A
So Rich wanted us to cover a story called "I could have Rickrolled the entire FIFA Cup. All I needed was in my ID."
B
Hector Monsegur was responsible for some of
A
the most notorious hacks ever committed.
B
FBI Special Agent Chris Tarbell. Hackers and FBI informants participated in some
A
of the world's most infamous hacks that
B
caused up to $50 million in damages.
A
A life in the shadows.
B
Cyber attacks on the rise.
A
Welcome to Hacker and the Fed episode 137 for the free show. Heck, we're doing the free show now. I'm Chris Tarbell, former FBI special agent working my entire career in cybersecurity, and I'm joined as always by my buddy, my bestie, Hector Monsegur.
B
Hey bud, my buddy, my buddy, my buddy.
A
And me. Yep, Hector's a former black hat hacker who once faced 125 years in prison for his many years of hacking under the code name Sabu. Our stories collided in 2011, in fact in June of 2011, when I arrested him and then convinced him to work with me at the FBI. Hector's now a red teamer, researcher, cyber security expert, one hell of a guy and co-founder of Safe Hill.
B
All right.
A
Hey bud.
B
What's going on brother man?
A
Doing all right?
B
Yeah, yeah, no, listen, I'm here, I'm chilling, I'm cruising, I'm riding the wave, brother man. I'm riding the wave. I'm still happy the Knicks won and it's been a non stop celebration.
A
I don't want to age this podcast because I'm gonna pull back the curtain a little bit that we are recording way, way early. We're recording Friday before the Thursday the show comes out because we got some travel. I'm going down to Orlando for the weekend and then Hector is going to join Monday. You can't find us. I'm not doxing you because we will be long home by the time this episode comes out but we will not have time to record it. So I'm sure we had a great event. We're doing a speaking engagement down in Orlando at a nice pool and I decided to go a little bit early and enjoy the pool and get some sun. Sure. Just enjoy the long weekend. My Juneteenth weekend.
B
Yeah, shout out to Juneteenth and, and all that good stuff. I'm looking forward to Orlando. I'm looking forward to hanging out with you and the fam, you know, always, always fun part for me.
A
Yeah, it'd be nice. So I have to announce that I, I did a podcast recently called First on Fraud. So if you guys want to hear me over there, check out their podcast, First on Fraud. I think I'm on two different episodes. I think they're going to split it up. They had such a. We had such a good time doing the whole thing. So they are. Their main audience is real estate agents covering fraud in the mortgage industry, the whole real estate industry. But they were fun. A lot of fun to. To do with and. And have fun. And, you know, the. It was a guy and a girl. The girl's kind of cute. I wouldn't mind. Yeah, you know me.
B
So at least they say the guy was cute. Was he cute or no.
A
And he had a bunch of technical issues. He couldn't get his shit to work. At one point, he popped out. We had to cancel one. At one time we tried recording because he couldn't get his shit to work, man. Doing podcasts on corporate laptops. Not a good idea.
B
No, definitely not a good idea. It's not like the guy's a little bit fugazi, you know, sort himself out.
A
No, he was a nice guy, but it was nice. He left me alone with his lady. So.
B
Hey, that works out.
A
Hey, hey, now.
B
Hey, Shout out to Howard Stern.
A
So, yeah.
B
Oh, man. Well, yeah, listen, you know, we are in a weird place right now. In a good place.
A
Oh, my, oh, my, oh, my.
B
Those were the days, dude. I grew up on that. That was the best.
A
I can't listen anymore. But I, you know. Oh, my. Beetlejuice.
B
Yeah. Who, me? You know who.
A
Me?
B
Yeah.
A
I love that guy.
B
I know. But, yeah, everything's. Everything's in a good place. You know, it could be worse. You have all the usual cyber stuff, the AI stuff. You know, even today I had a meeting with. With a company that they're leveraging AI up to a certain degree. And it left me in it. It left me with like, you know, or it led me into a conversation with my colleagues on the state of, like, cybersecurity and investment. The investment space, what people are looking for in brand new cybersecurity startups. And, you know, some of the takeaways for me, Chris, is, you know, is the company involved in AI? Yes. If yes, then what are they doing with AI? Are they wrapping certain things over to Claude or Anthropic, OpenAI? Or are they running their own local models? And if so, right? So this now it's like a. Like a tree of yes and no's and where does it go? And the truth of the matter is, brother, after all the people I've spoken to and all the different technologies that I've seen, it just feels like it goes around in one big circle. It always leads back to the same
A
problems, which is big old circle jerk.
B
Big old circle jerk. Which is what is risk, right? How can you define and understand risk? Where do you go once you identify risk? What is the next steps to dealing with risk? And how you reduce the. How do you do. How do you reduce the friction on dealing with risk? And this is something. When this is as simple as simply as you can, you could kind of break it down, right? What is. Or what are some things that you can do that would deal with and. Or improve risk or eliminate risk in anything? Not only cyber. It's driving, seat belt. You know, making sure your brakes are good. Making sure your tires are good.
A
Wearing a condom.
B
What about. Yeah, relations. Yeah. Get yourself a nice condom. Make sure that you test it. Make sure it's not broken. It's not. Doesn't have a rip in it.
A
Unroll a condom into your ass, just in case.
