9. Sorry You Were Hacked - Here's a $480M Lawsuit to Brighten Your Day
Welcome, everybody, to episode 9 of Unhacked. I love that name because it's kind of a misnomer on purpose. You can't get unhacked. That's kind of the point of the podcast. So, let me do a quick introduction.
Speaker 1:We'll go ahead and review why we're here, what we're trying to accomplish, and then we're going to dig into the breach of the week. So, my name is Justin Shelley. I'm with Master Computing, and I'm here with Brian and Mario. Will you guys please introduce yourselves starting with Brian?
Speaker 2:Yeah. Brian Lachepoe with B4 Networks, based out of Niagara, or the Niagara Region, in Ontario, Canada, and we do computer support for small businesses throughout Niagara.
Speaker 1:Mario?
Speaker 3:Mario Zaki with Mastech. We are a managed service provider in the New Jersey area servicing the tri-state area, with New York, New Jersey.
Speaker 1:Alright. Like I said, I'm Justin with Master Computing, soon to be Phoenix IT Advisors. I've always hated my company name, and I finally pulled the trigger to change it. So, that's worth the longer conversation that doesn't really belong here. But, here we are.
Speaker 1:So Unhacked is a breakdown of real data breaches that we find out there. We wanna talk about how they impact real people, how they happened, what we can learn from them so that we can prevent the same damn thing from happening to us. Because here's the problem, guys, and you guys tell me if I'm wrong, but in our industry, we are charged with protecting all of our clients from the most god awful thing that can happen to a business. Because if somebody gets hacked, not only does it cost a fortune, it can put them out of business. Right?
Speaker 1:Generally speaking, how much of this information is shared with the public or even inside the community on how, you know, the real details of a breach? Do you guys know? Like, when and we're gonna talk about it today. This is one of our frustrations as we're prepping. Right?
Speaker 1:There's just not that much information out there. So, the point of the podcast is we're gonna get everything that we can, and I think it's pretty safe to say that most of these breaches happen. There are a few ways that they happen. And if we take the recommended measures that would have prevented them, we can prevent most of them. Fair?
Speaker 1:Can somebody push back on that?
Speaker 3:I agree.
Speaker 2:Yeah. Absolutely. Yeah. Ironically, if they don't share the information on how the hacks occur, it makes it very difficult for us to learn from them. So, yeah, we'll dive into that, I'm sure.
Speaker 1:Yeah. A little frustrating part of our industry. So let's go and introduce today's topic. And, Brian, we're, we're moving up to Canada today.
Speaker 2:Yeah. We're definitely moving into my territory. In fact, it's literally in my backyard. Just last year, at the end of the year, around October, November, December, 5 of the local hospitals in the region right next to mine were hacked. These are government owned hospitals.
Speaker 2:All 5 of them are sharing one local health integration network, and, they were breached, which caused everything we're about to discuss. So big big organization with big consequences.
Speaker 1:And let me put one disclaimer out there, to our listening audience and lawyers who may be listening. We don't know anything. Alright? We're we're reading the news. We're we're making assumptions, and we're talking about industry best practices, industry standards.
Speaker 1:Right. Because like we said, we don't know. And we're gonna talk about what we think may have happened. We're gonna talk about what other people think may have happened, but we don't have any true inside information. And we are not trying to say anything bad about the people who were the victims.
Speaker 1:And I wanna remind everybody, these are the victims we're talking about today, not the perpetrators. Those assholes, by the way, I'll probably talk about that more. But they're hidden. They're behind cryptocurrency. They hide behind that.
Speaker 1:So they're hidden behind government institutions sometimes. I mean, it's it's ugly trying to trace them down. So all we're really left to do is talk about the victims, and that sucks. But here we are. So in no way, shape, or form am I or is Brian or Mario saying anything negative about the victims of this crime, which is the hospital system, the government that runs them, and the patients that are a part of it.
Speaker 1:Okay? So with that disclaimer, sick patients. Yeah. I mean, like, this is life and death. Literally life and death.
Speaker 1:And we've got people out there taking advantage of it for a few bucks. Well, a lot of bucks. Spoiler alert, they didn't get paid this time. So, alright. Brian, since this is in your neck of the woods, tell me, like, give me just a couple of points to work with on what was the actual impact.
Speaker 1:So it's it wasn't your hospital that you would have to go to in an emergency. Is that correct?
Speaker 2:No. Like, I'm in a region right next door. So we're part of the Niagara Region Local Health Integration Network. This is the Southern Ontario Local Health Integration Network. So it's just, like, almost next door.
Speaker 2:I could drive there in an hour and a half, 2 hours, and be and be over there. And so, you know, some of the impacts of this is that the staff, the hospital, they were unable to access any of the critical information that, that they needed access to, patient records and and appointments. In fact, they had to cancel, well over 3,000, I think it's 3,000. No. 20,000 patients.
Speaker 2:Sorry. My apologies. 20,000 patients had their appointments canceled across the 5 hospitals. And some of these people could have had, and I'm I'm just guessing here, but surgeries or or life life, you know, altering procedures that needed to be done and, weren't able to have them done. And it's not like, you can just drive, you know, to the next hospital over.
Speaker 2:Like, that's the entire region. They would have had to come into my neck of the woods.
Speaker 1:Hospital got hacked too. Right?
Speaker 2:Well, yeah, all the 5 of them in that whole area got hacked because they're all together, which means that, you know, they could certainly go to other regions, within Ontario, but they they've got their own backlog. And, you know, there there's no way they could have handled all those those patients. Yeah.
