A
All right. Good morning, everybody. Welcome to the party. Today is Friday, December 5, 2025, episode 1018 of your Simply Cyber Daily Cyber Threat Brief. Listen, if you're looking to stay current on the top cybersecurity news stories of the day while getting informed, educated, going beyond the headlines, you can take this information, assimilate it and actually make it actionable, transactional at work, strategic for your career, the whole gamut. This is a multi-pronged show of value. I'm your host, Dr. Gerald Auger. This is the Simply Cyber Community. You're locked in for a beautiful Friday morning. The next hour is going to be mad value. Strap in, get ready, get the coffee and let's cook.
That's right. Good morning, everybody. Happy to have you here this morning. Steve Young. Marcus Kyler Nerman. My man. Sierra Montgomery. Elliott Matai. So many familiar faces. AdTech, great to see you. I see Jenny Housley working for the weekend in Mod Chat. Guys, I got my coffee locked and loaded. Ask me at Jawjacking, if you will, about the coffee situation. Had a bit of a snafu, but got it all sorted out. Guys, if today's your first episode, you picked a banger. It's been a good week. It is the holiday season. Let us know it's your first episode with a hashtag firsttimer. I'm gonna extend it a bit. If you're a regular on the audio only like Spotify or Apple Podcasts, and you're tuning in live with us on the video streams, let us know. Hashtag firsttimer Live. Perhaps you're Team Replay, but you're taking some time off for the holidays or you're playing hooky today, or you're in the car and typically you can't text and drive, but you're in car line dropping the kids off, let us know. Get your first timers up in here. AdTech says, I'm right there with you. Hashtag first timer in chat. Now, whether you're a first timer or a long timer, because we are going to go through the news stories and I am going to use all of my expertise to go beyond those headlines and deliver additional insights that you're not going to get from a classroom or textbook, this podcast is worth half a CPE. That's about half an hour of educational, you know, continuing ed. But we do it every day, so it does stack up. Most people like E. Lucky and Jenny Housley, they're like, bruh, I'm not getting out of bed for less than half a CPE. What are we doing here? Well, it stacks. You can get up to 120 a year. So just, you know, show up every day, get your CPEs and, you know, get some value. That's what we're all about in here. So take a screenshot, and do say hello. Right. Just like John Platt did. And real Bilbo Dennis Keith. Say hello. Grab a screenshot.
You'll be in the screenshot. The title of the show has an individual unique ID, 1018. It has today's date, December 5th. We've taken care of it all for you. You don't have to sweat it. What we want you to do is get value and not sweat the small stuff. Live Beat Labs is in the house. Good to see you, Live Beat Labs. I also want to let you know, if you're a regular here, you already know, but we got eight stories we're going to go through. Do you know how many I know about? Zero. Do you know why? Because I didn't research or prep for any of these stories. Now you might be like, Jerry, that sounds like an awful podcast host. Why don't you do your prep work? Or why don't you do that? Because this is real life, and cybersecurity practitioners, this is how we do it. You ingest threat intelligence and then you assimilate it into your workflows and keep on cooking. You don't have time to prep. If anything, I would look like a disingenuous prick up here if I, like, did all the research before and then was like, oh, you know, this actually reminds me of this super obscure event in 2003. No, you know what the reality is? Ain't nobody got time for that. Ain't nobody got time for that. So that's what you're getting. Real life. What's up, Haircut Fish? Good to see you as always.
Soap Flavored says I am in need. So I have not gotten out of bed for half a CPE. I hear you, Soap Flavored. Love it, love it, love it. Now remember, today's Friday, which means only one thing. This guy right here, James McQuiggan at 35,000 ft, our very own dad joke generator, is going to be sharing with us some rib ticklers at the mid roll. Every single day of the week, at the bottom of the hour, we take a little break. We have a little fun. Friday is James McQuiggan's day with the jokes. It's great. And then at the end of the show, if you got time and you want some value, we're going to do a Jawjacking panel like we do every Friday. I know FedEx has asked to be on the panel, so we're going to get him up in here. A couple other regulars that we normally have. Perhaps. Perhaps the Kathy Chamber sighting. I don't know. I don't know. I don't know if we'll have time. We'll see. It'll be fun, though, no matter what. And then I just want to remind everybody it is the first Friday of the month, which means.
You probably don't know because I do an awful job of promoting it, but we have a live AMA on the Discord server at noon, I think. Let me see. Pull up my calendar here. At noon. Noon to 1:00pm. So if you're not part of the Simply Cyber Discord community, you're missing out on huge value to begin with. Second of all, go check it out. simplycyber.io Discord. Giddy up on that. All right, now. Allow me to pay the bills. Thank you. Also, shout out to all of you who showed up last night for the ThreatLocker Simply Cyber Fireside. My guest, Yuri. I was a little nervous. I thought he crushed it. I thought there was mad value. And you guys were just absolutely super supportive. I thank you. I genuinely thank you. Thank you. All right, guys, let's hear from the stream sponsors. Starting with DeleteMe. Got DeleteMe. Makes it easy, quick and safe to remove your personal data online. At a time when surveillance and data breaches are common enough to make everyone vulnerable, data brokers make a profit off your data. Your data is a commodity. Anyone on the web can buy your private details, which is pretty gross. This can lead to identity theft, phishing attempts, and harassment. But now you can protect your privacy with DeleteMe. As someone with an active online presence, privacy is really important to me. I am a DeleteMe user, subscriber, whatever you want to call it. Member. I told them to scrub everything that they possibly can. Go for it. I challenge you guys. I want to protect my private life. Right now, I'm in the studio in the backyard. Got the house up front. You know what I mean? Like, I'd like to know. I don't want someone showing up at my house that, you know, I didn't know was coming because they, like, bought my information online. That's crazy. Take control of your data. Keep your private life private by signing up for DeleteMe now at a special discount for our listeners.
Get 20% off your DeleteMe plan when you go to joindeleteme.com/simplycyber and use promo code SIMPLYCYBER at checkout. The only way to get 20% off is to go to joindeleteme.com/simplycyber and enter code SIMPLYCYBER at checkout. That's joindeleteme.com/simplycyber, code SIMPLYCYBER. All right, continuing to cook here with Antisyphon Training. I believe they're doing their Black Friday special through the month of December. Get access to their entire catalog. 50 plus on-demand courses, a cyber range, a virtual ticket to the Wild West Hackin' Fest conference in February 2026. This is a kit and caboodle of content. So whether you're looking to learn red team, blue team, IR, cloud forensics, threat hunting, OSINT fundamentals, AI programming, they got you covered. It is 1500 bucks for that one year subscription. I would suggest, honestly, and I've said this the last couple days, if your employer has training money and it's going to expire at the end of the year, get this. I mean it's completely legit. This isn't some type of scam. It's completely legit. Get it. And then you can, you know, pay for it now and then you can take it throughout the year, kind of double dip on those training dollars and then perhaps use the training dollars to go to, I don't know, Black Hat, DEF CON, Wild West Hackin' Fest, Simply Cyber Con.
All right, so definitely appreciate that. Go to antisyphontraining.com today. I'll drop a link in chat for it. Oh my God, bro. What are we doing here? All right, hold on. There we go. All right, let's just hear from ThreatLocker right quick and then we're gonna cruise into the news. I am so pumped. Gonna take a slug of this coffee. I want to give some love to the Daily Cyber Threat Brief sponsor, ThreatLocker. Do zero-day exploits and supply chain attacks keep you up at night? Worry no more. You can harden your security with ThreatLocker. Worldwide companies like JetBlue trust ThreatLocker to secure their data and keep their business operations flying high. ThreatLocker takes a deny-by-default approach to cybersecurity and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operation is fully supported by their US-based Cyber Hero support team. Get a free 30 day trial and learn more about how ThreatLocker can help prevent ransomware and ensure compliance. Visit threatlocker.com/dailycyber.
Definitely love it. All right, what's up, Ms. Julian? Good to see you in chat as always. If you haven't checked it out yet, Ms. Julian has a newsletter on LinkedIn that is crushing it and very happy for her. Go check it out and I'll see if I can't pull a link to it, or Ms. Julian, if you want, if you can DM me it, I'll share it with everybody. Let people know about this. Sarah, hold on. Sarang Gupta 70 gave a job interview for a GRC role today. First in four years. Waiting for the results. Wish me luck. Yeah, man. Congrats. Congrats. All right everybody. Steve Young, do me a favor, sit back. Marcus Kyler, relax. Brendan Corbin, grab the handle and pull the lever. Kick those feet up. Sierra Montgomery, grab the coffee. Let's all let the cool sounds of the hot news wash over all of us in an awesome wave. I will see you all at the mid roll.
From the CISO series.
B
It's cyber security headlines.
