A
Good morning to you. How are you today? Welcome, everyone. It is Friday, March 27, 2026. This is episode 1098, I believe, of your Simply Cyber Daily Cyber Threat Brief podcast. I'm your host, Dr. Gerald Auger, coming to you live from the Buffer Osier Flow Studio. Welcome to the party, pal. We got a great show for you. If you want to stay current on the top cyber news or get exposed to accelerated learning in the cyberspace, what the acronyms mean, how the pieces fit together, what the heck is GRC? You got all that and more coming to you today, and I got to tell you, you will be expected as a practitioner or practitioner-adjacent in cyber security to be current on what's going on. It moves that quick, and that's what we're doing here every single day. Shout out to you for being here or catching us on replay. We're off and running. Get your coffee. Let's get ready to cook. I'll take you.
B
All right.
A
It's been a long week. Started in San Francisco, ending in Charleston. All about good times. I am excited, everyone. Not just because it's Friday. You're picking up what I'm putting down, but just feeling the vibes. The coffee's flowing. Loving it so much. Shout out to these Simply Cyber community members, James McQuiggin at 35,000 feet making his Jawjacking solo debut yesterday. Ms. Julian. Good to see you. Phil Staffer. Ms. Julian, I hope you're getting pumped for Magic Commander Games. I certainly am. I know it's like months and months away, but a guy can. A guy can dream, right? What's up? Doom Cracking and Nicholas. Vincent. Good to see you guys. All right, listen, hey, look, we're gonna go through eight top cyber stories of the day. I have literally no idea what they are going to be. I haven't researched, I haven't prepped. And I got news for you. I have no idea what I'm gonna say about them. Ain't nobody got time for that. That's right. But I do have 20 plus years of experience and a very burning passion for everything cyber security. I love talking about cyber learning, cyber teaching, cyber working cyber, all the things cyber. So I am ready and equipped to give you that knowledge. And beyond giving you the headlines and the obvious things that you would get from an RSS feed or just skimming Google News or something, we're gonna go beyond the headlines. We're going to take it to the next level. We're going to double click down into this mother trucker and I'm going to give you insights that you won't get in a textbook or a classroom. Things that are not going to be written in the report. How do these pieces fit together? How can you use this information to drive risk reduction for your business? How can you take action today to be the absolute bee's knees at work on Monday? All that and more. Now, if you're here for the first time, I want to say, welcome to the party, pal. I got a special welcome to the party pal lined up here.
Listen, if you are here for the first time, right, maybe you heard from someone at RSA, maybe you saw I started, like a new little shorts series that I'm happy to talk about if people are interested. But maybe you found us through that. However you got here, you're live with us right now. And that's awesome. Drop a hashtag first timer in chat. Hashtag first timer in chat. We have a special sound effect, a special emote, and we love welcoming people. It's as simple as that. Guys, listen. Cyber security is hard. Meeting people and learning about it doesn't need to be harder than it needs to be, right? It's difficult. A lot of terms, a lot of concepts, a lot of moving pieces. But this community right here, there's. You'll never hear anyone say, that's a stupid question. Nope, that doesn't happen here because we are supportive, inclusive, and we try to empower you to take action for yourself. So I do want to say a quick shout out. In the last couple days, I have met several people or been messaged by several people who are Simply Cyber community members. They listen to the show on the regular, but they'll never be in live because they don't get the show on YouTube. And I just want to give a quick shout out to Kim. I'm not going to give her the last name. Okay. But Kim sent me a DM and said she's new to the industry, loves the podcast. She is getting all sights of insights, but the thing is, she listens on Spotify and she's typically driving right now. So Kim might be driving right now up in the Virginia area. So for all those who are listening on Spotify right now, in the car, at the gym, getting breakfast ready. If you're listening on Apple Podcasts right now, you know, working out, showering, whatever it is you're doing, I want you to know you're part of this community, too. Welcome to the party, pal.
C
Welcome to the party.
A
All right, so whether you're on Spotify, Apple Podcasts, or you're live right now. Like Phil Stafford, Ad tech and Mar Le Kathy Chambers Media. Let me tell you, every episode is worth half a CPE. So it's very simple. Say what's up in chat. Grab a screenshot. If you can include today's episode, which is March 27th, episode 1098. This is called the unique piece of forensically sound evidence. It shows you were here. It's as close as I can get to like, like, you know, a check-in table, like sign your name on the clipboard that you were here. It's as close as I can do to that without requiring you to register. All right, now we could get fancy pants and you could, you could, we could do registration and I could send you an email with like your CPEs and stuff. But then you know, you'd be, there'd be extra friction for you and I don't know if anyone's got time for that. Ain't nobody got time for that. All right. All right. And by the way, if you are listening to this on Apple Podcasts or Spotify, like reach out somehow, put it on LinkedIn, put it on Discord, do something, let us know. I mean I, I like this community is freaking huge and it's awesome. All right, we got our CPEs, we got our first timers. Every day of the week has a special segment and I gotta tell you, this Friday, like every Friday, is Dad Joke Friday with James McQuiggin at 35,000 feet. Now, I have no idea what the jokes are. I also don't look at those. You get to see them right when I see them, which makes it a bit more authentic and fun. Plus I get a little rib tickling myself. So definitely stay tuned at the mid roll for that. Now before we get into it, I do got to say shout out, shout out. And thank you to the stream sponsors, those who enable me to bring this show to you every day without interruption, whether I'm in San Francisco or I am in the low country. Antisyphon Training. That's right.
Black Hills Information Security's training arm provides high quality, cutting edge education to everyone, regardless of financial position. And what I want to tell you is this Wednesday, April 1st. Not a joke. Although Dan Reardon will make you smile. Antisyphon is promoting a webcast or putting on a webcast, how to write SOC tickets that build trust and drive action, with none other than the same haircut fish that is this guy right here. I'm showing that What's Your Meme Thursday? Haircut fish is bringing the heat. So if you want to learn how to write SOC tickets, build trust, drive action and do it in a supportive, inclusive way. Oh yeah. Come on down at the haircut fish. Love it, Dan, I'm super pumped for you. Dan is demonstrating how to do personal branding and deliver value into the network and just have positive impact. I love watching Dan grow. Way to go, Dan. Also want to say shout out to Flare now. Guys, I told you I'm a huge fan. I like to think of Flare as a preferred partner of Simply Cyber. And right now Flare is running a special opportunity for you. You can get two weeks free of Flare, which basically allows you to try the full platform out. See all the data, go to Simply Cyber IO Flare. This is really like listen, if, if you work in sales, Flare is not going to help you so much. If you work I. Well, I mean your pen tester maybe not so much, but if you're doing red team it would certainly help because you can emulate the threat actor. But if you do security operations, GRC. So you're a one man band protecting an organization. You're a one woman party helping keep everything tampered down. This platform is a massive scale factor. Just blow you up. As an awesome practitioner, you do have to fill out this form in order to be verified that you are who you say you are, not a criminal.
But once you get past that, which is fairly easy if you are legit, you get full access to their threat intelligence platform which has years and years of data as well as current data of, you know, criminal Telegram channel activity, criminal dark web, underground activity, forums, all those things. Why do you want to see that besides it being cool? You can look for your organization, you can look for your domain names, you can look for your end points, you can look for chatter about your organization, you can see an incoming attack, you can find out that Carl's computer has been compromised and get it sorted out before that intelligence gets weaponized. Super cool platform. I really, really like Flare's platform. I've used it. This isn't just sponsor dollars, you know, keeping me like a muppet. Flare doesn't have their hand up my butt and making me talk. I'm saying this because this is what I believe. Definitely like that platform. And of course another long time sponsor of Simply Cyber who really believes in our mission here. ThreatLocker. Love what they're doing. Zero trust at the endpoint and now at the cloud. Go check out ThreatLocker. They are making moves in our industry. I love it. We'll hear from them and then I'm going to melt your face with the top cyber news. Let's go. I want to give some love to the Daily Cyber Threat Brief sponsor ThreatLocker. Do zero-day exploits and supply chain attacks keep you up at night? Worry no more. You can harden your security with ThreatLocker. Worldwide companies like JetBlue trust ThreatLocker to secure their data and keep their business operations flying high. ThreatLocker takes a deny-by-default approach to cyber security and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operation is fully supported by their US-based Cyber Hero support team.
Get a free 30-day trial and learn more about how ThreatLocker can help prevent ransomware and ensure compliance. Visit threatlocker.com Daily Cyber. All right everybody. Whether you're in the car, Kim, or you're. Was that even English? Or you're at your desk space tacos about to activate lurker mode. Whether you're human or shall we play a game? Non human. A lot of people send their AI assistants to meetings now. I do so for our digital overlords or other our, you know, neighborhood meatbags. Do me a favor, sit back, relax and just let the cool sounds of the hot news wash over in an awesome wave. I will see you all at the mid roll for some jokes. From the CISO Series, it's Cybersecurity Headlines.
D
These are the cybersecurity headlines for Friday, March 27, 2026. I'm Sarah Lane. Alleged Redline dev extradited to U.S. An alleged developer of the Redline infostealer malware, Hambardsum Manassian, was extradited from Armenia to the US and faces up to 30 years in prison on fraud, hacking and money laundering charges. Prosecutors say he helped run Redline's infrastructure, supported affiliates and profited from selling access to the malware, which has been used in thousands of attacks across more than 150 countries. The case follows a 2024 international takedown of Redline systems. Authorities continue to target its operators and ecosystem.
A
Yeah, red. All right, so this is great. 30. You know again in the United States it's innocent until proven guilty. So we'll see. I mean typically they're not going to extradite a dude on like what, you know, like, like just okay evidence. They likely have all of it. Regulators. All right, so they're coming for you. Yes. Y. And I see gib what 6012 saying Am I up this early? Good morning. Get your coffee, get going. But yeah, hey, you know what? Play stupid games, win stupid prizes. Redline Info Stealer was an absolute blight on our industry. Like it was definitely up there as like one of the top info stealer malwares. Like for, for. I would say it felt like a couple years, honestly, maybe it was only like six months, but it felt like a long time. You would see it all over the place. If you work in a SOC or security operations, you definitely know Redline Info Stealer. There were other ones around that time, like Raccoon Info Stealer was another popular one and a few other ones. But like Redline was absolutely the belle of the ball. Like you didn't, you know, it was, it was so hot, right, that Hansel
E
so hot right now.
A
So, you know, obviously law enforcement took down the infrastructure. I didn't know, I guess I forgot. Maybe that had to have been news that we covered. But law enforcement took down the infrastructure. Obviously. This guy. When law enforcement takes down your infrastructure and basically kneecaps the way that you make money, you have two choices. One, you try to rebuild the infrastructure, which is pretty common, or you go underground. And then, you know, you basically are running for the rest of your life hoping law enforcement doesn't catch you. And in this case, Hamburg, he got, got bruh. And now he's in Austin, Texas and he's. He's probably gonna go to jail now. They said 30 years. We'll see. I. I don't know how the law system, the judicial system works. It seems like, it seems like a lot of people don't go to jail for as long as they're supposed to. But yeah, it just goes to show you too. Another thing is that like this guy was running Redline Info Stealer, but his victims, he didn't care about. Like he, he was a business to business dealer. He was selling access to compromised assets, not exercising that compromised access himself. Right. So that's the deal. I will say that right now. Okay. Kneecaps the band. Thank you, Sierra. I do want to point out really quickly that, you know, according to Hayden Covington, who is, you know, like, well, well respected security operations professional, initial access is kind of the, the, the long pole in the tent as far as threat actor operations go. Like getting, getting the access is kind of the bigger challenge. And then once they get the access, moving around, deploying malware, second stage payloads, persistence, all that is fairly straightforward operations, processes. So, you know, a platform like Redline Info Stealer was hugely valuable to criminal undergrounds as well as massively disruptive to, you know, to, to victims and to people like us, like normal people who are just trying to like live our life, et cetera.
