Loading summary
A
What's up everybody? Welcome to the party. Today is Thursday, December 18th.
B
Wow.
A
2025. This is episode 1029 of your Simply Cyber Daily Cyber Threat Brief. If you're looking to stay current on the top cyber news stories of the day while engaging with an supportive and inclusive cyber security focused audience full of practitioners and kind hearted people going beyond the headlines, yes, you can get an RSS feed, yes, you can have chat, gbt, aggregate you a little bit of cyber news and dump it in your email inbox or even, hell, at this point read it to you. But you can't get the insights of sitting in a chair for 20 years and just getting bamboozled by threat actors and the business. And with the collective experience of about 6,235 years of practitioner experience among the community, you're going to get all those insights and more coming up. Enjoy it. We are live with Simply Cyber's Daily Cyber Threat Brief. Yes, people, good morning. I hope you're having a great start of your day. Whether you're in the kitchen, got this on in the background and getting the coffee going, getting the kids going, perhaps you're in bed still listening to the show, but you're already on holiday break, whatever it is, maybe in Carline, wherever you are, whatever you're doing, flipping the lights on part of your day. Thank you, thank you so much for making the Daily Cyber Threat part of your day. I, I sincerely, personally appreciate it. Guys, every single episode we go through about eight stories and I have no idea what they're going to be. So, you know, I, I don't know what, what we're going to be talking about. I don't know what my hot takes are going to be, but I promise you I will do everything, this is my commitment to you. I promise that I will do everything in my power to not only give you the story itself, but give you additional value so you can utilize it and not have to experience it or learn it on your own a hard way, which stinks. So, yes, I don't research or prep for the show. Ain't nobody got time for that. Ain't nobody got time for that. I do want to say quick shout out. We always kind of identify different slivers of our population, different dimensions of our population in the Simply Cyber community. And today I wanted to say what's up to the solo operators, ad tech being one of them? Joey. Listen, guys, if you are, you know, you're at a small business, a midsize business or whatever, and you're the IT person But you're also the cyber person. You're also the app person. You're also the field engineer. You're the help, break, fix person. I get it. It sucks. But you know what? It's a great opportunity. Silver linings, right? You are getting a wide swath of different experiences which might suck in the moment, but I got to tell you, that's going to serve your career in the long term. Definitely believe that. But just know, because you're operating alone at work, team solo. You don't have to be alone because the Simply Cyber community is always here at 8am Eastern and always there 24. Seven in the Discord server. So don't be shy. Shout out to you team Solo operators. Every episode, guys is worth half a cpe. So say what's up in champ? And champ and champ. What a. Hello. At least you know I'm not AI up here. AI wouldn't. I mean, that wasn't even close to a correct mistake. Say what's up in chat, right? Every episode's worth half a cp. So say what's up in chat, right? Right above my head. You're. You're part of the stream. And grab a screenshot. Include. Include the show title, which has today's date and the index number of 1029. File it away. You got a folder on your desktop, call it cpes. Throw it in a folder once a year, count up those cps, and you know what? You got the number divided by two, and that's how many CPEs you have. So don't worry about cyber security certification, maintenance. We got you covered here at Daily Cyber Threat Brief. It just takes time, okay? That's why you got to show up every day. All right, what else you got? Oh, first timers. Hello. Hello. I'm Jerry. Who are you? If you're here for the first time, you're like, I don't know. I'll give this guy a shot. We'll see what's cracking. Chat's popping off. Listen, welcome to the party, pal. That's what I gotta say to you. What's up? Say, hey, if you feeling it, drop a hashtag first timer in chat. Just go to your phone, go to your keyboard, open the chat window, type in pound first timer. Okay? Pound or hashtag first timer. I'm old. We used to call it pound in computer science. So drop a hashtag first timer in chat. Let us know you're here. We will absolutely welcome you with welcome arms. There's a whole little ritual we have we'd love to show you Nothing. Nothing weird. Okay. All right, guys. Every day of the week has a special segment. Dennis Keefe, ad tech, saying hello to haircut fish. Whose haircut fish, you might be asking yourself? It's this guy right here. This phenomenal piece of. This phenomenal specimen, the haircut fish. This guy, for years, years has been developing custom memes for the show. And he does. He doesn't miss. He. He doesn't disappoint. And I want. I. I haven't said this in a while. I don't censor, approve, deny nothing. I think maybe one time I had some feedback and I think it was because it was politically related. But listen, I. The reason I bring up the disclaimer today is because this is one that does definitely have some fun with me. So if you like to play the game. Some people like to play the game in chat of trying to guess kind of what the vibe is of the meme. Elliot Matice typically leads that crew. Go for it. But we gotta. We got one today. You may want to sit down when I show the meme of the week because you don't want to fall over laughing. Okay. All right. I am feeling better. Thank you all. It's been a. It's been a slog this week, but you know what? I put my head down and grind. All right, here we go, here we go, here we go. Quick shout out and love to the Stream sponsors, those who enable me to bring this show to you in all its retro synthwave glory. Oh, let's talk about Delete Me first. Yo. Hello. Delete me. Delete Me makes it easy, quick and safe to remove your personal data online at a time when surveillance and data breaches are common enough to make everyone vulnerable. Data brokers make up. Data brokers make a profit off your data. Your data is a commodity and anyone on the web can buy your private details. This can lead to identity theft, phishing attempts, harassment. But now you can protect your privacy with Delete Me. As someone with an active online presence, presence, privacy is really important to me. I use Delete Me. I've used it for over a year. I like. Basically, it helps scrub my personal data off data broker sites. They shouldn't have it anyways. I find it deplorable that they have it and can sell it.
C
Just.
A
You know what I mean? Like, it's gross that that's a market, but it is. And Delete Me helps me manage it. Take control of your data. Keep your private life private by signing up for Delete Me now at a special discount for our listeners get 20 off your delete me plan when you go to JoinDeleteMe.com simply cyber and use promo code Simply Cyber at checkout. The only way to get 20% off is to go to join delete me.com simply cyber and enter code Simply Cyber at checkout. All right. By the way, as always, I want to point out that all the sponsor links are in the description below and whenever you click on them or go check them out and I, I wouldn't take a sponsor that I thought sucked or was scammy or whatever. If you go check them out, it does help the channel, even if you don't purchase just because it shows that you know they're getting some engagement. All right? So I'm not saying you have to do anything. I'm just giving you the, the lay of the land on how this relationship with the sponsors works. Speaking of sponsors, guys, I've been telling you all week about John Strand's active defense and cyber deception course. I'm going to keep telling you about it because I think it's awesome. Awesome, awesome, awesome. If you want to learn from one of the industries, one of the industry's best, John Strand, this guy right here. Love him. Black Hills Own. He does teach this class. Even though he's the CEO of like 47 different companies, he is actively engaged in the community and educating. His teaching style and his speaking style is like not intoxicating but like you want, you want to listen to him. I don't know what the word is. He's like, John Strand is like a sirens call. Like he, you know, lash me to the mast of the boat as we drive through the silling Charybdis or, or the Narrow Straits or whatever it is in the Iliad. Strap me to the, the, the mast as John Strand siren calls me from the cliffs about active defense and cyber deception. This class, four days, 16 hours, 11 to 3am to 3 a. 11am to 3pm Eastern Time. So basically the cool thing is you can do your work in the morning, get sorted out, go take some training and then by the, you know, before the day ends, get, you know, any fires put out. It's very, very cool. I love it. Go here, I'll drop a link in chat. I've taken this course and have done a full review video on my channel that is unsponsored. Spoiler alert. I love the class. It's great. It talks you Honey tokens, honey pots, Hack back. The ethics of hack back. Best practices. Things not to do. Yeah, no, he's good. I will tell you. Before I became friends with John Strand, I saw him speak and I was like, oh my God, this guy is an absolute stud. Like top three speakers of all time. Like when I, like if I see him on an agenda, it's a must attend session. Same with Patrick Wardle. He's another one that's just captivating. All right, quick word from Threat Locker and then I'm gonna melt your faces with news. Let's go. I want to give some love to the daily Cyber Threat brief sponsor Threat Locker. Do zero day exploits and supply chain attacks. Keep you up at night, worry no more. You can harden your security with Threat Locker. Worldwide companies like JetBlue Trust Threat Locker to secure their data and keep their business operations flying high. Threat Locker takes a deny by default approach to cyber security and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operation is fully supported by their US based Cyber Hero support team. Get a free 30 day trial and learn more about how ThreatLocker can help prevent ransomware and ensure compliance. Visit threatlocker.com DailyCyber. Hey, just as a quick side note, special thing. Hey, what's up? Vic Damone 40. I know you're not a first timer, but first time live session will account it. Welcome to the party, pal. Hey, really quick. Just this doesn't happen like ever really, but really quick. Today at 9:30am we do this annually, so if you've been with the community for more than a year, you'll remember we did this last year, the year before. The year before Chris Luft from Lima Charlie. Which is, it's not really an EDR company, it's like a securities code company. It's, it's a really cool company. But anyways, Chris Luft over there, he also partners or runs Cyber Security Cares, which is like a non profit fundraising thing. And he does a live stream telethon once a year and today's the day and I'm kind of like kicking it off or whatever at 9:30. So today we'll do the show, Dan Lowry will do the jawjacking and then I invite you and hope you can raid over to the Cyber Security Cares. In fact, I even have my Cyber Security Cares shirt on today. The shirt's dope by the way, so more, more details about that later. But it's a, it's a good time, it's fun, it's got a great cause. So anyways, I just wanted to share that. All right, now let's cook. Do me A favor. Everybody sit back, relax. Marcus, Kyler, hit that recline, and let's let the cool sounds of the hot news wash over all of us in an awesome wave. I'll see you guys at the mid roll.
