A
You're gonna. You're gonna lose. All right? So. So if everyone knows I'm quitting my job as a security practitioner and I'm gonna become. I'm gonna go back to the forest service and just do logging, but in a different format. If anyone.
B
You're gonna be wading through logs.
A
I'm gonna be wading through logs. Just a different type of logs.
B
Like, it's great.
A
It was. It would. I'll be healthier. I'll feel probably more satisfied, to tell you the truth. Like, not just sitting here staring all day, pretending to be, like, a mall cop.
C
But are you going to keep the mustache or you going to grill?
A
The mustache will stay the mustache. And forest service. Like, people already think I'm either a firefighter, a cop, or in the military, so now they're just going to be. Right.
B
So dress for the job you want, not the job you have. Exactly.
C
I'll send you some flannel laid.
A
I do. I will need some. I will need some.
C
I don't know if this was, like, a meme or that I saw or, like, where I saw it, but someone had posted, like, the best jobs status update, and it went from, like, this person being, like, a director of cyber security operations to director of chickens.
A
That is right up our alley. Like, that guy's like, director of chickens.
C
Yeah.
A
Technically, it's the same thing almost.
B
Right. Right.
A
Like, honestly, depending on who you're leading in the SOC.
B
I mean, I've for years said if I could do a different job, like, if I could take my salary and just pick a job, who would work in security. Right. Like, I. You know.
A
Yep.
B
I'd go, like, make bread or something. Like, I would not bread. I don't know. You know, what's it called?
A
The people who, like, sit in the towers on top of mountains and just look for fires. Like, there's a whole firewatch. Firewatch. Like, I used to drive up to one of those, but it was an abandoned one that they didn't. And, like, honestly, that would have been pretty chill. Just, like, you sit there, you watch, you eat. Maybe you listen to some audiobooks. Just as long as it's not one treehouse. Just as long as it's not one where there's, like, a giant crevice and then there's, like, monsters coming out of it. You know if anyone's seen that movie?
B
No.
A
Ryan has.
D
At the Gorge.
A
The Gorge, yeah.
B
So when you're picking your job, always look for crevices. That's what I've learned. Do not work somewhere with crevices.
A
This, this isn't in the news, but another topic I wanted us to talk.
B
About it is now we make the news.
A
The new, the new War of the Worlds movie. I think it.
B
People think it was real, just like the original.
A
It's Ice Cube, and he's pretty much like a CIA spook that just watches everybody's webcam and like, tracks his daughter and then sees aliens invade from it. Like, it's right there. I think it borders on cyber security.
C
Like, let's be honest, that's kind of creepy.
B
That's so creepy.
A
It's super creepy. Like, he's tracking everybody. He's tracking the boyfriend. But I watched it.
C
What?
A
I watched it for 15 minutes and I'm like, he, he gets more Teams calls than anyone in his. In their life should. Microsoft must have paid them pretty well to put that Teams jingle in every 10 minutes as somebody calls him. Like, I'm ill.
B
So what is it? Is it just thinly veiled cyber security training? Basically?
A
So it's, it's literally, it's literally. It's. This is the movie we're going to, we're. We're going to screen share this guy who is a cyber security guy who just watches everything, and then he finds aliens and you literally watch him go around. Click. Like, click to call people in Teams. Click to call people in WhatsApp. Like, it's, it's bad.
B
Okay, so what do we think? The Rotten Tomatoes. This isn't really War of the World.
A
It's like, it's War of the Worlds. Like, it's War of the Worlds, but it's just as if this dude on a, with a, this dude's monitor is the way you're viewing it. Like, it's horrible. I think it was like one of Amazon's like, top rated, like, watched movies right now. And it's being watched because it's so bad.
B
Top watched, top watched and key metric. It has 3% on Rotten Tomatoes.
A
It's. It's number three right now on Amazon's in the U.S. All right, 3%.
B
I'm not sure how different an AI version of Ice Cube stars in a screen life version of War of the Worlds would be from the current smash hit on Amazon Prime.
A
I want to know how much you spent on it. Like, this could have been good.
B
Like, I mean, if people watch it, they'll make their money back.
A
How do we do this? But like, cyber security, like, like real OSINT. Like, there's going to have to be some good OSINT where you're like, whoa. And then literally all the websites you use on there are real.
C
Did you finish watching?
A
I literally. I literally like five minutes. Like, no, like two minutes. Watch the beginning skip like an hour. Two minutes. Two minutes. I just wanted to see the aliens and some like, okay parts. But it was. I couldn't watch it. It was bad. As someone who's like, War of the Worlds is one of my favorite books. So I had.
B
I mean, the start, even just the tagline, a computer security analyst. All right. I'm already checked out. It's boring. You could, you could.
C
I would watch someone making fun of it for sure.
B
Like, oh, you're saying.
A
If you scrape our Patreon, Corey and I will watch this movie and you can hear the. Okay, that's actually director's commentary.
B
Didn't we used to have like a movie night that Will would do where he would stream.
A
He still does it. He still does it. But it's only like one of the.
B
Private groups, so we need to do it. I mean, yeah, I was gonna say probably for. For copyright reasons. Yeah, we need to do like at Wild West Hackin' Fest. Maybe we could do like a live RiffTrax of this. Just like one night. Just sit down with live hot mics and just talk the movie the whole time. Yeah, I don't know. Either way, roll the finger. Let's do the. Let's do the news. Let's make it happen. Hello and welcome to Black Hills Information Security's Talking About News. It's August 11, 2025. We're all back from Hacker Summer Camp. Drained or refilled, depending on what parties you went to and when you went to them. Did anyone here actually go? Because I feel like if you were. If you did go, you probably aren't on the show.
A
I thought you were going.
D
Well, I think we are all back.
B
They're still there. Apparently. I was there. I didn't go to any of the conferences, but I was in Vegas on site for a customer and decided to crash some parties and meet some people. So if I saw you there, hello. If I didn't see you there, catch me next year. I won't be there again. But then I somehow always end up there. It's like a vortex. I don't really understand how it works. Yeah, I mean, I don't think there's anything crazy. The only. There was a few articles that were kind of like talk summary articles. The HTTP 1.1 thing from PortSwigger is like a big deal. That was like one of the first bigger ones to hit. Is there anything else? I mean, there's a ton of AI talks, a ton of just like privacy and AI and like fun little hacks with AI, I guess. Anyone. Has anyone else? Like, has there been any crazy zero days or anything? Like, I haven't really seen anything wild yet.
A
Nothing I can discuss online.
B
Nothing as enthralling as the War of the Worlds 25 movie.
