![2 Million Cisco Devices Targeted by Exploited 0-Day – 2025-09-29 — Talkin' Bout [Infosec] News cover](https://assets.blubrry.com/coverart/orig/577207-646458.jpg)
Josh Sokol
I'm sure there's something in there that'll like, turn me into an adventure or something like that.
John Strand
Yes. You're gonna want to take sounds.
Josh Sokol
You're gonna want to take fight bacteria with Radiant. I don't know.
John Strand
The Mr. Burns approach to healthcare. All of your diseases are keeping each other in check.
Corey Thuen
When you have a connecting flight and they, like, check you for radiation, once you get back into the States, you're. You're going to be stuck somewhere.
Josh Sokol
Man, I'm screwed.
John Strand
I've never been checked for radiation. Am I. Am I flying the wrong places? Where should I fly?
Dale Peterson
To the right places.
Eric Conrad
That means you're flying the right places. I guarantee you that means you are flying the right places. I have had this done. They don't do it at the airport. They do it before you're allowed to go to the airport.
Josh Sokol
If they do it right. If they do it right.
Eric Conrad
If they do it right by checking your badge before they let you leave the country or state, depending, whichever. Well, one of them was Fermilab. One of them was CERN.
John Strand
If you eat a banana, are you now radioactive? Because that's my understanding of radiation.
Eric Conrad
No, you were already that radioactive.
John Strand
Okay, good. I want to make sure that I'm at least slightly radioactive at all times.
Eric Conrad
You're replacing the radioactive potassium that you're losing with the new radioactive potassium in the banana. This is different from eating Brazil nuts. This is different from eating Brazil nuts because you'll get the potassium, which does the same game, but you'll also get barium, which is slightly radioactive and more radium than anyone thinks is ever in food.
Josh Sokol
Or just fly at 30,000 ft for half an hour.
Joff Thyer
Yeah, I was going to say you're going to get on a flight, you're going to get irradiated.
Eric Conrad
Oh, yeah, yeah.
Greg
Well, and then there's like, X-rays.
John Strand
Yeah.
Eric Conrad
But the X-rays have gotten so much better so that they're super low dose. It's actually made it so that airplane flights are now worth more X-rays than they used to be.
Josh Sokol
That's why I only do X-rays in an airplane. Why? Splits for living.
Greg
All the rads. More rads.
John Strand
Okay. How?
Dale Peterson
Someone's mic just exploded.
John Strand
Whatever.
Josh Sokol
That's not me. That was not me. That was Andy's.
John Strand
Not me.
Dale Peterson
Yep, it was Andy. All right.
John Strand
All right. And he found the radiation source in his room and hooked it directly up to his microphone. Yeah. Sorry. If you have headphones, you are dead.
Josh Sokol
All right. Corey.
John Strand
Yeah.
Josh Sokol
Letting you drive it. I've got the tech segment on the last 20 minutes.
John Strand
What's the tech segment? Please explain.
Josh Sokol
It's a continuation of Dale's webcast from last week. We're going to be adding as much as we can take segments at the end of the news where I'm going to do a little mini CTF at the end of the webcast and then we'll do the winners and everything. Let's go.
John Strand
Roll it. Hello and welcome to Black Hills Information Security's Talkin' Bout News. It's September 29, 2025. It's CISA emergency directive Monday. Or I guess it's hopefully okay if you're an incident responder. Hopefully you just aren't listening to this because you're sleeping because you worked all night Friday and maybe into Saturday, right?
Dale Peterson
Maybe, maybe.
Josh Sokol
So that's what we did.
John Strand
Emergency directive. It's another Cisco thing. I will say one of the. One of my favorite tidbits about this is in the, in the directive or in one of the write-ups I read it was like all of the devices this affects are either end of life or will be end of life tomorrow as in Tuesday, September 20th or 30th.
Josh Sokol
So now they're talking.
John Strand
It's like just in time for the end of life party. This is released to just give that last little bit of ammunition for those that don't know, I guess. Does anyone have like a technical. Wade, are you deep in this? No, I don't want to talk about it.
Dale Peterson
That's how technical I am.
John Strand
I'm sorry.
Dale Peterson
Yeah, no, I didn't have to work this one. I'll tell you that.
John Strand
It's the same whatever you're thinking of when you think Cisco zero day, it's that. It's a Cisco zero day. In the web interface there's both an RCE and an auth bypass. So if you combine those two together, you get zero-click, zero-auth RCE. And it's accompanied by a really sophisticated malware, kind of, they're calling it what, Line Dancer or something. I'm thinking of that game with the guy and he would sled down whatever you would put him on. Line Rider. Yeah, I think missed opportunity, but basically it's a malware that is designed to run on Cisco stuff focused on data collection, espionage, likely nation state. I don't know if it's necessarily been attributed to a specific nation state yet, but safe to say Black Hills Information Security is not writing malware this complicated and combining it with zero days.
Josh Sokol
This is fancy, but we could for the right amount of money.
Dale Peterson
That's it.
Josh Sokol
So this just seems that you guys kind of noticing a theme that there's a crap ton of stuff that has zero days, that is end of life or there's no patches. It just seems to be happening more and more. What is that quote from William Gibson? The future is here. It's just not evenly distributed. You have a lot of organizations that are implementing amazing security posture and all the security support structure that goes with it. And then you have people, you find out a good percentage of them that are running stuff that's horribly out of date, not getting patches. I was screwing around with Shodan the other night and I was just playing around with queries, looking for anything that was an EOL product, like end of life product, like old Mongo databases and things like this. And there are like hundreds of thousands of end of life products just basically right up against the Internet. So yeah, I think that a lot of. And what I, what I want to get to on this is I'm willing to bet that the vast majority of the people that are going to get hit by the Cisco vulnerability are not people that are up on CISA alerts. Just guessing that maybe those two.
John Strand
That's a really good point. I think part of this also is like, and I guess I want to get everyone's take on this. My thought is EDR got really good. And so threat actors are like what doesn't use EDR? Network devices, right? Like that. I don't know if that's actually true, but that's like where my head went when I keep reading these and I'm thinking like okay, Windows endpoints, well defended. Typical endpoints nowadays are like monitored, heavily defended, like everyone's good at it. So where do we go? We go away from those endpoints to things that don't run EDR.
Josh Sokol
Right to the future.
Dale Peterson
No, I give it to you. Network devices are definitely protected against less, right? You're going to be more of looking at audit logs for it. And then even then, like there isn't a lot, honestly in my career I have not seen a lot of people actually use like IDSs or at least on the network side we're usually just looking at some type of VPC flow logs or firewall logs. I think you're hitting the nail on the head, right? Like why, why pwn an endpoint when you can pwn the network that all the endpoints are flowing through?
