B (10:52)

The CISO series, it's cyber security headlines. These are the cyber security headlines for Tuesday, February 17, 2026. I'm Sarah Lane. Eurail stolen traveler data now up for sale. Eurail says data stolen in a recent breach is now being offered for sale on the dark web with a sample also posted to Telegram. The Netherlands based rail pass operator previously confirmed attackers accessed its customer database, exposing information including names, passport and ID numbers, ibans health data and contact details. The company is still determining how many customers were affected and says it will notify individuals with once the investigation is complete, while urging users to reset passwords and monitor bank activity.

A (11:50)

EU okay, so this is kind of interesting. Like I said yesterday, you know, it's just I, I literally said this yesterday and I stand by it like every single day there's a news story just like this and it's basically like insert like variable name, company variable name. Like the only thing missing from this title is the amount of records compromised. You know what I mean? Like insert variable name says, you know, insert data, variable type. The only thing you're missing here is threat actor name and amount. That's it. But your rail gets hit, everybody. I don't know about you guys, but like growing up in the United States, like if you had, if you had means, which I didn't. Which I didn't. But people with means you would like graduate high school or you'd graduate college and then you'd backpack across Europe and you get yourself a Eurorail pass and go do whatever, you know, people do over there. That's the only time I've ever heard of this. I'm sure it's much more popular as far as like, you know, you know, having a normal, a pass to get around. Like it's like a three mountain ski pass or something. They got hit. Threat actors leaked some information. A couple things that jump out of this. Number one, eurorail said it's going to contact each individual who is involved. That's going to be quite a bit based on how many people I'm understanding use it. What data was actually compromised. So how does this impact us? Full name, passport details, ID numbers, bank account ibins, health information, contact details. All right, so this is not good, right? I mean passport details and the bank account Ibins, that's, that's not like they can't necessarily rob you. The IBAN isn't like a Secret back door to your bank account. But full name and passport and contact information. Of course this is all of the ingredients in the identity theft F like social engineering cupcakes that you can bake. So of course end user, not end users, but basically anyone that you know used your rail could be a target and the threat actors would have some information to seem plausible or to seem like they are in fact the authority that they are pretexting that they are. Honestly, yesterday you should have been doing this anyways. Like today, this story, it doesn't make a difference. And I know that sounds cynical and cold, but like at this point everyone's data is out there. Like this is just another iteration of your data. So you know, best practices. Someone contacts you, follow up with them in a different out of band communication vehicle. Right? Like your bank account texts you and says there's a fraudulent activity on your account. Look up the phone number to your bank and then call them back. Don't call the number in the text message, right. Or don't reply to the text message. It could be legit. It also could be social engineering, right? It they said change your passwords. I don't that seems like a bit of a, you know, square box, circle peg here. Because passwords were not compromised in any capacity. Clear text hash encrypted, none of that was impacted. So like telling me to go change my password. Seems like if I had to guess y', all, if I had to guess, whoever released the PR statement didn't work in cyber or in it and just said like oh change, change your password. Like without any clue that passwords were not involved in this. Now if your password, your email address, I mean you got bigger issues, my friend. Another thing that jumps out to me or immediately I question here is what is the threat actors goal? Was it to sell this data as like a B2B like crime to crime, threat actor sale or they trying to extort your rail? That part wasn't made clear to me. Of course GDPR is going to play quite a, quite a role in this particular issue for Urail. Yeah, Urail suggests customers update their Rail Planer app account passwords and reset them on any platform where they use the same creds. So final thing I'll say on this one, either A your passwords were involved in the compromise and they're not telling you or B whoever's telling you this doesn't understand how like passwords work. One of one of the two. Right. They also did not point out how this compromise occurred. Like how did your rail get compromised in the very first place. So, not that it matters fully to us as the victims, right? But as cyber security practitioners, it would be nice to know if there's an uptick in like a, you know, phishing campaign or if there's like a technical exploit going on. But it doesn't say, hey, bulb akata bulbacata. Welcome to the party, pal. Welcome to the party, pal. Oh, and Daniel Lowry's in here. Holy crap. Welcome to the party. Daniel Lowry. Welcome to the. Guys, I don't know what happened. I feel like. Hold on. I feel like, Like, I feel like this is what happened. Hold on one second. Like this right here. I. This is a scene from Anchorman I'm showing. It's where he's blowing the concord. Like, Daniel Lowry's in the chat. Kathy Chambers is in the chat. Jessica Hyde's in the chat. Like, a lot of, a lot of good friends are in the chat. Sierra Montgomery's up in this piece. Guys, this is cool. All right, let's go.

B (17:52)

Parliament blocks AI features. The European Parliament has disabled built in AI features on work tablets and phones used by lawmakers and staff after its IT department said it could not guarantee the tool's data security. An internal email said some features send data to cloud services, even for tasks that could run locally. And the extent of shared data is still being assessed. Core apps like email and documents are unaffected, but officials were advised to avoid exposing work information to AI tools and to be cautious with third party AI apps on personal devices.

A (18:33)

