B (2:40)

Okay, so check it. We're gonna talk about a bunch of things. This was, this is a Jam packed news and opinion. A little editorial which seems to be what our listeners prefer.

A (2:53)

Oh yeah, we care about what you think for sure.

B (2:55)

I called this Tong Kong Tooks crash fix, which is a tongue twister.

A (3:01)

What's Kong Took?

B (3:03)

Unless you're a Klingon, in which case Kong Tuk Kong. Very much like. Yeah, very much like Klingon. It's the name that I can't forget. I can't remember the name. I mean I can't remember the security firm. We'll get to it. It's just that it's a bad guys moniker that one of the firms have. Have.

A (3:29)

They're obviously Klingon fans or Star Trek fans, right?

B (3:32)

Yeah, yeah. I mean where would Kong Tuk come from? Normally the names come from the reverse engineered code where some reference is found to like, you know, the Kong tuk.com domain or something. Anyway, we don't know. But there is a. It's been an evolution of this problem that Microsoft is going to have to, as they used to say, I don't know when belly up to the bar and fix.

A (4:01)

Not the best way to fix it. Maybe that's how the bug happened in the first place.

B (4:05)

Okay, so we're going to start with the lowdown on last week's no turns allowed picture of the week, which captured our audience's imagination like few others have. Although we've got another good one this week. We're going to look at whether an AI driven hacking campaign is a big deal now. And Claude used in multiple Mexican government attacks. Apple continuing to confront age restriction legislation. Got some on that. Also, it turns out that coppa, the Child Protective act is going to need an exception for the age collection which other legislation is now requiring. So it should be a hint that

A (4:56)

there's something wrong here.

B (4:58)

Exactly.

A (4:59)

Oh you. We don't want to protect kids online when it comes to that. Yeah, it's.

B (5:03)

Yeah, right, exactly. Also Meta is using an AI, which is I'm noticing also Leo this term AI slop just immediately achieved traction like everyone knows what AI slop is.

A (5:18)

It's.

B (5:18)

It's surprising how quick the adoption was. Anyway, we got AI slop Sam reports that are drowning law enforcement in false positives. We'll take a look at that. Also our favorite Internet watchdog, Ross Kumnor has been busy blocking VPNs. But you will, you will never believe how many the UK makes an effort at reporting on the success of their self scanning initiative. Although there's something fishy about their report which we're going to look at. And Leo, I knew. I actually, I. I knew when I saw this. You would remember that hacker who was extorting psychotherapy patients whose data has been exfiltrated from their psychotherapy center.

A (6:12)

How low can you get?

B (6:13)

We've actually heard back about this process that was in. Yeah, that was in two. In. In 2020. So six years ago. Anyway, he's back in the news. It turns out that Scattered Lapses Hunters is actively recruiting women and we're going to find out why. Cisco lands. Boy, no one does it like Cisco. Another breathtakingly rare 10.0 CVSS. Just, you know, duck and cover, as they used to say. Also, I'm into all bunch of. We've got Vol checks report on 2025 vulnerabilities and exploits. Just a little tip of the iceberg there. It's probably going to be our topic next week because there's lots of juicy information there. I have discovered a fabulous $72 hardware security module that does all my code signing, multiple certificates, open source. It's fantastic. I'll be talking about that a little bit because I know that from previous feedback from our listeners, anybody who needs to sign code needs something like this. We have a listener sharing an interesting AI service discovery. And then the very potent click fix exploit is evolving now being used by the Klingonese outfit Kong Duke for something called Crash Fix. And of course, what would a podcast be without a picture of the week? And I've already had a lot of feedback saying he should have used a different screw. A security screw would have been better. It's like, okay, thank you. That's true.

A (7:57)

You'll see. Yeah, for last week's picture, we got a confirmation from a number of people that that is a real picture from Canada. And that really did happen and the

B (8:05)

local government was embarrassed. I have a link to the actual story saying, we're sorry, it was a

A (8:12)

dumb thing to do. Hey, it's a very special Sunday security now with Mr. I didn't introduce you, but I think everybody knows that's Steve Gibson.

B (8:21)

If they're here, they're like, okay, they

A (8:24)

know who you are.

B (8:25)

Move on.

A (8:25)

Yes. And we are so glad to have you on the show this week. Glad you're watching. Those of you who are alive and figured out we were going to be doing this early, we're glad you're here. Our show today, those of you who

B (8:37)

are dead, you know.

A (8:39)

Yeah. You're not missing a thing, though, so. Well, maybe, I don't know. I think if you've passed, you don't have to worry about security so much.

B (8:47)

Opinions vary on that topic.

A (8:49)

Yes, we don't know. We don't know. We'll just have to wait and find out. This episode of Security now is brought to you by Meter, the company building better networks. I love this idea. Meter was started by two network engineers who realized the pain points as they built their own networks of legacy hardware. Legacy software not controlling the stack. ISPs who blame the router, the router companies who blame the security devices. And if you're a network engineer, I think you know this as well. You've got legacy providers, you've got inflexible pricing, you've got IT resource constraints. That's a permanent right stretching you thin. Then you also have complex deployments across fragmented tools. This is often the case when your company does acquisitions, right, and you got a warehouse in Muncie, suddenly has to work with the home office in, in, you know, Minnesota. And the thing is just a mess. And the funny thing is you and your networks are mission critical to the business, but you're stuck working with infrastructure that just wasn't built for today's demands. Enter Meter. They know your pain. That's why companies are switching to Meter. Meter delivers full stack networking infrastructure. They realized if we're going to make a good, solid, robust network for the future and the present, we got to control the entire stack. So they do it all. Wired wireless, cellular, they build for performance, they build for scalability. Meter does it all. They design the hardware, they write the firmware, they build the software, they will manage the deployment, they'll even provide support, even ISP procurement, they will help you with that too. Security, of course, routing, switching, wireless firewall, cellular power, DNS security, all the pain points, VPNs, SD WANs, multi site workflows, and it's all in a single solution from a single vendor. So that's one phone number to call if there's something wrong, one place to go for support. They take care of it all. Meter's single integrated networking stack scales, they're in major hospitals, they work in branch offices. That Muncie office they can handle at warehouses, large campuses, even data centers. Reddit uses Meter in their data centers. The assistant director of technology for Web school, another great customer, Web School of Knoxville, they had a problem, he said. We had more than 20 games athletic events on campus simultaneously between our two facilities. Each game was streamed via wireless and wired connections and the event went off without a hitch. We never could have done this before. Meter redesigned our network With Meter, you get a single partner for all your connectivity needs from first site survey to ongoing support, without the complexity of managing multiple providers or tools or the, you know, the provider handoff. It's not our fault, it's their fault. Meter's integrated networking stack is designed to take the burden off your IT team and give you deep control and visibility, reimagining what it means for businesses to get and stay online. Meter is built for the bandwidth demands of today and tomorrow. We're so glad Meter found us and I hope you will find them. I was really thrilled to talk to them. I didn't really know anything about them and I was so impressed when I met them. We thank Meter so much for sponsoring Security now go to meter.com SecurityNow book a demo today. That's M E T E R.com SecurityNow to book a demo. Meter is the future of networking and it's gonna be a LifeSaver for you. Meter.com Security now. Thank you, Meter. Welcome to the show. Okay, I'm ready for the picture of the week.

B (12:50)

So our caption on this photo, this is dad saying to because he's a dad, one of his kids, this is the last time I'm going to tell you to turn down the volume of what you call music.

A (13:06)

Oh, dad. Dad found a solution.

B (13:12)

Yes, he did. And, and given the location of the little volume indicator dot on the volume control, which is like right. At minimum, it looks like now doesn't look like Junior gets to turn this up very high. And now you can see why one of our listeners said you should have used us. He should have used a security screw. You know, where you can only screw it in. They but the Phillips head is unable to get a grip when you're trying to go in the other direction.

A (13:43)

It does look like somebody has tried to unscrew it.

B (13:45)

Actually I, I think that the drill skittered.

A (13:49)

Oh, maybe that's it. Yeah, yeah.

B (13:51)

So for those who are not looking at the video or don't have the show notes. I'm sorry. What we have is what we would call an old school volume limiter. They the problem of course, is that the kids have, you know, a stereo system which they just are unable not to turn up. So that it's bugging mom and dad who can't think not only due to the nature of the music, but its volume. So finally, at the end of his rope, dad has come up with a solution. He's drilled a hole in the side of the volume knob with a screw sticking out of it about an inch and then another screw in the face plate of this stereo such that the. The screw that rotates as you try to turn the volume up will hit these. The limiting screw preventing it from going. Looks like maybe more than maybe, you know, level two or three. Yeah. Yeah. Not very much. So clearly, regardless of the backstory here, this is obviously. And a. A someone's determined effort to prevent the volume control from being turned up very far. This is.

A (15:11)

Points out this. This would be good in a nightclub where patrons tend to go over to the sound system, you know?

B (15:17)

Yeah.

A (15:18)

Or your neighbor snuck into your apartment.

B (15:23)

As a frequent patron of restaurants, I've had the experience where I'm. I'm in early for dinner, and the. The. The crew of workers have been there. They turn the volume up and then leave it up, and they, you know, they just forget. And it's like, God, can you turn the volume down? I can't think.

A (15:43)

Don't, you know, it's early bird time. You got to turn it down.

B (15:47)

So a solution, kids. A solution has been found. I, of course, would have put a small resistor network in line with the speakers in order to take the energy out of the speaker line. And then Junior would think, God, what happened? Did I blow the amp?

A (16:03)

It's not working, so maybe I'm deaf.

B (16:06)

That's right. Okay. So I wanted to thank many listeners who were made curious by last week's picture of the week. And, Leo, you heard from many people, too.

A (16:15)

I did.

B (16:15)

Just to remind people that was the street which was the stem of a T intersection. So the street we were seeing was leading up to a T intersection in the distance. And signage was. Which would be encountered as the driver was driving toward that T intersection, indicated that neither turning left nor right would be legal. Thus, I gave the caption, but officer, to the picture. Thanks to listener research, of which there was much and some used, AI you know, asked AI to track this down. We now know that the photo, first of all, was. Was not synthetic. That was my. You know, a common thought was, oh, come on. That was just photoshopped. It was bizarre but authentic. And after the photo went viral a few years ago, it became a significant embarrassment to the local government who was responsible for its emplacement. The location was a town called Simcoe in Norfolk County, Canada. And a news report that one of our intrepid listeners found and shared explained that, quote, drivers please note that signs were installed this week which restrict left and right hand turns at the intersection of Crescent Boulevard and Queens Way in Simcoe. The intent of the new signs was to make Crescent Boulevard a dead end street. The signs have been removed. So anyway, in other words, the signage was technically correct and you were it was like up to you to come to this stop sign having seen the you can't turn left, can't turn right, and what do you turn as if it dead ended at that point rather than allowed you to cross into the the cross street.

A (18:11)

So it's crazy.

