A
AI assisted hacker breaches. 600 Fortinet firewalls in five weeks.
B
Hector Monsegur was responsible for some of
A
the most notorious hacks ever committed.
B
Special agent Chris Tarbell and FBI informants
A
participated in some of the world's most
B
infamous hacks that caused up to $50 million in damages. A life in the shadows Cyber attacks on the.
A
Welcome to Hacker and the Fed, free episode number 122. I'm Chris Tarbell, former FBI special agent, working my entire career in cyber security. And I'm joined as always by my friend and podcast co-host and my buddy Hector Monsegur.
B
Hi.
A
Hi Hector.
B
Hey, how you doing? How you doing over there?
A
Good. Doing all right?
B
I'm pretty good man. I'm just here, I, I had to,
A
I'm not done with the opening.
B
Oh, oh, my bad.
A
Hector's a former black hat hacker who once faced 125 years in prison for his many years of hacking under the codename Sabu. Our stories collide in June 2011 when I arrested him and then convinced him to work with me with the FBI. Hector is now a red teamer, researcher, cybersecurity expert and he's co-founder of Safeville. There he is. Hey, Hector Monsegur.
B
Can I speak now? Is this the right time? Is it the right queue?
A
It is half your show, so I guess now is the time to go.
B
How's it going buddy? How you doing over there?
A
Good. I'm excited. Well, I, I will, I, I don't want to bring down to the show, sure. But unfortunately this morning at the gym, I watched a man die. Oh. And so it was. I, I, I've seen people die before. When I was, when I was in law enforcement. I one time held a guy's head while, while he died. He had gotten, he was a. Drinking and driving and smacked a windshield without a second seatbelt.
B
Oh no.
A
And his half his brain was hanging out so I just held his head as he passed away. But man, it's, every time you see it, you, you don't want to see it. And then this guy was his, his daughter who was probably in her 20s or so, she was there and saw it and she was all upset and just never good to see that shit.
B
Yeah, man, it's, it's a tough one. I'm sorry, you know, I'm sorry for his family. I feel, I feel bad for them, you know, the daughter was there. At least he didn't go out alone, you know, he had you there, he had his daughter there. And I know it's difficult. I mean, I was there and had to deal with my friend Jason Tirado. He was murdered here in New York by an off duty police officer to make it worse. And yeah, it was me and my friend Frank. And we was trying to resuscitate him and gave him CPR and chest compressions and, you know, brother, man, that, I'm surprised by that.
A
I'm surprised. The guy who shot him, the, the officer, duty cop. What, didn't like make you get away from him, you know?
B
No, because he, he, he shot Jason, then he just drove off. He had a yellow Xterra, a Nissan Xterra. The theory is that he was, he was drinking, he was off duty, he was hanging for having fun at the club. It was fun.
A
Allegedly. He was allegedly drinking.
B
Yeah, he was allegedly drinking. You know, he came out the club and then he ran into my friend. I was literally two cars behind and they got into argument. Road rage, you know, nonsensical road rage. Homeboy pulled out the gun, shot my friend in the, in the lungs and heart, killed him. And then he drove off and then he turned himself in the next day, 24 hours later.
A
You know, the cop did.
B
The cop? The off duty cop. Yeah, yeah.
A
Dude, road rage is rough. There was one in Virginia just this week, a guy with a knife, like, started. He stabbed a woman to death. He stabbed a dog on, like, 495, a major road. Oh, no, they think it was like a road rage thing. And then he came, cops showed up and he's still coming after them with a knife. So they shot and killed him.
B
Yeah, it's not that serious, man.
A
Hacker in the Fed's taking a dark turn today.
B
Yeah, yeah, no, no, absolutely. This is Hacker and the Fed and sadness, you know, but no, it's just, it's just the way it is, man. Like even, even when you look at cyber, right, cyber, the industry itself, the whole cyber security industry and risk and all that stuff, right? You know, it's sometimes a downer for people. We've had, we've had that one lady that emailed us asking us for good stories. And we tried, right, we try always to come up with good cyber stories with positive endings. And it's extremely difficult because that's not what we're seeing on a day to day.
A
So, you know, I mean, unfortunately, security breaches, you know, which is sort of our forte, you know, there's not positive things about, you know, breaches. They. You don't hear the good stories when somebody stopped an attack.
B
Sure, yeah. Because when that happens, it's, it's, it's quieted down, you know, it's in the background and that person or company doesn't want that to be publicized. So. Yeah, we're not going to hear about those. Rarely.
A
We do, let's do, let's talk about something positive, though. How about things at Seville? I know things are going fantastic at Seville, so I just want to know. Yeah, man, bring this show. Turn it around. Something good.
B
Turn around. And every now and then, all right, we do a karaoke session.
A
Oh, I've got quite a few recordings of you singing that I keep just for whenever I need them.
B
Just save it for when I'm gone, bro. You could do like a, like a montage. Okay, so, sn. Fantastic. It's been a really cool learning experience now for, for the Patreon listeners out there, you guys know what I'm talking about.
A
Dude, we're on the free show.
B
No, I know that, but for, I'm saying for the, the Patreon listeners that are listening to the free show, you guys know that I've been talking about, especially over the last few weeks, this massive, like, research just boost that I've gotten. It's been really fun looking at, you know, how to leverage AI and how to train different models and how to leverage data sets, include data classification and categorization, all that cool stuff. It's really been fantastic for the rest of the audience. What that means is, you know, what it means for folks that are just curious about seal. A lot of that research is going back into the platform in the form of modules and components language. Chris, I've always pushed the idea, and you've heard me say this before. What if we take a vulnerability of finding of some sort, an issue, and then we attach it to a price, a number. This vulnerability equals this. And this is how it's worth that. If you fix it, you're going to potentially save X amount of money and the average price of a ransomware is this right? Y or Z. And so in talking with a lot of good friends of ours, it was, it was a deep dive for me to go into like cyber risk quantitatives or, or CRQs or whatever. And what's fascinating about that, Chris, is because I would say because of the research I'm doing, I've been able to put together some really cool language in our reporting moving forward. So it's been fun. The short answer has been fun. It's been really cool. A lot of great additions and yeah, that's kind of where we're at bro.
