• Ten are labeled critical

• Fifteen are high

• Twenty are medium

• The rest are low or informational

The report helpfully tells you to fix everything immediately.

This is where reality kicks in.

Most organizations cannot patch every vulnerability the moment it is discovered. Resources are finite. Systems cannot always be rebooted. Business operations still matter. In practice, this leads many teams to prioritize vulnerabilities strictly by severity. Critical first. Then high. Then medium.

That approach feels rational, but it often misses real risk.

So how do you actually prioritize?

The answer starts by moving beyond severity scores and focusing on real-world risk.

Start With Exposure

Vulnerability severity, including CVSS scores, provides a rough indicator. It does not tell the whole story.

A medium-severity vulnerability on an Internet-facing system is often more dangerous than a critical vulnerability buried inside a segmented lab environment.

Start triage by looking at exposure.

Internet-facing systems

If a system is reachable from the Internet, it should always be near the top of the list. Public exposure means attacker exposure.

Internal systems with broad access

Shared file servers, identity systems, and intranet applications. If many users can access it, it can quickly become a launchpad for lateral movement.

Systems with sensitive data

Even with limited exposure, the impact of compromise can be severe. Think HR systems, financial platforms, R&D environments, or regulated data stores.

Exposure often matters more than severity.

Use the KEV List. It’s There for a Reason

The Cybersecurity and Infrastructure Security Agency maintains the Known Exploited Vulnerabilities (KEV) catalog. This list identifies vulnerabilities that are actively being exploited in the wild.

If a vulnerability appears on the KEV list, it should be treated as urgent.

Patch it.

Mitigate it.

Isolate it.

Do not debate the CVSS score.

Adversaries do not rely on critical vulnerabilities alone. They exploit what is available, which is often what is left unpatched.

Attackers follow opportunity, not scoring systems.

Stop Thinking in Terms of Just CVSS

CVSS scores are theoretical. Attackers are not.

Many real-world intrusions begin with medium-severity vulnerabilities that are chained together. At the same time, some critical CVEs have never been exploited at all.

Instead of asking only “How severe is this?”, ask better questions:

• Is it being actively exploited?

• Is it exposed?

• What is the impact if it is compromised?

Risk lives at the intersection of exposure, exploitability, and impact.

A Practical Prioritization Model

Here is a simple structure that blends exposure, KEV status, and severity into something teams can actually act on.

In this model, sensitive data refers to vulnerabilities on systems that store or process sensitive information. Sensitive network segments refer to vulnerabilities on systems whose network position enables broader access or lateral movement.

Final Thoughts

Vulnerability management does not have to be overwhelming, but it does have to be intentional.

Focus on what actually matters:

• What is exposed?

• What is being exploited?

• What creates real risk to the business?

Patch with purpose.

Reduce noise.

And sleep better at night.

I will share more details on this approach in future posts. When I originally developed this model, I also built a set of simple prioritization calculators to help translate scanner output into actionable remediation tasks. The P1–P8 framework is a basic component of that work.

I will revisit those calculators, refine them, and share updated versions as part of a deeper series on practical vulnerability management. The goal is not more dashboards, but better decisions.

Stay tuned.

What most people don’t know is what surfaced after the heist. Reports revealed both physical and technology weaknesses at the Louvre. The museum’s director told French senators that the only camera near the point of entry was pointed west and didn’t capture the balcony itself. One report noted that across 465 galleries, only 432 CCTV cameras were installed in 2024, leaving 61 percent of galleries either unmonitored or only partially covered.

Investigations also found that parts of the museum’s video surveillance system were obsolete and protected by the password “Louvre.” The museum’s automation network included computers still running Windows 2000, which Microsoft stopped supporting in 2010. French cybersecurity audits dating back to 2014 had already warned the museum about weak passwords, unsupported software, and aging infrastructure.

Nothing indicates that these technology weaknesses played a direct role in the theft, but together they show a pattern many organizations will recognize, known issues, postponed upgrades, and slow progress toward modernization.

It’s a good time to learn from their mistakes. Especially when it comes to managing legacy technology inside an enterprise.

The Real Problem with Legacy Systems

Legacy systems don’t just exist in museums. They’re everywhere. The old file server no one wants to touch. The badge reader running on Windows XP. The cameras and lab devices that “still work fine.”

We all know why they linger:

1. They still work.

2. The vendor stopped supporting them.

3. They’re hard to isolate or replace.

4. They sit outside normal IT governance.

5. Audits identify them, but remediation gets deferred.

That’s how risk quietly becomes accepted and forgotten.

How to Fix the Problem

You can’t replace everything overnight, but you can manage legacy risk methodically. My approach is simple: Identify, Contain, Harden, Monitor, then Risk Register.

1. Identify

Inventory every system in your enterprise and identify those that are unsupported, unpatchable, or unmanaged. Label them clearly. If a device still uses a default password or runs on an outdated OS, treat it as critical. You can’t protect what you haven’t found.

2. Contain

Segment these systems on the network. Apply strict firewall rules that only allow necessary communication. Use a jump host or privileged-access tool for administration.

Even if your company hasn’t fully adopted Zero Trust, you can still apply some of its principles. Treat every device, user, and network as untrusted until verified. Apply least privilege and continuous validation.

3. Harden

Lock down what you can. Disable unused services. Remove default accounts. Turn off legacy protocols. Apply host firewalls and configuration baselines. A well-hardened legacy system is safer than a modern one left wide open.

4. Monitor

If a system can’t produce logs, monitor its network traffic. Watch authentication attempts, DNS lookups, and outbound connections. You can’t defend what you don’t see.

5. Risk Register: Retire, Replace, or Accept

Every unsupported system or unresolved vulnerability belongs on a formal risk register. Each entry should include a clear description, an assigned owner, a target timeline, and an executive signature confirming awareness and acceptance. Review the register quarterly with leadership. For each item, decide whether to retire it, replace it, or accept it.

This process identifies business risk and assigns ownership to those who can fix or fund the solution. It also documents which executives have accepted the residual risk on behalf of the business. Most importantly, it keeps those risks visible. Regular executive review turns quiet technical debt into an informed business decision.

If the Louvre had used a process like this, an entry reading “obsolete camera system – accepted risk since 2014” would have stood out long before the headlines did.

Building Toward Zero Trust

Even if your enterprise hasn’t officially adopted Zero Trust, you can start applying its core principles today. Zero Trust can seem abstract, but its fundamentals are simple.

• Verify everything: Never assume internal systems or networks are safe.

• Enforce least privilege: Users and systems should only access what they need.

• Assume breach: Design your network and access models as if compromise has already occurred.

Zero Trust doesn’t have to be an enterprise-wide initiative on day one. It can start with your legacy environments. The systems that can’t be patched or upgraded are the perfect place to prove the model works.

Summary

Legacy systems are not just old technology. They are known risks that have been allowed to remain. The solution isn’t always to replace them immediately. It’s to isolate them, harden them, monitor their behavior, and document the risk. When combined with executive ownership, this approach creates a defensible, transparent, and continuously improving security posture.

Executives understand business risk more than they understand patching cycles. A technical vulnerability becomes a business issue the moment it impacts operations or reputation.

In many organizations, the list of legacy systems is already known. The challenge isn’t discovery, it’s accountability. A formal risk register with executive signatures changes the conversation from “we know” to “we decided.” That single shift transforms a reactive security program into a proactive one.

The Louvre’s story is dramatic, but the problem isn’t unique. Learn from it before your own legacy systems make the news.

Venmo payments are public by default. Unless you adjust your privacy settings, your payment history is visible to others.

To make Venmo payments private, open the Venmo app, go to Settings → Privacy, set your Default Privacy Setting to Private, and change past transactions to private. It takes less than 60 seconds.

Most people never adjust the default visibility setting. As a result, their payment history becomes part of Venmo’s public social feed without them realizing it.

Imagine if your bank published a live feed showing who you paid, when, and why. It would feel absurd. Yet that’s essentially how Venmo works out of the box.

Sam paid Alex

🚗 Ride to the clinic 🏥

Pat paid Chris

🤨 questionable decisions 💸

It sounds ridiculous, but that’s exactly what Venmo works out of the box.