A
Definitely not.
E
Like, I streamed. I. I usually go every year. I hardly ever miss it. I just could not go schedule this year. But I streamed most of the con in the closing ceremonies there. I didn't realize that, like, they do, like, they go over all of the crime that happened and there was some sort of mention of a CEO and four employees or three employees from the same company that were arrested and they'd been in jail for a few days. Now they were arrested apparently off site, like downtown somewhere. But I mean, allegedly.
B
Was this cybercrime or just hijinks? Like, is.
E
It was. I think it was hijinks. All they said was that it was just something really stupid that they were.
B
They were like, throw a couch. Okay, maybe it was just team building. It was like, let's as a team, throw a couch off the roof.
A
Dude, it could have been. Talk about team building, suffering in a jail cell together. Like that would. I would bring you guys together.
B
Or if you don't like your current job, it could be worse. You could be sitting in jail with your CEO and three other people.
A
Does this bail count as a work expense?
B
Oh, yeah, you can expense that. Dude, that's. That's a billable expense. Yikes. Yeah, I mean, I don't think there's anything crazy. I think we can dig into this HTTP 1.1 stuff. I don't. I'm not like super good with web apps, so I'm probably going to butcher this. But basically PortSwigger, which is the company that makes Burp Suite, has set up this site http1mustdie.com or something like that. Or, you know, it's. They're really here. I'll. I'll send a link. I'll. I'll link you to the link so you can link it to everyone. So, yeah, they have this website, http1mustdie.com, and it's research that they are really pushing to everyone to kind of. There was some shocking pieces of this vulnerability. It's written by primarily James Kettle to give credit to the researcher who presented it at Black Hat 2025. But basically, essentially, it's like, we thought we fixed this, we didn't actually fix this. The issue is with desync. So essentially the main thing happening here is that if you're a web app tester and you're familiar with HTTP request smuggling, this will all be pretty familiar to you. But essentially HTTP version 1.1 is enabled in more places than we might have thought. On places like Cloudflare and other CDNs where it should be addressed. It's still supported on the backend and there's ways of kind of going after those requests and those vulnerabilities through a CDN. I think the most like crazy part of it, which is a little bit of like a fish, is they say that James says that he used the vulnerability to report and yield over $200,000 in bug bounties over the course of a couple two, over the course of two weeks. So like the fish here is you can make a hundred thousand dollars a week in your PJs with this. There's a new Burp add-on that's now in the Burp app store that basically helps identify it. And overall I think it's like, it's one of those things. It's like, yeah, we probably should really disable this.
And now this person is trying to drive change by driving impact.
A
My first thought is like, oh yeah, WAF should be able to take care of this and then literally scroll all the way to the bottom. Ryan. Like, yeah, exactly. Not reliably. In fact, we have observed some WAFs that introduce desync vulnerabilities to otherwise secure systems. That's it. It's like at the very bottom FAQ.
B
Correct. It's one of those things of like, well, the proxy on that.
A
The other one.
B
Yeah, yeah, yeah.
E
Basically when the home sec did a video and had James Kettle on just a few days ago and they went into details about, you know, how you can actually, you know, hunt for this.
B
Yeah. So basically this is going to be a theme. If you're an AppSec person or a pen tester, get familiar with this and be ready to see it on all your pen test reports for the next five years. Because it's probably not going away anytime soon. Especially it's like we've got the shared responsibility model here where like, well, we have Cloudflare, so this doesn't affect us. And then it's like, well actually it does. Or you know, we have a proxy or a WAF or whatever. It still seems to be kind of a tricky vulnerability to fully remediate. I mean the, the fix really is force HTTP 2 in all places, at all times, at all levels. So make sure your apps support that. And yeah, you'll be good and not only support it, but force it. What else? What other vulnerabilities or spicy things came out of DEF CON? There was a lot of AI stuff. There was the big one about Apple that was kind of interesting. Did you all read through that one? It was like, basically Apple sends information with certain apps, if they're configured in a certain way, send cleartext information. By cleartext I mean like not end to end encrypted information to Apple for processing. It's not a crazy vulnerability. It's a pretty minor information leakage. But depending on what you're transcribing, it could be, yeah, that's the right article. There's a few different articles that are sort of the same thing, but yeah, this is the main one. The summary of this one is if you use SiriKit, which is a, essentially a dev kit that allows you to tie in Siri to your app, it does leak the queries that users dictate to Apple. So like if I'm in WhatsApp and I dictate a message, that message also gets sent to Apple for processing. And it's not super clear to the user why that's happening or how you can turn it off, which then leaks.
C
The contents of it. Defeating the purpose of WhatsApp.
B
Yeah, exactly. So it's like ironically, Apple originally in like February, they were like, okay, yes, we've confirmed this is a vulnerability. Then they were like, hey, actually, never mind, we disagree. But they did say they respectfully disagree, so it's fine. Yeah, they basically shifted their position, telling researchers that the transmission behavior was not a privacy issue for Apple Intelligence, but it resolved stems from their use of SiriKit. So I guess the moral of the story is don't use SiriKit. Kind of confusing messaging from Apple. They're like, we made this. It leaks data, but it's a feature. I guess I don't really understand how that's okay. Like, I guess my interpretation is they're saying like, well, SiriKit has no privacy expectation versus Apple Intelligence does. For some reason I'm like, seems like Siri should be more private than Apple Intelligence from my perspective.
A
But you just should assume you're not private anywhere anything you type on that phone. Right?
F
Yeah, I saw that for DEF CON when people were posting photos and being like, aren't the rules that you're supposed to blur out photos if you take a hallway photo of people. And somebody was like, congratulations, you're one of the five people that still care about that. Because it's just, you know, it's like, welcome to privacy and whatnot. Somebody's gonna photograph a hallway of hackers and post it online.
A
Dude. We tried to solve that at BSides San Diego. So much like we gave people like certain lanyards to say like, oh, taking a picture of me is good and taking a picture. Or like, red is good, like black is bad. And we just like, we can't use any picture ever. So we have to change our terms in order if we want to take any pictures at all.
B
I mean, I don't understand how, like, can you explain why being seen at DEFCON would be considered, like, who is living that far under a hole or under a hole?
A
I think it's. It's a legacy thing. Right? Like, who do you. Who still takes a burner phone to DEF CON, right? Like, I didn't go this year, but the Wall of Sheep, definitely 12 sheep definitely isn't as a thing as much as I believe it used to be. But half of that is it's not as scary to go to DEF CON as it once was. Right? Does that make sense? At least for me, that's what I think.
