ransomware, vulnerability, interesting, called, talking, james, happening, thought, security, hackers, business, cybersecurity, sim, attack, factor authentication, log, day, code, home, crash
Damon Pistulka, James Grandoff
Damon Pistulka 00:11
All right, everyone. Thanks again for stopping by the face of the business, hey, I’m just dropping dry real quick today because my guest James grand off, had a little delay there, he had a board meeting that’s running over. So he couldn’t join us today. But I thought I’d jump on just for a minute and highlight a few things that I thought were pretty interesting this week, you know that if you missed it earlier this week, I got to talk to Andrew Deutsch. And man, if you have not talked to him about sales, and AI, and what he thinks is going on there. That was that was really an interesting discussion. And he, he just knows what the heck he’s talking about.
But I think there are some things that are going to be really interesting in that too, as we were talking this morning, that it’s going to come back to people are going to have to old school connect with connect with their customers are going to have to draw them on with actual content, not just stuff that’s going to try to get them to convert. So I think it’s going to be pretty fun.
And interesting as it is. If you didn’t see it earlier this week, or this week, or last week or recently, Google announced they’re going to phase out cookies. I mean, this is this is stuff that people are in digital advertising. And if you’re if you’re spending significant amounts of money on on advertising, Google pay per click this, this stuff between that and the the apples privacy changes. If your people aren’t talking about this aren’t figuring out what you’re going to do. And you’re spending significant amounts ad money, you may want to ask them what’s going on, because your life could change significantly here in the coming months.
Yeah, there’s a couple things that were pretty interesting. And I see that I was I was killed at time, but it’s good stuff here. I see James is coming on. So we’re gonna bring him on in just a moment. But if there’s any questions, let me know where you’re coming. Watching from if you’re on here on LinkedIn, and we’ll definitely do that. And I’m gonna get James here up on the stage. I don’t know if James is going to be able to use a camera or not, but we’ll get started there. And I’m going to bring him on. Are you there, James?
James Grandoff 03:00
Yeah, what’s up, man?
Damon Pistulka 03:01
All right. Good, good. Well, we’re on live now. I started it we got I was gonna start and talk to people. So how are you today?
James Grandoff 03:12
I’m tired. I’m tired. I’ve been up since five in the morning.
Damon Pistulka 03:15
Oh, yeah. Yeah, there you go. There you go. So so I’m glad I know. You just had a long board meeting and sorry. Sorry, to you know, kind of didn’t work out good today. But if we can get a few minutes, that’d be kind of cool. Yeah, yeah, of course, man. All right. Good. Good. Well, James, you know, it’s interesting. The last time we did this, you you we were gonna have this a while back and you got attacked by hackers. Yeah, that’s, that’s interesting. When you when you when you you’re in the cybersecurity business, and you’re getting attacked yourself, you must be doing something, right.
James Grandoff 03:51
Yeah, yeah. Yeah, exactly. As you start to make noise out there, you become a target of interest.
Damon Pistulka 03:56
Yeah. Well, that’s, that’s cool. So now, when we talk, you know, you had mentioned something and if people people know anything about you, or your company’s zero security, or their you do offensive cyber security, and that’s what really interests me, because I’ve never understood. I didn’t I don’t really understand that. So can you explain what that is a little bit.
James Grandoff 04:20
So essentially, to me, offensive security is a culture of its own. So, you know, this is where we write our own tools. This is where we have our own sub communities where essentially, we dedicate ourselves to writing what we call VS code or malware samples.
And so this actually helps out a lot of companies because what they do is they then, you know, want to hire us because we have a set of proprietary tools that, you know, other people don’t necessarily have. And so being from this culture gives us you know, access to resources that, you know, normal normal companies can’t have, which, in lieu, you know, makes us have those penetration tests which really give value to the clients.
Damon Pistulka 05:01
Okay, so so what you’re talking about is you’re trying to expose vulnerabilities in clients by essentially, in a good way attack them.
James Grandoff 05:14
Exactly, exactly. We have dedicated research teams that actually are part are partitioned off into their own kind of niche areas. So we have an iOS team, Android team, network, appliance team, you know, server team, all the above.
Damon Pistulka 05:30
Yeah. Yeah. So now let’s back up a little bit. James, you I mean, you’re, you’ve got a lot of experiences, and security and cyber security. And there’s a couple interesting things that we’ll talk about a bit. But But you started out on this at a very young age.
James Grandoff 05:48
Yeah, yeah. So it all started, when I was about seven or eight years old, I was playing World of Warcraft. This was a game that, you know, my dad, my sister, you know, everyone was involved in. And so we used to utilize something called Vin trio servers.
