Tim Fulton  00:00

Tim, welcome to the Confluence Cast, presented by Columbus Underground. We are a weekly Columbus-centric podcast focusing on the civics, lifestyle, entertainment and people of our city. I’m your host, Tim Fulton. This week: in July of this year, the city of Columbus experienced a massive data breach, what officials at the time referred to as some type of incident. Months later, the scope, damage and cost of the incident are still coming into focus. I sat down with Connor Goodwolf, a cybersecurity engineer, to discuss the data breach and his role in the ongoing efforts to understand what happened and how to recover from it. According to Goodwolf, despite his efforts to alert the city, he faced a restraining order and legal challenges. In our discussion, he emphasized the need for better cybersecurity measures and proactive communication from the city. You can get more information on what we discussed today in the show notes for this episode at theconfluencecast.com. Enjoy the interview. Sitting down here with Connor Goodwolf, cybersecurity engineer, on the occasion of the data breach that happened here at the City of Columbus. Before we get into sort of what happened, Connor, can you tell us about yourself?

Connor Goodwolf  01:30

Yeah, so I’m an engineer, multifaceted engineer, but for this, as I tell people like, I’m big into cyber security, so just refer to me as a cyber security engineers, like, I do software systems, hardware, I do CAD work to do silicone implants, like for medical says, like, I’m kind of all over the board. You’ve got all

Tim Fulton  01:50

kinds of stuff, and you came in to sort of at least my purview as a result of this data breach that happened in Columbus. And I’m probably going to get the timeline slightly off here, but in mid July, it was identified that there was a data breach in Columbus. It was framed in a couple of different ways, but then and multiple messages went out to the city that may be not completely untruthful, but possibly just unaware of the extent of this breach, of what happened, and then you took it upon yourself. Is that fair to say to sort of like, look into like, what is out there? Is that fair to say? Yeah, so

Connor Goodwolf  02:33

I came across the breach. I monitor the dark web, different groups, everything from ransomware to trafficking to rather dark places on the net. Yeah. So I just seen the words City of Columbus come across my radar on some of the dark web tracking, is like, Oh, what’s this? Rhysida, okay,

Tim Fulton  02:52

not a result. You didn’t go seeking it. You basically were doing, I don’t know, a daily perusal of what was out there and what was what people were looking at or offering up for sale. Is that? Is that correct? Yeah,

Connor Goodwolf  03:07

yeah. So I had seen the news, but I was like, okay, data breach, whatever, yeah. And then I seen the group responsible. Was like, Well, this is going to be good. So I just, like started looking through, like, the file list. I was like, Oh, the matrix database. And what does that mean? So the matrix database is a platform utilized by anything from law enforcement, attorney, prosecutors, civil, criminal courts. This data, this platform is sold primarily from what I’ve seen is there are quite a few municipalities across Ohio who utilize it, okay, so that’s why I’m aware of it, right? Is, again, I monitor certain groups and entities, so when something pops up, I’ve generally forwarded on law enforcement. Okay, so I’ve kind of already been like in the know, with some of the tech and software that’s utilized Gotcha.

Tim Fulton  04:02

And so these are, and I’m gonna ask you about some things, and basically just say, is that a term of art, right? Is that, like somebody who works in this space would be familiar with what a matrix database was? Oh,

Connor Goodwolf  04:14

matrix is just the platform, okay? So it’s a web database platform, and some of the other offerings they have, like, File Upload and you deploy these different platforms on, usually on premise, because these it’s you know, you want everything to be self contained right within each municipality or each data center. You don’t want like all together, okay?

Tim Fulton  04:35

And social security when you So, let’s talk about your intent. First of all, like you, you are not there to do crime. You are there to sort of like, there’s one, a little bit of interest, but two, it’s like, Oh, I could help stop this, or help make people aware of a problem or a breach. I think sometimes you may even reach out to an organization and say. It’s apparent that you have a weak link here that you can fix. Yeah?

Connor Goodwolf  05:05

Is that Yeah? And sometimes I’ve investigated some ransomware attacks to where it’s like, wow. And then I’ve reached out to organizations or other municipalities and be like, Hey, do you guys need help?

Tim Fulton  05:16

Yeah? So is it a bit of like, Business Development for you?

