Loading summary
A
We're going out.
B
The sound of silence.
A
I'm waiting for it to latch. I'm waiting for it to latch.
C
It's like.
A
What is it like a baby?
D
Yeah, like NASA.
A
Oh, it's like. It's like a little baby. It's like latching onto stream.
C
Like of rocket ships and you were thinking of babies. It's funny.
E
Yeah, that's.
D
I was going rocket ships more so.
A
Rocket ships, you know, like, you know.
C
Detaching, latching to the booster or something.
A
I don't. That made it through.
E
People heard that.
A
Yeah. It happened right as. I'm glad it's latched. I'm glad either rocket ship or baby, whatever this podcast is, to be fair, it's only like a minute old, so it should be a baby.
B
Fair enough.
E
Rockets are babies at some point.
C
So I think John's just going to keep like coming and appearing and reappearing and like it'll say something and then it'll disappear. Come back and blame his Internet.
A
As long as we get one good John rant, we'll have our bingo cards checked and we'll be good to go.
C
Sounds like a plan.
A
We can trigger him. Just whatever he shows up. We'll use the most triggering article, which I don't know what that is, but keep that in the back of your.
B
Mind and most likely, you know, again, his video will freeze at the most inopportune time, thus creating and that then speaking of babies, that is how a new GIF is born into the world. A new beam is when John's video freezes.
C
It's be quick on the screenshot because you know, the gift it keeps on giving. GIF it keeps on giving is John Strand doing this, as you know, and they made it into a Christmas themed deck for me. You know, just saying.
A
The GIF that keeps on giving.
C
Jiffing the GIF it keeps on giving.
A
Hello and welcome to Black Hills Information securities. Talking about news. It's August 18, 2025. We're here to talk about all the news that we found and mostly chickens. That's. That was a lie. I'm sorry. I just lied. The first thing I did on the podcast today was just lie.
D
At least we got it out of the way.
A
Okay. Yeah, that's true. That's the only lie. I'm gonna do the whole podcast. I did find a chicken article though. Oh, okay. So I throw one in there. Thanks for. Thanks for making me honest. There you go. That's what it takes. You just need friends that will unlie for you. That's what you need I rewrote reality to make your lie into a truth. Some articles for today. We've got Perplexity trying to buy Chrome for 35 billion, which, I mean, first of all, that's more than they're worth.
D
Which twice what they're valued at twice.
A
It's like, all right, block kills Information Security. We're going to acquire Cisco. Okay, don't worry, don't look at our numbers. Don't look at our. Don't worry about how much money we have or how much money.
B
Yeah. And this will mark the first time in history anybody's overpaid for an Internet platform.
D
Yeah, I was thinking the same thing.
A
Yeah, I was going to say honestly surprised it's not Yahoo. Right. Like Yahoo has paid for the most or overpaid for the most Internet properties I think, of any company ever. I mean, what's the deal with this? Does anyone actually know, like all cash, who's. Where's the money coming from? Like, what are they going to do? Sell some GPUs on eBay? Like, I don't get it.
F
From what I understand, it's trying to head off the doj, which makes me believe somewhere in the line there's a shell company that has Google money inside of it, that Google is financing on the outside. We've seen dirty business deals before. It wouldn't surprise me in this day and age if there was. If they were trying to do some sort of vendor round on it and say, see, we don't own it anymore. Perplexity owns it.
D
Yeah.
A
You're saying they would like pass the money under the table and be like, hey, make an offer they can't refuse. Like, is that. Yeah.
D
I mean from like a tactical perspective from Perplexity side, like they just put a ton of money into their chromium based browser which like integrates really heavily with their own models and things. So I guess it would make sense for them to want to, I guess claim more ownership of that. But someone made a point on like the pre show that maybe they just want to have the first offer and it's just an offer. So ridiculous because again, it's twice what they're valued at, basically. Yeah, I'm sure they can.
A
I mean, how much is Firefox worth? Like, like our browsers worth $35 billion.
D
Well, DOJ 50 cents.
E
DOJ claims Chrome might be worth somewhere between 20 and 50 billion. So 34 and a half is a pretty split the difference kind of number to pick. But like what business does perplexity have going, we're almost 20 billion.
A
I got some friends.
D
We can just say things are worth whatever. Like, hey, my house is worth 38 billion. Do they want to buy that too? Like, I'll sell it to them right now.
C
Yeah, mine's only worth 37 billion. So they can take mine instead.
D
We can trade, you and I.
A
They were like, if the stock after this offer goes up enough, we can afford it. Yeah.
F
Really thinking about it from two perspectives. One, the ad revenue that Chrome's Chrome generates, along with the huge user base. Number two, the way that they're integrating AI into it. With Perplexity taking over from Gemini, the amount of money that they could potentially bring back in could be worth putting that sort of money up and going basically overboard into debt to try and grab it if they have a feeling that it might not be where it is. I mean, I don't know what sort of market share Perplexity zone integrations into Chromium are worth at this point in time, but getting the whole Google data, Google user base, the whole Chrome user base into there, that's gotta be worth worth its weight in gold, I would imagine.
A
Well, so I don't want to turn this into a business podcast, but to be honest, I don't think Perplexity has the capability to monetize this like Google does. Like Google's thing. The reason they're like arguably the most valuable company in history or successful company in history or whatever, is because they can monetize with ads all the data. That's like their thing. More data we have, the more we monetize with ads. So, like, I don't see how Perplexity is going to do that with AI.
D
Perplexity already said they're going to do that. Like their big browser comment. They took a lot of crap online because their CEO or whatever his title is, came out right, and said, we're going to build very personalized advertising profiles. If you use our browser and we're going to advertise like crazy off of you. And people didn't like that. But then they put out a pretty decent browser. So, like most things, people will decide, oh, well, I'll use it anyway, what's the harm?
A
Yeah, I mean, arguably that's Google's thing too. They're like, well, it's going to be creepy, but it's going to be like really useful in a creepy way.
C
I'm already plenty creeped out about the recommender algorithm's accuracy to my lifestyle without me ever asking for that.
A
Oh, yeah, this information still works.
E
Yeah.
A
All right, let's do the next one. So apparently people are the US government. This is an article in Reuters. Apparently the US government's just throwing air tags in AI chip shipments, which I find hilarious. For the record, it does not say, it does not say airtags.
C
I just like taking them on the back of the car.