Quick Fix:

1. Open Venmo → Settings → Privacy

2. Set Default Privacy to Private

3. Tap Past Transactions → Change All to Private

How to Make Venmo Payments Private in 60 Seconds

Here’s how to lock down both your future and past Venmo activity:

1. Open the Venmo App

Make sure you’re logged in on your iPhone.

2. Tap the “Me” icon (lower right corner)

This opens your profile panel.

3. Select Settings (the gear in the upper right corner)

4. Tap Privacy

5. Set Your Default Privacy to “Private”

This will ensure that future payments are visible only to you and the recipient.

6. Change Past Transactions to Private

Scroll down and tap:

Past Transactions > Change All to Private

You’ll be prompted to confirm. Once you do, your entire payment history will be made private.

Double-Check Your Feed

To confirm your changes:

• Tap the “Me” tab in the app

• Scroll through your transactions

• Ensure none of your past payments show up with public visibility

What Does Venmo Share by Default?

If you’ve used Venmo, there’s a good chance that:

• You didn’t realize your payment history is publicly visible

• Your past payments are still viewable, even if you’ve changed your settings

• You can see your friends’ payments, and they can see yours

When you pay someone on Venmo, unless you’ve changed your privacy settings:

• The payment note and recipient are visible to the public

• The dollar amount is hidden, but context clues can reveal a lot

• Anyone using Venmo can browse the public feed and make inferences about your social habits, spending behavior, and connections

Journalists have used Venmo’s public feed to track high-profile individuals, including members of Congress.

This Isn’t Just a Quirky Social Feature. It’s a Privacy Problem.

Venmo’s default setting makes your payment history public, often without you even realizing it. While Venmo privacy settings can be changed in seconds, most users never adjust the default visibility setting.

Payment metadata tells a story.

Even if dollar amounts are hidden, transaction notes can reveal:

• Medical visits

• Travel plans

• Relationship details

• Social networks

• Spending patterns

In cybersecurity, we call this contextual exposure. Individually harmless data points can become powerful when aggregated.

Privacy is not paranoia. It’s basic hygiene.

Share This With Friends and Family

Next time you see a friend publicly paying someone, let them know their Venmo is wide open.

Better yet, send them this article.

Venmo doesn’t make this obvious, and most people have no idea their history is on display. A 60-second privacy fix can go a long way.

Every June, you'll see cybersecurity professionals, advocacy groups, and government agencies talking about National Internet Safety Month. But where did it come from? Who started it—and why June?

Let's rewind the clock.

Born from a Growing Concern

National Internet Safety Month was first recognized by the U.S. Senate in 2005 through Resolution 193. It was championed by organizations like the National Cyber Security Alliance (NCSA) and i-SAFE America, which were seeing an alarming rise in cyberbullying, online predators, and internet scams, especially targeting children and teens.

This was the MySpace era. YouTube was brand new. Facebook hadn't even opened to the public yet. But even then, policymakers saw the writing on the wall: the internet was becoming woven into daily life, and digital risks were growing just as fast.

The goal was simple: raise awareness, encourage safe online behavior, and equip families, educators, and individuals with practical tools to protect themselves.

Fast Forward to Today

Two decades later, the internet is everywhere. Our refrigerators have IP addresses. Kids grow up with smartphones. And cyberthreats? They're more advanced—and more personal—than ever.

What started as a safety campaign for kids has evolved into a national call for better digital hygiene across all ages. From phishing-resistant authentication and device patching to securing home routers and using password managers, the basics still matter.

And the risks? They've moved from chat rooms to cloud infrastructure, from stolen AIM passwords to ransomware hitting entire hospitals.

Why It Still Matters

National Internet Safety Month might not trend on TikTok. But it's a good reminder that online safety isn't a one-time setup, it's a habit.

Whether you're helping your kids recognize scams, checking your software updates, or segmenting your smart home network (yes, that's a thing), now is a great time to tighten up your digital defenses.

So while June may be officially Internet Safety Month in the U.S., the message is global—and timeless.

Stay safe out there. 🔐

It's Sunday morning. You're in your pajamas, scrolling through your phone, probably ignoring that software update notification that's been pestering you for weeks. Here's the thing: those 10 minutes you'd spend updating your phone could save you from becoming the star of next month's data breach headlines.

I know, I know, cybersecurity feels like homework. But you don't need to be a CISO or an IT wizard to protect yourself. You just need 10 minutes, a cup of coffee, and maybe the willingness to admit that "password123" isn't cutting it anymore.

Consider this your cybersecurity spring cleaning, except it's way less work than reorganizing that junk drawer.

☐ 1. Check for software updates (2 minutes)

Phones, laptops, tablets, that smart TV you bought three years ago, make sure everything's running the latest version. Updates don't just bring new features, they patch the security holes attackers love to exploit.

📱 iPhone or Android? Go to Settings > Software Update and make sure auto-updates are on.

💻 Windows/Mac? Update your OS and check your browser while you're at it. Yes, your smart toaster probably needs updating too. I know, I know, what has the world come to?

☐ 2. Enable Multi-Factor Authentication (MFA) (3 minutes)

If you're still logging in with just a password, you're one phishing email away from trouble. Even cybersecurity experts like Troy Hunt fall for sophisticated phishing attacks so we all need to be diligent!

Add MFA (text, app, or better yet, a security key) to your important accounts: email, banking, work, and cloud storage.

🔐 Start with 2fa.directory to find out which services support it.

☐ 3. Give your router some attention (2 minutes)

Your Wi-Fi router is the front door to your digital home. Here are the big three things that actually matter:

• Change the admin password (yes, from "admin/admin"!)

• Make sure WPA3 or WPA2 is enabled (not WEP…WEP is from the stone age)

• Update the firmware and enable automatic updates if possible (if not, remember to check this at least monthly or buy a new router that gets automatic updates)

Bonus points if you replace that ancient router that came free with your ISP in 2017. That thing has seen some stuff.

☐ 4. Scan your passwords (2 minutes)

Use a password manager like 1Password, Bitwarden, or Apple Keychain (great if you use all Apple products) to check for reused or breached passwords. If you're still using "password123" anywhere, we need to have a serious talk.

The password manager will do the heavy lifting—you just need to look at the scary red warnings and fix them.

☐ 5. Play "What's Connected to My Wi-Fi?" (1 minute)

Open up your Wi-Fi router's device list and see what's hanging out on your network. That mystery device might be your smart doorbell that you forgot you connected, or it could be your teenager's friend who guessed your Wi-Fi password. Either way, it’s worth investigating.

Don't recognize something? Time to change that Wi-Fi password.

☐ 6. Back up your files (Set it and forget it)

Ransomware's favorite victims are the ones without backups. Use a secure cloud service or an external hard drive. Just make sure external drives are disconnected when not in use, ransomware is sneaky and will encrypt your backups too if it has access.

If you're already backing up to the cloud, give yourself a pat on the back and move on.

☐ 7. Lock your phone's SIM (1 phone call)

Most people don't realize attackers can clone a SIM and steal SMS-based MFA codes. Call your carrier and add a PIN to your account. Yes, you have to talk to a human. Yes, it's worth it.

Reality Check: The Big Three

Look, if you only do three things from this list, make them: updates, MFA, and backups. Everything else is gravy, but these three will save your digital bacon when things go sideways.

What NOT to Panic About

While you're feeling motivated, don't go overboard. You don't need to:

• Buy a $500 enterprise firewall for your home

• Memorize 50-character passwords (that's what password managers are for)

• Unplug every smart device in your house (just keep them updated)

🚀 That's it. You're already more secure than 90% of people online.

Security doesn't have to be overwhelming. A few simple habits, done consistently, go a long way. It's like flossing, but for your digital life.

Send this to your team, your family, or your least-secure friend. (You know the one.)

And if you're feeling ambitious after crushing this list? Take a victory lap. You've just done more for your security than most people do all year.

Stay safe out there. 🔐

Tip of the Week: Set a calendar reminder to do this checkup quarterly. Future you will thank present you when you're not frantically trying to remember passwords during the next major data breach.

betweenthehacks.com

What if your next remote hire wasn’t a developer, but a North Korean spy?

No, it’s not a Netflix plot. It happened. And the story is wild.

