Talkin' About [Infosec] News, Powered by Black Hills Information Security
Episode: Perplexity Stealth Crawlers Evade No-Crawl Directives
Release Date: August 7, 2025
Overview
In this episode of Talkin' About [Infosec] News, the Black Hills Information Security team delves into a diverse array of topics spanning cybersecurity conferences, significant cyberattacks, browser security vulnerabilities, and the burgeoning challenges posed by artificial intelligence (AI). The lively discussion offers insights, personal experiences, and expert opinions, making it an engaging listen for both seasoned professionals and newcomers to the infosec arena.
1. DEFCON Canceled: Impacts and Alternatives
The episode kicks off with a discussion on the cancellation of DEFCON 2025, a pivotal event for cybersecurity enthusiasts and professionals. Host Ralph shares the team's mixed feelings about the news.
“DEFCON is canceled this year, so that's. That sucks for everybody.” [02:04]
Bronwyn, drawing from her personal experience, highlights the physical and logistical challenges of attending DEFCON in Las Vegas. “Spending time with 25 to 30,000 of my dearest acquaintances... it just wreaks havoc with you physically.” [04:29]
Ralph emphasizes the value of attending DEFCON at least once, likening it to a pilgrimage for infosec professionals. “Yeah, you absolutely should go at least once.” [03:33]
The team also explores alternative conferences like BSides and Wild West Hackin' Fest, with John advocating for BSides in San Diego. “Go to BSides, don't go to DEFCON.” [11:01]
Key Takeaways:
- DEFCON’s cancellation poses a significant loss for networking and knowledge sharing.
- Alternative conferences like BSides offer valuable experiences with different vibes.
- The physical demands of large conferences underscore the importance of self-care.
2. Notable Cyberattacks: City of Hamilton and Russian Airlines
The team shifts focus to recent high-impact cyberattacks. Ralph discusses the ransomware attack on the City of Hamilton, emphasizing the critical failure to implement multi-factor authentication (MFA).
“If you don't have multifactor authentication, BHIS report, it's automatically a high minimum high right out of the gate.” [12:49]
John adds, “If we start seeing stuff like this where insurance isn't paying out because guess what, you're not doing the bare minimum...” [13:10]
The conversation then transitions to a devastating attack on a Russian state-owned airline. Ralph provides alarming details about the scale of the breach, including the destruction of 7,000 servers and the exfiltration of 22 terabytes of data.
“They basically stole everything and then burned the entire company to the ground.” [27:46]
Bronwyn cautiously notes the potential physical risks, “At least they didn't hit the flight controls.” [28:29]
Key Takeaways:
- The City of Hamilton attack underscores the dire consequences of neglecting basic security measures like MFA.
- The Russian airline breach highlights the destructive potential of sophisticated ransomware attacks.
- Insurance companies are beginning to refuse payouts for breaches where basic security protocols were not followed, reinforcing the necessity of implementing MFA.
3. Browser Security: The New Frontline
A significant portion of the discussion centers on browser security, particularly the vulnerabilities introduced by browser extensions.
Ralph raises concerns about the phishing attempts Mozilla has flagged, which aim to hijack trusted Firefox add-ons. He ties this issue to CIS Control Number Nine, which advocates for the inventory and auditing of browser extensions.
“Seriously, how many organizations have you all come across that's not BHIS that have... regularly auditing the browser plugins that are deployed in their employee systems?” [41:09]
Derek shares his experience from a former employer dealing with DoD-classified systems, emphasizing the importance of stringent browser plugin audits. “We were doing that kind of stuff at my former employer.” [41:16]
Bronwyn echoes the sentiment, advocating for simplification and standardization to make security measures more manageable. “We haven't even found the better mousetrap. We haven't found the better seatbelt to make security easier... until we make safety and security possible for people who can't find the any key, it's not going to happen.” [24:03]
Key Takeaways:
- Browser extensions represent a significant security risk, necessitating regular audits and strict controls.
