Jerry Guy
What's up, everybody? Welcome to the party. It is Friday, November 21, 2025. This is episode 1011 of your Simply Cyber Daily Cyber Threat Brief podcast. Listen, if you are looking to stay informed on the top cyber news stories of the day while also getting insights and additional knowledge around those stories that will be important for you to be able to crush your job today, help you level up tomorrow, and be able to absolutely bust those job interviews in our industry, then you've come to the right place. Because alongside my friends, Team SC, right above my head, we are doing this every single morning at 8am, and today, Friday, November 21st, is no different. We're off and running on a beautiful day going into a Thanksgiving week. Next week, let's cook. All right, what's up, everybody? Good morning. Good to see you as always. So many friendly, familiar faces. Marcus, Steve Young, Poner, Joe, Robert Hendrickson. My man Nerman. Find through. Find the true two. Got to spend time with him at SCCON. Couple beers. Dream Logic's in the house. Guys, it is Friday, which is awesome going into the weekend. I hope you had a great week. I hope you crushed your goals, both transactionally and working towards those strategic goals. I'm going to try to speak today about three inches away from the microphone. Someone in chat, I was asking yesterday about feedback on the show. Shout out to Team Live. I went back and watched that team replay, dropping comments. Someone said my voice gets distorted on the mic. I said it's an audio thing; I can't really fix audio, but, you know, for the DJ B Secs and the Casually Josephs of the world, I'm going to try to speak a good three inches from the mic instead of putting my face right on it. All right, guys, hey, listen. This show is amazing. We're gonna go through the next hour going through eight cyber security stories. I literally got into the studio just a few minutes ago, coming in real hot.
So I literally have no idea what the stories are going to be, not even the topics. That's why you're not going to see the headline. Ain't nobody got time for that. Ain't nobody got time for that, running around. I got kids. I had to shower. Obviously, a shout out really quickly to Joe Hudson. Got my Joe Hudson shirt on today. Yes, sir. Yes, sir. Joe Hudson, an absolute treasure to the community. Guys, every single episode is worth half a CPE. So if you have cyber security certifications that require maintenance, say what's up in chat, grab a screenshot. That's why the chat is above my head right here. Josh Mason, good morning to you. Just turn the gain down. Yeah, I'm not, you know, sure. I could try that here. I don't know. Is that better? Again, I don't know. I know you're supposed to turn the gain down. I don't have an item that says gain, right? So I don't even know what we're doing here. But listen, grab a screenshot. Include, right there, BW5542 knows what's up. The show itself has the episode number and the date in it. This is how we do it individually. Just take a screenshot once a year, count the screenshots, divide by two. Okay? Don't turn it down. All right? I'm not going to touch any dials. I need Casually Joseph to make a house call.
DJ B Sec
All right?
Jerry Guy
Once he wakes up, because, you know, get a job at Palo Alto and all of a sudden the guy sleeps a lot. I'm joking, I'm joking. He works his butt off. All right? Yeah. Okay, so I've been told not to mess with the audio. I think I put it back to where it's supposed to be. Let me know, DJ B Sec. Guys, we got the CPEs. Listen, if today's your first episode... okay, thank you, Marcus Kyler, yelling at me. Let's just go ahead and not touch anything and I'll just be the talent and we'll have an audio engineer hook me up. All right, guys, listen, if today's your first episode, you are getting a pretty accurate tasting of what this show is all about. It's good times, good people, and cyber security. I can't think of any three things that I would rather mix into a, you know, cauldron and brew up than those three things. So if you're here for the first time, drop a hashtag first timer in chat, let us know. Hashtag first timer in chat. We got a special sound effect. Welcome to the party. We got a special emote, and, you know, the squad itself, right above me here, will welcome you into the community. And you're here right now, which is the first step. Okay? Second of all, CPEs, first timers. And, oh, every single day of the week has a special segment. And Friday's is a delight. It's actually James McQuiggan at 35,000 feet. This guy right here, long time member of the community, definitely contributing and helping everybody out. He does dad jokes every single Friday, custom jokes. Just like Dan Reardon does the custom memes, we do the custom jokes. He has sent them to me and I'm super, super excited to share those with you as always. Now, before we get into it, allow me to pay the bills. You know, audio engineers aren't free, guys. Audio engineers are not free, right? So we got to pay the bills. So let me do a quick shout out to DeleteMe, guys. DeleteMe makes it easy, quick and safe to remove your personal data online.
At a time when surveillance and data breaches are common enough to make everyone vulnerable, DeleteMe does all the hard work of wiping you and your family's personal information from the data broker websites. DeleteMe knows your privacy is worth protecting. Sign up and provide DeleteMe with exactly what information you want deleted, and their experts take it from there. As someone with an active online presence, privacy is really important to me. I have kids, I have a wife, and I don't want to have to be like, hide your kids, hide your wife. Right? I want where I live to be private unless I choose otherwise. Just like all of you, your information, just because it's your information, right? You should get to choose how it's allocated, not have somebody sell it. Take control of your data. Keep your private life private by signing up for DeleteMe now at a special discount for our listeners. Get 20% off your DeleteMe plan when you go to joindeleteme.com/simplycyber and use promo code SIMPLYCYBER at checkout. The only way to get 20% off is to go to joindeleteme.com/simplycyber. Enter code SIMPLYCYBER at checkout. That's joindeleteme.com/simplycyber, code SIMPLYCYBER. DJ B Sec, let me know in chat. So we've got a good sample now of me speaking like a fistful away from the microphone. Is that good? Is that better? Oh, we got a first timer. Who's the first timer?
Daniel Lowrie
What?
Jerry Guy
Oh, crap. We got a couple first timers. Dr. Garfield, Sec and Gibbons. So we'll just say Gibbons. Dr. Garfield, Sec and Gibbons, welcome. Hold on, let's get this DeleteMe out of the way. Dr. Garfield and Gibbons, welcome to the party, pal. Welcome to the party, pal. Yes, sir. Thanks for coming in. Thanks for checking us out. I hope you have a great experience here. Say hello. Oh, hey, Mad Destroyer. Coffee cup cheers to you, brother. Coffee cup cheers to Mad Destroyer. I am fully in the Magic: The Gathering hole, Dan. I'm spending most of my time on Scryfall. Guys, I also want to say shout out and holla to Antisyphon Training, guys. antisyphontraining.com, just go to their live training course calendar. This is what I like to do. Scroll down. Look at this calendar of events. Dude, today, today at 11:30am, today you can learn AI foundations, like how your workflows can be optimized using AI. Guys, are you using AI for more than just, hey, can you make this email sound cool, or can you give me five ideas for a blog post? You want to take it to the next level and actually integrate it into your workflows. Make you a superhuman, essentially, like SOC analyst level 1.5 coming out the gates. Joff Thyer and Derek Banks. I know both of these guys, but I know Joff's work better than Derek's. So not taking anything away from Derek, but Joff is definitely all up in AI's face. This workshop is a mad opportunity, so giddy up on it. It looks like maybe registration's closed, so too late. Too late would be the cry. So check it out. If it is closed for registration, then look forward to December. Oh, actually, this is even better, guys. Next week, or the week after Thanksgiving. Everybody's taking next week off, basically. But the week after, this is a 4-day, 16-hour course with John Strand himself leading it.
If you want to either, one, learn fundamentals with hands-on practical examples of cyber security, or two, you've been working in cyber security and you just want to buff, refresh yourself on fundamentals. There's no shame in that, right? Go check it out. antisyphontraining.com, links in the description below. And then of course we got the ThreatLocker. Let me just drop the ThreatLocker one and then we're going to be off and running on a beautiful Friday morning. Holla. I want to give some love to the Daily Cyber Threat Brief sponsor, ThreatLocker. Do zero day exploits and supply chain attacks keep you up at night? Well, worry no more. You can harden your security with ThreatLocker. Worldwide, companies like JetBlue trust ThreatLocker to secure their data and keep their business operations flying high. ThreatLocker takes a deny by default approach to cyber security and provides a full audit of every action allowed or blocked for risk management and compliance. Onboarding and operation is fully supported by their US based Cyber Hero support team. Get a free 30 day trial and learn more about how ThreatLocker can help prevent ransomware and ensure compliance. Visit threatlocker.com/dailycyber. All right, what's up, everybody? We could talk about that. Okay. All right, guys. Hey, check it out. We got a lot of stuff going on in mod chat right now around something that we're all familiar with, but we could talk about that. Guys, I just want to remind you, Dr. Garfield and Gibbons, stay tuned because at the top of the hour, 9:00am Eastern Time, we do another segment called Jawjacking. You're welcome to stay, you're welcome to go. It's separate from the Daily Cyber Threat Brief, but what we do is we do a panel of cyber security professionals and experts who are just answering any and all questions. But first we got to get to work. So do me a favor. Marcus Kyler knows what to do. Dream Logic knows what to do. Medine G knows what to do.
Sit back, relax and let the cool sounds of the hot news wash over us all in an awesome wave. Guys, I look forward to doing the news and I'll see you at the mid-roll. All right, before we get into it, James McQuiggan, the same James McQuiggan that you can see here on screen right now, just dropping 20 gifted subs casually. Did we just become best friends?
Steve Prentice
Yep.