Speaker 1:I mean, we've got real consequences. Go ahead, Mario.
Speaker 3:20,000 patients now trying to travel, you know, an hour and a half, 2 hours out of the area. And those would essentially be, like, emergency room patients that would be traveling. You know, people that broke their arm, people, you know, with chest pains and stuff like that. The patients that cannot move somewhere else, like a surgery or people, you know, waiting for their chemotherapy or radiation, you can't just go to another hospital and say, hey. I'm here for my, you know, my daily radiation. You know?
Speaker 3:Like, you have to speak to your oncologist. They have to put you on a special plan and all that stuff. All that stuff is documented in your chart that is not now available to anybody because everything is now, you know, locked down and encrypted. So you they can't even look up your dosage and see what kind of medicine you need for that day or kind of radiation you need for that day.
Speaker 1:Right. But and I'm gonna skip around a little bit, Mario, but, you talk like you might know have a little inside information on how the hospitals work. Because I'm an IT guy, and I don't know anything about what you're talking I mean, you know, common sense, but, you got a little inside scoop there maybe.
Speaker 3:Well, yeah, I my, my wife works as a lead PA in a hospital in New York. And when we decided that we were going to have this as our topic for our podcast, I kind of, interviewed her and asked her some questions. She actually told me to look up to watch like some episode. I forgot what show, but she essentially told me that, you know, even though their her hospital has never been hacked with something like this, there has been times where the entire infrastructure, the, entire IT has been down and it it just completely is becomes a nightmare for the entire staff to look up charts or even to document charts. You know, the nurses are not able to go to what she calls, what they call the pick system and dispense like medicine just for, you know, being just in the emergency room.
Speaker 3:There are, you know, you know, sometimes also when you're wanna dispense a medicine, you're not even able to see if that medicine's conflicting with another medication that you're on. And she was telling me like, you know, there's times where, they had to turn patients away or, or even, you know, they're only able to limit to what they can do, you know, the broken arms, the, you know, you know, the doing EKGs and stuff like that. But, even then, sometimes all those other systems are networked to their main infrastructure and even basic stuff like monitoring and stuff like that, they weren't able to to be, used, you know, and reschedule, you know, they have to reschedule whatever they can and, you know, waiting rooms backed up, like, 4 or 5, 6 hours at a time.
Speaker 1:Yeah. Crazy stuff. I've got a, kind of a former client, but we help them with, radiology implementation. We get the system up and running, and then, it would go down. There was major problems with the manufacturer.
Speaker 1:But, yeah, we had patients who were coming in for cancer treatment, like you're talking about. And, you know, they want their results, or they want their next treatment, and they can't get them. And this is, again, not a breach, but still, when when you can't get access to that information, there's a a life and death toll on on in play. There's a huge emotional cost. And then, you know, speaking to the hospital, their perspective, 20,000 appointments, like, that that's money.
Speaker 1:And people love to complain these days about businesses who wanna make money, but I'm sorry if you're not making money, you're not a business. If the hospital's not there, they can't treat you. So, you know, that that's a another real significant factor here is the cost. The emotional, the physical, the health cost, and the financial cost is just devastating for something like this. So
Speaker 2:In this particular case, these hospitals don't run as a business because they are government owned. Right? It's all paid for for the most part. But they still would have to pay all those those doctors and all of the the staff to continue to pay them even if they're not working, which means there is still a significant cost on the organization as a whole. And then you still gotta catch up on all of those procedures at some point or another.
Speaker 2:Pay overtime to do them all. Right?
Speaker 1:People think that because the government's paying for it, that it's endless money. It isn't.
Speaker 2:Yeah. Right.
Speaker 1:I mean, that money's gotta come from somewhere eventually. So Exactly. The the cost the financial cost is very real and very significant. Absolutely. Whether it's a government or or private.
Speaker 1:And, you know, I know none of us really.
Speaker 2:Yeah. And and if
Speaker 1:Yeah. I probably don't care about government, but, you know
Speaker 2:Yeah. Yeah. In this particular case, there were approximately 267,000 patients whose information was leaked, which, you know, some of them had to get some sort of credit monitoring done. That was one of the things they were talking about in the news, about how they're paying for credit monitoring. Now I'm not gonna assume all 267,000 people were, but let's just say they were.
Speaker 2:That's millions and millions of dollars just to pay for credit monitoring for those folks. Right? And then there were, of course, you know, over 3,000 staff members that had their information leaked. Who wants to work for a company that doesn't necessarily treat their information, you know, with the utmost care? And, again, I'm not blaming the hospital or the hospital staff, but the perception in the public, and you alluded to this, Justin, the perception in the public is always to blame the victim in this particular case.
Speaker 2:Right? Cyberattacks, they always look at the the the victim and blame them and say, like, well, you could have done more. You could have done this. You could have done that. And, you know, in some cases, they can.
Speaker 2:But the reality is is that, you know, they're not entirely the ones to blame. The criminals are. But from the public perception, they're the ones who are gonna get blamed.
Speaker 3:Yeah. So And
Speaker 1:and we are. Just just to be fair, we are gonna come back and we're gonna poke at them a little bit. Right? Because that's what we do. With the disclaimer that I'll say again, we don't have any inside information.
Speaker 1:But we will talk about, you know, what what should be done in our cases, what we can kind of guess at what probably was part of the cause here. But yeah. So we'll we'll come back to that. We'll dive into that a little bit more. What else as far as hospital impact or patient impact do we have?