A
But that's what I'm imagining, like genuinely that's what I'm imagining here because so basically this is an article that says US law enforcement of some kind, US authorities. It doesn't say which authorities are putting, are secretly placing location tracking devices in targeted shipments of advanced chips they see as being at high risk of illegal diversion to China. So this is like export restrictions all over again, I guess.
D
There's absolutely air tags. You are so right.
A
It has to be air tags, right?
D
Nobody says they don't mean anything but air tags.
A
I know. Also all the comments from all the vendors. Oh, sorry.
E
Some cheap heart shaped thing they can hide in the box easier.
A
Maybe.
C
I mean, it's just because China's been putting tracking chips and everything that we've been getting from them, right?
A
Like, yeah, it's funny because like at the end of the article they always have the classic, like we commented all these individuals for comment and like literally no one had any comments. The HCI and FBI were like, no comment. The Commerce Department, no comment. The Chinese Foreign Ministry also no comment. Super Micro, they did comment, but they said nothing. Basically Dell. No, I mean really no comment. Not aware of a US government initiative. Like I could be wrong, but it seems like someone just opened up a box of servers, saw an airtag and was like the government. I mean, I don't know, came to.
D
Me in a dream. That's the source.
C
So I'm pretty sure that like just in the last like day or two or three that the Trump administration has relaxed the restrictions of chips that go to China. I don't remember all the details. It was something like they could only have like specialized, like they didn't get like H1 hundreds or whatever the latest one was. They were getting like memory constrained, memory bandwidth constrained. I think like special chips. But I think that that is changing and I think that the, the Trump administration told Nvidia that if like there's something like if they give, give the government 15% of revenue, they can sell them whatever they want or something.
A
Yeah, this seems dicey at best. I mean it's, it's like individual private sources. Five, like it says literally article, like five people, like, all right, Cool.
D
One of them is the author's like, mom, like, hey, can you comment on this real quick anonymously for me?
A
I don't. I don't know.
C
I guess I'm always. I just assume that all the electronicals have tracking stuff them for everything, for everybody.
D
Like you would think.
A
I mean, if I bought a server for like 200 grand, it better have an air tag included with it for free. Like I want to know where that thing's at.
D
Whereas UPS will be like, yeah, it'll be there sometime in the next year.
A
They're like, oh, sorry. It went to Australia and got auctioned off. Definitely not to China. Don't worry about it.
D
Yeah, we threw it in a creek. Go find it.
A
Do you want to talk about Tea On Her? I feel like we have to. We Talked about the T1. We danced around the issue because it's a spicy one. Tea on Her, I don't think it's spicy at all. I think it's just hilarious and stupid. So for those, for the context, there was this app called T that was designed as a female safety dating app where essentially users could anonymously, or so they thought, anonymously, talk about the men they're dating and make sure that they're not going to get turned into a put in a ditch somewhere or whatever. Which is totally fair. That app got breached a couple times because of course it did. Apparently the creator of Tea on her decided, well, if the girls can't have all the fun, we're flipping the script. We're going to do a male version of the app to talk about the girls. It's like no cooties allowed, men only on this app. And it's also got breached in the same exact way that the other one got breached less than 10 minutes. It spilled driver's licenses and other verification stuff. If you're signing up for an app like this and it asks for your driver's license, I feel like you gotta wonder your life decisions if you, you know.
D
Yeah.
A
Made the right call.
D
That's identity threat natural selection right there. Or identity theft natural selection. Like if you start uploading your license to everything, especially stuff like this, I feel like you kind of have to expect that outcome.
A
It's not, at least in the article, I didn't, I'm assuming S3 bucket. I don't know. But also there was some Twitter stuff that people submitted that basically was like, apparently the admin panel credentials were hard coded into the website.
B
Yeah.
D
T was like Firebase or something. Just totally exposed and open.
A
Yeah, yeah. Basically exactly what you'd expect as a security person approaching an app like this. An app designed to dox people has bad privacy. Oh, who would have thought? I guess if you're a user of this app, don't submit your driver's license to random apps to talk about girls you're dating or guys you're dating. Just don't. Just keep your driver's license out of your dating life. In general, there's a max severity. Cisco flaw. This is like barely an article. It's like two second article. But we do have to convene the Council of the Tens because it's a ten severity. Right?
D
Is this like their fourth one this month or something? I feel like they've had a number of those recently.
A
It is probably. Again, it's the firewall, so it's Cisco Secure Firewall Management center, which is a management interface. It shouldn't be exposed to Internet. I thought the only interesting one about this one is that it does so it's configuration dependent. It has to have the radius command or the radius components enabled and in use. But the other kind of interesting thing about this one is it works over ssh. It's command injection. Of course, it's command injection. Turns out an interface designed to execute commands has lots of command injection vulnerabilities. It's not great patch or Cisco stuff, as always. 7.07 or 7. 0.7 or 7.
C
Scroll back up there. There was a great quote. And I would just like to say anytime you see remote unauthenticated command injection, you should be concerned.
D
Nice.
A
Well said.
C
Dark church of the year. Okay, yes, you should definitely be concerned.
A
Well, it's a CVSS10. I feel like we got to have like some kind of sound effect for that. I don't know.
D
Just the air horn.
A
Just the air horn. Like, good job, Good job, Cisco. Another 10. Perfect 10. Which is why Black Hills is going to acquire Cisco for $35 billion. We totally have the money. We'll send pictures of our bank accounts that definitely aren't photoshopped.
D
Yep, John's not here, so you can say that. Right?
A
So this is fun. I don't know if anyone was at DEFCON and got a copy of this magazine or whatever, but apparently Frack magazine is back on the table, exciting things happening, fracking it up. Which, this isn't related to oil extraction from, like, horizontal drilling. This is actually a hacking thing. They basically published a. I mean, they're calling it a tranche, which sounds so fancy. It's like, oh, a tranche of Data from apts. Apparently they're assumed to be either North Korean or Chinese or something of that nature but they're fishing South Korean government so they're probably North Korean I guess is the assumption. And the data is published. It's on DDoS secrets and there's some interesting things in there. They have private custom Cobalt Strike stuff. They have phishing campaigns and phishing tools and I don't know it's. It's an interesting read. It's always cool to get a kind of peek behind the curtain at what APTS are doing. It's a fun one thread and tell people what's going on with this one. Do you read anything good read anything surprising about this one?
