B (4:11)

Thanks.

A (4:11)

Cryptic roses. All right, guys, Every single episode of the Daily Cyber Threat Brief is worth half a cpe. So say what's up in chat, grab a screenshot, include the show title, which has the date and the unique identifier of the episode, which is 1024. The megabyte episode. Ben, look at this. First timer. Well, gets welcomed moments later, becomes a squad member. Thank you so much.

B (4:38)

Great.

A (4:39)

Great to have you. Welcome to the party. Take advantage of all those squad emotes too. All right, guys. Yeah, Half a cpe. Just take a screenshot. You see how chat's right above my head? You can make an easy piece of evidence. I've tried to make it as super, super easy for everybody. And then once a year, count up the screenshots, divide by two. That's how many CPS you got. Simple as that.

B (5:06)

Yeah.

A (5:06)

Busting Justin. I got something. I don't really feel sick. I just have, like, crud in my throat. I woke up this morning like this and I'm like, ugh, what is this? So having a cup of tea. We'll see what happens. Big Richie, first timer. Big Richie's first timer. Welcome to the party, pal. And Ben, who's the new squad member? You can also welcome Big Richie to the party now that you have a access to the emo tray. There it is. Big Richie. Welcome to the party, pal. Love it, love it, love it. Yeah, I don't drink tea very often. Printer device. All right, guys. Hey, let's pay the bills so I can afford more tea. Starting with delete me. Oh, deleting makes it easy. Quick and safe to remove your personal data online. At a time when surveillance and data breaches are common enough to make everyone vulnerable, data brokers make a profit off your data. Your data is a commodity. Anyone on the web can buy your private details. This can lead to identity theft, phishing attempts and harassment. But now you can protect your privacy with Delete Me. My God, my voice. As someone with an active online presence, privacy is really important to me. Guys. I have a wife, I have kids. I'd like to prefer to choose who has access to my, my home address, my phone number, my kids phone numbers. You know what I mean? Like it's a thing. And, and data brokers, they just have access to all this data and they'll sell it to anyone. So if you can, you can request them to take it down or you can have a service like Delete Me requested for you. Which is great, which is why I use them. Take control of your data. Keep your private life private. By signing up for Delete Me now at a special discount for our listeners. Get 20% off your delete me plan. When you go to JoinDeleteMy.com simply cyber use promo code Simply Cyber checkout. The only way to get 20 off is go to joindeleteme.com cyber enter code/cyber checkout. That's join deleteme.com/cyber code Simply Cyber. All right. Is restream. No, it's not. It is not streaming to LinkedIn. I could try it right now. I don't even know if this will work. I don't know what happened. I don't know why it wasn't configured to go to LinkedIn unfortunately. So. Must have been a mistake on the configuration side. We'll take a look at it and make sure the rest of the week is good to go. I want to tell you guys about anti siphon training. Anti Siphon training offers cutting edge, high quality education to everyone regardless of financial position. They are running a Black Friday special. It's a one time fee for an entire year of access to their entire platform. Basically keys to the kingdom. If you have, if you have training dollars that gonna expire by the end of the year and you're not going to use them in the next two weeks. May I recommend scooping up this deal and then slow playing your training all throughout 2026. Just leveling up like an absolute boss. Whether you're trying to do, you know, programming, threat hunting, Red blue, they might even have some GRC in there. They got you covered. Okay. Holla atra. Go to anti siphon training.com for more. All right, let's hear from Threat Locker and then we're gonna get into the news. I want to give some love to the daily cyber threat brief sponsor Threat Locker. Do zero day exploits and supply chain attacks. Keep you up at night. Worry no more. You can harden your security with Threat Locker. Worldwide companies like JetBlue Trust Threat Locker to secure their data and keep their business operations flying high. Threat Locker takes a deny by default approach to cybersecurity and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operation is fully supported by their US based Cyber Hero support team. Get a free 30 day trial and learn more about how ThreatLocker can help prevent ransomware and ensure compliance. Visit threatlocker.com DailyCyber. All right, ladies and gentlemen, first timers, you may not know what to do, so let me, let me tell you squad members who are regulars, if you want to chime in, go for it. Big Richie. Sit back, Ben, relax. And I forget who the other first timer was. I'm sorry. Sit back, relax and let's let the cool sounds of the hot news wash over all of us in an awesome wave. Guys, I will see you at the mid roll. From the CISO series. It's cyber security headlines.

B (10:10)

These are the cybersecurity headlines for Monday, December 15, 2025. I'm Steve Prentiss. 16 terabyte MongoDB database exposes nearly 4.3 billion professional records. The data discovered by researchers at Nexus AI was discovered on November 23 and secured two days later. Consisting of mainly LinkedIn style data, the researchers suggest it would be useful in enabling large scale AI driven social engineering attacks. Although it is difficult to determine the age of the LinkedIn data, many records were collected or updated in 2025. But some may have been scraped from LinkedIn leaks that occurred in 2021.

A (10:57)