Connor Goodwolf  05:20

It can be, it can be, yeah, some people, sometimes I do, you know, just like, Do you need help? You know, I can help out if you want. So sometimes to take it. Sometimes they don’t, whatever. I was, like, I I’m primarily, I do a load of consulting across the board against, like, different areas, okay, of course, you know, I have my full time job as well, doing engineering work. So it’s like, I love just taking on additional tasks.

Tim Fulton  05:45

Got it so when you discovered this set of data, both the matrix database and other things there, correct? Yeah, what did that tell you? Like, what the this was pretty bad. Well,

Connor Goodwolf  05:59

at first it’s like, okay, well, let’s download it and then see if it’s actually intact. Okay, if it’s actually there, instead of just making broad comments to where, saying it’s corrupted or encrypted, thus unusable. Okay, so which like what the city said at the time, correct? Okay. So I’m like, Okay, let’s just download one database, the one I’m familiar with, it was one of the matrix prosecutor databases. Okay, I download it, it takes like, eight hours because Tor, the onion router, is slow, okay, so once I download it and restore it’s like, oh,

Tim Fulton  06:36

there’s always everything here, right? Everything that, like, was supposedly unusable or supposedly encrypted, and you weren’t using some magic way to decipher it or or come up with it. It was just there. Once you were able to open it, it was

Connor Goodwolf  06:53

unencrypted. All I did was restore to SQL Server and started just browsing different tables. I was like, wow, everything from 2014 on it’s, that’s, that’s when they the, the city purchased the the platform to utilize, yeah, search, fire. That’s when they purchased it and deployed it, you know, with the prosecutors, civil, law enforcement and other departments. And

Tim Fulton  07:19

so then what did you do with that information to start?

Connor Goodwolf  07:22

Well, first I was actually making sure, so I was looking at my information on it, and others I knew they were in there, okay, and verifying. And then once Monday rolled around, I did start calling different numbers within the city. And I think even that weekend, I tried calling others before, but everything’s closed on the weekends. Okay,

Tim Fulton  07:42

that’s fair. And did you? Did you get any response from these folks? No, the city,

Connor Goodwolf  07:47

no and one with the prosecutor’s office. And I did call a couple of times, and I was like, Do you realize that the database is out there and it’s more than just employees, current and former? And they were like, yes, we are aware. I’m like, and, but everyone is was basically given marching orders that department technology and the mayor’s office is handling it and all aspects of it. So I’m like, okay, okay,

Tim Fulton  08:13

it’s all done. And so then, and to be clear, did you reach out to the prosecutor’s office or to the city attorney’s office?

Connor Goodwolf  08:19

I reached out to the prosecutor’s office, okay, so, and at no point during this conversation, and with any conversation I had, whether it was with this Columbus Police Department, people I was actually able to talk to there, okay, or prosecutor office, or even City Council’s number, they were all told to forward any questions or comments to Department of Technology. Okay, no point was I told contact the city attorney. Got

Tim Fulton  08:48

it. Okay, got it. And then when you sort of weren’t getting basically the what you thought the response? Sorry, what did you think of that response? I don’t want to put words in your mouth. Did you think, oh, maybe they do have this handled. No,

Connor Goodwolf  09:03

no, I was expecting someone to call me back. Yeah, I did leave a voicemail on the HR, individual who is responsible for the Department of Technology. Okay, jobs, and that’s what you know, one of the channels had posted. But that one was from the HR because, I’m pretty sure, because, like, I mentioned, like, HR is there protect the company and this, yeah, you know, the department, but it’s like, everyone just seems to be completely like, Blackout, yeah. No one was talking to anyone. No one was reaching out. And here I had the information that really needed to be the public. Needed to be aware about

Tim Fulton  09:43

Okay, and what, and we’ll get into the why there. But your next step was based on the stories you were seeing the reporting on it. You knew that that wasn’t true, that there was that the dissemination of that information was wider, or at least it was a. Available. It was out there someone with your skill set what would have been able to steal it. And sometimes people with your skill set are sometimes bad actors, yeah, and so is that when you reach out to the media?