👨‍💻 “Steven Smith,” Software Engineer (and Spy)

In October 2023, the hiring team at Kraken, a U.S.-based crypto exchange, received an application from someone named Steven Smith. On paper, he was a strong candidate, a Computer Science degree from NYU, 11+ years of experience, and stints at companies like Cisco. But something felt off.

🎃 Red Flags Everywhere

Nick Percoco, Chief Security Officer at Kraken, wasn’t ready to toss the application just yet. Sensing something deeper at play, he decided to move “Steven” forward in the hiring process—not to hire him, but to test him.

So they set up what looked like a casual cultural interview. In reality, it was a trap.

And “Steven” walked right into it.

Said he liked “food,” but couldn’t name a single favorite. (Suspicious behavior for a self-proclaimed foodie.)

Claimed to live in Houston, but when asked about local restaurants, he blanked.

Had no idea what Halloween was. A tough sell for someone supposedly living in the U.S.

And when asked for ID, he produced one… with an address hundreds of miles from where he said he lived.

You don’t need to be a detective to spot something wrong here. It sounded like a spy movie, and honestly, it kind of was.

💣 Why It Matters: The North Korean Threat

North Korean operatives have been posing as remote IT workers to infiltrate U.S. companies. Their goal? Fund the regime’s weapons programs and, if possible, steal from inside.

📊 The stats:

• Fortune reports, Thousands of North Korean IT workers have infiltrated the Fortune 500.

• CrowdStrike reported a North Korean IT workers group called Famous Chollima were behind more than 300 incidents last year.

• The Lazarus Group has pulled off some of the largest crypto heists in history.

Kraken may have dodged a bullet, but many others weren’t so lucky.

🎥 Watch the Interrogation

Want to see what this looked like in action? Here’s CBS coverage of the story and “Steven” being asked about his favorite restaurant:

🔍 Tips to Spot a Faked Identity in Remote Interviews

Here’s how you can tighten your interview process:

1. Location-Specific Questions

Ask about:

• Local holidays (like Halloween!)

• Favorite places to eat

• Regional slang or events

2. Ask for Real-Time ID Verification

• Use video to ask for government-issued ID.

• Compare the location on the ID to their resume and story.

• Watch body language. Stalling might be a red flag.

3. Behavioral Consistency

• Do answers match the resume?

• Do they sound rehearsed or copy/pasted?

• Ask open-ended questions to gauge authenticity.

4. Technical Checks

• Check social media accounts and compare LinkedIn profiles against the resume.

• Contact references and check their LinkedIn and social media accounts too.

• Check IP addresses if possible.

• Verify timezone activity in collaboration tools.

• Use background screening vendors that flag known fraud patterns.

🎯 What This Means for Hiring Teams

Kraken didn’t just dodge a bullet, they turned a threat into a teachable moment that we can all learn from.

🔐 Remote hiring isn’t going away. Neither are social engineering threats. In fact, they’re evolving. With AI-generated avatars and voice cloning tools becoming almost indistinguishable from real people, verifying identity in virtual interviews is only getting harder.

That means it’s time to rethink how we screen candidates, especially for remote roles with access to sensitive systems. Companies need stronger identity verification practices, not just background checks, but real-time, human-led vetting and technical testing.

Go Deeper

• North Korea Stole Your Job: Wired (More wild North Korean remote IT job stories)

• Read the fascinating book, The Lazarus Heist by Geoff White to learn more about the Lazarus Group

Big thanks to my buddy Chris Young, who casually mentioned this story and accidentally triggered a full blog post. Honestly, this one’s kind of your fault.

Want more stories like this?

Subscribe to Between The Hacks and follow us for more practical cybersecurity with a human twist.

Happy World Password Day! 🎉

Or… maybe “happy” is a stretch. Because the truth is, passwords are still the #1 reason most people get hacked, and most of us still kinda stink at them.

We reuse them.

We forget them.

We store them in Notes apps like it’s totally fine.

We know better. We just haven’t gotten better. Yet. So let’s change that today.

🔑 The State of Passwords (Still Not Great)

Despite all the breaches and all the warnings, bad password habits are still alive and well.

According to a recent analysis by Cybernews, people are still using gems like:

• 123456

• qwerty

• 111111

• and yes… password

Some of these have been cracked millions of times—and people are still using them.

But there’s hope.

More people are finally adopting password managers.

Multi-factor authentication is becoming the norm (not the exception).

And best of all—passkeys are finally giving us a way out of this mess.

✅ What You Should Do Today

If you do nothing else this Password Day, do one of these:

• Switch to a password manager (Bitwarden, 1Password, iCloud—just pick one)

• Turn on MFA for your most important accounts

• Delete any saved passwords hiding in your browser

• Set a calendar reminder to reset old, bad passwords, monthly.

• Try logging in with a passkey instead of a password

Need help with that last one?

Check out my blog on passkeys to see why they’re better in every way.

🔁 Want to Go Deeper?

Here are a few past Between the Hacks posts worth revisiting (or reading for the first time):

• 📝 World Password Day 2021 – A look back at bad habits and how to break them

• 🔐 Passwords Part 1 – Why password security still matters

• 🧠 Password Managers – How to pick one and why you should

• 🧬 Rainbow Tables – How your weak password can be cracked in seconds

• ✅ Why MFA Isn’t Optional Anymore – Seriously, just turn it on

• 🔑 Passkeys: The Future of Logins – The better, safer alternative to passwords

🔒 TLDR

Passwords are still around, but they don’t have to be painful.

Use a password manager.

Turn on MFA.

Try a passkey.

And please—retire iloveyou123 already.

Laptops are our mobile command centers. They carry our work, our memories, and sometimes even our deepest secrets (looking at you, 10-year-old folder named “Taxes”). If you lose one, or worse, if someone gets into it, it’s more than inconvenient. It’s a digital disaster.

Here are 10 simple ways to secure your laptop physically, digitally, and privately.

🔒 Physical Security

1. Use a Kensington Cable Lock

It’s old-school, but it works. Especially in coffee shops, coworking spaces, and conferences. Lock it or lose it.

2. Keep It Out of Sight

Leaving your laptop in a car? Lock it in the trunk. Use a cable lock there too if you can. Smash-and-grabs are still a thing.

💻 Digital Security

3. Encrypt Your Drive

Whether you’re using BitLocker (Windows) or FileVault (macOS), encryption ensures your data is unreadable if your laptop is stolen.

4. Set a Strong Password

Yes, you still need one, even with biometrics. Use a long, unique password and avoid reusing it across accounts.

5. Back Up Your Data

Cloud, external drive, or both. Backups protect you from ransomware, hardware failure, and accidental “whoops” moments. Check out this Between The Hacks blog for tips about backing up your system.

6. Keep Your Software Updated

That update you keep postponing? It probably includes security patches. Update your OS and apps regularly.

🕵️‍♂️ Privacy

7. Add a Privacy Screen

Prevent shoulder-surfers from reading your screen on planes, in cafes, or in open offices.

8. Use a VPN on Public Wi-Fi

Coffee shops and airport Wi-Fi are not your friends. A VPN encrypts your internet traffic and helps protect sensitive info from snoopers. Pro tip: using your mobile phone as a hotspot is even safer.

9. Cover Your Webcam

Cheap fix. Creepy problem. Use a slide cover or a piece of tape, just make sure it’s not the translucent logo sticker from your last conference.

🔟 Enable Device Tracking

Most operating systems offer tools to locate, lock, or wipe your laptop if it’s lost or stolen. Turn it on!

Laptops are expensive. Your data is priceless. Take a few minutes to lock things down, you’ll thank yourself later.

I was at a taco place recently, the kind with metal chairs, a chalkboard menu, and indie music playing just a little too loud. Instead of physical menus, they had a paper sign taped to the table with a QR code that said, “Scan me for magic.”

And because I’m a functioning adult with questionable curiosity and a decent data plan, I scanned it.

Thankfully, it went to the menu.

But it got me thinking.

I have a car wash subscription at one of those self-serve places. No employees, no kiosk. Just a high-powered wand, a set of dials, and a QR code on the wall. To activate the wash, I open their app on my phone and scan the code. That’s it. The system turns on instantly.

But what if someone tampered with that code?

What if a threat actor placed a rogue QR code over the real one? Not to start the wash, but to trigger malware or a spoofed login page? Just like that, what felt like a simple scan becomes a security breach.

Welcome to the world of quishing, where convenience meets compromise and attackers count on you not thinking twice.