Jerry Guy
Thank you, James McQuiggan. Great guy. Guys, if you get a chance to meet James McQuiggan, not at SCCON 2026 because he's going to be in Copenhagen, but at the Black Hat and DEF CON meetup, he'll definitely be there.
James McQuiggan
From the CISO Series, it's Cyber Security Headlines.
Steve Prentice
These are the Cyber Security Headlines for Friday, November 21, 2025. I'm Steve Prentice. Sturnus Android trojan captures encrypted chats and hijacks devices. Cybersecurity researchers at the Dutch mobile security company ThreatFabric are warning of this new trojan that enables credential theft and full device takeover to conduct financial fraud. They report that it is capable of bypassing encrypted messaging by capturing content directly from the device screen after decryption. This allows it to monitor communications on WhatsApp, Telegram and Signal. Sturnus is also able to stage overlay attacks using fake login screens over top of banking apps to capture victims' credentials, with its current targets being financial institutions across southern and central Europe. Canadian regular...
Jerry Guy
Okay, so, you know, we are looking at an Android banking malware app that does the fake overlay, transparent screen, and, you know, can steal all the things. This is not new, this is not innovative. However, you should be well aware of this. Android malware has been doing this for quite some time, right? Like, put in the six digit PIN, put in your code, put in whatever, you know, it can steal what you type on your screen, right? This isn't BlackBerry. You don't have a physical keyboard. Everything you touch is on the screen. So what's so special about this one? It quietly captures encrypted chats as well. Okay. It bypasses encrypted messaging by capturing content directly from the device screen after decryption. Okay. So I mean, this is kind of cool. It's a banking malware, but this could definitely be weaponized for spyware, right? So I mean, this is basic 101, but I guess it's worth mentioning. And by the way, for those who are in chat, I love educating. I love cyber security, like, almost to a fault. And I want to make sure everybody understands all the things and everybody at every level can level up. Here's the deal. Data. Okay, let's start on basic, day one stuff, right? Data. It can show up on your screen, right? So I text... who am I going to text? Space Tacos. I text Space Tacos: did you see that they're bringing back ThunderCats? Okay, right. But I don't want anyone to know that I'm into ThunderCats. Okay? So it's just for me and Space Tacos. And I send it via Signal, from the Signal app on my phone. It gets encrypted, so now no one can read it. And it goes down, out the wire, across the Internet, up the wire and into Space Tacos' phone, and then Signal decrypts it. So right up until the moment it splashes on Space Tacos' screen, no one can intercept it.
No adversary-in-the-middle attack, no physically stealing the device, ripping it open and pulling the RAM and being able to do that. It's encrypted, but at some point it's got to be decrypted for the intended recipient to be able to consume that information. Because of that, because that's the only spot where it really can be attacked. And of course, yes, you can hack the encryption and all that other stuff, but let's be practical here. And of course you could do, like, spoofing and whatever, but if you can grab screenshots and you can keylog what the inputs are, these are the clear text elements before encryption. So it's possible some malware could just get one side of the conversation. So just the victim, who's typing, get that part of the conversation. It's possible it could get the victim's input and the screenshots and send those. So, yeah, I mean, guys, it's funny, like, oh, Voltron and ThunderCats. But what if it's, like, Pete Hegseth texting somebody about doing a, you know, military strike on a target? Or what if it is a CEO? Like, what if it's Tim Cook at Apple talking about their strategy for getting, you know, Apple products produced in China or something, like high level, big money type things, right? There is a reason that literally the US Government recommends... and this kind of went under the radar, but I mean, I kind of dunked on this when it happened. Back in... here we go. This was earlier this year. You can't even really see it, but federal law enforcement recommends encrypted and ephemeral messaging. So, like, literally the US Federal government was advising state, local, federal and private sector to use really secure messaging in order to protect the confidentiality of that data. This is a response to that. And again, guys, I love... here's my thing. Like, I love a lot of stuff, okay? Love Joe Hudson, obviously, wearing the shirt. But I love the academic element of our industry, of threat actors being cats and us being mice, right?
Or, you know, Troy and the Greeks or whatever. Like, we come up with something and threat actors innovate. We come up with secure messaging, they come up with screen captures and, you know, thumb keyloggers, right? It's cool. It keeps us on our toes. Dude, I would be so bored if everything was just stagnant. Like, oh, we solved cybercrime. What's next, right? So anyways, be aware, educate your end users. Essentially, don't download malware, don't download Android apps from weird places. And, you know, if you're doing BYOD environments and allowing your end users in your environment to have Android, then, you know, get a good MDM solution in place. Have the data on the devices compartmentalized. Though, you know, honestly, even if the data is compartmentalized, the user is authenticated and authorized to access the sensitive emails, the sensitive files. And if you're able to take screenshots of it, I mean, it's game over. So. Oh yeah, Marcus Kyler, my man. I forgot about Jem. Jem was good. Jem was targeted at females. But you know what? They did a great job. I mean, it was part of my Saturday morning lineup.
Steve Prentice
Say schools share blame for PowerSchool hack.
Jerry Guy
What was Jem's band's name? Like, her band was like her posse, right? It was Gemini, like Jem and the Moon Rocks or Jem and the Rhinestones or something. I can't remember the band's name.
Steve Prentice
The information and privacy commissioners for the provinces of Ontario and Alberta released their investigative findings on the massive PowerSchool data leak and faulted the school systems for missteps such as, quote, not putting privacy and security related provisions in their contracts with the education software firm and failing to effectively monitor and oversee PowerSchool's security guardrails, particularly in regard to multi-factor authentication, end quote. Schools also did not have appropriate breach response plans ready to go. The report said the breach, which affected schools and students across the US and Canada, was the result of the actions of a Massachusetts college student who pleaded guilty and received a four year sentence in October.
Jerry Guy
All right, so a bunch of things here I can't speak to. So the story itself that we're looking at on stream is about just the sentencing of the Massachusetts kid for four years for hacking PowerSchool. Jem and the Holograms. Thank you. Here's the reality, guys. PowerSchool is in 85% of US school systems. It's basically the back end shared infrastructure for reporting grades, you know, administration. It's a very good tool. I haven't used it. Let me rephrase this. If 85% of schools are using it, I imagine it serves the purpose, and good for PowerSchool. Like, dude, getting paper report cards when I was a kid was lame, right? You'd be like, oh, you gotta get them signed, everything. Now, dude, as a parent I can log in right now and check my kids' grades. I don't have to wait for the end of the quarter, I don't have to wait for Christmas. I can intervene immediately and take that iPhone away. So there's two things about this story. One is about this kid getting arrested. And he pled guilty, which probably reduced his sentence. He'll be out by the age of 23. He demanded a ransom of $2.9 million. Guys, I gotta tell you, I know they probably gave him a lighter sentence because he pled guilty and he's 19, but dude, 2.9 million. So if he got away with it... like, to me, whatever. I'm not Judge Dredd up here. I don't get to be judge, jury and executioner. But it seems light for what he did. Also they said that he's had a long history of hacking. As Nick Ascoli said yesterday, if you caught the Simply Cyber Firesides, the days of getting out of jail and, like, federal law enforcement being like, hey, can you come work for us because you're a hacker? Those days are long gone. People in federal law enforcement, they know how to hack, they know how it works. They don't need that. That pipe dream of, you know, getting this sick job because you committed crime is gone. So this dude's...
I will tell you, this dude, it's interesting because he's gonna be a felon, right? Well, can someone confirm whether or not he was charged with a felony? Because a felony is way different than a misdemeanor. I feel like extorting a corporation for $2.9 million, that feels felonious to me, especially since it cost $14 million in expenses. So whatever, this guy's going to jail. We'll follow up on him. Secondly, Massachusetts, you know, that's my stomping grounds. So whatever, you know, I don't even know what to say for this guy. Hey, like, I don't know, like Sully, he probably, you know, he probably got caught. He was probably... well, he's 19, so he's definitely not drinking at the local town spa, but, like, he probably went down to the Cape Cod Cafe up in Brockton, out in Campello, got a couple bar pizzas, friggin' loose lips got his donkeys, you know, he's talking about how he's going to get himself a sweet F-250, head up to the job site. All right, so the other thing that they said that's not on the story right here, and this is something I'd like to give to you guys, is that Ontario and some other school system is holding the schools accountable for not ensuring that PowerSchool, the software provider, was implementing the security controls properly, and that the school systems did not have proper privacy and security requirements inside the contracts, and that the schools didn't have good incident response planning. Bro. First of all, I can't think of a more out of touch, tone deaf, misinformed, poor adjudication for whoever the, you know, federal politicians, the judges, the people wearing wigs up in Canada. Are you kidding me, dude? First of all, public school systems are grossly underfunded. Go look at any K through 12 school teacher's salary. Makes you want to puke. Second of all, you think that they're going to have mad IT people? No, it's like three people serving an entire county of multiple schools.
