Loading summary
A
All right. Good morning everybody. What's cooking? Welcome to Simply Cyber's daily Cyber Threat Brief podcast. I'm your host, Dr. Gerald Ozer, coming to you live from the Buffer Ozer Flow Studio. I hope you're having a good morning. Got the coffee going. We're going to be ripping through the top cyber stories of the day while getting companionship, friendship, social interaction here with like minded professionals who are all about support, inclusion and empowerment. We're going to level up like a bunch of bosses. We're going to have a good time and it's a great way to start your Friday morning. So thank you for joining me. Let's get ready to get cooking. Yeah. All right. Good morning everybody. What's up? James McQuiggin at 35, 000ft. My man Nerman with the coffee cup. Cheers. Great to see everyone. Listen, we're gonna go through eight top cyber news stories of the day. I have not seen these stories. I have not prepared or researched for these stories. Ain't nobody got time for that. That's right. Ain't nobody got time for that. I'm up here working my guy, so yeah, every day it's the same format. I don't know what we're going to be doing. I have 20 plus years of experience in industry also. I'm very, very passionate about cyber security. Spend a lot of time in higher education learning and refining those skills. I'm super excited that no matter what story comes up, I know I will be able to go beyond those headlines and give you additional insights and value that you wouldn't get from a textbook, a classroom or from just an RSS feed with some stories in it. Yes, of course you should absorb the top level, surface level part of the story and we will talk about that if it is germane to you being able to deliver cyber excellence to your constituents. But I want, I, I care about you, okay? If you can make your organization more secure, all of the more power to you, right? But at the end of the day, I'm all about empowering you. I want you to be awesome. I want you to kick butt in your, in your role basically. And I want you to be marketable. I want you to be, say you're in a toxic situation, say your boss isn't giving you the raise because you know they like, they're suppressing you. I want you to be able to be like, you know what, I'm gonna go shop myself. So we're going to be doing all that and more. It is Friday, guys, which means Only one thing, it is James McQuiggin's dad jokes of the Week. That's right. Every single day of the week here at the Daily Cyber Threat Brief, the podcast of the year, sans award winning show. Every day has a special segment and for years James has had Fridays locked down with dad jokes. I don't look at those in advance either, so you get my reaction with those. Sometimes they make you groan, sometimes they make you laugh, but they're always enjoyable. The experience is great. And James is in chat right now, so say hi to James if you would. I think he's at Osmosis Con. He's definitely traveling right now. He was in Coffee Not Coffee Talk Cyber Career hotline yesterday. Guys, if you're here for the first time, welcome to the party, pal. Did you know?
B
Welcome to the party.
A
We love welcoming our first timer. So don't be shy, say what's up in chat, everybody. You can see if you're looking at the chat directly above my head. This is a live data feed right now from the Simply Cyber community. You can see how kind hearted and welcoming everybody is. Devin Grady's welcoming Dennis Keith. Dennis Ke's welcoming James McQuigan. James McQuigan is welcoming Pirate Kitty and so on and so forth, as it were. James is at Elev it and Big Dallas going through the big D and don't mean Dallas. Oh my God. Country music. We got both here country and western. I don't see what your problem is, but if you're a first timer, don't be shy. Don't think that this is a closed group of people who all know each other already and you're just an interloper coming on in. Take a second, say what's up? Drop a hashtag first timer in chat so you can identify as a first timer, not so we can single you out to point and be like, oh my God. Quite the opposite, my friend. We want to know because we have a special emote, we have a special sound effect to welcome you to this inclusive, supportive community. This one's not like any other cyber community that you know of. Believe that. We don't pay wall stuff. We don't have tiers where like you get access. We don't have a discord server that costs 50 bucks a month. We don't have dumb stuff like that. What we do have is a genuine passion for helping people and sharing knowledge and being all about good times. So drop a hashtag first timer zombie. What does that say? Zombie What? Zombie lvnd. Zombie lvnd. First of all Zombie lvnd. Welcome to the party, pal. Welcome to the party. If you guys could help it, help me welcome Zombie. There is a le speak in there on the Zombie here. I'm gonna do it myself. I want to say welcome from first timer Zombie. Also Zombie. I know it's your first time here, so you may not know that, but I'm huge into retro synthwave. And I see your profile photo looks retro synth wavy. Look at my background, dude. Oh, yeah, there's no mistaking that 80s son. Come on now. Welcome to the party. I hope you have a great time. Zombieland. All right, my guy. I hope you enjoy the experience, dude. Thanks so much. All right, guys, what do we do first? Oh, my gosh. Hello. Every single episode of the Daily Cyber Threat Brief is worth half a cpe. Did you know that? That's right. If you have cyber security certifications that need annual maintenance, I. Your boy, two thumbs, all smiles has got you covered. How this episode, believe it or not, even though it's a lot of fun and we got cool lights and stuff, Even though it's a lot of fun, let me tell you this. I am a qualified instructor. I teach at at El Military College. I got 20 years of experience. I have a PhD hanging on the wall. I don't care if I'm all about good times. Nobody can dispute the fact that I can't run a qualified instructor LE Cyber Security webinar, which is what this bad boy is. We have fun for an hour. To make it easy on the math, we say half the show is education, so it's very easy. You get a half a cp, they add up. Now I've made it even easier for you. Go to Cyberthread brief, simply Cyber IO cpe. I got a link in chat. You can also hit an exclamation point CPE in chat. And we have a bot that will automatically see ThatException CPE and reply back with the link. Here's the deal. Oh, thank you very much, Pirate Kitty. I just got these shirts made. I want to look like a real boy when I go to conferences now. Fake people into thinking I'm a real business. All right, so check it out. Go to this website. You can put in your username. I mean, excuse me, your full name. So Gerald Oer, James McQuiggin, whatever you want. Dennis Keef. And your email address. Check these two boxes and then to. On the first of the month, every month, I will email you from an automated email account with a list of all the days you attended the cpes and it, it looks great. It's on like a certificate. It's got my name and kind of like sign off on it. It looks very nice. Our first one's going to be going out June 1st. So the beta testers. I also want to say quick shout out yesterday there was a bit of beta user feedback live in chat about the CPEs. There was a request to have the day switch over not at midnight Eastern time as it was, but have it switch at 8am Eastern time. So the show starts at 8am Eastern Time. So now so everybody's aware since you're all beta testers since you're all to make you aware now when you watch the show on replay, you have until 7:59am Eastern Time the the next day to be able to get the CPEs. Okay, it doesn't reset at midnight. It reset basically when the show starts the next the page gets updated with the next show. So like this web page got updated nine minutes ago. All right, Chef's kiss. I take your feedback seriously. I implement it. I'm not just a blowhard up here listening to myself. Also shout out thank you. New new new shirt. Feels good. Good fitting. I can wear it when I do conference talks and stuff. All right guys, we got our CPEs. We got our first timers. I want to say quick love shout out to the stream sponsors starting with anti siphon training. Guys, anti siphon training Start hunting summit is coming. There is still time to register for this free six and a half hour six and a half CPE basically 10am to 4:30pm conference. You can attend it virtually which means you can take it from anywhere. You can take it from Delta flight seat 3B James McQuigan. You could take it from a coffee shop, you could take it from the delivery room. Justin, like wherever you need to be my guy. You can take this training. Go to anti siphon training site. I'm going to drop a link to sign up for this. In addition to the free six and a half hours of virtual conference, they have mad amounts of training including all the training that you can see here. Wade Wells training two days. Wade's a a member of the community. You can get 20 off any of the trainings with my code Simply Cyber 26. 20 off with Simply Cyber 26. Go check it out. Wade raffled off one last night on firesides. It was great. Also want to say shout out to threat locker. Threat locker. Bringing zero trust protection to to enterprises by application by Deny by default. They do it on the endpoint now they do it in the cloud. Let's hear from them and then we're going to get into the news. I want to give some love to the daily Cyber Threat brief sponsor Threat Locker. Do zero day exploits and supply chain attacks. Keep you up at night. Worry no more. You can harden your security with Threat Locker. Worldwide companies like JetBlue Trust Threat Locker to secure their data and keep their business operations flying high. Threat Locker takes a deny by default approach to cybersecurity and and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operation. Is fully supported by their US based Cyber Hero support team. Get a free 30 day trial and learn more about how ThreatLocker can help prevent ransomware and ensure compliance. Visit threatlocker.com DailyCyber. All right, hey, really quick shout out a win for the community at the Rich 464. Thank you Justin. By the way, at the Rich 464 if you would join me in wrecking ball emote please. Sorry, there's a stray Chief Wiggum in there. Guys. Rich464 officially starting his new account manager position today thanks to Team SC. Rich464. Hell yeah dude. Crush that job. You earned it. Way to go. Super pumped for you. I hope you can continue to be a participating member of the Simply cyber community. The rich 464 what a boss. Dude. This, this community. You guys absolute bosses up in this mother trucker. All right guys, let's start the news, shall we?
C
From the CISO series, it's Cyber security headlines. Foreign these are the cyber security headlines for Friday, May 29, 2026. I'm Sarah Lane. Fraud Gang Steals from World Cup Fans Researchers at Group IB say a Chinese speaking fraud network dubbed Ghost Stadium has set up more than 300 fake FIFA ticketing sites across thousands of domains to target fans. And ahead of the 2026 World cup, the phishing pages reportedly mimic FIFA's login flow to steal credentials and payment details, then redirect to victims to the real site. While some can trigger password resets to lock users out and resell legitimate tickets. Pentagon all right.
A
I mean, okay, so I don't normally like to say this, but for this particular one, I like to say it because I really do like FIFA World Cup. I used to buy a new TV every four years aligned with the World Cup. I don't do that anymore, obviously. I, I have, I have a family now and like, you know, I have to take the trash out and whatever. All right. So this is. To me, the World cup is the apex case study event of threat actors capitalizing on what is so hot right
B
now that Hansel's so hot right now.
