Talkin' About [Infosec] News, Powered by Black Hills Information Security
Episode: Prove That You're Wearing Pants
Release Date: February 19, 2025
Hosts: Black Hills Information Security Team
Description: Join the Black Hills Information Security team each week as they dissect the latest in information security attacks, breaches, and the underlying causes. From penetration testing insights to discussions on emerging technologies and their vulnerabilities, this podcast is a must-listen for anyone passionate about cybersecurity.
I. Modern Workplace Etiquette: "Prove That You're Wearing Pants"
In a humorous analogy to traditional workplace attire, the hosts discussed the modern expectation of showing one's pants during virtual meetings. This segment highlighted the evolving norms of professional presentation in the digital age.
- John: “[...] we need to just think of it as like the most average phishing email, the most average whatever. [...]” (05:34)
The conversation delved into how turning on webcams has become the new formality, akin to wearing a three-piece suit in physical conferences.
II. Fortinet's Dual Role: Vulnerabilities and Trustworthiness
A significant portion of the episode focused on Fortinet, a prominent cybersecurity firm, examining both its vulnerabilities and its ranking on Forbes' trust list.
A. Fortinet CVEs and Security Concerns
The team addressed recent CVE (Common Vulnerabilities and Exposures) disclosures related to Fortinet products, emphasizing the ongoing challenges even top-tier security firms face.
- John: “None of it means, wow. None of it means a thing.” (14:18)
He criticized how Fortinet's CEO leveraged Forbes' trust ranking to enhance the company's image, despite the existence of vulnerabilities.
B. Forbes' Trust List and Its Implications
Fortinet's inclusion in Forbes' list of the most trusted companies sparked a debate on the relevance and methodology behind such rankings.
- Corey: “I think the thing that gets me is the concept of trust. I think a cyber security concept like trust is now just like, should you buy this?” (10:53)
Wade explored the criteria Forbes used, questioning the disconnect between security professionals and business-oriented rankings.
- Wade: “They graded them on four different things. Employee trust, customer trust, investor trust, trust, and media sentiment.” (08:22)
Kelly provided a counterpoint, suggesting that Fortinet's appeal also lies in its cost-effectiveness and ease of use compared to competitors like Cisco.
- Kelly: “Fortinet licensing [...] is a little less than Cisco.” (14:10)
Overall, the discussion underscored the tension between perceived trustworthiness and actual security robustness.
III. Recent CVEs and Security Vulnerabilities
The hosts delved into several critical vulnerabilities impacting major platforms and services.
A. GitHub Enterprise SAML Bypass (CVE-2025-23369)
This significant vulnerability allows unauthorized access to user accounts by exploiting SAML (Security Assertion Markup Language).
- Corey: “It's a SAML flaw. [...] you can impersonate users, right? So unauthorized access to user accounts, then you can elevate privileges, then you can compromise repos.” (16:34)
The flaw is particularly concerning for organizations using GitHub Enterprise as a repository for sensitive code and secrets.
B. BeyondTrust CVE Linked to Postgres Zero Day
Another critical vulnerability linked BeyondTrust's exploits to the Postgres database system, highlighting a complex chain of attacks.
- Corey: “...a metasploit module that can exploit it that's recently been published. That's pretty cool.” (19:08)
C. Apple Device Vulnerabilities
The discussion touched upon recent vulnerabilities in Apple devices, stressing the importance of patching.
- Corey: “Patch your iPhones. The patch came out today, so I got it today, so...” (36:34)
The hosts emphasized that many pen-testing firms may not have immediate visibility into such vulnerabilities until exploited.
IV. AI in National Security
A deep dive into the intersection of artificial intelligence and national security, sparked by remarks from the NSA director.
A. Human Oversight in AI
The NSA director advocated for maintaining human involvement in AI processes to ensure diversity and prevent homogenized thinking.
- John: “We put the human back into AI. It's key.” (20:11)
This perspective led to a broader discussion on the limitations of AI in handling out-of-the-box thinking and its reliance on diverse datasets.
B. Diversity and AI Training
The importance of diverse data in AI training was emphasized to prevent biases and improve the model's ability to handle unique scenarios.
- John: “...you can start looking at like different coins and like cryptocurrency space in different meme coins. [...] you're going to absolutely miss the possibility of potential Black Swan style events.” (27:14)
Bronwyn highlighted how role-based access control (RBAC) can safeguard AI systems by ensuring that only authorized personnel interact with sensitive data.
