Steve Prentice (9:03)

Foreign.

Dr. Gerald Ozer (9:07)

Thank you to area for sponsoring. All right, quick note from Threat Locker. Reminder, I will be at Zero Trust World alongside Kimberly Can Fix it and Kathy Chambers in early March. Great conference. If you're going, come on by. We're going to be doing the show live from the conference floor for three days in a row. It's going to be bananas. Now, quick note from Threat Locker and then we're gonna get into the news. I want to give some love to the daily Cyber Threat brief sponsor, Threat Locker. Do zero day exploits and supply chain attacks keep you up at night. Worry no more. You can harden your security with Threat Locker. Worldwide companies like JetBlue Trust Threat Locker to secure their data and keep their business operations flying high. Threat Locker takes a deny by default approach to cyber security and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operation is fully supported by their US based Cyber Hero support team. Get a free 30 day trial and learn more about how Threat Locker can help prevent ransomware and ensure compliance. Visit threatlocker.com dailycyber. That's right. Now everybody do me a favor, sit back, relax and let's let the cool sounds of the hot news wash over us all in an awesome way. We'll see you at the mid roll security headlines. Oh, by the way, for you first timers, if you've been watching last week and getting caught up, you already know this. But for someone who just found us and is like, what's this all about? This looks interesting. Let me give this guy a shot. I don't research or prep for the show. I have no idea what stories are going to be coming. There's going to be eight. I have no clue what they are. I haven't seen them. I haven't researched him. I know nothing. Jon Snow. So we will. We will see. It hasn't been a problem 1048 episodes in a row.

Steve Prentice (11:02)

These are the cyber security headlines for Monday, January 19, 2026. I'm Steve Prentice. Cybercom, NSA leadership nominee to assess dual hat role. Army Lieutenant General Joshua Rudd, the presidential nominee for the director of the National Security Agency, Chief of Central Security Service, and command of US Cyber Command, stated in a confirmation hearing on Thursday that he would evaluate the efficiency of the dual hat leadership role between U.S. cyber Command and the National Security Agency. If he is confirmed to the job, end quote. He would replace General Timothy Hogg, who had been CyberCom commander and NSA director until his termination in April of last year, at which time he was replaced by current acting head of both organizations, Lieutenant General William Hartman.

Dr. Gerald Ozer (12:00)

All right, so, you know, I mean, this is basically, this is a government position, cybercom, nsa, dual hat role. So, like, you're in charge of both of them. Is that a good idea or is it a bad idea? Should there be two different people in those roles? Well, if this guy gets confirmed as that role, he'll confirm it. I mean, he'll investigate it. The nice thing is, again, even though this guy's like all military and stuff, this is basically like an appointed high, high level federal position. So it comes with all the nuances of Game of Thrones that, you know, playing at that level is. Now this guy is a three star general, so. No, no, no, you know, what's the word I'm looking for? No, not shy or not new to any of this, you know, chess moves and posturing, I'm sure. And the guy spent most of his career in Special Forces. His entire. What the heck, the guy's entire chest is covered in ribbons. Right? He probably, his jacket probably weighs like 8 pounds because all the gear he's got stapled on there. If you want someone to look at anything and determine the effectiveness and efficacy of the way it is built, I would recommend Special Forces. Now, I didn't serve in the military, but I do know some Special Forces people, namely Jax Scott, if you're familiar with her. These people, they are, you know, they execute. That's what they do. You know, I. I always say ideas are easy, execution's hard. Special Forces people, they execute with, you know, very high precision and very high efficacy. So I'm actually excited. I've never really. I don't know enough about the NSA and CyberCom to know if it makes sense to have a dual hat role, but I am kind of like in the nerdiest way possible, interested to see what this guy does. I hope he gets the job I love having, I love having military people like generals and you know, colonels and stuff in charge of, you know, federal, federal government stuff that has military applications. Right. Cyber common nsa. Yeah, we, we, you know, they break codes and they do stuff like that. But really at the end of the day it is part of the military, you know, defense industrial base of intelligence gathering, understand what adversaries are doing, having asymmetrical information to be able to, you know, continue to be a world power. That's what they do. And you know, military doesn't necessarily mean dropping bombs, it just means being a first world power and, and you know, exercising national power over other, you know, entities, whether it's countries or republics or you know, even organizations of sorts. So yeah, let's go again. I will tell you, for all those professionals in chat right now, like if you're a CISO somewhere, this isn't going to impact you really. And if you support the federal government in the NSA and cyber Command, sure it would. But like for someone who's working at a healthcare institute or a manufacturing company this morning, this is interesting, but not really, you know, disruptive of third party.

Steve Prentice (15:16)

Applications access sensitive data without justification says report.

Dr. Gerald Ozer (15:21)

Oh, surprise.

Steve Prentice (15:22)

Only data released month by researchers AT Reflectives analyzed 4, 700 leading websites over a 12 month period ending in November of last year. It suggests that 64% of third party applications access sensitive data without business justification, up from 51% in 2024. Government sector and education sites showed the most active compromise with Google Tag Manager, Shopify and Facebook Pixel showing up consistently as quote, specific offenders. The report highlights, quote, a growing governance gap termed unjustified access, referring to instances where third party tools are granted access to sensitive data without a demonstrable business need, end quote. A link to the report is available in the show notes to this episode.