B
From the CISO series, it's cybersecurity headlines. These are the cybersecurity headlines for Thursday, December 18, 2020 25. I'm Lauren Verno. FTC orders crypto company to pay. The Federal Trade Commission says crypto bridge operator Nomad must repay users for funds lost in a 2022 breach that drained roughly US$186 million. According to the FTC, the company pushed a inadequately tested code that introduced a critical vulnerability despite marketing the platform as security first, leaving customers out nearly 100 million after partial recoveries. Under a proposed settlement, Nomad would be required to repay about 37.5 million, implement a comprehensive security program, and stop misrepresenting the security of. Of its products.
A
Okay, so on the surface, I mean, first of all, this is a win for the customers, right? The. The true victims, the ones who lost their money. I got some. I've got some cynical hot takes on this one, so get ready. All right? Someone call the sensors. About to go off the rails. All right, so listen, in the United States, at least we have fdic, which federally insures your money in a bank, right? If you've ever seen the movie Heat, Robert De Niro brilliantly lays out this proposition that the FDIC holds whole. Insures your money. Okay? By the way, Heat, such a good movie drink. Listen, blockchain, cryptocurrency, all of that, that is completely unregulated at this time. I know there's been some movement, but it's not backed or insured or anything. So when you. When you convert your USD money into whatever crypto and it gets stolen, good luck. Like, you know, in fact, it's so. It. It was so pervasive. I don't know how pervasive it is today. We'll have to ask Jay Crypto, if. If Jay Crypto's in chat. Can you chime in on this? It used to be so pervasive that there was this, like, ridiculous toxic norm that, like, you weren't really a true crypto bro, until you had been ripped off at least once, which is absurd to me. Okay, so the ftc, who is responsible? Remember? Well, that's the Federal Trade Commission. I think the Federal Trade Commission is responsible for basically being customer advocates or consumer advocates, right? So they're looking out for us to make sure that large businesses don't just take advantage of us. And this company got hacked, got stolen, or got robbed and the FTC somehow stepped in and find them $186 million. Now a couple things here. The reason that they said they did that is because the company marketed themselves as security first and they pushed code to production without adequate testing. Now this is in 2022. Okay, I'm going to say two things about this, okay? Number one, This $186 million, okay, so customers lost about $100 million total, right? So say the simply cyber community. Totally. We had $100 million. It appears that the victims are only going to get about $37 million within a year or 30 days after the end of litigation. So you're going to get 30 cents on your dollar like four years after the incident. Okay. Which again, whatever, I'll take, I'll take something from nothing, but like, this is like, whatever, it's just a bad taste in everybody's mouth. Now, now that we've covered the main story, let's go deeper. Okay, So I actually, there isn't enough detail in here. So they say, quote, unquote, inadequately tested code. Does that mean they didn't test it at all? They just had some hot shot Carl, like operating in production and just pushing code changes and being like, like, you know, just sick shooting, looking like Newman from Jurassic park or, you know, oh my God, like, you know, oh, this guy. Hold on. If you're, if you're listening on stream, I'm pulling up that classic hacker meme of the guy jamming on his keyboard and then the guy with the banana comes up like, is, is this, like, is this Nomad's dev team putting codes to production? Is that what we're doing here? And it just, is just a vintage, like, so this is them? If this is them, then yeah, I agree, that's pretty reckless and pretty inappropriate. If they just did light testing or they ran, you know, Burp suite against it, or they ran some type of static code analysis tool against it. Inadequately. Inadequately tested. Feels subjective to me. Okay, now introduce significant vulnerability again. What does that mean? Obviously it got exploited right away. I, I kind of want to side with the company on this one. Like, they must. All I could say is they must have been egregious for the FTC to come in and smack and spack them with $186 million thing. If you work in fintech. If you work in fintech, grab this story. I know it's three years old from when the attack actually happened. But grab this story and, and use it as a reference for people in your organization leadership and whoever the, either the development team or the tech leads team as. Hey guys, like there, there can be serious consequences. Oh, shut up, you nerd. Well, whatever. Take it or leave it. As a cyber security professional, I'm here to advise and I'm advising you that if you make, you know, if you f around, you're gonna find out just like this company did. Okay, so slow and steady wins the race. Make sure that you're testing code changes at least somewhat recently. I know in like modern DevOps pipeline cycles, they're doing micro changes and micro testing and all that stuff. That's fine. Just don't go yolo, which is probably what this company did because I tell you right now, it's gonna go bad. Especially because it's a friggin cryptocurrency business. Like there's money involved. It's not even like you got to go A to B to C to D to get money. It's like A to money.
B
New exploit of React to shell a ransomware gang has been observed. Explaining the critical REACT to shell vulnerability to gain initial access and deploy ransomware in under a minute. A quick picture pivot from the espionage and crypto mining activity reported when the flaw first emerged. Now, according to researchers, attackers used the bug to remotely execute JavaScript on a vulnerable React server components endpoint. Before dropping the wexer ransomware strain, the attackers quickly disabled a Windows Defender deployed Cobalt strike for command and control, encrypted files, wipe shadow copies, and cleared logs, all without moving laterally. Researchers also warn that patching alone isn't enough.