All right, Let me see what we're doing here. So, I mean, so it was an exposed database. All right, so there's your first thing. Seriously, like maybe six years ago when AWS was getting started, S3 buckets was like leaking everywhere. Like you, you could like fall down and hit an exposed S3 bucket. So you don't see this very often anymore because any architect who knows what the hell they're doing doesn't put a database Internet facing. That's ridiculous. It's a liter. Listen, I am old. I. I am old, okay? I am old. And when I went through undergrad, I learned design patterns and model view controllers which is basically like what a modern web apps architecture is. You put the app in the front facing the Internet and you put a database in the back end and then you put middleware in between it and that's how they communicate. So to have an Internet facing database means somebody messed up Carl. Undeniably Carl. Or, or maybe I'm giving too much credit here. Maybe someone just downloaded someone had like a database and like put it on a file share that was open to the Internet or something like public. You know what I mean? How you like Google Drive, you change the permissions to everyone possible any. All right, I wonder how they found it. Yeah, I mean here's the deal. LinkedIn is a massive social media platform for business users. You know, you guys all know this, right? I, I use LinkedIn, you use LinkedIn. Having all this data scraped allows you to do, you know, targeted communications, targeted marketing, social engineering, all sorts of stuff. Data, data is super valuable, right? And when you have this, you're not goofing around trying to like look, you know, like do OSINT on LinkedIn, you're just like got this database and you're querying it. Dennis Keefe is in chat. Dennis Keefe is an OSINT Jedi. Dennis, I'm sure. Can you comment? I mean there, there must be like repos of like LinkedIn data and stuff like that I would imagine, right? They're saying the leak is dangerous because massive data enables targeted attacks, including fishing and CEO fraud. Yeah, exactly. 100. But like, I don't know, here's my thing. I know people are like, people who don't work in infosec are like, oh my God, like the things you guys do, the things you guys see. Oh my God, how do you deal with it? How do you sleep at night? And it's like Bo, we just, we're just forged in fire. Like this is like a Tuesday for us. So when I see this, yeah, I mean it sucks, but like the data's out there anyways, right? Dennis Keefe is an ocean Jedi and he's saying in chat right now there's these resources out there. So here's my thing. Number one, 16 terabytes is an ass load of data. Especially if it's just text data. Text does not take up a lot of space. Like 4K video takes up a lot of space, right? DJB6DJ lighting configuration for a stream deck takes up a lot of space. JSON files full of data. Text data doesn't take up space. So this is a lot of records and it is, it is quite the treasure trove. But I'm not like, I'm not getting out of bed, I'm not selling all my technology and moving to like Alaska and starting to live off the land because of this. This is like, to me, this is salacious. For anyone that doesn't work in our industry, for anyone that works in our industry, we're like, that sucks.

B (15:11)

Apple posts updates after discovery of WebKit flaws. The two security updates are for iOS, iPad, OS, Mac OS, TV OS, WatchOS, Vision OS and the Safari web browser. And the two security flaws, both with CVE numbers and one of which was patched by Google and Chrome last week, may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 20, says Apple. Teams at Apple and Google have deduced that the vulnerabilities were, quote, likely weaponized in highly targeted mercenary spyware attacks, given that they both affect webkit. End quote coupang.

A (15:54)

All right, so Apple, Apple released patches. Okay, so you gotta patch it. Ah, you gotta patch it. And it was basically for everything iOS. Okay, so vision OS. I didn't even know they called it that. Damn. BW says they updated to 26.2 this morning. It took 25 minutes. I'm actually kind of curious what version I'm running right now. All right, everybody, take your iPhones out. This is a follow along. Oh, not now. Oh. I have to agree to new terms and conditions. Oh my God. Bruh. All right, I guess I won't do this live on stream because, you know, these things. I'm on 26.1. All right, I'll get that fixed after the stream ends. So what are we doing here? A use after Free Vault and WebKit may lead to arbitrary code execution. Okay. And then a memory corruption issue can lead to memory corruption. All right, so one of them is like a jerk thing to do, corrupting memory. And the other one is I take over your phone really quickly. Use after free vulnerability. This is a category of software vulnerability. And it really gets into computer architecture and like at the operating system level. And how when memory is allocated for, you know, a process to run, when the process is done running, it will free up that memory place in memory so more processes can be written to it. Well, there is a way where you can identify where that space is after it's freed, but before it's reallocated and then stick your own custom execution in there and off and run. So think of it as like a buffer overflow, except you're not overflowing a buffer. You're just taking advantage of known memory that was being used and then it was deallocated. All right, It's worth noting that this is the same vulnerability that Google issue patches for back December 10th out of bounds memory access. Okay, okay, so it sounds like some very, very sophisticated threat actors discovered this, which by the way, use after free bugs are not like trivial. You don't just. That's not a CVE that you get on, you know, a GitHub repo or something like that. This is pretty advanced. Now remember, a lot of VIP is a lot of, you know, a lot of VIPs, I guess, for lack of a better word, whether they're, you know, tech titans or politicians or whatever, they use Apple iPhones. Right? And on balance between Android and iPhone, I would argue just, you know, if you took two of them and just compared them, the iPhone would be more secure in the sense that it has less attack surface. The way apps get installed is kind of controlled. So I'm not saying it's not like I don't want to get into a culture war here between Android and iPhone. I'm just saying on balance, I think an iPhone is more secure. So you tend to see these individuals do it. So when this webkit vulnerability comes out, obviously very sophisticated in being weaponized and being sold for straight cash, homie. Straight cash, homie. So, all right, so you got to update your stuff. I guess the TLDR here is you should stay up to date on these things. If you have a VIP in your midst or whatever, just make sure they update their stuff. Right, I get it. It sucks. You're in the middle of playing, you know, Candy Crush and it says, oh, you got to do an update. You're like, no, later. I'm about to break a new record here on Candy Crush. Right? So I get it. But at the same time, just take their phone away from them, give them the heisman, hold their face back and then update their phone. You'll probably get fired if you do that. So not a best practice, but I would say, you know, encourage them to get their phones updated. I will be doing it. Oh, Lipsis throws a gauntlet down. Android is greater than Crapple. Wow. Not even mincing words there.

B (20:27)

Data breach traced to X employee. Following up on a story we have been covering all this month. The Seoul Metropolitan Police Agency now says the data breach at South Korean retailer Coupang that exposed the information of 33.7 million customers has been attributed to a former employee who its obtained access to internal systems after leaving the company Last Wednesday, as we reported, the company's CEO, Park Dae Jun announced his resignation and apologized to the public for failing to stop what is the country's worst cybersecurity breach in its history. The Suspect is a 43 year old Chinese national who joined Coupang in November 2022, was assigned to an authentication management system and left the firm in 2024. He is believed to have already left the country, end quote.

