A weekly Podcast with BHIS and Friends. We discuss notable Infosec, and infosec-adjacent news stories gathered by our community news team.
Join us live on YouTube, Mondays at 4:30PM ET
Yeah. No. I was reading over the weekend about the whole Stack Overflow business, and absolutely, their interactions have tanked since OpenAI was released. But they sold out. They've sold their content.
Bronwen Aker:So they've got almost nothing in the way of interactions Yeah. But they're making bank because
Ralph May:For now. But I mean like, they're not going to continue to make that money forever, you know what I'm saying? Yeah. Like, eventually they need more You need like more questions being answered. And if they're not, then, you know, with this kind of thing, the house of cards kinda crumbles.
Ralph May:Right?
Corey Ham:I don't see any I don't see any sources for Stack Overflow being sold to OpenAI.
Bronwen Aker:No. It wasn't They license their content. I'll it was either was either 04/2004 or it was MIT Tech Review. I'll have to look
Corey Ham:We have a partnership.
Bronwen Aker:But they're getting paid in the partnership. That's the point.
Corey Ham:They're making more Yes, Zach.
Bronwen Aker:You can partner without getting paid. Trust me.
Wade Wells:I've done that a lot.
Ralph May:Yeah. Did you get married?
Corey Ham:Oh, man, dude.
Wade Wells:You said it, not me.
Corey Ham:If you're getting married and you're not getting paid, you're doing it wrong.
Ralph May:See? That's how you 10 x.
Corey Ham:Don't forget to call in to the BHIS podcast. That just I could just read Ralph's personal cell phone number on the air.
Wade Wells:You could just leak John's number again like he did the other time. Honestly, I thought it was a slow news week. I didn't see anything in the articles really,
Bronwen Aker:like, grappling.
Corey Ham:Yeah. Didn't even get to scroll through the first freaking page of articles.
Wade Wells:I went all the way down it. There's some cool AI stuff as
Corey Ham:cybersecurity. There's a lot of, like, geopolitics, policies.
Wade Wells:Some cool privacy stuff. Right? But some scary privacy stuff further down
Corey Ham:cool is an interesting term you got there.
Wade Wells:The California privacy stuff is pretty cool, I think.
Corey Ham:Yeah. It is. It is. But that's like whack a mole. Right?
Wade Wells:Yeah. But at least someone's whacking the moles. Right?
Bronwen Aker:For sure. Privacy is whack a mole.
Corey Ham:Take one we'll take one dead mole over zero, I guess.
Aisling:Right. Exactly.
Wade Wells:Nothing else? Nobody else had anything cool stuff?
Corey Ham:No. The the show's over.
Wade Wells:I was like There's no chicken minutes, you guys can leave.
Corey Ham:I like the class like that too. Welcome to Black Hills Information Security talking about news. It's 01/12/2026. We have all kinds of articles, lots of geopolitics, lots of cryptocurrency, money laundering, Discord IPO. I can finally cash in on my 3 prime tokens or whatever I have on Discord on the stock market.
Corey Ham:We've got articles and we've also got hosts. We have Ralph who's who's here. We've got and he's he's branded himself a gator catcher, which I feel like it's more about chasing them than catching them. I feel like you don't really wanna catch.
Ralph May:You gotta catch them and then you gotta go release them into another lake and then it's like a circle of life thing, right, where they call you back.
Corey Ham:Okay. I see. I I see. We've got Brahma
Cameron Carter:How many times have you done this?
Corey Ham:Yes. Please explain. Please explain. How much
Cameron Carter:what's the most money you've made off of one gator?
Ralph May:I mean, it's it's pretty good. It's really easy too, by the way. All you do is play baby gator noises and they will come to you.
Corey Ham:Ah, okay. That's a tip. That's a hot tip. Mhmm. We've got Pentester aka Cameron who's painting her fireplace during the podcast, which so far is the most productive anything anyone's done on the podcast.
Corey Ham:We have Wade, and then we also have Dave. Dave is Dave and Cameron are here to plug their upcoming class about iOS hacking or I guess iOS pen testing. Unfortunately, we don't have any iOS articles. So we'll just make up iOS articles as we go along. Alright.
Corey Ham:It's fine. We have Aisling. We have is that everyone? Did I say Wade yet? Wade Wells, the legend.
Corey Ham:He probably is on like 75 podcasts by now. Like, how many podcasts are you actually on, Wade? Do you feel comfortable sharing that number?
Wade Wells:Yeah. I guess I can share that number.
Corey Ham:Is that like asking a lady your age?
Wade Wells:I'm on three that are like weekly things but like they get pre recorded and then one that's like every sometimes.
Corey Ham:If I wake up early enough Four?
Wade Wells:Four or five. Four or five. Five. You know me, like, I don't I don't have a website. I don't do anything.
Wade Wells:I just do everybody else's thing. That's it's the easiest way to
Corey Ham:do it. Same here. Having a website. What is this? Sponsored by Squarespace?
Corey Ham:Absolutely not. If this podcast is ever sponsored by Squarespace, we're all gonna shut down this company.
Wade Wells:I was really trying to get it sponsored by Liquid Death and they won't do it. I've been trying so far.
Corey Ham:You don't wanna be sponsored. Liquid
Wade Wells:Death. Alright.
Corey Ham:So let's get into it. Let's step straight into the political, like, skier. Is I guess it's it's kind of a political article. I don't know. Basically, the word is that Trump is considering pardoning two individuals who got five years in prison, or I guess one year one individual who got five years in prison for running a cryptocurrency mixer service.
Corey Ham:Basically, the the service is called Samurai, I'm assuming is how it's pronounced. But there's a few there's a few articles about this. Trump in a recent press conference said that he's considering pardoning this person. There's been nothing finalized about it. This article that Megan's throwing through right now is talking about how when they seized this when the Department of Justice seized this cryptocurrency wallet, they sold it, they liquidated it like they do for all seized assets.
Corey Ham:But let's just imagine what a cryptocurrency mixing service would be used for. It probably would be used by nation states like North Korea mainly to launder money. That's kind of the main issue with these services is that they're abused by nation states and criminals, but mostly nation states, I think. And so basically, it's like all the currency in this mixer we're assuming was nation state bad cash. So there's basically two things here.
Corey Ham:The first thing is, I mean, privacy versus money laundering. I think we all on this episode or on this show generally are pretty on the side of privacy and we're gonna talk a lot about some other privacy wins. But I guess, is there a limit to privacy? Like, should it be legal to run a Bitcoin mixing service or any cryptocurrency mixing service? Because there's been a bunch of these over the years and a lot of the people who run them have gone to jail because they're so easy to abuse.
Corey Ham:I guess, what what do people think? Is it should this be pardoned? Like, it seems like it's pretty cut and dry to me, but I don't know.
Wade Wells:For me for me, it kinda like goes against the heart of like cryptocurrency. Well, like the ledger. Right? Everything's supposed to be trackable. Everything's supposed to be able to, like, go back and see exactly how things were.
Wade Wells:So it's almost against the soul of Bitcoin. At least that's the way I I think of it. And, of course, there's a criminal aspect of it as well. Right? Like, is there a legitimate like, this is also going into the privacy.
Wade Wells:I don't think there's, like, a real legitimate reason to have these besides hiding. Yeah. Because it is cryptocurrency. Right? Like, you're you you should be expected to be tracked because that's exactly what it's for.