🤔 What is Quishing?

“Quishing” is short for QR code phishing. It’s a terrible name for a terrible tactic, like putting a sticker over a traffic sign and hoping someone drives into a ditch.

But instead of a misleading road sign, it’s a QR code. Instead of clicking a suspicious link in an email or text, you’re scanning it with your phone, often without thinking twice. And that scan could lead to a spoofed login page, a malware download, or a website designed to steal your credentials.

QR codes are everywhere now: restaurant tables, parking meters, flyers, job postings, taped-up posters on telephone poles, even car washes. That ubiquity makes them the perfect tool for cybercriminals who count on one thing, your curiosity.

📲 How Quishing Works

Here’s how it usually plays out:

• The Setup – The attacker creates a malicious URL that leads to a phishing page or file download.

• The QR Code – They embed that URL in a QR code, then print it on a flyer, slap it on a sticker, or drop it into an email.

• The Bait – The QR code promises something useful or urgent: “Parking info,” “Free Wi-Fi,” “Claim your gift card,” “Secure your account.”

• The Trap – You scan it, tap the link, and you’re redirected to a fake site or unknowingly install malware.

A particularly clever threat actor might tape their malicious QR code over a legitimate one, like the “free drink” coupon at a conference booth, and redirect you to a perfectly spoofed Microsoft 365 login page designed to steal your credentials the moment you sign in.

🧠 Why QR Codes Are the New Short URLs

Although QR codes have been around for years, their use exploded during the COVID-19 pandemic. They became the go-to solution for contactless menus, payments, and check-ins. In many ways, a QR code is just a modern version of a shortened URL — like bit.ly or tinyurl. You can’t see where it leads until you click… or in this case, scan.

Fun fact: we covered the risks of shortened URLs all the way back in our very first blog post, The Anatomy of a Phishing Attack, published on December 5, 2012. More than a decade later, the delivery method may have changed, but the deception game is still going strong.

And that’s what makes QR codes dangerous.

They’re incredibly useful and convenient — but they’re also perfect tools for threat actors. By hiding malicious URLs behind QR codes, attackers can trick people into scanning codes that:

• Infect their devices with malware

• Redirect them to fake login pages to steal credentials

• Impersonate trusted sites like Gmail, Office 365, or mobile payment platforms

And because scanning QR codes has become second nature, it’s easy to fall into the trap.

Think of it as phishing 2.0 — slicker, quicker, and easier to disguise.

🎯 Who’s Falling for This?

Short answer? Everyone.

Quishing is the perfect storm: it feels modern, it’s frictionless, and we’ve all been trained to scan QR codes without thinking twice. It’s a dream for attackers and a nightmare for the rest of us.

Here’s who’s getting caught:

• Office workers scanning a parking validation code taped next to the elevator

• Conference attendees scanning for swag or Wi-Fi (those branded lanyards? Not helping)

• Restaurant diners just trying to order tacos, not realizing the QR code leads to a fake payment page

• Small business owners clicking QR codes in fake invoice emails

• Literally anyone who’s distracted, in a rush, or running on caffeine and vibes

You don’t have to be careless. You just have to be human.

📰 Real-World Examples

🚗 Fake Parking Meters

Attackers placed QR code stickers on parking meters in cities like Austin and San Antonio, redirecting people to fraudulent payment sites. Victims thought they were paying for parking — but they were actually paying a scammer.

🧾 Invoice Emails with QR Codes

Phishing emails are going QR-first too. Instead of a suspicious-looking link, they now include fake invoices with a message like:

“Scan this code to view your bill.”

You scan it, and bam — you’re on a perfectly forged Microsoft 365 or Google Workspace login page, ready to hand over your credentials.

🧑‍💼 QR Codes on Job Posters

Some attackers are slapping malicious QR codes on job flyers posted in public spaces. They look like legit hiring ads or application portals — but scanning them leads to phishing pages designed to harvest your resume, personal info, or login credentials.

🔒 How to Stay Safe (Without Boycotting Every QR Code)

Look, I’m not here to cancel QR codes. Some of them really do lead to tacos. But here’s how to scan smarter, not scared:

✅ Preview the URL

Most phone cameras (especially on iOS and Android) will show you the link before you open it. Take a second to actually read it.

If it says something like secure-google-login.yourinfo.badguy.biz — yeah, maybe don’t tap that.

✅ Don’t scan codes from strangers

That sticker on a parking meter? The flyer taped to a light pole? Probably not your best move.

✅ Be extra cautious with QR codes in emails

If an invoice email includes a QR code instead of a link, it’s already suspicious. Trust your gut.

✅ Look for HTTPS — but don’t rely on it alone

A padlock icon means the connection is encrypted, not that the site is trustworthy. Scammers can get HTTPS too.

✅ Use mobile security apps

Some mobile security tools can flag malicious links before they open. Think of it as backup for your eyeballs.

TL;DR

Quishing is just phishing with a glow-up.

It’s sneaky, simple, and surprisingly effective, but not unstoppable.

You don’t need to swear off QR codes forever.

You just need to scan smart, check the link, and never trust a piece of paper taped to a parking meter.

Want more tips like this? Subscribe to Between the Hacks

I decided to find out the hard way.

The Experiment: Restrict Everything, Then Allow What’s Needed

I have two popular smart thermostats in my home. A few years ago, as part of a personal project, I wanted to see if I could restrict their outbound network access—essentially, implement a basic form of Zero Trust.

Using my home firewall, I blocked all outbound Internet traffic from the thermostats. They immediately dropped offline in the mobile app and stopped reporting any data. So far, so good: obviously, they were cloud-dependent.

The Support Spiral Begins

Next, I contacted the vendor’s technical support to ask for a list of IPs or domains the thermostat needed in order to function properly.

Me: I’m trying to limit Internet access. Can you provide the IP addresses or domains the thermostat uses?

Support: Uh… just make sure ports 443 and 80 are open.

When I pushed for specifics, they eventually said:

“Just put it in the DMZ so it can talk to everything.”

That’s not Zero Trust—that’s zero security.

Turning to Packet Captures

I mirrored the thermostat’s traffic to a monitoring port and ran packet captures over a few days. Here’s what I found:

• NTP (network time) servers

• Cloud services—probably AWS or Azure

• Analytics and telemetry domains

• Push notification systems

I built an allow-list based on this traffic and updated my firewall rules. But things were still flaky: mobile commands failed, firmware updates didn’t apply, and the sensors would randomly desync.

What I Learned

This experience confirmed three things:

1. Vendors rarely provide visibility into their products’ network dependencies.

2. Packet analysis is tedious and fragile—it’s not something most users can (or should have to) do.

3. Device behavior is dynamic, especially with third-party cloud services. Today’s domain could change tomorrow.

The Bigger Problem

If I, a security professional, struggled to lock down two thermostats without breaking them, what chance does the average homeowner or small business have?

This is why I started working on a solution: the Network Bill of Materials (NetBOM). Think of it as a companion to the SBOM (Software Bill of Materials), but for network behavior. A NetBOM provides a structured, vendor-supplied list of the domains, IPs, and services a device needs to communicate with on the Internet.

With NetBOM, instead of doing manual captures or begging support for documentation, you just import a NetBOM file into your firewall or security gateway and the system automatically builds the right policies. In a pinch, you could do it manually, but at least you have the information you need to secure your network.

Final Thoughts

IoT security isn’t just a big-company problem. It’s everyone’s problem—from homeowners to hospitals to high-tech manufacturers. We all deserve transparency and control over the devices we rely on every day.

NetBOM is a step toward making that vision real.

Want to learn more? Check out the NetBOM white paper.

If you want more details about my attempt to lock down the thermostats, read this blog.

You know that feeling when your laptop freezes and you whisper a silent prayer to the tech gods?

Now imagine it wakes back up with a note that says:

“Nice files you got there. Shame if something happened to them.”

That, my friends, is ransomware.

It’s not new. It’s not subtle. And it’s not just your boss or your parents clicking on a shady link anymore (although let’s be honest… it’s still very much that). Ransomware has become one of the most profitable business models in cybercrime and one of the most frustrating threats for everyone from Fortune 500s to grandma’s cookie recipe collection.

Let’s break it down.

🤖 What Is Ransomware?