- Bronwyn: “Copilot Enterprise does have some ability to do role based access control, sort of.” (25:28)
The discussion underscored the necessity of integrating human judgment and diverse perspectives in AI development and deployment.
V. Government Data Exposure and Shodan Findings
The episode addressed concerns over increased data exposure from government agencies, as tracked by Shodan, a search engine for internet-connected devices.
- John: “If your CEO and CTO is getting their news about what products to buy from Forbes, you're failing at your job.” (16:34)
The hosts expressed alarm over the trend of government data becoming more searchable and accessible, raising questions about data security protocols.
A. Analysis of Shodan Trends
Wade examined reports indicating a surge in government-related data appearing on Shodan, suggesting lax security measures.
- Wade: “It's a call to action to get more federal or a federal privacy law that's been updated since you know, the last privacy law wasn't updated until 1972.” (58:28)
John shared firsthand experiences from his time in government, recounting instances where data exposures were mishandled due to urgent demands overriding security protocols.
- John: “But what's worse is after that immediate precipitating event that causes that security, like exposure, almost always that exposure gets forgotten about and they move on to something else for a while.” (40:29)
VI. SIM Swapping and SEC's Twitter Account
A cautionary tale about social engineering and identity theft was shared through the conviction of an individual who SIM swapped the SEC's Twitter account.
- John: “[...] he made a fake ID from them, walked into AT&T's retail store just to [...] purchase an Apple iPhone [...] that's how he did it.” (48:34)
Corey emphasized the risks associated with SMS-based two-factor authentication, advocating for more secure authentication methods.
- Corey: “Don't use SMS-based 2FA. Like we've talked about that a hundred times.” (48:30)
Kelly added an interesting angle by questioning the potential legal implications of AI prompts being subpoenaed.
- Kelly: “Have you seen any cases where somebody's AI prompts have been subpoenaed?” (48:53)
VII. Sandworm Threat Actor and Microsoft's Attribution to Russia
The episode covered Microsoft's attribution of recent US and UK cyberattacks to Sandworm, a Russian-affiliated threat actor group.
- Corey: “Microsoft Fingers Russia's Sandworm in US UK Attacks.” (51:08)
The hosts discussed the nature of Sandworm's attacks, noting their reliance on older vulnerabilities and the implications for national security.
- Kelly: “Sandworm has been around since at least 2017.” (52:36)
John highlighted the sophistication of Sandworm's operations and the ongoing challenges in mitigating their threats.
VIII. Data Privacy and Consumer Choice: Call to Action from Bruce Schneier
In a segment aimed at emphasizing the urgent need for updated privacy laws, the hosts discussed Bruce Schneier's latest insights.
A. Failure of Consumer Choice in Data Privacy
Bruce Schneier critiqued the ineffective reliance on consumer choice to protect privacy, advocating for robust federal legislation.
- Kelly: “It's a call to action to get more federal or a federal privacy law that's been updated since [...]” (58:28)
John expressed skepticism about the likelihood of achieving meaningful reforms, drawing parallels to past efforts and ongoing monopolistic trends in the tech industry.
- John: “Consumers won't pay for privacy. It's the reason we're in this situation.” (60:18)
B. Future of Privacy Standards
The conversation touched on potential industry shifts towards "data transparency" akin to sustainable practices in other sectors, though skepticism remains about consumer demand for such measures.
- Corey: “Is there going to be companies that have like a no data, like stamp of approval?” (55:19)
IX. Conclusion: The State of Information Security
Wrapping up the episode, the hosts reflected on the multifaceted challenges facing information security today, from corporate trust issues to sophisticated cyber threats and the imperative for diversity in AI.
- John: “We've got some serious breakdowns.” (12:35)
- Corey: “It's always been garbage in, garbage out. It's always been garbage in, garbage gospel.” (35:00)
They reaffirmed the importance of staying informed and proactive in addressing these evolving security landscapes.
Note: This summary captures the core discussions and insights from the episode, embedding notable quotes with corresponding timestamps for reference. For a comprehensive understanding, listeners are encouraged to tune into the full episode.
![2025-02-17 - Prove That You're Wearing Pants - Talkin' Bout [Infosec] News cover](/_next/image?url=https%3A%2F%2Fassets.blubrry.com%2Fcoverart%2Forig%2F577207-646458.jpg&w=1200&q=75)