A weekly podcast with BHIS and friends. We discuss notable infosec and infosec-adjacent news stories gathered by our community news team.
Join us live on YouTube, Mondays at 4:30 PM ET
Testing. Testing.
John Strand:Hey, everybody. Would you like to see a crooked finger? Would you like to see a crooked finger with some amazing music? Let's bring out the crooked finger with the amazing music, and then we'll see what happens from now. Testing.
John Strand:Testing. Hello, everybody, and welcome to another edition of Black Hills InfoSec talking about news. I'm your host, kind of, John Strand. Since I don't think we got Corey trying to join, but look at him. Look at him and laugh.
John Strand:Look at him laughing and blamed about the fact that his video is not working.
Ralph May:Maybe his shameless on.
John Strand:Maybe yeah. Maybe he's trying to do it from his phone in the passenger seat of a diesel pickup
Corey Ham:Listen. The images you're about to see may shock you. Okay?
Charles bsdbandit:Oh, my.
John Strand:You got a haircut.
Corey Ham:No. No. I didn't get a haircut. That's what everyone's been saying that I got a haircut. No.
Corey Ham:I just changed my desk to the different spot.
John Strand:It's in a slightly different spot. Still looks good.
Corey Ham:Alright.
John Strand:I feel like ESD coming and going, though.
Ralph May:Yeah. Every time Corey gets on camera, there's more There
Charles bsdbandit:we go.
John Strand:One day. There we got him.
Wade Wells:So it's gonna
John Strand:be like
Corey Ham:it? It's just gonna be me in a jungle and like you can't even see my Yeah.
John Strand:Cats prowling around. Be like, is that is that an is that an ocelot behind you? Got him to keep
Wade Wells:the Puma company.
Corey Ham:So That's the goal. That's
Wade Wells:the goal.
John Strand:My Emmett
Ralph May:is really gonna connect with you.
John Strand:This is our last show of the year, everybody.
Wade Wells:I I just went back. I was like, holy moly.
Wade Wells:Oh, didn't even realize that. I'm glad I came.
Wade Wells:Yeah. Yeah. It's kind
John Strand:of kind of closing it out. So Like, you know what we're not gonna do today? We're not gonna do the year end review and the predictions. Oh my goodness.
Corey Ham:Oh, what? I was just gonna say we should do it because it's kind of a slow news game.
John Strand:Okay. We can totally do some predictions. Yeah. Let's do some predictions.
Corey Ham:Yeah. There's not many good stories.
John Strand:I think there's
Corey Ham:some At good least not on my radar. There's Everyone's
Charles bsdbandit:gonna take off.
Corey Ham:There's the Roblox one. Oh, that one
John Strand:was good one. Let's talk about that one.
Wade Wells:That's a good one.
Corey Ham:It's really it's not really newsworthy. It's literally just kids complain when you take away Roblox like it's not. Not.
John Strand:I I I think that you're you're right about that one. I mean, they do just complain, but I I I between this and then what happened down in Australia with the social media ban for kids, I think it it points to, like, a a bigger trend that's happening, and I don't know how security is gonna fit into it. I just don't. I mean, are we gonna be having getting called into boardrooms where it's like, okay. We need to validate the age of everybody that's coming to this particular website.
John Strand:That might be where we're going. Is that gonna be under our banner? Kind of hope it's not because that that type of HRE type thing kind of sucks. But everything kind of rolls down to security anyway. But now that's that's the only hot take I have on it is you have, you know, or you're gonna ban it in Russia, and I think it also kinda ties in what's going on in Australia, and I don't necessarily have an opinion about that right now.
Corey Ham:Woah. Woah. Woah. You can take away social media. That's fine.
Corey Ham:Taking away Roblox, that's
John Strand:a different
Corey Ham:story. Wait, you gotta
Wade Wells:you gotta be careful. This may this may become a World of Tanks situation with this Roblox server. The next thing you know, like, all
Ralph May:the Yeah.
Charles bsdbandit:You never know.
Corey Ham:You never know. Yeah. That is a good point. That like Okay. So I think the only So we talked about it last week.
Corey Ham:Basically, they did I think they banned it officially last week, and now this is just the fallout article being like I mean, the quote in the article is pretty funny, the person literally said they have gotten a message from literally every child in Russia.
Wade Wells:I think they
John Strand:said every second child. Every
Corey Ham:second child. Every second child aged eight to 16. So, I mean, yeah. That's mean, that's what you'd expect.
John Strand:It's like everything else that's going on in Russia but this. This is the This is what makes
Wade Wells:the world hate it.
John Strand:So how long until
Corey Ham:we get RuBlocks? The other thing RuBlocks. Fuck.
John Strand:RuBlocks are you?
Corey Ham:That's pretty good. I I think the other only other interesting tidbit in this article is that Roblox casually dropped in the article that they have responded to Russia specific takedowns of LGBT type
Charles bsdbandit:content? Or
Corey Ham:Which is like
John Strand:It was immoral, I think is what they said. Some kind of like Oh. Moral fabric blah blah blah blah blah. And it's like, have you seen the Internet? And that's what bothers you.
John Strand:Oh.
Wade Wells:I mean
John Strand:Okay. I see.
Corey Ham:Alright. State specific takedowns. I I mean, I'm guessing this is the norm, but, like, would they do the same thing for America? Would they do content takedown if Trump is like, I don't want this on my platform?
John Strand:But I think that I think that we've already seen that. Right? Like, if we're looking at, like, Google and Apple whenever they talk to China, they're willing to do things for China. But there's no way they would do for The United States. So I I think we've already seen large organizations that have that kind of True.
John Strand:Difference in the way that they handle different countries. And I think I don't know. It seems like a lot of the companies whenever they started out, they had like, you know, this idea of a moral fabric. And then it was like, you know what's awesome?
Corey Ham:That Money is better than morals. Well
Wade Wells:well, speaking to that moral fabric. Right? Like Sony, Nintendo and Microsoft have all backed out of Russia. It's just Roblox's state. Point.
Wade Wells:Right? So they are company.
Corey Ham:For for now. For
Charles bsdbandit:now. With
Wade Wells:2,000,000 active daily users. So I don't think I I used the data center that I first got hired at actually used to host Roblox servers. Like that was one of our big contracts. It it was cool until you get DDoSed every weekend telling peep telling kids calling us while they're DDoSing us Why
Corey Ham:is it server? Yeah.
Wade Wells:No. I'm saying you better give me a a server or we're gonna continue to DDoS you. Oh, bitch. Dude, it
John Strand:Oh, you punk bitch, you're a noob.
Corey Ham:Charles. Charles, you sound like you're straight out of Ventrilo right now and I absolutely love What
Charles bsdbandit:is going on here?
Corey Ham:It's something about your mic. It just it's hitting a nostalgia thing for me and I love it.
John Strand:I like it. I
Charles bsdbandit:I appreciate guess we're gonna work
Charles bsdbandit:with it, though. But
Corey Ham:Hell, yeah. Yeah.
Charles bsdbandit:But yeah. I just think that, like I said, with,
Charles bsdbandit:like, with Nintendo, there are it's always gonna be some kind of merry-go-round. Right? You're gonna see, like, okay. Right now, it's Roblox. Next, it could be Kirby's Adventure.
Charles bsdbandit:Maybe Mario might do something wrong one day. We we we just never know.
Corey Ham:Right? Man.
Charles bsdbandit:And it's interesting to see what the kid how the kids are gonna respond. Are we creating the next generation of programmers and open source people that are just gonna start, hey. You know what?
Charles bsdbandit:You could take Roblox. We're gonna go RuBlocks. You take Roblox, we're gonna go with something else.