B
I mean, I agree, but part of it is tech has changed.
A
Yeah.
F
Yeah. And I think Deviant Ollam did a recent kind of breakdown on like, should I take a burner phone? How dangerous is DEF CON? It was, you know, it's a really good way of kind of bringing together that threat model, I guess. He's like, is there likely to be some zero day during DEF CON maybe? Are they going to use it on you? Really? No, they're not.
B
Yeah, there probably will be some idiot with a stingray or some like, you know, femtocell that'll get like have a three hours worth of jamming and then we'll go to jail. There'll probably be someone spamming BLE attacks on a Flipper. But yeah, I mean, the Wall of Sheep was always like, really? It was. It wasn't just an open Wi-Fi network. It wasn't anything crazy. Like, it wasn't. It was purely just public shaming. It had nothing to do with security exploitation. It was just, hey, if you connect to this Wi-Fi that's called, you know, Free DEF CON Wi-Fi or whatever, and then we're just going to post your data. But like now we have SSL. So like there is, I don't know, it's not really so much of a thing. And the amount of things you would have to do to actually get a Wall of Sheep, like to do a karma attack or an evil twin or something would be like potentially breaking the law. You know, like I get it, it's a whole thing.
A
It was definitely a thing where when DEF CON was at a hotel, right. Where there's unsuspecting people around in order to connect the things. But even now since it's at the actual convention center, everyone, almost anyone around there is going to be completely understanding of what's going on and not connect to anything or have.
B
That's a good, that's a good point. It used to be just in, it just was about Vegas and now it's much more in the convention center self isolated. People are talking about the US courts hack. That is one we should probably talk about. Basically this is not the actual court system itself but the one the like filing system which I don't super understand all the different.
F
Yeah, the PACER network.
B
Yeah, I don't, I don't understand all the different layers or how this works. But basically the electronic filing system used by the federal judiciary has been breached. It was not previously reported. So they're, you know, breaking their own rules and not publicly disclosing this breach. Yeah, essentially they, this breach started around July 4th is when they became aware of it. This is all like from confidential sources. So like who knows? But yeah, no one knows who's behind it or exactly what was leaked. Some internal insider is leaking this to the press or disclosing it to the press. But it basically it affects the core case management system which has like the electronic filings. And so you could imagine this could go very badly. Public judiciary, federal judiciary. Like this would include. Yes, public filings in addition to all the discovery documentation and stuff that lawyers would be uploading for like private, like private use. Not really designed for use by the public card. Not subject to FOIA.
F
Yeah. And I think it may have implications for confidential informants as well if it's in like a court case. I think that was one of the, that was one of the concerns. I have PACER access, like a lot of O centers do get PACER access just to be able to further look up semi public files, you know, for the public records that are more on a federal level. Able access for that.
B
Yeah, I mean anything tied specifically to a court filing is pretty bad. Like that. That could be discovery documents like you said, confidential informants, what law enforcement people are set with what cases, even like documents about whose lawyers and Whose parties and all that stuff that can be pretty sensitive. So overall it's not great.
A
Those lawyers are going to probably have all the information on the attack and what was breached and the if it was fixed already. And theoretically those lawyers are probably a lot less secure than the actual organization is in order to steal that and pivot. But that's definitely like nation state level stuff.
B
So definitely it's, I mean arguably the, you know, judiciary system is one of like the key US sovereign components. Right. Like you have the three branches of government, it's like kind of one of them. Right. It's a big deal, probably nation state, but it could also just be a ransomware threat actor who got really lucky and was hoping to get a federal payout. Although doors will be kicked down. This is not going to get, this is going to be treated very aggressively. And so, you know, if you're a ransomware threat actor, you're probably going to wish this one never came on your doorstep because it's probably going to end up not well for you. What else is going on? I guess there's a couple of other breaches we can just breeze through real quick.
A
The Google ones kind of.
B
There's a few Salesforce ones. What did you say?
A
Oh, the Google one? Yeah, the Salesforce one.
B
Yeah, there's a few Salesforce ones. Or like Chanel was Salesforce. Apparently Google was Salesforce. Was the Cisco one Salesforce too? I don't think so.
A
I didn't see that. Yeah.
B
Oh yeah, it probably is. So basically everyone's been around. Well, it says a third party cloud based customer relationship management system used by Cisco. So let's read between the logs. Yeah, it has to be Salesforce. They haven't confirmed it but like, come on. Yeah, so basically, I mean this is something that's been on our radar. The SaaS stuff is a big deal. Right. So basically these are, they're actually direct social engineering. The companies. It seems like these are kind of like unconfirmed for the most part. But Google reported or posted like a Google Threat Intelligence or whatever report about how they're targeting SaaS providers with vishing campaigns. Which is pretty crazy, but makes sense because you're abusing the relationship between, you know, the company who's paying for the product and the actual company who's like facilitating the product. UNC, we're still on UNCs. UNC6040, what we're dealing with, pretty crazy.
A
It just, it just sucks for Google because they're the ones who reported it and then they're the ones who got attacked by it and leaked. Right. Like, you do all this good work for it and then you don't even protect yourself from it.
B
So what was actually leaked? Like, the. All these Salesforce breaches are pretty. Like, it's not. It's just like names and emails and stuff. It's like people open tickets. Like CRMs in general are kind of just like not super sensitive data, but still kind of like a breach. Right?
A
Yeah. They hold all that information and all contact information for pretty much a client or customer. Right. The crazy part is they can definitely hold more than that, especially with Salesforce. Right. Salesforce is huge. And to defend it is a little bit tricky. Like, you can have. The logs are good for it, but it's tech. It's like its own ecosystem environment in there. Much like what we'll say, like almost like a browser. Even though they have apps, they have different control settings. Right. They can branch down. I know there's. There's literally whole apps within Salesforce just to secure Salesforce itself. Right. And give you more robust logs, which is crazy. The amount of data. It's more of like egg on your face, I would say. Right. Like you're now your customer. All your customer data is gone. And your customers know about it. No one really cares in the long run.
B
Yeah. I mean, it's kind of funny, like I was thinking the other day, like, when have, like I put on this shirt and it's like Spear Phishing Social Club. I'm like, when, if, when's the last time we actually did spear phishing? Like, honestly, I don't. We don't do it a lot because social engineering phone calls just work so much better these days. I don't know. Yeah, I mean, I think, like, not to say that we've completely solved phishing. It can still happen. But like, really, it's crazy how so many hacks these days are from social engineering, phone calls and social engineering and vishing versus, you know, phishing.
