![McDonald’s Over 64 Million Exposed Job Applicants - 2025-07-14 — Talkin' Bout [Infosec] News cover](https://assets.blubrry.com/coverart/orig/577207-646458.jpg)
John
Go.
Brian
I don't see the finger.
Corey
Sends us live first.
John
Yeah. Oh, we're live.
Corey
Oh, know the tradition, right? First we go live, then we go to the finger.
Brian
It is so Monday.
Corey
Definitely a Monday. Rolling, rolling, rolling.
John
Foreign. Welcome to another edition of Black Hills Information Security. Talking about news. It's the addition where we talk about how artificial intelligence has replaced all jobs across all of I. And we're all forced to communicate with McDonald's chatbot to get a job in McDonald's that we can barely afford. So welcome to the apocalypse, everybody. So thank you very much for joining. I appreciate it. Corey is off. I'm assuming he's mountain biking like crazy long distances. But we got, we got regular friends and family here to jump into the news stories. I like how Nikki just jumps right in with the chat is like, so we're doomed. Yeah, we're pretty much that. Pretty much that. Like, it's. And Brian's like, I know what the password is. I bet you it's the same password that many use for their luggage. Let's jump straight in. I. I want to jump into that McDonald's story. The McDonald's story is just amazing. Let me put it into the chat so Megan can kick it out to everybody. It's in a Wired article. So what happened was McDonald's AI hiring bot exposed millions of applicants data to the hackers. And the hackers who are amazing, like super elite, cutting edge hackers. Seriously, they're really, really good, good pen testers, but they were able to get in with a password. I need you all to write this down of 1, 2, 3, 4, 5, 6. That was the password and the login name. Oh, God. So I think that.
Corey
Better and better, you know?
John
You know, it's awesome. So what do you call two ducks? You call them a paradox. Like Paradox AI who's responsible for coding this? Like, seriously, guys, come on. I, I go case. Oh, God. There's so much to unpack here. Why? You guys remember the good old days where there was like new buffer overflow, memory corruption exploits, heap feng shui. And we sit and we talk about the, the elegant technical details of hacks. But I was going to fix all of that. It was going to make everything better. We were going to be completely secure with next, next generation AI computer. And then 1, 2, 3, 4, 5, 6. Like, God. All right, couple of things. Let, let's start on the exploitation side. Is anybody here want to take an over and under on whether or not Paradox AI had any pen tests done recently at all?
Brian
I'll go with no.
John
Patterson, I want to throw you on real quick. I, I know you've worked a lot of incidents. We've talked about a lot of incidents that you've worked. I, I don't think I've worked an incident where it was 1, 2, 3, 4, 5, 6. A 1, 2, 3, 4, 5, 6 incident that exposed millions of records. This is, I, like, I don't even know how you handle this. Like, when talking to the insurance company. How do you handle this? Like, like Paradox AI, to their, to their credit, they're like, we're owning this. This is our bad. But that's all that they said as.
Brian
They, as they ran screaming for their insurers and their lawyers.
Patterson
I, I'm just, I'm speechless. I don't know. I definitely, you definitely don't want to put these results in writing. And, and if we've ever had a case that was even remotely like this, I'm not at liberty to discuss it. Yeah, mind blowing.
John
Yeah, that's, that's so bad. And then let's. I, I want to add in the AI folks, right? Like, when we're talking about AI, right? There's, there's like, it's bad out there. I'm not going to try to sugarcoat this, but we have like, for example, we have a hiring fair that we're going to be trying to do. We are going to rename it as a career fair because literally no companies are willing to come to a hiring fair in the D.C. area in information security. I want you guys to soak that in for a little bit. Just.
Brian
Yeah, marinate.
John
Just marinate in that part of the reason of what's going on. And Bronwyn and Joff, I want to get you, you both give a take for this, but a whole bunch of companies are just, they're just not hiring junior people anymore. They just aren't. Their take is that AI and SOAR and automation is going to completely replace a lot of the junior level analysts that they need. And I think in a lot of ways that kills the pipeline. Moving up. You know, I'm tying this into this overall narrative and this overall story with this. But because McDonald's is literally using artificial intelligence in a dystopian nightmare kind of way to filter through applicants, right? You're seeing things like this, you're seeing it hit the computer security industry. You're seeing Intel fire their entire marketing team and replace them with Accenture, running AI for their marketing endeavors. We talk about computer security, the SOAR, the automation and all that crap and literally 1, 2, 3, 4, 5, 6 blows. Right, so I'd like to get you two's take on this and then I like to get, you know, Shecky and, and, and get Mary Ellen's take on this as well. But what, what, what the hell's going on with AI? Like is it literally going to completely fundamentally change the world? Is it not? Is it somewhere in between? Like what, what the hell do we make of this?
Corey
Joff, you want to go first?
Brian
Yeah. I've always been of the opinion that it is a dramatic human paradigm shift that we're experiencing and it is for knowledge workers, it is a threat. Having said that, there is some evidence out there and in fact I actually read a paper quite recently, Apple put it out of all people that speaks to reasoning models, large language models actually starting to break down in fact in some catastrophic ways when they are presented with extraordinarily complex problems. My take sort of where we are right now has been, you know, these generative models are very, very good at getting low hanging fruit work done very, very quickly if they are appropriately prompted. And that's actually an entire skill unto itself, but it's not a particularly difficult skill, you know. You know, accompanying this for example, is, is the fact that the leading bug bounty player right now is an AI.
John
I thought it was in third. Did it take first place?