So way to go law enforcement. Redline Info Stealer, you know, you'll, you'll never know how good you had it before you got, you got taken down. All right, good. I'm loving the number of stories where high ranking criminals are getting arrested. We need more of that because really quickly, this is an editorial, I have said it a few times. The only way to curb cyber criminal activity is going to be through like a multifaceted approach. Law enforcement takedowns, obviously higher education on end users to prevent successful compromises and arrest, you know, arresting the people behind those and having harsh penalties. So someone who's kind of on the fence about becoming a criminal or they're going down that path of being a criminal, gets basically scared straight.
D
Red Menshen uses BPFDoor to spy. China-linked threat group Red Menshen has infiltrated telecom networks to conduct long term espionage using stealthy kernel level implants like BPFDoor to maintain persistent access. Researchers at Rapid7 say the malware operates as a passive backdoor that activates only via specially crafted network packets, allowing covert surveillance, credential theft and lateral movement without typical detection signals. This targets network infrastructure from vendors like Cisco and Fortinet, with new variants hiding commands inside HTTPS traffic.
A
Okay, former. All right, couple things really quickly. And this is like a perfect example of like me trying to give additional insights and value. So if you remember, it wasn't, you know, it was just recently that Salt, Salt Typhoon, like salt and pepper, like salt and pepper, Salt Typhoon. Not to be confused with salt and pepper. Like ooh, push it, push it real good. Like not that one, just Salt Typhoon. They went ham on telecommunication networks in the United States. They got into the top nine telecommunications like Verizon, Attorney and all those. They went into the telecommunication networks, I believe, of Japan, maybe Germany as well. Like they've been doing it kind of all over the place. Yeah, that's right. Dan Reardon. Dude, you know what, I gotta just tell you really quickly, just as an editorial, because if you're old, you know, like Salt-N-Pepa, they were, they were, they were live. Like they were, they were like good. They had mad energy, right? I feel bad for them. Go look into what's happening with them right now. They're in like court battles over their catalog just like every other music act who's gotten screwed by agents in the 90s. But anyways, Salt-N-Pepa. Well, welcome to the party, pal.
C
Welcome to the party.
A
1098 episodes in and I think this is our first Salt-N-Pepa reference. So anyways, Salt Typhoon's all up in the place. And I had suspected that the entire reason China was doing this was to set up a forward operating base or forward operating positions in an, you know, asymmetrical war where they're into all of the different telecommunications. They also hit a bunch of ISPs in the United States. I want to remind you, ISPs are Internet service providers. These are the people that actually deliver network traffic to allow businesses and you to go on the Internet. So it was, you know, hey, if they're going to attack or there's some type of global conflict which, you know, appears to be closer and closer to reality every day, they could shut down the network, they could spy, all these other things. And now it seems like, yes, that is in fact the case. Not only are they in the networks, but they've installed stealthy implants for persistence, which means they can come and go as they please. And for espionage, like info stealing and sniffing and stuff like that. So the fact that they have found this BPFDoor is great. That means that now that we know it's there, we can go and tell the other telecommunication companies, hey, go look for this. If you work in telecommunications, like, you know, you're in one of the bigger ones. Those companies are massive enterprises, so they have huge IT teams, distributed infrastructure, etc. You are going to want to look for this stuff. Now, one thing, that or two things I want to give you. Oh my God. Okay, so hold on, just the technical details of how this works. They abuse Berkeley Packet Filter functionality, BPF, right? To basically look at network traffic. Look at network traffic inside the kernel. Okay, that's weird. I don't, I mean, whatever. I don't typically think of network traffic in the kernel. The kernel is like the brain of the operating system, right?
Think, think about this really quickly because this will make sense in a hot second. When you use a computer like Windows or Linux or your macOS, you're like click clacking on the keyboard and interfacing with applications and stuff, okay? You live in user land, that's what that's called. Underneath that is the kernel and underneath the kernel is hardware. You're click clacking and writing a very important email and then you save it, right? When you save it, it has to do it in memory. Maybe it's writing it to disk, maybe it's displaying it on the monitor. These are hardware pieces and you don't click clack on hardware. I mean, I guess the keyboard's hardware. But you get what I'm saying. You tell the computer what you want to do and then the kernel tells you, takes your inputs and then interfaces with hardware to make those things a reality. Okay, I'm completely oversimplifying this, but for this discussion, it's a perfect level. Okay, so when it says it inspects the network traffic inside the kernel, I mean, I guess because the kernel is going to be interfacing with the network interface card, like where. Or the wireless access card, right? Like where the ethernet jack plugs into the computer, like the actual hardware chipboard that has the network interface card on it. There would be network traffic in there at. Between the layer 1 and layer 2 on the OSI stack. Listen, if they're looking at traffic there, more power to you, my guy, because like that's, that's deep. I will say that if the data is encrypted, i.e., it is a, you know, SSL connection, HTTPS, at that layer it hasn't been decrypted yet, so it doesn't get decrypted until it gets up to layers five, six and seven. So, or, or maybe, maybe layer four, like the transport layer. I'm not entirely sure where it happens, but I think it's at the data layer. So anyways, all of this is to say I don't get this particular thing. Okay.
If someone wants to educate me on what inspecting traffic inside the kernel means, I would love to hear it, because to me that doesn't entirely make sense. Okay, now the other thing I want to point out that is worth noting for you is that they said that China. Okay, so Daniel Lowry. Thank you, Daniel Lowry. Good to see Daniel Lowry in the chat. By the way, Daniel Lowry says BPF, the back Berkeley Packet Filter, allows promiscuous. Promiscuous mode on the network card. Now, promiscuous mode, for those who don't know, promiscuous mode is basically like letting you see all the traffic that's flying by. If you're going to do like wireless attacks and stuff, promiscuous mode or monitor mode is what you want to get into. And you actually need a special network card that has those protocols enabled and all that other crap. Still. Here's my thing. If the network traffic is encrypted, you can inspect it all day long, but like it's still encrypted. You're still going to see the destination, the source ports or destination ports and all that other stuff. But like the actual meat, the potatoes, what's inside the to-go bag. You're not gonna see that. You can see it's DoorDash and you could see it came from Popeyes chicken. You don't know if it's a six-piece tender in there or two wings and a thigh. You don't know what's going on inside that bag. So again, inside the kernel. I don't know how I feel about that. I'm pushing back. We will talk about inside the kernel at Jawjacking. Okay? By the way, just quick shout out to Daniel Lowry, who's a, speaking of promiscuous mode, Daniel Lowry is a promiscuous boy. All right, all right, final thing. Threat actors, they mentioned Chinese use HTTPS to send this data out. But basically every business in the world allows port 443 outbound of their network. This is the Internet web traffic that's encrypted. Most websites are encrypted. You're.
You have to allow your end users to go on the Internet or else your business is going to suffer incredibly. So threat actors know this and they just hide in the noise. Okay, this is no different than saying like the highway is open for evacuation, right? Or no, no, actually, I'm sorry, really quickly. China using HTTPS to exfil data. It's no different than dressing up like a firefighter after you've like broken into the bank or whatever and pulled the fire alarm. And then a bunch of firefighters are there and they're walking out. And you walk out like every other action movie does, where you like hide in the noise. That's the same thing, right? You're going to allow firefighters in and out of the bank. If you dress like a firefighter, you're going to go in and out of the bank too. Okay? Daniel Lowry, what do they call him? What's his tech neck? Is it technic Techn. The promiscuous boy.
D
NSA chiefs worry US cybersecurity is slipping. At RSAC 2026, former National Security Agency leaders warned that the US is losing its offensive cyclone cyber edge.
A
All right, Brexy. Brexy says eBPF can inspect encrypted traffic. How. How is it decrypting it? Like, we're gonna have to talk about this at Jawjacking. Okay? Because what is. Why, why does it say stay tuned for Jawjacking. What are we doing here, bro? If. Oh my God. All right, I gotta figure this out.
D
Amid rising threats from China, from AI and from cybercriminals, officials including Paul Nakasone and Mike Rogers said repeated attacks have led to complacency, while political division, lack of major cyber legislation and weakened public-private coordination are slowing response efforts. They also warned China has pre-positioned inside critical infrastructure and, without stronger action, a major cyber crisis could be inevitable.
A
Yeah, okay, so this is 100% true. There's a lot to this. Okay, so this was at RSA and these are, you know, very high ranking, you know, federal. Basically former national security directors. Four of them. Okay. Speaking at RSA, including multiple star generals. Right. General Paul Nakasone. Now it doesn't, it says general. So unless that's a typo, that would mean a four star general. Four stars, like you only get a fifth star if you're in an active war, which I suppose we are. This dude is a big dude, okay? This guy looks like when he goes to the beach, it looks like he's pushing a bicycle. You know what I'm saying? So, and I'm not going to explain that. If you know, you know. All right, so I 100% agree to this. The thesis statement is that the United States has been getting absolutely bamboozled and we've become numb to it. Right. And this is true across many countries. But I'm going to stick to the US because these are the national security directors for the United States. Oh, he was a four star military official. Yes, exactly. So here's the reality, yo, we have become known to it. We. And here's my thing. I don't even think we're numb to it. We are out there. We were, we're out there doing the work guys and we're just getting clobbered over the head over and over and over and over again. And it, that's why there's a job for it. That's why it's so important. What we do is. And I wouldn't say that we're numb to it. I would say that the, like, the institutional attitude towards it is flippant. So I don't think we're numb to it. I just like, I think that we as a, I mean now we're getting into more like political and Phil. Philosophical conversations. But like my, my take on this guys is like, well, two things. One, we continue to invest in cyber as a nation, you know, whether it's President Trump or President Biden. Right. Like, we're not, we're not, we're bipartisan here. We're not choosing sides and flipping out at anyone on the other side.
But all the presidents, starting with Obama, right? And maybe even before Obama, have been making executive orders around hardening, you know, federal systems, which, which you know, trickles down to other, you know, private sector businesses. NIST Cybersecurity Framework, a perfect example. It's a voluntary framework that anyone can use, right? FISMA compliance, NIST 837, 853, enabling that. Like these are things that have been put in place. Critical infrastructure, executive orders around Zero Trust architecture and MFA, like doing all the things. So it's not like we're numb and we're, we're. Hold on one second, bro. It's not like we're numb and we're just like, oh, like eff it, I'm just gonna roll over and die. I'm just gonna stick my head in the sand and play Magic: The Gathering and just let the bombs fall. Like, that's not what's going on. We are doing all the things. What I would say is that like in a, in a real organization, right, if you work at a company right now, okay, if you work at a company right now, whether you realize it or not, the tone at the top sets the tone and the governance vibes for the organization. Do not underestimate the value of this. If your organization's senior leadership thinks cyber security is a cost center and an absolute waste of money and your executive teams constantly violate policy because we're the executives, that's going to trickle down just like this. Okay, I would argue again, please, if you're a squad member. We haven't done this in a minute, but there is a tinfoil hat Jerry emote. This feels like one of those times that we should exercise it. Listen, when China, when China attacks via Volt Typhoon. This is not alleged, this is confirmed. Energy sector and attacks a bunch of those. And then right afterwards, China attacks all the telecommunications players in the United States, which we just covered in a different story. And the ISPs and North Korea attacks Sony Pictures and you know what I mean?
