Loading summary
Ryan
Welcome to another episode of.
Tim
Wait.
Ryan
Government Topics. We disclose government secrets on a podcast. Wait, no, that's a different. That's a different show we do.
Tim
Sorry, is this the Murder Mystery podcast?
Ryan
Welcome to another True Crime edition of Black Hills Information Security. Talking about news. Are these crimes true? We'll find out when any of this stuff gets prosecuted.
John
Welcome to the Murder and Mystery podcast. All right, all right.
Ryan
We're testing some fountain pens today.
Tim
Oh, wait, that's the other podcast actually in South Dakota. What's that? Are you actually in South Dakota?
John
I am.
Tim
That's pretty weird. I heard you were teaching, so I guess you're teaching in South Dakota.
John
I am, which is strange. It's very weird being here. Super weird.
Tim
I don't know that it should feel weird being where you live. That sounds.
John
That's the Joe Walsh song. Life's Been Good to Me. It's like, says something. I got a house, Gold records on the wall. Or. No, wait, it's something like, I've never been there. They told me it's nice. Like, he's got, like.
Corey
Oh, yeah, yeah.
John
I've got a mansion. I've never been. They told me it's nice. Yeah. So that's. That's how I feel sometimes. Like, you know, people will send me pictures and be like, here's your house. It misses you. It's.
Ryan
Google Photos is just trying to make you feel homesick. It's like, oh, they do that all day. Yeah.
John
You're sitting there on a train in Europe and you're watching the Google photo where it has the music going and you're crying. You're like, oh, my God. Look, I had a family.
Tim
Apple does the same thing.
John
But I'm in the home studio, which is cool. Hey, Ryan. Yeah? Linux shit worked today. What?
Tim
Nice.
John
Yeah, no, Tim, I tried switching everything over to Linux because I got a really nice thin carbon x1, and it was supposed to have a high definition camera and all this shit and worked fine with Fedora for like, I don't know, a month. I was doing my classes and stuff. And then while I'm overseas. No, no, not while I'm overseas. Intermittent. While I was in Baltimore, it, like, crapped the bed hard. Like, all of a sudden, camera was crashing every 15 minutes and microphone was shitty. It was. It got ugly, man.
Tim
All of a sudden, you didn't update and it overwrote some driver that was dependent on something else. And that is the man.
Corey
But that's the next year presenting from Linux. Like, that is like, don't the history yes.
Ryan
This isn't the guys. You know there's a whole news article about this, right? Oh, is it save your hot takes? Oh, no. There's multiple municipalities in Europe that are like, we're ditching Microsoft, we're switching.
John
That.
Tim
I mean, if you don't do any like actual.
Ryan
All right, great.
John
No, it's a thing. It's a thing.
Corey
LibreOffice is the worst.
John
Well, and that's one of the things that always pisses me off because you have people like, what do we need to do to make Linux acceptable to people? Make it compatible with Adobe products and Office. That's it. That's all you gotta do. You do those two things, you win today.
Tim
Run teams. I know it sucks, but I have to, right?
John
No, and I run teams on Linux with Microsoft Edge on Linux and it works just fine.
Tim
Well, so the last time I tried this, and it was will be the last time unless like somehow Mac goes away. The last time I tried it worked fine for a bit and then all of a sudden when I went to go screen Share, like it was just, it's too boring. Nobody could read it.
John
It's just done. Yeah, like, well, I, I, I don't, I don't know. But like, like I said and instead of the people at LibreOffice just making sure that their compatible with Office, what they do is like, we're going to create a new open standard for Word documents and spreadsheets. So we're going to that wheel and we're going to make it an open standard that anybody can contribute to. It's like, screw you, stop.
Tim
Yeah, so for the run it in the browser crowd, okay, fine. But I had at the time, again, this is a couple of years ago, I had to run it in Chrome. Now if I'm going to be running Linux, I don't want to have to put Chrome on it. Right. Like, kind of defeats the whole purpose of going to Linux. Right?
John
Yeah.
Ryan
All right, hold a finger.
John
No, we should do, we should do this.
Ryan
We should, we could do a podcast about these fun topics.
John
It. Hello and welcome to another edition of Black Hills Information Security. Talking about news. In this particular episode, we're going to complain about Linux, which is purely designed to calm people and bring the temperature down in the operating system wars as people are moving away from Microsoft, apparently in Europe, we're also going to be talking about some really cool smart attacks. Smartwatches, Frog Fog Fog, Ransomware, employee monitoring tool to break into networks and all kinds of stuff with discord. But we were talking about it before the show, let's continue. We have two different stories that are kind of the same thing. We're done with teams. We German state hits uninstall on Microsoft and I think it's directly tied to Denmark, wants to dump Microsoft software for Linux and LibreOffice.
Ryan
And they've already done it. The German state has already switched. Like the both of them have already switched away and have been using LibreOffice for like a year. And now they're going to roll, they're getting rid of teams. The thing that actually before the show I spent a decent amount of time like trying to dig because neither article, they say, like, we're done with teams. Like, the quote's right there. Speaking on a video call via an open source German program, I was like, what program? Because from my perspective, I get ditching Word and Excel. Okay, I can understand it. There's direct replacements. What's the open source chat application that replaces teams?
Corey
And on top of that they say of course, like, we should all know.
John
Of course.
Ryan
I don't know. I'm really curious. Like, I totally understand the thing. I don't like the. If you're looking at like your open source, like matrix, what's covered and what's not covered. Document editing is not that complicated. You have cloud apps, you have, you know, LibreOffice, you have all that good stuff, which, I mean, we can get into details about how good it actually is. Maybe not so good, but with like real time meetings. I mean, what is this city? Or it's like a state in northern Germany that we're talking about, which I won't try to pronounce for the sake of my own sanity, but basically what are they using to like have 30,000 people being able to chat with each other in real time? That's open source.
John
Irc.
Ryan
Irc?
John
No, irc. No, I just.
Ryan
How do you share your screen with irc? I don't think you can do that. Don't.
John
That's the best part.
Ryan
Did you just use ascii? You just keep pasting ASCII with what your screen looks like.
John
Yeah, so, okay, but it does bring up what is the app that they use. Like you said that you looked into it, trying to figure out what the was. What the hell is the app that they're using?
Ryan
Because no way.
John
I would like to know.
Ryan
You can use Discord, couldn't you. That's not open source.
John
Not open source. Right.
Corey
Open source, of course.
Ryan
Don't forget, like, of course open source. The only one I know of that could even Get Close is called Jitsi Meat. That's like the open source competitor to teams and that one is like you can self host it and it does RTSP and all the screen sharing stuff, but I don't think there's like a what about most?
John
Maybe, but that's self hosted.
Ryan
Yeah, that's a freemium model where you can't actually have more.
John
Right.
Ryan
It's not open source.
Tim
So we could, I don't know, Google, you know, GitHub, awesome chat apps and see what's on on GitHub.
John
I, I, I on Reddit I subscribe called D Google, where it's all about people trying to get Google out of their lives.
Tim
I gave up on that.
