Episode 78

The Real Adversaries with Dan Card

EPISODE SUMMARY

CISO and security consultant Dan Card joins Joseph Carson on the 401 Access Denied podcast for a fun and enlightening conversation around the cybersecurity messages we take as “truths”. Are these points still relevant, and is there a messaging disconnect between security professionals and the average user? Listen to this lively discussion to hear Joe and Dan’s take.


Hello from Cybrary and Delinea, and welcome to the show. If you've been enjoying the Cybrary Podcast or 401 Access Denied, make sure to like, follow, and subscribe so that you don't miss any future episodes. We'd love to hear from you. Join the discussion by leaving us a comment or a review on your platform of choice or emailing us at Podcast@Cybrary.it. From all of us at Cybrary and Delinea, thank you and enjoy the show.

Joseph Carson:

Hello everyone. Welcome back to another episode of 401 Access Denied Podcast. I'm your host for the episode, Joe Carson, pleasure to be here, really excited. And we're always bringing really interesting, amazing, talented people, who really are doing loads to make the world a safer place.

So I'm joined by an awesome guest today, we met quite a few years ago, interestingly in a bar, but I am joined by Dan. So Dan, over to you to give us a bit of background about yourself, what you do, what things you get up to, and what things you do to make the world a safer place.

Dan Card:

Cool. All right, thanks Joe. I'm Dan, and if you don't already know me, I am a consultant. I specialize in helping organizations improve their security postures and better enable their businesses through technology. Nice and simple, that one.

Joseph Carson:

Nice and simple. Any interesting fun things about yourself? Any things that-

Dan Card:

Well, what I also do is I do a lot of tweets. I mean, I'm a professional tweeter, I think the expression is.

Joseph Carson:

I think you got an award for professional tweeter, was it?

Dan Card:

It's pretty cool. I do a lot of stuff. I do lots of community work, I do lots of threat intelligence, I do weird, mad honeypots and spend loads of money on friends of Microsoft, keep them employed. I look at how we can better enable ourselves to defend against digital threats that we face, in ways that I don't think... like, I think people think we do already, but that actually aren't quite done in the same way. So I try and help people and share what I know or my learning experiences, because I don't know that much. So I try and share online what I do as best as possible, because what I do is very odd. Everyone always asks me, "What do you do?" And I'm like, "I do cyber stuff." But I try and take what I've learnt from the last 20-odd years in industry and what I do from a research and from a fun point of view. I'm really lucky in the sense that I got a job that's my hobby.

Joseph Carson:

Likewise. Which is our good thing and also can be our evil as well.

Dan Card:

Yeah. I said to someone earlier, I said that my business is very odd, it's niche, I set up a microservices company, so it's a similar model to larger companies, it's just that it's me and a load of robots in a server room and software. Someone said it's like an intelligence network, but me and my mates, as I call it.

And doing stuff to try and help people. So looking at how we can look at countries to see if we can make them safer, how do we help protect hospitals, how do we help protect critical services, and how do we do weird and wonderful things that may or may not work, right? Because you never get innovation or improvement by doing what someone else has done, you need to be looking into things and spaces and ideas that are new, novel, and often fail, so you end up spending a lot of time doing lots of weird stuff and going, "Oh, that doesn't work."

Joseph Carson:

You are a real-life James Bond, aren't you?

Dan Card:

I mean, I tell everyone that I'd have to kill them, right? It is funny. I think that's a great, like the James Bond thing's funny. I obviously am a massive James Bond fan.

Joseph Carson:

Absolutely.

Dan Card:

You know, that's not exactly like-

Joseph Carson:

I couldn't tell that at all.

Dan Card:

Because real life and films are completely different, aren't they? So if we sat there and I'm like, "Oh, what am I doing today?" I do a lot of work on my own. I might be working with people but I work with myself. So I tend to find that if I'm going to share content or stories or do things that are interesting, it's a lot better to make them more interesting than they are. If I said to someone, "Oh, what we're going to do today is we're going to dump a million logs and we're going to sit there and stare through spreadsheets and not know what we're doing because we don't know what we're looking at until we've looked at it, and we might find something." Then, that doesn't sound as fun, does it?

Joseph Carson:

If people really knew. I always love the picture about... you know, the memes that show you what your parents think you do, what your friends think you do, what in reality you do. I mean, I can't tell you how much of my life I've spent looking at log files and just mundane, having two screens side by side and just comparing numbers and looking for lost data, looking for duplication of something, sitting and looking for basically hashes and UIDs and GUIDs.

Dan Card:

Or it's tied to a bloody username, right?

Joseph Carson:

But the thing is, a lot of times it's great... you know, fast-forward to today, there's a lot of automation that can do things much faster than maybe 10, 15 years ago, when you had to do a lot of it manually. You bring up one thing I just wanted to go back on to, you mentioned a bit about hospitals and making the world... Can you talk a little bit about CV19 because I think that was important. Yourself and Lisa kind of introduced CV19, that was back at the start of COVID. If you can give the audience a little bit of a background on what CV19 was, why it started, and what the motives and intentions were?

Dan Card:

Yeah, so, right. To go back in sort of my full process. When the pandemic started, I sat there and I was like, "Oh, this could be quite bad." You might be like, "Why was it? Obviously it's bad." But from a digital point of view, from a cybersecurity perspective.

