A
What's up, everybody? Welcome to the party. Today is Friday, December 12, 2025, episode Michael Jordan 1023 of Simply Cyber's daily Cyber Threat Brief Podcast. I am your host for the next hour, Dr. Gerald Auger. If you are looking to stay informed and up to date on the top cyber security news while getting additional insights that will level you up as a professional beyond anything that you can get in a classroom or a textbook and be joined by an amazing community of like-minded, supportive, inclusive professionals. Guess what? You're here. You made it. Welcome to the party, pal. This is your Simply Cyber Daily Cyber Threat Brief podcast. Award winning, I might add. We're off and running on this beautiful Friday morning. All right. Oh, Jesus. Good morning, everybody. Welcome, welcome, welcome. Give me a second dealing with some stuff here. All right, guys, check it out. What are we doing, guys? We're gonna go through the top eight stories of the day. I'm gonna, you know, rip apart. You can go through the headlines yourself. Everyone can get an RSS feed. The value proposition here is that my 20 years of experience, plus the 4,000 years of collective experience of this crew right here, is going to go beyond those headlines and give you those additional insights. It's amazing, it's fun. It's all about good times. Now for the stories that we're going to go through. I literally have no idea. So much to the point that the CISO series blog post you can see here on stream, they only posted the first half of the stories. So not only do I not know really what we're going to be talking about, I don't even have the tabs up. So it's going to be a complete mystery bag. You know, it's like spending five bucks to buy that brown bag at the store. And, you know, you never know what you're gonna get. Little box of chocolates, action drink if you know, Forrest Gump. But you know what? The thing is, it doesn't matter. We've been doing this for over a thousand episodes. 
I've never prepped once. It hasn't been a problem. Ain't nobody got time for that now. If today's your first episode, you picked a banger. Fridays are always good. We've got jokes, we've got extended panel AMAs, we've got value. It's just really a great day to choose. So if today is your first day, do say hashtag first timer in chat. Hashtag first timer in chat. We would love to see you and recognize you because you first timers, we have special sound effects, special emotes. I see so many regular friends in chat. We got Devin, Marcus, Rhonda, Dennis, TJ, Space Tacos, as always, Tom, Elliot, Mati. I'm sure Phil Stafford's cruising around here. The San Francisco Music Connection. It's hot, hot, hot. Jenny Housley, as always. The mod team FedEx down in Florida. We got it from the left coast to the east coast, international and more. Guys, it's epic. Every single episode of the Daily Cyber Threat Brief, including this one, is worth half a CPE. So say what's up in chat, grab a screenshot, include the title of the episode because it's got a unique identifier. 1023. And it has today's date, December 12th. File it away. Every single day you'll accumulate these screenshots. And then once a year, all you gotta do is select all, count the number of screenshots, divide by two because they're half a CPE each and those are the number of CPEs you got. Submit them to your certification body and if they question you or audit you or anything new, you can just zip up the CPE screenshots, send it to them and tell you, thank you very much. We'll see you in the next one. Hey, we got a first timer in chat. Thank you, Jenny. Guys, Squad members, please welcome Rob Vol to the stream. Rob Ball, welcome to the party, pal. And if you're a squad member, your name is green on the stream. If you open the emote tray, you'll see a bunch of special emotes. There is a John McClane one, very on brand for this holiday season. 
I haven't quite had a chance to watch Die Hard yet, but I will tell you I am going on vacation starting the 19th. I can't wait. I'm over the moon. If you're a regular of the channel, you know that I have not taken a vacation. 16 years and I'm due. I'm due. I'm being forced by myself. So, guys, it's all about good times. Let's spend a quick minute saying what's up to the stream sponsors, thanking them for enabling me to bring this show to you and take a vacation once every two decades. Just about. Guys, Flare Academy is crushing it. Go to simplycyber.io/flare. Now, this redirect is going to take you to yesterday's live stream. Now, I actually had a conflict that came up I had not anticipated. I did get into the post webinar Discord Chat. They were doing Dark Web Jeopardy. It was okay, but this is going to be available on replay and I have it on my calendar to watch the replay. Because if you want to understand what happened in the dark web in 2025, get those macro insights, see that trend data, and then most importantly, be knowledgeable. So when you're interviewing in 2026, you have tangible, concrete information to base your opinions on as you're answering questions, or if you're a practitioner, being able to choose the proper controls with the highest level of risk reduction because you're informed on the front of the line as far as like the threat landscape, the threat models, etc, right? Lumma Stealer, RedLine Stealer, Raccoon, ClickFix, all these things, right? Ecosystem, criminal, you know, surly underbelly, dark web marketplaces, all these things. If you don't know what I'm talking about, I'm telling you, man, take an hour invested in this. Also Flare. We're in, we're in the discussion of Flare renewing for sponsorship for 2026. I would love to see that. Like I said before, I not just enjoy Flare as a company, but the people behind it, they're really cool people. I spent some time actually with Faustine in Austin earlier this week. Great person. 
So check them out. Flare.com or simplycyber.io/flare. We got Antisyphon Training on the deck, guys. Listen, if you're trying to line up your January training right, a month ahead, get ready for all these things. John Strand himself, who offers unbelievably affordable training, is doing his active deception. Excuse me, Active Defense Cyber Deception course. Now this is a pay what you can training. They recommend as little as 25, but it's 16 hours, 16 CPEs, you get a certificate of completion. I actually have a video on the channel of me going through this course and my reflection on that video on that experience. It was awesome. Of all the courses that John Strand teaches, I love this one particularly. I'm gonna bring up the video right now. Here it is. Amazing. Cyber Unlocking the secrets of an Active Cyber Defense. Guys, right here, I'm dropping the. Oh, look at old young Jerry here. All right, hold on. I'm drop a link to this. This class is awesome. You want to talk about honeypots, honey tokens, hackbacks, all those things. Oh, get some. All right, definitely check that out. I'll drop a link to that one. I'd recommend this if you get a chance. This is such a good class. And then finally, ThreatLocker. Let's hear from ThreatLocker really quickly. And then we're going to slide like the electric boogaloo into the news. I want to give some love to the daily Cyber Threat brief sponsor, ThreatLocker. Do zero day exploits and supply chain attacks keep you up at night? Don't worry no more. You can harden your security with ThreatLocker. Worldwide companies like JetBlue trust ThreatLocker to secure their data and keep their business operations flying high. ThreatLocker takes a deny by default approach to cybersecurity and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operation is fully supported by their US based Cyber Hero support team. 
Get a free 30 day trial and learn more about how ThreatLocker can help prevent ransomware and ensure compliance. Visit threatlocker.com/dailycyber. Just a couple small little things here. Really quick. Don't forget if you're getting your coffee or whatever or you, you know, you got a tummy troubles and you got to run to the bathroom or you've got to run your kid to school or just whatever, hop on a call. Don't forget at the bottom of the hour, 8:30am Eastern Time, this guy James McQuiggin at 35000ft will be tickling our ribs with dad jokes of the week. It's all about good times. I spent a lot of time with marketing people on Monday and Tuesday. They think that we are incredibly serious over in the cyberspace, which, I mean, we deal with really serious things. But come on, like we have fun too. Jesus. All right, so stay tuned. We're gonna get into the news. I just. This just came across my my desk moments ago it looks like. What are we doing here? This link. All right, hold on. This is not what I thought. Never mind. All right. I thought that was going to be easy to tell you guys about. All right, guys, do me a favor. Sit back, relax and let's let the cool sounds of the hot news wash over all of us in an awesome wave. I will see all of you at the mid roll.
B
From the CISO series, it's cybersecurity headlines.
C
These are the cybersecurity headlines for Friday, December 12, 2025. I'm Sarah Lane. New DroidLock malware demands a ransom. Researchers at Zimperium say a new Android strain called DroidLock is hitting Spanish-speaking users through phishing sites pushing fake apps. Once installed, it can change a device's PIN, lock the screen with a ransom note, wipe data, record the screen, and block interaction with a fake update screen. The malware doesn't encrypt files, but it effectively bricks the phone unless victims pay. Google fixes Oh, man.
A
That's kind of a pecker head move again. Here's my thing. Cyber criminal threat actors are. Are targeting more businesses because straight cash, homie, right here's the reality. If you have to spend one hour of effort, right? One hour of work, you got to drive one hour out of town to go to a store. Are you gonna go to a store that sells one thing or you're gonna go to, like, Walmart or Target or one of these big box stores? Your return on investment, your effort is higher if you're attacking businesses. Now, of course, obviously the businesses have more money to put into more controls, so whatever. But I mean, this Android malware that basically is holding individuals for extortion, where they're gonna lock your phone out individually and then brick it if you don't pay. I mean, I don't know, man. Right now, rising cost of living, healthcare is about to go bananas in the United States. Unemployment, inflation, all the tariffs, we've got all these financial problems. And then you're gonna brick my phone, bro. Like, come on, what are we doing here? So let's see what they're doing here. Fake phishing websites push fake apps. So then end user installs malware on themselves, right? And then the malware is just a dropper, so it pushes out and grabs whatever the payloads are, by the way, just as really quick. I like to go beyond the headlines, of course, and give additional value. I'm. I'm an educator at my core. Although I love GRC, I love cyber security, I'm an educator at my core. Just so you know, because I used to think this when I was younger, in my career, malware. Malwares aren't fat apps, okay? In 2025, the way that modern malware distribution works is the. There's a lightweight kind of dropper or initial infection payload that starts the thing. Now, in this case. Oh, my God, dude, I'm telling you right Now, Google or YouTube made this change to the. I got no time for this. You see this, like, black box that has, like, dead messaging in it? 