A
Larry Shervington with the gifted subs. Thank you Larry. And to the five people who just received those gifted subs like not a hacker 210 and Abraham Jason hall, you have Larry to thank. Get into that emote tray and scoop them up.
C
These are the cybersecurity headlines for Friday, December 5, 2025. I'm Rich Stroffolino. Predator spyware spotted across several countries. Recorded Future's Insikt Group reports that while U.S. sanctions against Intellexa's Predator spyware have seemingly slowed its overt use, it's still in use internationally. Researchers found evidence of its use in Iraq, Pakistan, Saudi Arabia, Kazakhstan, Angola and Mongolia. Meanwhile, previous usage in Botswana, Egypt and Trinidad and Tobago has fallen off. The researchers noted that this might not reflect a decline in actual usage. Instead, Intellexa made significant infrastructure changes to make it harder to detect. Amnesty International revealed this week that Intellexa can remotely access Predator customer logs, further exposing the company to liability for misuse.
A
I mean, okay, so couple things. Number one, spyware, like legit, real espionage, platinum level spyware, is legit. Predator is one of the leaders in the clubhouse, if you will. You probably have heard of Pegasus, which is NSO Group's version of spyware, which is excellent. And the reason that they're so excellent is because, at least for mobile devices, it's zero click. Meaning, you know, you can't stop someone from text messaging you, right? That's why you get these stupid "you have an outstanding toll fine" text messages or "your UPS package has been rerouted" or whatever. You can't stop someone from sending you the first one. You can block it once you know their number, but for the most part you can't block it. Which means a threat actor who has a zero-click, take-your-phone-over malware payload can send it to you and you can't do a damn thing about it. Okay, now I know that Apple has introduced some, like, super hardening versions of their Pro, you know, like these profiles that are super hardened. But like everything else, the more you harden something, the less usable it is. And when you start introducing friction and reduced functionality, you've got, you know, executives and end users and power players who are like, ah, this phone doesn't do what I want it to do. Hey nerd, make this phone do what I want it to do. And it's like, well.
Well, actually, hold on. You're like, hey nerd, make my phone work. And they're like, actually, we could do that, but it would introduce excessive amounts of risk to you, ma'am. And power business executive is like, I don't give a damn. Make me, like, give me access to my emoji keyboard and do it now or I'll find someone who will. And then you're like, all right, all right, all right. So that's not a practical approach right now. The US has sanctioned the crap out of these companies from using it. But I got to tell you guys, when you have a product that makes massive amounts of money.
And you live in a capitalism-driven society, here are your choices. You can say, oh, okay, you got us. We'll stop selling this incredibly valuable, incredibly lucrative product and we'll just go back to the drawing board and we'll try to figure it out. Even though we have people with lots of money in very powerful positions who don't care about the sanctions and want the utility of this tool so they can get insight and espionage on their adversaries, on their political opponents or on their business, you know, opponents or whatever you want to call it, like, you know, competitors. So what they do is the logical thing, what game theory would suggest: they make their infrastructure harder to detect. They stop targeting certain groups that probably could lead to visibility of the action still going on and they continue to run roughshod around the world. So here's what I would say. Number one, this should come as no surprise if you're, again, like, just to take a step back. I go beyond the headlines. All right? That's part of the shtick of what I'm doing here. And sometimes, it took me a while in my career to figure this out. I love tech, I love getting my hands dirty. Hands on keyboard. Let's get into the logs, let's nerd out and everything like that. But if you're so focused on the, you know, microscopic transactional details and you're not paying attention to the macro level goings on of governments and legislation and business, you're gonna miss the forest for the trees. And again, when we say that cybersecurity is here to enable the business, that's true. You have to understand how you can enable your business. But by understanding how business works in general, it is going to enable you to be more effective at delivering your job as a whole.
And by the way, it's going to make you more awesome as a candidate when you're interviewing because they're going to see that you understand not just the zeros and ones, but also how that impacts the bigger picture on the world stage. Right. Or within the industry itself. All right, so what are you supposed to do about this, guys? TL;DR:
If you have high ranking executives, whatever.
I really don't know if there's any IOCs on this spyware, but just make them aware, you know, this is a whole thing.
And shout out to Recorded Future for discovering this and, and unminding that. I have a couple friends that, that are Dakota State University PhD graduates that graduated with me who are reverse engineers at Recorded Future and they're both, the two guys I know are both awesome. So I mean if they're doing really good work ripping apart these executables that are definitely developed by high ranking or high end software engineers. Okay.
Looks like they're using ads to deliver the spyware. I mean, whatever, dude. Whether it's Intellexa's Predator or it's just like some cryptojacker, they got to get it on the device. Now if it's zero-click text message, you can't stop that. But if it's ads, if it's email, etc., you know, you can do something about that, whatever. For me the TL;DR is that spyware is still around despite sanctions. No kidding.
C
Russia blocks FaceTime. Russia's communications regulator Roskomnadzor announced it blocked Apple's video calling app as part of its continued crackdown on foreign tech allegedly used for criminal activity. The country has also recently imposed sanctions on YouTube, WhatsApp, Telegram and Roblox. Without providing any evidence, the state regulator said, according to law enforcement agencies, FaceTime is being used to organize and carry out terrorist attacks in the country, recruit perpetrators and commit fraud and other crimes against Russian citizens. So far there's been no word from Apple on the move.
A
Draft you all right? I. Okay, so FaceTime is being used to coordinate terror attacks in Russia. All right, I mean, here's the thing. Number one, you know, the Russian government has every right to block an app like this if they want. Right. I mean, we've done it in the United States with like Kaspersky antivirus on the federal systems. I still am confused if there was a TikTok ban or not. I, like, legit don't know. Don't know if there was a TikTok ban, but, you know, whatever. Here's my thing. If terrorists are using FaceTime to coordinate attacks, they're just gonna switch to Signal. And if they block that, they're gonna switch to Telegram. And if they block that, they're going to switch to WhatsApp. So, like, this shell game here seems a little silly even. Dude, they could even just jump in, like, a Battlefield 6 lobby and coordinate. You know what I mean? Like, all you need is a medium where everybody can get there and have, like, voice. You could use Discord. You could, I mean, you could do it on this live stream if you want. I'm not suggesting we do that here, but my problem is I would suspect that there's actually a more insidious objective here. You could see that it's the state censoring private communications. Yeah. Oh, look, yeah. Restrictions previously imposed on YouTube, WhatsApp and Roblox. So essentially, to me it looks like Russia is, again. I guess Elliott Matai should probably be hosting today's episode given the topics we're talking about. But, like, it seems like Russia is, like, trying to put a stranglehold on its citizens and the communications and, you know, making sure that everybody's toeing the state propaganda lines and, you know, they're just banning tech left, right and center as opponents are using it for coordinating and communicating. Right.
Russia did launch a state backed rival app called Max, which critics say is used for surveillance. I mean, India is trying to do this right now in India and Apple's pushback on that. You know, I don't know if this is a coordinated effort between Russia and India. Kind of like tag teaming, kind of like, you know, whatever. Macho Man, Randy Savage and Hulk Hogan joining forces to kind of like push back on Apple and cause financial pain for them. I, again, that's a bit of a stretch here.
Yeah, I mean, I don't know.
Whatever. This is like an. I don't want to say this is a nothing story, but, like, there's nothing for us to do here. You and I. There's nothing. I mean, I guess you could say, hey, it's possible for people to coordinate and share information over FaceTime. But, like, no kidding, like, you can use any communication medium for coordinating and communicating. You know what I mean? Like, you could do it in Facebook private groups, you can do it on DMs, like, whatever.
C
Cyber strategy set for January release. CyberScoop sources say the Trump administration plans to release a five-page, six-part national cybersecurity strategy next month.
A
All right, BZ Baby Zaddy, super chat, thank you for the super chat. Says I need help. I have a cyber team but no cyber mission. We literally only exist for compliance. How do I prove value to the organization? That's a fun question. Hold on one second.
The easiest way to prove value to the organization is reporting. I know that sounds boring AF, but if you can work within the construct of your compliance objectives, you can start measuring and showing where you map on a cybersecurity framework, your maturity level. You can show your risk exposure over time with trend data. Now, I will tell you.
Baby Zaddy, the one thing, and I've known some people who work at organizations like this, if your senior leadership doesn't give a crap about cyber, if they truly believe that they are too small to be attacked or it's not really going to happen or whatever, then you're going to have a tough time getting past, like, informal levels of maturity, like, you know, level two out of five kind of thing. But if you can show these things, it's good. And then if you can also show, like, realistically guys, you're definitely having cyber attacks, whether it's phishing emails or malware payloads or BEC, business email compromise. Highlight those risks and you might even want to highlight, hey, we had this, you know, $30,000 business email compromise because of, you know, this happened, this happened, this happened. Suggestion would be if we invested $30,000 into an email security gateway, and I know that sounds like a big amount of money, but we could either spend $30,000 on a freaking email gateway or we could just give the next threat actor $30,000. What do you say, boss? Huh? Huh? All right, so that's what I would recommend.