Brian
No, it took the lead. And the reason is, and it's something you and I have talked about before, John, is that bug bounties are broad hits at low hanging fruit at scale or that's something that AI is perfectly suited for. Right?
John
Yeah.
Brian
So it's not a surprise that it took the lead. We're seeing this impact of, of, of lots of low hanging fruit, easier work being done at scale very quickly. And we're seeing companies respond to just what you said, the junior level people. Right, the what is the people that are normally doing that grind work, being let go or not hired because the AI is able to do it. Now how that scales going forward and whether when we get to significant complexity, will the models be able to sustain this level of growth and sustain complex chain of thought reasoning at a level that's productive is still an open question, but it's going in that direction by the looks of.
Corey
Yeah, Bronwyn, I absolutely believe with the people who say that AI is a disruptive technology and in a lot of ways we're seeing similar kinds of disruption to what happened in the 1950s and 60s when computers started taking over positions that had been done manually. For years, decades, whatever. So will jobs be lost? Yes. Is it absolutely borking our already broken hiring process? Oh yeah, it's messing with that big time. And it's also the, the other problem, and I don't, I don't have a simple solution for it, is that AI is being turned to for a lot of solutions that don't have a problem. Companies are implementing AI because it's cool, it's hip, everybody wants it without ever asking the question what is the point of pain that we're trying to solve? And this is going to turn around and bite people in the butt. Matter of fact, there was something on 404 Media. I haven't had a chance to read the article in depth. But the takeaway is that a lot of these online publications and publications in general have turned to AI as a way to not have to deal with those, those troublesome journalist people. We don't need to hire them. We can have AI do everything. And now you're finding that no, gee, in fact a decent journalist can ask questions that an AI would never think to. And this is the basic thing that most people. Absolutely. And I'm not, I'm not talking people in this room, not I'm not talking people in this space, but people in the, the world at large. Your ordinary average Joe blow human on the planet doesn't understand. All your LLMs can do is regurgitate what they've already been fed. All they can do is manipulate, mangle, slice, dice and put into a salad spinner content that they've already been given. And they're not generating anything new. They're not capable of generating anything new. They're not actually intelligent, they're absolutely not conscious. And you compare for new creative processes. Software development is a creative process. 
Music is a creative process. Writing is a creative process. For all of those processes, a human is always going to be better. But you hit the nail on the head for the low hanging fruit, for the grunt. Yeah, AIs are wonderful. It should be used. Oh yeah, Grok praising Hitler. That's, that's a whole.
John
I don't even think we have that as a story. But yeah, go ahead.
Corey
We should, but it's, it's one of those things where if someone already knows what they're doing, they can use these AIs to help improve their quality or their efficiency. But the other factor, they're finding that the experienced testers, or not testers, experienced software developers who use AI to do the whole vibe coding thing, it slows their productivity because they're too busy debugging the AI slop code.
John
And that brings up to a quote. I can't remember where I heard it but like AI is impressive because we suck. And the point of it is if you look at like how we do education, how we do knowledge, if you look at Jeopardy, right, the whole idea of what knowledge and how we quantified knowledge in humans for a long time was how much crap can you memorize, right? And AI and even the Internet before that was like really good at that, right? So if you ask it a question, it's like it's able to regurgitate that kind of knowledge. It seems like a lot of things whenever you get into like simple coding things, great doing those things. But when you give it really complicated tasks, kind of like craps the bed, especially whenever you remove all of the fail safes associated with. But I want to get, I want to get. Mike, I want to get your take on this as well to. I'm trying to spread things around. Mary Ellen, we're coming for you too. But.
Mike
I think Bronwyn went ahead and hit most of what I was going to say on the head. The problem that, that I see going forward with AI is the fact that everybody's focusing on two letters, A and I, which it is not. You still need somebody to write the prompts for it. You still need somebody to train it. And this is the stuff that most companies are not looking at. They're just thinking, oh, we could drop this in and it'll go and it'll completely understand and figure out our systems and figure out the nuances. And even with the low hanging fruit that's only going to go so far because you could only have so much space put into it. But I think what I fear is going to happen is that this tool that could be a very fantastic tool for us to use is going to turn around and destroy the companies in the economy because we're going to put too much faith into it.
John
And I think that's the key problem, right? The people that are making the decisions about hiring, they're making the decisions about budgets. They're the people that tend to know the least about the technological stacks that their company deals with. And it's like the AI stuff is really impressive. Mary Ellen, what's your take on that by the way? Are you like literally doing the webcast from bed? Because if you are.
Mary Ellen
Yeah, it's from the new. It's from. We're undergoing construction. So my office. See, I think you missed this earlier but my office is, we found out today, a trapezoid. So when I'm eventually back in there, it's going to look like a fun house. It'll be kind of fun. We tried to square it off and it's an old house and you just can't do that. So I'm in the kids room downstairs in the playroom just for a couple weeks. But yeah, so I have a couple interesting. What I think is interesting, interfacing with AI. So I had gotten a gift for someone recently and the person is really petite and it was a size small and the person put it on and it literally looked like an extra large. I mean they were drowning in it. So I reached out to the company over email because there was no, of course there was no phone number. And I've since learned don't ever buy from like a no name company, but whatever. So it was this chatbot and it kept like, you know, I said clearly in the, in the, to describe the issue. It's a size small, but it wears like an extra large. Well, can you send us a picture and then we can try to help you figure out what the problem is. Can you send us a picture of the item in the package?
John
Did you try to turn it off and on again?