John Strand:See? And I wanna
Charles bsdbandit:I wanna pull on
John Strand:that thread. I wanna pull that thread because I I think kind of what you're getting at is I think that a lot of people that make these choices two things. One, I think they don't know how the Internet and how technology works. Right?
Ralph May:Right.
John Strand:Like, I I think that they don't understand that there's a way to try to hack around a lot of these things. And the Internet is not Facebook and Roblox and Minecraft. People are gonna find other creative things. But I also don't think that that's necessarily their goal. Right?
John Strand:Their goal isn't necessarily reducing it to zero. I think their goal is reduction. And I'm not just talking about the Roblox issue. I'm talking about any time that they try to ban social media. In Australia, there's a bunch of people like, well, that's just stupid.
John Strand:They're gonna get around it through this way and this way and this way, and they're gonna use VPNs. That's fine. I think that they're okay with that. I think it's more of an issue of fragmentation and reduction. And I'm sorry, I'm getting to a point on this and it's taking me longer than I should, but I'm really tired.
John Strand:And I think somewhat it goes back to Arab Spring, honestly. Because when you looked at Twitter and what happened during the Arab Spring, the ability to use a single platform that kind of became the platform that everyone was using for Egypt and other countries that had kind of takeovers. I think that that's terrifying to some countries. Right? If you have that type of platform that's kind of an uncontrolled, that is a problem.
John Strand:And I think sometimes when you're looking at Russia doing this or China is already doing it with video games and all kinds of other things, they have been for years. I think it's less of an issue of trying to reduce it to zero, and it's more of an issue of reduction and fragmentation. So you don't have that social media platform that's as big as like Twitter was, where it can create this movement across these different countries that can not be controlled by the governments. That's that's kind of, like, if we're getting into some kind of weird takes. That's one of my weird takes on this one as well.
John Strand:And I already think we spent too much time on
Corey Ham:Yeah. Well, so people in the audience, John, are curious where you are. So can you state if you can play Roblox or cannot play Roblox where you're based
Wade Wells:right now?
Charles bsdbandit:That's the ultimate challenge.
Corey Ham:Yeah. I
John Strand:I can I can Okay? Play Roblox.
Corey Ham:That's all we need to know.
John Strand:Alright. I'm at International Airport. I just looked at the facility for Wild West Hacking Fest at Mile High for 2027. I'm really excited about it. Somebody says it looks like he's in a Subway sandwich shop.
John Strand:I'm in the United Red Carpet Club.
Ralph May:No. Wait. They have wallpaper there at Subway.
Corey Ham:Yeah. Was gonna say that wallpaper is way too bougie for Subway. Are you kidding me?
John Strand:It is.
Corey Ham:The Subway bread is only 30% bread.
Wade Wells:Really hope one of our listeners is at the airport right now and can run.
Wade Wells:And I'm sorry. If they can Okay. Yes.
Corey Ham:This is not We do not condone this or encourage it. Do not do this. That's how you go to jail. Yeah. But, yeah.
Corey Ham:Anyway, let's move on. I I guess, unless one I guess, now that I think about it, it is very normal for countries to fall or companies to follow the laws of the countries they're based in. That's just how it is. Like, you you just have to
Charles bsdbandit:Yeah.
Corey Ham:You have to pay the troll toll to get sovereign nations to agree to do business with you, I guess. Yeah. Alright. What else I we
John Strand:there's a story we could stay on Russia, but I would like to talk about the Google killing off its dark web report. I think that that's interesting. What are your takes on it?
Corey Ham:So as the resident dark web fake expert, I think the first of all, I was also surprised to learn that this existed. Like, I I you know, dark web information, like, Flare reports and credential exposures and Have I Been Pwned and all that kind of stuff, I definitely agree with their logic of it being just impossible to really know what you're supposed to do based on it, especially for the end user. Like, to be honest, we don't even we have trouble getting our customers to understand how this all works and do stuff, let alone just a random person who subscribed to Google One. So I definitely don't think the information is that actionable for people. My only thing that I really hope is that Google still does all of the stuff they were doing before, which is like protecting the accounts even if they're not telling you they are, if that makes sense.
Corey Ham:So like, making sure that if dark web credential disclosures happen, that they invalidate session tokens and invalidate credentials and accounts so that, you know, things are safe, user accounts are safe, if that makes sense. So it's like This is I don't care that much that they tell you, I just still want them to keep protecting the accounts based on dark web data.
Ralph May:This is classic Google killing off another service.
Corey Ham:They love killing a
Wade Wells:They love
Charles bsdbandit:I'm not surprised.
Ralph May:Yeah.
Wade Wells:But it's a It honestly sounds like a service that none of us even knew about though.
Ralph May:Yeah. Unless you had Google One, which most people don't even want any Google stuff.
Hayden Covington:Google One. They gave it to me for free and I still don't know what
Ralph May:it is.
John Strand:Do you think like like, seriously, if I was in charge of this, it'd be like, okay. How can we make this more user friendly rather than just throwing it away? Right? This also makes me wonder how many people like, if you think about your aunts, your uncles, people that are not computer savvy, when and let's say that they stumbled into this report that none of us knew about. Right?
John Strand:And they looked at it. I I talked to a lot of people that get compromised, and they blame Google. They blame Yahoo. They blame, you know, Hotmail or whatever. They're like, oh, yeah.
John Strand:Well, Google clearly let them back my account. And it's like, well, what is your password? What was password? 1234. I wonder how much of it by showing people just kind of the dark underbelly of computer security and the problems, the security perspective of their accounts, we're blaming Google.
John Strand:Right. It's like shooting the messenger.
Corey Ham:Right. Yes. That totally happened. I
John Strand:I think that that may be part of it as well.
Corey Ham:Yeah. No. That is definitely a thing. We warn our customers about that. So like, here's a common scenario we encounter with our customers.
Corey Ham:They we've actually had this both directions. One direction is a comp an employee of a customer's stuff gets hacked. Right? They get hit by info stealers and then we pick it up because it's their work email. We check their work credentials, they aren't valid, but then we tell the customer, hey, you need to tell this person because they have like Netflix, Amazon, Chase, like, all these other But but then like, the situation there is incredibly awkward to go to an employee and be like, you got hacked, we know about it, but it wasn't our fault.
Corey Ham:The other thing that we've had happen is we've had customers tell us, hey, can you validate this? Because the some employee signed up for a service like Google One's dark web information and it said that their work credentials were compromised and so they thought that we got breached because of that. So it's Exactly. Like basically, all of this whole situation just leads to confusing outcomes for everyone, and so I'm not I get it. I get just being like, no, we're out.
Corey Ham:We're good.
Hayden Covington:Yeah. Because there
John Strand:Years ago, I can't remember the name of the company, but Recon-ng had a module. We got an API key for, like, $5,000 where you could it was kind of like Have I Been Pwned, but you could get access to the hashes and the credentials. I we demonstrated this at DerbyCon, and we demonstrated against the FBI with permission from the FBI. We worked with them before we disclosed it in the issue at DerbyCon. And it was a it was a cool presentation by Tim Tomes, if you wanna go look at it.
John Strand:After that, we had a whole bunch of people that would call us up, and they would say, yeah. Can you look that up for us? And we would, and we would sit down and we'd look it up. And then we'd show them you have, like, 47 credentials that are compromised out on the open web and things like that. And then they would get mad at us.
John Strand:So we thought it would be a great sales technique. Right? We could do it. We could show them, hey. Here's the things that are out there.
John Strand:This is the stuff that we're seeing, and here's the things that we can help you with. And almost immediately, it was like, maybe get angry. Right? They'd be like, how did this happen? Where did these credentials come from?
