WEBVTT 1 00:00:00.120 --> 00:00:03.640 You know, when military fighter pilots are prepping for combat, 2 00:00:03.640 --> 00:00:05.519 they don't just sit around in a classroom staring at 3 00:00:05.519 --> 00:00:07.799 the technical specs of their own jets. 4 00:00:07.679 --> 00:00:11.039 Right, That would be completely useless in a real dog fight, exactly. 5 00:00:11.080 --> 00:00:14.359 I mean, they practice against red teams, and these are 6 00:00:14.480 --> 00:00:18.920 highly trained squadrons whose entire operational purpose is to simulate 7 00:00:19.320 --> 00:00:24.600 the exact maneuvers, the communication styles, and really the aggressive 8 00:00:24.719 --> 00:00:26.839 mindset of enemy nations because the. 9 00:00:26.800 --> 00:00:31.640 Core philosophy there is incredibly simple. You cannot properly defend 10 00:00:31.640 --> 00:00:34.920 yourself from a threat if you don't intimately understand. 11 00:00:34.439 --> 00:00:37.920 It right, and that philosophy is our operational baseline for today. 12 00:00:38.079 --> 00:00:41.719 We are taking a deep dive into the modern digital battlefield, 13 00:00:42.079 --> 00:00:45.039 trying to reverse engineer the tactics of cyber criminals. 14 00:00:45.280 --> 00:00:47.280 Yeah, and we're doing that by looking through the lens 15 00:00:47.280 --> 00:00:51.880 of ethical hacking frameworks and industry gap assessments. 16 00:00:51.920 --> 00:00:54.039 So we're getting into the actual mechanics of how the 17 00:00:54.039 --> 00:00:56.920 offense operates, so you the listener, can understand why the 18 00:00:56.960 --> 00:00:59.240 defense has to think exactly like them. 19 00:00:59.079 --> 00:01:01.880 Which means, first off, we need to immediately discard the 20 00:01:01.880 --> 00:01:03.479 Hollywood mythology of hacking. 21 00:01:03.759 --> 00:01:07.000 Oh, you mean the lone teenager in a dark room 22 00:01:07.040 --> 00:01:08.040 wearing a hoodie. 23 00:01:08.120 --> 00:01:11.200 Exactly the kid chugging energy drinks and breaking into the 24 00:01:11.200 --> 00:01:13.480 Pentagon just for the thrill of it. I mean, that 25 00:01:13.680 --> 00:01:16.840 era of the digital joy rider is well, it's essentially. 26 00:01:16.480 --> 00:01:19.560 Dead, right, So let's unpack that shift. Because if the 27 00:01:19.640 --> 00:01:23.120 joy writer is dead, who are the actual enemies currently 28 00:01:23.159 --> 00:01:26.760 on this battlefield? That is the big question, because looking 29 00:01:26.799 --> 00:01:29.560 at the sheer scale of the attacks we're analyzing today, 30 00:01:29.719 --> 00:01:33.920 it sounds less like random vandalism and more like like 31 00:01:34.280 --> 00:01:36.879 we are dealing with Fortune five hundred crime syndicates. 32 00:01:37.040 --> 00:01:39.840 That's a much more accurate framework, though honestly, it might 33 00:01:39.920 --> 00:01:41.480 even understate their sophistication. 34 00:01:41.719 --> 00:01:42.079 Really. 35 00:01:42.200 --> 00:01:46.400 Yeah, the modern digital underworld is a highly organized, heavily 36 00:01:46.439 --> 00:01:51.959 profit driven ecosystem. The monetization strategies are They're incredibly complex. 37 00:01:52.000 --> 00:01:54.480 They aren't just stealing credit card numbers in bulk anymore. 38 00:01:54.519 --> 00:01:55.959 Okay, so what are they doing instead? 39 00:01:56.120 --> 00:02:00.959 Well, they're actively manipulating global financial markets. Take hack pump 40 00:02:01.000 --> 00:02:02.680 and dump schemes for example. 41 00:02:02.760 --> 00:02:05.280 Okay, so a traditional pump and dump is when someone 42 00:02:05.319 --> 00:02:08.479 buys cheap stock, hypes it up with fake news to 43 00:02:08.520 --> 00:02:11.840 inflate the price, and then sells it. How does the 44 00:02:11.879 --> 00:02:13.280 hacker version of that work. 45 00:02:13.800 --> 00:02:17.000 The mechanism is much more direct, actually, and it doesn't 46 00:02:17.039 --> 00:02:19.400 rely on tricking the public with fake news at all. 47 00:02:19.520 --> 00:02:20.159 Oh it doesn't. 48 00:02:20.319 --> 00:02:25.919 No, The hackers compromise online brokerage accounts belonging to everyday victims. 49 00:02:26.599 --> 00:02:29.879 Then they use the victim's own money to forcefully buy 50 00:02:30.000 --> 00:02:32.840 up massive volumes of worthless penny stocks. 51 00:02:33.120 --> 00:02:35.199 Wait, they just log in and buy the junk stock 52 00:02:35.319 --> 00:02:37.120 using someone else's cash. 53 00:02:36.759 --> 00:02:40.680 Exactly, And because of that sudden buying pressure, the stock 54 00:02:40.719 --> 00:02:42.159 price artificially spikes. 55 00:02:42.479 --> 00:02:44.199 Oh, I see where this is going, right. 56 00:02:44.400 --> 00:02:47.680 The hackers, who already quietly bought shares of that penny 57 00:02:47.680 --> 00:02:50.759 stock beforehand, sell off their own shares at the inflated 58 00:02:50.800 --> 00:02:52.159 peak for a massive profit. 59 00:02:52.360 --> 00:02:54.960 Wow. So by the time the market corrects itself, the 60 00:02:55.039 --> 00:02:57.639 victims accounts are drain and the hackers have just vanished 61 00:02:57.639 --> 00:02:58.159 with the cash. 62 00:02:58.319 --> 00:03:02.639 Yep, it's weaponizing them's own portfolio to alter market dynamics. 63 00:03:02.879 --> 00:03:06.039 That is a sophisticated financial crime, not a computer prank. 