Talkin' Bout [Infosec] News

This week on BHIS - Talkin' Bout [infosec] News, the team discusses the Polymarket supply chain compromise that led to the theft of millions from a small number of high-value accounts, emerging phishing campaigns abusing OpenAI invitations and Microsoft 365 device code authentication, and recent Oracle security updates. They also cover convictions tied to the Transport for London and U.S. healthcare intrusions, Google's Android earthquake warning system, concerns over MITRE ATT&CK evaluation methodology, and the ongoing debate surrounding threat intelligence researchers interacting with cybercriminals.

Join us LIVE on Mondays, 4:30pm EST.
A weekly podcast with BHIS and friends. We discuss notable infosec and infosec-adjacent news stories gathered by our community news team.
https://www.youtube.com/@BlackHillsInformationSecurity

Chat with us on Discord! -
https://discord.gg/bhis
🔴 live-chat


Chapters
  • (00:00) - PreShow Banter™ — The Next Webcast Thing
  • (00:14) - Polymarket's Bad Bet with Third-Party Vendors - 2026-06-29
  • (03:56) - Story #1 - It's looking like a hot, messy summer for security teams as AI finds countless previously hidden vulns
  • (07:49) - Story #2 - FBI issues urgent Kali365 security warning for Teams, Outlook, OneDrive users
  • (08:55) - Story #3 - heavener: This is what happens when you can't afford EDR licenses
  • (18:50) - Story #4 - Ex-Huntress analyst claims company insider fed info to a ransomware crim. Social media drama ensues
  • (31:59) - Story #5 - I Could've Rickrolled the Entire FIFA World Cup. All I Needed Was My ID.
  • (36:14) - Story #6 - CISA Adds Four Known Exploited Vulnerabilities to Catalog
  • (37:09) - Story #7 - Victory! 702 has Expired!
  • (37:43) - Story #8 - Scattered Spider Hackers Plead Guilty on Day 1 of Trial
  • (40:52) - Story #9 - Polymarket customers lose $3 million in supply-chain attack
  • (44:56) - Story #10 - Bad cybersecurity by Secret Service agents put US officials at risk, inspector general says
  • (49:31) - Story #11 - How Android Earthquake Alerts System Works
  • (53:47) - Story #12 - Cybersecurity firms targeted by fraudulent OpenAI organization invites
  • (59:34) - Story #13a - The Trojan horse of cybercrime: Weaponizing SaaS notification pipelines
  • (59:59) - Story #13b - Order-tracking app Shop abused to push callback phishing attacks
  • (01:04:29) - Chinese AI vs. Anthropic Mythos | BHIS [In Focus]

Links
Story #1 - It’s looking like a hot, messy summer for security teams as AI finds countless previously hidden vulns
Story #2 - FBI issues urgent Kali365 security warning for Teams, Outlook, OneDrive users
Story #3 - heavener: This is what happens when you can’t afford EDR licenses
Story #4 - Ex-Huntress analyst claims company insider fed info to a ransomware crim. Social media drama ensues
Story #5 - I Could’ve Rickrolled the Entire FIFA World Cup. All I Needed Was My ID.
Story #6 - CISA Adds Four Known Exploited Vulnerabilities to Catalog
Story #7 - Victory! 702 has Expired!
Story #8 - Scattered Spider Hackers Plead Guilty on Day 1 of Trial
Story #9 - Polymarket customers lose $3 million in supply-chain attack
Story #10 - Bad cybersecurity by Secret Service agents put US officials at risk, inspector general says
Story #11 - How Android Earthquake Alerts System Works
Story #12 - Cybersecurity firms targeted by fraudulent OpenAI organization invites
Story #13a - The Trojan horse of cybercrime: Weaponizing SaaS notification pipelines
Story #13b - Order-tracking app Shop abused to push callback phishing attacks
Chinese AI vs. Anthropic Mythos | BHIS [In Focus]

🔗 Register for FREE Infosec Webcasts, Anti-casts & Summits
https://poweredbybhis.com

Brought to you by:
Black Hills Information Security 
https://www.blackhillsinfosec.com

Antisyphon Training
https://www.antisyphontraining.com/

Active Countermeasures
https://www.activecountermeasures.com

Wild West Hackin Fest
https://wildwesthackinfest.com

Creators and Guests

Host
Bronwen Aker
Bronwen Aker is a BHIS Technical Editor who joined full-time in 2022 after years of contract work. She brings decades of web development and technical training experience to her roles editing pentest reports, enhancing QA/QC processes, and improving public websites. Outside of work she enjoys sci-fi/fantasy, Animal Crossing, and dogs.
Host
Corey Ham
Corey Ham has been with Black Hills Information Security (BHIS) since 2021 delivering red teaming and OSINT services. Currently, Corey leads the ANTISOC team at BHIS, providing subscription-based continuous red teaming to BHIS clients. Outside of his time at BHIS, you can find him out in the woods or up on a mountain somewhere.
Host
Hayden Covington
Hayden Covington joined Black Hills Information Security (BHIS) in the Summer of 2022 as a SOC Analyst. He chose BHIS after hearing many great things over the years and seeing the quality of work, as well as finding people who have the same passion for the field as he does. His favorite part of the job so far has been the community. Previously, Hayden worked in a SOC for a Naval contractor, where he also served as their SOAR project manager and SME, as well as insider threat lead. When he’s not working, Hayden can be found doing anything athletic (like triathlons!), as well as enjoying video gaming and Formula 1.
Host
John Strand
John Strand has both consulted and taught hundreds of organizations in the areas of security, regulatory compliance, and penetration testing. He is a coveted speaker and much loved SANS teacher. John is a contributor to the industry-shaping Penetration Testing Execution Standard and 20 Critical Controls frameworks.
Host
Ralph May
Ralph is a U.S. Army veteran and former DoD contractor who supported the United States Special Operations Command (USSOCOM) with information security challenges and threat actor simulations. Over the past decade, he has provided offensive security services at Optiv Security and Black Hills Information Security (BHIS) across various industries. His expertise spans network, physical, and wireless penetration testing, social engineering, and advanced adversarial emulation through red and purple team assessments. Ralph has developed several tools, including Bitor (set to release in January 2025) and Warhorse, which enhance efficiency in penetration testing infrastructure and operations. He has spoken at numerous conferences, including DEF CON, Black Hat, Hack Miami, B-Sides Tampa, and Hack Space Con.
Host
Wade Wells
Wade Wells has been working in cybersecurity for a decade, focusing on detection engineering, threat intelligence, and defensive operations. Wade currently works as a Lead Detection Engineer at 1Password, where he helps build and mature scalable detection programs. Outside of his day-to-day work, Wade is deeply involved in the security community through teaching, mentoring, podcasting, and running local events.
Producer
Meagan Bentley

What is Talkin' Bout [Infosec] News?

A weekly podcast with BHIS and friends. We discuss notable infosec and infosec-adjacent news stories gathered by our community news team.
Join us live on YouTube, Mondays at 4:30PM ET.

John Strand:

By the way, Corey, expect to fly on this one because I'm getting ready for the next webcast thing.

Corey Ham:

John's like, I'm doing my own podcast with blackjack and hookers, and you're not.

John Strand:

Carry on. Have fun.

Corey Ham:

Hello, and welcome to Black Hills Information Security's Talkin' Bout [Infosec] News. It's 06/29/2026. We're definitely not gonna talk about AI today.

John Strand:

Swear at

Corey Ham:

half our articles are not AI.

Ralph May:

I I at this point, I don't know how you avoid it.

Corey Ham:

Like, it was That was a lie.

John Strand:

Yeah. We're gonna talk to AI. They're all chickens.

Corey Ham:

No. I I knew it was a joke. I just

John Strand:

yeah. I I I got a chicken story. We can do we can do Yeah.

Ralph May:

Let's start again. Always

Wade Wells:

on the shot.

Corey Ham:

Chicken story. Usually, we make people wait until the end, but let's just flip it the other way around. Let's do chicken first.

Bronwen Aker:

Must have chickens. Must have chicken.

John Strand:

Oh. Oh, now we're recording. Okay. So now

Corey Ham:

it's like Now we can We've

John Strand:

gotta get this. We've gotta get this. So the chicken story is I spent all weekend cleaning out a chicken coop.

Corey Ham:

You're making your own chicken story?

John Strand:

Yeah. I'm making my own chicken story. This is a personal chicken story.

Corey Ham:

Right? Okay.

John Strand:

So we had a bunch of chickens, and I like our chickens. I used to hate them, now they're now they're pretty cool. We got about 27 new chickens because, you know, the price of eggs and all. And I I I spent so a skid steer bucket, I don't know exactly how much weight a skid steer bucket can hold, but I shoveled out six full skid steer buckets. With the skid steer, by hand into the bucket.

Corey Ham:

Into the skid steer.

John Strand:

Into this bucket.

Corey Ham:

That's a lot of character.

John Strand:

It was a lot of character building. It was a lot like, I could just feel the Infosec thought leader just evaporating.