All right, well, hey, I, for one, like, I'm, I'm, I'm happy that somebody did something like this. Okay, so European Parliament is, has set a policy. They, they've smacked their hand on the desk and they said, no AI for you. All right, so this has been a hot topic for. And not to be confused with the, not to be confused with like the goth clothing store from the 90s. Hot topic. This has been a hot topic for a minute around AI governance, the use of AI tooling, shadow AI, etc, and I do know in some federal government, US Federal government spaces, you're not allowed, like, they're, they say you're not allowed to use AI, but guess what, guess what? Microsoft co pilot is like, built in to these things. So an EU parliament blocks AI tools because I, the IT department says we can't protect data security. That's, that's fine. You do that. Okay. And we'll see how well this works. Because number one, I guarantee you that the EU parliament people are using Windows computers Right. I. I've never even been to the eu. I don't know a single, you know, you know, limey Brit or whatever, pip pip, cheerio or whatever. Why is Hot Topic changed his Hot Topic rebranded, But Microsoft Co Pilot's baked in all these things. So like, how are you stopping that now? Second thing. Okay, really quickly, second thing to point out. You can block, like, say, like you can. Dude, there's like so many freaking AI apps at this point. I don't know how, I don't know how you block them. Like at the perimeter, right? Like you can block open AI and Claude A. You can block those. But like, have you seen the. The market for AI charts? It. It's like insane. I saw this at Wild West Hack and Fest Deadwood. He last year, James McQuiggin at 35, 000ft gave a talk. I was there and like, like, look at this. This is probably an old one too. Like, this is like an old graphic. I'm showing a graph on online right? Or on stream right now. But like, dude, like, look at all of these. So yeah, you can block Claude AI, but are you blocking in moment? Are you blocking Senti Sum? Are you blocking Bloomfire? No, probably not. So now this is going to turn into one of those, like administrative policies, right? You know what an administrative. Like, I love grc, but let's be real. Technical policies take action and block things. And administrative policies are security theater, right? If the door has a sign on it that says emergency exit only, you're probably still going to go through it. If your car is parked on the other side instead of walking all the way around the building, right? But if the door says emergency exit only and there's like one of those alarm siren things attached to it that will go off because of a technical capability, you. You're not going to go through that door because it's going to set an alarm off. You see what I'm saying? That's the difference between an administrative policy and a technical policy. So yeah, you can be a great, great citizen, corporate citizen and not use AI tools. But guess what? I guarantee you copilot's going to be used. These individual lawmakers have personal phones. AI is going to be up on that. They have personal devices. AI is going to be up on that. Like, this is not. This isn't going to work, frankly. So we'll see how it goes. I don't know, man. To me, to me, trying to shut down AI at work is like trying to hold like water by hugging it like it's not going to work. And yes, your data is going to get out there. We just saw this in, we just saw this last week in the news. January 27, 2026 Acting Deputy Director of CESA Upload sensitive files into chat GPT. This is like you can't put the toothpaste back in the tube on these things, okay? So shout out to the IT department at the EU Parliament. You have thrown a gauntlet down and now you know, you got to follow up with it. I'll tell you this, the final thing and this is like, this is lessons learned in the, in the forges, you know, in Mordor, right? Forged in the fires at Mordor like the one Ring Guys, writing policy is trivial and anyone I could, Anyone can write. AI can write a policy at this point. Anyone can write a policy. It is enforcing the policy that's challenging. It's dealing with exceptions of policy that's challenging. It's having the policy be reasonable enough that like the business buys into it. If you have a policy that is so stringent or so over the top or so ridiculous, do you know what the business does? They ignore it. It doesn't matter. You it like you don't matter. It doesn't matter. They that's what happens with like this overarching over restrictive policy making. You're making it in a vacuum and it looks great for you, but implementing it will be impossible. And this right here, this is going to be a tough one for them to implement.

B (24:28)

Hands Washington Hotel discloses RANSOMWARE Hits Washington Hotel, a 30 property business hotel chain in Japan run by Fujita Kanko, says it was hit by a ransomware attack on February 13 after hackers breached its servers. The company disconnected affected systems and is working with police and external security experts confirming that business data was accessed. It says customer data is likely safe because it's stored on separate systems, though some operations, including credit card terminals were temporarily affected.

A (25:07)

Google Pat all right, Washington and Japan ransomware infection. All right. I wonder if the Washington Hotel brand in Japan has lost like market value just because of its name. Let's see. All right, so hospitality, of course, this falls clearly in the Hospitality Group. Restaurant Travel Administration. Hotel Restaurant Travel Administration. That's the hospitality trifecta. Japan's been getting hit a lot lately. If you guys remember, Japan has had several high profile ransomware attacks in the last 12 months. This one, this one group has 11, 000 rooms in its entire portfolio. 5 million guests a year. That's quite a bit of people. Friday at 10pm local time they get hit by the way. Spoiler alert. Threat actors. They're not. Not. Not all of them are idiots, okay? There's a lot of really smart threat actors. This is not uncommon. Friday night, they know that you're at the bar tipping a couple sakis back in Japan, right? They know that you're at the bar tipping a couple beers back in the U.S. like, whatever. That's when they attack. Okay? Like, and honestly, this is part of the. The rub of working in incident response. Threat actors like to attack on holidays, they like to attack on the weekends. They like to attack in the middle of the night. Jessica Hyde, I don't know if Jessica Hyde's still in the chat. She's probably. Jessica Hyde can attest to this. Eric Taylor's gonna be doing jawjacking later. He can attest to this. It is, you know, so, like, seeing this right here, completely on brand. Let's see what else we got here. Consumer data is unlikely to be exposed because of the company storing their information at a separate company. Okay, so sounds like the threat actors are just trying to disrupt operations. They were able to screw up the credit card terminals, which obviously that directly impacts hospitality. Right? If you can't run a person's credit card to charge them for the room, what do you do then? Do you, like, let them take the room and hope? Oh, yeah. See what I mean? I just said this again. I don't research these stories in advance, so thanks, Jessica, for chiming in on that. I don't research these stories in advance, so I don't know what they're going to say. But this is echoing what I just said. Multiple companies in Japan have been targeted by hackers lately. Yeah, huge telecom giant, large brewer, Nissan automaker. Okay. I mean, I. It doesn't explain how it happened or what happened. Like, I hate when stories do this just to, like, get more words into the story. Like, although not necessarily related to the breach, here is a fact about something else. Like, okay, if I had to guess, it's probably, you know, Japan. I don't know why. Okay. I don't know why. I don't know if it's because Japan's like, you know, buddies now with the United States. And the United States is a hot topic for ransomware threat actors. So they're doing some of that. Or if Japan's just got a lot of vulnerabilities, I'm not sure. But if you. If you work or defend Japanese companies, obviously you're well aware and should be that you. Ransomware is a major attack. Vector, Right. As always with ransomware, you should be doing tabletop exercises in order to identify how, who's going to be involved with what, who's responsible for what, what gaps are there? What are you going to say to the media if they call? What's the number? Are you going to pay ransoms, et cetera, et cetera.

B (29:19)

Just Chrome zero day exploits surface. Google issued an emergency patch for Chrome's first zero day of 2026, a high severity use after free flaw in the browser's CSS handling. The bug could let attackers run code inside the browser sandbox via a malicious web page. And Google says it was already being exploited in the wild before the fix. Security researcher Shaheen Fazeem reported the issue on February 11, and patched versions are now rolling out for Windows, macOS and Linux.