Dr. Gerald Ozer (16:15)

Okay, so a couple things. Number one, this is GRC governance all day, every day. Number two, you know, this is an infographic using big font for the numbers, which I'm a big fan of. Okay, I, I'm a huge fan of using large font for numbers. So it really grabs your attention. If you're watching on video, the infographic has a title, the Crisis. Listen, I'm not, I'm not for, you know, right click share all or right click grant everyone access. You know, I am reasonable. But, but crisis, dude, CR I don't know, crisis seems a bit of a overreach. You know, to me words have meaning and you know, if we're talking about what's going on globally in certain Countries. If we're talking about what's happening in parts of our country right now, that might qualify as crisis. 64% of third party apps accessing data without justification. The crisis, like calm, calm down first of all, okay. Second of all, 64% as I said again, I don't research or prep, I don't know these are coming. I'm stunned. It's only 64%. Guys, check it out. Here's the deal. In 20, 23, 24, 25, 26, data is gold. I don't know what else you want me to tell you, right? I know the attention, economy and all this other crap, but data is gold. Data can be used for all sorts of purposes. It can be used to target marketing, it can be used, you know, to, you can sell it to other businesses and stuff like that, right? And these third party apps that have, you know, data all over the place and getting access to data, it can be weaponized. So it's super valuable. So therefore obviously getting all this data and then, you know, using it for whatever means you want is highly, you know, highly coveted by these businesses. They point out one of the, the largest, two largest violators are Google Tag Manager right at 8% and Facebook Pixel. Hello, Google and Facebook or Meta last time I checked are Fortune 5 companies. Yeah, Fortune 5 companies. So I'm not super stunned about this. I think that this situation stems from two things. Number one, business is just saying yolo, get as much as you can, we'll pay the fines if we get caught ever. And number two, yeah, I'll share the shirt here at the mid roll. And number two, it lazy developers, guys like I was a software engineer, you know at one point it's, it even think about when you're setting up like sock or logging. It's easier to just grab all the things and then sort it out during analysis than it is to try to figure out what to grab and then hope that you did it right. And then you know, if you come to find out later that you didn't grab the right stuff and you, you like missed some things, well now you're screwed because you can't go back and get it. So I think that that's what's going on now. What, what, what do we do about this? We're not okay with it right now. They got their hands stuck in the cookie jar. So let's figure out what they. Let's see how we solve this crisis. All right, All right, let's see what we got here. Improper PII access comes from tag manager, sure. Public CDNs. Okay. So last year was 51. This year at 64, for sure. Increasing. So Gartner has deemed a new category for data, I mean, for security products, called Web Exposure Management, where they've coined it. Here, let me look at this really quickly. Okay, hold on one second. What are we supposed to do about this? All right, so I mean, they're pointing out what the problems are. Okay. Yes. 0roi, of course. Like, they're taking data that you don't need them to take. And there's no return for you. Of course. Shadow deployment. Yes, of course. Over permissioning. That's a problem we have all over the place. So. All right, so they're talking about the marketing department being the problem because they're the ones who are. Yeah, I would agree with this. Right. So the problem here is most of these tracking pixels and the tag managers, those are going to be deployed by your marketing department. Here's the thing. You can't go to your marketing department right now and be like, hey, what's up? You can't use Google Tag. You can't use Facebook pixel. The marketing department is going to tell you to, like, go away. Because that's how the whole. Listen really quickly because I only know this now because I run a business. I own a business. The whole reason that they use these things is because they set up tons and tons of landing pages. Right? So like simply Cyber IO AI A. Right. The thing I've been telling you about. Right. I'm going to go to it right now. Okay, this is it. This is the Simply Cyber landing page for area. They're. They're track. When I say if you click on it, they'll know and they track it. That's how they're doing it through these, you know, pixel tag things. Which is fine. It'll say, oh, yeah, you know, we had all this activity. It looks like we've got a lot of people from Illinois coming in during the morning and all this other stuff. Right? It's fine. It helps marketing target and focus what's working and what's not working. The problem is that it's potentially grabbing more information from us than we need. Right. So we are. We are the problem. Not we are the problem with the victim in this instance. I mean, this story has tons of information, but not really anything to do. Oh, here we go. Audit trackers. Inventory every pixel and tracker. Good luck with that. This is like inventory inventorying every workstation in your environment or every, you know, endpoint in your environment. People come, people Go. Marketing department can add remove. I would say if you can, here's what I would do. If you really want to take action on this, right. If you're looking for an opportunity to partner with the marketing department, here's the news. I'm going to drop a link in chat. Okay? There's three quick wins. You can meet with the marketing department and say, hey, listen, this is an increasing risk. The problem is it's not like ransomware or business email compromise. It's not good that extra data is being lifted. But again, it's not a crisis. Like they're pitch framing it. Implement automated monitoring. I'm sure whoever paid for this report can sell you a solution that does this and then address the marketing it divide. Yeah, this is the thing, right? Marketing and it, this is like, this is the point. You, this is an opportunity for you. Get with a marketing team and talk about cyber security. Right. You could download the full report. There we go. This is the call to action. This is why they're calling it a crisis. They want you to get that report. Check it out. I would just say, listen, if you want an opportunity to party with your marketing department and have have something to bring them of value, this is it. You do need to better understand what the risk is here. Because if you're going to ask them to take any energy and spend it on inventorying pixels and trackers, they're going to want to know why. So you can frame it as a GRC exercise. But I don't know, to me, again, I don't say it's a crisis. All right, so Kitchen Infosec is saying that the DOM or document object model, which is part of like a web page, could be manipulated. So that is bad for sure.