Like, and, and there's China floats a hot air balloon over like a third of the country. We had no idea what the payload is in the damn thing. Like when these things happen and it's just like, ah, you know, whatever, it's cool. Let's just, let's, let's not worry about that and let's focus on, you know, political division and infighting, right? Like, how are you not supposed to be numb? To me, this is like an example of tone at the top, but seen at a macro scale of a federal government being the organization and we as citizens being the end users. It's the same thing, all right? It's the same thing. So I 100% agree with these four generals. I. I disagree that we are the. We are the. We're numb to it. So we're not doing anything. It's just, you know, I mean, if you do the same thing over and over again and get the same result, what do you expect? The librarian 10 in the chat. What's up, Christina? I was actually happy to see you in the chat, Christina. I was wondering how you've been. I hadn't really heard from you since Deadwood in October. November. So good to see you in the chats. All right. So anyways, I don't think we're numb to it. I think we're doing all the things. We're just. We're just getting beaten down by the sheer volume of it. All right? That. That's it. You got to keep the. Hey, you got to keep the fight up, all right? The second you lay down and die, they're just going to steamroll over us anyways.
D
Cyber threats on the rise. In more news coming out of RSAC, automotive cybersecurity is a big deal as vehicles become increasingly connected and autonomous. Kamal Gali, vice president of Car Hacking Village, and Julio Padilla, CISO of Volkswagen and Audi South America, say that modern cars with millions of lines of code and extensive wireless connectivity face rising threats, similar to the 2015 Jeep Cherokee hack by Charlie Miller and Chris Valasek, which allowed remote control over vehicle functions. Gali highlighted ongoing research at Car Hacking Village and warned AI and post-quantum encryption will reshape vehicle security. Padilla emphasized continued investment to secure autonomous systems.
A
All right, holy crap. A bunch here. Number one, I didn't know RSA. By the way, she called it RSAC. Again, she's a reporter, not a cyber practitioner. I don't know about you guys. Like, I have never called it RSAC. It's RSA. Mad Destroyer Coffee Zone, sending five gifted subs. Thank you, Mad Destroyer.
E
Just become best friends.
A
All right, I'm just going to run a quick poll. Call it RSA or RSAC. And I know it's RSAC, but, like, I don't know. And. And, you know, it's anonymous, so you can vote and not sweat it. But, like, I. I just. Here's the thing. I say RSA. Most people say RSA. I want you to hear the.
E
The.
A
The right way to say it, because I don't want you to. I don't want you to say it in a meeting with other people and be like, oh, I went to RSAC. You know, like, just. I don't know, Hold on. Fine. TJ says xxxx. Is it now RSA? Oh, oh, I see, I see. No, the, the C stands for conference. RSA Conference. As far as I know. Yeah, I know they write it RSAC. It's just as a, as a. Okay, so anyways, I didn't know they had a car hacking village. Yes, machines or machines. Automobiles are becoming more and more connected. Digital, I mean, Tesla as a, as an example. Tesla doesn't even identify as a car company. They identify as a technology company that happens to have wheels. You know what I mean? So hyper connected. You can start your car all, you know, from anywhere. Check things. You know, airplanes are kind of like this, right? You know, drive by wire, fly by water wire, all these things. So whenever there's a computer on board that controls things, there's going to be hackers out there trying to break it, understand it. Now if you are new here or you're not familiar with this. They mentioned the Charlie Miller and I feel bad because I always forget the other guy's name, but the Charlie Miller, Jeep Cherokee research, like basically blew the lid off of automobile cybersecurity research a couple years ago. Maybe 20, they say 2015. Like no one had been really looking at automobile hacking. And Wired did this thing. Yeah, July 2015. So 11 years ago. Good grief, dude, I can't believe it's been 11 years. Charlie Miller and his co researcher remotely took over a Jeep Cherokee and they were able to do way more than change the volume on the radio, although they could change the volume on the radio, they could lock the doors, put the windows up, kill the car, meaning turn it off. Charlie's on the left there. They could see where the car is. They could speed the car up. So, so how, what does this mean? It becomes quite real if you're driving the car.
I could literally take it over and drive it into a tree at 80 miles an hour and kill you. Okay. That's the level of, of visceral impact that could happen on this. Of course, I could also disable the car so you can't get to wherever you're going. And therefore I have like an availability issue. I make you miss your flight and then I'm the only one who shows up to the business meeting and I win the deal, whatever this is. Eleven years ago, on the heels of this, DEFCON started getting a car hacking village. It became an entire discipline within itself and RSA. All RSA is doing here is saying, listen, we, we recognize this and it's coming. And you know, they're continuing to support it. I, I don't think there's much story here other than to like, make you aware of automobile security and the whole thing. Like, basically there's a, there's a, a controller in the, it's like a, I think it's called the CAN bus. Bow Tie Security is going to join us for Jawjacking and I feel like this is something he's probably tinkered with. But like we, you can control all the things with that CAN bus. And then, you know, because you have OnStar and wireless connections, there is an access point into the vehicle and once you get that, you're good to go. Now, just as a quick side note, they mentioned with the, with the coming development of, you know, accessible quantum computing, this is particular, particularly interesting. I would, I would disagree. Maybe it's my ignorance, but dude, there's no way I'm thinking that, like, there's a lot of things that can be done and research that can be completed sans quantum computing. Like, I don't know if they're throwing quantum computing around just because it's like a buzzword right now, but yeah, right here. Automotive cyber will need to continue to evolve. AI is already reshaping the threat landscape and post quantum encryption protections will be a must. Like, post quantum encryption protections will be a must. I don't know. I don't know.
Like, I don't know if they just put this in the buzzword bingo generator and hit the button and the, this paragraph popped out. But like, I don't, I don't think post quantum encryption protections is what we need to be worrying about with someone accessing our CAN bus on our vehicle.
D
Huge thanks to our sponsor, ThreatLocker. Security controls fail when they break the business. Successful teams phase in protections gradually, starting with visibility, then moving to enforcement. That approach allows organizations to reduce risk without overwhelming IT teams or disrupting critical workflows.
A
Learn more at threatlocker.com. All right, hey, guess what? We're at the mid roll. For those listening on replay and Spotify, you're not probably going to be able to hear the jokes. I will pause it when we do the jokes, but guess what we're doing right now. All right. Hey, I know that it's a little played out and I know it triggers, I think it triggers Zach Hill. So let's go ahead and trigger Zach Hill right now. But this, when I hear this song drop, this is what I think of immediately. Okay, come on, tell me, tell me. Do you resonate with this? Like when the, when the song drops. It's absolutely this all the time. Guys, thank you so very much for being here. Thanks for being part of the show. Thanks for just making Simply Cyber a special community to be part of. I could not do it alone. I promise you. It is special because of you. All right, ending the poll, 83 say RSCC. I mean, excuse me. 84 say RSA. 16 say RSAC. So there is a contingent out there saying RSAC. Shout out to you guys. All right, hey, listen, every day of the week has a special segment. And this right here, this is James McQuiggin at 35,000 ft. And if you're wondering why he's smiling in this photo, it's because the guy's got jokes. And I'm gonna share him with you. Dad jokes for days. Go ahead and check out James McQuiggin at 35,000 ft at your local laugh factory or the chuckle closet on 7th Street. Doors open at 8. All right, it is baseball season, everybody, and baseball season has officially kicked off. So here's some rib ticklers about America's pastime. I'm killing the music. So Kim in the car and Nick on Apple Podcasts can hear the jokes, too. One time at a baseball game, James wondered why the ball kept getting bigger and bigger. One time, James, this true story. One time, James is at a baseball game, Fenway. He was actually sitting up in the Monster seats, and he was wondering, like, why the hell is the ball getting bigger and bigger? And. And then you know what? It hit him. It hit him.
It hit him. While the ball was getting bigger. It was. It physically hit him also. Hey, did you know that zebras play baseball? I didn't know that. Right. We hear about baseball being popular in the Caribbean, but there is kind of an Africa Serengeti contingent that's growing, and it's zebras playing baseball. They have three stripes and they're out. Three stripes and they're out. Get out of here. All right, which player on the baseball team carries the water? Okay, we're humbly gonna skip this one because I like. I can't groan enough. Which player on the baseball team carries the water? Go ahead. And let's call in the left pitcher. Let's call him the lefty. Get that pitcher out. I don't listen. I don't read these in advance, and I don't censor them. I must read them. That's part of the deal. That's the social contract I've made with you. James is putting me through the wringer today. Okay, why did the baseball player join the music band? The baseball player joined the music band because he had perfect pitch. He had perfect pitch. And which animal is the best at baseball?
E
If you.
A
If this was like some version of Looney Tunes Basketball with Michael Jordan, but baseball version, post Michael Jordan taking a break for not gambling. Which animal is the best at baseball? If you're going to draft one, go ahead and draft that baseball bat. The bat. All right, there you go. That is your James McQuiggin jokes of the week. Let's go ahead and skip to La la la. And if you have a problem with those jokes or you want to hold James accountable, he will be at Jawjacking. You can tell him yourself about those jokes. All right, everybody get those. La la la la's on. Let's go. Let's la. Man, that song just never ceases to deliver. It just hits over and over again.
D
Ajax hack exposed data, ticket hijack. Dutch professional football club Ajax Amsterdam, also known as AFC Ajax, disclosed a breach where an attacker exploited vulnerabilities to access email addresses of a few hundred users and limited personal data of fewer than 20 banned fans. Journalists at RTL confirmed the flaws allowed ticket transfers, modification of stadium bans, and potential access to hundreds of thousands of accounts via exposed APIs. The club says it's patched the issues, notified authorities, and found no evidence of large scale abuse. The full extent of prior exploitation is unclear.
A
All right, listen. If I had to guess. If I had to guess, okay. This hack was done by young people, okay? And I'll tell you why in a second. One second. You know, whatever. Sports club. Again, it doesn't matter if it's a sports club or if it's a, you know, retail business or whatever. They sell a product. The product is entertainment and they have to sell tickets. They have to manage all the things. And they got hacked. Okay? Now the. What is it? The. The impact of this hack is not really that bad. I mean, you don't want to get hacked at all. But, like, they got the email address of a few hundred people and twenty of those people are banned. Banned fans, which includes name, email, date of birth. Okay? That, that information's. I mean, widely available in a lot of hacks anyways. So again, I'm not underplaying it, but, like, it's not that we're numb to it, it's just that, that. That impact. Listen, in the world of cyber security, when we talk about impact, we talk about what, what. What happened, right? Like, what. What is the impact if bad happens? What is the impact? That's how we calculate risk and figure out what protections to put in place. In this instance, bad did happen. What is the impact? The impact is a few hundred people's names, dates of birth and emails got compromised. Threat actors have that. That information is in several attacks, several hacks. And because we kind of assume that that data is going to be out there anyways, we educate our end users personally and, you know, organizationally around, hey, watch out for phishing emails, watch out for domain squatting. If, you know, have multi-factor. We already educate people all the time because we know that the, the impact is going to be realized like this. So, you know, if, if the impact was systems are down or the soccer players can't play soccer or like the stadium can't open, now we have a much higher impact because there's financial elements to it. Right?
And of course they're probably going to give these few hundred people, you know, identity theft protection for a year.