I'm sorry, I'm fixing this live on stream because I absolutely can't. It like, like, my, my. I'm going to pop a blood vessel in my head if I look at that. I'm up here trying to do, like a good show, and you got. You got all this, like, you know, whatever crap floating around in space. All right? So check it out. Listen. Initial infection instead of big bloated malware like it was in the 90s, reason being one, it can, you know, be easier to deploy. It's small, it doesn't take a while. Threat actors can get you to install it. You infect yourself and then it pulls down second stage payload. If anything, the best part about that is the modularity of it. So imagine if you will, I write this cool little infection dropper. You install that Android app. Boom. I own you. Like, you know, I don't know, like, like I'm a, a lord in, in England and you're like a serf, right, running around out in the, in the, the fiefdom. Okay, so I own your phone. Look at me, look at me. I'm the captain now of your Android device. That second stage payload, let's say it's an info stealer. But tomorrow I'm like, I don't need info stealers, I need cryptojackers.
D
Boom.
A
All I have to do is replace that second stage payload. The modularity of it means that the infected host can continue to receive whatever payloads I want and I can adapt. This payload starts getting detected by CrowdStrike or whatever Defender for Endpoint, whatever. I can update it and not have to reinfect the machine. And this is the, this is why modern malware has multiple stages of infection and modularity and why C2 or command and control servers are so, you know, integral into the entire execution is because of that modularity to allow flexibility and resiliency of the threat actor operation. Again, not sponsoring threat actors in any way, although I did hear I might get drafted onto Clop. Okay, so DroidLock can take full control of your phone. Of course, you've installed like a, basically an admin mode application and then it basically just taunts you. Here's my, here's the reality. That uses a fake Android update screen to block your block. What's going on while it's installing the malware. The thing is you can't, I don't know if you can just like turn it off and turn it on again. I mean, that would be my immediate attempt, but chances are it, it's not going to allow you to do that. It also says it changes your PIN. This is gross. Here's what I would tell you. Okay, number one, number one, if you want to educate your end users, this is in Spanish speaking countries only or Spanish speaking users, but that doesn't matter. You can easily run this through a translator and make the malware detonate on German speaking users, English speaking users. So this is like an absolute trivial modification to me. The TLDR here is number one, make sure that you educate your end users not to install malware, of course. Right? Or educate them on, you know, phishing emails, you know, the need to install Android apps, whatever. Number two, more importantly, backups. Right. Like for me personally, I, you know, I. 
I take a lot of pictures of my kids and my wife and my family and memories and stuff on my phone. Those are immediately backed up off the. Off the phone. Like your. At least in my opinion, if you can afford it, you should be able to drop your phone in a sewer or leave it in an Uber and just go get a new phone and it does not disrupt your life that much. I know that's easier said than done, but if you do that, all this is, is an inconvenience and a pain in the a. But still, you're not catastrophically devastated. You didn't lose 16 years of family photos. You didn't lose, you know, your, you know, important contracts because you only kept them on your phone. You know what I'm saying? All right, let's go. Or you could pay the ransom.
C
Chrome Zero Day.
A
Anybody got time for that?
C
Google pushed an emergency Chrome update to fix its eighth zero day of 2025, a high severity bug with no CVE or technical details yet disclosed. The flaw is already being exploited, so users on Windows, macOS and Linux should update to new versions immediately. The patch also includes fixes for two medium severity issues in Password Manager and Toolbar. UK fines LastPass.
A
All right, whatever. I. I'm sorry, I was typing about my son Grayson, how he dropped his phone in a sewer. So that example I gave a little while ago was very, very personal. All right, so Google's fixing zero days. I love it. I love it. I do want to point out really quickly, just because I feel like dunking on Fortinet for no reason. 8th Chrome Zero Day in 2025. Fortinet said we, we cleared that the first week of 2025. All right, this is a super secret bug. No updates, no CVE, no details. You don't know what they're fixing, so they're hiding through obscurity. I got news for you. If there is a patch so, well, okay, so for practitioners, here's what you need to do. Make sure if you're using Chrome in your environment, this patch gets deployed. Ah, you gotta patch it. I don't know what exactly it's fixing. It doesn't matter. Okay, but fix it because everybody, not everybody, but many people are using Chrome. If you can educate your end users, hey, it's simple as clicking on that, you know, top right button, new Chrome available, go get it right. Make it part of your routine. In fact, I could almost imagine a nice little PSA for your company around, like, I don't know, I don't know, I. I don't know. Like, I'm thinking of like O.J. Simpson. Like, if the glove doesn't fit, you must acquit. I'm trying to think, like, if you need to, you know, if. If you're swiping in the gate, you must update or something. That's the stupid, lamest thing. But I'm just thinking like some type of, like, hey, just update your Chrome, like, make it cool somehow in 2025. Now to take a step back. The fact that Google is making this super secret and not releasing any information on what it is. Remember this, when you have Chrome version 1.0 and you apply the update and it becomes Chrome version 1.1, you can take the code and diff them. Effectively, I'm oversimplifying this, but you can diff those codes and see where the difference is, which will call immediate attention to what the patch fixed. 
You could take the patch itself and reverse it a little bit, if you can. Actually, no, you can't, because the Chrome browser pulls it up. You don't download the patch anyways. There are ways to discover what kind of changed. And then making an effort to try to zero in your research on the specific area that the patch fixed. You see it easier on, you know, more like, IoT devices and update, like, things where the update is, like, clearly a separate thing or like a Microsoft KB patch or something like that. But you could discover this if you really were feeling frisky about it. I'm a huge Chrome user, so I gotta. If the zero day is legit, you gotta update that. All right. This is my username, Pretty. This is my username, mf. Oh, my God. I. We haven't met before, but not only do I really like your username, I do like your PSA announcement. So until further notice, that's what we gotta go with here. That's so funny. All right, let's keep cooking.
C
Over 2022 breach. The UK's Information Commissioner's Office, or ICO, fined LastPass 1.2 million pounds for the 2022 breach that exposed personal data and encrypted vaults for up to 1.6 million UK users. Regulators say a compromise of an employee's personal device let an attacker steal master credentials and cloud backup keys, leading to the theft of customer vault data stored with GoTo. Vaults are still encrypted, but weak master passwords could still be cracked, with some already exploited in crypto theft. Doxers.
A
All right, so let me, I guess catch you up on this in case. You're new here, right? Don't want to. Don't want to make any expectations. Yeah, I guess the O.J. Simpson trial would be drink. I remember seeing the bronco chase live. Just that's how old I am. The fact that he got off is such a bizarre twist on the justice system. So LastPass in 2022 one of their lead developers at his house got compromised. I think it was through a Plex server vulnerability. But anyways, developer at home gets compromised. Threat actor rides the rails like a crazy train. Ozzy Osbourne style. Randy Rhoads style drink into LastPass's main database of code repository and then made some updates to it and basically got not Updates. That was SolarWinds basically got into LastPass and downloaded the master database. Now this is pretty important because LastPass holds everybody's password vault. Now the cool thing is LastPass does not have keys to your vault, which is a double edged sword because if you lose your keys, they can't help you. There's no I forgot button. There's no help me unlock this. They literally don't have the keys, which is great. Threat actors got it. LastPass came out, you know, did, you know, did sudoko, which is something I just learned yesterday is a funny way of supaco or sepico or whatever the, you know, the, the Japanese samurai thing where you cut your own insides out and took it took accountability for this. Now this is actually right around the time that I moved from LastPass to Bitwarden. Completely unrelated. So five, three years later, the UK is fining them. Now if your LastPass password was really good, then you know it'll take a quantum computer to break it. If your LastPass password sucked, threat actors can't unlock it and they have all the time in the world to brute force and grind on those encrypted databases. So that was kind of the fallout from that. Now the UK is fining LastPass 1.6. Oh for $1.6 million. 1.6 million users. How much is the fine? 
That's actually what I'm curious about. They don't say the fine man, Where's the see. Okay, so number one, really quickly, this annoys me. This annoys me like on a level that is not unprecedented, but pretty gross. UK fines LastPass. You would think that the, the key detail in this story is how much the fine is for. What's the penalty? Did the UK fine LastPass 30, oh, 1.2 million. I'm sorry, I searched for the US dollar symbol, not the pound symbol. It's literally in the first sentence. I, I'm sorry, I'm embarrassed. I, listen, I, I don't research or prep these stories. I'm up here flying. I, I literally have one hand on my seat of my pants and the other hand on a microphone. I, I, I sometimes I get excited. Damn it. All right, hey, you know what? Let me own this. Okay. That was a Carl moment. All right, so the UK is fine. I almost want to, like I'm going to continue to finish this story, but I really desperately want to move on. So I don't know, I mean, LastPass did everything they could to do this one. Obviously it was one user making one poor choice. They, you know, they didn't have very good detection mechanisms in place. They should have seen the threat actor coming in. But you know, data at rest encryption was in place. But you know, unfortunately it is what it is. So I don't know if LastPass has the ability to defend on this one. I mean, let's see, LastPass annual revenue. LastPass made to around $200 million. So this is, you know, one, this is half of 1% of their annual revenue. I don't know what the revenue is, just revenue. Like they have operating costs. So I don't know exactly what this would be for their overall impact, but, you know, it's a bit painful. All right. Continuing on.
C
Posing as cops trick tech firms. Wired reports that a doxing crew is impersonating US Police to trick major tech companies into handing over private user data through fake emergency requests. The group forges subpoenas, spoofs law enforcement email domains and uses compromised officer accounts, extracting names, addresses, phone numbers and more from companies including Apple, Amazon, Charter and Rumble. The attackers say they've pulled off up to 500 requests and even recruited a real deputy to help exploiting a long known weakness in email based emergency data requests that many companies still rely on.