A
World Cup's one of the few events even my opinion, imho, over on Reddit, in my opinion, the Olympics doesn't get to this level of fervor and passion by individuals. Right? World cup to me is the apex of just the international community going buck wild on wanting to travel, wanting to spend all the money, wanting, wanting, wanting, wanting to go to World Cup. So it should be no surprise that threat actors are going to capitalize on this. Remember this, no matter what World cup this year, Covid 2020 stimulus checks from the US government, the Olympics, it, it doesn't. The Masters tournament, golf tournament. A golf tournament like no other. Although I would point out that you want to say a golf tournament like no other. How about like the waste management is that whatever the waste management pro tour circuit is over on the PGA where people are drinking beers on the course and stuff like that's a tournament like no other. Threat actors are going to stand up and capitalize on this because, because remember, for a threat actor to be successful, they need like, social proof, authority, trust, and you know, basically either a carrot to incentivize people to fall for the trick or a stick to scare people into falling for the trick. And this one right here, dude, the economy is jacked up. People are wanting to spend money still on World cup stuff. So, hey, if I can sell you a ticket for 20% off or, oh, you know, we bought in like some stupid lie. Like, oh, we bought in bulk all the tickets to the Atlanta World cup games, and now we're reselling them at a slight markup, but still at a discount to you. People are gonna be like, sure, that sounds good, let's go. You know, or you get like my Aunt Kathy who's trying to buy me World cup tickets because she knows I'm into it, and then she gets duped, right? Whatever it is, this fraud gang has probably been preparing like it's, you know, a heist movie for months, getting ready for this, meaning getting their infrastructure up, registering all those domain names and stuff like that. What's particularly interesting in this one is they stand up a fake front. Victim goes through the. Goes through the login and purchase situation, and then gets redirected to the legitimate site. So the victim may be able to buy tickets, un, un, you know, unhappily at full price and still have their creds compromised. This is Going to be a billion dollar or at least hundreds of millions of dollar type attack 300 plus fishing domains. 79 exclusively selling premium and hospitality tier tickets priced between 1500 and $10,000 a rip. So each rip is, you know, potentially thousands of dollars. I don't know about your ROI guys, but you know, my hourly rate. Hourly rate is, you know, 250 bucks an hour. Right? I'll just, I don't care. I'll just say it, right? So if you want me for consulting, it's 250 bucks an hour. These guys are getting $10,000 like every 15 minutes. 10 minutes. You know what I mean? The, the, the ROI on this is insane. The fact that it's China based doesn't matter. Like, I could have seen Eastern Europe, Belarus, Romania, Russia, Kazakhstan, Pakistan, North Korea. Anyone could have done this. And I bet you actually, I'm gonna go, I'm gonna go one step further. I bet you, you know, a money that matters to me that this is just a story about the Chinese gang doing it. But there are other gangs. It's not like, it's not like North Korea got to the party and they're like, oh man, China's already got the World cup fraud site going. Shucks, I guess we'll have to wait for the masters in April. No, dude, everybody, it's a, it's, it's criminal con. Everybody's going buck wild on these things. It's criminals gone wild, right? Get your VHS tape right. People are throwing beads at criminals, if you know what I mean. All right, so what can you do? Educate your end users. Dude, Facebook ads. Come on. Like, stop, Stop, please. If it's too good to be true, it's. It's not. It's not. Also, I want to say something very interesting. Of course you guys can read these stories. Educate your end users on being wary of these increased threat activity. Again, don't just f. Focus on World Cup. When you're doing your awareness training. Tell them it's like whatever's hot right now, okay? Because it, the, the lesson is going to persist. Threat actors aren't going to just shoot their shot on World cup and then retire. The other thing I want to tell you that I'm super interested about. By the way, I'm wearing this shirt today because I'm going to take it to Vegas for Cisco Live. And I wanted to make sure, in case this is such a nerdy GRC move, I was like, oh, I better wear the shirt today in case it pinches somewhere or like after several hours I don't like wearing it because I don't want to be stuck on travel and all of a sudden have a shirt that pisses me off. Okay, listen, here's what I want to tell you. I attended Flare Academy's illicit networking training yesterday. Two hours focused on passive DNS reconnaissance, which is super specific. Passive DNS reconnaissance to understand illicit criminal interconnections and relationships. Very, very niche training. I loved it. If you attended it, let me know in chat what you thought of it. But one cool thing I found out about that I wanted to bring back to you all is that these threat actors, it's not like they have, like, one website called, like, fakeworldcup.com. they register hundreds and sometimes thousands of websites. And they use a technique called fast fluxing, which sounds like it should be like a, you know, a super move in Marvel versus Capcom, right? It's like M. Bison super move is fast flux. But listen, also, Kool Aid man drink. They rotate the IP address underneath the domain name every five seconds. So, dude, your Iocs gone. Like, it doesn't even matter. You do a whois lookup on a domain name. It They've already changed the domain name that's applied to that IP address. And they. And the WHOIS records don't get updated every five seconds. They get updated, like, every 12 hours. So the records and the information you're looking at from a threat intelligence perspective, from a research perspective, it is expired. It is old news. It's not valid. It's crazy how quickly these dudes are moving. All right, thanks for the Kool Aid, man. Mad Destroyer. Oh, hey, really quick. Want to share a quick personal story with everybody? See it? Since I see Mad Destroyer, who's also a fan of coffee. If you're a coffee fan, you're gonna feel me on this one. If you're not a coffee fan, just indulge me for 15 seconds. We have one of those kettles that you. You push up. You fill it up, and you push a button, and it can heat it up to, like, 160 for white tea, 170 for, like, green tea, 200 for coffee boiling, if that's your jam. Right? I. I always do the 200 for coffee, which is just below boiling, right? And then somebody switched it right where it was 160. The pot of coffee I made today, the. The coffee water temperature was 160, which is not hot enough to really pull out the oils of the coffee. And so I'm basically drinking, like, Truck Stop coffee right now. Like, not Truck Stop, the Kind of coffee where, like, they didn't change the filter and the grains, they just pushed the brew button again to cheat the system. That's the kind of, like, trash I'm drinking right now.
C
It's very unsettling and says US Military targeted by location. Reuters reports that US Military officials say adversaries are using commercially available location data to surveil and potentially target American troops in active war zones. A bipartisan group of lawmakers warned the Pentagon that data harvested through the ad tech ecosystem and can reveal troop movements and patterns, creating risks ranging from missile and drone attacks to counterintelligence exposure. The Pentagon is being urged to disable AD IDs on military devices, restrict location sharing, and move personnel away from tools like Google Chrome, IBM.
A
What? All right, like, I. Listen, I didn't serve in the military. I've never. I've never been stationed in a war zone, right? Or forward operating base. You tell me, right? I know we've got some veterans and some service members in the community. Like, if I'm in a foxhole in, like, Kabul, right? And I know. I know I'm. I'm butchering the crap out of this, but, like, if I'm in an active war zone and I've got my rifle and I've got my camo gear and everything, and I've got my periscope, right? Like, am I also got my. My personal cell phone. Like, what are we doing? What? Like, why don't. Like, how. How. How are they using location data when the soldier. Why is the soldier logging into the chrome on the laptop that controls the drone? Can someone give me that? Like, seriously, Jean Devinish says US Soldiers need to learn the hard Russian lessons learned in Ukraine. That's what I'm saying, dude. Like, I get it. You're bored. You want to go on Tinder and see what's up. Locals in your area, you want to read the news. But, like, listen, I will say this. This is not. This is not a cyber security story. In my opinion. This is more of a privacy story. Because location data is legit. People opt into it, they give it out. Not a cyber story. Okay, so I'll just spend a hot minute. You might think that you're anonymous. You're not. Your phone knows who you are. Like, that's why. That's why whenever you, like, open, you know, an app or whatever, and the algorithm feed you things, and you, like, looked up and you're like, holy crap, how. Why did I just waste 10 minutes? Like, you're waiting for a zoom meeting. To load, or you're waiting for a page to refresh, and then you look at your phone really quickly and 10 minutes later you like, come out of a blackout and you're like, oh, my God. It's because they know who you are. And in this instance, they are able to identify. They may not be able to say it's, you know, deputy Dog or Private Piles or Colonel Mustard, right? They're not going to be able to say potentially who the actual military personnel individual is unless they're very, very good at understanding the location data. But, but If I see 2550 similar, you know, private first class looking guys or, you know, ladies and men, all, you know, in one consolidated location, you guess what I think, I think that that's a base or a barracks or a Ford operating force or whatever. There's value in all of that location data. And really, guys, you can, if it's not protected, you can query it. And by the way, in this particular instance, you don't even have to hack the system. You don't even have to hack the system. You can just pay Facebook money, you can pay Google money to get that location data. Because guess what? When I'm trying to advertise, like, say I have a, A one of bakery, right? I. I've got Phil Stafford's Muffins and Cakes, right? Phil, you own a bakery now? Phil Stafford's Muffin and Cakes on, you know, Front street down in San Francisco, the Wharf district. Guess what? If I'm paying to advertise my bakery in San Francisco, I sure as hell do not want to spend money advertising to people that live in Boston, Massachusetts. I want it centralized to people who are walking on Front street that are between the ages of 25 and 45 that have disposable income, that perhaps are there on travel, like normally they live somewhere else and that's where their phone's normally located. Facebook, Google, all of these ones, they allow you to zero in on the exact targeted demo. That's my thing. It doesn't ma. They don't care if it's James McQuigan or Elliot Mati. What they care about is, is this person nearby and are they of the Persona to have money to spend in my store? Yes, serve them the ad. That's how it works, guys. That's why all this. That's why all this stuff is free. And that's why Google Mail's free. That's why Facebook's free. You're the product. Your location is part of the product. That's why these Big tech companies are so filthy rich, they're selling data, baby. Data is the new gold. Yes, sir.
C
And Red Hat commit to Project Lightwell. IBM and Red Hat have invested $5 billion and assigned more than 20,000 engineers to project Lightwell and a new initiative focused on securing open source software used across enterprise supply chains. This centers on an AI powered enterprise clearinghouse that will identify, prioritize and validate vulnerabilities in widely used open source projects, then work with maintainers to develop and distribute secure patches through commercial subscriptions. Major financial institutions like bank of America, JP Morgan Chase and Visa are backing the effort. Microsoft.
A
All right, very cool. So IBM, Red Hat. I will tell you, there was a. They're investing money to secure open source projects. Okay. You can call it Project Lightwell. Sounds very righteous, right? Like Project Hail Mary. Great movie, great book. But Project Light. Well, guys, can I just point out something wicked fast? This is not new, by the way. $5 billion is a lot of money. For real? For real. But Amazon, Google, Microsoft, you may have heard of these companies. Open source security protection, U.S. government funding. Okay, I just want to point out really quickly. So there's a story from March 2026, but that's much, much too recent. Is this it right here? No, this is AI. It was like three, four years ago where these large companies agreed to spend money to protect open source software. That the thing was, at the time, it was like, not a lot of money. I remember making fun of it because I was like, okay, like, that's great. But it was like $20 million, which I get. $20 million is a lot of money to me and you, obviously. But when you're five companies that have a combined value of like $2 trillion and you're trying to secure all of open source software, it's not really a drop in the bucket. So IBM committing $5 billion with Red Hat is insane to me. I mean, IBM has, you know, been around for a minute. But annual revenue. Hold on. IBM's annual revenue for 2025 was $67 billion. So they're committing 10% of their annual revenue, which is. Which is a lot. That's. That's revenue before operating cost. Right? So that's not profit. That's just annual. That's revenue. So if I had to guess this money's coming from somewhere else, I don't know, like, dude, you could be righteous, but I don't think the CEO of IBM keeps his job if he's like, you know what I think we should do? Let's take 10 to 15% of our money that we made last year and just give it away. There's got to be an ROI or a return on investment on this one. I will say this now as a cyber security professional. Open source software and supply chain attacks associated with that are absolutely rampant problems right now and are increasing. Right, Play your rampant growth, Justin Gold, because open source software supply chain attacks are doubling on the regular now they're saying that they're going to fix vulnerabilities without breaking what's already in production. Okay. I mean that's the dream, right? Nobody's trying to break what's in production. So that, listen, this is right on brand with what I've been saying, by the way. They're going to leverage AI to scale software security. They're going to use AI to identify, triage, prioritize and validate vulnerabilities and fix across open source code bases. Engineers involved in the project will focus their efforts on active upstream maintenance alongside open source community leaders, high volume AI assisted vulnerability reviews and the development of secure patches and release engineering. You got a Patrick. Okay, my guy, I found what the hook is. I don't know if anyone. But listen, here's. Thank you. Here's the deal. Just like this is not a surprise, this is not breaking news. Here is the reality, guys. Number one, threat actors are using AI to reverse patches in incredibly quick turnaround times and exploit the crap out of things. I've told you, we have this technical debt of 20 to 25 years worth of software that threat actors are going to be able to point AI at and get all sorts of attacks. We are going to get. We are in this like heyday and we will be in it for probably two more years of just getting absolutely our butt handed to us as defenders. The only way to solve this is to get in front of it using the same techniques, the same technology the threat actors are using to find those vulnerabilities faster than them, patch them faster than them and basically get in front of them. Right? This is a, it's an arms race is what we're doing. IBM, Red Hat, it's. They're doing the same thing the threat actors are doing. They're just doing it for good, period, full stop. Now why would they invest $5 billion, right? What's the ROI? There, there again, I said it before. There's got to be a reason that no business that's a for profit business does this without some reason. If I had to guess, okay, it would seem, yes, obviously it's valuable because IBM has a lot of code and they probably depend on stuff that's involved in this. But also they are going to be developing the, the AI vulnerability systems that are going to be discovering this. That sounds like a wicked valuable product. I don't know. I'm, I'm, I don't know if IBM's working on that. I don't know. I'm just saying, like, the key to this massive problem we're dealing with right now is doing it faster than the threat actors. That's a product. Products make money. Great cash, homie. Again, I don't know. Stay tuned for Project Light. Well, I'm glad someone's doing it. It's beyond my scope. Right. But I'll certainly be a consumer of it.