D
We
A
like. Okay, really quickly, allow me one moment. This is like, I don't know if you guys know this Geico commercial, but like, this is what I think of when I think of getting my identity theft protection. We, we throw it on the. Throw another one on the tire fire. This hulking, burning mass of identity theft protection. All right. Also Doom Kraken, kind of like out of nowhere with a System of a Down reference. I do love System of a Down. They were so awesome in the early 2000s. Okay. Other than that, there's nothing else to do, by the way, like, this is like a. Oh, the final thing. Why, why do I think these are young people who did this? The, the actual impacted organization didn't even know. The hackers called journalists and like shared their hack and then the journalist called the victim organization, Ajax Football Club, and told them they had been hacked. Listen, I don't care if it's because I'm old or whatever, but like, if I committed a crime, do you know what I wouldn't do? I wouldn't call the journal. I wouldn't call anybody and tell them like, guess what I did. Like, that just oozes arrogance and like, like the desire to have people know what you've done so you can bask in the glory of, you know, having it known that you did this thing. Right? That's. I don't know. I mean, again, maybe I'm being ageist. Maybe an older person would want that clout too. But like, for the most part, if I'm gonna commit a crime, you better believe I don't want anyone to know that I committed a crime. Spoiler alert. I didn't commit a crime. Also, also, bonus, bonus, when I first looked at this picture, I had no idea what the hell this graphic was. This thing. And over the course of me talking about this story and by the way, for those listening on audio only, I'm looking at the Ajax Amsterdam logo. I think it's like a, a Gandalf wizard looking guy with left facing profile. That's what I think it is. It took me a while to get that, but that's what I see.
It's like a Rorschach painting.
D
API platform attacked. Attackers started exploiting a critical code injection flaw in the Langflow AI framework within hours of disclosure, using an exposed API endpoint to execute arbitrary code without authentication. Sysdig researchers say the bug allows data theft and lateral movement by accessing API keys and credentials tied to services like OpenAI and AWS. CISA has flagged the flaw as actively exploited. Users should upgrade to version 1.9.0.
A
We play a game. All right, you know, hey, get ready, dude. This is going to become more and more the norm. Okay? AI hacked, like as much as it's like ransom company ransomware. Like for the last three, four years it's been company ransomware, company ransomware. Like I could literally close my eyes, fall down right now, and I would hit a story about a company getting ransomware. Now there is a shift, the winds are changing and now I could fall down and I would land on an AI tool or AI agent or AI function or LLM that's being exploited. Like that's the new normal. Which by the way, is scary AF because AI, like the speed at which we're moving with AI is borderline reckless. But, you know, oh, got to get to the end of the line before everybody else. I've got a lot of thoughts. Okay, so critical vuln in Langflow, which is an open source framework for AI agent development. I've never heard of Langflow till now. It's been exploited. CISA is letting, letting people know, here we go. Go ahead and use DJ B Sec's EPSS tool since he's in the Jawjacking chat today. By the way, shout out to DJ B Sec. I do like the font choice that you've used here. Is this, is this typewriter? Ben, go ahead and get some insights on that. Oh, also, he's reduced the spin up latency issue that I really didn't like. I think he got some feedback. He read my email. All right, so EPSS score 6%. EPSS percentile, 90%. How do you read this? The way you should read this is if you're running Langflow, you have a 6% chance of getting compromised in the next 30 days. Here's an idea. Do you want to know how you can reduce this score to 0%? 0% sounds pretty good. Guarantee not to get your Langflow punched or this vulnerability getting exploited. Let's go ahead and take a look. Patch. Nope. All right. It doesn't say to patch. It just says if you are not patching immediately, you're going to get knocked down. All right? Oh my God. Okay, so this is not good. So this EPSS score may increase. Just so you know, 90.
This EPSS percentile is of all the hundreds of thousands of vulnerabilities in the EPSS catalog. How bad is this one? If it does get exploited, 91% is very bad. Like you do not want this exploited in your face. So even though this has a low chance, this is the kind of vuln you want having 0% chance in your environment. So you know, ah, you got to patch it. You got to patch it. Also want to point out a little bit reckless. You know, this is another whole philosophical discussion in our industry on whether this is appropriate or not. And people will passionately argue their opinion on this one. Langflow, their advisory to let people know that this vulnerability is out there and that they need to patch it. Their advisory contains enough information to develop an exploit for it. Yeah, here we go. So look, this is the GitHub repo for it. And they basically say, you know, this API allows flows without authentication, so you already know what API it is and which, and it doesn't need authentication. I mean, that alone is enough information to exploit it. They even give you additional insight that the code is passed to the exec function with zero sandboxing, which means it detonates on the box. It doesn't check anything first. For what it's worth, I mean, yes, this advisory does include all the information you need to exploit this, but there isn't much to it. It's like it's a. Basically an endpoint that wasn't secured properly. I'm not going to say it was vibe coded, but. Oh my God, look at this. Holy crap, dude. They actually show you the entire code execution. When attacker supplied data is provided, it flows through the following way. Look, start, float, like it shows you all the stuff, dude, where arbitrary code execution goes. You typically don't see this level of detail like ever. Wow. All right, so it is a GitHub repo or PyPI repo it looks like. See how it's, it's a PyPI repo, right? So just if you're using this one you have to patch it, right?
And ah, you gotta patch it. All you gotta do, you can use pip to do it. So go ahead and what's the command? It's been a minute since I did pip. Was it pip update package? I think it's pip update and then the package name, pip update langflow. Oh no, it would be pip install langflow, dash dash upgrade. So just educate, like basically tell everyone who might be a power user integrating Langflow into their environment to update their stuff. Okay. Period. Full stop. That's it. Update. Update your Langflow.
D
FCC cracks down on robocalls. Have a good one, Linda Smith. The Federal Communications Commission approved new proposals to crack down on robocalls by tightening requirements for obtaining phone numbers and increasing transparency around caller identities. The rules target abuse of resold numbers and tactics like number cycling which help scammers evade detection across telecom networks. A separate proposal would restrict the use of foreign call centers and potentially require disclosures or US based routing as regulators link non-US operations to a significant share of activity.
A
All right, for the sake of time and an amazing Jawjacking segment, we're going to continue to just, we're going to speed run this. Like listen, yes, new rules. The fact that like my phone now says spam caller when I get a phone call from a spam, even though I don't answer unknown phone numbers. Anyways, I love this. Robocallers have been a problem for a long time and yeah, like more of this. Crack down on it a lot. I'm telling you a lot of people get victimized because they don't know, especially older people. They'll pick up the phone and then it's like, hi, like your, your computer is screwed, or hi, like I'm calling from the bank, I'm calling from the IRS, I'm calling from the local district court, county courthouse. You missed jury duty, there's a warrant out for your arrest unless you give me a $500 Amazon gift card.
E
Right.
A
Like people, people, this is, it is a blight, right? And robocallers allow it to scale. So thank you FCC. I hope new rules take effect and we never notice. It's just our phone doesn't ring as much.
D
US official accuses China of exploiting cyber scam crisis. Reva Price, a US official from the US China Economic and Security Review Commission, has accused China of tacitly supporting cybercrime syndicates in Southeast Asia, alleging links between scam profits, state backed projects and selective enforcement that spares groups targeting foreigners. The schemes are said to generate tens of billions of dollars annually and increasingly target Americans. With losses rising as China cracks down mainly on domestic victims, US officials are calling for stronger diplomatic pressure and coordination to disrupt the ecosystem.
A
Okay, sure.
E
Like,
A
okay, yeah. So this is a problem. Cyber scams, call centers, I mean, this robocaller story kind of plays part in this. And it's a big problem. They're making tons of money. They're going to continue to do it. There's tons of like, it's like a cottage industry. There's a lot of really popular YouTubers that make scam bait information content around this stuff. You know, Cambo, there's humanitarian crises, right? Cambodian, I think it's. Cambodia is like, you know, basically luring Vietnamese into Cambodia and then taking their passport away and like making them work in these like effectively like slave labor camp call centers. It's a thing. Now US accusing China and then asking China to like fix it or do something about it. And it's, it is laughable. Like, dude, this is a real problem. But like in, in case you haven't been paying attention, like there's, we're not like BFF, like, why would China. I guess, here's what I would say. Why would China help us with this and us be the US, like, why would they? What's in it for them? You know what I mean? Just to me it's like, I guess you gotta try. But like we're, we're like choking off like semiconductor tech to China. Tariffs are like a thing, you know, like the BRICS versus NATO. Like there's no whether China's supporting it or. I bet you China is supporting it because it's, it's undermining the United States. Right? And China, by the way, like, again, this is not a cyber story, but like, in my opinion, this will be about as close as I get to like a political hot take. It would appear that, you know, there's, you know, been a push, you know, a very long term, long term strategic plan by China to kind of, you know, change the world order. And you know, why would they, why would they, you know, support the United States in any capacity? Like, like it's actually in their interest to not. Okay, all right, let's do this. All right. Yo. Love it, love it, love it.
This was Simply Cyber's Daily Cyber Threat Brief podcast, Friday edition. I know some of you had to bounce, but let me just say thank you so much for being here, I hope you got value from the stream. As always, share it with a friend. I don't know if the industry is getting more depressing or what, but like our overall community numbers on the live have been declining somewhat over the last six months or so. Again, there's a lot of factors at play. But for everyone who showed up today and our regulars, thank you so very much. And if you are a first timer here, I hope you come back Monday. We do this every single weekday morning at 8:00am Eastern Time. Now, I'd like to tell you, you might think the show is over, but we got value for days. Let me introduce you to Jawjacking. Jawjacking is a 30 minute ask me anything, essentially allowing you to ask your questions. What does this mean? How do we do this? What's going on? Whatever. And we got a panel on Fridays. We got a great panel today to hook you up. So stay tuned. Don't go anywhere. If you got to hit the head, go hit the head and come back. But either way, we're going to be doing it. I'm Jerry, your chat until next time. Ever wonder what it takes to break into cyber security? Join us every weekday for Jawjacking, where industry experts answer your burning questions about the cyber security field live, unfiltered and totally free. Let's level up together. It's time for some Jawjacking. What's up, everybody? Thank you for joining us. This is going to be Jawjacking. We got a huge panel for you on Friday. For sake of time, let's just get to it. He's a newcomer to the Simply Cyber community, but he's already made massive impact. Ladies and gentlemen, Bow Tie Security. Robert. What's up? Robert, good to see you.
C
What's going on? Jerry, how you doing?
A
Oh, it's. I'm good, man. We got another one. He's a regular. He told the jokes today. So if you want to throw tomatoes, get them out, get them ready and get ready to throw. James McQuiggin at 35,000 ft. James, what's up?
B
Oh, somebody throwing tomatoes there.
A
Got a dodge and I love it. And then finally, coming from his sterile office, not two turntables and a microphone, more of an executive. Ladies and gentlemen, DJ B Sec.
E
Good morning.
A
I love it. I love it. And with the reflective vest, very nice. DJ B Sec.
E
That's what happens when you work in warehouses.
A
Seriously, dude, the room you're in right now, is that a virtual background? Did you ask ChatGPT to make a sterile.
E
No, this is my Office.
A
I was, I was playing like you're like, hey, ChatGPT, draw me a sterile background. Like that's so funny.
E
There's literally nothing in here. It's just a little office that I come in.
C
You're not allowed to put photos on the wall. Is it, is it doesn't come in here?
E
No. We moved into this office like three years ago or four years ago during COVID and we didn't put anything in here. We just turned into the IT room.