Mary Ellen
You know, like how can a folded up smashed picture of it in its original, you know, the way it arrived. So this went back and forth and I don't like to be this kind of person. I think I've only ever done this once before where I had to contact the credit card company and say I have no other recourse but like I have to have you start like, you know, look, look into this for me because if I'm crazy, great. But like, and then they, they ended up doing an investigation and they refunded everything. I mean, I don't like to do that but like they wanted me to resend the. Apparently I had to send it back, but pay to send it back to Italy.
John
Oh my gosh.
Mary Ellen
And so no, I didn't want to do that. So that's it. And then I'd like to comment a little bit on using AI for CTFs. There, there was some, there was some, some backlash that people were saying about, well, you know, AIs. They have like a lot of people that might start a CTF. So they'll sign up for the CTF, they won't finish it. They'll do like 1% of it and then walk away. So that counts as they're counting that as someone, you know As a player, right? So when you get like, oh, you know, AI is better than, you know, so many, the numbers are a bit skewed because of something like that. And also AI has the ability like to go back into past write ups and you know, it has all of that. It can, it's not really versus a human really when you look at it like that.
John
So anyway, the kind of thing that, you know, I struggle with with CTFs, right? I really like people using AI because it gets them kind of jived and they're doing the CTF. The thing that I hate about AI and capture the flags is you'll have somebody to be like, so what level are you at? Oh, I'm at level eight. It's like, okay, what did you do? I don't, I don't know. Did you do Base64 encoding? I think that sounds familiar because literally you'll see people that just copy a string and they'll put it into AI and be like, what is this? And it'll be like, well, that's actually obfuscated PowerShell. And here's what it does. And they're like, okay. And then they got nothing out of it. And that's hard, right? That's really, really, really difficult for me to try to figure out how we can use this as a great tool to achieve results for like some of these quick things. But I think it's been put in the chat a lot. Like AI is making us dumber. And it's like, yeah, it really feels that way when I'm working with junior people that try to use this in CTFs. And Google makes it worse, right? Like it's using AI immediately. If you Google something, it's like giving you the answer right away. And it's like, well, crap. Okay.
Brian
There's an old term, if you know me jumping in. There's an old term that, that really comes to me when it comes to AI and it's, it's garbage in, garbage out. Because I absolutely lies. You know, I disagree.
John
I think that's so wrong. I hate that. You know, I hear people all the time say garbage in, garbage out. It's not true. It's garbage in gospel.
Corey
Well, okay, okay. We've had, ever since the, the Internet went mainstream, we've had the problem in that people treat anything on the Internet the way that they have treated any printed material in times past. So as communication evolves, you know, once upon a time was written on stone tablets and it took a lot of time and effort and only really smart, educated People could do that sort of thing. So it was taken as being trustworthy if it had been written down and you move forward through printing and now into the Internet. That perception of validity, because it's been written down, persisted and turnaround and has bitten us in the butt so many times it can't be counted now. What I want to get to though is that comment you made about AI making us dumber. And as someone who did technical training for decades and has watched people as a struggle through learning new skills and in that business, you also commented about memorization used to be the benchmark for education.
John
Seriously, just jumping in. Look at even like SANS certs and CISSP.
Corey
I know, I know. None of that goes into permanent memory. When you're studying for an exam, you're not storing stuff in permanent memory, you're storing it in temporary just to get you through the exam. So here's where it comes down to a problem that we're asking ourselves within BHIS now is what methodologies can we develop to leverage AIs in a positive way so that we're getting the most bang for our buck. And this is where if I am no longer required to force a student to memorize gobs of information, then as an instructor, my opportunity is to spend more time on teaching people how to reason and how to question and how to analyze. And this is where we need to have a paradigm shift in education that can leverage that. Because when having access to the data, to the historical records, the information, whatever, becomes easy, then you need to shift that focus to how do I discern good answers from bad answers? And that's where we haven't gotten to yet, where we can let go of this garbage and gospel out nonsense, where it's actually, okay, that sounds good. How realistic is it? Does it fit this? And I've watched people struggle with little things like spreadsheets. And then they go on. And if they've never been taught how to ask the questions, when they get into working with databases, they have the same points of pain. So what AIs allow us to do is to access gobs of data. And if we can learn how to ask good questions, and that's prompt engineering is learning how to ask the questions. That's when we're going to get the real payoffs that this technology can offer us.
John
Wow. And somebody just put in, that's Philosophy 101. It's like, I can see this going all the way back to Greece. It's like kids these days, yeah, they don't got the Hands for the stone tablet writing. All right, so I want to move on to the next story. This one's kind of crazy. So this one comes out of Brazil. An employee gets $920 for credentials, and then those credentials are used in $140 million. I, I, I, I just, I, I, this is, I feel like I got to throw it to Patterson. I mean it. These are bad breaches this week. It's 1, 2, 3, 4, 5, 6, and $920. That, I wonder. That's one hell of a chocolate bar looking at this stuff. How the hell do you even prepare in an organization, Patterson, for dealing with this type of attack? You know, we, we've taught it for years in our classes, but, you know, and everyone's always focused on like ransomware. And ransomware did come into, not this story, but another story we'll get into a little bit later. But we're seeing that intersection between social engineering and some pretty good ransomware attacks. And this one's pretty wild. The cost benefit analysis off the charts.
Patterson
Yeah, again, absolutely crazy. And we talk more and more and more about the importance of identity, the criticality of identity. It's less of a sales pitch than ransomware solutions. So I think we often, we tend to gloss over the identity component. I would love to know, and I'm not intimately familiar with this story, but I would love to know the workflow that transpired from the theft of that identity, or in this case, the sale of that identity up to $140 million. And all of the opportunities potentially for multifactor workflows, for approval process for non technical solutions that would stop 920 from moving to 100. $140 million.