D
No, I've spent too long reading about Scattered Spider the last month now they're just, they're ultra popular I guess they're everybody's favorite right now.
A
Well yeah, because they're having a lot of success. Their tactics are pretty simple though so that's easy.
D
Yeah, it's just the classic abuse the user through social engineering and then that's all you really got to care about. But I mean you can look at it was CISA published a bunch of like ttps and stuff that we sent to all the SOC customers. Like hey, here's how they're registering fake SSO domains. It's going to look something like this. And then we ran some searches for a customer name and what that would look like if they had registered one. We didn't see any of those yet but yeah, the Scattered Spider stuff is just very much like faking the help desk kind of basics that just still works. You can pay so much money for all the fanciest tools and all it takes is just one really good help desk call and you're in.
A
Yeah, they did flip their tactics in the past they were doing like they would call the help desk as a user and now they're calling the user as the help desk. And they also are typically using like teams for the call because people are like oh teams, that's work related. I better answer this.
D
Yeah, yeah, I mean teams, the fake voicemails, like that's another thing we've been seeing on like the email front a lot which isn't really attributed to any apts that we could tell but just so many of the fake voicemails that are very clearly evil unless you don't understand how like images and files are rendered in emails. Then you're like oh this is clearly not anything bad. And then if you look at it for A little bit longer under the hood. It's very clearly just as evil as evil can be.
A
I mean, yeah, like the. I think the reason they're doing the voicemail thing is because, like you said, it like allows you to get some weird fishy file extensions and files and download things. But the other thing that's kind of nice is, well, from their perspective is they're. They're using direct send to Phish people as themselves.
D
Yeah.
A
So it's like, I think that's a way of like, it kind of bypasses some of the security training. It's like, what do I do if the call is coming from inside the house? I phished myself. Do I trust my own self as the sender? I guess so. I mean, it's a trusted sender.
D
We had so much of that in one of the sock customers that we do email stuff for is they just had thousands of emails sent to themselves, which obviously is not themselves. And we had to explain to them, like, hey, here's how the email records are configured incorrectly. And then I think, Patterson, you were working on a blog post on direct send stuff as well. Just because that's just. It's low hanging fruit for, you know, attackers to just use.
A
Yeah, for sure. But it is now good news. It's now easy to disable, which not.
B
Long ago it was a real pain.
A
In the hind end, but now there's. Yeah, that is true. There's like a Microsoft setting. Right.
B
Simple switch. Yeah.
A
Blog post forthcoming. Sweet.
D
Yes, I've seen it. It's good. It's one of the better blog posts you've ever seen in your life. So get ready for that.
A
Wow. Yeah, that's a. Good luck living up to the. That's the second lie. Second lie.
C
I saw numbers for the NMAP blog post that's blowing up. Like, which. Yeah, go figure. So good luck with that. Please explain the NMAP blog post. We have a blog post on at Black Hills that. On NMAP scanning and it's like, you know, recently, and it's like, like two orders of magnitude higher than the rest of our blog posts at the moment.
A
No, no, no, no. What you're thinking of is disable llmnr. That's the whole.
C
I'm saying this is like now. Now even more than that. Like, are you serious?
A
A blog post? You serped the blog post about how to disable LLM and R, at least for this month.
C
I don't know about all time, so.
A
Or at least the past can't be all time. That. That one's a legend.
C
No, I didn't. I did not make the claim of all time.
A
No.
D
Okay, I'll make that claim. Patterson's going to beat that one easy.
C
Yeah, I'm looking forward to it.
D
No pressure.
A
Patterson's like, this is fine, this is fine. What could go wrong? Why do I even come to these?
D
I don't know. I don't know.
C
I don't know why I come in.
A
There to write really good blogs, obviously.
D
I'm just happy the one time I come to this, I get to harass Patterson live. That's just. It's made my night.
A
Did anyone see the one that's like, Russian cyber attack bricked all the speed cameras. It's like, finally Russia does something good. Yeah, didn't see that. It's pretty funny. Apparently Russia. So, yeah, I'll link the article. Apparently Russia, like, they did a cyber attack. I don't know if this was their plan. I don't know. This could just be elaborate false flagging on behalf of like, the citizens who are sick of the speed cameras. I don't know. But essentially there was a cyber attack against the Public Prosecution Service of the Netherlands, which. I can't believe there's a service just called the Public Prosecution Service. It's like, what do we do? I mean, we just go after people.
D
Yeah.
A
So, yeah, basically dozens of feed cameras were temporarily taken offline after they got breached. But something they did along the way means that the cameras cannot be brought back online. Um, it doesn't really go super deep on technical details, but just, it's so like, this is the best cyber attack ever. Taking down speed cameras. I finally have a hacktivism that I can really get behind.
D
It's just PR for that. APT is they need some positive relations. So, like, hey, we're going to let everybody have a little bit of fun for a while.
C
Listen, I'm. I'm in full support of this kind of hacktonism because last year my daughter got a $50 ticket at one of traffic cams because she rolled right through a red light. And so what I did was they, you know, it came to me because the car is registered to me, so I.
A
You hacked into the company and took them all that way?
C
I paid the ticket and then I took the, the receipt for the ticket and I, I folded it up, put it in a box, and I wrapped it and gave it to her for Christmas.
D
Oh, nice. That's good. I gotta write that one down.
A
That's such a dad move. That's such a dad move. So the. Okay, the. The Russian threat actor here, or whoever it is, does need to close the loop because the key. The locations of the cameras that were bricked has not been disclosed. So no one knows you just have a camera that isn't working, but no one knows it isn't working. So I guess it's either going to be the threat actor has to post the speed cameras that are disabled, or they, the citizens have to figure it out for themselves through trial and error.
D
Just a really fun geocache.
A
Yeah. Pass around the information about, like, just someone drives really fast across the country and then tells how many tickets they got and where.
D
Takes one for the team.
A
Guys, I'm going in. I'm going. Going in for a couple murders. I'll take one for the team and just catch every speed camera in the Netherlands.
D
Can't be that big, right?
E
It seems almost like one of the pivots where somebody came in and went, well, the only thing I can get on is the camera inside the building. So let's go with that. And decided to leverage all of the speed cameras to break everything else and get in for whatever it is they really wanted. And now they don't know how to do anything with the cameras to get them back to a safe state. Okay, we fixed these things. Now we'll turn them back on. Oh, no, it's back.