John Strand:Where are you getting this information? How come you have this information? What are you doing that's illegal that gives you this? It got really dicey, so it killed it after like two calls. And I still to this day have people that are starting up pen testing companies that come to me and they're like, so I got this idea for getting customers.
John Strand:What we're going to do is we're going find companies that have a lot of data breach. We're going to reach out and set up a meeting. Extortion sell of marketing tools. I'm like, don't do that. That that's not gonna work.
John Strand:And they get all excited and they're like, well, we're gonna give it a shot. We're gonna give it a shot. And then they usually call me up and like, yeah, did that. It didn't it didn't it didn't go the way that
Wade Wells:we thought it was.
John Strand:So there's definitely a shoot the messenger aspect to this.
Wade Wells:From the other side of this, right, from the blue team side, I have had this where I've had to reach out to contact and be like, hey, I found your account. It's your personal account. But if your personal account's on here, probably means your entire passwords are all locked. Yes. Did you save any work passwords on there?
Wade Wells:You said you did it? We're gonna reset your password anyway. Like, usually, the moment you say anything, that's the I guess that's the one thing about being, like, insider defense. Usually, everyone immediately jumps to you the moment you say, hey, you got something. Where as from a a red teamer or an attacker, I could definitely see the suspicion being built as you telling them about it.
Wade Wells:But I wish I wish I would've known about this because I would subscribe to it, to tell you the truth.
Wade Wells:Yeah. I know
John Strand:it's true. Right?
Corey Ham:Well, yeah. I mean, at the end of the day, like, this information isn't gonna blow your mind. It's gonna be like No. And also, the to kind of like I know we've kind of maybe talked about this article a little too long. The other hilarious scenario, and I tell customers this all the time, no one's there's no validation of this data.
Corey Ham:And we've actually seen instances of a threat actor was trying to hack our customer, was saving the logins they were attempting against the customer in their browser that got hit by info stealers, and then we reported them as breached credentials, and they said, this isn't credentials, this is a hacker trying to get into our site. So like, there's no validation of the data. Right? Like there's I can type anything, and and also, this very smart customer who I hope is listening, also self misinformationed and intentionally infected their did some honey credentials, infected them with an info stealer intentionally, and so now they know they can validate like that you have good info stealer data because they intentionally breached a login that isn't a real user that they like keep track of for Nice. In postular tracking.
Corey Ham:So like, yes, it's one of those things of like, the data isn't validated. I can say I can I can go on Breach Forums right now and say I have a sick combo list and it's just random BS? Right?
Wade Wells:I'm not
Corey Ham:So what
Wade Wells:what if what if you had a company that could validate though? Like a password company?
Corey Ham:Well, there's that. There well okay. Thing. That's all
Wade Wells:I'll say about that. That's all we'll
Ralph May:say about that. You can say so password?
John Strand:I don't know.
Corey Ham:Yeah. I cannot. That's there's a legit If
John Strand:that company was to do password stuff, they would that would that mean way that they would have their password stored in some kind of access with reversible encryption that people could do those types of checks? Or how far down this rabbit hole are we gonna go?
Wade Wells:Technically, it only gets unencrypted when you put your code in it.
Wade Wells:No. I'm not.
John Strand:I'm definitely not gonna talk about problem.
Wade Wells:Yeah. I
John Strand:know. So how about
Wade Wells:well, so well, but
Corey Ham:there is a legitimate point here, which is that a lot of other companies do this for you already. I think, obviously, we're talking about password managers. Password managers do this for you already. They tell you if your passwords are compromised. Also, like, Mozilla can do this.
Corey Ham:Like, tons of other services do this as well. And so, it's just kind of like an extra unnecessary step. So it
Hayden Covington:It just seems like a not fleshed out product that no one really understood how to use correctly, and then they're just killing it off because no one knows how to use it and it's a waste of however much it costs them to do, which probably isn't But multiply that by their user base, that becomes bigger.
Corey Ham:Correct. If it's 1¢ per user, it's still an incalculably large amount of money.
John Strand:And it quickly gets to the point, like, how many times have you been in presentations that are like, the only way we're gonna get security is by user awareness. And at some point, you realize that's not gonna work because the users don't care. Right? Like, they they have other things to do. And I'm not saying that like they're dumb or they're idiots.
John Strand:It's just they have a job and that job is accounting. That job is web dev. That job is surfing the Internet. I don't know what they're doing. I don't know what people do outside computer security.
John Strand:Roblox. Right? And computer security and thinking about this crap deeply is not something they have cycles to put in their life. And that's kind of a terrifying concept because it leads to a lot of these types of breaches and these types of things that we actively take advantage of in the, you know, continuous pentesting side of BHIS. Do we wanna try another story though?
Corey Ham:Yeah. Yeah. Let's talk about Coupang. Coupang? Coupang?
Corey Ham:Coupang?
John Strand:Coupang? Coupang.
Corey Ham:Coupang. I don't know how to say it. I'm sorry if you are
John Strand:Apologize if you're Korean. Yes.
Corey Ham:If if you're Korean and you know what this company is and know how to pronounce it, I'm sorry. Coupang. Yeah. This is a breach. It's apparently the largest online retailer in South Korea, which is make Yep.
Corey Ham:Makes it huge. It's a pretty sizable breach of, I think, what did they say, 36,000,000 users or something like that? 33,000,000 users? The I think the so basically, the story goes that they raided this company, which that is honestly to me the biggest, like, that is the biggest surprise. Like, I commented in the Notion being like, could you imagine a US company getting raided because they got breached?
Corey Ham:Like, even Yeah. Can you even imagine? Like, in The US, we'd be like, yeah, we got breached. Hold on, Corey. Hold on.
Corey Ham:We'll see you on the stock exchange.
Ralph May:Hold on. Uh-oh.
John Strand:Okay. I'm done imagining it.
Wade Wells:That was
Corey Ham:fantastic. Thank
Wade Wells:you. Continue. Yeah. I wanna know what
Hayden Covington:company he was imagining.
Charles bsdbandit:Alright? Yeah.
Corey Ham:Hope Yeah. Well, I mean, so basically, they they I I don't know if this is South Korean law or I don't I have no idea how things work in South Korea. But basically, they raided this company like it was an FBI thing and took all their information. Even though the company was cooperating with the investigation, they came in and they got fancy blue boxes and took all their stuff home with them, I guess. Basically, they've investigated and it turns out that it I guess, it sounds like it was an inside job, but also Yes.
Wade Wells:Kind of
Corey Ham:not so much of an intentional inside job. It was like a past employee who still had access and probably shouldn't have. Right?
John Strand:Yeah. It was a citizen that disappeared. Yeah. But they also this is over 50% of the total population of South Korea. Right.
Hayden Covington:And the second to last
Wade Wells:paragraph is a little Jeez.
Andy "Nerf":But haven't the recent breaches in South Korea been, like, the entire population?
John Strand:Yeah. Let's go to the second to last paragraph.
Andy "Nerf":So haven't the recent breaches in South Korea been, like, the entire population? So, I mean, in in comparison, isn't
John Strand:this kind of a nothingburger?
Wade Wells:We don't know.
John Strand:The CEO resigned.
Charles bsdbandit:Wow. Man.
Corey Ham:No breach of
John Strand:the economy. I love the fact that South Korea, like, they actually have shame in their executive ranks. Like, the CEO resigned. He's like, I'm I'm not. You know?
John Strand:I can't remember what airline it was. There was a CEO of an airline. His daughter got on the airplane and treated the flight attendant. I wanna say poorly. It doesn't do it justice.