B (18:12)

Anyway, my favorite quip about last week's photo was provided to us by a listener, Joseph Rourke, who noted, despite the presence of the Tim Hortons in the background, we know this cannot be Canada, otherwise there'd be a line of cars sitting at the stop sign. So many thanks to our listeners among the more than 20,000 who received the weekly mailing and whose imaginations were captured and took time to do the research and or comment anyway. And also a big thanks to whoever it was who sent that to me in the first place. You know who you are and I ask our listeners to keep them coming because they're fun to share. Okay, so the headline in the news last week was this is the headline AI driven hacking campaign breaches 600 plus Fortinet devices. Now I'm going to first share the news report and I have a few things to say about it. The reporting says a Russian speaking, financially motivated threat actor used commercial AI toolkits to hack more than 600 Fortinet firewalls. The campaign began at the start of the year around January 11th. According to the AWS security team, the attacker did not exploit zero days or older vulnerabilities. Instead, they targeted fortigate devices that had their management ports. Oh lord. Exposed online, used weak passwords and didn't have multifactor authentication enabled. Okay, so just to interrupt here, Fortigate devices publicly exposed management ports, weak passwords, and no other authentication required. So no flaws were used, just very poor configuration hygiene. Story continues. Once inside, the attacker employed a collection of scripts that AWS says were written by AI tools. While AWS did not name products, researchers from Cyber and ramen and control alt int3 I identified them as being Claude and Deep Seq. Deep Seq was used to create scripts to perform reconnaissance and extract configurations from from the hacked devices, while Claude was used to generate scripts for vulnerability assessments and to run offensive tools against the networks. Since this is the intersection of AI and InfoSec, writes this story, the report generated a tornado of feedback and opinions on social media. The general consensus was that the threat actor was wasn't particularly sophisticated, which AWS Also believes AWS CISO CJ Moses said the attacker was more interested in scale than value. Every time they encountered errors caused by hardened or non standard internal networks, the attacker just moved on to a softer target. Once they did move laterally from the Fortinet device, the attacker compromised the victim's active directory environment, extracted database credentials and tried to gain access to backup infrastructure. This led everyone to believe the threat actor was a relatively low skilled initial access broker. Right. An IAB that gain initial footholds on corporate environments and then sell their access to the hacked to the hacked network on underground portals. Okay, so I think it's entirely expected that anyone who has any need for any sort of code or scripting for any purpose whatsoever will increasingly be using AI. That's just today's reality. Good guys are doing it and bad guys are doing it. And there's no reason to expect AI to be able to discriminate between the two. A high level language compiler doesn't know or care who's using it or to what purpose. The code it's helping to produce will be put right. That's not its job. So the fact that we have now chosen to give consciousness emulating large language models, the marketing label of artificial intelligence should not and does not automatically mean that these new tools somehow have responsibility for what they're being asked to produce. So, okay, but don't these tools make attackers more powerful? Yes, they do. And they also make the good guys more productive. That's why everyone, both good and evil, is now using them in the current instance. There's nothing inherently wrong with a script that performs a vulnerability assessment. White hat security researchers employ such tools to aid their beneficial research, much as bad guys may use the same tools to perform pre attack vulnerability assessments. My point is that any social media hysteria arising from the fact that AI was involved is now ridiculous. If you encounter it online, I would recommend meeting it with a shrug and clicking on the thumbs down button. This is just the way the future is going to look now. It may have surprised us a few years ago, but it should surprise us no longer. And AI should not receive any of the blame for the way its creators, we humans, choose to use it. It's a tool and nothing more. It has no social obligations or responsibilities. It's not accountable, we are.

A (24:15)

I like that, because that eliminates that whole issue of AI safety, to be honest.

B (24:20)

Yes. Which as I said, we might as well give up because we're not going to get it. And again, you know, we called it artificial intelligence. It's not intelligent. It doesn't know anything. It's. It's a very powerful new tool, but it's still a tool and it's not responsible for the way we use it.

A (24:40)

As usual, it's the humans who are the problem.

B (24:44)

Exactly. Okay, now I'm going to give everyone a quick self test to see whether the point I hope I've just made has had the chance to sink in. Perform a self self assessment to see how you feel about this next piece of news. It reads, quote, a hacker has stolen more than 150 gigabytes of data from multiple Mexican government agencies. The attacker allegedly used Claude to assemble scripts to gain access to government networks. According to Bloomberg, the attacker breached and stole data from Mexico's tax authority, National Electoral Institute and several state water utilities. The stolen data covers 195 million taxpayer and voter records, government employee credentials and civil registry files. Okay, should we care at all that AI was employed in these attacks?

A (25:47)

No.

B (25:48)

The fact that Claude was used in these attacks appears to be the highlight of Bloomberg's piece. Because they've got, they've got, you know, they're looking for clickbait, right? You know, it was certainly the headline which they attempted to make inflammatory. You know, eventually the world will get used to this and it will just be assumed, and I hope everybody listening to this podcast will be in the lead on that because again, that's the, that's the technical reality here. Another technical reality is that Apple appears to be feeling the pressure to respond to the growing legislation driven need for the providers of Internet services and online apps and app apps. You know, Apple Store apps to know and to respond to the age of their users. Last Tuesday, Apple posted an update to their developer portal addressed to their app developers. So this was written when, when, when you see the word like your app. So, so that this is written to app developers, they said. Today we're providing an update on the tools available to developers to meet their age assurance obligations under upcoming U.S. and regional laws, including in Brazil, Australia, Singapore, Utah and Louisiana. Updates to the declared age range API are now available in beta for testing for Brazil. Developers who are distributing apps in Brazil can use the updated declared age range API to obtain a user's age category. Age categories for users in Brazil will be shared when the user or a parent or guardian, where relevant, agrees to share the age category with you. The API will also return a signal from the user's device about the method of age assurance for developers distributing their apps in Brazil. If you identify that your app contains loot boxes through the age rating questionnaire, the age rating of your app on the Brazil storefront will be updated to 18 for apps rated 18 in Australia, Singapore and Brazil. And if this is all seeming like a big mess, you're getting that. You're getting the clue here. Yes, they say starting February 24th, which is. Which was last Tuesday, the date of this announcement. In other words, you know why this was posted. Apple will block users in Australia, Brazil and Singapore from downloading apps rated 18 plus unless they have been confirmed to be adults through reasonable methods. And boy, I hate that kind of language. Like, okay, you know, it's like any legislation that is written that isn't airtight, that you know is subject to interpretation. And it's like, oh, let's let the attorneys sort this out. Oh God. Through reasonable methods, whatever that is. They say the App Store will perform this confirmation automatically. Oh, that's good. However, developers may have separate obligations to independently confirm that their users are adults. To assist with this, the declared Age Range API available on iOS, iPad, OS and Mac OS provides developers with a helpful signal about a user's age. Okay, so they're being helpful for apps rated 18 +, Australia, Singapore, Brazil. However, for Utah and Louisiana. Oh, but not yet. Wait for it. For users with new Apple accounts in Utah as of May 6th. Okay, so okay, wait, fresh accounts. How new do they have to be? Are they accounts created after May 6th? We don't know. For users with new Apple accounts in Utah as of May 6, 2026. So a couple months from now and in Louisiana as of July 1, 2026. What a mess. Age categories will be shared with the developers app when requested through the declared Age Range API. The tools we previously announced have been expanded to help developers meet compliance obligations for Louisiana and Utah, including declared Age Range API Significant Change API under Permission Kit. That's that thing where if your app undergoes a significant change, you need to declare that because then that makes it potentially subject to all kinds of re evaluation. Then there's the new age rating property type. In StoreKit and App Store server notifications, they said new signals are now available through the declared age range API, including whether age related regulatory requirements apply to the user. What a mess. And if the user is required to share their age range. The API will also let you know if you need to get a parent or guardian's permission for significant app updates for a child. Developers can use the declared age Range API to present significant update notifications to adults in these states through the significant update action now in beta when releasing A significant update. Developers must follow the human interface guidelines and provide users with a meaningful description of the update. Leo, you know, on one hand I would be, I'm a little tempted to feel some empathy and a little sorrow for Apple. The same time I would say, guys, you brought this on yourself by refusing to do this five years ago, right? They could have so easily put a far simpler system in place that would, that would have satisfied people, that would have solved this problem and prevented all of this ridiculous fragmentation. I mean it, you're going to need a whole new building at Apple in order to like figure out what to do for who on what day, depending upon whether they're, you know, oh Lord, what a mess.

A (32:40)

This is what Meta wanted, by the way. They didn't want to do it, so they said, make Apple do this place. By the way, there is in California a law that goes in effect, you know, about this on the January 1st of 27 that will require operating systems, all operating systems to do this. And the Linux community is a little worried about it because nobody. The real issue is it's unenforceable. California can't make Linux do this. They can make Apple do it, they can make Google do it because they're gatekeepers, they can go after the companies.

B (33:14)

And this is part of the larger plot, right? Like the 3D printer restriction is also unenforceable. It doesn't work. You can write a law. It doesn't mean you could get what you want. Yeah, yeah, but Leo, we're going to let our listeners get what they want.

A (33:30)

What do they want? Do they want another commercial?

B (33:33)

I want some, I want some coffee.

A (33:36)

So whatever Steve wants. Steve. Guys, we'll be back with more security now. I know you really want that. I should tell you though, if you're in, if you're in, in it, if you're responsible for the security of your company, our advertisers here at Security now are always something you should be interested in. We have people. I think companies have realized if you want to reach these IT decision makers, you come to Steve.

B (34:01)

I am so impressed by who our listeners are, Leo. When I hear from them, it's just like, I mean, I'm, I'm embarrassed that they're listening to me.

A (34:11)

I know. Oh, I know. I have the same reaction constantly. Oh, you listen, it makes me a little nervous. We're going to meet a lot of our listeners in Florida, by the way. I'm very excited. Steve and I are headed to Zero Trust World. We'll tell you more about that in a little bit. And Steve's given a presentation on Wednesday. And usually when we do these things, Steve, we've done them a couple of times before. There is a long line out the door to get a selfie with Steve Gibson. So we're gonna have to.

B (34:37)

They wanted Leo too?

A (34:39)

No, no, no, they wanted you. I usually jumped in just so they had me in case they, they went home and said, oh, where's Leo?

B (34:48)

Oh, well, well, for what it's worth, I'm happy to, you know, smile into your phone.

A (34:53)

All of it'll be fun listeners. And we'll line up a photographer.

B (34:57)

If it doesn't break your camera, that's good.

A (35:00)

This episode is. Go ahead, get some coffee, Steve. This episode of Security now is brought to you by Guard Square. This is a relatively new advertiser, but boy, if you listen to this show, you're going to realize you need Guard Square. If you're doing mobile app development, you need Guard Square. Mobile apps today have become an inescapable part of life. That's part of the problem. Financial services, healthcare, retail and entertainment users trust mobile apps with their most sensitive personality data. But a recent survey showed 72% of organizations experienced a mobile application security incident last year. 92% of respondents reported rising threat levels over the last two years. That's obvious. Meanwhile, attackers who are, you know, desperately want your users personal data are constantly finding new ways to attack your mobile app. You don't want to be responsible for this. They reverse engineer it's, they repackage it, they distribute a modified app via phishing campaigns, sideloading third party app stores. Your end users don't know the difference as suddenly they've got your app plus some a little bit of malware thrown in. But you can stop it by taking a proactive approach to mobile app security. You can stay one step ahead of these attacks and maintain the trust of your users. And that's, that's really what's most important. That's where Guard Square comes in. And Guard Square delivers mobile app security without compromising, providing advanced protections for both Android and iOS apps. And it's more than just built into the app. It's also combined with automated mobile application security testing to find vulnerabilities, real time threat monitoring to gain insight into attacks. So if somebody's doing something to your app, you, you know, discover more about how Guard Square provides industry leading security for your mobile apps@guard square.com that's guard square.com you owe it to yourself, you owe it to your users. Check it out guard square.com we thank them so much for supporting security. Now Steve, now fully caffeinated will continue