64 00:03:06.639 --> 00:03:09.919 And speaking of sophisticated financial crimes, we have to look 65 00:03:09.919 --> 00:03:12.000 at the logistics of the Royal Bank of Scotland. 66 00:03:12.080 --> 00:03:14.800 Heighs oh yeah, they arebs incident. That's a big one. 67 00:03:14.919 --> 00:03:17.479 I mean, a group walked away with nine point four 68 00:03:17.599 --> 00:03:19.680 million dollars in just twelve. 69 00:03:19.319 --> 00:03:20.680 Hours in physical cash. 70 00:03:20.759 --> 00:03:24.919 Mind you right, how is that level of physical, real 71 00:03:25.000 --> 00:03:29.560 world coordination even possible across twenty one hundred ATMs globally? 72 00:03:29.800 --> 00:03:34.840 It's basically a masterclass in decentralized logistics. A highly coordinated 73 00:03:34.879 --> 00:03:39.400 group primarily Russian, Estonian and Moldovan operators, managed to break 74 00:03:39.439 --> 00:03:41.400 the encryption of the bank's payment processor. 75 00:03:41.560 --> 00:03:43.680 Okay, so they get inside the system. 76 00:03:43.560 --> 00:03:46.599 Right, But once inside, they didn't just transfer money digitally. 77 00:03:47.000 --> 00:03:50.919 They manipulated the database to drastically raise withdrawal limits on 78 00:03:50.960 --> 00:03:54.240 a specific set of compromised prepaid debit cards. 79 00:03:55.080 --> 00:03:57.879 So they essentially removed the ceiling on how much cash 80 00:03:57.960 --> 00:03:59.319 those accounts could spit. 81 00:03:59.039 --> 00:04:02.680 Out exactly, took the limits right off. Then they distributed 82 00:04:02.719 --> 00:04:06.319 the decrypted card data to a global network of what 83 00:04:06.319 --> 00:04:07.960 they call cashers or mules. 84 00:04:08.080 --> 00:04:10.159 And these are real people on the ground. 85 00:04:10.120 --> 00:04:15.639 Real people, physical operatives in dozens of cities worldwide. They 86 00:04:15.639 --> 00:04:20.279 had created counterfeit magnetic stripe cards using that stolen data. 87 00:04:19.959 --> 00:04:22.079 And then they just went to the ATMs. 88 00:04:21.600 --> 00:04:25.360 At a synchronized time, this entire army of cashers hit 89 00:04:25.439 --> 00:04:29.519 twenty one hundred ATMs, simultaneously joining the machines of physical 90 00:04:29.560 --> 00:04:33.199 cash before the bank's fraud detection algorithms could even register 91 00:04:33.279 --> 00:04:33.879 the anomaly. 92 00:04:34.160 --> 00:04:37.439 Nine point four million dollars gone in half a day gone. 93 00:04:37.519 --> 00:04:39.720 You know, you just can't execute something like that without 94 00:04:39.759 --> 00:04:42.199 a massive discipline organizational structure. 95 00:04:42.360 --> 00:04:42.959 No, you can't. 96 00:04:43.040 --> 00:04:46.120 But they don't always rely on human operatives, right. They 97 00:04:46.240 --> 00:04:49.759 heavily leverage distributed computing, like specifically botnets. 98 00:04:49.800 --> 00:04:51.759 Oh absolutely, botnets are a huge part of this. 99 00:04:51.839 --> 00:04:55.040 Yeah, because we see groups like the Russian Business Network 100 00:04:55.279 --> 00:04:59.000 pulling tens of millions from City Bank using malware, or 101 00:04:59.639 --> 00:05:03.079 the zoo juse botnet infecting three point six million computers. 102 00:05:03.160 --> 00:05:05.199 Zeus was a nightmare, But what really. 103 00:05:04.959 --> 00:05:08.360 Struck me was how Zeus managed to breach Amazon's EC 104 00:05:08.560 --> 00:05:10.399 two cloud computing service. 105 00:05:10.839 --> 00:05:13.879 Yet that was a critical escalation in the space. A 106 00:05:13.920 --> 00:05:18.000 botnet is essentially a network of compromised machines controlled by 107 00:05:18.040 --> 00:05:19.279 a single bot. 108 00:05:19.040 --> 00:05:22.120 Herder, like a zombie army of computers. 109 00:05:22.240 --> 00:05:27.079 Right, and historically they infected residential laptops. But when Zeus 110 00:05:27.160 --> 00:05:31.360 breached Amazon EC two, they weren't just hijacking some home 111 00:05:31.399 --> 00:05:32.759 computer's week processor. 112 00:05:32.800 --> 00:05:33.800 They were in the cloud. 113 00:05:33.920 --> 00:05:39.079 They were hijacking enterprise grade, massively scalable cloud infrastructure. They 114 00:05:39.120 --> 00:05:43.519 turned Amazon's own processing power against its targets, which is 115 00:05:44.199 --> 00:05:46.519 how they caused an estimated one hundred million dollars in 116 00:05:46.560 --> 00:05:47.879 fraud in a single year. 117 00:05:48.079 --> 00:05:51.079 That is insane. And it's not just brute force technical 118 00:05:51.120 --> 00:05:54.879 attacks either. It's psychological. The cube face botanet. 119 00:05:54.519 --> 00:05:57.519 Oh cub face. Yeah, that was entirely based on social engineering. 120 00:05:57.639 --> 00:06:01.199 Right. They hijacked millions of Facebook and MySpace accounts. They 121 00:06:01.240 --> 00:06:02.759 weaponize the trust network. 122 00:06:02.439 --> 00:06:04.560 Itself because you get a message from a friend, right. 123 00:06:04.480 --> 00:06:06.759 Yeah, linking to a video, but to watch it, you 124 00:06:06.800 --> 00:06:09.199 had to click on a fake video player update. 