A
I can't believe people even pick up their phones, though. Like, I never pick up my phone unless the contact comes up and says exactly who they are. And if, even if it does and it's like a different. Like, even if there is some type of caller ID and I don't know who that is. I'm just sending them to voicemail. I send everyone to voicemail. Voicemail. And then if it sounds sure, I think they'll email me.
B
I totally agree. But there are people who spend all day talking to people on the phone and answer their phones all the time.
F
Yeah, like targeting, like the IT support staff in the. Yeah. If somebody calls from a number, you're supposed to. If somebody calls your work phone, you're supposed to answer it. You know, those types of people. And also, you know, caller ID, you know, could be one of the things to where they spoof a number or they just spoof like one off of a number going like, well, okay, it's an extension, that one off from within our building or somebody that you expect a call from.
E
Somebody once told me that, like, if you just pick up, right, and you just don't say anything. Like, I pick up and put them on mute. Like, sometimes I play like Jingle Bells, but when I don't do that and then we put them on mute and I just wait for them to hang up and then block. And somebody told me that that sort of sends a signal that they don't know that they have a working number, so they. They won't try again. I don't know.
B
Yeah, I don't know. I will say one of the interesting things, like, I think iOS 26 is coming out later this year and one of the features it has is like AI call screening. So it'll like, you know, actually be like, hi, this is Siri. You're trying to reach. Insert name here. What is the nature of your problem? Like, I don't. I'm curious to see. And I. Is. I don't know. Already on Android. I was going to say, I assume Google already has.
A
Yeah, it's already. And I've used it before and people usually just hang up. Yeah, I have it. I've enabled it, I've used it. And people literally just hang up afterwards 90% of the time. But I just don't answer anything. I'd rather do that.
B
Yeah, no, I agree. I just. It'll be interesting to see if the AI call screening really affects. Like, if that's rolled out to everyone, if that's going to be, you know, a thing. Like, is that going to reduce phishing? I think a lot of it is also, like work numbers. You know, people are calling people's office phone numbers. There's a lot of, you know, how.
A
Do we get rid of telephones? Right. Like, that's the thing. They're just so you laugh. But I'm like, every time I talk to people, I try to get them to move to Signal and I'm probably successful half the time. I'd rather have some voice calls on Signal.
B
Dude, there.
A
There is no there. There is. Right. But at least there's a, some form of secure, a little bit of security there rather and like tying to people like I feel like the phone, true, the phone is still just the wild west, right. And the FCC, that's who controls the phone, I believe just doesn't care anymore. And there's all these just. It's legacy tech going crazy.
B
Yeah, yeah, I mean I will say they have, they've done some stuff. They've implemented like the text messaging like SSS7 or whatever. I forget what it's called. Or basically they have like, they have tried to help with robo dialing but at the end of the day like the way that companies do VoIP is pretty just a disaster. And so they don't want to block legitimate uses of like, you know, number spoofing is a feature. It's kind of like a Microsoft scenario where like a lot of the things that they would probably restrict down, like you have to have verified caller ID, you have to have this would block a lot of companies from doing business the way that they do by like, you know, if, if your ISP calls you, they might be spoofing that number so that they don't, you know, call you from their real number. They're probably spoofing like the main help desk number line or things like that. So it's, it's. I don't know, we'll see. But I think the part of the reason it still works is because the outdated systems are still things that companies rely upon.
A
Do you, do you see, have you seen like a decrease in VoIP as, like, as at organizations? I have, but I don't look at it as many organizations.
B
No, I think it's more, I think yeah, you have less. So it's all, it's all SaaS or you know, service provider now. But yeah, I mean we see VoIP all the time. Like the companies that have like integrated customer management systems, that's super common. Like the ability for someone to take, let's say you like a bank or something for the one person to take a call on their mobile or on their desktop or on their desk phone and then have that information shared with other people. What the call was, how long it was like that's like big companies are doing that really heavily for phone based, for phone based communications.
A
My first job which was managed security provider, right. Like we all had our VoIP line. You had to, you came in the SOC, you logged into your phone and you're good to go. The second job was actually like that too, but it was an in. Like an in house SOC, but we still had to log into our VoIP after that. I haven't had like that was 2017, so it's been seven years. Almost no one's issued me any type of VoIP. It's always over like Slack or Teams. But once again I'm not as customer facing as.
B
I mean you're right. So you're right that things have moved that way. But guess who uses Teams for vishing. Scattered Spider, dude. Like Scattered Spider. Scattered Spider has done a ton of Teams vishing to direct users and they basically just call them as a Teams account that looks like, you know, company IT help desk and you know, people answer the phone wherever they're used to answering the phone. Like that's probably led to hundreds of millions of dollars in ransoms. And yeah, Teams is VoIP. Like at least in my opinion it's kind of the same thing. Like, especially if you have like the VoIP license on Teams which allows you to have like a dial in number and stuff. It's like definitely VoIP. But yeah, I mean I think it's interesting that you're. I think it is your point still stands, which is how is this the most common threat vector in 2025 when no one in 2025 wants to answer their phone? Just as a general cultural thing. Yeah, it's a fun little mix of like everyone hates this, but it works well because. Works well. The second people answer their phones they are on the back foot and they're like scared.
C
Yeah, I'll agree, like doing social engineering calls is not fun now because no one either answers their phone or the controls that are in. Everyone's using VoIP over Teams. And so even if you're phishing or you know, losing the right number, it still pops up as external and it's just.
B
Yeah, what you're going to want to do is phish on Teams. Problem solving.
C
I know, right? We have been exploring that.
B
But yeah, it does.
A
I will say, like I was going to say maybe someone in chat because I know none of us went to DEF CON, the social engineering village. Do they, like, how are they using this? Because I remember last year they actually competed against an AI and the AI, I think, I believe won. But are they, are they doing Teams calls in the booth type of deal? Does anyone remember?
B
Yeah, I mean, I think the targets are. I don't know. I mean I only know because AUB is doing it. So I talked to him a little bit. But basically I think they're targeting people who would have retail and like would be answering the phone. They're not targeting just like random people. I think for the most part.
F
Yeah. And I think also for the competition, like the contestants have to do the research ahead of time in order to be selected. So they're going to do a lot of the pre research and say, hey, I want you to call this number. It's like, okay, call the second number on the list that I put together as a contestant for it. Now they, I think they do cold calls though, so that might not be true anymore.
B
Yeah, I mean, obviously if you're. You don't want to waste your time trying to get people to answer the phone. You want to have your targets be people who typically, you know, answer the phone. Enough hacks. What else happened? Unless there's any other hacks. There's a bunch of Salesforce hacks.