Speaker 1:We caught everything or we missed some
Speaker 2:Well, there's now oh, go ahead, Mario.
Speaker 3:Sorry. I believe, Brian, correct me if I was wrong. They were down for over a week. Right?
Speaker 2:A lot longer than a week. To my knowledge, it it was it was a couple weeks. Now they were able to recover and and some systems and be able to continue servicing the general public for for certain items. But by and large, from my understanding, they decided, and we'll touch on this a little bit later, to rebuild the entire system from scratch, which means, you know, there there's obviously a lot that they were not able to access. So how long?
Speaker 2:I, you know, I I don't even think they're fully
Speaker 1:under still rebuilding. I'll tell you that. Yeah. If they rebuilt from scratch, they're still rebuilding. You don't you don't do that in in a few weeks or even months.
Speaker 2:But here's a little, you know, tidbit. There's a class action suit now for $480,000,000, alleging that the cyber criminals, or sorry, the hospitals didn't do enough to protect the data. And so even if they weren't to blame, there's now this, like, looming lawsuit on them. And if, you know, you are a private corporation or private entity, you're on the hook for that.
Speaker 2:Right? There is no insurance that's gonna cover $480,000,000 worth of a lawsuit. Right? So
Speaker 3:It's sad because, since it is a government facility, who's gonna be paying that, you know, half a billion dollars? You know, it's gonna be the taxpayers. That's all. Yep. You know, taxes are gonna go higher all of a sudden.
Speaker 3:Now everybody that's being or, sorry, suing is now going to actually be paying for it. So it's, kind of crazy if you ask me. That's a good point. Just. You know, like, you're pretty essentially paying for the lawsuit yourself if
Speaker 1:if this I mean, yeah. You're spreading it among more people, but that's Yeah. Pretty solid point. That's kind of fun. Okay.
Speaker 1:So let's let's kinda transition into and let's let's poke a little bit and see if we can figure out, what happened or at least what lessons we can learn. Because, again, we're just here trying to figure out how to make this not happen to us. Right? And and not happen again. If we can learn something Yeah.
Speaker 1:Then we want to. So, we've already talked about it being 5 hospitals that were attacked. And my understanding, and Brian, you're the expert on this case, is this was a ransomware attack. They come in, they hold you for money.
Speaker 1:And and I'm gonna give Mario give you a little bit of a airtime here. In, like, three sentences or less, define a ransomware attack. What is that?
Speaker 3:A group of criminals that go in and either extract or encrypt your data and request for money.
Speaker 1:And if I've never been a victim of a ransomware attack, I walk into my office, my company's been ransomed, I turn on my computer and what somebody's holding a gun. Like, what what does that mean? What what do they see? What's the experience?
Speaker 3:So, essentially, you know, you're not gonna be able to open up any of your data, your programs, your documents, or anything. You walk in. A lot of the times, they have, like, this bright red, you know, background on there that's in a in a word document or a, you know, notepad document that's open. This says we've encrypted all your data. If you wanna, you know, see it again, you have to give us, x amount of Bitcoins, you know, sent to this untraceable, you know, link.
Speaker 3:And, once we receive it, we'll give you a code that will let you unencrypt your data. Now when that happens, it's a 50/50 shot if they're gonna give it to you or not. If they're gonna give you the, you know, the code to unencrypt your data. They can. Yeah. Because they have no money at that point.
Speaker 3:You know?
Speaker 2:There's no honor in criminals.
Speaker 1:Yeah. Exactly. No. No. No.
Speaker 1:Hold on right there. In my in-depth research into this industry, there actually is a code amongst criminals because Yeah.
Speaker 2:I heard that. Well, hear me.
Speaker 1:This is a business. If they gain the reputation that you pay them the millions of dollars that they're asking for and they don't deliver, you think anybody else is gonna pay? So you're goddamn right. They deliver. And I don't know what the statistics are.
Speaker 1:I'm guessing you made up the 50/50 because I think it's quite a bit higher than that. And what I also know is that they have support lines. If they can't unencrypt, they go into whoever wrote the software and, like, hey. Help me out. You know, we've got a customer emergency here.
Speaker 1:They do want your they do want you back up and running because not just for their reputation, but now you're a repeat customer. You've raised your hand and said, hey. I have weak security, and I have money.
Speaker 2:Yeah. Yeah.
Speaker 3:That is true. They That is very true.
Speaker 1:Cheaper to it's cheaper to repeat business with a customer than it is to go find a new one. So, of course, they wanna pay, they want you to pay, and they want to deliver amazing customer service. These are good guys, guys. Come on. Come on.
Speaker 2:Yeah. The other component here that, that was missed is is, you know, a lot of business owners out there will say this and they'll they'll they've I've heard it said to me many times, say, well, you know, I don't really care if I get my data back. I'm backing it up. And even if I don't get it back, who cares? You know, it's not that important to me.
Speaker 2:Well, the rebuttal of that is these criminals have caught on wind of that as well. And now they don't just not give you your information back. They might release it to the public, through a data dump. And now that information, you might not care about it, but your customers, your patients, your, you know, the people that the data pertains to, they might care, and they might be extremely upset by the fact that you have now been compromised and, you know, your data was their data was released because of your actions or lack thereof. So it's important to note that, yes, there's a ransom, pay me or you don't get your data back, but it's pay me or you don't get your data back, and we'll release it to the public.
Speaker 2:Right?