A
Right before we got on, I saw the beautiful Alanis on. She joined us for a few minutes and she's helping us put together our live show coming up. Just not too long. March 11th at 4:30pm. Will is sending out a link. You guys sign up for that. We're excited about that, for doing the live show. The last one was fantastic. So we're really going to push for that in the next few days. You guys might see emails, you'll see LinkedIn posts on where to sign up for that sort of stuff. Again, support the show. We are determined to keep the free show free and free of commercials. It's not just free of cost, but it's free of commercials. And the only way we do that is by you guys helping us out. Join the Patreon. I know that Will's throwing up another level on the Patreon that's going to start getting video. You can watch video of us recording.
B
Oh no.
A
I know, but, but Will. Will's excited about it so I'm going to push it. Also merch at hackerandthefed.com, guys. Get your Hacker and the Fed T-shirts and sweatshirts. That's been really successful so far. Lots of help. I wear one when I go to the gym. I had one on today. So yeah, really advertising that stuff when we get out there. So I like wearing one on a plane once in a while. You'll see somebody come. Oh, do you listen? I said, yeah, it's a hell of a podcast. You should listen to it. I don't tell them who I am, but maybe this new video part of Patreon Will will screw me over on that one.
B
She like, oh my God, he bamboozled me, you know.
A
Well, you know me, I'm a bamboozle. I'm a Shim Sham Bamboozle man.
B
That's right. That's right. The Shim Sham man. Good stuff, man.
A
Good. All right, you ready to start to get into the show a little?
B
It's about to get fun. It's a bunch of crazy stories today. So yeah, I'm excited.
A
A massive cyber disruption in Iran amid the U.S.-Israel strikes. So coordinated cyber operations targeting Iran's digital infrastructure early Saturday morning on March 1st coincided with U.S.-Israel military strikes on targets across Iran. Key incidents included hacking the Bad Saba religious calendar app. Hopefully I pronounced that right. It has over 5 million downloads, to push anti-regime messages urging armed forces to disarm and defect and calls to join the People's Liberation Forces. There's also defacements of multiple news websites displaying unauthorized messages and disruptions to government services and military targets and significant Internet connectivity drops and blackouts throughout this whole thing. What's your thoughts and feelings on this? Is this external? Is this internal? Is this us? Is this Israel? Is this a combination of everything?
B
It's a combination of everything, bro, because you have operators out of the U.S. that are either within the government or third party. You have operators in Israel that are either part of, you know, one of the units, Unit 8200 and whatever else. They have whatever other units dedicated to cyber, but they also have third parties inside of Israel. And then you have folks that are anti-Iranian regime, they're anti-Ayatollah, anti-theocracy. Right. There might be Muslims, they might be Saudis. So what you had is a coordinated effort by all sorts of people. I think honestly the, the religious calendar app, that was probably U.S.-Israel, that makes the most sense. And then some of the defacements even made for the news sites. Right. But everything else you're seeing, the DDoSes and stuff like that, that's, that's outsiders, you know.
A
Well, I'm going to go a little against what you just said. I don't think coordinated is the right word. Because if you're doing outsiders, they're obviously not part of knowing when the US now maybe they're opportunistic, they see the attack and they join in. But the problem with that is, let's say we have like the US we talked about this on shows a lot of times before. Maybe the US is trying to put out this message of, hey, if you guys want to, you know, overthrow the government, you know, this is what you should be doing. And then on top of it, some uncoordinated internal group is now DDoS in the site or taking down the Internet so that message can't get out. That's really, you know, cross contamination. Yeah, so, but, but I do think this is going to be the wave of new, new, new attacks. I think, you know, the media loves to be the first to announce. You know, we've been building up military assets in the area for weeks now. I think this is going to be the new scene. Like they used to sit outside military bases and see when the, know, the Stealth bombers left and that sort of thing. I think now the new thing is when you see cyber go offline, if you're seeing cyber stuff happening in a country that's being targeted, that is the tip off that, that that action is about to take place.
B
Yeah, well, you got to remember, we did a lot of this during, you know, when I was an adversary and was part of Anonymous, when we engaged, like Operation Egypt, OpEgypt, OpTunisia, etc. The crazy thing about that is that. Yeah, I'm sure there were agencies involved in that.
A
Right.
B
I mean, like I said, I always say this: Anonymous was compromised before I even walked in the door. But the crazy thing is when you have a ton of different people with a certain ideology or belief, you know, political or not, right, they want to focus and target a country, a government, you're going to see a whole bunch of different methodologies. I was really good at lateral movement and pivoting and breaking through systems, but there were guys that had massive DDoS nets, you know, that. That was in my space. But you had guys that participated, and then you had people that were really good, and had a good understanding of, like, BGP hijacking and routing and DNS cache poisoning and things like that. So when you have a movement like that, we have multiple groups targeting infrastructure in all different types of ways. Yeah, it's. It's. It's crazy as hell, and it's extremely disruptive, you know, after the fact.
A
Hold on, I want to unpack that a little bit. I don't know if we've ever openly talked about this. Sure. When you were doing these, these operations against foreign countries in, you know, we're part of Anonymous, you said that when you joined Anonymous that it was already infiltrated by whoever. Can I say, would you think, like, U.S. intelligence agencies?
B
Not only the U.S. You had Chinese in there. You had the U.S. You had Israeli. One of the biggest guys that infiltrated Anonymous was a guy that. He was Russian, Ukrainian. He was working with the FBI and then became a rogue. I think you might know who I'm talking about. He became a rogue, and then he started just engaging in operations on his own for his own purposes.
A
So did you find that those people would, like, push operations in a certain direction?