A
I love it. You got to do what you got to do. And honestly, if you don't spend a lot of time there, like no reason to personalize it. So. Hey, one quick question. Not question. Earlier today there was a story about inspecting network traffic at the kernel level using the Berkeley Packet Filter. Now I'm going to drop a link in chat. James McQuiggin actually provided a link to me to, to demonstrate how to inspect that traffic with eBPF. DJ B Sec, even though he's an executive now and uses Apple products, he was at one point quite a talented network engineer. He still is. I'm being playful. Ben, talk to us like what's up with eBPF at the kernel level? What, what are we talking about here?
E
So what I told you when I put that in chat, somebody said that you can or you can decrypt that. I said the only way to decrypt that, which you 100% can, the firewalls do it, right? So information comes in, the firewall decrypts it, tears it down, inspects what's in there and then repackages the encryption and sends it off. But the only way for that to happen, successful point where the stuff is at is you have to have the certificate from that device on that endpoint. So for instance, if I'm going to have traffic come in and I'm going to inspect that traffic at the firewall, it's going to decrypt it. But that firewall itself will create a self signed certificate or whatnot. And that certificate is on there. You rip that off, you go that, you push that through group policy or whatever into all the machines. So when that traffic then hits the machine can then decrypt and see what was in the packet and showed stuff on. On the web page.
A
Yeah, well, Teris asks, does this have impact on performance?
E
I don't know. That would be. Isn't it so built in for that? Not there's not an impact on. But I don't understand if somebody said that they're able to do that for them to believe that they would have to have been able to send something or they would have to have a certificate of something that's already on the machine where that's being sent somewhere. Right. So otherwise that traffic wouldn't ever be able to be decrypted.
A
Right. And that, that, that just because I don't want to, like, I get popsicle headaches with all the math of cryptography. But like the whole point of why PKI and like asymmetric encryption works, or it's because you can't decrypt it without the cert. Without the, without the private key. So anyways, all right, now that we got that question answered, first question, would a GitHub project on GRC help me get a job or would it be better to discuss my knowledge from studying frameworks on LinkedIn? So Robert, who mentors a lot, right. Should. Should Mariah get a GitHub project and put her stuff there or should she share it on LinkedIn?
C
It really depends on what jobs you're looking for. I mean, I'm all about sharing on social media. So the more you engage on social media, if you're posting, if looking for a job and you're not posting every day and connecting with 100 plus people and building that network, the algorithm is just going to ignore you. So people aren't going to see your stuff. So I'm all about posting as often as humanly possible. Will it help you get a job? Probably not. But if you are going for a specific job, maybe a coding role or something like that, and you have a manager or a leader who is actually technical, which is relatively rare, they may actually look at it. Like, I'm somebody who would probably take a look at it, but most leaders would not.
A
Yeah, and we'll go to the next question, but just I would point out, Mariah, don't think of this as which one to choose. Like do the GitHub project, use that as your ground zero and then share it on LinkedIn. Send people back to your project.
B
Do both.
A
Yep. All right, next one. What are your thoughts on Vibe coding from a security perspective? James McQuiggin, if you're using Vibe coding, how do you address potential security risks?
B
See, for me, Vibe coding has been a lot of fun just to kind of make some fun apps and, and see what I can do with it. But yeah, there are going to be. The security concerns still go through and do the static code analysis. Review it. There's. There was an article I read the other week where a VP comes into the group of developers and goes, hey, we got a way to make you all 40 more efficient. We're going to do the, you know, use whatever widget tool. But the problem was, is great, we can create more code. That's never been the problem. It's the qa. It's the QA aspect. It's going through and verifying, checking for vulnerabilities, checking for exploits, whatever. But if you're not going through and doing that QA aspect, then you're basically opening yourself up to a whole lot of issues, whole lot of problems. That's why the Vibe coding tools that I've made have pretty well just run locally. I haven't put it out on GitHub or anywhere else like that, but if I did, I would make sure that I would be putting it through some sort of scrutiny to make sure that it is secure and, and yeah, not, not exploitable.
A
100%. I want to share something very timely with everybody. So many of you know I went to RSA recently and I interviewed a bunch of Cisco people and I interviewed a guy named DJ Sampath who's like basically the number three guy at Cisco. And he is awesome. He is like, he's like a straight up nerd and I love it. And we talked about OpenClaw and I want to share this with everybody because like vibe coding OpenClaw, you can do. You can vibe code in a lot of platforms. But a lot of people are using OpenClaw and I have been very vocal that I think I'm afraid to like really unlock the power of OpenClaw because it's absolutely a cesspool in the skills community in the MCP. DJ Sampath shared this with me. Check this out. I'm actually making a video about this. Cisco put, put money into this. This is a free open source project and you can tell OpenClaw to go pull it. It's called Defense Claw and it has like, you get all of this. It has a skill scanner so it'll check the security of those skills. MCP server scanner. This is the Defense Claw which does all the things. It has an AI bill of materials so it'll tell you what projects are inside the skill itself. I'm like I said I'm making a video for this right now. It's a little complicated because whenever you do a technical video you have to capture your screen and you have to make sure it's the right size and I'm going to install it, but it's just anyways you like there are, there is an increase in activity of like security hardening and security wrappering around a lot of these AI tools that are popular. So for the vibe coding stuff, you know, try to introduce, you know, pick one of these other AI tools and have it look at your vibe coded app before you push it to prod.
E
Maybe.
A
Yeah.
E
All right.
A
DJ B sec, you got something on this one?
E
Yeah. So both you and James touched on it. But when you go to vibe code, the whole whole deal with vibe building and building these applications is simplicity. Like you're able to simply do this, realize you can simply add security into it. You can tell it. For instance, I've built an application and part of my application is create an SBOM of everything and put it on my admin dashboard. Only admins have the ability to see that. And what I want you to do is every time something is pushed, I want you to run through that and scan it and tell me what version of what package do I have, is it up to date? And if it is, if it's secure or if it's got a CVE attached to it. Like if we're running version 1.1.3 and it has a vulnerability on there, but 1.1.6 is there, then I know that and I go, hey, can we check out and make sure that if I put 1.1.6 on here, is it going to break anything? It'll come back and go, hey, no, I've checked everything, it looks good. So let's go ahead and update it. You can build the security into it and put that, and James talked about it in the CI/CD pipeline. You can put that in the pipeline itself so that scan. So you have the dynamic and you have the static analysis as it's running. Claude Code put out the security stuff in there. Don't just sit there and go, okay, let's use Claude Code security for everything. You can put other things in the pipeline, but there's the ability to create quote, unquote, secure stuff to start off with.
B
Yeah, with actually you bring up a good point because one of the things I did do was grab some of that Claude Code security, some of the tips, and I dropped it into the chat that I had with, through Claude Code about developing. I think it was the. My fake maker app to secure it and it went through and was able to make the changes. But yeah, you can get Claude Code or one of the other ones to add more security in it. But a lot of times people don't think about that. But it's always a good thing for, for you to go back afterward.
A
Well, all right. Hey, we got a first timer dashboard
E
on the back is a good thing.
A
We got a first timer in chat. Itchy beef. Itchy beef. Sorry, that was a misfire. Itchy beef, first timer.
C
Welcome to the party.
E
All right.
A
Welcome to the party, pal. Good to have you. And also I dropped a link in chat, or I pinned a link in chat to this short, and I dropped a link to the GitHub repo. This is the little short where I'm interviewing DJ and he explains what the defense claw is. If you're interested in learning more about that specifically. It was really, really cool. It was like one of my favorite things I got from RSA. All right, if you have questions, this is Jawjacking. We have an amazing panel of very seasoned practitioners who love helping other people. Put your question in chat with a Q. We'll get the questions answered. Robert, the Cyber Lorian is ready to interview for a different consultant role. What's the best source to review in preparation?
C
Yeah, so for D4 specifically, it's going to be a lot of like, question based type scenarios. Preparation is going to be difficult. It's really gonna look at how you think, how you respond. What I tell everyone is go into ChatGPT, type in the role that you're looking for, and ask common interview questions. It'll then scour the Internet. It'll pull down all of the most common interview questions that people posted on Reddit and other places. Make sure you know those inside and out. There are two critical things in an interview. One, how you answer a question you don't know is more critical than how you answer a question you do know. So if you don't know it, simply say, I don't know. Here's how I would find it out. Or you can say, I don't know, but after this call, I'm going to research it, because I can't just let that go. And then the other one is the about you question. Practice it, master it, get it down to around maybe a minute or two and then stop talking. So many people that I interview, I'll say, tell me a little bit about yourself. And then it's like, well, I grew up in a small town, and it was like, whoa, hang on, you know, really just keep it simple and then make sure that the interviewer has time to ask you questions. A lot of technical people tend to ramble.
A
Yeah, 100. Also, you should expect the question like, you know, what are you bad at? Or what are some of the struggles you have? Do not say that you work too hard or you're a perfectionist. Like, actually say something that you're not good at. And I would assume that you're doing something to work on that. So be honest about what you're bad at and then explain how you're working on it. That will go much further for you.
C
And don't use ChatGPT. We just interviewed for a senior role. We had seven people out of the 15 we interviewed using ChatGPT.
A
Like in the interview.
B
Oh, in the interview. Oh, geez.
A
Yeah, so.
C
And I ask questions that I know what the prompt response is as a trigger, and they, they literally read it verbatim. And I got so frustrated, I, I, I probably was not as professional as I should have been. Because anytime you're taking away an opportunity from somebody who actually has the skills and you've done it by using trickery to gain access, I am banning you from my company for life from interviewing.
E
You're going to get exposed.
C
Yeah.
E
Like when the S hits the fan and you don't know what to do and you're sitting there relying, like, what are you gonna do if the Internet's down and you can't use ChatGPT to get this Internet back up?
C
Oh, man, I've busted managers who use chat, which I was blown away by. I've busted coders. I had somebody wearing an AI face in the first round, and I'm like, bro, come on. Like, get your nation state skills in check. Like, use real tools.
A
I will tell you, I haven't experienced this yet, but it's obvious that these things are happening. The one technique I've heard to detect this or blow this up. Well, yeah, you can do this for the AI stuff, but I know of one organization that suspected that they were having a ChatGPT situation, and they said, hey, for the next question, turn around. Like, we want to see the back of your head. And the person's like, no. And they're like, well, then this interview's over. Like, all right.
C
It's to a point that I actually start the interview with like, hey, this is going to be a little weird. I need you to look left, I need you to look right. I need you to put your hand in front of your face. And that's only going to work for so long, but it still works now.
B
Yeah.
E
And smile.
B
They're getting there. They're getting it.
A
Well, we'll come up with another detection. I mean, like, we'll always. The human. I mean, AI is great, but there's human things, you know, so it's gonna
B
get to the point where you're gonna have to go visit your local library, a UPS office or something, a notary, and get there.
E
Right.
C
Well, my company only hires in person now. Like, we just don't. We'll do a video interview. But in order for you to be hired, you actually have to show up.
B
Come to the interview.
A
Yeah. Cyber Risk Rich with a quick question, I'll answer. How did you come up with Simply Cyber? What other names did you consider? I never considered any other names for the channel. To me, Simply Cyber captured it exactly. It was the first name I thought of. To me, it captures the essence of what I wanted to do. The original, like, tagline was making information security accessible. Like, it is complicated and I'm very passionate about it. And a lot of people want access to it. And then it's frustrating because they don't know how to do it. So I wanted to make it simple. Simply Cyber.
B
Didn't you have another name for the show, though, originally?
A
The Daily Cyber Threat Brief was originally called First Things First, but I, you can go back and find it. But I realized within, like, a few weeks, people didn't know what the hell First Things First meant. So I literally named it as descriptively as I could. It's daily, it's cyber, and it's a threat brief.