Ransomware is a type of malicious software that locks your files using encryption. Everything from your work documents to your vacation photos gets scrambled beyond recognition.

Then it hits you with a demand: Pay up or lose everything!

What if someone broke into your house while you were away, changed all the locks, and said you need to pay them in Bitcoin if you want all of your things and access to your house again?

That’s ransomware in a nutshell.

💼 How Does It Work?

There are a few common ways it spreads:

• Phishing emails – The classic “click this invoice” trap

• Drive-by downloads – You visit a compromised site and get infected silently

• Software vulnerabilities – Unpatched apps leave the door wide open

• RDP brute force attacks – Hackers guess weak remote desktop passwords

Once it gets in, ransomware encrypts your files and flashes a ransom note. Sometimes it also copies your data and threatens to publish it unless you pay. This is called double extortion and yes, it’s as gross as it sounds.

🎯 Who Gets Targeted?

Honestly? Everyone.

Purposeful targets:

• Hospitals and schools

• Local governments

• Law firms, media companies, manufacturing plants

• Infrastructure like pipelines and power companies

Accidental targets:

• A small business running Windows 7

• Your aunt’s yoga studio website

• That one guy in your fantasy football league who never updates his laptop

• Anyone caught in a broad phishing campaign

You don’t have to be important. You just have to be unprotected.

📰 Real-World Stories

Let’s start with a personal favorite.

🖨️ The Printer Invasion (2020)

In a ransomware attack straight out of a dark comedy, hackers used networked printers across multiple businesses to spit out physical ransom notes. Yes—actual paper. This story was so wild I covered it in a Between The Hacks blog post back in 2020. The ransom demand printed line by line in bold font on conference room printers, lobby printers, even cash register receipt printers. If it hadn’t been real, it would have been hilarious. (Well… it’s still hilarious.)

🚨 Colonial Pipeline (2021)

Shut down one of the largest fuel pipelines in the U.S. Panic buying and gas shortages followed. They paid over four million dollars.

🏥 Change Healthcare (2024)

Massive ransomware attack disrupted pharmacies and billing systems across the country. Ransom rumored to be over twenty-two million dollars.

🎰 MGM and Caesars (2023)

Hackers used social engineering to gain access. Caesars reportedly paid quietly. MGM didn’t but lost more than $100 million.

💣 NotPetya (2017)

Disguised as ransomware, NotPetya was actually a wiper—designed to destroy, not profit. It started in Ukraine but quickly spread globally, crippling major companies like Maersk, Merck, and FedEx. Damages exceeded ten billion dollars. There was no ransom to pay and no key to recover your data. Just chaos, outages, and a very expensive lesson in global cyber risk.

🛡️ How to Protect Yourself

Good news: you don’t need to be a cybersecurity expert to protect yourself. Most ransomware protection boils down to smart habits and digital hygiene.

✅ Back up your files

Use cloud backups or external drives that are not always connected. If you have clean backups, you can tell ransomware to take a hike.

✅ Keep your software updated

Yes, those annoying popups matter. Patches fix the vulnerabilities ransomware uses to get in.

✅ Don’t click on sketchy stuff

Emails with urgent attachments or links? Think twice. Call the person if it seems fishy.

✅ Use strong passwords and MFA

Especially for email and cloud accounts. Password managers help.

✅ Use security software

Even free antivirus can catch common threats.

✅ Be suspicious

If your “CEO” emails you asking for gift cards, maybe call them first.

🧠 TLDR

Ransomware isn’t going anywhere. It’s big business now. But that doesn’t mean you have to be an easy target. A few smart habits can go a long way.

And if nothing else, please back up your files. You do not want to be explaining to your spouse why you just paid two thousand dollars in crypto to get your wedding photos back.

Stay safe. Stay patched. Share this with someone who could use a little ransomware reality check.

If you’ve been visiting this blog for a while, you might have noticed a small but important change: we’ve switched our default domain from ckd3.com to betweenthehacks.com.

For years, ckd3.com served as the primary address for Between The Hacks. Alongside it, domains like betweenthehacks.com and bth.news redirected to the same content, but the browser’s address bar would always display ckd3.com. However, as of this past week, betweenthehacks.com is now our main domain. That means when you visit the site, you’ll see betweenthehacks.com in your address bar instead of ckd3.com.

Why the change? It’s simple: we wanted to better align the domain name with the blog’s branding and focus. “Between The Hacks” is how most people know the site, so making betweenthehacks.com our default domain just felt right.

What does this mean for you? For the most part, nothing should feel different. The same articles, resources, and updates are all still here. If you type ckd3.com, bth.news, or follow an old link, you’ll still end up on the correct site—just under the new domain. That said, we’re aware there may still be a few lingering links out there that don’t work as intended. If you come across any broken links, please let us know so we can fix them.

In the meantime, enjoy the same great content, now more directly connected to our name. Thanks for reading, and happy hacking!

A few days ago, I posted about Troy Hunt getting phished, a cautionary tale if there ever was one. If a cybersecurity expert like Troy, who created Have I Been Pwned, can fall for a phishing attack, then what chance do the rest of us have?

This is exactly why I’m excited about passkeys.

🔐 What Are Passkeys?

In plain English: passkeys are a passwordless way to sign in that’s both more secure and easier to use. They’re built on public key cryptography and replace your password with a unique key pair:

• The public key sits on the server.

• The private key stays securely on your device.

When you log in, the server sends a challenge that only your private key can answer. No shared secrets, no password to steal—just cryptographic magic that can’t be phished or guessed.

Passkeys replace passwords with a simple, secure authentication experience.

✨ How It Works in Real Life

Using a passkey feels as simple as Face ID, Touch ID, or your device PIN—but that’s just one way to authenticate.

You can also use passkeys stored in your password manager (like iCloud Keychain, 1Password, or Bitwarden), or even on a hardware security key like a YubiKey. Some platforms even let you approve login requests on one device (like your phone) for another (like your laptop). Either way, there’s no password to type, and nothing for an attacker to steal or phish.

Passkeys simplify the login experience while keeping your credentials secure.

📊 Why Passkeys Win

Let’s break it down:

Why passkeys win on every front: phishing-resistant, unique, and seamless.

📱 Real-World Usage

You’ve probably already seen passkeys in action. Companies like Google, Apple, PayPal, Amazon, and others have already rolled them out.

When you see the option to “Use a passkey,” take it. It’s not just easier—it’s far safer.

🛠️ What’s the Catch?

We’re still in a transition phase. Not every site supports passkeys yet, and enterprise adoption takes time. But it’s moving fast—and password managers are now helping bridge the gap by syncing passkeys across platforms.

Whether you’re on iOS, Android, macOS, or Windows, support is growing every day.

🔚 The Bottom Line

Troy Hunt’s phishing story is a reminder that even the best of us are vulnerable. But passkeys change the game. They remove the single weakest link in almost every breach and compromise we’ve seen over the past 20 years: the humble (and all-too-human) password.

It’s time we move on.

Try passkeys the next time you see the option. You might just feel the future of authentication in your fingertips.

For years, I’ve preached the value of network segmentation.

Break your network into zones. Isolate IoT devices. Limit lateral movement. The usual.

But recently, I had a breakthrough. One so simple, so obvious, I’m frankly embarrassed I didn’t think of it sooner.

I cut the Ethernet cable.

A Revolutionary New Approach to Cyber Hygiene

It started with my smart thermostat acting up again. I asked myself: Why does this thing even need to talk to the printer? Then it hit me:

If devices shouldn’t talk to each other… maybe they just shouldn’t be connected.

So I grabbed my wire cutters and got to work.

• The thermostat cable? Snip.

• The smart TV? Unplugged, wrapped in aluminum foil, and relocated to a Faraday cage (a.k.a. my shed).

• The printer? Now lives in the freezer, isolated and cold, but very secure.

I call it Physical Zero Trust™.

No network, no problem.

What About Wi-Fi?

Don’t worry, I didn’t forget wireless.

To prevent rogue devices from reconnecting, I wrapped my Wi-Fi router in two layers of copper mesh, just to keep it humble.

Then I wrote a script that rotates the SSID to a new random 32-character string every 60 seconds.

Sure, nothing can actually connect anymore, but that’s the point.

This isn’t just segmentation, it’s Wireless Evaporation™.