Steve Prentice (25:17)

Ghost Poster browser extensions up to 840,000 installs. Following up on and updating a story we covered one month ago, 17 more malicious extensions linked to the Ghost Poster campaign have been discovered in Chrome, Firefox and Edge stores and have currently accumulated 840,000 installations discovered and reported by researchers at Koi Security. That's Koi. Last month, the Ghost Poster campaign delivers malicious JavaScript code inside its logo images. This code monitors browser activity and implants a backdoor and quote, hijacks affiliate links on major e commerce platforms and injects invisible iframes for ad fraud and click fraud, end quote. These newly identified extensions are no longer present in the add on stores belonging to Mozilla and Microsoft. Okay, police.

Dr. Gerald Ozer (26:15)

All right, so it sounds like they. If you've already installed this browser extension. And they, you can see Here they have 17 listed in the story. So for yourself, okay, you can check this out if you want to. You can share this with people in your environment or, you know, like your end user base and say, hey, if you've installed any of these 17 Chrome extensions, you're running malware, delete that, Remove the extension immediately. Don't explain the impact or what the malware does and everything like that. Just get it off the machine. It does say that it installs a backdoor, but they're not, the threat actors are not using it to log into your computer. So I don't even know why they have a backdoor, honestly. But I mean, the fact that there is persistence in the ability to access your machine is a very big problem, obviously. But ultimately the, you know, again, I, I don't condone or promote threat actor behavior, but as a student and as an academic, I do respect and acknowledge like hat tip when they do things that are clever or innovative. So this thread here, let me ask you, like, let's be real for a second. The way this thing works is it gets into your browser and whenever you're clicking on affiliate links, it over, it basically like overwrites the affiliate link with their own affiliate link. Okay, that's it. So I put together a huge post about my stream deck. Oh, here's my entire YouTube studio setup. Note, if you click on any of the links, simply Cyber could receive a, a commission for sending you over there. It's, it's affiliate marketing. There's like a thousand, you know, content creators out there talking about side hustles and affiliate links and all this other crap. It's fine. Spoiler alert. I don't, I have all that in place and I don't really promote it or do anything with it. I probably make like 60 bucks a year off of affiliate marketing. So just let you know the real, real from these, you know, tick tockers who are like, I just got this Ferrari with my affiliate link money. All right, let me ask you this. If you had an extension on your machine that overwrote someone's affiliate link with their affiliate link, would you, Would you care? Would you prioritize it? You're. It's not good. And you are trying to support the creator themselves, but at the end of the day, it doesn't impact you personally. And I think that that's an important distinction to give consideration to. Because if only, I mean, if it hurts you, you're definitely going to do something about it, right? But if it's not necessarily hurting you right away. Now you have to be empathetic and you have to take action to help someone else make affiliate link money that they, you know, deserve because they made the blog post or something like that. So it's just, to me it's a little clever because, because it doesn't necessarily hurt you. It's not like ransomwaring your company or stealing your money. It's the same thing. Like when you have an Iot device get compromised by Mirai Botnet and it's involved in a denial of service attack or a bot, you know, a huge botnet, you're like, I don't care. Someone rings my doorbell, I can still see the, the postman or the neighborhood kid. Even if my Amazon ring doorbell is hammering some website out on the Internet. I do want to point out someone said it in chat. There has been a massive, massive expose going on. If you didn't know it's cat. It's like low key gross. Called Honey. Hold on one second. I'm sure, I'm sure you've seen your favorite influencers. Except me because I, because I, I'm not an influencer and I suck. But you get to see my curated feed a bunch of magic stuff. But there is a company called Honey. This guy's done some amazing work on. It's like a three part. He's being sued by them now, but he doesn't care. Mega lag. If you want to check this out, these three videos, it's incredible. There is a company called Honey that was basically doing exactly this, except they weren't doing it maliciously. They were very overt. And it's crazy how much money they were making. They were making ridiculous amounts of money with some of the biggest YouTube creators on the planet. Mr. Beast, Marcus, these other guys, Linus tech tips. So go check this out. I can't really link to it, but it is wild.

Steve Prentice (31:18)

Screws on Black Basta. Ukrainian and German law enforcement authorities have identified two Ukrainians suspected of working for the Russia linked ransomware group Black Basta and have placed the group's alleged leader, a Russian national, on an international wanted list, end quote. This according to officials speaking on Thursday. The two suspects were described by police as hash crackers responsible for recovering passwords from stolen data using specialized software. End quote. The hunt is now on for oleg Nefedov, a 36 year old Russian national identified as the group's ringleader who may also have ties to the Conti gang.