E
Like, yep, First Things First from the garage.
A
Yep, First Things First. All right, Scanning chat with. This is Jawjacking. If you have a question for our panel, put it in chat with a Q and we will answer it to the best of our ability. Itchy Beef said you went to Dakota State. Yes, I did. I got a master's and a Ph.D. from Dakota State. Go Trojans. All right, next question. If you get a chance to go to Dakota Con, by the way, if you're in that eastern South Dakota area, it's a great conference. They get great talent. Continuing to look through chat. Let's see.
B
So I'm curious. Did Simply Cyber, was that kind of like a late night thing, Jerry, or were you, like, scribbling out names the whole time? Because for me, Apparent Security came as I was falling asleep one night. It's like my body was relaxed, my brain was relaxed, and I went, Apparent Security. That's what I should name my tech company.
A
No, I mean, so I was doing an audio only podcast with a guy named Steve Cardinal internally for MUSC. And, you know, I was learning how to do podcasting correctly and stuff. And then I was leaving MUSC and I still enjoyed it. One of the things was MUSC put a lot of restraints or constraints around what I could talk about and what I couldn't talk about, which I thought was absolutely annoying. Hot trash. So for me, I was like, oh, I'm gonna do my own thing. And it's just Simply Cyber. Like it's.
E
It's.
A
It is what it is. It just. It just fit. I kind of like grooved into it. I vibed into it before vibe coding
B
was even. Vibe coding's a weird term. Anyway.
A
All right, here we go. I think this is a question. Eve's Bytes, will there be a time they will be able to use AI on the other side to understand the commands? Maybe the other side of the interview. I don't know. Eve's Bytes, you'll have to qualify.
C
I mean, in theory, if we could install a client or something on a desktop. But no. So the other thing too is like, people don't need to type anymore. You can use the voice prompting and stuff like that within OpenAI. And the people I busted who owned up to it, they had a laptop to the left of them. So even if I would have said, hey, show me your screen, there's also a couple GitHub repos where you can get something that puts it into a dockerized container. When you do a shared desktop, it creates a false desktop. I don't even waste time with that. I can spot people who don't know what they're talking about. Even if you think you're super convincing, I can easily hit you with a few questions that'll kind of unravel your perfect scheme.
B
If a train leaves Chicago at 150 miles an hour and a train leaves.
C
Yeah.
A
You know, I wonder too. Now I'm just thinking, like, we have questions, but now I'm like workshopping ideas on how to attack this control. I could also see writing a very simple question and saying, don't read this out loud. Answer this question like that. Another one. Because then there's no audio. Yeah.
C
No, I love that. That's brilliant.
A
Yes. All right, so Team PCP is on the war path again. Any tips? Sending this up to C suite. So Rich464 is talking about Team PCP. This is a story that's very hot right now. It is about them infecting either the Trivy security scanner, which got into LiteLLM, or they just compromised LiteLLM. Whatever it was, it is a supply chain attack and it is quite real because they basically took over this LLM. DJ B Sec, you're an executive now. How would someone bring this to you? I'm joking. I'm being.
E
You hit it, but you hit it on the head. Right? It's a supply chain attack. So we all know what happens with a supply chain attack. That's kind of. It goes back to what we were talking about before when we were talking about vibe coding. You have to have an SBOM. You got to know what's in there if you're using it, you've got to know what version you're using, you've got to, as the IT person, as the security person, you need to know what's in the company, what's being. Oh, now what people need to understand, what the C suite needs to understand, what your developers need to understand is there is no getting around a zero day. Like it is what it is. This was, for lack of a better term, a zero day when it came out. But I think we saw in the article it was like there for like four to six hours before they cleared it out and put a new one in there. But in those four to six hours, I think there's like 3 million, if you go look, 3 million downloads a day for LiteLLM. So if you were in that span of four hours, you may have been infected. And I mean there's stuff out there that shows how to clear it out. But as the question poses to bring it up to the C suite, you just need to explain to them, we've got to have somewhere, something that shows us all the materials. We can't have tons of shadow IT or shadow this or shadow that that we don't know about because it's going to lead to an issue.
A
All right. Okay.
C
Yeah. When somebody brings stuff like that to me, really just honesty. The biggest thing we're looking for is exposure and risk. And what is that? That's all I really want to know. Hey, a perfect example, like if you don't have a software bill of materials, a lot of organizations may not have that. There's lots of ways to get it. And it's incredibly critical for your development pipelines to know what open source tools you're using, what plugins you may have. There are a lot of ways that you can be insecure from a supply chain attack like that. And like you said, it happens so quickly. It's how you respond. And then what is our current impact and risk? That's all we really care about at the C suite level.
E
Well, the other thing is, you know, we're all here right now. Follow Jerry. Listen to this in the morning. These are the things. This is the whole reason that it's done in the morning, right, is to understand what's going on. So if you were here yesterday, or actually it was last week when Trivy hit, you would have already known that that was going on and then saw that it happened in here. And you can extrapolate that. Hey, they're trying to get into all kinds of different things. So now we really need to be aware. Maybe you got a C suite, like, sent something over to the security team saying, hey, what about this? You would have been notified. You already know about it. You can say, hey, yeah, this is what's going on. I'm checking with developers or checking with anybody else to see if this is even used in our company, and hopefully we're fine if not. And if it has been, there's remediations out there already that we can look at to clean this.
B
Two things.
E
So being in.
B
I was gonna say two things. One, Jerry's gonna need double doors on the Ozer Buffer Overflow Studio now to get his head through after that awesome comment of watching the show, getting it bummed up. But also we've got SBOMs. We're gonna have to start talking about AI BOMs.
D
Right?
B
You know, what's in within. Great. Integrated within that, and Cisco Defense had a tool for it. But yeah, the AI, the SBOMs, the awareness, the risk aspect.
A
James, can you quickly define a BOM, bill of materials?
B
Kind of like the ingredients that you have inside your software. What DLL libraries is it calling? What type of, you know, where's all the software coming from? It's kind of like ingredients that you have. When you look at the side of the box of your Cheerios and you look at all the stuff that's in there, that's kind of the easy way to explain it. So whether it's a software bill of materials, a hardware bill of materials, or an artificial intelligence, you know, vibe coding or that aspect. Bill of materials, getting to understand what's in there.
A
All right, we got a lot of questions here, so let's keep cooking. Yeah, let's see. Robert, GRC Guardrail. Any recommendations for a router, both for replacement of the stock one that you get from your ISP and a budget friendly one for a home lab? You're our resident tinkerer.
C
Yeah. Honestly, any of the Netgear routers are quite good. You can install open source firmware and stuff on them too. OpenWrt is one that I like to utilize. Tomato is another open source one that's quite good. It's updated more frequently than your normal ones. Look at specifically what's in your budget range and then see which one supports either one of those. And then if you're looking to tinker, they give you a lot of flexibility. It really unlocks the potential of what it can do and it gives you a lot more security functionality.
E
You also need to be aware of: does your provider actually allow you to swap that out? And if not, then ask them if they have a bypass or pass through.
C
Yeah, they normally. Yeah, that's the biggest thing. A lot of the providers are nickel and diming people with like a subscription to keep the router. So it's only by request.
E
Yeah. And a lot of them, like if you're one that has high speed Internet at your house and you're running a static IP address, like you have static IPs, you have to use their equipment.
A
Yep. Be careful. And there was just a news story earlier this week that like the sale of Chinese-based routers is going to be illegal. So you might have to scoop these up sooner than later. I don't know what's happening with that.
C
Don't buy them used. They can come pre installed with all kinds of stuff. Crypto miners, a bunch of other things too.
A
Yeah, but even if you wipe the firmware and put in like DD-WRT or whatever, is DD-WRT still relevant? Is that a thing still?
C
I. I think it is, yeah.
A
Okay. If you wipe the firmware, are we okay?
C
It should be, but it really depends. So I've seen devices where they've put small hardware separate from it, but it's pretty rare. But it is something that happens and it's not as uncommon as we wish it was. Another thing that they do, Jerry, is they'll have like a second software or a second hardware system inside the box, and then once you connect it to the Internet, it reaches out and downloads the payload. So until then.
E
Yeah.
A
All right. Yeah, that's a Key & Peele. Substitute Teacher. Desk clearing. Son of a. Kyle wants to know where should he host his personal brand website. DJ B Sec has used GitHub. He recently found Cloudflare. I gotta tell you, I will be moving Cyber IO to Cloudflare pretty soon. But DJ B Sec, you know, do you have a like it or hate it on the GitHub?
E
I. Right now I. It's all about traffic, right? So it's just a matter of if I have so much traffic that GitHub stops, then maybe I'll go find a hosting like Hostinger or something like that. But right now GitHub, it's free. Why wouldn't I just continue to do that? But I did pay for my domain name and I use Cloudflare, so it's backed by Cloudflare.
A
And like I said, I'll be moving to Cloudflare soon from Wix.
E
And with Cloudflare you get to see all your traffic and find out what's going on and how much you're getting per day and so forth. So you can see if you're starting to get 10, 15,000, 200,000, that hey, maybe it's getting to the point where I do need to move it to something that's more user friendly.
A
All right, we are at 9:32. We can go a couple minutes over. If any of the panelists have to drop, just drop it in chat so we can make sure we do a little shout out for you. Fleetus post in the third wants to know, are we getting better at security as an industry or just getting better at reacting? Ooh, good question. Robert, thoughts on this one?
C
Yeah, I would say we're getting better at reacting. Security hasn't changed much from what you need to do. Protect your perimeter, ensure the vulnerabilities are patched and updated. Our response capability has gotten better, our ability to adapt quickly has gotten better. And our understanding of what happens when you fail that I think because we've seen all of the breaches, because we've gone through all the tabletops and things, you get that kind of experience and once you've seen it happen, you go, okay, I don't ever want that to happen to me. So I think just with knowledge and the way we share things, we've just gotten kind of smarter at responding.
A
I love it. Another question coming in. Well, I don't want to spend a terrible amount of time on this one because it doesn't resonate with everybody, but I have started a business. I know James McQuiggin is flirting with this. Roswell UK basically says, how do you know? How do you start a business, you know, how do you start a company? How do you know when it's ready for business? Etc.? You know, I guess I was
B
gonna say Kathy Chambers wrote an awesome article yesterday about starting with one client and kind of what it was like for her. Find that article, check that out.
A
Yep. It's called Authentic Feedback on LinkedIn. Kathy Chambers, definitely a good suggestion on that one. The one thing I would say is don't start a business if you're not like into it, because it's going just like a PhD. It is a very demanding enterprise. And the first, you know, there's a reason most businesses fail in the first year. It's because they don't have the momentum and the stick. So just, you know. All right, Robert, this is a hardware question. Carrie, who's a long timer here in the community, got his A+ and Sec+ and he's got troubleshooting skills, and he wants to know if he should go into hardware hacking and how he can look into that and build skills.
C
Oh, I mean, that would be cool. There's, I would say the viability of it in the job is very slim. I've built a few devices when I did social engineering, like I built a, it was a power strip that had a Wi-Fi adapter in it that I could then basically connect. And anybody who plugged in their laptop to it with the cord, I would get their traffic. Other than that, you're not going to have too many uses for hardware hacking unless it's just personal. From a business perspective, I don't see too many values, but there's all kinds of hardware hacking stuff on YouTube. It really just depends on what you're trying to do and what you're trying to get into. But I would say for work, it's limited value. I've used it maybe 10, 15 times in 20 years.