A (21:15)

Oh my God.

B (21:17)

Might.

A (21:18)

So this story was covered last week. This Coupang company, I don't know what they do, but they're in South Korea and they had a data breach and the CEO, like fell on his own sword and you know, called it, you know, like taking all the shame, saying he's gonna quit. I, I said it was a. Him getting fired or being forced to quit or quitting himself was all a, a bag job, right? I had this hot take. And for you first timers here today, there's a squad emote that I'm going to use. It's a tinfoil hat. Anytime I go off the reservation, we use the tinfoil hat. But I told you guys, this guy, he quit or got fired because there was a, there was like some Game of Thrones stuff going on already, no question. Right? Companies get breached all the time in it. Like, okay, this was the worst one in South Korea's history. Like, just wait, wait, there'll be, there'll be a worse one, right? Companies in Australia, companies in the United States, Russia, Germany, Denmark, France. Like, pick your point. Like, choose a country here. Well, look at Marcus Kyler's GitHub map here. Right? Like, oh, oh, God. Oh, Turkey. I, I click Turkey randomly. I bet you I could find a story of a data breach at Turkey. Okay, so like the fact that this guy and the CEO of the company didn't quit. Okay, so a modern rogue is here. My man. Welcome to the party, pal. Brian Bushwood. That guy. Good times. We actually got to get a call, me and him. My plan was to connect with him today. If set up something later this week. And if you don't know Modern Rogue, go check it out. It's on YouTube. It's pretty sweet. All right, so here's the deal. They did point out that this guy was a Chinese citizen, and now he's like, left the country or whatever. Fine. I don't think that this was some type of diabolical, you know, like, I'm a sleeper agent laying in wait. Listen, okay, I am not. I, I. The practical use of a sleeper agent inside an organization has Been seen before. Okay? If this Guy started in 2022 with the entire intent of causing a data breach at coupang, I believe me, he wouldn't have waited three years to do it. Okay? The guy had already like been like performance evaluated promotions, maybe did like Secret Santa last year. Like what? You don't go that long. You get your access, you do your thing and then you take action on objective. Okay? So my thought is this guy probably got fired. They didn't disable his access and he, he like went YOLO before he boogied out of the country knowing that he basically would have to get out of the country. He was going to get arrested for a crime. Right? The TLDR here for everybody is insider access and insider threats is a real thing. I get it. Listen, AB, I love AB's in chat right now. I love myself some AB. I have no question I that AB is not going to cause massive harm to simply cyber. All right? But that doesn't mean that I just give him domain admin rights to everything because he's a great guy. AC6, AC7, let's go back to our NIST 853 days. Okay? Least use least privilege. If you don't need access to things, you don't get access to things. Like let's just all agree that that's a normal. Okay. Second of all, when you have an employee leave, whether they're fired, which always gets done correctly, by the way. I have never seen someone get fired or involuntarily terminated, as we like to use in business speak. I've never seen someone get fired and all of their access doesn't immediately get revoked. It's like all hands on deck. Hey, listen, listen. Greg is being walked to HR right now. I need you to shut everything down. Nobody getting fired leaves their stuff off. So this guy obviously quit, I would imagine. But you have to make it a process of disabling everyone's access, period, full stop. And also GRC people, you got to keep this in mind. The reason that we like single sign on federated authentication is because when you someone leaves the company, you can turn off their active directory credentials or their entra ID credentials and they lose access to all the things there. This is quite possible what happened here. Okay. And I just want to point this out as a reality again. I haven't gone past the headline. I didn't research this story. Here's my thought, okay? If I had to guess, this dude had his access terminated, but he still had access to some type of cloud system that wasn't federated. And they didn't disable that access because they didn't know about it. Right. It wasn't organized. They didn't have asset inventory. Oh, my God. Did he just mention asset inventory? Isn't that something that we study in textbooks and then never use? Yes, that's the same thing. The reason you need asset inventory is because when this dude quits, you can go through all of the applications in your asset inventory and make sure this dude doesn't have access to him anymore. Very difficult to do. Very important. How important? Well, this company's being dragged through the mud repeatedly and the CEO had to quit, so I'd say it's that important. The guy was probably pissed. He probably got passed over for promotion or someone was stealing his. His. His IP or something and then took off. Okay, that's it. I don't know. Maybe they'll continue investigating. I don't know why they would, but anyways. All right, let's keep going. TLDR have a plan to disable people's access. Thank you, Luke Canfield. Saying it loud enough for the people.

B (27:17)

In the back To Hear shares 2025's top 25 most dangerous software weaknesses released in collaboration with.

A (27:26)

Before we hear this. Before we hear this list again, I don't research or prep for any of this, so I have no freaking clue what's about to happen. I swear to holy hell. If the top 25 most dangerous software weaknesses are weaknesses that we have known since 1995, I am going to go full hulk on this.

B (27:48)

Homeland Security Systems Engineering and Development Institute and CISA. The list contains 25 of the most dangerous software weaknesses behind more than 39,000 security vulnerabilities disclosed between June 2024 and June 2025. Topping the list is Cross Site Scripting followed by SQL Injection.