C
Slams GitHub Zero Day Disclosures. Microsoft is criticizing a researcher known as Chaotic Eclipse who published details and proof of concept code for multiple Windows flaws, bypassing Microsoft's disclosure process. The company says three of the bugs affecting components, including Defender and BitLocker, are being actively exploited and warned that releasing details before patches are available puts customers at greater risk. The dispute escalated after the researchers, GitHub and GitLab accounts hosting the code were removed.
A
All right, hold on. This is, this is interesting. Okay, so first of all, we got an anime profile picture. Cool. All right, let's see what Microsoft's come out strongly in favor of coordinated vulnerability disclosure. Okay, okay. Like urging the research community to share their findings with the vendor before going public. Okay. Microsoft has come out strongly in favor of coordinated vulnerability disclosure. Okay, listen to me really quickly, please. Responsible disclosure is not a new concept. This has been around for 20 years, maybe 15 years. If you're old like me back in the day, if you came out with a vulnerability, the company would try to get you arrested for violating the Computer Fraud and abuse act of 1986. In the United States, security researchers were scared. This is why that famous. Like, this was kind of a watershed moment, honestly, when. This is like cyber security history, if you will. The members of LOF crack, if you know this area, where's the. There's like a famous picture of them all sitting in front of. Dude, what the hell? There's a picture of them all sitting in front of. Where's that picture? Is that picture been scrubbed from the Internet? What the hell? Hold on one second, one second. It's a famous picture. If this has been removed somehow from the Internet, I'm going to lose my mind. No. Okay, here we go. It looks like the last supper. Okay. All right. You can see it on stream Right now, this was a watershed moment. This is the Loft group, okay. And they were out of Boston. They were security researchers, effectively hackers if you will, kind of of the 1995 Johnny Lee Miller Angelia Jolie hackers movie. And they came to Congress and interestingly enough, their name placards in front of them at Congress has their hacker handle. So mudge is dead center. That's Peter Zapko. He's actually gone on to have an amazing career with the NSA and federal government at the highest levels. We have Weld Pawn, Space Row kingpin who was like 19, right? And the whole point behind this was up until this point in 1998, like it was. You were like in the, in the dark, right? You, you like did these hacks like as a. Not anarchist, but as like an anti establishment. Stick it to the man. My only crime is that of curiosity when, when Loft came in front of Congress and came out and said, listen, what's about to happen is called the Internet and it is absolutely insecure. And this people at this table could bring down the US Government if we wanted to, just like other people in other countries can. You've got a major problem. And it was basically this moment that lit the fuse that turned into responsible disclosure. The. The reversal of prosecuting security researchers for doing good. It's where Hacker one bug, crowd integrity, all of those came out of something like this. So for, for Microsoft to say we come out and we're really big into coordinated vulnerability disclosure, my guy, like that's been around since 20 years. So I appreciate them echoing it, but people should do it because here's the problem. If you just come out like a hothead and you're like, oh, I found a vulnerability in Microsoft operating system and here's how you hack it, that means Microsoft hasn't had time to fix the problem. Which means people who are regular people like you and I using that technology are now exposed because threat actors are going to weaponize that vulnerability or the exploit if one is released, also to attack systems. So for a security researcher to just be an anarchist and release exploits and vulnerabilities, zero day vulnerabilities, it's kind of reckless to me. It's. It's a bad, it's a bad practice. Right? Now remember, Microsoft owns GitHub, so they can straight up pull up these things out. All right? The folding rays included Blue Hammer, Red sun, undefend, yellow key green Plaza, mini Plaza. Oh my God. Okay, so a lot, a lot of colors in there, right? I noticed they omitted black Must not be a mono black fan for all my magic players out there. So what else? So this is not surprising, okay? Microsoft bans the account and takes the stuff down. Okay guys, this GitHub is not the only place on the planet to host code, okay? So shortly after this account gets removed, a brand new account gets lit up on Get Lab and all this code gets published so that it's out there. The TLDR is. If you're a security researcher, don't be a, don't be a pecker head, don't do this, okay? You can still get your, your flowers, you can still get glazed. You can do all your Gen Z things and not do this. Okay, Second of all, I will tell you an instance where sometimes people get fed up and do this. Sometimes security researchers will submit findings to a vendor and the vendor ignores them. Or the vendor says it's not a real finding and then the security researcher feels frustrated then releases it. I'm. I'm all for that. I know this sounds counter to what I just flipped out about, but I'm for that. If the vendor is going to ignore it, you cannot suppress this information because you're a big, you know, conglomerate and the security researcher is an individual. So security researchers, this happens. Number two, if you see a zero day release like that, all you have to do is as a practitioner is you have to increase your detection and your threat intel feeds to make sure that you're aware of whatever this window of exposure is. And then you know, get, get patched. As soon as the vendor does patch it. Ah, you gotta patch it huge.
C
Thanks to our sponsor Guard Square, attackers are treating your mobile app like an open book. 63% of security leaders recently detected app tampering, cloning or unauthorized modifications. When your code runs in an untrusted environment, you need runtime, self protection and code hardening to keep attackers out. Address tampering before it starts. Learn more@guard square.com all right, all right,
A
hold on one second. We got to do the mid roll. I've got to talk about flare really quickly. All right guys, we are at the mid roll. Do want to say thank you to the stream sponsors. Threat Locker with their deny by default solutions Anti siphon with the socks Threat hunting summit. Excuse me. Coming up June 17th and want to say really quickly what's up to Flair now Flair. I haven't fixed the redirect yet so. But I wanted, I do want to tell you. Listen, Flair is the threat intelligence platform that prevents breaches, right? The Identity first threat intelligence platform Collapses the detection to remediation gap. You can absolutely use this platform for a two week free trial to see the value. I love flare. I'm actually. They're actually releasing a whole bunch of new features. I'm going to be doing another product review with them in July or August time frame because of all the crazy new features that they have. Guys, people are not hacking in, they are logging in. Identity is the frontier of cybercrime. It's insane. Not to mention agentic AI non human identities is going to be another massive attack service because people don't quite understand how to protect that. I will. You can use this orange button at the top right here. Grab a free trial, two weeks. They do have to verify your identity first before they give you access to the platform. Like I said, there is a simply cyber redirect. So I can get credit that I sent you, but don't let that hold you back. I'll get this fixed for next week, but thank you very much. Flair. Love those folks over there. And if you've used flair, let me know in chat. All right, guys. Every single day of the week has a special segment. And Monday, Fridays, oh my God, can you imagine if today was Monday? Every day of the week has a special. And Fridays is Dad jokes of the week with James McQuiggin at 35, 000ft. Now remember, I don't research or prep for the. I don't read these in advance. So let's hear what James has got to say. Hold on, let me get my. Let's go full screen so you can see the full. The full cringe coming on. All right, here we go. Dad joke, summer style. James has got us hitting for the summer. By the way, after the stream's over, I am going to be listening to Kenny Chesney's summer song. You know, the summer one. It's kind of my kickoff, that one. And Miley Cyrus, born in the usa. All right. Why are there fish at the bottom of the ocean? I don't know. James. Why are there fish at the bottom of the ocean? Oh, my gosh. The fish are at the bottom of the ocean because they dropped out of school. Oh, boy. All right, all right. Hey, why did the beach say to the what did the beach say to the tide when it came in? What did the beach say to the tide came in. So the tide came in, the beach saw it and said, hey, long time no see. Oh, my God. Okay, here we go. Final joke coming hot from James McQuiggin at 35, 000ft. What did the. Oh, follow up, what did the tie say in reply? So the beach says to the tie when it comes in, long time no see. The tide replies, nothing. It just waved. Nothing. It didn't reply. It just waved. Oh, my God, bro. Oh, my God. Like, if you could see. If I could be an emote right now, I would be the skull. All right, Gen Z, you know what I'm talking about, Rip. All right, so that's your dad. Jokes of the week. Thank you very much, James. And quick into 35, 000ft. We have some members of the Cyber Career hotline panel in the green room. I don't know, Fletus, if you have. If you've split a side stitch laughing on this one, we'll have to. We'll have to get you stitched up before the panel goes. All right, guys, let's slide back into the. Into the news and finish strong. Remember, stay tuned. At the top of the hour, we do have Cyber Career Hotline where we're going to be answering your questions. It's Friday, which means we'll have a panel of practitioners. We've already got a full slate of great professionals, so stay tuned for that. I hope you enjoyed the jokes at. James McQuiggin is who you can thank.
C
Cruise Giant Carnival confirms data breach. Carnival Corporation says a cyber attack in April exposed personal data of 6 million people after attackers compromised an employee account and access part of the company's IT systems. The stolen information includes names, code, contact details, and in some cases, dates of birth, passport and driver's license numbers. Shiny Hunters has claimed the breach and says it published millions of records.