John
It is just like, you know, so I was punching myself in the face yesterday morning and I continued punching myself in the face for the after I punched myself in the face for the entire weekend, I realized I just didn't need computers anymore and I'm done.
Ryan
Like, okay, that's a pretty good outcome. Pretty good. At the end of the day, if Linux is what you need to leave computers behind altogether, then you should install Linux right now.
John
And, and I want that to happen more than just about anybody, right? Like if we could completely like get rid of goog. Like there should be a Linux phone and don't tell me the graphene OS and Google's trying to kill graphene and you know, what is it?
Ryan
There's an article about that too.
John
Tons and tons of this crap going on. It's almost impossible. Blue button, somebody just said is the application that they're using.
Ryan
Oh, blue button.
John
You know, this goes back to my anger and I'm going to point my anger not at Microsoft, not at Google, because I mentioned this before the show, my anger is the Linux dev community, right? And the reason why I'm so pissed off at the Linux dev community is whenever they approach this problem, right, they approach it in the dumbest possible way. The Linux open Source community, like if you're looking at LibreOffice, rather than making their stuff completely seamlessly compatible with PowerPoint, Excel and Word, making it work, they develop a new standard. So they're like, oh, we need to do is we need to create a new open standard for documents that isn't completely controlled by Microsoft. I love the idea, but make your shit compatible with Microsoft first. 100%, right? The same thing with Linux. And they're like, why are people using Linux? Well, we're going to stop using MNT and it's now going to be mounting things to Media and we're going to get rid of if config and we're going to do ipa stop. You're just hurting people more and more and more. The only group that's really changing things I think for the best is Steam with Proton. Right. Because they're found out that you can run games with Proton faster than you can on Windows 11. And the gaming community is moving over to Linux for gaming much more fast than anybody else anywhere else, which is flipping crazy. It's working for video games. Can't we get Adobe products to work? Can't we get fricking Zoom to work consistently? So.
Ryan
Yeah, well, there's two different things here. There's the OS which again is Proton open source. I don't think it is Proton for.
John
Like Steam OS and what Steam's doing. I'm pretty sure it is.
Ryan
Is it? Yeah, that's a good. That's it. Oh, it says the OS is open source. I don't know if that Steam client itself is closed. Proton is open source. Yeah.
John
So right here it is, it's on GitHub.
Ryan
Yeah, the whole thing. There's two, there's two conversations here. One is D Microsofting or de Googling or D insert expensive company that costs, you know, cloud hosting fees here. Then there is the concept of open source. And I think that the article like, you know, Tim kind of mentioned this. It just is like, of course it's open source, but like that's kind of a big extra step to add on to like not only is it removing big tech companies from your government, but it's also going open source at the same time. That's like two pretty confusing concepts at the same time. Well, I get it with you got gdpr, you got expensive cloud hosting fees, you got the current political situation which we don't have to get into, but the US has never been a less stable place to invest, you know, your time and effort. So I kind of get it like it's, you know, go open source. I will say let's check back on this.
Corey
Yeah, it's an age old story. Right. Where the software is free. That's. But it's only cheaper if your time is. Has no value.
Ryan
Yes, which it is government work. So I mean it might.
Corey
Yeah, but you've got, I don't know, I mean everyone's got, Everyone can play with Window. It's been using it for decades now. You got to train it and train them on.
John
And how much of that, Tim, is just, it's inertia. Right. It's talking about switching Office. It isn't about moving forward. It's about all of the Excel spreadsheets. It's about all of the Word documents that you've had over the years that just work in Microsoft.
Corey
Well and it's, I mean just, just more broadly than that the inertia of our devs know how and devs are our admins know how to use Microsoft and if we keep different up to speed and film the blank Linux flavor not to mention that there's a billion different flavors of that which is other hard part. Yeah, some might be tougher but it's literally retraining people all over again.
John
And I love concern bringing it back to security. I don't think this makes things more secure. You know we, we always used to teach Tim for years the idea of security monocultures and you know, going all the way back to the snier. What was the at stake guy that Schneier did that article with? I can't remember. Wasn't Steve Belvin. I can't remember the dude's name but somebody can find it, they'll put it up in chat but he got fired over it. But the idea of security monocultures was, you know, everything's by the same vendor. Therefore if one vulnerability pops up we're completely insecure and we get exploited all the way across. And I think that that's inherently not true. I think what we discovered is monocultures are easier to secure because you can do it through Active Directory, you can do it from the AWS console, you can do it from one centralized place in Azure. By kind of splitting all of this stuff up across multiple different open source tools and even using Linux and all these different things, I think it makes management of patches and configurations far more difficult in today's environment. But I'd love to be wrong.
Derek
It definitely adds in more of an attack surface with, with the non monoculture system because you have to have that then on top of it all you have to have the people that understand those other operating systems, software, et cetera to go ahead and be able to try and secure those on top of it all. I mean everybody figures oh you're in security, you know how to secure everything. Our security field has gone ahead and expanded so much, it's no longer the one size fits all. And that's something that we have to make sure that people understand also I.
Ryan
Think short term it's going to be less secure. But I think if enough of these municipalities and other like if they actually can get A little bit of European Union magic happening. I mean these license fees aren't cheap. Like Microsoft licenses can get really expensive. So I, I, I could see like if, if they all commit to this and they have like standard practice, like tools that they all center on and they all share, like you could, you could remove a lot of the vulnerabilities and configuration issues in like a pretty short period of time, right?
John
Yeah.
Corey
But also like how, how are they accidentally secure because some attacker lands inside? Like I don't agree with this stuff.
John
I think there's some truth there, Tim. Right. Like I don't know where we hit environments and it's just like, what is this? And like novell network, it's 2025. Like what the hell is wrong with you? Well here now, isn't it?
Tim
But so these are endpoints, right. And then you know, the EDR space is definitely not as mature on Mac and Linux endpoints. And I've got to say that if I have a Python interpreter, I mean it's a lot better than if I don't. I'm not, I'm probably not ever. I've never been caught when I'm just Python, you know, using Python for C2, like going out so well even on.
John
Microsoft, if you download it through the Microsoft Store. And it's sure.
Tim
I feel like EDR is a little bit more mature on desktop space and then, you know, not necessarily on the endpoint. But I've also always, always been concerned too with PIP install bad package. So I just see these municipalities just give everybody sudo what could do well. Right?
Ryan
Yeah. I will say no. 1, the article does not say if they're actually using Linux for the desktops. We're all assuming that because it just logically makes sense. But they might be using Mac or you know, Linux or Windows even and just trying to get rid of recurring licensing fees. Windows would seem a pretty stretch though if they're trying to D Microsoft.
John
But, but Corey, that also kind of brings up a whole nother interesting thing here. We're talking about this like no one's doing this. And the reality is like China and Russia, like you know, we have the class, you know, attacking non western infrastructures. Like Russia is running a star and they're running their entire stack outside of the Microsoft ecosystem. And China is, and of course North Korea.
Ryan
Right.