Connor Goodwolf  10:10

Well, I reached out to the media, I believe was I tried reaching out Monday evening. Okay, then I tried reaching out Tuesday morning. Is like, when I wasn’t getting a response, and I knew it was urgent, so I started making my rounds to all the channels again, okay? And that’s when two of them had called me back, okay, and won an interview. And I did not know that morning, on Tuesday morning, that there was going to be a press conference with the mayor. Okay? They didn’t tell me until, like, right before it’s like, the mayor sent out this and this fact sheet,

Tim Fulton  10:45

yeah, and so then your interview is basically going through and saying, here’s this fact sheet, and based on what I know, here are the aspects of it that are either incorrect or maybe misleading. Let’s talk about, let’s, let’s step way, way back. What does a normal sort of like attack like this look like? Like, what are the, what are the things that happen? Because I would like to think that, like, there’s nuggets of truth in what was put out there, but maybe just the full story wasn’t put out there. So my understanding, some sort, some bad actor, gets access to something. They then they have a couple of different steps, right? One is locking down the system that previously was there, making it unusable, and then second, taking the data that was there and holding it hostage, holding it for ransom, right? And so what aspects of that did all of that successfully happen here?

Connor Goodwolf  11:50

So the data was exfiltrated, and generally in ransomware attacks or severe like breaches, you’re right, one or both of those things generally happen. So in this case with the city, six terabytes of data was exfiltrated, removed, like sent somewhere else. Okay, that was out of the control of the city. Okay? Now, yeah, generally, right afterwards, these groups will deploy tools on every resource, every machine, workstation, and then hit signal a button that says, encrypt everything. Okay? And that’s where you’ve maybe seen on TV, to where your common ransomware attack will pop up with a message, pay this amount of bitcoin or whatever, or we won’t restore your systems. And that is what the city successfully stopped.

Tim Fulton  12:40

Okay, so they there, and is it fair to say they may not have been aware that the data was taken.

Connor Goodwolf  12:49

They more than likely in that and in the beginning, I mean in the beginning, yeah, well, it Yeah, in the beginning, because right now, they don’t know the timeline, like, whether they’re in there for days or weeks or even months, okay? Because, again, generally, you get a foothold in a company or their infrastructure, yeah. And the more damage that you can do, the more likely they’ll the the

Tim Fulton  13:17

more they are, yeah, right, yeah. And so it’s possible that these bad actors, what’s the name of the group, Rhysida, was in there, long before the breach actually happened. It’s possible, oh, yeah, right. And probably we’re looking to see how everything was architected, looking to see what is the best way to disable these systems, but they did have the data. Yeah, so is it fair to say that they may not have known that the data was gone?

Connor Goodwolf  13:50

Well, they detected, the City of Columbus, detected suspicious activity, okay, just looking from the file list, all of the all of the SQL or the database backups. Yeah, happened around the same time. So more than likely what happened was they had access, console access, administrator access, to all these database servers, and started initiating backups and then exfiltrating the data right there. Because that’s what it looks like. That was probably the red flag. That was likely the red flag. I do know that in one of the screenshots that were posted by Rhysida that there were there was a screenshot of an admin account that was posted in the SQL Management Console. Okay, so more than likely that was one of the accounts utilized to infiltrate the network got

Tim Fulton  14:44

it. And so you talk to the media, you go through and you say this, this is the kind of things I’m seeing. I am here because I believe it’s important for the public to be aware of it. The city’s response to that was based. Basically, yeah, we know. Oh, turns out it is out there. They start offering more identity protection, which I will link in the show notes, their city is offering credit protection to any city resident and anybody that was at, I believe, City Hall. But again, there’ll be a link in the show notes, what was the city’s what was the city’s response? Then, to you, I

Connor Goodwolf  15:25

do have to clarify with the credit monitoring, please, that credit monitoring is for anyone, whether you’re interacting with the city directly or not. Okay, anyone is technically available to sign up for it, obviously due to the cost. Please sign up for only if you have been reasons. Yes please, because it literally anyone from California to New Jersey can sign up. But there is also credit monitoring for minors on that page. Okay, minors are victims of identity theft as well, believe it or not, so this does happen. Now, I tell people, it’s like, even if you’ve paid your water bill, if you’ve filed your taxes directly with the city, if you’ve done any sort of payroll or done business with the city, because the General Ledger was posted as well the databases, plus, basically the database that contained all the statements of everything. So if you’ve interacted with the city in any way, please sign up for the credit monitoring modular accounts. What I personally do is I rotate my bank accounts every so often, and that’s because if they do have all of information, and maybe you’ve looked at the loss the second lawsuit where officers accounts were being drained, but if you have, like the bank account, the routing account info and the proper info, and you sign up for some app like Cash App or Venmo, whatever, and you get all the information correctly, You can actually connect to someone’s bank account.