B
Be preemptive. That's what Chris is talking about, you know, preemptive risk alignment.
A
Well, I know what you always say, you know, protect your attack surface.
B
That's exactly right. Well, you have to understand the attack surface to protect it, right?
A
Oh, I understand it.
B
Well, I'll leave it at that. The point is, as you kind of start thinking about this stuff, you start to philosophize. It's not only cyber is everything. National security, how to fly safely, how to drive safely, how to get your kids to school safely. You know, understanding risk and all that. And that's the core theme, the thesis, rather the theme, on everything that's happening right now. All the political stuff, everything in sports, everything in life, you know, it's cool. It's cool to think about.
A
Yeah, it's fun. I gotta give a shout out to my friend Allison. She's having a rough day yesterday. Yeah, she. The whole laundry list. Her kid just had surgery on her foot, and then her kid was up all night, and then she came down and her bunny rabbit, her foot was hanging off. The bunny. Roger. The rabbit the foot was hanging off. So I had to have the bunny rabbit's leg amputated.
B
No.
A
Oh, It's a whole laundry list of shit she had to go through. So. Rough day. So I give her. She's one of the mean girls. So. So hopefully today is a better day than yesterday for her.
B
So that's. That's a way. That's the way to start the day, bro.
A
I know, I know.
B
So bad.
A
Yeah, like the bunny, bunny rabbit just hopping around with a dangly foot. But.
B
Oh, Jesus. Poor, poor guy.
A
Yeah. You feel bad then, you know, can you imagine waking up and you're missing a limb?
B
I mean, you know, now, now I have a fear that it's. It's unlocked. I'm gonna go to bed tomorrow. I'll be like, oh my God, I'm gonna wake up my legs tomorrow. I don't know.
A
Do you want me to honestly tell you one of my biggest fears?
B
Yeah, please do it.
A
I've been freaking out lately, so. You know how I have a sauna and it's like, it's all wood, it's made of cedar and it's got, it's, it's a, it's a. Made for six people, so it's like, it's circular. And there's two benches around there. So most people like sit on the benches. Well, it's just me and the old lady, so we, we, we lay on the benches. It's easier. I fear that someone's going to come up with a screw gun and just. Screw gun the door shut and I'm trapped inside and then I can't get the. I can't get the heat off. I just die by being cooked inside. Like slow roasted.
B
Yeah. You'll be dehydrated. By the time they find you. You're going to be like, like, you know, old grapes. Yeah.
A
Oh my God. Trust me, that is not. I don't want to go out slow. When I finally go. I do not want to go slow, I'll tell you that. I want to like not see the bus coming and just, boom, done.
B
Well, have you considered you know, making like. So I'm assuming the, the sauna is on the outside of your home, correct?
A
Yes.
B
So have you considered doing a little bit of construction where the door is actually coming through your house rather than from the outside?
A
I wouldn't want it. I wouldn't want to introduce that, that sort of. I wouldn't want to penetrate the house.
B
Sure.
A
Just for that.
B
Yeah, well, yeah, you gotta be careful what you penetrate for sure.
A
You definitely do. That's why I've got the preemptive condom unrolled at all times.
B
Yeah, no, see, that is a concern. You know what's crazy? I think, I believe I saw like an old mafia movie or something where that happened.
A
I think it's in the Sopranos or in a mafia movie where that's how they killed the guy.
B
Yeah, exactly.
A
Yeah. Trust me, it freaks me Out.
B
All right, well, listen, this is why I have. So I have. I have a billion dollar idea.
A
Oh, are we gonna just put it out there on the free show or this for the Patreon?
B
Let's say. You know what? Let's say for the Patreon, I do have a billion dollar idea first.
A
All right, all right.
B
But for everybody. Everybody can participate.
A
Well, if you pay for the Patreon, you can participate. That's it.
B
There you go. There you go.
A
All right. Yeah, guys, thanks for supporting us on the Patreon. Thanks for supporting us with merch. You want to get into the show now? We did all our shout outs was good. You almost dropped a big load of whatever down the front of you just there.
B
I know, I know. It was so close.
A
I'd like to know if people can realize I had a beer during the warmup part of this show. I don't normally drink beer during the show, but, man, nice Friday afternoon. I just finished mowing the lawn. Nice cold beer afterwards. It's delicious.
B
Yeah, yeah, yeah. Well, have you been before we get into the stories, right?
A
Yeah.
B
Have you been seeing the responses of the Europeans visiting the United States lately?
A
Apparently they're pummeling things like. Apparently all the Scottish out-drank, like, Boston dry last night.
B
Yeah, they, they, they out. They out drank Boston this whole week. And to the point of like, you know, Boston's like, they're gonna have to import liquor and beer from. From other states. That's one. But I've been watching the videos. Chris, watch the videos. They're actually fantastic. I saw a German guy going to, like, Costco or something. He was like, losing his mind. What the hell is this? There was a. A video of like, like some, some. Some girls, I don't know from where? London or Sweden or something. And they were like, they went to a Walmart. They went to one of those big Walmart super centers and they was losing their. And you got to see people. You got to watch the videos of the people eating, like, chick fil A. Like, oh, my God, this is a proper chicken sandwich.
A
Yeah, no, I've watched it. Like, I like watching, like, foreign people eat Texas barbecue for the first time. Sure.