125 00:06:09.240 --> 00:06:11.920 And of course the update was the malware payload, which 126 00:06:11.959 --> 00:06:16.040 really highlights the fundamental economic advantage of modern cybercrime, the 127 00:06:16.079 --> 00:06:20.959 automation of exploitation. Once the malware architecture is built and deployed, 128 00:06:21.240 --> 00:06:24.279 the marginal cost of infecting the next million victims is 129 00:06:24.399 --> 00:06:25.680 essentially zero. 130 00:06:25.959 --> 00:06:29.319 It requires literally no additional effort from the attacker, none 131 00:06:29.319 --> 00:06:33.120 at all. Okay, let's unpack this. I understand the profit motive, 132 00:06:33.360 --> 00:06:36.439 and I see the sophistication of the attacks. But here 133 00:06:36.519 --> 00:06:39.720 is what I am really struggling with. What's that If 134 00:06:39.759 --> 00:06:43.160 these syndicates are this organized, we really need to understand 135 00:06:43.199 --> 00:06:46.000 why it is so remarkably easy for them to penetrate 136 00:06:46.079 --> 00:06:49.360 corporate parameters in the first place. Like why is the 137 00:06:49.399 --> 00:06:51.720 defense always seemingly on the back foot. 138 00:06:51.920 --> 00:06:56.000 It comes down to an uncomfortable mathematical reality. Yeah, yeah, 139 00:06:56.120 --> 00:07:00.000 it is the massive, almost incomprehensible complexity of modern software. 140 00:07:00.680 --> 00:07:04.040 The foundational code that runs our operating systems and enterprise 141 00:07:04.120 --> 00:07:07.639 applications is simply too vast for human comprehension. 142 00:07:07.720 --> 00:07:09.839 Okay, let's look at the sheer scale of that, because 143 00:07:09.839 --> 00:07:13.240 the numbers are wild. A basic Linux operating system has 144 00:07:13.360 --> 00:07:16.839 roughly two million lines of code, but a Windows operating 145 00:07:16.879 --> 00:07:21.199 system can have upwards of forty million lines of code exactly. 146 00:07:21.600 --> 00:07:24.920 Now, apply the industry standard defect rate to that, which 147 00:07:24.920 --> 00:07:29.319 is what even with rigorous quality assurance, good developers mathematically 148 00:07:29.480 --> 00:07:32.839 lead between five to fifty bugs per one thousand lines 149 00:07:32.879 --> 00:07:33.399 of code. 150 00:07:33.560 --> 00:07:37.000 Wow. So just doing the basic math on a forty 151 00:07:37.040 --> 00:07:40.279 million line os, you are looking at an environment that 152 00:07:40.319 --> 00:07:42.600 could harbor over a million bugs. 153 00:07:42.560 --> 00:07:45.600 A million distinct flaws straight out of the box. 154 00:07:45.639 --> 00:07:46.519 Straight out of the box. 155 00:07:46.680 --> 00:07:46.959 I mean. 156 00:07:47.040 --> 00:07:49.160 I like to think of this as a real estate problem. 157 00:07:49.240 --> 00:07:52.959 It's like developers are building these massive, one hundred story skyscrapers, 158 00:07:53.000 --> 00:07:55.560 but they are leaving thousands of windows unlocked on every 159 00:07:55.560 --> 00:07:58.240 floor simply because the tenants enjoy the breeze. 160 00:07:58.439 --> 00:08:01.800 It's a compelling analogy, but honestly, it's actually worse than that. 161 00:08:01.920 --> 00:08:05.120 How So, it's not just that the tenants enjoy the breeze, 162 00:08:05.240 --> 00:08:07.800 it's that the tenants demand the windows remain open so 163 00:08:07.839 --> 00:08:08.800 they can do their jobs. 164 00:08:08.920 --> 00:08:09.639 Oh, I see. 165 00:08:09.759 --> 00:08:13.720 This brings us to the eternal grinding conflict between security 166 00:08:13.759 --> 00:08:14.639 and functionality. 167 00:08:14.839 --> 00:08:16.560 The mister no dynamic. 168 00:08:16.439 --> 00:08:21.160 Exactly, The mister no dynamic. Users require seamless functionality. They 169 00:08:21.240 --> 00:08:24.360 want to share massive files instantly, They want remote access 170 00:08:24.399 --> 00:08:27.560 from their personal devices, and they want integration across dozens 171 00:08:27.560 --> 00:08:28.240 of platforms. 172 00:08:28.279 --> 00:08:30.079 They want it all to just work right. 173 00:08:30.720 --> 00:08:34.679 But from an engineering standpoint, securing a network inherently means 174 00:08:34.960 --> 00:08:38.960 turning off those convenient features, closing those open windows, which 175 00:08:39.039 --> 00:08:43.000 nobody wants nobody. This is why chief information security officers 176 00:08:43.039 --> 00:08:46.080 are often the most unpopular people in a corporate structure. 177 00:08:46.519 --> 00:08:49.840 They get labeled mister no or security nazis, because their 178 00:08:50.039 --> 00:08:53.000 entire job is to introduce friction into a system that 179 00:08:53.120 --> 00:08:54.639 users want to be frictionless. 180 00:08:54.960 --> 00:08:58.519 But the financial cost of allowing that frictionless environment is 181 00:08:58.720 --> 00:09:01.159 just ruinous when a hack actually happens. 182 00:09:01.240 --> 00:09:02.559 Oh, absolutely rowinous. 183 00:09:02.720 --> 00:09:05.639 I mean. Looking at downtime analytics from firms like a Linian, 184 00:09:06.120 --> 00:09:08.840 the average cost of a computer network going down is 185 00:09:08.919 --> 00:09:10.679 forty two thousand dollars per hour. 186 00:09:10.879 --> 00:09:12.440 And that's just the average, right. 187 00:09:12.519 --> 00:09:15.600 It scales drastically depending on the critical nature of the system. 188 00:09:15.720 --> 00:09:18.720 If a supply chain management application goes dark, that costs 189 00:09:18.720 --> 00:09:21.080 company eleven thousand dollars per minute. 