A
All right, so a couple things here. I mean, you heard the story. If you haven't patched React to Shell and fix it, as she said, patching is not enough. Right, Because I believe it can be. I believe it can be embedded in other software like, like, as a component. So essentially think of like the way that log 4J was. One minute from compromise to ransomware. Now I, I do. Okay, so let's look really quickly. Weax extension is the ransomware file type so that you'll know if you got hit by this. Obviously they drop a note on the desktop telling you how you can get your money or you can get your stuff back. All right, Strong indicator of compromise. Spawning Command EXE or PowerShell from Node EXE. Yeah, put those detections in. All right. They don't offer any other options. I'm not 100% sure what you have to do besides patch it. But you should patch it. Ah, you gotta patch it. As far as additional value goes, I want to just let everybody know, like this. React to Shell for sure. For sure. You want to 100% get smart on and do something with. I think it actually has its own little website, right? I think someone made a website for it. Yeah. So here's the React to Shell website. Go ahead and get that. But let me give you additional value. Okay, so the reporter said they compromised the vulnerability. And then this is exactly what she said. Deploy ransomware, then disable Windows Defender, then establish or pull down. I don't know if she said cobalt strike, but C2 and establish persistence. Okay? And all this without moving laterally. She said all those things, okay? She said it. It compromises. Hold on, because, listen, I'm gonna. I'm gonna go a little long on this one. Only because what she said is 100% accurate. But. But the order she said it in is not correct. And I feel like it's very confusing for people who don't know. With all due respect, I'm not trying to be, you know, like, speaking down, okay? But, like, if you don't know and you just hear what she said, it's wrong. Okay? Secondly, I know people, like, get overwhelmed by, like, the acronyms and the different terminology and stuff like that. So let me break it down for you, all right? You exploit the reactive shell vulnerability and you pop onto this REACT server. Okay, fine. You're on the server. She said at the end, she says all this is done without moving laterally. All moving laterally means is going from the server to another system on the same network and. And doing some. Something malicious there, okay? That's what moving laterally is. So all this done without moving laterally. All that means is the react server is the one that's being affected. That's it. It's. This isn't like full environmental takedown like call in the National Guard. It's the machine. The one machine infected is the one infected. Okay? So, yes, lateral movement. Like I didn't guess what. I do this whole show every morning from Buffer Oer Flow studios, all without lateral movement because I don't go to my neighbor's house at any point during the show. Okay? Second thing, she said exploitation, then ransomware, then disable Windows Defender, then pull down C2 payloads or whatever and establish persistence. I pro. And then delete shadow copies. I promise you that's not the order it's happening in. There's no way you detonate Ransomware first and then disable the security tools. That's stupid. I. If it was me, the first thing that you're doing is disabling the security tools. Okay. Like basically, you know, put like knockout gas or steaks with sleepy pills and throw them over the fence so the Doberman pinchers eat them and then they pass out. That's what knocking out the defenses is. Then like, why would you want to pull like, I don't know, to me, like the next obvious thing is pull down second stage C2 payloads. So now you can interact as you pull down your ransomware. And I would suggest deleting their backups before encrypting. Right. So I mean, you could encrypt and then delete backups in any order you want. But okay, so that's the order of operations. All right, So I just want everybody to know because again, I came up like without streams and community to talk to and I had to like figure it out the hard way. And frustrating.
B
Ukraine based fraud ring taken down European law enforcement has dismantled a network of fraudulent call centers operating out of Ukraine.
A
So Jay Crypto says what if all you do is deploy the ransomware? Sure, that is an option, but she said they do all of these things. The order she said it in makes no sense.
B
That scammed hundreds of victims out of more than US$11.7 million. According to Eurojust, the group posed as police officers and bank employees, pressuring victims into transferring funds to so called safe accounts or installing remote access software to take over their banking apps. Authorities believe roughly 100 people were involved and the true financial impact is likely far higher than currently known.
A
Oh my God. So these call centers, I mean, call center scamming people has been a problem for a while, but this is like a new level. So instead of basically modern slavery like they're doing over in Cambodia with the call centers, this one, the callers get 7% of the victims that they extort. So there you go, you know, so they're, they're sharing the revenue with the people on the phone, including cash, bonuses, cars. Daniel Lowry. We can get an apartment in Kiev if we're the top performers. You want to join forces like Wonder Twins? Oh, never mind. The incentives were actually never paid out. Oh. All right. So these deplorable miscreants pose as police officers or bank employees and then trick victims. So whatever. I mean, dude, anyone, anytime someone calls, calls you on the phone. They can be anyone from anywhere, right? So I don't start the show until I'm in the studio FedEx. All right, 400 victims lost $11 million. Okay. Like there's nothing. Two things. One, this doesn't look like it's going to attack U.S. citizens. This seems much more like, you know, Lithuania, Latvia, Czech Republic, like European space type attacks. So if you are in Europe and you are, you know, this, this is not really attacking businesses so much as it is like individuals. Right? So you're Nana, you know, your Grammy, you know, like, so those people are the ones who are getting hit in general. Even though this isn't in our backyard today, there's no reason that this can't just be rinsed and repeated into the United States or into, you know, insert country here. So I am happy that European police busted these guys, regulators. So definitely appreciate that. I will say one interesting thing that they, they did was the, the threat actors moved the call center as close to the front lines of the Russia, Ukrainian conflict in order to use like the military theater as some type of like ward to keep police from wanting to go in there just for their own safety. So kind of clever, but also whatever. I mean this is just, honestly, to me, this is just a modern day racketeering, like mob, you know, scam thing.
B
French Interior Ministry confirms brief also just.
A
For me personally, I always tell people, any official, any official thing like that law enforcement's going to call you or, you know, your bank or whatever, like text message and phone is not the way they're going to get you. You'll get like a certified letter in the mail or you'll have a sheriff show up at your door speaking. I've heard that. So each.
B
France's Interior Ministry is investigating a cyber intrusion that gave an attacker access to several internal email accounts and dozens of confidential files, including records tied to judicial cases and wanted individuals. According to the Ministry, the intruder remained in the network for several days, though officials say no ransom demand was made and there's no indication the breach put lives at risk.
A
That is not cool. Okay, all right, so someone got creds and logged into email accounts for. The Francis Interior Ministry. Now, I don't know what the Interior Ministry does. Hold on one second. What does the French Interior Ministry do? Tell me. AI all right, Internal security, police, immigration, territorial administration, overseeing day to day law enforcement, like national police, identity documents, managing elections. Okay, so they're kind of like CISA or they're kind of like Department of Homeland Security. Okay, so let's get back to this. So they're saying that like France's Department of Homeland Security's email servers got Hacked and someone was in there for multiple days. Initial investigations have determined that the access was allowed an attacker to view a limited number of professional email accounts. Dozens of content confidential files related to court cases were accessed in wanted persons. Okay, so they, here's my thing, okay. I'm glad that they, I'm glad that they, you know, discovered the threat actors access and got him out of there. I don't like personally that they mentioned, you know. No, no, like nobody was hurt from this information. Allow me, like, let me be the voice of reason or like I feel like I'm, I'm preaching to the choir at this moment. But it does need to be said when you access information and then someone ends up getting hurt from it, either physically or financially or emotionally. It, this isn't kinetic warfare. You don't pull trigger and then get instant results. So the information in this email, what if it had, you know, basically like, so some of the emails had wanted persons involved. What if somebody who's a wanted person was the one who accessed the emails? Again, just a hypothetical. All right, so like this guy's wanted for murder or whatever. Okay. He buys access to these things because he needs to know the heat is on. He wants to know who's after him. He gets in the emails, he sees the full briefing on the op to take him down and who the officers are in charge of it, Their names. Do you know what you can use with names? I don't know. Data brokers. What is it again? The data brokers sell? I can't remember. Oh yeah, personal information. So I, it just, to me it's like reckless reporting to like there's no reason to add the statement at the end that no one's been, no one's hurt from this data breach. Like it's all oh, like everybody gets a lollipop. It's just a little exercise. No, like the, the, the impact of this attack has not yet been realized or its potential. Now obviously there's a degrading long tail on this one that the further we get away from it and, and you know, the more nothing happens, the likelihood of it being no impact is greater. But to say it right after the attack is totally. Poppycock, if I may use a word that I don't use often but is completely appropriate at this time. So anyways, remember data governance. Okay guys, GRC mafia. Data governance number one. If you have sensitive information, make sure you, you tighten it up and, and control it to the level it's needed, commensurate with, you know, what would happen. If it got breached, that's. Honestly, if I was like a, you know, a lawyer or law officer who's involved in one of these cases, I'd be. I'd be very upset, very concerned.
B
Huge thanks to today's episode sponsor, Adaptive Security. This episode is brought to you by Adaptive Security, the first cybersecurity company backed by OpenAI in deepfake scams. The tells aren't glitchy video anymore. It's behavior. Do this right now or keep it a secret. If you hear urgency and secrecy together, stop and verify through a second channel, call a known number, start a chat thread, or ask something only the real person would know. Adaptive trains teams against exactly these tactics. Learn more@adaptivesecurity.com.