A (29:55)

All right, we've got that classic use after free bug. Basically, memory gets freed up but not cleared. So that space is quote unquote safe for a threat actor to write to. This is in Chrome's cross sites, cross site scripting, cascading style sheets, handling that could allow a remote attacker to execute arbitrary code. See? All right, so Google pushed out an emergency patch for this. So obviously you got to patch it, you gotta patch it. But I do want to point out that this will only not, not that you want this to happen, but the, the exposure of this is just the compromise of the browser itself, right? So a threat actor can run code in the browser's container or the, the scope of the browser. Now that's not great, right? They could do crypto jacking. They could. If you store your passwords in the browser, I hope you don't. They could probably dump that. If you have active session tokens, they could dump that. So again, you don't want this. But they're not, they're not running like as the kernel, not to be confused with Colonel Sanders, they're not running at kernel level on the operating system. On the endpoint, they're just running inside the browser. But again, a lot of people use a lot of things for the browser nowadays. So obviously you don't want to do that if you're a Google Chrome user, just patch it, simple as that. Especially since basically a threat actor, if they send you a janky web page, it looks like that's how it exploits or detonates the payload. So this could be done through a phishing email. You know, basically that's pretty much where I think it is. Right. I guess if you wanted to be super clever, you could pay. We're seeing now where threat actors are, you know, basically doing SEO for AI engines. We saw in the news yesterday that Google Gemini is returning, you know, AI results, but it's got threat actor links in it. So you could do that. We'll see. Justin Gold J Crypto is saying in mod chat that if they have access to the browser, they could then push you to any site and get you to auto fetch files. Possibly. I'm not, possibly. I'm not sure if that is an attack vector. That's quite concerning then because like obviously if they can get you to fetch files, they'll just pull down second stage payloads and then you're going to be glad you wore your brown pants to work that day.

B (32:36)

Huge thanks to our sponsor Conveyor. Here's a fun question. Would you rather support more enterprise deals or answer fewer security questionnaires? Moving up market usually means more scrutiny and more security questions. Instead of hiring more people or slowing sales, Alteryx use Conveyor's AI to automate customer security reviews like questionnaires, sock two requests and all the back and forth. They supported 200 growth and over half a billion dollars in pipeline with a four person team. If you're tired of choosing between growth and sanity, check out conveyor@conveyor.com.

A (33:20)

All right, let's go. We're not going to do the I have to do the flare ad read and I don't want to have to remove it. Okay. All right guys. Hey, we're at the mid roll here at 8:34am Eastern Time on this beautiful Tuesday morning. I want to say thank you to all of you. Thank you for being here today. It's great to see this community coming together as always, supporting each other, being inclusive and dropping jokes of course. Shout out to the stream sponsors, Threat locker, anti siphon material and Flare. Now check it out. I'm trying to do something new here. Flare has asked me to try to do this. As always, I'm not going to let perfection get in the way of progress. So guys, Flare is a cyber threat intelligence platform and I've got like a video to play while talking about it. Here it is. All right, so check it out. This is actually what Flare looks like, the Flare interface. So this has been pre screened information to you know, it's been authorized to be shown. So as you can see the Flare threat intelligence platform shows you basically all the events, all the information that you can see that they have pulled from the dark web, allowing you to quickly identify assets in your environment, endpoints that have been compromised through info stealers. Right? You can see here. Here are collections of named breaches. So if you want to see if your passwords have been involved in a breach, that information's in here. Not like, have I been pwned? Like, this is straight up. Here's your password again. If you want to sign up and check out Flare threat intelligence platform, I strongly recommend it. I, I got to use it and I loved it now because this level of information is so, so valuable, they don't want a threat actor to get it right. Would basically be like a complete starter bundle for a threat actor. So if you go to Simply Cyber IO Flare, you'll be dropped into this landing page where the first step is verifying your identity as a legit cyber professional, not as a criminal. So it does take a few days. Some of the members in the community have gone through this process already. I went through this process. It's not painful or anything, but they just want to make sure that you're legit and not a liar. So Simply Cyber IO Flare, guys, thank you also very much. Every single day of the week has a special segment and Tuesdays is Tidbits Tuesday where I share a little bit about myself. Sometimes it's like, you know, really, you know, I don't know, like deep, like here it is. And sometimes it's not. I will tell you this. I think I may have shared this one in the past, but I'm just gonna share it again because I, I did it today. Actually, you know what? I'm gonna switch it up. I was going to tell you guys that like, in the last year I've started using like Face moisturizer because my wife, like got it for me and like, just became part of my routine. And now I use like Korean based face moisturizer. Korea's got it on lock. All right, Face moisturizer out of Korea is legit, y'. All. Now what I wanted to tell you is it is Tuesday and I'm going to be getting a Greek recovery bowl from Cairo's Mediterranean for lunch day. But, but I wanted to let you everybody know if you are more of a meat and potatoes person, you don't really get out of the, your, your swim lane when it comes to eating. Like, you're like, I just eat burgers and fries. Occasionally I'll eat fried chicken. Right? Like, if that's you. Listen, let me, let me turn you on a little bit to Vietnamese food. Okay? There's a restaurant nearby called Bon Bon Me, but basically a five spice pork sandwich with fresh Cucumbers and fresh carrots.

B (37:12)

It's.

A (37:12)

It's good. It's good. I'm not talking about faux. I. I'm not a big fan of faux ever since I stuck jalapeno in my eye. But bon bon me sandwiches is where it's at. So if you get a chance to grab some Vietnamese food, don't be shy. Don't be shy. A lot of people are reluctant to try new cuisines. What's your favorite kind of unusual cuisine? Drop it in chat. That's what I wanted to share on Tidbits Tuesday. Kind of a fan of unusual cuisines. And by the way, if you did not know, final fun fact, I am a massive, massive curry fan. Okay? Like, my wife sometimes jokes that, like, I married her because her mom makes, like, bomb curry. Okay? But I'll put curry. I'll eat curry all day, and then I'll put curry sauce on my breakfast sandwiches the next day with leftover. I'll put curry on a pizza instead of tomato sauce. Get out. Oh, just talking about it's making my mouth water. All right, let's finish strong, y'. All. Computer, play the news.

B (38:21)

Starlink restrictions hit Russian forces. Ukraine's new national verification system for Starlink terminals is disrupting Russian forces after it confirmed Russia was using Starlink equipped drones for real time control. Only registered devices now work in Ukrainian controlled territory, and officials say the change has already reduced kamikaze drone attacks and disrupted coordination. Ukrainian authorities warn Russia is trying to recruit civilians to register terminals on its behalf, while a hacker group claims it tricked Russian soldiers into revealing locations and paying to restore blocked devices. Operation Doppelbrand.

