March 10, 2020
How do you turn a small security conference with friends into a phenomenon? Just ask Nick Percoco! In our latest episode of Security Nation, we sit down with the founder of THOTCON to chat about how he came up with the idea for the Chicago-based conference, the challenges he has faced over the years, and how the conference has evolved over time to become what it is today.
Stick around for our Rapid Rundown for a discussion of a new capability of the Emotet malware, as well as the importance of changing your passwords on webcams.
Jen Ellis is the vice president of community and public affairs at Rapid7. Jen’s primary focus is on creating positive social change to advance security for all. She believes that it is critical to build productive collaboration between those in the security community and those operating outside it, and to this end, she works extensively with security researchers, technology providers, operators, and influencers, and various government entities to help them understand and address cybersecurity challenges. She believes effective collaboration is our only path forward to reducing cyber attacks and protecting consumers and businesses. She has testified before Congress and spoken at a number of security industry events including SXSW, RSA, Derbycon, Shmoocon, SOURCE, UNITED, and various BSides.
Tod Beardsley is the director of research at Rapid7. He has over 20 years of hands-on security experience, stretching from in-band telephony switching to modern IoT implementations. He has held IT Ops and IT Security positions in large organizations such as 3Com, Dell, and Westinghouse, as both an offensive and defensive practitioner. Today, Tod directs the myriad security research programs and initiatives at Rapid7. He can be uniquely identified at https://keybase.io/todb.
Nick Percoco is the creator of THOTCON, an annual hacker conference in Chicago. He’s been an active part of the security community for over 20 years, is a member of the DEF CON NOC team, and has been a speaker at dozens of hacker and security conferences. When he’s not doing hacker stuff, he spends his time as the Chief Security Officer at Kraken, one of the oldest and largest cryptocurrency exchanges, where he leads the global Security, IT and DevOps teams with a mission of protecting millions of clients' trades and assets from the forces of evil.
Security Nation is a podcast dedicated to celebrating the champions in the cybersecurity community who are advancing security in their own ways. We also cover the biggest events in security that you should know about. In each episode, host Jen Ellis (@infosecjen) sits down with a guest so they can share their stories, what worked, what didn’t, and what you can learn from their initiative so maybe we can inspire you to do something new, while Tod Beardsley breaks down the biggest security headlines of the week.
Jen Ellis: Hi, and welcome to this episode of Security Nation, the podcast where we talk to interesting people doing really cool things to advance security. I'm your host, Jen Ellis. I'm Rapid7's VP of Community and Public Affairs, and with me is my amazing co-host, Tod of the Beardsley. Tod?
Tod Beardsley: Hi, yes, I am of Clan Beardsley and I am here securing nations with you.
Jen Ellis: And you invited one of your very finest clansmen, who has one of the very best beards that I have seen in some time. The man, the legend, the beard, Nick Percoco. Hooray! Hello, Nick! How are you doing?
Nick Percoco: I'm doing great. Thanks for having me.
Jen Ellis: Thanks for joining us. I'm really excited to have you on. So, we haven't been around much lately, so sorry about that, for all three of you who are burning for episodes of Security Nation. Hi, Mum. But we are coming back strong with Nick Percoco, who is the CSO of Kraken, which is a digital assets exchange, but he's also the man behind THOTCON, which is a super-cool conference in Chicago that I've never been invited to, that Tod loves! Tod, tell me about your love for THOTCON.
Tod Beardsley: I do love THOTCON. I think it was five or six years ago and Nick asked me and Metasploit collaborator Egypt to come talk at THOTCON at a keynote, actually, so that's scored me a black badge, which I'm very happy about and which means I never pay Nick ever again.
Jen Ellis: Just to be clear on that, guys, I haven't even been invited to attend and Tod got invited to keynote. I just wanted to make sure that everyone picked that up. No subtlety here. No nuance.
Tod Beardsley: But instead of paying for a badge every year, I just pay what I would pay in a badge to the THOTCON charity arm, which I'm sure we'll get into. That was virtue signaling, from yours truly.
Jen Ellis: Yeah. You also set Nick up brilliantly, so Nick, tell us about THOTCON. Why did you decide, you know what Chicago already needs? It needs a security conference.
Nick Percoco: So, I think this goes back to 2009 is when I had the idea for THOTCON, so it's quite a bit of time back there. It's over a decade ago, I was actually coming back from DEF CON and after being in Vegas for, I don't know, 10 days, 11 days, very, very worn out on the plane and started thinking...
Jen Ellis: That you wanted to kill everybody you knew?