C
Can we talk about the bug bounty thing that Google is saying it's doing, the Google AI-powered bug bounty, or we're not late enough yet to talk about AI stuff?
B
No, I don't.
A
John isn't here. We can talk about it right now.
B
It's AI.
C
Yeah. AI powered bug bounty hunter has just reported its first batch of security vulnerabilities.
B
Yeah. Are they real?
C
Right, well, how many of these have been identified already and reported? But the thing that I was thinking is how is this going to change bug bounty hunting?
E
Well, XBOW, during, during DEF CON, they're second now. But XBOW, the automated, you know, their, their bug bounty is they have some humans behind it, but it's pretty much all automated. And they were number one on HackerOne right now. They're number two. But yeah, they. It's. It's coming. It's definitely coming. It's making progress.
B
I mean, it seems to me like if you're a bug bounty hunter and you're not pretty heavily using AI, I feel like you're doing it wrong. Like, just because bug bounty hunting is all about scale and AI does pretty well with scale and it's also like, would you rather have an AI like gaslight you about a vulnerability that's pretty easy to figure out if it's false or true, or would you rather go the other way around and like try to manually find stuff? I mean, I think this will be a pretty. I think this will be a thing and kind of like a standard procedure going forward.
A
This is, this is coming from a far note, but I have found that a lot of the best bug hunters aren't US-based either. Right. So they're coming from other countries where the US dollar is a lot stronger and they're hitting all these applications and actually making good money on it within their country. If this like took off, it would definitely hurt like external researchers in non-first-world countries pretty hard. Which is a weird economic thought about it, I guess.
B
But you know that they're going to be using these tools as well, right? Yeah, like, I mean, I don't know. I also one of the articles which was just an ad so I didn't really want to talk about it, but Anthropic is like you know, kind of advertising this Claude Code product that can do security reviews. So like I don't. Presumably if you pay 20 bucks a month you can have your own AI. Don't they all do this now though?
A
Like Copilot does this, GitHub. Like they all do it right, but they all do. Have you used it a lot? No, I will admit I have. I used this today. Not Anthropic's but a different one today. So I found it to be fairly good. Yeah, it worked out. It told me, it told me exactly what was wrong in the merge request and I had to go make some fixes to some things. Uh, and it was security related which was also awesome.
B
Yeah, no, I, I definitely think it's, I mean it's like we've said, I mean I said this at the beginning of the AI hype cycle. AI is not replacing anyone's job, but people who can use AI will replace people who refuse to use AI. You know what I mean? Like it's a tool. You can't just not use a tool. This is like me being like, I don't use Burp Suite, I just look at the requests manually, like okay, am I going to be able to find vulnerabilities? Yeah. But am I going to be working at 25% of the speed of everyone else also? Yeah, so like I feel like you're better off, you know, use AI, validate the results. I feel bad for all the people who are going to have to read all the AI slop generated bug bounty reports. Although ironically they'll probably just have an AI read their AI report. It's just AI all the way down something gets. But are they going to communicate in.
C
That AI language that supposedly exists between.
B
That's only for voice. That's only for voice.
C
Well for now.
B
Yeah, you, you imagine you're like HackerOne or something. You open up a vulnerability report that paid out a hundred thousand dollar bounty and it's just a bunch of like AI blah, blah, blah, like nothing. It's just like what, what vulnerability is this? How did we, who did we pay for what bug? And it's just like a bunch of.
F
AI. Back there was a spin-off article from the one we linked that talked about like the fake reports and it's just, the AI is just hallucinating things, it hallucinated vulnerabilities and it's like it sounds, you know, technically accurate and then it's like, oh, we like, we don't know, we don't use this technology, the package doesn't even exist. Like what, you're making up things that they have in their environment.
B
The main, yeah, the main AI is like, hey, I found a vulnerability in this component that I also made up. It's like, yeah, okay, thank you. I mean I think at the very least if you're a bug bounty hunter, I'm curious how much customization went into Google's model, like how much training and kind of like classification and extra stuff they did or if they just use their own kind of generic tools, use AI for bug bounty hunting. It's fantastic at it. One of the things we're exploring is using AI to write PoCs for vulnerabilities. You know, like basically giving it saying AI. Here's like 15 different GitHub scripts we found for a vulnerability. Are any of these, are they malicious? Are they, you know, are they legitimate? Can you turn this into a PoC that will actually work? That's like kind of where we're exploring it, but we're not really.
C
I've been using multiple on tests to analyze GitHub projects that I've been finding. Can you walk through this, see which step may potentially be malicious in the project, Highlight it for me. Like I make it, spell it out to me because I want it to catch itself in the process of potentially screwing up. Just still is not great.
B
Yeah, I mean I think it's interesting. It's definitely worth a shot for bug hunting and software review. I mean especially because like the scale of software nowadays, first of all, it's probably all AI generated to begin with. But second of all, it's definitely, you know, there's so much code to go through. Like a human doing it manually is like so really difficult and expensive.
A
I don't write anything anymore. I gave, I gave a ChatGPT project my, like all of my writing from the past 10 years. I just like export a Google Drive and then I just have it write my language for me. There's spelling errors and grammar errors all throughout it.
B
Nobody will know. Do you use en dashes a lot?
A
No, not a single em dash.
B
Yeah, classic. Did you read the Flipper one vulnerabilities? The Flipper one?
A
The Flipper one seems cool. Yeah. Like, I've only read this article. There's a YouTube video of it pretty much. There's a new firmware version through the link in the chat.
B
Okay, I see it.
A
Yeah, there's a new firmware version out there that lets you bypass rolling codes for cars. So one of the first things I wanted to use my Flipper for was to actually open my garage, and my garage has rolling codes, and no one had broken it yet, so I couldn't do anything. But it seems like people are able to now do it with a couple different cognitive cars. It looks like Chrysler, Dodge, Fiat, Ford, Hyundai, Jeep, Kia, Mitsubishi, and Subaru are all affected.
B
They're just all of the big ones.
A
All the big ones for once. No, there's no German car in there, though. Congrats on that.
B
Well, those already. Those already got hacked another way. Yeah.
A
I wish they actually said what year and model, but I don't see that in the article.
B
Yeah, I was gonna say, I'm assuming these are older vehicles. I mean, at least the. The vehicle in the video is like a Ford Focus, which has been discontinued since the 20, I don't know, 2000s or something. I'm guessing this is older vehicles. But, I mean, I could also see car technology doesn't change super fast because it costs billions to change it.
A
Yeah.