A (28:09)

Cross Site Scripting is number one. Cross Site Scripting is number 1. Do you want to know a famous instance of cross site scripting? Sammy Cam car in like 1998. Hold on, let me get the right dates on this one. Okay, hold on one second. I got to get the right date on this one. What is the date on this one? What is the date on this one? I don't want to misrepresent it. 2005. 2005. Okay, still 20 years ago. Okay, let me resume full freak out. Cross site scripting. Do you know where. Do you want to know an instance of cross site scripting? Sammy cam car on MySpace used a cross site scripting vulnerability in 2005 to become friends with every single person on the MySpace social media application. Again, if you're young, you might not know what MySpace is, but MySpace was basically like the precursor to Facebook. You've heard of Facebook, I'm sure. And Sammy actually got arrested by the FBI and I think he did some jail time. He's, he's, he's a really well known cybersecurity professional. In fact, he was the technical director on Mr. Robot series to make sure that all the hacks were legitimate. But I digress. Cross site scripting number one in 2025. Okay. Null pointer to reference. Okay, there we go. Missing authentication. Okay. See some of these, I'm, I'm okay with cross site script and SQL Injection. All right. They're all web app ones too, which shouldn't surprise anyone because web apps are like going bananas right now. And with Vibe coding, guys, listen. Vibes. Vibe coding. It's my understanding I attended some Vibe coding talks at that conference I went to in Austin the other day. But my understanding from people who have been using Vibe coding tools and know what they're doing. The Vibe coding tools do not write secure code. They write code that works. This is like 1999 all over again. Like with the dot com boom and the bubble and just get, get it out to get it to market quickly as possible. Microsoft's whole adage, ship it on Tuesday, patch it on Wednesday. So whatever. Guys, I will tell you this. If you're an aspiring, if you're aspiring cyber security professional and you're like, oh, it's too late. I got to the game too late. No, don't worry. The game's been waiting for you because cross site scripting, SQL injection, cross site request forgery reign supreme in 2025. These tools still work. It's insane, dude. Not to mention cross site scripting, like was triple. Excuse me, double number two. SQL Injection. Yeah. So SQL Map, great tool. Should look at it. Cross site scripting. I don't know if there's like an obvious tool to find cross site scripting opportunities, but anyways, thank you, Miter Attack. I'm glad I'm not feeling great because like, I need to be like muted right now. Like, I haven't had coffee fortunately. I appreciate Miter does this. You should absolutely use this information at work to make sure that your, if your team is building software that you're looking for these type of vulnerabilities, if you hire a pen tester, you know, ask them to look for these vulnerabilities, the chances are higher and more likely that you're going to find these than not find these, right? And the same goes for threat actors when they're looking for vulnerabilities. Listen, I'm not a threat actor, but if I only had five hours to hack into your business or your company, it would behoove me to spend that time looking for the most likely, statistically speaking, problems with your tech stack. Obviously, if I only had five hours to break into your company, I would probably use social engineering, cross site request.

B (32:50)

Forgery, missing authorization and out of bounds rights. With new entries this year being variations on buffer overflows, a link to the full list is available in the show. Notes to this episode Huge thanks to our sponsor Adaptive Security. This episode is brought to you by Adaptive Security, the first cybersecurity company backed by OpenAI. Deep fakes aren't science fiction anymore. They are a daily threat. Here's a quick tip. If your voicemail greeting is your real voice, switch it to the default robot voice. A few seconds of audio can be enough to clone you. Adaptive helps teams spot and stop these AI powered social engineering attacks. And you can learn more@adaptivesecurity.com that is adaptive security. One word.

A (33:46)

All right. Bruising hacks is saying zap is a tool to automate finding cross site scripting. I'm sure Burp can do it as well. Listen, we're gonna blow the copyright out today. I don't feel good. I want a little pick me up. Plus Modern Rogue who's who's my buddy that we met up in Austin is here. We got a couple of first timers, right? So let's show them what we do normally. All right. Happy Hanukkah everybody. You celebrate Hanukkah. I guess the first night was last night. You guys are off and running with a holiday season. Love it, love it, love it. Guys. Thank you to the stream sponsors Delete Me, Anti Siphon Threat Locker and Barricade Cyber Solutions guys blowing it out. Cryptic Roses Because I'm playing this song right now. This whole video is going to be copyright striked and any revenue from AD will be. We'll go to the whoever owns the rights of this song. All right. Barricade Cyber Solutions guys. Barricade Cyber Solutions does many things but they also do the Fortify365 webinar series. Webinar series go to webinars.barricadecyber.com now. You can check out this bi weekly series that they're doing. Let's go. Yeah. Cryptic Roses. I'm originally from Boston. We say all sorts of Wild stuff. All right, check it out. December 17th. Tomorrow's tomorrow, this Wednesday. Session nine, compliance settings. Guys, if you are running Microsoft 365 or looking to or looking to work for someone who has an M365 environment, this is a great way to get your GRC on.

B (35:58)

You.

A (35:59)

You do this, you'll enable the Unified audit log. You'll talk about how to configure retention policies. Hey, you know that insider threat issue with the coupang story? I mean, the guy still had access, but wouldn't it be nice to make sure that your retention policies for all the things that guy had access to was disabled?

B (36:14)

Be cool.

A (36:14)

DLP policies. It's a whole thing. It's one hour long and he's covering like 15 bullets. So you can tell that this is going to be a massive amount of learning in a very short window. So scoop it up. Go to webinars barricade cyber.com every single day of the week as a special segment. And Mondays is Simply Cyber's Community Member of the Week, sponsored by Threat Locker. I do want to let everyone know Threat Locker has contractually signed off and agreed they will be sponsoring next year 2026. They're an official sponsor and they have. They love what we're doing with the community Member of the Week. Thank you, Jonathan. We just become best friends. Thank you. So here's the deal. Threat Locker loves the community Member of the week and they've continued to sponsor this segment as well. So we will continue to be able to give prizes out for everybody. Threadlocker takes a deny by default approach to cyber security, just like we take a village approach to community. This week's Community Member of the Week is Luigi Roloda. Luigi. Now, if you don't know Luigi, Luigi is out of Vegas. I got to meet him two years ago at the Simply Cyber Community meetup. He showed up. I actually gave him my DEFCON badge because I was done going to defcon and he didn't have one yet. Gave him the badge. He took full advantage of it. He showed up at the meeting last year. He's just an active member of the community. And I saw he's active in the cyber community in Vegas. Just a great guy, good energy. So, Luigi, thank you for being you. Thank you for being supportive and setting a good standard. And we recognize you, dude, as a Simply Cyber Community Member of the week. Now, Alpha Sierra, Marcus Kyler, first timers, all we're going to do is say la la la la. Okay, lead us off. Drop Majors.