So, in 2017 I responded to WannaCry inside a trust. And I've done quite a bit of work for the NHS and I've traveled over hundreds of businesses over the last 20-odd years. So, I've got some idea, and I've done this to huge and small orgs. I've got some idea about what the world looks like, probably, at least I hope I have. Some people may think I'm mad. So I sat there and I was like, "Oh, what happens if I ransomware," I don't mean me, but like if a hospital gets ransomwared during a pandemic when there's no beds or all these other kind of problems? And it was a real moment of uncertainty, I think, in the world. I think all of us felt like crap, what's happening? We're not allowed to leave our houses, this is like a bloody film, this is like being in Contagion.

And so I sat there and it was me, Lisa, and Red online, I'm not even going to try and remember exactly, but I basically was like, "Oh, we should get some bags together and put some laptops aside and get ready to go in, if we need to." Right? Because that's literally what happened in WannaCry. I got a phone call and I ended up in a hospital, it wasn't like... I wasn't sitting there waiting for it, if that makes sense.

So, we did that and then suddenly there was loads of interest. And we had this conversation online in public, I think, or part of it in public. And from that concept of we should prepare, because we didn't think... You know, our guess was, have people really prepared for this kind of event? It's like a zombie film, isn't it? So I would say no.

Joseph Carson:

It was, indeed. Me being based in Estonia, it was a little bit different from the rest of the world. Yes, we had of course the same restrictions as everybody else, but here we tend to do a lot of things online digitally anyway, and two meters, for Estonians, is sometimes a little bit closer than they actually prefer to be anyway. So here, they actually were glad when the restrictions lifted because then they could go back to the normal distances of, like, 10 meters apart.

But here, everything was done digitally, so even schools and healthcare, a lot of the things were done digitally, but it really highlighted a lot of the things, I think around supply chains was probably the biggest issue here of getting things, you know, the supply chain interruption and getting goods and getting food and energy and all those things. There started to be the big realization of how dependent you are on supply chain, but I think even the UK, I think had similar challenges as well, getting stock of even medicines.

Dan Card:

Yeah.

Joseph Carson:

And getting people, maintenance and stuff as well.

Dan Card:

So this was the kind of thought process in my head. I was like oh, okay. And plus, I sound stupid, but I think I wasn't on a project at the time. So I was sitting there going, "Oh, I haven't got a..." I was like, "I can't really go out to a sales lunch anymore."

But yeah, so we sat there and we were like, "Okay, what should we do?" Then it got a lot of interest. It was in Forbes, Wired, and we had thousands of people wanting it. And that creates its own challenge in itself.

So essentially, my initial view was prep for incident response support, get people that are vetted professionals, as in my friends, right, without being silly about it, get some of my friends together and get some... You know, I was like cool, we can get the kit ordered if we need to, we've probably already got all the kit anyway because of what we do for jobs, and just be available and set up a network to do that.

But as it obviously got bigger in terms of interest and stuff like that, we ended up doing threat intelligence, we did some advisory work. Trying to volunteer cybersecurity services in an actionable, meaningful, useful way, is incredibly difficult. It's difficult when people... I'd have hundreds of people message me asking if they can help but they don't know what to do. Even to the point they're like, "I'm not even sure what I can do." So it's really difficult from a logistics point of view alone.

So what we tried to do is we tried to do stuff that gave out advice, we tried to encourage... my message to people was generally like, "You don't need permission to volunteer. Go out to your doctors and GP surgeries, go and speak to your trust, et cetera, et cetera."

But also, we ended up doing lots of... I did some vulnerability analysis at scale, trying to look at where there are weaknesses and working out how we can try and solve those problems. So we had different people working on different bits. My stuff was very much less talking to people.

Joseph Carson:

I thought it was something that... You know, when I saw, then seeing the intelligence sharing that was going between people in order to be very proactive and rather than waiting for things to happen, about sharing what the user's seeing elsewhere and hoping that other hospitals and other practices would be able to take those and put controls or put mitigation in place before it spread.

Because WannaCry was very reactive, very almost kind of rushing, but for me this was what we should be doing as a community, as sharing intelligence and sharing knowledge and sharing experiences. So I felt that if something... this was the realization, when I saw the CV19, when I saw the amount of information, what people were contributing, I think the intelligence piece for me was really impressive because it's what we should be doing as an industry. We should be more open and not afraid.

Sometimes I get worried, like security researchers like ourselves, when we share stuff all of a sudden you sometimes get, maybe, people look at it from a criminal perspective, you were working on some type of exploit, and now all of a sudden organizations, law enforcement... I think that we should not be afraid and the laws should protect those... It all comes down to the motives. It all comes down to what your intentions are. Are your intentions to protect the system by sharing information, or are you looking at alternative models for financial base or...

So from your experiences with that, which I think is impressive and it was fantastic to see, who were the real adversaries? Who was really attacking us? I mean, should I be worried about somebody hacking into my home and stealing laptops, or should I be worried about somebody getting into my phone or losing devices, or should I be worried about going for a pee break when I'm on a train and not having to pack everything up and bring it into the toilet with me? I mean, should I be worried about the Russians and Chinese or hovering satellites and following me everywhere I go? Who are the real adversaries? What is the threat out there, what's the most likely thing that will happen and what's the least likely thing?