John
Nuts. Yeah, I'm trying to, I'm trying to go to the main website. My, my Spanish is bad, but my Portuguese is even worse.
Corey
I haven't even tried Portuguese.
John
Looking at the Portuguese, doesn't really look like there's too much more. In fact, the article that I linked to, I think is pretty much almost straight English translation of this. But there's a weird thing that they said that I thought was very, very, very bizarre is they said that the guy that sold the credentials, he basically the cmm, CNM employee attempted to conceal his activity and changed his mobile phone every 15 days, but he was still arrested. That, that gets back into what you're talking about Patterson. It's like, like that, that's the thing, that's the technical thing that they're dropping in this article. It's like he tried to be Stealthy by changing his phones out every 15 days. It's just. Yeah. Somebody just said how much is a Brazilian? I, I, I don't know. But, but, but if we kind of boil this down to its Nexus, right. When you're looking at your threat model and we've another social engineering story here a little bit later with Scattered spider, that I think is pretty good as well. It's like the two stories that we're looking at.
Brian
Right.
John
You know, if we're looking at computer security now versus 10 years ago. Seriously, it's hard to do good computer security when you have 1, 2, 3, 4, 5, 6 as a password and user ID in your environment. And we're talking about extremely large organizations. All it takes is one disgruntled employee to be willing to sell creds and you're hosed. And even the two factor authentication, I mean two factor authentication is fantastic, but it's usually not everywhere.
Mary Ellen
But.
John
Yeah. Anybody else have a take on this one too?
Brian
So I thought it was, you know, there's another line in there that, that, that Roke then executed commands into CNM systems as instructed by the hackers through the notion clause.
John
Right. Walk to them through it. Yeah.
Brian
If this was a disgruntled employee, which it probably was. Right. It's reasonable assumption. Wow. Did they undervalue their credentials?
John
That's kind of. I wonder if that guy's sitting in prison and he's like, I should have asked for more money.
Brian
I know, right? Talk about regrets.
Mary Ellen
It brings new meaning to crime doesn't pay.
John
It really does. Yeah. Like if crime doesn't pay, if you're dumb, I don't. The dollar amount. I shudder to think like how many corporations, like if you like our continuous pen testing that we do at BHIS, this is something we would never do. Right, Joff? Like there is no way in a million years that any of our customers for red teaming or this are going to allow us to socially engineer an employee like this.
Brian
Not with a payment.
John
No, no, no, no. It's weird. It's weird because that's not true because we do it with gift card, you know, Amazon. Okay.
Brian
There's some technicalities there, but it's always discussed. Right.
John
And this becomes like these, these gray areas that exist because they're not being tested. People don't look at this as a threat model coming into their organization. And I don't know, I don't know what the answer is. Like do, do we have companies that are like, you know what, go after our employees. But that Actually assumed compromise is kind of doing this type of testing, right?
Brian
Yeah, yeah. I mean, I, you know, I, I remember a customer talking to us on a scoping call of some sort many, many years ago, how they were disappointed with a former penetration testing company because the pen testing company walked into the organization and just stole all the equipment. And it's like, oh, that was a bad idea. And actually got prosecuted for it, you.
John
Know, now, so there's that story. But one of my favorite stories is a company that allowed their pen testing company to do this. It was part of the rules of engagement. They wanted them to steal it. This is a beautiful story about a company in Guardians who a number of us know very, very, very well. And the story, the person I think that was doing the testing was J. Beal. And the company was like, we want you guys to do this. Come in, see if you can break in and see what you can do. And Jay was the one that was doing it. And he was like running around the office looking for notebook computers that were left unattended and like stealing them. And I remember the story goes like the CTO of the company was watching the video at the debriefing of Jay running around the environment and just kind of watching him steal these notebook computers. And he goes, wow, that little MFER is really fast because Jay was running around like a hyper active squirrel. You know, when we talk about it, Joff, like those are beautiful tests from heaven. Whenever you have somebody that allows you to try to do something that's novel and out of the, out of the ordinary. And that's Right.
Brian
And, and you know, the car. The corollary sort of is that we are always put into situations where we have to draw some lines. Right. The threshold. They artificially, and the truth is they artificially constrain the test and, and as a result artificially constrained the threat modeling aspect as well. Right. And there's nothing we can do about that.
John
Yeah. And seriously, like, even if somebody did come to BHIS for something like this and they're like target our employees, go actively reach out to employees, offer them money for credentials. We would, we wouldn't do it.
Brian
No, we wouldn't do it.
John
You know, you know, I just can't.
Patterson
I volunteer all the time to incorporate this into tabletop exercises and nobody wants to talk about it. It, in fact, a lot of times they, they're, they're offended at the idea that this is even a relevant discussion, let alone again incorporating it into the.
Brian
Well, and the point is it's actually a Real threat. Right. As illustrated in the story.
Mike
I mean, I think that this, this reasoning behind it has absolutely nothing to do with security and has to do with the hiring process and the background checks. And it shows that their hiring process and background checks showing that the person is morally and ethically available to do this stuff properly fails.