John
They got their own crazy phones and different operating systems that they're using. So there are like very large entities. Right. Like Russia. And I think China is going to continue to head down that way more and more where I do wonder how much longer it's going to be where we can joke about like me saying, oh well, there's no stuff for managing this and securing it. I think that there can be enough money behind it, especially if you get like Germany or Denmark and you have Russia working there and China working there, that we might actually start getting some really good tools in the future that allows us totally. I just don't.
Ryan
If you take there right now, no, it's not there right now. And they do, they're transparent that this is going to be a long term like transition and they're, you know, hopefully going to ditch Microsoft within a year or whatever. So online meetings, I guess you have this big blue button. I don't know what you do for a chat though. I guess Matrix or Signal or something, who knows. But just for a little bit of context, this isn't small peanuts. This isn't like this is a. This is a state in Germany that has like 3 million citizens and like 30,000 government employees that are all going to be using this platform. So if this scales and pans out, this could be legit. I mean we'll see. Or maybe they come crawling back to Microsoft or Google after a year of pain.
John
I wish them, even though I don't think everybody should be jumping to it, I wish them nothing but much success. Like go get it Denmark, Go get it Germany. Go get it France. Go get it Russia. Let's figure out how to do this stuff all in an open source stack and let's make it happen because yeah.
Tim
I predict that 2026 will be the year of the Linux desktop.
John
Oh no, that's a no.
Ryan
Now let's talk about. Or go ahead.
Corey
Dan, I guess you might notice that the German article was written by the French.
Ryan
I saw that too. I saw that too. I noticed that too was on like France 24 and they were like yeah, we didn't go to the meeting but I mean here's what the Germans are doing. So I mean while we're on the topic, let's talk about maybe some reasons to ditch Microsoft. So we have a really cool AI vulnerability that was based in Microsoft Copilot. It's a really cool. So this, the article's in Fortune. It's also in Bleepy Computer. Basically it's called Echo Leak and it's a zero click vulnerability where it's kind of like a stored XSS but for AI I guess is how I would describe it.
Tim
It's an indirect prompt injection.
Ryan
Yeah. So indirect prompt injection it's really cool. If you scroll down, Ryan, to the or I guess you're probably still pulling it up, but it's the bleeping computer link. Zero click AI flaw. I'll just post it in Discord.
Tim
That doesn't narrow things down for me.
Ryan
Okay, that's fair. All right.
Tim
Working is I believe under AI.
John
Yeah.
Tim
The threat actor sends a seemingly innocuous looking document. But inside of that document is a prompt that when the document for business reasons gets stored in the RAG database that you know, that prompt then goes to the LLM and then when it looks for, when it pulls up that document later, it's able to exfiltrate data based on what that prompt says to do.
Ryan
Yes.
Tim
In fact, Microsoft had a, A, a challenge earlier this year. I think it's closed now called LLM Mail, where they were testing out various defenses and it was open to the public and you could go like that, you know, a leaderboard and everything. And me and Ryan Fairman played it for a while, it was really hard actually. But they had different, different levels of defenses to get like for this exact attack, like you send in an email and then there's an embedded prompt inside to get the, the downstream large language model to send email on your behalf. And it's not as easy as it sounds, that's for sure.
John
So Ryan all sounds so familiar though. Like.
Tim
Yeah, I mean.
John
It'S not, it's an image. Can I insert a web shell and change the, the extension? Can I insert a web shell within like you know, a log file that's logged and then invoked from the logs like.
Tim
Or cross site scripting and go after.
John
The admin persistent and stored cross site scripting style attacks. It's, it feels like we're using the same playbook, which is cool seeing it applied in different ways. But it's just, it's kind of scary to me sometimes like when this thing, it's like did no one think of testing this?
Ryan
Well, so that's where John, you see all the red triangles in this. This is all the security protections they had to bypass at each step. They have this thing called xpia which I'm not going to, you know, let's keep this non technical. It's basically their XSS filter for prompts. They have a filter for prompts that's like is this prompt designed to exfiltrate data or do something malicious? So they have to bypass that. Then they also have to bypass. They have to come up with a way because they can't just post the Data to like some random DigitalOcean IP address. Right. They have to figure out a way to get around the link redirection. Then they also have to figure out how to get away around the CSP stuff. So they have to catch the data in SharePoint. So it's a trivial attack when you dumb it down, but there's actually like three security controls they had to bypass to get all the way through. So like that's the difference between 10 years ago and now is now you have all these extra things you have to bypass to just get this web shell working basically. But it's pretty cool.
John
Let's give credit to where credit's due. This is aim. AIM Security.
Ryan
Run by aol.
John
Run by aol. But do want to give credit to that research?
Ryan
Yeah, awesome write up. Give it a shot.
Tim
I think that to me the most important takeaway from the article, this is one that I read because it had to do with AI, right? The most important takeaway is that as large language models get embedded into freaking everything, this stuff is going to become more and more important. And widespr had one of our web app testers, Craig messaged me a couple weeks ago, he's like, dude, they're putting LLMs into everything now. And so yeah, we're running across it and everything. So as they're more and more involved in our lives, I think this is going to be an issue because at the moment prompt injection, there's not been a large language model that's not susceptible to it. There's various types of defenses as we just showed. Right. But there's no large language model that can inherently prevent itself.
Ryan
Well, I think this is like that's why I wanted to lead into this from the D Microsofting thing because this is a great example of like Microsoft added Copilot to everything and now we have a zero click vulnerability in copilot. So like you did if your co pilot was reading your business documents, which it was because that's the feature that got enabled for everyone, then you are vulnerable to this. It was fixed before Reach production. To be clear, I want to, you know, I'm sure Microsoft probably sent a fat paycheck to that researcher, I hope. But yeah, like this is a great example. If you had copilot and I'm sure you know the underlying thing of like we talked about a couple weeks ago on the MCP servers which are basically like AI connecting to another AI, there's a ton of them out there right now and everything's slapping AI into Atlassian, slapping AI into teams, slapping AI into every tool. A lot of these things are going to have the same vulnerabilities or similar vulnerabilities.
John
So. But here's the thing that pisses me off about this, and I want to get Tim's take, like, is like, whenever we're doing pen testing, and it's better now than it was, like, even five years ago, there are people all the time that are like, well, how do we know we can trust your pen testers? You know, well, okay, you can do background checks. Here's what we do. Here's how we validate. Here's the Certs. Here's all this stuff, criminal records and all of that. But there was always this, like, real strong distrust. It's like, well, we're letting you in, and you're going to hack, and you're going to get to our most sensitive things. And we need you to sign this. We need you to sign this. We need this signed in blood. We need to have insurance of at least $10 million. And I even had people with crazy, like, 25, $30 million insurance requests for us to have that type of liability. And then along comes Copilot and AI and they're like, yeah, so this software ran by this company is just going to have access to absolutely every organization. And everyone's like, cool.
Ryan
Well, all their eggs are already in the Microsoft basket. So that's.
John
In some ways, yeah.
Tim
On, it's artificial intelligence. How can it be bad?