Tim Fulton  17:01

Okay, proactive things that folks should do? Yeah, to me,

Connor Goodwolf  17:05

I’m going to be rotating my bank accounts out, opening another one where I currently bank, moving everything over. So I have to do everything for my credit card payments. And of course, if you utilize your debit card anywhere online, you shouldn’t. You should pipe that through credit card and pay it off at the end of the month.

Tim Fulton  17:22

Yeah. Okay, so what was then the city’s response to your basically going to the media.

Connor Goodwolf  17:31

So at first they were hesitant, and then some time later, they had came out and said, you know, okay, it’s more than just employees, current and former, yeah.

Tim Fulton  17:43

But then also they got a temporary restraining order against you as well.

Connor Goodwolf  17:48

Yeah, on the 28th that was how many days that was, I was, I was going to the media. That was on, I believe, the 13th. So they only took offense when I started talking about the law enforcement database, the Okay, not the prosecutors, but the crime matrix, crime database, okay, but everything else was okay, so that so you’re someone’s Is

Tim Fulton  18:13

that why they reacted? Was that you started talking about a set of data that they didn’t want out there, that could have the awareness of out there,

Connor Goodwolf  18:24

that could have can potentially contained extremely sensitive materials relating to under confident undercover officers, okay, and confidential informants,

Tim Fulton  18:36

okay. And so then you got you were served, right and served? What were the terms of the restraining order they got against you? Oh,

Connor Goodwolf  18:50

so the terms of the original restraining order were rather obtuse. So they’re basically telling me I cannot do what I love doing. I can’t do my job, like as far as my can. The work I do is more than just a hobby. It is work, right? It’s learning. It’s cybersecurity, engineering for a lot of us, it is ingrained in us. Well, it’s

Tim Fulton  19:14

exploration, right? It’s poking things.

Connor Goodwolf  19:16

It’s knowledge. I mean it there they the judge had basically granted this motion, saying, I cannot be myself,

Tim Fulton  19:25

okay, which, well, let’s be explicit about that. Though basically you’re I think it was not allowed to be in possession of disseminate or discuss accessing,

Connor Goodwolf  19:37

downloading, disseminating. And there was another,

Tim Fulton  19:43

any data, or just this data,

Connor Goodwolf  19:47

any data related to the city of Columbus, breach, okay,

Tim Fulton  19:51

and so you, based on how you work and what you do, you may not have even been able to prevent yourself. From having some access, or is that fair to say? Yeah, well, when

Connor Goodwolf  20:05

it comes to the cybersecurity engineering research, it’s common, for certain, there are some cybersecurity engineers who take the path of just don’t download the data. Okay, that that’s up to them. But when it comes down to it, when you’re developing like machine learning or AI models, etc, and like when you’re being able to develop technology and software in order to help people post breach, okay, that’s literally telling me I can’t do my job,

Tim Fulton  20:32

okay? But you were not, to be clear and fair, they were not, you were not contracted to do any correction here, right? No, no, no,

Connor Goodwolf  20:41

no. This is all just like, oh, you know, I was just curious. It was like, Yeah, I do a lot of like, OCR machine learning work. This is like, okay, I can actually, you know, kind of branch off on this. This is, like, a few months ago, and work on developing like technology to do post breach work, like E discovery and whatnot. Okay? Because again, if you look at the statistics, there is an increase in these breaches and attacks and everything, yeah. But yeah, it’s like, but for the City of Columbus, it’s like, okay, it’s just going to be extra data. Is like, I wasn’t expecting this amount of data or the impact. It’s like, generally, with breaches, it’s like the social security number breach from NPD, okay, it’s not, you know, generally, multiple databases every single thing for the past 20 years with

Tim Fulton  21:32

records intertwined with each other. Oh, mind blowing. And so the current status of things is that that restraining restraining order is sort of, it’s much more limited now, like you wouldn’t, you wouldn’t have, not have been able to have this conversation with me, if that original order was standing, it

Connor Goodwolf  21:52

would be limited in conversation. Got

Tim Fulton  21:54

it got we could talk about a myriad of things, but not this,

Connor Goodwolf  21:57

yeah. Well, the way they word it is, like, okay, and the word disseminating is, you know, in legal is still kind of gray, absolutely, yes, I looked it up because I do a lot of work on the side for criminal investigations. It’s like, I’m just an independent investigator. But, you know, again, disseminating is kind of gray in the legal space. Yeah, it can be interpreted and a few different ways. Yeah, like, are you disseminating by talking about it or saying what’s in there? Or are disseminating by taking the actual data and like, here’s what the contents, here you go. And so how are you limited now? Right now,

Tim Fulton  22:37

the you can’t show anybody anything good that basically

Connor Goodwolf  22:41

digests. I cannot sit there, open up the database on my laptop and say, Look at this. Great.