Lateral Movement? Not on My Watch

In the past, I worried about attackers moving laterally across my flat home network. But with each device now physically relocated and completely offline, they’d need to:

1. Break into my house

2. Know which drawer the gaming console lives in

3. Hope the smart lightbulbs boot up

4. Reverse-engineer the thermostat using a flashlight and a coat hanger

5. Get past the Post-It note that says “Not today, threat actor.”

It’s a bold move but one that has eliminated all east-west traffic, all telemetry, and (accidentally) all convenience.

Downsides

Okay, I’ll admit a few trade-offs:

• The toaster no longer gets firmware updates.

• I can’t remember where I put the router. It may be under the couch.

• My wife says, “You’ve gone too far.” I say, “You can never be too segmented.”

Final Thoughts

In an age of sophisticated cyber threats, we need bold, disruptive solutions.

You can keep your VLANs and firewall rules. I’ll be over here, living the air-gapped dream, with a network so secure, even I can’t use it.

Happy April Fools’ Day!

(And seriously… go segment your network.)

Back in 2018, I wrote a post called Home Network Segmentation: A Must in the IoT Era. It walked through how to isolate your smart devices, like TVs, thermostats, and cameras, from your laptops and phones. The goal? Keep the questionable stuff away from the critical stuff.

Nearly seven years later, the need for segmentation hasn’t gone away. If anything, it’s become more urgent.

Because here’s the truth:

Every device on your home network can probably talk to the entire Internet.

And most of us have no idea if these devices are talking to the correct servers, or to threat actors, or if those devices need to talk to anything on the Internet at all!

Everything is connected.

When you connect a new smart device, like a lightbulb or a smart plug, it typically:

• Gets full access to the Internet.

• Has permission to connect to anything.

• Can often talk to every other device on your network, too.

That’s the default. And unless you step in and change it, it stays that way.

This isn’t just an IoT problem. It’s a visibility problem. And a trust problem. We trust these devices to do what they need to in the background, and nothing more.

Spoiler alert: that’s not always the case.

Why Flat Networks Are Still a Problem

In a flat network:

• There is no segmentation.

• No boundaries.

• No meaningful control.

A flat home network is like having a house where every room shares the same key, for both the front door and every interior door.

Once a visitor (or an intruder) gets hold of that single key, they immediately have access to everything: your bedroom, your home office, even the safe in the back room.

In this house, once someone gets through your front door (like a hacker breaching your router), they can move freely between all your connected devices. Your smart TV can talk to your work laptop. Your gaming console can reach your security cameras. And that cheap smart light bulb with outdated firmware? It can communicate with the computer that stores your tax returns.

Just like you wouldn’t give the delivery person access to your bedroom, you shouldn’t give unrestricted access to every device on your network.

And attackers know this.

Many botnets and malware campaigns rely on phishing attacks to infect a system inside of your network, or they scan open ports and compromise devices, then move laterally through your network. If your smart plug gets compromised, your laptop might be next.

But What About My Firewall?

A lot of people assume their firewall is blocking threats from the Internet.

And that’s technically true, if the threat starts from the outside.

But here’s what most folks don’t realize:

Once a device inside your network makes a connection out to the Internet, the firewall allows that conversation to continue in both directions.

This is called stateful inspection, and it’s how most home firewalls, and even many business firewalls, work. The idea is simple:

“If a device inside the network started the conversation with a system on the Internet, it must be safe to continue.”

Sounds reasonable… until your smart device reaches out to a malicious server.

Or your fridge downloads a sketchy firmware update.

Or you click on the wrong link and infect your laptop with malware that connects to a malicious IP address.

Because your network allowed the outbound connection, it now trusts the inbound replies.

And that’s where risk lives.

Most home routers don’t log or flag this behavior. They just keep the door open.

But Here’s the Bigger Problem

Let’s say you do segment your network (and if you haven’t, please read that earlier post and make it happen).

The next question becomes:

Do you know what your devices are actually doing?

Do you know:

• What domains your thermostat is connecting to?

• If your smart TV just reached out to an unknown IP in another country?

• Whether that firmware update really came from the vendor?

We can’t defend what we can’t see.

And right now, most of us are blind.

We Need More Than Isolation…We Need Insight

Network segmentation is an excellent first step. It limits exposure and buys you time. But it doesn’t give you visibility.

You still need to know:

• What’s on your network

• What it’s doing

• What’s normal, and what’s not

Because segmentation without insight is like putting your devices in separate rooms… and never checking what’s going on inside them.

Coming Soon…

This is a problem I’ve been thinking about a lot lately.

Not just at home, but across supply chains, small businesses, and global enterprises.

We need a better way to understand device behavior, especially in a world where every smart toaster has a direct line to the entire Internet.

More on that soon.

Let’s clear this up right away: falling for a phishing email doesn’t mean you’re clueless, lazy, or bad at your job.

Even Troy Hunt, yes, the guy behind Have I Been Pwned, recently clicked on a phishing link. And not just clicked… he entered his credentials and a multi-factor authentication code into a spoofed website.

This isn’t about dunking on Troy. In fact, it’s quite the opposite. I appreciate that he went public with the story, because it gives all of us, security folks, business users, and IT teams, a reality check.

What Happened

Here’s the quick version: Troy received an email that looked like it came from Mailchimp, his email marketing provider. The message claimed his account had been flagged for spam and that his ability to send emails was restricted.

It contained a link to a site at mailchimp-sso.com (which sounds just real enough), and when Troy followed the link, he was taken to what looked like Mailchimp’s login page. He entered his username, password, and a one-time passcode.

Then the page stalled out.

That’s the moment he realized something was wrong.

He immediately went to the real Mailchimp site, changed his password, and saw that his mailing list, about 16,000 email addresses, had already been exported by someone using an IP address in New York.

It was a well-crafted phishing email, sent at the perfect time (he was traveling, tired, and distracted), and it got him. You can read his account of the phish, here.

Wait… Who Is Troy Hunt?

If you’re not in the security industry, you might not recognize the name. Troy Hunt is the creator of Have I Been Pwned, a service that lets you check if your email or password has ever been exposed in a data breach. He’s a respected voice in the cybersecurity world, and he’s helped millions of people understand digital risk.

So yeah, he’s one of the last people you’d expect to fall for a phishing attack.

Why This Matters

We’re long past the days when phishing emails were filled with typos, fake Nigerian princes, or cartoonish grammar. Today’s attacks are:

• Polished – Clean branding, real-sounding alerts, perfect English.

• Timely – Triggering you when you’re most distracted.

• Hyper-specific – Sometimes using scraped data, breached info, or even generative AI to add believable context.

What got Troy wasn’t a lack of knowledge. It was a moment of humanity, one all of us are susceptible to. A split-second decision made while multitasking. That’s all it takes.

What We Can Learn

Troy’s transparency gives us a chance to pause and revisit our own habits. Here are a few reminders that might help:

1. Slow down. The best phishing attacks create a sense of urgency. That’s intentional. Pause before clicking.

2. Hover and verify. Look at where a link really goes before clicking. mailchimp.com is legit. mailchimp-sso.com is not.

3. Use a password manager. They won’t auto-fill on fake sites. If you’re not using one yet, here’s why you should.

4. Enable MFA. It’s not bulletproof, but it helps. And if you’re still unsure what that means, check out my post on multi-factor authentication (MFA).

5. Normalize mistakes. The more shame we attach to “falling for it,” the fewer people will report incidents quickly.

Want to understand how attackers use leaked credentials? Take a minute to read about credential stuffing. It’s more common, and more dangerous, than most people realize.

And if you’ve ever wondered how phishing links might redirect you even when you type the right address, pharming is a threat worth learning about too.

Final Thoughts

The next time you start to say, “I would never fall for that,” remember Troy’s story. You might not fall for that one, but there’s always a more convincing phish right around the corner.

Phishing doesn’t care how smart you are. It cares how distracted you are.

And if it can fool someone who literally teaches the world how phishing works? It can fool any of us.

Curious, I clicked play, and what I heard was incredible. Two AI voices (that sounded eerily human) were having a full-on conversation about me! They dove into my blog, discussed a few posts in surprising detail, and even brought up one of my patents. Now, here’s the kicker: the patents are only listed on my LinkedIn profile. So, in those few minutes, the AI not only found them but also looked them up, read through them and summarized one—all within the few minutes it took the AI to create the podcast!