A
Every time they turn it on, that cobalt strike beacon just starts checking in again and they're like, do you see a huge opportunity here to monetize this through SMS phishing retroactively to say, we caught you on camera three weeks ago when you thought they were disabled? Click here to pay your fine.
D
I like that.
A
Yeah.
C
What phase two of the attack.
D
Yeah, yeah, they're just gonna start.
A
Yeah, Listen, Patterson's incident response mindset. You got to be one step ahead of the attackers.
C
Okay, Is anybody else on the east coast with the Virginia or Maryland Easy pass? Because obviously they have username enumeration vulnerabilities because I keep getting the. You have to pay like a re. Redo your easy pass.
E
Your.
C
Click here.
D
Yeah, I keep paying mine off and they keep telling me it's got more money doing. It's getting really old.
A
You should call Hayden. I sent you all those gift cards, though. You should be able to cover it with those.
D
What?
A
You know, those Apple gift cards that John Strain wanted me to buy and send. Send out.
C
Oh, yeah, some too.
D
Yeah. I'm gonna send you a teams message real quick about something.
A
Just, just, just send me a ticket. I'll Pay it. It's fine.
D
Yeah, okay. Okay.
A
Has anyone been paying attention to all these HTTP vulnerabilities? Made you reset? What is this? I don't know anything about this. I'm not a web app expert.
C
Apparently that's something I'm going to be doing this week.
B
They pay attention for that HTTP one must die from last week. And then it's like, oh, here's something for HTTP 2. It's like, good grief.
A
Like, yeah, I'm not 100% sure. I mean, if anyone knows how this works, please speak up. But basically we're looking at article in GB hackers that security researchers disclosed. It's just like a person's blog and their name is Galbar Nahum. Maybe that might be mispronounced. There's a DOS vulnerability. It has a CVE. There's a bypass for the HTTP 2 concurrency limit which can lead to DOS condition. Apparently it's similar to the Mate rapid reset vulnerability from 2023. I'm not really sure if it got a CVE. What products does it actually affect? Oh, I see. There's CVE across F5, Tomcat, Swift, H2O and there's also a generic CVE. Most people probably won't have to do much about this if you're a Tomcat developer. First of all, thank you and I'm sorry, but you might have to fix this one.
D
What a life to live.
A
There's only one AI article and it's kind of, I don't, I don't want to call it boring, but apparently the, the article is that LAPD is looking into using GeoSpy, which if anyone hasn't used it, is just a tool that you just, it's publicly accessible, I think, and you just upload an image and it tells you where it's from with hilariously sometimes inaccurate results.
D
They just need that Twitch streamer, Rainbolt or whatever his name is that can like look at some grass and be like, yeah, this is somewhere in Hungary.
A
Yeah, Geoint is like a whole thing. This is like AI based geoint. I mean this is a pretty thin article basically. Like they have obtained emails that show that the LAPD was looking into it. I'm like, I mean, Joseph Cox, legendary author, like big fan of his. But I don't know, this feels like a. Yeah, of course they are, yeah.
C
I mean like my response to it is like, I, I don't know why this would be like surprising to someone. Like, I would assume that they would be really interested in that kind of stuff. It's A pretty big city.
A
I would guess this isn't admissible in court, though, right? There's no way you could go in front of a jury and be like, well, the AI said he did it, so it's obviously he did it.
F
Right.
A
Like, I'm assuming this can't be admissible. I would assume it's just for, like, emergencies or, like, if someone's like, oh, I'm trapped in a basement and they, like, send a picture of the outside or. I don't know.
E
Yeah, I expect it's one of those things where I can't put this in court, but if I get this piece, I can go look in the right, you know, trunk or doorway or whatever to get everything else I need.
A
Yeah.
D
Possibly corroborating evidence.
E
Yeah, it's one of those things where it tells them where to go so that they can do the thing that will actually go to court.
A
Yeah. Probably sounds like a really good scene.
B
Where LAPD and some other police departments are really looking for, like, an easy mode on locating individuals. And I saw an unfortunate flood of requests come in that fit a certain profile to where you go. There's. Is it this law enforcement agency that's asking, or is it ICE that's asking for a third trace labs to look for missing persons? I'm like, are they missing or are they just targeted by ice? So I've seen. Seen that in a lot of areas, and this is not surprising either that they're looking into something that they can do an easy mode for. Let's find where this picture was taken. Who. Who is this and where are they? And we making things easier versus, you know, we. We think that it's going to be used for the legit purposes of, like, hey, there was a crime committed. And, you know, we need to figure out, like, hey, here's photos from the crime or posted by the criminal. You know, who are they, where are they? Where do we go? But I think, unfortunately, a lot of the tools are being leveraged for politically charged purposes.
A
Well, so easy solution here. You find the public NAT IP of the lapd and then any request that comes from that ip, you just say, it's in Mexico. And they're like, dang it, every time. It's always in Mexico. Everything I upload, it says it's in Mexico.
B
Yeah.
A
Can't do anything about it.
C
Yeah. Aside from politics or any of that. I just. If you're a criminal and you're taking pictures of things while you're doing the criming, that's probably not What I would do if I were a criminal and posting them like online. Right. Like I don't know that that's.
A
How are you going to market to your target audience.
C
It's true.
D
Yeah, it's true. You gotta put it on tick tock to get that extra side revenue.
A
Yeah, yeah. You gotta monetize your crime.
E
Maybe I'm. There's a bunch of streamers who have done pretty much exactly that in streams and then tried to defend themselves in court in places like Japan and it did not fly.
C
Turns out it doesn't work that way.
D
Yeah, it's almost like the criminals that get caught are the ones that make very poor decisions in their during their processes.
C
It was Phil Hagan who once said something similar. Yeah, I love it when criminals are stupid because it makes them a lot easier to catch.
B
So yeah, yeah.
A
So if geoint can identify where you are, get better, do better.
B
I'm in shape.
A
Or don't because you're a criminal. Keep being bad at your job. So our jobs are slightly easier. A couple breaches we got. I mean a couple breaches that are real and a couple that are maybe not so real. Manpower, which apparently is a staffing company, got hit by Ransom Hub, which sucks. Luckily only, only 145,000 people were affected. Hopefully. I mean it. I guess I'm like, what was this closed? Doesn't really say. But if it's ransomware and they got 500 gigs of data, it contains personal corporate data, passport scans, IDs, Social Security numbers, contact info, test results, other data, years of corporate, corporate, corporate respondents, financial statements, HR data analytics and confidential contracts, non disclosure agreements.