Nick Percoco: Yeah. So, I was sitting in my seat, probably in 27B or something like that on a United flight back from Vegas. And I was just thinking, “Hey I've spoken at DEF CON and spoke at lots of conferences all over the world. But I've never really spoken in Chicago at a conference.” Which is where I'm from and where I grew up and there really wasn't anything substantial or anything sort of interesting going on in Chicago.
Nick Percoco: So, I essentially just was doodling on a napkin and came up with the idea. First, it was going to be called 3-1-2 Con, which anybody who's from Chicago would obviously recognize. 312 was the only area code in Chicago for a number of years until the suburbs happened and cell phones happened and things like that. So, I was like, well let's call it 3-1-2 Con. And then it just sort of evolved into THOTCON 'cause the T H for three and an O for one, and then T for two, is where the THOT part of THOTCON comes from. It just sort of happened. I had no idea on how to start a conference, literally no idea. And I just started that journey with inviting a bunch of my friends to a bar, basically for the first THOTCON.
Jen Ellis: How all the best things start.
Nick Percoco: Yeah, I contacted a bar in Chicago and said, “Hey, I want to have this conference. And I don't have any money to spend but we can pay for beer and we could pay for pizza and wings.” And so, they essentially gave us the venue for free with a food and beverage minimum. I charged some money for admission that paid for the swag pack that you get and it's very similar to THOTCON 0x1 swag pack is very similar to what you get still today. Everybody gets a T-shirt, everybody gets stickers, everybody gets paper and pen. That's where it all started. It started, 120 something people in a bar basically.
Tod Beardsley: Wow. That's a big bar.
Nick Percoco: Yeah, it was a place called Joe's on Weed Street in Chicago, which is a country bar, which after the first THOTCON was also having a cage-fighting match that was going on. And so we had to be out of there by 6 p.m. or something. We had to cut it off at 6 p.m. or 7 p.m. and this literally, as soon as I said goodbye, maybe we'll see you next year at THOTCON 0x2, people came streaming in with these chain-link fences and were assembling a cage in the middle of the conference floor. Yeah.
Tod Beardsley: I'm sad that there isn't a THOTCON cage match now.
Nick Percoco: We could have one.
Jen Ellis: Oh my god, I might finally get invited!
Tod Beardsley: That's right. Jen Ellis, MMA master.
Jen Ellis: This is my moment. So, you started out by going and hanging out in a bar. By the way, nod to the T-shirts. I frequently see people wearing THOTCON shirts at other conferences. They are always very high-caliber shirts. Always a lot of compliments from a lot of people, so kudos on all of that. I think THOTCON has definitely developed its own voice and brand in a pretty impressive way and has a culture that feels very sort of hacker OG but without being too bro-ey or too far over the crazy line.
Nick Percoco: I would agree. I don't necessarily know if THOTCON 0x1 and 0x2 were not too far over the crazy line. There's some interesting stories from back then, but we have matured in the last decade and now it's a very safe and friendly place for anybody to come and either speak or attend.
Jen Ellis: Tell us more about that. What was the process for maturing, and what drove it? We've seen some other conferences come up and move aside and some that have evolved over time and some that really haven't, some of them have devolved. What was the process for you guys?
Nick Percoco: I think it was, in some sense, a little more mindful. We had run into some issues early on. THOTCON early on was very much my idea of, I want to have some fun, I want to invite a bunch of people. I want it to be noncommercial. I want it to be not on the record. People can say whatever they want onstage. That was sort of the incarnation of THOTCON. But the pure, the nature of us having it at a bar in the first couple of years lent itself to some very bad situations with some speakers and attendees and people well overindulging in alcohol because the bar was 10 feet from the stage. And I would say that in itself, that changed a little bit when we moved to the next venue after that. But we still kept some of that culture there, which was okay. And we still have it today. So there's still a bar in the venue and people still have a beer here and there, but it has definitely evolved away from, "Hey, let's stand in the back of the room while a speaker's speaking and do shots and start yelling really loud and not pay attention to the speaker." Right? That's, that was early THOTCON, which was a real big problem for me to try to solve. And we've, I guess we've moved past that and we now have places where people can go and have their hallway con conversations in real hallways and not interrupt talks and things like that.
Jen Ellis: For somebody to come at it who has never organized an event before and has a full-time job doing other stuff. How long has THOTCON been going?
Nick Percoco: It’s our 11th year this year.
Jen Ellis: Amazing. Congratulations. So, when you started, presumably you were with SpiderLabs?
Nick Percoco: Yeah. I was the senior vice president of SpiderLabs at the time. Yeah. I had a full-time job. Had 140 people around the world working for me.
Jen Ellis: So then presumably it wasn't all plain sailing. Right? It wasn't all smooth sailing. There were some bumps along the way.