B (37:17)

as if I need more caffeine. And speaking of online web based services, there is apparently been some concern, I would say justified, you know, if you want to follow the rules over the intersection of child's privacy enforcement and the apparent explicit need to violate that very privacy for the sake of complying with legislated age determination. Last Wednesday, on the heels of Apple's begrudging update to their age related APIs and their download, you know, their app Download enforcement, the U.S. federal Trade Commission, our FTC issued a formal policy statement with the headline FTC Issues COPPA Policy Statement to incentivize the Use of Age Verification Technologies to Protect Children Online. They wrote. The Federal Trade Commission issued a policy statement today announcing that the Commission will not bring an enforcement action. I don't know if I would call that incentivizing. It's like de. Threatenizing will not bring an enforcement action under the Child's Online Privacy Protection Rule. Coppa. COPPA against website and online service operators that collect, use and disclose personal information for the sole purpose of of determining a user's age via age verification technologies. The COPPA rule requires operators of commercial websites or online services directed to children under 13 and operators with actual knowledge that they are collecting personal information from a child to provide notice of their information practices to parents and to obtain verifiable parental consent before collecting, using or disclosing personal information collected from a child under 13. And what a pain in the butt it is to actually do that, right? So we see the problem here, right? The emerging age restriction regulations are placing the burden upon online services to, you know, to whatever they must do to determine their visitors ages. But doing this could force the site to run afoul of other regulations, specifically coppa, which are already in place to protect the privacy of their underage visitors and users. In this instance, it's necessary to carve out an explicit privacy exception so that online services will be able to collect the data that they must without fear of tripping over coppa's restrictions. So the FTC explains, age verification technologies play a critical role in helping parents as they monitor their child's online activities. Since COPPA was enacted in 1998, so it's been around for a while, there's been an explosion in the use of Internet connected technologies by children to help parents navigate the challenges associated with their child's online activities. Some states have started requiring some websites and online services to use age verification mechanisms to help determine the age of users. But as noted at the FTC's recent workshop on Age Verification Technologies, some age verification technologies may require the collection of personal information from children, prompting questions about whether such activities could violate the COPA rule. Christopher Mufari, director of the FTC's Bureau of Consumer Protection, said, quote, age verification technologies are some of the most child protective technologies to emerge in decades. Our statement incentivizes operators to use these innovative tools. Again, I would say, you know, doesn't, you know, suspends disincentivizing them because that's the threat of being of of action under COPA that is causing them to say, wait a minute, which empowers parents to protect their children online, unquote. The policy statement states that the Commission will not bring this is the the statement from the FTC will not bring an enforcement action under COPPA rule against operators of general audience sites and services and mixed audience sites, services that collect, use or disclose personal information for the sole purpose of determining a user's age without first obtaining verifiable parental consent if they comply with certain conditions specifically that they and we've got six bullet points do not use or disclose information collected for age verification purposes for for any purpose except to determine a user's age. Two, do not retain this information longer than necessary to fulfill the age verification purposes and delete such information promptly thereafter. Three, disclose information collected for age verification purposes only to those third parties. The operator has taken reasonable steps and here again, I hate that kind of language. But okay, so to determine are capable of maintaining the confidentiality, security and integrity of the information, including by obtaining certain written assurances from those third parties. Okay, so at least transferring responsibility, hopefully legally enforceable. Fourth, provide clear notice to parents and children of the information collected for age verification purposes. Fifth, employ reasonable security safeguards for information collected for age verification purposes. And finally, sixth, take reasonable steps to determine that any product, service, method or third party utilized for age verification purposes is likely to provide reasonably accurate results as to the user's age. Again, does that mean, you know, facial recognition, which we know is really prone to error, whatever. Finally, they say the policy statement indicates that the Commission intends to initiate a review of the COPPA rule to address age verification mechanisms. The policy statement will remain effective until the Commission publishes final rule amendments on this issue in the Federal Register or until otherwise withdrawn. Okay, so this policy statement is intended essentially to provide interim cover for online sites and services that do need to enforce privacy breaching age restriction measures today which would otherwise expose the site to COPPA infringement. This suggests that COPPA itself, as they said here toward the end of this FTC announcement, COPA itself will require amending to provide a permanent and clear path for privacy respecting age verification for minors. So, again, well, one piece of legislation colliding with another Surprise. The Guardian reports that Metas CSAM detection AI is flooding law enforcement with low quality unactionable, which is, as we'll see here, it's like, it's really sad false positive reports of online child sexual abuse that are seriously hampering law enforcement's ability to function. Under the Guardian's headline, Meta's AI Sending Junk Tips to doj, US Child Abuse investigators say. Here's what the Guardian reported. They said officers from the US Internet Crimes Against Children ICAC Task Force said that Meta's use of artificial intelligence to moderate its social media platforms is generating large volumes of useless reports about cases of child sexual abuse which are draining resources and hindering investigations. Benjamin Zweibel, a special agent with the ICAC Task Force in New Mexico, said last week during his testimony in the state's trial against Meta. So this is New Mexico versus Meta, he said, quote, we get a lot of tips from Meta that are just junk. The state's attorney general alleges the company's platforms are putting profits over child safety. Okay, now at first I have to say I'll take a break here from this to say I was puzzled by that. But what I believe New Mexico's attorney general is saying is that rather than employing humans who would be able to use, you know, usefully discriminate between what is and is not actual child exploitation and abuse, Meta is endeavoring, they allege, to save money by using AI, which is not actually doing the job. So Meta is failing in their obligation, but they're failing in a way that's causing lots of trouble. The report continues saying Meta disputes these allegations, citing changes it has introduced on its platforms, such as teen accounts with default protections. The ICAC task Force is a nationwide network of law enforcement agencies coordinated with the U.S. department of justice to investigate and prosecute online child exploitation and abuse cases. Another ICAC officer, speaking on the condition of anonymity to discuss internal matters, said, quote, meta is providing thousands of tips each month. It's pretty overwhelming because we're getting so many reports, but the quality of the reports is really lacking in terms of our ability to take serious action. The ICAC officer added that the total number of cyber tips their department had received doubled from 2024 to 2025. Both Zwible and two ICAC officers said that unviable tips from Instagram, Facebook and WhatsApp often contain information that's not criminal. The anonymous officers added that in other cases, tips sometimes contain information indicating that a crime may have occurred, yet vital images, videos or text are missing or redacted. The ICAC officer added unviable tips from Instagram have really skyrocketed recently, especially in the last couple of months, and that's one of the biggest places where we're seeing important information not being provided in those cases. He said, we don't have the information to further the investigation. It weighs on you to know that this crime occurred, but we can't identify the perpetrator, unquote. So just to clarify that point, you know, these investigators are saying that what they see are clearly crimes which Meta's use of AI happened to have found. So not a false positive, it's true, but that the evidence that's needed to take any action about it is missing, which would not normally be the case if it were a human driven investigation. So Meta's use of AI is not only flooding law enforcement with crap, but it's also serving to obscure the necessary details of actual crimes it detects. You know, if we didn't know better, we'd be inclined to think this had been deliberately designed by criminals for criminals. It wasn't. I'm not suggesting that, but it's having that effect, right? The story says. Asked about Zweibel's testimony and the ICAC officer's remarks, a Meta spokesperson said, quote, we've supported law enforcement to prosecute criminals for years. The DOJ has repeatedly praised our fast cooperation that has helped lead to arrests. And NCMEC has praised our streamlined and improved TIP reporting process. In 2024, we received over 9,000 emergency requests from US authorities and resolved them within an average of 67 minutes. And even more quickly for cases involving child safety and suicide consistent with applicable law. We've reported a parent child sexual exploitation imagery to NCMEC and support them to prioritize, to prioritize reports from helping build their case management tool to labeling cyber tips so they know which are urgent. Okay, so I'll just note that while this sounds great, it doesn't appear to be responsive to the question of AI's use. That meta spokesperson appears to be referring to the work of humans employed by Meta, not their cost saving AI. The Guardian's reporting then shifts gears to provide some background on ncmec, which is the national center for Missing and Exploited Children. The Guardian writes, by Law Social media companies based in the United States are required to report any detected child sexual abuse material CSAM on their platforms to the national center for Missing and Exploited Children, ncmec. It serves as a national clearinghouse for reports which it forwards to the appropriate law enforcement agencies across the United States and internationally. NCMEC does not have the authority to filter out any tips that may be unviable before they're sent to the relevant law enforcement agencies. So 100 has to flow through Meta is by far the largest reporter to NCMEC and its Data report for 2024. NCMEC said Meta made 13.8 million reports across Facebook, Instagram and WhatsApp. Okay, so you know 13.8 million, right? We have 12 months in a year. So simple math tells us that's over a million reports per month is coming from Facebook, Instagram and WhatsApp. And that that that 13.8 million is out of a total of 20.5 million tips that NCMEC received in total. So you know well over half NCMEC and NCMEC said that in 2024 more than 1 million cyber tip line reports were linkable to a specific US state and those reports were made available to the ICAC task forces around the country as well as other federal, state, local law enforcement agencies for investigation. Meta and other social media companies use AI to detect and report suspicious material on their sites and employ human moderators to review some of the flagged content before sending it to law enforcement. The Guardian has previously reported that tips generated by AI that have not also been reviewed by a social media company employee or often cannot be opened by a law enforcement officer without a warrant because of Fourth Amendment protections. This extra step also shows investigations of slows investigations of potential crimes, lawyers involved in such cases have said and met. A spokesperson said it's unfortunate that court rulings have increased the burden on law enforcement by requiring search warrants to open identical copies of content. We've already reviewed and reported. Our image matching system finds copies of known child exploitation at scale that would be impossible to do manually and we work to detect new child exploitation content through technology, reports from our community and investigations by our specialist child safety teams under the Report act, where report is an acronym for Revising Existing Procedures on reporting via technology. So report, which came into force in November 2024. Online service providers must broaden and strengthen their reporting obligations by notifying NCMEC Cyber Tip Line not only about child sexual abuse material, but also about planned or imminent abuse, child sex trafficking and related exploitation. They must Also preserve evidence for a longer period and face higher penalties if they knowingly fail to comply. Excuse me. Since the act passed, the number of unviable tips supplied by META has increased dramatically, which should be. Excuse me. Which could be because the company is acting to ensure it is not falling foul of the law, two ICAC officers said. So in other words, META is, is, is complying because they're being forced to comply. The result, however, is a lot more noise among the signal. They said many of these tips could not be construed as a crime, such as adolescent girls talking about which celebrity they find most attractive. Special Agent Benjamin Zweibel said in court, quote, based on my training and experience, it appears that they are being submitted through the use of AI, as these are common mistakes that an AI would make that a human observer would not. Swible added that his department receives significantly fewer tips on legitimate cases of child sexual abuse material distribution from META than in previous years. So, in other words, not only has the noise gone up, but the signal, the quality, has gone down. Every tip that reaches an ICAC division must be reviewed and the influx of unviable tips is taking time and resources away from investigating legitimate cases of child abuse, said two officers. One ICAC officer said, quote, it's killing morale. We're drowning in tips and we want to get out there and do this work. We don't have the personnel to sustain that. There's no way that we can keep up with the flood that's now coming in, unquote. So I want to chalk this up less to Meta being evil, which I don't think is the case, than to the growing pains of effective AI deployment. We're still very much learning how to best use the new and surprising capabilities of large language model networks. And I suspect that a strong case could be made for there truly being far too much content for humans to manually inspect. In other words, you know, and we've talked about this, right? With the legislation that the UK keeps circulating and trying to make happen, where it's just like, you know, how are we going to do this? Apple has proposed doing on device CSAM image comparison, and nobody wanted that. I mean, they're the. The actual volume of content is beyond human management. So, you know, although the specter of having overlord AIs examining everything, excuse me, examining everything that's transacted over social media, you know, it feels very Orwellian. Our legislators are requiring a level of oversight from social media companies that likely has no other workable solution. It's, you know, AI it will be. We just need to continue figuring out how to best use it. And again, all evidence is we're, we're making headway and we're going to get a lot better than we are. You know, we, we can clearly see how much better we are now in using AI for code than we were a couple years ago. I, I, you know, this is going to get better and I, and I don't, I think we're just gonna, in the future, the legislators are going to force it to be the case that, that some machine intelligence, it's going to be watching dialogues and we're just, you know, users are going to have to put up with that as a, as a cost of the privilege of being able to communicate with encryption. I just saw a short mention blurb that surprised me. The news was just that wonderful that Russia's wonderfully named Internet watchdog Ross Cubnadzor has now blocked Russian citizens access to, you're not going to believe how many. 469 LEO individual VPN services, of course, inside Russia.

A (60:08)

All of them, in other words, all of them they could find.

B (60:11)

Yes, I mean, and which means, but none of the ones that have sprung up since then.

A (60:17)

Right, right.

B (60:18)

It seems to me that the fact that they, that there are 469 VPN services inside, you know, discrete individual VPN services inside Russia to be blocked in the first place, that's the real story here, you know. Right. Talk about a citizenry that's desperate to escape the shackles of their own state's filtering and tampering and, and management. This is a citizenry that is desperate for contact with the outside world and a repressive government that's doing everything it can to prevent that. It's becoming increasingly clear why Russia has been experimenting with completely disconnecting from the global Internet. They want the ability to just go, you know, internal sovereign and cut off all outside contact. In other Russian news, I saw a report that indicated that the Kremlin had decided to fully block Telegram starting in April of this year. Right. Okay. Next month. That's puzzled me since I thought the telegram was already being fully blocked. We talked about that just recently, but this reporting stated that Telegram was currently only 55% blocked. Okay. It's not clear to me what a 55% block might mean. The only thing I can figure is that perhaps access to Telegram is currently being limited to specific regions or sectors or industries and that additional regions are being added to the master block list so that by the end of this month of March Nothing will be left. Okay. Whatever the case, Russia appears to be quite intent upon controlling its citizens access to information. Information.