John Strand:Like, it was horrific what they had this flight attendant do, and he resigned too. But you would never see that in The US. Like, I I don't I don't know, like, how bad of an incident would have to be for the CEO to fall. I mean, don't they hire CISOs to take the fall for them? Isn't that what
Wade Wells:you're supposed to do?
Corey Ham:Yeah. Don't worry, John. He's gonna he he's gonna come be the CEO of a US company or something.
John Strand:Yeah. Very shortly. There was the second to last paragraph someone was talking about. Can we bring that up and go to the second to last paragraph and read that one?
Hayden Covington:Yeah. It's it's talking about how, like, the it's very interesting to think about. Like, we we talked about, you know, oh, what if, a US company had gotten raided because they got breached? It sounds like like it says they're being treated as the victim, but if negligence or other legal violations are found, they could be held liable in some capacity. So you got breached, and if they find out that you did something wrong, they could totally hang you out to dry.
Wade Wells:Now The old no logs, no breach scenario.
Corey Ham:Okay. Okay.
John Strand:So it's different. So this is different, but I've worked I've worked incidents where the FBI has gone in the Secret Service in some instances and has seized equipment rather dramatically. And usually in those particular situations when they do that, either a, they think that there's a scenario where there's an employee that's like like like, there's multiple employees working together. Or b, they believe that there's a nation state level component of it, and they have the warrants to basically get that. Even if it's not adversarial with the company, they literally come in and start seizing servers and workstations.
John Strand:Now that is exceedingly rare. And I don't think that they brought ops down for this company either. Right? I think that they were just taking hard drives of workstations. So that would kind of match up with what I've seen with some US companies where law enforcement has done this type of heavy handed tactic.
John Strand:But most of the time when they do it, they either, a, think that there's the exigency of the circumstances that another employee will wipe the data, or they believe that there's a nation state component, and they have to move very quickly without notifying the company. But once again, I mean, can think of two in the last twenty five years where that happened. So it's something like this.
Corey Ham:The other thing I'm not clear on is when they talk about liability, are they talking about like, do they have the concept, like, we have of civil liability versus criminal liability? I don't even know if that's, like
Charles bsdbandit:I'd In
Corey Ham:The US, I I don't think there's any criminal liability for breaches whatsoever. Correct?
Hayden Covington:I can't
Corey Ham:doing it.
Hayden Covington:Yeah. It sounds more like it's about negligence about the data loss or maybe even like the repercussions of that data loss. Because it talks about how much, like high volume phishing is there is now related to this company and how many reports the police are getting. So I imagine it's just can they hold them liable for something just in general.
Corey Ham:Yeah. But is it criminal liability or is it money? Because if it's money, it's kind of a different story.
John Strand:So but getting into it, it it they do have an act that is very similar to GDPR. I think it's called PEPA. Hold on. I'm just looking it up right now. But you can be held liable if you haven't had like like, it it's basically like GDPR.
John Strand:So if you end up which, by the way, I had someone in London that's like, you guys talk about GDPR, but you need to learn more about GDPR. So I hear you. We're gonna learn more to educate ourselves. But you can absolutely be held accountable under the South Korean GDPR in that particular situation. So, yes, they do have, which is something we miss in The United States.
Wade Wells:Could you imagine like working and like some dude rushes in the office, pushes you aside, types host name on your computer, your host name comes up and he goes, yep, and then just takes it and runs away with the computer?
Wade Wells:You just go
Wade Wells:That's what I imagine.
Charles bsdbandit:Might as well.
John Strand:So years ago when I went to work for years ago when I went to work for Accenture. And there's video on this I checked like a few months ago from an old flip phone, an old Nokia Razr. Was it Motorola Razr? I was working at Accenture and I wasn't on the security team yet. And this guy just came into my office and he was wearing a suit and he just grabbed my trash can.
John Strand:And I grabbed my trash can, and I'm like, what are you doing with my trash cans? And he mumbled something. I can't even remember what he mumbled. But then he jerked the trash can with me holding on to the trash can and, like, dragged me down the hallway between, like, the cubicles for a few pee. And somebody was able I was, like, screaming at this guy.
John Strand:I'm like, what the hell are you doing? But he was literally the equivalent of a penetration tester back in 2000 that was hired. And he was doing the the the thing where he's going around and kind of actively dumpster diving, where he was trying to pull down trash and find credentials. And he had dragged me a little bit down
Corey Ham:the It's a pretty good pen tester
Ralph May:you got there.
Wade Wells:It's not
John Strand:white. It's not white what you're talking about?
Wade Wells:I would say that's more violent.
Wade Wells:That was that's
John Strand:So the report. Only one person stopped us from actively taking their trash. That that was me. I I want.
Corey Ham:Like, that guy that guy's a future
John Strand:SANS instructor. Instructor. Let's get there.
Wade Wells:Jeremy is
Hayden Covington:just fine with this. Okay.
Charles bsdbandit:Is that the physical definition of try harder?
Wade Wells:Yeah. And every people. Right? It
Corey Ham:sounds like it worked
Hayden Covington:except for John.
John Strand:I know. Explain more. So I did Contesting never skipped a like
Corey Ham:While we were hearing John's amazing security awareness training, I got, apparently, executives can be held up to two years and fined. So basically, you could be imprisoned for data breaches. Yes. For failing to implement proper security measures. So this could have actual jail time associated with it, explains why they're taking it so seriously and How?
Corey Ham:Like they're, yeah.
John Strand:So Were you able to find anything in this article or other articles about how long the guy had been separated from the company?
Corey Ham:It was for a year. 2024, he he parted ways. So it's definitely This looks bad
Wade Wells:for them.
Corey Ham:It's definitely bad for them. Like, it's there's pretty clear there's pretty clear evidence that that this guy should not have had access to the data that he did and that definitely on the company to to close that out after an employee loses leaves the firm. Gotta roll those passwords.
Wade Wells:That's always been a detection of mine, like, looking for employees who have been off boarded, who are improperly off boarded, like, that's usual Yeah. Thing that's floating around. Right? So
John Strand:Well, I think the tools like PingCastle will go through and say, like, when's the last time an account has been accessed too.
Wade Wells:Yeah. Oh, they do
Ralph May:a lot of stuff. I mean, they are also cool if they leave that in, like, a folder and then you're on a pen test and then, like, it has all the passwords in it. That's
John Strand:I like it when they
Wade Wells:do that.
John Strand:We found this folder with all of these this thing called the SAM file from the previous pen test. You should
Ralph May:probably change those passwords. Pretty interesting. Yeah. Yeah. You didn't change any of those.
Ralph May:That's cool.
John Strand:Now we have seen over the years where we have seen previous years pen test reports while we're pen testing. And there's a little bit of the, like, looking over the bathroom stall, how did they do it? Like, you know.
Ralph May:Or either that or, like, you guys missed all of this stuff, or you're like, oh, that's
Corey Ham:how they did it? Okay.
Ralph May:Let me try that. Let's see if it works this year. Ah, it does. Perfect.
John Strand:Yeah. There was one of the companies that I was doing expert witness stuff, and they had five years of pen test reports, And I got to review them, and the the disparity of, like, the skill set and the quality was all
Ralph May:over place. Oh, it's all over the place. There's no unifying body. There's no unifying body So, for the like, you can get a pro, you can get, like, an intern, essentially. And I mean that in, like, the sense of they've never actually done this, so they don't have the experience to handle this kind of test.
Ralph May:So but there's no way to tell.
Corey Ham:So That was always me.
John Strand:The intern?