A (39:06)

Oh, my God.

B (39:07)

Weaponizing Fortune 5.

A (39:08)

On. Hold on, hold on. Computer's getting sassy this morning. All right, this is a continued developing story. By the way, thanks for everybody dropping these things in chat. I love roti. I know I don't say it correctly. I love ramen. I've never had ramen with blood cubes. I might have to. I might have to put a line in the sand here, Elliot. All right, so we've been watching this for a few days. Russia basically is sending drones with, like, effectively C4 attached to them and flying them directly into Ukrainian soldiers and blowing them up. This is horrible, horrible, horrible graphic stuff, right? Like, I don't. Like I. I'm saying it, and I don't even fully appreciate it because, fortunately, I've never had to be in a military theater and see horrors of war. But, yeah, I mean, effectively, they are blowing up people and blowing up valuable Military targets. Well, you can use jammers to stop that from happening. So then Russia started using Starlink for Internet service. Ukraine last week, in response to that, started effectively allow list only certain Starlink terminals inside the Ukrainian airspace, disrupting Russia's ability to use Starlink for sending these drones into there and. And killing Ukrainian people. So what. What's happening now is Russia is trying to recruit citizens as basically proxies to sign up for Starlink, which I think is wild. If I lived in Ukraine, I guess you have to find Russian sympathizers. I'm just thinking, like, for real, if I lived in, like, if, If. If North Carolina has been invading South Carolina for the last four years, and then a north. Like somebody out of Raleigh is like, hey, what's up there, low country guy? Would you like to register for a Starlink So I can send a drone into South Carolina and detonate it? No. Like, who's signing up for that? But whatever. Yeah, you can see here you need this. Ukraine rolled out this national verification for Starling terminals. Very, very difficult to roll this out. But I mean, I guess when you're in war and your entire country's on board with it, you're able to move mountains effectively and it's working. Right. Ukrainian officials claim the crackdown's already affecting Russian operations. The number of kamikaze drone attacks. Again, the number. So what this really should read, if you want to, like, get dark about it. It says the number of Ukrainian soldiers not being effectively, you know, unalived has increased, which would be good if you're, you know, pro Ukraine. Right. All right. So, yeah, obviously there's a greater impact. Russian. Russian bloggers have lost Internet access too. Okay. So I guess this story is interesting, and it's kind of wild to see how cyber capabilities are playing out in military theater. Again. I was always in the camp that the next world war would be a, you know, digital Pearl Harbor. Cyber capabilities everywhere. Pew. Pew. Maps all over the place. And in reality, that's just not the case, especially if one of the invade. If the invading country wants to claim the land, you need to put soldiers on the ground. So cyber is just a complimentary capability. And, you know, it's. It's making the battle space more complicated. But, you know, it's. It's tried and true practices on fighting a war. Right. They're disrupting the communications and undermining the drone capabilities of the Russian soldiers. So that's. That's all that's happening here. The. The going beyond the headlines for people here. I Want you to think about this for a second. Everybody, for a second just put aside the fact that it's Starlink and Russia and Ukraine and military and people dying and explosions and stuff like that. Just for a second think about when you make a decision in your environment that is a massive enterprise affecting decision. So in this instance, Ukraine has said they're going to like basically only the only way to use Starlink in Ukraine is if you get on this national verification allow list. Okay? That means that if you're, if you were just using Starlink as a general person, maybe you lost Internet access because you can't get it on this list, right? Maybe it's, it's, maybe it's difficult to get, you know, get to the right person. You're a completely legitimate user and you completely legitimately should have Starlink access, but you can't now. So when you roll something out enterprise wide, okay, whether it's like we're rolling out multi factor authentication, we're rolling out mobile device management, we're rolling out whatever like you know, digital. Oh, how about this one? Virtual desktops. Everybody's going to be using Office 3, Microsoft Azure for your desktop. You'll use a thin client and connect in like that is fine, but you have to think through the like 80% of them are going to be fine, right? It solves 80% of the problem, what we get paid to do and unfortunately no one wants to hear it from us IT people. Also in this case, we need to think through the 20% fringe cases. Who's going to be impacted by this? Right? So for the, we're going to roll out virtual desktops everywhere. What about the person who lives in rural Oklahoma? That's super important to the business that has crappy Internet. Like are they like, is there an exception to them? What about the CEO who uses a MacBook? We're not virtualizing the MacBook. All right, so now you got to think through how are exceptions handled? How do you manage those accepted and accepted endpoints and workflows? Do you inventory them like the devil is in the details when you make wide enterprise affecting decisions. So I just want to remind everybody that because this is the final thing I'll say and if you've got gray in your hair, you've been around the block more than once, you're gonna feel like you're seen, right? A lot of preaches probably in chat. The reality is when someone comes up with some big brain idea, typically an executive, and they're like, we're gonna do this, we're gonna save money and they smash the champagne bottle off the hull and everything. They aren't thinking about the bull crap of what it takes to actually operationalize this and implement it and handle all of the nonsense that they weren't thinking of. They're just like, might as well be a 500 word blog post. Like, I'm saving money, I'm doing business. Look at my bar chart. Oh, and then they just move on to the next project and we are left implementing a massive thing, right, that they like. So anyways, that's the reality of it.

B (46:29)

Okay, Socrate, our researchers say a financially motivated group dubbed GS7 is running a phishing campaign called Operation doppelbrand that impersonates Fortune 500 brands to steal credentials. The operation, active since at least late 2025, targets major financial institutions and other high value companies using more than 150 spoofed domains and highly accurate login pages. Stolen credentials and device data are sent to telegram bots and victims may have remote management tools installed, suggesting GS7 may sell access to ransomware groups as an initial access broker.