190 00:09:20.799 --> 00:09:25.440 Per minute, which is precisely why ethical hacking and aggressive 191 00:09:25.480 --> 00:09:30.120 vulnerability management exist. Because the software environment is infinitely complex 192 00:09:30.159 --> 00:09:33.720 and riddled with a million mathematical holes, you need specialized 193 00:09:33.759 --> 00:09:36.840 tools to map those vulnerabilities before the syndicates map them 194 00:09:36.840 --> 00:09:40.480 for you. Makes sense, but this introduces a fascinating and 195 00:09:40.639 --> 00:09:44.759 often uncomfortable reality regarding the tools of the trade. 196 00:09:44.559 --> 00:09:47.879 Which is that the tools are entirely dual use. Exactly 197 00:09:47.919 --> 00:09:50.840 the exact same software used to secure a network is 198 00:09:50.919 --> 00:09:53.279 used to destroy it. It's like a lock pick, I 199 00:09:53.320 --> 00:09:55.879 mean a lock pick is just a shaped piece of metal. 200 00:09:56.000 --> 00:09:57.759 It is inherently neutral. 201 00:09:57.519 --> 00:09:58.799 Right, it doesn't have a WORL compass. 202 00:09:58.919 --> 00:10:01.799 Exactly In the hands of a licensed locksmith who you 203 00:10:01.840 --> 00:10:04.000 called because you're locked out of your apartment, it's a 204 00:10:04.000 --> 00:10:06.600 life saver. But put that exact same piece of metal 205 00:10:06.600 --> 00:10:08.840 in the hands of a burglar, and it's a weapon. 206 00:10:09.120 --> 00:10:13.480 And that neutrality applies across the entire digital spectrum. Consider 207 00:10:13.600 --> 00:10:17.600 password cracking software. Okay, a malicious hacker uses brute force 208 00:10:17.679 --> 00:10:23.159 algorithms or massive dictionary attacks to steal user credentials, elevate 209 00:10:23.200 --> 00:10:27.120 their privileges, and compromise an entire network. But an ethical 210 00:10:27.159 --> 00:10:32.919 IT department deploys that exact same cracking software internally to 211 00:10:33.039 --> 00:10:36.720 test their own active directory. It is the only functional 212 00:10:36.799 --> 00:10:39.559 way to enforce a strong password policy. 213 00:10:39.639 --> 00:10:42.720 Because you can't just walk cubicle to cubicle and awkwardly 214 00:10:42.799 --> 00:10:45.120 ask your employees to whisper their passwords to you to 215 00:10:45.159 --> 00:10:47.799 make sure they aren't using password one, two three exactly. 216 00:10:47.799 --> 00:10:50.519 That would never work. You have to attack your own infrastructure. 217 00:10:50.600 --> 00:10:54.440 And because these tools and architectures are inherently neutral, it 218 00:10:54.519 --> 00:10:58.679 creates massive legal and ethical gray areas. Huge gray areas 219 00:10:58.799 --> 00:11:01.480 take a peer to peer file sharing protocol like BitTorrent. 220 00:11:01.919 --> 00:11:06.159 The underlying technology is brilliant for decentralized data transfer. 221 00:11:05.879 --> 00:11:06.399 It really is. 222 00:11:06.720 --> 00:11:09.840 And the tracker sites, the indexes like torrent, spy or 223 00:11:09.879 --> 00:11:13.039 mina Nova, they don't actually host any files themselves. They 224 00:11:13.039 --> 00:11:16.120 don't have stolen movies or proprietary datas sitting on their 225 00:11:16.120 --> 00:11:16.759 servers right. 226 00:11:16.799 --> 00:11:19.480 They just provide a directory that points to files hosted 227 00:11:19.480 --> 00:11:21.200 by individual. 228 00:11:20.759 --> 00:11:24.279 Users, which creates an absolute nightmare for cyber law regarding 229 00:11:24.320 --> 00:11:25.559 secondary liability. 230 00:11:25.679 --> 00:11:28.159 It really does. If you build a window that only 231 00:11:28.159 --> 00:11:30.679 looks at a crime, are you complicit in the crime. 232 00:11:30.960 --> 00:11:33.720 It's a tough question, and we see the same friction 233 00:11:33.840 --> 00:11:35.440 and search engine optimization too. 234 00:11:35.600 --> 00:11:38.039 Oh. SEO is a mine field for this. 235 00:11:38.600 --> 00:11:43.320 Because the line between legitimate SEO where a company optimizes 236 00:11:43.399 --> 00:11:47.039 its metadata to rank higher on Google, and malicious spamdexing 237 00:11:47.159 --> 00:11:51.000 or building automated scraper sites that steal content to manipulate 238 00:11:51.039 --> 00:11:53.159 search rankings, it's incredibly thin. 239 00:11:53.320 --> 00:11:57.279 The technological mechanism is essentially identical. It is strictly the 240 00:11:57.320 --> 00:11:59.320 intent that defines the crime, but. 241 00:11:59.480 --> 00:12:03.759 Intent is notoriously difficult to prove, especially when we look 242 00:12:03.799 --> 00:12:04.480 at activism. 243 00:12:04.960 --> 00:12:06.799 That's where things get really complicated. 244 00:12:06.960 --> 00:12:11.120 Yeah, When political activists launch a distributed denial of service 245 00:12:11.159 --> 00:12:14.720 attack ADIDAS against a government website during an election dispute 246 00:12:14.759 --> 00:12:19.399 or a geopolitical conflict, it forces a really difficult conversation. 247 00:12:18.960 --> 00:12:21.399 Because they are essentially flooding a server with so much 248 00:12:21.519 --> 00:12:22.559 junk traffic that it. 249 00:12:22.679 --> 00:12:25.879 Collapses exactly now. To be clear, we are just looking 250 00:12:25.879 --> 00:12:28.000 at the source materials breakdown of this. We aren't taking 251 00:12:28.039 --> 00:12:32.320 a stance here, but the debate is fascinating. From one perspective. 