B (38:08)

Sing.

A (38:38)

All right. Solid mid roll, everybody. Let's finish strong, shall we?

B (38:44)

Germany summons Russia's ambassador over alleged air traffic control cyber attacks. This action was taken after a formal accusation against Moscow of the cyber attacks against Germany's air traffic control authority in August along with a disinformation campaign ahead of February's election. The German government stated it has clear evidence linking the air traffic control attack to the Russian Nexus Group APT28, also known as Fancy Bear, a Russia based disinformation campaign tracked as Storm 1516 was also accused of the election interference attack. This group has also been active in other divisive campaigns in Europe as well as in the U.S.

A (39:25)

All right, so Germany has had enough. Dude, listen, I'm. This isn't an editorial on Germans, but like, they don't. They don't f around. Like they're just like straight business. Like, let's talk about this right now. Like, I'm dead serious. And you're like, all right, Germany, like, like, I love the schnitzels and the. In the Hefeweizens, but can you calm down? All right, I digress. Listen, air traffic controllers don't. Hey, listen, do not screw around with air traffic control or just, you know, aviation operations, right? Germany summon. Dude, the. The. The. The writing of this story. Germany summoned Russians ambassador. What is this? Magic. The gathering. Germany cast a one, red, two colorless mana in. In Russian ambassador. Creature or plains walker. It's crazy. Dude, summon's a strong word. That's like your dad summoning you for doing a bad thing. Okay, Space Talk is agreeing that Germans don't f around Code brew doing his part. All right, so Germany, you know, casts a Russian ambassador onto the battlefield after accusing Moscow of cyber attacks against its ATC authority and running disinformation. So Germany's kind of getting bamboozled here, left, right and center. In a coordinated operation, they have clear evidence linking to a cyber attack. Now here's the thing that's really tricky. Listen, this is over a year and like a year and a couple months ago. So 16 months ago attack. I'm sure Russia's like, whatever at this point. There's a really good book. I don't have it here, but here, let me look at this book. Hold on. Book. Yeah, right here. This book right here. Scott Jasper, Russian cyber ops, if you want. Listen, this book is not a light read, okay? This book is. This book is work to read. It is not. It is not a. This is not a beach book, okay? But if you want to read about how Russia approaches cyber operations, with asymmetric warfare and how they can attack Germany and just be like whatever. This book answers it perfectly. This is a really, really interesting book. You could see coding the boundaries of conflict. It's really around how cyber attacks and cyberspace is a, a battle theater doesn't qualify for any of the traditional, you know, Geneva, not Geneva Conventions like United Nations, Article 5 type things or whatever. What is considered an act of war in Russia definitely takes advantage of all that. All right, so Fancy Bear is one of Russia's like well known groups. But by the way, Fancy Bear is the crowd. Crowd strike naming convention. That's another thing I always like to tell people. I'm going to Miter Attack framework. I didn't know this until I was old, like older in my career. No one told me because I didn't want to look like an idiot. I didn't want to say that the emperor had no clothes on. So I'm going to share this with everybody right now and maybe you know that the emperor has no clothes on, but we're going to talk about it. Apt28 as you can see on stream right here, I I'm on Miter Attack. If you're listening on audio. APT28 is a threat actor group attributed to Russians General staff of main intelligence. Kind of like the CAA, I guess or the nsa. And you'll see associated groups. Iron Twilight, Snake, Mackerel, Swallowtail, Pawn Star, Pond Storm, Fancy Bear, Strontium. Okay, now here's what I want to point out. Apt 28 is Fancy Bear, Fancy Bear and Apt 28 are also pawn Storm. Now Storm is Microsoft's threat. Microsoft threat naming convention. Okay, normally I just say this, I'm going a little deeper. So if it is a weather system then it is Microsoft threat Intelligence. You can see here like you know, North Korea is Sleet, Sandstorm, Blizzard is Russia, China is Typhoon. Oh, Russia's Blizzard. Hold on one second. For Forest Blizzard. I made a mistake. So you can see here on chat, Forest Blizzard would be the APT28 naming convention for Microsoft. So don't get confused by all the different names. It's just different threat intelligence groups call them different names for multiple reasons. Sometimes it's because they want the notoriety to be like, oh, it's, you know, it's our naming convention. Another time it's because they have different levels of. I'm fine. They have different levels of confidence. Right? So maybe Microsoft says we have like a 50 level of confidence that this is in fact, you know, Russia and crowd strikes like no based on what we have, we have high confidence that it is in fact this particular threat actor. Okay? So just know that that's why they have different names. Okay. Frustrated me for years. I'm like, why? Why? Who are all these freaking names, dude? Okay, so anyways, I'm sure Russia. Listen, I haven't read this story. If I had to guess, Russia's just like denies and that's it. Russia's embassy in Berlin has not commented and has previously rejected similar accus accusations as baseless. From the office of Shocking comes this final paragraph. So Germany again, go read this book. This book right here. Scott Jasper, Cyber Russian ops will answer everything. But to, to no one's surprise, especially me, Germany has evidence to suggest that Russia's meddled in their air traffic control and elections. And Russia's like, nuh. The logs say it right here. You were here. Yes, you were. Ah, you're so frustrating.

B (46:12)

Russia Mass affiliated APT targeting Middle east and Morocco. A group allegedly affiliated with the Palestinian organization Hamas is accused of using malware laden documents to breach government and diplomatic entities tied to Oman, Morocco and the Palestinian Authority. This is according to Palo Alto Networks unit 42, which issued a report on Thursday about a group called Ashen Lepus. That is a S H E n and then Lepus. The group is allegedly using a new strain of information stealing malware called Ashtag Canada.