Corey Ham:I totally agree.
Aisling:Yeah. Like, if you actually want a private transaction, that's not the way to do it. That's what Use a different literal cash is for.
Corey Ham:Or that. I mean, but there are privacy track. Sure. An Yeah. Well, yeah.
Corey Ham:I mean, basically, there's essentially, I think what Wade is saying, I wanna put some words in your mouth here, Wade, but basically Go
Cameron Carter:for it.
Corey Ham:I'm comfortable with cash or Monero or any other thing that's like, let's call it pseudonymous. So it's not explicitly tied to my name, my credit card, and my address. Right? Like let's say I wanna buy something online but I don't wanna provide the seller with all my personal information, I think that's totally fair. That's the equivalent of buying something in cash.
Corey Ham:If I buy something in cash, I don't you don't know who I was, what my, you know, address is, any of that other stuff. But if I buy something with a credit card, that information's out there. I think from my perspective, it's okay to have pseudonymous cryptocurrency like Monero where whose transactions are inherently private or masked in some way, but it's not a mixer. Because the mixer is where you get into which if those if you for those that don't understand what a mixer is, it's essentially like an anonymizing service that I send in x amount of Bitcoin and it comes back through a bunch of other transactions. Essentially, it really is just for anti money laundering.
Corey Ham:Like that it really is just for that purpose. Like Tornado Cash was an old one. There's been a bunch of them over the years. It's essentially a way to mix your Bitcoins in with other people so that no one can tell where they came from or who got them.
Cameron Carter:I mean public. Right?
Aisling:It's literally transaction laundering. That is its entire purpose.
Dave Blandford:Yes. And I do have
Aisling:a We can say we're laundering it because we don't want people to know who we are, not because we got the money through some nefarious means. But end of the day, it is a laundering system, that's all it does.
Dave Blandford:Yeah. So my question is, it looks like the law is related to they they got them because they operated a business. Would this apply in like a co op fashion if 10 people got together and there was no profit? Is that how the law was written? So
Corey Ham:there was Tornado Cache was set up like that. It was like basically just like a GitHub page. Like it wasn't really there wasn't I mean, there were developers. Right? But it was like essentially what happened was in the case of no one went to jail, but the government sanctioned or blacklisted the Tornado Cache protocol.
Ralph May:Okay.
Corey Ham:So it was like the government was like, you can't use this. It's illegal for US citizens, residents, and companies to use this protocol. The GitHub was shut down. They did arrest one of the developers, but I don't think the developer actually went to prison, from my understanding. I I guess I don't know what how that actually they but yeah.
Corey Ham:They basically, they were charged and arrested. Oh, no. Yeah. I'm sorry. I'm catching up on the wiki.
Corey Ham:They were arrested essentially for facilitating this protocol. So I think even if you don't make money for it, bought from it, it's still illegal. Guess, is the Yeah.
Wade Wells:The long answer. Samurai Right was was conspiracy for money laundering, as well as operating an unlicensed money transmitting business.
Corey Ham:Yes. Which
Wade Wells:talk about a mouthful of a law. But
Corey Ham:I feel like if it went to a jury, whatever, it's pretty easy to convince them to like, he wrote the code and then the code was used to launder money. Like, it's not, you know, it shouldn't be like a crazy Uh-huh. Big logical leap for that.
Wade Wells:Looking at this from like a different perspective, is any is anyone like surprised that he's gonna get pardoned? Like, we already saw the one dude from the Silk Yeah. Road get
Bronwen Aker:Right?
Wade Wells:Like, this is I
Ralph May:mean, Ross Holberg was like nuts too. I mean, like, he Yeah. I mean, according He
Corey Ham:did to try to kill a guy.
Ralph May:Yeah. According according to like, actual court testimony, right, and that he did try to hire someone to kill, like, you know, it
Corey Ham:was it was it wasn't Yeah. People ask if Tracers in the Dark goes into crypto washing. Yes, it does. That's like half the book.
Bronwen Aker:Okay. Well, here's here's another issue though. Executive orders are not law. Period.
Corey Ham:This isn't an executive order. What But Oh, you're talking about him violating it? Yeah.
Bronwen Aker:The the the articles are talking about the fact that the Department of Justice is violating an executive order. And Right. Executive orders are not law.
Corey Ham:Period. I mean, would violate sanctions too. Right?
Bronwen Aker:It's Probably it does violate sanctions. So so okay. If the there are probably other laws involved, and this is where I'm I'm crypto ignorant. I mean, I own some Bitcoin mainly just for the giggle factor, but I don't really know anything about it. But when it comes to the issue of, gee, USM has sold forfeited Bitcoin and it's violating an executive order.
Bronwen Aker:Like I said, an executive order isn't law. Laws are passed by congress.
Corey Ham:Yeah.
Bronwen Aker:I mean Yeah. I mean, basically
Corey Ham:yeah. I mean, I think the the to me, the executive order violation isn't really the story here. The story is the general like, essentially for me, it's crazy that or interesting to talk about that the government would be like, money laundering is fine. That's basically that's basically what they'd be if they if they pardon this person, they're basically saying running a money laundering business is fine as long as it's done with crypto because we like crypto.
Ralph May:Yeah. This is this is actually counter to everything the federal government has done. Typically, you wanna go after crime, you'll go after the money laundering that has to occur in that Yeah.
Corey Ham:In the profiteering Or taxes. Yeah.
Ralph May:Yeah. You go after them. Like,
Bronwen Aker:They've seized assets obtained in whatever laundering in
Ralph May:order Yeah. Exactly. Because what happens is is once you seize those assets, this is a way to stop this criminal enterprise because what the criminal enterprise has to do after that is have to prove, right, that that money was not used or that money did not come from illicit activity. So to do that is like a whole thing and most people just let the money go.
Corey Ham:That's Yeah. I I mean, basically, the government has a long history of prosecuting
Ralph May:Yes.
Corey Ham:Illegal businesses through business laws Yes. Taxes Exactly. And, you know, money laundering regulations and things like We
Ralph May:can't catch you, like, selling the drugs, but we know that you are getting the proceeds from that and that's how they work it
Corey Ham:out.
Wade Wells:Once again, going back to Tracers in the Dark, right, where the tax man Yeah. Is the one who comes down on everybody at the end of the day.
Ralph May:Yeah.
Corey Ham:Exactly. Basically, the like, from my perspective on this is that if this if this pardon happens, I that to me is against the interest of the executive branch that would pardon it. It's like, nation state North Korea, you can buy your missiles with money laundered date. Like, that that's basically what they're I don't get that. That's
Bronwen Aker:crazy, but
Cameron Carter:Does the value of Trump coin go up if they do get pardoned?
Corey Ham:Good question. We don't know.
Wade Wells:I I don't know I don't know if you had to hack someone's iPhone, how would you to get their cryptocurrency wallet, how would you do so?
Cameron Carter:I'd make a bunch of money and employ the NSO group.
Corey Ham:Alright. Good answer.
Wade Wells:Alright. Well, that didn't work.
Corey Ham:Yeah. Okay. So
Bronwen Aker:Nice attempt at a segue though, Wade.
Wade Wells:Thank you.