Nick Percoco: A couple of things that come up when you're trying to start a con or trying to take something like this on yourself is one, underestimating how long it's going to take for certain things, and two, finding reliable people to help you is sometimes difficult, right? We all have day jobs, we all have families, we all have things going on and someone says, "Hey, do you want to help me with this part of a hacker conference?" It sounds really awesome and it sounds real, real interesting. And then sometimes life happens. And so, having people sign up for things and then not being able to deliver is okay in a volunteer world, but at that level, it's not okay for the show-must-go-on kind of mentality when you're putting on a hacker conference. So I learned early on that if I was going to have THOTCON succeed, one, I needed to find reliable people but then two, in certain areas of the organization and just doing things, I had to take it on myself and I had to do it in the most efficient way. And so, finding vendors for things, just sort of streamlined and a lot of what I did over the years has really, really helped out. Right? I have a spreadsheet with a bunch of tasks in it that essentially with dates in it of when I have to do something and some of the stuff, there might be 10 or 15 items like order swag for THOTCON. I actually have a bunch of tasks and there I have vendors already lined up that I've worked with and literally all I do is send them new logos and they know me and things just go into motion.
Nick Percoco: But early on, that wasn't the case. I was running around like crazy, stumbling, having vendors not—actually, we do electronic badges every year and until I found the team, Jay and Rudy who teach at DePaul here locally in Chicago, until I found them and the team and the students that helped build the badges, it was super stressful. I had one year when we did an Atari badge, every year I come up with the idea for the badge and I draw it up and I have all the components and everything and then I find people to make them, and I did an Atari cartridge badge, which literally was a vintage Atari cartridge with our logo on it, stickers, everything, and played a real Atari game that we developed. If you plugged into Atari. That was a pretty ambitious project to pull off in about two and a half months, including creating a 1,000 of those. I think it was 900 or 1,000 of those. I found a really great guy to help me out online. I had never met him before and he basically outsourced part of some of the stuff that I was hiring them for to some students and they forgot to ship two boxes of badges. And so I got all these badges four days before the conference, counting them all and I realized we were short 250 badges. What do I do? And the guy was on vacation and it was just real stressful. And finally he got ahold of some kid who was working in his garage for him and was putting stickers on badges and essentially he said "Oh yeah, we forgot to put these two boxes out for UPS." And so I think they arrived the morning of the conference.
Jen Ellis: Nice. No, it's too stressful. I cannot believe that you developed a game for your badge. That's kind of amazing.
Tod Beardsley: There is a certain level of crazy when it comes to badge design. I am not a big part of #badgelife. Until now, I'm trying to help out on a badge project for yet another conference and yeah, it's bonkers. It's bonkers crazy.
Nick Percoco: Yeah. It's, it's difficult. Just trying to get it because you've got to imagine a badge in itself. There's one thing of putting on a conference, the badge in itself for me is essentially bringing an electronic product to market in a span of just a couple of months and hoping that the production run you're doing is going to work. We have had years where like there's a failure rate and we make enough badges and some of them don't turn on because things weren't soldered correctly on the badge. And then we have a hardware hacking village where people bring their badges and we help them fix those kind of things. But that kind of stuff happens. It goes from a sketch on a piece of paper and a bunch of drawings with arrows about components and things I want. I slide it across the table to some professors at DePaul and then they go to town on it and literally we get those badges, I'll get them to my house two days before the conference and sort of hoping that they fire up and work. And we've had some mishaps over the years, but...
Tod Beardsley: That is some faith-based fabrication.
Nick Percoco: That's just a side thing. Right? That's a thing that people get at the conferences has nothing to do with...
Jen Ellis: Yeah, it's just the entry point.
Nick Percoco: Yeah. It's not like the catering and the AV companies and the...
Jen Ellis: And the program of content!
Nick Percoco: And paying taxes! It's an organization, so you've got to have your accountants and all that. So it's quite a little bit of an operation, but it also bursts, right? It happens for a couple of months at the beginning of the year and then I don't do anything. I don't even think about it, really.
Tod Beardsley: I have a question for you, Nick. When in the last 11 years did it shift from being a hacker con that is basically Nick invites a bunch of his friends to a conference that is a 501(c)(3) organization and has a staff and—it's a volunteer staff, but it's still a staff, it's not just the Nick Percoco show. Right? And I'm kind of curious when that transition happened for THOTCON?
Nick Percoco: It was never just me. Even from the beginning, we always had volunteers and we have some lead op-ers. It's basically me, folks that you may be familiar with in the security industry, like Jaku and VideoMan and Sakebomb and Mocuta. We have a core group. It's like the board, basically. But that actually came a little bit later into a formal board, but essentially I would say around THOTCON 0x3 or 0x4 is when it actually got ... it was not as viable. It was actually an LLC, not-for-profit for a little while. I've always chartered that there was nobody on payroll. Right. It was always the money was just going to go roll, right back into the business.