A (46:51)

All right, let's keep looking. I just realized I have a split V in this room. It's. Guys, it's like 20 degrees out. I have a split V in this room that's just permanently set to cold because I live in the low country. I'm gonna. Let me turn the heat on. Like I'm freezing right now. Okay, computer, make it warm in here. All right, we'll see how that goes. All right, so Palo Alto's unit 42, definitely a legit threat. Threat intelligence outlet. I love what they're doing. I know people that work there. So do you. And just stand up people all around. Let's see. So years of profiling this group has attributed them to Hamas. I shouldn't be surprised that Hamas has an AP or apt. Hamas has a cyber capability. Right? All major. All major, like, you know, power, you know, entities, whether they're nation state or they're, you know, groups. If you don't have a cyber capability, I mean, what are you doing at this point? Okay, I don't really know what's going on here. I mean, it's malware. Looks like it's attacking Turkish citizens. It starts with an infected PDF Decoy file that guides the target to download a RA file containing a malicious payload. Guys, I don't know who these people are. I am so sorry. Here's what you need to do if you don't want to get, if you don't want to get attacked by Hamas linked APT threat actors. Two things. One, get an email security gateway that's worth a damn. And two, educate your end users not to fall for phishing emails that have, you know, fake old PDF like archives attached to them. If you're downloading a RAW archive, it's not a PDF. Like, I know that it's difficult for, you know, my Aunt Dorothy to, to understand the differences between the two, but just, you know, like, just look, look realistically. If you can somehow have an email security gateway, just not deliver the email at all to your, your end users, that would be preferred. Also worth noting if they check their email on their phone, right? Their iPhone or whatever. Less likely to get caught. I would assume less likely to get compromised since I don't believe when you explode a RAW archive and execute the malicious payload, it would necessarily work on iOS. More desirable to work on Microsoft Windows operating system. Okay, the, the, the TLDR here for me. So like, yes, this is like good to learn and everything, but to me, the actual important value that I'm getting out of this or like it's news to me. Although, like I think I knew it, I just, it's like reaffirming is that like you don't have to be a nation state in order to have an APT cyber capability. Right. Hamas, you know, has one just like, I don't know what would be another kind of example. I don't, it's too radioactive. I don't want to give an example.

B (50:41)

Privacy regulator to probe face scanning billboards. The probe focuses on billboards located near Toronto's largest train and subway station, Union Station, which, which allegedly analyzes the age and genders of passersby owned by the movie and media company Cineplex Digital Media. Cdm, they quote, use cameras, large databases, and in some cases artificial intelligence to survey people in public. End quote. CDM has reportedly said that no personal data or images are kept and that the billboards process data within milliseconds.

A (51:19)

All right, that's, that's interesting, man. That's interesting. So, all right, so this is a face scanning technology on an advertisement at one of Canada's biggest, busiest train stations. Couple things here. Ready? Number one, from a privacy perspective, you scanning my face and storing it. Listen, I'm not I don't typically. Well, two things. All right, let me take a step back. Two things. I literally took a step back physically. Two things. One, privacy and cyber security overlap with each other, just like I T and cyber overlap with each other. But cyber and privacy do not have all the same goals. Privacy is concerned with a few other things. And. But there is overlap around confidentiality, okay? So this is why we should care about it as cyber professionals. Now, check this out. They said that don't worry, data isn't stored. As far as I'm concerned. That's not the. That's not the. That's not the main concern, okay? There was an example. All right, what was it? Rockettes lawyer, facial recognition. Let me give you an example. This is 2022, this time, three years ago, okay? The guy who owns Radio City Music hall was being like, he was going through some court case, okay? And the lawyer team that was responsible for, you know, his adversity, like, whatever you want to say, like, he was a defense in the prosecutor in the. The case, whatever. Like the lawyers that were on the other side of him, right? One of the lawyers took her daughter and her Girl Scout troop to a Radio City Music Hall Rockettes event. Okay? So unrelated from work, unrelated from legal, unrelated from anything. She literally just bought some tickets and was going to take her kid to this holiday event, right? Very special. Well, guess what? Radio City Music hall also implements a very similar technology as this, okay? It's not that they're saving it locally. Hello. Like, think about it for a second. What do you think it's scanning against? They don't need to save it locally because they already have a database with all your face on it. Like, all that data is already saved off somewhere else. Of course they don't need to save it, okay? So anyways, this woman walks in, she doesn't even get to her seat before she's escorted out and barred from setting foot on the venue, ruining the entire trip for the Girl Scouts and everything. But the guy was like, oh, it's my. It's my business. And I'm deciding that you can't be here. Completely petty, completely asinine. But this is what I'm talking about. When I think of concern or stuff like this. It's not about saving the data. Like, they already have the data. They already have your face. If you've taken a driver's license photo, this. The. The state has it right now. This is a private company, but as we've talked about, data brokers from all over the place. They Got your phone, they got your data. Okay, so for me it's more about weaponizing this from like authoritative control. Again, I hate to get like super, super, you know, dystopian on you, but like, the problem with this is that you're walking in a group and you, you know, they, they can identify you, right? And to what end? Like, what are you doing there? When were you there? And then also it's worth noting that this facial recognition technology isn't perfect. So unfortunately, innocent people are being arrested because facial recognition tells law officers that they are in fact this person that has a warrant out. And then it's not. And they're like, nope, the technology said it's true. So there you go. Luke Canfield says the DMV sells your data. So again, this is what I'm saying. Also want to point out it's not going anywhere. London is like out of control with the CCTV and the facial recognition.