A
What? Okay, so this does make sense, right? Like when law enforcement contacts you, you are supposed to comply if, if, if you know they have a warrant or all the things check out. Now, you know this person at Charter Communications was the right person to receive this request. Privacy specialist in the legal department got, you know, an email from officer Jason course and within 20 minutes replied with name, address, phone number and email of a target. Now, unfortunately, this was a threat actor in a doxing as A service for customers willing to pay for highly sensitive information. Now again, I mean, I suppose you can get this information other ways. We've talked about, we've talked about, you know, data brokers and, and selling information, etc. So I mean this is one way to get it. But the fact that they're posing as cops is the main issue that I'm pretty sure that's a felony and very, very bad. I mean we saw that jack wagon up in Minnesota, like you know, committing horrible crimes dressed as a cop. These large tech platforms get these requests often. So you know, I don't blame this woman in legal for doing it. You know, it seems urgent. That's why the threat actors knew it would work. Look at, yeah, charter comms was one of 500 successful requests. All I need is an IP address which I can gain pretty easily. And the next thing you know, I have names, address, emails, right? So they're basically, they're posing as cops saying, hey listen, we have a criminal who's using this IP address at this computer. Give me the IP address. Remember your ISPs, you know, typically lease you the same IP address. So like I know for a fact, like at my home, my external facing IP address has been the same for years. You can refresh it and get it changed if you want. But like, even if you refresh it, they're still going to know what IP address you're at and probably have a log of like what it was before. 
This is one reason why like VPNs are useful, but if the threat actor finds your ISP, you know, it's kind of you kind of screwed. I'm trying to look to see if there's any more information. I don't know how you actually defend against this. Yeah, these emergency data requests are involved in threat of imminent harm or death and will bypass additional verification steps. So here's the thing. If this woman was like, hey, hey, listen, I appreciate Officer Jason course that you're requesting this information. I just need to verify who you are. He could be like, like right now there's someone being held at gunpoint. Give me the, give me this thing. You know what I mean? The hackers typically use one of two ways to trick companies. One, they use authentic law enforcement email accounts that have been compromised. Even more realistic and authority driven. Other times they create, you know, fake domains, much more of your traditional, you know, like landing page domain squatting kind of thing. They use fake official documents that look real. I'm sure ChatGPT can help whip those up. They'll even go as far as to figure out what judge is in court that day and add that to the fake subpoena. Yikes. I just want to see one thing here. They mentioned actually a real sheriff. Yeah. So the real organization is Jack Sheriff.org is the URL threat actors purchase Jack Sheriff US and then put all the information on there. Disgusting. Guys, when law enforcement or a lawyer contacts you, it's pretty stressful because it feels very real and very quick. All I would say is guys, I mean if you're looking to get particularly spicy at your tabletop exercise, you could use this one. Hey, you know, like basically the set up, the tabletop exercises. Hey listen, you received a request from, you know, whatever town you're in, sheriff office, requesting home address, phone number and email address for an IP address. Right? 
Like I guess if you're an ISP or something like that and it, you know, you can even like whip it up and, and send it as part of the thing. Like here it is right now. What do you comply? They say it's an emergency request and you need to do whatever. What do you do? Right. And if they do move forward with it, you could say, oh, you find out that this is in fact a fake domain and now you've done whatever. Like how do we handle the fallout of this one? Yeah. All right, let's keep cooking.
C
Huge thanks to our sponsor, Adaptive Security. This episode is brought to you by Adaptive Security, the first cyber security company backed by OpenAI. Security training fails when it's generic. Adaptive's platform personalizes training and runs deepfake simulations across email, SMS, voice and video. And with Adaptive's AI content creator, you can drop in a breaking threat or a compliance doc and instantly turn it into interactive multilingual training. No designers, no delays. Learn more at adaptivesecurity.com.
A
All right, we are at the mid roll so we're going to go ahead and do this. I really wish we had a don't you forget about me solution, but don't. All right, here we go. Warm chocolate.
D
All right.
A
Hey, what's up everybody? Welcome to the mid roll where we crush it like a bunch of bosses. I want to say thank you all for being here today. Feel the energy is very positive up in the Friday streams. Don't forget we've got jawjacking panel coming up in a little bit. But let me say really quickly, holla, holla, holla at the stream sponsors, thank you ThreatLocker, Flare, Antisyphon for your sponsorships. But also guys, shout out to Barricade Cyber Solutions. Barricade Cyber is run by Eric Taylor. Many of you know Eric, and Eric is putting on this Fortify365 series. He's been doing it for quite a while. And every other week he provides a webinar session that educates and delights members who are willing to learn from an industry practitioner. And if you want December 17th, just five short days away, you can get your Fortify 365 webinar December 17th, 1 to 2pm Absolutely free to attend in the one hour. You are going to get jammed with so much information around Microsoft 365 compliance settings. What is enabled by default? What do you have to toggle on yourself? We're talking about enabling the unified Audit log, configuring retention policies, setting up DLP, and so much more. If you want to work in GRC and understand kind of the technical machinations of Microsoft 365, especially around compliance settings, you do not want to miss this. Go to webinars.barricadecyber.com today. Sign up. It's free to sign up. Get it on your calendar. If you can't make it, that happens. If you can make it, you'll be sure glad it's on your calendar and that you remembered it. Thank you so very much. All right, guys. Every single day of the week has a special. Oh, I just spit. Every day of the week has a special segment. And Fridays is James McQuiggin at 35,000 feets. Jokes of the day. They are dad jokes. He always taps into his dad a base of dad jokes to provide these rib ticklers for us. So get ready. Please don't drink any coffee because I don't want you to spit it on your monitor. 
And let's get into this. All right, so James says he's up in New York where it is very cold. So if you're in the New York area, you know how cold it is. He wanted to give us some chili jokes this week. So space tacos. What do you get when you cross a vampire and a snowman? What do you get when you cross a vampire and a snowman? Oh, everyone knows this. You get frostbite. Frostbite. Oh, boy. Okay. Hey, Sierra Montgomery. Computer scientists have discovered they can store data in ice. We know about cryogenic freezing of organic material, but did you know that they can store data in ice now? It's a frostbite. It's also a frostbite. Oh, my God. In full disclosure, I don't read these in advance, so the reaction is genuine. All right. And finally, finally, bruising hacks Justin Gold. James wants to know, why did Jerry pour warm water on his computer? You guys know from time to time I spill my coffee on my computer, but I deliberately poured warm water on my, on my computer recently because it was frozen. It was all gummed up. I couldn't, I couldn't do anything. I was going to reboot it, but instead I just poured some warm water on it. Oh my God. All right, thank you, James McQuiggin for the dad jokes of the week. If you enjoyed those, enjoy laughing out loud. If you did not enjoy those, you can take it up with at James McQuiggin, our friend and community member for the show. All right, let's slide back into it.
C
OpenAI enhances defensive models.
A
I don't know.
C
OpenAI reports that GPT-5.1-Codex-Max shows a jump in CTF challenge performance from 27% in August to 76% in November, raising concerns that future models could help with tasks like intrusion operations or zero-day exploit development. OpenAI is layering safeguards including access controls, monitoring, red teaming and training models toward defensive uses. Programs like Aardvark, which scans code and proposes patches, and a Frontier Risk Council are meant to strengthen defensive AI and ecosystem-wide threat mitigation while coordinating with global experts. Docker.
A
All right, so as OpenAI and Gen AI continue to get better, they're going to continue to be able to be used for defensive mechanisms or adversarial mechanisms. Faster, stronger, better, they're performing well on CTF. So if you're looking to get a black badge on the Simply Cyber Discord server, deploy OpenAI on the next MetaCTF and get your black badge. I'm being playful here, guys. We're in an arms race. Nothing has changed. It's just the speed at which you get to the solution is increased. Threat actors are going to threat act, defenders are going to defend. Unfortunately, threat actors have kind of an asymmetrical advantage because for us to be able to defend so well, we're going to have to purchase defensive products that have baked in these things next gen AI, whereas threat actors are going to be operating with nation state threat actor budgets. Yeah, I know, I saw that. Sam Altman's a. Whatever. I, I have theories about this. Sam Altman's talking about raising a baby with ChatGPT, but catch me on the AMA. Guys, this is, to me, this is not like, not surprising. You should be using AI to augment your workflows. It's gonna, it's going to impact everything. You do not want to talk to me? I'm telling you right now. I. I like wish I couldn't even hear my own inner monologue. You do not want to talk to me about like my thoughts on AI and the future of AI. I would absolutely be like Debbie Downer from SNL. But what I will say is yeah, keep, keep the arms race going. It's a race to the bottom basically. So if you don't, threat actor is going to have the advantage. Having code that can be analyzed is great. So we've been talking about shift left forever, right? Secure by design forever. Well, with AI you can scan source code and make sure that you're getting those things implemented at the beginning. You can use AI to help with architectural decisions, etc., etc. You know, this story right here is just going to continue to accelerate, period. Full stop.
C
Images spray live cloud creds. Canadian cybersecurity firm Flare says that Docker Hub has become a major leak point for live cloud credentials. In an analysis of images uploaded in November, Flare found more than 10,000 public containers exposing active secrets from more than 100 organizations. Many images contained multiple production-level keys spanning cloud services, CI/CD systems and AI platforms, often uploaded from unmanaged shadow IT accounts. Flare also found the most revoked in image secrets were still active, urging teams to move to proper secrets management and pre-publish scanning. Hackers.