C
This could also be followed by an executive order that would spur implementation. The six pillars in the document continue to focus on offensive cyber operations, making cyber regulations more uniform, strengthening the federal cyber workforce, streamlining procurement, protecting critical infrastructure, and planning for emerging tech. Currently, the administration is soliciting feedback on the strategy from industry stakeholders, so the final text may change.
A
All right, what are we talking about here? This is, I would like to read this. The thing, the thing with these like, executive orders or, you know, key pillars for, you know, executive branch administration. Right. Like every president. And I don't care if you're a Republican or a Democrat or a Libertarian or an Independent or. Although I mean, presidents are always Democrat or Republican, unless you want to go back to like the Whig Party or whatever the hell that was.
The politics don't matter. Almost every single president since Obama, maybe, maybe the first Bush, has had, like, some type of cyber direction. Right. I think Obama might have been the first one. Right. So for me, I don't want to read it until. I'm not, they didn't ask me to contribute to it. Right. So I don't want to read it until it's final and published because things change. There's all sorts of, you know, like, squirreliness going on. So I look forward to reading it. I'll probably do a breakdown on it personally.
The six pillars in this executive order focus on offense and deterrence, which is funny. I'm sure they're using. Well, hold on. Aligning regs to make them more uniform. That's a good point. Fine. Bolstering the cyber workforce. That's good for us, right? Straight cash, homie. Let's get paid. Straight cash, homie. Federal procurement. We'll see. We'll see what that is.
And then critical infrastructure protection, which has been a thing for 20 years. Right. And then emerging technology, which should just be read as AI. Okay.
All I would say is we have made as a. Again, this has nothing to do with you at your work today. You know what I mean? Like, this is.
Every story is just nation state, federal level politics, man. Like, I guess it's more refreshing than having a story about, you know, insert variable name company here suffers insert variable ransomware attack from insert variable threat actor for insert variable number of millions of people's records impacted. Right. I guess I can't complain because I complain if it's the other thing. But, like, whatever.
They do say emerging tech, I mean, that could be quantum computers as well, but I think quantum computers, much like the Metaverse. Okay, do you remember the Metaverse, like three years ago was like the rage everyone was talking about. I feel like that's quantum computers. Like everybody's like, oh my God, quantum computers. And now it's like, like everybody's on to the next thing.
For me personally, I guess I'll just share my approach. I like to read these executive orders, see what the focus is from the executive branch, and then just kind of keep it in the back of my mind. I don't put a lot of stock into it as far as, like, impact, because, like, think about Biden's executive order a couple years ago. It's like, oh, I want multi-factor authentication on everything in the next 90 days and zero trust architecture 30 days after that throughout the federal government. It's like, bro, are you that, like, I get it, Biden's not a technologist, you know, he's a politician. Same with Trump, right? Like, what you're asking for sounds great. And, like, yes, you put your stamp on it, but, like, it's ridiculous. No one, you're not going to overhaul the entire federal IT infrastructure in 120 days. Even if you had infinite money, which we don't. You can't do it that way. It's too disruptive. All right, hey, really quickly, wait. Well, really quickly, holler. We mentioned Ms. Julian's newsletter earlier in the show. Here it is: Uncertain to Unshakable. I will drop this link in chat. It's been going gangbusters. She has over 1300 subscribers to the newsletter. Congratulations, Ms. Julian. Continuing to pump it out and maintain consistency, which is.
The hardest thing and the most important thing.
C
Brothers arrested for deleting government databases. The U.S. Department of Justice arrested twin brothers Muneeb and Sohaib Akhter on charges related to insider threat activity against several government agencies. Both brothers worked as engineers at the federal contractor Opexus, using their access to allegedly delete up to 96 government databases impacting the IRS and General Services Administration back in February. In an even more bizarre twist, both brothers had previously pled guilty to charges tied to a US State Department data breach back in 2015, with each serving multi-year prison sentences. Both brothers denied wrongdoing in an interview with Bloomberg earlier this year.
A
Yeah, I don't know what these clowns are up to.
I don't know if they were involved with the DOGE thing. This, this.
They were in the news like, like literally a year ago.
Basically, they just deleted databases, right? Like caused havoc, chaos. Right? I mean, I don't know. Like.
There's not much of a story here. You know what I mean? Like, hold on.
All right, hold on. Let me see really quickly. I mean, obviously the lesson here is.
The lesson here is insider threat for sure.
Yeah. Look at this. This is the. This story's from 2015. From the Department of Justice. October 2015. Twin brothers were sentenced today for conspiracy to commit wire fraud, access protected computers for two years. Okay, now here's my thing. Can I get.
Can we get. Are these felonies?
Are these felonies?
Hold on, I want to know if these are felonies.
Are these felony. Hold on, I gotta ask AI here, are these felonies?
Because if they are, this is ridiculous. Conspiracies to commit wire fraud and unauthorized computer access are almost always federal felonies. These guys went two years in jail for felonies.
And somehow.
And somehow they got jobs as federal contractors accessing sensitive federal government databases, like at the IRS and stuff. This makes no freaking sense to me, okay? Like, I know not a lot, but I've known over the last couple years with Simply Cyber several felons who have wanted to get into cybersecurity. And it's like, absolutely, you know, uphill battle into the wind. Like, it's so difficult that most of them just kind of abandon it. And these two go, like, guys got.
Not just got jobs, but then immediately exploited their access to do more malicious stuff. So I. Can we, like, throw the book at them harder maybe? Like, I'm so confused.
Okay, so allegedly on February 18, he deleted 96 databases. So he just, you know, right click, select all, delete and then called it a day. Not even clean, dude. Like, obviously there were logs on this, I guess. Here's my thing. Here's my thing. Two things for everybody. Number one, insider threat is a thing. Hey, we're all a family here. Yes, that's true, but at the same time, you only should have access to what you need access to. And you should absolutely have backups, right? So you can recover to a known good state. And you should have.
Like, auditing turned on for abuse of access. Right? Conditional access. So people only access the things they need. Like, if this guy had legit access to this database, that's fine. I have no idea why he had access to delete the database. That. That's not a function that most people who are doing analyst jobs.
Would have access to. So, I don't know. We'll see. I mean, at a minimum, I'd like to follow this story and just see if these guys get the justice, or the punishment, that they deserve as, you know, immediate repeat offenders.
C
And now, a huge thanks to our sponsor, Vanta. What's your 2 a.m. security worry? Is it "do I have the right controls in place?" or "are my vendors secure?" Enter Vanta. Vanta automates manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data and simplifies your security at scale. Get started at vanta.com/ciso. That's V-A-N-T-
A
A dot com slash CISO. Yeah, you know, I'm looking at chat. There are, like, definitely some great comments in chat right now. Like, AdTech is talking about how long it takes to get a clearance in the government. Yeah, 100%. Like, I had a clearance. It was not clean and quick and it was actually quite invasive. And again, I don't have a felony charge associated with me. Again, I don't know how that was. And then Roswell UK talks about how the employer themselves didn't discover the problem. The actual FDIC did, which is even more interesting. But then that is slightly indicative of, you know, the levers here or the incentives. Right. So, like, these companies are getting paid for having bodies in seats, right? They're federal contractors, so they might be open to looking past a problem in order to get, you know, basically straight cash, homie. Straight cash, homie.
All right, let's go. What are we gonna do here? I guess.
We still haven't cracked the code on getting around the copyrights. So here we go. Guys, I want to say a quick shout out and thank you to all of you. Nick Dowd, Boju 188 Jost x 80 Penguin Michael Sutherland. What's up, guy? We got John.
In here. So many squad members, so many friends. Jose Alfredo, thank you for being here. I hope you're getting value from the show. We are at the bottom of the hour. Want to say thank you to the stream sponsors again. DeleteMe, Antisyphon, ThreatLocker and Barricade Cyber Solutions. Guys, Barricade Cyber Solutions is disrupting. I'm. No, they're not. Barricade Cyber Solutions does digital forensics and incident response like a bunch of bosses. But one of the other things that they do is they provide value to the cybersecurity community through educational webinars. Very practical webinars around managing and configuring your Microsoft 365 environment. And if you would like to go and follow the. Hey, Brandon Corbin. Proud to be a member of the Simply Cyber community. Thank you, Brandon Corbin. Happy to have you in here. Guys, if you're free on December 17th and you like GRC. Oh yeah, let it wash over you. I'm actually excited to watch Eric Taylor talk for an hour about GRC and compliance.