C
So all data.
D
So. So not that much.
A
Yeah, not that bad. Yeah, I was hoping it was just going to be resumes and I was like, well, they're supposed to be public anyway. But no, it's bad. I mean it makes sense. Like a staffing agency, they're like doing all this drug testing and all this like stuff that shouldn't be public. The news article does say that they removed the entry from their leak site. So maybe they paid the ransom, who knows? Or maybe they, you know, could all be fake. Could it just be that they claimed they breached them and they didn't? Who knows?
C
I don't know specifically about manpower, but from my previous stints and doing like government contract work, I mean typically, you know, folks that are providing like staffing for certain like positions, they don't necessarily spend a lot of time and effort in securing their systems themselves because you know, margins are a thing and So I don't know. It doesn't surprise me that like a staffing type agency would have an issue. At least based on what I remember from the government contract world.
A
Yeah, who knows? Apparently it was earlier this year, so.
C
Earlier this.
A
Pretty long.
C
Oh, okay, then.
A
Pretty long disclosure timeline here. What they had to do was find people to staff the incident. And then they went through their pool of candidates. They couldn't find anyone, so they had to hire. They had to go on monster.com and find someone to run the incident.
E
I'm pretty sure I actually worked for them once upon a time.
C
My wife.
A
Bad news for you. You might be getting an email.
D
You need a new passport.
E
I don't think. Well, I didn't have a passport at the time. I don't think their info from 1998 matters.
A
Can't change your SSN.
C
I don't know your Social Security number.
E
You can't change your ssn. But I have three names associated with my ssn.
C
Anyway, at this point I figure everybody has my Social Security number as part of.
A
Well, I do. If you go to every SSN dot com.
C
I know, I know. We, we have our, my Social Security number.
A
I'm aware.
D
Yeah. Yours is written on my desk.
C
Yeah, probably.
A
I mean, if everyone's Social Security number is leaked on this website, I'm going to post it. I know. This is kind of crazy. Megan. You might want to open that up pretty. This is, this is, this is mind blowing.
D
This is crazy. You should open it on the stream right now.
A
You should put up somebody's Social Security it up. It's. It's a joke, I swear.
D
Type in John Strand and all it.
A
Does is it just goes. It doesn't have any names. It just increments numbers through 00,000 through 1.
D
Oh my God. That is amazing.
A
It's so stupid.
C
I agree with what trial group said. Opm. Like I was part of the OPM breeze after that. Like, I was like, well, I guess I don't care about breaches anymore crap because I don't know if anyone's ever got a clearance in the government. Yeah, all, all of that data got lost for me, so. And that means it got lost for all of my family and all of my relatives and all kinds of. So it wasn't just my data. It was a whole bunch of like my whole family's data and not just my, my, my family here. It was my dad, my mom, my in laws. Like my OPM breach was really bad. We tend to.
A
Well, I'm looking At your SSN right here. You got a good one, though.
D
Yeah, I don't. I don't know how much you remember about when you got your. Your clearance, Derek, but I remember being shocked at how easy that was.
C
Yeah, I mean, it wasn't easy to fill out all the paperwork. It took, like, four days or some kind of. You had to keep going.
A
I will say for the record that OPM Breach never went public. It's just China that has it. So you're only. Only one nation state has the data.
B
And all that adjukant information. So not just the, oh, here's the Social Security number, but here's all the interviews from neighbors, et cetera. I would say, like, the paperwork is frustrating, but then, like, the. Also the difficult part is, like, explaining to your neighbors, like, why the FB I.
A
Wants to talk to them.
B
And they're like, why are they asking me questions about, like, things that you do? How often are you at home? What are your interests? What are your hobbies? And, like, where's the FBI wanting to talk to me? I'm glad about that.
C
I'm kind of glad that didn't happen when I was here at Black Hills, right? Because when I left the shipyard, I, you know, lost my clearance. And then, you know, here I move into a new neighborhood basically the same time I got the Black Hills job. And for the longest time, I think my. My neighbors might have thought I was a drug dealer because I basically would be here for a week. I'm weari, like, a tracksuit, walking my kids to the bus stop. Then I gone for like a week or two. And then I come back, I'm like, what's the hell does he do? He's here, and then he's gone. So, yeah, kind of glad the FBI wasn't asking questions.
A
Then the FBI goes to your neighbors, and they're like, is this about the fireworks? And the FBI is like, what? Yes, please, please elaborate. What? What?
D
I love when someone comes to me with those, like, questions about, like, hey, do you know this person? Because there's always a part of me that's like, man, it would be so funny to say some crazy stuff about this person right now. But also I would just be like.
A
Yeah, yeah, I know. Remember that. What they did with those Hot pockets back in 2012.
D
You won't guess what he sold me.
C
Whatever you do, don't talk about Vegas in 2016.
A
Yeah. The other breach that I kind of wanted to bring up because people are probably going to ask about it is the PayPal breach and heavy air quotes. PayPal breach. Basically someone on breach forums is selling a dump of PayPal credentials. 8 million credentials. This is going to be repackaged info sealer data. I'm calling it now. They're selling it for $750 which means none of it's probably useful. It's PayPal. Pretty sure they have multifactor. Not really an article, but sure do. This is classic. People take this, take info stealer data, repackage it and try to sell it so that if you were the person who's going to ask about this article.
D
Now, you know, it's like drop shipping but for data.
A
Drop shipping but for data. Good call, I guess. Alex, you want to talk about this kind of political. We got to be a little careful here. But there's a, well, I just thought.
B
As a, as a follow up because last week we talked about the PACER data breach at PACER and there's a bit more that came out of it and I mean I noted it because Jake Williams commented and shared it on his feed. So but this is, I think just in summary, just for the, for the article and follow up, the PACER was, PACER system was breached. There's reports again politicizing it that Russia gets involved in perpetrating the hack. The comment by Jake Williams is that we're more than a month into detecting this intrusion and didn't have a full account of what's impacted, which has that, that good point that reconstructing what happened. You know what stood out to me though was the, it suffered a breach in 2020. The follow up reporting is that in the recent attack the hackers just exploited the software vulnerabilities that weren't fixed from five years ago. So if you want like the easiest way to hack a system is just do the same thing that you did five years ago because they didn't do any sort of updates. So certainly alarming. And concerning that, you know the, that these types of systems that contain the case management and electronic files aren't being adequately, aren't being adequately updated, adequately guarded and there isn't a whole lot of disclosure as to what happened and what the plans are for closing vulnerabilities that they found because they've just been referencing them back to, to previous disclosures, previous statements and the Department of Justice isn't responding for comment or anything.