B
Yeah.
A
You know, and they're like, what is this? I don't even. My tongue doesn't even know what to do. So those are good videos.
B
Well, I'm glad they're getting to experience that because, you know, America's beautiful. It does have a lot to offer. You know, it's not a. It's not the dystopian BS that you see in the news. You know that's true. So I'm happy to hear that folks are coming here and enjoying it and maybe some of them will stay. That's nice.
A
So heck, a defense contractor was fined $500,000 and it claimed it had a perfect cybersecurity score and then failed the government review. So Log Zone, which. Man, that sounds like a funny name. Log Zone is a Huntsville, Alabama based disabled-veteran-owned defense contractor providing logistics, medical support, training and operations and maintenance services to the US Navy. They've agreed to pay $507,144 under the False Claims Act. From May 2021 through March 2025, the company allegedly submitted false claims for payment on two Naval Oceanographic Command contracts while failing to implement required NIST cyber certification controls on systems handling covered defense information, despite self-reporting a perfect score of 110 in October of 2021. A February 2024 DoD assessment revealed a score of negative 170, near the bottom of the -203 to 110 range, indicating significant non-compliance that can enable the exploitation or exfiltration of sensitive defense data. So the DOJ announced the settlement on June 18, 2026, and the company received approximately $682,193 in payments under the contracts through March 8th of 2025. And the settlement includes $253,572 in restitution. So they brought in 682 and they're fined 507. Still made a little bit of money with lying.
B
These guys are insider threats to national security. But you know what else they are? They're the tip of the iceberg. Yeah, that's what they are. These guys are the tip of the iceberg. They're one of the smaller ones. That's why they got hit, that's why they got fined. Chris, you know this. If it was one of the big boys, it'd be a different conversation.
A
Why do you think? Because either because the Navy couldn't do an assessment on one of the big boys like they had the qualification, or we're too reliant on some of these contractors and the Navy couldn't dig them like that.
B
We're too reliant on some of these big companies. I'm not going to mention them because I'm not trying to, I'm not trying to get whacked. But the reality is is that they might, you know, let's say one of those be big federal contractors. And you know how I feel about federal contractors, Chris? I've kind of been a proponent for a long time. Some of these guys might, you know, be really good at X, Y and Z, but maybe they lack a credential for this or maybe they'll fill that. And it's very easy for them to kind of skirt around that. Right. A small company like this, not so much 600,000 in contracts tomorrow. But you know, that's nothing. That's. They're literally at the bottom on the federal contractor totem pole. And this is why they probably got hit and they got discovered. And to have a minus 70, that's like you have nothing. That's like you have a router.
A
It's a minus 170. 170.
B
Minus 170. It's like you have no controls. That's what that is. It's like a vanilla network. You know, you have got a community
A
terminal out in the parking lot, let people pull up and access it.
B
Yeah, yeah, exactly.
A
Right.
B
You have an office. You have an office and you have a network, a corporate network. But like you offer free Wi Fi to your neighborhood. That's what that is.
A
Password123.
B
Yeah, yeah, yeah, exactly. But they're insider threats and they're the tip of the iceberg. So I would expect more of these kind of stories assuming they get published, assuming it doesn't go underneath the radar or goes to court or there's some seal that happens. But it actually pisses me off. Right.
A
I'm not 100%. 100% on the self-reporting, you know, these scores of perfect. And to score yourself a perfect. What the hell's that?
B
What are you thinking? Right? What are you thinking?
A
Yeah. Do you think, you think this is coming from Uncle Pete? Where, where's this coming from?
B
Well, Uncle Pete did start to shout out to him, you know, I know people don't like him, but the dude did enforce. You have to reach a certain threshold. And by the way, this case is from 2024. So it wasn't Uncle Pete, but maybe the, the consequences could have.
A
Right, yeah. Well, the reason that we're talking about it now is the settlement was just reached on June 18th.
B
Yeah.
A
So. So yes, it was started the actions, but this is always negotiated down to what's the penalty going to be.
B
Sure, sure. But you know, I, I'm happy for this and I hope that company, I wish them the best of luck and I hope that they're able to kind of figure out what they're going to do moving forward, assuming they survive this. But there has to be scrutiny for sure. Even us with Safe Hill. If Safe Hill starts working with the federal government, we should be scrutinized. You should be able to look at our security and then come up with some sort of metric and then we're gonna put in the work for auditing and work with third parties. But we can't have this no more. And this is something that's been going on for 20 plus odd years. Right. Tough story.
A
But let me ask you, do you think the penalty should be higher? I mean they, again, they brought in 600 and some odd thousand, 682,000 and they're paying out 507. So yes, it hurts that they have to give up half a million dollars, but does it hurt so bad that the next guy is not going to do it? I mean, some of it has to
B
be that it's not a deterrence.
A
Yeah, right.
B
Because they're, they're, they're having to give back less than what they earned.
A
Well, they didn't really earn it.
B
Yeah, yeah, you're right. So, so shout out to the False Claims Act. The only difference is you're right. The accountability probably has to need to be bigger so that it acts as deterrence. Otherwise. Otherwise anybody listening to this right now could start a new business, go through accreditation, go through all these different processes, get themselves a little federal contracts and do the same thing, not care about the security.