Nick Percoco: But then we started growing. We started growing to a place where the accountants for THOTCON were like, your revenue, ticket revenue is growing to a place that's over a certain amount and now you're going to have to start paying some serious taxes on this stuff. And well that doesn't really make sense because we're not-for-profit. And if there was some recommendation there that we'd be better if we spun it to a 501(c)(3) because then we can get charitable contributions. We always had people that would make pseudo donations to us here and there. They'd be, “Hey this is awesome, I want to send you guys an extra, $100 or something,” but no one could ever get any value. They can't tax write-off giving me and a couple of guys $100, right?
Nick Percoco: So, we spun it to a 501(c)(3). I lose track of time, but I think it was like kind of 0x8 I think or 0x9 is when we spun it, we basically shut down what was called THOTCON NFP and started an organization called THOTCON Infinity NFP and started to open it up so where we can get donations and we started and we get a handful of donations every year from folks and also some organizations. And then started being able to offer VIP tickets that would have a tax-deductible portion of it, started to be able to offer some sponsorships for the party and for the students. So for students get this kind of tickets and have, be able to have people get tax deductions for that.
Nick Percoco: And that's where things sort of accelerated a bit from an interest perspective with either individuals or other people. And that's what we sort of spun a little bit into being and trying to be more outwardly focused into the community outside of just THOTCON itself. Right? It was all 100% focused on THOTCON and bringing speakers in and giving people opportunities to speak and first-time speakers and all of that. But then it started getting a little bit more of, let's look outside of the THOTCON bubble and see what we can do. And that happened a couple of years ago.
Jen Ellis: That's awesome. I like the THOTCON Infinity. It's very Avengers and smart. So, tell us about the nonprofit a little bit more.
Nick Percoco: So basically THOTCON, the conference is produced by an organization called THOTCON Infinity. That is a 501(c)(3) tax-exempt, federally recognized tax-exempt organization. And just like any other charity, people can make donations that are tax-deductible for that. But beyond that, the charter changed a little bit. Not only do we produce THOTCON as a conference, but we also want to do more community-based, giving-back activities. And so we did one a couple of years ago where I had an idea and I approached the president of the Chicago Public Libraries in Chicago and said, during Cybersecurity Awareness Month, what if we had a cybersecurity, essentially, action day at all the Chicago Public Libraries across the whole city, in every neighborhood, in every part of the universe, 79 of them or 78 of them.
Nick Percoco: We staffed it up with people from THOTCON that would set up a table and basically give free security support. Basically passwords, patching and privacy were the three P's of focus. And we advertised it and got a bunch of people and it was a great, rewarding experience. We did that once, we tried to do it this year, but unfortunately, the Chicago Public Library wanted to greatly reduce the footprint down to just the locations where they thought they would get the most foot traffic. And in talking to the volunteers, some of the most rewarding experiences people had were where they sat there for four hours and only three people came by. Because there's some Chicago Public Library branches that are in underprivileged areas of the city.
Nick Percoco: And so they said they had people come in that had their only computer for their entire family and wanted help patching it and helping them and their kids with their privacy settings. So they could be more secure, right? And they can get 2FA enabled on their accounts and all those kinds of things. It was just one person and his two kids. But it was an incredible experience versus having it be the one that's in the Gold Coast where you get in tons of foot traffic. Forty people came by, but they asked one question and they walked away. And so that was a real bummer for us. Even though we had the most foot traffic during the first year, the people said the foot traffic there was almost meaningless compared to the high white-glove touch experiences they were having in the underprivileged areas.
Jen Ellis: Yeah. It didn't feel as impactful even though you're talking to more people.
Nick Percoco: Yeah. And it wasn't what we wanted. Right. So, then we said, “Okay, well we're not going to do it this year and we're going to think of something else.” And at the same time, we were spinning up an effort to do a scholarship fund. That was something I wanted to do for a while. But it takes money to do that. Because that's what it is. And so I then had to figure out, can we just give a scholarship to somebody, can we just like write a check to somebody, and found out that's not such a great idea. And working through a scholarship management organization is a better idea legally. And also from a selection standpoint. And so then we had to shop around and find who was the best one for that for us.
