WEBVTT

00:00:00.840 --> 00:00:03.799
The opinions expressed are those of the show

00:00:03.799 --> 00:00:08.060
hosts and may not necessarily be of any company

00:00:08.060 --> 00:00:21.440
in which the show hosts may represent. Hello,

00:00:21.579 --> 00:00:27.480
folks! Welcome to SANS, episode number 38. This...

00:00:27.899 --> 00:00:32.060
will be the podcast for SANS. This is the News

00:00:32.060 --> 00:00:36.100
Bites. This is annotated news update from the

00:00:36.100 --> 00:00:40.100
leader in information security training, certification,

00:00:40.380 --> 00:00:44.920
and research. This program will cover the newsletter

00:00:44.920 --> 00:00:53.020
from January 13th, 2026. So, how is everybody

00:00:53.020 --> 00:00:58.490
doing? We had a bit of a mild setback when it

00:00:58.490 --> 00:01:06.049
came to my health, and I know that I appreciate

00:01:06.049 --> 00:01:11.170
each and every one of you who might drop by and

00:01:11.170 --> 00:01:16.870
listen to these programs along Jared's Technology

00:01:16.870 --> 00:01:27.719
Podcast Network. is Volume 28, Number 3. So,

00:01:27.959 --> 00:01:33.019
this is going to be a very interesting newsletter.

00:01:33.359 --> 00:01:36.519
And as we always do, if we feel it's necessary,

00:01:36.900 --> 00:01:45.620
we will take from the editors. But, we know that

00:01:45.620 --> 00:01:50.739
sometimes we can just do it by ourselves, based

00:01:51.659 --> 00:01:56.599
off of the content itself. But we also tell you

00:01:56.599 --> 00:02:00.319
who is writing so that you know the difference

00:02:00.319 --> 00:02:06.680
between me talking and the newsletter. So I wrote,

00:02:06.920 --> 00:02:10.580
we've got interesting news coming out of this

00:02:10.580 --> 00:02:14.539
episode of SANS. It covers the newsletter that

00:02:14.539 --> 00:02:20.120
was issued on January 13th, 2026. We've got a

00:02:20.120 --> 00:02:24.629
group that seems to be back in the news. And,

00:02:24.669 --> 00:02:31.270
of course, it can't be good since it's item one

00:02:31.270 --> 00:02:35.069
of the section of the newsletter that is titled

00:02:35.069 --> 00:02:42.050
Top of the News. Since I'm giving you that much,

00:02:42.389 --> 00:02:51.389
what is that group? You don't have long to guess

00:02:51.389 --> 00:02:55.990
because it'll be in the table of contents, which

00:02:55.990 --> 00:03:04.150
is part of this file. We've got LLM news, especially

00:03:04.150 --> 00:03:08.789
when it comes to healthcare, as well as LLM news

00:03:08.789 --> 00:03:16.030
when it comes to it being attacked. We saw an

00:03:16.030 --> 00:03:21.360
Instagram story we decided not to blog, that

00:03:21.360 --> 00:03:27.020
they'll cover, and there's plenty more. This

00:03:27.020 --> 00:03:30.680
file is transcribed by Jared Reimer in Woodland

00:03:30.680 --> 00:03:34.680
Hills, California. If you want a copy, email

00:03:34.680 --> 00:03:39.759
tech, that's T-E-C-H, at M-E-N-V-I dot

00:03:39.759 --> 00:03:43.740
org, and I'll take care of it. Let me know what

00:03:43.740 --> 00:03:50.189
format and size of file you want. Per usual,

00:03:50.189 --> 00:03:54.830
we break up each section on a new Braille page

00:03:54.830 --> 00:03:59.469
and number each item both in the table of contents

00:03:59.469 --> 00:04:04.550
and the items themselves so you can find them

00:04:04.550 --> 00:04:08.270
easily. So we go back to numbering each item

00:04:08.270 --> 00:04:12.389
one through whatever. And, of course, after the

00:04:12.389 --> 00:04:20.290
particulars of top of the news, it will go to

00:04:20.290 --> 00:04:24.490
a new Braille page regardless of code and give

00:04:24.490 --> 00:04:32.290
you the rest of the week's news. We are using

00:04:32.290 --> 00:04:37.709
the new UEB page numbering for chapter and page

00:04:37.709 --> 00:04:43.610
as seen in some books, although I never saw that

00:04:43.610 --> 00:04:50.139
on any book until... the Unified English Braille

00:04:50.139 --> 00:04:54.660
course book itself, but I'm using this format

00:04:54.660 --> 00:05:04.899
for podcast number, and I will use it as a podcast

00:05:04.899 --> 00:05:20.500
number and a page number. So, there. You go.