Dan Card:

So the first caveat on all of that lot, it depends who you are, where you are, what you're doing. There are a lot of variables. So for the purpose of answering this, I am talking about the average, everyday citizen. I'm not talking about someone who works for defense, who works in a VIP role or a high net worth individual. All of that stuff, that's not the majority, so I'm just going to caveat that.

Joseph Carson:

Everyday working citizen.

Dan Card:

Yeah.

Joseph Carson:

Who's working at a supermarket or driving a bus or a taxi driver, the hairdresser.

Dan Card:

Someone who's not of particular interest in terms of... like, they haven't got state secrets or any weird security research sitting in their pockets that they don't want someone to take.

I think that the biggest threat, I would say, I'll use myself as an example of this. My biggest threat is me. Like, I am definitely going to be losing something way, way, way before someone's going to be coming up and probably stealing something from me. I mean, it's really odd, isn't it? So I did some stuff and it's online, so this isn't news to the world, like I'm open with the research I do and with the fun conversations I have. I sat there looking at it and I was like, "Okay, if I'm a normal person, which I am," so I might be a little bit more beefed up on the security front, but that kind of makes not too many odds in the sense of what I'm thinking about-

Joseph Carson:

We're a little bit more, let's say conscious about things around us than the average person.

Dan Card:

If you can pwn my mail, I'm not asking anyone to try by the way, unless you're a friend, DM me, that's okay. I've got an Office 365 E5 license, I've got MFA, I've got conditional access, I've got everything logged, I've got a decent security score. Like, that stuff is hard to get into. Not impossible but if you're remote and you're trying to pwn my mailbox, you're probably not going to. That's probably where it is, from a hardening, at least I hope so. Whereas the average citizen doesn't have that, right? So you're going to get phished. I think it's almost guaranteed if you operate on the internet.

Joseph Carson:

Every day. Every day. I've got all my alias emails set up and they're just nonstop. The moment you subscribe to one thing, it's only a matter of time before that gets on an opportunistic target list that they just basically bombard it with... And some of it's legitimate marketing, some of it's legitimate sales, they're just trying to get your information, they're trying to get you to do something, they're trying to get you a good deal. And then a very small amount of it does get into... is a phishing attempt.

I think some of the impressive ones that I've seen recently are the ones that look like... you know, you get an email saying, "Your account looks like it has suspicious activity. Did you log on from this location?" I mean, they're getting pretty good, and for the average person looking at that, I don't think that they'd be able to tell the difference between the real and the fake one.

Dan Card:

I mean, I don't understand, this, I think, is nuts. Our security messaging has been, for many years, don't click on dodgy links. How would you know? Obviously we get some scammers who are terrible, they don't do any real targeting, they don't use a native language person, they use sloppy tradecraft, it's crap, right? They're just throwing stuff out into the world. They're probably still getting hits, because that's life.

But like, it's not that difficult. If you wanted to start upgrading your phishing capability, what you do is you sign up as a legitimate customer, get yourself a password reset link or try and hack your own bank account and get an alert, and then you copy it. I mean, I know, big trade secrets I've just given away there.

Joseph Carson:

I mean, those are the techniques, if you want to get it to look as legitimate as possible but having them... by replicating the same experience you would get signing up for something, so that they will see all the same details.

Dan Card:

I mean, I obviously don't do this, so the phrasing I'm using is just common language, rather than me. But if you're going to go and steal stuff, I'm like cool, let's go and visit your brand, I'm going to email you, I'm going to talk to you, I'm going to steal all your footers, I'm going to steal your PowerPoints, your Word documents, I'm going to... I mean, I would go to a local area, I would go somewhere if I needed to. But you can digitally, online, just try and yoink as many assets as possible, and then you're going to craft your wares. I got told off by Rick for saying craft, so I don't know what to say in fear of that.

So you're going to put together this stuff, and I think that the messaging around being able to spot stuff, I've got a view which... And again, language is odd because people read it in different ways or hear it in different ways, I don't really care what people click on, personally, because I'm sitting in a world where if I've designed and built a computer platform that everything goes to shit if you click on a link, I've failed, right?

Joseph Carson:

It's a very bad design. I mean, the thing is that the internet was created to click on, the application we use to actually interface into that world, the browser, was made to click on. We're all using our fingers and mice or whatever it is to interact with that, and it's to click on things, it's to type in stuff and click on things. So to tell people to be careful about don't click on those things but click on these things, and how to tell the difference, absolutely. When we're depending on the people to make the best security decisions possible, we're in a failure at that point. We're not going to be successful.

Dan Card:

Yeah. And I think people, some people anyway, I think because we've brainwashed the world into hearing things like, "Rotate passwords every 30 days, have eight characters with upper case, lower case," and all that crap which doesn't work, and we tell people, "Oh, don't do this, deploy MFA because it's really easy." It's not easy to deploy MFA. I'm not saying don't do it, but I've gone to taxi drivers while I'm in the taxis, or I've gone to family members, and I can tell you this. They are not sitting there going, "Dan, this is really fun, I really, really want to do this." They're like, "Dan, I use the same password for my mobile, I've got no pin code on it, I've got the same password for Facebook," and all this stuff. Generally speaking, they want to do the thing, not protect the thing. They are not security consultants, they're not pen testers, they're not thinking like they've got the NSA or the CIA or the GRU or FSB after them.