Nick Percoco: And we found one and then it took a little while, but we kicked that off and I actually just got an email 10 minutes before we jumped on to record this, that we have selected the student for that. I don't know who that is yet because that's part of the whole model is I'm not able to select. It has to be unbiased and it's by a panel kind of thing. So I don't know who that is yet, but the criteria for the scholarship, it's a $5,000 scholarship the first year. That's what we are doing this year and the criteria is, someone who goes to a Chicago public school, has interest in cybersecurity or related things, has demonstrated some interest in it and has a financial need as well.
Nick Percoco: And then also gets decent grades in school. So there's a default criteria for a scholarship. And that was the goal, and we kicked it off; a bunch of Chicago public school high school seniors applied for it. And a couple of weeks later, we selected somebody and so out of that, obviously once we find out we're going to notify them. We're going to invite them to THOTCON, they probably want to bring a parent or something like that with them.
Jen Ellis: They probably don't! You might want them to bring a parent—
Nick Percoco: We'll have to figure this out. But hopefully be able to give them a reward. Maybe print out a large, THOTCON check that has black background with white lettering or something on it with, our V trooper logo on it. And then award them that scholarship onstage.
Jen Ellis: And so can they use that money for anything or is it specifically to be used for specific things?
Nick Percoco: Yeah, it's specifically for higher education. That's the criteria. It does not go directly to a student. We don't write them a check and in fact we actually send the money to Scholarship America and then when the student is going to a community college or a four-year university or whatever they're going to, that sort of fits into that criteria. Then Scholarship America basically sends the money to that place on their behalf.
Jen Ellis: And do they have to be enrolling in a program that relates to cybersecurity?
Nick Percoco: Yeah, that's the criteria. Yeah. So, it was your interest in it and also going to explore some sort of cybersecurity. Now it doesn't have to be, you're going to a four-year university getting a bachelor's in computer science and that would be awesome. But it could be, hey, I don't really know, but I'm going to go to one of the city colleges in Chicago and start taking some classes and oh, by the way, there's a computer science intro class, some cybersecurity stuff. So it can be computer science, right? It doesn't have to be just cybersecurity.
Jen Ellis: That's super cool, Nick. It's a huge thing and really great to hear about initiatives like this happening. I just was talking to some people from the Diana Initiative who have created a fund to provide sort of mini scholarships for 10 students to go attend hacker summer camp. And just for people who are interested in that, I think there's some information online. If you look up Diana Initiative, the scholarships are not gender biased or anything like that. Anyone can apply. You just have to be a student who is doing something that relates to cybersecurity in some way. It could be policy, it could be law, it could be science and it's money towards covering expenses to attend the sort of plethora of security conferences that happen within that first week of August in Vegas. And they'll also try and help you get passes to get into things like DEF CON and that kind of stuff. So we're checking out the students who are interested. But yeah, I think it's great that there are more of these things happening and that more people are investing in the next generation, both on a government level, you see on a corporate level, companies doing this as part of their corporate social responsibility efforts. And also you're starting to see it on an individual income and community level, which I think is really inspiring. So big props to you guys for doing that.
Nick Percoco: Thank you. Yeah. We're not stopping there with the scholarship. This was a trial essentially to see if this actually can work. Next year we hope to do two or maybe three scholarships, award that many and then personal milestone would be really great for us to be giving out 10 of these a year, kind of thing.
Jen Ellis: I love the fact that you never rest on your laurels. That you always look for how you can push farther. I think that's a really awesome thing. Good for you. Really inspiring. It's been so fun hearing about this stuff. If only I'd been invited to THOTCON, I feel like I would have had ... I can't help it, it's just so fun. You're used to me trolling you but no, it's really cool stuff, Nick, and it's so great to hear about what's going on with you and how THOTCON has evolved over time. It is a super highly regarded conference and people speak about it with great affection and respect and I do hope that I will get to at some point, all joking aside. Tod, did you have anything else that you wanted to throw at Nick other than just your undying love or…?
Tod Beardsley: That's basically it. I tell people, THOTCON is my favorite regional conference. And I say that as someone who has organized a regional conference for several years. You should go. Also, probably tickets are sold out I assume by this point for this upcoming May.
Nick Percoco: That's the difficult part when it becomes popular. There's limited size of venues in Chicago and all things related to that. We've been exponentially selling tickets out faster every year. So in THOTCON A right, we sold tickets out in three days and the time before that we sold them out in three weeks. And the time before that we sold it out in two months, I think. This year we sold out in 13 hours. So next year it's going to be like three hours or four hours and it'll end up being like the F5 kind of thing. So, and that's difficult, right? I don't want it to become like this out-of-control lottery. And then at the same time, we don't really have the capacity to take on a much larger.
Tod Beardsley: You work at a digital currency company, why don't you just make a THOTCON coin?
Nick Percoco: We can mine a coin. THOTCON will do an ICO and then we'll raise a few billion dollars and open up like a THOTCON arena in Chicago.