00:05:22.199 --> 00:05:26.939
Now your time is up in regards to the answer

00:05:26.939 --> 00:05:33.779
for today's trivia. The table of contents now

00:05:33.779 --> 00:05:40.139
follows. Top of the news. Item number one. Salt

00:05:40.139 --> 00:05:46.110
Typhoon threat actors reportedly responsible

00:05:46.110 --> 00:05:52.449
for new congressional email breach. Alright,

00:05:52.529 --> 00:05:57.329
so number one is Salt Typhoon for the threat

00:05:57.329 --> 00:06:01.689
actor's name. Who would have thought that one?

00:06:02.949 --> 00:06:07.930
I'm curious. You can email or iMessage, text

00:06:07.930 --> 00:06:14.129
or WhatsApp. That's 804-442-6975. Or call and

00:06:14.129 --> 00:06:17.569
leave a comment on the comment line at 888-405-

00:06:17.569 --> 00:06:29.269
7524 or 818-527-4754. If you do get me, please

00:06:29.269 --> 00:06:36.629
talk to me. And do leave a voicemail. Leaving

00:06:36.629 --> 00:06:39.790
a blank voicemail may not yield any response.

00:06:40.759 --> 00:06:45.060
Because I don't know who you are or what specifically

00:06:45.060 --> 00:06:49.740
the number calling wants. So please make sure

00:06:49.740 --> 00:06:58.000
that you do leave a verbal voicemail. Okay? Number

00:06:58.000 --> 00:07:04.060
two, Spanish energy company and supplier discloses

00:07:04.060 --> 00:07:08.759
data breach. And number three, LLMs and healthcare.

00:07:10.250 --> 00:07:16.629
ChatGPT, Claude, and Google Overviews. And maybe

00:07:16.629 --> 00:07:23.730
it might be imperative in that file to talk very

00:07:23.730 --> 00:07:30.949
specifically about my use of ChatGPT because

00:07:30.949 --> 00:07:35.319
I have been a little bit... under the weather,

00:07:35.420 --> 00:07:38.259
although I'm doing a lot better at the time I'm

00:07:38.259 --> 00:07:41.879
recording this, and I'm sure that I will be fine.

00:07:42.160 --> 00:07:46.139
I'm sure it was either a stomach bug or a combination

00:07:46.139 --> 00:07:51.100
of stress and fatty foods like a burger and fries

00:07:51.100 --> 00:07:57.139
and other combinations like ChatGPT said it could

00:07:57.139 --> 00:08:03.040
be. We just don't know. But... I'll talk about

00:08:03.040 --> 00:08:07.220
that then. And of course, you'll probably hear

00:08:07.220 --> 00:08:12.560
me talk about it on various other places, including

00:08:12.560 --> 00:08:24.779
TSB and on the RCL program if they want, if they

00:08:24.779 --> 00:08:30.259
happen to bring up AI. But, more importantly,

00:08:30.660 --> 00:08:34.000
we'll talk about it on the Throwback Saturday

00:08:34.000 --> 00:08:40.299
Night program. So, do make sure you check that

00:08:40.299 --> 00:08:44.220
out. It'll also be on the Saturday show of the

00:08:44.220 --> 00:08:47.480
Independent Artist Spotlight, which we are broadcasting

00:08:47.480 --> 00:08:50.820
at the same time I'm taping this, which is Saturday,

00:08:51.039 --> 00:08:57.740
January 24th. Speaking of LLMs, we're going to

00:08:57.740 --> 00:08:59.899
move now to the rest of the table of contents

00:08:59.899 --> 00:09:07.220
with item one, as there's more LLMs. LLM APIs

00:09:07.220 --> 00:09:12.480
targeted by threat actors and gray hat hackers.