Third, this is PowerSchool. They're literally in 85% of schools in the United States. They don't need to conform to Charleston County School District. Dude, are you serious? Oh, they didn't have privacy and security in the contract, buddy. If a school system goes to PowerSchool and they're like, we'd like to use your product, PowerSchool is like, fine. Like 10,000 other school systems are using it. Sure, sign up. They're like, whoa, we're gonna have to redline this contract and add additional security and privacy requirements. You know what PowerSchool is going to say? See you later, dude. Can you imagine for a minute, like, let's make this more applicable to everybody. Imagine, if you will, that it's time for you to start working at a company and you guys use M365 and it's a monthly renewal. Monthly renewal. And you go look at the contract and it doesn't say anything about privacy, right? You're gonna call Microsoft and be like, Microsoft, I know we're giving you eighteen hundred dollars a month for our services. We really feel like we need you to update the contract. They're probably not even going to respond to you. You know what I'm saying? So, like, to put this on the school systems is idiotic. And then the school systems didn't have incident response, bruh. I got an idea for you, whoever is like the lead official person in Ontario making this claim: how about you fund their incident response program? There's a concept. It just pisses me off when people who don't know what they're talking about throw stones at, you know, perceived problems and then, like, puff their chest out and walk around like they've made some type of contribution. Like, anyone who's in chat right now knows how tone deaf this is. This is ridiculous. All right. Also, DJ B dropped this in chat. He says this guy, Matt Lane, pled guilty to multiple federal felony counts.
Conspiracy to threaten to impair the confidentiality. Threatening to... yeah, basically. So here's my thing about this guy really quickly. Yeah. He's only got four years of prison. He's 23 and he's a felon. It doesn't come up often, but, dude, I've been doing this game, like this helping people, for six years. Okay. It doesn't happen often, but every once in a while someone comes into the chat and is like, I have a felony. How do I get into cyber security? It is an incredibly difficult accomplishment to be a felon and get into cyber security, just so you know. So this dude's got a sick uphill battle. He's going to be swimming upstream.
Steve Prentice
Bill reintroduced to bolster cybersecurity at Securities and Exchange Commission. Put forward as a bipartisan initiative, Georgia Representatives David Scott, a Democrat, and Barry Loudermilk, a Republican, introduced the legislation on Wednesday under the name the SEC Data Protection Act of 2025. Specifically, the bill would establish uniform policies and procedures governing how the SEC requests, handles, stores, and protects sensitive information obtained from investors, advisors, broker dealers, and other market participants. It is also intended to develop and update data protection cybersecurity protocols consistent with federal and NIST standards and best practices. Both representatives are senior members of the House Financial Services Committee.
Jerry Guy
Oh, my God. My knees. My knees are weak. I'm swooning here. They're talking about implementing NIST controls. Say less. Oh, okay. So the SEC, which is responsible for protecting shareholders, people who own publicly traded companies, this is one of those ones. Guys, I kind of talked about this yesterday on stream when it came to, oh, my God, what was it? There was some Biden administration regulation that required security controls, and they were getting rolled back because those businesses said they were too burdensome. This is kind of going the other way. Right? So this is saying that the SEC is going to put more cyber security requirements, I assume, onto publicly traded companies. This is a bipartisan piece of legislation, which means it's... especially in this hotly contested political ecosystem, getting bipartisanship is great. It's rare. But this is to help these businesses respond to cyber threats, which can mean anything. Protection and detection. All right. Uniform policies and procedures governing how the SEC requests, handles and stores sensitive information. Oh, this is about the actual federal agency, not about the shareholders they're trying to protect. You know what's stupid, man? The bill won't impede regulators from seeking the information they need, but it does ensure that the SEC meets modern cyber security standards. So the Congressional Budget Office got hacked. A bunch of cyber attacks on financial institutions. Sure, sure, buddies. Okay, I'm just going to tell you this really quickly, all right? I worked in federal infosec for a number of years. If I was super rich, like super rich right now, I would put my hands under my desk right now and I would flip it. This is infuriating. Okay. Hello. Allow me to take you down this. This is a nothing burger for you. Okay? So there's nothing here that is going to help you at work today, tomorrow, next week, next month, next year, nothing.
I will give you something, though, okay? Number one, allow me to introduce you to the FISMA Act of 2002. Now, this might put some of you to sleep. This is a NIST website. The Federal Information Security Modernization Act of 2002. This is 23 years ago, okay? And what this law says is that any system, application, program, data center, infrastructure, any system that is funded by federal dollars, U.S. federal dollars, money that Congress allocates, is required to comply with FISMA. Now, one of the many careers I've had, I made a whole career about being an expert in FISMA. Okay? FISMA is not like a compliance checkbox, okay? It's not like there's five things you got to do. FISMA gets complicated. But I will boil it down simply. Once you get into needing to comply with FISMA, you have to figure out what collection of controls matters to you. Then you have to implement them, then you have to assess them, then you have to get somebody with authority to sign off and say, this is good, let's go. Because you're not going to implement all the controls. Some of them will be tailored out, some of them will be accepted, some of them will be remediated down, some don't apply. Okay. Can I just tell you, I would bet an amount of money that matters to me, okay, that the SEC, the Securities and Exchange Commission, the same SEC that has a .gov website, I'm just confirming right now, yes, the US Securities and Exchange Commission, I would bet you a thousand dollars that they are funded by US federal tax dollars, federal funding, federal budget. So when you come at me with lawmakers wanting to introduce bills to make sure the SEC does minimum security, my immediate question isn't, well, what does the new security look like, guys? My immediate question is, where is their authority to operate?
Where is the piece of paper that somebody with authority signed off on that said all the controls that they needed to do to comply with this law, that's over two decades old? Where's that, bruh? It's ridiculous. Like, stop with the freaking theater. Stop with the hand gestures and the shiny baubles. Dude, I'm sorry that FISMA's boring. I'm sorry that NIST 800-37 is just blocking and tackling, but if you did these things, you'd be fine. I mean, like, give me a call when lawmakers want to exceed the minimum requirements of security controls for federal agencies. Give me a call then. Otherwise I'll be in my trailer.
Steve Prentice
CISA gives government agencies seven days to patch new Fortinet flaw. CISA has stated that US government agencies must secure their systems within a week against this latest vulnerability in Fortinet's FortiWeb web application firewall, which has been exploited in zero day attacks, allowing authenticated threat actors to execute code as root in low complexity attacks that do not require user interaction. The CVE numbered vulnerability has been added to the Known Exploited Vulnerabilities catalog, meaning agencies of the Federal Civilian Executive Branch have until Tuesday, November 25th to secure their systems.
Jerry Guy
All right, here we go. Okay. Devil's in the details. I've been interviewing a lot of people recently for a project I'm working on that's going to release in January of 2026. I think you guys are going to love it. I've been teasing it, but I don't want to give any details away. CISA is giving government agencies seven days to patch a Fortinet flaw. So obviously, ah, you gotta patch it if you're running Fortinet. You should take this as guidance, by the way, if you're a private sector business running Fortinet. That doesn't mean that you shouldn't patch. You should absolutely get in there. Let's take a look at this vulnerability really quick to see how, bruh, see how serious it is. Let's go. EPSS lookup. Dropping it in here. Checking the EPSS score. Oh, it's not this. I mean, almost 3% of a chance, right? So this, I'm not gonna poo poo this. Right? 3% chance that in the next 30 days you'll get hit with this. I mean, I don't like those odds. Okay. I mean, they're very small, but they're significantly larger than you hitting the lottery in the next 30 days. As far as how bad is it? Of all the vulnerabilities in the EPSS database, which is hundreds of thousands, this one ranks at the 85th percentile. So it's pretty gnarly if it gets executed. Guys, it's a Fortinet vulnerability that has a known patch. So patch it. All right, that's for you and me as practitioners. Go find out. And by the way, you should know if you have... unless you just started at your job, you should know if you have Fortinet tech in your environment, because Fortinet is constantly on fire. So you probably have a private DM with the network engineers just around Fortinet bull crap. Now here's the one thing I want to go beyond the headlines. CISA gives government agencies seven days. That is not unreasonable. Okay? Seven days is enough time to patch a Fortinet device. What I will say is, what happens if they don't? Right? CISA gives the government agencies...
This is like my son giving me 10 minutes to make a choice on, on some. You know what I mean? Like, what authority do you have, dude? Like, I'm going to do what I want to do because you're not the boss of me. Right? Like, so again, the problem with things like this is you have to empower the agency with authority and then have repercussions if they don't do what they're being told to do or just call say it what it is, you know. No, I'm not going to do this. So I certainly hope personally that agencies patch in the next seven days. I really, really do. Sadly and cynically, I believe that in two weeks, three weeks, we're going to hear a story of some government agency, probably like a fringe one, that suffered a cyber attack because they didn't patch this Fortinet flaw. Mark my words. Mark Tape Episode 1011 Jerry Hot take on the Fortinet government agency vulnerability.
Steve Prentice
Okay, huge thanks to our sponsor, KnowBe4. Your email gateway isn't catching everything and cybercriminals know it. That's why there's KnowBe4's Cloud Email Security platform. It is not just another filter. It is a dynamic AI-powered layer of defense that detects and stops advanced threats before they reach your users' inbox. Request a demo of KnowBe4's Cloud Email Security at knowbe4.com, that is K N O W B E and the number 4 dot com. Or visit them this week at the Microsoft Ignite booth, number 5532.