Bronwen Aker:

But did the chickens build any character?

John Strand:

No. They didn't. They didn't.

Corey Ham:

Usually, you you shovel metaphorical garbage. Now you're shoveling

Bronwen Aker:

Did they build any flavor?

John Strand:

Yeah. Just little little chicken chicken crap. But now that's what I I spent a good portion of this weekend. And I I think about it a lot when I'm shoveling shit in like a corral for cows or chickens. It's like I said, man, you gotta get that Infosec thought leader out of your head.

Corey Ham:

Wait. Was it RSA last weekend, John?

Corey Ham:

Oh, sorry. No. That's bad joke.

Wade Wells:

Oh, I see.

John Strand:

I see. I see.

Corey Ham:

Alright. Anyway, we have a beloved cast of characters here. You can look at your screen and or listen and hear our beautiful voices. But you have me, Corey Ham, director. I promoted myself to director, John.

Corey Ham:

Is that cool?

John Strand:

That's fine.

Corey Ham:

That's I'm a director now. I'm director of continuous pentesting, which if you're wondering what a director does, they sit in that chair with their name on it and do nothing else from what I understand. We have Ralph, who is here drinking some ice. Ralph only drinks ice. He doesn't drink any water.

Corey Ham:

It's like a little known Ralph fact. We got Bronwen who's gonna teach me about rags. And I don't mean the kind that John was using last weekend to clean out his chicken coop. We've got Wade, who's is that a BHIS shirt? Are you

Wade Wells:

Oh, yeah. Yeah. It's a honeypot shirt. It's a honeypot shirt.

Ralph May:

Okay. I was worried.

John Strand:

I like that one.

Corey Ham:

I thought it was I don't have one.

Wade Wells:

I do too. I think this is like one of the best ones recently. Right?

Corey Ham:

That's pretty good. Yeah. That's part of the March or what is it? Summer twenty twenty six?

Wade Wells:

I'm surprised Disney hasn't stepped in yet.

John Strand:

But I think Isn't Pooh Bear that version of Pooh in Creative Commons?

Wade Wells:

I believe it is. Probably does. Oh, okay then. Oh, yeah. Because the remember that movie they came out?

Wade Wells:

It's like Blood and Honey or whatever. Yep. Okay.

Corey Ham:

Now that being said What is Xi Jinping might be a little upset. But anyway Yeah. So let's get into the news. We have I mean, there's a lot of AI stuff. Essentially, there was an article in The Register that's basically I don't the the terminology of this is a little weird, but essentially, the article headline is it's looking like a hot messy summer for security teams.

Corey Ham:

I mean, they definitely

Bronwen Aker:

have That's the news update.

Corey Ham:

Like, I don't yeah. I don't really know what that means. Hot, messy. But basically, this is a an article or, like, a statement made by Dan Lorenc or Lawrence. I don't really know how to say that name, who's the CEO and co-founder of Chainguard.

Corey Ham:

Basically, open source projects are drowning in bugs, so is everyone else. This is nothing necessarily new, but it is gonna get hot and messy. So that's, I guess

Wade Wells:

The new part?

Corey Ham:

Good? Bad? People you know, essentially, it's like this is real. So it's another CEO like John making another statement about AI is real. Yep.

Ralph May:

Is it?

Corey Ham:

Not exactly super crazy. But

Wade Wells:

You know, I'm just waiting for blue team summer, you know, just like one of those where the defense just

Corey Ham:

You have

John Strand:

done you had it the past five, six years.

Ralph May:

You guys have been laughing in it.

Corey Ham:

Look. Okay. Get on the car. Blue team. Yes.

Corey Ham:

Blue team was on the bottom of the wheel. Like, you know, it's like the wheel and, like, red team's on the top and then it rolls

Wade Wells:

But you're doing a Game of Thrones here? Don't know

Corey Ham:

if it's Game of Thrones. I feel like it's I I feel like it's some kind of CEO analogy that I picked up along the But, list basically, blue team after the CrowdStrike blue screens, feel like that was you guys are really that was a tough one for you guys. But after that yeah. That was those tough ones. We just sat around and we're like, I guess it's a vulnerability.

Corey Ham:

That sucks.

John Strand:

I wonder how many red teams got blamed for that. Like, what Yeah. How many pentest hours? Like, how many pentest firms got blamed for that blue screen from CrowdStrike? Like, what did you do?

John Strand:

It's like, I don't know. So

Corey Ham:

You guys were on top of the you know, after that after that crowdstrike incident, you rotated back onto the top of the wheel. And now you're on the bottom of the wheel again. I'm sorry.

John Strand:

You might stay there for a while, actually. Wade, you may wanna think about joining the offensive side of the house.

Wade Wells:

Maybe. Maybe. Maybe. Maybe. Blue team is yeah.

Corey Ham:

It's just fun to break things. And everyone's like, I can break things now. But yeah. Anyway, that's a fun little kind of nothing burger of an article, but still worth addressing.

John Strand:

I I like this because we need more affirmation. I got a question in that article. I've got it open right now. Let's see what they say about hiring.

Corey Ham:

Mhmm. You know,

John Strand:

the word hire, it's not in there. Training. Nope. It's not in there. So this is a this is a wonderful article that spoke nothing of us desperately needing to hire more people to deal with the level of crap that's coming down the pipe.

John Strand:

Like so that's that's a bit of a concern that I have with this type of article is, you know, what are we going to do? And I'm sure that whoever this person is

Corey Ham:

It says,

Ralph May:

like, hire more agents, John.

John Strand:

Yeah. I think that it's a it's a somebody with some

Corey Ham:

more product

Wade Wells:

somewhere in return. Where

John Strand:

is the where is the product that they're trying to sell? Clearinghouse of reporting bugs. I I yeah. I just I keep coming back to it.

Corey Ham:

It's like or whatever they're calling here.

John Strand:

You all need to start you all need to start hiring and training a of

Ralph May:

is to protect open source software from AI attacks.

Corey Ham:

There you go. Oh, but Chainguard

John Strand:

is the is the product. Build better software. So it's Chainguard. It's an advertisement for Chainguard. Who wins

Corey Ham:

the It's an advertisement. That was it was guaranteed.

John Strand:

Well, but hold hold on. Not crapping on Chainguard. Doing an open source project, giving back to the community is the best way to sell your product. So kudos to that. Kudos to that.

Corey Ham:

Alright. So let's get into our hot messy summer.

John Strand:

Yeah. Let's do it. Yeah. The whole thing.

Corey Ham:

So there's a couple of vulnerabilities added to the KEV. There's a Cisco SD-WAN vulnerability. There's an Oracle E-Business Suite. Who doesn't love E-Business? It's best.

Corey Ham:

Oracle, so secure. Yeah. There's a handful of vulnerabilities added in. The FBI also issued a warning about Kali365, which if you're thinking that sounds like a really crappy pen testing tool, yeah, it basically is. But the FBI is still warning you about it.

Corey Ham:

Essentially, it's a scam that targets Microsoft 365 users essentially, you know, phishing and device code phishing through Teams, Outlook, and OneDrive. It looks for OAuth device codes, sneaks past MFA because it's grabbing the device code authentication. Basically, FBI specifically has warned you to disable this device code phishing. Or you can let people

John Strand:

know what news story it is because

Corey Ham:

Yeah. I just pasted it in the I just pasted it in the Discord.

John Strand:

Meagan is scrambling to try to find that.

Corey Ham:

Sorry, Meagan. Little

John Strand:

kitty. There we go. Right there.

Corey Ham:

What else we got?

John Strand:

There it is.

Corey Ham:

I mean, there's some fun vulnerabilities that have happened this week. I feel like the other article, which I don't even know if it's in here, but this everyone's been blowing me up about this.

John Strand:

Which one?

Corey Ham:

Is that, like, EDR testing framework article? You know what I'm talking about, Wade?

Wade Wells:

Mhmm. I I don't. I know I probably know what EDR testing framework you're talking about.

Corey Ham:

Heavener or whatever? No. This so this this one has hit my radar in a couple different places and is really fascinating. If you're into, like, malware development exploit development, This is a super interesting tool. I'm gonna link it.

John Strand:

Once again, gotta get that one.

Corey Ham:

Off script. Gotta get that script here. There we go. This is an article. Yeah.

Corey Ham:

So here it is. So basically, this is someone I don't actually know this researcher, Otter. I don't know exactly who this is. But basically, this is someone who builds basically an EDR test engine that supposedly matches the behavior of commercial EDR. This is not, at least to my knowledge, going public.

Corey Ham:

Basically, the the researcher is super worried about the implications of taking this public, which is which is fair.

John Strand:

They're gonna write a big, huge, long website about it.

Corey Ham:

But they're gonna basically tell you how they built it and and kind of let you sort of decide on your own how you could implement this. But yeah, it's super interesting. If you're like an exploit developer type person or malware developer, This has probably already hit your radar, but it it is really unique and interesting.