A
That's the whole thing where like punitive damages came in. I mean was, you know, they, there was a car company, I won't mention by proper noun, but you know, it was cheaper for them to pay out death settlements than it was to fix all the cars. And so that, that's when the government's like, well no, fuck that, you're, it's going to hurt. If you're going to let people die, we're going to, we're going to hurt you. Thanks, but yeah, but it sounds like in this case not so much. Again, I don't know all the details. They're certainly not public.
B
And this is the thing that for the audience to know, like, you know, we're going off of what we have. We don't have all the details. I'm sure there's some intricate backend stuff that's, that's not being reported. But you know, just going based off of like what we know, I would say my assessment here is that, you know, listen, the company was doing some work and they didn't make any investments into cyber security program. It was confirmed and validated by, by the by the Navy. And this is. This is where we're at now. What does that mean for future companies that want to kind of start in their path and start a business and be. I want you guys to start businesses. I want you to get older, you guys start businesses. But you have to do things right. You have to have a solid foundation in networking and your structure and your security logging, you know, resilience that costs money. You can't cut corners because this is the consequence.
A
And don't give yourself a perfect score. Geez Louise.
B
Yeah, don't make it obvious. Like, God damn, don't make it that obvious.
A
I think those are the people they're going to audit first. Oh, perfect score. Let's see that. I'd like to see that. Facts, big dummies. All right, so Germany would rather accept weaker cloud services than depend on US Providers.
B
Hey, we've been talking about this Bitkom
A
survey, a German digital industry association, of 603 companies revealed that 85% believe Germany is overly dependent on US cloud providers, up from 78% last year. And 37% are willing to accept fewer features and higher costs for domestic-only data processing and storage. The gap between the preference and the reality is 71% currently use US cloud, but only 8% prefer it. A 91% preference for German providers only sees 53% usage. This is driven by geopolitical risk, potential US access restrictions, and recent AI export control discussions. So we're seeing the Europeans sort of pulling away from our infrastructure. I mean, we sort of see it in the law enforcement world for a few years now, but now we're actually seeing companies doing it.
B
We've been talking about it, right? We've been talking about it since literally the beginning of the year when, you know, the CVE system went down or was about to go down, you know, when we start to see certain. Certain, you know, technologies being embargoed. A good example now is. Is Mythos and Fable from Anthropic. Now there's export control. And this applies even to our allies in the Five Eyes. You know, here in the United States, we have a tendency, somehow, I don't know why, where did this come from? But we have a tendency now to shoot ourselves in the foot. It's very recent. It's a very new thing. We're very extreme about it. This is a consequence of that, Chris, when you have our allies saying, you know what? I'd rather pay for more shitty service than use AWS, Google Cloud, or Azure, I'm cool. Yeah, you know what? Let's build up our own. We saw last week France, you know, saying, hey, yeah, you know what, we don't want a Microsoft Windows operating system. We would rather just build a French Linux version. Right. Before that it was we don't want to use Word or we don't want to use, you know, Outlook anymore. Right. Our allies are running for the hills. They're getting away from our technology because our technology, as good as it is, doesn't align with their sovereignty. That's the reality, Chris. Yeah.
A
So I mean, we've talked about ourselves, I mean when Trump was running for president and all that about like moving away from foreign technologies as far as like chip making and all that. So it's not one sided?
B
No, no, not at all.
A
I mean we saw a huge problem during COVID I remember the cost of vehicles went way up because we couldn't get chips.
B
Well, that's the problem, right. The problem there is that, you know, we also have to do the same thing. Right. And that what that does for the global economy, it's going to make things a little weird now, right? Because a big, you get, Chris, you remember this from an economical perspective. The real, the real push for a long time was globalization, right? Intertwining economies, local economies into, you know, the, the, you know, the global economy. And hey, China is going to make all the cheap stuff and the US Makes all the technology and then France will generate, you know, this, and the Germans will make all the manufacturing technology and we're all going to use it, right? And no, now it's like, well, I don't know if I want Chinese chips anymore and I don't know if I want American technology anymore. I think we can just do it ourselves here in the United States. What has burned us has been greed. We had Detroit. Detroit was our key point in manufacturing and mass production of vehicles and automotive parts. We could have easily adapted any of those warehouses and manufacturing plants for boards, PCB boards for generating computer parts, for creating ram. Maybe one of those warehouses, one of those factories could have been, you know, fabricated or enhanced to work on chips. But no, the corporations who were greedy stripped them all away and bankrupted Detroit, the city. And now what do you have? We have a country where we can't even develop chips en masse to satisfy our needs. At least in the case of like, let's say, missile production, we can't do that anymore. We're relying on China to help us produce missiles. Isn't that crazy?
A
Big time.
B
Big time, right.
A
But the problem we still have with this is, you know, so there's this CLOUD Act, which is, I guess, the Clarifying Lawful Overseas Use of Data Act, which was put into federal law in 2018, that it says, you know, that allows U.S. authorities with a warrant or subpoena to compel U.S. companies to turn over data regardless of where the data is physically stored. So it sets up this sort of, you know, this false sovereignty. So even if it's still a US company in a European data center, the US government can still subpoena and all that. So what are we going to do? Are we going to. Is Google going to sell off their European data centers? Are these big AWS going to sell off the data centers over there? Can they spin off a different company? And then it's not like I'm sure lawyers are going to get involved in somehow. Or does it have to be a wholly, you know, German-owned data center?