Jerry Guy
All right. Do I do it? Do I? Yes. I just can't help myself. It feels so good. What's up, Davey? Crack it. Good Morning, everyone. Hey, Dr. Garfield and Gibbons. I hope you guys are enjoying your first time here with us. I feel like this is a pretty representative episode between how I feel about these stories, the value I'm trying to deliver. Chat popping off as always, guys. You guys are killing it. Thank you to the stream sponsors. It's you guys' support and, and I get up for you. But I, I do want to say thank you to the stream sponsors because because of their sponsorships, I am able to do this. Otherwise I, I would have to. I wouldn't be able to do this because I'd have to be making money some other ways. So thank you Flair. Not well thank you Flair, but thank you. DeleteMe, Antisyphon, ThreatLocker and Barricade Cyber Solutions. Guys, Barricade Cyber Solutions, they do many, many things but they are actually running a webinar series right now every two weeks that you should definitely check out called the Fortify365 webinar series. All right, check it out guys. If you are interested in getting practical knowledge on how to secure Microsoft 365 environments, which are pretty commonplace, come check out this webinar series on November 26. So the day before Thanksgiving, next Wednesday, which honestly, what are you going to be doing at work on Wednesday? Half the company's left. No one's checking. It's. It's 1pm, you can't really leave because you got to be seen at your desk, but you're not working. Emails have crawled to a stop. Jump on this webinar. Learn how to secure SharePoint and OneDrive for the users in your environment. We're talking very practical skills, setting up alert policies for external file sharing. Wouldn't you like to know that DJ B Sec just shared with Josh Mason's personal Gmail account? Or actually, I think the thing that you would most commonly see is like Nick Ascoli is sharing with nickascoli's personal email, right? This is a common thing. 
When people are about to quit their job, they start firing things off to their personal email. Wouldn't it be nice to detect that? How about when existing or new guest access gets authorized? Wouldn't you like to be able to identify that? Maybe put a. Put a time limit on that. All that and more, go to webinars.barricadecyber.com, check it out. I say Nick Ascoli because he dropped it in chat yesterday that he tunes into the show on the reg. So what's up, Nick? All right, guys. Every single day of the week, every single. Look at this picture. My kid. Whoops. Every single day of the week has a special segment. And Fridays is James McQuiggin's. Yeah, James. James McQuiggin at 35,000ft's joke of the day. James, can you DM me on Discord so I can get you the link easily? Here we go guys. Why is a piano so hard to open? Why is a piano so hard to open? Because the keys are on the inside. Oh my God. All right, guys. What's a rabbit's favorite kind of music? I don't know if you guys know that I am 1/3 I'm. I'm 1/3 Irish, 1/3 French Canadian, and 1/3 Hare. H A R E. Do you know why? Because me and rabbits have something in common. Our favorite kind of music is hip hop. What's a computer's favorite kind of music? Oh, my God. What's a computer's favorite kind of music? Algorithms. Oh, yeah. And finally, bonus question from James McQuiggin at 35,000ft's dad jokes of the day. What do you call a computer that sings? What do you call a computer that sings? Adele. Oh, hey, yo. All right, thank you, James McQuiggin at 35,000ft. I guys, I hope you enjoy it. I know there's a bunch of you regulars that drop your own dad jokes in chat, so go ahead, do it right now. It takes a village, y'.
DJ B Sec
All.
Jerry Guy
You know what else takes a village? Dr. Garfield. Gibbons, all you got to do is say, la la la la la. All right, everybody else knows. Let it wash over you. Let's do it. Let's do it. All right. Let's finish strong, everyone. Solid. Solid.
Steve Prentice
German authorities warn of evasion attacks on LLMs. Germany's Federal Office for Information Security, BSI, is warning of rising evasion attacks on LLMs and has issued guidance to, quote, unquote, help developers and IT managers secure AI systems and mitigate related risks. Evasion attacks involve malicious inputs such as prompt injection and data manipulation designed to subvert or bypass model safeguards. The BSI released a document aimed at developers and IT managers in companies and public authorities that have opted to operate a pre-trained language model such as OpenAI's GPT. The recommendations are a blend of technical controls such as filters, sandboxing and retrieval-augmented generation along with organizational practices such as adversarial testing, governance and training as part of a defense-in-depth strategy. The office emphasizes that no single control is sufficient.
Jerry Guy
All right, hey, real quick. I do see Gibbons and Dr. Garfield getting in on the la la la. I appreciate that and I love the. The effort to lean into it. All right, so check this out. This story is basics, not basic, but this story is simple and straightforward. Essentially, they're this government. Germany is giving guidance to German businesses on being careful around use of AI, specifically around evasion attacks targeting LLMs. All I'll say here, hold on. Can we get an actual link to it? Come on, bro. Here we go. Now I. I'll say two things. I'm going to drop a link to this in chat. I have had multiple conversations with people. I had one with Shamira Gonzalez just Wednesday. Okay. Around. Hey, how do you like, what do you have around AI governance? A lot of people have been asking me about AI governance and AI policy and, you know, all things AI. There isn't a perfect solution right now, obviously, but putting pieces together, it does help. And to me, if you're responsible for governance at your business, if you're trying to get better informed on how you can help, everybody at your business is using AI, right? So how do you kind of like get your arms around it, help secure it while also enabling innovation at work? This is likely a good piece of the pie. This is not a one-stop shop. This is very specific around evasion attacks on LLMs. But how to countermeasure it, right. So yeah, check it out. Oh, she is definitely. Shamira Gonzalez is wonderful. I'm not, I'm not tipping my hand at all. But everybody, I hope she attends on Monday's episode next week. Yeah, I mean. All right, let's keep going.
Steve Prentice
Critical flaw lets hackers access ASUS DSL routers remotely. The Taiwan-based computer and technology manufacturer ASUS has now fixed a critical auth bypass flaw with a CVSS score of 9.3 in DSL routers that would have let remote unauthenticated attackers access devices with ease. The vulnerability impacts a handful of router families listed in the show notes. And of course ASUS recommends users update to the latest firmware as well as using strong unique passwords.
Jerry Guy
All right, hold on first. Okay, so a couple things here. One, ah, you gotta patch it. You gotta patch it. So if you're running ASUS, guys, basically here's my thing. Commercial, like residential grade and low-end commercial grade network devices notoriously have problems. Fortinet. I mean ASUS, TP-Link, QNAP, Zyxel. Right? And it's not, I'm not saying that those products suck. I'm just saying they typically show up as the things that are most often on fire. So ASUS has got a thing. So number one, you got to patch it. Number two, obviously if it's end of life, there is no patch. Right? So you, if you, if it's end of life, you've got to replace it, right? We should do this. Ah, you gotta replace it. Okay, but may I just point out something that to the untrained ear you may have missed. Okay, but since I love myself some cyber security and I'm an absolute nerd when I hear something that's not true or stupid, it, my, my, my spidey sense goes off. Okay? For end, for end support for un. They say in the story here for unsupported end-of-life models which are never going to get a patch. Use strong unique router and Wi-Fi passwords. Okay? Disable Internet-exposed services. All right, here's my thing. This particular flaw allows remote. So anywhere in the world, unauthenticated attackers, bruh, you could have a 6000 character password. Unauthenticated means I don't need it, I pass, I go by it. It's like these pictures. You ever seen these pictures of like there's a security gate, but then there's like no fence and there's just like a well beaten path around the security gate. That's what this is. Build a wall, put a catapult, have armed guards with machine guns standing at the, at the gate. Your wireless router is absolutely secured and then it's like, like five feet to the right, you can just walk past it. So I mean, sure, sure, sure, sure, sure, sure. Now having said that, I'm not saying you should not have strong passwords, right? You absolutely should. 
I'm just saying for this particular vulnerability, for end-of-life devices that are vulnerable to it, a strong password is not going to save you. If anything, it's going to give you a false sense of security. All right? And just for those who are keeping score, it's the DSL router family, the DSL-AC51, DSL-N16, DSL-AC750 router family. So if you got those, that would be the ones that you got to worry about. Yeah. Here we go. Here's a live look in at, Here's a live look in of you putting a strong password on your, on your end-of-life device that's vulnerable to this vulnerability. Ooh, you know what, this is too, by the way, just to like further punch a hole in the side of the GRC mafia, which I'm a card-carrying member. This right here passes a compliance audit. This is a visual representation of why compliance is not equal to security. Okay, do you have a, do you have a gate on your, on your main, you know, network path?
Steve Prentice
Yep.
Jerry Guy
Check. We're complying here. Let's go get tacos.
Steve Prentice
Palo Alto Networks sees massive surge in malicious activity inside mystery traffic flood. The traffic has been targeting Palo Alto Networks' GlobalProtect portals and has surged almost 40-fold in the space of 24 hours, hitting a 90-day high and putting defenders on alert for whatever comes next. This is according to attack intelligence firm GreyNoise, who says the sudden wave began on November 14th coming from a single network based in Germany and Canada. The company also said in an earlier blog that spikes in attacker activity, quote, often precede new vulnerabilities affecting the same vendor, with 80% of observed cases followed by a CVE disclosure within six weeks.
Jerry Guy
Excuse me. All right, so there's some compromised assets in, in Germany that are. What exactly are they doing? Hold on. I'm trying to figure out exactly what they're doing here. Like, significant escalation in malicious activity. But like, what, what's the malicious activity? This is like, oh, there's something really bad coming out of Germany. You, you, you gotta block it. Like, what is it? This is annoying. Like, listen, they're just scanning.
DJ B Sec
All right.