Joseph Carson:

And they're not too worried about having TikTok on their phone either.

Dan Card:

They don't care. Literally, this is my experience with speaking to people, I do that a lot, that's, I think, a useful skill in life. Most people say to me, who are not in the spy games, as it were, they're like, "Dan, I've not got any money. Dan, what's someone going to do? They're probably not going to be able to do that much to me. I haven't got millions of pounds in my account. Like, okay, my Facebook gets hacked, I just create a new account. I don't think the impact levels..." They can be wrong, again, we're looking at a curve. I don't think the impact levels for some of this stuff to some people are at a point where the likelihood and impact means that they are going, "Do you know what I need to do every morning is I need to wake up and I need to make sure the reflection in my eyeball on my selfie doesn't show my location."

Which is stupid shit that we do, right, because we live in a constant state of paranoia and a constant state of fear. And it is fear, right? And especially if you're a security consultant and expert, you don't want anybody saying that you don't know what you're doing. You must be the most secure James Bond spy person in the world.

Joseph Carson:

You must be perfection. And I think... I loved John Hammond's recent one where he did a talk, I think it was in the last year, on imposter syndrome. Because we, it's impossible for us to be perfect. It's impossible for us to know everything. And that's why we surround ourselves with people who know things that they specialize in and they had to go to, where we can actually go to them and ask for questions. So I think it's always about we shouldn't be trying to set up that to be in info security, that you have to be perfect, you have to know everything, because it's not possible, and there's going to be things that I don't... I write things down because I can't remember everything, and I have to go to my notes in order to remember certain commands or certain practice... Exactly. I can't remember half the passwords.

Dan Card:

Yeah. I've got digital password managers, I've got offline ones, I've got cloud services, I've got books. I love the books. I'm not kidding, my books are for stuff I care about that really I don't want getting burned.

Joseph Carson:

Because I think it's important. Let's talk about that context part of it. Because there's one thing, we see a lot of people online on social. It's like oh my goodness, taking pictures of password books in the shop. It all comes down to the context, is what are you putting into it, where are you storing it? I think the difference is because I think we're thinking about 10, 15 years ago when people, yes, used to put sticky notes on their monitor and write their passwords down, or used to keep it on the keyboard.

Dan Card:

They still do.

Joseph Carson:

They still do. But there's a difference between somebody putting a sticky note or having a password book sitting on their desk, to somebody who's sitting at home, the average person who's... it's to protect their personal stuff, and they're keeping it in the drawer in their home. I mean, how many people are going to get access to their home and be able to get into that drawer? What's the likelihood of somebody going and stealing your password book?

Dan Card:

I'll be honest, if you can get here you've got to get through here, and I'm not huge, but good luck. The probability of someone getting here, I mean, Joe, what are you going to steal? Are you going to steal my password book or are you going to steal my watch?

Joseph Carson:

I think the chances, your car would probably be a bigger target.

Dan Card:

Yeah. It's just really odd. And I've struggled with this, in a nice way, I've had such a blast. I've obviously been having fun and engaging the community and creating content around this subject, and it's not particularly about the thing, the thing was just the catalyst, an excuse to explore. The thing is around looking at risk and looking at probability and looking at threat and the easy thing everyone can say is, "Oh, your threat model isn't my threat model." But it is, largely. I'm just a normal dude, okay, I work in the industry and do some stuff so you could say it's slightly different, but I've largely got the same threats.

To be honest, I don't generally get phishing emails. I don't know why. It's a bit like some of my honeypots, I think people just see Dan and they're like, "Shit, I'm not going after him, because he's going to start tweeting about me and making jokes." I think that's the reason. It's not that I'm going to cyber them, it's just they're worried that I'm going to start taking the piss out of them on Twitter.

But I do think we largely do have the same sort of views. Some of my customers do not have that. Some of them are like, that's a different story. But for me I'm like, okay, what do I need to care about, what's the context, what's the likelihood of this happening, and what's the impact if it does happen? And then you end up in this really strange space.

So like, the list that I... bear with me, I won't be able to remember it now, but the list was like threat actors phishing, financial fraud. The marketing emails, I actually consider them to be threat actors.

Joseph Carson:

They're trying to get your information.

Dan Card:

Phishers, here's a tip from me, if you copy marketing teams you will get a better click-through and a better credential rate. I think when you look through it, it's like the probability of stuff happening, is like a software bug. And I don't mean a vulnerability, I mean failure. Failure of something, loss of something. I cannot tell you, and I'm not a complete klutz, but I lose stuff sometimes. I lose stuff in my office, I can't find stuff, I've got AirTags on all my kit and stuff that's important so I can find it when it's two seconds away from me. I look in the fridge and I can't see the thing in front of me. Maybe that's just a dude thing.

So I think we've got this hierarchy of risk scenarios and threats that we need to protect against, and then when you start looking at the stats, the stats could be wrong, I'm not God, but I started going into the likelihood of this stuff and I'm sitting there going like, "Okay, so what's the likelihood that I lose something?" I would say very low, but more than someone's going to steal it. I cannot remember the last time, and I'm touching... well, not wood, but yeah, touch wood. I can't remember the last time someone stole something from me, especially physically. And that doesn't mean it can't happen, doesn't mean it won't happen.