A
Gog. All right, quick shout out to Robert Trotter. Did we just become best friends? Yep. Robert Trotter giving out five gifted subs. So if you're one of the lucky folks who scooped up one of those subs, you can thank at Robert Trotter as well as dropping those new six hot emotes in your emote tray, including the Oprah emote. Let me go, Oprah emo. There we go. Thank you, Robert. All right, listen, Carnival Cruise Lines, you know, whatever, it's just a large company that has millions of customers. Shiny Hunters, which I'm telling you is going to get hit. I. I'm telling you, law enforcement is circling Shiny Hunters. There's no question. Shiny Hunters is literally hitting anyone and everyone. Like, get ready, Jack Reciter, because the Shiny Hunters Darknet Diary episode has to be in development. They hit another one. Now, they said that millions of records have already been Released, which would lead me to believe that this is an old story. I. E. Cruise Carnival got hit and told Shiny Hunters to, you know, whatever, take a hike. And then Shiny Hunters just did what they do. They released the information. Now, we know part of this because Maine's Attorney General's office. Had main maniacs, right? Had main citizens involved in the attack. Again, guys, I got you gotta love. It's Aaron Fry, the main Attorney General. This guy. This guy's not drinking. This guy's not paying for drinks when I'm around. Look at this guy right here. I've got him on stage right here. I don't know if. I mean, he's just the human personification of the Attorney General's office, but this guy right here, we know about so many different data breaches because this guy's, like, maintaining the fire, like, for. For real. This guy is essentially. What do they call it? He wears the black. Right. If you're a Game of Thrones fan, the wall up in the north, where you take the black and you just stand there on the wall vigilantly, that's this guy. Nobody, Nobody who lives in Maine is gonna have their data breached and not know about it because of Aaron Fry. Like I said, drinks on me, Aaron. All right, so Spiny Hunters. Spiny Hunter. Shiny Hunters gets it, releases it. What's. How is it? How do they get in there? The company said the threat actor gained access to a limited portion of its IT environment last month after compromising an employee account. Again. Dudes, people like. I don't know. Who needs to hear me say this again? Criminals are not hacking in. They're logging in. This is why you can't just be like, oh, it looks bad. Deny they're literally using an account. Jan in accounting, Carl in, you know, research. They're logging in as them. There's not an anomalous look about the login. You need to start considering conditional access. Privileged access, management access, least privilege. Okay, does in a county need access to the blueprints? Probably not. Does Carl and Research need access to HR files? Probably not. So maybe we, you know, limit these things. Hey, here's an idea. Multi factor authentication. I know it's not bulletproof, but, you know, there you go. I'm. I'm telling you, dude, like, by the way, this is why Flair's. Flair's focus is talking about threat intelligence that prevents breaches because identity is the frontier of cybercrime. It's. I'm not making this up, guys. I'm not just screaming for a show. I'm telling you, Shiny Hunters calls your help desk pretends to be Fleetus post in the third, asks to have their creds reset and then logs in as Fletus help desk person feels great because they just closed another ticket. Fleetus doesn't know because Fletus is just doing his thing somewhere else. Threat actors feeling groovy because they just logged in with a super user account and everything's screwed. And honestly, the sucky thing here is Carnival Cruise. Their boats are still going to float. They're still going to be able to go to a port of call in the Virgin Islands because it's me and you whose data was compromised. It's my address and email, it's Robert Wein's date of birth, it's James McQuiggin's driver's license number and passport that are compromised. So Carnival's like, oh man, that really sucks. But we've got a special 20% off on first of the summer, right? Like suck it. So again, honestly, it's probably why Carnival didn't pay the ransom because what do they care? It doesn't affect their bottom line. Is anyone deciding they're not going to cruise with Carnival because their driver's license got compromised in a data breach because of at Carnival?
B
No.
A
Having said that, yes, anybody that suffers a attack from Shiny Hunters is not going to have a good day. I will, I will confirm that. Guys, do tabletop exercises. Have, listen, do a tabletop exercise and use the vishing attack as the initial attack vector. Bring your help desk in if you can. One compel. This is the final thing I'll say on this one compelling thing that I've seen that is really interesting. If you record your phone calls for quality assurance like most, you know, good sized organizations do. If you can find the phone call where the threat actor called in and had help desk reset the password, that is a compelling thing to play to your workforce. Okay, I've heard one. I attended a SC kick. Rhonda Rummerfield and Devin Grady were in the room. A guy from CrowdStrike or a red Canary came and played us an audio. You could hear the voice of the threat actor calling. Sounded like a normal dude, 26 year old guy called help desk and he's like, hey, my name's, you know, whatever, Tom Pine. I'm, I'm, I'm new and I'm trying to log in to my new computer that just got sent to me and the credentials aren't working. Can you reset them? And the help desk guy's like, fine. Like, what's your employee ID number? He's like, oh, I don't know it. I just got hired. Like, I don't know. I. It's in my email, which I can't log into. Can you help me? They're like, okay, who's your boss? What's your boss's name? And he's like, oh, Tom, right? Like a little LinkedIn, OSINT. He's like, oh, it's. It's Tom Lavin. And he's like, no. So this is where the help desk guy goes, no, try again. And he's like. And then the help desk guy's like, it's a woman. And he's like, oh, okay, is it Cindy? And the guy's like, no, begins with a V. And he's like, oh, oh, Virginia. And the help desk guy's like, yep, that's right, it is. Virginia. Your credentials have been reset to ABC123. Have a great day. Click. It's like when you hear it, you, you, you. Like, it's like watching a traffic accident in slow motion. You're like, no, stop and don't, right? And it's not to shame the guy on the help desk. It's just to point out this is what the attack looks like. Understanding and seeing the attack is the first step to stopping it. So if you can get a recording like that or recreate it, frankly, play it for your workforce. It will stick a lot more than you just droning on about something.
C
Allows arbitrary codes. Open source, self hosted git service Gogs has a critical unpatched vulnerability that can let any authenticated user execute arbitrary code on the server. By abusing Git's rebase function with a malicious branch name. Security firm Rapid7 warns it could let attackers access every repository on a server, steal credentials, move deeper into a network, and potentially expose other users. Private code, Windows, Linux and macOS deployments are all affected. It's recommended to disable open registration or repository creation until a fix is available.
A
This is pretty gross, dude. All right, so if you're running gogs, not to be confused with David Goggins, apparently I don't really know that guy or watch any of his stuff, but apparently he's very hot right now, that Hansel.
B
So hot right now.
A
If you're running this gogs, which is basically an open source, get repo, you should probably lock it down. Okay, get full John Taffer on this one and shut it down. Because basically anyone with an account can execute any code, which effectively is like super Easy privilege escalation, right? You can go from general user to I'm the captain now. Look at me, look at me. I'm the captain now. Okay, here we go. Look at, look. Oh my God. Guy, look at me, Captain. Okay? I'm just real time looking at anyone exploiting this vulnerability. Look at me, look at me, look at me, look at me. I'm exploiting GOGS RCE right now.
D
Ah.
A
Okay, so there's no patch available, which means you got to do two things, right? Number one, IT vulnerability score. 9, 4. Interesting. It's probably a 9, 4 because you have to be authenticated to do remote code execution. 98 is unauthenticated remote code execution. When you've been around long enough, you just. They're kind of like these buckets, right? So if getting an account on it is simple, it's just signing up, then you know, it might as well be unauthenticated. It's like a very small hurdle to step over. Almost like a speed bump to step over. Yeah, the tldr. If you're running gogs, you should know it. If you're running gogs, then you should not allow anyone to sign up for a user account that you don't know, right? Like an open source one until this thing can get patched. Borderline. If you can maybe even put a moratorium on making commits or changes to the, to the, to the environment until it gets fixed. Right? The RCE happens when you create a pull request with a malicious branch that injects the exec flag into the git. Rebase this. Honestly, again, this isn't going to make a lot of sense to a lot of people, but those who know this feels very similar to using the Essay command in SQL Server back in the day before it got locked down and controlled used to be able to just call any OS command with sa. So yeah, there's no. I would imagine that the developers are working on a patch for this. Of course this is open source, which means it's, you know, it's on, it's on the. The whims and opportunity of whoever the developers are volunteering to maintain this open source is cool. But at the same time, dudes, it's like when you build a business on it, you really, really taking a risk. Rapid7 has what I would assume as a demonstration of how to exploit this. Here's what I would say, all right. As a, you know, kind of from the CISO seat, if you're running this GOGS environment, you need to, number one, confirm that you are vulnerable to this attack, right? Because you may not be. You might be running an older version that's not there. Number two, you got to figure out how, how valuable is it to leave yourself exposed, right? You may have maybe mission critical to leave it exposed, which is gross. Which means if you have to leave it exposed, you need to develop some detections to see basically when that pull request with the exec flag, you should be looking for that exact, you know, regular expression of that command in your logs so you can confirm whether or not you're actively got hit with an exploit. Number three, if your developers or your engineers push back in any capacity or your CIO pushes back, use this YouTube video to show them exactly what the exploit looks like. So they can't. So they'll have something concrete to wrap their brain around instead of just thinking that you're screaming that the sky is falling. Okay, again, I don't run gogs in my environment. So for me, when I see this story, I'm like, interesting. And then I just like get a bucket of popcorn and I sit over in the peanut gallery munching on popcorn because this doesn't affect me. Zero risk for old Jerry guy here, which a guy, which again is why you should limit your text, not limit your, your tech stack. But if you have technology in your environment that's not being used, like you tried it out and then didn't retire it or you, you superseded it, right? Like it's a legacy technology, right? This GOGS thing, you use gogs and you found it too awkward so you moved over to get lab but you never decommissioned the gogs. That is called technical debt. That is called unnecessary attack surface. That's called lazy. And it introduces risks that you don't need. So you know, basically be a good steward, do the hard work. Decommission legacy systems that don't need to be there.
C
Vi attackers use Chat, GPT and Gemini Researchers at with secure say a likely Russian linked threat threat group called Gray Vibe has been using ChatGPT and Gemini to create realistic phishing lures, fake websites and even parts of its malware toolkit. In campaigns aimed mainly at Ukraine related targets. The group has used custom Windows and Android malware to steal files, credentials, location data and communications across military, government and business sectors. The operation seems to align with Russian interests, but doesn't act like a typical state backed campaign typo squatting.
A
All right, here we go. For the sake of time. Fleet is posting the third with five gifted subs. Thank you. Fleet is posting the third for that and for everybody who got it, like via hone J. Brian, you can thank fetus. All right, we're going to speedrun these last two stories. Grave Eye Russian based hackers. Like, dude, welcome to a day that ends in wise. Criminals are using AI to vibe code weapons. There you go. Looks like they're, you know, they're using AI, but they're kind of doing the same old same old. By the way, AI doesn't invent new attacks, okay? It just allows lower level of sophisticated threat actors to develop more sophisticated tools faster. Okay? All it's doing is increasing the frequency and the amount of things that we have already seen. So don't, don't be overwhelmed and like star struck by AI. Spearfishing is spearfishing. I don't care if Claude wrote the spearfish, it's still freaking spearfish. Okay? Listen, they're spearfishing emails, delivering zip and RAW archives via Google Drive, okay? You should have been protecting from that. Fake PDFs. Okay? Educate your end users. These are mostly targeting Ukrainian government entities, so this isn't really something relative to most of us here. But dude, the. The attack can pivot to, you know, whatever critical infrastructure company in Dallas, Texas like it. Like the. The victim pool can just be modified. No big deal. They're doing click fix fake captchas. Okay. Click fix has been a blight for about four to five months right now. So if you haven't been doing things with click fix, here's your sign, like, it's time to get going. Fake Ukrainian adult sites. Oh my. All right, so I guess, you know, is kind of one of the oldest professions in the world next to a sailor, so still going to work. None of these things, dude. Okay, whatever. AI is being used. News at 11. Like they're doing the same attacks or realistic package impersonation.
C
Sonatype reports that attackers are moving beyond typo squatting in open source repositories and instead are publishing malicious packages that look like legitimate plugins, SDKs, or config tools that developers would expect to see. An analysis of more than 4,300 malicious packages showed 91% using naming tactics targeting ecosystems like React, Eslint and Tailwind. The packages are known to steal credentials or system data and can install backdoors. Sonatype warns that typo detection alone is no longer enough and that teams need closer scrutiny of new dependencies and publisher behavior. Join.