00:09:13.600 --> 00:09:19.220
Number two, Instagram password reset emails are

00:09:19.220 --> 00:09:24.019
unrelated to... alleged data breach. I saw this

00:09:24.019 --> 00:09:27.679
in their newsletter and I decided not to blog

00:09:27.679 --> 00:09:31.899
it. There's really nothing there. I know. Number

00:09:31.899 --> 00:09:36.740
three, BreachForums member data leaked. That's

00:09:36.740 --> 00:09:40.559
always great news. I love that. Number four,

00:09:40.580 --> 00:09:47.610
California Privacy Protection Agency fines Texas

00:09:47.610 --> 00:09:51.149
firm for failing to register as a data broker

00:09:51.149 --> 00:09:58.629
with the state. And this goes back to last episode.

00:09:58.649 --> 00:10:03.049
I forget the exact item number of this one. I

00:10:03.049 --> 00:10:08.649
think it was item one of that particular podcast

00:10:08.649 --> 00:10:14.110
where we talked about this idea where Californians

00:10:14.110 --> 00:10:26.049
can register with this particular entity, and

00:10:26.049 --> 00:10:30.870
that should, in theory, stop our data from being

00:10:30.870 --> 00:10:38.789
collected. Item 5. Spanish authorities arrest

00:10:38.789 --> 00:10:43.730
34 in connection with Cybercrime Network. 6.

00:10:44.070 --> 00:10:50.179
Printing error prompts recall of nearly 13,000

00:10:50.179 --> 00:10:55.019
recent Irish passports, and that's not good.

00:10:55.279 --> 00:11:01.600
And finally, number seven, CISA retires 10 emergency

00:11:01.600 --> 00:11:08.720
directives, and that is a good sign because they're

00:11:08.720 --> 00:11:14.779
not needed anymore, notating that they were emergency

00:11:14.779 --> 00:11:21.480
directives. So that is the table of contents.

00:11:21.779 --> 00:11:25.200
That's the answer to your trivia question. It

00:11:25.200 --> 00:11:28.759
is Salt Typhoon. If you guessed it, great. If

00:11:28.759 --> 00:11:34.940
you didn't, learn along. We will continue in

00:11:34.940 --> 00:11:38.600
just a moment with the newsletter as we start

00:11:38.600 --> 00:11:45.440
with item number one of Top of the News. This

00:11:45.440 --> 00:11:50.899
will be program number 38 of SANS, a Jared Reimer

00:11:50.899 --> 00:12:07.000
Network podcast. Since we played trivia earlier,

00:12:07.320 --> 00:12:10.279
let's go ahead and start with our top of the

00:12:10.279 --> 00:12:18.190
news item. And, uh... This is item number one.

00:12:18.190 --> 00:12:21.289
It looks like I didn't put item number one here.

00:12:22.850 --> 00:12:29.909
But that is okay. You can follow along if you

00:12:29.909 --> 00:12:36.110
have Braille. Salt Typhoon. They have never

00:12:36.110 --> 00:12:38.210
been good. We've talked about them since the

00:12:38.210 --> 00:12:42.230
very beginning on the security box. Well before

00:12:42.230 --> 00:12:47.230
I thought of this SANS news... news thing as

00:12:47.230 --> 00:12:52.929
a full podcast set could have done this with

00:12:52.929 --> 00:12:58.710
all of that coverage then because they talked

00:12:58.710 --> 00:13:03.230
about it then too. But they are back. Salt Typhoon

00:13:03.230 --> 00:13:07.330
threat actors reportedly responsible for new

00:13:07.330 --> 00:13:11.350
congressional email breach. And I think before

00:13:11.350 --> 00:13:15.679
I really get into this, I want to ask a question.

00:13:16.559 --> 00:13:21.279
And I really think that this is a serious question.

00:13:23.000 --> 00:13:36.279
If this was Congress, what were they using? Or

00:13:36.279 --> 00:13:45.750
are they using? I don't... exactly understand

00:13:45.750 --> 00:13:51.009
why we're still having issues with getting into

00:13:51.009 --> 00:13:54.730
email. I don't have anybody getting into mine

00:13:54.730 --> 00:13:58.389
that I am aware of, and I say that loosely because

00:13:58.389 --> 00:14:04.610
email can be gotten into. So I'm not going to

00:14:04.610 --> 00:14:07.830
say that it doesn't happen. But if you don't

00:14:07.830 --> 00:14:10.429
use the right tools, then of course you're going

00:14:10.429 --> 00:14:14.490
to get hacked into. But I'm wondering what's

00:14:14.490 --> 00:14:18.649
being used. Because email's gotta be saved for...