A
This situation sucks. Right? Because especially if you're one of these lawyers or somehow impacted by this filing system that potentially discovery data or informants or things like that, there's Going to be a lot of collateral damage depending on where the data went. They haven't attributed it. Right. So they don't know. I mean, people are saying probably Russia, but my understanding is that it's assumed to be a nation state, but there's no attribution. That's like a hard attribution that I. At least from what I understand. But this is a rough one.
B
Yeah, it's a rough one.
A
I think we're not.
E
I've heard some things I want to say one of them was on Risky Biz from last week, tying into this whole idea back with what happened with the FBI and was it Sinaloa cartel? I think it was down in Mexico. And the idea that there are a bajillion different operators, threat actors who got into PACER and a couple of other systems at loosely the same time and are just pulling all the data they want. So, like maybe the most recent thing that was detected was Russia, but it sounds like there's a lot of people who went, hey, I can see that and I care.
B
Yeah, they're going to share that information of vulnerabilities and everything. That would be over five years. Yeah, the cyber criminal groups are going to share what they can get into. Or somebody's going to figure that out and go, we're just going to also dig through. But when you have such a confidential court system that's not confidential, or they don't understand the word of confidentiality, when they have so many different threat actors that can get into it, it's a problem. Yeah, I was getting a comment that it's like, it's just when I'm seeing in the industry a lot of when things come up with a political slant or that it's like possibly Russia. And then you kind of go, we're going to. Not. We're going to tiptoe around it. I'm thinking that that doesn't do as great of a service to the industry to go, oh, this is politically charged. Let's sidestep it.
A
Yeah.
B
Because I think there's. It's challenging. I don't have an answer, but I think there needs to be a better way of going, okay, yeah, there's going to be a political charge to a lot of what's going on in cybersecurity again, and find a proper way of helping the industry out while not flying your team's flag too much.
A
Yeah, I mean, I brought this up to a couple of my clients who are in the industry or in the, like, you know, would be using the system. And they were like, yeah, they had been trying for years to get multi factor on that thing. So it wasn't really a huge surpr to us. Right. Like, you know, they had like, it had been like a multi year effort to be like, guys, I swear, soon we're going to get multi factor. We're going to get it. Like, it's tough because like these systems need to be online and need to be accessible. But also, do they really, like, I don't know, are we going to just go back to paper? I don't know.
D
There wouldn't be so much wrong with that, I don't think. My. My city upgraded one of our portals and when you made your new password it was like, you cannot use these five characters. You cannot use these combinations of characters. I was like, you've just given me the instruct that I need here.
A
It's for SQL injection.
D
Yeah, you give me very specifically what you don't want me to do. Like that's.
A
Don't use. It just says like, please do not post any JSON data to this API endpoint. Yeah, you're just like, this is too specific of an error message.
D
Right? Exactly.
A
Did y' all see the hilarious Japanese character that imitates the slash?
D
Oh, that's so good.
A
This is kind of like sun degree.
E
It'S the only character that doesn't have a vowel sound in it. Is just.
D
Yeah.
A
So you can read the links if you're Japanese, it makes perfect sense.
D
But it's very creative.
A
Yeah, it's very creative. I will say, if you don't have the Japanese language pack installed on your system, does this just turn into puny code or does it actually render in a URL?
D
That's a good question. I would imagine that that's like universal enough that it would render just across the way. I would think so.
E
It's a really basic character. It's not like they grabbed one of the weird deep cut kanji.
A
Right.
E
Like that is basic to hiragana. It has to be there. If you don't have any CJK support, then it'd probably either puny code or you'd get it trying to render and you'd get the little square I don't know what you are box.
A
I tried it just on the article itself, like a couple of these articles. I just. Instead of, I replaced the slash and it doesn't work for me. I just get a 404 on Chrome. So if you get a 404, that means it does work though, right?
D
Yeah.
E
So here's the thing, it's in there. And what it means is that whole thing is the domain. They say, quote unquote, the actual domain. But like all of those characters are part of subdomain names.
A
Correct. Or like you could register. Yeah, it's actually an interesting technique. I'm sure most like this is going to work really well for like two weeks and then never work again. But it's really cool. Like. Yeah. And just I guess at least in my browser, on my system it does render properly. It renders as like, you know, if this is an example, you know, on I'll, I'll post in the discord. But basically like it rendered in the URL. It looks kind of sketch though, to be honest. Like, I've seen better.
E
Yeah.
D
And yeah, but some threat actor thought of that like in the shower and they're like, I just had the best idea, like I need to go try this right now. And they were so excited.
A
I think it looks kind of sketch. But oh yeah, it's cool. I mean, I don't know, it's. It's one of those things if you're.
D
Not paying attention and you're going really quick, maybe you could breeze over it. But with the practiced eye, it's not going to fool the security practitioners. But I don't think that's the goal with these sorts of things.
A
Well, it's also incredibly easy to filter with proofpoint or any other web gateway to just be like, is this character in the URL? Bye nuke.
B
I think that's what's happening. It's just a new character substitution that isn't filtered out by most tools because you can get some foreign language characters that just look like, you know, a lowercase l and they substitute it and you go, it's like, okay, somebody tried that. Filters get updated. Okay, have a good one. It's been a problem for all of two weeks. And this is another special character that they're using in clever ways for replacement that's going to get, likely going to get filtered out very soon. But in those, you know, two weeks of not everybody updating, it can be an interesting time.
D
So yeah, that's the one that like happens to like one of your grandparents or something and they're like, what happened here? Like everything's normal. Like no, that's not like an English character. I guess you have to be inventive with every, all the security stuff that catches that low hanging fruit. So anytime you think of something crazy like that, you might as well. If you get one person it's worth it, I guess, just if you can get one, that's all you need.
E
Depending on what you get out of them.
D
Exactly. It only takes one to make it profitable.