A
All right, so typo squatting has long been a thing, right? Like, you know, whatever, Microsoft.com. but instead of the M in Microsoft, you Use an R and an N. So it looks like Microsoft, they're basically saying that threat actors are pivoting slightly by using naming variants instead of typo squatting. Okay. I mean this is like really splitting the, the hair on a, on a mosquito. So instead of it like being typo squatted where they kind of flip a letter, they're, they're, hold on, like they don't give any examples in the story, which is annoying, but popular. React libraries. Okay, look it, I'm just going to make this up as I go, right? Come on. All right, hold on. Top 10 React libraries to use for developers in 2026. I just googled the random story. Okay, here we go. Give me the actual library names please, so I can do this. Material UI is number one. Okay, so basically what, three, what a threat actor would do is create material-reactor UI. Okay, so it, to me, to me it's very similar to typo squatting. I find it, like I said, splitting hairs here. Normally a typo squad might say material UI, but the L in material is A1. So it looks like material UI. All the threat actors now are doing is material-react UI. It gets kind of the trust because people are talking like, oh, it'd be like someone creating simply cyber dash educate YouTube channel and people being like, oh yeah, it's simply cyber. I believe something like that. And then people fall victim because they don't know the difference. All right, Redo toolkit, Redux Toolkit, Redo Dash Tool, you know, Dash Kit or whatever. You know what I mean? It's like, so whatever, here's the tldr, Open source libraries, React libraries, NPM libraries, PI PI libraries. All these things are getting weaponized. Threat actors are poisoning all of these pools. And honestly, AI is automatically pulling some of these plugins due to popularity. So you people vibe coding are actually sticking these things in without even knowing it. So we are in a pretty tough spot right now. As always, it's a, it's an arms race to, to do this. If you can introduce some type of validation, software validation prior to like pulling these plugins in. But this is a tough nut to crack and that's why threat actors are doing it. Okay, if you do have developers in your environment, this would be a great one to send to them. Not this top React libraries because then they're gonna be like, oh, this is great, they'll start using them all, but let them know about this particular attack, know what you're plugging into your environment. And also, also, if you try a package or WordPress plugin or whatever and you're not going to use it. Don't leave it enabled in your environment. All right, here we go. Oh, my God. Guys. What? We went a little bit over. Apologies to all y'. All. Thank you so very much. Shout out to the stream sponsors, threat locker, any siphon flare. Don't go anywhere. James Aquan. Thanks for the jokes. Don't go anywhere. We got Cyber Career Hotline. I'm going to do a. A hot transfer. Guys, if you got a boogie out of here, you probably already did. Thanks so very much. You guys are the best. Let's go have some fun doing Cyber Career Hotline. We've got a great panel lined up for you. I'm Jerry, your chat. Till next time, stay secure. I'm Dr. Gerald Osher. This is the Cyber Career Hotline. If you're building a career in cyber security, this show is for you. Let's get into it. All right, everybody, welcome to the party. We got to just do this really quickly. We got our panel loaded up. Let me change my camera angle so we can do this. What's up, everybody? Welcome to Cyber Career Hotline. I am your host, Jerry Guy. Since we'll be doing a panel today, I will just be facilitating Justin Gold with 50 months as a squad member. Jesus, dude. Justin, longtime friend. Love it. All right, let's get our panel locked. Let's get our panel locked in. Ladies. Ladies and gentlemen, we got a full boat for you today. Talk about the Carnival Cruise Lines attack. We've got the full boat, ladies and gentlemen. He comes from Appalachia. He's also pretty, pretty cool dude. Doing a lot for the community. Ladies and gentlemen, Fleet is posting the third. What's up, dude?
E
Happy Friday, everyone.
A
Great to see you. All right, who else we got? Oh. Coming to you live on the road from Dallas at Elevate it, James. A quick and at 35, 000ft.
D
Sorry, just. Just wiping away the tears from laughing so hard at the mid roll.
A
Oh, yeah, those jokes were good.
D
Your reactions, Your reactions is what makes it for me, Jerry. That's the whole purpose of it.
A
Well, I. I do it as a service. I do not look at those jokes in advance. When I get the text from you on Friday night, it's Thursday night. It's always like, all right, all right, you guys. Robert Wetstein, a regular on the panel. Good to see you. Bow tie security guy. Let's go.
B
Hey, what's going on, Gary?
A
All right, and then you. If you caught the first half of Simply Cyber Firesides last night you would know who he is. But if you didn't, he is cyber threat intelligence expert and had to leave mid show yesterday. Wade Wells. Hey Wade. What's up dude?
F
What's up? Hopefully I don't have to leave mid show today too, but who knows.
A
That's all right.
D
Hope everything was all right.
A
Managing life, not you leaving, but when you left we ended up like raffling off a bunch of prizes and having some fun. All right guys, so here is the deal. We've got an amazing panel of very talented individuals. Robert executive in kind of the C suite area as well as Tinker, former Red teamer hacker fleet is post in the third works and worked in a sock leads his builds his own program. James McQuiggin over on the end there. VC. So awareness training, expert behavior modifier, Wade Wells, cyber threat intelligence extraordinaire. And me, Jerry Guy, just a GRC dork trying to make his way in the world. So if you have any questions, drop them in chat with a queue. We will facilitate them to you as best we can. One of the stories that came up today worth getting your thoughts on was it wasn't even really a cyber story, but the US military personnel being their web threat actors, are weaponizing location data from AD networks in order to find populations of military. Was anyone in this group active military at one point? No, I don't think we are. Wasn't sure. Okay, Robert, have you done anything with location based data? I feel like you of all people tinkered with it.
B
Yeah, definitely. Well, I. There's been a lot of attacks like this. There was a popular fitness app that was utilized to identify military bases a while back. I won't call the name out, but that's a pretty common attack vector. And there's been multiple times where I've built geofences around locations to ensure that like if devices left, they would be destroyed. But using your geodata to identify targets is just kind of common OSINT to me, I've done it many times. Where back in the day photos when they were posted online still had their metadata in them. So you could find out all kinds. You could find out damn near the exact location that the photo was taken. And now most of social media strips the metadata before a photo goes live.
A
Yeah, 100%. So some good OSINT work in there. Everybody enjoys some good osint. Wade, you were talking yesterday on Firesides about your cyber Threat intelligence course and some of the OSINT type stuff that you've included in that course. Can you Talk about how OSINT relates to cyber threat intelligence.
F
Oh yeah, man. I had to do some yesterday too even. Yeah. After what I had to hit handle, a lot of it is just being able to. It's female to search really, really good. But not just like Google searching, but knowing what data and what to pivot to. So one of my favorite examples is with a. Any type of login you see out there, you could, theoretically, if there's an image on that login, you could take a hash of that image and then search that hash in URL, urlscan, IO and then look to see what websites actually contain that hash and if they've been scanned and will show you every website that it has. So for. For companies who have logos on their official logins, that's gold. Because then you can find people who are trying to fish your customers. Right. That's like one piece of it. But going down. Like right, there's infrastructure, osint, which is looking for malicious infrastructure or possibly if you're red teaming a actual legitimate infrastructure. There's people. How do you find people? And then the last one I would say is geolocations. Right. Seeing a picture of a legio location and being able to figure out where it is or even when it is. Each one of them holds around the same type of skills that you need, but very differently.
A
Excellent. Yeah. And even during that flare training I did yesterday with DNS and passive osint, I mean passive DNS reconnaissance, they were. They were talking about getting addresses and then going and looking at them online to see like, what. What is actually there, if anything. Roswell UK and thank you for the questions. I've been flagging them. S Cole07 we'll do your question next. Roswell says, what's the most satisfying investigation or hunt you've ever done? Ooh, that's a fun one. I'll throw that one. I know Wade just talked, but Wade actively does hunts. So Wade, is there anything you can tell talk about publicly?
F
I did. I. When I won the Trace Labs black Badge, that was probably the best one it we were able to find someone who was on a missing person list and then prove that they were actually alive and well and just in another city.
A
I love it. I love it. James Aquigan. You've got one for this too?
D
Yeah, I. My cousin has a fraud investigation company, Shameless Plug. Hello to Quilligence. But one of the investigations, she pulled me in to help her with OSINT work. Dealt with a domestic dispute, we'll say, where the woman was claiming that she'd been beaten by her husband, but then was out the next day gallivanting around town. And she looked just fine. And they had pictures of her and everything else. But my job was to go in and verify the authenticity of those images, find out who the photographer was. And so doing image analysis, OSINT work, looking at where the locations were and everything else, you know, basically handed it back to the. The wife was lying about it on several occasions. It just wasn't the one occasion. And ended up helping out the husband win their case. By the way, the. The husband's name was Johnny Depp. So there you go.
A
There you go. I like it. Robert, you got one too. I didn't realize you're gonna be able to go around the horn on this one.
B
Yeah. There was an investigation that I worked for a very long time where an insider was releasing basically behind the scenes photos in ruining kind of some of the things that we didn't want people to see. And they had posted a photo while they were in line somewhere complaining about the weight. And it just so happened that we had access to those cameras. We were able to pull the plate number off of the front car and then identify their car. And that led to them being removed from the company. That was. And we'd been tracking that person for probably two and a half months trying to find their identity. It was a, it was an all hands type thing. It was a very fun. Every photo that was posted, I was looking for reflections, anything. I could see where the behind the scenes photos were being taken. If I could figure out who it was, it was, it was a fun time.
A
That is very cool. Fleetus has got one. Cletus share.
E
Yeah, similar to there's. I helped with an HR case where we were trying to confirm that someone was having someone else badge them in. So they were having a colleague clock them in. They were still in their car, still driving. They wanted to be paid for their time. So they would give their badge or their PIN number. We had both for them to start logging in. And all of a sudden one day they required geofencing to the point that they needed to see the badge, they needed to look for NFC to be close by. And all of a sudden he couldn't clock in anymore. He raised an HR case which pretty much gave himself away. And we confirmed that he had been doing it for almost two years. He'd probably got close to a thousand hours of travel time paid for that he should not have been paid for. So it was a civil suit.
A
Added to that as well, that is wild. I have one.
B
It's.
A
It's not my story per se, and I'm not gonna be able to disclose all of the information, but it is one of the coolest hunts I've ever seen. I have a friend who runs a investigation agency and basically there was a Instagram model that was running a scam where like basically they get into your DMs and then they start extorting money from you or they're gonna, they're going to tell your, your, your spouse or whatever what's up. And this person got, this investigator got brought in on it and he basically set up a sock puppet account and was able to connect with that person and then get the, get the scam start running on himself. But then once he got like, where do I send the money? I'll send you the, I'll send you $1,000 if you leave me alone. Where do I send the money? And once he got that wall not. It wasn't even a wallet, it was like a Venmo or something. Once he got that, he was able to back into that and then explore the entire network of all the transactions and all the things. And he uncovered like the people involved. And then he went further and got their phone numbers and their home addresses. And then he, in the DMs, he sent like a picture of their front door and was like, should I, should I send you the money or should I just come to your house? And they're like, you know, they're just like, just absolutely. He's like, all right, you're gonna shut down this entire thing. And they're like, so very, very cool use of that type of technique. S. Cole07 says, how do I set boundaries early when starting a new job? All right, so we've got some great talent here. Fleetus. I know, Robert, you've got some thoughts on this one. But Fleetus, you know, you, you've got a team of people underneath you. You help people all the time. What do you tell SQL 07, by the way? I don't know if you guys were here, but he announced on stream this week that he got a job and we celebrated and it was awesome.