John Strand
And this isn't even the only. I mean so also data collection, like the Salt Typhoon stuff from last year, like getting onto these endpoints, network endpoints, is super high value. I don't know. I guess I don't know exactly what they're collecting, but presumably whatever they can get. But they're also using these as launching points. Like, I'm thinking of another article that's in our list, which is that. What is it called? Brick. Brick Door or something like that? Brick Storm, I think Brick Storm, Brick Breaker. These are all like vintage video game references I'm coming up with. But yeah, basically there's another article that Google Mandiant posted that is another malware that's designed to run on networking devices and is really advanced and has. It's basically like a custom C2 channel built as a backdoor boot kit for, for network devices. So I don't know, it seems to be an emerging theme or. Yeah, Brickstorm, that's what it's called. It seems to be like an emerging theme where threat actors are targeting network devices not just for the value they have, but also because they're stealthier. Their presence on the network is inherently stealthy. And I think John nailed it. Like a lot of people just, it's. Do not replace. We don't even know it exists. We've even seen on some, like some of our customers where we'll find a vulnerable network device and they'll be like, we don't even know whose this is. It's our ISP's. Like, it's, it's not ours, it's not our device or it's, you know, it's leased out to us and we can't do anything about it or whatever. So there is some shared responsibility with this as well.
Unknown
You have, you have that and then you have the companies that have a directive to go ahead and decommission all these older devices as they are replacing them and never know where the last ones are and don't even sometimes know that they're. That they're open to the Internet. I run into that quite often over the course of the years, especially with Cisco devices. The amount of ASAs that are still out there is unbelievable.
John Strand
Totally.
Josh Sokol
I think I did a check. Once again, playing with Shodan. I wanted to say it was like 360 some thousand and I could have gotten that horribly wrong because I'm tired.
John Strand
So are all ASAs EOL now? Is 100% of ASAs EOL or are there still some that are supported?
Dale Peterson
Did you know there's ASAs, there's like virtual ones?
John Strand
Yeah, we talked about it months ago in a news article. Because all the ASA cloud machines had the same password if they were set up at the same time.
Dale Peterson
Oh, I do remember that. Yeah.
John Strand
Like, I didn't.
Dale Peterson
I, I, yeah, I do remember that one, man. Dude, it's like, I feel like John right now, just so much news. But.
Josh Sokol
Things are getting better. Except for the desktop.
John Strand
I don't know. I don't have to, I don't have.
Dale Peterson
To write SOPs anymore. So I'm fine. You know, I mean, ChatGPT. Got that.
John Strand
I will say that. Like, it kind of blows my mind because other vendors don't seem to have this problem as much. There's definitely four there. Okay. But there's, there's more than two network vendors out there, right? Like, there are. I don't know. I guess I'm like, are companies making choices based on these advisories are like, obviously network upgrades are expensive.
Josh Sokol
But that's my point. Right? I, I think that the people that are the. I think, I think the point that I'm trying to get at is like, there's so many organizations that are running end of life stuff just because it works and it keeps running and the bits keep flowing. They're not, once again, they're not subscribing to CISA alerts. They don't listen to this podcast. They don't do any of the normal security stuff that normal people would do. It's just, you know, someone set it up for them and they just keep doing their business stuff and keep moving forward. I also, it was kind of interesting. I got into an interesting conversation and it's a valid question, I think, on a sales call today where someone was talking about ripping their entire tech stack out and just going with one vendor so it's easier for them to manage it. And I think that that's a noble goal, but I don't think it's necessarily 100% possible. There's a point that sarsaparilla brought up and I can't remember, Sasviller was talking about, I love Shodan. I just add my IP and it lets me know if there's an issue. And I think that that's good. But the problem also comes from like out-of-band networks or things that you don't know are directly into your network. For example, I don't know if Joff remembers, but we were doing a pen test a long, long, long time ago when I was actually still testing a long time ago. And one of the customers had. They had industrial control systems. It was an assembly line system that had an out-of-band management interface for the manufacturer that was just some janky ass edge networking device that hadn't been patched and updated and it was allowing them direct access into the network and it wasn't part of their network topology that they handed to BHIS to test. I still can't remember how we found it. Joff, I think we found it. We were on site and we saw an ethernet cable dangling from the roof connecting into it or something.
Joff Thyer
That wouldn't surprise me.
Josh Sokol
But. But you see this stuff and it's not necessarily the tech profile that the organization is scanning regularly. It's this weird shit that's plugged into their network that they just don't expect.
Joff Thyer
Well, the thing that strikes me about all these Cisco vulnerabilities is A it's giving me PTSD because I used to run big networks back in back a long time ago. But B it is so preventable because a lot of these vulnerabilities that are coming out are in the control plane side of the architecture which you should never expose to a production network. So people are just not architecting things correctly. They're just throwing stuff out there.
John Strand
I believe this was SSL VPN, Joff.
Joff Thyer
Yeah. Okay, so that one might.
John Strand
This one was something that has legitimate use case to expose, which is what makes it scarier.
Josh Sokol
That may be, but a lot of what Joff's saying is true because we still see all these vulnerabilities showing up in the management interface. But. Right, so if you're running an SSL VPN that's end of life. Dear God. Like what, what the hell, like what else is going on in that network?
Joff Thyer
But, but you know, I, I see things like, you know, oh, only needed SNMP read only access. Well, first of all, if you're architecting a network and you're allowing SNMP to, to that end device from anywhere. What the hell are you doing?
Corey Thuen
So hey Joff, there, there were two big Cisco stories. So there's the SNMP one, but that's not the one that the CISA directive went out on. The CISA directive was on.
Josh Sokol
Okay.
Corey Thuen
Yeah, but the directive was on this 9.9 SSL VPN one.
Joff Thyer
Yeah, I mean it was talking about the general theme though.
Josh Sokol
It's just that that's what I wanted to get to.
Joff Thyer
There is this. It's probably a breakdown in training and architecture of networks that people are just not thinking anymore. They're just whacking it on the network. They're sticking their management interfaces out there. They're not protecting it, they're not doing any access control. And it's become like it's ubiquitous as electricity and plumbing and they're just not thinking about it. And it's a recipe for trouble every single time. I don't care how good.
Corey Thuen
No, I think you're 100% right. And I think it's some of the training material that people are seeing as well. I was trying to figure out how to onboard some Palo firewalls not too long ago, and I'm finding what training videos I can. And a bunch of them, they were like, okay, and here's the management plane. And yeah, this is usually going to be connected to the Internet. And it's like, what?
Josh Sokol
But.
Corey Thuen
That's the free training that you can get. And then you're going to have a bunch of guys that watch that and then they're going to be your L1 help desk that the initial config gets pawned off to. If you're having like an MSP do it. And there you go.
Joff Thyer
Or the operators, you know, the architecture group, whoever's doing it succumbs to some kind of operational pressure where, you know, the ops group comes down on and says, I don't care, I've got to get to that out-of-band network. In band. Why did we call it an out-of-band network then?