John
I, I'm gonna disagree. I'm. Well, so I'm gonna agree and I'm gonna disagree. I think for a lot of corporations, I think I would agree with that. Especially in the classified space. Right. That's why they do polys. And we can get into an argument of whether or not polys work. They usually they don't, but what they do is they tweak people and they tend to start telling the truth. It's weird, but when you're doing that from a classified perspective, sure. Right. But you're also, Mike, you're talking about people who are usually in that scenario, well compensated. There are people, you're hiring people, you're giving them sensitive data, you're paying them well. You're doing that background check investigation to make sure. How the hell do you juxtapose that? I'm not going to pick on any companies, but pick any large corporation where their number one goal is like Joe Versus the Volcano level workspaces, where it's miserable. Jack Welch, GE. Right. You know, Jack Welch destroyed, you know, kind of the way corporate America is because of the crap he pushed in the 80s of like, you know, it's like, oh, we got to identify the bottom 10% and we need to lay off the bottom 10% all the time. If you look at a lot of companies that do not take care of their employees, they do not pay well, they treat them like absolute garbage. You can literally create a percentage of employees that become susceptible to that, even if you have background checks. So like I said, I agree in a certain subset of companies. But I think that one of the things that sucks is a lot of corporations treat their, treat their employees like dog shit and then it opens up the possibility for this to happen.
Brian
Yeah, I would tend to agree with that, John. I mean, if you people can be pushed only to a point and they, they will break, you know, and then.
John
Yeah, well, well.
Corey
And you know, if they're being paid not enough or barely enough to survive, if they're not able to advance or, or develop themselves within the organization, if they feel that they have no agency, then of course they are going to become at least passive aggressive and they become perfect opportunities for, to become an insider threat from Anybody who says, hey, I'll give you X number of dollars if you can give me a set of valid creds.
John
Yep. Well, and you mentioned Bronwyn, you mentioned passive aggressive. I was at Northrop Grumman. We had a very, very large project that we were working on. I remember the project management on that particular project basically went to everybody and they said, hey, we lost the contract. We have. We're going to lay off. I think it was 150 people in Aurora, Colorado. And they then said, you know, and in the old TRW days, they would have said, hey, we're going to find jobs for you. You guys have a home here. We're going to reposition you guys. We're going to get you guys set up. At that point, Northrop was like, you're all going to be fired at the end of this. So we got two months. We got to finish this last development sprint. You're all going to be laid off at the end of this development sprint. So, hey, let's get this development sprint done. I remember management just losing their minds. They're like, oh, my God, nobody's working. Nobody's working to finish the product. We're going to be in breach of the contract. What the hell? And it went down in flames horribly. And those were people that extensively had background check investigations. And they weren't doing things maliciously. They just kind of were being passive aggressive. I guess it is malicious, but they were just kind of like not working. So it's really easy to take a group of people and under the right conditions, at the minimum, what Bronwyn said, get them to that passive aggressive point. And there's always going to be a percentage of people that do worse things beyond that. Bronwyn, you want to talk about the Microsoft layoffs? I think we should actually. Can we, can we bring that story up? If you have a link so we can share it, that would be awesome. I'll look for it. Why don't you start talking about it and I'll get the link.
Corey
Well, what you were talking about in terms of the story from Northrop Grumman about they basically hamstrung their entire development department, all of the people that they were going to lay off. There was zero incentive for them to continue to put out anything of quality. And I can't help but wonder how much of that is going to start impacting Microsoft. And part of it is because in years past, I remember I worked for a company. This was back when I was in the desktop publishing, excuse me, textbook publishing biz, we went into a slump and people started getting laid off. As people were let go around me in my department, in different departments, there was this ongoing sense of when is the bomb going to drop and hit me. I don't care who you are, when you have that kind of stress going on, you're not going to be able to put out your best. You're not going to be motivated to put out your best because you feel like there's no control. So now we get into this business where. Thank you for that link. You've got Microsoft and other large tech companies laying off not tens, not hundreds, but thousands of people. And we are now more addicted and dependent on technology today than we have ever been in history. Flooding the markets with that many unemployed people, what is that going to have in terms of repercussions? What does that do in terms of confidence in the company itself? If now they're letting go 9,000, 15,000, however many thousand people.
Brian
Well, they did it. Jump in there. They did do this in two rounds. They laid off 6,000, I believe, at the beginning of July, right around, and then 9,000 just this week. So that's.
Corey
So we're looking 15,000 people this year.
Brian
Yeah.
John
By the way, the chat. There's something that I'm going to start seeing in resumes, I think, in the future is how many rounds of layoffs you survived at each job, not how many years you worked and how many rounds of layoffs. Like I survived 15 rounds of layoffs. That's. That's kind of crazy. I'm telling you, it feels a lot like the dot com bust in 2000. Right now, it feels a lot like that.
Brian
It's actually a really interesting thought, John. That does feel that way.
John
I. The reason why I came to it is there was a video that I came across while I was doom scrolling on Reddit because I'm old. And it was a developer, it was a JavaScript developer that was living on the streets in San Francisco. Yeah, it was. He, they were just talking to him about what development he did and where he lives and what he's doing. And he's like, oh, I live under that bridge. I pack up all my stuff every day. And I'm like, that, that happened for the, for the young kids out there. That happened in 2000. Like, I remember in Denver, somebody on the street had a sign that said, well, code in Java for food. That dude starved. All right, I want to go to another story this. I want to switch gears completely, if that's okay. This Story is so there's okay, we all work in computer security and I hate when I have family members that call me up and they're like, I got this alert on my phone that my phone is severely damaged by a virus, I need to install something to fix it, you know. And it's kind of weird, right? Because I don't think we see that that much in corporate America. But I got a question. Have any of you ever seen an attack like seriously, if you can get a pop up on an iPhone from somebody going to a website or receiving a message or any of these different things, that's kind of an advanced attack actually that there's some impressive tech that's going into that, but it's not stuff that we see in corporate America. I don't know what your thoughts are on that. Do you ever see anything like cousins, uncles, family members where you're like, yeah, never click on that. But damn, that's some good exploit tech there.