A (47:15)

All right, so this shouldn't come, I mean, this, this type of attack has been, this has been around since like websites existed. So like, for all my, you know, for everybody who was in corporate America in 2000, like, we know this, okay? The dot com, boom. The dot com bust two years later. All right, so threat actors. This is a ton of work for threat actors. Okay, Ton of work for threat actors. Hold on one second. I just got to get this, I got to get this off my screen. Hold on one second. I can't, I can't look at this. DJ B sent a gif that I just can't look at. There is a lot of setup on this. They have to clone the websites, they have to make it look legit, they have to register the domain names, et cetera, et cetera. But they're targeting Fortune 500 companies. And, and I think the customers of those companies, not the, not the employees of those companies. I'm trying to figure it out. All right, so they're, I, I mean, they're targeting Fortune 500 companies, but like, in what capacity? Like am I, Is it like Pfizer? Like in what? Okay, yeah, I'm not entirely sure, like how they're. Okay, so if they are, if they're impersonating a financial institution, but then that makes sense, right? I'm going to get your creds and I'm going to rob you, period, full stop. That's not targeting Fortune 500, that's targeting like well known financial services companies like to me that's makes a lot of sense. Targeting like Unilever, like what are we doing here? All right. GS7, though they've been around for a hot minute, they are very effective at what they do. It's believed they're selling initial access to other threat actors as well. TLDR guys, like, the fact that this is effective is worth noting. But at the end of the day what you need to do is. I hate that I have to say this. Okay, Number one, make sure that you are using multi factor authentication for all of your accounts. Number two, make sure, if you have a service, make sure your workforce, family, friends, loved ones, make sure they have MFA on third, if you can get it, make sure that your entire company is requiring MFA for all the things, especially things that are Internet facing. Okay, Citrix gateways, you know, Office365, Google Workspace. Like it shouldn't be your VPN concentrator. It shouldn't be optional. It should be required. First of all, right, secondly, don't reuse passwords. I know that this is a tough, a tough hill to get over, but like dude, password vaults, protect yourself at least. And then if you can get friends, family, loved ones, workforce on it, get them on it. So you're not reusing passwords. So the exposure, the blast radius of having your creds compromised is minimal. Also, educate people on phishing emails. Right? It looks like they're using domain name typo squatting too. So like, you know, whatever Chase.com is Chase-Support.com like just also if you can, again, just to protect everybody from all the things all the time. I, I personally do this. But. Let's see. Is it cloud flare? I, I like this. Cloud flare is not a sponsor or partner. This is just something I use. I use, I think it's this one. 1111 for my DNS resolver. Essentially what this does is it blocks out malicious websites. Thank you. And adult websites. Right? So yeah, see right here, two flavors. One. This is it right here. 1112 is no malware. 1113 is no malware, no prawn. Okay, So I mean, if it's wild. When I worked at the Healthcare Institute, we could not block adult content because some researchers had to watch it. I'm not joking. I'm not joking. There are people whose job it is at MUSC to, to watch adult content for reasons. But what we can do is block malware. So why not do that? All right? You've got to do defense in depth, y'.

B (52:31)

All password managers, maybe not. Researchers from ETH Zurich and Universita della Spezzera Italiana found multiple weaknesses in Bitwarden, LastPass and Dashlane that could expose passwords if the service's servers were compromised, despite their zero knowledge claims. Using a malicious server model, the team demonstrated 12 attacks against Bitwarden, seven against Lastpass and six against Dashlane, with some leading to password disclosure or vault changes. The researchers said legacy cryptography and unclear threat models contributed to the issues.

A (53:15)

Info not good. Like, literally, I was just talking about get them on password vaults, and I still stand by it. Okay. It is software, though, so you got to be careful. I like Bit Warden quite a bit. So the fact that Bit Warden gets trashed in this story is quite concerning for me. Researchers can demonst like. So I'm not going to dismiss this, this information. This is quite important to me. Like, I'm going to follow up on the story after I get back from teaching today to understand more about it. But you, you got to remember, sometimes academic research is, you know, you know, everything's kind of like set up just right so it can be done. If this is being done in the wild, that's, you know, a different thing. Is it the. It could be the Chrome extension, it could be the FAT app, it could be the Apple version. Right? So again, understanding the details is important in this one. All right, so the research. Right away. So part of the limitation or the detail of this, right. The attacks don't exploit weaknesses that remote attackers could exploit. Okay, so right away, the title of the story we made assumptions on, but now the details are revealing that it's not what you may have assumed. They could retrieve encrypted passwords from the user and in some cases change the entries. Okay, so if you have a good password, right, or good encryption, then that's what they get. They don't. So then they'd have to crack it using like Hashcat or not Hashcat. Friggin. What are those crackers you need like a rainbow table, right. Essentially, I think Cane Enable. I don't even know if that's still used or not. But. Seven of Bit Warden's 12 successful attacks led to password disclosure. That's awful. That's awful. Again, you know, this is another reason why multi factor authentication is super important. Right. I do want to know how, how this attack worked, if there are patches for it, et. So I will be looking into this personally. If you use a password vault, which I suspect many of you do, you may want to look into this as well. I'm a huge champion of bit warden. I've, I've. I've enjoyed it. I used to use LastPass and then I got off of it, so we'll see. This is great work, though. You know, we can't. Nothing's perfect, man. We can't just assume security. It's. It's software, right? And the fact that so many people are using password vaults makes it more sensitive and a more desirable target for. Oh, yeah, John the Ripper. Thank you, Brown Coyote. Think about this, guys. Like, if only a couple people, fringe people, were using password vaults, it. It wouldn't necessarily be worth a threat actor's time to develop, research, and find a vulnerability and then exploit it. But if everyone's using it just like Microsoft Windows, then it becomes highly valuable and worth the effort because you make the weapon once and you can use it over and over and over and over again.

B (56:48)

All right, Stealer malware found stealing Open Claw secrets Hudson Rock researchers say an info stealer, likely a Vidar variant, exfiltrated configuration files from an Open Claw h. AI agent, including gateway tokens, cryptographic keys, and the agent's court behavioral rules. The data could let attackers remotely access the agent or impersonate it in authenticated requests. Security scorecard also found hundreds of thousands of exposed OpenClaw instances vulnerable to remote code execution. While other researchers uncovered malicious skills and undeletable AI agent accounts on the malt Book platform, some are warning info stealers will likely add dedicated modules to target AI agents as they become more widely used. Being a.