E
Yeah. The thing about it that makes it at all sneaky is for people who don't recognize that that's not a regular forward slash, they stop checking the rest of the domain name to see if it's garbage or not.
D
Yeah, I think that's the goal. Yeah.
E
If your tiniest subdomain part says google.com instead of actually a slash, then the people who are speed reading through it are going to blow right through and go, oh, well, it's on Google, it's probably fine.
D
Yeah. And that's something that I talked a little bit about, the scattered spider stuff earlier. But that's what like those sorts of threat actors will prey on people's misunderstanding of how domain names work. So they would register domain names. Like one of the ones on the article I saw was chipotle-sso.com. like that is not chipotle sso.com, clearly that is part of the URL character is that dash. And so they're preying on these people that don't quite understand how these URLs work. And so in this case, that one's a little more clear cut. But if you were to see, you know, your company name dash SSO and that's pretty similar to what it actually is, that could catch somebody. Those ones are the ones to be careful of. I do also love all the crazy Unicode URLs that people are inventing in the discord right now. There's some deranged ones in here.
A
Yeah. It's amazing.
D
Yeah. The lensace.com. yeah. Imagine clicking on that one and getting popped by that and having to explain that to your boss.
A
Yeah. I think. I do think there might be something to like different. Once you get too deep down the rabbit hole with these Unicodes, it'll turn into puny code in the URL and then it just looks like XN dash, blah, blah, blah. Like it doesn't render properly.
D
Yeah, we have to write some detects for that. Yeah, apparently there's.
A
I'll bring this one up. There's a few vulnerabilities. There's a vulnerability that Watchtower posted about Fortisim, which is Fortinet's sim product. I'm assuming just based on the name, it's a pre auth remote code execution being exploited in the wild. I would assume this mostly affects people like on Cloud deployments that are exposing these things to the Internet. I'm not sure what the normal deployment architecture of this tool is, but if you do use this tool, make sure it's patched. I'm assuming if it's cloud hosted, it's probably already patched, but this might be worth looking into. I don't know anyone that uses this product. I don't know how popular of a product it actually is, but I think this is the second vulnerability in this product this year. I want to say, just based on my remembering, yeah, this, this also I.
D
Came across this one not because of the Fortinet article, but because of a Gray Noise article where they mentioned there was a spike of massive brute force attacks against Fortinet SSL VPNs. And so this came a day after that, that reporting from Gray Noise. So there's maybe a little bit of relation there between those things. Maybe it's not just for the sim or maybe there's a little bit of relation there. But yeah, I mean your SIM having a vulnerability is a little bit unfortunate. I'm pretty sure Elastic also just talked about one very recently as well.
C
So it hit a little close to home there.
A
Hayden.
D
Well, I mean we're already patched, so.
C
Yeah, no, I mean this whole year, I mean if you're listening to this and you haven't started getting logs from your perimeter devices into some centralized location, you're late to the party because threat actors are going after those, you know, external facing kind of appliance type things. So yeah, I would go get those logs and put them in your sim. Oh wait, should you put your SIM.
A
Logs in your sim?
C
Yeah, probably.
D
I think you should probably, yeah.
A
Speaking of patching your stuff, I know there's a lot of Home Lab or types in the audience, so make sure everyone update your Plex servers. There was a Plex vulnerability that basically, apparently they actually emailed people that were affected, but essentially there was a potential security issue affecting Plex media server versions 1.41.7 to 1.42. It doesn't, I guess I'm not seeing much many details about the actual vulnerability itself. But the reason, I guess the reason it's interesting is I think about the, I think it was, I want to say it was Cisco a couple years ago that got breached from an employee who had LastPass or LastPass.
B
Did somebody tell LastPass that their developers should not be logging in off of their Plex server? I believe it was LastPass. I mean it could be both. So apparently this is developers and using Plex servers is probably just, you know, like peanut butter and chocolate.
A
Well, it's like home network hygiene, right?
B
Yeah, home network hygiene. You know, don't choose.
D
I mean, my.
E
I don't think confirmed it was Plex, but they definitely mentioned it was a weakness. Possibly this one. In a home media system.
A
There was one. There was a. I believe. I mean, I could be just pulling this out of nowhere, but I swear there was a breach that was hard attributed to someone's Plex server getting popped and then them pivoting onto the user's workstation.
D
I'm remembering that too. I just don't.
A
It was like they had an exposed Plex server, they popped that, then they pivoted, like did, you know, responder or whatever, to their workstation, which is on the same network, and then popped their workstation that way. Yeah, that's how they got in. I want to say it was Cisco, but I could be wrong. I mean, memory is a fun thing.
D
If you're like me. At least if your home lab is always down for some reason or broken, then at least there's no vulnerabilities there to be found.
A
Yeah, totally.
E
Alex has a link. Yeah, sure.
B
LastPass employee with a Plex server. So it's like the version that exploit addressed. This exploit was presently 75 versions ago.
A
Yeah, well, yeah, yeah, it's pretty long. It's pretty long old and they did apparently email people that were running this, which is pretty cool. I mean, I think bigger than anything. Like don't have your work machine on the same network as anything at all, really. Yeah, like definitely not home lab stuff, but especially not publicly exposed home lab stuff. But yeah, for every Plex home lab person, there's probably 50 synology default creds people. So. Yeah, Patcher, Plex. Any other articles? Spicy. Someone said chicken article. Is that really true? Mary Ellen, hook us up with the chicken. I put one in there. I had to search really far and wide for this one, so. Wade, if you're watching, this room's for you. This is like so vaguely cybersecurity, but we're going to cover it anyway. It's fine. We've got an article in. What? I'm sorry, I'm going to have to try to keep a straight face. We're covering an article here in wattpoltry.com apparently. Okay, okay, here we go. Apparently a company called Noble Foods has become the first egg producer in the United Kingdom to implement something called TerraMap, a soil mapp which uses. I'm sorry, how Much technology are we pouring into chickens at this point? It uses passive gamma ray detection to scan fields and generate high resolution maps of 48. So it's like a mass spectrometer, but from a satellite. Is that what I'm getting? No, no, no, no.
E
That's. That is not how gamma ray detection would work.
A
Please explain on this cyber security podcast how gamma ray detection for chicken soil would work.
