
How Cybercriminals Exploit Old Vulnerabilities and Use Past Scams to Target Us

BSides SATX · 2025 · 30:15 · Published 2025-09
Category: Technical
Style: Talk
About this talk
Cybersecurity attorney Anthony Hendricks examines how attackers continue to exploit old, patched vulnerabilities and repurpose classic scams to target individuals and organizations. He discusses why patch management fails in practice, the legal consequences of data breaches, and practical strategies for improving security awareness and vulnerability remediation.
BSides San Antonio 2025 June 21 at St. Mary's University
Transcript [en]

San Antonio. Before I begin, or Mr. Hendricks begins, I just want to give a quick shout out to our diamond sponsor USAA and also St. Mary's for helping make this event possible. We are grateful for the support of Island Toyota, Tushido Systems and SpecterOps. I'm going to turn this over to Mr. Anthony Hendricks to talk about Throwback Thursday. Please join me in welcoming Mr. Anthony Hendricks.
>> Thank you so much. I'm really excited to be here this morning presenting Throwback Thursday: How cyber criminals are exploiting old vulnerabilities and using past scams to impact all of us. So, my name is Anthony Hendricks. I'm a cybersecurity attorney based in

Oklahoma City. So, while I am a lawyer, I am not your lawyer, and this presentation should not be considered legal advice. Instead, think of this as a conversation between friends. But if you need legal advice, please, please, please find a local lawyer who can help you. I also host a cybersecurity podcast that focuses on exposing underrepresented groups to the field of cybersecurity and data privacy. So, everyone loves throwbacks, and I even included a throwback picture of baby Anthony at his graduation from Howard University. So every Thursday people flock to social media and they post throwback pictures. They post old memories, and cyber criminals are doing the same thing. They are going after old

exploits that all have available patches that are unpatched in systems, and they're going back to classic scams to target each and every one of us. So what exactly are we going to be talking about today? Well, I always like starting every cybersecurity presentation with just a quick discussion of cyber risk, cyber threats, and their legal consequences. Then we'll talk about throwbacks. We'll then talk about a few examples of throwbacks, and we'll talk about the Jay-Z rule, and we'll also play a game if everyone's okay with that. We'll then talk about why throwbacks work before we talk about ways to create better memories. And then if we have a little bit of time

left, I'll talk about how Oprah Winfrey can make everyone in here a little bit safer. Does that sound good? All right. So, let's rock and roll. So, cyber risk. Let's look at last year. There was a slight decrease in the number of data breaches. So, you may be saying, okay, that's great, a slight decrease, right? But we actually saw a large number of victims of these breaches. A lot of people received notices that their information was caught up in a data breach. And so, what's the reason for this large number of victims? Well, there are three big factors. One, mega breaches, these large data breaches. Also, zero-day vulnerabilities. And then finally,

throwbacks. So, mega data breaches: 85% of victim notices were because of six data breaches. So if we had not had these six incidents last year, we would have seen a big decrease in the number of people who were impacted by data breaches. And you're probably all aware of those big data breaches because they had all the headlines, right? Another reason for this increase in the number of victims is zero-day vulnerabilities. When you hear zero day, it just means that you're probably going to have a bad day, right? The number of zero days was actually lower than in 2023, but it still was a primary cause of the number of victims who

received notices last year. So cybersecurity incidents create huge costs for businesses and organizations, right? The average cost of a data breach globally in 2023 was 44 million plus. In the United States the average is almost $10 million. These are big, big numbers. They have big consequences for businesses and organizations. But also cyber risk equals legal risk, and that's where the lawyers get involved, right? There have been a number of lawsuits filed after cybersecurity incidents. There have been a number of enforcement actions from regulators and industries. And so cybersecurity risk equals legal risk for businesses and organizations. And so I often talk about businesses, and everyone says, "Well, what about me?" Right? What

about me? Cyber issues aren't just a business issue. It's costing each and every one of us so much money, right? Personally. So now let's get to our main topic, throwbacks. Throwbacks are causing a ton of chaos. 40% of vulnerabilities exploited by attackers in 2024 were from 2020 or earlier, and 10% were from 2016 or earlier, right? And so these throwbacks are simply vulnerabilities, exploits that are publicly known about, where a programmer, developer, or software creator created a patch, and you apply the patch and you no longer have that vulnerability, and people are failing to apply those patches. So throwbacks and ransomware, right? They go together. While phishing attacks are probably the most common way that