A (57:43)

Okay, whoever drew this, I appreciate that. They drew it with, like, comic sans font. All right, guys, here's the reality, okay? Open Claw is so hot right now that Hansel's so hot right now. Right back here. As I've told you guys repeatedly back here, this TV right here is a monitor for my Open Claw instance. Now, I like to think that I've hardened the crap out of my Open Claw to the point where it's not as vulnerable, right? We can't reduce all risk, but I. I've definitely hardened it quite a bit, but so many people are watching YouTube videos with zero technical understanding of what's going on. And many of the YouTube channels are directions on setting up virtual private servers out in the cloud because those YouTubers are getting affiliate fees from the cloud service providers, which is fine. I don't care. Get yours right? Get your affiliate money here. But the problem is, I've watched like three of those videos just while I was doing My initial research on rolling out my own Open Claw instance, none of them, zero of them talk about hardening. It's like, it's like, it's almost like watching a video on how to, like, how to like set up your jet car. It's like step one, get your golf cart. Step two, get your jet engine and put it on your golf cart. Step step three, start it and go, woo. Right? Like there's nothing about like securely attaching the rocket seat belts, ensuring that you don't go over a certain speed, testing it on a, a parking lot, not on the highway. Right. Like none of the things, at least in what, the few videos I've seen show you how to harden it reasonably. Because of that, so many Open Claw instances, and there are tens of thousands of them are basically exposed to the Internet just sitting out there. Now, if you don't connect the Open Claw to an LLM, it's a little less powerful if you, you know, I mean, it's just not good. But it is, it is. I do want to point out that they talk about malicious skills. Okay? So one of the things that OpenClaw has is this like skill ecosystem. Think of it as like the App Store. The problem is that there's like zero verification or validation of the skills. It's like anyone can put a skill in there. They did set it up where there's like a virus. Total lookup. But most of the skills in the openclaw skill library are malicious. Meaning you install it and then, you know, like they steal all the things or they have your instance do all the things. It's not good. Okay, so Open Claw, super powerful. But until they get some like guard rails around the skill tree stuff, I don't know, it's not good. I will tell you also, just for those who have been following along, like, basically, here's the deal, if you're running Open Claw, you should be very heightened risk awareness that there are likelihoods that it could be compromised. Okay. Just be aware of that. Number two, they make it incredibly easy to deploy. So you're probably having people in your, in your environment deploying Open Claw without any permissions or authorization to do it. So be looking in your, look in your, in your, in your logs, in your sim for. Hold on. This is how you install it. Okay, where's the command? Right here. If you're, if you're listening, if you're listening to this podcast, not watching, basically look for openclaw AI. Look for that domain name in your environment. Because the one command to bring it down is openclaw AI slash, install ps1. I do want to point out that it's not as, you know, elegant and as seamless as they make it out to be. Like, if you're, if you're installing it on a Mac Mini, you have to install Brew like the Pip for Mac and you have to install that using an admin account. Like it's not, it's not like one button and you know, it looks like the commercial. Okay, anyways, yeah, Open Claw. Finally, really quick, just a bonus tidbits Tuesday. If you've been following me and my Open Claw work, I'm actually going to be deploying my own a local LLM. The, the Opus 4. 6 is powerful by anthropic, but I'm like, I'm burning money effectively. So I'm going to take a small hit and just have a little less performance. But then roll my own. Not roll my own, but deploy my own local LLM on this, a computer I have with a gpu and just get rid of that expense altogether. All right, guys, holla. I want to say thank you. Thank you all so very much for being here today. Shout out to all the friends, Simply Cyber community members who came today. We had a banger of a crew today. All about good times. Guys. Remember, today is Wednesday. Just remind everybody that tomorrow Simply Cyber Firesides, we're getting a takeover. Kathy Chambers will be hosting Simply Cyber Firesides. I will not be. And it's going to be an all female panel talking about imposter syndrome in cyber security. Come have fun, hang out. You know, it's very on brand for Simply Cyber. Supportive, inclusive, all about good times and helping people level up like a bunch of bosses. Remember, for all content coming down the pike for Simply Cyber, go to Simply Cyber IO schedule and you can see it here. Here's that Firesides right here. You just click on it and you can register for free. Get a calendar invite. Very simple SimplyCre IO schedule. Don't go anywhere because Eric Taylor is going to be doing jawjacking for Simply Cyber Media Group. He'll answer your questions if you drop them in chat. I'm Jerry from Simply Cyber. Gotta go teach now. Have a great Tuesday. Until next time, stay secure. Oh, today's Tuesday. All right. Hey everybody, just a reminder that on Wednesday, on Wednesday, the day after is when this will be happening. This is on Thursday. Simply Cyber Firesides. I got my head all the way up my butt right now, this Thursday. So enjoy your Tuesday. We'll be back Wednesday. Sorry for the confusion, everybody. That's why you go to Simply Cyber IO schedule. So you can get straight talk instead of listening to me make mistakes. All right, guys, be well, have a good jawjack and I'll see you. Ever wonder what it takes to break into cyber security? Join us every weekday for Jawjacking, where industry experts answer your burning questions about the cyber security field live, unfiltered and totally free. Let's level up together. It's time for some jawjacking.

C (65:31)