Jerry Guy
Sure. I mean, okay, so, all right, so basically what GreyNoise is saying here is that there is kind of appearing to be threat actor activity, scanning, looking for this very specific GlobalProtect login page everywhere in the Internet. Okay? Now what you can do is, because they're all coming from this. What is, is AS Autonomous System? I think it. I think it's one of those ones where I forget. I always forget the. Is it autonomous system? No, it's not autonomous. What the hell does the AS stand for? It is Autonomous System. Huh.
DJ B Sec
Huh.
Jerry Guy
Autonomous. Didn't feel right. Anyways. You can block an entire autonomous system number, but that's kind of like, I don't know, killing a mosquito with a cannonball. Like, you can do it, but like, you're going to black out Germany. So, you know, I don't know if you're. If your business depends on Germany, right? Say you're like a sauerkraut importer, right? You probably don't want to black out Germany. What else we got? BMW. Those made in Germany. Let's pretend they are like Heineken, right? You can't. This is definitely like a, a bit of an overcorrection, I would say. Guys, here's the deal. Stick a honeypot out on the Internet, it's going to get poked, prodded, and jammed up immediately. So, you know, an uptick in activity of scanning is not to be concerned. All I would say is if you are running Palo Alto GlobalProtect, obviously there's threat actors out there who are working on some type of exploit or they have an exploit. Increase your level of detections. Maybe put some honeypots or honey tokens around that GlobalProtect server in case it gets popped and they jam up on it. And you know, stay, keep your ear to the, to the wire on updates and patches from Palo Alto. I will tell you, though, that like, this activity. This isn't some kid in his basement who's like, let's try to like. Let's just try to, like, prod around on Palo Alto.
Steve Prentice
D-Link warns of new RCE flaws in end-of-life DIR-878 router.
Jerry Guy
Oh, I do like a good Dunkle.
Steve Prentice
It was a big day for router technology, it seems, yesterday, with D-Link warning of, quote, 3 remotely exploitable command execution vulnerabilities that affect all models and hardware revisions of its DIR-878 router, which has reached end of service but is still available in several markets. These routers are typically used in homes and small offices. Since the DIR-878 reached end of life in 2021, D-Link warns that it will not release security updates for this model and recommends replacing it with an actively supported product. Four vulnerabilities are involved, listed in the show notes, which, according to CISA, have a medium severity score.
DJ B Sec
This is Rich Stroffolino.
Jerry Guy
Adding it medium. Medium severity score basically means that it'll never rise to the occasion of doing anything. Guys, D-Link. Like, basically just take the video, take the show, and rewind about three minutes of me talking about this ASUS vulnerability. Okay? D-Link. ASUS. Fortinet. Q. Like all these things, guys, like it, it. I'm not dunking on it. Like, basically you pay for what you get. These devices cost less money, but then there's a higher maintenance in. In basically burden around managing them. You put. And again, I'm not saying Cisco and Palo Alto and Aruba aren't like, they're bulletproof, but when you buy higher-end gear, you get higher-end, you know, quality and performance. So choose your own adventure, dudes. Right? So, okay, so anyways, if you're running end-of-life D-Link, guess what? The. The patches aren't coming through, right? Larry Bird's not coming out of that locker room. This is a very, very specific niche reference about that. But anyways, replace your stuff, period. Ask for budget. Like, become best friends with the IT administrator and be like, can I get some budget? We really got to replace these D-Links, right? Or, you know, write up a document. Yo, when we get. When we get compromised, it's probably because of these D-Links. You're picking up what I'm putting down, Ted. Okay. All right, let's go. Definitely don't ever speak to your boss in a sarcastic tone. It does not work. All right, friends. We just did it. We did the thing. Somebody called Nick Barker. It's 9am, we're nailing it. I got about 30 seconds before the top of the hour. Just enough time to say thank you very much for coming here today. I hope you enjoyed it. Dr. Garfield. Gibbons. Huh?
DJ B Sec
Huh?
Jerry Guy
First timers. You guys gonna come back? I hope you do. Don't go anywhere, though, because we got a half hour of Jawjacking. And then immediately following that, we are going to be doing James McQuiggin at 35,000ft. Simply secured, another show that we run here. We're going to be talking to Real Bilbo, another community member here at Simply Cyber. Love. Love myself some real Bilbo. So come hang out, have a good time. Start your Friday right. I'm Jerry from Simply Cyber. Let's go get the panel and get to Jawjacking. Ever wonder what it takes to break into cyber security? Join us every weekday for Jawjacking, where industry experts. What the hell.
DJ B Sec
Did.
Jerry Guy
Am I live right now? Did the video just end? What the heck just happened there? Hold on. Ever wonder what it takes to break into cyber security? Join us every weekday for Jawjacking, where industry experts answer your burning questions about the cyber security field live, unfiltered, and totally free. Let's level up together. It's time for some Jawjacking. All right, what's up, everybody? Welcome to Jawjacking. I don't know what just happened. Sometimes you get to see behind the curtain and see how the sausage is made. I'm your host, Jerry Guy. As you can tell from the spectacles, or. Or is that what you call them? Spectacles? That feels wrong. We're coming. Hot off the heels of the Daily Cyber Threat Brief, hosted by that nerd, Dr. Gerald Auger. Shout out to Joe Hudson. We got a panel today on Friday. Let me bring them on. Oh, we got a full look at this cart of, you know, the. The band Mötley Crüe, how they got their name.
DJ B Sec
The.
Jerry Guy
They were originally called Christmas. Spoiler alert. But then they walked in and the A&R guy was like, holy mackerel. Look at this motley crew. And they took it and ran with it and made a ton of music. Let's introduce you to the 2025 Simply Cyber Motley Crew, ladies and gentlemen. Couldn't pick a better one for this particular travel to start. Daniel Lowry. What's up, dude?
Daniel Lowry
What up, Jerry? Good to see you this morning.
Jerry Guy
You remember Motley Crue, right?
Daniel Lowry
Dr. Man, remember them? They were delicious.
Jerry Guy
All right, continuing on the. The gray beard train, here we go. DJ B Sec, what up? That's not great. You're wearing a gray hat, right?
DJ B Sec
Yeah.
Jerry Guy
Okay, ladies and gentlemen, at 35,000ft, bringing the rib ticklers and coming to us probably from an airplane, with just a green screen backdrop of his studio, James McQuiggin. We are on mute. James McQuiggin.
DJ B Sec
Oh, the 737 has his mic turned off.
Jerry Guy
Yeah. Please put your belt on.
James McQuiggin
We didn't do any sound tests beforehand, so, you know, there you go. What's up?
Jerry Guy
James McQuiggin, coming to you live from.
James McQuiggin
Ground level at home. Road tripping is done for the next couple weeks.
Jerry Guy
Oh, my God. Wow.
James McQuiggin
Yeah, so. And I got my voice to prove it because I'm still, you know, I've been under the weather all week and trying to recover, but. But doing all right.
Jerry Guy
Well, I hope you feel better, James, going into Thanksgiving. It's always good. Guys, here's the format for the show. If you're new here, if you have any questions, whether it's career related, certifications, training, AI, you know, training platforms, labs, anything, we've got a really, really great panel. So let me introduce kind of the expertise around the panel so you can get even more informed. Drop your questions in chat with a queue up front. So DJ B Sec beneath me has, you know, 20 plus years of network engineering and cybersecurity experience and has recently begun floating away from the keyboard and becoming more of an executive, but still got his feet grounded in the. You got like an RJ45 cord tied around your ankle, right?
DJ B Sec
Basically 100 foot.
Jerry Guy
100 foot one. Oh, he came to my house and borrowed one. We got Daniel Lowry, who is an amazing trainer, many of you probably know from his training expertise. And while he can hack hardware like a boss, his, I would say his expertise lies in offensive security and penetration testing. So Daniel Lowry will be fielding those questions today. And then down in the corner, circle gets the square. James McQuiggin at 35,000ft, thought leader, public speaking expert, and works at a company that is known for their awareness training and GRC type work. So James McQuiggin can bring those type of heats too.
James McQuiggin
And Jerry, I'm a pen tester too.
Jerry Guy
Yes, he is a pen tester. Let's see. There it is. Boy, look at that double pen testing. He's quite the flex.
DJ B Sec
Quite the flex right out of the database.
Jerry Guy
That was for you.
James McQuiggin
That was for you, Daniel.
Jerry Guy
I love it.
Daniel Lowry
I appreciate it.
Jerry Guy
All right, so James, I guess let me just kind of a fun question for you until we get going. Any. I know you travel quite a bit. Do you have a Thanksgiving tradition that we're going to be executing on this week.
James McQuiggin
Yeah, usually we go to my cousin's house here in town and, uh, it's a big, big family, uh, get together. Cousins and aunts and uncles. And I bring my buffalo chicken dip. My ever famous buffalo chicken dip. Love to make it. It's always a hit with the family. And of course, the turkey, the stuffings, the pumpkin pie, the apple pie, all the fixings. So, looking forward to getting together with family next week because they haven't seen me since, I think, September.
Jerry Guy
Yeah, I, I don't even think, like, your dog has seen you since September, dude. You've been. You've been living on a plane.
James McQuiggin
If I had a dog. But yeah, okay. Your dog seen me more than my own cats.