If you're working in an M365 environment and you haven't configured it properly, what are you doing? Come for an hour. It's absolutely free to register and get there. And you can learn how to configure retention policies for both Exchange, SharePoint, OneDrive. You can enable and customize DLP policies. You can discuss use cases, sensitivity labels, verifying compliance, related settings. All this and more in one nicely tightly packaged webinar. Come on down. December 17th, 1pm Eastern. Go to webinars.barricadecyber.com to sign up. And as I say, every day, guys cost nothing to sign up. Just get it on your calendar. I have a couple things on my calendar that I put there, and if I, you know, something happens and I have a free slot, I'm like, yes, I've got something to do. And if I have to.
Skip it, well, that's okay. I'm not out anything, right? All right. Every single day of the week has a special segment, and my man, my man James McQuiggin, who also just gifted 10 gifted subs. So if you're one of the members who picked up those gifted subs, you have James McQuiggin to thank. Not just for these jokes I'm about to riff on you, but also for the squad membership. Thank you very much, James.
Great to see you, James. And I hope to play Battlefield 6 with you at some point in the near future. All right, guys, here we go. Get ready to giddy up on this one.
Another crazy week. And here. And here are the dad jokes for today. We're dealing with gift giving, y'all. Guys, why is a coffin the worst gift to give someone? Now, listen, if you're trying to search for a gift for that hard to buy for person in your life, I'm telling you, do not get them a coffin. James is letting us know it's literally the last thing that they'll ever need. Okay?
Okay. Hey, why is the fridge the best gift to give someone for Christmas? So we know the coffin's the last thing that they need, so don't give them that. But do you want to know the best gift? Get them a fridge. Do you know why? Because you can watch their face light up when they open it. Oh.
Oh, my God. Zing. All right. And finally, James wants you to know, why is a broken drum the best gift to give someone? Listen, if a fridge is, like, slightly out of your price point, consider a drum. I mean, consider a broken drum. All right, Why a broken drum? Because they just can't beat it.
C
Oh.
A
Oh, my God. Okay, so just to run down this again, do not get them a coffin, because it's the last thing they'll need. Get them a fridge, because their face will light up when they open it. But if the fridge is too expensive, get them that broken drum, because honestly, even better than a fridge, you just can't beat it. Oh, my God. All right, let's continue to cook here. Thank you, James McQuiggin. Be sure to tip your waitress. He'll be here every Friday.
C
Arizona Attorney General Chris Mays announced the state filed a suit against the Chinese online retail giant, claiming it collects large amounts of sensitive consumer information without consent. This includes GPS location data and apps installed on mobile devices. The state also alleges that Temu's app code is deliberately designed to obfuscate security reviews. This isn't the first state to take such action. Kentucky, Nebraska, and Arkansas also filed similar suits in recent months. All of this data collection comes against the backdrop that Temu is required to hand over data requested by the Chinese government, sparking potential national security concerns.
A
All right, I mean.
I feel like we've all known for a while that Temu, like, which is, like, basic, like Temu, is so successful that it took me a while. I think Nadine had to explain it to me. Like, Amazon Haul. I think Amazon Haul is like, like, legit. Supposed to be, like, a competitor to Temu. Hold on, I'm on Amazon right now. Where's the Haul button? Here it is.
Right? Amazon Haul. This is all supposed to be, like, Temu competitor stuff. I don't know. Oh.
I don't know. Magic: The Gathering Commander deck box that.
I'll have to leave this. Leave this tab open. All right, so whatever the argument here is that tons of people are using Temu and that the company is harvesting all the data and doing things with it. Two things. One, they say that the source code of the app is deliberately obfuscated. Okay, I'll say the following. Number one, like every company, Amazon, Google, Meta, is harvesting the crap out of your data. Okay, So.
I. If they're saying that, like, they're harvesting it and giving it to the country of China, like, all right, I mean, sure, but I don't know if it's a national security concern. Maybe I'm not here to decide that one way or the other. Again, this is the Elliot Mati hour, apparently. But here's my thing. Every company is harvesting data. This is how you, like, make tons of money in 2025. Okay? So. And then secondly, the. The source code's obfuscated for analysis. Bro, if it's their source code, it's not malware. Okay? As far as I know it's not malware. Like, I'm not saying that they need to obfuscate it, but. But.
There's nothing illegal or wrong or concerning about obfuscating your code. Sure, it makes it more difficult to maintain the code and it's a silly idea for software engineers to obfuscate the code if there's nothing weird happening. But it, it's not by itself, it's not illegal or anything wrong with it.
So there's that. Let's see what they say in the story. It can detect everywhere you go, doctor's office, public library, political event, et cetera. So the scope of the invasion is enormous. All right, well, I will tell you, if my temu app is asking for my contact list and my geolocation and stuff like that.
That is problematic. Okay. And without the consent of the users, I didn't realize. Hold on. I was under the impression that at least on iPhones apps had to request access to that data. They can't circumvent this information. So maybe this is on Amazon device. Excuse me, Android devices. Only if I could get a fact check from anyone in the chat. To me, I'm under the concern, under the impression that this is not how it works with iOS.
Now I will tell you, like Predator. Going back to our first story, the Predator spyware knows where you are and it definitely doesn't follow Apple's guidelines. So if we're talking about that level of abuse, then that is malware. That, I mean, that's literally spyware. Right? It just happens to be able to sell you $4 yoga mats also. So that would be a problem and I would totally back.
Okay. And then also Temu is selling like basically knockoff copyrighted material, like, you know, Arizona Cardinals stuff or you know what I mean, like, like, hey, this is a Nike, you know, Nike shoes or whatever. Okay.
Similar lawsuits in recent years. Temu hasn't slowed down. So I don't think this is going to do anything other than a lot of like whatever. Honestly guys, it's the holiday season. Economy is, you know, if you look at the. If you look on paper, the economy is the best it's ever been. But that's like four.
C
All right. Reporters Without Borders targeted by Star Blizzard. Researchers at Sekoia report that the Russian-linked APT Star Blizzard carried out a phishing attack against a core member of Reporters Without Borders, or RSF, using a ProtonMail account that was posing as a trusted contact. This email mentioned an attached document for review, but it was intentionally left off. When the contact asked for it, they then sent a malicious PDF hosted on Proton Drive. The attack was only unsuccessful in this case because Proton blocked the user's account. Sekoia found this a familiar pattern for Star Blizzard, seeing the approach used against other nonprofits as well, ultimately trying to inject malicious JavaScript into a victim's ProtonMail sign-in page to steal credentials. All right, GhostFrame.
A
So this is very cool. All right, finally something I can do.
Finally something I can do to help you secure your business and your business stakeholders today. Jesus. All right, so Russian APT, Star Blizzard, which, by the way, love this, love this graphic right here.
Is there.
Yeah, I was hoping for like a process diagram and an infographic. Okay, so check it out. Threat actors are sending an email to nonprofit organizations. So I mean, there, there's an opportunity there to, to like, you know, help that particular user population. But this attack technique is going to work regardless of the industry, right? So what they do is they send an email saying that they've got something, right? Review the attached document, but then they don't attach the document, right? Hey, who hasn't sent an email at some point and forgot to attach the document? It's so common now that in Google, when you go to do it, it'll actually stop you. Google or Outlook, I can't remember, but it'll actually stop you and say, hey, dude, you said in your email that you're attaching a document but you haven't attached anything. Are you sure? You sure about that? You sure about that? Right? So that's another sound effect I'm going to add to the board, by the way, for 2026.
So they lure victims into replying to the email and saying, hey, you didn't. I didn't see the attachment. Can you resend it? And honestly, it's kind of a psychological trick where now they've got the end user expecting an attachment and kind of like bought in on wanting to see the attachment instead of just sending it where their, their alert goes out, right? It's almost like one of those ones where you psychologically, if I wanted to equate this, this is where someone tells you like, hey, tomorrow there I'm going to come by and give you a big deal, right? So if someone knocks on your door today and they're like, hey, I have a big deal for you, and you're like, nah, get out of here. But if they come by and they're like, hey, I don't have anything for you today, but tomorrow I'm gonna have a big deal for you. Like you're, you're almost primed to want to know what that big deal is, Right? So Russia's Star Blizzard definitely aware of this. The PDF file is basically linked to a Proton Drive. It could be Google Drive, OneDrive, you know, whatever. At some point they don't attach the document itself directly. It is linked to a shared drive. And then I'm assuming it doesn't say it here, but I'm assuming the PDF is actually not a PDF, it's malware. Yeah. Okay, so there's a zip archive that looks like a PDF and then I'm sure once they detonate the. Once they open the zip archive, it runs some type of malicious payload. Right?