B
I mean, I wonder, like, can you even patch some of this? Probably not. So I guess park your car in a Faraday cage.
F
Yeah, I don't want to.
B
What you got to do is. Yeah, go ahead.
F
I think that this technique has been done with more complex equipment in the past.
B
Yeah, totally.
F
And as I really. What I'm thinking is just going to happen from this is more people are just going to kind of brick their cars. Because with my limited experience in rolling codes, when you get them. When you get them out of sync using, like a HackRF or something, you can open them. But then it's like, okay, cool, that was a fun little demo. Now I want to go home.
B
And.
F
Well, now your regular key fob doesn't.
B
Work anymore because it rolled off the end of the range it was supposed to be using.
F
Yeah, it was like, okay, so now the only way I can unlock my car is maybe with some laptop on a HackRF. Or you have to go through the process and restart synchronizing them.
A
Thank you. For reminding me that I am no longer going to go downstairs and try to hack my Subaru just because of that.
F
Yeah. People that do this without understanding what's going on, and then it's like, oh, wait, now my, my flipper is able to lock and unlock my car. Cool. But none of my regular devices are able to do that anymore.
B
Yeah.
F
I mean, this is a rundown battery. You can't unlock your car.
B
Having a flipper be the key to your car is the most, like, cyberpunk thing I've ever heard.
C
I mean, it's cheaper than buying a new key.
A
So how much, how much are flippers nowadays?
B
Is it 200 bucks? Yeah, I was gonna say, is that cheaper? It depends on how fancy your car is. It's cheaper.
C
I think the last one I got for another key fob for my car was like 250 or 300.
A
You know, it's interesting. Like, my sister had a Mercedes, and it was like a Mercedes SUV and they stopped making the key. So, like, they're like, hey, don't lose that key. The manufacturer has gone out of business, and we can't make you another one. When you lose that key, this car is dead. And we're like, what?
B
So what about. So that's when you need two bad. That's when you need the flipper. You need a flipper.
E
That's when you call Deviant.
B
Yeah. That's insane. I mean, the car thing we've talked about a few times over the years, but they're tricky because, I mean, arguably we've, We've even talked on this show about people stealing cars with, like, signal amplifiers and repeaters. Right. Like, if you put your keys by the door, and I have a single. I have a signal amplifier that makes it think. That makes the car think. The keys right in the. You know, that's an easy way to steal a car. Easy. You know, easy relative term. But we've seen people steal cars that way. That's going to work against any security based, like, there's no real way around that other than putting your keys into a Faraday cage or whatever. But, yeah, I mean, I don't know. I, I, this is where, like, it gets into, like, certain vehicles that have, like, a pin code to use them or things like that. It's actually kind of cool, conceptually.
A
You're gonna need MFA for your car pretty soon. You're gonna have to have your phone and give it a pass key.
B
Yeah. Honestly, yeah. Although I will say, like, nowadays with cars, like, I don't know if this definitely applies to Teslas and other like modern cars. I don't know if it applies to these, but like they're like remotely tracked so aggressively and like cameras everywhere. Like even though you could probably steal it by just stealing someone's phone and then walking up to the car and you could get in it and drive it. Like it would. All of that would be on video. The car's location is tracked in real time. Like once it gets reported stolen, it would be pretty trivially easy to like go and get that car back. So I get why those kinds of cars aren't stolen that commonly you say.
A
That not living close to a border. So that happens all the time. Down like a car immediately gets stolen, immediately driven across the border. Boom. It's gone forever. Right.
B
How are they getting across the border with someone else's car? I guess they must have.
A
They don't check the car. Getting into Mexico is the easy part. It's getting back from Mexico is the hard part. I'm gonna tell you that right now. There's like lines. All right.
F
You're gonna end up as a quote to you. Someone just gets to Beamify that and be like, please, please.
A
I would love to have that as a quote.
F
Spoken from experience.
B
I. I just bought this Tesla. I'm. Why doesn't it have plates? Don't ask.
D
I've got a related, unrelated story about that because there's. I saw an article not long ago about OnStar was helping the police slow down a car remotely.
B
Yeah.
D
Which is like you just. That's the fact that that ability exists or they're using it for quote unquote good. But that means some. Somehow somebody can find a way to get into that and use it for. Not good.
B
Oh, 100. Yeah. I mean, yeah.
F
I've heard of someone brag about playing Tetris with the cars going down the strip at Vegas. Hypothetically being able to let them start and stop. But again that may also just be like.
B
That's the c. Whoever said that is the CEO who's now in jail with four of his engineers. Yeah.
F
I'm like, I don't, I don't know about. I don't know about that. Are you standing on the bridge?
C
My 20 year old car forever now?
B
Yeah. I was going to say that. Yeah. Let's steal cars the old way with lock picking and hot wiring instead of RFID stuff.
F
Yeah. 30 pound wrench method for getting access to a car.
B
Yeah.
F
Like, hey, I have a 30 pound. I have a really big wrench. Give me your keys.
B
Okay. Yeah, that works every time.
C
Like I said in chat, if you're gonna steal it, total it, please. Thanks.
A
This really makes me think about modern day chop shops if, like I would. If modern day chop shops are definitely gonna be giant Faraday cages. Right. In order to block out all signal, you're gonna have to do something to transfer it because like people, when people think about stealing cars, most of the time people are thinking like, oh, they're gonna go sell it. No, they immediately take it into a shop somewhere, piece it completely. They know where all the, where all the VIN numbers are. They take out the gas, anything about it just immediately disperses and it becomes a nothing real quick. So how could you do that to modern day cars and not be tracked? Is definitely a cool problem that I want to know and I know it's being done.
B
Yeah, I mean, I guess just go on eBay and type Tesla battery and see what results you get.
A
Right, right.
B
Yeah. I mean, yeah. I feel like it would still be easy though with cars that have real time tracking, like a Tesla. You could just see like, okay, when did the signal die? Okay, that's where the car is. Right. Like, they're so reliable nowadays with their like, you know, wiretapping or whatever they're doing.
F
Yeah. I think, I fear that if we say Tesla too many more times on this webcast that like, then when we're in a Tesla, it will just get remotely shut. It shut down for not complying with the cease and desist. I don't know if you saw that news story or saw that individual.
B
No, please hit live.
A
Where is it?
F
Please share, please. No, I have no idea where to particularly find it quickly enough, but it was some. As I recall, it's some musician that was in a spat with Elon for. They did a song called Cybertruck and it's like, hey, they like the vehicle. They own one. And apparently after numerous like cease and desist, he posted a video of like, okay, it's now shut down in the middle of the road. Like they just probably said, you know, hey, you know, kill it, please.