B
Absolutely. There was one incident with that guy I'm talking about, and I'm not even sure if he's alive or he's in prison, where he's at, but he was extremely connected, man. He provided me the source code for VMware. In return, he wanted me to attack Ukraine. And I was curious, you know, as to why, because the way he presented himself to me was he was part of a group called the Lords of Dharmaraja, which was an Indian activist group. And so I was like, why does a group of Indian, Indian hacktivists want me to target Ukraine? What Is that about, you know, and then I found out later, like he's Ukrainian, but he's Russia alliance, which I'm like, I was just so confused by it. But anyways, the point is, is that there's a lot of people like that that are really extremely well connected or they're connected to a Russian government or U.S. agency or something. I saw a lot of it, bro. And to this day it makes me scratch my head.
A
Now the next part of it, when you guys were doing an operation and whether it was, you know, you guys decision or you've been pushed or you know, sort of nudged in the, in the direction that this group wanted to go, let's say you got to a sticky point and you didn't have an expertise or you didn't have a certain way of doing it, or it's sort of halted. Would someone, would that skill set magically pop in?
B
Always, 1000%. I'll give you a good example. This is, this is the best example I can give you. So. And feel free to tell, to tell Will to, like, whatever, burn this out. Right. But like during the HBGary incident, that operation, right. Um, you know, I had compromised email, had compromised, you know, the, the website. I grabbed hashes, did all the heavy lifting and then we had, I don't know, 24 hours to move very quickly. And I wasn't well versed in Google Workspace enough to kind of automate the exfiltration of emails. Like there was. I was so busy doing 10 different things that I passed on that responsibility to one of the other teammates who happened to find.
A
I thought that was Kayla.
B
Which one was Kayla?
A
They did the email exfiltration. It wasn't. It was somebody else.
B
No, it was somebody else. So what happened was, is that I passed on that responsibility to somebody else. Yo, guys, I gotta focus on, you know, lateral movement. I gotta get root on these machines and I got root to the support system. But while I'm doing all that, Tflow found some random person that not only was able to exfiltrate the emails out of Google Workspace in, like, minutes, but they even put together, like, a searchable front end UI for it. Yeah. And ironically, it looks very similar to the WikiLeaks email search thing that came out much later. Right. So obviously this guy, this person must have been involved in WikiLeaks or a developer for WikiLeaks. And I'm just making an assumption. I have no idea.
A
Sure.
B
But yeah, every time we ran into like a blocker, there was somebody that knew how to do it. Yeah. Anonymous was compromised. And so you wish you had that
A
sort, those sort of resources today.
B
I do. I have my team, you know, my team. Yeah, we'll have.
A
But once in a while people have to teach themselves how to do something. All that. Not just, oh, I can do that. Oh, I can do that.
B
Yeah, yeah. No, no, it's especially for time sensitive projects, time sensitive operations, especially that one that I mentioned. But yeah, man, it was always weird to me how, how quickly we moved. And of course another thing is the media. So when we compromised PBS or whatever it was, right. That was a big story. Almost instantly all across the planet we had journalists writing stories on it. We did have like a media channel. And you know, now that I think about it, in hindsight, you had a lot of journalists in there waiting for stories and leads, you know, so we saw the propagation in real time. We could have released a fake story and all of these journalists would have propagated that fake story.
A
Could have. You did.
B
We did. With the whole Tupac B thing. Yeah, you're right. Yeah. But what I guess my point here is that when you have an incident like this, you have a massive situation, geopolitical. There are all sorts of people of all sorts of different interests with all sorts of different skill sets that will intervene and jump in. And we've seen that with this here, the calendar incident, you know, pushing out, like, the anti-regime messaging. Yeah, that's Israel. Israel is really good at stuff like that. But everything that came afterwards, all the recent attacks against Iran's infrastructure, all those massive DDoSes. Yeah, that's, that's third party. Those are, those are randoms.
A
So in this thing in Iran, we're not seeing any specific CVEs coming out of it. They're saying it was likely attacks based on weak authentication or unpatched web servers, insider threats, all of that, misconfigurations. Yeah, it seems like the Israelis have everything, everything, you know, infiltrated. Interesting to see some of the stuff, you know, lived on the Google Play ecosystem. Sure, you know, strange, but we'll see what's going on with that. So, yeah, we'll see how it keeps going. But I think this is the new part of war. We saw it in Venezuela, we're seeing it in Iran. I think it now just. It literally is the first wave of any attacks. Well, I'm not hearing as much about it out of Ukraine, Russia, are you? Or is that still as active as when the war first started?
B
It's even more active.
A
You know, is it, is it being reported?
B
It is being reported, but it's not being thrown down our fucking throats. Like, like it's been in the past. We've, I mean, I think yesterday alone or this morning, you know, Russia lost another 300 or 400 Shahed-style drones. Right. You know, it's, it's, it's difficult because the Ukrainians, man, they're, I got, I got to give them props. Like they're doing their best to kind of deal with that situation. They've gained back a lot of land too, over the last, like, three months. I'm not sure if you've been following that. They've been beating the Russians back. So there's been a lot of movement on that side. But kind of going back to the interview we did with Jeffrey Carr. Jeffrey Carr predicted this. He said, let's not call it cyber war until two things happen, where there's cyber incidents and it's kinetic and they're tied together. Right. And so listen, I know cyber war is, is, is defined differently by different people. Sure. But specific to Jeffrey Carr and his perspective and intelligence and all that. Yeah, he was spot on after Ukraine and Russia when we saw cyber and kinetic, and now we're seeing that here in Iran. This is interesting to see. It's interesting.
A
I think Venezuela too. I think we saw Venezuela as well. That's right.
B
That's right. Yeah. So fascinating stuff, scary stuff. As you know, Chris, I'm a humanist. I'm very much about humans. I want to protect our people. I don't care what color you are, I love you. So obviously I am sad when I see people, they're dying behind this shit, you know, I wish there was another way. You know, I wish, I wish the, I wish motherfuckers could put their egos to the side and talk, you know, it would have been great if we could put Trump. Trump is a great speaker. He could, he could, he's a great. You know, you could put Trump and Netanyahu and you could have put, I don't know about the Ayatollah, he was kind of a dickhead. But you take a leader, let's say the President of Iran, and then you put, where you put all these people in a room and a guy. You guys can't leave this room until you sort it out. I wish that was a thing, you know?