A (62:18)

Go.

B (62:19)

Good luck.

A (62:21)

If you want to do that, you got to get rid of VPNs.

B (62:24)

Yes, as we know, information wants to be free.

A (62:27)

Yeah, it's pretty.

B (62:28)

That has been said. It's very difficult. I mean, you know, we got satellite now too. Okay, this one. Oh. About 14 months ago, in January 25, we reported that the UK was launching a plan to begin continuously and proactively scanning its own national public facing network segments for the purpose of preemptively detecting vulnerabilities and alerting those owners of the IP addresses where vulnerabilities were found. Our listeners may also recall that I was jumping up and down over how much I thought this made sense and suggesting that this was something every nation should be doing to its own public facing Internet address ranges in its own self interest. I think this is just a great idea. So we're talking about this again today, 14 months later, because last Tuesday. I'm sorry. Last Thursday the uk, out of a celebratory press release used the headline Government cuts cyber attack fix times by 84% and launches new profession to protect public services. A new profession, huh? Okay. The press release led with three summary bullet points. They said critical cyber weaknesses across the public sector will now be fixed six times faster than before. Ministers are determined to go further with first ever dedicated government cyber profession. That's in caps, capital C, capital P. Cyber profession to give the state the skilled staff it needs to protect UK's key services from cyber threats. And finally, the number of serious unresolved cybersecurity weaknesses across government cut by 3/4 as part of government wide efforts to strengthen Britain's digital defenses. Wow, Sounds great. Before I share what the press office of the UK said, allow me to preface this by noting that we're going to encounter something that makes no sense whatsoever to me. But regardless, here's what they wrote. They first said public services, public services millions of people depend on, from the NHS to the legal aid agency, are becoming significantly safer and more resilient thanks to major improvements by the government to identify and fix cyber threats.

A (65:26)

Great.

B (65:27)

A specialist government monitoring service introduced as part of the blueprint for modern digital government published in January 25, means serious security weaknesses in public sector websites are fixed six times faster, cutting the average time from nearly two months to just over one week. Okay, so far so good. But then this appears to go off the rails. The release next says the vulnerabilities in the Domain name system. DNS, the Internet's address book that turns website names into numbers computers use to find them. Weaknesses in DNS can allow attackers to redirect users to fraudulent sites, steal sensitive data, or take services offline entirely, with potentially serious consequences for anyone relying on government services. Okay. They said. The press release says before this service was in place, a weakness in a government DNS record could go unnoticed for nearly two months. Long enough for a hostile actor to redirect someone trying to access a government service to a fake site designed to steal their personal details, intercept sensitive communications or disrupt services that people rely on. The Vulnerability Monitoring Service has closed this window down to eight days. It alerts the right people with clear, practical guidance on how to fix the problem and tracks progress until each issue is resolved. Okay, what the hell are they talking about? What is a weakness in a government DNS record? What? In this day and age, when I see something that sounds entirely plausible and reasonable to a layperson, but which is actual nonsense, the first thing I think is that some AI somewhere was having a bad day. The press release said before this service was in place, a weakness in a government DNS record could go unnoticed for nearly two months. Again, what? What? What is a weakness in a. Like. Just like it makes no sense at all. There's no such thing. Okay, so let's just play along and see what else happens. The release continues. Speaking at the annual Government Cybersecurity and Digital Resilience Conference, Digital Government Minister Ian Murphy will outline how this will sharply reduce. Right. The reduction in weak government DNS records, apparently. What will sharply reduce something? Oh, the risk of hackers targeting essential services like the nhs. Well, that's good. If you've got a weak DNS record, you don't want that. So by all means reducing its effect somehow from almost two months of weakness down to just eight days. That's a big improvement, no one would argue. He'll also outline how the government has reduced its backlog of these weak DNS vulnerability records.

A (69:19)

Okay.

B (69:20)

By 75%, significantly shrinking the window for cybercriminals to target essential government services due to weak DNS records. Okay. From GP surgeries and ambulance trusts to hospitals and social care providers, today's announcement marks a decisive step in closing the door on such threats, whatever they are, with the government. Going even further with the launch of the first ever dedicated government cyber profession, apparently we're going to have a cyber profession, capital C, capital P, that focuses on the weakness, I don't know, of what. DNA. What are they? DNS monitoring? What are they?

A (70:09)

I.

B (70:10)

Okay, so the press release says this program will recruit and train the top tier cyber experts needed to keep public services safe. Oh, good. Minister for Digital Government Ian Murphy said, quote, cyber attacks aren't abstract ideas. Oh, no, we know that they delay NHS appointments, disrupt essential services, almost put Jaguar out of business. And that's me, not him. And put people's most sensitive data at risk when public services struggle, its families, patients, and frontline workers that feel it. The vulnerability monitoring service has transformed how quickly we can spot and fix weaknesses before they're exploited so we can protect against that. We've cut cyber attack fixed times by 84% and reduced the backlog of critical issues by three quarters. And as the service expands to cover more types of cyber threats. What beyond weak DNS records? Whatever those are, fixed times are falling there, too. But technologies alone aren't enough. Today, he says, I'm launching a new government cyber profession, Capital C, Capital P. To attract and develop the talented people, we need to stay ahead of increasingly sophisticated threats. Making government a destination of choice. That's right, baby. Government is a destination of choice for cyber professionals worldwide who want to protect the services that matter most to people's lives. Dr. Richard Horn, CEO of NCSC, said cyber security is more consequential than ever today with attack. It does sound like maybe some good AI wrote this part. Ever today.

A (72:10)

Are there bullet points with attacks in

B (72:13)

the headlines showing the profound impacts they can have on people's everyday lives and livelihoods? As our public services continue to innovate, it's vital that they remain resilient to evolving threats. And Volcke. Blah, blah, blah, blah, blah. So they finally said the VMS. This is this new system that's been online for 14 months, continuously scans 6,000 UK public sector bodies, detecting around 1,000 different types of cyber vulnerabilities. When a weakness is identified, the service alerts the relevant organization with specific actionable guidance and tracks progress until the issue is resolved. Okay, now that finally makes sense. That is what we would expect. They have a continuously running Internet scanner that's scanning 6,000 UK public sector agencies and entities looking for 1,000 different types of cyber vulnerabilities at each of the IPS of the configured targets. Yay. Unfortunately, the presence of that Looney Tunes nonsense about weakness in government DNS records cast the entire announcement into question. Just where does you know where? Where does the AI brain fart that apparently occurred end in this announcement and reality begin? If that. If that's in there, it's hard to know what else is just fuzzy. But we do now appear to be, you know, back on track. The release finishes up writing by automating and detecting and streamlining remediation. The service has bullet point reduced median time to fix domain related vulnerabilities from 50 days to 8 days. A6 an 84 improvement. Okay, now we're back to crazy town there. What is a domain related vulnerability and how can it have been reduced from taking 50 days to fix down to just eight days? How could it take any days? You know it, it really does seem as though an AI had a hand in the preparation of this release, which is too bad. The other three bullet points seem more reasonable. They are reduced median time to fix other cyber vulnerabilities from 53 days down to 32. Okay, not great. But better cut the backlog of critical open domain related vulnerabilities, whatever that is, again by 75%. Processed and resolved around 400 confirmed vulnerabilities each month. So the article, the, the, the press release finishes saying the new government cyber profession is co branded with the Department for Science, Innovation and Technology and the National Cyber Security Center. It will introduce a competitive total employee offer, establish a dedicated cyber resourcing hub to streamline recruitment and create career framework aligned with UK Cybersecurity Council professional standards. It will also include a government cyber academy for training and deployment, a new apprenticeship scheme to build future talent and structured career pathways to strengthen long term capability across the public sector. The Northwest will serve as the primary hub for the profession, building on Manchester's growing digital ecosystem and the forthcoming government digital campus. So all that sounds great and reasonable too. The UK has clearly implemented, although they seem unable to describe what it is, they have an extremely useful service. And I do seriously hope that other nations pick up on this idea and put it into practice. Is the idea of a country scanning its own Internet infrastructure preemptively for known problems. I mean this is what SISSA should be doing. And then finding out who owns those IPS and letting them know they've got problems there. That's a win. Win. I don't know what a soft government DNS record is. Wow. And I don't think anybody else does either because you know, we would know what that was, right? We know, we understand this stuff and like what. What are you talking about? You know, really, it's just a mystery. Leo, let's take a break.

A (77:19)

Okay?

B (77:20)

For a sponsor who's not a mystery.

A (77:22)

No mystery to you or me because we're about to head to Orlando for zero Trust World, Threat Locker's big security conference. Steve's going to give a presentation Wednesday, last event of the day. So it's right before the cocktail party. In fact, it might even overlap a little bit. But it'd be worth sticking around. And Steve and I will stick around afterwards to talk to you.

B (77:46)

And you're going to be in costume, right?

A (77:48)

Not for this.

B (77:49)

Oh,

A (77:52)

there is Thursday. They're very famous for. Every year Threat Locker has a costume party. And the. I think the theme this year is 60s space, something like that.

B (78:05)

Oh, thank goodness. I thought I was going to be the only person not in costume.

A (78:09)

On. Not for the cocktail.

B (78:10)

For the Wednesday evening cocktail party.

A (78:13)

No costumes, no costume. Just be normal.

B (78:16)

Okay.

A (78:17)

Which is black, right? You're going to wear black of some kind.

B (78:19)

I'll be wearing black even though. Or Orlando is hot and black absorbs heat just like it does for the crows, Leo.

A (78:26)

Ah, yes. They absorb the energy focused upon them, whether by the sun or some other third party. Actually, let's talk about Threat Locker since we're, we're here, our sponsor for security. Now, for this segment of security. Now, I'm, I'm a big fan of Threat Locker because they do Zero Trust, right? ThreatLocker, Zero Trust platform takes a proactive, and this is the key. These are the three words you want to hear. Deny by default approach. That means every unauthorized action is blocked unless you specifically explicitly say, yeah, that program can do that or that user can do that. It can't. And it's as simple as that. That protects you from both known and unknown threats. The problem, of course, is modern threats. Modern attacks hide inside endpoints. Your employee brings the laptop home, gets malware on it, brings it back. Now it's inside the network. A lot of networks just assume, hey, if it's inside the network, it's an employee. It must be. Okay, we know better, don't we? Attacker controlled virtual machines, sandboxed environments. Attackers are very smart these days. They hide inside, right? That VM based malware will evade traditional antivirus software. So even if you know, your employee brings in the laptop and your antivirus says, oh, well, I see the bad guy here, you don't know what else is going on in there unless you're using Threat Locker Zero trust. It prevents these VM based attacks before they can launch because you've not explicitly permitted it. ThreatLocker's innovative ring fencing, that's what they call it, constrains tools and remote management utilities. That's another big threat, right? People are logging in through a VPN or something. Attackers cannot weaponize them for lateral movement or mass encryption that stops ransomware cold. Threat Locker works in every industry. Max PCs provides 24.7us based support. That support is great. And with it one of the real benefits of Zero Trust, you also get comprehensive visibility and control. It's great for compliance. Ask Emirates Flight Catering. It's a global leader in the food industry. 13,000 employees. Threat locker gave full control of apps and endpoints, improved compliance and delivered seamless security with strong IT support. All of the above. The CISO of Emirates Flight Catering said this quote. The capabilities, the support. Oh, and the best part of threadlocker is how easily it integrates with almost any solution. Other tools take time to integrate, but with Threat Locker, it's seamless. That's one of the key reasons we use it. It's incredibly helpful to me as a ciso. End quote. Threat Locker really works. It's affordable, it's effective, it works with what you're already using, and it's trusted by companies that just can't afford to be down for even one minute. Like JetBlue. Heathrow Airport uses Threat Locker. The Indianapolis Colts, the Port of Vancouver. Threat Locker consistently receives high honors and industry recognition. Their G2 high performer and best support for enterprise. Summer 2025 report peers spot ranked threat locker number one in application control. GetApp gave them the best functionality and features award in 2025. Get unprecedented protection quickly, easily and cost effectively with ThreatLocker. Visit threatlocker.com twit to get a free 30 day trial and learn more about how ThreatLocker can help mitigate unknown threats and ensure compliance. That's threatlocker.com twit on we go with the show.