00:14:18.649 --> 00:14:30.009
What is it? Many, many years? Like... OMG. Not

00:14:30.009 --> 00:14:33.429
necessary. Once you respond to something, delete

00:14:33.429 --> 00:14:40.389
it. There's no need to keep it around. Here's

00:14:40.389 --> 00:14:45.039
what is... and we'll go through this together,

00:14:45.220 --> 00:14:49.639
ladies and gents. Cyber threat actors with ties

00:14:49.639 --> 00:14:53.600
to China's government have once again infiltrated

00:14:53.600 --> 00:14:59.980
email systems, compromising U .S. congressional

00:14:59.980 --> 00:15:06.059
staff members' communications. The intrusion

00:15:06.059 --> 00:15:11.120
was detected in December 2025 and was first reported

00:15:11.659 --> 00:15:15.600
by the Financial Times, which said the

00:15:15.600 --> 00:15:21.940
perpetrators are Salt Typhoon, a threat actor

00:15:21.940 --> 00:15:29.159
group that gained notoriety for breaching telecommunications

00:15:29.159 --> 00:15:35.460
systems around the world in 2024. As I said,

00:15:35.639 --> 00:15:41.480
we covered them on TSB. And they were on SANS

00:15:41.480 --> 00:15:46.120
then, too. Unfortunately, I did not do SANS

00:15:46.120 --> 00:15:52.840
then, so this can be looked into. I'm sure you

00:15:52.840 --> 00:15:55.740
can contact SANS and ask them, you know, hey,

00:15:55.779 --> 00:15:59.059
what newsletters did you guys cover Salt Typhoon

00:15:59.059 --> 00:16:07.960
in? I bet they could help you out. Officials

00:16:07.960 --> 00:16:10.779
are investigating the breach, which reportedly

00:16:10.779 --> 00:16:15.679
affects email systems used by congressional staff

00:16:15.679 --> 00:16:19.659
working on House National Security Committees.

00:16:19.860 --> 00:16:25.759
Oh, great. So, uh, this can't necessarily be

00:16:25.759 --> 00:16:31.840
good. Is that right? So, Salt Typhoon is back

00:16:31.840 --> 00:16:35.529
again. Is anyone who is hearing this surprised

00:16:35.529 --> 00:16:39.710
by this news? Especially those who participate

00:16:39.710 --> 00:16:46.169
on TSB? Dukes writes, It's not surprising that

00:16:46.169 --> 00:16:51.610
the U.S. Congress is and continues to be a target

00:16:51.610 --> 00:16:57.509
of nation states. What's left to be determined

00:16:57.509 --> 00:17:04.269
is whether the attack used existing Salt Typhoon

00:17:04.269 --> 00:17:09.549
TTPs or changed them up? And that, of course,

00:17:09.609 --> 00:17:14.450
we don't know. And I suppose if I do spot something,

00:17:14.670 --> 00:17:19.990
I can write something up. If they were known

00:17:19.990 --> 00:17:28.049
TTPs, then that's a black eye for Congress and

00:17:28.049 --> 00:17:35.579
their security team. What security team? Hopefully,

00:17:35.700 --> 00:17:40.380
that information becomes available soon to protect

00:17:40.380 --> 00:17:47.519
other organizations. Our guy, Neely, writes,

00:17:47.940 --> 00:17:53.140
These accounts are targeted as they are typically

00:17:53.140 --> 00:18:00.920
less hardened environments. While truly... email

00:18:00.920 --> 00:18:11.200
is not present, there is enough supporting information

00:18:11.200 --> 00:18:17.619
which rounds out open source investigations nicely.

00:18:17.960 --> 00:18:22.500
Make sure that you are considering the security

00:18:22.500 --> 00:18:29.349
of not only your mainstream email systems, but

00:18:29.349 --> 00:18:36.690
also of staff, contractor, and supporting services.

00:18:37.430 --> 00:18:44.089
An incident can quickly offset the cost of not

00:18:44.089 --> 00:18:51.450
providing someone with a corporate email account.