Corey Ham:Thank you. Let's let's step out of let's step out of political space real quick and talk about, I guess, it's still politics, but politics around Italy and Cloudflare and a more interesting kind of an interesting story. Politics I really for hope so okay. This here's the article. The article is Cloudflare won't censor basically, Italy fined Cloudflare €14,000,000 and Cloudflare was like, no.
Corey Ham:This is ridiculous. Which reading into it, I do think that it is ridiculous. Essentially, for those that understand, this is about I don't understand all like the Italian like like like mobster politics of all this. Like, I I really don't like there's a lot of like shady European stuff happening here that I do not understand. But basically, Italy dropped a bomb on Cloudflare.
Corey Ham:Was like, you need to censor all these sports piracy websites. And Cloudflare was like, okay. We don't have the ability to do that and won't do that because you just gave it's essentially them sending a list of IPs to Cloudflare and saying, don't resolve these IPs, which is like, for obvious reasons, can just break the whole Internet. Right? Like, there's so many reasons not to do this.
Corey Ham:Like, I think the funniest part of this is, of course, it has like that Italian mobster thing where it's like, it's about live sports. So it's a bunch of like shady European, like, FIFA corrupt type people being like, they're they're pirating the sports. They they gotta pay us. It is funny that like, even the EU is like, this scheme is concerning this, you know, quasi court order that isn't a real court order thing is weird. It's like, it's so Italian.
Corey Ham:I love it.
Wade Wells:Do do you think somewhere out there, like, big DNS is getting together in order to fight this?
Ralph May:Big DNS. Like, one of big DNS.
Corey Ham:Is Cloudflare not big DNS?
Wade Wells:No. It's a part of it. Right? They mentioned Google too. Right?
Wade Wells:So there's some other DNS providers.
Ralph May:Hold on. The DNS is democratized. Right? It's not, like, controlled by one entity. Those are just entities that have large presences in that And
Aisling:who can
Wade Wells:be sued or who can go to lawsuits for a large amount of money.
Corey Ham:Yeah. But you can also still just go to a
Ralph May:different different resolver to get the same
Corey Ham:And it's recursive. So, like, what you you block it all the way down, Cloudflare could just say, I don't know. Find another DNS server, and then it would Cloudflare still
Ralph May:doesn't own the root DNS servers anyways. They're not they don't own that. They're just reproducing that information. Yeah. Right?
Ralph May:So they're not in control of I mean, they're not I can't. Right? That like
Corey Ham:I like the idea. Okay. Here's the most Italian possible response to this. Cloudflare figures out the entity, like, they're coming from, and then just black holes them only for that entity, so they can't tell if it's been fixed or not. Be like, our DNS our DNS is down.
Corey Ham:We'll email you back once the DNS comes back and it just never comes back.
Ralph May:I I glad to hear, whole Reddit thread on this. And, like, kind of the TLDR of, like, some of the opinions was that, you know, this is just a way to offload the risk onto Cloudflare. And the reason why they all want to do that is because it's like a simple easy scapegoat as opposed to implementing what would be a significant network policies to try to block this and essentially you start going down this rabbit hole and next thing you know it's like the great firewall of China and even then you still don't block everything. So they don't they don't have the money to do that. So it's way easier to just be like, hey, well, Cloudflare, you block it then.
Ralph May:It's your fault.
Corey Ham:Right? Yeah. Totally. I I I really wanna like, I want a dramatized adaptation of like the sports bosses in, like, their super tight suits smoking a cigarette with an espresso and being, like, we gotta kill these piracy sites. And then some intern is, like, but it's hard.
Corey Ham:And they're, like, you gotta do it. And he's, like, what if we just fine them instead? Fine them $14,000,000. Alright. Yeah.
Corey Ham:We have a deal. Capiche or whatever. Like, it's just like like this like mobster style deal. Because yeah, you're right. Blocking DNS like, okay, we all know the best response to piracy is just to make it easier and cheaper for legitimate users.
Corey Ham:Right? Like, that's the way to fix piracy. Don't try to prevent piracy. It's not gonna work. There's always gonna be a way around it.
Corey Ham:It's the Internet. Instead, just make it easier to stream whatever, I don't know, Italian Yeah. Curling or whatever. I I don't know exactly what sports are trying to prevent streaming, but Yeah. I mean, it's gonna
Bronwen Aker:it's gonna be soccer.
Wade Wells:Look at, did you like, we didn't even the time frame in which they want this to be blocked.
Corey Ham:Thirty minutes,
Wade Wells:dude. Thirty minutes. Right?
Corey Ham:They wanna block a global block within thirty minutes. Oh, man. Can you imagine having the
Wade Wells:Yeah. I just think of working at a data center when we used to tell people to put in like any type of DNS. They're like, yeah, it's gonna take two days to resolve
Dave Blandford:it Yeah.
Corey Ham:Right. Right? Yeah. DNS It usually has to be one hour. Time to live record dude, how many what percentage of the internet has TTLs at thirty minutes or less?
Corey Ham:That's a tiny percentage. Right? Like, most DNS servers are way slower than that anyway.
Wade Wells:That there's the law after this is gonna be everyone has to set their TTLs to thirty minutes.
Corey Ham:Thirty minutes or less. Twenty nine minutes.
Cameron Carter:Yeah. So the and the
Ralph May:other thing too is that and just to kind of close it out, it's like as soon as you open up this can of worms and then like Cloudflare blocks certain things and like all this other stuff, now next thing you know, nobody wants to use Cloudflare anymore because it's kind of like the filtered version of the Internet. Right? So then just another DNS pops up and they do the same thing and, you know, now it's just whack a mole.
Corey Ham:So Exactly.
Ralph May:And and and into Cloudflare's defense, they're not hosting anything. All they're doing is just records of IP addresses. What happens in there, that's on them, not on Cloudflare.
Corey Ham:Well, hold on. I would argue, I don't know if this is a hot take or not, but I think Okay. Controlling a DNS server is potentially the best data collection you could possibly get on the Internet. Maybe browsing like, maybe you could get better data from a search engine, I think the data flowing the the amount of data flowing through a DNS resolver and the amount that you could profit from it is pretty significant. Like, who is resolving what from where is a huge like, that's a huge profit center.
Corey Ham:So they are running the service and they are profiting immensely from it, I would imagine. But Yeah. Well, and then do this too. Right?
Ralph May:Yeah. Anybody can. This is not special. There
Bronwen Aker:is another really good issue raised by the Auris Technica article is that if an IP address is filtered inappropriately, then legitimate stuff goes down. I mean, they were talking about how they took down Google Drive for Yeah.
Corey Ham:Oh, yeah. So because you can pirate things on Google Drive. Yeah.
Bronwen Aker:People do it all the time. I mean, I understand why it got flagged, but then you wind up taking down all of Google Drive just because of a few kids who are misbehaving.
Corey Ham:Yes. It is it is seriously just throwing out the baby with the bathwater, but the internet version of that. It's like, if you block also, what percentage of the internet is just Cloudflare IPs? You're just gonna they they're asking them to block themselves across the whole internet, like anyway, moving on. This is probably gonna get it's it's a nothing burger.
Corey Ham:This is probably not it is interesting to think about, but there's no way this could ever get implemented at on a legitimate, like, on a lit this is never not happening. It just isn't technically feasible. Speaking of whack a mole, let's talk about California banning a data broker. This is a for me, this is a privacy win. Wade, do you wanna run through this one?