A
Yeah, yeah. Unfortunately, that's not the way the world works. And maybe one day, but I think that's a little naive to believe that it does work that way.
B
No, no, no. Yeah, I know it doesn't. Work that way. But I'm saying, Melee, it's. I wish it was better than, you know, people dying like this. This is not.
A
I agree. I 100% agree. As I get older and older, you start thinking, man, people. People's kids are dying over, you know, resources. A little bit of land here, a little bit of land there, and just. Or ego or whatever it may be, it's complete. Because I know if it was my kid, it would end my world.
B
Oh, yeah. Oh, absolutely. Same here, bro. And rest in peace and thanks to your service and sacrifices to the soldiers that we've lost. You know, we've. I think the last number I've heard is about six U.S. servicemen. I'm not sure that that's numbers updated, but. Yeah, man, it's. It's. It's terrible. And I feel for their families, you know.
A
Yeah. But I mean, this might sound weird coming from, you know, me, but both sides, I mean, there's a lot of people, you know, that, that, you know, we talked about it, but I know probably before the recording, but about like the, the school girls, you know, that, that, you know, I. I hate that shit.
B
Yeah.
A
All right, onto something more happy. Oh, wait, no, this is not happy. Sorry. Sorry, Tristan. This ain't happy.
B
Happy.
A
In cyber: AI-assisted hacker breaches 600 Fortinet firewalls in five weeks. So a Russian-speaking, financially motivated threat actor used commercial generative AI services to compromise over 600 Fortinet firewalls across more than 55 countries. The campaign ran from January 11 to February 18 of this year. And the scope included breaching exposed management interfaces via weak credentials lacking MFA, extracting full device configurations and attempting lateral movement to other servers and systems for credential harvesting and ransomware prep. No FortiGate vulnerability was exploited; it was purely configuration and credential abuse amplified by AI automation. So this is happening more and more and more and I'd get your thoughts on this before I ask you the next question.
B
Yeah. So here's. Here's what I've been telling you guys for a long time. These adversaries are not sophisticated in the way that adversaries were in the 90s and early 2000s. Okay. And even by the 2000s, they were getting lazy and using scripts. It became script kiddies.
A
Yeah. Push-button hacking.
B
Push-button hacking by the 2010s. Right. I was still one of the OG hackers. I did it the old school way. Kayla, Ryan Ackroyd, was another one that did it the old school way. And it was a few others, but it was already becoming that. And this high, this story right here highlights exactly what the hell I've been saying, which I'm not, I'm not, you know, I'm not looking down at these actors. I mean, I don't like the actors at all. I mean, they're adversaries. They're jerks. Right? I was a jerk once. I'm over that. All these guys open their eyes, you know, eventually, but they are using public ChatGPT-style platforms to help them generate attack paths and strategy. They, they're not even aware yet on how to deploy their own large language model where they could do this offline and not be interrupted. These are essentially children, okay, that are learning about attack paths and then leveraging these tools that help them automate this stuff to be able to move forward and actually gain access. 600 Fortinet firewalls in five weeks is a massive campaign. And this person probably caused millions of dollars in damages and probably millions more in potential reputation damage for every compromise they did. And we don't know. We know based off of what, what the GPT vendor's telling us. Right? And what the third party intelligence reports are telling us of what they were able to get access to. We don't know what ransomware campaigns came out of this, what information was stolen from here and what the actual damage is. Yeah, this is very eye opening because it goes to show you that you don't need to be a genius super duper hacker to compromise and cause millions of dollars in damages.
A
And that's kind of why I agree it's eye opening. But I think it's eye opening the other fucking way. You know, the attack vector used credential stuffing and brute-forcing on exposed management web interfaces. You know the exposed vulnerability? None for FortiGate. FortiGate was doing fine. It was due to opportunistic weak default credentials and no MFA. FortiGate's not a cheap device.
B
No.
A
How are we deploying, spending the money on this? And these, these, these people that are running these security departments still have weak or default credentials and no MFA. I mean, what the fuck are we doing?
B
Well, I'll tell you, I'm gonna keep it very.
A
It's the same every fucking week.
B
It is the same way, but it's the same every week. But let me tell you something, brother. The, the reason why this is still a thing and it's persistent is because there is no accountability. You know, we had a couple weeks ago, we had the anonymous teacher come on here and say, yeah, I have to spend millions of dollars on GRC and audits every year. But it doesn't mean anything because none of it is validated. Right. And that's with CISOs. These CISOs are doing the same exact things. They're not validating. They might get a pen test and if they have, if they bring in a pen tester or a company that isn't scoped to look at, let's see, the FortiGate firewalls. And it's not part of the rules of engagement to test default credentials, which it should be, by the way. That should be a given. Right. Then you're going to end up with gaps like this. That's just the reality now for the CISOs themselves. Unfortunately for them, they're in a weird place because now the SEC could violate them. But they have to be a public company, and private companies likely just kind of skirt through this. With the exception of companies that are within certain states like California and New York. But the rest of the states are not enforcing some of these guidelines that California, New York are passing, which is if your organization is breached and there is no sort of announcement or breach notification, then fines. But sometimes the risk appetite is way to eat those fines, you know what I mean?
A
Sure. It's cheaper to just pay the fine than it is to fix the problem.
B
That's exactly right.
A
And who cares? It's your data, not ours.
B
Is your personal information, not ours. We don't care.
A
I wouldn't put my information in there. That's what the CISO says. So let me ask you, I listened to another podcast this week and this guy, the guest on there, owns a cybersecurity company.
B
Sure.