Tim Fulton  22:47

And so how? But there is still a case pending. You are still technically being sued. Is that correct? That is correct. Are you being sued for damages or just for limiting your behavior?

Connor Goodwolf  23:01

So as it stands, the original suit has not been modified, damages greater than $25,000 for a variety of reasons, invasion of privacy, causing panic. And how am I causing panic? The breach already happened, right? Right? As like making people aware that their data is out there on the dark web. Is me causing panic? Excuse me.

Tim Fulton  23:26

So how do you I guess my question is, how do you think the city should have handled it?

Connor Goodwolf  23:32

Well, let me just put this way, that morning the TRO was being filed, an officer from who was affiliated with an Ohio Department, a law enforcement department, actually reached out to me through an acquaintance, okay, um, that was the appropriate step they should have taken, was to reach out and say, What, what’s going on?

Tim Fulton  23:56

Could you tell us more about what it is you found? Because they never did that, right? Like the your first proper contact with the city was a other than casual. You reach out and you said, Hey, I found this stuff. What should I do? That was very like, Hey, this is all being referred to this department. The first real interaction could be said, was that temporary restraining order? Unfortunately,

Connor Goodwolf  24:22

okay? And that was the most inappropriate action they could have taken. Okay? I don’t know if you know who Barbara Streisand is. I

Tim Fulton  24:30

am familiar. Are

Connor Goodwolf  24:31

you aware of the Streisand effect?

Tim Fulton  24:32

This is the photo that she took, or she sued somebody for taking a photo of her house, of

Connor Goodwolf  24:39

her mansion, saying, on the cliff side. And so, okay, just general gist strides. And so then what’s this? What’s the effect? So, okay, this person took a photo of her mansion on the cliff side. She didn’t want it on the net, and she sued the person to have it removed. Well, everybody’s seen this on the net and decided to repost that photo everywhere. Therefore call, it was therefore, since then, called the Streisand effect.

Tim Fulton  25:04

Okay, so basically, you’re, you’re pursuing against the one actor, that is. It’s not a takedown notice, because, like, that one actor doesn’t even have control at this point over the dissemination of that information. Yeah. So what put setting you aside. What do you think the city should have done? Do you think that the messaging that they put out could have been more thorough? Do you think that they should have been more proactive about saying we are investigating, we do not know what we do not know. What do you think would have been a better course of action?

Connor Goodwolf  25:42

They should have hired people who browse the dark web, who understand the dark web, and Tor, the onion router. Okay, my observations is Ginther was told information that was incorrect. Okay. Again, you cannot expect a CEO or mayor or whatever to be a tech person, right? So he was lit, he was given information, incorrect information, okay, then he decided to run with it, which, again, he could have waited, but okay, he was excited, I get that and he wanted to get something out there, yeah, but someone along the line messed up.

Tim Fulton  26:25

Is it possible this is Devil’s Advocate, totally, or maybe Angel’s advocate? I don’t know how you would say it. Is it possible that the folks that were giving in from him information either didn’t know or were making assumptions in and in either of those cases, they weren’t telling him what they knew to be untrue, or is it your opinion, it was just a CYA, Oh, no. Situation. So

Connor Goodwolf  26:50

I had actually sat down with an officer who was asking me questions about Tor and whatnot and the data, and I’ve been using Tor for so long, I do actions that are just second nature to me now, yeah, like using command line tools? Yep. And when it comes to large files, I never use the browser, so it didn’t dawn on me that someone may actually try to download 200 gigabyte, 200 gig file with a browser, with the Tor browser. So he actually, the officer asked me, is like, I tried downloading this file and it completed, but it was corrupted. Yeah, and I just slapped my face right there. Was like, Oh my God. Now I don’t know what analogy

Tim Fulton  27:33

they’ll use here, but it is sort of like you didn’t they could have down use the Tor browser to download that data. Of course, it’s going to be corrupted. It’s not meant to be downloaded in that way. Yeah, and then it was and maybe they did it twice.