00:18:55.519 --> 00:18:58.599
Email security options to ensure protections

00:18:58.599 --> 00:19:06.660
are in place. Commensurate with the operation

00:19:06.660 --> 00:19:19.400
processed. As I wrote, tell me if you've seen

00:19:19.400 --> 00:19:22.019
this before, and yes, I did number everything

00:19:22.019 --> 00:19:25.619
else. I guess I forgot to item number one. That's

00:19:25.619 --> 00:19:35.099
okay. Folks, this is a huge problem. I still

00:19:35.099 --> 00:19:39.779
want to know what they're using. Outlook? Microsoft

00:19:39.779 --> 00:19:49.059
365? I mean, this is absolutely crazy. I don't...

00:19:51.309 --> 00:19:59.849
I don't quite get what they're doing here. This

00:19:59.849 --> 00:20:05.089
can't necessarily be good. And this isn't going

00:20:05.089 --> 00:20:13.730
to be the first time. So, time for them to go

00:20:13.730 --> 00:20:24.829
figure that crap out. Because... That is enough

00:20:24.829 --> 00:20:34.470
of that. Coming up, ladies and gents, we're going

00:20:34.470 --> 00:20:39.309
to move on to our next item. Spanish Energy Company

00:20:39.309 --> 00:20:47.970
and Supplier Disclose Data Breach. Well, you

00:20:47.970 --> 00:20:51.640
know... They come a dime a dozen these days,

00:20:51.720 --> 00:20:56.200
data breaches do. Let's see what this one covers

00:20:56.200 --> 00:21:00.200
as the newsletter continues. I'm Jared Reimer.

00:21:00.339 --> 00:21:21.589
This is Jared's Technology Podcast Network. Alright

00:21:21.589 --> 00:21:25.430
folks, welcome back to the program. I'm Jared

00:21:25.430 --> 00:21:30.089
Reimer. Well, I know some time has passed and

00:21:30.089 --> 00:21:34.049
people are probably wondering, what happened?

00:21:35.869 --> 00:21:39.890
Short version, I got sick. But I'm feeling a

00:21:39.890 --> 00:21:43.250
lot better now, and we are going to push on.

00:21:45.130 --> 00:21:49.009
We're just going to go the best we can, and I

00:21:49.009 --> 00:21:54.160
can't rush it. As a doctor would say, don't push

00:21:54.160 --> 00:21:59.799
yourself too hard. Just do what you can, even

00:21:59.799 --> 00:22:04.900
if it's just one AI tool. I bet my doctor would

00:22:04.900 --> 00:22:07.980
say the same thing, too, if I was telling him,

00:22:08.039 --> 00:22:10.240
yeah, I'm feeling better today, but I want to

00:22:10.240 --> 00:22:12.740
do all of this stuff. He'd probably say, no,

00:22:12.880 --> 00:22:16.180
probably not a good idea to do all of that at

00:22:16.180 --> 00:22:20.720
once, unless you're up to it. So I guess we'll

00:22:20.720 --> 00:22:26.579
see how this goes. No judgment, right? Item two

00:22:26.579 --> 00:22:30.819
of the particular SANS News Bites we are working

00:22:30.819 --> 00:22:39.640
on is this. Spanish energy company and supplier

00:22:39.640 --> 00:22:46.079
disclose data breach. Spanish energy company

00:22:46.079 --> 00:22:58.970
Endesa and its supplier, NRJ XXI, I don't want

00:22:58.970 --> 00:23:02.470
to say 21 because I don't want to assume that

00:23:02.470 --> 00:23:05.210
they mean a number, so I'll just read it as letters,

00:23:05.769 --> 00:23:10.289
are notifying customers that account information

00:23:10.289 --> 00:23:13.509
was compromised in a cybersecurity incident.

00:23:16.250 --> 00:23:22.109
is one of Spain's largest energy utilities, providing

00:23:22.109 --> 00:23:26.849
gas and electricity services to more than 10

00:23:26.849 --> 00:23:33.849
million customers in Spain and Portugal. Well,

00:23:34.009 --> 00:23:46.180
that's quite a very large amount of people. It,

00:23:46.220 --> 00:23:51.140
quote, detected a security incident that has

00:23:51.140 --> 00:23:56.460
allowed unauthorized and illegitimate access

00:23:56.460 --> 00:24:19.970
to its commercial platform. That ends the quote.