Wade Wells:Let me find it real quick. Where is it?
Corey Ham:Data masters.
Ralph May:Pretty much
Corey Ham:But sadly,
Wade Wells:it's not. It? Throw it up someone throw me the link. From what I remember, pretty much there's a new California has been going pretty hard on data brokers recently. If you didn't know, they actually came out with a program where you can actually request it in California and they will then go out and request you to be removed from all the data brokers, which is amazing.
Wade Wells:It also had a really cool acronym. I don't remember what it was. Dropped but
Bronwen Aker:Yeah. Dropped is is the new Dropped. Online platform. Delete request and opt out platform. And I already I live in California.
Bronwen Aker:I already signed up for it. Form's super easy to use. And, you know, it's it's nice that somebody is looking out for the privacy of individuals because big tech certainly isn't. And it it's gonna be interesting to see how effective this is because data brokers are worse than tribbles. They they multiply all over the place.
Bronwen Aker:And I I already am using services to pull my data from data brokers. So it's gonna be interesting to see how much this new agency and this new program is going to impact steps that I've already taken and you know, I get the monthly reports x number 100 data brokers have been requested to remove my data from their systems.
Corey Ham:So is this gonna turn into like the same system we use for taxes where Incogni and all these delete me services are lobbying against these so that
Wade Wells:they That's exactly what I thought. That is exactly what I thought
Corey Ham:was No. Gonna happen. You can't have a government agency that does the thing that we also do.
Wade Wells:Right. No. One thing to think about joke. Obviously. The sign up for this though is live, but the services from what I read don't go live for another six months.
Wade Wells:Did you read that somewhere too, Bronwen?
Corey Ham:Correct. Yeah. Has six months.
Wade Wells:Bronwen, what what what prevents a non Californian from signing up for this?
Bronwen Aker:You have to enter address information. It has to be verified with documents.
Wade Wells:With the Okay. So if anybody wants to live in California, here's my note.
Bronwen Aker:So basically, yeah, you'd have to commit fraud in order to sign up for it, but
Corey Ham:Maybe it's okay Trump pardoning those people. We'll be fine.
Bronwen Aker:Of the things we've seen though when it comes to privacy legislation is that California does tend to be one of the forerunners and other states tend to follow. We saw that with CCPA.
Corey Ham:And every building in my state now causes cancer. Thanks California.
Ralph May:You're welcome. Ruined everything I had. Man,
Corey Ham:you ever go to a
Wade Wells:Dyson, everything has lead. Don't go to NASA.
Corey Ham:No. I mean, you're not wrong, Bronwen, for sure. That like, this is one of those things of like, if you have to make a policy for The US and you have it you want it to apply to everyone, this is like there's 50,000,000 people or whatever that live in California, so you might as well just lump them all in with that.
Wade Wells:So the go into this article though, like, kinda like went around it. So the California Privacy Protection Agency announced that they're hitting a company in Texas, which what what was it? Rick and Rick Becker Data LLC? I feel like it it maybe it's one of those lower level data brokers that I've never heard of, but who knows? Rick and yeah, dude.
Wade Wells:That just shows you my reading level.
Corey Ham:I thought they said it was Data Masters.
Wade Wells:Was it? The one I got
Cameron Carter:saw your data
Bronwen Aker:Oh, they were operating as Data Masters.
Corey Ham:Data Masters is a sick name. I'm sad.
Wade Wells:That's way better name. That's not even changed that LLC.
Bronwen Aker:Here's the thing about these laws. Even though they technically only apply to California residents, if I'm interacting with a company based in Texas, I'm still a California resident so that company in Texas has to obey California law because I'm a California resident.
Corey Ham:So you have this request. Wondering for anyone wondering what, you know, what this company did. Basically, they bought and resold user information with people suffering from medical conditions so it could be used for targeted advertising, which is like just nazzy We to begin heard your we heard your leg hurts. Here's some pain killers or what like
Bronwen Aker:We heard you've got Alzheimer's. Here, click this button to get
Corey Ham:All the lyrics are already purple. Are you scared? No. Yeah. For sure.
Corey Ham:It's bad. So this is a win, I think. I mean, a lot of states will probably follow suit. I don't know about setting up their own system. I kinda hope they don't because they'll just SQL injection.
Corey Ham:But
Ralph May:Absolutely.
Corey Ham:For sure. It's it's gonna be a thing. So what else we got? I think the other big story, which isn't really a cyber security story, but maybe Dave and Cameron you could chime in on this. Siri has I I guess, now that I say this, all my devices light up.
Corey Ham:I'm so sorry everyone. Yeah. You just hit. The s word that will not the Apple assistant maybe is getting thrown in the garbage? Because the news article is essentially that Apple is teaming up with Google.
Corey Ham:So Apple announced today, earlier today, that they're gonna team up with Google to use Gemini models to AI power the s words, s I r I.
Ralph May:I was reading though that they're still gonna use the Apple hardware that they built. They're just gonna use the models from Gemini, like, on there. But
Corey Ham:they already had kind of a deal for OpenAI. Right? They already
Bronwen Aker:Yeah. Had
Ralph May:I don't know. Maybe is this like a like a a pump move for like the stock? Right? I I
Bronwen Aker:don't know.
Corey Ham:I don't know. But these two companies, Apple and Google, have done a lot of battling over the years for sure. So it's interesting to see them teaming up in this way. Basically, they're starting a multi year partnership. I think this is from my perspective, if we're looking at like a high level business perspective, Apple needs this.
Corey Ham:They need a win. They need to be able to give an AI win
Ralph May:Yeah.
Corey Ham:Because Is it SIRs isn't their win, though.
Wade Wells:That's the thing. Right? Like, it's
Corey Ham:But it doesn't matter. I'm saying It doesn't matter.
Ralph May:Like, don't care where the AI actually comes from.
Corey Ham:You just
Ralph May:wanna use the damn thing. Okay?
Corey Ham:It's it's getting to the point Well, where that's fair. It's getting to the
Cameron Carter:AI point agent use?
Corey Ham:Gemini. Which is yes. Yeah. It's basically unifying it's basically unifying what AI agent you would get on mobile, I guess, if you think about it like that.
Ralph May:Well, yeah. Maybe in the background. But like if they are running on their own hardware though, they could still modify things. They're not necessarily beholden to what Google did. I think they're just buying or excuse me The models.
Ralph May:Licensing the models, like Yes. So they're not training them. They're not gonna
Wade Wells:train No. Okay.
Dave Blandford:And I forget the source where I read this, but Gemini is current I forget where I read it, but it's the, like, the consumer level. So, like, the basis of it was the theory was Google had created the search and they made it affordable and, like, consumer friendly and that Gemini is trending that way. So there's a lot more rush. I'm hearing I'm seeing a lot better things out of Gemini now. So I think it's a good move
Corey Ham:overall.
Ralph May:Yeah. I mean, so there's there's pretty much three main players right now and I'm not gonna say x.
Corey Ham:Frontier models?
Ralph May:Yeah. There's like three
Corey Ham:assistants main or models?
Ralph May:Models. Like three frontier models. Right? There there are there are many other models, but I'm just thinking like from the AI perspective. So one is the OpenAI's model and like they're they have a bunch of different models inside of that, but OpenAI has some pretty frontier models, meaning like the top end most powerful models.