B (82:17)

Okay, so I mentioned this at the top as somebody I knew, Leo, you would remember I. I was just scanning the news and I encountered a piece of news declaring that Vastamo hacker disappears. And I thought, okay, I have no idea what that is. But then reading a bit into the story, it mentions that a Finnish hacker lost his appeal and will have to go back to prison after a court increased his original sentence. Okay, so again like, okay, nothing stands out there, but we'll recall this event from six years ago. The report explains that this Finnish hacker was sentenced to six years and three months for hacking the Vestamo Psychotherapy center in 2020 and then extorting its patients. Which is what made that stand out. Both as I was reading this and of course I remembered we talked about this at the time. This creep obtained the psychotherapy centers very Personal and highly confidential medical psychotherapy records.

A (83:35)

That's just awful.

B (83:36)

Including of course, the contact information that would be needed for them to be contacted for the sake of extorting them, which he then did. He threatened them with public exposure of their mental illnesses unless they paid up. So beyond this, as I also recall, Leo, you and I were shocked when we saw the sheer number of patient records that that Vestamo Psychotherapy center had maintained online. Which were stolen. That was the other part of the scandal. We noted that not only were they at fault for not better protecting their data, but they should not, you know, they should not have had that much old patient data around. They should be held accountable for leaving the data of years and years of previous patients in hot storage online and readily accessible. You know, I understand they might have felt they needed to retain records for some possible future need, but those could be archived offline for retrieval on demand, not sitting on the same server with all of the current records, all of which this hacker sucked up. So.

A (84:52)

I agree. 100.

B (84:53)

Yeah, just a weird little aside. I mean I'm like, remember that guy? Yeah, we talked about him. Funny how we seem to catch all the important bits. I'm. I'm happy about that. So in there. Cyber intel brief. The cyber intelligence firm Data Miner. They left the E out so it's D a T a M I N R. Data Miner reports that the scattered lapses hunters which we're now abbreviating slh. Although I don't know if anyone's going to remember what SLH is so I'm going to keep saying scattered lapses hunters but because it's fun that they've begun recruiting female individuals for their voice phishing campaign. SLH is offering upfront payments, big ones for social engineering calls targeting it. Help desks Data Miners report offered three key takeaways. They said under tactical evolution, SLH is diversifying its social engineering pool by specifically recruiting women to conduct voice phishing attacks likely to increase the success rate of help desk impersonation under large incentives. They said the group is offering significant financial incentives between 500 and $1,000 upfront per call, which stuns me and providing pre written scripts to their recruits and high profile risk. They said SLH is a supergroup alliance of lapsus, scattered spider and shiny hunters known for compromising major global corporations and stealing over 1.5 billion records so far and counting. The the Dana Minor posting then walks us through their discovery of SLH's online recruitment postings and ends with some useful advice to any potential enterprise Targets under their heading. Organizations should adopt a heightened defensive posture against social engineering. They enumerate four points. First, help desk training immediately brief it. Help desk and support personnel on this specific recruitment trend emphasize that attackers may be using pre written scripts and polished voice impersonation. And that if it's the fact that it's a girl on the phone doesn't mean, you know, it's not your typical hacker attacker guy. So don't be fooled by that. Strict identity verification enforce out of bound, out of band as they say, identity verification, you know, a video call or secondary internal verification of some sort. You know, it's like not like when you receive email that says phone this number. If you'd like more information and pretending to be your bank, you need to, you know, go look up your bank's phone number yourself rather than using the number that came in the email, that kind of thing. So harden MFA policies, they said move away from SMS or push based MFA multifactor authentication, which both of which are vulnerable to SLH's known TTPs like SIM swapping and fatigue bombing. Implement FIDO2 compliant hardware security keys wherever possible. And finally, monitor anomalous access audit logs for new user creation or administrative privilege escalation immediately following all help desk interactions. Meaning, you know, check your logs after a help desk interaction to see whether there might be anything going on that the bad guys immediately launched into following that interaction. So the point being, you really do need to be proactive. I remember

A (89:05)

a phishing attack some years ago where a woman called a customer service, remember, remember the customer service is the first two words in their title. They want to help customers. So the way this phishing attack, this social engineering attack worked, the woman was frantic saying, my husband left his phone at home and he's on a business trip and he's going to desperately need and I need to reach him. And they played a baby crying in the background on a recorder. I mean it was this whole scenario.

B (89:42)

So you would really get sucked in and believe.

A (89:45)

Yeah. And of course you can't do that with a guy. So yes, a woman's voice is going to in some cases really be more effective. Because I think you're right, people don't assume expected a woman to be social engineering them.

B (89:58)

Yeah. So you. So again it just knocks your guard down a notch. Yeah, yeah.

A (90:03)

And of course it was a sim jacking attempt. They just want, all they wanted to do is get the phone number transferred so that they could get those sms.

B (90:12)

Yep.

A (90:12)

You know, and text messages.

B (90:14)

Good night.

A (90:15)

Good night. Yep.

B (90:17)

So Last Wednesday, Cisco released the news of CVE 2026201 27, once again achieving that rarest of rare CVSS 10.0 scores.

A (90:36)

Good old Cisco. You know what? They always come in strong.

B (90:41)

Used to be oh Newman, now it's oh, Cisco. This was an actively exploited zero day, first discovered while it was being abused in the wild. The title Cisco gave their disclosure was Cisco Catalyst SD WAN Controller Authentication Bypass Vulnerability. Yep, you heard it right. Surprise, surprise. An authentication bypass vulnerability. Cisco wrote a vulnerability in the peering authentication in Cisco Catalyst SD WAN Controller, formerly SD WAN vsmart and Cisco Catalyst SD WAN Manager, formerly SD WAN vmanage could allow right could allow an unauthenticated remote attacker to bypass authentication, that pesky authentication and obtain administrative privileges on an affected system. They said this vulnerability exists because the peering authentication mechanism in an affected system is not working properly.

A (91:54)

Huh?

B (91:55)

Not working properly. Okay, no one would disagree with that. Although calling it catastrophically defective might be more accurate. Okay, this one is so bad that both the US NSA and CISA in, you know, here in the us, the Australian Signals Directorates, Australian Cybersecurity center, the Canadian center for Cyber Security, New Zealand's National Cyber Security center, and the UK's National Cybersecurity center all published patch or parish announcements in a desperate attempt to bring the need to patch all systems to the attention of their owners. The SD in SD WAN stands for software defined. So it's a software based networking platform that connects branch offices, data centers and cloud environments together through a centrally managed system. It uses a controller to securely route traffic, securely in quotes, of course, air quotes between sites over encrypted connections. This is another instance where any company that recognized that simple authentication can never be relied upon for security and had therefore taken the trouble to preemptively separately restrict, for example, incoming SD WAN connections to only known endpoint peers. Well, they'd have. They'd never have anything to worry about. They wouldn't have anything to fear from these authentication failures and a would not have suffered a potentially devastating network compromise and B could therefore update their SD WAN instances with something less than pants on fire emergency at their leisure. Once again, Cisco's own announcement moderately underplayed the consequences. They wrote an attacker could exploit this vulnerability by sending crafted requests to an affected system. Of course, all systems are affected. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD WAN controller as an internal high privileged non root user account. Using this account, the attacker could access netconf, you know, NET configuration, which would Then allow the attacker to manipulate network configuration for the SD WAN fabric. It was the Australian Signals Directorate, I'll note, who first discovered and reported these attacks being used in the wild. Not surprisingly, they paint a somewhat less rosy picture of the consequences. Writing this is Australia, malicious cyber threat actors are targeting SD WANs of organizations globally. These actors exploited a Cisco Catalyst SD WAN controller authentication bypass vulnerability CVE2026 20127. After exploitation of this vulnerability, the malicious actors add a rogue peer and eventually gain root access to establish long term persistence in SD WANs. So sorry Cisco, not just non root user accounts.

A (95:46)

I like that new term, rogue peer. I'm going to keep that around.

B (95:49)

Rogue peer. Yeah, yeah. Again, we, we. It's a, it's one of our main themes here. You cannot rely upon authentication. You and, and more importantly, you don't need to. You can apply additional factors of authentication, not allow somebody to get to a port. You know, you, you've got, you have a bunch of offices scattered around what the world they have. They're in networks. You know what their ips are, they're, they're even their IP blocks, probably the specific IP of your peer sdwan. Why not take the time to put a rule in the firewall so that you only accept incoming traffic from that IP to your sdwan? Why?

A (96:43)

Can you, can you spoof an incoming ip?

B (96:46)

No.

A (96:47)

How interesting.

B (96:48)

No, because it requires a connection.

A (96:49)

It's a, it's a conversation, it's best. Yeah, right.

B (96:52)

Yes. And so like all anybody has to do is not assume that. I mean, first of all, I was about to say not assume that. Cisco is perfect. Who would assume that?

A (97:02)

Well, that's a good thing to not assume.

B (97:04)

Please.

A (97:06)

Safe bet.

B (97:07)

So, you know, protect yourself, put firewall rules in. So because you're talking to fixed endpoint IPs only allow the conversations from them. Why would you ever want China or Russia or North Korea to connect to your SD lan? You don't.

A (97:24)

Right? I mean, I do that with my freaking synology. It's not. I mean, how hard could it be?

B (97:31)

Exactly. Exactly. I mean, you know. Yes.

A (97:35)

Yeah.

B (97:36)

Okay, so volume checks, annual report on the in the wild use of known security CVEs. Like, you know, CVEs about security breaches is interesting. All I have, I, I have the entire 41 page report. It will probably be next week's topic because it looked like in a quick glance through it there was just so many, so much juicy stuff there. But the teaser summary, which is all you get until you, you Know, give them your name and email address so they can market to you for the rest of your life. It was interesting too. They said in 2025, barely 1% here. This is what was interesting. 1% of disclosed vulnerabilities were exploited in the wild, which might not be what we think it means that the distribution of exploits is not uniform. It is very peaky. Of course, it's the juicy exploits which were exploited. Right? They said. But yet those that were exploited were operationalized quickly, attracted diverse threat actors and often caused outsized damage before organizations had a chance to respond. Just like this SD WAN nightmare, they said. This report identifies which vulnerabilities mattered, why attackers targeted them and where. Timing failures left organizations exposed. Like I said, that's going to be fun to talk about this, to look at this, this analysis. They said Volchek tracked exploitation patterns, threat actor behavior and weaponization timelines across hundreds of thousands of vulnerabilities in 2025. The data revealed how quickly new vulnerabilities became bona fide threats. How AI proof of concept code is polluting risk assessment pipelines. Interesting. And which threat actors ramped up vulnerability exploitation amid geopolitical tension. Then we have three bullet points. VulCheck identified 55,0 routinely targeted vulnerabilities from 2025 that had elevated risk profiles by the end of the year, drawing interest from ransomware, threat actors, botnets and researchers, often all at once. Second, proof of concept exploits for new CVEs increased 16.5% in 2025, inundating organizations with risk signals that often turned out to be false or misleading. AI generated slop again, AI slop is a term which has taken hold. And finally, China nexus threat actor attributions increased 52% year over year while ransomware groups shifted towards zero day exploitation at accelerating rates. With 56.4% of ransomware, CVE is discovered through zero day activity. So the landscape is changing. These guys have analyzed everything that happened in 2025, produce a 41 page report full of information, and I suspect that's how we're going to start next week. We're going to start our listener feedback, Leo, but I think we should take one more break because then we'll have one before our final coverage.

A (101:13)

That sounds good to me. You're watching Security now, special edition, in a sense, because we are doing this on a Sunday. Steve and I, as I mentioned, are going to Florida tomorrow and we'll be gone all week. I've got people covering the shows for me. We will put this show out in the normal Tuesday time slot. And if you're a security outfan, good news because this week we'll have have two security now as a second show which will be the presentation Steve's giving at Zero Trust World, what's it called?

B (101:44)

The call is coming from inside the house.

A (101:48)

I'll leave it to you to speculate as to what.

B (101:51)

I'm just thinking you have people covering your shows and we've got people covering our squirrels needs to continue being fed while we're gone.

A (101:59)

I, I have Micah, you have a squirrel sitter. It makes sense.

B (102:03)

House sitters that are going to keep the squirrels fed because Lori said what about the squirrels?