- Implementing standardized security measures can alleviate the complexity burden on organizations.
- Simplifying security protocols is essential to enhance compliance and effectiveness across the board.
4. AI and Cybersecurity: Perplexity Crawlers and Privacy Concerns
The latter part of the episode delves into the intricate relationship between AI and cybersecurity, focusing on Perplexity's stealth crawling techniques.
Wade introduces the topic, explaining that Perplexity, an AI answer engine, is continuously crawling the internet to gather data, often bypassing "no-crawl" directives.
“Perplexity is crawling the Internet to make these searches and find that data, and they do not care if you tell them no.” [45:05]
Derek counters by emphasizing the responsibility of content providers to protect sensitive information, suggesting that if data shouldn't be public, it should be behind authentication portals. “If you have data you don't want access, then put it behind an authentication portal.” [46:21]
The discussion then widens to other AI privacy issues, including ChatGPT’s handling of private chats and Amazon's Alexa integrating ads into AI responses.
Megan draws a parallel between user consent for data usage and firearm safety, criticizing the opaque nature of AI data handling policies. “It's like a checkbox that they have to check that says make this chat... you want to share this.” [52:25]
Key Takeaways:
- AI tools like Perplexity are challenging traditional web crawling norms by ignoring "no-crawl" directives.
- Content providers must take proactive measures to safeguard sensitive information, beyond relying on AI compliance.
- Emerging AI integrations, such as Alexa’s ad injections, raise significant privacy and consent concerns.
5. The Future of AI in Cybersecurity and Society
Towards the episode's conclusion, the conversation veers into speculative territory about the future implications of AI advancements.
John references a YouTube video where AI experts predict existential threats posed by AGI (Artificial General Intelligence), highlighting concerns about AI autonomy and regulation. “Once we hit AGI, it's going to be regulated and we're going to notice right off the bat that it's actually not answering in the way we want it to.” [55:54]
Ralph and Wade discuss the potential for AI to evolve beyond human control, referencing historical overstatements about technology threats. Wade optimistically suggests AI can be a tool for solving complex problems without leading to dystopian outcomes. “AI can be used for a lot of things. It's not just ChatGPT.” [58:14]
The team collectively underscores the importance of balanced investment in AI, advocating for ethical development and cautious integration into societal frameworks.
Key Takeaways:
- The advent of AGI poses both transformative opportunities and significant existential risks, necessitating robust regulatory frameworks.
- Ethical considerations and responsible AI development are paramount to harnessing AI's benefits while mitigating its threats.
- The discourse around AI's future highlights a spectrum of optimism and caution, reflecting its complex role in modern society.
Conclusion
This episode of Talkin' About [Infosec] News provides a comprehensive exploration of current and emerging issues in the cybersecurity landscape. From the nuances of major cyberattacks and the evolving challenges of browser security to the disruptive impacts of AI, the Black Hills Information Security team offers valuable perspectives and actionable insights. The discussion underscores the ever-present need for vigilance, adaptability, and ethical considerations in navigating the dynamic intersection of technology and security.
Notable Quotes
- “If you don't have multifactor authentication, BHIS report, it's automatically a high minimum high right out of the gate.” — Ralph [12:49]
- “We didn't hit the flight controls.” — John [28:29]
- “If you use Perplexity right, you'll never have to pay for drinks or food either.” — John [08:23]
- “We need to make safety and security possible for people who can't find the any key.” — Bronwyn [24:03]
- “AI can be used for a lot of things. It's not just ChatGPT.” — Wade [58:14]
Final Thoughts
The episode elegantly balances technical discussions with relatable analogies and personal anecdotes, making complex topics accessible and engaging. Whether debating the merits of DEFCON, dissecting major cyber incidents, or contemplating the future of AI, the Black Hills Information Security team delivers a thought-provoking and informative session that resonates with a broad audience.