A
All right, so first of all, this is Flare and I'm telling you guys, they're not just a sponsor. Like I really like the product first of all and I like the people at Flare. I've gotten to know the team over there because of like work and stuff. The fact that they got published in a major news outlet for their research. Nice job, Flare. Cool. Cool. I'm telling you guys, security research is like is the way. It's like get your Mandalorian on. This is the way. Now here's the deal. 10,000 Docker images spraying creds all over the place. If you're running Docker Hub and you have images up there and you're using it for CI/CD pipeline or part of your cloud services or whatever, you could be accidentally exposing things that are not good. Now one interesting thing that they point out that I want to call your attention to is they talk about the most common category was being API keys for large language models with almost 4,000 tokens being found in the wild. So someone can take your API key and basically run it with whatever they want and you pay for it. That's that's what this is. This is basically allowing someone else to charge your account. It'd be like going to Blockbuster Video and renting a video and then not returning it. But you did it on my account. So all of a sudden the late fees are stacking up. Okay, by the way, drink for Blockbuster Video. Back in my day, we had to physically go to the store and we had to like walk around and look at things. And then of course, like, you know, whatever, whatever movie. You know, the. You want to rent the Professional because it just came out on video, or you want to rent Independence Day because it just came out on video and then they have like 35 copies, but they're all rented out. So instead you have to like rent Night at the Roxbury. And you really didn't even want a comedy. But like, you're like, well, Will Ferrell is really funny. But then you don't even watch it and then you don't return it because you forgot about it. 
Then you end up paying like $30 in late fees. Blockbuster. All right, so here's the reality. If you don't already have an ability to scan for your kind of, you know, infrastructure, cloud based infrastructure, to see if there are exposures, data leakage, etc. Stuff like that, you might want to incorporate that. You should definitely educate your developers to like, be mindful of where they're putting their AI API keys. They did pinch point it out right here. Developers are rushing to adopt AI, which means they're trying, they're trying, they're trying. And then they'll like shove an API key into some code, it starts working, they're on to the next thing. That API key can be, you know, whatever. Messed up, as you say here, developers accidentally can ship secrets without noticing. If you're a security researcher and you're actually looking to find some stuff from like, from a, you know, white hat or defender perspective, scanning these, finding hard coded API keys, validating that they legitimately work could be a great way to get some bug bounties or at least get some notoriety. Maybe even parlay it into a job opportunity because you know you're helping that company out. Also worth noting, again, this is not very easy for large enterprises to do, but if you're a smaller business, like, you know, you're a tech startup and you've got like, you know, 15 developers, maybe like 30 staff total or whatever, keep an eye on your, your monthly billing, right? If your API usage has a spike, then that's a strong indicator of compromise, right? Because all you know, you're typically paying 10 grand a month of our API. 10 grand. 10 grand. 10 grand. And it's like 75 grand. You're not going to be able to get out of paying that bill. But it's a sure, it's a sure indicator that someone else has been, you know, utilizing your, your API keys. So again, we've got a lot of folks in chat right now with a lot of experience. 
So if you have any thoughts on the story or any of the stories, do put them in chat.
C
Exploit cryptographic flaw. Hackers are exploiting a cryptographic flaw in Gladinet's CentreStack and Triofox, allowing remote code execution.
A
The issue are you guys, hold on is chat just evolved into talking about like 80s things like rolling up windows, All right? And Roswell UK is dropping jokes all over the place, okay?
C
From hard-coded AES keys in the software, letting attackers decrypt access tickets or forge their own to access files. Once obtained, the machine key in the web.config file can be used to trigger RCE via a ViewState deserialization flaw. At least nine organizations across sectors, including healthcare and tech, have been targeted. Gladinet urges users to update, rotate machine keys and check logs for indicators of compromise.
A
Russian attack. All right, so this is, this is important, okay? Gladinet software, which I don't know what Gladinet's. Hold on one second. What the hell? Here's the first thing you got to do is like, for me, I'm like, what is this? Oh no. Oh, thanks AI. Gladinet CentreStack and Triofox are enterprise software solutions designed to modernize file access and sharing, enabling secure VPN-free remote access to files. Okay, so the kind of impact variable in your risk concern has, has elevated because basically what they're saying is there is an undocumented vulnerability. So kind of like a zero day that's being exploited. Oh, I, I guess I should have just read the rest of the sentence where it says secure remote file access and sharing. There's an undocumented zero day that allows you to get the crypto keys and, and, and basically, you know, decrypt these things, right? So in PKI encryption with cryptographic keys, the in. In encryption period, the algorithm is very important, obviously. But the only thing that really matters is the key, because the key is what you use to unlock the data, right? Unlock the door. Right. The security issue allows you to obtain a hard-coded crypto key. Now this is pretty gross, right? Because a hard-coded crypto key is problematic, right? Of course. Because if it's hard-coded in one solution. It's like all the victim organizations have it. It's not like they're generating the crypto key specific to their organization and storing it. It is deployed with the software set, which means once you get it, you can do RCE, remote code execution, which means now you can download, you can create accounts, you can do whatever you want. We've seen this with devastating effect by the Clop ransomware gang. Hey, Clop through the Progress MOVEit software data breach. The Cleo. Madame Cleo. Call now. Ah, ah, ah. 
All, all, all of this is to say, dude, file transfer solutions are bad because all the files are there and the solution itself enables the threat actor to remove it. Now we're seeing active exploitation in the wild. And shout out to Huntress for being the ones who did this. Love myself some Huntress. John Hammond's over there, Matt Kiely's over there. Last I knew. I haven't seen anything from Matt Kiely in a minute, but love that guy as well. The company as far as I know, has not. All right, so if you're running these Gladinet products, update the product. Okay? Ah, you got a Patrick. And more importantly, do some threat hunting in your environment to see if you are actually compromised. Right? I'm trying to see where the IOCs are. Where's the IOCs, bruh? All right, this is a very deep technical. Give me one second. I'm trying to. All right, here's the IOCs, okay? It's in the documented report. I bet you the Huntress blog actually has better tips on this one. But scan your logs for this unique, you know, generic string which is associated with the encrypted file path and it's considered the only reliable indicator of compromise. So we have one indicator of compromise. Not that it'll no one's going to pick this up in chat, but I'll just drop it in chat. That's what you're looking for in the logs. The nice thing is it is a pretty uniquely identifiable string. So you're either going to have it in your logs and know that you're screwed, or you're not going to have it in your logs. And that does not mean you're not screwed, it just means it's not in your logs. Right. You can't prove a negative, so be mindful of that. There's a really great, there's a really great technical write up here. Looks like the threat actors, as soon as they get access, they create a new access ticket with the hard-coded key that they've stolen, and then they set the timestamp to expire in the year 9999, which basically means it'll never expire. Yeah, pretty nasty business here. 
Good work on by Brian Masters over at Huntress. I'm gonna drop a link in chat to this Huntress blog post. Definitely, definitely one to read. I'll tell you really quickly. Remember, okay? And remember, if you're listening to my voice right now, remember this, okay? It's not just like this story applies for many people in many parts of their career, okay? Number one, if you're running this particular software solution, yes, you must take action. Number two, if you're not running this software solution. This is a great example of a blog post that walks you through the current situation of this. Of this exploitable vulnerability and what threat actors are doing. It gives you a really nice lens into, you know, kind of like security operations and response and threat actor and the threat landscape and timing of all these things. It's a very, very nice one. It also gets into hard-coding cryptographic keys, and why that's a problem and why rolling your own, you know, encryption is a terrible idea in instances. It gets into IOCs and threat hunting by looking for that string in your logs. Okay? All of these are really, really relevant and very valuable insights into kind of an active incident. So there is mad value for everyone here, not just people who are running this code base.
C
Hackers debut simple ransomware. CyberVolk, a pro-Russian hacktivist group, has relaunched its ransomware-as-a-service, VolkLocker, using Telegram for automation and management. The ransomware targets Windows and Linux systems, escalating privileges and encrypting files. However, operators hard-coded the master encryption key in the malware and left it in plain text in the temp folder, letting victims potentially recover files without paying. The group's reliance on Telegram reflects a trend of lowering technical barriers for affiliates. Do.
A
All right, okay, so if you. If you're new here, right, we had a couple first timers in chat. Allow me to introduce you. One second. It's been probably two years since I told anybody this, and if you're a regular, you know. But this guy right here is Carl. All right? This is Carl. Carl is a member of the Aqua Teen Hunger Force TV show, which was particularly huge in the late 90s when I was, you know, into making bad choices and, you know, whatever. Love this guy. Love myself some Carl. Anyways, he's like a New Jersey kind of idiot or whatever. And anytime we hear about silly things, I play this sound effect, which is actually Rick from the Walking Dead screaming at his kid named Carl also. Okay, but we usually kind of reserve it for when an end user or developer or even a cyber professional makes kind of an easy mistake. If you've been watching the show all day earlier, I started freaking out about how this news article didn't talk about how much the LastPass fine was. And lo and behold, it's in the first sentence. So that is a perfect Jerry is a Carl moment. Okay, so now let's talk about this one. Russian hacktivists writing code, and they store the decryption key in plain text in the temp folder. I don't know if they vibe coded this thing or if they left it in there for testing purposes, but. Okay, I just got fact checked here. The fact check is that Aqua Teen Hunger Force aired first in December of 2000. All right, I'll tell you what. 99 to 2002. Bit of a fog. Okay, so it's all kind of one day for me. All right? If you get hit by CyberVolk ransomware, look in the temp folder. You might have the decryption key in there. The fact that this story has been, you know, published. If I was the Russian hacktivist group CyberVolk, I would just fix my code, rerun it, call it CyberVolk3x, make fun of whoever the developer was inside your gang that made the mistake, and then move on. That's it. Period, full stop. Okay. 