A
Yeah, hardware hacking, you're not going to find a lot of work number two,
E
unless you find somebody that has like a old bitcoin hardware that they need hacked.
C
Yeah, somebody is like, I got four coins on here
A
real quick. Matt Brown on YouTube is an incredible hardware security content creator. And Daniel Lowrie, known for a lot of things, but Daniel Lowrie is a sleepy good hardware hacker. He's got, you know, he's got his Bus Pirates and his UARTs ready to go. So check with Daniel Lowrie, who's also going live here in 24 minutes on the YouTubes. Next question coming in one second.
C
Yeah, and anytime that I've ever done an operation like that, it was just to prove viability and to prove that it was possible. It was never like, somebody's like, I need you to do this. I just wanted to prove that, hey, if an attacker got in, they could do this.
E
Yeah.
A
100 and even. I mean, I will say Carrie, like, and everybody in chat, like, there is an opportunity here where you do something really wildly interesting. Doing hardware hacking, and that gets you a lot of publicity, and then you ride that wave into something else. But, like, on balance, if you just got good at hardware hacking, no one's going to pay for that because it's just. It's not. It's not a business imperative.
B
Right.
A
Like, they'll just kind of.
E
What Ryan does. Ryan Montgomery. Right. With his. With his. With his little
C
number.
A
Ryan's great at, like, presentation, though, and stage presence. So. All right. Bad Child Cat says, how much should one disclose to a government employer, considering your sordid past? I'm interested in applying a Lucky, but I know they have a deeper background check. All I would say about this is answer the questions honestly.
B
Yeah.
A
Yeah.
E
I mean, especially if you're going for a government side. You will.
C
Or clearance of any kind. Any of us. So I've gone through clearance for TS.
A
Yep.
C
It's intrusive. They will call your neighbors. They will talk to people you haven't talked to in 10 years. They will find everything. So it really just depends on the role.
A
Yeah, I also had a clearance. I just. This is like, a personal story to share. There was another question here about how to get a clearance without joining the military. You have to have an employer sponsor you. There's no pay to play. You can't just go get a clearance. But to this point right here. I also had a security clearance at one point in my life, which I did not like having. When you sit down with a federal officer who's interviewing you, they don't want to talk about all the great stuff you've done. They just want to talk about all the bad stuff you've done. So you leave that meeting feeling awful about yourself. Awful.
E
I don't think I know anybody that's had a clearance that's like, I love having my clearance.
A
Oh, no.
C
And there's rules around it, too. Like, there's a lot of things that can cause you to lose your clearance. I won't go into them, but there's a lot. Like, you have to be mindful of how you represent yourself, who you interact with, who you have conversations with. There's a whole lot. It's super annoying.
A
Gabriel wants to know, and this one's for DJ B Sec. How are you managing incessant vulnerabilities? Like, what AI tools or procedures do you leverage? He's got M365, Barracuda, and Rapid7. So, yeah, thank you. What are your thoughts on Gene?
E
I mean, right here, every day we come and watch, find what vulnerabilities are out there. You have scanners, M365. I don't know what version you have or what licensing you have, but they have their own threat capabilities inside M365. There's all over the place.
A
Making you. Yeah. I guess the one thing I would say to Gabriel here is, like, this is the job. Like, so I want everybody who wants to work in cyber security to work in cyber security. But I do have videos out there where I'm like, listen, it's not for everybody. And I'm not gating it. What I'm saying is, if you don't like constantly being challenged, if you don't like constantly learning, constantly staying current, it's not a good job for you, because you will absolutely get trucked by the momentum of this. If this is, like, overwhelming you.
E
It's.
A
It's. You know, it. It is the job.
E
I mean, I had that same conversation the last two days. People have asked me, like, they've asked me about something, and I just, off the cuff, told them what was going on. And, like, how do you know all this?
C
Because I read.
B
I watch Jerry's show. Constant reading.
A
That's right. Like 24 7.
E
Some people can't do it. And then you get it in the afternoon, in the middle of the day, you're working.
A
Yeah. Yeah. Go ahead, Robert.
C
No, anytime I have a moment, I'm looking at my phone, reading RSS feeds on security. I run a vulnerability management program for a Fortune 500. So it is imperative that I know every threat that's coming, because the regulators are going to come ask, my customers are going to come ask, and I need to be able to have answers for my senior executives when they're like, hey, what are we doing about this?
E
Like, I do the same thing. I have an RSS feed that's pulling all the vulnerabilities, and then I have part of that feed where it's stripped down and it filters for just the industry.
C
Yep, same.
A
Yeah. And, like, this is why this is a perfect example. I tell people, like, cyber security is a lifestyle, and people are like, oh, what? Like, I don't get it. It's like, I mean, you can do it and just punch in and punch out nine to five, but realistically, if you want to be successful and develop and grow and get higher salaries and all that stuff, it's a lifestyle, and it's, you know, if you're into it, great. And if you're not, you just got to be real with yourself, even
C
at the executive level. I was working till 1 o'clock in the morning dealing with an incident. So I worked for 20 plus hours. And that's just part of the job. And you know, I was at my kid's game and guess what? I had to leave. Like, that's the one thing that
E
irks me is everybody trying. Like it's a personal pet peeve of everybody trying to get in and like, oh, how do I get in and do this and make, you know, these big six figures that I hear everybody's doing. It's like you're gonna work 20 plus hours a day. You're gonna figure out, I mean, it's not just like you leave college and you got the book smarts to do it and all of a sudden it's in your brain. Literally every single day. And I had this conversation because of the way AI is adapting so fast and moving so rapidly. I mean, Anthropic's dropping stuff, three things every day, and it's like, oh, well, what is this one doing? What is this one doing? You have to understand what's going on.
C
Yeah. And you have. AI is creating zero days too. Like they're finding them, identifying them, and then posting about them, you know, very. Like, that's a, it's going to become a larger issue in response, and the way you respond and constantly being engaged is the lifestyle.
E
So I don't know if y'all saw this one, but Claude had, or Anthropic had a, basically a post that was supposed to be hidden that actually got seen. It was on a public forum that was hidden behind the wall, but basically it got seen and shows that they've got a new model. Not Opus anymore, not Sonnet, but there's a new model coming out. But Anthropic internally is afraid of this model because they think that it's a cyber security risk. And now people, I mean, I just read that this morning. I was surprised it wasn't on CISO Series, but I just read that this morning.
A
Hold on. You were surprised?
B
Well, it'll be on Monday.
A
Yeah, but that.
E
But I mean, Anthropic themselves. Not only did it show internally that Anthropic was a little scared of their own stuff and how they believe it could be used to create threats, but they actually had somebody from Anthropic verify that it was written, it wasn't somebody else. Like, this is an actual internal message from within Anthropic. So I was like, oh, okay, yeah, yeah.
A
Catch me outside at Simply CyberCon for my dystopian AI future thoughts.
C
There's some great books on it too. I won't plug them here, but there's a couple that are kind of if you build it, they'll come type books that are fantastic. There you go. Phil.
E
Just. Phil, just put it in the chat.
A
Mythos. Yeah.
E
What dropped?
A
Chimeria Gonzalez, squad member, 31 months, H-Town's own, by the way, DJ B Sec. She said, hey, guys, thanks for all you do. Where could someone go to build up themselves to lead and run the GRC at a company while still being new? Who? Like, I guess James. It's been a minute since you spoke. Let's hear from you.
B
Yeah, because I'm Mr. GRC, right?
A
Yeah, I mean, well, I mean, I could. Okay, I'll answer. I feel bad answering these questions because it's a panel. I want other people to get time in the sun. All right, so here's what I would do, Shamira. Like, number one, just start absorbing all of the, you know, GRC stuff. If you wanted to start crushing it, I personally am all about NIST CSF. You know this already. But for everybody, NIST Cyber Security Framework. Go look at it. Whatever your organization is using for its information security program, framework and structure, you should align to that. So if it is ISO or CIS, get familiar with that. But if you don't have one, or if you're looking to introduce one, start mapping to CSF. This will give you a long term vision, kind of a plan on how to get from where you are to where you want to be. It'll give you visibility into your overall gaps and weaknesses. Then you could start doing, like, risk calculations, which is another GRC function, on where your current gaps are. Right? Like you don't have MFA. That's a massive gap. You don't have MDR. That's a massive gap. MDR is going to be an expensive proposition to correct. That's like, you know, I mean, you could do in house SecOps, but realistically there's a huge hurdle between outsourcing SecOps and having it in house. Likely you're going to do MDR. That could be like a hundred thousand dollars. So that's a big budget ticket item. But like getting what the risk is of not having visibility and being able to respond is huge. So start saying that. In order to become the lead, what I recommend doing is basically being the lead, or taking initiative, taking action, being the person that people natively go to, and just naturally and organically become the lead. People are going to start coming to you and being like, Shimeria, what do we do here for this? Or where are we with that? And then be ready. Yeah, be ready, be ready.
And honestly, like, I know this sucks, a lot of people hate this in industry, but basically you need to start doing that job before you get recognized and paid for that job. And once you're doing it, you know, then you'll have a position of power when it's time for review. And you can be like, hey, I know I got hired to do awareness training, but I'm kind of, like, low key running the information security program. Which is fine. I love doing it, but I think that my salary or my title needs to align with what I'm currently doing. Or, you know, that's fine. If you don't want to do that, we can go back to me just doing awareness training, or you can go look for another job because now you have all those skills that you can market yourself with. Thank you for the question.
B
Way to go, Jay.
E
Whoa, Jesus Christ.
A
What just happened there? Like, hold on, go first.
E
Ben, I was gonna say, I know you love NIST, but why not? Maybe if they have nothing, why not start with CIS or maybe CMMC?
A
Yes, you can absolutely start with CIS 18. That's a, that's a much more. I like to call CIS 18 training wheels for an information security program. Not, not belittling it as childish or unprofessional. It's just stripped down and much easier to implement. I'm just, just such a dork for NIST CSF that I'm.
E
I know you're Mr. Mr. Love of NIST.
A
James, you had something you wanted to say?
B
I was gonna say. That's exactly what I was gonna say, Jerry. Way to go. Good stuff.
E
Okay.
A
Soul Shine says, what hardware do I need for your Master GRC class? You just need an Internet connection and a computer. You could literally take the class on your phone if you wanted to. All the. All the resources and tools you would use are Internet accessible. SaaS apps like, you know, Excel or, you know, Google Sheets, Google Slides, everything like that. So I would recommend doing it on a real computer, not a phone, but you can do it. Looking through chat here. What are we at on 9:48? Okay, DJ B Sec, before you go, you probably have, like, you got some rounds to do around the jail there. What? What. Yeah, what do you.
E
What are you gonna go find the warden?
A
DJ B Sec, what do you want to share with folks?
E
Hey, just keep on keeping on. That's all I got to say. But pay attention every day, like, we've already talked about it. Today is, you know, if you want to. Want to be in this industry, be in the industry, you. You're gonna have to put the time in there.
A
There you go. Thank you, DJ B Sec. Thanks for taking time out of your day to come join the panel. Enjoy your weekend, bro.
E
Yep. Everybody have a great weekend. I'll see y'all.
A
All right. All right, couple more. Oh, now we got, like, look at us getting. You know, I feel like that that was the opening act and now this is. While we've got people, if you have any questions, we have a few more minutes left over to answer questions, so drop them in chat. But as an opportunity. Robert, can you share? Like, you know, what. What would people like to. What do you want to share with people?