Dr. Gerald Ozer (32:01)

Oh yeah, come on. Give me, give me. Regulators, everything just Froze. Yikes. Oh, oh. What is happening right now? My computer is just like, All right, I don't know what just happened there. My computer just like decided to have like a. It's not good when you hear physical things going, all right, let's do it again. German and Ukrainian law enforcement. Get it? I get it. All right. Hey, you know, f around and find out. Black Boston was, is a very prolific ransomware gang over the last couple years. Many of these ransomware gangs operate out of Eastern Europe. So I'm not surprised to see Ukrainian and Russian nationals involved with this. The, the, at the end of the day, law enforcement and you know, federal, you know, national security. People like FBI, nsa, right. They, they know who these people are. Right. But you've gotta, you gotta, you have to orchestrate getting them. So this, I'm, I'm telling you, this operation, it was probably in the works for quite a while. I'm super pumped. They're on the, they're looking for the ringleader now. Oleg, what's this guy's name? Nefetov, 36 year old Russian national. Now that the cat's out of the bag, I'm sure this guy is like run to ground. He's gone to the mattresses. He's, he's hiding, he's gone to his, you know, I'm sure he has a very comfortable panic room, like panic house, you know, from the amount of money that they've stolen. But they, yeah, they're starting to get these people and, you know, get him to flip. Right? So they arrested two lower level guys, crackers. I'm sure they did more than just crack hashes, of course, but, and, and they're like, listen, we're going to throw you in, you know, a really terrible jail for the rest of your lives. Or you can tell us everything about your operation. Done and done. So I gotta tell I've said this before. The only way to really curb the ransomware threat. Ransomware has been the top threat in our industry for about nine years, going on nine years now. So it's been bad. The only way to do it, of course, we've increased our ability to defend through technologies that you have immutable backups and can detect, you know, large volumes of files being encrypted and, you know, kill processes. We've done awareness training that, you know, keep people from clicking on silly stuff. We do tabletop exercises. We, we've had Microsoft do takedowns of infrastructure. We've had the FBI blow out the emotet, which was not necessarily Ransomware initially, but it would run the Ryuk ransomware payloads. Go, you know, go look at Emotet Trickbot Ryuk if you want a history lesson. But the final thing is you have to get these. You have to get the snake's head, period. Right? Because as they mentioned earlier, they believe that the guy who's on the run here was part of Conti. Conti was a prolific, like the number one ransomware threat actor gang for a minute there. And when in 2022, when Russia invaded Ukraine, half the gang was Ukrainian, half the gang was Russian, the gang officially declared pro Russia, the Ukrainians got pissed off, and Conti imploded. And we actually found out quite a bit because the Ukrainians released all the internal messages. Go check out Brian Krebs's kind of breakdown of all those messages. It's a great little blog post to give you insights into how sophisticated these ransomware threat actor gangs are. But the point is, we didn't arrest anyone. So this guy goes off, and when you can make millions and millions of dollars doing ransomware, you're going to go do ransomware. No one's going to be like, oh, I have this skill that can help me make millions of dollars, but I'm going to go take a 9 to 5 job doing, you know, whatever, a break fix at a small manufacturing company. Like, no one's doing that, right? They, they, they've got a taste for the goods. So until you rest these people and throw them in jail, they're going to keep spinning it up. You can change the name of a ransomware threat actor. You can't change the ringleaders. So I hope they get them. I really, really do. I hope this guy, this Oleg guy is uncomfortable this morning wondering if every single person is looking at him sideways and everybody's an undercover agent. Let's go. Also, Davy, crack it. Boo. Boo to the Broncos. Go Pats.

Steve Prentice (37:13)

Huge thanks to our sponsor, Dropzone AI. Here's a security tip. Most vendors want to tell you your SOC analysts aren't slow, they're drowning. The average enterprise faces tens of thousands of alerts daily. And even your best analysts can only investigate so many before burnout wins. Dropzone AI changes that math. Their AI SOC agents autonomously investigate every alert, no playbooks or code required, in 3 to 10 minutes flat. So stop triaging, start defending. Book a demo at Dropzone AI that is D, R O P Z O N E AI.

Dr. Gerald Ozer (37:57)

All right? I don't know what a B did, but he did something. People are congratulating him. Congratulations. 77 miles on a treadmill.

Steve Prentice (38:04)

Damn.

Dr. Gerald Ozer (38:08)