A
And he was talking about how crazy AI is and how people are using these agents now to just go out and find a vulnerability in a website and just go, go, go all through the night and keep going until they find one. And how dangerous it's going to be. Why can't a company just do that to their own shit and find the vulnerability and fix it? Why is it so dangerous only in one direction? Why is it not useful from a defensive standpoint? Is it, Chris, because this guy sells cyber defense?
B
No, he's right. He's right, but I've.
A
No, no, his point was it could only be used for by the bad guys on the offense.
B
No, no, it could be used on the defense.
A
Yeah, of course it can. He kept over go you overshooting this. Like why can't you use these same exact agents and point them at yourself and see, hey, how do I harden this? Find vulnerabilities in my shit and tell me how to harden it.
B
Well, I'm going to tell you, I've spoken to enough CISOs and enough buyers, right? Director of IT, Director of ISS, and even in some cases legal departments. And I'm going to give you what they're telling me. I'm going to tell you what they're telling me, bro. A lot of them are non technical, so they wouldn't know how to do this internally. They lack the talent. They may have hired an engineer right
A
out of school, but then personally, they lack the talent within their organization.
B
Both. Right, all right. Both. Because a lot of these CISOs are people that lead security departments there. They went to, they went to school for, like, business. They went to school for project management. Right. They might have a CISSP at best, right? But have they ever sat down and installed Linux by, you know, from scratch? Have they ever done a pen test on themselves? No. Answer's no. Right. They're really good at delegation, they're really good at policy, whatever, and they're really good at taking reports and then converting that into business language for the board. But they're not going to sit down and do what you said. They're not going to sit down and install. And I'm speaking generally, right? Just generally speaking.
A
Yeah.
B
They're not going to sit down and set up an LLM locally and then be like, hey, here's my company, here are my assets. Let's do an impromptu pen test. That's not going to happen. Some of them are doing it, but not all of them. And so, yeah, I don't, I'm not sure what the rest is. The, the, that, that podcast guy, the, the guest was putting out there. But yeah, adversaries are obviously using AI to help push their, their, their operations. Defenders could do that too now.
A
Yeah, this is why, like for some reason. But what you explain, it makes sense to me is, and it's, it's what I've seen too.
B
Well, and so, you know, and, and you know, just, just a, you know, a little indirect plug here. But that's kind of the reason why I built Seinfeld, honestly. Right.
A
What? I didn't realize I was setting you
B
up for a safe plug, but there was. Okay, I'm gonna give you guys some, some lore. I'm gonna give you some guys some good lore. So it was a while back or many years ago, we had a client, really big client. You guys might know who that is. I'm not going to mention the name obviously, but they came to me and Said, hey, I would love to just hire you just to go through this report. We got a pen testing report from another company. Sorry we didn't hire you, but I want you to go through the report and reprioritize it because there's 80 vulnerabilities here. We have no idea what to start, where to start, where to fix. Right. I'm like, so you want to, want to pay me to go through the report from another vendor and then help you prioritize that? Okay, I'll do it, whatever. The job's a job, gotta pay the bills, right. So I sat there. You know what I noticed from that pen test report? It was good, it wasn't bad. But there was 80 plus vulnerabilities in there.
A
And the prioritization, did they color code them or anything? They didn't prioritize them.
B
No, it was like they just listed 80 vulnerabilities from critical to low, from top to bottom. But not all criticals are critical, brother. And not all highs are high. You know that.
A
And you fix one, it can cascade and fix a bunch of other things.
B
Yeah. And then you also have the concern with, with regression. You fix one and then fix another one. But that fixing the other one might have reintroduced the first one. Right?
A
Yeah.
B
So, yeah. So that's why I created Safe Hill, just for dealing with this. Right. Because unless our entire... I'm just speaking for the US alone. Right. I can't speak for other countries because I don't know where they stand on cyberspace. But here in the US we have to bring in security, like, culturally. It has to be a cultural thing. It has to be a cultural change in the US. We can't just do the checkbox thing anymore and just buy a bunch of products anymore, because that's obviously not working. This story right here highlights that. You know, FortiGate is not cheap. That's a big investment. And if you're deploying that with default credentials, with no MFA... yeah, that says a lot.
A
I mean, I think this is just going to get more and more.
B
Yeah.
A
You know, with these LLMs and access to them, what's going to stop anybody from doing this?
B
You know, it's, it's. The door is open, brother. That's it.
A
The downside is that I think it's going to be somewhat traceable. I don't think a lot... You know, this guy, whoever it was, wasn't that sophisticated. No, I'm sure he's not going to use a local LLM. So they're going to be able to figure out who it was.
B
Yeah, no, they have his chat history. They probably know exactly who it is. He had to sign up for Claude. I think Claude is what he used.
A
Yeah.
B
From Anthropic. And, by the way, that is a really great product. Shout out to Anthropic for Claude. It's amazing. But he had to pay for it. That's not free. So whether he used a stolen credit card or not, he had to use a credit card to pay for this. So more than likely they know who he is.
A
Reading this story, did you? One thing I found interesting, I kind of like to look through the forensic stuff of this, and it said the tools showed clear AI fingerprinting. And it was interesting to see how the AI makes these tools and what it leaves in it for the forensics to go back on: redundant, repetitive commenting, restating function names, empty docstrings, stubs, over-formatting versus functionality. So I guess that's how you tell whether this code's written by AI or not. I would say a lot of the pseudocode and all that... If you just use the same name in the pseudocode... Or if you have pseudocode, I mean, did you ever write pseudocode?
B
Yeah, of course.
A
Oh, really? I'm surprised. Like, that's one of the things they make you do when you take the academic approach to learning programming. Well, write it out in pseudocode first and then go back. Nobody fucking did it. I want to write code, see if it worked, and then I'll go back and fill in the pseudocode afterwards, because why waste my fucking time?
B
But, you know, what you just said, plus what you just read, highlights a real stark problem with developers, human developers, and that is that they are lazy. Because, you know, if you read any of the...
A
Everyone's lazy.