A
All right, let's go, let's go. All right, guys. Hey, hey, hey. Shout out to all of you. We are at the mid roll OR Wow, it's 8:38. We're way over. But that's okay. Guys, thank you so much for being here. Appreciate all of you. What's up? Daniel Lowry, Goat in the Machine Z Myth. Brian Groose is in here. Taekwondong my man. Marcus Kyler, Mara Levy. As always, space tacos in lurker mode. I'm sure an Alpha Sierra is in the house. Guys, thank you to the sponsors. Threat Locker, Anti Siphon, Delete me and Barricade Cyber Solutions. Guys, you know Barricade Cyber Solutions, not only are they digital forensics incident responders, but they also run the Fortify 365 webinar series. It's in every other week. Webinar series led by Eric Taylor. The next one was yesterday, so you'll have to wait until 2026 to giddy up on the next one. But you can get it on your calendar now. There's no reason you can't register. Session 10 Entra ID identity. Ooh, listen, you want to configure self service, password reset. Boom. You want to understand how to apply user risk and sign in risk policies, conditional access type things. Oh yeah, you want to require mfa. Probably the most important thing you could do. Eric will show you all this and more like a live, live walkthrough demo. Practical skills learning. Go check it out. Fortify365.com Great value. Absolutely free. You can register for it today. Get it on your calendar today. And when January 7th rolls around, you'll be hot to trot. Every single day of the week has a special segment. Thank you, Bustin Justin. We'll look into it. Hold on. Is Cowboy new here? Do we Have a new cow. Hey, if. If you're the cowboy user cowboy c1q, I'm looking at you. Is this your first time here, cowboy? Or is this your first time here? Hey, Cryptic rose. Hey. Every single day of the week has a special segment. And Thursdays is Dan Reardon's what's your meme. Now, Dan Reardon, also known as the Haircut fish, has been a community member forever. And he's just a phenomenal guy. Multi talented, but one of his talents is making memes. And I know that might sound kind of obscure, but he's very good at it. And he makes a custom one for us every Thursday. So what I want to show you. Hey, no problem, fake human. You're here for the what's your meme? All right, so some of you may know I'm going. Tomorrow's my last day for the year. I'm taking two weeks off. I can't believe it. I haven't taken a vacation in like 16 years. So let's go with the meme of the week. So Dan thought, what would Jerry be doing on his vacation? Hold on one second, I'll read the actual caption that he gave for this one. All right, this is the caption. Future Jerry, one week into vacation. Ladies and gentlemen, your meme of the week, Future Jerry, one week into his vacation. There we go. Oh, my God. In case you can't tell it, those are stacks and stacks of magic cards. I'm holding a looks like it's a PSA graded DM reared in Haircut fish magic card, and I have just absolutely let myself go full, full tilt. So, ladies and gentlemen, this is your meme of the week. All right? Take a picture, take a screenshot. Enjoy. I told you, I don't censor these things. Thank you, Dan. This has been great. I appreciate you. All right, let's go. Keep on cooking.
B
Malicious Firefox extensions Hidden malware in plain sight. Researchers have uncovered a malicious Firefox campaign dubbed Ghost Poster, where malware was hidden inside the browser extensions logo images. The extensions posing as VPNs, ad blockers, translation tools, and weather apps were installed more than 50,000 times and quietly deployed a delayed multi stage payload that tracked users, stripped browser security protections, enabled remote code execution, hijacked affiliate links, and injected tracking code. Mozilla has since removed the affected add ons from its marketplace.
A
They might be removed from the marketplace, but if you've already installed them, I suspect that that wouldn't change your particular situation. So you could see here the full list of browser add ons are here. If you're personally using Firefox and install browsers kind of frequently, you may want to take a look at this. Drop a link in chat, Free vpn, get out. Like dude, that alone should scream like problem. Okay, 50,000 downloads. So again, these threat actors are going to keep on cracking as long as they can. Essentially these Browser add ons be Remember, here's the thing. JavaScript as a language runs on the browser side, so the client side. So when you install a browser extension that runs JavaScript, it's executing on your machine. That's why the threat actors can detonate malware effectively on your machine is because JavaScript's detonating client side. Okay, this particular one hijacks affiliate links. So you click on, you know, whatever, you click on one of my Amazon affiliate links to go buy a camera and then they hijack it in transit and then they get the little referral bonus. I will say that I don't know if they were trying to go for. Like being quiet and slow, but like, I mean, I don't know. I, I do affiliate links. Amazon, I probably, dude, I get so little money from Amazon affiliate links that pretty much every month I get an email from Amazon talking about, hey, Amazon affiliate member, here's your monthly like you know, P and L report. And it's, and then it just says like actually you didn't do any business so. Or you didn't do enough business to warrant a report. So keep at it slugger. So my point is I don't even know how much money they're making from this versus, you know, like big, big paydays, right? But you know, I guess there's a market there and if you go wide enough, right, if you had 50,000 people each using your things and affiliate links are getting cracked, you know, for $1 a day, I mean 50 grand a day. I don't know about you, I mean I, I'm not going to commit crime but like if I had a job that paid 50 grand a day, I'd be up for the challenge. Like I wouldn't be like, oh, this isn't a, you know, a big payday type job. This is just a whatever. So anyways, be careful as always, the, the TLDR here for everybody, including my Aunt Dorothea. So general end users is to be mindful installing extensions, especially you know, if they don't come from like official approved sources. In addition to doing that stuff, they actually deliver a multi stage payload that monitors everything you browse and allows a Backdoor for remote code execution. Well, that's quite a different story. That's like actually detonating on the operating system. It's like going beyond the browser. All right, I'm looking. Oh, here's an example. And by the way, like, look at this. This does not. This is in the Firefox browser Add ons. Official repository, Official store. This looks legit, man. 16,000 users, 33 reviews. Cool graphics. Ah, now this is interesting. So the malware is programmed to only work 10% of the time. So really, 90% of the time it looks like it's working correctly. And then occasionally something odd happens and you can't figure out why because it doesn't happen consistently. Smart. Oh my God. It's basically like a proc. It's acting like a proxy. Yeah, it's acting like a proxy. Here you can see it strips security headers off of the session, so then you can be exposed to clickjacking and cross site scripting, hidden iframe injection. So they can basically farm ad click revenue. Wow, this is pretty, pretty sophisticated, dude. I'm telling you, threat actors, given enough time, they'll do it, man. Yeah, I don't know personally, I guess in 2026, I, I, I don't know how to solve this, but I would love to see like a higher, a higher standard for browser extension, like review approval, like, whatever, like, it seems more and more that these extensions continue to be a reasonably common attack vector for threat actors. And because, hey guys, honestly, think about it like the Internet, the way that we operate, it's basically through a browser, right? There's tons and tons of SaaS, apps, even apps on your phone. Most of them are just like wrapped browser interfaces. So with this becoming more and more, I guess, the platform of main use, it needs to have a higher level of stringency that's being reviewed and held to.
B
Microsoft Update breaks MSMQ Microsoft's December 2025 security update is breaking message queuing or MSMQ. On older Windows 10 and server systems, queues fail apps can't write messages and IIS throws misleading insufficient resources errors, all thanks to stricter folder permissions. Uninstalling the update can fix it, but at the cost of losing security patches. The choice is up to you.
A
All right, so we talked about this yesterday. Continue to talk about it. Microsoft released patches. It screws up the MSM queue, which basically kind of dorks up iis. My understanding is here's the deal. She said the fix is you can do the fix, but then you have to Roll back the security patches. The question would be which security patches? If it's just the December 2025 patches, I'm not saying you're supposed to go, okay, so listen, this is literally, this is a perfect real life example where you have to, oh, Steve Young said this one impacted them. Here's the reality of this situation. You have to figure out. Like, what, Apply the patches, right? What does it break? Does it break a lab machine? Does it break the CEO's little pet project? Does it break an Internet facing revenue generating application? Right, These are three different kind of examples with three different, you know, backgrounds around them. But the point is you can't say, oh, you just gotta patch it. I don't know what to tell you. We're cyber security. You gotta do what we say. No, that's not right. If it is an Internet facing, okay, this is only for Windows 10 machines, that's fine. So the impact could be lower. But my, my point remains the same. Whether it's this MSM Q Windows 10 or if it's like next week, it's like some big patch that breaks whatever on whatever, right? It, like I'm, I'm taking this, I'm, I'm extracting back to give a lesson here because this is an important, this is a perfect example. You can fix the problem and get the technology back up, but then you lose the security patches. So now it becomes a question. And this is a perfect example of where it's the business versus cyber the business. So listen, if it's, if it's a lab machine, I'm sorry, like, no, we're not like, I mean, and honestly, if you can roll the patches out everywhere except to the lab machine, fine. Because the risk isn't really that bad there. If you, it's the CEO's pet project or whatever, you could be like, you know, you're kind of a high value target. Like really, like, you know, rub their back. Oh, you're a high value target. We'd really like to just give us a couple weeks. Microsoft's working on a fix. We'll get you sorted out. Hey, take the holidays off your pet project to be here when you get back. Okay, that sounds good. All right, good. On to the next thing. Apply the patches there. Internet facing business, revenue generating. You can't. Listen, you can't stop making money for the business. So in this instance or whatever instance, you need to begin to look at compensating controls. Can you put extra detections on, can you, can you figure out like anything alternative that can be done. Maybe upgrade from Windows 10 to Windows 11, right? I mean, again, you shouldn't be using a endpoint client OS for Internet facing revenue generating thing, but you get my point. Okay. Also, it is worth noting you should give consideration to sometimes you here, this is another example where like this is a hill you might choose to die on. Okay? So if you. Oh, my eyes hurt. If you say it's Internet facing, business makes money off of it and they're like, no, we're not gonna. We're not going to stop making money. Jerry. If this is like not being exploited in the wild. If it is just like a privilege escalation thing, right? Like it. Like if the attack is complicated, the impact isn't that high.