Corey Ham:Yeah. Yeah. Me and Ralph doing Red Teams many years back, same vibe. But we always pulled it out, you know? We always we always figured it out.
Hayden Covington:You always got away with that trash can.
Corey Ham:You just pulled hard. We always got away with that dress.
John Strand:But you had hair back then. I had hair back then. Everyone had hair. Everyone had hair. It was luxurious.
Corey Ham:I I didn't have hair.
Wade Wells:No mustache. Modern
John Strand:day Scott Stapp. Look at that guy. So Did you guys
Ralph May:oh, I I did have one article I wanted to cut cut on for, like, a second.
Charles bsdbandit:Did you
Ralph May:guys read the that iRobot was filing for chapter 11?
John Strand:Oh, no.
Corey Ham:Will Smith is gonna be out of a job?
John Strand:Yeah. Oh, no.
Ralph May:So, alright. Here's my interesting take on it. Right? I read the article about it and I kind of saw the writing on the wall, because right now there's like a robot vacuum war with China, and they're building like an army of robot vacuums. So And they're really good.
Ralph May:About this is the company that ended up alright. So that robot iRobot filed chapter 11, and they actually immediately during that filing sold the company to Shocker, a Chinese company. They're gonna inherit all of the IP of iRobot. What's more interesting is that iRobot was already using this particular company to build all of their robotic vacuum. Right?
Ralph May:So, like Wow. It wasn't like they sold it off to a competitor. Like, they were already, like, part of the supply chain thing. Right?
Corey Ham:It was like, hey, you owe us for parts, they were like, nah, just take the whole company.
Hayden Covington:Yeah. Exactly. Consolidation at this point. You can
Ralph May:have it. And what I think is interesting is how it's not just robotic vacuums. It's all kinds of robotic devices, whether it be lawnmowers and vacuums and other things that are being developed in China now. And from a security standpoint, right, Like, where does that put us on this thing where they're essentially taking this whole market of all the stuff that lives in our house, right, the consumer market? And, you know, where does that put from, like, a a bigger picture?
Ralph May:I don't know. It's just something to think about.
John Strand:What we need to do is we need to do, like, some content where we take one of these robot vacuums that's, like, industrial and use it for like, get remote access to it and then bridge the wireless network. Because a lot of these devices, they're on the wireless network because they have to for activation and things like that. That's one of the things that I would look for is like, what is the backdoor for updates and firmware and things like that? And is there a way to bridge onto the wireless network that it's part of? Because you're just bringing these things into your house.
John Strand:And I think we had another story about a KVM, because it's not out of the realm of possibility of
Corey Ham:I China doing this world that to keeps a KVM.
Wade Wells:Yeah. Those vacuums are mapping your house too. That's the other thing. Yeah.
Corey Ham:At least they have room know what else is mapping my house though? Myself. Zillow.
Ralph May:Yeah. I was gonna say.
Corey Ham:Was gonna point out can just look at every photo. Yeah, dude. You can just look at the detailed photos of my house from the listing and there's nothing details?
Ralph May:I mean, honestly, they should be hiring those little robots out to do surveys.
Wade Wells:I do feel like those robot vacuums whenever my
Corey Ham:definitely come in.
Wade Wells:It comes straight for me every time. It knows.
John Strand:It's you, right? It doesn't like you. No. ACDC? Wait.
John Strand:Wait. There's a point ACDC who made who when it starts coming towards you because you might be dealing with a maximum overdrive situation.
Corey Ham:Nah. If you're in the and you're controlling Wade's robot, let us know. Please take pictures.
Ralph May:The NanoKVM one was about in essence, the device was getting created and the software configuration was just like horrible. Right? And so I think this goes across the board for any kind of either consumer device. Doesn't have to be just from China. There's, like, wildly different products and product pricing.
Ralph May:And depending on those, they might just not be able to afford really any security, but they're like, hey. It looks. It works. Right? Like, we're just trying to sell stuff.
Ralph May:Sell stuff.
John Strand:Well, but I also think I also think with this is you if you look at, the components, Ralph, that they build these things out of. Right? Like, lot of this crap is just Frankenstein. They get the circuit board from here. They do this, they do that.
John Strand:And a lot of times, there'll be components within those circuit boards that they don't even use. Right? Like, whatever they did with this little, what is it, NanoKVM that they got from China, had a little microphone in it. And I'm willing to bet that they just whoever that KVM company was, they just got access to a whole bunch of really small boards, and they had lots of features that were built into them. And that's
Hayden Covington:something that
John Strand:can be turned on after that is the way I kinda see it.
Ralph May:Well, something that's interesting about the Chinese market is that all of these vendors, right, they're all right next to each other. So they're like, hey, I can just go over here and get this board. These already I'll make this and we kind of put it all together, and they didn't have to, like, call around the world and get them all shipped in. They're, like, literally in the same building almost. Right?
Ralph May:And so, I mean, this is this economies of scale for them to to develop this stuff. So, yeah.
Wade Wells:I thought the NanoKVM, more interesting part, it was beaconing back via DNS. Right?
Ralph May:Oh, that's Like it
Wade Wells:was hitting check. It was it was hitting check.
Corey Ham:Thing is straight up implant. It's
Wade Wells:the reason my baby monitor isn't on the network anymore, man. Like, soon as I hook up pick as soon as I hooked up the Ubiquiti, I realized that my baby monitor was hitting China. And I was like, this is man.
Wade Wells:Isn't that
Ralph May:something? It's funny because you you mentioned that because we're actually working on building ESP 32, what do you call it, implants. Right? Drop devices. So this is ESP 32 with a PoE.
Ralph May:So you can just drop one of these little bad boys as opposed to, like, the traditional ARM based system or or not ARM, but like Raspberry Pis. Right? Yeah. Super low power. Same same idea, though.
Ralph May:Right? Like, this that's exactly what that chips running in the in those KBMs. They're like it's a RISC chip, which is, in essence, like, the equivalent of an ESP 32, but they're so much more powerful now that you could do all kinds of tasks. It's pretty wild.
Corey Ham:Put a mic in it. They already the the Chinese people gave you an idea. Put a
Ralph May:mic Yeah. In No. You could totally put you could put all kinds of fun stuff on here. It's just you.
Wade Wells:Could I bring my own VM on there?
Wade Wells:No. Good.
Hayden Covington:Oh, good segue.
Wade Wells:It's so Only
John Strand:if it's QMU. Oh, tell us more.
Corey Ham:I I have no idea what article this is. I'll go You hit it.
John Strand:This red is canary.
Andy "Nerf":Red canary one.
John Strand:Beyond the bomb when adversaries bring their own virtual machine for persistence, which I think is funny because we've been using virtualization for now.
Corey Ham:We've been doing this for years. EDRs are the thorn in our side.
John Strand:Yeah. So I don't know if anybody else had read this, but they base the one thing that I thought was interesting, and Wade, I wanted to get your take on this was the spam bomb. I'm trying to figure out how we go from spam bomb because they show, like, the timeline. They're like, spam bomb, spam bombing, and then it's like initial access. I'm like, how did I get from point a to point I missed how we did this.
Wade Wells:There's a No. No. Engineering.
John Strand:They called? Is that how they did?
Andy "Nerf":Yeah. So they spam bombed them, and then they called and said, hey. This is your service desk. Are you having any problems with your email?
Wade Wells:And the
John Strand:guy was like, was timeline? I've got all the I was reading the timeline wrong. Okay.
Corey Ham:This is an ancient technique. This is this is this is for two There's
Andy "Nerf":words other than the pictures, John?
John Strand:Thanks, Andy.