Tod Beardsley: Maybe. Or maybe don't do that.
Jen Ellis: What number are you sort of tapped out at at the moment?
Nick Percoco: The capacity we're at now, we'll have about 1,700 people at THOTCON this year. The venue that we're at now, which is top secret, so I can't tell you where it's going to be. It's always top secret. We've never put the name of the venue on our website ever. But we can't really go beyond that. And the problem in Chicago is that it's, unfortunately, your choices are once you get to that size, your choices are to stick at that size or you have to step up to the hotel kind of convention, kind of venues.
Nick Percoco: And there's plenty of those, right? We have, massive, massive convention hotels in Chicago similar to Las Vegas and convention centers. That's a completely different animal and I'm not sure I want to approach that because then you get to the place where get to a world where you can't run your own power strips and each power strip is $250 right? Things get wildly out of control and we wouldn't be able to just charge $150 to $200 for a ticket. We have to charge like $1,500 a ticket and it sort of evolves pretty quickly there.
Jen Ellis: That's really hard. So, when I said maybe I'll get to go one day, maybe I won't get to go.
Tod Beardsley: I've changed my advice, don't go to THOTCON, just ignore it.
Jen Ellis: What we're saying, you sold out for this year, when is the conference this year?
Nick Percoco: It's in May.
Jen Ellis: And I'm assuming that means that the CFP has already been gone.
Nick Percoco: The CFPs, we do things really early. I guess we sort of take maybe a cue from RSA in that regard. We sell tickets, as tickets go on sale Oct. 1 every year for the next year. And so, it used to take us until February or March or something like that to sell out tickets. And now, unfortunately, we sell it out in a couple of weeks, a couple of hours after they go on sale. And then the CFP opens Oct. 1 as well. And it closes Jan. 1 and we just notified all of the speakers last week I think is when we notified them. And so now we have a really awesome lineup of folks that we'll be announcing soon.
Tod Beardsley: So basically, if you want to go to THOTCON, speak at THOTCON. It seems to be the easiest way to get a ticket.
Jen Ellis: All right, cool. Well thank you so much for coming on. It was really lovely to catch up with you and to admire your beard. I look forward to seeing you in Vegas, if not sooner.
Nick Percoco: Yeah, definitely. Yeah. Well thank you, guys.
Jen Ellis: So Tod, what have you got for us in the Rundown today? Is it all the excitement that came out of RSA?
Tod Beardsley: It is not. As you might know, I don't typically go to talks at RSA. I'm usually busy with booth stuff and of course we recorded a pile of podcasts really, actually at RSA, which was pretty fun.
Jen Ellis: And people could look forward to the corridor noises coming to them soon.
Tod Beardsley: Yes, it's awesome. It was actually a pretty good setup despite being in hallways around Moscone Center. But it was great. It was a bunch of face-to-face podcasting that we did, but-
Jen Ellis: I know and don't you wish we could do that all the time?
Tod Beardsley: Well, I don't know. As long as we keep our social distancing and are constantly washing our hands during, then yes.
Jen Ellis: Okay. So less time with me, but more face-to-face podcasting. Got it.
Tod Beardsley: Mm-hmm (affirmative). Yep.
Jen Ellis: Okay. And also for those who missed it, Tod is our most glamorous booth babe.
Tod Beardsley: I don't know about that.
Jen Ellis: You should definitely check out Rapid7 booth events for Tod.
Tod Beardsley: They're pretty fun.
Jen Ellis: All in the hair.
Tod Beardsley: I make it very clear that I'm no longer technically in marketing and I'm also not sales, so I'm super bad at selling our products, but good at talking about research.
Jen Ellis: Hooray!
Tod Beardsley: So people seem to like that.
Jen Ellis: It's almost like that's your job.
Tod Beardsley: Mm-hmm (affirmative). And speaking of research, the thing I do want to talk about is the Emotet malware delivery system. It's pretty neat and it's yeah, yeah. There's a new capability that got announced somewhat recently. It was February and it's pretty cool. If you want to talk about that, I'm happy to give you the quick 411 on that.
Jen Ellis: I mean, let's talk about it. It sounds like it's the most goth of all the mummies. Emotet.
Tod Beardsley: It's a shoe-gazing mummy. It's not typically goth.
Jen Ellis: I couldn't come up with another like equivalent without saying emo, so yeah.