00:24:20.309 --> 00:24:46.900
The compromised information includes, with Endesa

00:24:46.900 --> 00:24:56.799
Energe and possibly payment details. And that

00:24:56.799 --> 00:25:02.559
ends that quote. Endesa has notified Spain's

00:25:02.559 --> 00:25:07.579
data protection agency and other relevant authorities.

00:25:09.759 --> 00:25:17.440
Sacks. A once-in-a-while contributor and who

00:25:17.440 --> 00:25:20.920
was mentioned in several newsletters writes,

00:25:21.200 --> 00:25:26.160
This looks like a customer data breach, but from

00:25:26.160 --> 00:25:30.259
a utility engineering perspective, it is also

00:25:30.259 --> 00:25:34.660
a reminder that the commercial platform is part

00:25:34.660 --> 00:25:42.190
of the operational ecosystem. The grid can be

00:25:42.190 --> 00:25:47.430
stable and well operated, yet attackers who gain

00:25:47.430 --> 00:25:56.329
access to IT systems can still degrade utility

00:25:56.329 --> 00:26:00.630
operations without ever touching control systems.

00:26:01.890 --> 00:26:07.930
The stolen data has follow-on consequences.

00:26:09.200 --> 00:26:14.539
and enables convincing impersonation of customers,

00:26:14.539 --> 00:26:22.740
contractors, and even internal staff. That credibility

00:26:22.740 --> 00:26:28.220
is exactly what adversaries need to move from

00:26:28.220 --> 00:26:35.339
fraud into deeper access, especially in environments

00:26:35.339 --> 00:26:40.529
where remote support and vendor connectivity

00:26:40.529 --> 00:26:49.250
are normal. This is not evidence that grid operations

00:26:49.250 --> 00:26:56.750
were directly at risk. It is evidence that an

00:26:56.750 --> 00:27:01.170
attacker reached a system boundary that should

00:27:01.170 --> 00:27:09.230
be treated as reliability relevant. Engineers

00:27:09.230 --> 00:27:16.049
should view incidents like this as a prompt to

00:27:16.049 --> 00:27:21.829
strengthen segmentation, identity controls, and

00:27:21.829 --> 00:27:27.670
vendor access governance. Those are not just

00:27:27.670 --> 00:27:34.150
IT best practices. They are part of resilience

00:27:34.150 --> 00:27:40.069
engineering. that I did not deal with the IT

00:27:40.069 --> 00:27:42.970
aspects of things, but you'll understand it.

00:27:43.269 --> 00:27:48.390
As I write in the next paragraph, stop me if

00:27:48.390 --> 00:27:53.150
Neely's comments may be somewhat familiar. It

00:27:53.150 --> 00:27:57.650
may be written a bit differently, but he writes,

00:27:57.970 --> 00:28:04.250
the breach didn't impact service, in parentheses,

00:28:04.549 --> 00:28:11.809
gas power delivery to customers, and Endesa

00:28:11.809 --> 00:28:16.730
is notifying affected customers directly. While

00:28:16.730 --> 00:28:20.789
Endesa is claiming there is no attempted use

00:28:20.789 --> 00:28:28.170
of the purloined data, threat actors appear to

00:28:28.170 --> 00:28:36.640
have 20 million records, 1 TB, by the way, that's

00:28:36.640 --> 00:28:43.220
in parentheses, of Endesa customer database data

00:28:43.220 --> 00:28:51.039
for sale to a single exclusive buyer. Expect

00:28:51.039 --> 00:28:56.359
Endesa to implement enhanced security measures

00:28:56.359 --> 00:29:01.960
after admitting existing security fell short

00:29:01.960 --> 00:29:11.420
of expectations. And, oh boy, what do I think?

00:29:13.519 --> 00:29:19.359
If this is the only thing I record today, which

00:29:19.359 --> 00:29:22.500
I think it may not be, because I'm actually doing

00:29:22.500 --> 00:29:28.819
quite well, thank you very much, I'll say this.