John
I know, I know. That's right. That's my bad. My bad.
Tim
It doesn't have law, and I don't.
Corey
Think AI So they're like, yeah, yeah, AI it. Wait, what does that mean to you? I don't know. I want AI on it. What are you gonna do with it?
John
I. Dude, I want AI do you not understand? Josh? Give it to me. Give it to me. It's my. I want that AI like, but, you know, and I'm waiting for next year at rsa. Like, everything's AI at RSA this year, right? Like, if we go back six, seven years, it was all NGAV ng firewalls. And I'm waiting for next year to be the next generation AI because they got to keep evolving the buzzwords, right? We can't. Like, AI is not the pinnacle. You got to have next generation ASI AGI. Yeah. We need John Wick Ngai from Palo Alto to defend our cyber trains in the desert. I don't know. For a million dollars, I am going to say those Palo Alto ads were badass. If you haven't seen them, you must go see them. They're amazing. I'm still like geeking out over them. So whoever.
Ryan
I'm not in the pay band where I get Palo Alto ads. So.
John
Dude, they had them on like 30 like foot jumbotrons. You couldn't miss them.
Ryan
You got to be a first class flyer to get those.
John
Yeah.
Ryan
All right, so next article is the. So this is. It's a ransomware group, but they're doing some pretty weird things and I'm curious to get people's take on it. So the main thing they're using is there. We've seen RMM tools get abused so much. We've talked about it like every week on the news for the last three years. This one is abusing employee monitoring tool, but they're using it as a keylogger. So instead of like bothering with, you know, Cobalt Strike module for key logging or whatever, they're just using something called Sciteca, which is a legitimate tool that is designed for employee monitoring. Which I don't really know what the legitimate use case is for employee monitoring other than are your work from home employees doing laundry check here. So I don't know, it's interesting. They're like using these legitimate tools, I'm assuming through compromised attacks or compromised accounts. Like I'm assuming they didn't just go and purchase a license.
John
Holy.
Ryan
Yeah.
John
What do you think this is from Symantec? They're still in business.
Ryan
That's what you're taking away from this.
John
Congratulations, Symantec. No, dude, Symantec being in business is like finding an 80 year old man that does like, you know, still runs half marathons. You're like, oh, congratulations grandpa.
Ryan
Okay, listen, John, if you're running Linux and you're a city with 30,000 employees, you better have Symantec at the very. You're not going to get Crowdstrike. That's too expensive.
Tim
So how get access to the employee monitoring software? Was it just.
John
You can just install it? Like a lot of these are installed.
Tim
Okay, so it makes.
John
But I need to talk to me, Derek, like two years ago you installed a velociraptor in the middle of an incident. And then you're like, you know, this just installed and the AV just let it install. Oh yeah, it gives us access to everything. You're like, it's just velociraptor as a C2.
Corey
Yeah, we've been so. It is not that exact long.
John
I gotta kick my cat outside. No.
Tim
Well, so the thing I Like about this article is that they hi to Cory's cat.
John
Cory's cat's not there. Oh, okay.
Ryan
Next time maybe they so angry they.
Tim
Installed, you know, basically an out of band like C2. So not malware. Right. It's employee monitoring software. And then they go on to use SMB exec after that.
Ryan
Yes, well, so that's the other thing. It's a hilarious mix of tools and I'm going to be honest, like I don't. I think they just info stealer their way into an account and just used it because they had access to. I don't think, I don't think they actually did any refit. I would guess they just happened to pop an account. We're like, let's give it a shot. Why not?
Tim
But I do like the last thing and I actually was hoping that we talked about it. Maybe I missed last week's news and they used GC to an open source post exploitation backdoor that leverages Google Sheets and SharePoint for command control. So I mean I just. Every time I see you, because this is. I saw there was a threat actor using calendars, Google calendars for C2 like.
John
A week or two ago.
Tim
I. John, I thought you'd laugh at.
John
That because my first starting that trend.
Tim
I remember when Google got mad at us for that. It wasn't a problem until it was a problem. Right?
John
Yeah, yeah.
Ryan
I mean I think it's. It's a funny mix of tools. You have like really cool living off the land type tools and then you have like SMB. Exactly.
Tim
Should be flagged by Symantec.
John
Right?
Tim
Like semantics, you catch us in beans.
Ryan
Well they, they did flag it. That's why they have security researchers posting about it or else, you know, they wouldn't be flagging on everything they didn't detect. But I mean, I think it's this, this apt. Let's just say they're like two hackers in a trench code and one of the hackers really knows what they're doing and the other one's a complete noob.
John
Yeah, there's a com and with their.
Ryan
Powers combined, one is like we're going to use living off the landscite of monitor keystrokes. The other is like I ran as a B exec on the DC and now we're quarantined by some. What the hell, man? I was monitoring keystrokes for like we were going to live off the land for a couple months. Not. Sorry, dude, SAB exec was on disk. I did that at no choice.
Corey
Well, it Sounds like the tool was good for pushing the stuff, but they didn't have a way to run it. And they're like, yeah, let's go to school.
John
So that's why they should have used Velociraptor. Yeah, I know.
Ryan
So, yeah, needless to say, block these tools in your environment if you use them. I don't know why you're creepy, but definitely monitor their use. Just use Microsoft as your spyware. Don't. Don't pay another company for spyware that's unnecessary.
Corey
Use Linux.
John
Use Linux. Use Linux.
Tim
Because there are no keystroke loggers for Linux.
John
No, Linux doesn't have malware.
Ryan
That's why I wanted to talk about this expired Discord invite, because I thought it was an interesting one. As part of continuous pen testing, we do a lot of work with, like, expired takeovers and things like that. DNS records are common. S3 buckets are common. We've seen lots of, like, domains expire, things like that. But this is a unique one where. So the threat actor basically is taking the discord. They call them like vanity URLs or whatever, or. What is the actual tool. Yeah, vanity link registration. So what that means is Discord. GG Bhis. Yep, that's a vanity link. The problem is not all these Discord servers. You know, Epic streamer 9000 had a vanity link, but then he, you know, got divorced or whatever, so his stream shut down, but the vanity link is now available for education.
John
Why did he let the stream expire if he got divorced?
Ryan
Lawyer fees. I don't know. I guess he got me there. Oh. Oh, no, no. It's because he got canceled, and then he couldn't have any more viewers because he got canceled.
John
Okay. So. Yeah, didn't have. Okay, got it. Okay, carry on. Anyways, yeah, context.
Ryan
Okay, fine. So we got married and he had to shut down the stream because he had. You wanted to have a life.
John
I don't know.
Ryan
This. This is a fictional scenario. Okay? The vanity link expires, and now an attacker goes and registers the same vanity link. When you land in the server, though, you just get redirected to all kinds of fun malware. So they, you know, they have a malicious Discord server that sends you to a phishing website that runs a powershell command that drops, of course, stealer malware on your system. And now you're in the botnet. So. Yeah, I don't know. I just thought it was interesting. Like, we think about expired URLs and takeovers and things, but this is like putting people watering hole into a malicious. Discord is new. You're like, why are all the people in this. Discord is really excited.