But like, I've got nice watches, I've got cool phones, I've got gadgets everywhere, I've not had someone steal anything from me physically ever since... I got mugged at knife point when I was a kid, and I think that's the last time someone... And even then, I did try and... like, that wasn't a, "Here you go." I think I was quite resistant given that I shouldn't have been, I should have just said, "Here you go, mate." I didn't manage to not get my stuff nicked.

That's the last time. I think I must have been 17, 18 years old. Tara's had a phone stolen out of her bag in London once. So we've been together 12-ish years, I think, and she has had something stolen once. I had a bike nicked. That's not really a cyber-y thing. I don't think... I've never had a laptop nicked, I've never knowingly, at least my memory doesn't recall ever having a high-end phone nicked.

Joseph Carson:

I think really also, to that point, it comes to sometimes the community where you are. You know, if you're in a city which has got a higher crime versus a city... or living in... You know, sometimes your proximity... I remember, I grew up in Belfast, so you never left your door open and you always parked your car next to a nicer car and then you wrapped chains around your steering wheel. Those were the days where you used to take your radio to bed with you at night from the car.

Dan Card:

I used to do that as well, like take the head unit off and then put it in your glove box because you didn't want to take it into the cinema, or you'd take it into the cinema and the person you were with would look at you like you're a weirdo, like, "What have you got?" It's like, "Oh, it's my radio."

Joseph Carson:

The things that we used to do in order to reduce the risk. And it gets really kind of to where... a lot of the things that the media and news, what we see amplified out there is things like nation state attacks. And to be honest, most of them are stealthy. We don't hear about that. That's the thing, is they don't want to be detected, they want to stay hidden. Versus us losing devices, to the point where I think the most, for me, probably the most is those opportunistic attacks where it's somebody who is in a criminal gang and they've decided to basically move from one criminal activity into doing more digital, online scams. And they're looking to do basically invoice fraud or try to get you to buy things that don't exist that you'll never receive.

Dan Card:

Like crypto scams, right?

Joseph Carson:

Exactly. I think the biggest scams are the crypto scams, those are the ones that people are... quick money when there's no value that exists.

Dan Card:

Okay, so, and I've got to be careful what I say here because of the world, and someone who I spoke to might hear me say this. People that want money quick, they get scammed. They get scammed really easily. I get asked loads, and I'm not into cryptocurrency, I'm not into NFTs, I'm glad for everyone who is, whatever, fill your boots. But it's people that want money quick or it's people that want games for free or films for free and stuff like that. And don't get me wrong, I'm lucky I get to pay for my stuff, I don't sit there downloading weird stuff. I do, but that's like for actors and breachers and stuff like that. The typical people, the stuff I see in normal people's lives, it is. It's them getting scammed. "Oh, I won the lottery," that you didn't pay for. Or, "Oh, I can buy this crypto and they're going to give me a bazillion pounds back." Or just really weird stuff that is largely financially driven where you've said to someone, "I'm going to make you money for basically not doing anything." And them going, "Okay."

That, to me, is the issue for most people. I think when we look at... Obviously we can't ever have 100% view, right? And I know that, I know that I know that I don't know everything, I know that my view is not perfect. I don't let perfection get in the way of me at least helping. I manage to protect myself roughly okay, and some systems that are holding some sensitive stuff. We didn't get anyone in there, that we know of, so that's good.

So I try and take a pragmatic but a realistic and a scientific, where you can, view, and it's hard. But if you're a nation state and you want to get in somewhere, you can just get a job there or you could pay someone off to put a USB key in.

Joseph Carson:

And that's what a lot of the espionage and agents have done over the years. They went and moved into countries and spent years undercover getting into organizations.

Dan Card:

And this is the thing, who are you and what are you protecting against and who are you protecting it against? And it's like okay, so you can look at some of this stuff's online, go and google your hearts out, but go and look at... we talk about operational security in the industry. It's OpSec, it's everything. No one talks about PerSec in our industry, which is weird, because that's mainly what we're concerned with, but anyway.

And then you go and look at the threat actors that we know about, and I'm talking up to nation state level, their OpSec's terrible because they don't care. What they care about is speed and effect. They don't care about oh my god, I must be a super spy.

And how we think about how this stuff works is so different, I think, from what a defender from an attacker point of view, even when we think about our attacker stuff. I worry, I was talking to... it was part of the CyberUp Campaign, but I was talking to some MPs or something, and I was like... I had to turn around to say to people, "Can you please reform the laws in this country because I'm fairly sure that I break the law because I write software sometimes that is basically malware." Or you end up doing weird stuff with it and doing stuff in threat intelligence that is-

Joseph Carson:

I know in the US they've been trying to get around changing the laws because the Computer Abuse Act has... they're trying to change it. But it comes down to, you have to prove your motive. You're assumed until you've proved that your motive had other intentions. So it is improving. I think they are starting to look at these laws because ultimately...

I mean, hacking itself, we always say it's not a crime, it's a way of life, it's a mind state, it's about curiosity. And we want to make sure that, by default, those minded people are not basically being criminalized, because ultimately their motive is actually good intentions. It's all about helping, it's about making the world a safer place, it's about using their skills to identify weaknesses and then ultimately to resolve those, to mitigate them.