C
You.
A
You can increase detections on the box, you can put compensating controls around mitigating down the impact. Okay? If you can do all these things, then let it fly. If you can't, if it's like a unsophisticated, non like or unauthenticated. No. Oh my God, my head is starting to hurt. An unauthenticated remote code execution. And there's active exploits in the wild. Like we're seeing it all over the place. Like Eternal Blue.
C
We're.
A
Eternal Blue came out, that thing could punch. It looked like the juggernaut from the X Men movies from the 90s where you could just like run through walls like that is shut it down. And that's one where you. You have to be confident to say, listen, this is one that we can't ignore. We can't just say, oh, we need to make money like this one is a problem. We will have serious problems if we don't do this. But if you say that every time you look like Chicken Little or the Boy who Crawled Wolf and you can't get all the credit you need, right? Yeah, exactly. I guess this was in the 2000s. Whatever. I don't. I'm old. Here we go. Justin Gold's gotten it for us. J. Crypto. This right here is Eternal blue in the 2017. 2017. Eternal blue. Just going through your machines. Okay, let's keep going.
B
Takes over. CMMC credentialing. The US Department of Defense has appointed ISACA as the exclusive organization to train, certify and credential professionals under the Cybersecurity Maturity model certification, or CMMC program. Starting now, all DoD contractors handling sensitive data must meet CMMC standards. With a full rollout expected by 2028. Over 200,000 organizations, including European suppliers, will need certification as ISACA takes over from the Cyber AB.
A
Okay, this is wild. Okay, so ISAC has been around for a while. They're the ones who are responsible for the cisa, the system C risk certifications. I think they're phenomenal certs in what they, you know, what's required to get them? I want to know in mods. Can you check? Is there like a story out there about how much ISACA is getting paid to do this? This is like, this is like a dream. Like whoever, whoever, like scored this deal for ISACA is definitely given more than jelly of the month club for a Christmas bonus this year. This is bananas, bro. Okay, so check it out. I want to know. So really quick, if you don't know. CMMC Cybersecurity Maturity Model certification has been around for a few years. It has a mired and jaded and messed up history. There's got to be a YouTube video documentary on it. I won't get into it. I'll just tell you. There was corruption. All the, all the juicy drama bits, Corruption, nepotism, all these things. Okay? And finally 2.0 came out. I don't even know if they say 2.0 anymore, but it is 2.0. And if you want to do business with the US Federal Department of Defense, okay, if you are part of the defense industrial base and you want to do business with them and you're going to be controlling, sensitive, or there's a whole category on like what is considered controlled, unclassified information or cooey, but it doesn't matter. Most businesses are going to need to become CMMC compliant. Now what you need to know about this, and I've been banging this drum for years, frankly, is all of those businesses, all of those businesses, the US DoD is one of the biggest, I guess cost centers or whatever, like biggest spend of the US Federal government. And the defense industrial base is all those fish eating off that coral. All right? So all those contractors want to do that work, but now they have to be CMMC compliant. There is going to be an absolute ridiculous explosion there already has started but of GRC people. Yes, grc. We've got our day. The sun has rose, right? Here comes the sun. Listen, all those companies are going to have to be first get readiness assess. Well, first they're going to need someone to come in and like actually help them get their crap together so, so they can align with it. Then you need a readiness assessment team to come in and actually like make sure that you're going to pass the audit first. Right? Like that. You, you Wouldn't do a CMMC audit unless you were going to get passed. And then you have to hire independent third party auditors to come in and actually do the audit and then pass you. And then you can bid on contracts. Okay. Now this is still not mired with all sorts of MM. Because in order to become one of those auditors that can independently verify. To me that's an entire racket and no one's asked my opinion on this. And I. I might get. This is like one of those things that could get me blacklisted. But like. Like in order to become a third party independent auditor, you have to basically pay to get the certification. And you can't get the certification unless you do all sorts of things, which includes go get training from a very special organization. And this is the really tricky one. You have to shadow already existing authorized or certified professionals on like a couple audits or something like that. How do you get that? That sounds. That sounds interesting. How do I get that? Yeah. No, no, it's. No company is out there going, hey guys, we're doing an audit next week. Does anyone. Anyone want to Shadow anyone? Oh, 40 of you. Come on, come on. No, no, no, no, no, no, no, no. Do you know why? Because if I let you shadow me, right? If I let. If I'm one of the few authorized certified independent auditors and I let you shadow me for 40 people, right? All of Chad, how many we got? 299. If I let you all shadow me right, that means 299 more people can bid on the same work that I'm gonna bid on next week. Oh, no, no. That doesn't sound good. No, no, no. So the only people that I'm gonna let shadow me are people that work at my company. So there's a bit of a chokehold on this whole thing, which kind of sucks, but whatever. They're getting serious. They've removed it from the Cyber AB to isaca. I'm sure it's just to manage operations and maintenance. We'll see how it goes. It's not going anywhere. So Kyle, Kyle says 200, 275 fee, maybe. I've definitely heard other numbers. And it's definitely not just. You don't just Kyle. As far as I know, you don't just take an exam and then you can go audit anyone you want. Like there's definitely a control around it. It's 3 CPAO. 3 CPAO right here. 3 CPA. A CMMC third party assessment organization, or C3PAO is what you're going to be looking for, okay, is an organization authorized by the CMMC to authorized to conduct and deliver assessments. So you have to be a C3PAO organization. I'm telling you, there's much more than a couple hundred bucks. If it was a couple hundred bucks, I would be making video after video after video on how to get part of this. Because it's going to be, it's going to be big. This is going to be big. I'm telling you Right now, 20, 26, this is going to be big. Mark, tape.
B
Privacy concerns surround meta AI.
A
All right, we're going to speed run.
B
The rest because privacy experts are warning about a new Meta policy that uses AI chat interactions to tailor ads. The change, rolled out Tuesday, automatically affects users of Meta AI across Facebook, Instagram, WhatsApp and Messenger. There's no opt out option. So what's this all got to do with cybersecurity? Well, AI chats often include sensitive personal information. Health, religion, finances, mental health. And feeding that into ad targeting could expose users to profiling, scams or other exploitation. Even if meta filters some topics, proxy signals could still reveal private details.
A
Yeah, I don't know why this, I don't know why this policy should come as any surprise to anybody. This is like what meta's business model is. They don't make money off of us. They make money selling to businesses to market to us. And if you could say, hey, listen, we could take it to the next level. We can have AI chats analyze these conver. We can analyze these personal conversations and really dial into your icp, your ideal customer Persona, whatever. With these things. I always, I always think of worst case scenario. I think of the person who's like alone. They're like, listen, I'm just gonna say this, then we're move on. I always think of the person who's like alone because they're degenerate gambler. They're, they lost everything. Their wife left them, their kids hate them, they lost their job because they got caught stealing. And, and they're just in a really dark place and they're talking to AI. They, they're on, you know, it's like their only friend because their friends don't like this person and AI is always there answering questions, whatever. And the guy, you know, the guy's having a tough day and he's talking to AI all of a sudden, like freaking, you know, chat GPT is like, you know what would make you feel better? Like FanDuel is running a special right now. No money down $500, free bets, super bowl weekend. Why don't we watch the super bowl together and win some money? You know, like, just like, sorry, I'm sorry. Stuff like that. Anyways, I just always think of marginalized, you know, exploitable populations when I think of exploiting stuff like this. Yes.