All right. Hey, check it out. Let's go. All right. Hey guys, I want to say hello and thank you. We are at the mid roll. Thanks so much Alpha Sierra. I know, I know, I know. I miss it too. Alpha Sierra. I want to say thank you to the stream sponsors Threat Locker, Anti siphon Area and Flare. Guys Flair. Love myself some Flair. They are sponsors for the entire year 2026. Go to simply Cyber IO Flare. Check this out. Speaking of black bosta and ransomware threat actors, come join me on January 29th I will be live in chat 11am to 1pm eastern time for a two hour session talking about inside the life of a ransomware operator. If you want to know what, where is it? You want to know what this guy right here whose face is covered up and is being arrested. You want to know what his day to day looks like before he got arrested. Come join us. It's gonna be good. I'm super excited. I will be. I've kind of like. I didn't ask anyone but I basically just appropriated this and I'm, I'm running like a, like a watch party inside this. It's free to register. It's two hours January 29th. I hope you can come join. Let me, let me know in chat if you're going to be there. I do wanna, I'd like to know who's going to be there so I can get pumped up and you know, be excited about who's going to be there from the the community. But come check it out. Flair. Flair's doing great stuff and I really appreciate this webinar series that they do. All right. Every single day of the week has a special segment and Mondays is Simply Cybers Community Member of the Week presented by Threat Locker. Threat Locker takes a deny by fault, deny by default approach to cyber security for businesses. They've got a great track record and they got a great track record sponsoring this segment. So I'm super pumped to give a hundred dollar Amazon gift card or $100 in merch to the Simply Cyber Community Member of the Week. I'll give you a hint. I am a huge MFA champion and someone had a idea and then they took, they took it and made a shirt. Now this is one of only two. I bought one and sent it to him as well. For the woo. Ladies and gentlemen, you can't even buy this because the place I used to do it made this before they realized that it looked too much like the Wu Tang symbol. But mfa, it's the woo. MFA forever. Ladies and gentlemen, your Simply Cyber Community member of the week is none other than Sean Washington. Sean Washington, who developed this shirt very quickly. He's also going to be involved in the sock analyst job interview series. If you've, if you've been following the channel, you know, I did this GRC interview three different levels. I'm going to do it for pen testers and sock analysts. And Sean has contributed to that video series. So this guy's just killing it as far as community support. So I do want to say thank you. He shows up in chat as cyber shin and gummy. But Sean Washington, respect, man. Thank you for being the Simply Cyber community member of the week. Dude, I'll get with you for your prize. Let's keep cooking, y'. All.

Steve Prentice (41:45)

Anchorage Police Department suffers a cyber attack. An incident that occurred on January 7th appears to have been the result of a cyber attack on a third party vendor conducting a software upgrade. The vendor, Utah based White Box Technologies, supports multiple agencies nationwide. Representatives of the Anchorage Police Department state they do not believe any systems were compromised or sensitive data stolen by the event Canadian investment reg.

Dr. Gerald Ozer (42:16)

Okay, hold on. Okay, so I love. One of my value propositions to you as a listener is I try to give you additional insights beyond, you know, you can read this story. Okay, Anchorage Police Department. Compromise. Okay, what, like, what do I do with that? Check it out. This could have happened to anyone. The lesson here is they were this company, which is the Anchorage Police Department. It doesn't matter that it's law enforcement. This could have been your company was doing a software upgrade and they got hit with a cyber attack. Now what, what, what do I want to call. This is. Sometimes during maintenance, Windows or software upgrades, it's not uncommon for the configuration and infrastructure of your environment to be configured to be less secure. So you're doing a big upgrade and you move, you know, the test environment into prod, or you're doing some testing and you have a secondary environment that becomes publicly facing and it has less security on it because you're just testing. And your idea is like, oh, what's the big deal? It'll only be a few hours. No one's gonna find this in a few hours. That is not true. Jason Haddocks gave a talk at Wild West Hack Infest last October where he talked about how him and his hacker buddies have scripts that run constantly looking for infrastructure that comes up. And, and then they'll, they'll like get an alert right through automated, like an automated Slack channel message that says hey, we got a new domain or do a dev domain or something. And they'll drop everything because they know that they only have about an hour to compromise it. So if you're doing software upgrades, don't sleep on thinking about what does this look like. When you're doing upgrades or maintenance or, you know, new deployments, you should be doing some type of change control and, and discussion around how does this impact things, what does this look like, how long, who's involved, you know, are we going to be exposed? Do a risk assessment on that. Be the voice in the room and more. And most importantly, okay, this is a huge one to take with you because I've seen this before. Most importantly, after they've done the maintenance or the upgrade or the new tech deployment, confirm that you have gone back or rolled back or whatever, anything that you did make. Just make sure that your environment is back to a known good secure state. It's not uncommon for, you know, basically not to clean up your mess. Right? Let's say you're. You're making a cake, right? Just. I love using analogies. Okay, Say you're making a cake, okay? Or you're, you're making bread. Remember how making bread was like a huge thing during coven? Let's say you're making bread, okay? You got the flour, you got the yeast, you got the water. Everything's good. You're cooking, baby. This is good. You open a window and you put your dough over by the windowsill so I can get some fresh air. Maybe get a little like, organic fermentation. Because you're, you're like thinking you're like a French brewer. Hey, code brew, right, Ryan? Piercing a bruising ax, you're gonna get a Sison style sourdough bread. So you put it in the window sill, let some of that natural organic bacteria creep in, and then you, you bake it. Okay? That's you doing the full upgrade. Now. After your upgrade's done, you clean the pan, you clean the counter, you put all your tools away, and you're like, look at this, we got bread. We're fully upgraded, everything's hot, good to go. Good night, everybody. But you didn't close the window. You didn't bring down that dev system that got a public IP address. And then you just go on your way and a threat actor slides on by is like, oh, what's this? An open window? And then they creep in like a spider. That. That's like a metaphor. So just don't. This is, this is a. Your. The IT infrastructure Is constantly changing. As security professionals, this is why we get paid. If it was a static environment, they could just have a script look at it. We must ensure that it gets back to a known secure state. Okay, yeah, Dream logic. I was using a baking example to make an analogy or metaphor. I don't know. Elliot Matai says a prior company used to require two member team for changes. One person would implement, the other person would verify, test, and sign off. 300 plus changes a month. Less than 1% failure rate. Let's go. All right, let's keep cooking, y'. All. Let's keep baking, y'. All.