B
That's a great question. And I think honestly, what, what you just kind of put out there might be it. Maybe Amazon has to launch its own data center operations in Germany that follows and adheres to German laws and provides the same AWS interface it does for U.S. customers.
A
Yeah, but these companies are going to want to break up, break themselves up like this.
B
But that's, that's one problem. You know what the next problem is?
A
What's that?
B
Are Germans going to trust a German AWS? That's the question.
A
German Jeff Bezos no way.
B
No, no. And so the consequence of our obsession with isolationism, the concept of make America great again, whatever the fuck that means, has put us in a weird position where it has subverted our technical prowess and, you know, and, and our capabilities for the world and, and now it's creating these effects. Now it's starting these conversations. You know, I don't blame the Germans, I don't blame the French, I don't blame the Australians. I don't. You know the way we feel about chips, you and I, you and I know that if we want to be able to move forward, we have to modernize. We have to be able to create our own chips. You know that, correct? You agree with that, right?
A
Yeah, 100%.
B
The Germans are feeling the same way about their data.
A
Yeah.
B
So I respect it.
A
Yeah. I understand why they want to do it. I mean, it's not offensive to me. Now whether they can pull it off, I don't know.
B
Well, it's going to be very expensive, that's for sure.
A
Yeah, that is for sure. So heck, we need to follow up on a story that we had last week. So an open letter was written on the transparency of AI cyber protections. So the US Department of Commerce issued an export controls directive on June 12, which we talked about in the last episode, which was prompting Anthropic to suspend access to its Fable 5 and Mythos 5 large language models for foreign nationals, citing national security concerns over jailbreak-enabled code vulnerabilities discovered and exploited. And you, you explained it well on what the jailbreak was. So this also, this control also included non-US Anthropic employees. So even internal to the, to the company, you know, and I know this has been an issue, you know, for SpaceX, you know, and the Biden administration sued SpaceX for not hiring certain foreign nationals. But because of ITAR they couldn't. So, you know, until this, you know, export control was put on, Anthropic could hire anybody they wanted. So it sort of changes, you know, now we have all these foreign nationals that are part of our company, sort of change the rules halfway through the game. So, but this, this export control was triggered by Amazon cybersecurity researchers, which we, you know, thought was kind of weird because Amazon put 33 billion into Anthropic and then ratted them out to the government, identified a prompt technique that allowed Fable 5 to review insecure code and then generate patches and create test scripts. So the cyber security community responded and wrote an open letter on freefable.org and it was signed by over a hundred executives and technical leaders arguing that the restrictions harmed U.S. defenders while adversaries access equivalent models. You got into this, of course, brother.
B
You know me, I'm in there, I'm in there like swimwear. I'm always for these open letters. I think they're fun, you know, whether they're effective or not is whatever, right? But a shout out to these researchers that acknowledge that, you know, there is a problem here and the, the concept of placing export controls on models that, you know, can help defenders. It just doesn't make any sense. There's no way, no way to prevent a jailbreak, a quote unquote jailbreak, on any model today. Maybe tomorrow, maybe next year, maybe the harness changes. Maybe there's a new way to, like, you know, you know, create little jails for these models where they can't go beyond the scope. Maybe, but this is an engineering problem, an engineering problem that even those that are dropping at OpenAI and Google and Microsoft, Nvidia have not sorted out, Chris.
A
Yeah, I mean it's rules put in place by People that don't understand what the hell they're talking about.
B
They don't fucking know. They have no idea. Because if they knew or if they were fair, then there would be export controls on all of the models. That's, that's, that's, that would be fair. This is not fair. The thing with Amazon, the Amazon researchers, that's weird, honestly. And in my personal opinion, me as a business owner, what I'm probably gonna do is probably take my resources away from Amazon at some point in the near future. That's probably what I'm gonna do, right? And I could, I could use, I could set up my own rack somewhere and offer the same, similar services, maybe at an initial, bigger investment. But in the long run, I'll probably save money. But there's a lot of weird behavior like that in the industry because technically Amazon has their own model. It could be export controlled as well. And it would be funny if the Anthropic researchers jailbreak it and report it to the Department of Commerce. Then what?
A
You know, well, it'd be even funnier if they jailbroke it and said, oh, wait, no, their shit's good. They can't do any of this fucking code review. Their shit sucks at it.
B
This shit sucks at it. Facts, facts.
A
That would be funny. That'd be funny to troll them. Oh, well, we tried to do this, but their shit not, not good.
B
It's trash. It doesn't work. You know, Fugazi. It's fugazi. But here's one last thing I'll tell you on this, right? It's a hell of a story. It's historical, Chris. This is very historical. You're gonna, you're gonna hear about this 20, 25 years from now. You know, it's gonna be in a history book somewhere. We called it the crypto wars of the 1990s. This is going to be probably the AI wars or something. It's going to be something goofy, right? Who knows what they're going to call it, but.
A
Well, maybe not. I mean, if Trump turns it around and gets rid of this export control this week, I mean, this, I mean, by the time this podcast comes out, it may be gone already, and then people aren't even going to remember it.