Ralph May:And then Google has the other ones with Gemini, which they have a couple different flavors of it, they are frontier models. They are very, very smart at doing a lot of stuff. Then the last one is Claude. Right? And they have Anthropic.
Ralph May:Front yeah. Claude, which is, yeah, ran by the company Anthropic, and they have Frontier models as well. And then kind of the last like one on there, which I'm going to half mention, but mostly because it only gets mentioned in like bad things right now
Corey Ham:is You see?
Ralph May:No. There's X and the
Corey Ham:Oh, Grok. Right. Yeah. I mean, there's a bunch. And a lot of people are gunning for a Frontier model, but the reality is training a Frontier model is like the most expensive thing
Cameron Carter:Yes.
Corey Ham:On the planet you could do. And also, the other thing here that's import I think if I was Apple, this move makes sense. Maybe not from an optics perspective because Google is my enemy, but also because Google is potentially the long term pick. The other if you think about it, of all the companies that are making frontier models, Google's the only one that is making money, if you actually think about it. Like, OpenAI and Anthropic are both like, give us money so we can train our AI models or else we're gonna go belly up.
Corey Ham:Too fun. Google is comfortable.
Ralph May:About OpenAI. Not OpenAI. I'm sorry. Anthropic. They actually use Google GCP to run a lot of their training.
Ralph May:Right? They're they're they're like paying Google, and they actually have partnerships with Google even though it is their model. Right? Just I mean, the hardware is a thing and then the model you use is another thing. Right?
Ralph May:And you could rent those, you know, to make it happen. But you're right, Corey. It's really expensive to train them. And they're also none of them are making money right now. Right?
Ralph May:Even though Anthropic argues that they're definitely in that, like, a much higher profitability than OpenAI, who's literally taking truckloads of money, jumping it into data centers to train models that none of which are paying and is continuing Coming to farmland near you.
Aisling:And which burn out the chips that they bought to do it with.
Corey Ham:What's up? Yeah.
Aisling:Oh, most of the data center cost is getting sunk into chips that get burned out in the process of actually training the frontier models.
Ralph May:Yeah. And once the
Aisling:models Those boards are not usable again, they're not resellable, they're shot.
Corey Ham:Yeah. Yeah. But anyway No. I could use it to play Roblox, it's fine.
Wade Wells:I was about to say, when when all these data centers go up, what are we gonna use them for? Like like it's gonna be like Walmarts disappear and stuff and they just leave these big empty buildings. Right?
Corey Ham:Passwords, dude. Imagine the password cracking. You could do
Ralph May:Every password. Your password I
Wade Wells:don't we don't we don't talk about passwords. Alright. Dude,
Corey Ham:okay. Here's what happens. Alright. Here's what happened back last year. I have a plan.
Corey Ham:Dude, Wade, get me the get me your CEO on the phone. Okay? Here's what's gonna happen. The Wade's employer who is not gonna be named buys an entire data center and then just cracks every password ever, and then just says, here's why you need our service, because we just cracked every password.
Wade Wells:Oh my god. It's it's genius. I love it.
Corey Ham:I know. That's why I do consulting on the side. Anyway, no,
Dave Blandford:I'm I'm just kidding.
Corey Ham:This is a joke. This is a terrible idea.
Ralph May:So and and actually to follow-up, CES was just was it last week, right? Yeah. Yeah. And so one of the things announced at CES was NVIDIA took the stage and they announced their latest generation of AI. It's all AI.
Ralph May:Which is their
Corey Ham:way because it's supposed to be consumer electronics. They're like, oh, by the way, consumers, we're gonna remake the RTX 3060. Anyway, back to AI.
Ralph May:Yes. But one of the things that they did mention on there is like the power consumption like going, you know, and yeah. Whatever. It's all about AI and, you know.
Wade Wells:Is that where they mentioned the Palantir stuff too? I don't think that we have an article about that.
Ralph May:Oh, no. But did you see that?
Corey Ham:Please hit us with an article that we don't have. What you got?
Wade Wells:I was watching Gamers Nexus and they came out with a thing watching CES. So Gamers Nexus came was talking about how Nvidia just announced that they are going to make everything Palantir faster. Palantir is pretty much like nation state level spying on individuals and military industrial complex. So there's like some scariness behind that. And then they go into it.
Wade Wells:But the funny part is Palantir actually, like, commented back to Gamers Nexus about the situation.
Dave Blandford:They're like
Corey Ham:Now we're talking about you two jumping something SpyBot with real time kill location data.
Wade Wells:That was it. Yeah. And then, literally, like, there's other articles where it's like the Palantir president Palantir is like, yeah. So our stuff kills people sometimes. I don't know what to tell you.
Corey Ham:I'm like, fuck. Happens.
Ralph May:It is what it is. You never know.
Corey Ham:AI is never wrong. It'll be fine.
Wade Wells:Never. Never.
Corey Ham:Yeah.
Ralph May:Just like humans.
Corey Ham:The Peter T. M. All right. This has been a dark episode. Does anyone have any That's true.
Corey Ham:Is there
Cameron Carter:my fault. I don't even know
Wade Wells:what You always get us talking about AI. There wasn't
Bronwen Aker:my fault.
Corey Ham:Didn't really talk stories? So, alright. Let's get darker then. The dark web.
Wade Wells:The insider tool to
Corey Ham:This is a pretty I think it's a good thing to remind people about in general. But there's a LinkedIn post that we have in here as a news article that's basically people are using rage bait as a phishing tactic. So is a post by Simo Cohoenin. I don't I'm sorry if I mispronounced your name Simo, but basically this is a fun example phish where someone is impersonating SendGrid and they are sending out an email that says, we will be adding a support ICE donation button to the footer of every email. And then they're just hoping that people click on the opt out link.
Corey Ham:Right? Oh, That's the phishing tactic. So I think it's good to remind people in this dark time that people will try to rage bait you into clicking something you shouldn't. In addition to trying to be like, here's a free iPad or whatever. Yeah.
Corey Ham:The positive side of phishing, there's also the negative side of phishing, is bait like that. So be on the lookout for that. That's a uniquely, I think, mean one, and like definitely would be out of scope for pen testing. Like our clients would be very upset if we did that. But, yeah.
Corey Ham:Like you're gonna see threat actors, those are the rules that they don't have to follow. Right? They don't have to be ethical and be reasonable. So just be on the lookout for that kind of stuff.
Bronwen Aker:And they aren't. They aren't.
Corey Ham:And they aren't. News is you know, honestly, Bronwen, they might even be criminals.
Wade Wells:Oh my gosh. What? Way.
Corey Ham:I mean, news
Cameron Carter:is I get
Bronwen Aker:an email saying, you need to do blah blah blah with your account on this. If I actually have an account with that organization, I pop open a different browser and I go directly to the organization. I do not click any links.
Corey Ham:So Because You're smart. Speaking. You should be a you should out be on a podcast anyway.
Ralph May:Speaking of criminals, right? About the data breach of major dark web forum?
Corey Ham:Yes. That's yeah. Speaking of
Ralph May:criminals dark web forum is of cyber criminals. Yeah.
Corey Ham:Okay. So yeah. Yeah. So this is what is it called? Doomsday?
Ralph May:Doomsday? Yeah.