And so my exposure first exposure was, you know, I saw the movie hackers. And immediately, you know, I wanted to learn as much as I can. And so that actually drove me to write my first bot, which actually rated a ven trio server for a guild that I was in, because they wouldn’t let me raid because I was under age. Now, this whole rule about 18 plus after 8pm, or something like that. So, you know, I wanted to go against that and kind of show them who’s boss. So that was kind of
Damon Pistulka 06:31
That’s incredible. That’s incredible. So So when were you first, I mean, so you’re talking seven or eight. And you’re right in this spot to do this. So when were you first employed, I mean, to, you know, buy somebody to help with their cybersecurity.
James Grandoff 06:48
So I first got my, my, my learning hand from David Casa Blanca, actually, he. So at the time, I had a lot of a lot of problem finding work, because I didn’t have a lot of the certifications, you know, I hands on experience, etc. So what I did was I contacted him, and he actually helped me out tremendously. And, you know, gave me little intern jobs, let me tag along.
And so a lot of of the, a lot, a lot of my time when I was younger, was spent literally doing intern stuff, essentially just, you know, being that side person to help out wherever I can. But at the same time, you know, I would have multiple tabs open learning everything, essentially, that he’s doing. So then I could then assume that that same position.
Damon Pistulka 07:33
Yeah. Yeah. Very cool. Very cool. So now there’s, there’s when, when we were on a panel A while ago, on our Thursday Roundtable, where you and some other people were talking about things there. And one of the things that came up that was really interesting, and this is general question for the, the more for the personal people, not so much business, but you as a cyber security person. I mean, I’ve always wanted to know how much of our data is really even safe at all.
None of it. None of it.
Damon Pistulka 08:09
That’s what I thought because you were you were you’re explaining some situation where someone could, you know, overtake your sim in your phone and stuff like this. And I just started thinking about that. And, and it was a question that is often often crossed my mind. So what do you think in the last couple of years has really been able to help people with with personal security? Is there anything that that you see that’s going to be able to change us are we pretty much screwed, the lack of a better term, whether
James Grandoff 08:42
you can do certain things to help yourself, I mean, usually, when people try to attack you, they have some form of database already. So I always try to tell people to use different aliases. So you know, don’t always have stuff in your name, if you don’t have. And another thing, too, is always have have multi factor authentication. I mean, that’s probably the biggest thing no matter what it is. I mean, the main goal is you’re essentially giving yourself tiers of security. And, you know, obviously, if somebody wants to get you in there skilled enough, they’re going to get you but if you at least, you know, have that that basic security hygiene, then you’re going to be fairly well protected.
Damon Pistulka 09:14
Okay. So so we’re, we’re there, if they really want you, they’re going to get you but for, for the everyday hacker we’re using, using good basic practices will knock down a portion of those people anyway, at least.
James Grandoff 09:28
Exactly. Good. Good.
Damon Pistulka 09:30
So what do you think is most exciting for you right now, in cybersecurity?
James Grandoff 09:37
Um, for me, obviously, it’s zero day hunting, um, because in my opinion, that’s kind of the forefront of offensive security is, you know, you’re essentially out there debugging, reverse engineering, you know, you’re going over crash logs, and, you know, that’s essentially the forefront where, you know, most of the attacks occurs through zero days. And so that’s honestly to me been the best As part of cybersecurity or offensive security domain,
Damon Pistulka 10:03
yeah, so now you’re talking to somebody that doesn’t know what zero day hunting is. So what’s that?
James Grandoff 10:07
So zero day hunting is essentially where you take a application or operating system. And what you’ll do is you’ll try to make it crash, they’ll try to break it. And so what happens when you break it is you’ll get some kind of log, and then from that log, you’ll then analyze it and try to create what’s called a proof of concept code, which that proof of concept code will trigger that bug and then cause something to happen. So usually, something that happens is a crash, which most people are used to.
So you know, for instance, if you have, you know, Internet Explorer up, and you get that that little bar where it says it stopped working. Yeah, that’s what’s called a userland crash. And whenever your system fully stops, you get that blue screen of death. That’s called a kernel stop.
Damon Pistulka 10:52
Yep. So you’re trying to you’re trying to see how you can make that happen in different applications.
James Grandoff 10:58
Exactly. When there’s multiple ways of doing it.
Damon Pistulka 11:00
Yeah. So yeah. Is that is that a vulnerability that that hackers exploit as they try to get into indoor stuff?