Wade Wells:Thanks. So I found this article somewhat interesting as like a defender because like, I think the hot thing is more of like bring your own vulnerable driver. Right? That's the thing, or bring your own, like, executable in, and then that I actually haven't seen VMs as much, so I'm not surprised you guys are using it. But I will tell you this, from an intel standpoint, Red Canary usually writes some of the best intel reports.
Wade Wells:And this report is very good, so I was a little disappointed when I got to the end and all of the IOCs were just IPs and hashes. There's no Okay.
Corey Ham:Yeah. There's no And there's threes.
Wade Wells:There's no MITRE stuff. I was like, were they rushing to get this out because of something or would did they just not wanna do the the hard like, the five extra steps?
Corey Ham:So how big was
Wade Wells:this VM though
John Strand:that I
Wade Wells:had to download?
John Strand:That's what I want.
Wade Wells:Not big.
John Strand:Not big. Was really small, but I think it did get bigger. I'm not
Wade Wells:They brought it over via RMM and then Yeah. They ran a couple commands, threw it up, and then I believe they did Sliver C2 in order for C2, and then because of course. Of course. Right? And then Red Canary was able to see the actual server via Shodan.
Wade Wells:Came back at it, which was amazing. Always good to do that. And then they found a couple of things for actual like SOCKS proxy.
John Strand:$7? Wasn't this a Windows seven box? Because they
Wade Wells:were think
Corey Ham:this is just a really bad pen test.
Wade Wells:It is a Windows seven.
Corey Ham:To the Internet. They use Windows seven. Come on. Dude. What?
Ralph May:The the target host was Windows seven?
Corey Ham:No. That's what
John Strand:I was trying to figure out too.
Corey Ham:It's like the VM.
John Strand:So you you can afford Red Canary. So you can afford Red Canary, but you're still running Windows seven. There's like, there's there's there's a dichotomy happening in this report that kind of like like is interesting.
Corey Ham:Oh my god. Right. The the the downloaded a whole Windows seven VM? Correct. And then they Linux VM.
Corey Ham:Like, why Windows?
John Strand:I don't understand that.
Corey Ham:It's so bad. It gets worse. They downloaded a Windows 7 VM, and then they just C2'd it. And just used it to launch beacons in their network? Dude, just Guys, just use SSH.
Corey Ham:Terminals If all you want is a network proxy, you don't need to freaking I think it's a joke. QEMU. Yeah. Think it
John Strand:was a joke. I think that they set up like a like an iron hacker challenge in China. They're like, okay. Here's what you gotta here's what you gotta okay. Okay.
John Strand:First, you gotta use QEMU. Alright? Then probably
Wade Wells:Then you gotta use Windows seven. Then then did you, like,
John Strand:credit this thing?
Wade Wells:Yeah. Okay. Let's go.
Corey Ham:Was this that try hack me advent of cyber, but in China or something?
Ralph May:Yeah. It would kill me too if you looked in the Windows 7 VM. They had to actually, like, bypass Windows Defender to get their payload to run in their own video.
Charles bsdbandit:Oh, yeah. Someone made
Hayden Covington:a really good comment in the Discord. Said, just go with what Claude knows. Imagine they're just trying to use AI and it's like, well, first, install Windows. And like, okay.
Wade Wells:I guess. Do that later. Hey.
Charles bsdbandit:I see an ISO. Let me grab it. There we go.
John Strand:This the strangest hack the box ever. I
Corey Ham:Oh, my will say though, I don't think this is China. If anyone, this would be Russia. Like, it's the Windows seven licenses we had, an ISO g dot t x d. This isn't China, dude. China would be using Red Flag OS or something.
Charles bsdbandit:When in when in doubt, blame China. Yeah.
Ralph May:I do I do wanna know where this Windows seven image that was so small is.
Corey Ham:Yeah. Why didn't they put that in the IOCs? Why didn't they
Wade Wells:put that in IOCs? Just a link to download it? What do
Corey Ham:you mean?
John Strand:Yeah. Find it in your environment, just just delete it. Just just delete it and make it go away.
Ralph May:My god.
Corey Ham:Executives hate this one trick to keep Windows seven running without violating compliance requirements. Yeah.
John Strand:Oh. Yeah. Trying to find the next story.
Wade Wells:A lot.
John Strand:Notepad++ had another, like, way to drop now. We're on Supply chain. Plus.
Corey Ham:This isn't the first one and probably won't be the last.
John Strand:It seems very similar to the old school GOP generic update process exploit that existed a number of years ago. But there's been a couple against Notepad++ for their symbol similar to this as well.
Ralph May:You guys use Notepad?
John Strand:Notepad++.
Corey Ham:Yeah. Because you do. Have VS Code.
Charles bsdbandit:I use Google for everything.
John Strand:Languages such as Fortran and COBOL that has That's
Corey Ham:the reason to use it? That's the reason right there.
John Strand:I thought it was weird that that was in the article about this attack. I just threw that in there. I just feel like the author of this article, at PCWorld, is like a hardcore Notepad++ fan and he fights with people.
Hayden Covington:It's a tough test.
John Strand:And he's gotta sneak that in. He's like, well, if you're using Fortran, it's like, no, I'm not.
Wade Wells:I'm still a hardcore Notepad++ user.
Corey Ham:Oh. Dude, regex. Like, I
Wade Wells:can easily use regex. I can add characters when I'm doing mass amounts of queries. Say someone throws me an IOC list, I can add a four in front I of can parse it.
John Strand:Say supports cobalt, form a tran.
Corey Ham:Yeah. Say the line. Hey,
John Strand:Say it, barn.
Charles bsdbandit:Hey, Wade. I was once guilty of vi-ing everything, but VS Code has slapped my hands to
Corey Ham:Yeah. You can use VS You can use Vim bindings in VS Code. That's what I do.
Charles bsdbandit:I do. Best of both worlds. Yep. hjkl, always.
Wade Wells:It's just nice. Yeah. I don't VS Code takes forever to launch sometimes. No you know.
John Strand:And it doesn't support the whole or Fortran.
Wade Wells:90% of the time it's
bsdbandit:Not terrible.
Hayden Covington:VS Code sucks. Just use like Cursor or something. It's so much better. Right?
Wade Wells:Right. Right.
Ralph May:Oh, yes.
John Strand:I just used said knock from the command line as my editor.
Andy "Nerf":So There are some extensions available for Fortran syntax highlighting in CSS.
Ralph May:Perfect. Yeah. See
Corey Ham:Those are malware. Those are malware. Probably. Oh, boy.
Wade Wells:We got we got fifteen minutes. Let's do predictions.
John Strand:Do we want do we want the
Corey Ham:Oh, are we actually going to? We should do that.
Wade Wells:Yeah. I I will give I'll give my hot take prediction.
John Strand:You wanna
Corey Ham:go first?
bsdbandit:Go for it.
Wade Wells:I'll go first. More Salesforce application breaches. Yep. Agree. I think that's gonna be a key Make sure you profile.
Wade Wells:If you have Salesforce, go in there, grab the logs, start profiling all those apps and just make
Corey Ham:sure they are talking from
Wade Wells:the right IP over and over again. It's pretty easy thing.
Corey Ham:Yep. That's on our radar. We're already simulating that attack against our customers and it's been eye opening to say the least. Yeah. Gotcha.
Corey Ham:Alright.
John Strand:I think my prediction is I think six seven will stop being funny. Oh, man.
Hayden Covington:We're gonna be into 2026. So it has of the six. I think that's a prediction for '27.