So I think definitely the laws definitely need to be... Some countries are moving that direction, some are a bit slower than others, but I think the realization... I think when we get into where there's more collaboration between government officials and lawyers and organizations, law enforcement, and researchers, when we have all of those communications together we definitely can move much faster.

I think for too long they were in silos. They were all shouting over the wall at each other hoping that the other would hear or act, but we're getting to the point where that collaboration is much, much better. It is happening and the realization is there.

Dan Card:

Yeah. I mean, intent, for me, is a huge thing. I think people... I'll be honest, I think this is a time thing. I think there's still a lot of people that think these computers are weird, scary, magic things, and that people like myself and Joe and our friends and the community, I don't think they understand it. I don't think they realize that there are so many, probably more people with good intentions than bad intentions.

Joseph Carson:

Absolutely. The majority, I believe the majority of us have good intentions.

Dan Card:

This goes back to the same thing, the probabilities. The probability of loss is massive... Well, the probability of something happening to this laptop I'm on at the minute, the likely probability, I think, would say that nothing's going to happen to my laptop.

Again, if we leave it on a train unattended, I don't think something's going to happen. It's not saying it won't happen, I'm just saying it's more probable it won't. And you go through and you go into this... If everyone is a criminal and there's such a high risk of everything and people aren't doing things with good intentions, the whole world would be on fire, more so than it is, right? It would be absolute chaos, wouldn't it? The system wouldn't work.

Joseph Carson:

Absolutely.

Dan Card:

So I think there's this whole... I think people are scared or unsure about what digital looks like, I think we've got a time lag, and I do think that people are starting to realize this stuff, for all the stuff I say about okay, let's not try and FUD everyone to death and let's try and communicate properly and in a way that's meaningful, that helps drive change and helps drive improvement.

There is a serious side, massively, which is some of our critical infrastructure, some of our lives, the services our lives depend on are at risk from digital threats. That isn't me FUDing it up, there are things that I won't say, but you can... it shouldn't be the way it is. We've deployed technology as a human race faster and cheaper without making it safe.

Joseph Carson:

Yeah. It's been about convenience versus... And I always get, kind of from my side, seeing it as convenience, then the only thing is, we talk about it a lot, security by design. I think that's a great initiative but we really need to get to where it's security by default. It's built into it. It's something that's already turned on. You have to... And we have to make it zero friction, where it's all about making it something that everybody can use.

And I think you've brought up an important point here, is that we sometimes, we put cyber all into this one massive category, and we try to treat it all equally, all the same. We try to make it look like all these nation state attacks and critical infrastructure and the ransomware gangs and the everyday person who was getting phished.

We all put it into this one big category, and we're not really good at really separating it and having it properly defined where it's applicable. And that's where, further to your point, is that when all of a sudden we hear about the critical infrastructure and the media bring it out, and then all of a sudden you're getting called by family members saying, "Should I be worried?"

I think that's the interpretation. I think we're having a communication problem about really that definition of what it is we're protecting. And that's why I felt it was important today to talk about who is the real adversary? And sometimes it is us, sometimes it is a criminal gang who's doing that, where sometimes it is somebody who's looking to make quick money by putting some type of digital scam. But we have to make sure that we have clearly defined who should be worried about different types of threats, and who it's applicable to.

Dan Card:

I think your point about communication, what is it? It's 2023, right? We're at risk, like the way our technology is at the minute isn't that great. But I phished myself this week using a new build laptop and I used the technique that I was amazed my PDF got through, but whatever, cool. I didn't try. I got blocked on my first attempt, my second one I didn't.

And I went to do an SMB hash capture, and because I was using Windows 11 and I was using a Microsoft account, I didn't have an NTLM hash sent. So a technique that's good, that's valid, that works across a lot of stuff to get creds, and obviously it's relating to the latest CVE for the Outlook client, slightly different. But you can generally send someone a link, and as long as you put it in the right level of nesting, you can get them to send their hashes. But technology, they're changing the systems. It's a bit like when SMBv1 was disabled out the box in Windows. There is a long tail on these protocols and changes.

Joseph Carson:

You still find a lot of them. Even internally. They removed them from the internet-facing kits and stuff, but internally there are so many old systems. If you did an inventory internally you're going to find old dusty machines from the 2000s that somebody's just hanging onto their desk, that was meant to be decommissioned 15 years ago, and they're still using it because some old application that doesn't support certain file formats, or that isn't made anymore, and they've got loads of old applications on that machine, and they're still using it. It might be running really, really old software, unpatched, and no one knows about it.

I've seen even companies, a lot of advertising companies who do graphic designs and stuff, they've got some old machines sitting there just because the file formats, so the versions, all applications that have disappeared, and they're still depending on them. There's no visibility they're going to change them anytime soon.

Dan Card:

So, right, you were saying about comms, right? And communication. This is the kind of bit that I am obviously playing this week with the world in a jovial, hopefully encouraging debate and encouraging thought.

Joseph Carson:

Absolutely.