James Grandoff 11:10
Yeah, yeah. So they’ll, they’ll take that zero day, and they’ll chain it into an exploit. So that’s where you have different stages of exploits. So usually, it starts with some kind of remote code execution, or some kind of zero day, that’s remote code execution. And then they’ll download what’s called a stager onto the system, and then further infect.
Damon Pistulka 11:27
Wow. Wow. Um, yeah. So the Oh, and I forget the name of it. As soon as I was thinking about the the big hack the sun something hack here that happened in the government. Now, how ugly was that, really?
James Grandoff 11:45
It was really ugly. But I think that they, they kind of over exaggerated on the amount of people that it took to conduct this, this attack, you know, they’re claiming 1000 people, but honestly, a sophistic, a sophisticated Team 10 people could have done this super easily.
Damon Pistulka 12:02
Yeah. Can you explain? I mean, because this is, this is something I had it wasn’t allowed to to be in the systems for quite a while, or is that how it propagated as far as it did? or How was that really able to do what I did?
James Grandoff 12:18
Yeah, so what they did is they funded an initial vulnerability. And then from there, they essentially Did, did internal pivoting. So they they went around different areas, different Active Directory structures, and then they found, you know, essentially their clients. And then from there, all they got exfiltrated.
Damon Pistulka 12:34
Huh, huh, this, it’s so it’s interesting how, how this happens, you know, and in today’s world, we, one of the industries that I work a lot with is manufacturing. And it’s, it’s interesting. Now, these, these ransomware errs are really becoming quite widespread with some of these people where, you know, they’re getting hit with ransomware.
And they really have no choice, you know, in some instances, but to pay it, and it’s, you know, that’s just one form of how this stuff is happening. And on a on a more common scale. But what do you see are some of the, the more expensive, for lack of a better term kind of things that are happening to people beyond something like happened at the government level there.
James Grandoff 13:23
So in general, I think it’s ransomware, the the CIS community or Commonwealth of Independent States is so so tightly bound that they essentially all work together. And we’ve we’ve seen this in the past where all the government can really do is throw indictments, but these people are making millions and millions and millions of dollars.
And, you know, on second thought, as well, the same thing with with sim swapping attacks, that’s also something that’s very, very expensive as well, because we’ve seen attacks where people steal 300 million 500 million, and it’s gone from thin air, you know, though, they’ll tumble the money, though, they’ll clean it, and then that’s it, it’s gone. It’s not they’re not able to trace it.
Damon Pistulka 14:03
So Sim, explain. I understand the ransomware. But explain the SIM, the sim swapping.
James Grandoff 14:10
Yeah, yeah. So essentially, what happens is a hacking group or hacking collective will get some kind of database, for instance, by Nance, right, a very big exchange. And so what they’ll get is username, phone number, account balance, and, and sometimes passwords or hash IDs. And so what they’ll do is and they’ll launch campaigns on, you know, mobile stores to mobile, at&t or to, you know, if you’re in the UK, wherever, and they’ll try to infect the employee system. And so by doing that, they’re then able to access all the employee tools.
So while they’re able to access that they can essentially port your port your phone number over to another phone and essentially assume your your number your text messages and everything. And now typically for a lot of exchanges, they do multi factor authentication through SMS, or something like authy. And so essentially, these attackers are then able to take over your multi factor or they’re able to use the SMS, then log into your account, and then they drain it.
Damon Pistulka 15:13
Yeah. Wow. Wow. And that’s that, that, to that that’s not just a straight step to do that. I mean, they really had to think to get around and figure out that if I can get ahold of the phones, by going through the employees, to change the phones, for those people that they have the information out, I mean, that that takes a we just get from from point A to point B there to get the money in your hands is a hell of a thought process.
James Grandoff 15:40
Exactly. And what’s very interesting is if you look online, as well, most of these tasks are conducted by 15 1619 year olds. And so, you know, that’s essentially what they do all day. You know, they, they they sit at home, you know, the parents don’t really know what’s going on, or they don’t care. And, you know, they’re just, they’re just collecting and cashing out, essentially.
Damon Pistulka 16:00
Hmm. Yeah. Yeah. Interesting. Interesting. So what do you think’s? So when we go back to business and ransomware? What do you see anything interesting that that people are doing that’s starting to whack these people that are doing the ransomware.
James Grandoff 16:17
So there is one person that I that I know, Dennis Underwood, cyber crucible, he has some really interesting software, that that does some form of key sniffing and process injection for ransomware. And so that’s been the only prominent solution that I’ve seen.