John Strand:This monkey's gone to heaven. But my real prediction, and I hope I'm right on this one, and I very well could be wrong. But I think that this whole kind of slowing down of computer security hiring, I predict come 2026, it's gonna bounce back, and we're gonna see a lot more hiring. I think especially around the time of Black Hat and DEF CON, I think you're gonna start seeing a lot of people having conversations of the AI protection and all the amazing things that we were supposed to get with AI are not securing our environments. And I think a lot of organizations are going to realize they're behind the eight ball and having people to be able to help protect their networks.
John Strand:And I hope to God I'm right. Because the alternative is two things, either a, we just continue to go into oblivion into 2027 and people keep thinking that AI is going to solve all things computer security. Or even worse than that, AI does, which I don't think is gonna happen, but we'll see. So that's my prediction. I think we're gonna see a hiring snap back around August, and that's just me throwing something at the wall and seeing if it sticks.
Corey Ham:My prediction is there's some kind of AI caused cyber event that Mhmm. Like, I don't know I don't wanna call it like Skynet type. I'm not saying I'm I'm not at all saying that it is like an intrusion by AI or something like that. I'm talking about like
John Strand:Maybe it's two AI agents fighting over DNS records.
Wade Wells:I don't know.
Corey Ham:At some point, there's going to be a mass Internet outage in 2026 related to something that AI did, and also related to cybersecurity. So stay tuned on this podcast, because I bet you that's gonna happen.
Hayden Covington:Is that a threat, Corey? That was really specific.
Corey Ham:Yes. That was really specific. Super specific. If if you do not subscribe to this podcast, the Internet will not make it through 2026. It will go down at least once.
Shecky:Along those same lines, that breaches into my prediction for next year, which is that we're gonna see a massive breach due to AI walls falling down from prompt injection.
Corey Ham:Oh. Due to asking nicely? Woah.
John Strand:I think a good one. I think that now the the question is, what do we qualify as massive? Like are we talking front page New York Times?
Shecky:Yes. We're talking like front page we're talking something along the lines of at least a SolarWinds scale.
John Strand:Oh. That's that's big. That's Okay. I dig that one.
Charles bsdbandit:I think
Wade Wells:I think
Ralph May:vibe coding and AI is going to cause a class of vulnerabilities that everyone is affected by. Right? Yeah.
John Strand:So I could go with Shecky's. I could
Ralph May:go with Shecky's. So in essence, what would happen is that because everyone has decided to use AI to do all of this and the AI has the same functional issue, it creates a class that everyone, you know, essentially has. Right? Yeah.
Corey Ham:It would be some weird training thing that got coded into a thousand programs.
Ralph May:And then everyone's like, oh my god, instead of em dashes, though, it's gonna be something like way worse than that. Right? Like Yeah. It'll be something that everyone is affected by because they're, you know, coding in this way, even if they're not doing because they don't have time to look at all of it because they fired half the team so that they could do more, you know. So Okay.
John Strand:New I like that
Wade Wells:one. OASP 10. I can see it being added.
Ralph May:Yep. Yeah. Yeah. Yep. Don't do this.
Ralph May:Don't use EMDAT.
Charles bsdbandit:I think I think just to just to piggyback, I think the same is gonna happen in the the API and web space when it comes to, like, vibe coding and everything else. But I think it I think AI is gonna set it back set us back a lot further as far as, like even with these new AI browsers where, you know, there's some instances where within the server response, you're you're getting, like, a username and password. And who knows? That application could have been coded by a bunch of Vibe coders that don't really think about security whatsoever. They just think about pushing the product out.
Charles bsdbandit:So I do think that AI is gonna cause a huge gaping hole in the world of application security. Just my prediction.
John Strand:Nice. Nice.
Corey Ham:I agree. Hayden, anyone else have any? Yeah. Anyone else?
MaryEllen:I mean, I kind of have two, really. I was thinking about what BSD Bandit just said. Like, I think vibe hacking is gonna become, like, huge. And I also think I'm not gonna say which one, but I think that one of the major CTF platforms that's out there is gonna go under.
Charles bsdbandit:Oh. Oh. That's a good that's a good prediction.
Corey Ham:Oh, because
John Strand:Good thing we're not a major CTF platform.
Ralph May:Now you say because of, like, the vibe hacking, it's, like, too trivial for the AI agents to do it. Is that what you're saying?
MaryEllen:No. They won't. I don't think they'll be related.
Corey Ham:Those people
Wade Wells:I I felt
John Strand:like they were. That that one's interesting. I think that that one's interesting because there's a lot of VC funding going into this space, and VC funding wants to have a flush.
Ralph May:Yeah. We here's a open question for everyone. When do you guys think or do you think the AI bubble will pop? Like, do you think
Wade Wells:it's a big deal?
Ralph May:Yeah. I
John Strand:do think it's gonna pop. Think it's gonna have I think it's gonna be tied with all the things that we're talking about here because I I think it's possible everything we discussed comes to pass. Right? Massive AI vulnerabilities causing organizations to pause and reflect. Venture capital realizing that the amount of money that they've been sinking into AI, they're not gonna see those returns for a decade and half.
Ralph May:Decade. Yeah.
John Strand:I I and AI vibe coding, I mean, we're already seeing with organizations where we're pen testing them. And we find vulnerabilities and they're like, we don't know how to fix this because this was created by AI. We're already seeing the beginning of a lot of these different things. And we don't see a good way out.
Shecky:Yeah. And add on to that, right now you're starting to see Nvidia, their stock prices and the stock prices of some of these other companies start breaking down. I mean, you've got Disney now investing in OpenAI
Hayden Covington:Oh, yeah.
Shecky:To try and
Ralph May:help
John Strand:keep them afloat.
Charles bsdbandit:The beginning.
Shecky:You're already seeing the start of the of the bubble popping as everybody's rushing to try and shore up the tech industry.
Corey Ham:Yeah. Yeah. There's only
John Strand:one that's gonna go away.
Charles bsdbandit:It's just gonna be minimized.
Hayden Covington:It's gonna be an overcorrection, which kinda ties into what my, I guess, only prediction could be, which is a little bit selfish, I think. But I'm thinking that the trend of automating tier one SOC is gonna continue. And it's gonna go well to the point where they start branching into the higher tiers of, like, SOC analysis. And it's really gonna start
Wade Wells:someone cut them off.
John Strand:Cut them
Corey Ham:off right now.
Wade Wells:Well, it's gonna start paying people.
Corey Ham:The models are gonna get better, and then they're gonna think, well,
Hayden Covington:we can just do all of it.
John Strand:And then they're gonna start messing up bad. You remember whenever I started talking to our own internal SOC, there was a bunch of people that started freaking out, like, when we started getting stuff set up. And I remember having conversations with multiple SOC analysts. And I was like, I don't look at AI as something that I can reduce costs. I look at AI as something that we can kick more ass with.
John Strand:Right?
Hayden Covington:Exactly.
John Strand:And that's what we've been focusing on is not like, how can we reduce our headcount? Right? We just want to be able to do more and be more effective in what we are doing. And I'm already seeing that. Like some of the some of the crap that you guys are coming up with and what you're detecting is like top notch.
John Strand:But it's hard getting there. Right? I think that a lot of organizations, instead of the growing pains that we're going through, I think that, you know, one of the things about a SOC is it can be this black hole where you don't know that you've gotten too far out over your skis by laying off people and cutting costs and dropping and dropping and dropping and dropping until you're tumbling down the side of the mountain. And at that point, it's too late. And I think that you're 100% right about that.
John Strand:But I think if you're a SOC, you know, you don't need AI for, like, saving money. Look at AI like, we finally have a tool that can help us get caught up.
Corey Ham:Yeah.
John Strand:And Yeah. We're not using it that way.