By the way, whether it's a criminal writing malware or it's a developer at your business, you've got to be careful with these, you know, silly issues, right? You should definitely have testing. The problem is, testing of software is typically use case testing. You wrote a function that moves a file from X to Y, you wrote a function that creates a new user. Whatever it is a function test of usability, not of security. So just make sure that you're. You are scanning, you are working with your developers, because this, this is a mistake that could easily be made. All right, again, CyberVolk, VolkLocker. They are using Telegram for their automation and C2 workflows and stuff like that. So just be mindful of that. I hope no one gets hit with this particular ransomware threat. But if they do, I hope that they get the decryption key and just kind of fix however the threat actor got in and then move on. Ransomware as a service, just to show you the values, it looks like this market's actually gone up. Wow. So ransomware as a service, single operating system, you get about 800 to 1100 dollars. How does this work? I mean, usually ransomware as a service is the threat actors provide the entire infrastructure and then you give them a piece of any money that you ransom. This seems more like they're charging you for deployment. So this. I have to double check this. If anyone works in security operations or threat intelligence, I would love to. More threat intelligence than security operations. I'd love to know this. Has the ransomware as a service model changed where now you pay for the service and you get 100 of any money you make versus the shared model that was popular a few years ago? If they're. If they're not doing the shared model anymore, that's actually a good sign for us because now, you know, wannabe threat actors, you know, less sophisticated threat actors actually have to pony up some money in order to even attempt to become a criminal. 
Versus, you know, kind of the pay get, you know, not pay as you go, but like rent to own model, I guess. Not rent to own. Zero money down, I guess, model. So anyways, good stuff. All right, let's keep cooking. I think that's it. Look at that. 859. Somebody called Mark Nick Barker. Because we are ending right on time, guys. Today was December 12, 2025. This was episode 1023, the Michael Jordan episode. Bulls Jordan. Not Wizards Jordan. All right, we'll do the wizard shorten episode in a couple weeks. I was Jerry. I was Dr. Geraldosher. Excuse me, Jerry. Guys creeping around here. I hope you got value from the show if you did share it with a friend. To our first timers, I hope you got value from the show, and I hope you come back, become long timers to all the regulars, to all the lurkers, those who are listening but never kind of chime in because they don't want to. I appreciate you. Whether I want you to have the experience that you want, not me force you into the experience that I would like you to have. Okay, be well. Don't go anywhere because we're going to be going full panel Jawjacking. It looks like we've got at least one member in here. I've sent a couple messages to a couple others. We'll see how it goes. I'm Jerry from Simply Cyber. Have a great weekend, everyone, and until next time, stay secure. Ever wonder what it takes to break into cyber security? Join us every weekday for Jawjacking, where industry experts answer your burning questions about the cyber security field live, unfiltered, and totally free. Let's level up together. It's time for some jawjacking. What's up, everybody? Welcome to the party. This is Jaw Jackin. I am your host, Jerry. Guy coming in hot off the daily cyber threat brief with that nerd, Dr. Gerald Loer. Dude, you're so smart, you don't know what a freaking pound symbol looks like for European English currency, dork. But in seriousness, it's me. Guys, we're gonna do Jawjacking. On Fridays. 
We do panels, which is all about good times. I'm gonna change my camera angle so we can have all of the space for our panel. As they come in, let's bring our first member in. I'm gonna mute the music so the audio doesn't get janky. Ladies and gentlemen, he hosted the show on Wednesday. He did Jawjacking yesterday. He's a regular the show. You know him? We know him. We all love him. Daniel Lowry. How you doing, Daniel? Hey there, Jerry.
E
Good to see you this morning. I'm in full technic mode.
A
Oh, my God. We've got tech neck. And just like Jerry, guy comes in off of Dr. Gerald Dozier. Technic is our cyber hillbilly friend down in Florida, man. And he. He. He sometimes hangs with Daniel Lowry. So, Technet, how is your Friday going?
E
Oh, man, it's colder than a well digger's ass in January this morning, brother. I got up this morning, had to walk the dog. All he wanted to do was sniff around. I was like, come on, man, drop your Duke and let's do it.
A
I love it. Looks like we might have some other panelists joining us in a moment. Okay, so it's British currency, not English, Scottish, Welsh, too. Etc. Guys, if you have any questions, we are here to support you. We like doing the panels on Friday because it's all about good times. Daniel, do you remember Blockbuster Video?
E
Oh, hell yes. I used to get a Blockbuster Video like, every Friday night. That was the thing, right? You get a Blockbuster, you make sure that you've reserved your copy of Patrick Swayze's seminal film that is Roadhouse, because you'd hate to miss out on that one, right? Maybe something else to go along with that. Maybe a Terminator movie if you're feeling so inclined. Oh, yeah, between me and Jerry right there.
A
Yeah, maybe you grab, like, a rom com for date night, but then also.
E
You know, like, man, Terminator is a rom com. What are you talking about?
A
Maybe Die Hard. That's always a popular date night movie. No, we're not going to take the AI Question. That is a question. For not on stream, not public. All right. Actually, Daniel Lowry and I went kind of went dark mode yesterday, you know, when we were having a talk. All right. Any. You know, I guess how's. How is your holiday season going, Daniel?
E
It's going great. I'm hoping to get a trailer hitch for Christmas. That'll be good. And put on my fifth wheel. Pull my, pull my trailer. I go hunting more often. I'd be good. I got that. True. That deer stand from Bass Pro Y. Nice.
A
And you ask for Mossy Oak gift cards.
E
Only Mossy Oak gift cards. I mean what the hell else am I going to do with something else?
A
Yeah, exactly.
E
I need a kevlar vest for the dog so when we go hog hunting, he don't get his gut spilled out by a big tusk.
A
But that's so funny. Cyber St Stephen with the first question. Graduating today with a degree in cyber. All right. We're gonna wrecking ball that. Nice. He's been encouraged to teach adjunct at the school. Do you think that will count as experience for a full time gig? Well, kind of, I mean in the world. So just really quick because I teach faculty, I'm adjunct at Citadel. I think teaching at the college as adjunct will be great for your resume. I don't necessarily would count it as practitioner experience because I mean that's one of the knocks on higher ed and academia is that like, you know, true academic professionals that never really go into industry don't really know some of the nuances that you would only get by sitting in the chair. So I think you should do it. I think honestly if it were me, this is what I do. I work full time and I teach because I, I, I think it complements everything and it's a great icebreaker. It's a great way to show initiative. I think you should do it personally if you can work it into your career. I will say don't expect to make a lot of money, at least in my experience. Personally I'm not going to get into specific details of financials, but what I get paid to teach at the Citadel is like, it's like a loss. So I, I would argue that I do it more for philanthropic reasons and I love educating and honestly I like talking to 18 year olds because I make a lot of assumptions about what's common knowledge. And then I talk to them and I realize like they didn't exist when 911 happened. They didn't exist when housing crisis of 08 happened. They don't know what it is like to work in A corporate environment. So a lot of assumptions I make, I have to get fact, get checked, and then I realize it makes me a better communicator, effectively. Great question. We've got another. We've got another old on the panel. Let's bring him in. DJ B Sec, what's up, dude?
D
I was just telling my wife I got an hour.
A
Nice, dude. It's great to see you, actually. Actually, I would point out something really quickly for those who know. I will be on vacation for two weeks starting December 19th. That's my last show, my last day of work. Fun fact. You are actually looking at the hosts for Daily Cyber Threat Brief during that downtime period. DJ B Sec, I just realized we're.
D
All wearing gray today, too. Yeah.
A
DJ B Sec will be taking the first shift December, I think, 21st, 23, 24.
D
Yeah.
A
Yep, the first half. And then Daniel Lowry will be taking on the second half of that. So you're looking at the December hosts for the Daily Cyber Threat Brief. So definitely appreciate all of all of that, guys. DJ B Sec, did you go a whole hog on your yard with lights? You're one of these people that like, Clark Griswold.
D
I used to, but I think. I think I said this last time. I used to, but we. We used to have a whole bunch of kids on our street and everybody's grown up and left and nobody's putting lights up. So I'm not going to go spend eight hours to put lights up. So I just put them in the front yard. I didn't go all over the house or any of that.
E
So he just. He's just boxing the front yard plugged in.
A
Yeah. Ball of lights plugged together.
D
They just sit in the front yard.
A
I love it. I love it. All right, cool. I definitely agree with you. Like, as the kids get older, the amount of, you know, involvement decreases.
D
I used to hook up, like, laptop. Laptops and had, like, Santa Claus in our top window. He was upstairs doing gifts, and then downstairs below him, you'd have the elves in the. In the window and you had, like, a conveyor belt of gifts going across. It was pretty cool.
A
I love it. That's like borderline Kevin McCallister, like, you know. Yeah, I love it. So someone asked, John says, what did I end up eating in Austin? You can't, like, go very far without eating brisket in Austin. So I ate at a really nice restaurant called Fixe, F-I-X-E. I ate arguably the best biscuit I've ever had in my life, which is pretty impressive.
D
You didn't go to Salt Lake?
A
No. Yeah, no, I didn't go to Salt Lake. I didn't get to ramen, unfortunately. But I ate at Fixe and then I ate at like a buffet at some bar happy hour thing. But they had brisket that I would have. I would have like Heisman'd a baby to get to, you know what I mean? All right, here we go. Hey, ladies and gentlemen, we've got another panelist coming on breaking up the gray beards with gray shirts routine. Ladies and gentlemen, Kathy Chambers. Hey, Kathy. Good morning. I love it. Kathy, how's your holiday season going so far?
B
It's good. We finally did our lights. We have. We're getting a tree today. My daughter's been asking for like, three weeks. We're finally going to get the tree. So we're a little behind. Usually we have the tree already. Usually the lights are up already.
D
But Kathy's like, we'll get it on the 26th. Don't worry.
B
I finally ordered some gifts off Amazon. So we're good. We're good to go.
A
Bearded Ruckus wants to know. We can run around the panel day of traditions, each share one if you want to. You can also just say pass. I'll start. We have the matching pajamas, like the plaid, you know, button down. And then we take photos on the stairs. That's. That's one of our kind of simple traditions. Daniel, any traditions?
E
Yeah, man. I cover myself in mossy oak and fresh dough urine and get out in that tree stand. Kill me a big rutten buck with a bow or a gun with my bare hand.