Corey
And aren't isn't all Discord malicious? Whatever.
John
I Except for those Black Hills Information security Discord servers. We appreciate all of you, which we're at 57,000 people now.
Ryan
Oh, Red Siege Infosec. Isn't this one of the other military.
John
This is what we did instead of Twitter. We just came up with Discord. Yeah, I don't, I don't know, man.
Derek
This is.
John
I, I'd hate to have people remove Discord from work, but I still wonder like, why is this allowed for people's work? I I, it's just strange. I I, I'm happy. It's great for us, but still, it's kind of weird.
Corey
We actually Quiet. They use that for their internal comms.
John
No.
Ryan
No.
John
Yep.
Ryan
No.
Corey
So they set up their own private.
Ryan
I was like, was it a northern Germany state?
John
They had Denmark today.
Corey
That's cord.
Ryan
But I mean, to be fair, is it that much worse than teams? You can send malware and teams, as long as you make the password not infected, they won't see that.
John
That's a really good point. After talking with, you know, Matthew and some of the people that have been investigating teams, it might be possible that Discord is more secure than teams. Honestly.
Ryan
I mean, at the very least, it's like, who's your provider? Right?
John
Because I remember talking with with Matthew about it and I'm like, is there any security that they're putting on teams? Like, no, they're intentionally shutting it down. Like they want people to use teams and they don't want anything to get in the way of that crap.
Ryan
So I mean, when teams started, we were teams fishing and that was like three or four years ago. They just enabled external teams messages for everyone.
John
Yes. Yes. Did they get that fixed or is that still a thing?
Ryan
That it's pretty fixed. It's still possible but organizations most organization have locked it down now, but it's definitely still a thing years later.
John
Well, do we want to talk a little bit about smart watches?
Ryan
Yeah. Let's talk about this in a lab disclaimer attack.
Tim
I swear this was in dubs. Anybody's ever watched dubs. This was an attack that was in doves.
John
I you know, this is kind of like. Do you remember bad bios, Tim, where it was?
Ryan
Yes.
Corey
Oh my God. Throwback.
John
Holy crap. Was the guy. He was the guy that did. Wasn't Seor.
Corey
No, no, no. Insect wise dragosaur.
John
Dragus. Yeah, he was talking about it and the idea of communicating with frequencies on computers and, and that was really cool. And this kind of feels like that. This feels like another lab type, like environment proof of concept, which I think is really, really cool. But the thing that I hate about these is I know in DOD someone's going to read this and immediately there's going to be panic and they're going to be like, well, now we need to ban.
Ryan
Well, they probably already know that from the Strava thing.
John
They do. Actually, I was.
Ryan
Remember the Strava thing where like there was heat maps of like US military bases? That was like 10 years ago.
John
Yeah, yeah. You're welcome. So that's fun. But you know, this is this. I hate this because anytime some type of crazy ass vulnerability shows up like this, there's literally hundreds of people all around the world. They're like kicking out RFPs. And Northrop Grumman and Raytheon are like, we're gonna bid $10 million to solve this problem. It's just, it's always. I always love the research for the pure research perspective. And I think that that's more fun to read. What they did, how they did it, look at their code, it's cool. But like the practicality of this is getting onto like James Bond level shit. It's like you have to take over someone's watch. Then you have to put malware implants on the inside of the Air Gap network. Then you need something on the other side to pick it up, which would be easier with the watch. It's just there's a lot of like. Really.
Corey
Well, you're not supposed to have the watch on the inside in the first place.
Tim
Yeah, well, my experience with the government is it would just be the contractors that can't have their phones or.
John
Oh, good point, good point.
Tim
All the civil servants and enlisted folks totally have whatever they want.
John
Yeah, I'm reading. It's like data Transmission rate of 5 bits per second.
Ryan
Always get it. Yeah.
Tim
5 bits per second.
Ryan
Yes. Is that beyond rate?
John
I don't know.
Corey
And here, here's the other question.
Derek
This is just using standard RF signaling.
Corey
18.5 kilohertz.
Derek
19.5 kilohertz for 1 0. How is that not susceptible to RF poisoning? Just going ahead and running something at those frequencies in the background.
John
Okay, now that is true. That is true. In some skiffs that you go in, they'll have a white noise generator. But then they also have RF scramblers. So when you go in, it's actually scrambling like literally. Cell phones don't work and a lot of the RF transmission stuff just doesn't work either.
Ryan
Okay.
John
A lot of skips they have to get fcc. Like usually it's not like a skip that's in a building with a bunch of unclassified offices because the FCC will come down on you. But usually it's places that are in like a campus where they could get authorization for the FCC to do that type of scrambling because it won't bleed outside of the boundaries of the facility itself. So that is a thing. That is a thing, absolutely. That you do see in some skiff areas.
Ryan
So two jokes. Number one, private. Where'd you get your smartwatch? Like what? Like what? You know this would have to be.
John
Like a custom on Instagram from Baidu.
Ryan
I got it from tiwu. All right, you're fired. The other thing, at an ideal transfer rate of 50 bits per second it would take. Okay, no, 50 is between 5 to 50. 50 is the cap of like the ideal scenario. I want to be. I did some math. To get a one gig file out of the government or out of the air gap, it would take 5.4 years of usage. So I mean in a lab, okay, it's cool.
John
But come on, I think it's cool lab thing, right?
Ryan
It would make a great gap question.
John
It would. Oh, oh gosh. For like given give a wav file that has ack in it and then you got it. Oh yeah, that's going to happen at Wild west hacking.
Ryan
But do we make them wait for the 50 bits per second data transfer? So they have to be at Wild west hack infest for 5.4 years.
John
That's what we should do. Just have it transmitting over the air. But I like at the bottom, if we could bring that up, it says the researchers way the best way to counter this is to prohibit using smartwatches.
Ryan
No, it's not. It's just to have files bigger than.
John
50 bits air gapped machines. This would eliminate the attack surface for all acoustic servers. Covert channels, not just smart attack.
Ryan
So what about just playing music in the skiff? Does that help?
John
It has to be over that right frequency, right Clyte?
Ryan
Yep. Yeah, that's perfect. Just poison that frequency with like party in the usa.
John
You just shift it up and.
Ryan
Yeah, it's.
John
If you look at the waveform, it's Apex twin face.
Ryan
Yes.
Corey
Getting their data pink cut. What the.
John
That? Is that Tim Medine from Red Siege?
Ryan
Come on. Hold on. Zoom in. It's John Strand at 50 bits a.
Derek
Second, all you'd have to do is send a pulse on one of them at a half second interval.
John
And it was totally messing all up.
Derek
It would totally mess it all up.
John
But still, like I said, we spent a lot of time chasing these ghosts when I was working in a skiff all the time. And then some jackass C, like not cto, but like a director, brought a wireless router and put it in his office because he wanted to use his computer while going to the bathroom in a skiff.
Tim
So he had to use the.
John
Are you going to really worry about. Are you going to worry about this stuff or are you going to worry about the idiot that springs?