I'm sure it does. It doesn't say it in here. TLDR, if you're an NGO and you support Ukrainian-based entities, you are in the, you're like in the, in the target here for Star Blizzard APT. But the bigger picture is that this approach to infecting an end user system will work regardless if it's politically motivated or it's financially motivated. So what I would say is just educate your end users. This is a great opportunity for a little nugget of knowledge. Hey, just be on the lookout. There's an activity where a threat actor will send you an email saying that they have an attachment, but they won't attach it and they'll wait for you to respond back saying, hey, send the attachment. Just be aware. Don't you know, like if you don't recognize who it is, you know, have your. Have your guard up. And by the way, like, PDFs are not zip archives.
C
TLDR: a novel phishing framework. Iframe abuse is nothing new, but a new report from Barracuda details this new phishing framework, GhostFrame, which uses an HTML file to spoof a landing page with malicious behavior hidden in an iframe. Using the iframe allows attackers to quickly swap out phishing content and evade scanning while keeping its outward facade intact. And the same. The landing page uses dynamic code to generate a new randomly generated subdomain every time a new visitor arrives. This then loads the iframe to harvest credentials. The lures to get users to the pages range from contract notices to HR updates research.
A
All right.
So here we go.
All right.
All right. So GhostFrame is this phishing as a service platform? Pretty mature here. Phishing as a service means that the threat actors are doing like B2B sales where they're selling Davy, crack it for my Barracuda Reference drink. Pretty, pretty advanced here, honestly. Every user gets their own domain name. So you can't block a domain, you know, in DNS or at the firewall because it's unique for every victim.
Let's see here.
So the outer page that you're actually looking at, it doesn't have anything that would be fishy on it, but there's an iframe that I'm assuming you can't see that contains the credential harvesting components.
All right, so the way it works, threat actor sends an email saying, hey, here's an HR update or here's a secure contract. Here's an annual review. Here's your password reset request, invoice attached. Here's your bonus structure. Happy holidays, enjoy your jelly of the month club, whatever it is. And it is a URL to something. Now this URL probably looks dodgy AF, right? So educate your end users on dodgy URLs. But it could be not obvious. Like it could just say annual review and then they've, they've mapped the link, you know, behind it, right? So you know, you don't have to show the whole URL. You can make text like invoice clickable, right? This is, you know, common. Everybody knows this, right?
So the best practices here, this is just basic. Educate your end users, right? Keep your browser updated. Obviously, as I'm looking at my browser right now where it says new Chrome available, update available, I should do that myself. Email gateways, web filters for sure. EDR solutions, guys. Because it's going to detonate on your box. If it just harvests credentials, which is what they said, multi-factor authentication would be a huge opportunity for you, right? And then of course.
Conditional access to environments. That way if the threat actor gets it and then they try to log in from Belarus, it, it will flag it as not okay. Of course, reusing passwords is not good. There's a lot of opportunity to educate your end users here. I feel like you should almost do like the 12 days of Christmas, except the 12 days of like crap use. You wouldn't name it this, right? But like the 12 days of crappy end user password stuff.
All right, interesting. This platform is mature enough to have every victim have their own domain name that gets domain generated. But also anti-analysis techniques where you can't analyze the code itself. Like it prevents you from doing that. Which is kind of, kind of a nice feature if you're a threat actor.
Ah, you got flushes.
C
Kohler's end-to-end encryption claims. Earlier this year, Kohler launched a smart camera for toilets called Dekoda, designed to analyze contents for gut health in all of its.
A
Mark, Stop. Stop it right now. Stop it. Did. Who asked for this? Who. What, what think tank was like, you know what, you know what?
C
People needing it. Kohler claims that images sent for analysis were end-to-end encrypted. Security researcher Simon Fondrie-Teitler recently pointed out that based on Kohler's privacy policy, these were actually transmitted with TLS encryption. So they're encrypted in transit, but Kohler can access the camera images. The researcher also pointed out that this opens the door for Kohler to use the images to train AI models. However, Kohler responded that its algorithms are trained on de-identified data only.
A
What, bro?
Okay, so. This is. I mean this, this story stinks. Am I right, Technic? This story just really going down the drain, if you know what I mean, right? This is, this is really. Really interesting. So just, let's.
Let's just remove the fact, let's just remove the fact that it's a camera that looks at your organic waste that you produce from your body. Okay? Let's just remove the fact that it, that's the function of it in order to help you assess health. Okay.
That the product manufacturer claims that they do end-to-end encryption, which they slapped on the side of the box, right? Well, someone tested it and it does TLS encryption in transit, right? So it's, it's not encrypted technically on the endpoint or when it gets to where it's going.
Now. I, I don't know, man. When I think end-to-end encryption, obviously, obviously at some point it has to be decrypted, right? So, you know, I don't know. I think we're, we're mincing words here.
I don't know, man. In the world of cybersecurity and, you know, where we are with privacy and civil rights and erosion of privacy and stuff like that, I don't know. I don't know if an IoT device that takes a picture of, of, you know, last night's Taco Bell is really like where I'm putting my, my, my resources. Okay, now I will say shout out to Simon Fondrie-Teitler, the researcher who discovered this, because there's a great opportunity for all of you in here. This was like super the rage in 2015 when IoTs were exploding. But guys.
Oh my God. Daniel Lowry, AKA Technic, right? AKA the, the author of the PenTest+ Complete Course at Simply Cyber Academy, instructor. He has ripped apart IoT devices. He has whole curriculums on this. I've taken it. Right. You could rip a firmware apart. You don't even need to buy this toilet camera. Right. And find some vulnerabilities. This is a great opportunity for kind of like getting your name out there and personal branding and stuff like that.
Again, I will say as a developer, as a cyber practitioner, whatever, you should be using the right terms. If you say that it's end-to-end encryption, that means a thing. If you say the backups are encrypted, that means a thing. If you say real-time operating system, that means a thing. Okay, so words do matter because if they're being used and you're using them incorrectly, you do open yourself up to liability. Unfortunately, salespeople and marketing people, not to dog on them, salespeople especially will use terms that they do not understand to describe their product and their service. And sometimes the people on the other end of the table do understand the words and are making decisions based on those words.
You know, like complete visibility. All right, well, that would mean something. All right, so anyways, if you're looking for that hard to get, you know, person who's got, who's very difficult to shop for this holiday season, may I, may I suggest a toilet camera? You know, I guarantee you no one else is going to get it for him.
Jesus. All right, have you put in a.
C
Calendar reminder to join us for the department of note on Monday?
A
No. All right, all right, guys, we really ended on a. We really ended on a low note there.
We're really, we're really scraping the bowl down here. The bottom of the bowl, the bottom of the barrel. Nasty. All right, all right, hold on. I gotta, I'm. This, the whole thing derailed me.
All right, guys, we, we pulled up from the, we pulled up from the nosedive there, but don't go anywhere because we got a great show lined up for you coming up immediately. Guys, this has been episode 1018 of Simply Cyber's daily cyber threat brief podcast. I was your host, Dr. Gerald Auger. I hope you got value from the stream. I want to shout out to all of you who showed up today. I know it's the holidays. I know it's hard to get up on a Friday morning, but I do appreciate it. And more importantly, I hope you got value. My 13 year old told me I should start saying this. If you are not subscribed to the Simply Cyber channel, consider subscribing. It helps people discover the channel. It tells YouTube that people like the channel, and it'll help reach more people. And we can help more people. Don't go anywhere because we've got Jawjacking coming up in a hot minute, which is going to help you get to the next level. I'm Gerry from Simply Cyber. Until next time, stay secure. Let's go, Jawjack. Ever wonder what it takes to break into cyber security? Join us every weekday for Jawjacking, where industry experts answer your burning questions about the cyber security field live, unfiltered, and totally free. Let's level up together. It's now time for some Jawjacking.
All right, what's up, everybody? Welcome to the party. I am Gerry Auger, your host for Jawjacking, the AMA show in cyber security where you ask questions, we give answers, and we do the best we can to hook you up. We mentor at scale. Joining me on the panel today, because it's Friday and we do panels on Friday, is none other than Daniel Lowry himself, the man who's helping others with his Cybercast, IRL and Cybercast After Dark. Let's go. Daniel Lowry, how are you?
D
I'm good. Gerry, how's it going today?
A
I love it. Dude. Talk about that last story, huh? Jesus.
D
Dude, dude. I didn't know there was a market for, like, cameras to watch you stock the lake with brown trout. You know, it's like, yeah, exactly.
A
I mean. Yeah, like, again, who was like, who? You know, like, who was like, you know what? Like, like, yeah, what's the pitch meeting for that?
D
Listen, here's. Here's what's happening. It was in the back of the. There's the back of the shop and said, billy, I got an idea. Listen, listen, you're gonna love it. A turlet cam. It's gonna be awesome, right? We're gonna take pictures, we're gonna post them on Internet. It's going to be called Only Turds.
A
It's just.
D
That's it. That's how I go, right? And Billy was like, hell, yes.