B
But yeah, no, developers are lazy for the most part. Not everybody, obviously.
A
Allegedly.
B
Allegedly. Wink, wink, right.
A
No, it's not a crime. It's okay to be lazy.
B
But when you look at old books, project development books or software development, software engineering books from the 70s and 80s and 90s, right, they were very big on: you have to use camel case and you have to use clear, concise documentation, commentary. You have to do this, you have to do that. You look at source code written by somebody in 2021, 2024, 2026. It's not like that.
A
No.
B
Now that AI is doing it, it's like, oh, no, that's an indicator. That's AI code, you know. But I could show you code right now, and you could probably say, yo, Heck, this looks like AI craziness, but it's written by a human, and anybody could go check it out right now. If you Google "GitHub testssl," it's a bash script that's like 4,000 lines of code, and the developers wrote it out and commented everything. If you ever want to look at the most amazing, mind-blowing shell scripting of your life, check that out. And if you read it with this modern mindset of "only AI does commentary," you would think that's written by AI. No, it's written by humans, and it's been doing it for like 10 years, that big-ass project. So. But yeah, listen, any indicator that helps you profile an actor or an AI engine, whatever, is useful, especially for those that deal with incident response and threat intelligence, you know, collecting intelligence and all that. Yeah.
A
All right, Heck, next story. We've been following this one closely for a few weeks here, and I think you probably have some feelings about this one. We'll see. We'll see if you want to put them out there or not. So: the Trump administration removes controversial acting CISA director. So the leadership transition at the Cybersecurity and Infrastructure Security Agency: the acting director, who had served in that role since May 2025, was removed and reassigned late Thursday, February 26, by the Trump administration to the Department of Homeland Security. He was moved into a new role of Director of Strategic Implementation at DHS headquarters. Nick Anderson, Executive Assistant Director for CISA's Cybersecurity Division, was appointed the new acting director. So old leader out, new one in. But, you know, we've dug a little deeper. Maybe this guy wasn't qualified. Maybe he probably shouldn't have had this job. His LinkedIn stuff looks like he maybe shouldn't have had this job. What are your thoughts and feelings on this one?
B
I don't want to be provocative, if you don't mind, Chris.
A
I don't mind at all. I didn't know if you were going to do it or not.
B
This guy has all the tells of an insider threat.
A
Really?
B
Yes. And obviously he might be a nice guy, and maybe he's just well connected. Maybe that's why I'm looking at it this way. Right? He's just a well-connected guy. Somebody somewhere in the US government, within Trump's circle, likes him and wants to keep him going. But we're talking about a guy that went from CIO of South Dakota, immediately dropped in, you know, plug and play, into the director role at CISA. He was polygraphed. And, by the way, I want to give you guys some context. I don't want you guys to think that I'm, like, you know, one-sided on this. I actually sat down and read. So CISA is mostly a civilian agency? Yeah, a lot of... totally.
A
No, maybe there's some military that are assigned over there.
B
There's some, but it's mostly civilian. Right. So they don't require polygraphs, and in some cases don't even require, like, too many clearances. They probably got basic clearances or whatever.
A
No, I don't believe that's true. Because, I mean, the FBI is civilian and they all have top secret clearance. You have to have top secret clearance, which requires a polygraph. I think there are levels at CISA that require higher levels.
B
Well, I'm not saying that there isn't. What I'm saying is that a lot of the people that are there or have been there, you know, probably had much lower requirements for different clearances, because a lot of the employees there don't have to deal with polygraph testing. They don't have to go through the process. That's the whole point. Now, because he was walking into the director position, he had to take the polygraph from within the organization. It was within the organization that actually did the polygraph. And, by the way, all of the people that were involved in polygraphing this director were let go and fired as a result, by the way.
A
Really?
B
Because once the story broke that he failed it, they all got let go. Now, moving forward, after he took on the position, took on the role, he started making really bad decisions. I believe there's a whistleblower complaint against him that I read about, where in one instance he was going to chatgpt.com, the free version, without an enterprise account. I know Hegseth and the team, they had, like, an enterprise or a team Anthropic account. Right. That's why we had the whole debate last week about Anthropic versus military decisions. Right. He ended up going to the free ChatGPT account, which trains on your queries, and he started posting a bunch of stuff in there that was potentially sensitive to CISA, and that right there flagged them. It probably violated whatever data loss prevention policy they had internally at CISA. And then it caused a ripple effect to the point that they had to replace him post haste. And we covered... The last time we covered this story was probably a few weeks ago, because it's actually been ongoing. Right, sure. And back then it was already like, hey, this guy might be an insider threat, because not only did he fail the polygraph, he lied to his staff, but now he's actually posting stuff on third-party unattended systems and platforms. Now, somebody somewhere said, okay, we need to get him out of CISA, and instead we're going to make him a director within DHS. So, guys, if anybody's listening from the administration, please. I'm sure he's a nice guy, and I'm sure that, you know, he's done great things for the administration, but he's clearly not in the position... Shouldn't be in a position to be a director anywhere.
A
Yeah, I mean, he fucked up at CISA. Like, why are we keeping him on someplace else? I mean, I'm not blown away by his past experience that we need to retain his services for this. So I find that a bit strange.
B
He could go back to South Dakota. He could be a CIO in South Dakota again, if South Dakota wants to deal with that. Right. But my concern is this. My concern is...
A
Isn't Noem from South Dakota? Wasn't she the governor there?
B
Yeah.
A
And now she's the Director of DHS?
B
Yeah, I didn't say that. I'm no crazy liberal. The other guy said it.
A
Those are all facts. There's nothing slanderous about what I just said.