Mike
Not pop ups but text Messages, SMS messages, WhatsApp messages for those that use WhatsApp. Yeah, I get that question not very often, but I've had a few of them over the last year or so where it's been. I'm being told that there's something wrong in. What I'm trying to figure out is how. Just like you said, that's pretty advanced, especially with an iPhone. And I'm going, well what about the pop up? No, is it, is it actually something in say YouTube that's actually causing.
John
Looks like it's making it like from what you're. What I'm kind of piecing together is that YouTube uses a company called Confident and they, they basically have made up of this confidant that they kind of went through and they talked about, you know, the 5 billionth Google search scam and all of those different things and kind of walked through how that works. But yeah, I mean there's a lot of really smart people that are trying to stop these things and they still get through it.
Corey
Well, I mean it's trivially easy to detect the operating system of the browser that, that things are running in. And I know just earlier today I had to redownload an application. So I go to my browser, I type in the application download and of course what's the first thing that shows up? It's an advertisement for a company that is not this company I need to download the software from. But it says, hey, download. The latest version here is without knowing how the reporter on LinkedIn got this screen or got this screen okay, great. It might be, might be an advanced technique or it might just be something else.
John
So the, the couple of things that I've seen, like the most common is the victim. Like I'm going off of my family members. You know, they bring me their computer and it's like, oh boy, that's how it used to be. That's how it used to be. Because they would, they would, God, you know, I'd get excited and I'd start researching it and then they would start asking me lots and lots of questions and then they would give me their advice and it's like, like no, that's insane. We, we aren't going to put disinfectant in your computer. That's not how you take care of viruses on a computer. But a lot of times when I see things like especially whenever you have pop ups, they clicked and they installed something before this happened. Usually it's like a browser plugin or they installed an app, like some kind of malvertisement hit that system that, that workstation or that phone and something is on that phone that is allowing that to happen. That's what I've seen most of the time. Flash, the EEPROM with uv.
Mike
But looking, looking through some of the comments on there, they talk about how there's been a lot of fake celebrity investment scam ads on YouTube.
John
Oh my God, what was that article?
Mike
And that, that just brings me back to a problem I'm sure a lot of us thought we solved years ago, which of course we never really solved. We just sort of push it to the side as it gets to be less and less. And that is the whole third party ad server.
John
Yeah.
Mike
I've had friends back in the day that were heavily involved in affiliate marketing and I kept looking at him going, and what if the affiliate marketing company that you're going through gets hacked, gets something in there that's all of a sudden serving fake ads from like that never happens. No, no, never.
Brian
You know, I would, I get this too, right? I get the friends or family thing and they, they come and know. And I actually laid down a rule about a decade ago when my in-laws were still alive anyway, God rest their souls. But the rule was this: you get one hour and if I can't address your issue in one hour, you leave the device with me and it's not getting, coming back to you until I'm good and ready to send it. And that might be weeks.
John
Well, and it may be me completely reinstalling everything.
Brian
Well, right. So that was my rule. The other thing is, I forget personally how absolute crappy the Internet is now because in my network I filter things so heavily at the DNS and I've got, you know, so much extra browser protection and stuff. I don't see the garbage that people see different.
John
It's unrecognizable. Like you guys, do you guys remember Walmart Blue Light, I think was the name of it. Like Walmart had a dial-up service that was free. I don't know, I might be getting the name wrong if somebody can Google that for me. But they had this thing where you would go to Walmart and they would give you a CD and it was like an AOL, Prodigy type thing. It was a little bit after those, you would get full Internet. You could just dial into the local number. And I was doing this when I was down in Denver, when I first moved down there, because I didn't have anything for Internet. But it literally took your entire browser experience and they layered Walmart ads all over it, right? Yeah. So you remember ads on the top, you had Walmart ads on the bottom, and then you could surf the Internet in the middle. And it was constantly rotating ads that was less intrusive than most websites today.
Brian
Yeah, that's, that's a really, really good point. And I just, occasionally I see it, you know, I see other people using that device for whatever reason and, and just even like doing a little shoulder surfing and looking at how garbagey it is, I'm like, oh my God, it is just a zoo out there. It is, it's just. Yeah, and, and I know it in, in my gut, but like I said, I got my environment well controlled. Right?
John
Yeah, that's just not something that most people can do though. Right? I, I mean, it's just, it's just. No, actually I scratch that. That's wrong. I think you absolutely could go through like install these browser plugins, do these things. I think that people absolutely could do that. But it's tough, it's really tough when.
Corey
And that gets to. The whole thing that we, we struggle with constantly is that good security requires work, requires effort. Most people don't want to be bothered. They just, they just want to play with their toys. They just want to go on and do whatever. And of course all the bad guys know how lazy and how uninformed your average user is.
John
And I think that's one of the reasons Corey's not here. But we got to pour one out for the info stealer logs, right? Because we haven't said it. If Corey was here he would have been talking info stealer logs. But you know, people are like, I've talked to some people in the security industry and they're like, why are info stealer logs so successful? And I think like Joff was talking about, you know, tell me about your home network. It's like, well I got DNS filtering, I've got no browser protections of doing all of these things. And it's like, okay, you're in the 1%, the 99% are surfing the Internet just raw dogging it and they just don't care about the ads that are popping up and all the things that are happening on their computer system. And that's a great way for those info stealer logs to get creds on someone's personal computer that they can then pivot and gain access to corporate.
Brian
And you know, I've given people advice like well okay, for your financial life, install a separate browser and use just that browser. Just that people won't do that. That's the thing.