252 00:12:32.639 --> 00:12:35.639 Some argue it's a digital sit in, an act of 253 00:12:35.679 --> 00:12:39.000 civil disobedience in the modern public square. But from a 254 00:12:39.000 --> 00:12:41.120 strict legal perspective. 255 00:12:40.600 --> 00:12:45.080 Well, from a strict legal perspective, unauthorized access and intentional 256 00:12:45.080 --> 00:12:49.679 disruption of services is a federal cybercrime. Regardless of the 257 00:12:49.679 --> 00:12:51.320 ideological motivation behind it. 258 00:12:51.320 --> 00:12:52.919 It's just a crime on paper. 259 00:12:53.480 --> 00:12:56.960 The law does not typically recognize a political protest exemption 260 00:12:57.000 --> 00:13:00.240 for destroying digital infrastructure. But you are right that it 261 00:13:00.320 --> 00:13:03.840 highlights the immense complexity of defending these networks. You aren't 262 00:13:03.879 --> 00:13:06.759 just defending against profit driven syndicates. You are defending against 263 00:13:06.759 --> 00:13:10.639 ideological actors utilizing the exact same dual use tools. 264 00:13:10.720 --> 00:13:15.080 Here's where it gets really interesting. Given this threat landscape, 265 00:13:15.120 --> 00:13:18.519 the million bugs, the dual use tools, the syndicates, the activists, 266 00:13:19.200 --> 00:13:22.799 how do companies actually deploy these lock picks to defend 267 00:13:22.799 --> 00:13:24.600 their one hundred story skyscrapers. 268 00:13:24.639 --> 00:13:26.159 It's a multi layered approach. 269 00:13:26.320 --> 00:13:28.720 There seem to be two distinct layers to this, actually, 270 00:13:28.879 --> 00:13:31.200 vulnerability assessment and penetration testing. 271 00:13:31.440 --> 00:13:34.399 They are distinct, and confusing them is a very common 272 00:13:34.440 --> 00:13:39.559 corporate failure. A vulnerability assessment is fundamentally an automated process. 273 00:13:40.360 --> 00:13:44.159 Think of a software scanner probing your network architecture, checking 274 00:13:44.159 --> 00:13:47.360 the versions of your software against the known database of flaws. 275 00:13:47.840 --> 00:13:50.559 So it's essentially a security guard walking down a massive 276 00:13:50.600 --> 00:13:54.320 hotel hallway just rattling every single doorknob to see if 277 00:13:54.360 --> 00:13:57.559 it's locked, and writing down the room numbers of the open. 278 00:13:57.320 --> 00:14:00.799 Ones precisely, and at the end it's out a massive, 279 00:14:00.960 --> 00:14:03.960 terrifying phone book sized list of potential vulnerabilities. 280 00:14:04.039 --> 00:14:05.320 So uns helpful though. 281 00:14:05.200 --> 00:14:10.120 It is, but automation lacks contextual awareness that scanner might 282 00:14:10.159 --> 00:14:14.200 flag a low risk internal issue like say an outdated 283 00:14:14.279 --> 00:14:16.600 driver on a printer in a locks basement, as a 284 00:14:16.639 --> 00:14:20.159 high priority, sending the IT team on a time wasting wild. 285 00:14:19.879 --> 00:14:22.519 Goose chase, which brings me to my next question. If 286 00:14:22.519 --> 00:14:25.720 computers can process data and scan networks millions of times 287 00:14:25.720 --> 00:14:29.320 faster than a human, why do companies pay human penetration testers. 288 00:14:29.559 --> 00:14:31.519 Doesn't the scanner just find the bugs faster? 289 00:14:31.759 --> 00:14:34.679 The scanner finds the ocillator bugs faster. What the scanner 290 00:14:34.759 --> 00:14:36.080 lacks is human cunning. 291 00:14:36.320 --> 00:14:37.000 Human cunning. 292 00:14:37.279 --> 00:14:42.279 Yeah, a vulnerability scanner sees one thousand isolated unlocked windows. 293 00:14:43.080 --> 00:14:46.799 A human penetration tester, the ethical hacker, looks at the 294 00:14:46.879 --> 00:14:49.679 architecture and realizes that if you climb through low risk 295 00:14:49.720 --> 00:14:53.159 window A, it gives you just enough access to reach 296 00:14:53.360 --> 00:14:56.360 the fire escape, which allows you to bypass the firewall 297 00:14:56.759 --> 00:15:00.360 and access the ventilation shaft which drops you to directly 298 00:15:00.360 --> 00:15:04.120 into the domain. Controller. Penetration testing is the act of 299 00:15:04.200 --> 00:15:09.960 chaining seemingly boring low level vulnerabilities into one massive catastrophic attack. 300 00:15:10.159 --> 00:15:14.159 So it's establishing the real world risk exactly. And the 301 00:15:14.159 --> 00:15:16.679 methodology for this is highly structured, isn't it. You have 302 00:15:16.720 --> 00:15:19.200 the red teams acting as the aggressive attackers and white 303 00:15:19.240 --> 00:15:20.759 teams setting the rules of engagement. 304 00:15:20.879 --> 00:15:22.840 Right. They establish the boundaries first, and. 305 00:15:22.759 --> 00:15:25.879 Then they passively and actively scan the target. They fingerprint 306 00:15:25.919 --> 00:15:29.200 the operating systems by analyzing how the servers respond to 307 00:15:29.240 --> 00:15:32.480 specific packets, so they know exactly what architecture they're dealing. 308 00:15:32.240 --> 00:15:34.080 With yep mapping the territory, and. 309 00:15:34.000 --> 00:15:37.240 Then they execute privileged escalation. They start as a low 310 00:15:37.360 --> 00:15:40.480 level guest user and systematically trick the system until they 311 00:15:40.480 --> 00:15:44.200 have administrative control. But the most fascinating part of this 312 00:15:44.320 --> 00:15:46.159 dynamic to me is trophy hunting. 