Speaker 1:That's some sort of they would they wanna bear it's extortion. Right? No matter how they frame it, it's some version of extortion. It's reputation. It's the the ability to operate.
Speaker 1:Because even if you can restore that process, like we talked about, what's the process to restore an entire network from backup? Good luck.
Speaker 2:Very expensive.
Speaker 1:And we're assuming that all the backups are working flawlessly. How many times when you go to restore from backups? I want you to both throw out a number percentage of times, and and not yours because I don't want you to point you know, don't don't give yourselves away. But when you go into a prospective client and you say, okay. Let's test your backups.
Speaker 1:How often do they work?
Speaker 2:Prospective clients? Prospective clients. It might be a shot in the dark, like 50/50. If they were looking at their log files and they say that they're working, fine. If they're not looking at their log files, then in most cases, I find that it hasn't been running or hasn't been working at all. Or it has been working, but not everything was covered as part of that backup.
Speaker 3:Yeah. Exactly. Sometimes sometimes they they think the whole thing was being backed up, but it was only backing up a certain partition or certain folder, and it wasn't backing up the whole thing. Yeah. I would I I would tend to agree with Brian.
Speaker 3:I would say about 50 to 60% of the time, it it's working.
Speaker 1:I'm at 0%. I have never had a customer or a prospective customer come in or a new customer come in and say, hey. I've had system failure. Here's my backups. Help me.
Speaker 1:I've never had that work in 25 years of doing IT work. I've never had it work once. Now to be fair, I don't get a lot of those. Right? That's that's not a daily thing.
Speaker 1:It's happened a handful of times, but not once has it been successful.
Speaker 2:Yeah. In most cases, they're backing up the files, but they're not actually backing up the operating system, which means that, you know, it's still gonna take weeks or months to be able to reinstall everything from scratch, reinstall the software, reconfigure it, and then restore the data. So
Speaker 3:But also keep in mind, restoring that data, you may just piss off the criminals more because they probably already have a backdoor, or you actually backed up and restored whatever the way they came in from. And I've seen it where, and this is not one of my customers, you know, this was somebody I knew. They actually wiped everything out, restored from backup.
Speaker 3:3 days later, they got hit again by the same group, and the ransom got doubled because they knew that they tried to, they thought the backup was gonna be safe and whatever, and they moved on with their day. 3 days later, they got hit
Speaker 1:again. Yeah. That I I think I've already said it on here, but that's what switched my brain from I'm a computer repair shop to, no. I'm, fighting cybercrime. Was a client got breached on my watch.
Speaker 1:We did restore from backup Before I even drove back to the office, they were encrypted again. We kept going back farther and farther on the timeline with the backups until we finally realized, they've been on here for a long time, you know, and and we did end up rebuilding from scratch a network of 15 computers. And I have no idea how many are in this hospital system, probably just a touch more than 15. It took us 3 weeks to rebuild a network of 3 computer or, sorry, 15 computers with 3 technicians. Good luck, guys, on this hospital.
Speaker 2:You wanna know a really, shit, wanna know a really funny story? We once had somebody call us in because they got ransomwared. And we go in there, and they had backups. So we take a look at the backup.
Speaker 2:So we we find a backup. We restore it. And oddly enough, there there was still encrypted data. So we look at it. It's it's not the same encryption.
Speaker 2:And we go back further in a timeline, and they had, you know, another, encryption. And we're thinking like, jeez. What's going on here? They were encrypted. Then another virus came in and encrypted them, and then another virus came in and encrypted them a third time.
Speaker 2:They had three levels of encryption before they even and, apparently, they didn't access this data very often, thankfully. But three levels of encryption, three different groups encrypting your information one after the other, like, weeks apart. And they didn't notice until then. And we're you know, we we let them know, like, there's not much we can do here. We can go back all the way to, you know, when the original one was done.
Speaker 2:But if you've been backing up over top of the old stuff, like, you're overwriting all that good stuff with all the bad stuff. Right? So
Speaker 3:I feel getting encrypted at 3 levels. Like like, what are they clicking on? What are these guys
Speaker 1:Okay. Exactly. That's I wanna take it to the transition.
Speaker 2:Yes.
Speaker 1:This is a segue to Yeah. What are we doing wrong? Because I'm I I do try to be pretty fair to the people who get breached. They are victims. However, Brian, the one you just cited, like, come on.
Speaker 2:Okay. So I could I could tell you the story. This particular, organization, had a server, and the the owner's son had access because he's, you know, the the local guru in the family. And he was running a Bitcoin mining farm on the server using pirated software. And, of course, you know, when you're doing stuff that's not necessarily legal you know, not that Bitcoin mining is is illegal, but, you know, doing it on somebody's network, corporate network, that's even if it's your parent or or or somebody you know, I'm pretty sure they weren't intending for them to do that.
Speaker 2:Right? And so that somehow allowed other bad actors to get in because they were using software that wasn't vetted. It was just software that was put out there by the public or or by somebody online. It was like, hey, this software looks good. I'm gonna use that to mine Bitcoin.
Speaker 2:And next thing you know, bad actors had access to it multiple times in different ways. So Yeah. So any difference.
Speaker 1:Is it safe to say, fair to say, that any so called IT expert could have looked at that scenario and identified it as not a best practice? I
Speaker 3:think that's safe to say.
Speaker 2:So anybody who's, yeah, anybody who's worth their, yeah. They would not. Okay.