I couldn’t help but think, “Wow, did this thing just casually do a week’s worth of research in minutes?” The voices didn’t sound like your typical robotic narrators either—they felt like real co-hosts chatting about my work and personal brand. Talk about efficiency!

This experience really made me reflect on how fast AI is evolving. Tools like this are moving way beyond simple automation, becoming more sophisticated in understanding and summarizing complex content. It’s a bit like having an overachieving intern who doesn’t need sleep, caffeine, or bathroom breaks—and who actually reads what you send them. Impressive, right?

So, yeah, the future’s looking pretty cool if you ask me. Next up: convincing the AI to write my next blog post…or maybe even interview me for real. ;)

Please note that the podcast contains some inaccuracies, such as incorrectly identifying Merryl Goldberg as a code breaker, when in fact, she was more involved in code-making. I have kept the podcast in its original, unedited form to demonstrate how effective the tool is, even without specific guidance—simply by uploading two links.

In August 2026, Merryl Goldberg’s book will tell the full Cold War story behind the sheet music cipher that stunned the cybersecurity world. This post is the origin story of how that history moved from a Southern California birthday party to the keynote stage at the RSA Conference.

In 2021, at a birthday party in Southern California, I met someone whose story would soon echo across the cybersecurity world. At the time, she seemed exactly what she was. A warm, approachable music professor with an infectious smile. What I did not know was that decades earlier, she had helped outsmart the KGB using sheet music as a cipher.

The Birthday Party

It was the summer of 2021. After more than a year without travel due to COVID, my wife, Kim, and I were eager to attend a close friend’s birthday gathering and spend a few quiet days in Southern California. The party was held at our friend’s home, and the weather made it easy for guests to drift between the house and the patio. We knew only a handful of people, so introductions came naturally. Names were exchanged. Conversations unfolded.

One of those introductions would soon matter.

At dinner, a woman at our table introduced herself as Merryl Goldberg, a music professor at California State University San Marcos. We quickly learned she was also an author and a boxer. The range alone made her memorable.

When Kim and I mentioned that we worked in cybersecurity, the conversation shifted. I noted how many security professionals are also musicians. The balance of creativity and logic is more common than most people realize. Merryl listened, smiled, and said she had a story for us.

What followed left our table stunned.

In the 1980s, she and fellow musicians encoded sensitive information into sheet music, allowing messages to pass the KGB and helping Soviet defectors escape. It sounded improbable. It was not.

Her story has since been told in detail by Wired and many others, and now in her forthcoming book. But that night, around a dinner table in Southern California, it was simply a remarkable story shared among new friends.

When the conversation resumed, I asked whether she had ever considered telling that story to a cybersecurity audience. She had not. She smiled again and said she would be open to it.

Call For Speakers

When Kim and I returned home, the story lingered. The more we thought about it, the more it felt like something the cybersecurity community needed to hear. We began drafting a submission to the RSA Conference Call for Speakers, outlining the unlikely intersection of music, cryptography, and Cold War history.

With Merryl’s approval, we submitted the proposal and waited.

In early October, I received an email from Britta Glade, the RSA Conference’s Senior Director of Content and Curation. She wanted to hear the story firsthand. The keynote team, she explained, had ideas about how it might be presented. If everything came together, she wrote, “it will rock!”

RSA Conference

By the time the conference was rescheduled from February to June, the keynote plan had solidified. When the final details were confirmed, I booked my flight to San Francisco.

The night before the presentation, Merryl and I met for dinner. She was curious about the cybersecurity industry and asked thoughtful questions about the field that would soon hear her story. The parallels between music and technology resurfaced in our conversation. Patterns. Precision. Improvisation within structure.

The Presentation

On the morning of the keynote, the room filled quickly. Britta opened the session by reflecting on the relationship between music and programming before introducing Merryl to the stage.

The format was conversational. The story unfolded deliberately. A young musician in the 1980s. Sheet music passed between hands. Messages hidden in plain sight. The KGB listening, but not hearing.

The audience was riveted.

Earlier that day, I had mentioned Merryl’s story to Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency, and encouraged her to attend the keynote. As it happened, Jen was speaking just before Merryl, which gave them a few minutes together backstage. Their brief introduction would later grow into something more lasting. In the years since, Jen and Merryl have stayed connected, and Jen has invited her to participate in multiple events and discussions bridging history, music, and cybersecurity.

After the Talk

After the talk, a crowd gathered at the front of the stage. Among them were Bruce Schneier and Wired reporter Lily Hay Newman. Conversations quickly turned to the cinematic quality of the story. It felt less like a conference session and more like the beginning of something.

Later, I walked Merryl through the vendor floor. The IBM booth featured a mixing board installation that illustrated a simple truth. Focus on everything at once, and you get noise instead of music.

At the NSA booth, a working Enigma machine drew a steady crowd. Given the reason we were there, it felt fitting to stand in front of one of history’s most famous encryption devices as it operated once again. Cryptography, past and present, seemed to converge in that moment.

After the Keynote

The momentum did not end when the lights came up.

In the weeks that followed, Merryl’s story appeared in Wired, Dark Reading, podcasts, and international publications. The cybersecurity community embraced it. What had begun as a conversation at a dinner table was now part of a broader dialogue about creativity, courage, and the unexpected paths that shape our field.

Conversations that began backstage extended well beyond the conference. Relationships formed. Invitations followed. History reached new audiences.

Years later, as Merryl prepares to publish her book, it is striking to look back at where this chapter of the journey began. Not on a stage. Not in a newsroom. But at a birthday party, where a story was simply shared among new friends.

References/Appearances

Wired - How a Saxophonist Tricked the KGB by Encrypting Secrets in Music June 8, 2022

RSA Conference 2022 Keynote - How a Musician Used Sheet Music Encryption to Help Soviet Defectors June 8, 2022

Dark Reading - How 4 Young Musicians Hacked Sheet Music to Help Fight the Cold War June 10, 2022

Tweet by CISAJen June 10, 2022

Hacked Podcast - The Phantom Orchestra June 16, 2022

[PODCAST] Smashing Security Podcast #279: Encrypted notes and a deadly case of AirTag syping June 16, 2022

SpamChronicles June 20, 2022

JACK article (French) June 22, 2022

[VIDEO] Dr. Goldberg's RSA Conference presentation on YouTube August 12, 2022

[PODCAST] Click Here podcast: The Musicians Who Came In From The Cold August 23, 2022

[VIDEO] A Reunion Performance from the “Phantom West" August 23, 2022

[VIDEO] Evading the KGB with Sheet Music with Merryl Goldberg August 25, 2022

[PODCAST] NPR podcast and radio show, The World (starts at 23:40) August 29, 2022

[VIDEO PODCAST] Spying Through Music September 28, 2022

Other References

[VIDEO] Professor Packs a Punch: Beyond the Classroom with Merryl Goldberg April 19, 2018

Merryl Goldberg on Twitter

Merryl Goldberg, Ed.D Faculty Page at CSUSM

A NetBOM is a network bill of materials. It is a list of the Internet servers that a device needs to connect to. Currently, when we buy products, we connect them to our network and give them unfettered access to the Internet. This means that even if a device is behind a firewall, if it becomes infected with malware, the malware can connect out through the firewall to communicate with a threat actor. One way to limit this, it to create firewall rules that only allow the device to connect to the servers that it needs to connect to.

The NetBOM can be an important tool in implementing devices in a zero-trust environment.

The name is a play on the term SBOM which is a software bill of materials. An SBOM is an inventory for software that make up software components. This is similar to the list of ingredients that we see on food products, except the SBOM would list software components and their versions.

While an SBOM informs end users of the software and versions that are running on their devices, a NetBOM informs the end user of the Internet servers that the device needs to connect to.

What is in the NetBOM?

The NetBOM file includes:

• Version number of the NetBOM file

• Date of release

• NetBOM server address(s) - this is where the device can get updates to the NetBOM

• IP addresses and ports of Internet servers that are used by the device and an explanation of the purpose of the server

  • e.g. 9.9.9.9:9953, 9.9.9.9:53, DNS servers

• Fully qualified domain name addresses and ports (if necessary) of Internet servers that are used by the device

  • e.g. https://dns.quad9.net/dns-query, tls://dns.quad9.net, DNS servers

The NetBOM could include addresses for:

• NetBOM server

• SBOM and vendor patch servers

• cloud-hosting servers

• time servers

• advertising servers

• mapping servers (e.g. Google Maps)

• API servers

How is the NetBOM used?