The rest of them. I mean, they’re, they’re getting around them left and right. You know, I’ve heard multiple stories where, you know, these, these hackers from the CIS will literally call the company, and, you know, they’ll, they’ll just make fun of their software, you know, they’ll tell them exactly how it works, how they bypass their protection, and all the obfuscation and have essentially what it is is rewritten source code of their product.
Damon Pistulka 16:58
Yeah. Wow. Wow, that’s, that’s scary. So these, the, you know, in the business community, people really need to be careful about this. And I’m assuming, as you know, the COVID hit last year, and we had this mass exodus of people going out into their homes to work and things like that. I bet that that even increase the vulnerability.
James Grandoff 17:19
Yeah, yeah, a lot of people lost their jobs. And so I think that entice them to essentially go online, start joining these communities. Because you know, being stuck at home, what else are you gonna do other than read a book and go on your computer? You know, it’s kind of the only place we have to go, essentially.
Damon Pistulka 17:34
Yeah. Well, and I also think two of the people that that went from working to offers to remote working to, you know, you don’t know that their systems at home are set up for it, or secure, you know, so you take your laptop out of the office, who’s who’s connected to a secured connection, you go home, and you know, you’re on your wireless, and you don’t know how secure that is?
James Grandoff 17:56
Yeah, exactly. Exactly. And people being able to very big target, especially at their homes, because, you know, now they can just simply take your VPN config, and then log into your company network. Yeah.
Damon Pistulka 18:08
Yeah. Yeah, it’s interesting. Yeah, my wife for years were to, you know, as always work remotely. And that was, that was one of the things I always wondered about is how secure that really is, as you move around, and, and even like, so many people, even just that they connect their computers into the, you know, the Wi Fi, wherever the hell they’re at, without thinking about it.
And they do that, not only for personal, but they do it for business. I mean, personal. Yeah, I mean, I hurt you too bad. But for business, that’s always been a scary thought to me too, as well. But what else is happening in your life in cybersecurity, that’s been interesting for you.
James Grandoff 18:49
So as for right now, I’ve been mainly focusing on my company and growth that’s taken up pretty much the majority of my life everyday has been, you know, meetings and meetings. Something interesting that we still do is also vulnerability acquisitions. So we buy zero days from researchers. So that, to me has been kind of the most interesting part of my life recently. You know, I get to learn a lot from it.
Because, you know, we also get to see the proof of concept code and verify it. So, inherently, we get to learn a lot from just seeing that code. So it’s been really interesting to dive deep into different kinds of vulnerabilities within, you know, things like iOS, Android network, appliances, Windows Server, etc.
Damon Pistulka 19:28
Yeah, I bet. I bet because that’s it, you’re kind of on the forefront of keeping their stuff working. Right.
James Grandoff 19:35
Damon Pistulka 19:37
Yeah. That’s really cool. So if there is one thing you could tell other than two factor authentication, I got that down. For the people that are listening today. That’d be one thing I could do. But if they’re in their business, what is what is the one thing they could do that could help them? You think more than anything,
James Grandoff 19:56
use virtual machines and take snapshots. That’s the most efficient thing even with my work system, everything I do is snapshotted just for security purposes, because if something happens like a ransomware, then you know, I can immediately just jump back. And you know, it’s taken care of. Wow.
Damon Pistulka 20:13
I’ve never even heard of the snapshots before, but the virtual machines that have so virtual machines and snapshots, that’s awesome, man. Well, good, good. Well, James, I appreciate you coming on and talking about this. Because like I said, I had never heard of the offensive cybersecurity like you’re doing and or the zero day stuff, but they, you know, in the fact that you’re writing code to try to help people build better applications and software. It’s really cool. It’s really cool. So if people want to get a hold of you, Jason, or James, sorry, I was just looking at someone else’s name, James. What’s the best way to do that?
James Grandoff 20:53
Either through email, J grand off at zero dash sec. dotnet. Or just on LinkedIn.
Damon Pistulka 20:59
Yeah. All right. All right, James. Well, we will, we will get them there. And your stuff will be in that in the comments when we this goes out. But I appreciate you being here today, man. And we’re gonna we’re gonna sign out for now. So everyone, thanks for listening. Well, thanks for all the comments on LinkedIn. And if you want to talk to James, go ahead and reach out to him and, man, thank you so much. And yeah, it was a wealth of information in a very short time, and I appreciate it.
James Grandoff 21:27
Of course, brother, no worries. Okay, have a go and then we’ll talk soon. You bet. Thank
Damon Pistulka 21:30