A
Only the world needs only turds. That's so funny. All right. Hey, we're doing Jawjacking, so just put a question in chat with the queue. We'll get the answers. James Blender wants to know what's the best encryption for a toilet camera. I gotta go. AES-256.
D
It's still good. It's still the best on the market right now. You can't mess with it, man. AES on things. And don't forget, you got to have that encryption on them pictures while they're sitting there on the disk, or the drive, wherever they're held, as well as, as they cross the wire. Right, at rest and in motion. It was in motion for a second, but then it hit.
A
Yeah, I mean a question, Daniel. Like when you hear end to end encryption, like what, what, what do you, like, what does that mean to you?
D
Like it means that from the time that the data is created, it is encrypted and then through transit it is encrypted and then it is encrypted when it hits to wherever it's going to land. And it's not decrypted until the time for data in use.
A
There you go. So when the app opens it and you do things. So there you go. That is the problem with the toilet camera. Roswell UK. So many of us know the IoT acronym, but now we are iOS. Thank you Roswell UK. Lot of.
A lot of. A lot of people dunking on the story. I'll have to send Rich Stroffolino a note that was like a very highly politicized group of stories but then ending with quite the. The ringer.
D
Yeah, good one there, Gerry.
C
That was a good one.
A
Yeah. So Jenny Housley does bring up a good point. I, I will say that I have seen basically there's a product called Cologuard or whatever where.
D
What can Brown do for you? Oh, that's not the right one.
A
Right, where I think you have a bowel movement in a box and then you mail it to them, which I don't. Again, I don't know what we're doing here, but I do need to get my first colonoscopy, just to give everybody a little Tidbits Tuesday on Friday.
D
Cologuard's thing is that they say that unless you have pre existing genetic conditions, like your family has had colon cancer, so you're more predisposed genetically to having colon cancer. Then a simple check of your stool can put off the colonoscopy for some time. So you can just take a duke in a box.
Funny story, man. I used to. This guy was a, was a registered nurse and he, he said, I gave a guy a cup of a school a stool stand, but you know how to Q-tip and everything. I said, yeah, we need a stool sample on that. He said, yeah, no problem. He comes out, he goes, you could see that he had shoved the top on it kind of like mushroom down the sides because it weighed 10 pounds.
C
I go, where's the Q-tip? He goes, it's in there.
A
Oh my God. Like you can't make that up. You can't make. I will tell you all just. And then we have some questions, like legit questions coming in. But this is such a funny thing. My Uncle Gregory, who is a nurse and worked in healthcare his whole life, had a dart team up in Campello, if you're familiar with the Brockton, Mass. Area, and that all the, all the members on the dart team were nurses. Right. And the name of their dart team was the Loose Stools. And the idea is that it looked like a penguin on a bar stool that was like, you know, like a bar stool, loose stool, but like obviously loose still. There we go. Yeah.
Shout out to Uncle Gregory. Never knew that story would come up in Simply Cyber. So Nick DNA says what would your top five certs and skills be to break into a blue team or cloud, and how is the entry level job market? Like, all right, let's take a couple runs at this one.
So I think certs and skills to break into blue or cloud, and those are both different things. Although you can, you can be a SOC analyst for a cloud environment. But I would say Security+ for sure. Not that that's necessarily going to make you great at blue or cloud, but you said to break in. Security+ is still considered like an HR, you know, thing.
Skills for sure. Understanding how to use a SIEM, understanding what logs are. For cloud, it depends on the cloud platform frankly. So like AWS is going to be much different than M365. If it was my kid I would tell them to focus on M365, since a lot of corporate entities use that for their back end infrastructure. Whereas AWS to me is much more around like delivering tech product to businesses, less about managing their business. And then entry level job market. To me it is a mixed bag right now. It's certainly tough. For sure it is tough right now. There's a lot of factors playing in on why it's tough, but it's not impossible. I would say you need to network and develop a personal brand. Even though I know that might make some people cringe, it's the right answer. Now Daniel, reset the question and give us your thoughts.
D
Yeah.
I mean I, I think you hit the nail on the head when you started talking about Microsoft 365. I mean it's just being, being handy with administration of O365 or M365 at this point is kind of like, you want to go cloud? That's what's up. I would start also messing around a little bit with Kubernetes, like, and you can kind of get into any of your cloud platforms to kind of start getting your hands dirty with that. Just having some familiarity with how to work with pods and things of that nature and spin that kind of thing up is going to go a long way. Then when you start talking about certifications. Security+ is always a really good cert because 8140/8570 compliance spans across the government.
I would, if it were me, if Daniel's looking at like, hey man, I want to do like blue team defensive stuff and cloud, I'm probably going to look pretty heavily at the Microsoft, like Azure Sentinel, AZ, was it 900 series or whatever it is, type of certs. They have some cloud security certs with Microsoft because that is the soup du jour. Right. Anything associated with Active Directory or Entra ID, getting into that, understanding the security that, that is a part of making that type of environment secure. That's gonna. That's gonna really be a good way to go. At least that's what I think.
A
All right. Excellent analysis and question. Thank you. What's the weather like in Denver during Wild West Hackin' Fest? I did not go last year because it was my wife's. It was around the time of my wife's birthday and I prioritized family. Daniel, did you go to Denver last year?
D
I did. It's colder than a well digger's ass in January.
A
There you go. There you go. It is cold. There you go. Also Denver's beautiful. I used to have to go to Denver for work and the Rocky Mountains are just overwhelming. How, how what they look like. E Lucky says I attended Gartner Security and Risk Summit last year and was thinking of attending again. Is there another security conference you would recommend instead in the Northeast D.C. area? Well, let's see. It depends what you're going for. I mean if you got value from Gartner Security and Risk Summit then it seems like you're more interested in kind of that executive level, you know, like less community, more like vendor products and stuff like that. Yeah. Business related.
I'm trying to think off the top of my head. I know there's one in Boston that Becky Gaylord spoke at recently. Yeah, I'm not sure when it is or what it is, unfortunately. Like ShmooCon was a good one. I. I typically try not to go to the like Gartner Security and Risk Summit. Personally I'm more about community. Like the things that I would get at Gartner, I. I can just get asynchronously from like, YouTube replays or. I like, virtually attending. Honestly, I like the Aspen Security Summit, which just happened, actually. But I've always enjoyed the conversations that have been presented there. They're much more macro level and stuff like that.
Daniel, any thoughts?
D
Yeah, man, you got the wrong guy on that one.
A
No problem. All right. Hey, we got another panel member coming in. He might have an idea here on a conference like this. Ladies and gentlemen, it's been a minute. Welcome FedEx to the channel. Hey, FedEx.
B
Hello, everyone. How you doing today?
A
Excellent, man. Good. Any thoughts on Elucky's question here about a conference that might be an alternative for something like Gartner's. Gartner Security and Risk Summit. That would be in the Northeast or D.C. area.
B
To be honest with you. Not really. I. I'm always the same thing. Community driven type of. I. I get more value. I. I'm just gonna point it out this way. I love going to a vendor conference when the. It's paid by the company, and I know I'm gonna get some swag, but there's less value on those than the actual ones that are community driven. When I'm gonna actually interact with people, when I'm actually gonna make meaningful connections. I mentioned recently that even the job that I currently am at, I met the guy a year ago at a conference, at a local conference. And so it was just, you know, I struck up a conversation with somebody, and then all of a sudden he became my boss. And that's what I found the most valuable.
A
Yeah, 100. I'm right there with you. I just feel like, personally, like, I've been doing this for 22 years now. Like, it used to be like, there weren't all these YouTubes. There weren't all these, like, replays. There wasn't all this virtual stuff. Like Covid, really, if you want to say there was something positive that came out of COVID, like, this is the new norm, right? So you don't have to go to those events in order to get access to that type of information anymore. It's just out there. So for me, it, like, time is my most valuable asset. And to allocate it to go to one of those events when I can get it asynchronously a different way. And personally, like, sometimes you go into a talk or something and it sucks, and you're like, oh, my God, like, I can't now. I've got to waste an hour here. So to FedEx's point, making relationships which will have longer tails on the value is much more important to me. Question from Crystal, technical question: Is split tunnel VPN still a recommended strategy with Microsoft 365? Let me just define this for everybody. So when you do a traditional VPN, all your network traffic is going directly into the VPN, and then if you want to go out on the Internet you go through your company front door essentially, or the VPN's front door. A split tunnel means you have access to company resources but also you're going out your own front door for the Internet. I did not know that the recommended strategy was to go split tunnel for Microsoft 365. I've never been a fan of split tunnel personally. If you need to do it because you have bandwidth constraints and you don't have enough hardware and you're getting overwhelmed at your Internet facing firewall because there's so much traffic jammed in there, then do it. But other than that, personally I wouldn't. Any thoughts, FedEx, on architectural approach on split tunnel VPN versus dedicated systems?