Corey
Yeah, okay, well, I mean the next. Don't go back to what John was talking about with that, the bad bios. Like he caught Dragus, whatever his name was, caught at black over that say and say, like this thing's not actually realistic or practical.
John
Like, I think that was about the time that he kind of gave up. Like he started stepping away from the industry. He.
Corey
He caught tons of crap over it. Like he would just beat up mercilessly.
John
I, I remember having a conversation with him at some dinner. I think Ed was there. I do remember it's when I was still drinking and I do remember there was a lot of frustration about that whole thing. And there's a lot of people that are just like, you know what, it's not worth it. Social media sucks. I'm out. So.
Corey
Yep.
Ryan
So okay, real quick, let's. Let's go back to like early 2000s Budweiser commercials.
John
Nice.
Ryan
Everyone remember the Budweiser? Well, yeah, first of all, when, when, when alcohol companies were allowed to have commercials that had alcohol in them, which I don't think. Isn't that banned now? I don't know. But yeah, basically I'm following me here. I don't know where I'm going, but follow me anyway. There's a security tool or like a threat intel tool called WAZA or waza. I don't know.
Tim
Waza.
Ryan
Wazoo, Wazoo, Zoo. Okay, we're going to talk about it, but I want to level set that this isn't really that big of an impact. This is more of a theoretically in the lab, like with a lot of caveats. But there is a botnet, the Mirai botnet our old friend is spreading, has been observed to spread through a vulnerability in Wazuh or what was it again? I already forgot Wazoo. Wazoo, which is a threat Intel Blue Teamer tool. This has already been patched. If you run this tool in a self hosted type environment. You need to patch your stuff right now. But basically to exploit this, the attacker would need a valid API access. So they need a user account or an admin account to get to the API. But it is interesting to see a malware that specifically targets a blue team tool. Right. I feel like it's kind of a self awareness of like, whoa, they know we use Wazoo. That's crazy. I don't know anything about this tool. It sounds like. Mike, have you used it?
John
Oh, we talk about it all the time in our classes.
Derek
Yeah, I've not used it directly. I know people that have used it. I've been meaning to get a new machine set up so that way I can play with it here at my house. It's supposed to be actually a pretty good EDR/threat intel tool that's completely open source.
John
Yep. And they make their money on subscription and support. And this is one of those things where it is neat. This is a cool article and welcome that. That's a sign you've arrived when people are attacking your tool directly. So congratulations. Even though I'm sure that that's very, very, very frustrating for them all. I really wish I could use this class or use this tool in my classes. It does require a pretty beefy server that's running an ELK stack for it to run, unfortunately.
Corey
Did you guys hit nothing at the bottom?
John
What?
Corey
None of their quote paying customers were impacted.
John
I like how they called out paying.
Corey
Yeah, yeah, you're like all the rest of you guys. We put the backdoor in, so fu.
Ryan
Oh, that's kind of. Well, hold on. Was it a backdoor or. I didn't know it was a backdoor.
Tim
Sounds like it's a flaw, but it's the inverse of the Solar Winds, Right. Where all the not paying customers were good. Yeah, man.
Corey
No, the pattern good.
Tim
It was, I guess a lot of.
John
People took from the whole Solar Winds thing. It's like as long as we don't update and patch things, we'll be fine.
Ryan
This is the opposite of that. The people who are on the paid product did get the patch. Everyone else did not. It's kind of like the move it thing where if you're on cloud hosting, you're good. If you're self hosted, you're done.
Tim
Yeah, I mean, and I think every product can have a flaw, obviously, Right? I mean, at least they didn't take down.
Ryan
Except for Lennox. Hold on.
John
Except for Linux.
Tim
I mean, I want to call out.
John
Nerf Blaster's quote real quick. The hilarious thing to me is that about the least harmful thing they could have done with remote code execution was to turn it into a botnet node.
Derek
Which.
Ryan
Right, good point.
John
Good.
Ryan
Or it says X filling all the data from a threat hunting tool that's just out there on the Internet.
John
Yeah, it's like we had a customer that was a financial organization with a crap ton of very, very sensitive stuff that they had on an external server. Derek, I think you worked on this.
Tim
You move it customers.
John
Yeah, they got nailed and literally the only thing the attackers did was turn it into a DDoS node. They didn't even bother to look at the system that they had at all. It could have been infinite.
Tim
Oh no, that was a different one. Those were Linux servers though.
Ryan
Yeah, yeah, it's like crypto miners like you.
John
Yeah, or like they drop a crypto miner on it.
Ryan
Yeah, like I, I've seen like Dell Sonic wall VPN with a crypto miner. I'm like, guys, this has like 2 watts of CPU power because it's going to mine a bitcoin every million years.
John
Yeah, no, thank God they're not creative and didn't look around.
Corey
Well it also means though too is they have so much access we're like we don't need to look around this one. Yeah, yeah, whatever.
Ryan
So on the cloud hosted versus self hosted thing to kind of follow that thread. Big Internet outage last week. It wasn't that long but it was kind of an interesting one where Google Cloud went down and that hit cloudflare. It's crazy to me. So I read the Google write up. It looks like it was all triggered from Google. So if you're interested in like the infrastructure engineering side of things, go read the Google write up. I think the most, there's a couple of like high level things that are mind blowing to me. So the first one is they identified that it was a problem within 10 minutes, immediately picked out that there was a problem. They couldn't report it to the public that it was a problem because the reporting site they use was down. That's part of the outage. The other thing is it only took, it was only out for like two and a half hours, ish, two hours and 40 minutes for it to be fully resolved. So within 10 minutes they had a, they knew there was a problem, within 40 minutes they had a fix, then they pushed it and then it took until another two hours from then to roll out. So it's like a pretty big in a pretty big deal because a lot of stuff went down, but also only like in my day. 2 hours and 40 minutes. That's just like a lunch break. Like, yeah. Back in my day, S3 went down for like three days and that was a bigger problem. I don't know. It's just like Google is so apologetic and I don't know if Canadians wrote this or whatever, but like immediately it just says we deeply apologize. The impact that this had. Yep.
John
I think a lot of it has to do with the SLAs. So I know from the other side, one of my friends used to be one work at a company that was like a DNS provider that Google used. And it was like a ridiculous amount of money. I want us. I could be wrong because it's a long time ago. I think it was like $100,000aminute. If Google went down, that was insane. And that might be wrong.
Ryan
Right.
John
I don't know.
Ryan
I got you. There are SLAs with cloud. Yeah.
John
I'm guessing that Google has some crazy SLAs and if they're down for two hours, that's significant amount of money. That's like.00001% of the amount of money that Google's going to make this year. So that matters to the bottom line of people.
Corey
Well, just to clarify, to your point, like it was actually 10 minutes to get to the root cause, not 10 minutes to detect. Because hell, the Internet goes down in my house. My kids, my wife, my dog are like, what's wrong with the Internet? Right. And the entire Internet was down from this. So they actually root cause in 10 minutes. Which is actually kind of impressive.