John
Well, you and I have talked about this. How many times have you said I told you not to do that. Why, why did you not do. I don't know. I just want clicky happy. It's a whole nother button at the bottom of my tray and I don't click on it.
Brian
Yeah, yeah, yeah.
John
All right, we have any other stories? Oh, let's talk about the ServiceNow flaw. Just it's, it's an. I think ServiceNow had a couple of flaws I think earlier last year but this is one of those like good night. A nice write up. But the way the access control lists were set up in ServiceNow is you could very quickly gain access to, by bypassing the ACLs, to gain access to a ton of other people's records in there. So if you fail a data condition or a script condition, it'll return the record count. I don't know why it would give you the record count if it does that, but then you can basically just go through and start querying all the data. It looks like kind of a sub variation of a SQL injection attack. But it's basically looks like it had.
Brian
Some failure, looks like it had some failure in conditional access controls as well by the logic's failure.
John
Anyway, this gets into once again the SaaS. You know, we constantly see these SaaS providers, you know, coming up with vulnerabilities that show up again and again and again. It's like, I don't know, is it making us more secure by moving? I think it is. I think as we're moving more and more to Cloud and SaaS. I think it's getting more secure because the tech stack diversity is going down. But at the same time, I feel like there's fewer numbers of vulnerabilities. But the vulnerabilities that do show up are far more dangerous because they can impact far more organizations in one shot.
Brian
Do you get triggered? I mean, I'm just curious, John, or anyone else, but every time I see a vulnerability that looks or even smells like SQL Injection, it just totally triggers me. Because of the time that we have been around and talking about SQL Injection, I mean, what is it, 25, 30 years?
John
I guess it's like, come on, this, this looks and smells like SQL injection, but I don't think it is. But a competent web app pen tester. I think BB's two day intro to web app pen testing class, like it covers this type of thing.
Brian
Yeah, yeah, yeah. Anyway, I just.
Corey
How many developers even know what secure coding looks like? If I had half a cent, half a cent for every time that I saw lack of input validation in a pen test report, no offense, John, I'd be buying my own island.
John
Yeah, yeah. And you don't even. I. Yes. Like, oh God. And we have to fight that a lot too. Like, we can tell that they're not doing input validation and they're like, well, you couldn't exploit it. I'm like, well, in the three days we had to test this, we could, but. And you know, kind of tying it back to the AI thing because what the hell, let's go full AI, everybody. If we're looking at vibe coding and these companies that are laying off all these people because they're going to replace it with AI, I think Bronwyn had made a comment, she's like, even senior people that are doing vibe coding are spending a lot of time chasing bugs. The good ones are, but I think that there's a ton of them. They're like, yeah, you know, it kind of works. Let's roll this into production. I think that this AI vibe code crap that's hitting out there is just. We're already seeing in some of our pen tests, we're talking to customers, they're like, well, how do we fix this? And we're like, well, you need to go to your developers and do X, Y and Z. And they're like, developers don't know anything about the code. And that's a weird thing. That's a weird thing to hear from a company. It's like, well, your code has security vulnerabilities. Well, the developers don't understand it. Why don't they understand it? Technically they didn't write it. It's like it's just gonna. It's bad. That's what I'm saying, it's bad. XKCD is 100% right. It's bad.
Brian
So it's. It's all dependent though on the experience of the review of the output that comes out of the darn thing. Right. Because I vibe coded. I will, it's confession time. But I've actually reviewed the code that's coming out and understood what's happening.
John
And there's people that are talking about SQL injection. I guess we didn't talk about Citrix Bleed 2, but Citrix Bleed is once again, as Bronwyn said, she'd have her own island like Bronze. What caused Citrix Bleed 2? It's insecure input validation which leads to a buffer overflow which I've got to be honest, when I was going through the CVE and I was kind of cutting through it, I was like, oh my God, this is old school. It's absolutely old school. And, but yeah, and it's. What is it? The vulnerabilities in NetScaler Gateway ADC. It looks to me like there was a lot of like AAA virtual servers. Boy, what is the CVSS score? CVSS base score is 9.3 for this one. It's old school buffer overflow. Now that's. I'm sure that that had nothing to do with vibe coding. This one has a vibe of legacy code that's still floating around.
Mike
So here's. Here's a question. Riffing off of that a little bit. Yeah, we all know about input validation. When do we start seeing from pen tests on internal AIs prompt injection and prompt validation errors as a subset of input validation?
John
Dude, you got two people on the methodology.
Brian
Actually, I'll get you one better. Shaky.
John
Yeah.
Brian
There are already instances of attacks on internal AIs that are, you know, penetration testing based, that look quite a lot like stored cross-site scripting. And what I mean by that is that as a part of the attack, some artifact is left in the data that the AI uses for its next training cycle and you're actually data poisoning it and potentially triggering the attack. It's kind of like stored cross-site scripting. It's very strange. And triggering the artifact that's left behind in the model and the infrastructure that's developed.
John
It's like a logic bomb.
Brian
It's a logic. That's actually, that's a good way to put it. I was trying to get my head around it.
John
That's a good way to put it. I. That one. And then Sheki, another one that I loved. If you get a chance, you need to go look at malware. Jake's presentation at Wild West Hacking Fest, Denver, and one of the attacks that he says we just don't talk about enough is you can take with a lot of these companies that are using AI, create fake documents and seed them where the AI will pick it up, garbage in, gospel out. And he was talking about how they created in one of their customers a document that was like layoffs for 2025 or something like that. Totally a fake document, but they created a spreadsheet, put a whole bunch of layoffs, whole bunch of names and things like that, dropped it on a share where AI is floating around all the time. It picked it up. And then if you went into the chat bot, you're like, are there any layoffs that are planned for this year? It popped right up. And it's like, absolutely. And here's the document that proves it. It's like, you know, we talk about access controls. Like, it's, ooh, I, I think somebody said with AI, it feels like we're getting ahead on our skis a little bit too far. And yeah, it really, really, really does.