B
Changed a lot in the past. I mean we had new firewall nest gen firewall systems that are capable of actually decrypt and encrypt all that traffic faster. But prices and bandwidth has changed. Yes. In the past you do paid a lot of money. I mean and I'm talking like you pay upwards of the 10x just for 100 megs connection because you're a business rather than a house. Like if you get in in a house. And so that was the reason why we do split tunneling now with Zero Trust Architect we actually do encrypt everything now. Go through the proxy and do full encryption. No split tunneling. So it architecture has changed a lot in the.
A
There you go. All right. I. I like it.
All right. Uni395 says, what are your thoughts about Papa, the Practical AI Pen Test Associate by TCM Security? I haven't, I don't know anything about it. Haven't heard about it.
D
You know I literally just saw this last night.
A
Yeah, I mean seeing this. I mean whatever. To me this is like a first to market like revenue generator because AI is so hot and no one's really doing pen testing. There is the OWASP top 10 AI things personally, whatever. If I can get my employer to pay for it, sure. I, I probably wouldn't go after it on my own though because I'm not quite sure that there would be a return on investment.
D
Yeah, I think that probably CompTIA's SEC AI is going to be more popular than this out of the gate. But, you know, knowing TCM, it's going to be fire. Right? They've always put out great certifications. They've never put out something that people were like, well, I don't know.
A
It's kind of.
Right.
D
So it's going to be pretty good, most likely. But it's going to be for those people that already have some kind of understanding. I would guess it already assumes an understanding of AI at that point. So I can see people going the SEC AI route and then going for the Practical AI Pen Test Associate.
B
I mean, and they say associates. It does say associate. It could be just an entry level.
D
Could be.
B
But if you notice, I mean, and this is just probably the only way I found out, it was because Chris Young, our, you know, DNFC member, he actually posted it out. And the actual way that they put it is like, oh, you know, you want to be called Papa. You want to be a certified Papa?
D
No.
A
Marketing it.
B
That was part of the marketing instruction. Like, hey, we got this thing. And, you know, you want to be a certified Papa.
A
Oh, my God. Like, I almost hope that they didn't, like, in the military or whatever they call them, backronyms, where they come up with the acronym first and then they make it work. That way you can have a cool thing like lightsaber or vector, and then you back into what the acronym stands for. So I hope they didn't do that there. Just for full disclosure, I'm not gonna, I don't want to comment on this personally, but in full disclosure, Heath Adams is leaving TCM. He published this publicly. I think December 31st is his official last day at TCM. It is called TCM because that is his name, The Cyber Mentor. But he is leaving TCM Security, or TCM Academy, TCM Security, effective.
D
I wonder if they're going to keep the TCM moniker for.
C
They.
D
They probably will for a while, but it is now educate360, if I'm not mistaken. Like, that is the company.
A
Yeah, I. I would think. I mean, there's so much brand value in that.
D
Well, listen, I've been through that. Right. We were ITProTV, then it was ITPro. They dropped the TV because they didn't like, they said, oh, the TV's a dated thing. That was marketing got involved, and then now it's just ACI Learning.
C
Yep.
B
Companies change names all the time. I mean, acquisitions happen, mergers happen, change happens. It's just keeping the value. To be honest with you, if the value is still there, then it will still hold value and it will still hold the weight that they currently have. If the value starts, if the water, you know, if it starts getting murky and, you know, if you put too much water in your chocolate, is it really chocolate? And so at that point we just gotta wait and see.
A
Yeah, 100%. And.
Yeah, I mean, just as another example, I'm. I'm flirting with changing the name of Simply CyberCon to SCCON. Just, you know, I know that's not like a bridge too far, right? Like, I'm not.
D
Yeah.
A
But if you know me for a minute, I'm very deliberate and very slow and very conformist. So, like, SCCON is like a wild revolutionary idea to rename it. All right, Robert Hendrickson says there is a page called Infosec Conferences that has a list of different conferences. All right, so he's just sharing that. He put the cue there to socially engineer me to pull that right up. But hey, thank you, Robert. Go check that out.
Have there been any reports of React Next.js exploited in the wild? This is a story we covered yesterday. I believe this is a story that I said, this is a, you know, stop what you're doing and go find out if this is in your environment. I have not heard of any exploitation in the wild. Gentlemen, have either of you heard of any exploitation? In chat, comment on this one, chat, if you have seen it at your work.
D
I know there's USD available, but I don't know about exploitation yet. Okay.
B
Yeah, and I can tell you that we stopped what we were doing and started scanning for it as well. So there's already an actual advisory that went out to the company, to the devs and everything.
Yeah, it's there, but it's not publicly facing.
A
There it is. I like it.
Justin says, I started learning cloud as a way to get into cyber, but then I was told I need sysadmin experience. Then the sysadmin says I need networking experience. So how do I get into cyber before I have to retire? Good point. You know, it is what it is. I mean, I want everybody to work in cyber. I love cyber security. Like, it has provided for me on multiple levels. But it's not easy, right? If you've ever seen that meme of the kid taking a step and it's like nine steps and he's, like, walking up. It really is fundamentals, right? Like operating systems and networking are kind of like how you would break it down at its absolute base. And I actually have a course at Simply Cyber Academy that's free for everyone that goes through all these fundamentals because I know that this is a recurring thing. All I could say, Justin, is it's a big commitment. It's a big commitment. And it's another reason why I say that cybersecurity is a lifestyle. Because even after you do all this right, and you get the job, you still have to keep learning and leveling up. Like, this is just preparing you for, like, what the actual career path's going to be anyways.
It's hard. It's a lot of work.
D
The burnout is real.
A
Yeah, yeah. So I will tell you, like, don't get wrapped around the axle too much. Like, you should know what subnetting is, but you don't have to be able to do it in your head. Okay. Like, things like that.
D
You don't have to be like a Cisco network jockey necessarily. You just need to understand the fundamentals of networking and that should just take you a few.
B
And know how to Google. Know how to Google use the resource and tools that you have at your disposal. I mean, let's be honest, fundamentals are important, but you're not going to remember everything in life. So you just got to know how to get to the research and get to the answer.
A
So. Right.
D
We just can't have you. Like, it would be really difficult for you to become a cloud admin and then start talking about split tunneling and you go, what's that? Yeah, what's the networking thing? Really? I didn't know anything about networking things. What's the IP on that? I don't know what that is. Okay, see, that's cart and horse in the wrong spot. So someone was just trying to, like, let you know that this is the beaten path we typically take because it's assumed knowledge at that point.
B
Now, we did talk about this recently on After Dark. The best way to start a job is you got to start somewhere. You know, get the job. If you're already in IT, you already have half of the battle. If you're not in it, then, you know, MSSPs are always hiring juniors and, you know, that kind of stuff. Get that job, get that service desk job and then try to pivot from there. But you got to get somewhere. You gotta start with the first step.
A
There you go. I'm gonna share this with everybody and then we're just gonna move on. Classic Roswell UK, talking about that last story about the toilet cam: packet sniffing is a thing. So he wants, if anyone wants to get in on that. Okay. All right. And then I'm just gonna skip every Roswell UK going forward.
Okay. Oh my God. All of his comments are toilet related. Gabriel says, can you please tell me where I can get a comprehensive ISO 27001 risk register that allows me to combine both asset and scenario based assessments in one Excel document. So I have never, this GRC question, I've never really worked with ISO 27001. I know about it, you know, and that's about it. I do know that ISO is paid, right? You have to pay to get access to the resources. So as far as a tool that has all these things, I don't know if we're wandering into, like, licensing issues or copyright issues or, you know, just things that we don't want to opt into. If anyone has worked in ISO, which I know several of us have, can you please let Gabriel know? But personally I can't comment on this one. Short of creating your own tool, I mean, it sounds like a pretty straightforward Excel spreadsheet you can put together.
FedEx, you got anything on this?
B
Yes, I actually did. There's an Open project on GitHub.
Open GRC. I had to find the whole link. But it's a good project that you can actually spawn yourself locally or in the cloud, and then you can actually pull the ISO 27001 requirements and just start going from that, and it will pull the reports and everything. It's actually a pretty neat format. I mean, to be honest with you, I know the guy who built the project and I still don't know why he hasn't even marketed it or put it up for a price. Because it beats the big competitors like Vanta and all those, I mean, the $50,000, $70,000 programs.
A
Wow. All right. Yeah. If you could dig up that link, that sounds like a really big value for the community. So please. All right, we're going to continue here.
All right, let's see. Rich464 says he's transitioning from an appointment setter into an internal sales, on-site audit person for the MSP. Any recommendations for inside sales books in IT?