Good morning, good afternoon, good evening, wherever the world you are. Thank you so much for joining. Sticking around. I see you, I see you. Sierra Montgomery. Thanks for hanging out. Zmif42. Pleasure to see you. Let's see if we can get some. Some music going. I am here to answer your questions as fast as humanly possible. Like Jerry said, My name is Eric Taylor. I'm with Barricade Cyber Digital Forensics, dude. And definitely try to get salty and a little spicy from time to time. The dolphin. Oh, the dolphin will be coming back soon. I definitely have it on my stream deck. All that dolphin sound is not going away. I do need to be. I do. I'm talking great this morning. I have plans to get with. Try to get with DJ B Sec to get obs set up. I gotta talk to him soon. So if you're watching, expect a message from me. I'm gonna be getting. I got. Getting a call scheduled with. His name just escaped me. 30,000 foot dude. But I'll be getting with him. Trying to work out lighting because you can tell it gets a little thing a little dark man doesn't do well right. So. But anyway, so I will have a much more professional look like Dr. Gerald Ozier like DJ P Sec and be able to up my game. Trying to teach an old dog new tricks, ladies and gentlemen. So if this is new to you, definitely put a Q and a colon into chat and go into. Or type your question. I don't know why I'm tongue tied this morning. I've been talking fine for the past three freaking hours. But I type your question in and we will work our best to get it done. Let's see. What do I have on my radar? While we're waiting on questions, let's check. Check my world monitor app here. Oh, this is actually a interesting story. Let's. Let's do this. Let me minimize this. Let me. I do see a question coming in. Give me one second. I'm just moving a window around and I will answer that question for you. Okay. From BB5542 what is your understanding and reaction to the story today about password vault. Yeah. Remember James McQuiggin's name? Exactly. Thank you. I don't know why I keep forgetting your name. I'm so sorry, sir. I will have to look it up. I was knee deep. I was listening kind of passively. Let me. Sorry. Let's do this real quick. Bear with me why I catch up. I tell you what. I can multitask with the best of them. Let me do this. Let me do this. I will come back to your question a second. I'm going to bring it up on. On another window here. So a story. How's the music vibe been with everybody? Do not share system audio because I haven't had a chance to shut all that down. And I as normal, I will put move over restream. Thank you. In fact, make me smaller so that way this shows up a little bit better. Y' all read that? Okay. James just sent me a private message and signal. But anyway, so I just posted in there. It'll come over as the host, Dr. Gerald Ozier. But from your most ransomware place playbooks address don't address machine credentials. Attackers know it. The gap between ransomware threats and defense and defenses mean to stop them from getting worse, not better. Avanti's 2026 State of Cyber Security report found that the preparedness gap widened by an average of 10 points year over year across every threat category the firm tracks. Ransomware hit the widest spread of 6 and 30% of security professionals hit by the high or critical threat. But just 30% say they were very prepared to defend against it. That's a 33 point gap up from 29 points as of last year. Now I know my definition of machine passwords. Resetting everybody's password after an incident is standard practice, but does not stop ladder movement through the compromised service accounts. Exactly that. That's what I was wanting to see. The compromised service account threat actors will leverage service accounts all the time. That's one of the steps of privilege escalation is that they can get to a service account that they are able to determine is a domain admin. They have the gates of the kingdom. And a lot of IT people do this and I mean not bashing IT people for doing that, but it is because it's a way to get things going up and running and run Bob's widgets and you know, makes Carl and accounting happy. So music is a little loud. Okay, let me turn it down a little bit. It's a 20. Let's do come on. Okay, so 16. So job four. All right, so, yeah, definitely. Look at that. You know how when's the last time you rotated your service accounts passwords? So that's a good story to go up on while I'm doing that. Let's see. Try to bring up CISO series. I'll stop sharing, look for questions. Because I do want to answer the question about the password story because that's always a hot butt topic. And I can literally go on a soapbox for probably right three days on that. Did they change their. It's been a long time since I've looked at their site. I really don't. What is this garbage? Like, you open up the story. I know it's user error. I'm doing something wrong. I'm not bashing CISO series, just to be clear, but I open up the story and it goes straight to the transcript. I know I'm doing something wrong.

A (73:24)

But.

C (73:24)

What am I doing wrong? Yeah, I can't find the. This is not even the right link. Let me just try this. Sorry, ladies and gentlemen. So, so, so sorry. I'll share with the class where I'm struggling again. Like I said before, trying to teach an old dog new trick sometimes can be a little hard. Come on. So I wish Jerry didn't, but, you know, you go to the CISO series site. This is the CISO series podcast that air that we read from. This is today's right and just a transcript. So I've come here before and done like this CISO series link. I don't know, there's maybe something's janky on my. On my browser or something, but for some reason I cannot find that story. So sorry about that. I'll keep looking. I'll keep looking, but let me try to see if there's any other questions.

A (75:33)

Real quick.

C (75:43)

What question from Easy E does it. Is that like a play on the old rapper Easy E? Maybe. Oh. But anyway, question was, what is the most interesting. What is most interesting to you about df digital forensics versus other areas of security? It's just what clicks with me, and this is what I talk about a lot, you know, especially in here, is finding what clicks with you. You know, I've done the msp, I've done pen testing, and pen testing is cool. You know, if you didn't know, I was busted many, many years ago when I was a teenager for hacking and, you know, the whole FBI SWAT team, blah, blah, blah. The. I'm getting a message from FedEx to hit the yellow button. Oh, that's right.

A (76:40)

So.

C (76:41)

Okay, I can go back to your story in a moment. Sorry. Thank you so much. FedEx. I didn't realize it was different. Anyway, I'll show you where I was messing up for those who don't visit the website very often. But the. You know, when Covid hit and I was doing a lot of pen testing at the time, so, you know, I have my CEH and you know, I'm just. I'm bug bouning it up because at that time I really wanted to get back into cyber security. And those have been around for a while. Knew Storybot Hunter and you know, he was getting into some. Some delicate times. And we knew the road ahead. It wasn't immediate back then by any means, but we knew in the next couple years there was going to be a lot of stuff that was happening. And like any good typical dad, I wanted to make sure that I can do something without getting arrested. Right. I have a. I have a. A problem even to this day. And I equated to not saying I'm the same as an alcoholic, but I have a problem when I get bored. I start hacking and causing mischief and mayhem even to today. That's why I try to stay very busy so I don't get bored and start tinkering. The right wing. Covid was starting to. I think it was already in, but we had a couple MSPs come and say, hey, you know, we could really use a fresh pair of eyes on some of this stuff. And they were doing the forensics themselves and you know, we just can't figure this thing out or whatever. Or one was like, you know, we just. One was. One MSP was like, look, we only deal with the larger matters. You know, these smaller ones. We just want somebody to be able to handle this stuff. Is this something that you can do? And I was like, yep, you know what? I'll try a couple matters out. I'll try going through that. And I really found my love for hunting evil. Quite honestly, I just love hunting evil. That's my thing. I love digging through the logs. I love uncovering or trying to uncover the hidden gem. It's just. It's just not to sound dirty, but it's what really makes me happy. Right. And it's just. Just my thing. So, you know, a lot of people say they want to get into I T. They want to get into cyber, they want to do this. And my story is just like that.

A (79:19)

Right.