B
Please swipe your credit card to continue driving.
F
Well, it seemed like it was one to where it's like you had all those legal letters back and forth were like, hey, knock it off. And he's like, no, I'm gonna just keep singing.
B
So it seems like the comments say that this is a hoax. Unfortunately, it is.
F
Well, there's a pattern. I mean, the back and forth.
B
Yeah. I don't know, it's funny to imagine that basically it started from a thread and seems like it might be a hoax.
A
There's the. I just posted the thread in there. That. That's hilarious, though.
B
Have you.
A
Has anyone else been in a Cybertruck? They're like, the best way to. They're so spartan, right? Like, there's nothing in them. And it's not the best. Like, and they don't even have a garage door opener. You have to pay for an app to. To open your garage door with the Cybertruck. I thought that was hilarious.
F
The stainless steel on it looks. It looks horrible. But you can. You can get a wrap so that instead of like, okay, you have to pay. I don't even know how much, like, a wrap cost, but you have to pay, like thousands of dollars more just to have your vehicle, you know, not look like one of those, like, steel urinals from, like, having, like, the major cities.
B
I'm surprised you can't, like, pay a subscription fee to change your color of your car. And then if paying it, they just come and take your car away.
A
That's scary. Don't, don't. Don't say that out loud. That sounds like something someone's gonna do now.
D
BMW will try it at some point.
B
Oh, one of the fun things we should maybe talk about is this LegalPwn thing, which basically it's a. An attack on AI and I'm sorry, we're gonna go back to AI Corner. Basically, it tricks generative AI tools into misclassifying malware as safe code. And the way that it does it is that they disguise the malicious code as legal disclaimers, which is pretty funny. Like terms of service and copyright clauses, compliance statements, license agreements. There's a little graphic on the. On the blog that kind of outlines what tools are vulnerable to it. The ones that are kind of interesting if you keep going, Ryan. The only ones that are kind of, I guess Grok and Gemini are the main ones. Anthropic's tools are not affected. Neither are ChatGPT's or Meta's or OpenAI. So it's pretty much just Google's Gemini models and then the Grok models. So I don't know, it's just a funny attack. It's like, I would guess it's going to be a while before we have reliable malware identification with generative AI. Just because it's, you know, this problem of like, there's so many edge cases of like, the AI is just really complicated and getting it to accurately do things repeatably is really tricky.
A
Well, you said it, Corey and I willed it into being. So here you go. Microsoft launches Project IRE to autonomously classify AI using AI tools.
B
You mean classify malware using AI tools? Yeah, if it's anything like Windows Defender, it should be really good, right?
A
I wonder. So I'm writing an article first right now, and I'm trying to use all the lyrics from Know Your Enemy by Rage Against the Machine inside the article as I write it. And so I asked ChatGPT to help me write this. And yes, it is. It's an article about like threat actors. So that's why it's called Know Your Enemy. And it did not want to use it. Like, it. It will not. I. I pasted them like, hey, use these lyrics. Like, I want to put these in there. Like, no, we can't use these lyrics. We know they're copyrighted. All this. And I'm like, yeah, really, right now. So I'm just gonna put lyrics from these songs in my stuff and in all my malware so then AI won't look at it. It's easy.
B
So are you telling me I should have AI read a bunch of blogs and find the hidden songs therein?
A
Maybe. Do other people do this or is it just me? I thought it was just me thing.
B
That's what we're saying. That's what we're saying. We don't know. So one of the someone in chat said the false negative rate is over 60%. That's pretty good. It's better than Defender.
A
That's just burnout waiting to happen. That's what I see that as.
B
And for the people asking if we have chicken news, we don't. There's no chicken news this week. I can't believe it's such a slow news week with all the DEF CON stuff, but I guess it also kind of makes sense. Maybe next week will be spicy. Maybe all the reporters just have all these spicy articles just waiting to be published on their laptops and they're currently on planes flying home, you know, or.
C
And maybe, maybe just, you know, listen to this. Maybe DEF CON is not all it used to be.
A
So.
B
Or maybe they all wanted their bug bounty payouts before they went public. Which is the smart.
C
Yeah, that's.
B
It just means you're smart. That's the smart way to do it. Yeah. Oh, okay. One more AI article to close it out. The. Basically there's a vulnerability in ChatGPT's connectors feature that lets you essentially like zero-click information disclosure where essentially if I have my ChatGPT linked to my Gmail, you can send me a document that my ChatGPT will process and then you can use that essentially as like a phish. You. You can phish my AI and get back sensitive information out of my Google Drive. So I guess really it is kind of funny if you think about AI, like a. An intern who maybe had a few too many drinks. That's kind of the same thing. It's like, hey, AI, go hunting through my Google Drive and find anything labeled password or secret and send it back if you find it. It's a feature, I guess.
F
Yeah. Now that one was. Was patched before disclosure as well. So I saw that. Oh, it has a vulnerability. And it's like, no, it had. Had a vulnerability.
B
Yeah. And it's in this tool that ChatGPT connectors is something you have to opt into. So you have to like configure this if you're. If you're granting like agentic keys to your entire Google account to AI. I kind of think you're asking for this a little bit, but I guess at the same time that's how it works now. You do that and you just hope for the best. That seems sketch.
A
Just so everyone knows out there too. If you like ask AI a question and they provide you resources with like I always ask, hey, provide me the resources and the link so then I can go read them. ChatGPT tells on you and puts that it forwarded to you in the URL. So don't just straight copy paste that, read it and then send it to somebody else. Unless you want them to know or you don't care they know you're using ChatGPT. That happened to me today.
B
You were like, check out this link. Someone's like, did you just find this with AI? You cheater, dude.
A
I pasted it and then I looked at it. I'm like, why does it say ChatGPT in this? And then I'm like, it just completely told on me. Like I was using like deep research, but it was quite funny.
B
Sure. The deep research is hilarious. I'll be like, what's there between apples and oranges? And it's like 480 sources identified. I'm like, I don't think. Think that might be enough. Like, I don't think you need that many sources to confirm the difference between apples and oranges. Like, it's really cut and dry. Like three sources. The Wikipedia page for apples. The Wikipedia page for oranges. That's really all you need. Yeah. Any other final articles? There's no chicken news, sadly. Yeah. So I mean, any other article related. True. The poultry industry is really popping off.
A
Does anyone from the chat have a good article they want us to look at real quick? Because I wonder, I wonder if the news is like if DEF CON too is being affected by the current administration. Do you think there's people coming not going to DEF CON due to. Someone mentioned this in chat? Due to ICE? No, due to ICE.