I don't know of any off the top of my head. I haven't read The Phoenix Project, but I've heard multiple people tell me that it's a really great way to understand IT and IT operations out of business. So not necessarily sales per se, but it does give you that awareness and visibility into IT operations. So perhaps The Phoenix Project could be good. Lowry, any thoughts on this one?
D
Man, what's a book? I've never heard of that.
A
Okay, there you go.
D
Reading's dumb. Reading stuff.
A
Hey, if anyone in chat has thoughts on answering Rich464, go ahead and tag him at @Rich464 and that'll be good. So it looks like FedEx has got this.
B
Yeah, I just dropped you the link right there. I can tell you I know Dr. Lee Manglo personally. James actually knows him too. He's here local from central Florida, the guy who actually put out this resource.
And I implemented this in my previous company.
Did it locally because we didn't want to put it in the cloud and then we, you know. Yeah, it was just, I mean, I brought the company to a framework. Super simple, super easy.
Yeah, I can tell you that the tool is there and you can follow the steps and it's simple. And again, the guy is local, so any questions, he'll work it out for you.
A
That's cool. Crystal applied to WGU and got approved. Congratulations, Crystal, in their cyber program. Any opinions about the school and programs there? Well, I will tell you several Simply Cyber community members are actively enrolled or have completed WGU, and I haven't heard any of them complain.
I know that many of them have jobs in industry with very good companies. So it certainly isn't seen as a bad move. I know you can speed run it as well, which is something that a lot of people like.
So my, I guess my opinion is I've heard other people say good things about it. I, you know, I've gone the more traditional, like, you know, hard route as far as getting degrees go. So probably not a great person to comment on this.
Gentlemen. FedEx, did you go to WGU or no?
B
I had not, but I know a couple of people that had gone, and people here on the community, I mean, we know our own casually. Joseph just got his message from WGU. So yeah, yep, it is legit. A lot of people have gone there. I personally, the fact that they make you take all the certifications and everything is nice, but at the same time I would say the same thing. Passing a certification only proves that you can pass a test, not that you can do the job. So you gotta put your work on it. You have to do the work on it. Not a question.
A
But what I feel like has been working for a lot of people is doing home labs, making your own NAS, setting up security on it. That will speak volumes. So, Daniel, talk about, I mean, this is kind of a jumping off point for a conversation here. Home labs and how to utilize a home lab to make yourself marketable.
D
Right, that. I love that you put the two little things together because that's exactly it. Making the home lab is just like one side of the equation. Where you have home lab, it's like an algebra, right? It's home lab times N equals possible job or interview. Right. And the N part is you actually showing that you've done it, not just putting it on your resume that I built the lab. Not that you don't do that, you absolutely do. But now you're basically going to market what you've done. You're going to put it out there into the community. It's going to become a resource for people. And you never know what's going to catch fire in the community. Kind of like what FedEx just showed us. He got this Open GRC project and now he passed it along to other people. You're going to pass along to other people. That was a project that people were like, you know what? This could be really useful. Even though this information is freely available, you can go, but I'm just going to kind of put it all together in one nice package, bow it up, make it look pretty and put it out there. You do the same thing with whatever you're labbing with, right? You make a Medium article. You put stuff on LinkedIn. You're constantly kind of like feeding it out there. That, here's what I'm working on. Here's where it's going. And then you send people to go check it out. And then people check it out and you have something tangible that you can point to. And this is what makes you marketable. This is what sets you apart from someone who says they've got a home lab and you going, oh yeah, I absolutely have a home lab here. Here you go. Here it is right here. Check it out. I did this whole write up. It's got step by step instructions. We got this, that and the other. I ran into some real issues with that, which was actually my favorite part of going through that lab.
Now you've got stories and experiences to start having conversations with whomever you're talking with to build rapport and let them know I didn't just kind of follow somebody else's lab and do it. I actually worked my way through issues and problems and I learned from it. And that's what they really want to see, is that you're passionate, so you are doing stuff, and what you learned from it, and can you apply that to what we're trying to get you to do here?
A
All right, thank you, Daniel, and I love it. So we are at 9:28. We got just a couple minutes left. Let's take one more question and then we're gonna do the around the horn send off here really quickly. A lot of people commenting in here about WGU, and good things. All right, final question here. Joe Schmo, pivoting Java software engineer, focus on AppSec. Is this mixed strategy a viable path for your first AppSec offensive role in the market?
Well, I'll quickly say I think it's a good approach, since, like, a lot of offensive security is attacking web apps. You can do bug bounty and stuff like that. But I'll turn it to Daniel Lowry, who's much more offensive.
And I do need that in a, in a place, offensive.
D
I've got, I've got the whole red seed shirt that says it. I am offensive. Yeah, I wear it all the time.
A
Daniel, what do we got for Joe here?
D
Yeah, I think it's a great strategy. I've told many people, we've had this conversation, Jerry, I'm sure I've talked with FedEx about this. I'm a big proponent of people learning software if you're going to get into security at all anyway, so the fact that you're already a software engineer, I think that that is going to really help you, because it's going to give you an insight into the applications that you're going to be hacking on. That's, I mean, how many times have you heard it, right, that the best red teamers came from blue team? Right? The best, the real red. Like, if you're actually going into app security, well, you've built the stinking things. You know exactly why X, Y and Z is going to be made and built that certain way. And what happens, like, oh yeah, I've seen this before. That experience is going to set you apart and give you some of those insights that people that just came strictly in through, even with the same certifications as you, that came strictly into that, they're not going to have some of those experiences that you have because of that job that you've done. It's going to make you more valuable, in my opinion.
A
Perfect. Daniel, we are going to be going around the horn. Where can people get more Daniel in their life?
D
Well, you want to talk to the old head tech neck man, there's plenty of places. You can run down to Earl's Tire Shop. I'll be hanging out there most days. But we got this Cybercast IRL thing we do on Fridays, and in the last 10, 15 minutes I turn into this redneck from central Florida and we do a cyber article and it kind of gets fun and I get silly and we have a good time. We also have Cybercast After Dark on Wednesday nights at 9. I'm flirting with the idea of reducing it because once a week is getting a bit much for me on that. So I might do once or twice a month, but we still have that going on. Plus we have the Discord. The Discord link should be, I think I have to update that for today, but that'll be in the description of today's episode. So if you want to join us on Discord, we'll be hanging out.
A
Perfect. And I just dropped a link for everybody to this live stream AMA that's happening at 10am today. So just 28 minutes from now. FedEx, what would you like to share with the community?
B
Just keep learning. I mean, there's a lot of opportunity for you to learn. There's still a lot of opportunity right now with deals to get really good training for cheap. I mean, we do have two people right here that actually have academies, and they have programs that are, I mean, excellent for you to learn and to get basics on and then move on to more specialized as well. So I mean, just keep at it. Cybersecurity and IT, and what we do, is a life learning thing.
A
I love it.
B
You gotta have passion.
A
Yeah, absolutely. And don't forget today at noon Eastern time, so just two and a half hours from now, we're doing another AMA live on Discord. It won't be streamed, it won't be public, a little bit more intimate. So if you're kind of nervous about asking things in more of the public zeitgeist, that's why we do this. And it'll be on the Simply Cyber Discord server at noon Eastern time today for an hour. Come hang out, help others or get your own questions answered. Either way, it's a community event and we welcome you. I'd like to say thank you to FedEx for hopping on. It's great to see ya, FedEx. Daniel Lowry, thanks for being here as always, and we'll see you at 10am over on Cybercast IRL. To everybody in chat, thanks for coming out today. It was great to see you guys, as always. Have a great weekend and I hope to see you at noon in the Discord server. Until next time, stay secure.
Podcast: Daily Cyber Threat Brief
Host: Dr. Gerald Auger (Simply Cyber Media Group)
Date: December 5, 2025
This episode dives into the top cyber news stories of the day, delivering actionable insights and practical advice for cybersecurity professionals, from practitioners to executives. Dr. Gerald Auger, with over 20 years of GRC expertise, offers his trademark “beyond the headlines” takes, empowering listeners to make informed career and operational decisions.
Eight news stories were covered, plus listener Q&A and professional development discussion. The tone is practical, witty, and community-focused, blending technical insight with mentorship.
Chapter timestamps: [11:09 - 17:30], [17:30 - 20:51], [21:07 - 26:26], [27:55 - 32:28], [36:48 - 38:08], [38:36 - 43:05], [43:36 - 48:23], [48:23 - 51:49], [52:11 - 56:46], [59:11 - End]
Discussion topics: The Power of Home Labs; Certifications & Career Entry; Burnout & Career Pathing; Insider Threat Lesson; On Vendor Conferences vs. Community Cons
For full show details, resources, and to engage with the Simply Cyber community, visit simplycyber.io. Up next: Friday Jawjacking AMA and more lively cyber career discussion!