B (55:50)

US sues ex Accenture manager over Army Cloud Platform the US Is suing a former senior manager at Accenture for quote, allegedly misleading the government about the security of an army cloud platform. End quote. In a court action, the United States of America versus Daniel Hilmer, the US alleges that between March 2020 and November 2021 obstructed federal auditors and falsely represented the security of the company's cloud platform, which was used by other government customers beyond the Army. The defendant, Hilmer, claimed to work for Big four consulting firm Accenture during the stated timeline. According to a now deleted LinkedIn account, the platform in question is described as a non appropriated fund integrated financial management system, a cloud based payroll, pension and benefits system. According to the indictment, Helmer, quote, made efforts to represent the NIFMS platform as having enabled security controls that met the Fed ramp high baseline and the Department of defense's impact levels 4 and 5, end quote, which are now being described as falsehoods.

A (57:02)

Wow.

B (57:02)

If you enjoy.

A (57:03)

All right, so this is wild. I have never seen this before. Okay, so I worked at a, you know, big four consulting firm for federal it. Okay. Normally, I mean, Deloitte just did this the other day. Deloitte was in the news for delivering a AI slop report to the tune of like 400 grand to some, to some client. It doesn't matter. Like Deloitte, they didn't say Tom Pine, you know, delivered an AI slop. It's always kind of like, it's always business to business type stuff. The US Justice Department's going after this dude specifically, so that's awfully. Awfully nefarious. Now I'm sure he doesn't work at Accenture anymore. I gotta tell you guys, honestly, getting NIST moderate baseline, fed ramp high. And I don't know what these DoD level 4 and 5 are, but I assume that they're kind of commensurate with NIST 853, moderate baseline. It's not easy. And a lot of authorizing officials, a lot of authorizing officials will accept that certain security controls are not implemented. So, like, this is the work. I don't know if this guy was trying to hit the easy button from Chantilly, Virginia and just be like, ah, just do the best you can and we'll say it's secure or what. But dude, $30 million and this guy might go to jail. I hope that extra boat was worth it. Hilmer. Oh, what kind of things? Here we go. Let's see what his actual abuse was. Right. Hilmer knew the platform had not implemented required security controls related to access, IR and continuous monitoring, auditing, logging, monitoring, alerting, not managed environments, not monitored, not governed, not secured. Oh, didn't have an and okay, so this jack wagon. So there's a thing called an SSP or system security plan, and it's basically like the bible of a system's security implementation. It's like you go to the SSP first to see like, what, how any control is implemented. This guy basically speed run an SSP that would be perfect and then didn't implement any of them, which is completely ridiculous. Numerous voices from inside the company said that he shouldn't do this and from outside consultants. So, all right, let's see. I just want to know where the. I got to tell you a couple things after this. Oh, this is a woman. I made a mistake. I guess Chris Hillmer is a woman, dude. All right, so here's the deal. Listen, don't fall into this mistake, all right? As a professional. Listen, seriously, don't fall into this mistake ever. Do not. Like, sometimes you may not want to admit to your bosses that things aren't going as well as you had suggested. But what you can't do is lie. Because what ends up happening in security is it starts compounding because you tell them, oh, we have these things in place. And then everybody starts looking at the next thing. Because logically, if you have A, B and C done, the logical thing is, let's do D and F. Well, if you don't have A, B and C done, and you say A, B and C are done, and then you start marching towards D And F, guess what? You're going to have to start lying about D and F when those don't get implemented. The fact that this dude, the fact, or this lady, excuse me, did all of this over the course of years and every, and people in the company and outside the company knew that she was lying. It blows my mind, dude. Normally people who choose this path do it in secrecy and then they get in over their head and they don't know how to get out beyond just continuing to make it worse. If I had to guess, this person is going to, you know, be, you know, held accountable, dragged out in front of the public square so everybody can see made an example. You're not going to get your 30 million back, though. That's the thing. It's not like this person took the 30 million for a fake job, like a contractor telling you that they're gonna put a shower in and they, they just leave. So, you know, I could see them trying to sue Accenture. I don't know, I just don't, I just don't see how the United States is going to get any, any compensation from this person for a, for, if anything, they should sue Accenture and then have Accenture have like, improper controls. Because the thing is for this person to be everybody in their company, to know that they were lying and then to not do anything, that's pretty crappy governance if I'm not mistaken. Hold on, let me check, let me check. My H, My split V broke. Okay, I, I, I forgot where I was going with that ridiculousness. All right, holler, holler, everybody. Don't go. Well, hold on. All right, don't go anywhere because we're gonna do Jawjacking. But really, I don't want to do jawjacking very long. I feel not great. And I just wanna, I'll switch over to Jawjacking. I'll say hi to everybody and then I'll say bye to everybody. No Jawjacking today. I need to get some more tea, guys. Today was episode 1024, the Megabyte episode for Simply Cyber's daily cyber threat brief. We had a bunch of first timers in here. Modern Rogue Benji, I think it was, or Ben and DC Big Richie. All about good times, guys. If you got value from the show, hit the like button or the subscribe button. My 13 year old told me that I need to tell people to hit subscribe. Subscribe. But either way, I just hope you come back. I hope you come back and have a good time. I'm Jerry from Simply Cyber, wishing you all the very best this beautiful Monday morning. Go crush it. Till next time, stay secure. Ever wonder what it takes to break into cyber security? Join us every weekday for Jawjacking, where industry experts answer your question. Burning questions about the cyber security field. Live, unfiltered, and totally free. Let's level up together. It's time for some jawjacking. All right, what's up, everybody? Welcome to the party. I'm Jerry Guy, your host for the next two minutes as we do a speedrun. Jawjacking. I just didn't want to miss a jaw jacking segment, but I hope everyone had a good show. I certainly did. Looking forward to it. Remember, this is my final week of the year. DJ B SEC will be running the show for a couple days next week. And then Daniel Lowry will be taking us through the start of the new year. We do have. Jesus. I just realized, like, I