Dan Card:

But part of what I'm trying to say is, if we have been telling people for 20 years to not leave their machines unlocked for 10 seconds while they go to the toilet or to not do these things with passwords and to... If we keep telling them the same thing, I'm getting so bored of it, they must be going nuts. Or they're probably not, they're probably like this, "We're not listening, you weird security people, you think that Russia or China or North Korea are going to come after me, but actually I'm Joe Smith from Hull and all I want to do is go to the chippy and buy a bag of chips with my iPhone."

I think we've got a huge communication problem, and I might be wrong about that but the stuff we talk about is not new, it's not novel, and the risk landscape has changed hugely. The level of technology we're deploying is everywhere, it's getting smaller, it's getting more integrated, but I think we need to do better at communicating. I mean, if you look at some of the stuff, like we were talking about the Computer Misuse Act and stuff. The idea of breaking encryption is idiotic. Like the other one, the idea if you handle breach data you're a criminal. That would be me, probably Joe.

Joseph Carson:

I've had a few slaps on the hand in the past for that.

Dan Card:

We're talking about destroying our industry hugely and the ability to defend and understand threats because someone has decided to say, "Oh, I think it's a good idea to make someone a criminal if they touch breach data." We're failing at comms, policies aren't right, general people and policymakers... we're failing. We're doing better than we were, maybe, and I say maybe. We're not getting it right.

Joseph Carson:

We definitely need to know our audience better. I think that's ultimately, to start understanding really who it is and rather than just assuming, we had to get to the point where we had to put ourselves in those situations and try to better understand what it is we're trying to achieve.

Any recommendations you would have, anything you would suggest for people just to get started? Where is a good place for them to go for information that would be applicable to them?

Dan Card:

Well, in the UK go and visit the NCSC website because I think that that is an impartial... it's got clear guidance, it's not vendor-aligned, you've got the 10 steps to cyber, you've got guidance for every vertical, from critical national infrastructure through to personal and small business and third sector. And obviously it's from the UK, so go and see the UK.

The NCSC site, at least to me, is a really good, sensibly grounded space. I think the thing I would tell people is... The biggest risks I see are people using the same password and their passwords are terrible.

Joseph Carson:

On many devices, yeah, and many websites.

Dan Card:

Loads of people I know don't protect their phones. If you get their phone then you've got access. I mean, this is... Telling everyone to set a complicated password to log into their phone, I would use biometrics, but not everyone's got a 1500 quid phone or several of them sitting in their pockets. So it's put in place controls to prevent against likely threats. The password reuse and the crap passwords is such a problem still, and that's a problem in enterprise, and that's a problem for people.

The stuff like social media accounts and stuff like that, turn on MFA, put barriers in place against the things that you really want to protect. So think about what... I mean, banking apps. I had to do some stuff on this, hopefully next week. But look at your devices, look at what could go wrong and then look at what's likely to go wrong, and then start thinking about how they improve.

If they do little bits, they're going to be in a better place than if they try and do everything at once. I think the problem with saying to everyone that everything's a massive threat and risk, is that… "Oh, well, we can't defend against it."

Joseph Carson:

It dilutes the real threat, the real risks.

Dan Card:

Yeah, but I also think people say, "I can't do it." They say, "Oh, that 72 billion pound company just got ransomwared, so how am I going to be able to protect my stuff?" And I think that comes through-

Joseph Carson:

Common scenario. And everyone's sophisticated hackers.

Dan Card:

Yeah, but I think it comes from this idea you have to be security perfect, and none of us are. No one knows everything. And it's like, what do you want to do, what's going to happen to you, what's likely, what are your... Your context and surroundings do play a huge amount of it, as you said before. So I think people should just be more mindful around what they've got, what they need to defend against. I think it's important that, as security practitioners, that we help people in an organic fashion as well as a grand marketing fashion as well. Because, like I said, I do this quite a lot, because if I'm in a taxi and they ask me what I do, I say I'm an accountant. Because of the meme, right?

But if I tell them what I actually do, I get weird responses. Which are, "Can you break into a bank for me?" I get asked to do crime. They don't mean this, but it's just the thing because they watch... Basically Hollywood has brainwashed a lot of us, including me. But I think people need to sit there and I'm like, well, what do they actually have? What's the easiest way a threat actor would take them out? The first thing is, it's online, it's phishing, it's credential theft, it's social engineering, it's scamming. And then you've got to work your way down through that chain.

If you go and follow... I've got blogs I've written with big, long lists of hardening steps. I cannot ask my mum to go and look at the Windows 10 hardening guide or the iPhone hardening guide. This is not going to happen. She's going to be like, "That's complicated." So it's about doing things that you can... You know, don't reuse passwords, if you need to use a password book, cool.

Joseph Carson:

Just make sure you're aware of where you're putting it. That's the simple thing, is just don't leave it in public.

Dan Card:

If you use a password manager, make sure you can recover it. I can tell you this, not from bitter experience but from obviously doing some research, like being able to recover from events like a lost phone. Lost phones must be, if I'm wrong, losing your phone's really easy, and then you've got to think if you lose it, what's going to happen to it? The worst case is someone gains access to your device and then gains access to all of your data, all of your contacts, all of your records, your stored credentials. That is a big problem if that happens.

You need to look at where you are today before you start going, "I need to have a dedicated physical security team follow you around and have a consulting services team do regular vulnerability assessments on your person." You need to take the right approach to it. So small steps, stop reusing passwords, don't use crap ones, use passphrases. Again, bolt on MFA where you can.