Tod Beardsley: So yeah, Binary Defense is a company and they do malware research. I don't personally do a bunch of malware research, so this is all kind of news to me. And it was pretty fun to learn about it. But here the big news is that Emotet, which is a downloader, and we'll get into that. It typically spreads through malicious docs and email. So it'll come in on an email and it'll say like, "Hey, click here for your latest invoice." It often masquerades as financial email and then you click here and then you get a Word doc and it prompts you 15 times to like, "Do you really want to run these macros?" And you say, "Yes, yes, yes, yes, yes, yes, yes, yes, yes," and then you get compromised. And then it spreads around. And typically the way it spreads is that it'll rummage through your local Outlook contacts and then start emailing everyone you know, as you.
Tod Beardsley: But now it has this new capability, which is fascinating, wherein it takes a hold of your wireless network and then scans around for all the wireless networks that you can see right now. So if you're in a busy office building or in a work-share space, or even if you're at home and your neighbors have really loud WiFi networks, it will notice those and then try to log into those. And then once it logs into those, it does a bunch of kind of traditional just spamming around that new network that you're now on, looking for other victims.
Tod Beardsley: And so this is interesting because while it used to spread on the local network, which malware does, or spread via spam, which malware does, this is, as far as I know, the first one that actually takes control of your WiFi network, necessarily kicking you off of your network, getting you on to other networks and then trying to spread that way. So if your neighbor gets owned by Emotet, you might get owned by Emotet if your WiFi password is super weak. Now I don't know what weak passwords means. It's probably something like password or guest or things like that. You know, the kinds of things that guest networks tend to have because a lot of companies they will run their WiFi, the real WiFi, corporate WiFi and then the guest network for people who show up and just need to log in.
Tod Beardsley: And those guest passwords tend to be pretty easy and pretty common. I'm trying to get a hold of what the actual password list is. This is my complaint at Binary Defense. When they published this research they failed to mention what the list of passwords is. So we will know, well what are the passwords that we shouldn't be picking specifically? Because it doesn't do brute forcing and it's not smart. It's just kind of a dumb malware thing. It just goes off of this list. And so having that list would be super helpful. But the other thing that I find interesting about this is that it kind of opens the door to a bunch of other stuff, right? Like, if Emotet is able to do this, I foresee a time where it will start using exploits against WiFi, right? Because Emotet targets consumers, end users, people at home, corporate networks, government networks, all kinds of stuff. And so I can see this trying to use old Linksys and D-Link bugs to try to just pop other networks and then get on that way.
Tod Beardsley: And so that's something that I'm cautiously predicting will be in the future of malware, specifically Emotet. And then probably others. If this turns out to be useful, I see no reason why malware authors wouldn't try to use this capability somewhere else. As we use more and more WiFi, I would expect to see that this would be a pretty sound tactic for malware.
Bri Hand: Hey, Tod. So we lost Jen.
Tod Beardsley: Oh no.
Bri Hand: So we just let you go and it was perfect. But I'm going to stop the recording and then we're going to try to reload her and continue the convo.
Tod Beardsley: Alright.
Jen Ellis: So yeah. So I dropped and missed your entire magnificent rant about Emotet. I'm really looking forward to listening to the podcast now so I can hear all about it and being edumacated.
Tod Beardsley: I was wondering why I was allowed to go on.
Jen Ellis: Right, you were like, "She's not interrupting me for once. I am going to make the most of this opportunity." Yeah.
Tod Beardsley: So anyway, TLDR, Emotet, Wi-Fi. Make sure your Wi-Fi passwords are reasonable and not things like guest or Linksys.
Jen Ellis: Cool. Oh, actually this makes me think of something. So the U.K. government just, and as we know, I have a bit of an affinity for the U.K. government.
Tod Beardsley: Oh, don't we all.
Jen Ellis: Well not so much in Europe right now.
Tod Beardsley: Oh yeah.
Jen Ellis: But the U.K. government issued guidance last week about cameras. Not anything that we didn't already know. We have put out research extensively in the past about the risks of cameras and we have seen them being used in bot apps like the Mirai attack. But I think they're also being used by people to spy. And there was this great BBC article, we'll include a link on it in the podcast write-up. But this great BBC article that included a video of this incredibly normal British couple who despite being incredibly normal had seven security cameras around their house. So maybe not that normal but relatively just standard couple. They're not famous. There's no reason to think that people would want to spy on them. And the BBC had some security researcher take a look at the cameras and discovered that they had been viewed by, I think it was something like 5,000 people around the world in 45 different countries or something. And one person in France had just watched for nine hours. That's super creepy! It was a total of 320 hours of viewing time that people had just been watching them on their camera.
Tod Beardsley: It's a genre and not even the creepy genre of "I'm watching people who don't know I'm watching," but even just go to Twitch and sort by least popular and then just watch people just live their lives. It's so weird.