Connor Goodwolf  27:50

What generally happens is the download will stop again. Tor is a loose set of servers, route like just computers that are all set up across the world in order to anonymize someone. So sometimes those larger downloads, they stop midway, you can resume, but that’s where sometimes the corruption happens. So it didn’t dawn on me, is like the officer wasn’t the one who told Ginther anything, but it made me realize, like, oh, just someone along work in that space, someone along the line did the same thing and then told Ginther, it’s corrupted.

Tim Fulton  28:27

Yeah. And so do you think the decision to present the temporary restraining order is simply short sighted?

Connor Goodwolf  28:37

The motion itself was full of falsehoods and lies. Oh, okay, so the website, for example, if you’ve read the restraining order, okay, so basically, there were several falsehoods in there. I don’t know who gave them the false information, but it’s almost like someone who may be the same person who went to Ginther and reported the, you know, the the fake, you know the, yeah, the falsehoods to him, but it’s like the website that I’m creating. It’s about doing, like, Have I Been Pwned, or a check to whether or not your information is in there not to make the information searchable. Okay, so, and the other sorry,

Tim Fulton  29:16

is that your intent is that what you were planning on doing at the time. Well, like I

Connor Goodwolf  29:21

am, I am doing it okay, but I will be reaching out to people within the city this time. Now I have communication and contacts. Yeah, the intention is to sit people in a room, explain what it does and even get additional input, yeah, okay.

Tim Fulton  29:36

And I guess I would hope maybe bring in somebody else that’s up to your level, and say you should show them that it can’t be accessed, that it because that’s, that’s the fear, right? It’s like, so is that maybe where? Sorry, I didn’t know this part of it, and I didn’t want to read the restraining order. Basically, an outsider’s perspective would be, well, if. Creating something that is at all searchable, then there’s got to be some access to that data on the back end, or somebody could find it, and they were feared that you would create something that would potentially easily disseminate that information. Yeah,

Connor Goodwolf  30:17

so this all the data would be taken from the breach and just very specific snippets of data that would be hashed, whether it’s like the full name and date of birth, yeah, and then in one table, and it’d be mathematically hashed. It’s what’s called a one way hash. It’s not encryption, so you can’t decode it, okay?

Tim Fulton  30:36

And it Okay, got it. And so that that action or statement of that and the intent of that action may be what scared them? Yeah,

Connor Goodwolf  30:46

the TRO motion, it makes it look as if they had feared that I was gonna just basically take the data and say, Here you go. Here’s all the data that was there that that’s how it reads, at least to me and others. Okay, got it. And then, you know, the invasion of privacy and the fear basically create, creation of fear or whatnot. I’m just like, the data’s out there and you’re not telling anyone. From the very start, my intention was to make sure people are aware so they could take steps and precautions, because credit monitoring only goes so far. Yeah. And like I said, personally, I’m going to be rotating all my bank accounts because I can’t take the risk that my account and routing info right is attached to something within the city at this point, right?

Tim Fulton  31:37

And so what do you think now that sort of things are settled basically? Do you think that the city is taking the necessary action? Do you think that there are still more unanswered questions about what’s happening? Where do we stand now? So

Connor Goodwolf  31:57

right now, we need answers. Okay, what happened within the Department of Technology? And

Tim Fulton  32:04

so to be clear, we are talking on Monday, September 16, before the city council meeting tonight. Yeah, the head of sorry, what’s the office at the mayor’s office, the data, Department of Technology, Department of Technology, the their head spoke last week at a council meeting. It was not a proper investigation at that point. It was just answering some questions. But they are going to start, we believe this evening, start investigating basically every week until it all comes out, there

Connor Goodwolf  32:35

will be a series from what they stated last time. There will be a series of just statements about the ongoing investigation, okay, without, without, as far as like, divulging any pertinent information. Now, right afterwards, there will be a series of hearings performed by the city council, an actual investigatory hearing, yeah, but I do not know when that’s going to occur.

Tim Fulton  33:05

Okay, got it.

Connor Goodwolf  33:06

It’ll probably occur after the investigation is complete.

Tim Fulton  33:10

Is there more that the city, either be that council, be that Mayor, that should be doing at this point, or is there more there can do? I don’t

Connor Goodwolf  33:20

think there’s anything more that they can do at this point. Okay, the data is gone. Yeah, the data is gone

Tim Fulton  33:26

when it’s out there. And,

Connor Goodwolf  33:27

yeah, it’s out there on the dark web. And right, right now they’re still, according to the Department of Technology, they are still working on restoring the rest of the systems, right, so and

Tim Fulton  33:41

so they, I guess here’s kind of a big question. So they, the group that hacked the city, came back and asked for roughly $1.9 million in Bitcoin. I can only put it this simply, given everything that’s happened, given the amount that we’re now, we the city, are paying for credit monitoring for folks. Should we have paid it? And I’m asking you this as a professional in the space of like, yeah, sometimes you just gotta clean up the mess, and that’s or would that just have invited other bad actors?