E
So yeah, yeah. So it's. This is a hard but easy question at the same time. So hard. First you have to understand what the organization's expectations are. Is this a fully on site? Is this an 8 to 5, but in seat is this. I'm available after hours. What is the expectation after hours? Once you've level set all that with Your leadership as well as their leadership. But when I say both their leadership, I have a case in point where an executive decided this past week to start reaching out and asking questions because it had not been communicated all the way up that individuals have a work from home on certain days or have the flexibility to do certain things. So make sure you get stuff in writing so if and when your manager leaves, you have something to stand on. If you have a flex schedule, you have the ability to disappear for kids. Appointments, PTA meetings, et cetera. Get it in writing. Second, be open with your boss and your team. I'm unavailable between three and four because I'm picking up my kid from school. I will not be in front of my computer. After 4 o' clock I'm back in front of my computer. But let them know that if something's escalated, you're actually away and you've set that up. Especially if you're a remote employee. Other things too. If you're in the office, let them know your expectations. I take a lunch and this is why I take a lunch. Like don't abuse my lunch hour unless it's required. So that gets very tricky real quickly. My team knows that I take roughly my lunch hour to spend it with my kids. I call my interns. They know that I'm not going to be at my computer no matter what they ask so that I can be away. But they have the capability of calling me if they need to. But I'm not going to be sitting and approving their PIM requests, their multi admin approvals. I'm not going to be able to do something activities between 12pm and 1 Eastern. I have an international team or nation national team. So I have to set that expectation. So again I'm long winded this the TRD is set expectations. Get them in writing and then confirm them periodically during developmental meetings one on ones or your performance reviews.
A
Oh man, that's SQL 07. I hope you got all of that. I mean that was great information. Robert, do you have any follow up thoughts?
B
I mean, I mean that's the biggest thing is be open and honest and protect your mental health over everything. The burnout culture in cyber is dying and we have to continue to kill it because well rested investigators, well rested cyber people are drastically better and more prepared for what's coming than overworked, overstimulated, you know that's the biggest thing is we have to get better at protecting our people's mental health and making that a priority.
A
I love it. Yeah James, you want to comment on this one. The questions are kind of thin today, so we have opportunity to go around the horn.
D
Oh, okay. Yeah, No, I agree exactly what Fleetus and Robert have been saying, I think. And from my own experience, a lot of it is setting the expectations, having that life work balance. You work so you can live. You don't live so you can work. But at the same with burnout, that's certainly something you want to be avoiding. Setting the expectations, having the conversations if you got to go do something. We all have lives. So yeah, I would certainly, certainly echoing what, what Robert and Fleet of Fleetuses have already said. The coffee hasn't fully kicked in yet. My coffee's a little better tasting this morning, Jerry. It's from the in room coffee maker, but it's not so bad this morning.
A
Oh, I love it. SQL 07. One thing that's very tricky to navigate too is sometimes you come in and you're supposed to be whatever GRC analyst. Okay. I can't remember quite now what the role is you got. And they're like, oh, we also need someone to do EHR provisioning. So you're going to do that now. And like you're like, okay, like you don't want to be like, no, because you don't want to look like a thorn in anyone's side. But at the same time, your scope of responsibility could be expanding beyond what you actually committed to when you took the job. Now if that additional responsibility is professional development in a way, right, like you're doing something that could help you that's outside your job scope or get you to the next level, well, then that's awesome and fine. But if it's not, if it's perpendicular to what you want to do, if it's, if it's making you unhappy or whatever, there is a way to have that conversation with your boss. I wouldn't stamp my foot down and be like, I, this isn't in my job description. I'm not doing it because that's going to be seen as a, not a team player. Right. But I think during your one on ones and stuff, you can say, hey, like, you know, just so you know, like, you got me doing this other thing, which is really doesn't feel like necessarily in the scope of the job role that y' all hired me for. Like, what's, what's the long term plan for this? Like, are we looking to get someone else to do this? What, like, so be, be collaborative in trying to navigate that function away from you. Don't be Combative. Okay. So collaborative over combative. That's, that's my, my move. All right. I, I think you get more, you get more with sugar than you do with vinegar. Right. So if you're, you might be right and they may be exploiting you. But like, you know, going with the nuclear option isn't always the best, even if you are. Right. All right. All right. So continuing to look through chat. If you got any questions, drop them in. Chat with a Q. I haven't read this one yet, but Lemur says morning Legends Love it for CIS P. Do you think that the official ISC2 trainings request required or can the 19 course on a popular platform work? Won't name the job. So, you know, I'll say I got my CISP in 2009. I did not use the official ISE squared at the time training. I did, I think Mike Myers passport to cisp and I did flashcards and it worked for me. I think of, of all of the certs, I think the ISE2 and the CompTIA, you cannot. You can use other materials and it'll work for you again. Maybe they've changed the exam a bit since then, I don't know, but looks like we've got a consensus. James, thoughts on this one?
D
Yeah, I mean it's going to come down to how do you study, how do you learn? You know, if you're. For me, I was somebody that my butt had to be in a seat in a classroom environment so I could, I could properly focus and I did the five. I did a five day boot camp and took the exam at the end. The Mike Myers book? Yeah, I mean back in 2008 when I took my CISSP, that was the book that I pretty well knew cover to cover. And then I had two other books to back it up. So if you're somebody that you know, you can watch videos and you can ingest the information and know it, then sure, there's no rule or there's no requirement that you have to do the ISC2 training, but there are other training companies that are out there that do the five day boot camp. But again, it comes down to, you know, what your learning style is and then working towards that. The IST. The ISE2 training is good. I will state that because I'm actually working to become an IST trainer and I've been going through the materials myself. But just what's your budget? What's your learning style? What's going to work best for you? For some folks, it's three Books, five books and flashcards. Other folks it's in a class. Other ones it's auditory books.
A
So yeah, Cyberlorian has a question for Robert. So I got an email later last Friday for the differ consultant role and then they added a final to the final round for Wednesday. Yesterday I got an email to schedule a one on one today. Is this a good sign?
B
Yeah, I mean that's an excellent sign, especially if the one on ones with like a senior leader. You're not going to meet with any senior leaders unless you're in the final running. And honestly, just make sure you research the company really well. And there are a lot of scams that have been very advanced. If you want to send it to me on LinkedIn, like, I'm happy to help you research it a little bit. I've had a few mentees that have gone through several rounds of interviews with a company that wasn't even real. I'm not saying that that is the case. I'm just saying be very cautious, especially unless you're doing it in person. If you are, then awesome that you know, that kind of alleviates that concern. But yeah, that's a, that's a great sign. The biggest thing is take every interview is if it's your first interview, don't think about it as, don't look back when you finish round, you just kind of move to the next one and call it. Don't look back and don't be like, oh, I've already answered this so I'm going to try to answer it differently. Just answer it the same way you answered it last time. It's a totally different person. There's no reason to kind of get in your head about it.
A
Mad hat says, as a student, what are the steps I should be taking now if I eventually want to pursue a position that needs a DoD clear clearance? I mean, I, I like to facilitate the panels. I, I had a DoD clearance, so does anyone else on the panel have one?
B
I had secret back in the day, not dod.
A
Yeah, secret here. Okay, well, I mean, Robert, do you want to answer this then?
B
Yeah. So right now I, I think that's a lofty goal. There are a lot of people with clearance who are trying to find opportunities with all the, the, the furloughs and things that have happened as well as all of the churn that's happening within that. So if you're looking at like a three to five year plan, biggest and most important thing is be really intelligent about everything you put online, be very mindful about everything you do be mindful about the friends you have when you go for any sort of clearance. They will call your friends, they will talk to your neighbors depending on the level of clearance. It's very weird. So be mindful of who you associate with because there are lots of reasons you can get denied clearance and most the time the companies are willing to pay for it. But it's, it's gonna, I think it's gonna be harder in the future for, to get companies willing to pay for it because I think they're going to look specifically for people who maybe had just lost clearance or looking to renew clearance. I, I don't think there'll be a big focus on new people with DOD clearance. I will tell you, when applying for government jobs, if you meet all of the requirements and it is a government paid position, many times they do have to actually interview you. So the whole concern about ATS and things of that nature does get eliminated a little bit. So you have some more flexibility there. So anytime I mentor somebody who has clearance, I'm like, are you applying for every dot gov job that is being posted that you meet their qualifications for? If you aren't, you should be because they legally have to interview you if you meet the requirements. If they're government funded.
E
Yeah, I was going to add that once you get there. And a lot of your certifications going back to that questions will tell you which DoD requirement they meet. So if you're looking for government jobs, go pay attention to their job postings. Is it a SEC plus is it. Do you need the CySA? Because they started mapping certifications back to their DoD requirements. So that's another way to make sure that you're ready is by getting those courses so that you're compliant to actually get your certification and to, to work in that role. Because they require certain certifications for some of those DOD roles.
A
Yeah. And just, you know, I don't know if Robert said it specifically but I mean I had a clearance, I had a secret clearance for a number of years. It sounds cool, it sounds sexy. I, I had anxiety the entire friggin time I had it. I hated having having it because I thought everybody was trying to like compromise me.
B
You do get in your head about it, I'm not gonna lie. And, and you're so worried too as they're like talking to people and the questions they ask are just wild. It's like, has this person ever had any anti American sentiment? It's like, how do you even answer that?
E
You know, so that I want to Take that real quick. I had a former. Two former recently. And I was literally sitting by the pool when I got the call from the Secret Service agent. And my wife's like, why are you answering these questions? Because she only heard me answer the questions. And I'm using terms like, no, they've never showed any terrorist activity. They've never showed anything about this. She's like, you're sitting in a public place answering this federal agent's questions because they're screening this person. And she's like, who did you just talk to?
A
I was like, oh, I was on
E
with a special agent for the FBI. She's like, why? I'm like, I have someone who's applying for a government clearance and a government job and they're interviewing me and it's like, it's awkward for me too. I'm like, do I screw the person over? Because I stuttered, that I slowed down too much, that I speak too quickly?
A
Yeah, it's crazy. It is great. I will tell you. I got interviewed by a federal investigator, like in person for my clearance. And they don't want to hear about how awesome you are. You just talk about the worst things you've ever done. And I felt awful when I left that meeting. I mean, not that I thought I wasn't going to get the clearance, but like, it's just I. I've done some dumb stuff in my life and just like, that's all they want to talk about.
B
Yep. And be open and honest with all the dumb stuff you've done because they will find it.
A
Yeah. Oh yeah.
E
They already know the answer. They just want you to confirm the answer. They already know the answer.
B
They're doing an integrity test at that point. I had an in person also, and it was awkward.
A
Yeah.
E
To say the least.
A
Yeah. All right. If an employer is willing to pay for training, insert is it a red flag that they have you sign a two year contract and reimburse the cost you over those two years? They won't pay up front.
D
Oh, oh.
B
I can answer this one because I see it all the time. This is a very common tactic for a place that's most likely going to be a relatively toxic environment. And they are doing it specifically to lock you into contracts. There are some steep penalties too. I had one mentee who tried to leave before two years and owed $20,000. The certs only cost seven grand. So read the fine print before you sign anything. If you have no options, then I would say, yeah, it's probably a red flag, but it is you may get some good experience, but what I've seen recently with these type of jobs is they'll hire someone in for a cyber role, and then you'll just be doing desktop tech support, and then they'll pay for your certs, and then they basically lock you in for two years and basically make it so you cannot leave, no matter how bad it gets. That's in my experience, and I've seen it probably 30 or 40 times over the last year.