C
Carl.
B
Carl.
A
All right, guys, let's move on. Guys. We've had a. Oh, we've had a real banger today. It's been good. I love it, love it, love it, love it. As I mentioned earlier, I hope you had a great time today. Good, good show. Sorry that I cussed a little bit. I know we have youngs in the chat or listening at home and I, you know, I, I have kids myself. I do. I literally try to make this a family friendly show to the best of my ability. And I'm sorry if I sometimes make a mistake. Don't go anywhere because Daniel Lowry is going to be joining us in just a minute. He's been patiently waiting in the green room, watching me go over time and just being like, jerry, why'd you ask me to do jawjacking if you're just gonna flap your gums all the way through 9:00am all right, so check it out. And reminder, I hope you can join me. I'll share the links with the team here. But 9:30am today, live stream telethon just for good cause. Cyber Security Cares. You could see all these different organizations involved. This was actually part of the Becky's fund last year. Was the fund the one that we raised 12 grand for at Wild West Hack Infest. Cyber Security Cares. Love the shirt, love the organization. Hope you guys can make it even for a minute just to say, hi, I'm Jerry from Simply Cyber. Don't go anywhere until next time. Stay secure. Ever wonder what it takes to break into cyber security? Join us every weekday for Jawjacking, where industry experts answer your burning questions about the cyber security field live, unfiltered and totally free. Let's level up together. It's time for some jawjacking.
C
Well, hello, good morning, good afternoon, good evening, wherever the heck you are. Good, that's. And welcome to Jawjacking. We are going to have some fun stuff going on today because we get to do jawjacking today, which is an AMA style. I was just hitting Jerry up, was like, what is that Cyber Security Cares thing? This is at 9:30 raid that bad boy, right? So when we get done, I'll make sure that right at the 9:30 tick, we done, you can jump over to Cyber Security Cares. And Jerry, if you've got a link to that, drop that in the. In a private chat and I'll put that in there so everybody can go hit that up. Cool beans. All right, well, everyone, thanks for joining me today. If you've got a question, I've got an answer. It's probably inappropriate, but that's totally fine. We like to talk that cyber security here. Hello, Chris Young. Good to see you today. And you know what I like to do? I like to do this right here. That way we can all see it. If you're like, Daniel, your voice is very, very white today because the dog woke me up at 3am he had a great time last night as he escaped from his cage while we were out at church. When I came home, he had eaten about five pounds of dog food and took. Took an equally large amount of defecation to get rid of it. Then he woke up, he's like, no, I'm not done, bro. I gotta go again. I'm like, you son of a gun.
A
Yay.
C
Some tech neck news is Carrie Jason? Yeah, it could be. It could devolve into that. Could devolve into that really, really easily. So let me take a look and see what you all got going on when it comes to those questions. If you got that question, put a big Q next to it. I'm looking at the restream chat. If you put some like QQQ or just something to catch my attention, let me know you want ask me something or tell me something, that's going to be super helpful, me finding it. So I think I found our first question. All right, I think this is our first question right around here. Comes from Sean Sailors. Always a pleasure to see old Sean Sailors in the. In the chatola. Is it worth it to keep my security plug plus active if I have five plus years experience and plan to get my CISSP in 2026? You know, that's a really good question. And the answer is absolutely, positively maybe. And I say that because. So here's the thing. Maybe right now I would probably lean toward yes because of how tough the job market is when it comes to cyber security. And you never know that. You could wake up tomorrow morning and they'd be like, so listen, Sean Sailors, here's the thing. You don't work here no more, so best of luck to you. And if that happens, you'll be like, dang, I should have got that stinking Security plus renewed. And now I gotta go do that. And you're behind the eight ball. And the last Thing you want to do in a, in a bear market for employees is to not be ready for another job. So right now, because the market being total, A total dumpster fire. Steve Young. Hey there, Bob. I, I would stay as razor sharp ready for the next job as much as possible. So if you've got the means and the time to do it, I would say keep it, keep it up to speed. Okay, that's, that's my. If it was a little less, you know, if there was more jobs out there and people really, you know, the market was really good for cyber security workers and I T. Workers in general, where you're just like, oh yeah, no problem, I got another job, you know. But that doesn't seem to be the case right now. So because of that, I would say keep the edge sharp as possible. Good question though. Great question. I love that question. Very relevant.
A
Moving on.
C
Who do we got here? What do we got? Looking for the questions because the questions fuel this show. Here we go. This one comes from Reach. Chris Young, did Dr. Ozer give you admin privileges to end the show on time? We'll see, we'll see. I'll do my level best. I do have the ability to end the show on time is going to be the trick of it, right? Chris Young, he's a jokester, that Chris. Let's see here. Looking for your questions. Throw those questions in there, put a big cue in front of them so I can see it. I can. Justicle says my SEC plus is expired. Yeah, fun fact. I never even got SEC plus so I can't get it expired.
A
Ha.
C
I went straight to CISA and then pen test. So there. Even though I've taught SEC plus. I mean, obviously. Oh, this is interesting. Roswell uk. Have you had a look at Naham Khan's ctf? I have not, but I, I totally forgot about it. Honestly. I'm writing that down. Ctf. Yeah, I'll go have a little look. See, I don't know if I have the time for it, but I'll at least look, I'll probably start. Be like, I don't have time for this and I'm going to start, fiddle with it just to plan. Then you know, 10 hours later and I'm still like, okay, so I've tried double encoding and it's not happening. You know, it's like, what is going on here? Let's see. Here's one from Carrie. Gary Chasing says I have an old 6 7th gen HP. Envy or on. Is it Envoy or is it Envy? I don't know and getting to going to attempt to make it into a NAS with Linux. Wonder what Distro Daniel would use. Well, 600 7th gen isn't that bad. I've had really really good performance out of Linux Mint. If you, if you need something that's, that's lighter than that there is Linux light I've enjoyed Zorin os. I've had that on some older hardware a little depending on I think you should be fine when it comes to like WI Fi and Bluetooth tends to be a little sketch even with something like Ubuntu I've. I've had nothing but trouble with Ubuntu or Bluetooth on it works but it doesn't just depends on your Bluetooth hardware Honestly I've got a bunch of Mac or Apple Bluetooth products and there's just like nah, nah, I'll give you like basic functionality. It's a real bear to get everything to work. That's the kind of thing that turns people off to Linux. But for what you're doing, you're probably pretty solid with going with any one of those things and it should work pretty well. Should work pretty well. So good question. Love it. Get that Linux out there, man. Big Linux fan. Let's see here. Questions? Oh my goodness, there's a question here. Doom cracking just made me go full technic. I've recently gotten my Security plus certified a couple months ago. I'm having a hard time landing an interview, let alone a job in the C sec space. Any tips on how to stand out, man? Brother man, I hate to hear that for you. Tips you can do to stand out. Get, get like cyber security, get some code tattooed on your. No, don't do that by the way. I'm just kidding, I'm just kidding. But that'll make you stand out though, right? Be like Billy, Billy got face tattoo right? He make jelly roll look like he ain't got nothing on him right post. Malone ain't seen enough face tattoos to cover what Billy's got going on. So yeah, there you go. That's a way to stand out. Maybe not the best way to stand out, but it will stand you out. I'm trying to copy this link that Jerry just sent me. Thank you, Jerry. So one of the best things you can do and in this market is know somebody. Build your, build your network of people you actually know. I know Billy, he don't do much for me but I mean he's a good guy to have in a bar fight. I ain't gonna lie. The Boy don't feel pain or something. He got like that Sipa disease where he ain't feel no pain because I seen him straight up take a beer glass to the eye socket and just keep rocking like it never happened. But in that cyber security market, knowing people that they might not have work per se, but they might know someone that has work per se. Know what I'm saying? You hear what I'm. You feeling it? You're picking up what I'm putting down. Gold Leader, right? So that's, that's one of the best things you can do, is develop your personal network of people that you. That know who you are not. I'm not just talking about go onto LinkedIn and YOLO, a bunch of like, connection requests. You got to be real. You got to be you. You got to make real connections with people that know who you are. You got to hang out and haunt with them. You got to talk with them. Do stuff, man. Go deer hunting, go bass fishing, Talk about how you know, you. Your 1986 F150, 302 can't be killed. It's basically immortal, right? That's the kind of stuff you got to do be. You got to get some real connections going on. Once that happens, people are gonna be like, man, my boy Doom Kraken needs some work. I know this guy. Let me you know, he need to hire Doom. Cracking boy. Smart. Smart as a whip. And of course you got to be smart as a whip. And that's why you have those conversations with people like interests, start groups, start stuff like that. Let me tell you what best learning I ever did was in a Linux user group. I, I started because there wasn't one. We did a bunch of cool stuff, learned a bunch of stuff about Linux, learned a bunch of stuff about cyber security. And this was back in the early 2000. I'm talking like 2001, right? Really good thing to do. And then maybe it grows and you, you get the word out, hey, come check out our stuff. It's just free information. Y' all come to the trough. I'm. I'm throwing out cyber slop for the piggies. It's delicious. I