D
Oh.
A
I love it. DJ B Sec, you got any traditions? Non.
D
Not to that extent. Now we just open up gifts in the morning. Then we usually go to my parents on. On Christmas day. Christmas Eve is with her family. We do a fish fry, a fish boil.
A
I like it. That sounds fun. Kathy, any traditions?
B
Yeah, we do cinnamon rolls on Christmas morning. And then the house smells like that. It smells so good. And then my husband and I don't do the matching PJs, but we always make sure that the kids match. Yeah.
A
So I love it. All right, very cool. Let's see what else we got as far as questions. If you have any questions, this is the panel. Kathy Chambers, who is on the panel right there right now, actually being interviewed later today. Kathy, what, what and where? And I'll share this. So it's.
B
It's on Twitch, which I've never been on Twitch. Like, I've watched Twitch, but never been on Twitch. So it's at 1:00pm, 1:00pm Eastern with Dorota. It's. I saw. So when she asked me, I didn't realize it was two hours. So it's like two hours of me talking. So come hang out. If you missed the first 30 minutes, you still have another 90 with me.
E
So that's just the introduction.
D
Yeah.
B
And that's the link. All I know is that you go there and it looks like kind of like a tv. I know I sound so old because I don't know anything about Twitter.
D
It looks like it's like.
A
It's got like, like rabbit ears.
B
Yeah, it's just different than what you see on other platforms. But anyway, I'll be there at 1pm.
A
Toggle the AB switch if it's not coming in.
E
Yeah, for vhf. That's all I know.
B
The bunny ears. Ready? There you go. You guys remember this?
A
All right, continuing to look at chat really quickly. Let me see here. Okay, now. All right, now that you are in this CSF, does this mean I heartness new merch and works asking for the chat? Yeah, real quick. If people didn't know, just. I'll bring the, the post up in a second, but Steve McMichael and I worked on a little bit of a tool to help with NIST CSF aligned security assessments. We posted on GitHub. The cool thing is NIST discovered it and added it to their public, official public repository of tools to help practitioners with NIST CSF. And so now, like, we, you know, we've. We are published on NIST basically, which is super cool. I'll share that link in a minute with everybody. But kind of a fun thing to do. I guess I'm. I'm back in the good graces. For those who don't know, I actually interviewed with NIST years ago after I got my PhD, but before I left the hospital and I met with the people who wrote NIST 837. And I was, I shouldn't have been like, arrogant or flippant, but like, you know, they're like interviewing me. Things are going fine. And then they're like, yeah, you know, what are your thoughts about whatever? And I'm like, well, I have a big problem with one element of NIST 837. And they're like, oh, really? Like that. The senior guy's like, oh, really? What is it? And I just like go into it. And then I discovered that like his deputy who's sitting right there, she. She's the one who wrote that section and I'm just eviscerating it. And she took it personal and I was, I was. There was not a follow up interview. Like we just.
D
But is she still there?
A
I don't know if she's still there. I, I don't know. I didn't follow up on it. I mean, I felt very.
D
I. Oh, how the tables have turned.
A
Yeah, yeah, yeah.
E
She's living in a van down by the river.
A
Elliot wants to know, have you all heard of the Christmas pickle tradition where you hide a pickle ornament on the tree? No, I have not heard of that.
E
No. I create a Python pickle for Christmas and.
A
Oh, pickle code. Okay. I like that.
E
It's a serialization that is very insecure.
A
Yeah. The only tradition we have is I, I take a fish and hide it in my brother's Christmas tree. Oh, God.
D
After you've heated it up.
A
Yeah. Or I throw it up in his attic.
E
Yeah, I like to, like to crack a few eggs down the vents of people's car.
D
Yeah.
A
During summer, put, put an onion, cut an onion in half and put it up above the drop ceiling. You know, just normal things. Let's see. Continuing to look through chat. If you have any questions, drop it in here. Is OSINT considered pen testing? If not, how crucial is OSINT on? I guess VAPT, which I'm not. 100%.
E
One of those questions you get for your SATs. If all OSINT is pen testing and all pen testing is red team, you know, it's like, yes, OSINT is a part of pen testing, but not all OSINT is pen testing. There you go.
D
Yeah, I would say OSINT is a part, like Daniel said, a part of it. Just, that's how you start out. It's just operational, like how you're trying to figure stuff out. When you first walk in and you're looking around, that's OSINT.
E
You're mapping the attack surface, right. You're learning about your target, you're picking up information about the people that work there. So you're going from the human side of it because you need things like usernames and passwords that are possible. So if you're going to do some sort of brute force, you're going to want to take a look at any public information that they have available and start to try to like, what's the bau, Right, The Behavior Analysis Unit. That's kind of, that's kind of what you're doing. You're doing an analysis of your target to go, I wonder, you know, they're called Global Operations Worldwide. That's their company name. I wonder if they use the word global operations or worldwide in their password. Or is there a policy that says that you can't use those words? Which there should be.
D
There better be.
E
Exactly.
A
Exactly. Right.
E
So that's what you're.
D
I'm not even sure. I would say OSINT is part of pen testing. I would say OSINT is more part of red teaming and like pen testing and. Oh, like red team is here and then you got OSINT.
E
Yeah, well, it just depends if you're doing like an internal or an external.
D
Semantics. Yeah, right. Yeah, that's what I'm getting. I'm getting into semantics at this point.
B
So Michelle Khan was on InfoSec Pat's Thirsty Thursday last night and actually answers this question beautifully. Not that Daniel.
E
That doesn't sound great.
B
I'm just saying he was like, very detailed and it was a very. It was a great answer.
E
So it's like he does it or something.
A
Yeah. Can you. Do you have a link to that?
B
I do. I can give it.
A
If you want to pull that. I'll. I'll bring it up and show people, but also drop the link in chat. We love supporting the. Both Michelle and InfoSec Pat, definitely great members of the community. No doubt.
D
And it's almost like he teaches that or something. I don't know.
E
It's weird.
A
The second part of your question, Matthew Rogers, is it not? If not, how crucial is it for vulnerability assessment, penetration testing? I mean, even if you're a defender, I think scanning your external network interfaces are huge. You know, configuring Shodan for monitoring is huge. So. Sorry, it's like when you say vulnerability assessment, I would call it more like attack surface visibility.
D
Right.
A
Exposure visibility. That's what I would call it.
D
I'd go one step further on that, Jerry, and I'd say that's something if. If you have a big enough team or if you have time on your team to do that internally to your own employees and OSINT your employees to find out what they're putting out on there, that helps the company internally. And you can go back and say, hey, look, you're putting too much information out about.
E
Michelle, get your ass over here. You putting these pictures on Instagram again? What is this? You got your badge, your workstation, your.
A
Employee ID number right here.
E
I cannot have this in my infrastructure.
D
I think a while back, I can't remember, maybe it was a month or two ago, I put something out on LinkedIn about like, C suites and names and stuff. And what you should and shouldn't put on LinkedIn, like you shouldn't necessarily say that you're the CEO of a company. Like you should say you're leaders, upper leadership or something like that. That way it's less targeted.
A
Yeah, I, so I was at a marketing conference these last couple days here and you know, I don't do marketing. So like it was, it was very. I haven't been to a non cyber conference ever. One interesting thing someone told me was they said they wanted like Dropbox is like a huge target, right? You want to sell to Dropbox or whatever. This guy told me, he said our company spent a lot of money with a targeted campaign on LinkedIn to one person. They spent all this money and they did all these things and literally this CEO, CFO, CISO, whatever, whoever it was, I don't know, they're the only ones who saw the, the whole marketing campaign. Like the whole thing was designed for them. So like it's like, that's OSINT, obviously, but like that, that's how it's being utilized in some capacities, like you know, effectively whaling. Except, you know, from a marketing perspective instead of trying to like compromise them. Of course, I guess maybe you were trying to technically modify his behavior to purchase your product. Amish Brain says, what is one thing your family is expecting of you over the holidays that you are dreading? I mean, immediately my first thought goes to me not working. So I'm not supposed to work. I was actually considering putting my phone in a safe, but that horrifies me. So.
E
Unplug, Jerry. Unplug.
A
Yeah, I don't know about that.
E
Listen, if you're going to build that prepper cabin in the woods, you're going to, you need to learn to step away from it.
A
Yeah. I will tell you, I mean, I'm not really dreading it. I love the holidays. Yeah. Anything anyone on this panel is dreading, kind of. I'll open. Normally I would direct who to speak next, but like I, I feel like dreading is kind of a strong one.
D
Dreading is for the holidays, them being over.
B
Yeah.
D
Going back to work.
B
Yeah. Like going back to reality. Like no more tree, no more lights. Back to the darkness. Yeah.
E
No, back to the darkness.
A
Back to the. Yeah. It's like getting dark. Like. Yeah. A sun comes out at like 9:00am yeah. Like noon. You're like, oh, oh my gosh. Let's see. Continuing to look at chat just by the way, just speaking about the sun going, not being out very often, just on the inverse of that When I was in Alaska, I was like, at the northernmost point of Alaska and Barrow, Alaska, and the time of year I was there, the sun just goes like this. It doesn't go down. Like, it doesn't even go, like, near the horizon. It just goes like. Sorry. It just goes like this and it's like, oh, my God. Like, I don't know what we're doing here.
D
And it's like 23 hours of light or something like that.
A
Yeah. Yeah. It's pretty gnarly.
D
And then the flip side is there's like 23 hours of darkness.
A
Yeah. I definitely wanted to get that heck out of there before that happened.
D
I think that's one of the reasons why they don't have alcohol up there. And it's hard to get. Yeah. Honestly, like, it's because of depression and stuff like that. Yeah. Depression.