Corey Ham:Yeah. So basically, a data breach finally became, know, This is not the first time, and it won't be the last. There's been I I swear, like, if you go on a breach site and you look for breach sites, like, think RaidForums got breached like seven times.
Ralph May:Oh, dude. I mean, I I I swear to God, I feel like it's a joke. They're like, we make it so we can breach it, and then we can sell our own breach, and then we
Corey Ham:can make another site selling the breach. It's like it's like turtles all the way down. They're just getting breached, just selling their own breach. Yeah. Basically, Doomsday, which apparently is a dark web forum, I don't keep track of these.
Corey Ham:The only one I really keep track of is BreachForums, is like the worst one. Mhmm. But basically, the ironic part of this is there's 300,000 users, 70,000 of those apparently are linked to traceable IPs. I don't know how traceable like, you know, it could be a botnet, it could be a Starbucks, like who knows exactly what it is. But this data will definitely be hopefully provided to law enforcement and then they'll dig in.
Corey Ham:It's a good way to figure out who's who and kinda get a good dossier of threat actors. At the end of the day though, I mean, these sites have gotten breached every year. I've been in these breaches for the accounts that I used to collect from these sites.
Wade Wells:I was about to say, do do you collect this breach to put in your collection?
Corey Ham:Like I do. I do. I absolutely do. I mean, is like could give you if you're doing an incident response, this could give you super valuable information of like
Ralph May:I heard it was like like 30,000 IPs from Starbucks's.
Corey Ham:Yeah. Right? Like Great. Who knows how traceable It's traceable. You would hope it's misinformation.
Corey Ham:You would I mean, opsec though, we've seen. Every criminal gets caught has opsec fails in the in the mix somewhere. Right? Gonna mess up at some point.
Aisling:I'll note that if they didn't have opsec fails, we wouldn't have caught them.
Corey Ham:That is that is true.
Aisling:What few criminals have good opsec are the ones who are still out there.
Corey Ham:That is that is true. Speaking A of opsec lot of high profile people get caught from bad opsec is I guess a better way to put it.
Wade Wells:Did you see the Huntress article about the VM escape stuff?
Corey Ham:No. No. Tell me more.
Dave Blandford:I think
Aisling:I saw the headline.
Corey Ham:That was
Wade Wells:it. Someone else sent me this right
Corey Ham:when Yeah. Checked my Yeah. Is this the ghost VM thing?
Wade Wells:I don't remember if it's the ghost VM thing, but I know there's a really easy detection for the pretty much they got in through a SonicWall. Like, that was the first vulnerability. But then they had been sitting on this vulnerability in ESXi for they think over a year, a zero day, in order to pretty much bypass and go bypass host isolation. Right? It's a hypervisor vulnerability that allows the attacker to break out of the actual guest VM and just compromise everything.
Corey Ham:It's just crazy. That is the craziest thing today.
Ralph May:Does the it virtual or the VMware tools to to break out?
Corey Ham:Is that is that how it does?
Wade Wells:That's a better question, but I don't even know. I'm guessing it does because it's some vulnerability in it. But one of the so because we were talking about op sec, that's what brought me onto this is which is one of, like, the key detections I try to write whenever I go is looking for across all of your logs for any host name that doesn't match your naming schema because there's always someone who gets in who doesn't have one, and it's a key indicator of something that doesn't belong. And that's actually, like, one of the things they caught in this particular breach was the name of the actual host that was attacking them, which always great stuff.
Corey Ham:Yeah. So basically, getting into the details of the exploit, they don't know they they don't 100% know what CVEs or whatever was used, but they say high confidence, those are the ones. There's three CVEs listed in the post that are like these are all from 2025 by the way, so patch your ESX. I know companies struggle with this and I understand why, but please patch your ESX. Basically or just don't use it.
Corey Ham:Proxmox is pretty good. But basically, the vulnerabilities are out of bounds read in HDFS, which HDFS is the file system that ESXi uses. So it's a memory leak in HDFS. There's also TOCTOU, which what is that? Time of use or something?
Corey Ham:I don't know what that actually means. VMCI out of bounds write, yeah. Okay. And then arbitrary write in ESXi. So it's like three CVEs chained together.
Corey Ham:That's pretty crazy. But the good news is all you have to do is patch your ESXi and you're good.
Wade Wells:Oh, that's it? Yeah. You say ESX, like, Proxmox is right there. Dude, Proxmox is so confusing sometimes. Like, I just feel like the UI is Dude, have you used ESXi?
Wade Wells:I have. And it was just so much like, the names for things make sense. Like, I'm like, yeah, that's where that should be. And then, like, I go to Proxmox and I'm like diving into, like, four folders and I'm like, alright. And I still can't remote into this box.
Wade Wells:What's going on?
Corey Ham:Is is definitely
Wade Wells:false Without a doubt.
Corey Ham:Yeah. But sec, I do think there is a significant amount of the amount of inertia with ESX is super hot. Like, the number of administrators and IT people who got certifications in ESXi and know how to use it, like, you can't just be like, we're turning off all our VMs and we're gonna switch to Proxmox overnight. Like, that's a long process. I mean, we talked about it on the news a couple or maybe a month ago of I forget the company, but I think it's a financial company that was suing Broadcom because they were taking away support.
Corey Ham:It's like a class action lawsuit to get about ESXi. So like, it's yeah, it's a hot issue right now, but definitely patch your ESXi and it is an interesting threat intel thing. So basically, they broke out of the VM, got control over ESXi, then created another VM to
Wade Wells:use for Let post me see. I think they
Ralph May:No. No. They compromised the underlying ESXi. Yeah.
Corey Ham:So they popped the ESXi server, but then I guess I'm like The shell
Wade Wells:in leaked the host name somewhere.
Corey Ham:Oh, I see. I see.
Wade Wells:Which is super common, like, more common than you'd expect Windows network.
Corey Ham:No. It's super common. We've gotten popped on that many times of like, hey, someone's in the host name Kali. Like, that's a such a deep giveaway.
Wade Wells:I've had it where, like, the the tester used their handle as the host name and then we just went and looked them up and found them. And I'm like, alright, now we know who's who's testing us.
Corey Ham:Turns out pen testers also have bad opsec. Yeah. Which, okay, companies that get mad at this, guess what? We're just being realistic because criminals have bad op sec too. Okay?
Corey Ham:That's what that's what we're doing. It's all a But
Bronwen Aker:also, in a pen test, you're legitimately in the space and we kinda want their
Corey Ham:Yeah.
Bronwen Aker:Internal people to find us?
Corey Ham:For sure. Think a if you're I think if you're the goal of a pen test is to get caught. Maybe not on day one, but for sure you should be getting caught at some point.
Bronwen Aker:Yeah. If you're if you're getting d a in an hour, then there's something definitely wrong. We want to get caught. We don't want.
Corey Ham:So what else we got? There's a couple articles about AI and HIPAA and healthcare. I don't know if we wanna this is like kind of a regulatory question I don't really understand. But basically, both Anthropic and ChatGPT OpenAI have both said that they're gonna make healthcare oriented solutions that are commercially available. I don't really know if this is I don't even know how this is possible.
Corey Ham:Like, I don't I'm not a HIPAA expert, but it seems kind of is this just like GovCloud? It's like
Wade Wells:it's it's fine. It's like,
Corey Ham:it's fine because we Okay. Say it's Sounds
Bronwen Aker:good.