was definitely pushing now that I'm kind of like, off the daily cyber threat brief. I'm like, oh, I need to chill. I just want to point out this, this Friday, it's basically the last thing I'll do before I leave for the year. State Of Simply Cyber 2025 Q4. We'll briefly look back at 2025. Some wins, some accomplishments, things that we're doing. But more important, looking at 2026 and what you can expect from. From the channel and from the community, from the media group, from the academy. We got some big things cooking for you guys. We are planning on doing the show tomorrow. Yes. Brute. Big Richie with the first question. I'll answer Big Richie's question since Big Richie's a first timer. All right, hold on one second. My toes are cold. Give me a second. Big Richie, I gotta find your question so I can bring it up on stream, bro. Okay. Big Richie says I come from the world of analytics and software engineering. Just passed SEC plus last month looking for a job. Yeah. So the two things that you need to do, number one, you need to develop practical skills. Big Richie, like, SEC plus is fine, but, like, you need practical skills as well. And then you need to make sure that your resume highlights those demonstrable practical skills. Also, you need to network being here with the community. It's an excellent, excellent first step. I would recommend trying to learn some stuff and then document them in, like, a blog or some type of, like, ground zero place that you control. Right. So, like, if you create a blog or GitHub repo or something like that, you can post about it on LinkedIn, but reference back to your main site. That you control. Relationships are incredibly valuable, believe me. Cryptogrozes how does a new grad use their knowledge from cyber to earn? How does a new grad use their knowledge from cyber to earn while trying to upskill? Don't fully understand the question. Cryptic roses. But what I will say is one of the benefits, double edged sword of cyber security is that you're never, you're never not learning, right? If you're, if you find yourself working in cyber and like you're not developing, you, you're doing it wrong. With all due respect, right, you should either be upskilling at work like looking at the person next to you who's like, you know, if you're tier one sock analyst, look at tier two sock analysts and you know, ask them like oh hey, like can I shadow you? What are you doing? Can you explain this to me? I heard threat hunting, I heard detection engineering. Show me what that is. Being here, you know, go like again like say you're not, say you're a GRC person. Well, it doesn't hurt to go download a free like, like a try hack me account and like learn that way like you can upskill yourself, right? When you say knowledge from cyber to earn, I mean get a job, right? I mean that's the easiest way to earn. So I guess I wouldn't say like don't let, don't focus so much on upskilling that you're not going to take a job or whatever to do it. You should be upskilling as part of your job and your employer should be supporting that. Tom Lavin here. Hey Tom. Hope everything's well up there. That, that football game last night or yesterday, huh? Am I right? That was a, that was a humdinger. Tom says what are your tips or, or references for world class tabletop exercises? You know, I gotta tell you, Black Hills Information securities Backdoors and breaches is a phenomenal way to do a tabletop exercise. Now the, the one thing, the one I guess knock, the one knock about back doors and breaches. If, if you, if I needed to knock it is that by virtue of its format, it's on a table and it's small and people are actively engaged. Like a board game. Well, if you're going to do a tabletop exercise with like 30 people or the executives are there and it's there and the insurance companies there and all that, you can't have them all huddle around a table, right? It's just not going to happen. So I would use backdoors and Breaches if you can, more for the IT team and maybe bring in some app owners and stuff like that. If you're going to do a world class tabletop exercise with like the executives or the larger group, carve out a day. Make a rule at the beginning that, you know, you'll. There'll be time for your phones every one hour or something like that. Kind of put it in. You have to get leadership's buy in on this one before you make it, but like some type of embargo on mobile devices so they're not tempted to be distracted. Have a solid. Have a solid scenario. I mean, if you want, you could just use ransomware, but then have injects where you can have the executives break off and talk about like what is their PR response going to be or are they going to make the payment and have the IT people break off and talk about recovering from backups or vulnerable like closing the vulnerability that was exploited and then having get back together. Don't just try to treat one scenario, one, one line and then, and then hope everyone stays informed or stays engaged because they won't. Thank you, carly. All right. Cyber risk. Witch. Adopted cat. Black domestic, short hair. Needs a cyber name. Anyone's got some? Alfie. That's funny. Bruising axes. Alfie. Oh. So Cryptic Roses. I mean, doesn't have a job yet. I mean, I would just continue like scaling up. Here's the thing. You have to. If no one knows what you're doing, no one's going to know what you're doing. I know that sounds so obvious, but it's a reality. So what you have to do is upscale, but then document it. Right. And share it. Talk to other people. Yeah, Real Kyle. Kyle says take another job and keep learning. Absolutely. I mean, if you got bills to pay, you got pills to pay. I mean, not that like I'm saying, oh, do what I did, but like, I mean, I literally like carried bricks for, you know, four months or something until I got my first job. Oh, how to get money for resources. Dude, Cryptic roses. There is an unbelievable amount of free. There's an unbelievable amount of free out there. I hate, I hate to. I'm not trying to poo poo you or anything, but like, I have multiple videos. I gave a keynote talk at Wild west hack infest 2 years ago about living in the golden age of access to free cyber security education. The. The trade off is that you have to, you have to collate and organize it yourself. Okay, Toasty Pops is here. Hey, Toasty Pops. Good to see you. It's been a minute. Hope you're well. Tough break about Patrick Mahomes. Although he is. He is running the Tom Brady playbook, so, I mean, you kind of could have expected him to get injured. Same injury, too. Same, same. You know, eight years in, same injury. All right. The Patriots do have an easy schedule. All right. All right, guys, I am tired and cold and want to get another hot tea. I also have to investigate my split V because it looks like it broke. Sorry to cut jawjacking short, guys. I know. Easy does it. The problem is I. I feel like a jerk. The whole reason I started the YouTube channel is because people were asking me questions, and I. I felt like a jerk telling him I didn't have time for them, so. But let me get out of here. Thank you all so very much. We'll be back tomorrow at 8am I'm Jerry from Simply Cyber. Until next time, stay secure.