John Strand
I mean, come on.
Josh Sokol
Right, but, but still, you know, we come back to a lot of these vulnerabilities. Like they're saying they're all end of life or they're set to be end of life tomorrow. We've got monster, like not even talking about in-band, out-of-band if you're that far out of date on patches. And I didn't know. Did this, this alert say how many systems they think are vulnerable to this?
John Strand
Because I think there was an estimate.
Josh Sokol
And Shodan's like, now this is what's happening with Shodan a little bit. It's like you got to be an enterprise user if you want to do that query that's relevant to the news topic you're talking about on the show.
John Strand
So it's going to be thousands, tens of thousands probably. ASAs are ridiculously common.
Joff Thyer
Yeah, they're everywhere. Cisco was very successful for a long period of time, that particular product line.
Josh Sokol
Yeah.
John Strand
All right. Anyway, I mean, it got a 9.9. So Cisco pays for CVSS premium where they don't get the full 10. I mean, the only way this could go any more is, I guess, if it's public. I will say we did. Look, there's no public exploits, at least not right now, maybe there will be soon or in the future, but the only people who have this one are, you know, APTs, I guess, or whoever wrote this.
Josh Sokol
Just some reference points, right. And once again, this isn't getting granular, but the number of Cisco devices that have 443 exposed to the Internet or anything that purports to be Cisco in any part of its banner, out of the 2.69 million that are out there, there are 36,000 Cisco devices that have port 443 open and there are 37,318 that have port 80 open. For some reason, there's a whole bunch of ports 8888, 4444 and 2222 open. That's, I don't know, I'm just going to throw out. I think that that might be bad if your Cisco device is listening on port 4444.
John Strand
So let's get, let's, let's move on. I mean, yeah, I mean, unless anyone has any final thoughts on this, it's the same dead horse we've been beating for years. Ditch your ASAs, people. I mean, I like zero trust a lot. I think it's amazing. If you have to go centralized VPN, maybe just get one that isn't end of life.
Josh Sokol
That might not be a bad call or one that's patched up to date, not even better.
John Strand
At least not end of life. Come on, Josh.
Greg
Patchable would be nice.
Josh Sokol
A huge percentage of the stuff that I just called out is in Russia and China, so. China, Russia. We know that you're usually probably not listening to the show, but you guys should be patching your stuff. I don't know how to say that in Chinese. I don't know how to say that in Russian. But hopefully Google will translate it for you. And YouTube. You should patch your stuff. I'm just saying.
John Strand
What are you going to say, Josh?
Joff Thyer
Put some access control around it.
Josh Sokol
If you see that's insulting. Joff is reaching out across the sea. That's awesome.
John Strand
I will say you don't, you don't. I mean, as a, as a note to, you know, let's get a little bit technical. You don't need SNMP on the Internet. You don't need an SSL VPN. Technically. How many people are really like, let me go to secure.company.com and use the SSL VPN. No, they just click the button or their computer connects automatically. The most secure companies don't have SSL VPNs. You don't need one either. Just disable it and have certificate only directly to IKE or whatever. All right, anyway, moving on. This Neon app, which, I mean, I guess let's cover this real quick because it's just such a data mining campaign from the very beginning. The fact that it has cybersecurity, like, it is literally an article that AI. Or we could just make up on stage at Wild West Hackin' Fest and cover 99% of the details. So here's the details.
Greg
Well, my favorite thing about this article is that now we have the answer to what our privacy is worth. $30 a day.
John Strand
That's all.
Greg
That's what it's worth.
John Strand
That's actually more than I would have guessed.
Josh Sokol
I thought we got at wholesale for like, $5 per person. I didn't.
John Strand
No, it's okay.
Josh Sokol
All right, go ahead.
John Strand
Yeah, for some context, there's an app called Neon, which apparently got about 75,000 downloads yesterday alone. And by yesterday, I mean, like, six yesterdays ago, because this is from September 25th. But basically, there's this app called Neon, which, I mean, even just their website is so, like, yucky to just look at. It's like, basically their pitch is: your ISP is cashing in on your data, so why not cash in on your own data, too? It's like, which, believe it or not, the app openly claims this and then claims that. What it does is record your calls and pay you for the audio. This is such a specific privacy invasion. Who is opting into this? Because, okay, first of all, placing phone calls in 2025. Ew, gross. Number two, cashing in your phone calls with AI. Like, who is this for? The people who are making phone calls don't even know what AI is or don't want to cash in on their privacy.
Greg
Impulsive coupon clippers. This is for people who absolutely insist on doing absolutely anything they can, even if it isn't cost effective, in order to get a 5% discount off of something that costs them way more than it's worth.
John Strand
Okay, that is the only phone calls.
Josh Sokol
That you get are. That makes a lot of sense.
Corey Thuen
Like having to call, you know, Comcast or Spectrum or something like, okay, you know, 30 cents a minute to talk to Spectrum. Still not worth it, but, you know, slightly better than zero.
Eric Conrad
Yeah, I was gonna say. I mean, throwing something like this onto any time I actually pick up a scam. Likely call, sure, why not? Give me a little money back for dealing with these people I don't really want to talk to, however long they keep spieling at me.
Josh Sokol
Yeah.
John Strand
What do you say, John?
Josh Sokol
I probably scam sometimes. Just need that spice in your life sometimes. You see that call coming in, you're like, I'm taking it. Yeah.
John Strand
Exactly where I was going, too.
Josh Sokol
It's like I got 5%.
Eric Conrad
Every once in a while you need somebody to yell at.
Josh Sokol
Yeah.
John Strand
Or you get bored.
Eric Conrad
Half the time it's a robot.
Greg
I'm available when I need to vent.
Josh Sokol
I'm never in the deficit of people to yell at. I'm doing well in that category, thank you.
John Strand
Okay, let me just bring everyone's attention to the fact that both Android and iOS now have the capability to screen your calls before you answer them. Just saying.
Josh Sokol
Good, good idea.
John Strand
But, yeah, basically the reason we're talking about this article, not just because the app exists, but because predictably, it got breached and they exposed the database of all the people's phone numbers or a lot of the. You know, probably an S3 bucket. I didn't even bother to look into the technical details because that's how I feel.
Josh Sokol
And yeah, I mean, you're just the stories. I'm guessing.
John Strand
I'm literally just vibe guessing. Like, the app had hard-coded S3 keys in it. Someone just ran MobSF on the app and now they got the keys and it's just the same key for every user. And that's. I mean, I've. We've seen it all before. Yeah, I guess I'm blown away by it. And I'm also. I'll look for the data breach, but I'm guessing that the I'm. The use cases we identified are at least maybe half. But then the other half is purely just exploitation, just people being like, AI, call your one AI agent call you and talk to the other AI agent, and it's just two phones talking back and forth about nothing forever.