Ralph May:Don't talk back.
Corey Ham:There's a couple articles. I'll I'll link them here just in case anyone's interested. But both Anthropic here's the article about Anthropic bringing a HIPAA ready enterprise, you know, chatbots. And OpenAI has something that's basically exactly the same.
Cameron Carter:So we don't really need these at all because we already have technology that handles HIPAA data extremely poorly, and that is mobile applications. Right.
Corey Ham:Right. That's probably true.
Cameron Carter:Yeah. Dave, you wanna talk about mobile applications?
Corey Ham:Yes. Please tell us tell us some war stories from testing HIPAA mobile application.
Dave Blandford:Yeah. Don't. Just don't.
Corey Ham:Keep your
Dave Blandford:keep medical off off a phone. No. It's it's just unintended places where data will write and just what has act just not using the native default features. It it it can get pretty ugly. So my advice is in the browser.
Dave Blandford:Not you have to do it online.
Corey Ham:Yeah. Or in your AI chatbot.
Dave Blandford:Or in your AI chatbot. Absolutely.
Cameron Carter:So I legitimately once had a mobile application that was connecting to an API. And to log in to the mobile app, you entered a four digit PIN. And so I figured that would go into the key chain and be used to decrypt some kind of long lived session token that would then be used for authentication. But, no, it was just a username and four digit PIN code going to the server to access patient accounts
Corey Ham:in clear text. Oh. Well, no one could choose 1234.
Ralph May:It's fine. Just actually put together a mobile application from scratch on Android. And yeah. Yeah. So I I know exactly what you're talking about as far as how to secure or like the security of mobile applications.
Ralph May:A lot of it actually has to do with Google itself. Like Google has access to all kinds of things, you know, on the device and how you configure that. Mhmm. You know, we're actually using, what do you call it, the GrapheneOS, which decoupifies the entire operating system while also not while creating con complete host isolation containers. You can, like, run other things like Google Store in an isolated container so it's not even actually connected to the to the underlying Android operating system and and that, like, from a a non isolated standpoint.
Ralph May:But I think it really just comes down to as far as the applications themselves, comes down to developers who wanna make it as fast as possible. Screw security, I need to sell. And, you know, let's just move on to the next thing. Right?
Corey Ham:So Speedy So if
Cameron Carter:someone built an app like that and wants to learn how to test it, where would they go?
Ralph May:What's up?
Corey Ham:Can't help you there. They'd ask AI how to do it. No. They would take your class. You can plug it later.
Ralph May:Oh, oh, no. No. No. We actually have a an app called Atlas, and it's actually for pen testing, physical pen testing, and it allows you to actually hook up to the Proxmark with Bluetooth now directly. The only actually, I think it's the only mobile device that allows you to hook the Proxmark directly over Bluetooth.
Ralph May:And you can read card data, write card data, do all kinds of fun stuff on there. You can also do, like, reporting. It'll it'll show you where Flock cameras are. It'll show you where other, like, OSINT data. And everything's encrypted at rest on the device at at full time.
Ralph May:Yeah. Anyways, so it's
Corey Ham:I only I only use AI. Sorry.
Ralph May:You only use AI for what?
Corey Ham:I only I only use AI, dude. If it doesn't have AI chatbot, I don't even know
Ralph May:It does not have any AI chatbots. It doesn't have Dude, no okay.
Corey Ham:This is a side tangent, but my the weather app that I use, it has like an AI function and it's so stupid. I love it. Like, it's just like a a really it uses the on device, like, it's on device only and it's just an AI chatbot that's set to be like as salty as possible and it's just like, it's raining again, f you, and you're just like, thanks for this chat interface. That's super useful. Anyway, let's talk about n8n.
Corey Ham:N Nathan? It's not Nathan, but I
Bronwen Aker:What what n8n?
Corey Ham:I saw that.
Wade Wells:I don't even know. It's condensed
Bronwen Aker:n8n.
Corey Ham:Yeah. So there have been, I mean, like a countless number of CVE 10 or CVE 9.8 vulnerabilities in n8n. We've actually only had one client to publicly expose their n8n, but in general, this is the most recent one. It's called Ni8mare, which allows people to take control over locally deployed n8n instance. It got a 10 out of 10 severity and according to data security company, Cyera, there are more than 100,000 public vulnerable servers.
Corey Ham:For those who don't know what it is, it's just a tool that connects a bunch of AI things together. So you could have it run one command and one module and one model and then send that data to OpenAI and then pull it back down and then send it back to Claude. It's essentially a way to connect together a bunch of AI services. Honestly, it's really cool and I highly recommend you download it and mess around with it. But definitely make sure you keep this up to date because n8n has had a ton of vulnerabilities.
Corey Ham:It turns out making a framework that just runs code and models is a vulnerable framework by design. So this is yet another one.
Ralph May:Been out for a long time though. Like, it's been out for a while, way before actual the AI was even a Right? Because you were like, I just take this task and then I'll do this next. And like, you just pick like a, you know, a task sheet of things you wanna do, like automate.
Corey Ham:Like IFTTT, but self hosted.
Ralph May:Yeah. Exactly. Exactly. And so but as soon as you turn the AI piece, now you could do like, well then I asked the AI to do that and then it does this and then you next thing you know, your rabbit hole is, you know
Corey Ham:Yeah.
Ralph May:Pretty pretty
Corey Ham:So patch your n8n's. Honestly, you probably forgot you even had it out there. So just delete it and start over.
Ralph May:Just start over again. Just get a new version. Right?
Corey Ham:But the other thing the other reason why the n8n stuff is really bad is because someone's at the door. Someone someone's stopping at the door. But basically, you someone Robin's like, I don't have any doors.
Ralph May:I don't have any doors. I've got like six in my office.
Wade Wells:I was about to say, Robin's got like seven doors. Way back
Corey Ham:in Real fake doors. Basically, n8n, you also give it a bunch of keys. That's the other reason why it's bad. But ironically, like, you read the blog post for Ni8mare, like, the last step is just create an n8n task to run a shell command. Like that's where like it has that capability, so that's why it's such a vulnerable service.
Corey Ham:Like one of the things you would do with the service is run a shell command. So like, yes. Turns out when that's one of the options in the tool, compromising the web UI has some impact.
Ralph May:Yes. Yeah. It's it's it's still cool. It's still kind of a cool tool though.
Corey Ham:So the last article I wanna bring up, which this is something that hit my me and my personal life, people were asking about it. Instagram breach, I guess.
Ralph May:And it was an insta breach?
Corey Ham:Yeah. Like Oh. So so basically, here's the article. It's essentially that people are phishing with previously leaked information. So people are sending out this happened in 2024, I guess.
Corey Ham:But basically, people are sending out password Great. Reset reminders and then using them as phishing. Apparently, someone's estimated that it could impact up to 17,500,000 Instagram accounts. I don't know where that number came from, but I'm like, that's a lot of phishes.
Ralph May:So I think they they they scraped an API to get all this data and then now they're using all of it to send out phishing. Right?
Corey Ham:Yeah. So but it's like the the upshot of it is like use two factor and and don't get phished. So it's like
Wade Wells:The upside is don't use Instagram. Get off all
Corey Ham:social Well, okay. That's even better. Live in the forest. That's that's the next that's like That's the next level.