John Strand:

This also is really well written. It's not like it is wavy wavy. It's like literally it's almost like they're not releasing it, but kinda releasing

Corey Ham:

it at the same It's like a POC where it's like Yeah. Then there's a ROP gadget dot dot dot. Like, maybe something will happen if you do this. Like but, yeah, I mean, I think I guess, like, my question for the the for the panel is like

Ralph May:

You know,

Corey Ham:

let's say hypothetically, you develop this. So like in your garage, you reverse engineered a bunch of EDRs, and now you have an open source tool that can basically be used to emulate them and analyze how they work. Do you go public with this? Do you do you risk it? Like, is a big one.

John Strand:

So I I for me, I'm of two minds. Like one, absolutely release it. You know, things are only fragile until they break. Right? That's kind of the old school security model.

John Strand:

I can see that, like, it's too dangerous, but I think what I would like Otter to think about is the adversaries, one, can totally read this article and piece together what they did. So it's not like by not releasing it, he's making the Internet a safer place. But then again, at the exact same time, does it actually change anything? Like, I think almost every company that's out there has EDR bypass techniques. What I would like to see here's what I would like Heavener to be part of is part of the MITRE evaluations project.

Wade Wells:

Yeah. Yeah.

John Strand:

Where we can have something like MITRE doing the evaluations and truly get something in there, like, maybe get completely independent people that bypass EDR for a living to give us a really good unbiased view of which EDRs are performing and in what conditions. Because right now, I get what MITRE's trying to do. I do. I understand the politics of it. I do.

John Strand:

But I'm also gonna say I think it's hot garbage. I don't think that people are getting value out of the MITRE Engage framework because it literally comes across that every product wins MITRE Engage or not Engage, MITRE or what do they call it? The evaluations. Engage is their cyber deception thing, which I've been teaching today. So that's the Freudian slip.

John Strand:

So that's my take.

Ralph May:

What do you

John Strand:

guys think?

Corey Ham:

John, you stole my take.

Wade Wells:

I totally agree. Like and also then have, like, go get some college students to actually set up the network and then clone the network and then install this on it. Right? So then they play on the same field. The one thing with the evaluations on is they also just like lock completely lock it down as as an EDR goes.

Wade Wells:

And no one's gonna be able to run that way if when it with that type of EDR. Like Right. There's always exceptions.

John Strand:

They also do like MSSP enrichment, where their sock is watching the telemetry from the product. And they know that the evaluation is going on. Like, it's and this is what they had to do, Wade, to get the vendors to play.

Wade Wells:

And that that makes more sense.

John Strand:

The vendors wanted to look good. They don't wanna go into this and look bad. So MITRE had to make had to make sacrifices. So it's so frustrating.

Corey Ham:

Yeah. I mean, keep in mind, this is reverse engineering of their products, which is very much like they're like, Oh, this violates our TOS. I don't know if it's

John Strand:

legal. It's

Corey Ham:

completely legal. Interesting. So I mean, I like their TOS, they they can nuke your account, but they can't do any take any any other action.

John Strand:

That is true. They absolutely could nuke your account.

Corey Ham:

Okay.

John Strand:

But it basically goes back to the Consumer Protection Act. The Consumer Protection Act, basically, you can you can talk about the shortcomings of any product publicly. Anytime you have a nondisclosure agreement with the vendor, you can completely ignore that particular clause. Just eat it into the sun. The other thing is the Digital Millennium Copyright Act.

John Strand:

A lot of vendors like to come at you with the Digital Millennium Copyright Act, but all you need to do, and I've made this joke before, is you can reverse engineer any product for the purposes of interoperability. So you can reverse engineer a product to make it interoperable with other products, including

Corey Ham:

Like like my commercial C2 framework. Yeah. Exactly.

John Strand:

So, you know, it's really it's really hard. And this goes back to I can't remember. It was a long time ago, but we really, really pissed off Cylance. Cylance was threatening to sue a bunch of security researchers. So I had Dave go through the blog is still up on our website if you wanna go find But Dave went through and bypassed Cylance every single day of the week.

John Strand:

And they we published how to bypass Cylance on Monday, then a different one on Tuesday, different one on Wednesday, and so on. And the whole point of that was to make sure that Cylance would sue BHIS. Unfortunately, they didn't. I was excited because that's great publicity. I know.

John Strand:

I know. I know. But the the reason why I bring up that story is there's so many people that are so afraid of AV companies, and they don't wanna release their research publicly. And if you don't wanna release it because it's helping your business, awesome. I'm with you a 100%.

John Strand:

But if you're like, hey. You know, I don't wanna release it because I'm afraid that they're going to sue me, rope BHIS in. We're happy to get sued by EDR companies.

Corey Ham:

So, Otter.

John Strand:

A It's a bast.

Corey Ham:

No. I don't know where this person works or who they are, but if you wanna hang out.

John Strand:

But I think that they did. I think they walked that line, Corey, about as well as anybody could possibly walk that line rather than just have way hand waving and saying, I did this thing. It's like got code snippets. It's got explanations. It's literally a blueprint.

John Strand:

And also this person knows what the hell they're doing.

Corey Ham:

It's beautiful. Anyone else have a take on this? Wade? Is this is this like

Wade Wells:

I say, miss it. Like, there are there's like John said, right, they're already bypassing it. There's I my my first one is always just think like vulnerable drivers. Right? Bring your own vulnerable drivers in.

Wade Wells:

Like, the your EDR isn't gonna be the end all be all. You should be building detections everywhere. So go for it.

Corey Ham:

It'll make everyone more secure and it'll hurt in the process.

Ralph May:

The only reason they don't release it is so that those detections don't get just passed right away. I mean, that's

Corey Ham:

the only That's also true. That's a good point. Yeah. We didn't cover that. It's like, once you document how an EDR behaves, they can change how it behaves.

Ralph May:

Yeah. It's just like the flip side of it. But it it doesn't, like the idea the idea that if you don't release this, you're making the world a safer place is silly. It it doesn't. It's a that doesn't It doesn't the needle.

Ralph May:

It doesn't move the needle at all. Right?

Corey Ham:

Especially when, if we're being honest, I bet you I could take this blog post, plug it into Claude, and be like, make this for me, buddy. I can definitely do it. I'm like,

John Strand:

I'm gonna Ralph, I'm gonna I'm gonna throw a counterpoint out there.

Corey Ham:

Uh-huh. I think it

John Strand:

does make the world a better place. And and the only reason why research like this and what we've done in the past with, like, the Sacred Cash Cow Tipping series at BHIS is we we gotta counter program. Right? There's so many CTOs out there that live off the marketing from all of these vendors, and they start to believe the hype and the bullshit that their products are a 100% effective, zero false positives guarantee. And I think that stories like this are important as a way to push back against that narrative.

John Strand:

And that's that's that does have value, I would say.

Ralph May:

No. I mean, I actually I I totally agree with you, John. I I was just trying to I I think my my bigger my bigger point here is that when people hold it back thinking that they're the only ones that hold Oh, reality or something like that, like, it doesn't really move the needle. Like, there's so much more of that out there as well. Not to be I'm not even trying to, like, hate on or say you don't have something amazing.

Ralph May:

He he probably does or whatever. It doesn't really matter. The the point is is that and to your point, releasing it is better for everyone, the better good. And still making this article, it's I'm fine with that as well. Like, telling you that, hey.

Ralph May:

Look. This is kind of a road map of, like, how you guys could do this too. Right? But I just don't feel like releasing it is is okay as well.

John Strand:

I agree. And I and I think I think what somebody had mentioned, turn this into an evaluation, unleash a bunch of, like, PhD, masters, and college students that know what the hell they're doing, and let's tear the hell out of EDR systems. Let's get under the hood and see how they actually function. And honestly, the more we do that, the better they'll be.

Ralph May:

Open weight EDR. There you go. Oh.

Corey Ham:

Tell me where to sign.

John Strand:

Model and smoke. Tell me tell me

Corey Ham:

where to sign. I'd like to buy that. It's so good. Yeah. I guess, the other thing that kind of I don't know.

Corey Ham:

This is kinda getting into a little drama. Like, I don't know if we necessarily need to cover it, but I'm curious if anyone's been following it that closely. Is all the Huntress stuff that happened? Yes. Did you guys follow

John Strand:

this? Get article up. Let's get the article up

Corey Ham:

real quick. Yeah. There's I can't

Wade Wells:

know saw that.

Corey Ham:

I don't necessarily know if there is an article, honestly. It was kind of a series of LinkedIn posts. And I don't know. Like, I'll I'll try to find something, but there's not I don't think this has been covered by the news. Sorry.

John Strand:

I this. I missed

Corey Ham:

this completely.

Ralph May:

Is it the insider?

Corey Ham:

Yes. Basically ransomware. Yeah. I'll throw it on I got

Ralph May:

an article for you.

Corey Ham:

That's okay. There's an article.

Bronwen Aker:

I remember reading that. It's basically saying that there was somebody inside Huntress who was I'm not sure if it was blackmailing

Corey Ham:

or

John Strand:

This is they were

Bronwen Aker:

Or something else somebody else.

Corey Ham:

Yeah. I just pasted the article in the in the description.