Steve Prentice (47:25)

Later. Suffers data breach. The Canadian investment regulatory organization Ciro confirmed on Friday that approximately 750,000 investors were impacted by a cyber incident last year. The organization oversees all investment and mutual fund dealers in the country, alongside trading activity on Canada's debt and equity marketplaces. It is not an arm of the Canadian government. The data breach followed a sophisticated phishing attack that was detected in August. The data at risk includes PII and financial information, but not login details.

Dr. Gerald Ozer (48:05)

Okay. I mean, what. It's a day that ends in y company had your PII stolen, company not impacted financially. They'll continue to be able to do what they do. And your passwords weren't compromised, which means they're not gonna be able to log in to your account or wherever you reuse that password, which is probably happening all over the place. Of course, there's no evidence at this time that the information's been misused. I laugh constantly about this because, of course there's no evidence. Threat actors aren't that. What, like, what threat actors can be like, I'm stealing your money now? No, I'm sending phishing emails now. No one's doing that. Like, of course there's no evidence that it's been used. All right, now, the good news is the chief executive said we're intent on doing right by those people affected. Take our public interest seriously. Matters of privacy and security are extremely important to us. This is, you know, I guess they're mixing it up a little bit because normally this is the first sentence in those your date has been breached letter. Privacy and security are extremely important to us. And for that reason, here's a year of identity theft protection. Thank you. How are they compromised? Jesus. They had 9,000 hours of forensic examination. That's quite a bit. And all they were able to confirm is that the perpetrators may have compromised data. All right, so there's no evidence here as to what happened. The reason I wanted to know Is anytime a company gets hit and they say privacy and security is extremely important to us, I want to know like if it's some like low hanging fruit compromise, like, you know, they had RDP open to the Internet, I call shenanigans. Because if it was really important, you would have not had that problem. But it could be legit. Remember, you can never eliminate all cyber risk. You cannot eliminate all cyber risks. So even the most secure companies can have a compromise. Solar Winds, believe me, Solar Winds is not messing around when it comes to cybersecurity. And they got compromised in a very rough way. Okay, so can't pass judgment on this group. But just know this is a pretty standard story. So if you're new to industry breaking in, getting used to acronyms and whatever, just know that this story does not make me. This. This is not like this is just like a day. Like a normal day.

Steve Prentice (50:52)

Grubhub confirms data stolen in recent security breach.

Dr. Gerald Ozer (50:57)

See what I mean?

Steve Prentice (50:57)

The food delivery platform says hackers accessed its systems and are now sending the company extortion demands further details about the breach, including when it occurred and what data may have been taken, have not been released. And it is also unclear as to whether this incident is related to a wave of scam emails that had been Sent from its b.grubhub.com subdomain Promoting a cryptocurrency scam. Carlsberg Brewer Visitor.

Dr. Gerald Ozer (51:25)

All right, I mean, see what I mean, dude? Like literally the next story is a hack company hacks stolen data. Whatever. Looks like it's Shiny Hunters. Shiny Hunters Lapsis Group and the. What's the other one there? There's three of them. What's the third one? Shiny Hunters Lapsus and. Oh my God, What's the third? I think the third one begins with an L. Scattered spire. Oh, Scattered Spider. Yeah, yeah, Scattered Spider Lapsis and Shiny Hunters are like young and they've been like, I guess, partying together. It looks like Shiny Hunters is own. Is owning this particular compromise. The threat actors are demanding Bitcoin. Oh, that's not good. Grubhub said that. Hold on one second. Okay, so looks like the. The threat actors got credentials, which is not good, and then downloaded a bunch of data, which is pretty standard. They got financial information and order history. Oh, no, they did not. That was not included. For what it's worth, grubhub says that they investigate and stop the activity quickly. That's a very subjective statement. Grubhub's not answering questions. Thanks. Oh, they're not answering any questions. Like what data was stolen. The thing is, don't worry about it because shiny Hunters will tell you exactly what data was stolen. Right? Shiny Hunters. If you. If you want to know, if you're concerned, Okay, they took over some infrastructure with that subdomain. I don't. It. Okay, it's unclear when the breach occurred, but the bleeping computer who's reporting this was told that it was through secret credentials stolen in the recent sales loft drift data theft attack. All right, so. Oh, my God. Dude, listen, if you. Here's the tldr, it's suspected here that during the. The sales loft data breach, the drift one here from mid-2025. Okay, sales loft drift. I didn't really understand what kind of data was installed was stolen here, but apparently like oauth tokens were stolen, credentials, API keys, all that stuff, and that basically the threat actors stole it all. And now they can turn around and utilize it to, you know, break into other companies and cause problems. Now, this was an attack from six months ago, which tells me grubhub had their data in there, got compromised, and then didn't change anything. That was credentials that had data in there. Guys, whenever a system is compromised, it's a pain in the butt for sure. But you have to refresh creds. You. You have to. You are. It's like losing. Imagine this, if you will. Okay, you lose your keys, and on your keys, there's a little tag that says, you know, your house number or a PO Box or a safe, right? You have a key that opens something sensitive or important to you, and you lose your keys if all you do is go get another key made. Yes, someone isn't walking into your house now, but you are now exposed. At any point, there's a key that can unlock your door, your safe, your P.O. box. It's incredibly painful to rekey your house. To rekey a P.O. box. I get it. But guess what? That's the plan. That's the play. Sticking your head in the sand and being like, oh, what's the likelihood someone's going to find the keys and then use them? Well, pretty good, considering. When you lost the key, it was because a criminal took it from you. So there. Therein. By itself, the likelihood value in the risk calculation goes way up. Now, the impact. You tell me, what was it a key to? Is it a key to your tool shed out back and the best thing they can steal is a wheelbarrow? Or is it a key to your safe where you keep your go bag and $18,000 in cash, passports and important certificates, right? Is, you know what I mean? Like, you tell me the impact, but grubhub, I don't know. Gotta refresh creds and guys, I get it. It can be very, very painful, very time consuming.