Jerry Guy
I know. The proverbial. The proverbial senior. All right, we got some questions coming in. This is great. Let me start firing out at people. Roswell UK wants to know what's the origins of to blow smoke up their butt. Wrong answers only. Hey, Daniel Lowry. I feel like this is a. A tech neck type thing, you know.
Daniel Lowry
That's exactly where my mind went because I thought for just a hot second. Isn't that time that Billy was trying to fart up. Oh, John boy's. 72 Chevelle, but he turned a car on and just blasted right up his bum pipe.
Jerry Guy
UK, we got an answer. Cyber Risk, which says, looking back on your careers, what advice would you give your younger selves who are just getting into the field? DJ B Sec, hit us up with some knowledge, dude.
DJ B Sec
Man, I would pay more attention to what it is that I'm doing. Not just live day to day, but actually have like a goal set. Set a goal and go for it.
Jerry Guy
All right. That's awesome. James McQuiggin, what do you got to say, buddy?
James McQuiggin
Don't wait. Get into it now. I waited a number of years before getting into it. And then cyber security, just, you know, go full speed. Get networking, get studying, get out there.
Jerry Guy
Yeah. Myself personally, this is not probably the, the most important advice I would give, but it's one thing that I actually wrestled with. I was always told, like, you have to understand how the business makes money. You have to understand the business. And I was like, why? Like, I'm securing, I'm securing the things. Like that's what my job is. And it's only, I mean, like, literally, really late in my career when I kind of got more into the executive level stuff, did I actually see why it's so important to understand how the business makes money? Because that's how, like, especially in GRC, because that's how you are making decisions on what's important and where do you allocate resources and stuff like that. It just. For me, not being a business guy or an MBA person, being really tech forward, I. I never understood the need for it, but I absolutely do now.
DJ B Sec
Daniel, it also lets you know what you're actually securing. If you understand the business, you know why you're doing your job.
Jerry Guy
Yeah, exactly. Exactly. Daniel, what do you got?
Daniel Lowry
I would have said like kind of to the idea of have a plan, because I just kind of fell into this. I was like, you know what? Cool computers.
DJ B Sec
I'll.
Daniel Lowry
I'll see if I can't get a job with that. And then that job rolled into another job, and then you start picking up some skills and so that job rolls into another job and then you get some certs and then that, and you're just like kind of going with the, with the river, wherever it takes you. But if you kind of sit down and. Took me a while to realize, like, oh, if I start to like, build a name and learn people in the industry and make friends with people and, and start to contribute and be a positive influence, that is a. And then on top of that, skills. By the way, I always say to this question, technically, I would have told myself, learn programming. I don't care what you think about it or how bad you don't jive with it, learn that. Because understanding how that computer works is going to make you just that much better at what you do. So anyway, that's. That's personal. That's a personal. Yeah, do that for me. But other than that. Yeah, like, have a plan.
Jerry Guy
You.
Daniel Lowry
You can't just kind of go wherever the chips may fall because you never know where they may fall.
DJ B Sec
Not in this day and age, though. Like, back. Back in our day, you could.
Daniel Lowry
Yeah, yeah.
DJ B Sec
Because I had to say I had the same track that Daniel did. I just fell into it. They're like, hey, I've got this job here. Okay, I'll go do it. Right? And then one thing led to another, led to another, and I was like, oh, I like doing that. So I'm gonna go do that.
Jerry Guy
Yeah, yeah, it's definitely. Things have matured as far as an industry and resources and the. Even the availability of mentorship at scale. Space Tacos wants to see your coffee cup. James, really quick. Can we get a feature, please?
James McQuiggin
Well, the one that I was using this morning was my Tampa Bay Buccaneers, who are kind of hurting right now, but behind me, over the shoulder, kind of right about there, there's a Simply Cyber. There's a sippy. Simply Cyber shippy cup.
Jerry Guy
I love it.
James McQuiggin
Or what we say SC2.
Jerry Guy
So you will see, yeah, you will see the simply Cyber Sippy cup on August, December 7th and 8th, because I have to go to Austin, Texas. So I'll be live from the. The hotel room. Hopefully it doesn't look like a pink nightmare that I stayed in in Colombia recently. Continuing to do some fun stuff here. DJ B Sec Amish Brain wants to know what your shirt says.
DJ B Sec
Dude, it says, if at first you don't succeed, succeed, try doing what Ben told you to do the first time.
James McQuiggin
Nice. Very nice.
DJ B Sec
I get shirts like this from my. From my wife's mother. She gives those to me all the time.
James McQuiggin
Awesome.
Jerry Guy
She must. Yeah. Like as you evolve into your executive role.
DJ B Sec
I told her the next shirt I need to get. Is that the one that says I'm your mother's favorite child. That way. That way. When I walk into family reunions or family things that my. My wife's brothers. Look at it. Look at that on my shirt.
Jerry Guy
Oh my God, that's so funny. I love it. That would be good soap flavored, says Jerry. So I'll take this. Is Palo Alto's concern to do with resurgence in the Salesforce breach yesterday? I believe they were affected in August. So I would say no, because the. The scanning is looking for a specific login page with the GlobalProtect technology. The Salesforce breach was around customer data, so it would be like leads that Palo Alto had. Like if it was related to Palo Alto, it would be like CRM and potential customers and where they are in the sales cycle. For Palo Alto, this is more of a technical scan and looking for attack surface and exploitation. So I suspect that they are completely unrelated.
DJ B Sec
There's also with this specific one, it's looking for a specific page in your Palo Alto firewall, the login. So it's usually going to be the SSL VPN and not necessarily GlobalProtect. They're looking for something specific. You can lock that stuff down so much that, I mean, if they're just scanning, they're just trying to poke holes right now.
Jerry Guy
Yeah. Or.
DJ B Sec
Or they, or they have found a CVE that they're trying to find something to. To be able to get in and use and it's not actually been put out yet. But there are so many ways to lock that stuff down. Palo Alto, you can attach it to Azure SAML, you can do AWS SAML. There's so many different ways to lock that thing down.
Jerry Guy
All right, awesome. Really quick. Amish brain says who has been DJ B Sec? His. His mom and dad did not name him. What? Yeah. So really quick. Soul Shine wants to know she's seen James and Daniel and myself quite a bit. Where you been? DJ B Sec, give us 30 seconds on what's new.
DJ B Sec
I have been hammering out some stuff for projects, opening new sites, doing a whole bunch of different stuff. Finally, I have today off all of next week to just chill out.
Jerry Guy
I love it. Are you. Hold on. We have to connect, right? Aren't we supposed to be getting drinks in IRL soon?
DJ B Sec
There's a possibility next month.
James McQuiggin
Hey, there you go. I mean, I got to cross paths with DJ B Sec in Houston. What was that last month?
DJ B Sec
Yeah, it was in the beginning.
James McQuiggin
September, October. I don't know, sometime.
DJ B Sec
But yeah.
James McQuiggin
And that was for all of like 10 minutes. We had a quick chat, a quick selfie. Enough.
Daniel Lowry
We went.
James McQuiggin
Yeah.
Jerry Guy
I love it. Code Brew wants to know how the CTF went last night. Ask Poner. Joe. I. I was streaming with Nick Ascoli, but we did have three winners and if you guys didn't know, we do a monthly CTF in the community. We were doing it for a year, so we will have one in December. I have to evaluate whether or not we're going to continue to do it in 2026 based on multiple factors. But yeah, go check it out. I think it went well, though. Code Brew, what's your viewpoint on Flock security cameras and their constant recording and lack of security? So I did see a story pass by my feed around Flock Security and I think they were able to compromise in like 30 seconds or something like that. I don't know if anyone else on the panel read that story. I'm not really well informed on Flock security cameras, so I can give a.
DJ B Sec
Little bit on this. I haven't read for Flock Security, but Flock security cameras are basically. Think about what you see in the UK or over in. In London, in Britain, where they have cameras all over the place. That's what Flock is. It's basically like the massive network of cameras that's used by your municipalities, your local PD and so forth that do license plate reading. So for instance, they actually put them in. In my neighborhood, we had a lot of break ins where people were coming in and stealing tires and stealing wheels. And now with those cameras in place, now they'll know if somebody comes in your neighborhood or goes out of your neighborhood and they have the. They've got the License plate. But it's not just the bad guy's license plate. They have everybody's license plate so they can follow. In fact, I did see something a couple of months ago where there was an individual that broke into something or got in trouble in one area of a municipality and then ended up being on the other side of town. And the license plate reader, the Flock camera, hit that license plate, and they were able to catch that guy like that.
Jerry Guy
Yeah. I mean, it's good, but with all.
DJ B Sec
Good comes bad, Right?
Jerry Guy
Right, exactly. Like mass surveillance is great because crime doesn't happen. But if you look at 1984, there was not a lot of George Orwell's 1984, there was not a lot of crime happening, but there was also not a lot of anything happening that wasn't.
Daniel Lowry
Not a lot of real crime. Right. There was thought crime.
Jerry Guy
Yeah, yeah, exactly. So, you know, it is a balance that we have to deal with civil liberties and stuff like that. A couple questions coming in. These are great. And I'm also gonna step back and grab a book back here. So let me throw this one to Daniel Lowry. And then if the panel wants to comment on it after, we can do this. Daniel Bob art thou. Love that name. You guys think a degree is more important or certifications in the cyber security field? Daniel, you're talking to your kid. They're about to turn 18 and go off into the world. And they say, dad, degree or certs go.