Josh Sokol
Someone's compromising NPM packages. It's just amazing how it escalates.
John Strand
Oh, yeah. And you can guarantee this app was vibe coded like money says.
Corey Thuen
The part about that I love is that it's not that, like, they just had a data breach where, you know, oh, we. We've accidentally exposed all of your data. That's what they were trying to sell. Like, that was their product.
John Strand
That is true. They were like, oh, crap. Did you actually buy our product by downloading the app? Oops. Yeah. I mean, I don't know. I think it is interesting, though, that these kinds of things are always going to be in, like, there's no way to fix this from an app store. Perspective like you, you can't be like, is the company that publishes this app have S3 buckets exposed? Like you can't. You know, it's a weird angle.
Joff Thyer
This story is just proof that we actually do live in the Upside down now.
Josh Sokol
Yeah.
John Strand
Oh, it's going to get worse. It's going to get worse. Joff, let's keep going. Oh, I know. So a couple of AI. There's a couple of AI articles in here that I wanted to talk about. One is the AI Darwin Awards, which I just find really funny. So basically the AI Darwin Awards are just. There's a website, 404 Media had an article about it, but there's a website that essentially is just. You can submit the dumbest things people have done with AI this year and the list is hilarious. The current, like, I would recommend taking a look at that. The list, it's a totally different website. You don't need to actually read the 404 article. But basically the, the winner or the like current frontrunner is the lawyer who used ChatGPT and then it made up cases that didn't actually exist. And the judge, that one is like, I think hard to beat. But there's a few other nominees in there that are just hilarious.
Corey Thuen
Like, aren't there dozens of those lawyers at this point?
Greg
I think so. I think so.
John Strand
The Taco Bell AI drive-thru one where someone ordered 18,000 waters, that one was good. There's a. There's a few good ones. So yeah, I mean, maybe I just think it's funny to have like, I am overall a supporter of AI. I think AI is a tremendously helpful tool for a lot of people and it does amazing things. But I also support understanding its limitations and making fun of people who do dumb things with AI. And so this last part's the.
Josh Sokol
Most important, the being able to make fun of people on this one. So Jeff, do you have any. Do you have a podcast dedicated to AI Security? I think. What's the name of your podcast with Brian and Derek and Ben and people.
Joff Thyer
Doing dumb things with AI? No, it's called AI Security Ops. But this article, I love it.
Josh Sokol
I absolutely love it.
Joff Thyer
The amount of times that I have thought, AI gives people task acceleration. It doesn't mean that you actually have to have a brainy idea to accelerate to begin with. You can have the dumbest idea forever.
Josh Sokol
And it will accelerate.
John Strand
Like making an app to record my call and then sell the data back.
Greg
That was the beauty of the original Darwin Awards was that it was so ludicrous it was all about people doing things so stupid that they removed themselves from the gene pool. Thank you very much for improving the species. Now this is just a different theater, as the military people would say.
John Strand
And I agree with the. The output is the same. Because this will make AI better, right? Like, arguably more so than the Darwin Awards, because as we. Most people. I would say most Darwin Awards are over the age of reproductive maturity, so it's not breeding its way out of the population.
Eric Conrad
Well, that only matters if they did have kids.
John Strand
Well, it doesn't matter how old they.
Eric Conrad
Are, as long as they haven't had kids yet.
Greg
If they had not spawned, they were eligible. If they had spawned, they could only get an honorary mention.
John Strand
The AI will get better because of this. And I guarantee you that some of this stuff has, like, if statements in the code. It's like, if. Hold on, if you are a lawyer, do this. Or like, I don't know exactly how it'll get implemented. I don't know.
Josh Sokol
So are there any stories that stick out for you from, like, the podcast that you're like, really dumb use of AI, that you're just like, they shouldn't have done that.
Joff Thyer
You know, I. I don't know that we've truly sought that out yet, to be honest.
Josh Sokol
We should add it in.
John Strand
Yeah.
Joff Thyer
Because, you know, the stories like this remind me of. You know, I look at artificial intelligence, I look at large language models and generative. Generative AI, you know, as a general concept, and there's this human capability amplifier effect that's going on, but I hadn't really thought about, and I suppose I should have, the human stupidity amplification, that can occur as well.
Greg
You've been technical stuff for how many years?
Joff Thyer
Well, well.
John Strand
But he works for Black Hills, where we assume good intentions and everyone's nice and hopeful and smart. We're not just using AI to spite each other all the time.
Joff Thyer
I try to be an optimist because it's. Today, honestly, today it's really hard to see because we're in a world of. Of actually AI amplification of uncertainty because of its probabilistic nature. Right. And to me, that's a really scary world that we're entering, and people are just not thinking about the potential consequences of that. And they are starting to happen. It's very obvious that they are starting to happen in multiple different areas. I mean, your stupid phones are doing dumb stuff just randomly, if you've noticed. Right. I. I'm even getting into a habit, even on podcast stuff, putting the phone in a damn chilled bag.
Josh Sokol
Because it's crazy.
John Strand
Hell yeah. You know, so, yeah, there's another AI article I wanted to run, run into real quick, which is the C2PA stuff. Has anyone been following this? Okay, so basically, C2PA or I. I don't know if there's a fancier way to say it, like some. But basically the image authenticity certificates is a concept which has been implemented as this thing called C2PA, which is like, sponsored by Adobe, which. Adobe is kind of the devil, but also kind of the center of all of this when it comes to, like, content. Basically the idea is, is there a way to trace the authenticity of an image to prove whether it was generated by a human being with a camera or with an AI? And this news article is that Nikon, which is like the number three largest manufacturer of cameras, had to revoke their C2PA certificates because the firmware of a camera essentially exposed the vulnerability in those and the way those certificates are generated. And they are useless now. But I guess from my perspective, like, I'm not like a big photographer, but I have a basic understanding of it and I. I have been. I use Adobe Lightroom for photo processing and it lets you apply C2PA at like, the processing level. So I'm not 100% sure. Like, from my perspective, I don't see why people would be taking images directly from their cameras and using them anywhere. So applying the C2PA step in a camera, I guess it's like the base level where the photo was created. So it's the best, like the best source of this. But I don't know, like, our other cameras have C2PA. Does anyone know anything about this?
Eric Conrad
So what I know is that Canon and Nikon were both on board with doing C2PA real soon now. But as far as I know, Nikon got it into actual hardware for sale first. The biggest problem with it, from my point of view anyway, is that the signing process can't do anything to indicate that the thing on the other side of the lens was real. Like, I can prove that this is a real photo that I took with an actual camera of something. But in that process, I can't prove that this was actually a starfield instead of a black sheet with a flashlight behind it and some pinpricks.