attackers get into your system when it comes to ransomware attacks, 32% of ransomware attacks last year started through throwbacks, through these unpatched vulnerabilities. And when we have throwbacks involved, it leads to more expenses for businesses. Why is that? It's largely because when the insurance company finds out that you had a vulnerability where there was a publicly available patch and you didn't apply it: we're not going to cover this incident. So now you're going to have to pay for everything out of pocket. So throwbacks are really, really expensive for organizations. So what does this look like? Well, earlier this year, the FBI and CISA issued a joint advisory about dose ransomware, and they've been

targeting schools. They've been targeting hospitals. And they've been doing this by just looking for known vulnerabilities that have a patch and looking for organizations that have not applied the patch. And so, the best way to talk about throwbacks is to look at actual examples, right? And every time I use real-world examples, people come up to me after the talk and they say, well, why don't you talk about this example? Why did you pick on this organization? You know, why are you being mean to this company? And I am not attacking anyone. Instead, I am following what I like to call the Jay-Z rule. So, what exactly is the Jay-Z rule? Well, Jay-Z once rapped, "Hov did that, so hopefully you

wouldn't have to go through that." And so we're going to talk about some of these examples so that hopefully no one in this room will have to go through what they went through. Sounds good? All right. So let's look at an example. Equifax data breach, 2017. You saw this in all the headlines, right? 140 million consumers had their information stolen. Two Chinese nationals were charged with exploiting a vulnerability in Apache Struts that allowed them to get into the system. And so this was an unpatched vulnerability that allowed them to get into the system. And so some of you who are probably more familiar with this may be saying, "Hey, that's a little bit unfair. That patch came out

pretty close to when the incident happened. You're being unfair. You're picking on them." All right? So let's look at another example. And I want to play a game that anybody who's on social media, or who has kids, has probably done. You've probably heard about this trend. It's called "we listen and we don't judge." All right. So, I'm going to talk about another example. We're going to talk about the city of Baltimore in 2019. They were the victim of a ransomware attack that kind of decimated all of their city services, right? They were unable to do many things in the city for a long period of time. And so, there was some debate about whether the stolen NSA exploit

EternalBlue was used. But the city of Baltimore did something. They did a report about how this happened. And in the report, it talks about how they had a number of legacy systems, how they hadn't applied patches for years and years and years. So even if that exploit wasn't used, they admitted, hey, we didn't even apply that patch that was given two years ago that would have stopped it. So it could have been this exploit, because we hadn't patched our system in almost two years, right? All right. So let's talk about another example. But remember, we listen and we don't judge. All right. So January of this year, Oracle Health, formerly another company purchased by Oracle,

they had a cybersecurity incident where criminals were able to get into their system and access servers and copy patient information, and the criminals used an unpatched vulnerability in Oracle Access Manager from 2021. So that looks really bad, because the company was purchased by Oracle and they didn't apply the Oracle patches from four years ago, right? So this is still happening all the time. And so let's talk about it from the scamming perspective. So what I did is I went to the FTC's website, and they have these wonderful charts for various years of the top scams, right? And they're all different years, but they largely look the same because they are

the same scams, the same exploits. You've probably heard so many articles and read so many things about how scammers are using AI to trick us and all those things. And yes, that is happening, but a lot of these people are just going old school. So, I wanted to talk about one specific example, because a lot of times when we talk about these scams, people are like, "Oh, we're not taking this seriously, right? Gift card scams, right? No one falls for that. That's the simplest thing." But it costs us millions of dollars every single year. And it's not just, you know, older Americans falling for it. It's all types of people. It's CEOs. It's even fraud

professionals who fall for it. AARP has this article about how one of the leaders of their fraud division actually fell for one of these gift card scams. So if someone who teaches people how to do it falls for it, that means it's a serious issue. So in 2023, card draining and gift card scams made up $217 million of the record high $10 billion in losses. And so this is a big problem, and it's very, very basic how they go about it. And so here are some headlines showing that this is still an issue, and they aren't using anything very tricky here. They're using the same thing they used in 2020, 2021, 2022,

2023, and this year. Yeah. So, why do throwbacks work? Right? You may be saying, "Hey, why are people falling for these throwback scams? Why are we falling for these throwback attacks, right?" Well, it's us, right? We're the problem. And because we're the problem, we are also the solution, right? And so before we can get to solutions, we've got to talk about our problems. So the first is that we fail at training. And I always like to use this GIF of LeBron talking to Austin Reaves. And you can see his face. He looks really, really confused when LeBron is teaching. And that's usually the face that people make when I give cybersecurity trainings at companies. They

look pretty confused, right? We often fail at training. And studies have found that employees who receive traditional training on cybersecurity issues only perform marginally better than people who haven't taken training at all. So we have a training problem. Also fundamentals, right? The majority of us fail at just the basic fundamentals. A majority of online adults can identify strong passwords. That's great. But they really can't go beyond that to things that are commonplace right now, things that can help us, and we don't get the basics right. 80% of successful data breaches are the result of compromised credentials, right? It's just the fundamental basic things that we fail at. Also, cybersecurity culture, right?