Steve Prentice (57:11)

Wristbands expose visitor data Visitors to the Carlsberg exhibition in Copenhagen, a popular attraction for beer lovers, are being warned that photographs made of them as part of a memento service may not be secure. Offered as a complement to beer themed activities for visitors, the photos of the visitors themselves were intended to be made available by entering visitor wristband ID onto the company's website for a fixed period of time. However, researchers revealed that through a brute forcing technique, anyone could access the names and images belonging to the many hundreds of beer enthusiasts who visit the brewery each month. This fact was discovered by one visitor to the attraction, Alan Mone of Pen Test Partners, who succeeded in performing a brute forcing exercise and submitted a report to the brewer on August 19th. According to the Register, Carlsberg has yet to resolve this issue.

Dr. Gerald Ozer (58:09)

Okay, like, okay, two things. One, If you're interested in, you know, getting some personal branding, getting your company or yourself kind of some public, some, you know, pr, some good stuff, you know, doing a hack and then blogging about it or sharing it is one good way. And don't think that there aren't opportunities out there, okay? This is a very simple hack, okay? And I'm not even, listen, I'm not even an offensive security professional. I don't even play one on tv, okay? And I could have done this. If you're, if you're looking, if you're, if you're watching the video of this, essentially this is, this is the equivalent of you go to an experience and they snap some photos and they allow you to look at them online, share them with your friends or whatever. This, this is very, very similar to like when you go to an amusement park and they take your picture as the, the roller coaster goes down. Like, I, I feel like a lot of people have done that, right? Where you go to the zoo and like, you know, hey, you want a picture with you with like the giraffe behind you, whatever. Okay? It's part of the experience. It's fun. Now this brewery in Copenhagen, Carlsberg, which, by the way, I'm a huge beer lover and Carlsberg beer is not my jam, but I like that they do this for their people. What they were doing was they were allowing you to take pictures and they would put them online and you could use your bracelet ID to look them up. But if you're watching on stream right now, The URL is homeofcurls carlsberg.commemories/c496 691. Whenever you see a URL that has some type of number, don't be shy. Go up in the URL, click in there, back out, delete the. The last digit, and increment it by one. See what happens. This is brute forcing. You're basically just doing a. Like, I don't even. This is an idor. Indirect object reference or insecure direct object reference. This is just iterating. They're probably putting the photos in a directory on a file server and using an automated naming convention that just increments the file number to make it easy. Okay, so you can. You can look at other people's pictures. I mean, honestly, guys, to me, this is kind of fun and splashy for them to do this, but this is like, whatever. And the fact that Carlsberg hasn't responded yet, I'm not surprised. They're like, dude, we're just trying to have some fun here. And you're like. You're like a wet blanket or sand in my shorts at the beach. Like, they can take this down and not do it anymore. They can simply include a disclaimer that your photo. Like, to me, this is no different than the company itself taking pictures and posting it on their official Tik Tok or their official Instagram. Hey, look at people here enjoying the Carlsberg brewery. We're in public. This isn't really any rights to privacy, so I. You know what I mean? Like, this is not. This isn't photos from an exam room in a. In a hospital, whatever. But, hey, it's cool. It's a cool little hack. And, you know, welcome to the party, pal. We have a first timer. Dalman. Dalman, Roach. Probably saying it wrong, but welcome to the party. Diamond. All right, let's cook. I do want to say happy Martin Luther King's day to everybody for those who are getting the day off. Hope you're enjoying it. I am. Working, working, working. Will not be doing Georgia. I'll spend a few minutes on jawjacking, but not the whole time. I have. I've just got a ton of work. My kids are out of school today, so I was not wanting to work all day. So I'm trying to just knock out some of the things I have to. So we won't do jawjacking, but don't go anywhere because I have two prizes to give away. And, you know, I want to give some prizes away, bruh. You got up here early on a. On a Martin Luther King day to hang out. Let's reward you. I'm Jerry from Simply Cyber. Don't go anywhere. In fact, I'm not even going to do the Jawjacking thing. Let's do this. All right. All right. There we go. Check it out. Do me a favor. Jason Haddock. The same awesome dude I told you about a little while ago. He runs Arcanum Security. Now. Arcanum Security is celebrating two years in business, and Jason reached out to me and gave me some prizes to give away. So do me a favor. I'm going to open Nightbot right now. I'm going to give Everybody, you know, 