B
I did see the interview he did today about this.
A
What'd he say?
B
He was like, I hung out with the Anthropic people. I met with the CEO yesterday. He seems like a nice guy. That's usually an indicator. He's gonna, you know what I mean? He's a nice guy, you know. And you know he, he, he said that Anthropic got ratted out. He's like, yeah, you know, one of their partners called us about it, Amazon. So like I think Trump's gonna turn around this week probably. So maybe by the time the audience hears this it's like either being lifted or is about to be lifted.
A
Yeah, but hopefully, hopefully. Because again I agree with you that this is not just pinpointed down on Anthropic. This should be across the board if we're going to do it. But again, I don't think we should do it.
B
Crazy times bro.
A
Or just times.
B
Just crazy or times. Yeah, my bad.
A
All right guys, you guys want to reach out to us? questions@hackerandthefed.com. Normally when I say that it's the end of the show, but heck, surprise, surprise, it's not.
B
Oh, what do we got?
A
Hi Chris and Hector. I'm a longtime listener. I really enjoy your weekly podcast and the sprinkle of humor. Humor, sprinkle. I put humor throughout this whole fucking thing. You motherfucker. You bring into every episode. It helps lighten the mood in these strange times. I have a question that I've been working, I've been wondering about for quite some time. In many of these mid-sized companies' breaches and ransomware attacks, how do attackers gain initial access? It seems like the company websites are unlikely to be the main attack surface, especially since so many are now cloud based and presumably not directly connected to internal systems, knowledge bases or production infrastructure. So how do threat actors actually get into companies' internal environment if not through their public web presence? Thanks and keep up the amazing work. Best regards, Car Carsten in from, from Germany. Well Carsten, all your Amazon shit is about to be taken over. We already covered that. So heck, how do adversaries get in if it's not through the website? Now if you can do this, can you kind of do it historically? Like back in the day when we first started it was this way. Now it turned into this and it's going this way.
B
No, I love that. You know I'm a historical guy, right?
A
I know, I, I love hearing the history of hacking from you.
B
So back in the days during the 1990s when the WWW, the World Wide Web, became a real big thing. And this is right after people were stepping away from the Gopher protocol. So before WWW you had Gopher, which is plain text. It would be a wall of text you would see on your browser, your Netscape browser, Netscape Navigator. That's the browser people used to use back then, and Mosaic was another one, it's a really good one. But web applications or websites became a thing and they also became dynamic. Meaning that using CGI, Common Gateway, Gateway Interface, you could have it do dynamic things when people went to your website. Counters, that's one of the first things, accept commentary, et cetera, et cetera. And the problem with that, my friend, is that back in those days, not to sound old, but it is old. If you saw a website hosted anywhere, more than likely it was hosted on the same network as your internal network, your corporate network. Setting up a data center, setting up a server, a virtual machine, you know, all of that was unlikely back then. This is why it was very important for us to get the protections against SYN cookies and NAT, network address translation, by the late 90s, because that changed the entire game. So back, I'm going to tell you right now, so before we move forward, before NAT, before NAT, it was, you found a website, more than likely it was connected to the corporate network. You could just hack into that site and you get access to like a corporate headquarters or something.
A
Because that had a static IP address. Like.
B
Yeah, it had, it had one IP address that went to a web server that was hosting some guy's office next to the, next to the, the CEO's, you know, bathroom. Right. That's how it was back then.
A
Yeah.
B
But then people realized, hey, this is not working. But that wasn't a concern. And that was not the reason why NAT became a thing. The reason why NAT became a thing and it changed everything for everybody is because somebody came up with the theory that we would run out of IPv4 IP addresses. Remember this, Chris?
A
Oh, dude, they were pushing IPv6 for so long. I keep waiting for them to. They're not going to take off?
B
No, not at all. Because of NAT. NAT changed that. If NAT didn't become a thing, I'll give you guys kind of a break on what it is. If NAT hadn't become a thing, then, yeah, we would have run out of
A
IPv4 IP addresses because, so, IP addresses are like phone numbers. So you run out of phone numbers. You can't add more phones.
B
No, definitely not. And then you would have to change the entire system to add another digit. And then it just complicates the entire system. Right. So then, you know, so now you move forward and now you have something called NAT. And basically the way NAT works, and I'm no expert, I'm sure someone can correct me. So essentially what it allowed folks to do is you can have an entire building full of computers with different IP addresses, internal IP addresses, that sits behind a firewall, and then that firewall would then translate the incoming and outgoing requests for egress or egress and egress and ingress.
A
Ingress and egress.
B
Ingress and egress. Yeah, I'm sorry, I had a brain fart.
A
That's all right.