You're wondering why an organization isn't patching their systems with patches that are available, right? This is a culture problem. You're not getting a lot of buy-in from the top that creates a culture where cybersecurity is appreciated, cybersecurity is important, and so that leads to issues. We also lack security policies and basic programs. 47% of small businesses don't have any type of cybersecurity policy in place. According to a number of sources, nearly 60% of organizations don't have a patch policy, right? And so you can't blame someone for not applying patches if you don't have a policy in place telling them who's responsible for applying the patches. And when companies do apply

patches, they wait, right? On average, it takes 102 days to apply a patch. And so if it is a critical patch, you're not going to have it in place, because you take so long to apply those patches. Another issue is we let fear and pressure win, right? And so when companies do have policies in place, people are reluctant to apply patches, because your fear is, all right, I'm going to apply these things or I'm going to do these updates, and it's going to mess up everything that I have in place, and I'm going to have to spend all of this time fixing it, when right now my system is running absolutely perfectly.

Also, it's time consuming, right? From a business standpoint, no one wants their computers down. Sometimes applying these patches requires you to shut down for a period of time. And business owners will tell you, "No, no, no, no, no, no. We don't want to do that. We need to be up and running. We need to be making money." And so, we allow this fear, we allow this pressure to control us. And that leads to issues for all of us. So, how do we create better memories? How do we create better throwback cases? Well, the first thing we do is understand that it's not all doom and gloom. We can do little things

right now to make ourselves and our organizations safer. So, the first thing we do is train better. We started with the picture of LeBron and Austin Reaves, where Austin Reaves was confused. And then the next year, it's Austin Reaves training the rookie on the team, giving him advice, and he looks confident. And so we need to train better based on how people learn things, how people memorize. And so when we want to talk to people about cybersecurity, about staying safe online, we need to remember that people can only focus on six to nine new pieces of information before there's a steep drop-off. And so understanding how people think and how people learn makes us better

trainers. And so it's a slow process, but if you do it right, people who have taken training can become leaders, where they can talk to other people about cybersecurity issues. We also need to focus on risk-based training, right? We need to understand what our risks are. We should have personalized training based on topics, based on job responsibilities, so that everyone is prepared to deal with these types of issues. Well, the next is healthy skepticism, right? That's one of the things they talk about for cybersecurity, where you're going to be asking questions. So, everyone needs to channel their inner Soulja Boy and say, "Yeah, I don't believe that. That's fake. That's

photoshopped," right? You need to be a little bit more cautious. You need to take that one extra step to ask a question. And so, social engineers often leverage psychology and our natural decision-making process. They want to speed us up, right? They want to get us to make quick decisions. And so if you can just take an extra moment and ask an extra question, figure something out, that helps you combat that, right? And so we're going to look at an example about asking questions. And we're going to talk about romance scams. Romance scams cost consumers tons and tons of money, over a billion dollars last year. And that's a huge sum of money. And so you

should be saying in your head, well, maybe she's just not into you, right? If the person you're dating online keeps making excuses about why they won't meet you in person, well, maybe she might not be into you. If you're getting requests for money and you've never met in person, you should be asking yourself, hm, that sounds funny. Maybe she's just not into you. You know, if you're being asked by the person you're dating online for money via gift cards or cryptocurrency, you should be thinking in the back of your head, maybe she's just not into you, right? Asking those extra questions, having some healthy skepticism, can keep us all safer online. Also, when we talk about

patching, we should have a patch management program. I'm not here to sell you anything, but it is just a process of allowing you to balance your cybersecurity needs with your business needs. If you have a policy in place, that means everyone's on the same page about what you need to be doing, when you need to be doing it, and who is responsible for doing it. And so, there are several steps in patch management. I won't talk about all of them, but I want to talk about step number one, which is probably the most important thing, right? You need to create an inventory of your software, of your systems. The thing about it is, when I looked at

the report from the city of Baltimore about patch management, and they talked about creating a policy, they found out when they started to do an inventory that they didn't know what all systems, what all software they actually had on their system. And they were just like, I would have never patched this because I didn't know we were still using this. And so there were some systems and some software that hadn't been patched in 10 years because they just didn't know about it. And so the most important step is to do an inventory. Find out what systems you're using. Find out if you're using any legacy software. Is there some way that you can use something else instead?