E
So if the question is what isotope mix is there so that you can determine whether there's, you know, nutritious grass or not? This is sort of one of the things that happens with wildebeest. If you take video of them as they move across the plains, they actually focus on particular parts of the grass. Somehow or other, they can tell by hay smell which bits have more phosphorous which their bodies need. So they preferentially eat grass with phosphorus. You can check by what frequency of gamma ray radiation is coming out of the ground, depending on how much resolution you can get looking at the ground, what trace elements have normal radioactive element varieties, isotopes present, and you can use that to estimate how much of some nutrient I care about is in the ground that these critters are on. That's going to pass into the plants there, that's going to pass into any of the bugs or whatnot that munch on all that stuff. And then your chickens are going to eat whatever grain happens to get formed there, though that's low odds. But you're also going to get any, like, three feed walking around free range chickens eating bugs off the ground like they do, because they're that kind of bird. And you'll be able to say, aha. This plot of land has a great nutrient mix. So this is going to give us better chickens with better eggs.
A
Yeah.
E
I mean, all because you can figure out which gamma ray frequencies go with what isotopes for what nutrients you care about. So, okay, so got tons and tons of uranium and maybe you should not make radioactive chicken.
A
I have, okay, I have so many. I have so many jokes. But before I get to the jokes, how. What is the sensor? Is it a satellite? How are they, like, what is. What is collecting the gamma ray emission data?
C
It's a huawei chip.
E
Gamma rays are actually kind of tricky to do for detections, but it's not actually hard. When we do PET scans, those are doing gamma ray detections. They're doing them at a fairly high frequency because it's based on positron electron annihilation inside of whatever body part they're scanning. Though technically it's also happening everywhere else in your body. I don't like PET scans, so.
A
But like people. Okay, so people in Discord are saying there's a sensor that gets towed behind the tractor. So maybe something like that.
C
Like mesh that goes through the whole field and then it rolls like a Windows laptop. So next week we'll talk about the ransomware for it.
D
And it runs on a John Deere, so they'll break it.
C
Yeah, yeah, don't do that because then it'll cost a hundred thousand dollars to get a fix.
D
Yeah, I think that article is the one that I've learned the most about on this show. And it's all about gamma rays.
A
I was so FASC the explanation, but now I got to get to the jokes.
D
First of all, so bad.
A
Is there a, is there like a detection for when your chicken's going to go full like hulked out chicken due to the gamma radiation? Like is that part of it?
E
Anybody's worked that out yet, they should really work on that.
A
When it punches, if your chicken knocks.
D
You out, uppercuts you, that's your detection. We call it in the exploitation phase of the kill chain is when you're.
C
Getting that one exploitation robot chicken. Now I can't get out of my mind.
A
I also will link to the relevant Portlandia sketch for this as I must do where they, you know. But the concept of using this type of technology for chickens, I mean a farming.
C
Tight tech, man. It's not, it's not frontier farming.
A
I. Yeah, I mean I will say I don't. It'd be really funny if you could like geo. Like there could be like an AI powered chicken farm where it just like looks up the most nutritious soil and then drives a little like chicken enclosure thing over to that soil.
D
I found your new startup idea get backed by YC right now.
A
Yeah, that's patented already. Don't worry about it.
D
Yeah, it's very interesting to think about farming. Just. I don't know, maybe I'm weird farming simulator games and be like, wouldn't this be so cool? And then I get bored like immediately because there's no big flashing lights and screens in front of me to have a million sensory inputs at once. Like even now I have like eight windows open right now.
A
This is amazing. Like the concept of, of soil mapping. Like yeah, yeah. It makes me very happy to know that every industry has genius people doing really cool stuff. You know, like that's, that's the coolest thing I've ever read. When can I get a home version so I know where to put my tomatoes. Is there any. Is there a home version yet?
C
The dinosaur chicken meme. That's the best one I've seen in a while. I appreciate it.
A
Is there terra soil mapping technology for the home yet? I really asking for a friend.
D
I bet you could make some. You could make some. You'd get on a watch list, but you'd make some. Yeah.
A
Should I order like a pet scanner right now? Like, just send me. Just send me an Amazon link.
D
Yeah, it'll have some weird characters in it. Those are slashes. Don't worry about them.
A
So when the FBI comes asking my neighbors and they see me walk around my yard with a dosimeter, is that. Is that if you. If your neighbors see you walking around your yard with the dosimeter, just tell them it's for the chickens.
D
Yeah. Yeah. And then give them some irradiated chicken to kind of hold them off. Be like, would you like some to eat?
C
I'm glad we chicken.
A
This was an amazing podcast. Thank you all for showing up. I think we're good to roll the finger and I'll see you all next week. Bye, everyone. Sam.
Podcast: Talkin' About [Infosec] News, Powered by Black Hills Information Security
Date: August 18, 2025
Summary by: Podcast Summarizer AI
In this lively episode, the Black Hills Information Security crew, a team of penetration testers and ethical hackers, dissect the latest cybersecurity news, focusing on high-profile breaches, vulnerabilities, and the culture of infosec. A highlight is the story of Russian threat actors allegedly bricking speed cameras in the Netherlands—a rare "feel-good" cyberattack for speeders everywhere. Other discussions include outlandish business deals, government tracking anti-diversion efforts, critical vulnerabilities, pressure on legal record-keeping, and quirky intersections between tech and… chickens.
Timestamps: 02:17–06:52
Timestamps: 07:13–10:04
Timestamps: 10:17–11:50
Timestamps: 11:51–13:37
Timestamps: 13:56–15:57
Timestamps: 15:01–17:36
Timestamps: 17:36–18:52
Timestamps: 19:14–21:44
Timestamps: 23:30–24:47
Timestamps: 24:49–28:48
Timestamps: 29:38–41:14
Timestamps: 41:43–45:57
Timestamps: 46:25–47:44
Timestamps: 48:13–49:58
Timestamps: 51:55–57:05
This episode embodies the relaxed but technical banter that defines Black Hills Information Security podcasts. While many stories are “same stuff, different day” — poor development hygiene, social engineering, exploit reuse — the hosts blend deep technical knowledge with the camaraderie and humor of a seasoned infosec team. Listeners get actionable takeaways (patch, segment, be suspicious!), a window into attacker methods, and some laughs about the intersections where hacking meets real life (and radioactive chickens).
For more, and to enjoy the panel’s banter in full, listen to the podcast or join their Discord community.