B
And so the firewall would act as kind of like a monitor between both the source and destinations and kind of determine, hey, this internal IP with this internal port is going to this website destination at this port, and then it makes the connection. The beautiful consequence of that is now you could have one IP address sit in front of 10,000, 10 million IPs. It's computers, doesn't matter anymore. Now back then all you had to do is break into the website directly and you would get access to the goods. After that, what it means is you have to find a vulnerability or a way through the firewall to get behind it to see what you get. Right? So you could still break into that corporate network if you could find a vulnerability in that firewall. But then the rise of the cloud, right, the rise of the cloud and managed servers and virtual machines and VPSs, virtual private servers, changed the game. Because now you can host a website on a VPS in Deutschland, right? That's where Carsten lives at. And that VPS, you could hack into it, you could DDoS it, you could do whatever it is you need to do, and it's going to have zero effect on the internal network behind that website, that that website represents, right? So now let's go to the question, now you have some context, let's go to the question: how does an adversary today get access to that corporate network that's being represented by that website that we both know is not connected physically to, to the backend, that backend corporate network? There's a few ways. One, the adversary is going to look at social engineering as a massive vector. You know, SMS, emails, deepfake attacks are now a thing, ClickFix-style attacks, right? Those are all vectors that they're going to try to leverage over social media and email and text messages in the hopes that you click on the link, in the hopes that you provide credentials, or in the hopes of running a system that's so outdated that you have an exploit for it. That's one.
And then they'll get access to the endpoint or the workstation and then move laterally, assuming they're connected to the internal network. Number two, they'll do that, plus look at breach databases and info stealers to try to get credentials. If they get credentials or cookies, then they'll try to enumerate and discover whether the company has a VPN, some sort of login portal like Citrix or Cisco, and then gain access that way. Right. And then finally is through the developers. Now if I am the adversary trying to break into this really popular company, I need to then look at what the company is developing in terms of stack, full stack technologies that they're using. And then I'm going to try to infect the supply chain to eventually reach their developers. That's what the guys are doing literally today, right now. That's how they're getting into corporate networks. It's effective, it's scary and it works.
A
Yeah, I mean, there's a few others that you didn't really talk about, like social engineering, their way in or.
B
I did.
A
Oh, did you? Maybe I zoned out. What about physical access into the network?
B
You did. Zoned out. He was looking at your phone. Very disrespectful. But you know what? It's okay. Because I love you. I love you.
A
I was trying to look at some porn. I haven't seen porn in 30 minutes. Speaking of that, did you. Do you see Terry Crews come out with his addiction to porn?
B
I heard about that. But it was old though.
A
Yeah, somewhat. Yeah, because he did. But he was like looking at like 11 hours straight of porn. Can you imagine? I can't imagine.
B
I can't. I can't, bro. Maybe when I was a teenager, you know, your hormones are all over the place. No, I don't care, man. Listen, I'll hop on only fans for like 20 minutes. I'm done. I'm ready to go home.
A
You're looking at that much, you start to get into some freaky. Because you've already seen it all.
B
Yeah, yeah. You start analyzing and thinking like, wow, what if I. She poops on me? You know? Like, what does that happen? Like. Like. It's just. I don't know, man. I can't do it, bro. Shout out to him. I think he's trying to overcome it.
A
I hope you know he wasn't relevant for five minutes and he had to say something.
B
I don't know about that. I don't know about that. But here's what I'll tell you, bro. Then you have. Let's go back. Let's go back to the topic at hand. I don't know how we got into porn.
A
Sorry, sorry.
B
So the topic at hand, the last one is physical. Yes. Chris brought up a really good point. There's a physical component. There's a physical aspect to this, which is we saw recently in France, Chris, kidnappings that became a thing. So if you're in France, you're listening to this, be careful, be mindful of your, your surroundings. I'm not laughing. I'm just like amazed that we reached this point. Because now we're reverting, we're going back in time, you know what I mean? Back when organized crime were running the streets here in New York, for example. They'll just kidnap your ass to get the secret. They wouldn't, they wouldn't have to blow up into your, into your store at 3 in the morning. They'll just, they'll just get the code from you directly.
A
I mean, not just that. I mean, they'll do other things. Like they'll, they'll hire, they'll get somebody hired as a janitor to go in there at night and simply put a thumb drive in the back of your machine, you know, or hey, find out what make and model a keyboard they have and then have them bring in a keyboard and replace it. So when you turn your computer on in the morning, it's compromised. You know, all the, all the bad software is in the keyboard inside the machine. So, you know, physical access still is a thing.
B
Yeah, physical access is definitely a thing. Wireless networks, we do wireless pen tests for customers. In most cases it's pretty straightforward. But occasionally we'll run into like a, a guest network, Chris, that's fully open. You know, this like really badly misconfigured eight years ago, someone forgot to update it or change it or audit it. So yeah, there's a physical component to this, Carsten, that, you know, is a thing. Especially you. You guys are in Europe now. It's becoming way more physical. You gotta be very careful out there.
A
So heck, let's stay over in Europe. Cause Rich wrote in, love the show. Have a great weekend. I am currently busy tanning my balls in Sussex, UK. So now we're internationally tanning our balls. We're all doing it from the sun, the same sun. And all of our balls are getting, getting tanned. I see. Look at your face. Your face is all tanning right now. Just, just turn to your left right now, Hector, and get some tan on them balls. Yeah, no, I just get them on there.
B
Yeah.