can't wait to roll in it. And then everybody comes and hangs out. It's like what we're doing right now, right? So we gotta know who you are, we gotta know what you're doing. You gotta put it out there into them interwebs. So start writing blogs and things of that nature so they got something to sink their teeth into once they hit that Trough, you know what I'm saying? To go, hey, Doom Kraken's got some like, good stuff. That's, that's a good dude, man. He got stuff make, you know, he knows what he's talking about. That's, that's a really good way because yeah, your security plus loan. It's very unlikely this is going to land you some work other than Earl's tire shack. You know, he'd be like, oh, you know how to retread a tire? And you got your security plus. Sweet. You're my new computer guy and get on that tire retreader. Right. So it's a tough market right now knowing people gonna help you out the most. Just gonna throw that whether it's good, bad or indifferent. That is beside the point. The point is, is that's going to be your number one option right there. And give them something to like go, oh yeah, you do know what you're talking about. You don't just have your sec plus, you actually know things because that's the unfortunate side effect of people that cheat on certifications and things of that nature. Like Billy, right? He don't know. You don't know to pour piss out of a boot. He dumber in a tree stump, that kid. Like I said, he don't feel pain. So he's good to have in a bar fight. But you know, or if you need to like break a lug nut loose, I mean, I seen him lift up a fully dressed out Chevy 350 small block and just put it on the back of a truck. I was like, this kid is, I don't know, if he grabs something, it's his. So there you go. That's my, that's my advice. Technic. Booyah. All right, we got about 10 minutes left. Reach. Chris Young says, have you had anyone tell you they passed Pen Test plus yet exclusively using your training course? Well, I don't have a bazillion people that have taken it. I have had people tell me from my previous Pen Test plus courses that they have done that. So I'm the same trainer and I'm doing it better than I've ever done because I have more experience, more knowledge, more understanding the more I do it. So. But I couldn't tell you that I've had anybody exclusively tell me that my training course was all they use. Nor would I suggest that. Honestly. Right, like, honestly, training, no matter what you do, you should follow. You should, you should follow the rabbit trails, right? Kind of eat, eat what's on your plate. So consume the course and then you go back to the trough and you say, okay, what was it that I really just didn't get? And then you're gonna. You're gonna supplement. Okay, maybe I need to slow this down. Maybe I need to, you know, it's not. It's not sinking in for whatever reason. And now I gotta go do some Internet searching, do some aiing, grab a study guide, whatever the case is, right? Heck, you know, have a community of people that are doing contest plus and study together. You could start one in my Discord or Jerry's Discord or whatever the case is. You know, get a group, start your own discord and then that. So, yeah, I wish I could be like, oh, yeah, everybody that takes my course that's going to pass, blah, blah, blah. I cannot make that claim nor right. There are plenty of people out there that'd be like, I. I don't care if I was in the testing booth with you giving you the answers. You're not passing that test. It's just not happening. Right?
A
So.
C
That I wish I could, but that just ain't the world we live in, my friend. Something about the GRC is. This comes from Tyler Scott. Is the GRC Master Class a good starting point for a beginner? Very limited experience, but want to make a career change? You know, I would say so because Jerry is a phenomenal instructor. He knows his business. So if I were going to recommend one, it would be the GRC Master Class. So I think it would be. That's my personal opinion chat. Chime in. Anybody that's taken Jerry's GRC Master class, let Tyler Scott know whether you think that that would be a good first stop for the. For him as a beginner. Good question. Thanks for reaching out. Cryptic roses. How would you start in cyber AI get into that area? Well, first you got to understand AI a little bit, right? It's the foundations stuff. Then I would go to like La Cara AI, right? Like, hold on. It's called Gandalf. Gandalf Lakira AI. Yeah, there you go. Let me grab this and this will be fun. Copy pasting it in paste based. There you go. I can't post messages. Dang it. I don't have that level of access anyway. Go to Gandalf Lake R AI baseline and that will take you to Gandalf and you can start to play and learn about the different methods for like, prompt injection. There's also the OWASP AI Top 10 if I'm not, or LLM Top 10 OWASP LLM Top 10. Right? A great place to start when it comes to security stuff. So let's see here it is called the OWASP Top 10 for Large Language Model applications. So you're going to get to learn quite a bit about the different common attacks that go along with AI and the vulnerabilities therein. So good stuff. There's also the OWASP Gen AI Security Project that's@geni owasp.org Lots of, lots of great stuff out there that's going to get you going so you'll understand a little bit about AI and how that works and then you can just dive right into the security side of stuff. So really fun. Really cool. You'll have a good time. You will have a good time. Thinking of the the mummy, I asked him this question. He said, I was just looking for a good time and then they were going to kill him. He said apparently he had a. A very good time. All right, where are we at? Hide my message. Oh, it jumped. Stupid thing. Take me to the river. Lead me to the water. Okay, we got seven minutes. Oh, here we go. Cool question. Cryptogrows hopefully helps you out. Daniel Hour has joined add to the stream. That is weird. Oh, is that. That's Jerry. Whatever in the bunny.
A
No, no, don't put me on stream.
C
Sorry, I didn't know. That's not what he wanted. He never rejoins the stream. That's why it's like, oh, he's got something to say. You're not on the stream anymore. It's just me. All right, thank you, sir. Thank you, sir. Appreciate that. He's private chatting me now. All right, let's see here. Awesome. Thank you, sir. Appreciate it. Appreciate it. He's just pinning the. The cool thing about the cybersecurity cares thing. Y' all check that out. Y' all got to raid that. We got six minutes. All right, hitting it up. Looking forward to questions. Billy ain't the brightest, but he works like a mule. He is indeed, boy. 10 hour days ain't nothing for him, for old Billy. He just don't know no better but to keep going. He's like a dog after a laser, you know what I mean? You ever see that when you got the little laser beam and he just, he just, he's like. Heart is bursting out of his chest, tongue just dragging, but he just keeps chasing that laser. That's Billy. All right. Let's see here. This is from Space Tacos, but says it's from Abu. I'm new to GRC Cyber Security graduate. I have a GRC off officer interview and want to do revisions for the important topics and interview questions. What do you recommend? Well, JRC is not my forte, but I would recommend getting in some, like some groups that that's what they're studying for. Ask AI. That's a. That's another really great way you could use AI is go in and tell AI, hey, your role is as an interviewer, a hiring manager. You're going to interview me for a GRC officer position. Give it all the little details that you need to give it and tell it to act as that in that role and then tell it to interview you. And then go through a mock interview with AI and then ask some people that you know that are in into that kind of thing and see if they can help you out. Maybe do a mock interview with you or just like go over strength and weaknesses. Ultimately, at the end of the day, as long as you know the subject matter. Interviewing is about personality. It's about being a good interview. You want to make them feel like that was fun. I, this guy was, or lady as it may be, they were greats. I enjoyed talking with them. I would love to do that more. That's what you want to do, so. And it's okay if you don't know everything. That just, that might be the thing. You just might be the better culture fit even from someone that does know everything. Not always the case, but you never know. So do your best to study up, do some stuff, do some mock interview stuff. But when it comes to getting into the actual seat itself, that's where you just got to kind of let you shine and be cool and be genuine and just have fun. Don't be, don't be goofy, don't be in there like I'm a dancing clown, blah, blah, blah. You know, that's not what you want to do, but you want to, you know, fun little, just joking with them. Yeah. Little quips, that kind of stuff. Keeping it light, keeping it fun, talk about relevant things. I would read up on a bunch of relevant things to GRC right now within like the last couple of months so that you're up on those topics. So if that stuff comes up or if a topic about, you know, if some, if something gets brought up in the interview that those, you know, real life stories are relevant to, you can attach them together and they go, wow, you're really on this. You are. You actually understand you're in this business, you're paying attention and that goes a long way. That's a big thing to do. Let's see here. Hide that message. Okay. I'm looking for the question questions. Looking for those questions. You guys are just chatting away. I'm loving it. Oh, here we go. This comes from the haircut fish. What's up, Dan? How many energy drinks is too many energy drinks? I don't understand the question. That doesn't. It's not making any sense. Just. You're just. Are you. I mean, you've been hitting the Boone's farm a little too much this morning there, Dan. Is that what's happening? You just got a little. Little hair of the dog this morning and you just babbling all. You just didn't. It's leaning on the keyboard with your elbow because that's all I see there. Oh, my goodness. We got one minute. Okay? It's almost time. It's almost time for all of us to jump over to the Cyber Security Cares. Check out that link. Get it ready. It is in the chat. Okay. Yeah, I don't think we have time to go for another question because I want us to raid that Cyber Security Cares thing. So Everybody grab the YouTube link and get ready to rock and roll. It's going to be awesome. Let's go check it out. Thanks, everybody, for joining me this morning. I appreciate all the great questions. And until next time, if I can do this correctly, stay secure.