Bronwen Aker:I actually I actually removed both Facebook and LinkedIn and a couple of other social media apps from my phone.
Corey Ham:I
Aisling:just Oh, you're following Choff?
Bronwen Aker:I am I am detoxing from social media.
Wade Wells:It gets a little boring sometimes, but I've read a lot more.
Corey Ham:The dumb the dumb phones. I'm I'm
Bronwen Aker:going for quality over quantity. I'm I'm combating the slop.
Corey Ham:That's a good for you, honestly. I think we should all do that. There is Job. Like a whole growing market of like, you know, dumb phones. Or the what is the the I think the most recent Nothing Phone has like an actual physical switch to switch between smart mode and dumb mode.
Corey Ham:You
Cameron Carter:know Isn't that a Jitterbug?
Corey Ham:Basically, like, it is dumb Jitterbug. Nice. Well, Jitterbug is like kind of holds you back. Because you're like, alright, now I need to like walk to the restaurant, and I'm Yeah.
Ralph May:And all you have is one other button that says life alert? You
Corey Ham:you press it, you're like, I'm at the hotel and I need to get to this restaurant. They're like, you gotta stop pressing this.
Ralph May:You have you have exhausted all of
Corey Ham:your credits in this plan. Yeah. Yeah. You had one credit a
Cameron Carter:year and
Corey Ham:you just used it.
Dave Blandford:Well, even Apple has their like, the the defense they give for like, journalists or people targeted by by Pegasus, they it turns their Apple phone into a to a dumb phone, essentially.
Corey Ham:Yeah. The under attack mode or whatever. Yeah.
Bronwen Aker:Yeah. Lobotomize your smartphone.
Corey Ham:So Yeah. Yeah. I mean, there's there's a whole, you know, there's a whole thing. I saw Pebble. Pebbles bringing a couple Pebbles back for those that like love their Pebble watches back in like 2012.
Corey Ham:I saw them made a new they made a new watch. I feel like that was such like a nerd specific thing where like, everyone cool in 2012 had a Pebble.
Ralph May:I had a Pebble.
Corey Ham:Yeah. Everyone cool did. Now everyone has an Apple Watcher.
Ralph May:Now I'm just a loser.
Bronwen Aker:I never had a Pebble. Does that mean I'm not cool?
Corey Ham:It's because you weren't cool in 2012.
Ralph May:Yeah. You got cooler. Okay.
Corey Ham:Now, you're cool. You could buy the pebble too.
Ralph May:You could buy the pebble as well. They're probably cheap online except for the hips.
Bronwen Aker:If you wanna be a pebble too.
Wade Wells:They're not cheap. They're $200.
Corey Ham:What? Dude, that's the shelf right over here. I can make some easy cash, dude. Wait, $200, that's how much I'm paying a month for all the subscription services it takes to watch the Olympics.
Ralph May:You know and you know how much Well,
Wade Wells:let me give you let me give you this Italian website real quick.
Corey Ham:Yeah. Okay.
Aisling:Wow. But
Bronwen Aker:before we do the CTF stuff, I actually did have it's not an InfoSec related chicken story. No. But it is a chicken story. And it's it
Wade Wells:We don't need we don't need it. It's okay.
Bronwen Aker:We It's really short and sweet. Apparently, during the Eaton fires, all the wildfires we had a year ago here in Southern California, there were a bunch of chickens who were rescued. And there was a follow-up story by NBC or I'll have to look it up here. Where is it? Oh, I closed that tab.
Bronwen Aker:Anyway, there are follow-up stories, and basically, the chickens are doing well. That's it.
Ralph May:Okay. Chicken survived.
Corey Ham:Great article. Survived. They're thriving. What about the eggs? Did the eggs survive?
Bronwen Aker:Oh. Oh. They probably were off their lane.
Corey Ham:What did they say first? The chicken or the egg? I think the chicken. That that tells you everything you need to know right there, people. Save the chicken first.
Corey Ham:Don't save the egg. That thing's already hard boiled. Alright. Yeah. So CTF winners, let's do let's do the CTF winners.
Corey Ham:The winner the first place prize goes to Josh Kemp, who gets a year of Antisiphon on-demand training for free. Then the second place prize goes to christy b seventy eight, who gets one class of their choice. You should have gotten an email. If you haven't gotten an email, let us know. I have no idea what the CTF was.
Corey Ham:If anyone knows what it is
Cameron Carter:I was
Wade Wells:gonna Please
Corey Ham:post it in the chat. I'm assuming the CTF was get on the podcast.
Wade Wells:A year's worth of a year worth is a lot. Right? Like, that's a that's a long time. Yeah.
Aisling:A year's worth of access is
Corey Ham:You can learn a lot in the year.
Wade Wells:Is your iOS class on demand yet?
Dave Blandford:Not yet.
Wade Wells:David? Not yet? Not yet. Are you gonna make it on demand? That's up
Corey Ham:to you. It would be hard to do it because you'd have is there a is there a hardware component at all that, yeah, I guess you have to bring a representative device?
Cameron Carter:Nope. So we're doing it all virtualized. We'll be using the Corellium platform. If someone is dead set on bringing their own rooted device, we will do our best to help them, but no guarantees with any of the labs or if anything goes wrong with their own device.
Ralph May:Is it is it Android
Cameron Carter:and iOS? Hardware free. No. First, it's just iOS.
Ralph May:It's just it's just iOS? Do you do you have you guys gotten the or have you guys ever played with the development platforms that you guys can get from from Apple?
Corey Ham:Yeah. Yeah.
Dave Blandford:Yeah. So so we actually the class, we have our own app as well. So we did we we designed and we have a a vulnerable app. So but yeah. Yeah.
Cameron Carter:There any cool CTF challenges in the app?
Corey Ham:I'm sure there are based on your face. I yeah. So
Cameron Carter:there's couple of questions that I didn't answer.
Corey Ham:So Yeah.
Ralph May:Yeah. So last question because now I'm just interested. So this is a virtual only or in person?
Cameron Carter:It's a hybrid class. It'll be on demand. This will be virtual. But
Ralph May:This is gonna be
Cameron Carter:people signed up for in person at Wild West Denver. Hoping to get a few more. And yeah. So we'll be live walking around, helping people out.
Corey Ham:Nice.
Cameron Carter:Making jokes, having a good class.
Corey Ham:Sounds like fun. It should be great. Someone asked about the CTF answers. Megan, do you know where the CTF answers are or how people can find them? You can't.
Ralph May:You can't.
Corey Ham:That's the CTF. That's the CTF answers. Them.
Wade Wells:You know what you do? What was his name? You find Josh and you ask him and you become his friend.
Corey Ham:That's honestly, if you wanna know the way to network and be good in the cyber security community, that is the way to do it.
Wade Wells:CTF Awesome. Teamwork? No? Maybe he shares password with Anti for Antisiphon, you know, something.
Corey Ham:The real CTF was the friends we made along the way.
Ralph May:Oh. They hacked my heart.
Bronwen Aker:I'm not Alright.
Aisling:I'm not sure how I feel about being a flag.
Corey Ham:Alright. Thanks everyone for coming. We'll see you all next week and bye bye.
Ralph May:Bye bye.
Corey Ham:Bye bye.