313 00:15:46.519 --> 00:15:51.799 Ah trophy hunting. That is a psychological mechanism used to 314 00:15:51.840 --> 00:15:56.519 bridge the gap between technical reality and executive complacency. 315 00:15:55.919 --> 00:15:57.639 Because executives don't always listen to the. 316 00:15:57.600 --> 00:16:00.639 IT folks exactly. A security professional can stand in a 317 00:16:00.639 --> 00:16:04.600 boardroom and talk to a CEO all day about misconfigured ports, 318 00:16:04.639 --> 00:16:08.039 buffer overflows, and protocol flaws, and the CEO's eyes will 319 00:16:08.080 --> 00:16:10.320 just glaze over. It's too abstract, right. 320 00:16:10.240 --> 00:16:13.120 It doesn't feel like a business problem until it physically 321 00:16:13.200 --> 00:16:14.840 hurts exactly. Yeah. 322 00:16:14.879 --> 00:16:17.960 So the ethical hackers deliberately extract a trophy during the 323 00:16:18.000 --> 00:16:21.000 pen test to make the invisible threat undeniable, Like what 324 00:16:21.159 --> 00:16:24.200 kind of trophy they might exultrate the company's proprietary R 325 00:16:24.240 --> 00:16:27.440 and D data or the secret recipe for their flagship 326 00:16:27.480 --> 00:16:32.799 product or incredibly effectively, they present the CEO's actual password 327 00:16:32.840 --> 00:16:33.320 to the board. 328 00:16:33.440 --> 00:16:34.000 Oh miss. 329 00:16:34.039 --> 00:16:37.559 Yeah. When an executive realizes that a hacker just bypassed 330 00:16:37.559 --> 00:16:41.320 a million dollar firewall because a VP used I am 331 00:16:41.399 --> 00:16:45.679 wearing panties as a password, the abstract technical issue immediately 332 00:16:45.720 --> 00:16:47.120 becomes a boardroom priority. 333 00:16:47.200 --> 00:16:48.600 I bet it does? It forces action? 334 00:16:48.799 --> 00:16:48.960 Yeah. 335 00:16:49.159 --> 00:16:52.440 Now, what's really chilling is that the unethical, malicious syndicates 336 00:16:52.519 --> 00:16:57.279 use this exact same methodology standing fingerprinting privileged escalation. But 337 00:16:57.360 --> 00:17:01.480 their post breach behavior is where the tree true insidiousness shows. 338 00:17:01.559 --> 00:17:02.240 Oh. Absolutely. 339 00:17:02.279 --> 00:17:05.119 They don't just take a trophy and leave. They dig in. 340 00:17:05.480 --> 00:17:09.759 Yes, the persistence mechanisms are deeply complex. They will route 341 00:17:09.799 --> 00:17:13.640 their connections through multiple compromised intermediaries, bouncing from a server 342 00:17:13.759 --> 00:17:18.319 in Brazil to a router in Ukraine to obscure their origin. 343 00:17:18.119 --> 00:17:19.400 Just bouncing all over the globe. 344 00:17:19.480 --> 00:17:21.960 Right, and more importantly, they deploy rude kits. 345 00:17:22.640 --> 00:17:25.599 Now, a root kit isn't just a standard virus, right, 346 00:17:26.039 --> 00:17:29.160 How does it actually hide from the antivirus software that 347 00:17:29.279 --> 00:17:30.599 is actively looking for it. 348 00:17:30.599 --> 00:17:33.279 It's a matter of hierarchy. A root kit embeds itself 349 00:17:33.279 --> 00:17:36.559 deep within the operating system's kernel, essentially sitting below the 350 00:17:36.599 --> 00:17:41.799 antivirus software. Yeah. When the antivirus asks the operating system, hey, 351 00:17:41.839 --> 00:17:44.839 are there any malicious files in this directory? The root 352 00:17:44.920 --> 00:17:48.640 kit intercepts that request and forces the operating system to 353 00:17:48.759 --> 00:17:54.000 lie and say nope, everything is clean. Wow. It subverts 354 00:17:54.039 --> 00:17:57.240 the very tools designed to detect it. They also meticulously 355 00:17:57.359 --> 00:18:00.400 scrub the audit logs to erase any digital food prints 356 00:18:00.400 --> 00:18:01.000 of their entry. 357 00:18:01.440 --> 00:18:05.119 And then there's the ultimate irony, the hostile monopoly. 358 00:18:05.279 --> 00:18:06.279 Oh, this is fascinating. 359 00:18:06.400 --> 00:18:09.400 Once a malicious group compromises a server, they will often 360 00:18:09.480 --> 00:18:13.599 harden the system like they will actually patched the vulnerabilities 361 00:18:13.599 --> 00:18:14.720 they exploited to get. 362 00:18:14.599 --> 00:18:17.039 In, not out of the goodness of their hearts, of course, no. 363 00:18:17.480 --> 00:18:21.759 To lock out rival hacking syndicates. They basically become the 364 00:18:21.880 --> 00:18:24.880 aggressive it support for the system they just hijacked, so 365 00:18:24.920 --> 00:18:27.920 they maintain exclusive control over their stolen real estate. 366 00:18:28.319 --> 00:18:32.200 Which perfectly illustrates why defensive strategies are so difficult. You 367 00:18:32.240 --> 00:18:35.799 are fighting an adversary that understands your infrastructure better than 368 00:18:35.839 --> 00:18:39.000 you do and who is highly motivated to protect their 369 00:18:39.039 --> 00:18:40.119 illicit investments. 370 00:18:40.240 --> 00:18:41.960 It's a nightmare scenario. 371 00:18:41.839 --> 00:18:45.880 It is, but inevitably technical defenses will fail, breaches will occur, 372 00:18:46.640 --> 00:18:50.079 and when the digital perimeter collopses, the physical world has 373 00:18:50.119 --> 00:18:52.079 to step in to establish accountability. 