Ryan
It's so impressive. The whole thing is very impressive. I mean, there is funny, like little tidbits where it's like, oops, the monitoring site went down because that was part of the infrastructure that went down. Like that's like a oopsie. But I mean, truly, like, I think it's like one of those where bad code can happen to anyone. It's their CrowdStrike moment. But not nearly as bad. Right. Like it just came back on its own. Which is like if you're paying for Google Cloud and it just goes down and then comes back on its own, you're like, well, that kind of sucked for two hours, but whatever.
John
Corey, I do love the fact that people are taking from this entire story. Like we have coffee stains saying, wait, your lunch break is almost three hours.
Ryan
All I said was my lunch break is as long as the Internet is not working.
John
That's true.
Ryan
As a hacker I can't do much. I guess I could social engineering phone calls, but where am I going to send them?
Corey
I mean IP phones dead.
Ryan
Phones are dead. I got nothing to do with the Internet, so. But yeah, so we do have some chicken news I want to cover before Chicken Jackie. We got Chicken Jackie. Oh no, that was, that was a few weeks ago. So this is chicken news. And it hit my radar because the one of my local restaurants which I love, it's like. I'll just describe the restaurant. It's like hardcore biker bar. You go in and then they just serve like really good hot dogs and you're just like really confused while you're at like a biker bar but eating really good hot dogs. It's very confusing. But awesome place. They posted to Instagram and said there's no groceries, we can't buy hot dogs, we gotta close. And I'll send the image they posted. But basically this is all related to that UNFI cyber attack that shut down. They also hit. It prevented Whole Foods from having groceries. A lot of groceries were impacted. But this is like food supply chain stuff. UNFI or I don't really know how to pronounce it. Unfi. I'm always like, oh, UNIFY has big trucks. But turns out it's not unfi. UNFI is like you read it like the, the acronym. Either way, they are a food distribution mostly like produce and they. I'm assuming it's ransomware because if they have to take down infrastructure, it's gotta be ransomware. Right? But this is causing pretty heavy supply chain impact. So if you went shopping for chicken last week, then you probably couldn't get any chicken. I mean that's pretty depressing. I would say.
John
Wow.
Derek
Unless you're chicken.
Ryan
Well, I guess that's depend on where.
Tim
You'Re at in the US because I'm close to a whole bunch of chicken plants on the eastern shore and I have not noticed chicken shortage.
Ryan
What does a chicken plant look like? Do they grow on trees or what?
Tim
Yeah, pretty much.
John
Pretty much, yeah.
Tim
Chicken processing plant, raising chickens.
John
I know what's going through their heads. Absolutely nothing. So yeah, now we got an argument. People like turkey's better than chicken. That's not the point of the story.
Ryan
Not it's about ransomware, people.
Tim
Well, you know, it's better than both chicken and turkey steak.
John
Yes. No arguments there. All right, what do we got? Let's. I think we're scraping the bottom of the barrel for stories now.
Ryan
Oh no, we're not. I just, I was being using my Abusive power to talk about chicken. Yeah, there is GitHub device code fishing.
John
Ain'T nothing but a brain.
Ryan
GitHub device code fishing is kind of interesting if you. If you federate GitHub login with Microsoft or OAuth providers there's a way to do device code phishing with it. It's kind of cool. Washington Post journalists are being targeted with their email attacks being compromised.
John
Yeah.
Ryan
Surprising. Well that One coming the SharePoint phishing is. Are pretty interesting. It's like we've looked at that. It's basically like it's nothing crazy but basically you can use living off the land techniques in SharePoint to get past email filters and get people to click.
John
I was going to ask you. We use that even in a test environment yet in any of our continuous pen tests.
Ryan
We have not. We have not tried. I actually talked to our initial access specialist today and we're going to give it a shot. It only gives you a link delivery which like we already have link delivery. From an initial access perspective we don't really struggle with link delivery but we'll probably give it a shot just because ransomware threat actors are using it. So it's a good thing to detect. Oh yeah. Wasn't there some like Pegasus stuff or. There was some interesting stuff.
John
I haven't seen any stories.
Ryan
There was a. So if you look at the nation state on nation state action section Citizen Labs basically released a new report that a US backed Israeli company definitely. Is it called like not Pegasus?
John
Yeah, totally not Pegasus.
Ryan
Totally not Pegasus.
Corey
Not Petsha. So not. Yeah, makes sense.
John
Yeah. But so yeah, I didn't think that NSO was US backed. Okay, go ahead. I'm sorry.
Ryan
Yeah, I mean I don't. US backed. I don't really know what that means. You know did it. Does that mean a US investor who knows. I'm not going to wait into the paragon.
John
Paragon.
Ryan
Paragon, you mean Not Paragon. Not Pegasus.
John
But that totally could be the Pegasus front.
Ryan
Well, yeah, we've. Yeah. So I believe that NSO Group is actually under OFAC sanctions or some. Or some kind of sanctions. So like I don't think they actually can officially purchase this product in the.
John
US And I remember a while ago somebody tried to get me to go to Israel because they wanted me to evaluate with NSO had because they were going to create a shell company. I don't know if this is what this article is about but just letting people know kind of what goes in the background whenever you have the NSA is like we really want that software, it's like, you can't have that software. And they're like, we're going to create a shell company and then they're going to license that software and then we're going to buy it through the shell company.
Ryan
Yeah, yeah.
John
Government's like, okay, no, they wanted me to fly out there and check that stuff out. I chose not to. And I still do not regret said choice. But yeah, this smells like that. Like they want that sweet, sweet Israeli technology, but they can't get it directly.
Derek
According to the article, Paragon was acquired by AE Industrial Partners, a private investment firm based in Florida.
John
Yeah, that sounds right.
Ryan
So if it's based in Florida, does that mean is there South American interests? No. Yeah, yeah. I mean, basically this is being targeted. Prominent journalists. Not politicians this time, but journalists are being targeted with spyware again.
John
Yes.
Ryan
Yeah, I would say, you know, go read the Citizen Lab debrief or whatever. It's probably the most technically detailed and interesting.
John
Very good stuff. They always do a great job. Citizen.
Ryan
They do. It's nothing new. Concept wise. This is like we're joking, you know, Paragon, AKA definitely not Pegasus, the name's even close.
John
I know that one's pretty bad.
Ryan
Salesforce SaaS vulnerabilities. That's a classic. Some researchers kind of did like a, I don't know, bug bashing, bug smashing on the Salesforce product. What's it called? Salesforce Velocity or App Omni or. No, that App Omni is the company that did it. The product is Omni Studio, which was like an acquisition. Honestly, I feel like this is classic when a company acquires a company and then brings it into their umbrella that there's oftentimes a lot of vulnerabilities in those products that get brought under. So, yeah, I'm sure they'll fix all this stuff, but it's a lot of CVE is 15 misconfigurations and vulnerabilities. It's a decent amount.
John
Yeah. That's what, you know, I keep. You know, this gets into bigger questions of like, are we getting better? Are things getting more secure or is it just. There's so much out there that's not getting looked at. It seems like whenever something does finally start getting analyzed, does the CD CVEs fly down like rain?