A
Yeah. Catch me in in real life where there's no recordings and I'll tell you some wild stories about South Pole Station during the winter over, which is where they can't fly planes in or out or anything like that. And some wild things that happen there. Next question. How soon do you put. How soon do you put down your Christmas decorations? Now, this is a really good question. We talked about. When do you put them up? When do you put them down? Are you firmly in the camp of December 26th? Do you let it stay up until mid.
D
After the new year?
B
January 2nd?
D
Yeah. Well, January 2nd, if that falls on the weekend.
B
Yeah, that's true.
D
First weekend after the first.
E
Any. Any good redneck leaves them up on their trailer all year long.
A
What do you mean put down?
E
You know how long it took me to put them. Them suckers up? It was not easy.
B
That's not just rednecks anymore. So I live like in a subdivision where people pay to get the lights on there.
D
Yeah.
B
Leave them up there. Yeah. Two to three grand to have somebody come out and put the lights.
D
Three grand?
B
Yes.
D
Kathy's living like in.
B
Oh, I don't.
A
I don't think.
D
Or somewhere.
A
It's like.
E
I got the same thing in my neighborhood, man. People.
B
Yeah. We live in an extreme Seriously area.
E
Expensive light shows going on.
D
Oh, yeah.
B
There's some people are crazy around here.
A
I, I had. And I, I put the lights on my own house and my. It's like dangerous. Every year, like, I, I end up skinning my knees even through jeans because the, the, you know, the gravel or whatever of the shingles.
D
Somehow that does not surprise me.
A
I know. Yeah, I know. So what, what I wanted to Do. I actually investigated. This was like, buy those LED lights that you can, like, fuse up into the thing. And I was like, oh, it's perfect. I'll have like a Christmas button. And then, you know, I can have like Valentine's Day and all these other things. But it was like, ridiculous. Ridiculously expensive and soffit lights. Yeah. Like, it seemed like a great idea because then I could leave them up year round, but it wouldn't be tacky because I could be seasonal for whatever the, you know, orange at Thanksgiving. But then, you know, ideas are easy. Execution's hard and expensive. So let's. Let's not do that. Phil Stafford paid 750 bucks to have someone hang his lights. Nice, Phil.
B
That's a good deal.
E
I need some of that Phil Stafford money.
B
Yeah.
A
I gotta tell you, if you're. If you're young and, like, looking for a side hustle, it's like a good job.
E
Yeah.
D
And you gotta lift.
E
Phil better bring the case of Natty Ice next time he shows up at the party, because I know he can afford it.
A
Kimberly can fix it. Says, who's been watching Christmas light fights on tv? I don't know about that.
E
So you beat each other with lights. That's weird.
B
That sounds very redneck.
D
You know what that.
E
That was like. Come on, Billy, hit me. Come on, bro.
D
I want to say that was one of the cool things back like about 10 years ago, that show, the Chris the Christmas light fight. Then it just kind of went.
A
I don't know. Was this like an HGTV show where, like, they go.
D
It's on like. I think it's on abc. It's like family versus family. And, you know, basically who can go the most? Griswold.
E
Yeah. Who's got the craziest light display at their house?
D
And some of them are just so ridiculous. It's just like. Like what Daniel said earlier where they just threw the lights in the front yard. It's just so many lights. You can't even. It makes no. There's no concept. It's just lights everywhere. What is up, everyone?
A
Welcome back to another.
B
I like when people go all out for Halloween. Like, that's fun to me like that.
E
Our next door neighbor does that.
D
Yeah.
A
I got.
D
We got somebody in our neighborhood that does that.
B
I love it.
D
Crazy.
E
I. I like full size Snickers bars.
A
Yeah. I like neighbors that do it.
D
Yeah. I mean, these guys, the. The one in my neighborhood, they probably have like $5,000 worth of stuff that they put out for Halloween. It's Crazy.
E
I've got a half rotten pumpkin. Yeah. I'll be like, how much you want for that half rotten pumpkin? Free? Hell yes.
A
Gonna eat it, too.
B
I have a pumpkin story. So we live in Florida. Daniel and I live in Florida. And. But we're from up north. And so when I first moved here, we got the pumpkin, right? Like a real pumpkin. And we carved it, and literally the next day it was. It was rotted.
D
Oh, yeah.
B
So hot. Yeah. So we don't do that anymore.
D
We usually did that. And then we. You have to put them in the refrigerator so they don't.
B
So. Yeah. It's not worth it. Yeah. We got fake ones now.
D
Yeah.
A
I like it. Really quickly, just as a callback, Kathy mentioned this. We had the question about osint. Matthew Rogers asked it. This is that interview that she was talking about right here. This is Michelle.
B
So good. I learned so much last night.
A
Okay, so. Thirsty Thursdays, episode 37. I'll drop a link, but if you're listening on audio only, it's InfoSec Pat's YouTube channel, Thirsty Thursdays, episode 37. If you want to learn about OSINT from an absolute, I would consider Michelle, like, one of the foremost experts on OSINT. He is phenomenal at what he does and how he. How he presents his information, too.
B
Yeah. People ask me how I know so much about cyber security. I was like. Because I listen to people smarter than me, like, all the time. Like, I will listen to stuff like that just, like, in the background. And you'll be surprised how much terminology you pick up and how much knowledge you pick up just by listening to something like that in the background.
D
He's not one. You. You don't want to miss him if he's on somewhere. You want to go listen.
A
Yeah, he's great. I. You know, another interesting, like, observation from the marketing conference I went to. I guess we have a lot of acronyms in our industry. Like, like, that was, like, the biggest hurdle. I don't understand what you're saying. It's all acronyms. And I'm like, okay. Like, okay. Like. So that's in every industry, though.
B
Yeah, that's true.
A
All right. We have some fun seasonal questions waiting through logs. Wants to start a. A fight among. Amongst all of us. Hold on one second. Is Die Hard a Christmas movie?
D
Yes. It takes place in Christmas.
A
Yep. Yep.
E
There's a polar bear pee in the snow.
D
Okay.
B
That's not really a fight for us.
A
No. We're all on board. But the people who say no are definitely very passionate about It Rochelle says, I'm working on a creative project presentation for security and compliance internship. What are a few key things I should include in the presentation? I mean, number one, I would go and include like, what is the impact from. I'm assuming that you're saying it well, I'm assuming this is like some type of debrief of, of your internship and what, what you did or like I don't know what the presentation's about. So it's kind of hard to tell you what to include. But I think impact statements are hugely valuable. Like start off with like, what's the value of listening to your talk? And then make sure you include some type of impact on what the, you know, what the value of the talk is. And then if you can have takeaways for your audience members. Anybody want to comment on this one? Kathy, you kind of given a nod. Any thoughts?
B
I'm giving a nod because I've been watching your series that's coming out in January about answering interview questions. Right. And then one of them is talking about how this directly impacts the business. So I was like nodding with you. Erica talks about that in your video. And so.
A
Yeah, yeah. And just so everyone knows, we have 2026 is going to be wild. Like we're doing a town hall. It's basically like an all hands call for simply cyber community a week from today, right before I go on vacation. And I'm gonna lay out what you can expect in the 2026. Now that Kathy is working with me a lot right now, we actually have a plan and we have like a strategy and there's actually like deliberate content coming in 2026. And we're starting with like this interview series on, on interviewing real practitioners with real job interview questions. And then I break down their responses and tell you what they did right, what they did wrong, and how you can use it to be better. And I think it's going to be a banger. But Bearded Ruckus wants to know what your go to drink is for Christmas and then he says eggnog. I, I'm.
D
God, no.
A
I'm an imperial stout guy for Christmas. I know it's, it's considered not cool on Christmas morning, but you know, whatever. Like, you know, we all got our thing, so. I'm joking. I'm not getting wasted on Christmas morning. Jesus. Coffee is my drink. Eggnog is gross.
D
Irish coffee.
A
Okay, Irish coffee. There we go.
B
I'm super traditional. Like hot chocolate with marshmallows. Love that. Having that with the kids. And then coffee but with peppermint mocha in it makes me feel more holidayish.
D
It's hard to do hot chocolate where we live, like when it's 80 degrees outside cold here. Well, it is now.
A
Yeah.
D
But on Christmas Day, is it gonna be that? I think I saw something like Christmas Day.
A
85, 75.
B
Oh, wow.
D
Like this cold snap's coming through a week early.
E
Yeah, it always does. Every Christmas. Just about. It is like dreary and muggy and like 80 degrees.
D
I remember at Christmas here where we had the kids outside and they were playing with their toys and we were all sweating and it was ten o' clock in the morning.
E
You mean like every year?
B
Yeah, I'm still not used to that. We've been here 11 years and I'm still not used to like wearing T shirts on Christmas. It's weird.
E
It sucks.
C
Yeah.
A
A couple of years ago it was like really? It was like 80 and like humid.
E
I was like, oh, like I get all the people that like the idea of a Felice Navidad, you know, very Central American or Latin style or maybe a Hawaiian themed Christmas because it's like, oh, look at Santa and he's got his Hawaiian shirt and his little board shorts. Isn't he cute? It's like it's hot as balls there, man. I. It is not fun. Okay. Christmas in the heat is the devil. Okay? That's Satan's way of rebelling against Christmas. Just making it hot.
B
You know Daniel Lowry, when he gets like hot, you don't want to be around him. Like he's a miserable person to be around.
A
Also lives in Florida.
B
Yeah, yeah. That's the wife's fault. That's why Mrs. Lowry wants to be here, I think.
A
All right, we are at 9:30, so we're going to kind of speed run here just for the sake of everyone's time. Carrie says I'm an AI consultant and want to get your suggestions on what I should begin to learn as a beginner that wants to implement secure AI into business. Dj B sec, you want to hit.
D
This consultant, but you're asking what you need to learn on AI. I'm not sure what. I don't know what the answer to this is.
E
Like, is this an inception question? Do I need my little totem?