Daniel Lowry
Yeah, that's gonna be both. And. Right. That's just the answer to that. The. The quick TL;DR on that is both and it is not one or the other. And there was a time when you'd have caught old D. Lao here telling you, man, forget that degree business. It's all about them sweet, sweet certifications. And if there was a hot minute there for that was the truth. That was really the way to go. The degree programs were cranking out people that knew some basics. And unless you had like a full CS degree where you were like a developer or some sort of data scientist or this researcher, you. You didn't really. You may be electrical engineer, that kind of thing, you didn't really have a great grasp on cyber security. Definitely. And just a bit on it, and you had to go out and get those certifications to really kind of ramp up on day to day systems and network administration. And if you wanted to get into cyber security, it was. You learned the basics in a college program. And that. That was crazy. Today is a different story. Right? They. The university levels have realized that they had a bad gap when it came to the skill level that they were cranking out. You know, to James is just shaking his head because he's like WGU baby. Right? They, they saw, hey, there's a good market for this. Yeah, right, yeah. Full Sail University. All these, all these. You know, I went to ITT Tech and they were the first kind of. They started a degree program in that. In cyber security. I was one of the first people in that degree program. I did not finish it. I, I ended my school career at that point because I was disenfranchised with the whole idea of that kind of thing. But nowadays, different story, man. There's some great degree programs out there and if you look at job posts, they love a good degree at this point even, even if it's just a good bachelor's in, in computer science or, or networking or even networking or cybersecurity, there's great ones out there.
James McQuiggin
So, yeah, I mean from a unit, from a professor standpoint, teaching cyber threat intelligence right now, trying to get the students to do more real world assignments, activities as assignments, writing the reports. I mean cyber threat intelligence, like pen testing, it's a lot of fun to do, but you've got to be able to communicate it. And so working on those professional skills, not soft skills, professional skills of communication, presenting, gathering up that information and being able to communicate it out is, is what we're trying to strive to do more. So yeah, the cert, the degrees are there, as I've always felt that that's there to show that you can focus on something for four years and you know, accomplish a degree through study, analysis and so forth. The certs give you that hands on practical showing that you can, yes, I can do this. So it is an. And as Daniel was saying, certs and your degrees and a lot of the schools, they'll allow you to get your certs while you're taking the classes. So that's kind of a win win in a lot of scenarios as well. So go for both. And then the experience.
DJ B Sec
Yeah, the search of the industry. Industry saying yes, you have it.
Jerry Guy
All right. Adrian says, I've been in telecommunications for over 20 years, mostly in PM and circuit provisioning. What's the best way to pivot in terms of courses or frameworks in addition to NIST? And I love that you add in addition to NIST like, because obviously NIST is like a prereq. James, mentor. What do you say, buddy?
James McQuiggin
20 years in PM and circuit provisioning. Wow, that's certainly very specific. But the PM is the key aspect of it because when you get into cyber security, you know, other if, if we didn't have project management, we'd be going all, all over the place, plugging in all kinds of devices and blinky boxes and everything else, working with it to do that. But certainly the project management aspect is crucial because of planning that's needed in a lot of these cyber security projects. Whether it's identity access management, whether it's new EDRs, whatever it may be, that's key. So yeah, your, your courses and frameworks. Well, certainly shameless plug, Antisyphon's got a whole lot. Jerry's in the Simply Cyber Academy. Tons to go check out frameworks, you know. Yeah, NIST is kind of the standard here that we, we like to utilize here in the US. ISO is another good one, especially on the 27000 series I've seen because that focusing on trying to get that compliance re involves a lot of project management, being able to take it, scope it, implement it. As a very dear friend of mine always said, you got to plan the work and then you got to work the plan. So that would be my take.
Jerry Guy
There you go. I love it. So we just had this question a moment ago around cert versus degree. Daniel answered it, DJ B SEC followed up. So what if you can't get the degree? What cert is best depends on what.
Daniel Lowry
You want to do.
Steve Prentice
Right.
Daniel Lowry
What kind of doctor do you want to be? It's same thing with cyber. Right. So if you're, I mean, I'll speak from the red team side of things. I mean like it or lump it, OSCP is still the favored son when it comes to HR. So if you, if you want to really be able to go, hey, I'm probably going to get an interview, you go for the OSCP. Other certifications out there are just as good, quality wise, if not better in some people's estimations. Right. That's going to be a judgment call on you. To me, I always try to let people know it's all about what jobs are you going for and what do they value you? If they don't value the OSCP, then it doesn't matter. Go get something else. Look at what they at the jobs that you're looking at and what is a constant thread between those different jobs. What do you see as certs that they value? And that would be something I would start looking at very heavily.
Jerry Guy
I love it. We got a great question coming in here for the panel and you guys will understand why I say that. When did you start feeling competent in cyber? It feels like the gap between what I know and what I've yet to learn is ever widening. DJ B, you go first. We're gonna have a therapy session here.
DJ B Sec
I'm not competent at all. I mean, I'm sure everybody on here feels the same way. We know what we know because we do what we do, but we don't know everything. And that's, that's the key to it, is you have to understand you're not ever going to know everything. It's learning on a day to day basis.
Daniel Lowry
Basis.
DJ B Sec
I may know something Daniel doesn't know or James doesn't know, but they may know a lot more than what I don't know over here. That's why we have, that's why one of the biggest things we talk about on here and any, anytime I'm talking with somebody is it's always about networking. Get people that know stuff that you don't know, so you're able to reach out to them and talk to them and find out because something may come up that you have no clue. But guess what? I have 40 people behind me that I know are competent in, in cyber security. And they probably do know what I don't know when I can ask them.
James McQuiggin
I, you know, it's interesting, you know, when did I start feeling confident in cyber? There's been different stages and like what DJ B was saying, you know, we don't know everything. So it's, we've got to know little chunks at a time, little bits. And I think for me there was a certain level of competency when I passed my CISSP way, way, way, way back in the days. And since that time it's been learning more and more about cyber. And I'm all, we're always learning about cyber. But there's that competency when for me, it's when people come up to me and ask, you know, what do you think about X? And I give a response and they're like, oh, okay, all right. I'm like, all right. Well, I guess that wasn't so bad. But I think the next step for me came when I started teaching. Because then it's like, okay, now people are looking to me for the answers. I better know what I'm talking about or feel confident in what I'm talking about. But at the same time, if I don't know the answer, I got to know where I can go look for it. And that for me has always been the case. Since I was working in a help desk back in the last century. You know, I may not know the answer but I'm going to go find where you can get that answer. But presenting has been. Is also another big step as well when you. Because you've got to be able to articulate and, and communicate and share the vision, the message, whatever it is. So it's been baby steps. Do I always feel competent? No. Imposter syndrome is very real in this industry because when I got to present to a room full of hackers on agentic AI and I'm like how many of these people are going to run circles around me? You know, it's. But if you get up and you share what you know and, and your information and you've made sure that you validated and verified and you're, you're comfortable in your response and you'll be, you'll have that competency.
Jerry Guy
So kind of a follow up question on this one and I'll throw it to Daniel since he didn't comment on that one. Overlook says if anyone curious if anyone can speak towards the importance of confidence and self esteem for career growth. Feels like degrees and certs go only as far as confidence will take them. What do you think, Daniel?
Daniel Lowry
Yeah, no, that's really good. By the way, I scheduled my confidence on like September 13th of 20, 2047. That's when I will feel confident. I put it on the calendar. Yep, I got it on the calendar. It's ready to rock. But no, you, you're, you're absolutely right about this that you can have all the skills in the world. You can, you can literally be a genius level. But if you do not have the ability to utilize those skills in a way that someone can understand because and this is, this is the problem that we have when it comes to talking to the business leaders of whatever organization that you work for or are your clients or whatever the case is is translating that, that technical knowledge into something that they get. If you can do that, there's no end of work that will come your way because that's what they. This is the missing key. I'll take it to training because training is my, my bread and butter. Right? Is like I can't tell you how many really great training classes I've seen as far as like the content but the delivery is just garbage. It's just, it's not engaging, it's not fun. I, I have to watch it over again. I have to reread that sentence nine times to go. What are they saying? Because technical level genius man, crazy level of skills. And then you're going, I, I don't understand this. And what good is it if you have that knowledge if you can't get it into the in the heads and understanding of the people that need it? So that's, that's my take on that.
Jerry Guy
I love it. Really quick. I do want to throw this. I wanted to wait until we got a little bit further into Jawjacking. If there's anyone in chat. Okay, this is a very specific ask if there's anyone in chat that is studying to become a pen tester. But they haven't actually done pen testing professionally before. But they have like Security+ or PenTest+ or they definitely have to have at least one cert and you would like. I'm doing like a little video series and I need that particular type of person who would like to be filmed and be part of a Simply Cyber video. So I'm looking for a pre g pen testing person. Just let me know in chat really quickly. Thank you. And I wanted to, you know, make sure it's a Simply Cyber community member. Let's see here. We had another question of. Here we go. DJ B Sec, Chris says I have a degree in cyber, but I feel I'm lacking the knowledge on the technical side. Did I just ask this one? No. Any recommend? Is this the one I just asked you, Daniel? No. Right?