B
No, but the truth of the matter is that, you know, I take cybersecurity seriously. And I am actually a big fan of CISA, and I've supported CISA. I, you know, listen, I'll even tell you guys a funny story. I even emailed CISA, like, three years ago. I'm like, hey, I want to help you guys. Like, is there any way I can help? I just want to donate time. I'll give you guys a few hours a week. And the regional director of, like, the New York or East Coast wrote me back. It's like, yeah, no, we can't do that. But if you want to apply for a job... I'm like, no, I don't want to apply for a job. I want to just help you guys. But anyways, I love the idea behind it. I think this is dope. It's just that we need to be very careful with who we're putting in a director space, right, in that position, because they're going to be looking at a lot of sensitive information, and we can't have that shit on ChatGPT or some unattended cloud environment.
A
So what do you think about the new guy they've assigned, the one they're trying to get through, this Anderson guy? He was former CISO for the Coast Guard and former CISO for the Navy. Former CISO for Vermont. You all right with this guy? You okay with his resume?
B
I have to do more research on him, but from what I've seen, I mean, he obviously has a more esteemed, you know, portfolio, repertoire. You know, seems like he's been more involved, and I'm curious. And like I said, I gotta do more research. I can't give you my opinion yet. I'm not sold yet.
A
Oh, come on. I'd rather have somebody that'll pass the polygraph and somebody with a little bit of a resume.
B
Listen, I would rather have Chris Tarbell lead the CISA organization.
A
The agency? I wouldn't take the job. Wouldn't take the job?
B
You could change. You could make things so much better if you took that position, bro.
A
I, I, I'd only go if you went.
B
I, I would do it, too. I'll go with you. I'll be your underling. I'll be your secretary. I don't care.
A
No, no, no, no, no. Co. We gotta be co... Nah, they
B
don't like me, bro. They'll see me. Oh, hell no. Not this guy.
A
All right, you wanna do another story? You wanna call it a show?
B
Nah, bro, I'm with you all day, Pop. Whatever you want to do.
A
All right, let's do it. A lot of privacy has turned out to be just fiction. So a researcher has found, published a paper demonstrating that large language models (back to LLMs) enable scalable, automated de-anonymization of pseudonymous online accounts using only unstructured text from posts and conversations. Key settings include re-identifying Hacker News users to real identities, matching users across Reddit communities, and linking split pseudonymous profiles from the same Reddit user's histories over time. I guess this is kind of like what Aaron Barr was trying to do, only being done with LLMs.
B
Yeah, so there's been some really good research in this space. In fact, I could have sworn I read some commentary on this paper here.
A
Yeah, so while you're doing that research. So what we're bringing up is Aaron Barr. Hector talked about it earlier, about the HBGary hack. Aaron Barr went on the Internet and said he was going to decloak Anonymous. And he did it based on, like, different profiles being online at the same time, or taking a Twitter account and matching it to, you know, an IRC channel or something like that.
B
Yeah.
A
And so that's sort of where the HBGary hack came from.
B
Yeah, yeah, yeah, that was part of it. And then, of course, the story he did was pretty crazy, with the Financial Times or whatever. You know, it's two completely different comparisons here, or two different things. We're comparing, like, apples and oranges here. So what these guys are trying to do, and what this story indicates, or the paper, rather, is, you know, you could start to profile with confidence using all sorts of different algorithms to detect language changes between personas, profiles, for different platforms, different media. And what I was trying to find, I couldn't find it. But there were two really good points that people made on this exact story, which is, one, that guy McAfee, the crazy guy that died. I forgot his name. Was it John McAfee?
A
Yeah. Yeah.
B
So John McAfee, he brought this up.
A
Allegedly crazy.
B
Allegedly crazy. No, no, he was. He was what he was.
A
Well, he did say that he was going to S his own D on national television if bitcoin didn't hit 50,000 by a certain date. And it didn't. So he didn't do it. So I don't know how crazy it could possibly be.
B
Yeah, he was wild, he was a wild boy. But he brought this up without the large language model usage. He brought up the concept of kind of profiling writers by nuance, by context, by indicators. And in one of his interviews, he described how anybody could discover who Satoshi Nakamoto is. He talked about the identity of Satoshi Nakamoto, the creator of Bitcoin. Okay. And he said, you need to look at the two white papers, plus a couple of the emails, plus the Bitcointalk forum posts, blog posts, whatever. Forum posts, rather. And, you know, it's very obvious who he is. He never mentioned the person, but it was an indicator that, you know, it was a couple people. Right. There wasn't just one person. And then there was another one, where I think there was a security researcher who created a script to kind of look through a bunch of different, like, you know, vulnerability write-ups, CVEs and all that, and then attribute that back to potential adversaries. This was back in the 2010s. My point here is that this is absolutely right. I mean, look, the FBI, you guys caught the Unabomber, right? You guys caught Kaczynski because of the way he wrote, his manner.
A
His brother recognized it.
B
His brother recognized it. But then once he provided that information to the FBI, the FBI was like, oh, absolutely, yes, the writing matches. You didn't know about the brother. You didn't know about Ted Kaczynski yet because you hadn't seen his writing. But you knew what the writing was. Once you had the direction, you're like, yeah, this is definitely the same guy, because you guys were able to profile that. And the FBI has been doing this for a long fucking time. But now with LLMs, you could scale that. That's the difference. So do you think, with this in mind, with this white paper, and maybe there's some automation involved, do you think the FBI would use something like this to help track, like, adversarial, you know, authors or whatever?
A
Absolutely.
B
Yeah.
A
100%. They're going to use this. They're going to try to, you know, I mean, obviously you have to have a public persona and then a fake online persona to try to marry up.
B
Yeah.
A
If you don't have the public persona, then there's nothing to marry it to. But I definitely think there's going to be some false positives with it, too.
B
Oh, yeah.
A
You know, especially if you don't know there's a public persona. You know, the LLMs are going to find the closest matching public persona and try to say it's, you know, a 98% match or whatever it is. So I don't think it's going to be an exact forensic science.
B
Sure.
A
But I think it will provide investigative leads.
B
I'm curious about it, honestly. I know that there's companies out there that do, like, data warehousing, and, you know, like Palantir, they do a lot of that stuff. Yeah, I wouldn't be surprised if that already exists, and this white paper is just, you know, an outcome of that.