Bronwen Aker:

It said that they had the evidence. They were going to present it. And yep. There we go.

Corey Ham:

Basically yeah. I love it. It's social media drama. Yeah. It's social media drama.

Corey Ham:

I don't wanna spend too long on this, but I do wanna consider the implications of this. This is because because we're getting into essentially, I think I'm gonna give my take on this, John. I'm curious if you have a take as well.

Ralph May:

But

Corey Ham:

basically, we are getting to the point where I think the closest situation to draw here is, like, spy craft, essentially, is what it makes me think of. Because you're essentially in a scenario where Huntress is performing threat intelligence activities of various types and and purposes. Right? And they are having a bunch of different people working on different projects, some of which are probably, I don't know if you call them classified or whatever, but sensitive projects internally. And there's a difficult thing to be balancing transparency of, like, telling, here's what we're doing at our company.

Corey Ham:

We're trying to impersonate and go after threat actors. We're sharing information with government agencies. We're doing stuff that other people might consider to be sketchy. Right? But also trying to balance out not, you know, breaking or disclosing or scooping, like, investigations that are underway or other, you know, kind of situation.

Corey Ham:

So basically, like, the long story short for those that are, you know, following this, there isn't really, I don't think, a final situation. Like, don't think that unless it's updated since I read it, there isn't really a there isn't really a final, like, situation with this. There's like a

Hayden Covington:

lot of Reddit and LinkedIn posts.

Corey Ham:

Yes. It's a it's a lot of Reddit and LinkedIn posts. But also, interestingly, as another sort of update to this, like, to to finalize out, like, the catch up before we get into discussion of it, is that a ransomware group today listed Huntress on their portal. So Akira is the the Akira ransomware group listed Huntress claiming they had breached 88 gigs of Salesforce data. So, like, I don't know if this is all connected or if these two events are completely unconnected.

Corey Ham:

I don't know. But I don't know. Has anyone been following this closely enough to have, like, a more specific take on this?

John Strand:

I I wanna talk about I wanna talk a little bit about the whole accusation that somebody at Huntress was talking with a cyber criminal. Huntress' response is they do threat intelligence and they do interact with the criminal underground. And I think if you look at a lot of companies that do threat intelligence, think that that happens quite a bit. I know for me personally, I've you know, I set up a lunch with somebody that was a Chinese hacker just having lunch. Right?

John Strand:

Was was I supposed to, like, turn that person in and make sure they got to jail? It was a good conversation. Right?

Wade Wells:

Learned a lot

Corey Ham:

about after this, man. I'm hungry. Yeah. I I

John Strand:

it was a good conversation about what their life was like, the things that they were focusing on. And I don't know, man. Like, is that is that something that should be illegal? I I don't know. I mean, we don't have enough information to go off of this.

John Strand:

And having a disgruntled employee that's throwing a bunch of shit on the wall right now, I think anytime you have that happen, you gotta take it with a grain of salt, and you gotta wait and see if there's any more information that comes out. But until you get another side of the story or you get more clarification, I just wouldn't trust the thing this person says until they until they start posting a little bit more details. Because my fear is Huntress was doing Huntress things. They were doing threat intel. They were in fact communicating with some nasty threat actors.

John Strand:

Also, ransomware negotiations on behalf of their customers. Right? That is something that's gonna involve some level of communication. And to be honest, there are employees, a lot of security companies that think that any communication and any kind of negotiation is a bridge too far for their morals and their ethics. And I respect people stepping away for those types of things.

John Strand:

But I I there's just not enough information here to go one way or the other.

Corey Ham:

I yeah. I agree.

Ralph May:

Go ahead.

Bronwen Aker:

Another hot take on this is that why wouldn't we treat communications between threat hunters and adversaries in a similar light to how we treated spies having back channels during

John Strand:

the cold war? Absolutely. I did. You know? Mean

Wade Wells:

didn't even

Bronwen Aker:

Those are so valuable.

John Strand:

But you totally could be paying off some of these people to get information. Right? You could say, hey. This we got this information about this customer who appears to be breached. You know?

John Strand:

Here's a thousand in Bitcoin, thousand dollars in Bitcoin. Can you confirm or deny this? They're they're basically a source. They're a human source. And I can see a company of Huntress's size.

John Strand:

I would think they would be negligent if they didn't have human sources that they were actively communicating and possibly even paying money to to get that data.

Bronwen Aker:

I Law enforcement, they have confidential insiders. They've got they've got CIAs.

Corey Ham:

Yeah. I mean

Bronwen Aker:

I know that most no. Have I frozen again?

Corey Ham:

No. You're good. We can hear you.

John Strand:

No. No. We got you.

Bronwen Aker:

Okay. My my screen froze. That was why I didn't know. No. I mean, law enforcement uses informants.

Bronwen Aker:

Why is this not a norm? I mean, granted, we don't have the law enforcement mandate.

John Strand:

And Bronwen, that could be part of it too. Huntress could have been working with law enforcement with full authorization from, like, the United States marshals or the FBI and communicating through back channels. It's entirely

Bronwen Aker:

And that's exactly the kind of thing they would not be able to divulge publicly. Yeah.

Corey Ham:

Yeah. So I the that'll super just to throw another wrench in this, and I do wanna get Hayden and Wade's and everyone else's take on this too. But the other thing that I thought was really interesting is, like, you read the you read the writing on the wall here and you're like, okay. This is just a disgruntled employee. Right?

Corey Ham:

It's someone who's upset, you know, they got, you know, their they switched to the night shift or I don't know. They're just mad. They're they're mad at their company and they want to do damage to them. But then this person, I believe his name is Ben Folland. If you look at his both his previous work, his qualifications, and, like, he talked at DEFCON and was, like, speaking specifically to, like, analyzing threat actor communications.

Corey Ham:

Like, he's in this industry. He should know how it works. He should know how the sausage gets made, so to speak. And so it's really interesting, I think, that, like, it's not just like a random, like, I was I was a janitor. I was I was cleaning up a printer, and I saw a bunch of sketchy documents.

Corey Ham:

Like, this is a person who 100% knows how this all works. And so it's kind of like, to me, that kind of is a unique situation of like, someone who should know how these investigations work and should be a part of them and has participated in them, but also is like seemingly confused or upset about how they are going. I don't know.

Hayden Covington:

Yeah. Yeah. I I can speak from, like, the, like, the SOC perspective. Communicating with customers can be very messy sometimes. I cannot imagine what it would be like communicating with an adversary in that sort of con context, because it will probably become very messy very quickly.

Hayden Covington:

And I could see how someone could misconstrue that or or misunderstand or maybe even, you know, a mistake was made. But these communications are are hard when you're at a one to one with this person versus when there's some adversarial nature there.

Corey Ham:

Totally. Wade, what do you think? I don't know about the situation. Like, you made some good points.

Wade Wells:

I don't I don't like, Huntress is normally pretty cool, so I don't know. Right? Their reputation is decent.

Corey Ham:

Right. They have a pretty yeah. I agree

Wade Wells:

with So I don't know what to believe that way, but I Insider threat is still always a thing. Right? That's always the easiest way. Yeah.

John Strand:

I know Kyle. John Hammond has been a friend of ours for a long time. Just cannot and it's possible. Right? It's absolutely possible.

John Strand:

But I cannot see that company being like, we need to be given information and helping the hackers. Like,

Corey Ham:

I I

Wade Wells:

I can't do that.

Corey Ham:

Yeah. I would say they they got in trouble, like, six months ago for going too far on a threat actor. Right.

Hayden Covington:

Like, you know, so yeet. Like

Wade Wells:

like Okay.

Bronwen Aker:

So now they're going the other way.

Corey Ham:

Yeah. No. Actually, a

John Strand:

little too harsh. We got beat up on that one. So here's some creds. Can you guys share this out on the dark web to help?

Corey Ham:

Gotta be sure that

John Strand:

We're going IPO. We need to make sure the hacker community is off It's the yeah.

Corey Ham:

I don't know. I I would guess it's just an example of, like, the worst possible communication breakdown that could occur of, because it's all on Reddit. Yeah. It's all on Reddit and LinkedIn. It's like, it's super unclear.

Corey Ham:

There's not really any facts on either side of the fence. They're both just like, no, you're a towel or what? Don't know. They're just like yelling at each other. You know?

Corey Ham:

But I don't know. It's it's an interesting I I more it's not I don't wanna, like, capitalize on other people's drama. It's more just to think about how far can a threat intelligence investigation go. Like, we talked to a lot of topics. You know?

Corey Ham:

John mentioned, like, paying a threat actor. Is that ethical? Buying breaches. Like, it brings up a lot of interesting, like, how far should it go? Is hacking back too far?

Corey Ham:

Like, what if you you know, it's yeah. I don't know. You know,

John Strand:

think about Remember. Hold on. You remember years ago, and it still might be like this. Corey, you'd probably know more. But if you wanted to be part of different groups in the hacking community, like the illicit hacking community, to get through the front door, you literally had to commit a crime to prove that you could hang with that group.

