeah, would be nice if Microsoft fixed this by getting rid of that one setting.
Marc Laliberte 27:10
And to be to be clear, Talos also recommended maybe Mac, like Apple, can implement a change where anytime a application wants to load a third party plugin, maybe request permissions specifically for that one. Then I think that does get a little messy. And like, the average end user has no idea what library XYZ is going to be doing. So there'd have to be some like, dumb human, not dumb human, but dumbed down human, readable description of what the heck's going on. But maybe there is some middle ground that also involves an update from Apple to lock this down as well, too. I don't know either way. Cool research, and I expect to see a huge amount of bug bounties for that in the future from everyone else that read Talos a blog post now, because that typically is how things go. So the last story I wanted to talk about came from researchers over at Sophos on this new tool that they found called EDR kill shifter that they found threat actors were using to target EDR systems while deploying ransomware. They discovered it in an attempted ransomware attack back in May, where attackers used this tool to disable the EDR tool on the affected endpoint before trying to execute the ransom hub ransomware variant. The reason I want to talk about this, I don't know, Corey, did you go to any of the EDR killer or EDR evasion talks at blackout or DEF CON?
Corey Nachreiner 28:36
I went to one in DEF CON, although I think it was 15 minutes late because I didn't like when I picked before, but yes, I went to one end at DEF CON.
Marc Laliberte 28:47
It seems like an interesting topic because these, like EDR technologies, are designed to catch the threats that your traditional endpoint miss. So they need, like, a lot of visibility on the endpoint, and they can be that really final backstop against a successful attack. And so if a tool is able to go and disable EDR, they're potentially disabling, literally, the last line of defense on that endpoint.
Corey Nachreiner 29:12
So this, although they typically, I mean, we talked about this with the CrowdStrike issue, but that's one of the reasons they typically have some sort of kernel mode driver, because they have to watch and thus protect themselves at a much lower level than the average user land application, yep, if they're trying to protect themselves, Well anyways, correct?
Marc Laliberte 29:34
So EDR kill shifter is a quote, unquote loader executable that really just acts as a delivery vehicle for a type of attack called Bring Your Own vulnerable driver attacks, where it takes a legitimate driver that's been signed by their author, notarized by Microsoft at some point, but has a vulnerability in it that allows an attacker to either execute arbitrary commands or at least a limited set of. Really privileged commands within this driver. Maybe that driver's already been updated, or hopefully it has, and the latest version isn't vulnerable, but that old one that is still cryptographically signed. If an attacker brings that onto an endpoint, from Microsoft Windows perspective, like it's a legitimate driver, it's signed, it all checks out, and as soon as it's the attackers able to load that into the system, they can abuse the vulnerabilities in it. Wasn't
Corey Nachreiner 30:25
necessarily a driver, but one example i What was the MSP attack that happens through PSA, yeah, and similar like, if you think about that, they brought their own vulnerable version of Microsoft defender that was old. So kind of the same concept or placing a legitimate thing with the older version, either to exploit a vulnerability or to get past something the older version didn't do. Yep.
Marc Laliberte 30:54
So in this case, the loader executable starts with a password the attacker has to enter to decrypt the contents of it. Without that password, they can't decrypt it. It stops executing that password, decrypts the first stage binary payload, and then executes it. That binary payload is responsible for grabbing the final payload, which is written in Golang and a driver, a vulnerable driver, drops them into a temp folder and then creates a new service, starts the service, loads up that driver and then endlessly loops through the currently running processes and uses the driver to terminate processes if their name appears in a hard coded list of targets. Now you do need, oh, go ahead, that's this last bit. You do need elevated privileges on the endpoint in order to load that driver like a normal user, that the non administrative user can't just load random drivers on Windows. You have to have local admin in order to do that. So this assumes they've at least elevated the privileges. But this is one way to then evade further detection by killing EDR endpoint software, using this driver. What was your question? I
Corey Nachreiner 32:04
was going to say they mentioned a hard coded list a lot. They being Sophos, as researchers did, they have any list that they shared. I do notice they shared also. This isn't the first time this type of AV or EDR killer existed. They shared places on the underground, where people have sold them before, and I have found lists of the targets for some of them, but I'm not sure if they're the same targets for this particular one. So the question is, did they share a list of targets for this specific EDR killer?
Marc Laliberte 32:39
They did not, not in any of their threat intelligence sources that they maintained.
Corey Nachreiner 32:45
I'd have to see I mean, they did the same old folks. I mean, luckily we haven't shown up on the list I've seen online before, but a lot of the common products do show up there. Yep.
Marc Laliberte 32:58
So there's actually some good news for WatchGuard epdr customers, and technically, 8360 customers. The next agent update, which is currently in beta, includes a new feature specifically designed to block vulnerable drivers as a protection feature. Basically just as a protection feature, we maintain a list of known vulnerable drivers, and we do not allow them to be loaded onto a machine and executed if you have that turned on now, it's in beta right now, and that's, I think, probably the best protection you have against something like this, because at the end of the day, it is our job to maintain and make sure that you've got the right knowledge updates for your protection software so we can keep that list updated instead of you having to manually Go in, and, I don't know, block it with App locker or something, if that even works on drivers
Corey Nachreiner 33:47
and Sophos, I think mentions, I agree it's probably the best not to let these drivers load, so making sure only sign known good drivers load, but the programs can have tamper protection, which our product does you know even a malicious user could try to kill our processes, but I we have tamper protection to protect against that, even from a system user, and to have for the process to monitor itself and to restart blah, blah, blah. So hopefully no security software on endpoint has tamper protection like that, yep,
Marc Laliberte 34:20
and then reiterating that you do still need admin privileges to load a driver, so protecting administrative credentials on the endpoint is important too. So maybe don't give local admin to your users. That'd be a good step. But either way, I mean, it seems like attackers are really focusing on killing EDR now, because it is becoming a more widespread and widely
Corey Nachreiner 34:44
used mouse, cat, mouse, every time there's a new tool, they try to find a way around it.
Marc Laliberte 34:51
Where does this end? Corey. Does it end with Microsoft Windows being like Mac OS, where they don't expose kernel space, they expose APIs, and now it's need to find. Like a group level, like jailbreak to even
Corey Nachreiner 35:02
maybe it never ends and it's just machines doing the attacking and defending. So we it's constantly cat and mouse in the background, hopefully unsupervised.
Marc Laliberte 35:12
Hey, if the AI cyber challenge was anything to go off of, maybe that future is coming at some point.
Corey Nachreiner 35:20
But either way, interesting week so far, very
Marc Laliberte 35:23
interesting week, and cool research from a couple of those folks. Hopefully. I don't know about you, Corey, I'm hoping the rest of this week is boring. When it comes to cybersecurity,
Corey Nachreiner 35:33
I need to do my my other my governance day job. So yes, it'd be nice if we had a little boring break for once 100%
Marc Laliberte 35:44
Hey everyone, thanks again for listening. As always. If you enjoyed today's episode, don't forget to rate, review and subscribe. If you have any questions on today's topics, suggestions for future episode topics. Or if you know how many human beings have lived in the United States since its inception, because I am curious on that you can reach out to us on Instagram that we're at WatchGuard underscore technologies, thanks again for Listening, and you will hear from us next week.