A (102:07)

It's like, okay, anyway, we're glad if you're watching live. We're so glad that you figured that out. Twit will be coming up in about an hour and we'll get to that. But first, a word from our sponsor. Our show today brought to you by Adaptive. This is I think a new sponsor, really cool product. It's the first security awareness platform specifically built to stop AI powered social engineering. We were just talking about this, right? The time is right, here's the shift, here's what's changed. And if you've listened to the show, you just heard about it attackers really, they don't need malware anymore. They just need trust. A cloned voice, a convincing deep fake on zoom, an AI written fish that looks like it came from your IT team. It's really very effective what people can do. Right now, Adaptive prepares your organization for this kind of attack with simulations across of course, email, but also now SMS and very important voice. Deep fakes vishing, you know, that's voice phishing, AI generated phishing including scenarios that can mirror your own brand and executive. And when employees report something suspicious, Adaptive can help you triage it fast so security teams aren't buried by false alarms. If you need training fast, with Adaptive's AI content creator, you can turn a threat and incident report or a compliance doc into interactive multilingual modules in minutes. No design team required. With Adaptive, you can build, customize and monitor every part of your training with complete personalization. You personalize it just like the bad guys are personalizing them. The result is a more resilient security culture, which is absolutely essential because guess what, the calls coming from inside the house. Companies like Plaid use Adaptive. Plaid's platform powers thousands of digital finance apps and links consumers, developers and institutions using. You better believe they need help with adaptive security with sensitive data as core Plaid security and compliance are absolutely non negotiable. Plaid's Head of security, grc, says quote, adaptive has equipped our teams with cutting edge tools and build a smarter, more resilient security culture across the company. Adaptive really works. Trusted by Fortune 500s and backed by Nvidia and OpenAI, Adaptive is building the defenses we need for the AI era. Learn more more@adaptive security.com that's adaptivesecurity.com it really works. Cool.

B (104:58)

A listener David Benedict he said hi Steve. Not to pull you back, but he's going to into the whole code signing discussion again. It's a lot of interest. We've a lot of our listeners have expressed a strong interest, he said. But what if we simply don't buy those code signing certs? What if we simply start self signing code? Is there anything to stop us from self signing and building our own reputation that way? Thanks, Dave Benedict so okay, that's an interesting idea. The moves that the CA browser form have been making on the code signing front feel entirely different from their earlier squeezing on the TLS certificate side. The reason let's Encrypt was able to effectively replace and displace the traditional certificate authorities for the world's web server domain validation certificates is that let's Encrypt is only providing what its name suggests encryption let's Encrypt. It's making no assertion of any kind about the reputation of the domain name holder. And when you think about it, where strong assertions of identity are needed and are being made about the owner of a certificate, you know, whether for a web domain, maybe the digital signer of a document, that matters too, or the authorship of code, we do need entities such as certificate authorities standing by to do the necessary work of verifying identity and carefully issuing certificates, which attest to what their research has found. Unfortunately, while we've been going about our lives, the certificate authority business has been quietly consolidating. This has sometimes been triggered, as we've covered on the podcast, when an irresponsible certificate authority so flagrantly abuses its position of trust that the various root programs are finally forced to revoke their trust. In those cases, the disgraced CA is forced to sell off its certificate authority business assets to another certificate authority. In other cases, it's just a bigger fish swallowing up a smaller fish. Reducing the competition While I was scouting around for a new code signing certificate authority, I noticed that many of the smaller looking companies had exactly the same pricing as Digicert. It turned out that many of them have simply become fronts for Digicert's products. They're just resellers. The upshot of many years of CA industry consolidation is that the world no longer has a this is sad but true. The world no longer has a competitive certificate authority industry. We are watching the formation of a monopoly that has the gall to charge its customers per signature. We can see the writing on the wall. There are already plans like that happening. It's where we're headed. Dave began his note writing hi Steve, not to pull you back into the whole code signing discussion again. It's not your fault Dave. This whole thing obviously rubs me the wrong way. One of my personality hot buttons happens to be bullying. I've never been okay with the abuse of power, which is what I believe anyone observing the actions of the CA industry would conclude is happening. I don't see any way out of this, but I will gladly share any solutions I find to that end. During this research I discovered that all of the various CAS certificate authorities who offer code signing certificates remember that now any code signing certificate must be in hardware. You do no longer get a software certificate. All of the code signing offering CAS provide the option of installing certificates into a customer provided HSM a hardware security module rather than selling the certificate pre installed in their own dongle token. You know typically they charge another hundred dollars for that, but that's it. That's all it can do and period. The reason I'm mentioning it is I found a gorgeous $72 form factor USB a HSM dongle that I love. It's called the smart card HSM Space 4K 4K because it can handle 4096bit RSA keys which is now what's necessary. It also does elliptic curve keys which can be much smaller. I have a link to this device in the show notes to one particular retailer of this advice. It's got its own website at smart card hsm.com and most significantly all of the cards multi platform support is open source. So this is a fully open source $72. Beautiful little hardware security module. I've got a link to its GitHub page in the show notes. One of the very cool features of this for me is that HSM and you know having a hardware security module enables secure and encrypted cross hsm, private key and certificate transfers. In other words I have multiple machines where I want to be able to sign code. I've got two working locations and GRC servers in the Level 3 data center. So I first had the first HSM securely generate a 4096bit RSA key pair. The private key never leaves the device, which is what the certificate authorities require. But the public key is exported in a csr, a certificate signing request. I uploaded that CSR to identrust to receive for it to receive their signature. They promptly returned the resulting certificate which I used, which is then used to verify any signatures that the HSM generates for my code, since it'll be doing the code signing. One of the many cool things about this solution is that each of these HSMs includes its permanent device, its own permanent device certificates that enable it to establish a secure key sharing key among others of its kind. This allows one HSM's private keys to be securely duplicated across many other devices, as many as you may wish, as well as being externally backed up for export without ever being able to expose its private key. So it is it, is it? It meets all the requirements first for security, yet gives us as HSM users and code signers, way more flexibility. Each HSM also has a large amount of storage with room for hundreds of keys and certificates and whatever you want to put in there. Pgp, gpg, all of that stuff is supported. All of the platforms are supported so. And everything is Open source on GitHub. So for example, if an enterprise might have a number of trusted developers, work from home, satellite offices or whatever for the price of $72 each, as many developers can be given the ability to securely sign code as needed. Anyway, there's much more than what I've shared so if you have an interest or need, check out smartcard-hsm.com the retailer I used Cardlogix L O G-I X.com I got a link in the show notes. They're the retailer which I found it happened to be near me in the US. The where to Buy page at SmartCard HSM.com also lists a German and a Taiwanese reseller. So you're if. If you're over in Europe you can find someone near you or in Taiwan

A (114:07)

I have a nitro. I have a bunch of nitro keys. It works on that too which I didn't realize.

B (114:11)

Yes, Nitro key is also supported by all of this software. Yeah, since My original DigiCert EV code signing certificate does not spire until expire until November 20th as it happens of this year. But I wanted to remember that I wanted to obtain a three year certificate before they were no longer available. My plan has been to see whether I can pre establish a reputation for the new now 3 year duration iden trust certificate by having IT Co sign GRC's freeware that's now in place. GRC's most popular freeware, for example valid drive which is now being downloaded a thousand times a day, is now co signed both with DigiCert's original certificate and the new Ident Trust certificate. So I'm hoping that once we get to November, I'll be able to drop the DigiCert certificates. I'm sorry, the DigiCert signatures because my stats that DigiCert certificate code signing certificate will have expired and like and that my newer ident trust certificate which will by then have 10 months of exposure to Windows Defender and smart, whatever the hell you know it Microsoft will have seen this and gotten used to it. And I'm hopeful, hopeful that it will be able to stand alone and keep Windows, you know, trigger happy, gatekeepers happy. Okay, so, and then finally, just to see whether I could, because I had so much fun playing with this new technology last week as I mentioned talking to DigiCert, I also reissued my existing DigiCert certificate into in instead of in. They provide me with a dongle, which they did the first time two and a half years ago. I did it in this customer provided HSM mode that allowed me to add DigiCert's certificate into my new HSMS alongside the newly minted Ident trust certificate. It all worked perfectly. Now I have HSMs containing both the existing expiring in November digicert code signing certificate and the new IDENTRUST code signing certificate which goes for three years. So okay, believe it or not, I haven't forgotten about David. He started me off on all this by asking about the possibility of coders sidestepping all this nonsense by using self signed certificates. Now the use of self signed certificates has been common practice for web developers for many years. I have a self signed certificate for local host sitting in the trusted root stores of my various workstations. I run a web server on those machines which uses that certificate and I use it for local web development. Having a self signed certificate for local host allows me to use HTTPs URLs starting with you know, HTTP HTTPs://,/, local host slash and then whatever, without the web browsers that I'm using pitching a fit, you know. So it's just very handy. Okay, so let's explore how this might be extended for code signing if rather than having DigiCert or Identrust or whomever sign my code signing request, if I could instead use my private key to sign the certificate, creating a self signed certificate which would then be installed into the system's trusted root store. How would that work? Well, from that point on, any code I signed would carry that root certificates matching public key and any check on the validity of my code's signature on this machine would show its signature to be valid. But the reason this is not a useful solution for a software publisher unfortunately such as GRC is that these code signatures would only be valid on machines that had previously installed the its matching root certificate. What DigiCert, Identrust and all the other CAs have going for them is that their root certificates are already pre installed wherever any certificates they have signed might need to be trusted. Since Windows has now developed the practice of deleting on site any executable that appears on its drive without a valid and trusted signature, Especially one downloaded from the Internet. And that's probably why people are able to compile their own code is it came from them. Although I've compiled my own code too and and Windows has immediately stomped on would be necessary for GRC. If I was using a self signed cert, it would be necessary for GRC to tell its customers that before attempting to download, let alone run any of our software, they must first Download and install GRC's own trusted root certificate. Well, since I would never install anyone else's root certificate into my machine's root store, I would never ask anyone else to do that for us. In order to download and run my code, the burden of making my code acceptable to someone else's machine should be on me, not on them. So while signing one's own code for use on our own machines would work just like using a self signed web certificate for local use of a web browser and web server. I don't see any way to break our certificate authorities stranglehold on developers for code signing that needs to be universally trusted. And and as I said before, I get the need for certificate authority, you know, for just for encrypting web domains, we don't need them. That's why let's encrypt is a viable alternative and that's why it works. Because all we're saying is encrypt this traffic to wherever I'm going and I'm not sure where I'm going, I'm going to this domain name certificate authorities we need a third party like a CA when we need to have the ability to digitally sign a document and have that signature mean something because we proved who we word of them or to sign our code or if, if we want an organization validation certificate for for TLS web Servers, not just a domain validation certificate. So I'm not saying that certificate authorities aren't don't have a place and we don't need them. I've got a problem with that abuse. Now there is one place where self signing could make sense because everything I said about individual developers like me that does not apply to enterprises, right? Enterprises might choose to use they they could buy a cert from DigiCert, they could use a publicly trusted code signing certificate for their internal use. But within an enterprise it might also work to sign code with a certificate that is only trusted within the enterprise's own enterprise machines. Remember that many enterprises already install their own TLS web root certificates on all internal workstations so that their networking middle boxes are able to intercept, decrypt and scan everything that enters and exits their network. You can't get on the enterprise LAN and get out to the outside world unless you have one of, you know, their own TLS cert in your in your enterprise workstation machine. So I could see that it would make sense to add a private code signing root certificate to all enterprise machines for use, you know, for their own internal use. On the other hand, if you're an enterprise, you may not care that much about what that you know. The very CAs have now chosen to charge for their for the privilege of signing code, although it does appear to be escalating over time. DGC wrote. Hey Steve, long time listener, but I'm a few episodes behind right now. In episode 1062 you said quote, we also see employees in positions of trust on internal enterprise networks being tricked into clicking malicious links and inviting malware inside the house. No form of fancy coding AI is going to fix any of those things. Then he writes, that may not be entirely true. I recently came across a new solution, Charlemagne, which runs on a desktop and monitors privately locally what the user is doing. It uses an slm, a small language model, to detect potentially malicious actions like lookalike websites, malicious links the user might click on, etc, and then warns the user not to do those things. So an AI agent helping a user avoid accidental bad actions could be helpful, no? To which I say could be helpful, yes, and I very much like the idea. As we were saying, you know, the talk that Leo and I will be holding during the Zero Trust World event is titled the Call is Coming from Inside the House. You know, that is obviously a metaphor for what I believe to be the biggest and most intractable problem facing today's enterprises. You know, stated as succinctly as possible the problem is over privileged users making mistakes? Though the term over privileged is typically used in a derogatory context, I don't mean it that way at all. I'm using it in its strict computer science context, where over privileged is the result of not following a strict least privileged model. The beauty of describing the problem as over privileged users who make mistakes is that it points us toward two solutions to the problem. Either we no longer over privilege our users, or we somehow arrange to prevent them from making mistakes. Whereas it might be possible to constrain what the employees of an enterprise might be able to do on the enterprise's network, a large part of the joy of using a personal computer is that its use is personal, which is to say, almost entirely unconstrained. We can do anything we want with our own machines. Since operating within a least privileged environment is no fun and would not be tolerated by personal computer users, that suggests that the solution for personal computer users lies in somehow arranging to prevent their mistakes something previously not thought possible. So to that end, I love the idea of some form of active client side local AI agent that carefully scrutinizes everything the user is seeing and doing and interposes itself between the user's actions and the computer system. Leo I and our listeners know how to examine a URL to detect trickery, but even the best of us are not always paying 100 attention. And even when we are, we might miss the use of of embedded Unicode characters to create a lookalike URL. Or in our haste, we might click a link without first carefully checking all the way back to the right of its domain portion to make sure that its top level domain is what we expect. So by all means, the idea of having an AI agent peeking over our shoulder and watching our back to help detect the things we might well miss. I think it makes all kinds of sense. And needless to say, I hope that it would totally, you know, freak out if its user were getting ready to paste the contents of the clipboard which was pasted from their web browser into their Windows Run dialog. So you know, if, if Microsoft wants to deploy AI Leo I would so much instead of having something recording everything I do, I would much rather have something watching, you know, running locally, not phoning home, but making sure I don't click a link in email. That could get me in trouble. I, I, I am 100 bullish and I'll bet you we're going to end up seeing that. You know, you and I have complained for years that that antivirus software has essentially become Passe, obsolete. You know, I don't know anybody who would install it now, except that they have a, have, you know, a loyalty to packages that they were using in the past. And so that has, has endured. I don't run any. I just, you know, I'm careful about what I do and I assume that Windows is going to find something and it never has, except it's found my own code, which is really annoying because, you know, that's just what it does. So I have, I've had to isolate a whole tree in my directory system in order to say, leave it alone. And in fact I discovered that in Windows 11 there's something coming called a dev drive because their, their own, their own AV has become so intrusive and such a problem that they've created. They said, okay, we're going to create a thing in Windows 11 called a dev drive where we're going to give you responsibility for what's there. Because they've had no choice. They're driving anyone developing on Windows crazy by their. Because in order to protect them, they have to delete anything on site.