John Strand:

And there were absolute security companies that were doing that, sharing data in order to gain access to those back channels communication. I had one guy who wanted me to get involved in it. I I can find other ways to make money. And I understand their business model, and I don't wanna crap on it too much. It's just not something I'm comfortable with.

John Strand:

But, yeah, he was totally getting data and but, like, exploits in zero days and then using that as kind of currency to gain access to some of the forums where they would build trust so they could get information from these threat actors. I personally think that's skeevy as hell, but there's no way that that is an isolated case. There's tons of companies that are probably doing the same thing.

Bronwen Aker:

And, again, it's following a preexisting model in the real world because that's exactly how Yep. Gangs operate.

John Strand:

Yeah. You can already

Corey Ham:

get into the gang.

John Strand:

And I guarantee you that Huntress has multiple investigations going on right now where they're deeply coordinating with law enforcement in a variety of different ways. Guarantee it. Yeah. So and some of that, when they're working under the guise and they're running at the direction of, like, the United States Marshals or if they're working with the Secret Service or they're working with the FBI, yeah, they're probably gonna do some things that an employee not knowing the whole context would be like, well, that's weird.

Corey Ham:

So That was mostly straight to tell companies.

Wade Wells:

Right? You need you need to think about, like, the legal ramifications of seeing your company on an initial access broker website, and then you paying for it. Right? Or just seeing one of your accounts on it and paying for it because just because your account is mentioned or your domain mentioned doesn't particularly mean it's yours. And now you have access to allegedly possibly this person's entire life.

Wade Wells:

Right? So it a lot of weird stuff happens when you start messing around with dark web and that type of thing. And usually, for most corporations, you have to try to get legal involved involved to see where how far you're allowed to go. If you're doing intel from a corporate perspective. Yeah.

Corey Ham:

Wow. Buzzkill. Buzzkill. Wet blanket.

Hayden Covington:

He he mentioned the lawyers.

Wade Wells:

You gotta mention dude, you gotta mention the lawyers. That's the first person you gotta protect yourself. Right?

Hayden Covington:

And I would imagine Huntress involved their lawyers at every step of that process.

Corey Ham:

Oh, yes. 100%.

Hayden Covington:

Especially a company of that size. Yeah.

Corey Ham:

Yep. Alright. Anyway Let's let's pivot. Anyone got an article they want?

Wade Wells:

I got one. I'll even Go read

Corey Ham:

for it. Yeah. Drop it. I posted it in the chat. I posted it in the chat.

Wade Wells:

Supposedly, someone got access to FIFA's network. Right? So Oh, we carried it like

Corey Ham:

this last week.

Hayden Covington:

Did we? We did. I was yeah.

Corey Ham:

We did. We talked about But okay. But we can recover it because it is I was watching the World Cup this week just being like, man, I can break her all this sucks. Basically, for those that didn't catch this one, it used client-side RBAC, is how it was working. So for those that were it's a really interesting way of designing an app.

Corey Ham:

Tenant, basically horrible. They haven't yeah. It's a terrible way of designing an app. They have an they have an Azure tenant or an Entra tenant. You can self register into this tenant, but you'll be granted no permissions.

Corey Ham:

Okay? So basically, that's what the user did. They were granted no permissions, but the all the permissions were enforced client side. Oh, god. They were able to just, you know, basically be like, oh, no.

Corey Ham:

I actually am an admin. My browser said so. Like, this is like video game hacking from 1995. And they were able to see, like, the live streams, the possession. Basically,

Wade Wells:

they could

Corey Ham:

have edited the WebRTC destinations, and they could have Rickrolled the entire World Cup. They didn't, which I mean, I get it. The other thing we highlighted, Wade, which I thought was hilarious is at the end, it has, like, the log of everything they did to try to notify the vendor. Like, it's like it took them, like, nine tries, including, like, a personal favor they had to call in with the FBI or whatever.

Wade Wells:

And then and then they just patched it and didn't say anything. Right? Like No. It's all Literally, like,

Corey Ham:

t shirt. No, like, at least, like, a pair of Kid a pair of shin guards. Yeah. Like, give them a soccer ball or some Messi jersey. A jersey.

Wade Wells:

A jersey. Those jerseys are expensive. That's like a $170 a year. They know So is that.

Corey Ham:

So is losing your primary stream. But Yeah. Anyway, that's a funny one. Definitely, you know, client side, anything is bad. Yeah.

Bronwen Aker:

Yeah. What else

Corey Ham:

you got? Any other other articles from last week?

Wade Wells:

This why it's in there? I was the one week I wasn't on. Alright?

Corey Ham:

Like, I heard

Wade Wells:

It's not this.

Hayden Covington:

It's just It

Wade Wells:

It is, Wade.

Corey Ham:

Am I

Wade Wells:

in the wrong day? Like, guys, Bronwen sent me a link and that's how I got into the You

Corey Ham:

are in the wrong day, my friend. It's June 29, Wade. Today is June 29. They sent you the June 29 link. What's that?

Corey Ham:

How did I find

Wade Wells:

that? Good job. Job.

John Strand:

Y'all, I'm gonna step out and get ready for the webcast. By the way, folks, we'll share it in the links and Discord. We're doing an emergency webcast. It was on front page news about China matching Anthropic and cybersecurity and the Wall Street Journal and all kinds of things. And we're gonna be talking about China.

John Strand:

We're gonna be talking about AI hacking. We haven't been talking about that article in this newscast because we're gonna do a full one hour ambulance chasing newscast on that topic. And I might have some special guests joining. Exciting. Corey, if you wanna come.

John Strand:

It would

Corey Ham:

be awesome to have a podcast, John.

Bronwen Aker:

Nice try. Chanting.

Corey Ham:

Alright. I'll see you. I already have a podcast. We've already had one first podcast.

Wade Wells:

Yeah. But what about that?

John Strand:

That's fine. Some of us have been doing this for, like, five hours today. So fuck it. We'll just keep going.

Corey Ham:

Alright. Okay. Keep going, John. Twenty four hours. It'll be easy.

Hayden Covington:

Yeah. You did that before.

Bronwen Aker:

Aren't aren't we supposed to be doing another podcast? Show spacing today. No. It's a pre show conathon.

Corey Ham:

No. The pre show I don't I don't know.

Wade Wells:

Should be

Corey Ham:

a twenty four hour

Bronwen Aker:

con

Ralph May:

Dude, it'd

Wade Wells:

be so

Hayden Covington:

much fun. Just a whole bunch of Red Bull. You you guys can, like, come work with the SOC for a night. That'd be fun. We'll call in

Bronwen Aker:

That would be From

Hayden Covington:

the night shift. Yeah.

Corey Ham:

Alright. Anyway Totally cool. That'd be fun. Anyway Did we did

Bronwen Aker:

we hit a swear jar item?

Hayden Covington:

John, we did a couple. Hit a couple.

John Strand:

Okay. I

Wade Wells:

did what John did.

Bronwen Aker:

I I just don't pay attention. You know, somebody else can let me know and I'll I'll feed the kitty.

Corey Ham:

Anyway, we can talk about first of all, CISA KEV. If you have UniFi gear, if you use UniFi gear in your home lab, I think I mentioned this last week, but definitely patch it. CISA added four or three UniFi CVEs to the KEV list this week. Mhmm. All of them in improper access control, path traversal, improper input validation, all in CISA.

Corey Ham:

Not good. Patch your UniFi stuff, you do have to reboot. And then also a Lantronix one, which no one would expose that to the Internet, so it's fine.

Hayden Covington:

I I always love how I know when there's, like, a UniFi vulnerability of some kind. Because, like, all of my servers go down because it updates in the middle of the night, and I get a billion alerts on my phone when I wake up. Like, PagerDuty is trying to make me think somebody died or something, like

Corey Ham:

It's automatic, but you have to enable the automatic.

Hayden Covington:

Right. Yeah. You have to enable that piece.

Corey Ham:

Strongly recommend that. Also, this is an older article, but I found it interesting. Apparently, Section 702 of the Foreign Intelligence Surveillance Act expired.

Bronwen Aker:

702.

Corey Ham:

Yeah. It just expired on June 12, and we didn't talk about it on the show. But I wanted to bring it up because the you know, basically, this actually did happen. It's a win for privacy. And I feel like we should highlight that because it's been a long time since we had a win for privacy.

Corey Ham:

And yeah. So that's the EFF post. I'll send it in the Discord.

Wade Wells:

Yeah. 702 is bad news. There's a Scattered Spider one.

Corey Ham:

Yeah. They basically Well,

Bronwen Aker:

we also have chrome.

Corey Ham:

There's a conviction. Right?

Wade Wells:

I got the convictions. So it's two defendants pled guilty pretty much to hacking Transport for London. Yep. From 2020 the crazy part, there were 20 and 18. Right?

Corey Ham:

I was gonna say that well, that's at the time of being charged. The kid was 16 when he actually did it. Yeah. Or 14 or something. Like, it's so young.