A
So Rich wanted us to cover a story called I Could Have Rickrolled the Entire FIFA Cup. All I needed was in my ID. So apparently a researcher, security researcher named Bob the Hacker, registered on FIFA's public agent platform using a standard ID, gaining access to FIFA's standard Microsoft Entra, which is the Azure AD tenant. This granted tenant-wide authentication to internal platforms like the Football Data Platform and the Commentator Information System. So the client-side Angular checks enforced, quote, "no roles" access denial. But backend APIs had no server-side authentication, exposing live World Cup 2022 streaming management, match management, commentator tools and internal spreadsheets. This was discovered on June 15th. Heck, we're seeing this more and more. They're putting up these sites and giving people full access.
B
It's the wonder of vibe coding, brother.
A
You know, is that really all this boils down to, is vibe coding?
B
Well, this is a core problem. The core problem is API security. Right? Inside of API security then you have authorization issues, access control issues. These are all privileges that you and I have been talking about for at least four or five years. We've been talking about this forever. But now with vibe coding, you're able to put together this really fantastic application, mobile app, whatever. If you're not doing a pen test, you're not doing a security audit, you're not assessing, there's zero auditing. Then you end up with this. And it's been happening over and over and over. I'm sure you noticed something. I think we talked about it the last episode with Nava Disc. We talked about it, right?
A
Sure we did, yeah. That was a fresh story. We didn't have really a story, but it had just happened when we were doing it.
B
Well, we know more details and it aligns with pretty much what you and I discussed, which is they had an application and inside the application they had some API keys. Those API keys led back to GitHub, which allowed the adversary to extract all of the repositories and keys. It's the same shit, Chris. It's access and privilege controls.
A
In that case, would that have been caught by a Safe Hill pen test?
B
Absolutely. That would have been caught by Safe Hill, not only for that one, but for this one as well. Yeah.
A
So. All right, well, so all these people that are, how come FIFA didn't reach out to Safe Hill?
B
Well, because security is inconvenient and sometimes it takes an incident like this to bring about a third party vendor.
A
But you wouldn't, you wouldn't, Safe Hill wouldn't have shut this down. You would just fix it and make it not a vulnerability. Right. I mean you still, your main goal is still functionality.
B
Exactly.
A
You just want to do it in a safe way.
B
Yeah, no 1,000%. I mean, when it comes to us, we would identify, would validate. We prioritize and build out the information you need to go and hyper focus and hyper focus on it and fix it. That's not what I was referring to. What I was referring to is if the mobile app has already been created and then you have to go back in and fix something, that's where the time and money comes into play. And we see that from a lot of customers. They're like, hey, we have cyber insurance. One, two. You know, it's the mindset of what is it? Help me figure this out. It's break it first and apologize later. Right? Something like that. You know what I'm talking about?
A
I believe it's called fugazi. With what they call fugazi.
B
Fugazi. Whatever you are.
A
All right, friend. Fun show. Support Hacker and the Fed on Patreon. Guys, we're gonna bang out a Patreon episode. It'll probably be when we get back from Florida. So if you're listening to this, then we did this one first. I'll let you know. Merch is up, hackerandthefed.com. Maybe we have to put up a Hacker and the Fed fugazi shirt. See if that sells.
B
Yo, you know what, bro? I think that's the move. I think it is. It is.
A
I'm gonna get our T-shirt designer to put together something that says Hacker and the Fed. It's all fugazi. What do you want to do? It's all fugazi. The cyber's so fugazi.
B
I love it, bro. I'm with it.
A
All right. Five-star reviews, wherever you download and subscribe to Hacker and the Fed. Share us on social media. We're putting out stuff. I know. Alanis is putting out stuff every week. Our clips. One of us is bright, one of us is red. You guys gotta watch the clips to figure out which one is which. Tell your coworkers, tell your friends, tell your lovers, tell anybody. Hey, these two talk about cyber and they're funny about it. That's all. That's all we want. Just tell the world. That's it. They're a little bit fugazi.
B
A little bit.
A
All right.
B
I'm the fool and Chris is the gazy.
A
Looking forward to a big hug down in Florida.
B
Yes, sir.
A
Can't wait to see you. I'll see you down there.
B
All right, cheerio.
A
Love and respect. Cheers, brother.
B
Much love. Bye,
A
Sam.
Hosts: Chris Tarbell (A), Hector Monsegur (B)
This episode revolves around real-world cybersecurity blunders, including a startling vulnerability at FIFA that could have exposed core World Cup systems, the recurring failures of federal contractors to provide real security, Europe's push for digital sovereignty, and the problematic response in the US AI sector to export controls. Chris and Hector blend technical deep-dives, personal anecdotes, and trademark humor to break down the week’s biggest cyber headlines from the perspective of both a former FBI agent and a legendary ex-hacker.
| Segment | Topic | Timestamp |
|---|---|---|
| Pre-show & reflections on risk | Chris & Hector, audience shout-outs, risk as a theme | 00:36–07:04 |
| Defense contractor fake security incident | Log Zone, federal contractor issues | 11:53–19:11 |
| EU Digital Sovereignty push | Germany's cloud independence, US/EU tensions | 19:36–26:48 |
| AI export controls on Anthropic | Amazon's tip, industry backlash | 26:48–32:23 |
| Listener Q: Initial access techniques | Deep technical explanation, history, social aspects | 32:43–43:02 |
| FIFA breach breakdown | "Rickrolling" FIFA, API security failures | 43:26–46:08 |
For additional questions, comments, or merch: hackerandthefed.com and questions@hackerandthefed.com