C
Yeah, check out Bow Tie Security Guy. Just. I'm on all social media platforms. If you need a mentor, if you're struggling, if you're looking to break in, feel free to reach out. I'm very approachable. I'll tell you like it really is. A lot of my videos are very much what the reality of cyber is on YouTube. So if you. If you go there, I've got my podcast, Bow Tie Security Guy After Dark, that's being shown right there, which is very much catered to new people. It tells you what the job is really like. Explains kind of. I talk to professionals and we talk about the struggles and what the job is so you can get a really good understanding. And that's about it. You know, we're here to help. A lot of us cyber professionals are approachable. Really. If you're looking to get into cyber, you need to break out of your comfort zone, and you need to start talking with people. You need to engage, you need to have conversations. Thank you, Jerry. I appreciate the love. I work with a lot of people, so. And I don't charge for this. Like, I'm just trying to help out. I know how hard it is to find anyone who even cares. But don't be upset if I respond to you with a bunch of videos to your questions because I've already answered them previously.
A
Exactly. That's that. I mean, that is why Simply Cyber, that was its original inception. Reason is because I couldn't answer people's questions and I felt bad being a prick to them. Like, oh, get out of here, I don't have time for you. Like, I, I can't, I can't sleep at night if I say that to someone. James, share some stuff. Share some love.
B
Ah, let's see. So next week, well, the next few weeks, busy doing presentations, going to conferences. CypherCon next week, got a refreshed and updated presentation regarding the dark side of AI and deepfakes. Got some new toys that I'm bringing with me that I've created to demo on how easy it is.
A
What conference? Is there a conference someone can meet you at?
B
I will be at CypherCon in Milwaukee next week, the week after. Let's see here, the week real quick.
A
If you're going to CypherCon, let us know in chat. Say you're going to be there. If you're actually going to be there. I'd love to see who's going to be there then.
B
I'm doing, with the ISC2 Central Florida chapter, we're doing a CISSP training day. So that's gonna be a lot of fun. On April 11th, that's available on their website. And then I'm doing a presentation for the Maritime Security Group, but that's closed to them. Yeah. And then I'll be in Tampa, ElevateIT on April 16th. So I'll be leading a CISO panel there. So got some busy work coming up, plus some other fun projects. Irons are still in the fire, still working through, but gonna have some, gonna have some fun this month with some getting back out there and doing some presentations.
C
I will plug James too. To anyone listening, James is available. He's amazing. He's a fantastic presenter. If you need somebody to show your product, to talk on a huge stage, to get people engaged and get new customers in the door, James is your guy.
B
Checks in the mail there, Robert. Thanks, bud.
A
Nailed it. Yes. So Venmo, money coming your way, right? I also want to point out. Oh, nope, I forgot. I forgot I had something. I had something for James and then I didn't, of course. I'm Jerry. So if you're, if you're here, welcome to Simply Cyber. We do all sorts of great stuff. Go to Simply Cyber IO schedule to see all the things, or Simply Cyber IO and then, you know, that is that question from Nick James asked yesterday, but a bit late. Come on, show on screen. Computer SCADA devices be invisible. Is that due to lack of segmentation, budget, incompetence? What is it?
B
All the above, actually. You know, a lot of the times people just connect to the Internet going, oh, this is an easy way to be able to get to it. Or, hey, look, this is, you know, we're, we're making our, our access a lot easier for us and not. They just don't have the awareness and understanding of it. Some of it may come down to budget, but if you've got. Even if you don't have budget, you can still put them behind a firewall and isolate them. You don't have to be connecting them directly to the Internet. Have some sort of remote access into that environment from a single point. Don't do many-to-many. Do one-to-many or even one-to-one. And from that one system on that side of the SCADA then talks to all the other systems. Least user privilege is key, availability is key, you know, and you can do all that without, you know, blowing the budget. It's just, you know, some firewalls and a couple computers kind of a thing. But lack of segmentation. Yeah. Segment those systems even if you don't get a budget, because a lot of those, you know, just keep it available. But if it's incompetence, then it's just a matter of getting your folks trained. Never let SCADA be routable. Amen. There you go.
A
Next question for Robert. Ian Guidry says he's got his PenTest+ and CySA+. Can he get an interview?
C
Robert, that's all. That's all it takes, man. No, unfortunately, I don't have any roles open. When I do, I post them on my page and tell you exactly what I'm looking for. I also interview people who have actual jobs open. I reach out to probably about 100 people a month who post roles that say, hey, I'm looking to hire somebody, and I message them privately and I say, is this role actually open or is your company asking you to post it? And he said, the role is not actually open. I've got an internal person is the most common response. So don't get discouraged as you go through it. Build those relationships. If you're looking for pen testing type roles, sign up for, like, HackerOne and other, like, bug bounty programs. Start getting your name out there and then the offers will start to come. But it's, it's a rough, rough field right now even. But when I interview or when I have open roles, I post on my page, and any of my friends who had actual open roles, I do hiring spotlights to really highlight that role when it opens. But if you see a role, reach out to the hiring manager. Reach out to all of the recruiters. Do. If you're just applying and expecting a response and you have no connection, you're not going to get one. Every role that I've opened in the last two years, within 24 to 48 hours, I have to close because I have over 700 to 800 applications.
E
Yep.
A
And just real quick, PenTest+ is offensive. CySA+ is defensive. So you are getting kind of a rounded. But. But just know that like, there's really no cert, except maybe OSCP or PNPT that I'm aware of, that like, is like a door opener. Like, like. Like a door opener. Yeah, like. So the. These are great, Ian, and I'm, I'm happy that you got them and they're definitely going to be valuable to you, but they're a piece of the overall pie. Right? Like, you can't just call a side of corn a meal. Like, you also need like a pork chop and some mashed potatoes on that plate, which would be like, you know, experience and maybe, you know, some education or some relationships with people. But keep, keep going. Keep doing your thing. There's a question in here for James from Gabriel. Hey, James, do you have a short video I can use for deepfake security awareness training on an LMS?
B
I don't have a short video. I mean, I don't have one made personally. You can go out and look at Perry Carpenter. He's done.
C
I was gonna mention Perry.
B
Yeah, Perry's a good friend and, and former colleague from KnowBe4. He's done a bunch of videos online. Perry and I chat regularly, but he's got some good demo videos that he's done. I've done demo videos in my presentations through Antisyphon and online as well. But otherwise make your own. It's not that hard to go out and be able to create your own. Do one of the CISO or your chief exec, your CEO for your organization, you know, a couple hours and you got a video made.
C
We. We did one recently to show the dangers of it to our, to our company. And we did it and we showed it to, to the head of the company and he's like, no, that's way too real. So we had to, like, use a lower. We had to use a lower-end model, which is equally as scary. But just to show, like, you can make them so good now and they're so easy to make. I literally had my 14-year-old daughter make a deepfake. It took her probably about 30 minutes.
A
Yeah, yeah, yeah.
B
Well, I can do mine in four minutes now, but. Yeah, yeah, yeah, yep.
A
All right.
B
As we deflate Jerry's balloon.
A
No, no, it's fine. I. Yeah. So Perry Carpenter, definitely an AI expert. Like, it's kind of funny because, like, he does a good job of marketing it. But like, I, I feel like Perry, like, does so much and he's so good at it and a lot of people are unaware of how, how good he is at it. He's got a lot of projects going on, so I love it. I. I want to promote something or share something or whatever. And I'm, I'm saying this more for like, almost like public accountability than anything else. I have. Over the years, you may have noticed, like, I've tried to do shorts or Instagram reels and I do it and then I, I stop doing it because it's like too much work, too much effort, and I don't get any of the results I want. I am now trying. I'm going to do it for like a month and we'll see. You guys saw I did a bunch of RSA shorts, but yesterday I did one of these green screen, here's the story and then here's, here's like two sentences on what it is. And then here's my hot take on what, what you need to know about it. I'm gonna do those for a month. I'll report back, but I've got it all set up. I've got my little, you know, I got like, I got this like, right next to my computer and I got little DJI mic. So, like the idea of like, oh, I have an idea, let me do it. I can be set up and recording in like 30 seconds and then it can be posted in 60 seconds. So like, in under five minutes I can do this, which is a reasonable thing if I'm like waiting for meeting to start or something. So anyways, stay tuned. I tell people to do this stuff all the time. I'm going to be doing it too, so I can speak from experience. So hopefully that's good. Guys, we are about to rip. So if you want to say goodbye. Robert. Robert. Uh, what do you got? Just.
C
Yeah, no, that's it. Everything we talked about. I appreciate it. And anybody who's trying to get into cyber, who is working to kind of get in, just keep at it. No, it's a marathon, not a race. You're not going to get there quickly. You need to make connections. You need to build relationships. If you don't have a network, the odds of you finding an opportunity are very slim. You just have to put the time in to build relationships. Find a mentor. If you don't have one, doesn't have to be me. I'm not everybody's cup of tea because I'm very brutally honest. And you'll probably leave more depressed than happy. But I'm going to tell you the reality of the market, what you're getting into, and if you still want to do it, you're the type of crazy we want in this field because you need to have a little bit of crazy.
A
I love it. What he said.
B
And go watch Daniel.
C
Yes.
A
Yep. I love Daniel Lowrie. So he's going to continue the exact vibes of what we're doing right here. So I dropped a link in chat. Go get it. Also, shout out to Daniel wearing a Goonies shirt. That is a Kool-Aid, digital Kool-Aid, man. Drink emote if I've ever seen one. I'm Jerry from Simply Cyber. Thank you to Robert, DJ B and James McQuiggan at 35,000 for their time and expertise. Guys, go forth, have a great day. We'll see you over in Daniel's channel. Have a wonderful weekend. Till next time, stay secure. Sam.
Podcast: Daily Cyber Threat Brief
Host: Dr. Gerald Auger (Simply Cyber Media Group)
Date: March 27, 2026
Episode Theme:
A high-energy, community-driven review of the day’s eight top cybersecurity news stories, with expert insights, practical takeaways, and audience Q&A. Dr. Auger, supported by guest panelists, moves beyond headlines to connect technical details to the real-world risks, featuring light banter, career tips, and a focus on helping security professionals stay current.
00:01 – 05:00
05:05 – 12:00
Each story summarized with insights, practical implications, and panel discussion.
12:01 – 14:10
17:24 – 26:39
26:39 – 34:07
34:07 – 40:25
45:38 – 51:04
51:04 – 57:38
57:38 – 59:20
59:20 – 62:00
62:00 – End (~120:00)
Panelists:
65:04 – 67:50
GitHub Projects vs. LinkedIn for GRC/Breaking In:
AI/Vibe Coding Security:
Interview Prep:
44:20 – 45:37
Baseball-themed dad jokes (groaners), delivered by James McQuiggan, with audience ribbing and banter.
| Time | Segment | Key Point/Quote |
|----------|-------------|-------------------------|
| 12:50 | RedLine extradition | “Play stupid games, win stupid prizes.” |
| 23:34 | BPFdoor deep dive | “If the network traffic is encrypted, you can inspect it all day, but…” |
| 27:47 | NSA Chiefs’ alarm | “Not numb, just beaten down by the volume.” |
| 35:44 | Automotive cyber | “Tesla…is a tech company with wheels.” |
| 51:42 | LangFlow exploit | “AI hacks are the new normal.” |
| 99:36 | Career endurance | “You will get trucked by the momentum…it’s a lifestyle.” |
| 106:41 | GRC leadership | “Be the lead before you’re recognized as the lead.” |
For full details, career guidance, and lively Q&A, listen to the episode or connect with the contributors (Dr. Auger, Bowtie Security, James McQuiggan, DJ B Sec) via the Simply Cyber community.