Wade Wells:

One one of the defendants actually copped to hacking US healthcare, a couple US healthcare providers. The other one, US prosecutors have gotten to him. And they're they're saying he participated in 120 network intrusions against 47 US entities, which Dang. Pretty gnarly. Pretty cool.

Hayden Covington:

It's like almost kinda brisk. He

Bronwen Aker:

had no life.

Corey Ham:

Yeah. I was gonna say how bored can you possibly get?

Bronwen Aker:

I I've I've gone to school with kids like this. I I remember what it was like. They have no life. This is their their only justification. The 120 doesn't surprise me at all.

Wade Wells:

You just said there's a whole hacking for World of Warcraft and that was me.

Corey Ham:

I was about to say, if I'm

Hayden Covington:

gonna take, like, Xbox Game Pass, play some Forza, like, something

Corey Ham:

else for video games. Not a crime. And it's Yeah. Please. Dare.

Corey Ham:

Don't do hacks.

Hayden Covington:

Dude. One of those pays you is the problem. One of them costs you.

Corey Ham:

Well, pays you. But really, I think I mean, I could be wrong. I'm not like an expert on this. But I really do think

Bronwen Aker:

pay to play.

Corey Ham:

I I think most of these folks are motivated by clout chasing and the game more than they are the financial side of it.

Hayden Covington:

I bet it's

Corey Ham:

different thing. Think if you're financially I think if you're financially motivated, you are using better OPSEC and taking less risks, and you're probably not 16. Right? Like, I think Or being 14. I think a 14 year old's like, I don't need money.

Corey Ham:

I need, like, clout that I can post on TikTok or whatever. I could be wrong. But, like, that's

Bronwen Aker:

Also, they're funneling all the hormones that they would normally funnel into having social interactions into their hacking. So, of course, they're going off the chain.

Corey Ham:

Yeah. I mean, Scattered Spider did steal money. Like, they stole, you know, they they did. They but they weren't like Lazarus Group or something that, like, runs these elaborate long campaigns. I mean, I guess, you know, 115,000,000, that's that's a decent chunk of change.

Corey Ham:

But, like, you know, they're gonna have to pay most of that back. Like, it's not it's not super successful. They can't be, like, long lived. Anyway

Wade Wells:

They get sentenced July 15. So someone put a reminder in so you can see. Yeah. In The UK.

Hayden Covington:

So you can talk about it the week after.

Corey Ham:

And they'll put a they'll they'll put a fire stick in their prison room and then they'll have to act from a fire stick.

Bronwen Aker:

That week is gonna be a busy week for cyber security.

Wade Wells:

Man, yeah, you're right. That and the dude. Forgot about that guy. Alright.

Corey Ham:

Oh, the Polymarket hack is probably worth talking about. Right? Okay.

Wade Wells:

The huge Polymarket scandal. This

Corey Ham:

is this is a really interesting one. So Polymarket essentially yeah. And I apologize the news are the for some reason, the Notion is kinda wonky this week. But yeah. I'll I'll send it

Bronwen Aker:

in

Corey Ham:

Discord. Basically, the they were compromised in the supply chain attack. And the so essentially, they were able to threat actors were able to add a malicious front end script like JavaScript into the Polymarket website due to a third party breach. Not sure

Bronwen Aker:

who the

Corey Ham:

third party is. I think the other so first of all, the the money about $3,000,000 was stolen, and they're gonna reimburse it. Of course, they are because they wanna maintain their reputation. The other really interesting thing is that it only targeted 15 accounts. So they stole $3,000,000 from only 15 accounts.

Corey Ham:

That tells you the type of people that are betting on Polymarket, I guess. But I'm assuming they had some kind of logic to target the high value accounts or whatever, like some like a whaling type algorithm type deal. But yeah. Basically, users were tricked into approving fraudulent transactions on the official website after malicious JavaScript was injected. They're gonna reimburse the folks that got impacted.

Corey Ham:

It was only $3,000,000, which believe it or not for crypto is a very small amount of money.

Wade Wells:

That's nice of them to actually reimburse. Right? Like, I feel like we don't hear that too often. I

Corey Ham:

would say it's yeah. I mean, in the in most cases in crypto in this industry, they do their best to do that. But it's obviously if the numbers get too big, like, it's $500,000,000,000 or whatever, it's not gonna happen.

Hayden Covington:

It's probably insurance to a part of it too, I would imagine.

Corey Ham:

Yes. Definitely. A lot of the, like, crypto schemes and scams that we hear about, they do when they do reimburse because, I mean, obviously, you gotta look at the incentives of Polymarket. This looks bad. And if they didn't reimburse, everyone would just switch to, you know, Bali Market or whatever the other like, the same thing.

Corey Ham:

There's so many other betting apps. Like, it's a it's a network of the same thing offered from 10 different companies.

Ralph May:

Pervasive. I can't believe how you can just bet on anything. But anyway

Corey Ham:

You can bet on anything. And someone in the Discord did make the joke. Did they bet on themselves

Ralph May:

Yes.

Corey Ham:

Before doing that? Yeah. Like, made the bet. Polymarket gets hacked this week.

Hayden Covington:

Right. And then they get refunded. Like, can you imagine that?

Wade Wells:

That's that's

Hayden Covington:

the heist for sure.

Corey Ham:

Oh. I mean, you yeah. It it is really interesting though because I do I do know that Polymarket, like, they do investigate, like, the self. Like, there was a guy who, like

Wade Wells:

Yeah.

Corey Ham:

That's bet a bunch of money on whether there was gonna be the streaker and then he was the streaker. You know, like, that they will, like, negate those, obviously, fraudulent bets. It's it's almost like Yeah. Like, at

Hayden Covington:

this point, you can bet on anything. Like, people are betting on when Fable returns to Anthropic for you to be able to use. And, like, there's maybe some data points there where it spiked when they added back in references to the code of of Fable. So there might be some, like, usefulness for normal people. But I think at that point, when you're betting on somewhat ridiculous things like that, like, may maybe it just means that I don't have a ridiculous amount of disposable crypto to

Ralph May:

use out of stocks.

Hayden Covington:

A real problem

Corey Ham:

right there.

Hayden Covington:

I I guess. I'd rather go buy, like, U. Cases or something. Like

Wade Wells:

That's what you think. Yeah.

Corey Ham:

It is funny, though. Like, I saw this randomly. This is like a side tangent. But in I I saw this random YouTube clip of, like, Brewster's Millions or, you know, if you guys know that movie from back in the eighties.

Ralph May:

It's like the

Corey Ham:

guy who he has to spend all of his money in a certain, like, thirty days or whatever. It's like, nowadays, just one bet on Polymarket. You can rinse through the entire or or like Hayden said, know, CS GO cases. Can spend a million you know, $10,000,000 on loot boxes in like a a weekend of clicking.

Hayden Covington:

Yeah. And even if you lose, you get some stuff out of it. Right?

Corey Ham:

Yeah. You get some stuff. Get some really Yeah. Crappy field tested It's fine. It's fine.

Corey Ham:

Did you guys see the article about, like, bad OPSEC? Secret Service bad OPSEC?

Wade Wells:

No. We're

Bronwen Aker:

So No.

John Strand:

This is

Hayden Covington:

I was in the

Wade Wells:

wrong notion anyway or something. So is

Corey Ham:

a CNN article. Basically, the inspector general has essentially warned that Secret Service agents have left their phones vulnerable to hacking and risk the lives of US officials. Basically, they're claiming the the inspector general is claiming that foreign adversaries could intercept and exploit Secret Service information. There's not a lot of technical details on this. Basically, they were using text messages to exchange information.

Corey Ham:

So

Bronwen Aker:

SMS messages? Yeah. SMS. Oh, man.

Wade Wells:

Certain types okay. It's okay. Just everything just got switched to RCS. Right? We're good now.

Corey Ham:

Yeah. Oh, yeah. It's fine. Even RCS.

Hayden Covington:

So yeah. I'll get out of it.

Corey Ham:

The basically, they also use their personal devices to receive a picture message from local law enforcement of the assassin, you know, like, things like that. Like, they're they're using their personal devices, essentially. They're texting and they're using their personal devices.

Bronwen Aker:

Well, they're following examples set by people higher up.

Hayden Covington:

Well, I I would think that the an organization like that should know better than to utilize personal, like, BYOD policy for this kind of stuff. Like, this says they're using personal phones, they're traveling internationally or, like like like, with these phones that they don't then wipe. Like, if I have a work phone for my job, why do you, as the secret service, not have a work phone that you're supposed to use? Like, that that just seems like a really, really I could see why there were some people upset with them for that. That's just, like, why would you even have BYOD in the government space in any capacity?

Wade Wells:

Just just Yeah. Imagine you get on one of their phones and there's just, like, 17 different versions of Solitaire on there. Yeah. Right. Eight perks.

Corey Ham:

If you want a stakeout, enter stakeout post.

Bronwen Aker:

Each one had a different kind of malware inside.

Wade Wells:

Yeah. Right. Yeah. Probably. Yeah.