A (129:41)

Right? I mean, it's becoming universal. Apple's going in that direction, Google's going that direction. Everybody's doing that. Code signing is the future, I think, unfortunately. By the way, I use Claude now to do security audits on everything and it's, it's very good at finding security flaws and fixing them. It's.

B (130:03)

We, we covered a couple instances of that last week where, where there was a guy who was running Claw. He had his, he had a WordPress site and server and had a bunch of WordPress add ons and had Claude checking them before he put them online. And in one case it found many problems and in one, it was a really bad problem that he was like, you know, really glad for. So we're gonna see a lot of cleanup on aisle nine, I think.

A (130:35)

Claude, clean up on aisle nine. Bring them up. All right, we're gonna take a break and then we're gonna go tong tuk do a little Klingon in just a bit. You're watching Security now, the early edition of Security now don't get your hopes up. This is, we're not, we're going to go back to Tuesday after this week. But for those of you who have a free Sunday and can watch the show, it's great. I'm glad you're watching live. We do this stream on YouTube and Twitch and X and Facebook and LinkedIn and Kick. And of course in our club, lots of people do like to watch live, but you can always download copies from a variety of places. I'll tell you where at the end of the show. Our show, this segment of the show brought to you by Out Systems, the number one AI development platform. This is for enterprises and it is so cool you see it happening. The agentic shift. I mean this, that's all we've been talking about since, since Claudebot. Right? We're moving beyond simple chatbots.

B (131:38)

Yep.

A (131:39)

Well, you know what? Outsystems is right there with you leading the agentic conversation. Outsystems helps businesses build AI agents that can actually do work, take actions, make decisions and integrate with data rather than just, you know, answer questions. Outsystems is solving the talent gap because there aren't, there just aren't enough AI engineers in the world. Outsystems empowers the developers you already have, the smart people you already have to build at an elite level. Outsystems is the secret weapon behind the world's most successful companies. And not just for, you know, small apps. They are for massive complex systems. They run banks, insurance companies, government services. Outsystems even helps companies with aging IT environments bridge the gap to the AI future without a rip and replace nightmare. And that is nice. They helped a top US bank, for example, deploy an app that lets customers open new accounts on any device, delivering 75% faster onboarding times. A global insurer. This was an in house app. They helped a global insurer accelerate the development of a portal and app for its insurance agents, giving them a 360 degree view of customers, enabling those agents to grow policy sales. And it really worked. Outsystems combines the speed of AI with the guardrails that you're going to want of low code. It's kind of a match made in heaven. It's the safest and fastest way for an enterprise to go from we need an AI strategy to we have a functioning AI application. Stop wondering how AI will change your business and start building the agents that will lead it. Visit outsystems.com twitch to see how the world's most innovative Enterprises are using AI powered low code to transform. That's O u t s Y-S-T-E m s.com twit to book a demo and see the future of software development. Very cool. Outsystems.com TWIT thank you OutSystems for supporting security now and now.

B (133:56)

Kong took so yes, I wanted to finish today's podcast by sharing a newly arrived spin on the click fix Attack, which we've discussed previously and which I, you know, has me really worried. Remember, that's the attack where the familiar captcha prove your human test is maliciously extended to ask its victim to please paste the contents of the Windows system clipboard into the run dialog and just press enter. Just trust us. Prove you're human by doing that. Right. In the newer form of this, which its discoverers. Huntress Labs. That's the name I couldn't remember at the top of the show. Huntress Labs, they dubbed this crash fix because the victim's web browser is made to appear hung, broken or defective, thus crashed. And as for the Klingonesque tongkuk. Wait, Kong Duke, Kong Tuk. It's the name Huntress Labs has given to this threat actor as which they've been tracking for the past year. So Huntress wrote. On January 26th, Huntress Senior Security operations analyst Tanner Philip observed threat actors using a malicious browser extension to display a fake security warning, claiming the browser had stopped abnormally and prompting users to run a scan to remediate the threats.

A (135:39)

That looks very credible. I would fall for that.

B (135:42)

Yes. That is that. That is why this is so compelling. This could come up and you would think, oops, okay, yeah, it's exactly what Microsoft pop up looks like. It says Microsoft Edge stopped abnormally. Then it says Microsoft Edge has detected potential security threats that may compromise your browsing data. Oh, that's not good. You would believe that. And then there's a run scan button and you think, oh, scanning is good. And then down below there's a checkbox checked by default. Help make Microsoft Edge better by reporting current system information. And of course you would think, oh, I, you know, got to prevent this from getting other people. So, I mean, again, is this all it takes?

A (136:30)

If you hit that button, you're done.

B (136:32)

No, no, no. Not. Not yet. Okay, so that's the good news. But. But it does, it does get you involved, right? They said. Our analysis revealed this campaign is the work of Kong Tuk, a threat actor we've been tracking since the beginning of 2025. In this latest operation, we identified several new developments. A malicious browser extension called Next Shield that impersonates, get this, leo, the legitimate U Block origin light ad blocker, but impersonates it by stealing its source code. A new click fix variant we've dubbed crash fix that intentionally crashes the browser, then baits users into running malicious commands. I, I forgot to mention, I don't. It doesn't make it that clear. Here they have script which, which does just bring the browser down.

A (137:33)

So that was a real crash.

B (137:34)

It was a. Yeah. Well, no, it was. No, because it invokes their dialogue next.

A (137:42)

Oh, but.

B (137:42)

But they do crash the browser.

A (137:44)

Your browser is dead. Your browser get their dialogue and it's credible because your browser's dead.

B (137:50)

Exactly. Yeah, exactly. So they said, ironically, the victim was searching the. The victim in who got effect who got infected by this. The victim, they wrote, was searching for an ad blocker when they encountered a malicious advertisement. The ad directed users to the official Chrome web Store's Next Shield Advanced web filter. Then they said the deliberate targeting of domain joined machines, which is what, what, what this thing ends up doing suggests Kong Tuk is is after corporate environments where a foothold means access to active directory internal systems and lateral movement opportunities.

A (138:38)

Home. Terrifying.

B (138:39)

Yes, it is. And look at this next page where you see the next stage of this attack, which is what you get after you click the. The sk. The scan button. Then you get the. The familiar Open Win, you know, press Win R, press Control V, press Enter. Bing, bing, bing.

A (138:59)

So that's interesting. So they put on your clipboard the malicious code.

B (139:04)

Yes.

A (139:05)

Oh, so you don't even see that text?

B (139:08)

Nope. All you do is follow the instructions.

A (139:10)

Oh, and the. But. Oh, there. Here it is again. Edge Fix browser hash.

B (139:14)

Yep.

A (139:14)

Huh?

B (139:15)

Yep. So they said home users on a standalone workstation receive a separate infection chain. So the infection chain they had. They have an enterprise INF chain and a home user infection chain. They said they received an infection.

A (139:28)

Sophisticated as hell.

B (139:30)

Yes.

A (139:31)

Good lord.

B (139:32)

It appears. Oh, and. And they said that the home infection chain appears to still be in testing. They said. When we got through all the layers, the. The C2, the command and control infrastructure responded on a home environment with test payload. Meaning it didn't do anything yet, they said. Whether this means non domain targets are lower priority or the campaign is still being built out. One thing is clear. Kong Tuk is evolving their operations and showing increased interest in enterprise networks. They said. So what are Crash Fix and Next Shield? The malicious Next Shield app is all the more diabolical by being a fully functioning working clone of the authentic open source UBlock origin Lite browser extension. So its users will be pleased with the ad and annoyance blocking behavior of the extension they've just found and installed. But after using their browser for a while, the bogus Microsoft Edge stopped abnormally. Display will appear with its Run Scan button. Upon pressing that, the user will be presented with a fake security issues detected alert and instructed to manually fix the issue by Opening the Windows Run dialog with Win plus R pasting from their clipboard Control V and pressing Enter, the malicious extension silently copies a PowerShell command to the clipboard, disguised as a legitimate repair command. When the user follows these steps, they unknowingly execute the malicious command. They said we were not about to blindly paste from the clipboard, so we tried copying the displayed command, which starts with edge xe fix hyphen browser space hyphen hash equals blah blah blah. Like civilized malware analysts, that's what they're calling themselves. Of course they are, they said. The browser's response a complete freeze. When your fix causes crashes, the name rights itself. Thus they named this crash fix before we go deep diving into how we ended up with a malicious pop up message, let's take a step back and look at how it got delivered. You've probably heard the recommendation to install an ad blocker to protect yourself from malvertizing malicious advertisements that deliver malware through legitimate ad networks. Our victim likely just wanted to get rid of annoying ads. Instead they downloaded a malicious one Next shield while searching for an ad blocker for Chrome. This header falsely attributes the code to Raymond Hill, the legitimate developer. As we know of UBlock origin and references a non existent GitHub repository. This tactic exploits the trust users place in well known open source projects. The actual UBlock Origin Lite repository is located at GitHub.com ublockorigin ubol Home not the URL referenced in this malicious extension. The Next shield extension is almost entirely they write a clone of Ublock Origin Lite legitimate extension by Raymond Hill. The threat actor likely ran a few find and replaces to replace every instance of U block with next shield. Okay, so then Huntress continues with their analysis of this latest discovery of theirs, but for us the takeaway is that the malware community at large has stumbled upon a fundamental security weakness of Microsoft Windows, which is its users comparatively script following level of understanding of Windows when set against Windows increasing power and sophistication, it's no longer useful to ask what can be done with PowerShell and. Net. The question is what cannot be done? That pairing you know powershell and dotnet comes to mind because you know, while I was assembling today's podcast I encountered other exploits which did exactly that and this one is also using a powershell command. It used native users invocation of powershell with a command they did not understand. They are just following instructions. Now that we're encountering a proliferation of similar abuses of powerful commands escaping the browser with Unwitting users blindly pasting and executing these commands that they did not write and do not understand. It should be clear that this story only has one ending. Sooner or later, Microsoft will need to step up to protect users from themselves, much as they did with the Mark of the Web, which flags files that were downloaded across a network. Files containing the Mark of the Web are treated much more cautiously and with skepticism by Windows. You know you're asked, are you sure you want to run this? This was downloaded from the Internet. The system's clipboard needs to be handled. Similarly, contents that were sourced by any web browser need to be quarantined. Like I said, there's only one possible ending to this trouble. This, this problem is not going to go away because users are not going to get better or smarter suddenly. Let's hope Microsoft does not wait too long before updating Windows with this change. I wish I believed they would act responsibly here. You know, we can hope. And I'll just note that creating a third party utility to fix this because I kind of thought well maybe this, I should fix this. That won't help.