John Strand
Right. But it's more about copyright. It's about proving who took the photo, I guess, versus the fact that it is generated by AI. Or is it? That's not.
Eric Conrad
Well, that's not the claim they're trying to make. The claim they're trying to make by putting it in a camera is distinct from what you were talking about with Lightroom. Lightroom is about copyright. It is about: I own this image. I made this image, I modified this image. But the ones that are coming out of the camera are: this was actually taken of a real thing on the other side of a lens, with the claim that this will be useful for things like law enforcement to prove that this is actually evidence of something that happened. Instead of saying, oh, this photo that was taken has been photoshopped to pretend that this other person we're framing is the one who shot whoever that we happen to catch on this picture.
John Strand
It's like chain of custody kind of thing. And this.
Eric Conrad
It's exactly chain of custody. Yeah. It is intended to be chain of custody back to this sensor in front of a lens.
John Strand
Interesting.
Josh Sokol
And I will say kind of slapping like, you know, I hate to say this, but like NFT right on top of it. Like, you take a picture, bang. Now it's. Is it kind of that type of.
John Strand
It's more like public key, private key. But yeah, I think so. I mean, I guess my take on this is sadly any. I'm not sure what law enforcement is doing. I don't really want to know. But any kind of like image chain of custody investigation that's ever going to happen is going to have to use a blend of different factors. Right. Like having a valid C2PA certificate can't be like the be-all, end-all. It also has to, like, you know, is the picture of a TV, like, I don't know, like other things. So I don't know. It's an interesting angle, but basically Nikon will have to go back to the drawing board on this and reissue. You know, they'll basically have to start over on their implementation, hopefully with the pen test before they go to prod.
Eric Conrad
I think the only other potentially interesting question here is whether they're going to wind up in some kind of a class action lawsuit from all the people who spent extra for a camera with this ability.
John Strand
Yeah. Who knows? They'll probably make it right somehow.
Josh Sokol
Shut up.
John Strand
What are you, a lawyer?
Josh Sokol
Don't give them ideas.
John Strand
So, yeah. Really?
Joff Thyer
What do you mean, I have to patch my camera?
John Strand
So the other spooky one that I wanted to talk about, and this again is not like a crazy news story, but basically a journalist at the BBC was offered 15% of the ransom payment if they were to compromise their account. So this isn't like a new concept. Insider threats are real and established. You know, it's a real, it's a, it's a thing. But 15% of the ransom is an interesting angle just to understand what threat actors are doing. I mean, obviously, like, as a sane person, you'd be like, okay, like, no backsies, like, you're totally going to pay me. Right? No, you can't, you can't just say you're going to pay me and then not do it.
Josh Sokol
That would be the neon story. There's a lot of really dumb people, people out there take advantage.
John Strand
15% of the ransom. This, I mean, they basically, the purported, you know, messaging back and forth is basically the threat actor saying you'd never have to work again. You can retire on this amount of money. I will say though, the BBC is based in the UK and the UK banned paying the ransom. So 15% of the ransom. 15% of $0 is $0.
Josh Sokol
Yeah. Speaking of which, how is Range Rover and Jaguar doing?
John Strand
That's a good question. I don't know.
Josh Sokol
Actually. The last news story I saw is that there's serious conversations about a government bailout to help them.
Joff Thyer
They're in real trouble. Yeah, that's what I saw too.
John Strand
Yeah. I don't think there's been any updates. Some firms have posted. I mean, they're, they're still, as of four days ago, they're still.
Josh Sokol
Let's go to an update on this ransomware attack. It's bad. Thank you.
John Strand
Thanks for the update, John. Much appreciated. But yeah, I mean, I don't know, I think this is just an interesting way to. This is a bigger dollar value. Like in the past we've joked about like, oh, users will give up their passwords for 15 bucks or 5 bucks or a candy bar or whatever. Like, as far back as you go, there's some story about people being willing to compromise their own accounts, but nowadays they're having to offer people 15% of the ransom, which, that's a lot. I mean, if their ransom was a million dollars, that would be hundreds of thousands of dollars. And we know ransoms can go into the tens of millions. So I don't know, it's an interesting angle to think about, like, how much they have to offer people.
Josh Sokol
The United States has been using this for a long time. Right. Like, you know, you'd be surprised how many cyber off, like offensive cyber operations involved just a suitcase of cash and a USB stick. Right?
John Strand
Sure.
Josh Sokol
You, you basically go to someone and like, here's a whole bunch of money. Plug in this and run it. And if they're like, no, then you're like, then we're going to tell the organization or the group or the country that you're with that you're talking with us. And then you will be killed. Do you want to be dead or have a suitcase full of money? It's really a super easy choice. Right. I think the hardest thing for a ransomware organization would be how do you choose your target? Right. Like, how do you identify a disgruntled employee that's disgruntled enough to the point where they're willing to take that money and assist the ransomware organization? But you've got to wear it if you're an old code of Reddit.
John Strand
Yes, yeah, Reddit. Or just crack the passwords and then just whoever has the password. F Company.
Josh Sokol
Right. But you got to be kind of scared if you're an organization that's 100,000 users. You know, one of the things we always talk about BHIS is those really monster organizations are far easier to break into than an organization of like 100 employees. Right. And it's just because the attack surface is so huge and there were ad campaigns. You start surfing the Internet on X or LinkedIn or something. It's like, do you hate the company you work for? Would you like to make 15% of a ransomware attack? Click here to get more information. I. I honestly think that it would probably be, I'm guessing a good solid 1 to 2% of organizations may be willing to take. Take attackers up on something like this.
John Strand
Oh, I mean, this is. We have an entire product line of BHIS specifically built to. You know, this is what an assumed compromise is designed to test. Assume someone in your organization takes a ransom. Like, does this. Now, can they actually lead to ransomware? That's the concern, not whether someone will do it or not. And actually, one of the articles I guess this segues into really nicely is the one you linked about someone posted. The article is essentially phishing training doesn't reduce phishing occurrences.
Greg
Yeah.
John Strand
So, which makes perfect sense to me because as long as the number's above zero percent, you still got phished and it doesn't really matter. I've been saying for years that the whole, like, percentage click rate thing is useless. Like, it's not. It is not useful to say, oh, 40% would click versus 10% would click if anyone would click. You need to be able to contain that risk and have a response.
Josh Sokol
You're getting to that point where people are investing in security and management likes to see numbers, right? They like to see, are we better now than we were five years ago? We spent $200,000 on our user awareness and we went from 40% click rate to 10. I think your point, you know, just making sure that I'm getting it right, is 10 is still screwed. Right? Like, if you're going from 40 to 10%, that's still a big enough gap that can actually allow bad stuff to come into your organization.