And look, this is going to get me some grief, but if it means using a text message, at least in the UK, SIM swapping in the UK is not, to my knowledge, a huge risk, unless you are holding a lot of cryptocurrency.

Joseph Carson:

Every little step, even though they're not perfect, makes a difference. It just means you're a little bit more costly to the attacker to be successful. And ultimately, the attacker doesn't want to have high costs. They're operating a business in many cases, so they want to have a good return on investment.

Dan Card:

I don't know, apart from people that are motivated for lulz or people that are motivated for revenge, et cetera, or just maliciousness. Almost all of this stuff is they want to make money. That's why I was like, "What are you going to steal from me, Joe? Like, would you grab my..." Well, you probably would grab my phone as well, but are you going to take my watch or are you going to take my phone? You're going to take my watch, right?

Joseph Carson:

It's ultimately, for most criminals it's monetary, financially focused motives, and they're going to be looking at the most valuable thing. And it's quick as well, so we're going to do it the quickest and the least amount of effort, that's what they go after.

Dan Card:

It's like now, I'm not saying literally now, but let's say I can launch a cyber attack against, like, many, to many many, to whatever the range is, I won't go try and... but probably thousands, if not more. You can probably start attacking stuff with certain skills and prep and motivation. But you can phish people forever. Every day you can phish. You can just keep phishing.

Joseph Carson:

It's the scale of things. The scale of doing it digitally is so much more effective than doing it on a one-to-one basis.

Dan Card:

Yeah, like A, I mean this is the bit I cannot... Again, I might just be a weirdo so I'm happy to be wrong. If I'm going to go and want to make money, I can do it drinking a Capri Sun from my living room or in my case my office or where I'm at at the minute, the kitchen. The kitchen's loving it this week. And I could do that and I could attack hundreds, thousands of people. If I go physically somewhere to do something, I need to spend money, I need to spend time, I increase the risk of me getting caught massively, and then I've got to go and go through all this exercise of chancing something and then actually pulling it off. I mean, the probabilities-

Joseph Carson:

It's so much lower.

Dan Card:

I've been passing contact details for an insurance company, right? And if anyone wants to help me, please feel free to get in contact. I want to... There must be science that's better than my math, because my math is rubbish, but there's got to be science that says, "Here's the probability of this event occurring." Because the insurance-

Joseph Carson:

It has to be worth the claims. They have the claims data and it'd be great to be able to have a little bit more transparency into where the pay is traveling and why are they happening. And ultimately, with your point, one of the things is that for anyone who's doing the criminal side, they also want to do it from a country where they may not even consider it being illegal. They're doing it in a place where it's actually perfectly fine to do it.

Dan Card:

Where do we see all the stuff come from? We see it come from India, Africa, South America, Russia, and then China. And then some stuff in Iran. Like, literally, we can do this in honeypots. Again, this isn't anything secret. I literally put maps out showing what servers are attacking, and you can bounce traffic everywhere, and you can use VPNs, but that isn't what we see. The data doesn't tell us that. We know we can do it, I do it, Joe does it. We sometimes will jump around, and that's in targeted, purposeful stuff.

Joseph Carson:

It's when you want to stay hidden. That's ultimately the purpose.

Dan Card:

Yeah, like if we're trying to move around and not be... But, if you're doing scams, we watch it all the time, even when they do use VPNs, they mess it up and they forget and then you've got the IP of theirs. OpSec and baddies, for the mainstay, doesn't exist. They don't care, they're in countries we can't get to, they're using connections that we're never going to be able to do anything with.

Joseph Carson:

The only reason they do use some type of proxy or VPN is because the ones they're actually attacking from have been blocked. That's the purpose.

Dan Card:

Or they're doing something where they want to be in the same area as you, so they've worked out where you live.

Joseph Carson:

They want to be a pure local. Absolutely.

Dan Card:

Yeah.

Joseph Carson:

So Dan, it's been fantastic chatting with you today. It's been way too long, we should not leave it this long again. And many thanks for all of the insights. For the audience, I think we really have a good insight and a good conversation on what's the real adversary. I think it really comes down to your context of yourself, is what you do, your social sphere around you, and what your motives and interests are. I think it really comes down to that, definitely.

And we as an industry have to get better at communicating. We have to get better at knowing our audience better and not putting everything into one category, not making all attacks appear that they're applicable to everybody. We have to make sure that we categorize them, we separate them where they should be, and who it impacts, ultimately.

So Dan, it's been fantastic having you on the show. If anyone's looking to contact you, I guess Twitter and social media is probably the easiest way to reach out?

Dan Card:

Yeah. And if you can find me you can have a cup of tea but please don't try.

Joseph Carson:

Absolutely. It's been fantastic having you on and many thanks. So for everyone out there, Dan Card, it's fantastic having a chat, aka mRr3b00t, your alias. So definitely connect out, Dan's a great thought leader, sharing information, sharing knowledge, and you'll definitely get a lot of value from connecting with him.

So again, this is the 401 Access Denied Podcast, tune in every two weeks to get the latest episodes, the latest trends and latest news about what you can do in order to make the world and make the people around you a little bit safer. So thank you, take care.