DJ B Sec
No, it's not the same, but it follows the same concept. I mean like we always say, just because you go and get a degree, just because you go and get a certification doesn't necessarily mean you've ever put hands on keyboard and done it. And that, that falls back on the confidence. Like, hey, I'm confident enough. I can read a book and understand what the book is and I can take a test on it. That doesn't mean I know the ins and outs of what the, what the author was thinking when they wrote the book. And that's where you got to go. You now that you have passed the certification or you've done it, you need to do labs, you need to get some hands on experience. So you actually have that confidence and understand because if you, you go get hired to do a specific job of like pen testing and you've never done it before and they come to you and say, hey, here's your first pen test job. And then you're sitting over in the corner going oh crap, what do I do? So there's got to be along with the knowledge you actually have to have hands on keyboard and facilitate what, what's.
James McQuiggin
Being asked or that or they sit there and go, y'all don't have ChatGPT in here?
DJ B Sec
Yeah. Can I just hook quad up to this and scan? Yeah.
Jerry Guy
Let me grab my phone really quick and pop that into my AI app here.
DJ B Sec
See, I would say that we, we are becoming more. People are saying we're becoming dumber because we're relying on those things and we need.
Daniel Lowry
They did a study on the creativity of the human mind and how it has been diminished due to leaning too heavily on AI.
Jerry Guy
Yeah, that's so interesting. I feel like I'm more creative because of AI. I'm able to kind of like workshop ideas really, really fast.
James McQuiggin
But depends how you use it. I think you know how, how you use the tool depends on how what output you get from it.
DJ B Sec
That's like if you're taking a test and every, every question or if you're a brand new person in a job and everything that you do, you're asking a question to your the person next to you of how to do something and having them explain it every single time. You're not learning anything.
James McQuiggin
Right.
DJ B Sec
It's just copy and paste.
Jerry Guy
Yeah. 100%. Hey, really quickly on Jawjacking on Wednesday, Cyber Risk which asked she's, she's wanting to get better at consulting. She asked if there was any books. I did ask my friends who are partners at Deloitte, which is a big consulting firm, what they thought and he actually recommended a book series that I, I actually own. I didn't think about it but there's the Stargazer series. So this is Business Model Generation or the Strategyzer series. Cyber Risk rich right there. There's another one, Value Proposition Design, and there's one about testing business ideas. These books are incredibly practical and incredibly effective at helping you understand business and business processes. And it's very like it's cool looking right? It's like it's not boring dryness stuff. So check out those Strategyzer series and giddy up on that. So Daniel and we got one minute before James McQuiggin. So Daniel, speedrun this question. This guy, 30 years in the military or lady guy? Lady. They want to get into red teaming. OSCP. Hack The Box. Hack The Box Academy. Is that a good way to get into red teaming 30 yeah I like.
Daniel Lowry
I, I'd Hack The Box it honestly and then Zero-Point Security's CRTO program. That's probably where I I'd do a double whammy right there. Relatively inexpensive. Great way to get, get your feet wet. Especially when you're talking red teaming. Specifically, OSCP is more for, like, pen testing.
Jerry Guy
All right, there you go. Perfect. Really quick. Cyber research says. Do you have any tips, tricks, or starting a YouTube channel or creating content in general? Yes, absolutely. I actually have an entire course on it that I'm doing in January. Ask me about that at the next Jawjacking. Ladies and gentlemen, this is James McQuiggin at 35,000 ft. Interview with the Real Bilbo. Great community member. I wanna. I pinned it in chat, so we're gonna go ahead and raid that in just a second. But for the panel, I want to say thank you, Daniel Lowry. Thank you, DJ B Sec. Thank you, James McQuiggin. I hope you guys got incredible value from the Jawjacking stream today. I hope you get value from James McQuiggin's interview with Real Bilbo. Thank you to all of you. And on behalf of James, Daniel and DJ B, happy Thanksgiving. We'll see you guys on Monday. Well, have a happy weekend. We'll see you guys on Monday and we'll talk about it then. Till next time, stay secure.
Date: November 21, 2025
Host: Jerry Guy (Dr. Gerald Auger, Simply Cyber Media Group)
Panelists (Jawjacking): Daniel Lowry, DJ B Sec, James McQuiggin
Main Theme:
A comprehensive, friendly, and insightful run-through of the day’s top eight cybersecurity news stories, peppered with expert commentary, practical advice, career insights, and live community Q&A—all to help cybersecurity professionals and aspirants “crush their job today and level up tomorrow.”
Sternus Android Trojan [12:01–18:36]
What’s happening:
Sternus is a new Android malware capable of capturing encrypted messaging chats by taking screen grabs after decryption and staging credential-stealing overlay attacks on banking apps.
Targets: financial institutions in Southern and Central Europe.
Notable Insights:
“We come up with secure messaging, they come up with screen captures and key, you know, thumb, thumb keyloggers, right? It’s cool. It keeps us on our toes. Dude, I would be so bored if everything was just stagnant...so anyways, be aware, educate your end users.” —Jerry Guy [16:16]
Actionable Advice:
PowerSchool Data Leak & Blame [18:36–27:17]
What’s happening:
Canadian provincial commissioners faulted school systems for not contracting for proper privacy/security and not ensuring incident response planning. The breaches resulted from a 19-year-old’s hack aiming for a $2.9M ransom.
Host’s Take:
“...to put this on the school systems is idiotic. [...] Public school systems are grossly underfunded. [...] And then the school systems didn’t have incident response, bruh. How about you fund their incident response program? There’s a concept.” —Jerry Guy [21:47]
On the Hacker:
SEC Cybersecurity Bill / FISMA Commentary [27:17–33:58]
What’s happening:
The SEC Data Protection Act aims to enforce better, uniform data handling/cybersecurity standards at the SEC.
Host’s Critique:
“This is a nothing burger for you… There's nothing here that is going to help you at work today, tomorrow, next week, next month, next year, nothing.” —Jerry Guy [30:20]
CISA Fortinet Patch Mandate [33:58–37:58]
What’s happening:
CISA orders federal agencies to patch a critical authentication vulnerability (CVE) in Fortinet’s FortiWeb WAF, already exploited in the wild.
Analysis:
AI/LLM Evasion Attack Guidance (Germany) [43:55–44:57]
What’s happening:
Germany’s BSI guidance for organizations using LLMs (e.g., OpenAI’s GPT) to secure against evasion attacks (prompt injection, data poisoning).
Host’s Guidance:
“If you're responsible for governance...there isn't a perfect solution right now...but putting pieces together, it does help.” —Jerry Guy [45:11]
ASUS DSL Routers Auth Bypass Flaw [46:55–51:21] | D-Link DIR-878 Remote Code Execution Flaws [55:26–56:13]
ASUS: Auth bypass flaw (CVSS 9.3) on DSL routers—remote attackers can access devices unauthenticated.
D-Link: Three RCE flaws in end-of-life DIR-878 routers—no patches coming.
Core Insight:
Residential/low-end commercial network hardware is “notoriously on fire”—ASUS, D-Link, Fortinet, TP-Link, etc.
“For this particular vulnerability...a strong password is not going to save you. If anything, it’s going to give you a false sense of security.” —Jerry Guy [48:26]
Actionable:
Memorable Analogy:
“Your wireless router is absolutely secured...then it’s like five feet to the right you can just walk past it.” ([48:18], referencing bypassing security gates)
Palo Alto GlobalProtect Malicious Activity [51:26–55:26]
What’s happening:
Explosive uptick (40x) of scans for Palo Alto’s GlobalProtect login page by sources in Germany and Canada. Historically, such activity often precedes CVE disclosure/exploitation.
Host’s Nuanced Advice:
“Jawjacking” – Panel Q&A [60:00–89:02; main answers excerpted below]
“This is like my son giving me 10 minutes to make a choice…like, what authority do you have dude?...so again, the problem is you have to empower the agency with authority and then have repercussions if they don't do what they're being told.” —Jerry Guy (patch deadlines) [34:39]
“This right here passes a compliance audit. This is a visual representation of why compliance is not equal to security.” [50:54, on “gates” without fences]
“Do I always feel competent? No. Imposter syndrome is very real in this industry...” —James McQuiggin [80:58]
“That's why networking is so important...Get people that know stuff you don't know, so you can reach out and find out.” —DJ B Sec [80:06]
| Segment | Timestamps |
|:----------------------------------------------|:--------------|
| Sternus Android Trojan | 12:01–18:36 |
| PowerSchool Data Leak & Blame | 18:36–27:17 |
| SEC Cybersecurity Bill / FISMA Commentary | 27:17–33:58 |
| CISA Fortinet Patch Mandate | 33:58–37:58 |
| AI/LLM Evasion Attack Guidance (Germany) | 43:55–44:57 |
| ASUS DSL Routers Auth Bypass Flaw | 46:55–51:21 |
| Palo Alto GlobalProtect Malicious Activity | 51:26–55:26 |
| D-Link DIR-878 Remote Code Execution Flaws | 55:26–56:13 |
| “Jawjacking” – Panel Q&A | 60:00–89:02 |
This episode is an energetic, advice-rich start to the day for cybersecurity professionals and enthusiasts wanting a strong blend of news, analysis, and career wisdom—in a community that truly welcomes you to “the party.”