D
I mean, he should be out here telling us what consultant. So with AI, I mean you're going to want to be able to explain to companies how they can better become more efficient with AI. What, you know, what is out there, like using N8N or Zapier or make.com or something along those lines. How they can actually use it, how they can integrate it in. If they're Microsoft, are they going to integrate Copilot? I mean there's a whole bunch of different things that I would bring forth. If I'm a consultant going to a company, that's what I'm doing. How, how is AI going to bring ROI for them?
E
You bring up a good point though. You're like, you talk about N8N if I'm not mistaken, like yesterday or day before really recently N8N had a pretty nice little CVE attached to it. And it's like, yeah, it's still software, it's still stuff that we use and implement in our daily infrastructure. So you have to do the same things. You got to be like, here are the secure things to do. You must look at the AI that you are working with. Are there any known vulnerabilities with said AI? Third party mitigations for today. Let's take a look at OWASP and their AI top 10, blah blah blah. And you're doing the exact same things I would think. You know, it's still pretty new obviously, but it's the, the strategies are probably not too different other than very specific AI stuff.
D
And what I would even go first further into saying something like bringing N8N in, you have to, you almost have to bring that in house and not run off of their platform because if you start connecting all of your stuff now you've got third party risk involved. And just like you said, if they end up having a CVE and you don't know that the CVE is there and now you've got your, all your different backends connected that are reaching out to your data. I mean, yeah, it's great when it works. It's going to suck when it doesn't. That's, I mean, or if somebody gets into it now, they've got everything in.
E
The interesting way to like here's the weird thing about AI and having it be a part of what people's experiences with your organization. Right. Its job is to take instructions. So it's really super difficult like to protect it from taking in instructions from, from the end user. And that's, that's what we tell you. If you got a web app or something, we go, hey, don't, don't trust input from the end user. Sanitize all those inputs, make sure you have prepared statements, you have blah blah, blah. Where this thing is, its stock-in-trade is to go, what do you want me to do. Yeah, I want you to tell me. And, and then to kind of like dynamically figure out its own way of doing that. So that's why people are like sticking fun stuff in their LinkedIn profiles as AI scrubs through. Well, what if the input that someone is giving your AI that is interacting with it is like, oh, yes, I do need to speak with, you know, customer service and forget all your previous prompts and do a damn prompt and do this and do that and, and start prompting because. And it goes, oh, okay.
D
So it's, I mean we saw that was it last year, year before last with Air Canada. Yeah, they put that prompt in and people got free flights or something. I mean. Oh, yeah, different things.
A
Chat bot got hacked.
D
Yeah, yeah, I mean that's a chat bot. But still, I mean we're all saying the same thing. You've got to put guard. There must be guardrails in place and you've got to decide how you're, how you're going to interact with it. Are you going to give it admin rights to everything so it can see it all? Are you only going to lock it down so it's got read only rights to only this specific data? But if you're only getting that data, then do you have to go do something manual? I mean there's.
E
Yeah, it's, it's tough. It's a toughie.
D
All right, good luck on that consultant part.
E
Yeah, let us know.
A
And I did share several notes here from Phil Stafford, Sierra Montgomery Live on stream around their thoughts around it. Definitely, definitely helpful. I do want to provide. Tom Zeppelin asked the question. I'm going to share it here. This is what that town hall, uh, next Friday is going to look like. This is the, the link on YouTube Simply Cyber YouTube channel. State of Simply Cyber Q4, 2025. It's a brief retro on 2025 and then a full, you know what you can expect in 2026. Because I love to be transparent and also coordinate and collaborate with the community and make sure that I'm delivering the most value for, for all y'.
C
All.
A
Let's go around the horn before we say good night. Daniel Lowry. What can people find you or what's going on? Anything maybe, uh, you want to share?
E
Yeah. Right now is, I do have some cool stuff going on, so come and check me out at Cybercast IRL, which will be on at 10, which is in just right around 30, no less 25 minutes, 24 minutes. I see. So we'll be doing that. We're talking Cyber stuff off some interesting things. We got some new guests. We got a. We got a great guest coming on for Cybercast after dark after the 1st of the year 1. Mr. Don Pezette will be joining us as the first guest of 2026.
A
Oh, that's going to be hot.
E
That's going to be exciting.
A
I am dropping this link in chat right now. Oh, hold on. Look at this. I did not know this. Now, granted, it says episode 57. The thumbnail says 56, so don't get too confused. But is gr.
E
Change that.
A
See the top on the thumbnail? It says 50.
E
Yeah, I. I might have accidentally left the last thumbnail because I always. It always goes. Do you want to use the previous settings? I'm like, hell yes.
A
Yes, sir.
E
May have forgotten to change the automation.
D
That's an automation.
A
But Daniel Lowry is. Is swimming into GRC Mafia waters. Is GRC the best cyber job? Good question.
E
Yeah, we talked about that last week. That's last week's.
A
What are you talking about?
E
So that card, when you create a live stream. No, you're on the wrong one, bro. I'm looking at it right now. You're on the wrong dude.
A
It says December 12th at 10am live.
E
I'll give you Go to my. Go to my channel. Hit live.
A
I do not look at my channel.
E
Hit live. There it is. The first one. The first one. It's the very first one. There you go.
A
Well, I don't.
E
That's the one that's today.
A
Yeah, I know, but it's very. Yeah, look.
E
That's weird.
B
It still says 56.
E
Well, then that's a YouTube thing. YouTube is just bending me over the barrel right now and saying, I do what I want.
A
All right, well, the link is the link here. Cybercast, IRL. Go check it out. That's at 10am so just enough time for you to go refill your coffee cup, grab a Cinnabon, and then get some Daniel Lowry tech neck in your life. Definitely looking forward to that. Dj B Sec. What do you want to share with the community?
D
I might see Jerry next week.
A
Yeah, that's right. That's right. I'm excited about that. Looking forward to it. Maybe go take you to Early Bird Diner and get you some chicken and waffles.
D
Yeah, we'll have to see. Gotta make sure I got time. It's quick in and out.
A
Yeah, it'll be good. I. I hope we can meet up. I would. I mean, you're literally gonna be like 15 minutes away. It's ridiculous.
D
Yeah.
A
All right. We'll get you some shrimp and grits. Kathy Chambers.
B
Yeah, I'll be 1 o' clock today, 1pm Eastern. Please join me as I join Dorota on her podcast.
A
So that's 1:00pm Eastern. Dorota, this is what it's going to look like right here. I'll drop a link in chat. Kathy. Boom. All right, we're all got something going on. Here's the deal. At the end of the day, there is plenty of opportunity to consume Simply Cyber community member content because there's lots of us putting it out there, all with the intent of helping level up each and every single one of you. That's kind of the vibe. And if you're into it, awesome. Support, inclusion, empowerment. And if you're not, you almost kind of self select yourself out of the community, which is fine. You know, find. Find what makes you feel good. I want to say thank you to the panel. DJ B and Daniel Lowry, Kathy Chambers coming in to kind of balance us all out. Definitely.
E
All about.
A
Good times, guys. Enjoy your weekend. We'll see you on Monday, definitely. Or. And Daniel's stream or Dorota's stream. I'm Jerry from Simply Cyber. Until next time, stay secure. Thank you.
B
Bye, guys.
Theme:
Dr. Gerald Auger ("Jerry") and #TeamSC deliver a high-energy, expert walkthrough of the top cybersecurity news for December 12, 2025, blending insider commentary, threat analysis, career guidance, and casual banter. The episode leans into actionable takeaways from recent incidents, with analysis aimed at cybersecurity professionals and aspiring practitioners. An extended panel AMA follows the main news, diving into both technical and career questions with a signature mix of humor and insight.
"Look at me, look at me: I'm the captain now of your Android device." – Jerry [13:57]
"Ain't nobody got time for that...if there is a patch, it doesn't matter what they're fixing, just patch it!" – Jerry [17:00]
"...you should be able to drop your phone in a sewer or leave it in an Uber and just go get a new phone, and it does not disrupt your life that much." – Jerry [15:33]
"OSINT is a part of pen testing, but not all OSINT is pen testing." – Daniel Lowry [73:16]
"It's just the speed at which you get to the solution that's increased...if you don't, the threat actor has the advantage." – Jerry [37:59]
"If it's hardcoded in one solution, all the victim orgs have it...hardcoded crypto keys are problematic." – Jerry [46:23]
[60:29–98:54]
Panelists: Jerry, Daniel Lowry, DJ B Sec, Kathy Chambers
| Segment | Timestamp |
|---|---|
| Droidlock Android malware | 09:59–16:58 |
| Chrome Zero-Day Patch | 16:58–20:53 |
| LastPass fined for 2022 breach | 20:53–26:23 |
| Hackers pose as law enforcement | 26:23–32:22 |
| OpenAI CTF jump & GenAI arms race | 37:12–40:15 |
| Docker Hub credential “spray” | 40:15–45:22 |
| Center Stack/Trio Fox cryptographic flaw | 45:22–52:30 |
| CyberVolk ransomware “fail” | 52:30–53:09 |
| Panel AMA / jawjacking | 60:29–98:54 |
The episode weaves technical depth with camaraderie, mixing advanced threat insights with anecdotes and practical advice. Regulars and first-timers alike are encouraged to join the conversation, learn collaboratively, and pursue cybersecurity excellence—while keeping things approachable and fun.
“Support, inclusion, empowerment…if you're into it, awesome…if not, you almost self-select out of the community, which is fine. Find what makes you feel good.” —Jerry [98:00]
Panel shoutouts and resources shared in-chat ensure listeners are left not just informed on the day’s news but connected to actionable next steps and a supportive cyber community.
Episode summary prepared for cybersecurity practitioners and aspiring professionals seeking both up-to-date news and community-driven insights.