Speaker 1:They would not have approved. So so let's let's talk about best practices, and let's start throwing some theories around what happened at this hospital. What we we know a couple of things that really are conjecture by somebody else. But let's let's look at what probably or possibly happened here for the bad guys to get in. Sure.
Speaker 2:Yeah. I can I can dive in there? Just the just the first part there, how how we suspect, because I did read, up on this a little bit. And according to a couple of experts I won't mention names. You can certainly look through through news articles if you're really interested.
Speaker 2:According to a couple, or one of the experts anyway, it's possible that the hospitals, and he's worked with hospitals in the past, avoided installing updates because they're 24/7. So they avoided installing security updates to prevent any kind of system downtime because they're 24 hours a day. They didn't wanna risk that. And he says he's encountered hospitals that hadn't installed security patches for years after they were released. Right?
Speaker 2:So we all know that any software made by human beings is flawed, and they're constantly being updated by the software developers because they're constantly finding holes and bugs. I couldn't imagine having systems with no security updates for years. I mean, you talk to one of those suckers anywhere, and then we get infected within matter of minutes.
Speaker 3:They're called security updates for a reason. You know? There's obviously somebody who identified that there's an issue with whatever program out there, and they're releasing a security update. So, you know, it's bad when you don't install a security update, you know, beyond, like, a week or 2. But when you go for years, that is a little nutty.
Speaker 1:Reminds me a lot of WannaCry. You guys remember WannaCry? I do. Yeah. That was huge.
Speaker 1:And and I this is, it listen. This is, like, 7 years ago, and I'm an old man, and I don't remember stuff the way I used to.
Speaker 2:But It's 1 year. To my knowledge
Speaker 1:1 year. Well, but that the the patch had been out
Speaker 2:for a year. Right? The patch had been out for over a year before it was released, and then millions and millions of people were infected. That means millions and millions of people didn't install patches for over a year.
Speaker 1:Right. Right. Crazy. Okay. So that's, there's one key takeaway.
Speaker 1:Again, we don't know that that's what happened here, but we know that it is a problem. We know that, and, by the way, I'll come to their defense a little bit. When you do have an operation that runs 24/7 and you, as the IT guy who's been charged with the security of your whole network because it's your job and your boss just says do it, then you go to your boss and say, hey. In order to make the place secure, I've gotta take your servers down overnight. And they're like, no.
Speaker 1:You can't do that. Okay. So now what? Right? And whose job is it?
Speaker 1:Who who gets the ultimate say, and who's ultimately responsible, and especially when you've got, large organizations, when you've got government, AKA politics. And it it sounds simple. Just patch your stuff, but it really isn't always that simple.
Speaker 2:Right?
Speaker 3:Yeah. I mean, for the same same things that we mentioned earlier, you know, when the system is down, what happens? You know, waiting room builds up. You know, you can't do, you know, charts. You can't do the spend.
Speaker 3:So the that's why they're hesitant to bring the system down. But Yeah. You know, at least they're bringing it down in a controlled environment. The reason True. You know, they're they're doing it.
Speaker 3:And, you know, with a conversation with my wife, you know, the it happens. You know? Like, it doesn't happen on a weekly basis, but every couple months, they will schedule, say, hey. You know, on Tuesday you know, they try to pick the slowest time. You know, like, usually in, you know, middle of the week where it's not, you know, it's not a weekend.
Speaker 3:It's the middle of the week. In the middle of the night Not far from yeah. From 2 AM to 5 AM, the system will be unavailable while we do some routine maintenance. Everybody has heard those words before. It needs it needs to be done.
Speaker 3:You know, if it's, you know, once every 3 months or once every 6 months, it needs to be done. You know? And then not even just at the hospital level, even local, You know, smaller businesses need to do something like that.
Speaker 1:Real quick. All the IT guys in the room who have applied a patch to a server and had that server not come back online, raise your hand. Yes. Yes. Yes.
Speaker 1:And for those who aren't looking at video, that's all of us. So, again, this I just wanna make sure we're looking at all angles of this because I don't wanna make anybody the villain. We can point at the IT guys who didn't do their job right. We can point at the administrators who are, you know, looking at a different agenda. All of these things weigh into decisions that are made, and sometimes those decisions work.
Speaker 1:It's like trying to, you know, armchair quarterback. Right? You're looking at at the replay, and saying, well, I would have done this. Well, of course, you would have because you have the you you know, like, you have the proverbial crystal ball right now. But the ones making these decisions, they don't always we assume bad things aren't gonna happen.
Speaker 1:Right? That's really the problem here. So, okay, that high horse. I'm gonna step down off the soapbox. Go on, Brian.
Speaker 1:What what else what else we got here?
Speaker 2:Well, we're gonna talk a little bit about, you know because we don't know exactly what happened, and this information wasn't released. And I'm gonna go into my own little soapbox here. You know, when information isn't being released on how a hack occurred, right, these are these and and I'm gonna say this gently. These are doctors, like, maybe not the people running the organization, but, like, you know, in in a medical environment, when when an accident occurs, when a problem occurs, they do a form of debrief to identify what went wrong and what what can we change to make sure it never happens again. And then they release that information to the wider medical community so that all doctors can learn from that mistake and they don't have to make the same mistake.
Speaker 2:In this case here, we have no idea what happened, how it happened, how they got in, how they were able to infiltrate, what are the the ins and outs. And so as IT providers, we have no idea how to protect for that type of attack specifically because they're nobody's sharing that information. And in a lot of cases, they don't share the information because they're afraid of being looked at as incompetent. Well, it's even more incompetent not to share that information. Right?