Connor Goodwolf  34:27

That is an ethical question. Okay, so there are some who feel like, yes, sometimes you should pay it, especially since the city does not have cyber security insurance, okay, which maybe that would have been a good idea to have before this hack. Okay? Now, according to the FBI, some organizations have paid the ransom, and law enforcement has been able to claw some of the funds back, and this usually occurs after they end up catching up with specific bad actors in the group, like you may have seen passed in the news to where some ransom group, individual, those members have been arrested and charged. And you know that’s exactly so sometimes that does happen, so sometimes victims are able to get their money back. Okay, but seeing as how it was whatever, $2 million, yeah, that’s a drop in the bucket compared to what’s happening now, yeah, the lawsuits, plus anything else. So it’s like, yeah, I guess, and yeah, but these sorts of groups, they act like a professional organization, that

Tim Fulton  35:40

was my follow up is, are you incentivizing them to continue acting that way, to continue to try and breach again? And frankly, from an insurance perspective, it’s probably pretty hard to get cybersecurity insurance for the city at this moment, right. So yeah, it is a moral, legal and ethical sort of conundrum. Of, like, what should we have done when this happened? Anything else that we should like, Should we just have been more thorough in terms of investigating what actually happened here?

Connor Goodwolf  36:18

Well, we’re talking post breach, yeah, honestly, there could have been more that should have been done pre breach. Okay, when I’m working with companies, like, a part of what I do is go in, get a list of systems, services, work on what’s called either SOC Type 2 compliance or ISO compliance, and it’s, basically, a full audit. Like for me, I get together all this information, systems, services, how they’re secured, even do the work of locking down systems and services and adding in the software or policies to enhance the security, even limiting access that employees have, even admin access. It’s like I don’t have the keys to the kingdom. I split the responsibility up to others. That way, if one person is, you know, hacked, no, it’s not a single point of failure. Exactly, right? Exactly. So the work I do, and a lot of people like me do, is then do all that, take the documentation, give it to a CPA, and then they work on getting the company the approval to be certified

Tim Fulton  37:34

version of that report they put together. Yeah. Now

Connor Goodwolf  37:38

the question is, does the city do this yearly? I do not know. There’s no mandate. Okay, State of Ohio, there is a federal mandate, but only for federal organizations, like when it comes to STIG guides, STIG guidelines, as far as like the standard technical implementation guidelines and the FISMA certification processes. The feds, they have it, like they know how to do this. Yeah, right. We need something that says, if, like, for example, like, I don’t expect, you know, your township of 300 people to implement this, but for a city like Columbus or Cincinnati, yeah, Cleveland, we should have some state laws passed to where we say, okay, you need to follow this standard.

Tim Fulton  38:30

Yeah, okay. And so you think this is both a both a city issue and a state issue to sort of help get things in line. There’s,

Connor Goodwolf  38:38

there’s no guidelines to it. There’s no, there’s no law, there’s no guidelines of how you should secure a city. Just like, here you go, do whatever, huh?

Tim Fulton  38:45

Well, and it’s not, it’s not sexy, right? Like, it’s not like the city is not going to proactively do it to the extent that it needs to be done and then get any sort of pat on the back. It’s just like, oh, we, you know, maybe their insurance is cheaper. Someone

Connor Goodwolf  39:06

actually asked me, why don’t I work for the city? You don’t work for the city for money, right? That’s fair. If you’re someone like me, you’re not working for a municipality. Yeah, it’s not about the money, though. It’s about, you know, people who work for the city, yeah, they sure, they do go in for a paycheck, yeah, but they may even enjoy their job. But you know, people like me do tend to work for larger organizations like Google, Amazon, or, you know, companies, banks, etc., who are looking to secure their infrastructure, right?