Corey Ham:

Yeah. I mean, I I don't know. Like, really, I would agree that, like, this is core to their mission. That, you know, doing things like making sure they have cell phone coverage. Like, you know, like, whatever take out

Ralph May:

the bathroom breaks.

Corey Ham:

I think more than anything, it's the I think this is the upshot of, you know, how have the there have been so much political violence that succeeded in the last few years. You know, clearly negligence. Yeah. Mean, I think part of it is negligence, and part of it is also just the it's a land it's a complex landscape. And, like, you they don't control the landscape always.

Corey Ham:

And so it's it's difficult. But this is egregiously bad, and I hope it, you know, gets better.

Wade Wells:

And government officials are hard to I've of example they used at the very end, where they talk about a Mexican drug drug cartel hired a hacker to surveil the movements of a senior FBI official in Mexico City in 2018, or earlier gathering information from the city's cameras that allowed the cartel to kill potential FBI informants. Like Yikes. That's pretty gnarly.

Corey Ham:

I mean, that's a long time ago. Like, twenty eighteen's a like, that's ancient history, but, like, this is hap. They're also claiming some cases in 2024. It's like, okay. 2018, you could argue, like, they didn't know any better or we didn't have RCS back then or whatever.

Corey Ham:

But like, you know, nowadays, they should know better. They shouldn't be like, hey, dude. I didn't get I didn't get that text. Can you just send it to my personal phone? Just send me the classified information on my personal phone.

Corey Ham:

Thank you. Like, that's like how did they not tabletop that? I don't know.

Hayden Covington:

It almost must be like a lack of repercussions for some of these things. Like, if you're a government contractor and you're in a breach of a contract because you process something on a personal device and something happens, you're just done. It's over for you. But if it happens in the government space, it's, hey, you guys messed up. Don't you dare do that again.

Hayden Covington:

We're gonna put out a new governance thing for all of our contractors to have to do now. Like, that usually seems to be how it goes, which is unfortunate because, you know, we're we should be I I would I would wish that we could be following those examples of those organizations as, like, the gold standard for what our security practices should should look like and what we should be emulating versus, you know, we have these very strict controls that are evidently not sometimes being followed as well as they should be.

Corey Ham:

Makes sense. Did you guys see that this kind of, like, not necessarily cyber security related, but I thought it was really interesting, is the earthquake and the war like, early warning earthquake warning system in Android?

Wade Wells:

Yeah. I've I've experienced this. Have you ever got one? I get

Corey Ham:

I've got have. Don't have an well, I typically do have an Android, but it's like my burner phone. I don't pay that close of attention to it. Okay.

Hayden Covington:

So I haven't seen that. Is that the hypertension alerts my phone sends me? My iPhone?

Wade Wells:

I linked to No.

Bronwen Aker:

It's it's earthquake warnings.

Corey Ham:

Yeah. I linked to Google blog. Basically, the the news article, there's also a New York Times article, which I'll link. It's paywall. But essentially Of course.

Corey Ham:

Phones alerted like, Android phones warned millions of people. But this is related to the Venezuela earthquakes that have been super tragic and very much damaging to that area and the people in that area. Mhmm. Well, yeah, basically, millions of people got alerts from their phones that, like, there's an earthquake coming and, you know, that probably saved an ungodly number of lives. But, yeah, basically, also has a post about it where it's it it only it's only available, I guess, to people in California, Oregon, and Washington where there are earthquakes in The US.

Corey Ham:

But, obviously, it's available internationally as well, which is really cool. When

Wade Wells:

it alerts, you only have you're literally, like, seconds. Yeah. I remember the last time it alerted, like, it went off and I looked at on the phone, it actually

Corey Ham:

tells was six you seconds. Yeah. It it said, in this case, it's seconds.

Wade Wells:

It told me that Six seconds

Bronwen Aker:

can be enough.

Wade Wells:

It's on me a category seven earthquake was about to happen, which is, like, one of the biggest earthquakes that North yeah. So I literally sat here, held my monitor. I'm like, alright. Here we go.

Corey Ham:

Held my monitor? Got his priority. Save the monitor.

Wade Wells:

Well

Corey Ham:

Oh my god.

Bronwen Aker:

And here's the thing. Six seconds in an earthquake is plenty of time to be able to get into position or at least get moving. It it

John Strand:

it Or stop your car. Like

Corey Ham:

Or stop your car

Bronwen Aker:

or yeah. Or stop your car or something.

Wade Wells:

It has to take seconds, Hold off your monitor. Mine was yeah.

Hayden Covington:

The was

Wade Wells:

Quicksave was pretty far out.

Bronwen Aker:

Yes. Quick save. F five for the win.

Wade Wells:

I had, like, probably two seconds until it alerted till I I felt it. Bigger thing is I was

Corey Ham:

like quick plus. Are you not paying five

Wade Wells:

quick plus?

Ralph May:

You get extra three more seconds. By the way, can assume the position, which is putting your head between your legs and kissing your ass at the

Wade Wells:

bottom. Yeah.

Corey Ham:

If it's above a nine or magnitude, you you just don't have to do anything because you're gonna die anyway.

Hayden Covington:

Yeah. That's unless you have the the earthquake season pass though. That'll just

Wade Wells:

happen. Yeah.

Ralph May:

I have to go for I

Wade Wells:

it's cool.

Bronwen Aker:

One of the things though about the the earthquakes in Venezuela, if anything is proof positive that the regulations that we have in Southern California as far as building standards, that those regulations save lives. I hate to say it. Venezuela is proof positive of how not having those regulations, those safeguards in place is really a big deal. And I've I've lived through let's see. The the '71, in, not Northridge.

Bronwen Aker:

It was in the San Fernando Valley. There was also the the god. The '84, the Northridge were overdue for another one. I've seen multiple quakes. I've seen people lose their lives.

Bronwen Aker:

And my heart goes out to all those people in Venezuela. And if you are in an earthquake prone neighborhood, part of the world, get something because, yeah, six seconds doesn't sound like much, but it can save your life.

Corey Ham:

Alright. And on another note, I agree. And that's super, you know feel free to donate. I don't know if we have anyone, like, specifically that I'm aware of, but I'm sure there are many, you know, non government organizations that are helping out in Venezuela right now. So, yeah, pivoting back to cybersecurity for a second.

Corey Ham:

I did I thought this did you guys catch this article about organization invites in OpenAI and how they're being used for phishes? I just linked it at Discord.

Ralph May:

Basically being used for phishes.

Corey Ham:

So this is a this is this is a I mean, there's a really good write up on this done by Push Security, and I'll link that as well. But basically, this so they're kind of they're doing the whole like I told you so thing, because they claimed the tone they Push Security says they coined the term poisoned tenant attack back in 2023. And then ironically, it got used against them this year, like, from these OpenAI invites. And for those that aren't familiar with this attack, basically, you're creating we've done it with Slack. We've done it with a bunch of different things.

Corey Ham:

But you're essentially creating a fake version, like a watering hole attack version of a, you know, something like an OpenAI tenant. And then you're sending invites to your phishing target. So, like, you can see the invite in their write up. It basically says you're invited to the tenant on OpenAI. Obviously, it has a nice little bold warning that says, please check that you recognize the invite before accepting.

Corey Ham:

It says even there it it actually says, the invite or email domain, gmail dot com, does that match your domain, pushsecurity.com? And, yeah, basically, like, obviously, it was unsuccessful, and they did a fun little blog post about it. But, essentially, what they had set up is the an attack, they they had set up a person in that same tenant that was supposed to be the CEO of the company. And then I'm guessing they would, you know, try to scam the person directly. Be like, hey, can you help me pay for OpenAI or whatever?

Corey Ham:

I need your credit card number or something like that.

Hayden Covington:

And it says too in here that it sounds like you would almost, like, log everything they're doing. So you'd be stealing everything that you would put into the model.

Corey Ham:

Your credentials or

Wade Wells:

Right.

Corey Ham:

Yeah.

Hayden Covington:

And and from, like, a SOC to, like, defensive perspective, you we've thought a lot about that is how do you get every ounce of logs out of Claude, out of Claude Code, out of Codex, like, this stuff. And it's all very gettable, which isn't a word. Yeah. But it's it's very very simple to get all of those logging out, especially for stuff like Codex or Cowork or Claude Code. Very easy to get logs out of that kind of stuff.

Hayden Covington:

And so in this case, like, everybody's been told don't drop sensitive information into random AI. Use the one that we pay for instead. This is the secure one. So you now invite this person to what they believe is the secure version of ChatGPT that their company pays for, and then they start dropping in payroll documents and who knows what else into there and just ugh.

Corey Ham:

Yeah. It's a 100%. It's a fascinating attack.

Bronwen Aker:

Does it affect opportunities go through the roof?

Ralph May:

This attack vector with essentially using another platform to send your phishing email to lure people in. Right? It's getting applied across the board. It's not just OpenAI. Any platform.