Hayden Covington:I have two comments on that. As I've written a talk and a half about this in the last couple of days, but the two things that I came away with are someone said this to me is that a force multiplier only works if you have a force to multiply. So if your analysts are not skilled enough, they cannot properly utilize AI for proper investigations. Mhmm. So I think that really just is the crux of the issue is you're not gonna be able to know whether or not it's wrong.
Hayden Covington:You're not gonna know how to prompt correctly in the right directions for your investigations unless you are experienced enough to utilize it. And, yeah, I think that they're just gonna keep pushing it further and further as the models get better without giving it time to mature. And I think it's really gonna screw some people over.
Wade Wells:Yeah. Both of our Blue Team Con both of our Blue Team Summit talks are on AI now.
Hayden Covington:Mine mine's actually on taking threat intel and turning it into detections.
Wade Wells:Okay. Good. Good.
Wade Wells:I've done
John Strand:that already. My wish list is Detection Forge. Like, this is this is what I hope to see in 2026 from our SOC. DetectionForge is the tool that we use to create our detects and it does validation. I want it to kick out atomic Red Team Atomics
Hayden Covington:as well. Oh, yeah.
John Strand:Like, so we do DetectionForge, it just kicks that out to the side.
Hayden Covington:So what we have now, John, that you'll be interested to see at some point is we can create issues for detection stories and tag Copilot, and it'll write a first draft. And then the Copilot code reviewer will review the first draft. And Yeah. It's worked pretty well so far. One of them was really crap, but most of them have been pretty good and at least enough to where it saves you, you know, thirty minutes, forty five minutes of templating and, oh, which MITRE tag should I add to this?
Hayden Covington:I gotta make sure the reference links are indented like saves you time but also you still need somebody there to make sure it's right.
Corey Ham:And You do. In a that's the important part.
Wade Wells:I was gonna say, in a combo with Hayden and John about hiring more than having the AI SOC, this is what I'm hoping to see, but I think I'm being too positive, is what I've seen with these AI summaries is I could probably teach someone that does not have a lot of security experience to be a somewhat decent SOC analyst very, very quick. And I don't think enough people are utilizing that in order to spin up or at least hire new people to get into a SOC because they just don't wanna pay people. But it's so easy to spin someone up right now that just has basic security knowledge and have the AI hold their hand through a lot of this stuff that I just I hope
John Strand:it happens. Here's the problem, Wade. Here's the problem with that. We have seen people, whether it's interns, whether it's pen testers, whether it's junior SOC analysts, and also talking to a number of customers where AI is doing one of two things to people. Like, either a, it makes them lazy.
John Strand:And I'm seeing that a lot. To where people aren't actually trying to understand the core fundamentals of what things are coming to them or they use it as a tool to try to do amazing things. And it seems like that's a very small subset of the universe right now. And that's a big concern that I have is if somebody's using vibe coding, that's great. Use that as a tool.
John Strand:Try to strive. But then you're also getting this huge percentage, and I hate to say it, but talking to my customers, I think it's like 65, 70% of the people are using AI as just this lazy crutch to where basically they're saying, yeah, AI told me that that wasn't malicious. And it's like, well, did you verify it? Well, AI told me it wasn't Yeah. AI AI generated that code for the website.
John Strand:It should be fine. It worked. It passed my checks. Right? And that's my biggest concern in this industry is, hate to tell you, but I think it's about 70% of the industry, especially the younger generation, has come up and they've been using AI to generate papers.
John Strand:They've been using all these different services. And they get to the point where they have to do a job, and they continue to trust implicit this service that they have.
Ralph May:And that's my view here. That's really what AI slop is. Right? Yeah. Yeah.
Ralph May:Effort something. But the but that something that they made would have taken a lot of effort for someone to actually do, but that it was just AI, so but nobody appreciates it because the thing that we all appreciate in this world is the reckon recognition of the limited time we have on the server.
Hayden Covington:And I have another good good PowerPoint quote for you is one of the ones that I threw in is that AI can make a good analyst great, but it can't make a bad analyst good. Because there has to be some amount of foundational understanding to be able to prompt and correctly recognize issues.
Corey Ham:Well, And I think
John Strand:that we're gonna be changing our hiring process in pentesters and in SOC analysts. Like what was it? Just trying to hire a CI/CD pipeline engineer or developer is one of the most or two of the most painful things I've ever done in this company over the past year. And I I think that we've got to try to come up with a way where we're using our platform in our LMS where somebody wants to work here, we've got to create challenges that cannot be easily solved by AI. And then try to use that, try to filter these people out because we're getting onto interviews with people.
John Strand:And I don't know if you guys I think we talked about it on the show a couple of weeks ago. We had one interviewee that we are 99% certain was taking all of the questions we were asking and answering it with AI to the point where the interviewers asked him to turn around from his computer and answer a question, and he refused to do so. So Yeah. Yeah. It's getting weird out there, folks.
Corey Ham:Alright. Everyone else Be coming. Soapbox. I wanna take my AI soapbox. I think Go for it.
Corey Ham:The things the things that we said when all this AI stuff started are still true. Like, my my claim was AI is not gonna replace people's jobs. It's people who don't use AI will be replaced. Not AI replaces a person. Yeah.
Corey Ham:Like And I also would like to mirror what Hayden said, which is I have yet to see someone who isn't very good at their job fix it with AI. That's not it's not gonna happen. Nope. I've seen people who are really good at their jobs get even better with AI. Like, that is, I think, what's happening is the people who are good are getting even better and more efficient and faster.
Corey Ham:The people who suck are still gonna suck. And I think Right. John, like, no matter how you came up in the world, like, the same thing you said about, oh, I was brought up on AI, is the same thing as it was in the nineteen fifties. It's like, you just listened to what your professors told you and didn't actually learn anything. Like, you you're just a parrot for information that you learned in college.
John Strand:Or used Google to answer these questions.
Corey Ham:Exactly. Like, I think, really, AI maybe turbo charges it and it makes it harder for people to figure out that, you know, you're kind of full of crap. But I think at the end of the day, like, you know, like everyone else has mirrored here. If you don't know how to validate the results coming out of the AI, it you are
Charles bsdbandit:It's
Corey Ham:up Your output's not gonna be good no matter what it is.
Wade Wells:Yeah. I think I think I just realized something. We're starting to become closer to a Star Trek order environment. You know where your your, like, reputation is your currency. So therefore Mhmm.
Wade Wells:Because we can't trust people, you have to trust their reputation and the people around them. Yeah. Yeah. Get a rep oh my god. That's another Black Mirror.
John Strand:It's But really awesome.
Corey Ham:Like a skeleton with a Santa hat. I don't know. I can't tell what It's
John Strand:got punk rock, Misfits vibes. I wanna call it the CTF winners, Ninja Cat. Congratulations, Ninja Cat. You get one year on demand access to the Antisyphon Security training platform, which our full catalog is available still for Black Friday. Just go to Antisyphon's website, And you should see a banner at the top.
John Strand:And then QNS came in second, QNS, and they get one Antisyphon training class of their choice. So hats off to both of them and their hard work. By the way, if you're wondering what this is, join our Discord server and you'll see that there's a CTF Discord chat. And you can get in there and get more information about what this is. But the point is, our webcast, we're trying to add in more hands on little micro CTF challenges with every single webcast that we do instead of making them passive.
John Strand:So with that, let's take it out. Thank you so much, everybody. Go forth and do awesome things, and we'll see you in the New Year.
Corey Ham:See you in twenty six seven.
Charles bsdbandit:Later. Now.
Corey Ham:Dude. That
Wade Wells:is Yeah. Pretty
Hayden Covington:We're still here. '25.