60 seconds. See how the sausage is made here? So the keyword is Arcanum. A R, C A, N, U M. Enter Arcanum in chat to enter. Let's go. You can see here. Look. Phil Stafford's in. Give me some more people. Come on. Code bruising. All right, cool. Davy Crack it. And his Denver Broncos. All right. Soul Shine. Welcome to the party at work. Well, hey, I can empathize. All right, so go ahead and enter. What I'm giving away is a. A voucher for one of Arcanum securities trainings. Any training for it. The training is yours for free. Now, you can take the On Demand training, or you can take one of his live trainings. And I just want to show you this one. Red, blue, purple, AI. This training is insane. Insane. And can I just show you the price tag really quickly? $2,000. So what we're doing right now is. Well, I'm raffling off $4,000 worth of product right now. For real. You don't have to take this one. But this. This training is ridiculously awesome. Wade Wells took it and talked very highly of it. So we're just over here casually throwing away or throwing out thousands of dollars in product, and this is why you got to show up? Because I'm not organized enough to say, oh, hey, like. And subscribe. Leave a comment, and on January 19th, I'll be giving away. Show up. I. I'm not doing that. I'm just like, YOLO all over the place. We got 63 entries. I'll give it another minute. Let's see. Listen, I'm gonna set this song, all right? When the song ends, we're gonna pull the raffle prizes. 46 seconds remaining. All right, guys. Hey, I want to thank all of you for being here. Definitely appreciate it. Again, please, do me a favor. Do me a solid. Whatever you want to call it. Simply Cyber IO, Slash, Flare. Come join me for the. For the flare webinar on January 29 for the watch Party. Super excited about that. Click on the link in chat and click on the Area 1 areas just for the month of January. So give it a shot. Go check it out, at least see what it's all about. All right, four seconds. Three, two, one. All right, we're gonna raffle off this. Arcanum Security, here we go. Winner, winner, chicken dinner. Our first winner is. Oh, Mad Destroyers here. What's up, Mad D? First one is Carrie. Yes. Oh, man. Boom. Man. Hell yeah. Carrie. Carrie. Congratulations, Broseph. Connect with me on the Discord server so I can get you your W's. All right. And our next winner is. Berlin DAB9694. Berlin DAB9694. Now, I know Carrie, so Carrie, get with me. But Berlin Dab, I'm not. I don't. I'm not familiar with. With you, but if you can ping me on the Discord server. Hit me on the Discord server. What I'll do is I just need you to show me, like, some evidence. Like, just a screenshot of, like, your YouTube or whatever. Like, I just. I want to confirm it's you, so I don't. Some. Some. A hole doesn't try to steal it. Now, the cool thing is we. The cool thing is we don't have a lot of jerks in the community, so it's. It's. It's awesome. Yeah. Berlin Dab, you're a winner, baby. Come on. For all those who entered, thank you very much. All right, guys, I'm gonna get. I gotta get out of here. Just. Hey. For Berlin Dab and Carrie, go to the Simply Cyber Discord server, the general chat channel, and just. At Gerald Ozer, PhD, just say, hey, Gerald, or whatever. That way, I. It's. It's easy for me. I'm 46 years old. I barely can Discord. Well, so make it easy for me. A I R. A I R I A. LinkedIn. Oh, you're hitting me up on LinkedIn. Hold on. I'm getting pings. I'm getting pings. What is this? Hold on one second. I'm doing this in real time. Also, Sean Washington. Hit me up, flaming donkey. Okay, hit me up here. Let's. All right, I don't see any. I don't see anything on LinkedIn. So just get with me. We'll figure it out. Okay, guys, I'm Jerry from Simply Cyber. Thank you all so very much for being here. Today. I hope you had a good experience. I certainly did. Shout out again to Sean for the Woo MFA forever. Oh, it's not Berlin Dab, it's Berlinda. Okay. All right, guys, be well. I'll catch you tomorrow, 8:00am Eastern Time. Oh, oh. Just as a quick reminder, if you guys didn't know, I'm. I've been releasing videos on YouTube on Sunday at 4pm this was the third in the GRC interview series. So if you're looking to be a GRC analyst and you want some feedback on job interviews, come on. Check this out. You can see his Chimeria Gonzalez, community member, answering the question. My man, Jesse Johnson, cosmic cowboy. Where is he? There he is. Jesse Johnson, the cosmic cowboy, answering questions. And then you can see I'm providing real time feedback in the middle of the interviews to help you be better at crushing those job interviews. And then finally, our very own Erica McDuffie, who is just slaying it as a senior GRC professional. And I'm going to break down her answers and everything too. So the idea is giving you value. That's what's up. I'm going to share a link in here, as always. I don't say it very often, but my. My son says I should. If you like the videos, the lives, the produced videos, whatever, like, hit the like button. It does go a long way to help the algorithm subscribe. Hit the bell for notifications, all the things. All right. I'm Jerry from Simply Cyber. Until next time, stay secure. See ya.