Speaker 2:We need to know what other people are doing and missing so we can all learn.
Speaker 1:Let me clarify just a little bit so that we don't get too stupid here. When you say we have no idea, I'm gonna rein that in, and I'm gonna say that.
Speaker 2:Right. But let
Speaker 1:me finish. Let me finish. You're you you said all the things I would have said. But as I'm listening to it, we have a really good idea. But in the moment and this is kinda what I set you up for failure saying.
Speaker 1:In the moment, we don't know. With all the intricate details of every situation, we we don't have any idea. But what we wanna take away from this is we can on almost every one of these breaches, there are similarities that we can take those. We call them industry standards, best practices, whatever, and we can put those in place, and we can stop almost all of these attacks.
Speaker 2:Correct.
Speaker 1:Almost all of them. Right?
Speaker 3:And if if I could add something to what you guys are saying, you know, in our episode 8, we we went over the MGM, breach, and we learned that this the the way that breach happened wasn't a typical breach. It was a hacker that called the help desk, and then the help desk person then For social engineering. Yeah. Now that is not a typical everyday hack, but what we learned because they released how it happened, we learned, like, listen. As IT experts, we need to take certain precautions.
Speaker 3:We need to make sure when somebody calls in the help desk and asks for a password reset, if you don't, if you're not a 100% sure who this person is, because you have not speaking, spoken to him before you need to take these proper precautions. You need to either, you know, hang up with them and call the office back, dial his extension, make sure he picks up. Or if you have, you know, the, cell phone on file, you know, you text them a code and stuff like that. There are certain things that we've learned from the way the breach happened that we then pivot accordingly in this situation, we didn't really, they weren't, they didn't release how it happened. So as experts, we're going to do an educated guess of how we thought something like this can typically happen.
Speaker 3:Correct? Yeah.
Speaker 2:Correct. We do know a couple of things. So what we do know is that the group that allegedly attacked them and got into their system, were in there for a week before launching the attack and that their claims and, again, this is the criminal's claims, so take it for what it is. They claim that a lot of the passwords were similar across all of the systems, which made them vulnerable. And in their from their perspective, it was once they got in, the network is almost completely transparent.
Speaker 2:They can go pretty much anywhere and any anywhere on that system. So we do know those things, but we can take educated guesses. And I'll refer back to my colleagues here to go over some of those educated guesses as to how could have happened.
Speaker 1:Real quick on that information that you just shared. Where where did we get that from?
Speaker 2:It was from a news article. It was CBC, a CBC news article. I can certainly, give you the the link to share.
Speaker 1:Well, no. And I'm just I'm just curious, the hackers are are claiming this. How do we know? Do do they publicly
Speaker 2:They came straight.
Speaker 1:Humiliate, and they're like, hey. It was me. I did it, and here's how I did it. Is that Yeah. Is that what you're saying?
Speaker 2:Particular group came forward. I won't mention their name because a lot of these people love the kudos, and they love the the the attention. So, you know, this particular group came forward and took, they they admitted it was them. Now whether it was them or not, they were just looking for, you know, the glorification or or whatever. But they they claim it was them, and we have no reason to believe otherwise, that they're the ones who took over the system.
Speaker 2:And that those are that's what they released to the public. Why? I have no idea. Again, they love they love I like the
Speaker 1:attention like you said. Yeah. Yeah. Okay. Alright.
Speaker 1:Mario, were you gonna say something?
Speaker 3:No. I was pretty much just gonna clarify, like, by having that same password on multiple systems, it's equivalent to like having a master key in an apartment building, you know, like the super, you know, if he, if his key can open up multiple apartments, he can go anywhere. And 1, by going anywhere in that building or on that network, he's they're able they get free range to do whatever they want.
Speaker 1:Well and so this is a great example of you know, I'm I'm constantly referring to best practices. Right? Best practice is you do not share passwords. Right? And that sounds great on paper until you're an overworked, undertrained, underpaid, no vacation schmuck who's responsible for security because your boss just came to you one day and said, oh, by the way, I don't wanna hack make that happen.
Speaker 1:Right? So the the reality of having a different a unique password on a local admin password on each workstation without a tool to do it manually, somebody take that off. How how realistic is that, Brian? Mario?
Speaker 2:Oh, not. Unless you have a tool that will help you do it as difficult we when we do. But if you don't Yeah. You're not doing it.
Speaker 1:Yeah. Short of having a tool that automatically Go ahead.
Speaker 3:Yeah. You won't be able to unless, like, you're you're you come up with your own, like, way of of do either putting a a sticker, like a, of, like, a number on the computer and having a combination of different things or just walking around with a big Excel sheet, you know, like, you you you're really not gonna be able to to create a unique password for for all systems, especially thousands of computers across 5 different hospitals.
Speaker 2:There are there are tools that are available for it.
Speaker 1:There are. And that Which is why it's specified without a tool.
Speaker 2:Yeah. That will document the passwords as well. But then the dichotomy there is that that password or that tool
Speaker 1:use the key.
Speaker 2:Now becomes a security risk. So you then you have to make sure that's locked down Yeah. Really, really well.
Speaker 1:There's no perfect solution. There's no perfect solution. Right? We can agree on that. This is all a matter of taking making a best effort, not being a low hanging fruit, whatever.