John Strand
Yeah, I mean, you're right. That really. And that really is what it is. I. And I would, you know, if I was CISO for a day or whatever, what would I do? I think having a cyber security awareness training program is, I mean, it's literally required for compliance, first of all. But second of all, phishing, you know, phishing techniques or whatever, making sure people are aware of that, it's not going to hurt.
Josh Sokol
Stop. Corey. She's like, shut up.
John Strand
It's worth, it's worth the money.
Josh Sokol
It's worth the money secrets. Stop.
John Strand
So it's, it's worth the money. But at the same time, I think you just have to kind of set your expectations to. We have to assume people are going to click. Like, you know, it's. It dovetails with the assume compromise thing. Like do an assume compromise and see what happens when someone does click. Don't ask the question, well, what if they click? Just assume they did.
Josh Sokol
All right, so great question is what metrics do we report? I think that one of the things that's interesting, and we were talking with another customer today about this, is that the standard Office 365 protections that exist as far as stopping a lot of the spear phishing attacks that come through are, let's just say, not as stellar as they could be. So if you're looking at other. Abnormal is one product, Sublime is another product that can actually stick on top of your email. And you can get really good metrics as far as like, you know, what are some additional spear phishing style attacks that the standard Office 365 suite is not detecting? And then like Corey said, you know, move away from the statistics of being like the click rate and being like, what type of lateral movement can you detect in your organization? And honestly, you know, I do have to get a map of this, but there's probably like six or seven first step post exploitation techniques that attackers do. It's not a huge number. Right. You know, there's going to be these opening moves that the attacker is going to go through. How many of those opening post exploitation moves can you detect? So if you're going to be gathering metrics, I think a lot of it goes into adversarial simulation, post exploitation simulation and kind of dealing with that post exploitation attack surface management reduction.
John Strand
I agree with that. Also, I swear to God, I just.
Josh Sokol
Started presenting my slides from one of my classes.
John Strand
Also also just findings, I mean like again, like on the assumed compromise angle, if I can go from a regular employee to ransomware level control of your organization, that's a problem. That metric needs to go down.
Josh Sokol
And, and I'm gonna, you know, pro tip if you want to know. One of the, one of the things that we do for our SOC, as a part of our SOC offering, is we do Active Directory reviews and we do cloud security reviews. Right. It's not a full pivot or a full pen test, but God, if we could take 90% of the easy lateral movement off the table, that actually saves me money in the long term because my SOC customers aren't going to get compromised as much. And I would think that any security operations center should be doing that for their customers. They should be doing some basic level attack surface management to try to reduce that risk as much as possible. Perpetually pen test. Yes, we do that too. Somebody says, so you guys. Perpetually pen test. Yes, we do have that. Corey runs that part of BHIS. He's over there.
Corey Thuen
So from the, from the assumed compromise angle and the whole, you know, what happens if somebody tries to bribe one of your employees? Has anybody ever asked a question, can you tell the difference between oops, I clicked a thing and haha, I clicked a thing because I'm going to get 15% of the ransom? No, you know, I mean, if your policies don't have any teeth to oh, I made an oopsie, then I mean.
John Strand
You just have to do an investigation and you know, if you have evidence, you have to be able to collect evidence of what happened. And if you collect evidence that someone's an insider threat, you have to, I mean, that person can't work there anymore.
Josh Sokol
That whole oopsie thing. And you start getting into some of these highly targeted attacks. And I am, I am convinced that under the right conditions, with the right information, we can get anyone to click a link, you know?
Joff Thyer
Yeah, I, I think that's absolutely correct. Actually.
Josh Sokol
Most of the time our restrictions aren't because of lack of imagination. Our restrictions are because our customers are like, whoa, whoa, whoa, pump the brakes a little bit. Like I remember, you know, during COVID, you remember there's one pen testing firm, not us, that sent in a spear phishing campaign that basically was free COVID tests. And this is before COVID tests were available everywhere. It was like, sign up here to get a COVID test because we're considered critical infrastructure. And they crushed it in that spirit.
John Strand
So the other thing I want to bring up is that clicking a link doesn't mean anything in climate. Like really, first of all, you can just design a security program around assuming users click links and have nothing happen. If I click a malicious link, there's so many like, that's again, like YubiKeys and MFA. And like clicking the link doesn't mean everything. It's clicking the link, then approving a bunch of MFA pushes, then doing a device code auth, then doing Quick Assist, then installing RustDesk and AnyDesk and LogMeIn and then downloading a bunch of files and emailing them to you and then giving you my password. Like, you know, there's going to be a chain of what happened.
Josh Sokol
I think that organizations need to be able to look at that attack path that you just laid out and basically say, what are the different detect points within that attack path?
John Strand
Yes, exactly.
Josh Sokol
And if we're talking about security metrics, I think that those are the security metrics that we're trying to drive our customers to do. Right. Instead of spear phishing. And we do it. I mean, it's a proposal offering because we have people that ask for us, we would like to have metrics based phishing and we get into conversations like, we can do that. There's other ways to do that built into Office 365 that you don't have to pay us for. But yeah, we still have people that want to do it.
John Strand
Yeah, Click rate is nothing. Click rate is the barest thin end of the wedge when it comes to how good your security posture is. And it really isn't going to tell you much.
Joff Thyer
And the targeting aspects, very real.
John Strand
Right.
Joff Thyer
I mean, today, you know, we can design a phishing campaign that's very highly targeted to a very specific set of individuals or even a single individual that has very good OSINT in it that you're going to get that person. Click.
John Strand
Right.
Joff Thyer
So that, yeah, that's not where it's at.
Josh Sokol
I, I would, and I would love. There's no way in hell that this is going to happen, but I would love to be able to be like, which of the people in this organization are most likely going to hand over the keys to the kingdom for 15% of the ransom? That would just be, you know, it's evil. But let's be honest, thinking of evil things is kind of fun from time to time. But there's a whole host of things, and this probably gets into a.
John Strand
You sound like Kraftwerk, dude.
Greg
Was that me? No, it wasn't me.
John Strand
Okay.
Josh Sokol
Right now, everything went to hell just like that.
John Strand
Like right when we are the robots, people.
Corey Thuen
Can one of y' all reboot your Dawn Deepfake, please?
John Strand
Yeah, Joff, your. Your server overheated. Crap.
Joff Thyer
The GPU went to overdrive.