A
Well, I was listening again to yet another podcast, and it was a tech guy out there, and he just nonchalantly says, well, you know, banks aren't going to invest in cryptocurrency because it's not anonymous. Like, all cryptocurrency, you know, I think he was speaking specifically to bitcoin, is traceable. Whereas that was one of the key points in 2011, when it came out, was that it's not traceable, and it's all been, you know, de-anonymized now with KYC and stuff like that. Sure. You know, do you believe that is sort of a... not a hard and fast truth, but we're getting closer and closer to it, that you can't have anonymous bitcoin transactions?
B
Man. That's a good one. That is a real good one. Because if you look at bitcoin originally... This is my takeaway. Right. And I could be wrong. I know there's some bitcoin, like, you know, promoters out there, people that really support it, that'll tell me, hey, Hector, I think you're wrong. When I first learned about bitcoin many years ago, you know, back when it first came out, we even had some... Early on I looked at it less as a privacy thing and more like decentralizing from banks. Because you had a public ledger. You could see who's sending cash to each other. Yeah. It doesn't have a name on it.
A
You can see accounts. Yeah. You see wallets.
B
You're seeing wallets. And then you use OSINT and you track that down eventually.
A
Right.
B
Because it's always got to come out somewhere. Even if it's OTC, over the counter, and you're meeting with a guy that invests in bitcoin, he's gonna know your identity, right, for the most part. So. But then you have things like Zcash and Monero, which, by the way, the Zcash guys were all over the Epstein files. That's fucking weird. The only one.
A
Is it weird.
B
I don't know, man. I don't know about that. I know Monero is the only one that... I don't think the developers were in the Epstein files, but it makes you wonder, man, it makes you real curious about what that looks like. Honestly, bro, you know, I feel like we're going to reach a point where after there is a real World War 3, because this is not World War 3, this is a little theater, this is going to be the World War III. And then World War 4 is going to be us with sticks and stones and physical barter, you know what I mean? Because, yeah, man, privacy is dead, bro. It really is.
A
Yeah. So, I mean, again, if bitcoin is not anonymous anymore... Being online, to be honest, I've never seen it as totally anonymous. I mean, you get together two or three engineers from Google, one from, you know, Twitter, and one from some, you know, other place, and they can match their logs up and tell you exactly who's who. Oh yeah, well, you know, you make one false login, you miss your VPN, or even with your VPN, get somebody from the VPN company, and you can de-anonymize all of this online activity. So people think there's privacy. Yeah, there might be privacy amongst each other, but if you dig into the guys over in Silicon Valley, they know exactly who's who.
B
This is why there's been a lot of pushback against mesh networks. Mesh networks are fantastic. I've set one up, even though I have no peers, no peers that connect to me. But for those of you that don't know what a mesh network is, it's essentially a decentralized peer-to-peer network where, let's say, I set up a computer and that computer acts as a relay, but also as a peer. And then Chris sets one up for, you know, where he's at. And then same shit, right? He's a peer, I'm a peer, and we're both relays. Now, in order for me and Chris to communicate, we need a bunch of peers between our states, right, to relay our conversations back and forth. And it's going to be encrypted and all that good stuff. People will see that we're communicating, right? Or they'll see communication going back between both endpoints. But they won't know really the message, at least until the technology is tested and stress tested, the algorithms are broken. But, you know, I've seen a lot of pushback against mesh networks, especially here, like, in New York. I think there was a story several years ago. There is a mesh network group here, they meet up, like, every month, and they put up, like, mesh routers. So there's a bunch of mesh routers here, but I think, like, New York City or New York State was like, I don't know, this might be weird. What if they're trading, like, you know, CSAM on it? What if they're trading, like, you know, IP? We need some sort of eyes on that. So I'm not sure if that's going to be a thing.
A
You're talking about the network inside New York City where you're just visiting right now, right?
B
Oh yeah, I'm visiting New York right now. And the weather, by the way, sucks, like 20 degrees. I've got a fucking full-blown hoodie on, and I'm about to put a shearling on.
A
Yeah, but at least you got the string all the way through your hoodie, so that's good.
B
I fixed it. Bro, look at this.
A
I know. I'm excited for you. All right, guys, questions@hackerinthefed.com, reach out to us, let us know what's going on. Support Hacker and the Fed on Patreon. Support us on hackerinthefed.com, buy your merch there. Keeping the free show commercial free. I mean, we're going to mention Safe Hill once in a while, but that's all right. You know, it's my boy's company.
B
That's right.
A
We founded it. So, you know, don't bitch at us that that's a commercial. It's not a commercial. The free show is commercial free. Five-star reviews wherever you download and subscribe to your podcast. Share us on social media. Tell your friends, tell your co-workers, tell your lovers. Hacker in the Fed is where it's at. Appreciate you, brother.
B
I appreciate it too, man. And take care and have a beautiful day. Cheers.
A
All right. Love and respect. Cheers,
B
Sam.
Episode: When AI Makes Hacking Easier Than Ever
Date: March 5, 2026
Hosts: Chris Tarbell & Hector Monsegur ("Sabu")
In this episode, Chris Tarbell (former FBI Special Agent) and Hector Monsegur (ex-LulzSec hacker turned red teamer) discuss the explosive impact of AI on both cyber offense and defense. They dissect recent major incidents, including AI-driven mass firewall breaches, geopolitical cyber skirmishes (notably in Iran), insider threat drama at CISA, and advancements in de-anonymization using Large Language Models (LLMs). The hosts blend personal anecdotes, expert hot takes, and industry stories, focusing on the real-world risks and challenges of cybersecurity in the AI era.
Hosts reaffirm their commitment to a commercial-free podcast, urge audience support via Patreon and merch, and above all, reinforce the reality that cybersecurity is increasingly about mindset, diligence, and adaptability in the age of AI—on both sides of the law.
Contact: questions@hackerinthefed.com
Merch: hackerinthefed.com
Patreon: Bonus episodes and new video tier available