Jen Ellis: It is super weird. But I think the point is that people that you think would never really be an interesting target are being spied on. And so I would say, not to be sort of alarmist about this, but if you have kids then definitely think about whether or not you've got cameras around your house. And if you have, please, please make sure that you are changing passwords, that you're not making them remotely accessible unless they really need to be. Actually, do you really need the cameras? Just think about it in terms of weighing the good against the potential risks because there are nasty people out there who are using this technology not for the purpose it was invented. Quite the reverse.
Tod Beardsley: Yeah. As far as I can tell there is no such thing as a secure-by-default IP camera. So you always need to monkey around with the settings. It may be as simple as changing a password. Sometimes there's some hoops to jump through for updating firmware and all that, but a password change. If you don't remember changing a password, you haven't changed a password. That's the trick.
Jen Ellis: Right, right. And so I have a question about this. So if you have a sort of Internet of Things camera, right, and it comes with a shiny app for your mobile so that you can check on it and, I don't know, maybe you've got one of those ones that's motion-activated and it sends you alerts to your phone or whatever it is.
Tod Beardsley: You want to watch your dog when you're not home or something.
Jen Ellis: Right, right. That is a great use case, yes. Lots of people have the doggy cam or a kiddie cam, right? Or a nanny cam or whatever it is. So if you change the password on your app, is there also a password that you need to change on the device itself, for the camera? Typically, do you know?
Tod Beardsley: Oh boy, that's a good question. Typically no. Typically what the camera does, in that case, usually it's the camera is sending data to the cloud-hosted app. You get that via the cloud-hosted app. So your login password controls the... I'm just, I'm trying to think through it, right? Is there a good way to even find out? It comes down to the documentation, right? Because the camera has to authenticate somehow, too. And a lot of times that machine-to-machine communication kind of escapes the notice of developers. This is like, "Well I mean only machines are doing this so why do we even need a password?" And it's like, "Well you kind of need one." We found that in the recent BloomSky disclosure we did. What was that, two or three weeks ago? With Andrew. And yeah, anyone could log in and start uploading things. They couldn't see the camera, but they could fake in their own image streams on that thing.
Jen Ellis: Did we name him as the discoverer in the research?
Tod Beardsley: We absolutely did.
Jen Ellis: Then, in which case, since I know he actually does listen to this, we'll just say that was Andrew McPherson. Hi Andrew. But yeah, I mean I think that's exactly the problem, right, is that people change the password on their app thinking that they've now done what they need to do from a security point of view. And meanwhile, the developers actually kind of made it impossible to secure by not-
Tod Beardsley: It may be impossible. It may be a pre-shared key or something like that, but they use the login and so the security is only as good as far as no one else extracts that key from the firmware. There's a lot of ways to do it. But first and foremost, I would say that if you have not, again, if you haven't remembered changing your password, you probably haven't. If you change the password on the mobile app, that may be good enough. But it may not and I don't want consumers to think they have to be security engineers and reverse engineers and IoT hackers in order to just use these devices. That's kind of ridiculous. So I would say look at it. And if you have any questions, hey, ask your manufacturer. They might have a privacy policy, so find that out. If they don't have a privacy policy or you can't get a hold of them, that's a super big red flag that you might not want to be using this device anymore.
Jen Ellis: Yeah, and I think that's an important call-out is that as consumers, as buyers, you guys have power. Perhaps you don't think so on an individual level, but it's like voting, right? You need people to basically exercise that individual power and then cumulatively it creates an effect and it starts to apply pressure on vendors. And so, let them hear from you and know that this is something that you think is important and that you care about. Otherwise they'll continue to deprioritize it and you are the ones who pay the price for that.
Tod Beardsley: Well and sucking up minutes on support calls is an excellent way to get their attention because that is something no one wants to do.
Jen Ellis: Right, absolutely. And if, like me, you have questions that you want to ask Tod, then you can email info@rapid7 and just put "Security Nation" in the subject line. Send us your questions, or you can tweet them at @Rapid7 and we will be happy to address them in future Rapid Rundowns. When I say we, I really mean Tod, since he's the one that knows things.
Tod Beardsley: Well.
Jen Ellis: All right. So Tod, thank you so much for extensively educating me on Emotet.
Tod Beardsley: Emotet? You will learn that in the future and then IP cameras you have learned that right now.
Jen Ellis: I want to just thank our guest again, Nick Percoco. Thank you so much for coming on, Nick. It was great getting a chance to catch up with you. Tod, thank you as usual for being awesome and educating me and putting up with me, and as ever thank you to our amazing producer, Bri, who actually got to participate today.
Tod Beardsley: Yes.
Bri Hand: Big day!
Jen Ellis: So, yay, thanks Bri.