Brian
Going, going really fast down a hill.
John
That looks like this. Got a mountain called K2. And I don't know how you unwind that stuff. It's going to be really interesting. All right, with that, we got to wrap it up. I want to say thank you very much to all of you for joining us today. Your comments, we're more positive than normal, I think. You know, I don't think we had anything super dark and depressing this week. Bronwyn.
Corey
Point the finger at me.
John
It was pretty good. And when you're, when you're looking at all of this stuff, you all. And you're worried about AI and all these things, I'm just going to tell you, actually it is job security or security. Like AI is going to bring with it all new technical challenges, all new technical limitations, brand new technical stacks. And we're going to be in charge of securing all this stuff because the people that are writing it don't care about security. If you don't believe me, go back to the McDonald's story, passwords of 1, 2, 3, 4, 5, 6. Thank you so much, and we'll see you next week.
Podcast Title: Talkin' About [Infosec] News, Powered by Black Hills Information Security
Episode: McDonald’s Over 64 Million Exposed Job Applicants
Release Date: July 16, 2025
In this episode of "Talkin' About [Infosec] News," hosted by Black Hills Information Security, the team dives deep into several pressing cybersecurity issues. From a massive data breach involving McDonald's AI hiring bot to the broader implications of artificial intelligence on the job market and cybersecurity practices, the discussion is both insightful and alarming. The hosts, including John, Brian, Corey, and guest contributors, provide expert analysis and share their perspectives on the evolving landscape of information security.
Overview: The episode kicks off with a shocking revelation about McDonald's AI-powered hiring bot. According to a Wired article highlighted by John, the bot exposed the personal data of over 64 million job applicants due to a simple and easily guessable password: "1, 2, 3, 4, 5, 6."
Discussion: The hosts express disbelief and frustration over the breach, emphasizing the irony that an AI system, designed to enhance efficiency, became the vector for such a massive data leak. Corey laments the shift from traditional security exploits to AI-driven vulnerabilities, highlighting the need for rigorous security protocols in AI implementations.
Overview: A significant portion of the discussion revolves around the impact of AI on the cybersecurity job market. The hosts explore how AI is replacing junior-level positions and the broader implications for the IT industry.
Discussion: Brian discusses the limitations of current AI models, noting that while they excel at repetitive tasks, they falter when faced with complex problems. Corey echoes concerns about AI's overreach, warning that reliance on AI for inappropriate applications can lead to inefficiencies and diminished human skills. The hosts also touch upon the ethical considerations of replacing human jobs with AI and the potential long-term effects on the cybersecurity workforce.
Overview: The conversation shifts to a high-profile breach in Brazil, where an employee sold credentials for $920, leading to unauthorized activities amounting to $140 million.
Discussion: Patterson highlights the critical importance of identity in cybersecurity, questioning how the stolen credentials were leveraged for such extensive unauthorized access. The hosts delve into the organizational failures that allowed such a breach, emphasizing the need for proactive security measures and employee management to prevent insider threats.
Overview: A technical discussion ensues about a recent flaw discovered in ServiceNow's access control lists, which allowed unauthorized access to multiple records by bypassing ACLs.
Discussion: The hosts express frustration over the recurrence of such fundamental vulnerabilities, questioning the effectiveness of current secure coding practices. They underscore the necessity for ongoing education and stringent security protocols in software development to prevent similar issues in the future.
Overview: The episode covers sophisticated attack vectors targeting mobile devices, particularly focusing on iPhone pop-ups claiming severe malware infections.
Discussion: The team discusses the growing prevalence of such attacks and the challenges in combating them. Corey emphasizes the effectiveness of robust browser protections and diligent user practices, while Mike points out the need for continuous advancements in mobile security technologies to keep pace with evolving threats.
Overview: A segment is dedicated to the influence of AI on CTF competitions, where AI tools are being used to bypass challenges, thereby skewing participation metrics.
Discussion: Corey and Mary Ellen express concerns that AI's ability to solve CTF challenges effortlessly undermines the educational value of these competitions. They advocate for revising CTF formats to emphasize creative and complex problem-solving that AI cannot easily replicate, thereby preserving their role in training and skill enhancement.
Overview: Concluding the episode, the hosts reflect on the overarching impact of AI on the cybersecurity landscape, emphasizing both the opportunities and threats it presents.
Discussion: The conversation underscores the critical need for the cybersecurity community to stay ahead of AI advancements, ensuring that security protocols evolve in tandem with technological progress. The hosts advocate for a balanced approach that harnesses AI's capabilities while instituting robust safeguards to protect against its potential misuse.
The episode of "Talkin' About [Infosec] News" offers a comprehensive examination of current cybersecurity challenges amplified by artificial intelligence. From high-profile data breaches to the nuanced impact of AI on job markets and security practices, the hosts provide a thought-provoking analysis aimed at both professionals and enthusiasts in the field. As AI continues to reshape the cybersecurity landscape, the insights shared in this episode highlight the urgent need for adaptive strategies and enhanced security measures to navigate this rapidly evolving domain.
Thank you for tuning into this episode of "Talkin' About [Infosec] News." Stay safe and stay informed.