374 00:18:52.920 --> 00:18:55.880 So what does this all mean, which brings us to 375 00:18:56.000 --> 00:18:59.079 the collision of Internet packets and the physical courtroom. 376 00:19:00.359 --> 00:19:00.480 Law. 377 00:19:00.640 --> 00:19:02.960 Yes, the legal battlefield. 378 00:19:02.599 --> 00:19:06.480 And the stakes here are evolving rapidly because business leaders 379 00:19:06.519 --> 00:19:11.680 are increasingly facing personal liability, regulatory fines, and shareholder lawsuits 380 00:19:11.680 --> 00:19:13.319 for failing to secure user data. 381 00:19:13.519 --> 00:19:16.440 It's getting very real for executives when we look at 382 00:19:16.480 --> 00:19:19.039 the legal framework in the United States, A massive pillar 383 00:19:19.119 --> 00:19:22.559 of this is eighteen USC twenty twenty nine, commonly known 384 00:19:22.599 --> 00:19:24.359 as the Access Device Statute. 385 00:19:24.400 --> 00:19:27.359 It is the foundational text for prosecuting digital financial crimes, 386 00:19:28.079 --> 00:19:31.240 but the nomenclature is deceiving. The term access device makes 387 00:19:31.279 --> 00:19:33.799 it sound like a physical key card or a hardware token, right. 388 00:19:33.839 --> 00:19:37.440 It sounds tangible, But how broad is the actual legal definition? 389 00:19:37.599 --> 00:19:41.079 Incredibly broad. Under the statute, an access device is any 390 00:19:41.160 --> 00:19:45.279 card plate code, account number, personal identification number, or telecom 391 00:19:45.319 --> 00:19:48.200 service identifier that can be used to obtain money, goods, 392 00:19:48.359 --> 00:19:49.000 or services. 393 00:19:49.319 --> 00:19:52.559 So a string of texts a password is legally an 394 00:19:52.599 --> 00:19:53.480 access device. 395 00:19:53.720 --> 00:19:56.400 Yes, a credit card number sitting in a database is 396 00:19:56.440 --> 00:20:01.119 an access device. The federal law criminalizes the production, use, 397 00:20:01.279 --> 00:20:05.880 or trafficking of counterfeit or unauthorized access devices. 398 00:20:05.480 --> 00:20:08.000 And the real world applications of the statute read like 399 00:20:08.039 --> 00:20:11.720 scripts from heist movies, bridging that gap between digital data 400 00:20:11.799 --> 00:20:15.400 and physical hardware, they really do. We've seen syndicates deploying 401 00:20:15.440 --> 00:20:18.960 Bulgarian operatives to Atlanta who were ultimately sentenced to federal 402 00:20:18.960 --> 00:20:23.160 prison for ATM skimming. They were physically attaching overlay devices 403 00:20:23.200 --> 00:20:26.440 to ATMs to read the magnetic stripes, paired with hidden 404 00:20:26.440 --> 00:20:28.559 pinhole cameras to record the keystrokes. 405 00:20:29.000 --> 00:20:32.359 We've also seen insider threats like rings of waiters in 406 00:20:32.400 --> 00:20:36.400 major cities using handheld skimming devices to swipe patron's credit 407 00:20:36.400 --> 00:20:39.759 cards before returning them, stealing hundreds of thousands of dollars 408 00:20:39.759 --> 00:20:40.359 over months. 409 00:20:40.599 --> 00:20:42.960 And now the hardware evolution is removing the need for 410 00:20:42.960 --> 00:20:46.720 physical retrieval altogether. Hackers are breaking open the housings of 411 00:20:46.759 --> 00:20:50.680 gas station pumps, installing wireless skimmers deep inside the machinery, 412 00:20:51.039 --> 00:20:54.559 and stealing the pin ins and card data remotely via Bluetooth. 413 00:20:54.920 --> 00:20:56.759 They never even have to return to the scene of 414 00:20:56.759 --> 00:20:58.039 the crime to collect their harvest. 415 00:20:58.200 --> 00:21:00.640 That is wild, and the pedal to use for these 416 00:21:00.640 --> 00:21:04.359 crimes under the statute are designed to be devastating. Fines 417 00:21:04.400 --> 00:21:07.359 can range from ten thousand to fifty thousand dollars or 418 00:21:07.519 --> 00:21:09.960 up to twice the financial value of the crime itself. 419 00:21:10.559 --> 00:21:14.279 Prison sentences for trafficking these devices can easily stretch from 420 00:21:14.400 --> 00:21:15.519 ten to twenty years. 421 00:21:15.680 --> 00:21:19.039 The legal system is casting a very wide, very heavy 422 00:21:19.119 --> 00:21:22.359 net to create a deterrent effect, but de terns only 423 00:21:22.440 --> 00:21:25.160 works if the law can catch the innovator. 424 00:21:25.000 --> 00:21:28.000 Which brings up a fundamental paradox I look at the 425 00:21:28.079 --> 00:21:31.200 mutation rate of malware. The source mentioned that at one point, 426 00:21:31.240 --> 00:21:34.440 security firms like Symantec reported having to write a new 427 00:21:34.519 --> 00:21:37.039 virus signature every eight seconds just to keep up with 428 00:21:37.079 --> 00:21:39.359 the influx of new threats. Every eight seconds. 429 00:21:39.480 --> 00:21:42.039 Yeah, that's driven by automated polymorphism. 430 00:21:42.119 --> 00:21:42.759 What does that mean? 431 00:21:43.279 --> 00:21:46.519 The malware is programmed to constantly rewrite its own underlying 432 00:21:46.599 --> 00:21:50.319 code while maintaining its malicious function. It changes its digital 433 00:21:50.359 --> 00:21:54.480 signature every time it replicates, so standard antivirus software, which 434 00:21:54.480 --> 00:21:58.160 looks for known signatures, can't recognize it exactly. 