Speaker 1:And the reason I kinda make this point, one of the things that's the most frustrating to me when I'm working with prospects is and I just had a conversation this morning with a guy who is the IT, for his company of 50 employees. So not a huge company, but big enough company. And he's the director of IT, which is his title. He's also like everything else in that company. He wears a 100 different hats, and, you know, he's looking god bless him because he's looking for help to not have to do this anymore.
Speaker 1:But right now, today, holy shit. If I go into that network and do an audit, it's gonna be a mess. Right? Because one guy who's wearing multiple hats without all the tools that we're talking about, it can't be done. This is not a DIY scenario.
Speaker 1:Right? For everybody listening, if you're if you're the guy, and you don't have specialized training and specialized tools, get out. Like, go work somewhere else. Because, you know, somebody's gonna point the finger at you. We're talking about lawsuits here.
Speaker 1:Who Who else gonna be named in that lawsuit? I mean, we don't know, but we can sure guess. And and it'll be the guys at the top, but it's also gonna be the people who, were responsible even if it's just on paper to do this stuff. Even if they weren't given the budget, even if they weren't given the resources to do it, if it's their job, somebody's coming after them. Right?
Speaker 1:So,
Speaker 3:I If I could add add something, you know, we have those tools, and we've locked them down, but it's, you know, and I'm sure you guys, you know, as well as us, we have multiple layers to those tools. Like, you know, our our our toolset, you can't can you can't you can log in to our system unless you're using our VP or, sorry, our IP address in our building or VPN into our building and use it. Like, if somebody's from the outside tries to log in to our RMM, you can't you can't use it. So not only do you have to have the tools and you have to have it protected, but you have to have different layers protecting those things too. Once you log in, you need 2 factor authentication.
Speaker 3:So now you need a VPN. You need the username. You need the password, and then you need you'd need to also, have the 2 factor authentication. You know? So there's multiple layers.
Speaker 1:I I like to tell my clients and my employees that if security isn't a giant pain in your ass, it's not being done right. And it sucks, but I'm just telling you, if it is not a pain in your ass, then you you are about to have some problems. So Yeah. Deal with a small problem now of the 2FA where, you know, multifactor authentication you just mentioned and various other things that we have to do, hoops we have to jump through. But we we always wanna be in compliance with the best best practices.
Speaker 1:Right? So what else do we have, Brian, as far as the the the reasons to how this happened?
Speaker 2:Well, we don't have anything else. We can the only thing we can do now is just, you know, go through likely scenarios. So I'll go through a couple of them, and then maybe you guys can, you know, jump in with your some of your knowledge. Likely, could be, maybe, social engineering. Maybe they they reached out to somebody, at the hospital, who is in the service department, and we don't know.
Speaker 2:They may have just known an employee at the place and and were able to hack their password. Maybe they saved the password on some website somewhere. You know, 2 very likely scenarios. Email, maybe.
Speaker 3:Yeah. And, we were talking about this earlier. Like, I know I visited, you know, relatives that were in the hospital and were sitting there in, next to their bed, and the nurse comes in to look up something in their charter, give them medicine, and they log into the computer, at least hospitals by me, there's a computer in every room. And they they have in in the system where it would automatically lock them out after, say, 5 minutes, if they if they're idle. But I've seen that, you know, I saw with my own eyes, the nurse will come in, log in, do whatever she needs to do, and then she just walked away, and left the computer unguarded for, you know, the before it locked.
Speaker 3:Now, obviously, I wouldn't do something like that, but, you know, somebody is malicious and or knows something, you know, maybe there's a award, you know, or reward for, you know, doing this. They could've put in a USB key into that computer and gave the hackers access right there.
Speaker 1:Yeah. And I'll I'll pivot on well, I'm gonna, go off of that and say that one of the best things, one of the most important things that we can do in the world of security is educate our users. Because no matter what we put into place in the technology, all it takes is one selling mistake like that to undo everything.
Speaker 2:Doesn't have to be malicious either. They could be hoops and didn't realize it.
Speaker 1:Right. So that that ongoing education is is critical. It's boring as hell. Nobody wants to do it. Nobody has time for it.
Speaker 1:But we also don't have time for these massive breaches either. Right? So We
Speaker 2:have time to do it once, but not twice.
Speaker 1:Yeah. Or I've heard it said, there's never time to do it right, but always time to do it over. You know? So Yeah. Take a minute and educate your people.
Speaker 1:And and then culture is another thing that I like to talk about is, if we we have to not just force security on people, but reward them for it. You know, find a way to make this something that is, there's there's a carrot versus a stick. Use a stick if you have to, but, find ways to to reward, to acknowledge, hey. I don't care. Give them a Starbucks gift card every time they say, hey.
Speaker 1:I saw this little, thing that could be a problem. But find a way to get that information from the front line up to the ones who are making the decisions so that they have more information to work with. What else do we have as far as I mean, we kinda went over likely scenarios. Is there anything else that you guys wanna talk about there?
Speaker 2:I think we've covered most
Speaker 1:of them.
Speaker 3:Just you, you know, mistakes happen. You know, people it could have been just a clicking in the email. It happens, you know? And, you know, it could it could have been somebody that they know that got breached and, you know, the email looks like it's from a legitimate source. Then, you know, click you know, they click on something.
Speaker 3:It could have been, you know, somebody in the HR department that, you know, received an email, like, please see my attached, you know, termination papers or something. If they click on it, you know, because they look legitimate, it's and the important thing is to have the tools in place in case somebody actually does do a miss make a mistake. Like you don't want to take down an entire infrastructure with one click. So if somebody does accidentally click, you want to have it, have those security tools thereafter that can stop it. You know, like, you know, lock down the computer, have, you know, a security operation center monitoring and shut down that system or isolate it.