Tim
Just seems like the threat actors move from thing to thing to thing and what is old is new again. Right? Endpoints have gotten hard, it's hardened, so now it's external infrastructure and cloud stuff and stealing data without having to get domain admin Right.
John
And so nice that we got the endpoint, the, the desktop kind of locked down just in time for everyone to get ready for the year of Linux in 2026.
Tim
Right.
John
Now that we got it done with Windows, we got this problem solved. Now we're just going to move into Linux and it's going to make everything much more so secure.
Ryan
Yeah, the Windows desktop is totally locked down. There's no vulnerabilities there whatsoever.
John
None done. It's.
Ryan
There's no, there's no AI features, especially.
Tim
With those AI features they're introducing that are completely locked down.
Ryan
Completely locked down.
John
I'm really glad that they finally got it right this time. With AI, they built it secure from the ground up.
Ryan
Thank you, Security.
Tim
From the very beginning, who would have.
John
Thought that the technology that gets us access to all of our sensitive data and all of our sensitive files was finally the point where they got it correct?
Corey
I mean, right? The S in AI stands for security.
John
That's a good one. I like that. Wait, there is no S in AI. Exactly.
Ryan
Hold on, is there no I in team, too? That's why I'm switching the Linux, because it has another.
Tim
Oh, man.
John
All right, everybody, let's wrap it up. I don't want to say here, thank you so much for coming and hanging out. Greatly appreciate it, and we'll see you next week. Ryan, take us out.
Podcast Summary: "Denmark is Done with Teams!" - Talkin' About [Infosec] News, Powered by Black Hills Information Security
Release Date: June 18, 2025
In this episode of Black Hills Information Security's weekly infosec podcast, the hosts delve into significant developments in the cybersecurity landscape, focusing on governmental shifts away from established tech giants, emerging AI vulnerabilities, and innovative attack vectors. The discussion is rich with insights, critiques, and forward-looking perspectives on the state of information security.
Overview:
The episode kicks off with a discussion about European municipalities, specifically in Germany and Denmark, making substantial moves away from Microsoft products. These governments are transitioning to Linux operating systems and LibreOffice, signaling a broader trend towards open-source solutions.
Key Points:
Germany and Denmark's Shift:
Both nations have reportedly moved away from Microsoft Teams and Office, adopting Linux and LibreOffice as their primary tools. This transition aims to reduce dependency on costly licensing fees and enhance data sovereignty.
Challenges Faced:
The hosts express skepticism about the practicality of this shift, highlighting compatibility issues and the learning curve associated with retraining staff. There's also concern about the effectiveness of alternative open-source communication tools in handling large-scale operations.
Notable Quotes:
Overview:
The hosts delve into frustrations with the open-source community's approach, particularly regarding LibreOffice and Linux. They argue that efforts to create new open standards hinder practical compatibility with widely used Microsoft products.
Key Points:
LibreOffice's Compatibility Issues:
There's criticism over LibreOffice's inability to seamlessly integrate with Microsoft Office formats, which poses significant challenges for governmental operations reliant on extensive document handling.
Linux Adoption Hurdles:
Transitioning to Linux introduces complexities in security management, patching, and configuration across diverse distributions, making it a daunting task for large organizations.
Notable Quotes:
Overview:
A significant portion of the discussion centers around AI security, specifically a vulnerability dubbed "Echo Leak" affecting Microsoft Copilot. This zero-click vulnerability resembles a stored XSS attack but tailored for AI interactions.
Key Points:
Nature of Echo Leak:
The vulnerability allows threat actors to embed malicious prompts within documents, which, when processed by Copilot, can exfiltrate sensitive data without user interaction.
Microsoft's Response:
Microsoft participated in a challenge to identify and mitigate such vulnerabilities, showcasing the complexity of securing AI-integrated tools.
Notable Quotes:
Overview:
The podcast highlights a novel ransomware tactic where attackers misuse legitimate employee monitoring software, such as Sciteca, as a keylogger to infiltrate systems.
Key Points:
Sciteca Misuse:
Attackers leverage compromised accounts to deploy Sciteca undetected, avoiding traditional malware detection mechanisms.
Comparison to Traditional Methods:
This approach underscores the evolving tactics of cybercriminals, who increasingly exploit legitimate software tools for malicious purposes.
Notable Quotes:
Overview:
The hosts discuss the rise of malicious activities on platforms like Discord, including the takeover of expired vanity links to distribute malware.
Key Points:
Vanity Link Exploitation:
Cybercriminals register expired Discord vanity links, redirecting users to phishing sites that deploy malware via PowerShell commands.
Security Implications:
This method highlights the need for organizations to monitor and secure their online identities actively, preventing attackers from leveraging recognizable links for malicious ends.
Notable Quotes:
Overview:
A segment is dedicated to exploring research on using smartwatches as covert communication channels for transferring data across air-gapped networks.
Key Points:
Attack Feasibility:
While theoretically possible, practical implementation poses significant challenges due to low data transmission rates and the necessity of physical proximity.
Defense Measures:
Recommendations include prohibiting the use of such devices in sensitive environments and employing frequency scramblers to disrupt unauthorized communication attempts.
Notable Quotes:
Overview:
The podcast reviews a recent significant outage in Google Cloud services, analyzing the incident's timeline and Google's rapid response.
Key Points:
Outage Breakdown:
The Google Cloud outage affected services like Cloudflare, lasting approximately two hours and forty minutes, with the root cause identified within ten minutes.
Response Efficiency:
Despite the widespread impact, Google's swift identification and resolution demonstrate robust infrastructure resilience and incident management protocols.
Notable Quotes:
Overview:
Towards the episode's end, the hosts touch upon several other noteworthy cybersecurity incidents and reports.
Key Points:
UNFI Cyberattack:
A ransomware attack on UNFI disrupted the food supply chain, leading to shortages in grocery stores, specifically affecting chicken supplies.
GitHub Device Code Phishing:
Exploring vulnerabilities in federated GitHub logins, enabling device code phishing attacks targeting journalists.
Citizen Labs Report on Spyware:
A new report reveals that a US-backed Israeli company, potentially Paragon, targets journalists with advanced spyware, echoing previous concerns associated with NSO Group's Pegasus.
Salesforce Omni Studio Vulnerabilities:
Identification of multiple misconfigurations and vulnerabilities in Salesforce's Omni Studio, raising questions about the security of newly acquired products.
Notable Quotes:
Overview:
The episode concludes with a lighthearted banter among the hosts, reflecting on the discussed topics and looking forward to future developments in the cybersecurity realm.
Notable Quotes:
Conclusion:
This episode offers a comprehensive look into the shifting dynamics of cybersecurity, emphasizing the tension between proprietary systems and open-source alternatives, the evolving nature of AI-related vulnerabilities, and the inventive strategies employed by threat actors. Through insightful discussions and expert critiques, the hosts provide listeners with a nuanced understanding of the current infosec landscape and the challenges that lie ahead.