C (79:19)

I've went through several. In several verticals of cyber and in it Until I found my thing, you know, I didn't just fall into it. Like I woke up one day like I want to hunt evil. And that's just all I did, right? Went through a lot, a lot of different industries, different things before I stumbled across it. So don't be scared to go down that path and try to go and try to find your thing. Hopefully that answers your question. All right, back to the other one and then I'll look for some some other questions. I know we're running tight on time, but if you are like me. And thanks again to FedEx for sending me a message and signal. Apparently this button up here and I forgot again, like I said, I knew it was a me issue. I knew I had to be doing something wrong. But I always looked at the CISO series, the red button. But it's the cyber security headlines and that's where I was screwing up. So thanks again to DJ Beast or to FedEx for showing that to me. Washington the hotel Yep Starlink Yep Weaponizes for compromise password managers maybe not okay, Give me one moment. Just do a cursory because I do believe I was on a phone call when Jury was covering this because I came in at the hotel. Story. Of servers to behave attacked versions test release of password disclosure Whereas the only three of last best text into the same and one for dash lane Yep. The majority of the text require simple interaction with users such as logging in. So this is one thing and I don't. This is something I do research on okay, the full paper PDF. Let's see what this is real quick before oh, this is definitely going to take some time to digest this. Okay so I will put it on my notes to do and I will research this more and this is something that I also need to do research on. I know the browser the passwords are able to be easily dumped and threat actors do that all the time.

A (82:06)

Time.

C (82:06)

The one thing I have not tested recently or maybe even ever to be honest with you, now I'm thinking about it is if a threat actor has say a remote access tool, Screen Connect, TeamView or any desk whatever, pick your remote access tool of choice and they're able to watch what you're doing and see that Carl is logged into the workstation and Carl has already entered the password into the browser plugin to essentially decrypt the password manager and make it usable. If a threat actor was in there at the right time, could that use could that threat actor exfil trait the decrypted password vault from the browser or wherever, wherever the database is stored and then be able to view that information that I don't know. I do use a zero trust password vault. You know, I'm not going to o sense what we're doing, but that is definitely something that I have not looked into a whole lot and arguably I probably need to to be quite honest with you. So I will definitely do that. All right, from the Kyle. Kyle, the real analyst. I use Socradar CTI at work. Would you recommend open CTI or MSP for home lab? OpenCTI thousand percent. I've used MSIP before and it's okay. But this is going to be one of those kind of like what I was talking about with the industry stuff. You gotta find, try them both out. See what jives with you Kakao and see what makes sense to you. I personally like open cti. It makes the most sense to me and the way I digest and I can frame things in there. But I know a lot of people swear by Emma Misp to be completely honest with you, I don't see there is a downside to either platform. I think it really just comes down to use case or what works best for you and your team. All right, again try go through this. Any thoughts, suggestions on tools for continuous pen testing? Red teaming My organ considering an internal red team. Okay, any thoughts, suggestion on continuous pen testing? Red teaming. Pen testing can be continuous, continuously searching, looking for stuff. Sorry, I keep seeing a hair for my beer popping up and it's driving me nuts. But red teaming to have that consistency constantly going. It doesn't exist even with the AI tools. A real red team is simulation, a base attack. They're coming in and they're simulating scattered spider lapses, scatter spider lapses, whatever. You know, they're going to simulate Akira. They're going to simulate and enter a threat actor name here or they're going to simulate all the threat actors that go against the MITER framework. Like you want to, you want to test for, you know, privilege escalation, lateral movement, remote access, things of that nature depending on what your scope is. And the red team could do that. But it's a very targeted, very deep and hands on. Like a true red teaming is. They are trying to compromise your network. Like they will get to a certain point before they bring you down. Right. They're not going to deploy a ransomware payload in your environment, but pretty close to that. And that's a full on red teaming engagement. Like they are going at you. All right, So I don't have any real suggestions on pen testing to be what I would say though. You know, definitely talk to Black Hills Information Security, talk to some other folks, find out a team or a vendor that would work for you in the pen testing. I think they even have some, you know, routine scans like a NESSUS or whatever. But definitely talk to them, talk to a couple other people. And I know Black Hills can do a full on red teaming. What I would say though is use like a tool like Shodan or something like that and try to get set up your, you know, your domain, your firewalls, things of that nature and try to find the low hang fruit, get that cleared up before you get in involved and that will help minimize the, the noise in a report and you're cleaning up your environment already. So that's what I recommend at least for first steps from Ross the Boss Knot. I may be moving from a management role to an IC role. Congratulations. Due to org restructuring. Okay, I'm assuming IC role is incident Commander. Kind of a lateral movement. When I see ic, that's what I'm thinking of. Hopefully I'm taking the, I'm picking up what you're putting down. Any tips on how to navigate the transition? Don't mind the technical work. Just want to stay strategically relevant. Dude, you're, you're staying strategically relevant by being that instant commander. You're going to be bringing value to all the clients. You're going to have a more hands on role. Yes, you're going to be helping because an incident commander does a lot of the reporting from the team that's doing the work. Granted the team is putting in, you know, what they did and stuff like that, but the incident commander is correlating that data and presenting it to the client. Kind of like a, a project manager, if you will, and being able to go through that process. So just what I would tell you in that situation is when you're going through your cadence calls and things like that, just keep asking them. Did I answer all your questions effectively? Do you have any additional questions? Remember that. Did I answer all your questions effectively? And do you have any additional questions? Ask that ad nauseam. Like they're going to know you're going to ask those two questions. All right. The rich Rich. Have you ever had someone on a team who was not using the correct language like saying breach or something prior to, to evidence and should, should have been saying security? Yeah, we, we had that once and I had to pull them aside and tell them very politely to never speak again until they realized where they messed up the term breach, especially when we're in incidents that are leveraged by breach counsel, AKA the lawyers, they are the ones that, that make that determination of a breach. When you say board breach, you are triggering notification requirements to start at a certain time. All right? So I am so sorry, ladies and gentlemen. We are at 9:30. Don't want to run long for that. I know there's some questions if you want to go to ask barricade.com I know it's a little bit of long of a thing, but go ask your questions there or come back next Tuesday and ask your questions again. Thank you all so much for tuning in. I do greatly appreciate every last one of y' all hanging in there hanging out with me, asking your questions. I do really do enjoy this and being able to hang out and I will see y' all hopefully on Friday. I'll try to come for the panel. I think I got some availability, but if not, I will see y' all same that time, same BET channel next week. Take yours, my friends.

A (90:21)

Hey everybody. I hope you enjoyed that content. Keep the cyber security train going by connecting with the other Simply Cyber community resources. We have the Discord server that's lively and always keeps the conversation going. You can connect with me directly on LinkedIn and also every single weekday morning on the Simply Cyber channel. We're doing live daily Cyber threat briefings, 8am Eastern time as well as Thursday at 4:30pm we're doing live stream interviews with industry experts and we produce videos that we push out every Wednesday morning. I'm Jerry from Simply Cyber. I hope you enjoyed the content and we'll see you in the next one.