Speaker 3:It, you know, you can't, you know, educating is is the first step. You're 90% there if you if you educate your employees. But, you know, the other 10% is what happens if this if they do click or they do whatever. So it it's, there's multiple layers. And we we tell our customers all the time.
Speaker 3:We don't we don't take security. We don't just put one tool in place. We stack them up. It's an entire security stack. This happens, then what's the next level?
Speaker 3:What's the next level? What's the next level? Last resort is to restore from backup.
Speaker 1:Well, on top of that, Mario, is so number 1, you're right. It's multilayered. We have to hit this from from multiple angles. And number 2, the approach changes all the time. My my security stack today, my toolset today is completely different than it was a few years ago.
Speaker 1:You know, and it might change on a quarterly basis. It sure changes on an annual basis. And so, you know, back to my point that this is not a DIY, a do it yourself scenario. If you're not living in this world, you're you're you just got you're asking for problems. And my my personal reason for doing this podcast is to keep me sharp.
Speaker 1:So I wanna go out. I want to have, you know, on my calendar, I've gotta go out, and I've gotta dig into a breach, and I've gotta look at it. I'm gonna try to figure out what happened. I've gotta try to figure out what could've done a bit, and I've gotta try to figure out how to fix my own shit, by the way, so that I'm not the one somebody else is breaking down on their podcast. Right?
Speaker 2:Right. Right.
Speaker 1:If people are gonna pay me to protect them, damn, I wanna make sure I'm on my game. And so I'm I'm gonna pivot now. We're gonna we're gonna wrap this up, And I'm gonna say, like, the number one thing that this hospital could have done, in my opinion, or that anybody could do that myself included does do is getting another set of eyes on the security measures. So, I live and breathe this every day. I lose sleep over it every single night.
Speaker 1:I do this podcast with you guys every single week. I've got, you know, emails coming in with articles. I'm reading. I'm studying. I'm learning.
Speaker 1:I'm always here, and I still am not convinced I know what I'm doing. Right? So I still want somebody else to come in and audit my work and point out my my flaws. And that's that's our offer for everybody listening today is, you know, the the company we all coincidentally do use, a third party to review our own work. Right?
Speaker 1:And I believe we all have the I yeah. Because we said this last week. We all have the ability to do that for our clients as well. So, that that is the standing offer. It is limited.
Speaker 1:You know, it takes time. It takes resources. So we don't have these available to everybody. 1st come, 1st serve, or at least get in line, but reach out to us, and we can put not just our eyes on your network and your security, but we actually get our eyes plus this 3rd party review company that we use to to back us up as we're backing you up. The the worst thing you can do is not know where your blind spots are.
Speaker 3:Yep.
Speaker 1:Any final thoughts on that, guys? We took the words out of my mouth.
Speaker 3:No. I I completely agree. And, you know, we we we've known each other for a while. We meet each other. You know, we we're meeting on a weekly basis, and we're always bouncing, you know, ideas and tools off each other and mentioning different things.
Speaker 3:So we're constantly learning and adding and learning from each other as well. Right.
Speaker 2:Ironically, so are the criminals. I'm sure they're getting together once a week and, you know, figuring out how to improve their business, quote, unquote. Absolutely. Right? Yeah.
Speaker 1:Yeah. Yeah. No. They're they're they're planned for keeps. This isn't a game to them.
Speaker 1:You know? This is their business. It's their livelihood, and it's it's disgusting. But it is what they do. And we've gotta do better.
Speaker 1:You know?
Speaker 3:Yeah. And and these guys these guys are not just, like, they're they're not just criminals. They're they're terrorists when they're doing stuff like this, for for, you know, ill patients, people that are could be possibly under deathbed. They're not just trying to make a couple quick bucks. They're murderers, in in my opinion.
Speaker 1:A 100%. Yeah. Absolutely. But criminals are. Right?
Speaker 1:Maybe the whole correctional system. That's a funny term. Sorry. Full of these people who, do intentionally harm to get gang. Right?
Speaker 1:And that's that is what we're doing. We are, I did not go to, it's not called law enforcement school, but a criminal justice. I don't have a degree in criminal justice. I did not get into technology because I thought I wanted to fight crime, but here we are.
Speaker 2:But here we are.
Speaker 1:You know? Yep. Yeah. So so guys, take us up on the offer. It it it can't hurt.
Speaker 1:Just get get somebody else's eyes on your system. We are, at the moment, giving these away for free. At some point, that dries up, and we do have to start charging for them. That's first come, first serve. So, best way to contact us, you can go to unhacked dot live.
Speaker 1:That website will put all of our contact information on there. But just so it's here on the recording, Mario then Brian, then then I'll go. Let's wrap up with our contact
Speaker 3:Yeah. So, Mario Zaki with mastech.com, or you can reach us at 973-272-2324.
Speaker 2:Brian Lashkar with B4 Networks. That's letter b, the number 4, networks with an s dot c a. And you can call us at 905-346-4966.
Speaker 1:Alright. And I'm Justin Shelly. And like I said, my company is Change in Master Computing, but soon to be Phoenix IT Advisors. Just put a dotcom on either one of those and you'll find me. Thanks for joining us.
Speaker 1:Audience, Mario, Brian, always a pleasure. Look forward to a repeat next week. Take care, guys. Thank you, guys.
Speaker 3:Bye, everybody.