E
I will give a one caveat. In a lot of states now, that's illegal, so work with an attorney real quickly when that comes up. There's clauses to protect you from this inside of employment agreements for a lot of the states, especially if you're out in California. I think Maine, to Jerry's point earlier, has a lot of friendly stuff. Denver, definitely, or the Colorado state will protect the employee. So if you work in some of these states, go look up your label laws for that state. It's illegal for them to do this in certain states. Not everywhere, but it's illegal in certain states to put these contractual agreements around what's considered job training. Just make sure that you look at the agreement and you have an attorney if you have questions.
A
Yeah. And I would also say, if it's reputable, they should have a policy. Like, there should be a written, documented policy on how this all works. And if it's. If it's a shady AF policy and it says, like, we will absolutely hoodwink you and own you and own your firstborn if you take this, then guess what? It's a. It's a. It's a benefit you just don't take advantage of. Right? You don't. You don't. If they force you to go to the training and then financially commit you, that sounds incredibly illegal.
B
That is the normal. Yeah.
A
So that. That's a problem. But just read the policy and, you know, some places it can be good. I had my PhD paid for fully. Right. And, you know, you know, I had to, like, basically the way it worked for me was every month it burned off, like, 800 bucks of the. The benefit I gotten. Right? So, like, they. They cut me a check for whatever, like 12,000 or whatever, and then every month it was 800. And if I left a year in, I just owed the delta of remaining money. So there are programs that are not predatory. Okay. Lazaro. I love Lazaro. He's our token superstar. Story for going from breaking in. Good morning, Team SC panel. Which cert would you recommend between Blue Team Level 2 and CCDL 2. My focus is to better improve my threat hunting and differ skills. Thank you. Now I know, I know. Blue Team Level 2. Yeah.
E
I don't know CCDL2. I don't have to go look it up.
D
Certified Cyber Defender Level 2. I don't know who puts it out, but yeah, let's.
A
Let me look here. It's by Cyber Defenders.
D
Cyber Defenders, Yeah. Okay.
E
I'll take this while they're looking at it. There's not a whole lot from a certification. Again, there are small training firms that you can get certs, but as a hiring manager I'm not going to look for certifications for these two things other than like for the D4 side. If you've clarified if you've got an NK certification so I can know you know how to use in case or if you've done a Celebrate certification because you know how to do mobile forensics, those will get me the threat hunting piece. I'm going to assume you got that through other training mechanisms. So I'm going to look at what other trainings you've taken or certifications where threat honey is part of it. If Wade was here, there probably is something. I know Anti Siphon has some stuff around this. I've seen level effect which I work with Shameless Plug and then of course Sans has their own tire D for and threat hunting program on the cti. But I'm not going to force you to go for a San Sert, especially if you're self funding, you're not paying the 10 grand a pop and I'm not going to ask you to go out to mom and pop. Nothing against these training organizations because as a hiring manager I don't know who they are. So like it's going to make it hard going back to the ats, your application tracking system. They're going to screen you out because it doesn't, it doesn't rate up anything because they don't know about it. And as an HM or hiring manager, unless I am a D for person, I'm not going to recognize celebrate or in case, I'm going to have to rely on my SME to tell me that that's a qualified certification. I know these two because I've hired default individuals and I've hired CTI folks.
A
So I looked quickly at both of these, you know, curriculum. I agree with what the panel just said about the value of the cert. Now what I'm about to comment on is the value of the education and learning experience that you would pick up, up. By going through the program, not just getting the cert. So you want to be threat hunting, you want to be differ skill set. It looks like both of these are kind of comparable to each other as far as, like, what they're doing and everything. The Blue Team Level 2 does look like it gets into differ more than. Excuse me, the. The CCDL2 goes into differ more than the Blue Team Level 2. The Blue Team Level 2 does go into malware analysis quite a bit, which is a subset of differ, but not exclusively all of that. So I think you're going to be okay with either one. What I would do, like, if it were me, right? And I was like, sheesh, I want to get into differ. I want to get into threat hunting. I need to know what I would do is the following. You're already doing kind of part of it by asking this question to this panel. But what I would do is I would search on LinkedIn and this is an awesome opportunity to use the LinkedIn trick that I made a video about, Lazaro, where you can Download your entire LinkedIn portfolio of history and throw it into AI, which I'm okay doing, by the way. You have to make your own choice around privacy and sensitivity. But you can throw it in there and then you could literally ask AI, who in my network has CCDL2? Who in my network has Blue Team Level 2? That's a first level connection with me. I have some type of rapport with. The AI will go through it and tell you and then just DM that person. You might even find someone who has both and you DM them and say, hey, listen, I see you got these. I want to do this. Tell me, which one should I do? Because you're going to get someone who's done it. They know the quality of the program, they know the value of the skills and the applicability to the actual job. That's going to be your best bet. It's work Lazaro for sure to do what I just said. But if you want the high fidelity answer to this question, that's what I would do. Okay. Pocket Pixel, straight out the gate. How long does it take to become a network engineer? Pocket Pixel, you're about to get the most consultant answer ever, James.
E
It depends.
A
Yes, very much depends.
D
So it very much you want to
A
help Pocket Pixel out here on. On. Please first explain why it depends and then try to answer it for her.
D
Sure. So how long it takes to become a network engineer? First of all, I've got to figure out, okay, where's our starting point? Where's our end point? Is that endpoint when you're actually working as a network engineer? Is that level one? Is it level two? What type of level? So if we take level one, you know, just an entry level network engineer, and you're not a network engineer and you're not in networking, it's a matter of having to go through and understand all aspects of networking, of the technology. The process is understanding how the communication works across networking, going through and learning that, then trying to get hired as a network engineer. Well, then maybe there's some certs involved. Network plus the issp. Well, probably not, but network whatever. Certs that are out there to help you with, you know, networking. Ccna. Thank you. The Cisco cert, ccnp, the professional version of it.
B
Tough test.
D
Yeah, didn't do that one, but. And then once you're going through the, you know, the networking aspects and getting certs, then getting hired, you know, and what does that involve? So you might be able to turn around and do it in a couple months, might be able to do it in a couple years, but it all depends on the what you're putting into it, what kind of opportunities you've got, how's your strong. Is your network to be able to get you a position in networking?
A
All right, thank you very much. And Pocket Pixel, get after it. I will tell you any, any work you do towards becoming a network engineer will not be squandered if you pivot, because understanding networking is very, very important to being a effective cybersecurity professional. If you end up, you know, continuing
B
down that path, critical for every role that you have, no matter what it is.
A
Yeah. Seems to be a trend in interviews for them to ask, tell me what's not in your cv? Wait, what?
E
Why?
A
And what would be a good answer? Okay, so while the panel is all smiles, Robert, you go first since you grill people all the time and interviews.
B
Yeah. So that question is kind of a how stupid are you? Question and what are you going to tell me? So I always would do something like, what's not in my CVE is a lot of the stuff I do in my free time, which is a lot of the work with mentoring and, you know, doing things. And I would talk about something positive that I do. What a lot of people do with this question, they go, well, it doesn't talk about the fact that I've been laid off and fired twice. Like, it's kind of a how foolish are you? Question. So relate it back to something that you do or make it more personal and say, like, oh, I mean, obviously I wouldn't put things in my CVE that were personal, but I love hiking and, and get more kind of, you know, comfortable with your interviewer, really look at how the conversation is going. Hopefully you've done a little oent on your interviewer first. I always do a little slight sleuthing to figure out kind of who you're interviewing with, what they're passionate about. And I would kind of steer the direction. And that's. It's. It's sad but true. An interviewer is not. It's not about your technical skills. It's about how well your team fit is. I can teach you technical and I, I bet you Fleet of Soul agree, like, I would hire somebody with less technical. That's more a team fit than I would somebody that's like, max on the technical scale but wouldn't be a great team fit. What are you. What are your thoughts? Fleetus.
E
So I completely get that. And this is going to hurt some people's feeling. I don't want you to be the SME sometimes because I have to retrain you into how my organization does things. And I hate to say that out loud because the most qualified person is probably not always the best fit. Because to. To the point is, I have to do a cultural fit first. Can I manage you? Can you mesh with my team? Will you get along with my peers? Will you get along with the business? Especially if you're facing the business. Like, if I have to push you into the business, you have to interact with the business. Sorry for the extrovert who looks at their shoes versus my shoes when they're talking. It's fine. But at the end of the day, I have to be comfortable pushing you to go talk to a C level or a finance person or a marketing person. And if you're purely technical and you have no soft skills, communication skills, you might not be the best fit.
A
If.
E
If the role requires you that. If the role requires you to sit behind a keyboard and a screen all day long with your camera off, that's a different role. So to the point of this question, I will not ask this question. I ask them, how do they disconnect? Because that's how I'm going about this. How do you disconnect? How do you re. How do you train yourself? How do you get rejuvenation? How do you decrease burnout? Because that's more or less what I think they should be asking with this question, but they may not be they may want to see if you're enough dumb enough to show.
B
Yeah. Keep in mind most people don't know how to interview. I'm going to ask you a question, Fleetus. How often are you hiring someone who has no public facing and absolutely no soft skills required? How often does that happen? I haven't done it in years.
E
I have had to interview one recently because we literally hired them to do a project where they weren't going to talk to anyone but me. Like, their deliverable was to produce evidence and give me something that I could deploy. So they were more or less building a program and project and I was their client. They were here to interview me, get information from me. But other than that, no. I think I did make them present, but they made them present to like. But they weren't required to like. I wanted them to present to me my ciso, my cio, my cto. I put them in front of the people who are going to be paying for said program that I hired them to build because I wanted buy in before I sign that check and say, hey, I just gave you $200,000 to build this. What am I gonna do?
A
So I love it. I also, like, for those who know me long enough, like, I get, I get perturbed about the most nuanced things. This pisses me off. Like, like f you. You asked me for a resume and I gave it to you and now you're gonna ask me what's not on it. Just like, why didn't you say included in the first place?
D
Place.
A
I do like. I do like Cletus asking, like, how do you unplug and stuff like that. I would say if you want like a pro tip or whatever for. For me, when they say what's not on your resume? I would even include like, when they say tell me about yourself. The, the same thing that Robert has said in the past. Like, sure, I like hiking and I love the New England Patriots and all that stuff. But like, you have an opportunity right here and you have an opportunity to seize. Sure, it's cool that you like the Patriots or whatever, but what you could say, say you're interviewing for a sock analyst. One job. Tell me something that's not on your cv. Well, I'm really interested in pursuing digital forensics and incident response. Ultimately that's my goal and I really feel like soc analyst is the path to get me there. So, like your resume doesn't say anything about differ. Like you're not like aspiring different, but. But now you're telling them You've got a plan, you have like an idea of where you want to go, which shows initiative. It tells them that like, oh, like we actually could be building into a digital forensic program. Like that's a nice to have that we've never had. This could be the guy or the lady that we could groom into that role. So you're giving you like your succession path and you're being genuine. Right. I don't, don't lie and be like, I really want to get into differ like where you have no interest in that in order to secure the role. But like, I'm just saying it, it's an opportunity to like, you know, I guess like not manipulate the conversation but to focus it in a direction that will benefit you.