So what did we learn? Right? As we talked about earlier, people forget about half of all new information as soon as they get it. And so you're probably going to go back home, and people are going to be like, "Hey, you spent your Saturday going to BSides." And they'll look through the agenda and they'll say, "Oh, there's somebody talking about throwbacks. What exactly did you learn?" And you're going to be like, "I can't remember, but he did a great job and I love his tie." Right? But I am here to help. So, here are six things, right in that sweet spot, that we learned today, so that hopefully when someone asks you what you

learned at BSides, you're able to talk about at least one thing, right? One, while new tools and exploits garner a lot of headlines, criminals often target known unpatched vulnerabilities. Two, every year the same scams cost Americans billions of dollars. Three, cyber risk continues to grow, and it is costly for all of us. Four, throwbacks are one of the leading causes of the increase in data breach victims. Five, these throwback scams and vulnerabilities work because of our weaknesses in training, missing policies, and fear. And then finally, better training, healthy skepticism, and creating patching policies are key. All right, so I think we still have some time here. So here, if you'd like to

talk, you can scan a QR code; it'll take you to my website, and this afternoon the slides will be loaded up when I get back to the hotel so that you can have them, but it'll also be the place where you can see some of the slides from other presentations. So we have more time, so let's talk about Oprah. All right. So, Oprah is one of my favorite speakers. And what I love the most about Oprah is that she gives free stuff, right? You get a car, you get a car, right? So, what I did is I came in a little bit earlier and I put under somebody's seat a free gift. So, if you can all just

look under your seat, right? I'm joking. I'm joking. I ain't got the budget for that. Right. I don't have the budget.
>> You scammed me.
>> Hold on. Hold on. I didn't scam you. I didn't scam you. I do have something for free, absolutely for free. If you scan the QR code, it'll take you to my website and you can get the five cybersecurity mistakes that you are probably making, absolutely free of charge. You don't even have to give me your email address. That's why I say it is free. It is absolutely free. Because like Oprah, I like to give free gifts. And so every presentation I end with this slide, because I always like to

thank the lawyers that work with me, because they allow me to go out and come to these conferences and talk about cybersecurity, especially the young associates who work on the cases with me, because they are working, which allows me some extra time to get away to come to these conferences. And so, if we have any questions, I'm here to answer them while we still have a few minutes left with our time together. If not, I'll be around hanging out and you can bump into me. I'm easy to find. I'm the one guy in the suit at this whole conference. All right. Well, thank you so much.
>> I have a question. How do you take what

you're saying and apply it to this, or your personal computer?
>> Easy. When Microsoft tells you, hey, we have an update for you, and you have that option to click ignore or to update, what do we do? We stop what we're doing and we update, right? We have that all the time. People will click ignore, ignore, ignore. Even when it comes to phone updates, they'll wait till the last moment, and you'll tell them, "Hey, you can't use our system anymore until you apply the most recent updates, and then we'll allow you access back." And so if you just say, "All right, I'm going to stop what I'm doing and I'm going to

apply these updates as they pop up," then you've gotten yourself a little bit safer at no cost to yourself. Anyone else?
>> Kind of potentially related, but what do you think about the ethics of delaying victim notification in data breaches and the recommendation of breach response teams? So, like, you have, I don't know, a large university, school, hospital, whatever it is; they have a data breach of some kind. They call their crisis response team, which is a whole bunch of lawyers, etc., etc., etc., and they say, "Don't tell anybody." They don't get notified for like six months that their credentials are out there.
>> So largely the delays, at least for the

good ethical lawyers, are based off what your breach notification laws actually say, right? A lot of times those breach notification laws...
>> Talk about the ethics of it, as opposed to legality.
>> All right. So let's talk about ethics, right? Sure, you want to tell people as soon as you find out, right? But what are you telling them? You're usually not telling them anything. Are you saying, we had an incident? I don't know if it involves you. I don't know what information was...
>> Right. I have a huge data breach. Your credentials are out there now. If the notification had occurred, I can go on Have I Been Pwned and find out, right? But

