Desperate Times Makes for More Cyber Crimes - 2025-04-07 - Talkin' Bout [Infosec] News
John Strand
That's what I want. I want that sweet, sweet money.
Corey
No, they said if you actually have, like, a financial loss, you know, no one can prove.
John Strand
I bet you that's tough to prove.
Corey
Yeah, I mean, I guess if you had your identity stolen and you did lose money, then maybe, like, you'd have a case. Right? They're like, just because your information is out there for the 400th time doesn't mean that you get any money.
John Strand
My breath smells like cat food. Nice. Okay.
Ralph
No, my cat's breath smells like.
John Strand
Oh, my cat's breath. Okay, okay.
Ralph
It's a Ralph Wiggum quote.
Corey
You think I'm on the wrong mic? No, I'm on the right. Like, I only have.
John Strand
All right. No, your mic.
Ralph
Just get that thing nice and close. It was just far away from it.
Corey
Yeah. So the SM7B is like, you got to be on it. That's like the full pull. Like, it's not. It's not really meant for that. Like, far away.
Ralph
Yeah, that's the. That's the whole point. So you can't see. Hear your cat, like, scratching.
Corey
Exactly, exactly.
Alex
That.
Ralph
That's the people with, like, the full-on Yeti mics. I'm like, dude, we can hear your microwave running, like two buildings away. Like, you really shouldn't be doing.
Corey
Yes, yes.
Ralph
It's like, is your neighbor's dog barking? I could.
Corey
Yeah, I. I think the neighbor down the street, like three blocks over. Yeah, I hear that.
John Strand
All these condenser microphones that are super powerful. I don't know. A lot of the Blue mics, like the new ones, and like these Shures, they got all kinds of weird functionality in them. They do a really good job.
Ralph
The NSA functionality is really nice.
Corey
I like that.
John Strand
I like. I personally look at the NSA as my personal backup solution.
Ralph
Yes, same.
John Strand
If I ever need anything back, you know, I just start sending state secrets back and forth.
Ralph
Just send in a FOIA. I'd like all my emails, please. Thanks.
John Strand
All of my emails, please. Why are these all redacted?
Ralph
They're like, redact. They redact all the stuff you would actually want your order will be delivered on. And then it just says, I need that tracking number.
Corey
Most of the time I'm just looking for old emails for like a serial number or something.
Ralph
Yeah, yeah. Warranty.
Corey
Warranty. Yeah. Like just something silly. Yeah, that's exactly.
Ralph
So here's like a fun little pre-show banter story I'll tell. So I got an email from some random sheriff in Florida. Okay, makes sense. And the email, it was at first I thought it was a phish, but I like looked into the sender and it was like a dot gov. Like it was legit. It wasn't like some random Gmail. It was a real sender. And the email said, hey, we believe you might have unintentionally purchased some stolen hard drives on eBay. And I was like, well, of course I have. Duh. I'm looking for the cheap.
John Strand
Christmas was coming up.
Ralph
Yeah. I had to get stocking stuffers for my data hoarding friends. Yeah. So I was like, okay. And so they were like, okay, can you provide us with the serial numbers of some of the hard drives you provide on eBay or bought on eBay? And I was like, sure. Here's all the serial numbers I've bought in the last six months or whatever. And they're like, okay, thanks. We believe that you're, you know, you are a victim or whatever. And they were like, okay, now you have to like submit a sworn, you know, notarized statement like that you purch. And I was like, all right, I'm done. Like, I'm not gonna like go to a notary and be like, I bought this on eBay. Like, you know, I didn't email the guy back and be like, this is a non-violent crime. I don't care that much because it just felt mean. But like, it's just so funny that like, across state border or whatever, I'm supposed to be like, yes, hello notary. I bought a stolen hard drive on eBay unintentionally, and I'm the victim here. Like, it just felt so silly.
John Strand
That's kind of. So we're dealing with lawyers right now because of Ralph.
Ralph
Oh, gosh, Ralph, what did you do?
Kimry
Come on.
John Strand
So, so I, I, I. And Ralph, I haven't been bringing you into this because it's just stupid and it's getting progressive. No, it's not worse.
Corey
All right, good.
John Strand
It's like, I just responded back and I said, we're going to rename the tool. We're going to do this. It's all going to be fine. And then they're like, are you willing to do a sworn affidavit that you're going to do that? And I'm like, no, I give it to you in an email. That's good enough. And they came back and they're like, well, we would really like to have some proof that you renamed it by this date, by this date, by this date and do these things. And I'm like, no, I'm not going to do any of that. I told you we would rename it. I told you that we'd bring it down. I told you that we do X, Y, and Z. And if I don't, then sue me.
Ralph
You sound bitter, John.
John Strand
I am a little bit better. I'm a little bit better because Kimry could have picked up the goddamn phone and they could have called me. I'm not hard to get a hold of. They could hit me up on X. They could hit. Well, maybe they did hit me up on X. I haven't been on X in, like, a month and a half.
Ralph
They could.
John Strand
They could hit me up on Bluesky. It's like. It's like green eggs and ham. There are so many ways to get a hold of me and just say, hey, dude, name's kind of close. Could you take care of it? I'd be like, no, not a problem. But we have to have all the communication go through attorneys, right? And I've directed our attorneys to basically ignore anything else they send to us. Like, do not bill me for that. And our attorneys are all like, oh, we can win this. If we fight this. And we put in hundreds and hundreds of hours, we can win this case. And I'm like, no, my favorite part.
Ralph
Was when your lawyers called you and said, hey, by the way, in calling you, you've already spent X amount of money.
John Strand
Yeah, right. And they did all. We did all of this market research. We did all of this analysis. We realized the trademarks are not active. We have done X, Y, and Z. And I'm like, why? The. Why?
Ralph
Why? I didn't ask you.
John Strand
Like, you're my trademark. Like, I should be able to do. What are you doing? And they're like, well, we just have your best interests at heart. I'm like, no, you don't. You don't.
Corey
Oh, God. Yeah. It is one of those.
Kimry
Or not well trained.
John Strand
We just lost her.
Corey
It's one of those funny things, though, that, like, any of you can go on and look up a trademark in, like, five minutes. You don't need to be, like, an expert. Right? It's, like, simple. It's so.
Ralph
No, no, no, no, Ralph, hold on. Anything a lawyer does costs more because they're taking on legal responsibility for it. And that's actually fair, what I would tell you versus what I would charge.
John Strand
In five minute increments. They just don't.
Corey
Yeah, it's totally fair.
Ralph
The law is a complex business. I get it. Also, suits are expensive.
Corey
I mean, the nice ones are.
Ralph
The nice ones are expensive. Yeah, dry cleaning is expensive. All right, roll the finger.
John Strand
Let's go. Hello, my name is John Strand. I'm the owner of Black Hills Information Security. You may know me from such podcasts as Black Hills Information Security. Talking about news. I am once again completely and utterly unprepared for today's webcast, which means it's going to be fantastic. Pay what you can. I've been traveling constantly, so we're going to be going into today's show blind. And let's see if the attendance, the people in attendance know the difference. Welcome to Black Hills Information Security. Talking about news. Does anybody have any news stories that speak out to them properly?
Ralph
Well, okay, so before we do the news, I say we just make John Strand predict the outcome of all the news articles and then we, like, give him a scorecard. Oh, oh, okay.
John Strand
I like this idea.
Ralph
Here's number one. Okay, John Strand, did Oracle own up to the data breach? Yes or no?
John Strand
Okay, you want me to be serious about this? I'm going to be serious. Yes, they finally owned up. But they only owned up if, in the event that there was incontrovertible proof that they were at fault.
Ralph
So for 100 companies that were in the sample data file.
John Strand
Wait, was I right? Because seriously, I've been on nothing but planes, trains and automobiles and Europe and I'm jet lagged to snot right now. Was I right or wrong?
Ralph
So you're right. I'll give that the thumbs up for being right. Okay. Yeah, I mean, I would say there's a few articles we have in here about it. One from BleepingComputer, where they're basically like, some customers have been acknowledged. Now on, like, on our side, we looked at all of our customers, at least for the continuous pen testing, and there were about 80% were affected. So, like, out of, you know, most of the customers were affected. Now, all of them were like, some of them, we of the companies that were affected. Wait, wait, wait.
John Strand
Corey, hold on. I gotta ask a question before you go any further. Were our customers more concerned about the breach or were they more concerned with the open, terrifying realization that they're doing business with Oracle?
Ralph
Well, so that's a good question. I will say we had customers and this is kind of where I was going next. We have customers who, some of them said, yes, we use Oracle Cloud heavily. We rolled everything. We rolled all like, we were aware of this and we fixed it. Other customers were like, we didn't know we used Oracle. So we're kind of worried about this one. One customer said the only time they are like, to their knowledge, the only usage they have of Oracle is their employees logging into other people's Oracle Cloud environments. So maybe it's just like my theory is attackers are lazy. They just took the list of emails and just cut off the, you know, email domain and said those are the affected domains. So I guess Oracle seems to have more data about what was affected. Flare put out a little notice that was like, hey, go talk to Oracle and ask them. So I'm sure they've gotten nine bajillion emails about, you know, every day. Yeah, I can only imagine what the inbox, email inbox volume is at Oracle right now. But yeah, so, I mean, it seems like it was like an unpatched server that they took down, like just a little too late and just took that server offline just a little bit after it should have been taken down.
John Strand
I just think it's, I think it's hilarious because the way Oracle handles this is very predictable.
Corey
Right?
John Strand
I mean, I talked about it two weeks ago where they absolutely deny, nope, this isn't a vulnerability. This isn't a vulnerability. This isn't a vulnerability. And then finally, whenever they're confronted with it, a lot of times they want to take legal action because that's always the best way to handle these things. Write lawyers for that firm who's going to go, unnamed lawyers involved first. But I do. There's no consequence to Oracle for the way that they do things. And I think that that's the bigger problem here, and it's something I would like to kind of talk about, is firms act this way. I don't care about the security breach all that much. I mean, there's some of the people in some of the articles I've been reading are like, well, they should have had better security. Okay, everybody can be breached. Everyone has bad security.
Corey
When Microsoft got breached too, I mean, there was such a big breach. Right?
John Strand
Right.
Ralph
Yeah, yeah.
John Strand
But it's just an issue of handle it. And I like the firms that are more honest and they're like, you know, we screwed up. We're going to do better. Great, congratulations. But the people that initially start, like, their default position is deny, let's deny right out of the gate.
Ralph
I think that that's distract deny. Gaslight gatekeep.
Corey
Brutal.
Ralph
So, yeah, no, I mean, I agree. I, I guess one of my favorite, like, fun facts about, you know, if you think about, we're like going back to Microsoft versus IBM, like the old battle of large companies. Microsoft didn't have more revenue than IBM until like 2006 or something. And they had been eating their. Eating IBM's lunch for like 10 or 15 years at that point. I feel like that's about where Oracle is right now. They're like, they just have this long tail of recurring revenue. They're like, no, I mean, we're still getting paid for Oracle database licensing, so I mean, whatever, like, who cares? I genuinely do think though, this is pretty short-sighted because companies have lots of options in the SaaS space. I don't know, I feel like you're going to lose customers long term if you just keep. Every time there's a breach just being like, nah, we don't have unpatched servers. We deleted them. You can't go back in time. And the attacker's like, yeah, I can. I dumped the data before you took it down. They're like, no, that's not how it works, SaaS.
John Strand
Rule is, quote, we're Oracle, we have no fun facts. I don't know why I find that funny. It shouldn't be as funny as it is, but damn, that's funny.
Ralph
So all the fun facts were encrypted in the database?
John Strand
Most fun facts are encrypted, yeah.
Corey
That's the only thing that's encrypted though.
John Strand
All right, what other story? I think that I don't know, unless there's a new hot take on this.
Ralph
The spicy one I think is there's a new Twitter breach or X breach going around the interwebs, which, as the data breach pundit, I. I think you're.
John Strand
Not gonna ask me questions on a data breach connoisseur.
Ralph
Okay, no, yeah, let's. Let's have John predict. So, okay, John, another Twitter data breach or X data breach. What do you think? How many records and what details do you think were disclosed? Like, just give us like high level data breach statistics.
John Strand
So just by the fact that I, I haven't seen this in the active news while I've been traveling, it tells me that we didn't have password hashes that were dumped. Right?
Ralph
Mm.
John Strand
So I'm gonna go with. I'm gonna go with above a billion. And I'm gonna go with it's just the standard things. It's like, here's your handle, here's your email address, possibly phone numbers. I'm. Screw it, I'm gonna go straight into phone numbers. I'm gonna say that there's phone numbers and possible location information.
Ralph
I wish it was. So you're right about everything except for. So there was a previous Twitter breach. I think it was 2023. And it had all the things that John just mentioned except for location data. So it had phone numbers and it had email addresses.
John Strand
I was hoping this was just a slight modification of that breach path.
Ralph
Yeah, so there's a lot of, like, different analysis is. And like, the people who are doing analysis online, it's like, how do you even get the data? Because it's not public. No, there's.
John Strand
Right there, it says location and time zone settings.
Ralph
Yeah, but that's like a user's location when they created their account. It's not like location as of, you.
John Strand
Know, now we're just splitting hairs, aren't we?
Ralph
I. I mean, well, yeah, I mean, true. But I guess what I would say is like, no emails, no phones, which to me, that's all I've ever gotten from the data breach. The Twitter data breach is like, the phones was big because first of all, it was like Neil deGrasse Tyson's personal phone number.
John Strand
But how many records? I don't think, like, was it.
Ralph
Yeah, so that's another good question. So the attacker is posing 2.8 billion. 2.8 billion records, but as the article mentions, there's only 335 million active users. So.
Corey
So the rest are bots.
Ralph
I will say, this does line up with the whole Elon Musk buys Twitter thing. Like, he was. Like, he was. Maybe that's why he was so upset and forced to buy it, because he was like, wait, there's 300 million users and 3 billion active users? Like, okay, we got a problem.
Alex
Either bots or your stuff isn't actually deleted when you ask for it to be deleted.
Ralph
Yeah, Yeah, I think that's one of.
Alex
The things that I want, that I want to see some results for Alex.
John Strand
Why not both?
Alex
Yeah, why not both? It's probably both. I have, I. I have another, like, interesting take on this too. Like.
Corey
Or.
Alex
Because I was thinking even before this breach that we're going to see like an increase in, you know, desperation moves of insider threats. Like, your insider threats are going to go up. And I'm dancing close to kind of like that electrical third rail here. But, yeah, you're going to have, you know, insider threats increase. You're going to have companies that have maybe less budget for security controls. And if people look at their pocketbooks worldwide and go, hey, I'm desperate. Hey, desperate times makes for increase in cybercrime. Yes, I saw all that before this happened. And I go, oh, it's a disgruntled employee that's just like dumping stuff out on the Internet. I'm like, you know, hang on, get ready for more of this.
John Strand
I, that that's a, that's an incredibly bleak yet hopeful take. Yeah, I think it's bleak because I agree with you. I, I, we don't, we don't know if this is an insider. Do we know the attack path on this one yet?
Kimry
So not clear claim that the, the large data, the claim is that it was stolen by an insider, a disgruntled employee.
Ralph
That's totally just a claim.
Kimry
Somebody else went and did a data merge and merged the new data with old data from what, the 2001 or the 2003 and then pulled out anything that didn't have the emails. So there are multiple data sets running around.
John Strand
So, and all of that's bad, right? Like, I think that we can agree that, you know, if everyone's, look, if you're looking at classifications, right, a lot of times you can have unclassified data set one, unclassified data set two, unclassified data set three. And when you merge all three of those unclassified data sets, it becomes a classified data set just by basically merging them together. So I see a lot of companies kind of pooh-pooh the idea where they're like, hey, this data is old or some of this data is old because, you know, I mean, literally that's what BHIS is doing with Flare where there's a whole bunch of different data sets, data breaches out there, info stealer logs, and then pulling them all together, correlating, infusing them is where the real power actually becomes what you can do with it. Right? But getting back to Alex's point on the insider threat stuff, if you're looking at the landscape right now, we're looking at the economy, we're looking at everything and just, you know, it's bad. Right? But the, with this economy goes to crap as people start losing their jobs. I agree 110% with what Alex was talking about and I think that this is it. This should be a bigger story when you're laying off tens of thousands of people in the government and you're look, it's just a matter of percentages that you're going to get somebody that's going to have a large amount of data that they're willing to put out there simply from an act of revenge, maybe not even from financial gain, but then you're also going to have people that are going to do it for financial gain. And I think that this becomes a problem as you move forward in how you start laying off people, possibly with the economy and everything that's going on. Does your company have a strategy for laying people off? Because I know, like when I was at Northrop, we had a program. This was awful. We had a program, contacted everybody. The program was. We were downsizing or something.
I can't remember exactly what it was. And there was like a couple hundred people working on the program and they said, we're laying off half of you. However, we're laying you off in two months and we really need you to complete all the work that you're working on in the next two months before you get laid off. Right. That program went down in flames almost instantaneously. And none of this stuff got done on time. So all of this stuff, when we're looking at it, right, you got insider threats, you're going to have more people with technical skills with a lot of time on their hands. And crime is not an option for like going and robbing a bank for many people. Cybercrime is absolutely going to be part of it. And you're going to have an increased amount of people that just have hard drives laying around their house filled with work data that can be breached on or.
Ralph
Oh, John, we have DLP, so don't worry.
John Strand
Oh, I forgot about DLP.
Ralph
You're right. You're right.
John Strand
I take we were wrong. I forgot about data loss prevention.
Alex
About those three letters.
Ralph
Yes. Three magic silver bullets.
Alex
I mean, if. I mean, if it's next-gen DLP, like, we're done.
John Strand
Yeah, it's next-gen AI DLP.
Corey
Yeah. AI reads all of the data to find out if it's sensitive and then doesn't do anything with that. That's good.
Ralph
And then it doesn't. I will say, me personally, I did send an email to Elon Musk asking him to explain in five bullet points what his security program is and how. So I. I'll let you everyone know if I get a response. So far I have not.
John Strand
It's my belief that my big ball should be held every night because when.
Ralph
I have, no one will ever. No one will ever take that out of context.
John Strand
What do you mean? It's a party. It's a fancy dress party. So.
Alex
And calling back to net last week, like for whoever said they didn't get enough rants last week and wanted their money back. We're doubling down.
Corey
We're doubling down. We're pushing so many more rants.
John Strand
I'm a little bit terrified that anytime I talk People are like oh here it comes. Like it's that, it's like.
Corey
Hold on, let me get the chair. Soap box Joe.
Ralph
John, did you. Or I guess, okay here since we're keeping the theme of having John just predict all the articles doing pretty good so far. You're, you are. I'd say I, I'll give you approval. You said north of a billion. You had the wrong records. But let's say we went 2 for 2 so far. Now let's, let's talk about a phishing-as-a-service platform. So this is run by Chinese criminals or that's a spoiler. I should have asked you what guessed.
Corey
Russia, the ranch with you.
John Strand
I would have gotten that wrong. If you would have asked me who it was, I would have said Russia.
Ralph
Okay. So Russia has bigger fish to fry right now. So basically there's a phishing-as-a-service provider. Okay. And I guess I would say here's, here's what you have to predict. You have to predict how many smishes do they send on a daily basis roughly and what kinds of like fees or things do they charge for this service? Like how does it work, how do I, how do I sign up? Are they using open source software, et cetera. Like give me the high level product.
John Strand
I'm going to say number one, they're using open source software. Number two, not exclusively. They have some customization for the number of smishes they send. Over 10 million, I'm going to guess on that. I would have guessed it would have been Russia. A daily 10 million. I would have say 10 million.
Ralph
Okay.
John Strand
For the APT group I would have said Russia. I would have gotten that wrong of course. And what was the other question?
Ralph
So their question is like how does it actually, how do you think it actually works? Do you think it's based on that?
John Strand
They probably like going off of previous services that have done the exact same thing. There's usually tiers like you know, it's like free tier or a hundred bucks gets you to tier X all the way up to like full on white glove premier tier service if I had to guess and that's because botnets and that's once again I would have tied that to Russia because that's Russia's MO is they have these services, these botnets as a service, these you know, SaaS level services. I think it is interesting that China is starting to do it but those.
Ralph
Would have been my comfortable, it's profitable. Okay, so okay, let's give you a scorecard. So I would say you're high on the numbers, they're only sending about 100k a day.
John Strand
Oh, wow.
Ralph
And which. Which is still insane. And by the way, we've probably all gotten these. Has anyone gotten the phish?
John Strand
I'm gonna say I'm packaging a sizable percentage of those about. About like parking tickets and speed cameras.
Ralph
Like, yes, no, if I can. Package tracking. Yeah. So you were wrong. You were a little high on the numbers. They use a platform called Darcula v3, which we've actually talked about on the show, but it's basically some other crime syndicate's phishing-as-a-service product. So it's not really open source, but it is reused and it probably uses open source stuff. Right?
John Strand
I'm not going to give me that one. I got that.
Ralph
I'm giving you that one because you killed it. As far as how it actually works, it doesn't really say if there's different tiers, but it's pretty interesting because the. I mean, I think this is just a very.
John Strand
There we go.
Ralph
So basically, if you look at the picture is actually kind of interesting. I think Ryan's in reader view, so he can't. Oh, yes, there's the picture. So they're actually using like physical devices and they're also. They're sending RCS and iMessage. That's kind of the pitch because SMS is dead, right? Like SMS phishing is dead now. RCS and iMessage phishing is alive and well. So they're actually like. There's a video the threat actors posted where they're basically like sending smishes while they're driving around. And you're just like, why? Okay, first of all, why? Second of all, is this like, are you. I mean, this is just like someone. Now I will say, if you want to know what phishing looks like at Black Hills, this is basically it. Now we're not usually driving down the highway.
John Strand
Thanks for clarification, Corey.
Ralph
This is how we smish, right? This is how you do it. You just take the message, you paste it into a phone, you send it to all the targets. Like that's how we smish.
John Strand
I love. I love interns. Like, you know, people are like, oh man, I'm finally on a cutting edge red team. So what's my job? You're gonna take this phone and you're gonna manually paste in for these 23 numbers. That's it.
Ralph
Y.
John Strand
That's your job. Welcome aboard.
Corey
I think it's funny. They. They bought all these phones, right? And the reason they did it is so they can make just a bunch of iCloud accounts and then log in and then the service is that it logs into all those devices. So it's like a RAT for the phone so that they can send like, you know, all these smishes all at once. And the reason that they have to buy real phones is that that way it shows up as like a real device, it gets attached to the Apple, like seems a lot more legitimate, blah, blah, blah. It's pretty wild.
Ralph
Yeah, I mean I guess what I'd say is it makes sense that this is a profitable product, that phishing as a service is profitable. Having done phishing, it's super annoying and I would happily pay for one of these services.
John Strand
We've actually read Al join. He said, I'll be on a red team, I'll do it. It's like, sure, look at me, I'm a red teamer. Two hours later, I hate my life. What the hell. It's like being in a casino with no return.
Ralph
Yeah. Teams phishing these days is just sending a bunch of messages that say are you up? Basically.
John Strand
But God, I hate those.
Ralph
I think it's pretty interesting I guess like to see, I mean obviously you know, this is some company did like really cool threat research about how, you know, it works. But I mean it's profitable for the, for companies or you know, companies, I don't know what crime syndicates to send these kinds of smishes. If you send enough of these, you're going to get some responses and apparently they can, the real threat actors can pay for the service on top of, you know, all their other costs. So yeah, I guess SaaS is alive and well even in the crimeware game.
Corey
Yes, SaaS is everywhere.
Ralph
All right, I'm gonna count that one. I think, I think that one's close enough. We'll give it a half, a half point.
John Strand
Yeah, because I don't feel, it feels dirty like I got.
Corey
You did bring up SaaS though. You were, you were kind of, you were on to it.
John Strand
Yeah, there's somebody can find out. I'm willing to bet that they have tiers because almost all of these groups.
Corey
They probably do. Yeah, they probably have.
Ralph
Every SaaS product does. Are you paying for Phishing Platinum now?
John Strand
The big question I have is do they have a free tier?
Corey
Yeah, I, I guarantee. But I will tell you what, I also guarantee you that they charge extra for that two-factor authentication, you know what I mean? That enterprise feature, you want to look it in that customer.
Ralph
Oh, you mean for us to sell? Yeah. Yes, we, we had at APT42, we use Okta, so can you guys integrate with Okta?
John Strand
And Ralph? This is an inside thing. Are you paying attention? Because you're gonna need to learn this stuff, man. You gotta compete.
Alex
Wow.
Corey
I. Yeah. I. I've got a rule. There's no extra for what should be security.
John Strand
Oh my God.
Corey
That's somebody.
John Strand
Yeah. Catchphrase. There you go. Right?
Alex
Any.
Ralph
Yeah. All right. Anyone else have any like spicy articles? I can just keep making John predict the news. It's up. If anyone. I don't want to cut out. If anyone has an actual article they want to talk about, I have an.
Corey
Article I'd like to talk about real quick.
Ralph
Let's do it.
Alex
It's not.
Ralph
Well, John has to predict it.
John Strand
I don't know. I don't need. Well, okay.
Corey
All right, all right. GitHub had a bunch of essentially. All right, so let me, let me break it back for a question for John, right? What do you think GitHub's like number one security problem is right now as a whole? Like, you know, with. As like a service?
John Strand
I would say number one is just people being stupid and leaving secret shit. Secret stuff and an unsecured thing. I would say number one, that's it. Just their users being dumb. That would be.
Corey
You nailed it. Nailed it. So GitHub, so they have had that problem, right, For a while, right? It's a real problem that happens all the time. It's probably happening right now. But they. It announced that their new advanced security platform had detected over 39 million leaked secrets and repositories in 2024. Right?
John Strand
Oh my God. I would have never guessed that high of a number.
Corey
Yes.
Ralph
So don't worry. Those were just production API keys.
Corey
Yes. Yeah, maybe. So what the announcement really was is the rollout of, you know, their standalone secret protection and some other things like that that you can now buy and add on. Now by the way, there are tons of other third party products you can also.
Ralph
I mean there's entire businesses. Truffle Security is an entire business that exists just to protect secrets on GitHub. There's many more.
John Strand
It's like Gray Owl. Your job is just clicking buttons on phones and crawling GitHub for creds. Like that's it.
Corey
So they're looking to essentially attack the all the different ways that secrets land here, right. So looking at push protection so when the actual git push happens, looking for the secret for the actually land in the repository. Right. They're using Copilot-powered secret detection, which is for AI to detect unstructured secrets. So essentially random data or something that could be a secret. And then, yeah, they have a couple other interesting things.
John Strand
It's funny, I've got a fake company I created on GitHub for one of my CTF challenges. And if you go to strandjs fake co and Issues, I have "firewall password not working. Can someone change the password? The password is password1234. Change it back." And then also I had "password for AWS not working" in there as well, and I have yet to get a notification from GitHub.
Ralph
Oh yeah, well, that I, I will say to give a little bit of credit to GitHub, this is something we've also tried to tackle for continuous pen testing. And like there is no good way of classifying what is sensitive, you know, in like for something like that. Like the password is blank. From an NLP and data processing perspective, that's actually really hard to do at scale. So part of it is just they're trying to tame a huge hurricane of data with tools and things. And basically it looks like the way they went was to provide tools to people that make it easier to find and discover this kind of stuff. But truthfully, a document that says the password is blank, if someone has a way to detect that at scale, that's a million dollar idea. Like that's really hard. Or I guess now inflation, a billion dollar idea.
John Strand
My big question is, that's all that's in this fake co repository, and I have nine stargazers.
Ralph
Yeah, that's all people who use that same password. They're just saying that's their password manager. Right, that's their password manager now. And yes, GitHub is the best password manager, obviously.
Corey
And what's also interesting is that the real secret is not necessarily that the key was exposed. You want to stop that from happening in the first place. But the real power is knowing that it's exposed. Right? Because the sooner you find that out, the sooner you can just rotate that key. Right? Yeah, that's, that's really kind of the big secret with secrets.
Ralph
Yeah, I mean, I feel like this is more of just a retrospective thing. It's like GitHub is basically, they're saying like, hey, here's some things we providing you with to help stamp out this insidious problem that's been a problem since I think it was 2018. Ralph, when you left your AWS keys out and you had like 100K.
Corey
Bill, I, I got a great story. So I, I did, I pushed an AWS API key up into GitHub and I got a $30,000 bill in two days. Two days. Less than a day. It was like, it was like, yeah. Anyways, and I was like, wow, that's interesting. And then I saw exactly what I did. Just, just, you know, didn't use .gitignore. There's all kinds of other ways to, you know, find this. And you know, it would have been great if I would have been notified right away. Hey, did you accidentally do this?
John Strand
But so two questions. One, did I pay for that?
Corey
No, no.
Ralph
This is crazy. For that. Yeah.
John Strand
What was your conversation with your wife like?
Ralph
No, no. So Amazon, dude. So Amazon just deleted it?
Corey
Yeah, Amazon just wrote it off. I said, hey, that wasn't me because there's gambling addictions.
John Strand
And then Ralph, this.
Corey
Yeah.
Ralph
No, no, look behind Ralph. His wife is already familiar with how. How the AWS, dude.
John Strand
Yeah, I. I know the feeling, man.
Corey
Yeah, so, but anyways, yeah, it was a write-off, but yeah, so it's happened to me. I've seen it happen to other people. We've seen it in tests, we've seen it all over the place. Right. So yeah, it's easy to do. We're all human, mistakes like that.
Ralph
Yes. And git in particular is tricky because just because you deleted from the current version of the repo doesn't mean you deleted it from the history. And that's tricky.
Corey
So everything that you push to git, as soon as it's there, is stuck there forever. And most of the time the only way to get rid of it without some kung fu here is to actually delete the whole repository.
Ralph
Yes. And there are tools to help you do that. There's like, what is it, Git purge or something. Or there's like Git nuke. There's a few tools out there that like you could use to nuke repository histories and things. I mean.
Corey
Yeah, yeah. Wait.
John Strand
It's basically how do you break everything that makes it.
Corey
Oh, oh, that's. That's my favorite part too. Because everyone's like, what? Git's that hard? I'm like, okay, all right, you explain to me without looking this up how to delete a file that you just pushed to git. If you can do that right, then I believe in everything that you've got.
Ralph
Like, you know, I asked ChatGPT, it gave me a parameter that doesn't actually exist. So that's going to be helpful.
Corey
Not look at a book. Yes, exactly. Number one thing, if you want the answer, just delete the repo. That's it.
Ralph
Yes, correct. That does work. Yeah.
John Strand
I love cheddar Bob just said I see this in my future and it scares me. You know there's people like an idiot would leave the. Leave that out and get up the people that have been doing this forever. Like this is gonna happen if it hasn't happened already and it's going to suck.
Ralph
Yeah, no, we see it with our continuous pen testing customers, we do scan and monitor for GitHub secrets and we. It's a pretty high hit rate. It's probably like 50% or more of our customers have something. Whether it's just like John said, a Cisco config that says the password is blah, or if it's like an actual secret. Like the other one thing I will.
Corey
Put out is that. So let's say your repo is not public.
John Strand
Public.
Corey
Right. But your developers are still just leaving secrets all over the place, right? So just because it's not public, as soon as you get access to the repository as just a regular user, now you've got access to all these secrets. So it's a whole nother avenue of attack. So just because it's not public doesn't mean that you shouldn't be taking care of secrets.
Ralph
Yep.
Kimry
A con you're expecting develop git was created for software development where you want to retain all that history because of course developers never make mistakes, they never do things they should not have. So now you're asking this thing that really is behaving exactly the way it was intended to do, to behave in a different way because what it's doing isn't safe.
Corey
Rodman, you know how I release public repos? I take all the code, delete the private repo and just re upload it as fresh, making sure that it's well.
John Strand
And that's one of the. You know, we haven't talked about crypto in a long time and I think it's sad that crypto kind of like disappeared into the ether, right? But if you're talking like solidity and you're talking about smart contracts, I absolutely love the idea that if you watched YouTube videos on smart contracts, they're like, oh, the biggest problem is people. And if we just code it in and the code is the contract and we're going to honor the code and the contract and it's like. But that assumes the people that are writing the contract don't make errors in their code and then it's out there and it's associated with money and you can't change anything. It's like this GitHub problem, but much worse, you know, and I, I miss all those things that popped out with, with cryptocurrency and smart contracts. I, I want to come back.
Ralph
Still a lot of bad ideas out there ever. Like the dollar amount of the largest breaches of all time are almost all crypto things. Like if you, if you search by like the largest ever breaches. Oh yeah, we're talk like. Yeah, it's crazy.
Corey
You know when all of those have occurred like within the last like year too.
Ralph
Like the biggest maybe.
Corey
Yeah, no, I think, I think it was like last year was the biggest one. It's like they're not, they're not that like that far in the path. It wasn't like whoa, when Ethereum first came out. That's when all these breaches happened. No, man, they're going after it for today.
John Strand
It's wow right now.
Ralph
Yeah, I mean I would say the biggest one is probably going to be Bitfinex or whatever. Like it's going to be. Or Mt. Gox, it's going to be one of those. But like the tough thing is that you look at the data breach and you're like, okay, so they took 12,000 bitcoins or whatever. That's going to be like depending on the day. Back when it was done, it was probably a $5 million breach, but nowadays it's like 20 billion. Bybit was.
Corey
2025, it was February and it was around $1.5 billion.
Ralph
That's nothing compared to Mt. Gox.
John Strand
Okay, so that one's Coincheck. Right. And that was 534 million. FTX, 477, was 2022.
Corey
Yeah. Now you have to tiny of that.
John Strand
Mt. Gox, 460 million in 2014. And now we're getting into the top ones. Top like DMM Bitcoin, 308 million. No, no, I did this backwards. So yeah, the biggest one was Bybit for 1.4 billion. That was 2025. The next one recently would be DMM, that's the fifth. That's 308 million in 2024 here. I'm going to share this in the chat so we can bring it up. But you know, there's a lot of them there.
Corey
But all I'm saying is the values are getting higher and it's happening more often.
John Strand
They were going up higher as like a very definable line. But when you get to Bybit, it's like parabolic, it just explodes. So if we can bring that up for the news story. Scroll down, you can see the graphs.
Corey
And it probably was.
Ralph
Yeah. When Mt. Gox got breached, it was only worth $400,000. No big deal. Now that's worth 470 million. Like it's crazy.
John Strand
That breach is huge. I mean that's bigger than the next three breaches combined.
Ralph
Yeah, that's bigger than the market cap of like 90% of companies in the world.
John Strand
Yes.
Ralph
Yeah. Like billions of dollars. There's not that many billion dollar companies to begin with, but yeah.
Corey
Anyway, I gotta, I got another interesting story. So did you guys hear that ChatGPT is gonna try to put watermarks in the images that they're creating now?
John Strand
I thought they were already doing that.
Ralph
They're already putting artist watermarks that they.
John Strand
Were putting in the art of getting images. I thought that they.
Alex
That's what the sixth finger was.
Ralph
So.
John Strand
Okay, what's the story since we started.
Ralph
Give us the story. I have more hot takes though.
Corey
Oh yeah, no. So I guess ChatGPT, have you guys played around with the new 4o image generation? So yeah, if you have ChatGPT and the 4o, which is their whole model is like wildly confusing the numbers and you're like, this is the newest. No, that's the newest. They're like, no, we upgraded the old one and now it's better anyways. So the one thing you could do now with the 4o model is you can say hey, make me a picture of this, or hey, take this picture and make it a professional headshot or whatever it is. Right. But I guess the image gen model was previously only for paying subscriber customers, but now I think anyone can do it but at a limited amount. But the, the thing that's coming is that they're going to be training their models with like watermarks. Right. I'm not exactly sure how that's going to work, but yeah, so they're probably going to try to put some watermark in there. Yeah.
John Strand
Isn't that kind of ironic? I mean, yes.
Ralph
This product that plagiarizes from everyone else, we don't want anyone plagiarizing it.
John Strand
Oh, studio. Oh my God, the Studio Ghibli stuff. Oh, about that.
Ralph
Yeah. I mean, so here's another, I guess my, like my other hot take on this is like the, I don't know if anyone's noticed this, but like if you take a ChatGPT generated image and you try to paste it into Teams, it'll be like "can't paste from this source." Like it already is like protecting. There's already like some kind of weird AI war happening where like the image data is tagged with, with like the prompt. Basically. Teams is one example. I'm sure there's other examples of this out there, but they're filtering the input content. Now if you take that data. Now, I'm talking about if you copy directly from the ChatGPT web interface and paste directly into Teams. Now if you just save the image and paste it into Teams, that's fine. It doesn't have a way to detect that. My point is there's already some gatekeeping going on here with like, oh, you're. We're Microsoft. You can't be pasting ChatGPT images in here. And I'm sure companies will start watermarking or, you know, saying like, this image is AI generated. This has been around for a while. Like if you use thispersondoesnotexist.com and you create a LinkedIn account, it'll just be like your LinkedIn account has been banned. Like they have a way of somehow detecting that. But yeah, I mean, it is like it's a whole thing.
Corey
Yeah, the image generation is kind of interesting from a security perspective. There's a bunch of different attack stuff that people will probably do, especially as the image generation gets better. Like, hey, have a picture of this person holding a letter that says, you know, a date and you know, their driver's license. Their driver's license. Yeah, exactly. There's all kinds of wild examples here. The image generation is pretty good. And the truth is the scary part is not necessarily where it is today, which is actually pretty good. It's where it's going to be in like two months, it seems like, I mean, these, these models are getting dropped every single month and every. And it's like this whole AI war to like, who's got the best model out there? And you know, well, would you call.
Ralph
It America's Next Top Model?
John Strand
Like, people joke about this stuff and it's right now is the worst it will be moving forward in the future just is.
Ralph
Or it's the best it'll ever be.
John Strand
Or it'll best maybe.
Kimry
So much of when the web was new and we were downloading a new browser every five minutes, it felt like because stuff was changing so fast and this is, it's exactly the same dynamic. Everybody is evolving their own stuff, everybody's doing their own thing and everybody's copying everybody else. So yeah, it's going to be this way for a while. While it'll settle down and then while.
Ralph
The only person who'll really profit from it is Nvidia or whoever's selling the chips.
Corey
So you know what I thought was funny too, because I've watched a bunch of videos about AI model rigs too. And the new Macs are actually amazing at this because they have an insane amount of memory that they're putting in these. Right. Which is actually what you need for like local model stuff. So anyways. But you're still right, though. AI is killing it on this because, you know.
Ralph
Yeah. The people who rent and sell the hardware are the ones who win in the end.
Corey
Yeah. You're. If you're selling the shovel in the gold rush, that's who gets.
Ralph
Correct. Yes, exactly. But I will say they've had. This is their day in the sun. They've had a long, like. Selling hardware has been an increasingly difficult game to be in, so.
Corey
Well, that's all they're into with games. So they spread out.
Ralph
Yeah.
Corey
Right.
John Strand
Got another story, guys.
Ralph
Another story.
Corey
Did you just keep us going?
Ralph
There's actually not that much, honestly. Yeah, it was kind of a nice week. I mean, Samsung got hit by an infostealer. Whatever we got, we got breaches.
Kimry
We've got the usual suspects doing stupid stuff for stupid reasons. We've got. We've got.
John Strand
So are we just not going to talk about the director of the NSA being let go?
Ralph
You can talk about whatever you want.
John Strand
I know, I know, I know. I don't know exactly what to say about this any more than what we've already said about some of the things.
Ralph
I. Yeah, not much has changed, but I don't got worse.
John Strand
Think it's going to immediately change the direction of what the NSA was doing up until this point. It might change in the next couple of months or even a couple of weeks. But I. I do think we have to talk about it because it is on the news. If you guys don't know the NSA director was let go. That's interesting. For a number of different reasons.
Corey
He probably didn't pull out the five bullets.
Ralph
I was gonna say. Maybe he had ChatGPT write the five bullets for him and they just weren't good enough.
John Strand
Yeah, he didn't do that good of a job.
Corey
Well, yeah, because they don't have. They have that gov. GPT. It's not.
John Strand
And I think Wendy left too, Wendy Noble. Now there's a lot of. There's a lot of conversations about whether or not Laura Loomer was the one that got him fired because he wasn't loyal enough or anything. I don't think a lot of that speculation. Maybe there's a lot of corroborating evidence on that speculation. But as far as like what it is going to impact moving forward, I don't think it's as bad in the short term as like Jen, Jen Easterly leaving CISA. I think that CISA kind of being headless and kind of drifting off is a much bigger issue than the NSA as far as like, yeah, we will see.
Ralph
I mean the NSA isn't really civilian facing in any large capacity. Right. And CISA is so civilian facing and like business facing. And I mean even just like all the pen tests CISA was doing for like cheap, you know, free pen tests for OT and other spaces, like a lot of that stuff I think I would consider like money well spent. But gold toilets in the Pentagon are nice too. I mean I do love those like fancy Japanese toilets.
John Strand
Yeah. So at least we wanted to discuss it. We'll see if there's anything, anything new that comes out of it as well. But hey, if it's a slow week, let's wrap it up, get out of here a little bit early, because I'm willing to bet that like we're going to run into next week and it's just going to be a tsunami of cyber news. So I want to say thank you very much for attending. Thank you for everybody here that's co-hosting. We appreciate you all and I am going to go do a jet lag nap right now. We'll see you next week, folks.
Corey
Bye guys.
Talkin' About [Infosec] News, Powered by Black Hills Information Security
Episode: Desperate Times Makes for More Cyber Crimes
Release Date: April 9, 2025
The episode kicks off with the hosts engaging in light-hearted banter about microphone quality and amusing quips about cat breath:
This friendly exchange sets a relaxed tone before delving into more serious discussions.
Ralph shares an amusing yet concerning experience involving an unexpected email from a Florida sheriff about unintentionally purchasing stolen hard drives on eBay:
This led to unexpected legal entanglements for the team:
The conversation highlights the complexities and frustrations of dealing with legal processes in cybersecurity mishaps.
Ralph introduces an interactive segment where John predicts the outcomes of recent infosec news articles, followed by a scorecard:
Prediction:
Outcome:
Discussion: The team analyzes Oracle's handling of a significant data breach, emphasizing the company's tendency to deny vulnerabilities initially:
They critique Oracle's reactive rather than proactive approach to security incidents, highlighting a broader industry issue where firms prioritize legal defenses over transparency.
Prediction:
Outcome:
Discussion: The breach revealed discrepancies in user data, indicating a mix of genuine users and bots:
The hosts explore the implications of such massive data leaks, including the potential rise in insider threats and the exploitation of merged data sets for malicious purposes.
Prediction:
Outcome:
Discussion: The segment delves into the mechanics of modern phishing services, noting the shift towards more sophisticated and scalable operations:
The conversation underscores the profitability and persistence of phishing services in the cybercrime ecosystem.
Alex raises concerns about the correlation between economic downturns and the rise in insider threats:
Discussion: The hosts discuss how financial strain and job insecurity can motivate employees to engage in malicious activities, either out of revenge or financial desperation. They share anecdotes and strategies to mitigate such risks, emphasizing the need for robust security measures and employee support systems.
The conversation shifts to the frequent issue of sensitive data being inadvertently exposed on GitHub:
Discussion: The hosts highlight the challenges of managing and protecting secrets in code repositories, stressing that even private repos can be vulnerable if proper precautions aren't taken:
They advocate for continuous monitoring and the use of specialized tools to detect and remediate exposed credentials promptly.
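To make the detection side of this concrete, here is an added example of the kind of line-level check a push-protection hook or a repository monitor runs. It is written for this summary and is not GitHub's, Copilot's or any vendor's code. It combines fixed-shape rules (the documented AWS access key ID format, PEM private key headers, password-style assignments) with a Shannon-entropy fallback for unstructured tokens, reports only a hash fingerprint of each hit so the report itself does not re-leak the value, and scans a constructed commit history to show the point made in the episode: removing a key from HEAD leaves it in the commit that introduced it. The sample lines, commit ids and the 3.5 bits-per-character threshold are constructed assumptions; the AWS values are the placeholder examples from AWS documentation.

```python
"""Line-level secret scanner of the kind push protection runs before a push
leaves the developer's machine. Added example; not GitHub's or any vendor's code."""
import hashlib
import math
import re
from collections import Counter
from dataclasses import dataclass

# Fixed-shape rules. AWS access key IDs have a documented form (AKIA followed by
# 16 uppercase alphanumerics); the other two are structural, not vendor-specific.
PATTERN_RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "password_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key)\b\s*[:=]\s*['\"]?([^'\"\s]{6,})"
    ),
}
# Unstructured secrets have no prefix to match, so fall back to entropy over
# long tokens ('=' is left out of the class so `KEY=value` splits at the '=').
TOKEN_RE = re.compile(r"[A-Za-z0-9/+_-]{32,}")
ENTROPY_THRESHOLD = 3.5  # bits per character; a tuning assumption, not a standard


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    fingerprint: str  # SHA-256 prefix of the value, so the report never re-leaks it


def shannon_entropy(s: str) -> float:
    """Bits per character of the token's empirical character distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def fingerprint(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def scan_lines(lines):
    """Return one Finding per rule hit per line; line numbers are 1-indexed."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for rule, rx in PATTERN_RULES.items():
            m = rx.search(line)
            if m:
                # Rules with a capture group report only the captured value.
                value = m.group(m.lastindex or 0)
                findings.append(Finding(rule, line_no, fingerprint(value)))
        for token in TOKEN_RE.findall(line):
            if shannon_entropy(token) >= ENTROPY_THRESHOLD:
                findings.append(Finding("high_entropy_token", line_no, fingerprint(token)))
    return findings


def scan_history(history):
    """history: list of (commit_id, lines), oldest first, as a walk of `git log`
    would yield. Deleting a key from HEAD does not remove it from the commit
    that introduced it, which is exactly what this surfaces."""
    report = {}
    for commit, lines in history:
        found = scan_lines(lines)
        if found:
            report[commit] = found
    return report


# Constructed sample input. The AWS values are the placeholder examples from
# AWS documentation, not live credentials; the commit ids are made up.
SAMPLE_LINES = [
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "-----BEGIN RSA PRIVATE KEY-----",
    'firewall_password = "password1234"',
    'version = "1.2.3"',
]
SAMPLE_HISTORY = [
    ("c0ffee1 (constructed)", SAMPLE_LINES),
    ("c0ffee2 (constructed, HEAD)", ['version = "1.2.3"', "# key moved to a secret manager"]),
]

if __name__ == "__main__":
    for commit, found in scan_history(SAMPLE_HISTORY).items():
        for f in found:
            print(f"{commit}: line {f.line_no}: {f.rule} (fingerprint {f.fingerprint})")
```

Run as a script it lists four hits, all in the older commit and none in HEAD, which is why a scanner has to walk history rather than only the working tree. The entropy rule is deliberately coarse: it will flag long random-looking identifiers that are not secrets, so in practice it is paired with an allowlist and the fingerprint is what gets compared against previously triaged results.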
The team discusses the emerging trend of embedding watermarks in AI-generated images to prevent misuse:
Discussion: The conversation explores the security implications of AI-generated content, including potential vulnerabilities and the ethical considerations of watermarking:
They ponder the balance between innovation and security, acknowledging both the benefits and risks associated with advanced AI technologies.
In a brief yet noteworthy segment, the hosts touch upon the recent departure of the NSA Director:
Discussion: While not delving deeply into the implications, the hosts hint at possible administrative or governance challenges within the NSA, reflecting on how leadership changes can impact national security strategies.
Wrapping up the episode, the hosts express a sense of anticipation for future discussions, hinting at an upcoming surge in cyber news:
They thank their co-hosts and listeners, signifying the end of a dynamic and content-rich episode.
This episode provides a comprehensive overview of pressing infosec issues, enriched with expert insights and candid discussions, making it invaluable for both seasoned professionals and newcomers to the field.