435 00:21:58.480 --> 00:22:00.880 So if the digital threat is shape shifting its own 436 00:22:01.079 --> 00:22:05.160 architecture every eight seconds, through automation. How can a sluggish 437 00:22:05.200 --> 00:22:09.039 physical legal system, where debating, drafting, and passing a single 438 00:22:09.039 --> 00:22:13.400 piece of legislation can take years ever possibly keep up. 439 00:22:13.559 --> 00:22:16.599 It can't, and that is the harsh reality of cyber law. 440 00:22:17.079 --> 00:22:21.119 The legal system is inherently and fundamentally reactive. It observes 441 00:22:21.119 --> 00:22:23.880 what has happened, argues about the damage, and tries to 442 00:22:23.880 --> 00:22:25.119 penalize it after. 443 00:22:24.920 --> 00:22:27.599 The fact, while technology just keeps racing ahead. 444 00:22:27.839 --> 00:22:32.759 Technology is proactive and exponential. This asymmetry is exactly why 445 00:22:32.759 --> 00:22:36.599 the security industry relies so heavily on continuous vulnerability assessments 446 00:22:36.720 --> 00:22:39.960 and the ethical hacking frameworks we've been discussing. The defense 447 00:22:40.000 --> 00:22:42.119 has to operate at the speed of the attack, not 448 00:22:42.200 --> 00:22:43.119 the speed of the courts. 449 00:22:43.279 --> 00:22:44.160 That makes total sense. 450 00:22:44.240 --> 00:22:46.000 Relying on the law to protect your network is like 451 00:22:46.039 --> 00:22:48.599 relying on a homicide detective to prevent a murder. They 452 00:22:48.640 --> 00:22:50.480 only show up after the damage is done. 453 00:22:50.680 --> 00:22:53.759 Wow, it really reframes the entire concept of security. 454 00:22:54.119 --> 00:22:56.319 Well, we've mapped out quite a journey today for you. 455 00:22:56.759 --> 00:23:00.599 We started by discarding the hoodie myth, exposing the global 456 00:23:00.920 --> 00:23:05.720 profit driven syndicates manipulating markets and coordinating massive ATM heists. 457 00:23:06.000 --> 00:23:09.240 We looked at the terrifying mathematics of software complexity too, 458 00:23:09.680 --> 00:23:13.279 where millions of lines of code guarantee a porous perimeter. 459 00:23:13.400 --> 00:23:16.039 We explored the dual use nature of the lock picks 460 00:23:16.359 --> 00:23:19.640 and how human cunning is required to chain those vulnerabilities 461 00:23:19.680 --> 00:23:23.279 together to break into the boardroom. And finally, we looked 462 00:23:23.279 --> 00:23:26.400 at the sluggish, reactive nature of the legal system trying 463 00:23:26.400 --> 00:23:29.119 to govern a landscape that mutates every eight seconds. 464 00:23:29.240 --> 00:23:32.359 It really reinforces the core philosophy you have to understand 465 00:23:32.400 --> 00:23:34.920 the offense to build a functional defense. 466 00:23:34.920 --> 00:23:38.119 And looking to the horizon, the stakes of that defense 467 00:23:38.160 --> 00:23:41.680 are moving far beyond financial fraud. The gap between digital 468 00:23:41.680 --> 00:23:43.759 code and physical consequence is closing. 469 00:23:44.000 --> 00:23:47.200 It is we've seen instances where actors use cheap, commercially 470 00:23:47.240 --> 00:23:50.680 available software to intercept the live classified video feeds from 471 00:23:50.759 --> 00:23:52.319 military predator drones. 472 00:23:52.079 --> 00:23:55.680 Which is terrifying on its own, but more concerningly, malware 473 00:23:55.759 --> 00:23:57.960 is increasingly targeting SKATA systems. 474 00:23:58.240 --> 00:24:01.960 SCATA being the operational technology that bridges the gap between 475 00:24:02.079 --> 00:24:04.839 software and physical infrastructure. 476 00:24:04.240 --> 00:24:08.160 Right supervisory control and data acquisition. It's the code that 477 00:24:08.200 --> 00:24:10.799 tells the physical valves at a water treatment plant to open, 478 00:24:11.200 --> 00:24:14.480 or the centrifuges at a nuclear facility to spin, or 479 00:24:14.519 --> 00:24:17.400 the switches on a regional power grid to flip. The 480 00:24:17.480 --> 00:24:21.640 software is literally integrating into the physical mechanisms of society. 481 00:24:21.960 --> 00:24:24.000 So the blast radius of a breach goes from a 482 00:24:24.039 --> 00:24:28.240 stolen credit card to a compromised municipal water supply exactly. 483 00:24:28.640 --> 00:24:31.240 So I'll leave you with this to consider. As our 484 00:24:31.240 --> 00:24:34.960 physical infrastructure grows exponentially more reliant on millions of lines 485 00:24:34.960 --> 00:24:38.279 of inherently flawed code, will we eventually reach a point 486 00:24:38.279 --> 00:24:42.119 where these systems are legally and functionally too complex to secure? 487 00:24:42.359 --> 00:24:43.160 That's a heavy thought. 488 00:24:43.400 --> 00:24:46.799 Will you, as a digital citizen in a hyper connected society, 489 00:24:47.160 --> 00:24:50.519 have to simply accept a baseline level of continuous, invisible 490 00:24:50.519 --> 00:24:53.839 compromise as the unalterable cost of living in the modern world. 491 00:24:54.119 --> 00:24:57.240 It makes you look at every piece of technology around 492 00:24:57.240 --> 00:25:00.000 you and wonder just how many windows have been left 493 00:25:00.200 --> 00:25:03.920 wide open. Keep questioning the systems you rely on every day. 494 00:25:04.160 --> 00:25:06.200 We'll see you next time for our next deep dive.