now I've got credentials that didn't reach for six months and I'm still using them. Right.
>> Yeah. No, no, no. So, I always try to balance, right, from my standpoint: you should notify people as soon as you're able to tell them something, that is, we know what happened, or at least a little bit, and we know that you were impacted, so that they can protect themselves, right? And so that's what it is: as soon as you're able to tell them that. Because oftentimes people will be like, "Hey, I want to tell them that we had an incident." And I'm like, "Well, what are you going to tell them?" "Well, that we're

investigating." And I'm just like, okay, you know, but it's not helpful to the person, because they start to panic, because you can't tell them whether they've been impacted. So you may be saying, oh, I'll just go on to that Have I Been Pwned, but your information might not even be there yet.
>> Right. But that person, I mean, not just personally, but I think in a larger context, the risk balance for the individual is to just change their password, even if it's just on a regular basis.
>> Yeah. If it's just credentials, then I tell people to push those out. If it's just credentials. But if it's like your actual data that we have, I kind

of wait until we figure that out. If it's all just passwords, then I tell them, hey, send that out, or do a force where everyone has to update their passwords when they log in next. And so that's what we'll do until we're able to send out actual notices that tell people, here's the full scope of what happened.
>> So, if there was a legal requirement based on legislation, do you think that is a reasonable thing to put out there for legislation to require, for that to be pursued legally? Here's a requirement. Here's a data breach notification to such and such.
>> Yeah. They don't just leave people

giving notice if they don't tell anybody.
>> Yeah. It would be stuck, like I had a chance. Yeah.

>> I got one question, just out of curiosity. Correct.
>> So the law firms have been targeted recently for sensitive data. What's the industry doing? Like, you know, large firms, small firms, what are you all doing to protect yourselves?
>> It depends on what firm you're talking to. Some firms do a lot and some firms do very, very little. And so a lot of it is buy-in, like every time you talk about technology. A lot of my law partners think about it as cost, as how much money is Anthony asking you for. And so when they think about it as cost, it makes them reluctant to do the things that are right. But when you

balance it and say, "Hey, if you don't invest in this, if we do have an incident, you know, it'll be $10 million, when you can pay, you know, for these mechanics." And so our focus has really been on helping these smaller firms, because a lot of times they don't do it because of resources. So it'll be about resources with them, and then for bigger firms, it'll be getting buy-in from all of the partners about why this is a good investment. So, it's two different conversations that are happening right now. And so, I think a lot of the bigger firms are realizing it once there's

been some lawsuits, law firms getting sued; they were like, "Oh, okay. Yeah, we need to be focused on it." But for the smaller organizations, it's a different conversation, because they're just like, you know, I'd love to, but I just don't have the resources, because we're a five-person firm or two-person firm or solo practitioner. And so you talked about the small things that they can do to make themselves a little bit safer.
>> And that's because small firms don't normally have an extended recovery plan or, like you had mentioned earlier, policies, correct?
>> Yeah.
>> Yeah. If you're a two-person firm, you're like, a policy for what? Well,

I'll just go and ask my other law partner and we'll have a quick conversation about what we're going to do. So, yeah.
>> So, what do you got?
>> So, go back to your first slide. This is not legal advice.
>> Yep.
>> You're walking into a situation. What's your ideal situation, and what's the one where you're just drunk?
>> So, when you're walking in, like, no one calls me on a good day. I never get phone calls where it's like, "Hey, we're having a company barbecue. Why don't you come through and get a plate?" I never get those phone calls. So anytime they call me, it's a bad situation, right? And so when you're walking into a

bad situation, they're all bad. For me, the best situation is where everyone wants to work together and they aren't adversarial to the lawyer, right? Because anything else we can fix, right? We can figure it out. We can get you to a better place. But if I'm walking in and people are pointing the finger at each other, nobody wants to talk to the lawyer because they think they're going to get in trouble, then that's a bad situation. But if everyone has a good attitude, we can figure it out, right? We can resolve almost anything. And so that's the ideal situation, where everyone's willing to work

together.
>> So, in your experience, most likely you wear two hats. You're the legal and sometimes you're the PR person.
>> So I am not PR. I am legal. Now, they will send a statement to me that their PR person has written, and I take my pen and be like, yeah, don't say that, we don't know. No, try again. And so that's my rule. So I'm not going to draft a statement. I'm going to be looking at it and be like, well, what does that even mean? A lot of times people will say, "And we're going to give you an update on everything that happened tomorrow." Like, do you think we're going to be

done? You know, maybe we'll have another statement come out with some updates, but you know, that's kind of my job, and I won't write the PR statement. I'll just look at it and make sure people aren't, you know, being a little bit ridiculous.
>> All right. Well, thank you so much. It was really fun. Thank you.