Season 1  |  Episode 5

Episode Transcript

Stuart McClure (00:08.673)

Alright, welcome everybody. We’re back to the Hacking Exposed podcast, Qwiet Edition, where we’ve got a whole bunch of incredibly interesting attacks. Some very boring, but interesting because they’ve been reapplied, and just some huge attacks that have been in the news in the last couple of weeks. So with that, welcoming my team here, my cohorts, Chetan, Gabe, and Ben. Hello, gents, how’s it going today?

Chetan Conikee (00:36.288)

Hello, how are you?
Stuart McClure (00:37.049)

All looking so darn good. Gosh. Yeah, thanks for making it. Like, look, I think the biggest topic we’re gonna have, and you’ll probably see a trend of this in a lot of the attacks we talk about, is social engineering attacks. So good old-fashioned, you know, Kevin Mitnick, like old-school calling up somebody and getting them to do something that they really shouldn’t be doing. But let’s kick it off with the MGM hacks.

Ben Denkers (00:37.294)

Doing great.
Gabe (00:39.016)

Hey y’all, yeah it’s great to be here.
Stuart McClure (01:04.809)

And of course there have been some peripheral hacks too with Caesars and others, but MGM has been such a dominant force in the headlines. I mean, my phone was blowing up for weeks after that first event. I thought that the whole world was melting down with how many inbounds I was getting. But, you know, starting with the social engineering attack, I think, to me it’s one of the oldest tricks in the book, and it just seems to work over and over and over again, and we can’t really fight it. I mean, you know, us at Cylance, we had built a pretty interesting tool to try to thwart this with our identity solution, but other than that, you know, we’re old-school, like username, password, username, password, or, you know, some key or token or something, but those are all effectively passwords, just hidden and embedded.

So what do you guys think about this? Now I know they’ve been back up for five days now. What, it’s September 26th right now. They were back up on the 21st. All reports were sort of like eight million dollars a day is what they lost. Obviously, just a drop in the bucket. I think total loss or cost was something like 80 plus million for 10 days or something down. I think it’s more the…

Chetan Conikee (02:25.184)

Thanks for watching!
Stuart McClure (02:26.213)

And they had other properties, obviously, that were impacted too, not just the MGM proper hotel: Mandalay and a whole bunch of other properties. So yeah, Bellagio. So I mean, with all of these, clearly there’s going to be, you know, an impact in the market, with the, you know, questioning of, well, are their systems secure? Are they, you know, keeping my data secure, et cetera, with this even more so than before, dramatically. But what do you think it’s doing? What do you think it’s done to the industry?

Gabe (02:33.939)

The light’s on, yeah.
Stuart McClure (02:55.893)

And I actually felt really bad for them. I mean, I know a lot of the guys at MGM, and all the guys there, I just felt super bad. You know, all it takes is one crack in the dam for a bad guy to get in. You could have a billion and one preventative solutions in front of a billion different vulnerabilities, but man, just this one comes in and just exploits and then just cracks open the whole thing. And now involving Okta and everything else. So I don’t know, what was your take on all this, guys?

Gabe (03:10.931)

Right?
Ben Denkers (03:25.058)

You know, my thought is, again, we’re talking about an attack vector that’s been around since essentially the age of… But more importantly, look at how effective it still was. And what do you do in those types of situations, right, where you have a lot of technical controls in place, whether it be technology or equivalent, to help identify those attacks, but ultimately you still fall subject to somebody having the right set of answers to then provide you with access to a VPN, in this case, right? And for me, if I’m an attacker, I’m looking at how effective that is. I’m going to double down and try my luck with the next MGM or equivalent, for sure.

Gabe (04:12.135)

Yeah, something that I think I saw, this conversation taking place on Twitter, where we’re sometimes a little bit too quick to go and blame the user. Oh, this person shouldn’t have access, or, you know, they don’t, they’re not trained, they don’t understand. But at the end of the day, all we can do is mitigate, right? Reduce risk. And we take, you know, different approaches to do that. But we cannot depend on just.

Chetan Conikee (04:28.448)