Vendor:

NetBOM file:

• The vendor includes the NetBOM file in the device before the device is sold.

• The NetBOM file is signed with the vendor’s code signing certificate.

• The device will not load a NetBOM unless the file is signed with the vendor’s code signing certificate.

• If any changes are necessary, the vendor changes the NetBOM file and adds the new version to their NetBOM server

NetBOM server:

• The vendor hosts a NetBOM server (e.g. netbom.domain.com) that serves updated versions of the NetBOM. This is important because some vendors may change hosting servers over time.

• The NetBOM server uses the current standard for secure hosting (e.g. TLS/HTTPS)

  • The domain name used by the NetBOM server must be owned by the vendor

  • Hosting certificates must be registered to the vendor by a trusted third-party

End-User:

The end-user can use the NetBOM information to create rules in firewalls and security tools that will limit the ability of the device to only the Internet servers that are needed and approved by the vendor and the end-user.

Possible NetBOM Automation

Here are some possible ways to automate NetBOM which could be useful for small office and home use, where network security expertise is limited or non-existent.

• A device can publish it’s NetBOM with the firewall.

• A firewall would verify the validity of the NetBOM with the NetBOM server and create firewall rules based on the NetBOM.

• Proxy servers could create rules based on the NetBOM

• IPS and security tools can also create rules based on the NetBOM and report on anomalies.

If you are reading this, you likely have heard about Log4Shell, the December, 2021 critical zero-day remote-code execution vulnerability, and subsequent vulnerabilities in the popular Log4j software library that is developed and maintained by the Apache Software Foundation. Apache has patched these vulnerabilities in version 2.17.1, however vendors who use this library will need to patch their affected systems. Amit Yoran, CEO of the cybersecurity firm Tenable, called it “the single biggest, most critical vulnerability of the last decade” – and possibly the biggest in the history of modern computing. In addition to the remote-code execution capabilities of this vulnerability, one of the reasons this is so critical, is that Log4j is being used in systems all over the Internet that will not be updated automatically.

According to Matthew Prince, the CEO of cybersecurity company, Cloudflare, the earliest evidence of exploitation was on December 1, 2021, which was 9 days before the vulnerability was publicly disclosed but since the disclosure, the flaw is being widely exploited in the wild.

Which Versions of log4j are vulnerable?

• Versions up to and including 2.0-beta9 to 2.14.0 are vulnerable to CVE-2021-44228 (CVSS 10)

• Versions up to and including 2.15.0 is vulnerable to CVE-2021-45046 (CVSS 9.0)

• Versions up to and including 2.16.0 is vulnerable to CVE-2021-45105 (CVSS 7.5)

• Versions up to and including 2.17.0 are vulnerable to CVE-2021-44832 (CVSS 6.6)

Version 2.15.0 was released to patch the vulnerability but according to the Apache Software Foundation, “…the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations” so they issued CVE-2021-45046 and released version 2.16.0.

Version 2.16.0 was originally rated as low severity CVSS 3.7 but this has been changed to a critical severity 9.0 score when it was shown that an attacker could abuse the vulnerability and execute code remotely.

Version 2.17.0 was released on Friday December 18 to patch a vulnerability in all previous versions of Log4j 2, which “…did not protect from uncontrolled recursion from self-referral lookups.” according to Apache.

Version 2.17.1 was released to patch a remote code execution vulnerability in all versions prior to and including 2.17.0. However, as of this writing, it seems that an attacker would need permission to modify the logging configuration file, so install this patch when you can.

NOTE: If you are running any version up to and including 2.16.0, upgrade to at least version 2.17.0 of Log4j as soon as possible and since you’re upgrading, you should probably just go right to 2.17.1.

As of the writing of this blog, there is no evidence that version 1 of Log4j is vulnerable to these CVEs, but running old, outdated software is not recommended so if you are using version 1, you should consider upgrading to at least version 2.17.0 of Log4j.

How The Attack Works and How to Defend Against It

In simple terms, an attacker can enter a specially crafted string into the input field of a java-hosted application that will be passed on to Log4j and executed, resulting in a system takeover.

It’s actually a little more complicated than that, so to show how this attack could be implemented, and prevented, here is a brief overview of a blog that was written by the Swiss Government Computer Emergency Response Team (CERT).

Stage 1

• Attack: An attacker inserts a JNDI lookup in the header field of an input that is likely to be logged

• Defense: Block with a Web Application Firewall (WAF)

Stage 2

• Attack: The JNDI string is passed to Log4j for logging

• Defense: Disable or patch Log4j

Stage 3

• Attack: Log4j interpolates the string and queries the malicious LDAP server

• Defense: Disable JNDI lookups

Stage 4

• Attack: The LDAP server responds with directory information that contains the malicious Java class

• Defense: None

Stage 5

• Attack: Java deserializes (or downloads) the malicious Java class and executes it

• Defense: Disable remote codebases

For a more in-depth dive, this Naked Security blog provides a great technical walk-through of the the exploit and how to mitigate a vulnerable system.

This is the type of vulnerability that will take months or years to effectively mitigate across the Internet. To stay informed and follow the latest developments, you can reference the CISA Log4j Guide or review the additional references at the end of this blog.

If you are testing systems to see if they are vulnerable, Huntress Labs created a Log4Shell vulnerability testing page. This won’t execute code but still be sure you have permission to test your target system.

Call for SBOM

The past four days have been very busy for IT Security and IT teams around the world. Part of the problem with responding quickly is that most organizations have a poor inventory of the systems and software that exist in their enterprise. Even organizations who are good at keeping inventory will likely struggle to manage this vulnerability because so many of the products and services that we use are made up of a combination of open source and proprietary software but vendors tend not to reveal the code that they use. If vendors were required to share a Software Bill of Materials (SBOM), then organizations would be able to take a quick inventory of the software that runs in, and supports, their enterprise and make quick risk assessments to determine what is vulnerable and how to mitigate the risks.

While SBOMs are not widely available and used today, there are efforts to move in this direction. Earlier this year, President Biden signed an executive order that called for the U.S. government to publish minimum elements for an SBOM. You can learn more about this effort from the National Telecommunications and Information Administration’s (NTIA) SBOM site. Additionally, CISA is hosting a 2-day webinar called SBOM-A-RAMA on December 15th and 16th, 2021.

References:

• CISA Log4j Guide

• CISA Log4j Affected Product Database

• Swiss Government CERT: Zero-Day Exploit Targeting Popular Java Library Log4j

• Naked Security: Log4Shell explained - how it works, why you meed to know, and how to fix it

• Log4shell Repo: Great repo of operational information about log4shell, including a list of vulnerable software

• Blue Team Cheat Sheet Log4Shell

• Cheat Sheet and Reference Guide

• Another Apache Log4j Vulnerability Is Actively Exploited in the Wild (CVE-2021-44228)

• National Telecommunications and Information Administration’s (NTIA) SBOM site

• CISA’s SBOM-A-RAMA

• Huntress Labs: Open source Log4Shell vulnerability testing page

• Bleeping Computer: List of Vulnerable Products and Vendor Advisories

• SecurityWeek: Log4Shell Tools and Resources for Defenders

• check-log4j: This tool will try to determine if the host it is running on is likely vulnerable

• The Hacker News: Apache Issues 3rd Pact to Fix New High-Severity Log4j Vulnerability

• Center for Internet Security Log4j Response Page

• CISA Log4j Scanning tool

Change Log

• December 28,2021 Added CVE-2021-44832

• December 22, 2021: Added link to CISA log4j scanning tool

• December 20, 2021: Added CISA Log4j Affected Product Database

• December 18, 2021: Added information about CVE-2021-45105 and link to The Hacker News article covering the CVE

• December 17, 2021: Added link to the check-log4j script

• December 16, 2021 - Added information about CVE-2021-450446, added links to BleepingComputer and SecuirtyWeek

• December 15, 2021 - Added Log4Shell Repo link and Huntress Labs Log4Shell testing page