Josh Sokol
I'm back. I think I acquired a new ring of satellites. So can you hear me? Yes. All right. I think Ed Bronwyn knows what this is like. Reacquiring. Reacquiring. All right, so I'm going to do a quick walk through. So what we're doing, in case you're curious, whenever we do webcasts, not all of our webcasts, but we're trying to add in a mini CTF challenge for that CTF. And by the way, we have on the Discord channel, we have a number of people from BHIS and we have the winners, which will be announced. I emailed them in to the team. So, Zach, could we please hit out the winners? We had the random winner that gets one year of the entire catalog of Antisyphon security training on demand, which is really cool. So congratulations to them. And then the other winner is just a random. Is the one that had the best write up that gets a free Antisyphon training class of their choosing. So if you want to be part of this, join our technical webcast this week. The next one will be Patterson Cake's. I will have a cyber range challenge on that. So come to that webcast, do the CTF at the end and then I'll do the walkthrough at the end of the news next week, which isn't on Monday. I believe it's on Wednesday next week. All right, so I'm going to share my screen really, really quick. We're going to allow that. And I'm going to share my entire screen. We're going to do that. All right. I am in the cloud range doing cloud range things. So as part of this challenge, you were supposed to download a zip file that had a bunch of artifacts in it that were EVTX files of an actual attack. And the first thing I did whenever I'm doing this is I went through and I wanted to look at what does NetExec look like through the lens of DeepBlueCLI from Eric Conrad. And it actually answers a couple of the questions that were part of the CTF right away. One of the questions was what was the total number of login failures? There were 207 logon failures for multiple different accounts.
And that's kind of fun. The next question was what was the administrator level account the attacker got access to? And that account was Dennis. Which actually leads us to our first detect, the first good detect. More than just multiple logon failures. If you have an admin level account that keeps getting logged into and logged out of multiple times and it's not normal, that should probably be some type of risk based alerting, some type of scoring associated with that account. And this is just a standard user account that did multiple login attempts. I also have what it looks like from the back end. My initial compromise in this particular system was I was using the auxiliary scanner SMB login within Metasploit. And this is for a lab that I'm doing in a couple of weeks at Cyber Bay. So check that out, where we give it a file of a number of users, give it a password, let it run, and you can see it attempt to authenticate to all of these different accounts. You can see it got into Christopher, got into Dennis's account and immediately flagged it as an administrator level account and got into Gregory and a couple of other ones. But the only one that was admin was Dennis. So you can see what that attack actually looks like there. So that was kind of the first question. The other question was around what was the service that keeps getting fired up. Now NetExec, when it runs, NetExec is kind of cool in the fact that it queries LDAP to get a lot of the answers from a domain. But the other thing that it does is it fires off again and again and again the Remote Registry service on a system. So if you're looking at the actual event logs of the computer system, you will see. Let me hide this real quick. You will see a whole bunch of different instantiations of the Remote Registry service on the computer. Like right here. And this comes from Sysmon, which I'm going to talk about here in a couple of seconds. So you can see it in the system event logs right here.
You can see that every time I ran the tool, Remote Registry started and then stopped and then started and then stopped and then started and then stopped. So that's kind of a cool detect there. But you can also see it in the Sysmon event logs as well. Now this particular configuration of Sysmon just really didn't give us a lot. We were able to see the Remote Registry service firing off multiple times on this system. So you can see that is once again it's kind of corresponding and kind of corroborating what we were seeing in the system service. So the other question I said is how much value are we getting out of the Sysmon event logs? I honestly don't feel like it was a lot of really useful information, but it was something, right? It kind of corresponded and kind of like corroborated what we were seeing in the system. So we had three separate event logs. We had the security event log, showed all of the different failed login attempts for all of the different users in the password spray that we had with the 207 failed login attempts there as well. So I had a full breakdown and you can get that in my intro class files. You can see the attack view from Metasploit and I also shared the attack view from NetExec where I was going through and querying the shares, querying LSA, trying to query different secrets, doing user information and pulling user information all from the Dennis account. So you can see what it looks like there as well. So does Zach have the. Let me stop sharing. Does Zach have the winner on that IT career questions? Did we announce the winners? Oh no. Banjo Crashland also pointed out that we've got a link where you can register for the next webcast. We have a couple of webcasts this week that are pretty fun. The one that I'm doing, that I did a CTF challenge and then Patterson actually contributed as well, is dealing with business email compromises.
So if you can be on our Discord server, which we recommend that you join our Discord server, you'll be able to do that and you'll be able to join that webcast. The other thing is do we got it? There we go. James O won the class of their choosing. Very nice little write up. And by the way, there was a number of great write ups I just went through. I scientifically weighed all of them and I decided that James was the one that won. And then M42 Eagle got a full year of on demand training. And yeah, we do full catalog training for ridiculously low price for corporations as well. And by the way, if you would like a lab, if we could pop this up on YouTube, let me put it into chat. Tiny URL, tiny free labs, free. If you want to register for a lab environment and you can play around with the things that I did, we have a little survey where you can fill that out and we will get you access to our lab environment. And I think it comes with 16 hours of labs so you can play around with our full lab environment because we have all kinds of free intro labs that we do for my pay, which you can training. So also the Kickstarter is going up for the Future is the next graphic novel. I think we're almost at 50,000. We're almost completely funded for that Kickstarter. We have some really cool things that are out there as well. So like I said, this is a little bit different. We're trying to integrate our webcasts and doing more CTFs and more hands on. And I really want to try to do as much hands on as I can, incorporating that into the news. I don't think we need a full 20 minutes, y'all. I think we're gonna switch it to probably 15. And that might vary on the news from news segment to news segment because we're trying to do as much hands on and give as much as we possibly can to train up you and your teams. So please check it out. So I think that's it, Corey. That's all I have. Unless we have one more news story. Anybody have anything to add?
By the way, all of that crap that I did is what everybody should be doing. Going through and running a tool, looking at the stimulus and response. What are the logs that are generated? How do I write signatures for that? Because I'm going to be honest with you, NetExec, which is the spiritual successor of CrackMapExec, it doesn't generate really clean event logs of like, you know, running NetExec now. And if you catch event ID 666, you can catch this tool too. There's nothing like that. But learning what the tools look like in your environment allows you to capture the appropriate logs to be able to detect these things. All right, Corey, any final things?
John Strand
I mean, not really. We can close it. There is, I guess like on the. There's one article that just has some crazy photos that I think are worth just kind of as like a final thing. It's that Secret Service article with the cell carrier takedown. They did telecom provider takedown. Did anyone else see this? It's just so weird. So here's the deal.
Josh Sokol
What I have, what I've read, honestly, whenever I looked at it, I didn't like people were like, it's gonna take down the UN. It looked to me just like a standard SIM, like, like spamming operation.
John Strand
Yeah, yeah. I. I can't tell.
Josh Sokol
But the ones that I've seen where People are just spamming cell phones with like, you know, please download this Neon app. Those. Those operations looked like this. And it didn't. It didn't honestly look to me like a malicious cell phone attack operation. Even though everything they said is true. It could have brought down cell communications. Yeah, really bad.