Theme:
In this fast-paced episode, Gerald (“Jerry”) Auger, Ph.D., leads a lively walkthrough of the day's major cybersecurity news, pulling in his decades of practical GRC and security operations experience. The show aims to equip listeners—from solo operators to aspiring GRC professionals—with real-world context, actionable takeaways, humor, and community insight. The second half features “jawjacking” Q&A with co-host Daniel Lowry, bringing career advice and practical tech talk.
[13:19 - 20:29]
What happened?
The FTC is forcing Nomad, a crypto bridge, to repay $37.5 million after a 2022 hack that drained $186 million, due to "inadequately tested code" being pushed to production.
Key details:
Jerry’s take:
“This $186 million… customers lost about $100 million, total, right? …you’re gonna get 30 cents on your dollar, four years after the incident.” (15:52)
Jerry critiques both the company’s lax code processes and the slow, partial restitution, warning fintech listeners that “if you f around, you’re gonna find out just like this company did.” (17:31)
Advice: Use this as a warning in your org: even “subjective” failures in code testing can provoke major regulatory action.
[20:29 - 26:28]
What happened?
Attackers are exploiting an unpatched React to Shell bug, landing ransomware within a minute—disabling protections, deploying Cobalt Strike, encrypting files, and deleting logs, all without lateral movement.
Insights:
Jerry’s breakdown:
“There’s no way you detonate ransomware first and then disable security tools. That’s stupid. …First thing you’re doing is disabling security tools—knock the Doberman Pinchers out.” (22:41)
Clear explanation of lateral movement and root cause, urging listeners not to “YOLO” production code and to audit detections for key attack behaviors.
[26:28 - 30:08]
What:
European law enforcement dismantled Ukrainian call centers scamming over $11.7 million by posing as police and bank officials.
Takeaways:
Jerry’s reaction:
“This is just a modern day racketeering, like mob, you know, scam thing.” (28:14)
Advice: Remind friends/family that real banks/doctors/police will never request urgent actions via phone or text.
[30:08 - 35:43]
What:
Attackers accessed internal email accounts, confidential files, and wanted persons data for several days; no ransom asked.
Jerry’s concern:
Downplays official statements that “no lives were at risk,” arguing impact is not always immediate or obvious:
“The impact of this attack has not yet been realized or its potential… To say it right after the attack is… poppycock.” (34:23)
Lesson: Practice robust data governance and proper incident disclosure—don’t make unproven assurances in the early aftermath.
[40:50 - 47:52]
What:
Campaign “Ghost Poster” hid malware in logo images of extensions (VPNs, ad blockers, weather, etc.), deploying user tracking, backdoors, and affiliate hijacks.
Takeaways:
Jerry’s reflection:
“Given enough time, [threat actors] will do it. …I would love to see a higher standard for browser extension review approval.” (46:34)
Advice: Only install essential, highly-vetted browser extensions—malicious add-ons are a mounting risk vector.
[47:52 - 53:47]
What:
December 2025 update broke the Message Queuing System, halting services unless patch is removed (but then systems lose security updates).
Jerry’s counsel:
“This is a perfect real-life example where you have to… figure out, what do you do? You can fix the problem and get the technology back up, but then you lose security patches.” (48:30)
— Importance of risk-based decision making: business-critical functions may need compensating controls if a patch disrupts core ops, while low-value systems can wait.
Compare with notorious “EternalBlue” situation—use severity and exploitability to decide where to “die on the hill.”
[53:47 - 60:48]
What:
DoD appoints ISACA as the exclusive organization to train/certify/credential contractors under the CMMC program.
Over 200,000 organizations need certification by 2028.
Jerry’s analysis:
“Whoever scored this deal for ISACA is definitely given more than Jelly of the Month Club for a Christmas bonus this year. This is bananas, bro.” (54:32)
Details the “racket” nature of how to become an authorized auditor (C3PAO status hard to obtain and tightly controlled).
Key Point:
“There’s going to be an… explosion of GRC people… our day has come!” (56:15)
— Listeners in GRC: prepare for opportunity, but beware of gatekeeping and high barriers to entry.
[60:48 - 63:25]
What:
Meta changed policy—AI chat interactions now used to customize ads across Facebook, Instagram, WhatsApp, Messenger. No opt-out.
Why is this risky?
Jerry’s view:
"This is like what Meta's business model is… I always think of marginalized, exploitable populations when I think of exploiting stuff like this.” (61:42)
Warning: Users already in vulnerable states could be targeted even more invasively.
Format: Rapid-fire Q&A, career coaching, tech troubleshooting, playful banter.
“Is it worth it to keep Security+ active if I have 5+ years and plan on CISSP?”
“Right now I’d probably lean toward yes because of how tough the job market is… you want to stay razor sharp ready for the next job.” (66:50)
Job search advice for new Security+ grads:
“One of the best things you can do… is know somebody. Build your network.” (72:29)
Don’t just blast LinkedIn; make meaningful connections.
Start a study group, join Discords, write blogs—give people a chance to see your knowledge.
GRC career starter:
Jerry’s GRC Master Class is recommended by Daniel as a great entry-point for those with limited experience.
Breaking into AI security:
Learn the foundations of AI first (try OWASP LLM Top 10, Gandalf), then move into security aspects.
GRC interview prep:
Leverage AI for mock interviews, be personable and up to date on current topics—success is often about culture fit and knowledge of recent trends.
| Segment | Start | End | |---------------------------------------|----------|----------| | Opening & Community Intro | 00:01 | 13:19 | | Crypto FTC order - Nomad | 13:19 | 20:29 | | React to Shell ransomware | 20:29 | 26:28 | | Ukrainian fraud call centers busted | 26:28 | 30:08 | | French ministry breach | 30:08 | 35:43 | | Meme of the Week | 36:30 | 40:50 | | Malicious Firefox extensions | 40:50 | 47:52 | | Microsoft MSMQ patch breakage | 47:52 | 53:47 | | ISACA and CMMC certification | 53:47 | 60:48 | | Meta AI privacy policy | 60:48 | 63:25 | | Jawjacking Q&A | 65:17 | End |
“Every single episode we go through about eight stories and I have no idea what they’re going to be. …I promise…to not only give you the story…but give you additional value so you can utilize it and not have to experience it or learn it on your own the hard way.” — Jerry (03:12)
“Knowing people is going to help you out the most. Just going to throw that—whether it’s good, bad, or indifferent. That is beside the point. The point is, that’s going to be your number one option right there.” — Daniel on job hunting (72:29)
This summary captures all the mission-critical insight and memorable moments from Ep 1029, December 18, 2025. Ideal for cyber practitioners, newcomers, and leaders seeking actionable context—and a daily shot of cyber camaraderie.