Podcast Summary: Talkin' About [Infosec] News, Powered by Black Hills Information Security
Episode: UK Bans Ransomware Payments
Release Date: August 1, 2025
In this episode of Talkin' About [Infosec] News, hosted by the Black Hills Information Security team, hosts John Strand, Corey, and Derek delve into several pressing topics in the information security landscape. From AI-driven security risks to alarming privacy breaches and regulatory changes, the discussion is both comprehensive and insightful. Below is a detailed summary capturing the key points, discussions, insights, and conclusions from the episode.
1. AI and Coding: Unveiling the Risks
The episode kicks off with a candid discussion about the burgeoning use of Artificial Intelligence (AI) in coding and its associated risks. The hosts express concerns over the reliability and security of AI-generated code.
- John Strand highlights the inherent vulnerabilities, stating, “I'm not surprised that people are mad that LLMs deleted production databases” (06:31).
- Derek adds, “Why is this a surprise to anyone?” (06:42), emphasizing that Large Language Models (LLMs) are trained on existing insecure code, making such outcomes predictable.
- Corey humorously suggests incorporating safeguards: “So basically what you’re going to want to do is you're going to want to put please don't delete everything in every one of your prompts and then you should be good” (15:19).
Key Insights:
- AI's capability to generate insecure code poses significant threats to software development.
- There's a pressing need for foundational knowledge in coding and system operations to effectively manage and mitigate AI-related risks.
- Cautionary tales are necessary to balance the optimistic narratives surrounding AI's potential.
2. Privacy Concerns in Massive Datasets
The hosts turn their attention to a concerning publication in the MIT Technology Review about the Common Pool Data Set—a vast collection of 750 terabytes of images scraped from the internet, inadvertently containing sensitive information like passports and credit cards.
- Corey expresses skepticism: “I was looking at it before this podcast. The large dataset is like 750 terabytes of images. So yeah, there’s gonna be some bad stuff in there” (17:16).
- Derek reassures that while the dataset contains sensitive information, measures are in place to prevent misuse: “If you go to one of these models and you say, you know, give me Jane Doe’s credit card number, it’s going to say, you know, I can’t do that” (17:16).
- John Strand probes deeper into the implications for data governance and access control, questioning how sensitive information can be effectively filtered and protected in such expansive datasets (20:01).
Key Insights:
- Large-scale data scraping without adequate filtering can lead to significant privacy breaches.
- Effective data sanitization and access control mechanisms are essential to protect sensitive information.
- Transparency in data handling practices is crucial for maintaining trust and security.
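The filtering question John Strand raises (how to find and strip sensitive values before a scraped corpus is published) is the kind of thing a data pipeline can do mechanically for at least one class of data. The following is an added example written for this summary, not code from the podcast or from Black Hills Information Security: it scans text records (for example OCR output from scraped images) for card-number-like digit runs, keeps only those that pass the Luhn checksum to cut false positives, and redacts them to the last four digits. The records, the `CARD_CANDIDATE` pattern and the function names are all constructed for the illustration.

```python
import re

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# not adjoining other digits (so long serial numbers are not carved up).
# Constructed heuristic for the example; real PII scanners use many more patterns.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if a string of decimal digits passes the Luhn checksum.

    Luhn is a mod-10 check used on payment card numbers; it rejects most
    random digit runs (order ids, timestamps) that merely look like a card.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(match_text: str) -> str:
    return re.sub(r"[ -]", "", match_text)


def find_card_numbers(text: str) -> list[str]:
    """Return the card-number-like substrings in text that pass Luhn."""
    hits = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = _digits_only(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(m.group(0))
    return hits


def redact(text: str) -> str:
    """Replace Luhn-valid card numbers with a token that keeps only the last four digits."""
    def _mask(m: re.Match) -> str:
        digits = _digits_only(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return "[REDACTED-PAN-" + digits[-4:] + "]"
        return m.group(0)   # looks like a card but fails Luhn: leave it alone
    return CARD_CANDIDATE.sub(_mask, text)


def scan_records(records: list[dict]) -> tuple[list[dict], dict]:
    """Sanitize a list of {"id", "text"} records.

    Returns the cleaned records plus a report mapping record id -> number of
    card numbers found, so the pipeline can quarantine or log the offending items.
    """
    cleaned, report = [], {}
    for rec in records:
        hits = find_card_numbers(rec["text"])
        if hits:
            report[rec["id"]] = len(hits)
        cleaned.append({"id": rec["id"], "text": redact(rec["text"])})
    return cleaned, report


# Constructed sample records standing in for OCR text extracted from scraped images.
SAMPLE_RECORDS = [
    {"id": "img-001", "text": "Scanned receipt: paid with card 4111 1111 1111 1111, thanks!"},
    {"id": "img-002", "text": "Order reference 1234 5678 9012 3456 shipped Monday"},
    {"id": "img-003", "text": "Contact desk at +1 555 0100 for passport renewals"},
]

if __name__ == "__main__":
    cleaned_records, hit_report = scan_records(SAMPLE_RECORDS)
    for rec in cleaned_records:
        print(rec["id"], "->", rec["text"])
    print("records with card numbers:", hit_report)
```

Running the block redacts only the record whose number passes Luhn (`img-001`); the order reference in `img-002` has the right shape but fails the checksum and is left intact, which is the point of pairing a pattern match with a validity check. A real sanitization pass would add detectors for other data classes (passport and national-ID formats, email addresses, faces in images) and would keep the report, not the raw hits, in its logs.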
3. App Breaches: The Case of the T App
A significant portion of the discussion focuses on the breaches of the T app, a platform aimed at providing stalker protection for women. With over 4 million users, the app has been compromised twice, exposing sensitive user data.
- Corey underscores the severity: “If the goal of it is like, am I going to get murdered if I go out with John Smith? Then like it needs to have good security” (27:08).
- John Strand connects this issue to broader concerns about data privacy, emphasizing that highly sensitive information should be treated as Protected Health Information (PHI) to ensure stringent security measures (30:14).
Key Insights:
- Applications handling sensitive data must prioritize robust security measures to protect user information.
- The breaches highlight the vulnerabilities inherent in platforms promising anonymity and security.
- Regulatory frameworks may need to evolve to categorize and protect sensitive app data more effectively.
4. Predatory Business Models: Selling Infostealer Data to Debt Collectors
The hosts explore the emergence of startups engaging in unethical practices, such as selling infostealer data to debt collectors—a business model they critique as inherently predatory.
- John Strand remarks on the immorality of the practice: “It's like, can you make it worse? Like can you, can you sell like guns to kids or something?” (33:12).
- Corey echoes this sentiment, highlighting the invasive nature of such data usage: “If you’re a cyber insurance company and you’re approached by someone who has a cyber insurance policy and they’re looking at weeks or months of outages and you have to pay their cost of their business lost, you’d rather pay the ransom” (53:34).
Key Insights:
- The commodification of stolen data for debt collection purposes raises severe ethical and privacy concerns.
- Such practices exacerbate the challenges faced by individuals dealing with debt, further infringing on their privacy and rights.
- There is a need for stricter regulations and oversight to prevent the proliferation of these predatory business models.
5. Clorox vs. Cognizant: A Lawsuit Over Help Desk Breach
A notable segment covers a lawsuit filed by Clorox against Cognizant Technology Solutions for a breach resulting from help desk vulnerabilities managed by a third-party MSP.
- Corey outlines the scenario: “Clorox filed a $380 million lawsuit against Cognizant Technology Solutions...the company ended up, they led to a breach because Scattered Spider called the help desk and the company was like, here’s the passwords” (40:33).
- John Strand expresses concerns over contractual protections: “They have so much indemnification in their, they have so much indemnification built in there to protect them from this” (43:32).
- Derek adds, “Why was it in clear text and storage? I don’t understand” (43:39), questioning the security practices that led to the breach.
Key Insights:
- Third-party managed services, especially help desks, are critical points of vulnerability for organizations.
- Contracts and Service Level Agreements (SLAs) must clearly define security responsibilities to prevent such breaches.
- The lawsuit underscores the financial and reputational risks associated with inadequate vendor security practices.
6. UK Bans Ransomware Payments: Implications and Concerns
One of the most significant topics discussed is the UK government's decision to ban most businesses, including public entities, from paying ransomware demands without approval.
- John Strand elaborates on the rationale and potential fallout: “The more we pay the ransom, the more ransomware is going to happen” (50:17).
- Corey raises concerns about the practicality of the ban: “It's like, well, we don’t negotiate with terrorists... but when your company is hit, that’s life or death for your business” (50:35).
- John Strand warns of the possibility that the ban may drive ransom payments underground, complicate insurance payouts, and impede forensic investigations: “It could be that they pay through another country where it’s not going to be affected” (54:07).
Key Insights:
- The UK's ban aims to reduce ransomware incentives but may lead to unintended consequences like underground payments and increased complexity in managing breaches.
- Multinational corporations may exploit jurisdictional loopholes, undermining the effectiveness of the ban.
- The move could strain relationships between businesses and insurance providers, potentially disrupting the cyber insurance market.
7. SharePoint Vulnerabilities: Responsible Disclosure and Weaponization
The hosts discuss recent revelations about vulnerabilities in on-premises SharePoint servers, including partial proofs of concept (PoCs) that could be weaponized by threat actors.
- Corey highlights the balanced approach taken in disclosure: “The exploit just like published a list of all the machine keys but it didn’t really explain how to use them” (59:34).
- John Strand compares the scenario to controlled environments, emphasizing the importance of responsible disclosure to prevent exploitation: “How carefully planned like the, you know, they're like.”
Key Insights:
- Responsible disclosure of vulnerabilities is crucial to prevent malicious exploitation while informing and protecting users.
- Partial or incomplete PoCs can serve as a deterrent, making it harder for threat actors to exploit vulnerabilities effectively.
- Organizations relying on legacy systems like on-premises SharePoint must prioritize updates and migrations to mitigate security risks.
8. Conclusion: The Imperative of Robust Security Practices
The episode wraps up with reflections on the interconnectedness of the discussed topics, emphasizing the need for comprehensive security strategies.
- John Strand connects the dots between AI risks, data breaches, and regulatory changes, reinforcing the necessity for foundational security knowledge and robust data governance: “Understand the core fundamentals... to get the best quality work” (15:19).
- Corey and Derek echo the sentiment, advocating for vigilant security practices and cautious adoption of emerging technologies.
Final Thoughts:
- As the information security landscape evolves, so do the threats and regulatory responses. Staying informed and proactive is paramount.
- Ethical considerations must guide the development and deployment of technologies, ensuring they serve to protect rather than exploit individuals and organizations.
- Collaboration between security professionals, organizations, and regulators is essential to navigate the complex challenges presented by advancements in AI and data management.
Notable Quotes:
- John Strand (06:31): "I'm not surprised that people are mad that LLMs deleted production databases."
- Corey (15:19): "So basically what you’re going to want to do is you're going to want to put please don't delete everything in every one of your prompts and then you should be good."
- John Strand (30:14): "Chickens can be useful for that. So go get chickens, everybody."
- Corey (53:34): "If you're a cyber insurance company and you're approached by someone who has a cyber insurance policy... you'd rather pay the ransom."
- John Strand (50:17): "The more we pay the ransom, the more ransomware is going to happen."
This episode offers a deep dive into the multifaceted challenges facing the infosec community, blending technical insights with ethical considerations. By addressing current events and their broader implications, the Black Hills Information Security team provides listeners with valuable perspectives to navigate the ever-changing landscape of information security.
![UK Bans Ransomware Payments - 2025-07-28 - Talkin' Bout [Infosec] News cover](/_next/image?url=https%3A%2F%2Fassets.blubrry.com%2Fcoverart%2Forig%2F577207-646458.jpg&w=1200&q=75)