John Strand
I think that's fluff. I think that's putting extra feathers and fluffing it up to be the impact. I just think if you look at the pictures, I'm like, how do I buy one of these things? Because, like, I'm assuming you're right. I'm assuming this is a. This is a someone's idea of a startup, maybe, or just scammers being scammers of like, hey, we need to be able to send text messages to a million people. How do we do it? And like, so just to give some context, just to give some context, if you go back to one of the earlier pictures. Sorry, Megan. I'm assuming basically how this works is on the front there you have SIM cards and on the back there you have the radio antenna that the SIM cards are connected to. That's basically like a device that has 256 or whatever phone VoIP capability in like a 1U or sub-1U. There's a.
Josh Sokol
Lot of people like, this is an Israeli or Russian operation. And honestly, nation states won't hobble a bunch of shit like this together. Which, by the way, I do want to call out props to cable and antenna management. Whoever set this up, you did a great job. I'm not ripping on you. I'm just saying they're not going to do it that way. Nation states are going to get dirtboxes or Stingrays. Then none of this was stuff that like. Like, if a nation state's going to do it, they're going to do it right with the.
Joff Thyer
Right.
John Strand
Yeah, it is interesting. I feel like this is scammer territory, I feel like. Because if you look at some of the pictures, it's just a residential ISP plugged into, like, that's clearly just an apartment, right? It's just like a residential Comcast box plugged into, you know, 5,000 cell phones. And they're probably selling those as like, mobile IPs. There are services that let you sell access to mobile IP addresses. That's my guess for this. And it's just like someone's idea of either using it for scamming or selling the mobile IPs in New York City. Like, this is a virtual provider of this.
Josh Sokol
That's my guess that air conditioner on that last. That last shot. That air conditioner did something bad in a previous life because now it's in hell.
John Strand
That's the goodest place.
Josh Sokol
I'd love to know what other people are saying. Initially, when I first saw the stuff that was on the rack, I was like, well, that's interesting. And then when I started seeing the on the floor, kind of the way it was laid out, it really just looks like cell spam garbage.
John Strand
If. Yeah, if you use a anonymizing proxy and it's down this week, switch to a different anonymizing proxy.
Josh Sokol
For some reason, I can't go through New York. I don't know. It's.
John Strand
The New York Data Center's down. What the heck? What's going on?
Josh Sokol
So weird.
John Strand
All right, let's close it out. Thanks, everyone, for coming, and we'll see you next week. Oh, by the way, we should say this. It's going to be a live show next week. Right? We're not going to have the news on Monday. Correct. Hopefully I'm not lying.
Josh Sokol
Yep.
John Strand
We're doing it on Wednesday for all the people that are coming to Deadwood, I look forward to seeing you there. Stop us. Say hi. And, yeah, thank you all for listening.
Josh Sokol
By the way, if you're at Wild West Hackin' Fest and you see me and I'm walking around and I look incredibly pissed off, I'm not mad. That's just my resting face.
John Strand
He's just hungry. He's hungry. Bring him a snack.
Josh Sokol
All the time. As soon as you come up to me and you say, hi, we're. I'm fine, I'm fine. Just come up, please. Interrupt me.
John Strand
Offer him a banana, and then. Then.
Josh Sokol
We haven't done that.
Eric Conrad
Radiation.
Josh Sokol
We haven't brought it up. The word has not been spoken once. But I don't have chickens anymore, otherwise. You know, maybe we could do a chicken thing at my house, but all of my chickens got eaten by a fox or something.
John Strand
So can we have, like, a ceremony where we, like, launch new chickens into the world?
Greg
Fly free, little chickadee.
John Strand
Launch wasn't the right verb. Hatch some chickens. I don't know. Should we have, like, a webcam with chickens? I don't know. Anyway.
Josh Sokol
Real quick, let's. Let's call it.
Joff Thyer
I'm seeing rubber chickens fly.
John Strand
Fuck this. I'm out. Bye, Sam.
Episode: 2 Million Cisco Devices Targeted by Exploited 0-Day
Date: October 2, 2025
This episode dives into the latest Emergency Directive from CISA targeting a massive Cisco zero-day, key trends in network device exploitation, insider threats, the (futility of) phishing awareness, some AI security hilarity, and hands-on incident detection training. True to form, the Black Hills crew blends technical insight with their signature irreverent humor.
[03:06–17:58]
Notable Quote:
"The future is here. It's just not evenly distributed. You have a lot of organizations implementing amazing security posture ... and a good percentage running stuff that's horribly out of date."
— Josh Sokol, [05:29]
"Why pwn an endpoint when you can pwn the network that all the endpoints are flowing through?"
— Dale Peterson, [07:06]
On the Scope:
"Out of the 2.69 million [Cisco] that are out there, there are 36,000... with port 443 open and there are 37,318 that have port 80 open. For some reason there’s a whole bunch of port 8888, 8443, 4444..."
— Josh Sokol, [16:52]
[19:28–23:24]
Quote:
“My favorite thing about this article is that now we have the answer to what our privacy is worth. $30 a day.”
— Greg, [19:28]
Larger point: The app store and ecosystem are structurally incapable of weeding out these types of privacy-trade-off scams.
[24:17–28:03]
Quote:
“There's this human capability amplifier effect ... but the human stupidity amplification ... that can occur as well.”
— Joff Thyer, [28:03]
[34:10–37:59]
Quote:
"We can get anyone to click a link, you know?"
— Josh Sokol, [43:07]
[38:29–45:11]
Quote:
“Click rate is nothing. Click rate is the barest thin end of the wedge when it comes to how good your security posture is.”
— John Strand, [45:11]
[46:36–55:57]
Quote:
“Learning what the tools look like in your environment allows you to capture the appropriate logs to detect these things.”
— John Strand, [53:34]
[55:57–59:23]
Quote:
"That air conditioner ... did something bad in a previous life. Now it’s in hell."
— Josh Sokol, [58:59]
On targeting old network gear:
"Ditch your ASAs, people ... If you have to go centralized VPN, maybe just get one that isn’t end of life."
— John Strand [17:34]
On operational reality:
"A lot of these vulnerabilities are in the control plane ... you should never expose to production. So people are just not architecting things correctly, they're just throwing stuff out there."
— Joff Thyer [12:45]
On new threat realities:
"They’re not subscribing to CISO Alerts. They don’t listen to this podcast. They just keep doing their business."
— Josh Sokol [10:42]
On the Neon privacy-for-cash app:
"Who is opting into this? The people making phone calls don’t even know what AI is ..."
— John Strand [19:48]
On the utility of security training metrics:
"As long as the number’s above zero percent you still got fished and it doesn’t really matter."
— John Strand [38:30]
This episode is a treasure trove of practical infosec lessons, war stories, technical walkthroughs, and gallows humor about the “state of the state.” The team cuts through hype and offers real-world advice, especially around network security, the limits of user education, detection-first thinking, and resilience planning for assumed compromise. If you want security insights that mix technical depth, honesty, and hilarity, BHIS continues to deliver.