A (146:23)

No.

B (146:23)

Since it's all of the people who would never know about such a utility.

A (146:28)

Right.

B (146:28)

Who need it the most.

A (146:30)

Right.

B (146:30)

You know, we don't need it. We listeners of the podcast. The only fix for this is to come. It's got to come from Microsoft as an integral part of Windows.

A (146:39)

Yeah. It's got to be built in.

B (146:40)

Yeah.

A (146:41)

Yeah. Or it's not gonna. Not gonna happen. Give your, give your folks Chromebooks, kids

B (146:48)

and I just had a neighbor as a matter of fact Laurie and I encountered him while we were taking a walk yesterday. He was, he, he, he's an ex engineer. He said I just got a Chromebook. He says I love it. And he said I can't believe how everything imported into it. I mean he was just blown away by it.

A (147:07)

It's all most people need, honestly.

B (147:09)

He is an Android user and so when he explained that he connected his Android phone, I said okay, well that helps to explain its importation at least.

A (147:18)

But Microsoft considered this with Windows S, they really, and they really. I wish they'd follow followed through. I think Apple, Microsoft should both offer Chrome OS like very restricted environments and then they can let those of us who know what we're doing use the less restricted environments. Yeah.

B (147:38)

Windows is way too powerful for most people. They don't need all of this. They get lost in directory hierarchies and directly privileges and basically you're, you're, you're running a machine you don't understand the operation of at all. And really today, who among us does? We have a deeper understanding. But I don't. I remember. We remember the day, Leo, when we actually knew what the files were on our own hard drive.

A (148:08)

We were editing our autoexec bats.

B (148:12)

And you remember my very techie friend Bob? You know, he was like, he was complaining. He like, I still know what everything does. And I said, well Bob, good luck with that.

A (148:22)

Not for now. Yeah, yeah. I mean basically that's what's mobile oss are, are highly restricted operating systems. They're not truly general purpose operating systems. Anything that's general purpose is going to be able to do anything, including run.

B (148:38)

I can't even use my iPhone anymore, Leo. No, it's got, you know. Oh well, there's just so much in there. You hold this. Oh you, you, you, you.

A (148:47)

It is, it's too complicated.

B (148:48)

You like slide something, you go three times to the right and click your heels and then you get a. There's a magic dialogue.

A (148:56)

Too many hidden things. Yeah. I spend many, many hours of my life looking through the settings trying to find, yes, setting that I want to change. And you know, it's just so hard.

B (149:08)

And remember that was the breakthrough from Xerox PARC of the menu.

A (149:12)

Right.

B (149:13)

The commands were discoverable. You could browse around and see everything and in fact that's one of the big changes coming in. The next version of the DNS benchmark that everybody will get for free is I put a traditional Windows menu on it instead of just overloading the system menu underneath the icon in the upper left left. It's so much better. It's like Gibson. Come on. Why did that take so long?

A (149:41)

Nice. Well, we'll look forward to that. That's a good reason to go to GRC.com that's Steve's website. It is where you find the two programs he sells his in. This is entirely how he makes his living is with of course the wonderful Spinrite, the world's best mass storage maintenance recovery and performance enhancing utility. And the new one which is the DNS but Benchmark Pro. It's only 10 bucks. 9.99 but boy, it really can make a big difference in speed. I've noticed lately. I gotta run it again because our, our DNS has become slow and it feels like the whole Internet slowed down. But it's not. It's just the lookup and fixing that can really speed up everything. So check those out@grc.com while you're there. You can get a copy of the show. Steve has a bunch of unique versions because he's a iconoclast. He's a. He goes his own way. He's got the 16 kilobit audio version which doesn't sound great, but it's small. Has the virtue of being small. He has the 64 kilobit audio version which does sound great. Is all you really need. He also has the show notes there which he prepares. I mean these are really complete. Highly recommend reading the show. Show notes around 20 pages, states 21 of. That's all the stuff you hear on the show with the links and everything in the. And the pictures. Highly recommend that. That's all. @grc.com he also has transcripts written by a human. Our transcripts are all AI generated because we're lazy. Steve is not. He gets Elaine Ferris who is a very talented transcriptionist to write it all down. And you can get those transcriptions a day or so after the show@grc.com you should also go to grc.com email if you want to register your email address. Steve will whitelist it and that way you can send him those great pictures of the week or ideas or questions. Grc.comemail and that's where you would sign up if you wish for the two newsletters. He sends out the weekly newsletter which is the show notes and then the very infrequent newsletter probably will send one out I imagine when you update the DNS Benchmark Pro. That's the product announcement newsletter. Both of those. Grc.comemail we have copies of the show at our website twit tv sn we have 128 kilobit audio. For technical reasons to having to do with Apple we have to make it a little bit bigger. So if you want a smaller get it from Steve. We also have the video which is unique. There is a website dedicated to that. Twitter TV SN our website. There's also a YouTube channel with a video that's a great way to share little clips. Do us a favor. Steve is now the number two most subscribed YouTube channel in the Twit universe. And I know he'd like to be number one. So subscribe.

B (152:32)

I was last week I was number one.

A (152:34)

Well Twitter, the general Twitch channel is number one. You're number two. You beat the Twitch show though, which is pretty good. Yeah, that's what I was telling you. Yeah. The Twitch channel itself is like the central channel that has 280,000 subscribers subscribers. So that's going to be a hard one to beat, but you're 76,000. I don't know if everybody subscribes. Who's listening right now? You get right up there. There's also, of course, it's a podcast, so it's in every podcast directory. Every podcast app should have security now, and you can subscribe there and you get it automatically, and that's nice. We do the show live for your entertainment, if you want the freshest version. Every Tuesday, normally not today, but every Tuesday, normally at 11am Pacific, 2pm Eastern. Now, the next time we do it, we will be in daylight saving time, will be summertime.

B (153:23)

So, yes, that happens next Sunday then.

A (153:27)

Yeah. A week from Sunday. Yeah. A week from today. Yes.

B (153:31)

Oh, today, yeah.

A (153:32)

March 8th. Yes. Right. Today is Sunday. So, yeah. So the next Tuesday we're going to be at 1800 UTC. We don't. We change UTC. It doesn't. But. But the math is so crazy, it's not rational, it's irrational. So watch us live if you want. We stream, as I mentioned, on Twitch and YouTube and X.com, facebook, LinkedIn, kick in, of course, in our club Twitt Discord. If you are not a member of Club Twitter, I do want to urge you to join because that is how we stay alive. It is not. It is not. It is not a luxury by any means. It's a matter of life or death. The club supports everything we do, about a third of our operating expenses. And it's a way of saying, hey, I appreciate what you're doing. I want to support it. And we do like offering it for free, ad supported for free because we want everybody to get it. So nobody has to pay. But if you can afford to, it'd be nice to support that that way. You're supporting Steve, you're supporting our team and you're supporting it for the free version for people who can't afford to pay. You do get some benefits, access to the club Twit Discord, which is always a hoot, if you will. A lot of fun in there. Some very fun people. You will also find yourself listening to special shows that we only put out in the club. But mostly you'll get. I get that great warm and fuzzy feeling that, you know, you've made some people at Twit very happy and you're keeping these shows on the air. Steve, I did find the clip that Anthony Nielsen made. He created this with a local AI, not even one of the big frontier models, but a Chinese model qn. That does a very good text to Speech. He says he only trained it with about two minutes of my voice and was able to make this little fishing recording. Hey, Burke, this is definitely not Leo asking you to buy gift cards, but seriously, can you grab me 100 Apple gifts cards? Just kidding. This is Anthony testing text to speech. How's it sound? Hey, Burke, is that. Does that sound like me?

B (155:38)

The. Definitely you a little bit different, but.

A (155:44)

But if you weren't paying attention or you got that on the phone.

B (155:47)

Yep.

A (155:49)

Pretty amazing.

B (155:50)

Yeah.

A (155:52)

Burke says order more again. Fools him every time. Hey, thank you, Steve, for doing a very special edition of Security now on a Sunday. I appreciate that. Thank your wife Lori, too, for letting us have you. No mimosas today. We had to do a show, but you can go have some now. Stay tuned. If you're watching live, 15 minutes away from this Week in Tech, our roundtable news show. We will be in Florida for the week. If you're going to Zero Trust World, catch us Wednesday, 5pm at the end of the day for a very special Steve Gibson presentation. It's coming. The call's coming from inside the house. I will be there as well. And we will stick around afterwards if you want to say hi, we'd love to see you. We'll also make a recording of that available on the Security now feed. So all you fans, you'll get two Security Nows this week. Steve, safe travels. I'll see you in Orlando.

B (156:48)

Thank you, my friend. Will do. See you on. Well, I guess we'll probably see each other Monday night or Tuesday morning, so.

A (156:54)

Yeah, the burgundy's on me Tuesday night for dinner. Okay, sounds great. We'll see you later.

B (156:59)

And everybody else on back on Tuesday per our regular schedule.

A (157:03)

Cool.

B (157:04)

Bye.

A (157:06)

Hi, I'm Leo laporte, host of this Week in Tech and many other shows on the Twit podcast network. Can you believe it? 2026 is around the corner. So this, my friends, is the best time to grow your brand with Twit. Nobody understands the tech audience better than we do. We love our audience and we know how to effectively message to them. We develop genuine relationships with brands, creating authentic promotions that resonate with our highly engaged community of tech enthusiasts. You know, over 90% of Twitch audiences involved in the their company's tech and IT decision making. Can you believe that 90%, 88% have actually made a purchase based on a Twit post read ad. No one comes close. We're the best at this. As one Twit fan said. I've bought from Twitter sponsors because I trust Leo and his team's knowledge of the latest in tech. If Twit supports it, I know I can trust it. You cannot buy trust like. Like that. Well, actually you can. You can buy an ad on Twitter. All our ads are unique. They're read live by our expert host, Micah Sargent. Me. We simulcast all during the shows on our social platforms so everybody could be watching live. You know one of our customers, Harun Meer, the founder of ThinksCanary, he's been with us since 2016. Since 2016, he said we expected Twit to work well for for us because we were longtime listeners who over the years bought many of the products and services we learned about on various Twitch shows and we were not disappointed. The combination of the very personal ad reads and the careful selection of products that Twit largely believes in gives the ads an authentic, trusted voice that works really well for our products. 10 out of 10 we'll use again. Thank you Harun. We love you. And it's been nine years. That's kind of. That's the proof, right? Partnerships with Twit offer valuable benefits including over delivery of impressions. You get presence on show episode pages. So there's a link right there that our audience can click on. We're in the RSS feed descriptions a link there too. And social media promotion. Our full service team will craft compelling creative to elevate your brand and so support you throughout your entire campaign. I work on the copy myself to make it authentic, to make it real. If you want to reach a passionate tech audience through a network that consistently over delivers, please contact us directly. PartnerWIT TV that's the email address. PartnerWIT TV. Let's talk about how we can help grow your brand. Or just go to Twit TV add advertise for more information. I look forward to working with you. Thanks for listening.