E
Yeah. Another thing real quick to, to the point we just talked about earlier is this is a great time to use that OSINT you just did to social engineer the interviewer into liking you 100%. If you can share something like, hey, I love helping with youth sports and you know that they coach the youth sport team. You just pretty much did an association within the first five to 10 seconds of an interview that I now have something in common with you, which is a hiring misnomer. I'm not supposed to have anything in common. I don't want to have a hiring bias where I hire someone who's like me. They train you that 101 when you're hiring as a leader to immediately dismiss that. But I'm human. If you can associate with me, you just got to point subconsciously with me. Because I associate with you.
A
You.
B
Yeah, I, I interview with my camera off specifically so I can derail the interview and talk about the room.
A
I, I do want to, I, I have done like one dark arts move in once in my career that I feel like is, is worth sharing at this time. Plus and being full, fully transparent. So when I interview, when I got my job at Booz Allen, you know, a thousand years ago, the way Booz Allen did interviews and at the time was you'd go, you would, you'd go for one two hour session. You'd interview for four people, 30 minutes each and that was it. And you either got the job or you didn't. Which by the way, thank you for a hiring interviewing practice that makes sense where it's just a two hour window. I knew who the four interviewers were. I did a little bit of Oent on them. I also had friends that worked at Booze at the time. So I got a little bit of like in Insider intel. And one of the four interviewers was this absolute narcissistic, self entitled blowhard who was like all about himself and thought he was better than everybody and he just sucked. And I knew that I needed all four of these people to like me. And I just knew that if I tried to like go trade for trade or value for value with this guy, he was going to try to one up me every time. And if I beat him, if I won, he was going to look at me negatively. So literally, I know it's a 30 minute capped meeting. He was very big into cloud security. This is like 2009, 2010. So like Cloud was just kind of coming on and he's like, all right, so you know, I see you got these degrees here. I said, yeah, I, I really do. You know, the interesting thing is I did all this computer science work, but one emerging area that's just really, really stunning me right now is cloud. He's like, oh, I know a lot about cloud. I'm like, really? Tell me more about that. And this trucker spoke about how awesome he is. And then the next interview knocked on the door and he's like, oh. He's like, wow. He's like, I can't believe how fast that was. He's like, I'm really sorry we didn't get a chance to talk more about you. I'm like, oh, no, dude, this was amazing. I just learned so much. Like, thank you. That guy walked out of there was like, we gotta hire this guy. This guy's.
B
When you're interviewing, they're not your friends. Like, correct.
F
Right.
B
If you need to use a little bit of deception to get an opportunity. I'm not saying actively lie, but like talk about what they're passionate about because it really helps you in the interview process.
A
Yeah.
B
If we nerd out about games for 20 minutes, I'm probably not gonna worry about the rest.
E
And, and that just reiterates the fact that people don't know how to interview. Because in an interview I'm supposed to ask one question and shut up. Like, I'm not supposed to talk. I'm not supposed to talk in that interview. I'm supposed to answer your questions. And then when you ask me a question, do I have the opportunity to talk? And that's usually in the last three to seven minutes of an interview. That's all it's supposed, three to seven minutes.
A
Most people should be speaking.
B
Yeah, most people just don't know how to interview at all. So they're. You got to understand Leadership doesn't come with training. You're like, hey, you're really technical now you're a leader. And then it's like, okay, I have no real soft skills because I'm a super technical guy. Oh, and then you need to interview people and it's difficult because they don't know how to interview. So the first thing they do is they go into ChatGPT. What question should I ask? And I will tell you if you want to get the leg up, type in the job that you're looking for. Type in common interview questions. And I guarantee you, and this has consistently been proven, at least 40% of the questions will be asked like you. You will know half of the interview before you even go into it.
A
Yes, Cyber Laurian gave a super chat a little while ago. Thanks, dude. This was around having the different meeting and whatnot. He says he got it scheduled. It's a touch base. Thanks for all the advice, dude. I can't wait. Dude, I can't wait to play the wrecking ball sound effect. Come back and share that with us.
B
If you want to do some mock interviews, man, reach out. I do it for free. I will make time for you. It's Val, especially if you got a core, like critical interview that you're going to be crushing soon. Feel free to reach out. I'm happy to help.
E
Yeah, that's going to be the next thing to go. Real quick. If you have managers who report to you again, that's not half this audience, but force them to do an interview with you. Like I've scheduled them and had them interview me just so they can practice the interview and I can give them critiques. And it also benefits me because I get to see questions that they're asking when I'm not in there. And it also makes me think critically about how, how I would interview again. Because for those who know I interviewed over the summer, I've changed roles. But if you're not actively interviewing, interviewing is tough. So schedule a mock interview periodically. Even if you don't have a leader underneath you. But definitely to train your leaders, have them practice interviewing with an employee who can honestly give them feedback. Because I'm not going to go ask the candidate, how would I interview you? What'd you think about my interviewing skills?
B
I had someone reach out recently and go, I saw you on Simply Cyber. And I remember our interview because it was the wildest interview I've ever had because I don't ask any questions that you can chat GPT. It's like, it's like, you wake up and it's a zombie apocalypse. What do you do first? And we, you know, I. I want to know how your mind thinks.
A
But yeah, that's awesome. Also, shout out to Simply Cyber. Like, that's kind of fun, that.
B
Oh, yeah, totally.
A
I love it. Straw hat Zach. Last two weeks, I was looking for bugs on Hacker one. Submitted four reports, all dupes. Triage team says already disclosed, but no public reports. And they haven't fixed the issues either.
B
Welcome, brother. Yeah, the life of a bug hunter.
A
Yep, exactly. Soap flavor said CV should be everything. Do you mean resume? Yeah. So cv, resume. I think those are interchangeable. I'm scanning for questions right now. We've got. Actually, you know What? We've got five minutes until the end of the stream. Daniel Lowry, IRL Episode 81 if you want to continue. Party in four minutes. But I always loved, you know, these panelists take time out of their day to come, share this knowledge, you know, behind no paywall, absolutely free. So I love giving them an opportunity to kind of pump their own stock, share their own things here at the end. And plus, like, they're great people. You probably want to get more of them. So let's go around the horn. Robert, what do you got? What do you want to share?
B
Yeah, honestly, I'm just trying to grow my YouTube a little bit. So bowtie security guy on YouTube, if you could subscribe, that would be awesome. If you need a mentor, feel free to reach out. I don't charge for it. If you need help with your LinkedIn, you need help with your resume, feel free to message me. I say it every time. There's hundreds of people here and maybe one or two people to pick me up on it. You have the ability to reach out to. I. I think all of us are willing to kind of chat with you and kind of help out. So, like, don't. Don't be a stranger. Feel free to reach out. But bow tie security guy, all one word.
A
Awesome. Thank you, Fletus. What do you got, buddy?
E
Nothing drastic. Just to Robert point. Continue to echo it. Find someone to reach out to, have a mentor. Find a mentor. I don't care if it's a technical mentor, if it's someone who can help you with soft skills, if it's someone who can just be a life coach no matter where you're at in your career. We talked about it numerous times today. Burnout is real. It is easy to get defeated in this industry. It is easy to forget why you're doing this. And without having a Buddy, a mentor, a coach, your partner who can just calm you and periodically be someone just to level set your head that it's okay to fail. Imposter syndrome is real. All of us on this call have had it and we'll continue to have it in our career. So just know that you're not alone. To Robertsport. My YouTube channel is slowly grabbing traction again. I've been a little while on it. If you're in the Charlotte area, let me know. We have a DEFCON chapter I just spoke at. We just did the Issa chapter. I'm very active in the Charlotte community of the Carolinas, so just let me know if you're ever here. I'll be glad to grab coffee, answer questions, and my LinkedIn are open or you can find me on the Simply Cyber discord if you have questions, comments or unsolicited testimonies.
A
There we go. And I'm showing Fletus's YouTube channel right here. I'll drop a link to that as well as Bow tie security guy. One second, let me just. I should have shown it bowtie security guy.com as well. James, what would you like to share while this thing loads?
D
Yesterday at Elevate, it was fantastic. I had a couple folks come out and find me actually as I was walking through the expo and as I was getting on the elevator. But yeah, basically saying, I've seen you on Simply Cyber and everything else. So shout out to Tarika and Florina who found me, took some pictures. I will be at Osmosis Con next week with Dennis Keefe for the first half of the week and then gotta hustle back home and then fly off to Minnesota for Secret Con. So I'll be presenting there. I'm doing an agentic AI talk regarding social engineering. So if you find me, I got stickers. You know I have. I spotted James McQuiggin at 35, 000ft and I've got my other sticker as well. I always love to give them out to folks. So if you're gonna be there, come say hi and always, always a good time hanging out with all you guys. Have that person. I grief let us and Kathy Chambers talked about it. Her and Daniel Lowry were talking about it earlier this week on her show. But always have that person you can talk to mentor. Multiple mentors. I have multiple mentors. I have multiple mentees, people that I can talk to all over the place with any particular topic. So very cool. So thanks again, Jerry.
A
Of course. I love it. Thank you gentlemen for your time. Shout out to Wade Wells, who had to drop a little earlier. Guys, I hope you got value from the the show. The cyber career hotline from the Daily Cyber Threat Brief. I hope you can join us next week. Bring a friend. We're always looking to expand the community if you'd like to keep the party going because you, you don't want to admit that it's Friday and you got to get to work and you want to just keep on partying like Weezer, Cybercast, irl. Daniel Lowry is about to go live here any minute. Go ahead. I've pinned the link in the chat. If you'd like to go raid. I always like to go over there for a minute and kind of kick things off. He'll do that monster pour and we'll have a good time together. For Fleetus, Robert, James, Wade and myself, I want to say thank you very much. You all have a great weekend and until next time, stay secure.
Host: Dr. Gerald Auger (Simply Cyber Media Group)
Date: May 29, 2026
Episode Theme:
Delivering the top cybersecurity news stories and actionable insights for cybersecurity professionals, with an eye toward career growth, community, and user empowerment. Includes robust Q&A and expert panel on career and technical issues.
This episode, like others from Simply Cyber, is a fast-paced exploration of the day’s top cybersecurity news, with Dr. Auger’s signature mix of deep-dive analysis, community engagement, and humor. Eight headline stories are unpacked with a blend of technical know-how, practical advice, and candid commentary. The episode is rich with community interaction, actionable takeaways, and lively banter. A special segment features the weekly tradition of James McQuiggin’s “Dad Jokes.” The podcast finishes with a career Q&A panel addressing listener questions on certifications, interviewing, DoD clearances, and workplace boundaries.
[12:02]
[21:19]
[26:50]
[33:13]
[45:11]
[53:37]
[59:24]
[62:13]
[41:00]
[67:39+] Panelists: Robert (BowTieSecurityGuy), Fleetus, James McQuiggin, Wade Wells
The episode stands out for its balance of cutting-edge technical analysis, practical defense strategies, real-world stories, and career mentorship. It’s informative, candid, and entertaining—offering value to cybersecurity newcomers and veterans alike. The recurring themes are user empowerment, community, and a call for resilience and adaptability in the face of evolving cyber threats.
Gerald’s Parting Shot:
“You all have a great weekend and until next time, stay secure.” [117:58]