Tim Fulton  39:38

Absolutely. And so do you feel at this point, do you feel vindicated to an extent, or do you feel, because at one point you were telling the press like, oh, I’m gonna reach out to ACLU and say, like, I will, I, apparently I need to go and get counsel, right? So where does that stand? Do you still feel maligned, I guess, is the question, or do you feel vindicated a bit? I

Connor Goodwolf  40:06

do have a lawyer on standby, should I need them. Okay, the EFF is actually, in tech, it’s seen as the tech version of the ACLU, yeah,

Tim Fulton  40:19

covers this. The Electronic Frontier Foundation, for those that are familiar. Yeah,

Connor Goodwolf  40:23

so the EFF, they cover a wide range of topics. Generally, privacy is a big one, and it’s relatable because we’re talking about people’s data and security. They have tried to push forward, when they do, the EFF’s work is incredibly important, from pushing new laws in place to proposals to help people understand their online privacy. They’re one of the organizations who endorsed Tor, The Onion Router, okay, which even, you know, has been brought up by others who have made incorrect statements that imply that Tor is only utilized by criminals. But just to clarify, when it comes to Tor and the dark web, it’s used by journalists, whistleblowers, privacy advocates. Sure, there’s always going to be a criminal element to, well, anything, even the internet, not just on Tor. I mean, that’s just the nature of the beast, but the intent for Tor is not to hide the criminal element.

Tim Fulton  41:33

Okay,

Connor Goodwolf  41:33

so

Tim Fulton  41:34

where we’ve talked a little bit about some of the things that the city could have done to rectify the situation, but where do you think, either you personally or the city in general, like, where do we go from here?

Connor Goodwolf  41:47

So quite honestly, I know there is a lack of resources, and this is really any municipality when it comes to cyber. Again, you’re not working for the government for money, right? But pulling in some of those individuals and pulling, like, some of the resources from the city or other departments of law enforcement or whatever, helping create these cyber units within either the city or law enforcement, pulling them in so they can help secure the infrastructure of our local municipalities. It’s like the National Guard Cyber unit, for instance. I had remembered hearing about them some years ago. I think it was, what, 2019? Okay, they’re created, and I completely forgot. It’s like, man, that would have actually been cool to even just join in, because I technically could now. But it’s like, man, that is actually a good idea to help, to, like, help educate a lot of these individuals who work for the government, whether the tech departments or whatever, just have seminars and educate and really just pull people into cyber, because that’s what we are going to be needing. Yeah, this onslaught of these increase of attacks. And you look, the majority of attacks do happen in the US, okay, from actors abroad. Okay.

Tim Fulton  43:10

I end every interview with the same two questions, what do you think Columbus is doing well? And what do you think Columbus is not doing so well?

Connor Goodwolf  43:19

I don’t know what they’re doing well. Okay.

Tim Fulton  43:22

I mean, it can be this can be even just community related, like, I love that, the food scene, the, you know, the art, oh, anything. Okay, yeah. So

Connor Goodwolf  43:32

I’ll tell you why I live in Columbus. Sure, I live in Columbus for the green spaces, the festivals, the people. That’s why I live in Columbus, and that’s what they’re doing well. That’s what Columbus is fantastic for. It’s like, I’m a nature person. And I disliked my time in Pittsburgh. It was a concrete city that did not have the amount of community and green spaces that Columbus has. And it’s so attractive. It’s like both, you know, again, nature person, also hunter, yes, like it kind of has this mishmash of different attractions for people like me. And what do you

Tim Fulton  44:08

think Columbus is not doing so well?

Connor Goodwolf  44:13

right now, at least to me, I think they need to do better on notifying people who are potentially at risk. Okay, sure, they did comply with the Ohio law by posting the breach notification on their website, and that was an alternative notification. However, I think we can do a little bit better. Yeah, I want to work with them on the website and also potentially follow up via contacting individuals who are more at risk, at least letting you know, giving the persons a heads up, whether it’s by email, call or sending a

Tim Fulton  44:52

letter. Yeah. Okay. Connor, thanks for your time.

Connor Goodwolf  44:55

All right. Thanks so much.

Tim Fulton  45:08

Thank you for listening to The Confluence Cast, presented by Columbus Underground. Again, you can get more information on what we discussed today in the show notes for this episode at theconfluencecast.com. Please rate, subscribe, share this episode of The Confluence Cast with your friends, family, contacts, enemies, your favorite cybersecurity engineer. If you’re interested in sponsoring The Confluence Cast, get in touch with us. We can be reached by email at info@theconfluencecast.com. Our theme music was composed by Benji Robinson, our producer is Philip Cogley. I’m your host, Tim Fulton. Have a great week.