Ralph May:

In fact, I think this is more of like a category of attack. So, like, if you're building a platform and it allows you to send emails through that platform, there should be some kind of controls in place to prevent that from being used in a phishing attack. Right? Because threat actors are using any and all platforms that they can send. And the the way the way they're doing is they need to be able to control who they send it to and the message that gets sent inside of there.

Ralph May:

If you can control those two things, now I have the ability to essentially build out a phishing campaign. Not not just to gain access, but also to maybe gift cards or whatever. Right? To call you've you've been a I've seen it where they're like, hey. You've there this transaction failed, and people just see that the money was charged.

Ralph May:

Call this number to prevent it. You know, go on. It keeps going on.

Corey Ham:

It could. Yeah. It it could go any different way. And they they also, in the blog post, talk about some other interesting vectors like SAML jacking or, you know

Hayden Covington:

Mhmm.

Corey Ham:

Hayden Hayden mentioned just mining their chats for sensitive information.

Ralph May:

And they're using the trust from OpenAI or whatever platform that it sends the email. That's how it lands in the inbox, and that's the interaction. Right? That's where we're that's what

John Strand:

they're going for.

Hayden Covington:

But but counterpoint, though, if it's on, like, a a pro plan, let's say ChatGPT Pro, like, invite me to that. I'll use it. I won't put anything sensitive there. What about the free tokens? Like Actually

Bronwen Aker:

Yeah. Hey. Totally. Even with one of the paid accounts, one of the things you still need to be cautious about is the feedback feature. Because when you thumb up or you thumb down, you not only send the feedback, but you do also send a whole bunch of context.

Bronwen Aker:

So if you've uploaded sensitive documents, now you've guaranteed that the Frontier LLM provider is getting a copy because they need to know why you said this was good or it was bad, and they need that context to analyze it. So word of warning to all of you people out there, don't shoot your privacy self in the foot by using the feedback feature in the Frontier LLMs.

Wade Wells:

Yeah. Just be like me. Just be like me and never use them ever, and don't even really understand that they were there. Like, I didn't even know them.

Hayden Covington:

Well well, sometimes Claude Code is like, hey. How is Claude doing in this session? And I'm like, I'm about to tell you. I'm gonna hit one right now. Tell you.

Hayden Covington:

Yeah.

Wade Wells:

I don't tell I

Hayden Covington:

asked Claude

Corey Ham:

to explain the whole to put in there. Well, yeah. I mean, the I linked another article that was from Talos Intelligence that's kind of the same thing. And then we actually have yet another article basically Yeah. The same thing, which is shop which I just sent into this Discord as well.

Corey Ham:

Shop is being abused, which is like Shopify's order tracking app in the same exact way that Ralph was just talking about. So essentially, users, scammers are putting in fake orders. I don't exactly know how they're doing it. I'm assuming they this is something that hopefully, Shop will fix. But essentially, they're putting in fake orders, and then it's a callback scam.

Corey Ham:

So they're basically saying, like, you're they're the one the joke they give in the article is, your Norton LifeLock subscription for $385 or whatever. And then if you collect the receipts They might

Ralph May:

be actually making a a shop account and then, you know, sending a It's like a fake order.

Corey Ham:

It's like a like a

Ralph May:

fake order shop. It it'll come from shop's email and but then that's gonna get them off the platform so it gets them to interact. So most of the time, it'll have something on the lines of call this number if this wasn't you. Right? And that's what's ends.

Ralph May:

Right?

Corey Ham:

Exactly. So you get that thing, $385 to Norton LifeLock. Call this number back if this wasn't you. You call the number back, and then magically, you're buying Apple gift cards. Your grandma's involved somehow.

Corey Ham:

It gets weird.

Ralph May:

Oh, god. Never mind.

Wade Wells:

I'm say using Jira too.

Hayden Covington:

And and Talos in the Talos article, they're talking about how they invite people to just Jira service Yes. Management projects and things.

Corey Ham:

Yes. Anything like, basically, honestly, if we're talking you know, let's go in-depth on this because clearly a thing. This is one of those things that has to be addressed at, like, a business level. This can't be addressed with cyber stuff because it's shadow IT. It inherently goes outside of the realm of what a sigh a traditional defensive team can handle.

Corey Ham:

So what this is I mean, obviously, you guys could phish, you know, detect the phish, like, look at the communications and look at the proxy logs and things. But what it comes down to is you need to train your users essentially that they won't receive unsolicited invites. And you need to control carefully how your business communicates with your employees and make sure they know you're not just gonna send them a random invite from a random Gmail. It really hurts, like, companies that are smaller that would communicate with personal accounts and things more than it does, like, the big companies. Because, you know, if I'm if I'm working at a small company and they're like, hey, John Strand just invited you to Slack.

Corey Ham:

I'm just gonna be like, oh, I I guess John wants to use Slack. Like, I'm not gonna, you know, do a bit like, I'm not gonna think about it as much. So it's kind of a business thing. You just have to understand, like, tell your employees that you won't just send them invites to things. Make sure you warn people if you are gonna deploy a new OpenAI tenant or whatever that you're gonna be, like, on an all hands call or whatever.

Corey Ham:

Be like, hey. We're gonna send out invites for OpenAI. This isn't a phish. And if you're the employee getting it, look at you know, send send it through your phishing reporting system or whatever. Like, think about it before you're just like, oh, yeah.

Corey Ham:

I'll accept this invite. Free I'll qualify.

Ralph May:

Oh, and one last thing too. As a SaaS provider or someone building these platforms, they should be validating the domains before they allow them to send notifications. Right? So, like, if you're sending a notification to Gmail, right, that's not gonna work. But if you're sending a notification to another organization, they should be like, hey, you have to validate that this domain or that you have a domain even at this company.

Ralph May:

Right? Like, you have to somehow validate some relationship to that before you can send it that it could also help.

Corey Ham:

But yeah.

Wade Wells:

Look at Ralph. Big brain thoughts. Trying to solve the world's problems.

Hayden Covington:

How does that make the SaaS product

John Strand:

money? Well,

Wade Wells:

it's Hey, how many times have you triaged an email where it's like an encrypted email? Oh Like, they well, like, it's like from an encrypted system and the user is like, oh my god, got an encrypted email. This is and then you have to go log in to their encrypted email to make sure that it's not anything yeah. I've I've done that

Corey Ham:

too many times.

Hayden Covington:

I've seen some that are plenty of encrypted emails that they definitely shouldn't be getting.

Bronwen Aker:

Well, I love when we wind up getting a legitimate phishing team that hits the company and everybody's on the team saying, is this legit? Did you get this? People start hacking

Hayden Covington:

me, like, paperless.

Ralph May:

Oh god. Everyone just sees everyone else.

Bronwen Aker:

Hey, check forward mine to help desk. Okay?

Corey Ham:

Alright. I think that's everything. We're out of time. So unless anyone has any final takes, we already covered chicken at the very beginning of the show. So I I think

Ralph May:

would like to add that we did not talk that much AI today. So if you

Corey Ham:

We didn't. I love it. John told us not to. John told us not to. So if you're really into AI and you wanna talk talk about how GLM five is just as good as Mythos because, you know, I don't know.

Ralph May:

It totally is. I'm actually pricing out a rig right now

Corey Ham:

to run it. It's Dude, you're gonna need a rig to run GLM five. But, anyway, if you're interested in AI stuff, please join John at, I guess, in thirty minutes on for a special you have to register for this one. I guess, if someone could find that link. Let me see if I can find it.

Wade Wells:

I think it's in my saw side. LinkedIn. It When in

Corey Ham:

I just pasted I just pasted it it in in the Discord. Basically, it's yeah. John's gonna talk about Chinese AI again. We had DeepSeek. Now we have GLM.

Corey Ham:

Yeah. But this is a deep dive subscription.

Ralph May:

If I click the link, I can unsubscribe. Unsubscribe.

Wade Wells:

Nice. Oh, wait. Hayden and I have something going on

Corey Ham:

this Hey.

Hayden Covington:

Gotta get some What's

Corey Ham:

what's plug ins?

Hayden Covington:

It's tomorrow, isn't it? Tomorrow?

Wade Wells:

Is is it tomorrow? Oh, then yes. It is tomorrow.

Corey Ham:

It's like, crap. I gotta I gotta write some got

Ralph May:

something to happen on Sunday this week.

Wade Wells:

I've Hayden and I are doing a panel, some AI panel work. It should be pretty

Corey Ham:

three deep fakes?

Wade Wells:

Yep. Pretty much.

Hayden Covington:

You just built a panel with AI?

Wade Wells:

An AI security panel. Yeah. With Kathy Chambers, if you

John Strand:

guys remember Kathy. It should be a fun time. Yeah.

Hayden Covington:

Awesome. That'll be fun. I'm excited

Bronwen Aker:

for Say hi to Kathy.

Ralph May:

I love AI.

Corey Ham:

Alright. I love AI. Me too, man.

Wade Wells:

On that note.

Corey Ham:

Travis is over here loving on AI. Alright. Anyway, thank you all. I'll see you next week. Stay safe out there.

Wade Wells:

Bye bye.

Bronwen Aker:

See you in in about half an hour.