F
Maybe there's a lot of now like New York Times and similar. You know, news outlets have said that, you know, that visiting Vegas is down because of that. That's them doing stories. I don't know if that's also translated into DEF CON, seeing their numbers be low for the pre-reg.
B
I mean, we know that tourism in general is down to the United States, just globally across the board, not just for DEF CON. Apparently a lot of people gave feedback that DEF CON felt pretty empty and was pretty tame. Chill, less drunk people, less chaos. I think part of that is just moving it to the north end of the strip. Like it's just a more chill location with more space and less chaos. You know, there's not like 80 different opportunities to buy daiquiris on your walk from your hotel to your conference. And I think that affects it. But I also. Yeah, I mean, maybe that global tourism, or at least US-based tourism is significantly down for whatever. You know, I don't know. Who knows why. I think we all.
C
There's also a lot of other conferences that are just as good, if not better, in my opinion. And a lot of people that wanted to go to DEF CON have gone. And so they're like, I'm not going to go back here again because this wasn't worth it or it was too chaotic or whatever the reasoning is. Like me, for example. I hadn't been in 10 years and I don't really have any intentions of going back because it was absolute mass chaos.
B
It sounds like that those days are over. So maybe people want that back. I don't know.
C
Maybe I'll go back.
A
I go to see friends. That's what I said before.
B
Totally.
A
It's. That's the only reason. The security part is fine. Look. Look at, look at people spamming Wild West Hackin' Fest. Isn't it already sold out? Like, why even. Why even post it? Like, I'm just gonna give everyone FOMO.
F
Zach, they're talking about Denver too.
A
Yeah, okay. Okay.
B
Which I guess I think there's still a few. I think there's still some tickets available for. For Deadwood, but not many. I could be wrong.
D
It's very close to being sold out if there's anything left.
B
Yeah, I mean someone posted the Dell article there. There's a firmware vulnerability that basically, the long story short is patch your Dell laptops if you have one. There was some interesting, essentially from user land, exploitable key storage and stuff. So if you have Dell, patch your stuff. I don't know how common Dell is these days. Seems like a lot more people use ThinkPads.
F
But I don't know, it depends on the state of your business. Regardless, your employer. I saw something that tracks that. If you have a now your job is good. Well, you get three warnings and then you're gone. If you get issued a Mac, your job is safe until the next round of funding. And if you get a ThinkPad, you're like, yeah, as long as you don't otherwise screw up, you're set for the next 10 years.
B
So you're saying if I have a Dell I'm going to get fired anyway, so I might as well just not patch the firmware?
F
Yeah, it could be. It's like, you know companies that issue Dells or the stricter ones to where they're like, yeah, no, you're expendable.
A
Doesn't your company issue Dells?
F
I.
B
Maybe he wants to be expendable. Honestly, you never know.
F
I don't think I can push past three warnings with my current employer anyways, so.
B
All right, I think that's as good a place as any to call it. Welcome back from Hacker Summer Camp, everyone, and we'll see you next week.
Below is a detailed summary of the episode “DEF CON RECAP – 2025-08-11” of Talkin’ About [Infosec] News, hosted by Black Hills Information Security. The episode weaves together personal career updates, commentary on pop culture (including a tongue-in-cheek take on a new War of the Worlds movie), reviews of emerging vulnerabilities, coverage of recent breaches, and lively discussions about the evolving roles of artificial intelligence and social engineering in the infosec world. The hosts share humorous banter and deep technical insights while discussing news from DEF CON, bug bounty trends, telephone and car security, as well as AI’s impact on vulnerability research.
────────────────────────────── 2. The "War of the Worlds" Cybersecurity Parody ──────────────────────────────
• [02:28–03:00] The hosts turn their conversation to a new War of the Worlds movie featuring Ice Cube in a cyber-security-flavored narrative:

────────────────────────────── 3. In-Depth Vulnerability & Breach Discussions ──────────────────────────────
A major portion of the episode focuses on technical vulnerabilities and breach news from the field:
• HTTP/1.1 Desync & Request Smuggling
• Federal Judiciary Filing System Breach
• SaaS Provider & Social Engineering Attacks

────────────────────────────── 4. DEF CON, Conferences, and Shifts in Social Engineering ──────────────────────────────
• DEF CON Experience and Changing Dynamics

────────────────────────────── 5. Automotive & IoT Security Concerns ──────────────────────────────
• Car Hacking & Flipper Device Vulnerabilities

────────────────────────────── 6. AI in Bug Bounty Hunting & Generative AI Vulnerabilities ──────────────────────────────
• AI-Powered Bug Bounty Platforms

────────────────────────────── 7. Final Thoughts & Wrap-Up ──────────────────────────────
• Late in the episode [52:47–58:09], the discussion turns to miscellaneous vulnerability news including:

────────────────────────────── Notable Quotes & Timestamps ──────────────────────────────
• [00:01, Speaker A]: "You're gonna lose… I'm gonna go back to the forest service and just do logging, but in a different format."
• [02:33, Speaker A]: "It's literally War of the Worlds but it's just as if this dude on a monitor is the way you're viewing it. Like, it's horrible."
• [04:03, Speaker B]: "It's number three right now on Amazon's in the U.S. all right, 3% on Rotten Tomatoes."
• [11:12, Speaker A]: "My first thought is like, oh yeah, WAF should be able to take care of this …"
• [24:08, Speaker A]: "I never pick up my phone… I just send everyone to voicemail."
• [35:55, Speaker B]: "I said it at the beginning of the AI hype cycle. AI is not replacing anyone's job, but people who can use AI will replace people who refuse to use AI."
• [41:05, Speaker A]: "Thank you. For reminding me that I am no longer going to go downstairs and try to hack my Subaru just because of that."
• [51:02, Speaker A]: "Microsoft launches Project IRE to autonomously classify AI using AI tools." (a playful jab at current trends)

────────────────────────────── Conclusion ──────────────────────────────
The episode blends humor with serious analysis as the hosts discuss everything from career musings and cinematic cyber absurdities to deep dives into vulnerabilities affecting HTTP protocols, judiciary filing systems, and automotive security. They also explore how AI is reshaping bug bounty hunting and threat analysis, even poking fun at copyright limitations. Listeners are left with an engaging mix of technical insight, industry updates, and self-deprecating humor typical of Black Hills Information Security.
This summary should serve as a comprehensive guide for those who haven't listened, capturing the key discussion points, technical insights, and memorable moments peppered throughout this wide-ranging and lively broadcast.