00:29:31.259 --> 00:29:38.769
Endesa, you better... come clean. And you better

00:29:38.769 --> 00:29:44.970
tell your customers exactly what went wrong when

00:29:44.970 --> 00:29:51.230
you know it. Not six months to a year from now,

00:29:51.450 --> 00:29:55.450
but as soon as it's feasible for you to do it.

00:29:56.250 --> 00:30:01.210
Since you're already starting the process, if

00:30:01.210 --> 00:30:05.839
it were me and I find out new information, I

00:30:05.839 --> 00:30:10.019
would continue to send out notices so that your

00:30:10.019 --> 00:30:14.319
customers are aware of what is going on before

00:30:14.319 --> 00:30:21.759
it hits the press. Now that would be what I would

00:30:21.759 --> 00:30:26.799
do. But I'm not Endesa. And I'm not any other

00:30:26.799 --> 00:30:33.099
company who's been targeted in this list. I think

00:30:33.099 --> 00:30:37.240
if I were ever breached, and it got out, and

00:30:37.240 --> 00:30:41.660
it hit SANS News Bites, the way that I would

00:30:41.660 --> 00:30:45.299
do things is notify people as soon as possible.

00:30:45.960 --> 00:30:49.380
If I got pushed back by police, I would say,

00:30:49.500 --> 00:30:53.519
the problem is that if I don't notify my customers,

00:30:53.839 --> 00:30:59.099
then it gets out six months to a year later,

00:30:59.259 --> 00:31:04.069
and that's bad practice. This is what we must

00:31:04.069 --> 00:31:09.829
do, and we can do it in such a way where it won't

00:31:09.829 --> 00:31:15.650
hurt the investigation. I.e., your information

00:31:15.650 --> 00:31:20.230
was taken, we don't know by whom, there's an

00:31:20.230 --> 00:31:24.289
ongoing investigation, but you need to know that

00:31:24.289 --> 00:31:28.579
this is what's happening. When it's safe for

00:31:28.579 --> 00:31:31.839
us to give you more information about what specifically

00:31:31.839 --> 00:31:36.740
was taken, then we'll do that. At least start

00:31:36.740 --> 00:31:43.519
there. Then when you are released from the police

00:31:43.519 --> 00:31:47.299
and their investigation, you can then come clean

00:31:47.299 --> 00:31:51.440
to say what was taken and how you are going to

00:31:51.440 --> 00:31:55.279
prevent it. But at least giving a heads up that

00:31:55.279 --> 00:31:59.500
information was taken from you is a first start.

00:31:59.640 --> 00:32:03.339
And the fact that an ongoing investigation is

00:32:03.339 --> 00:32:06.660
preventing you from giving details, you can mention

00:32:06.660 --> 00:32:12.720
that. But be as forthcoming as you can and continue

00:32:12.720 --> 00:32:20.059
to provide updates. We've got two LLM stories

00:32:20.059 --> 00:32:26.670
coming up. One before the rest of the news, and

00:32:26.670 --> 00:32:34.490
one after we start the rest of the news. And

00:32:34.490 --> 00:32:38.670
as we do, and we've started to do in these podcasts,

00:32:39.089 --> 00:32:44.690
we'll play a track between each. But first, we

00:32:44.690 --> 00:32:49.809
will start with our first of two LLM stories.

00:32:53.250 --> 00:32:57.529
Email, iMessage: tech, that's T-E-C-H, at M-E-

00:32:57.529 --> 00:33:03.470
N-V-I dot O-R-G. Text or WhatsApp, 804-442-

00:33:03.470 --> 00:33:10.569
6975. Thank you so much for listening, and do

00:33:10.569 --> 00:33:17.490
make it a great day. We will continue in just

00:33:17.490 --> 00:33:40.990
a moment. All right, folks, here comes item three.

00:33:41.150 --> 00:33:46.869
And this is one of two LLM stories. And when

00:33:46.869 --> 00:33:53.430
we merge the podcast, we will put a song in between

00:33:53.430 --> 00:33:59.450
these items. Email, iMessage: tech, that's T-E-

00:33:59.450 --> 00:34:04.539
C-H at M-E-N-V-I dot O-R-G. Thank you

00:34:04.539 --> 00:34:08.880
so much for listening to today's program. I hope

00:34:08.880 --> 00:34:12.059
that you all will be enjoying it as much as I

00:34:12.059 --> 00:34:15.760
am when it finally gets released. Again, we're

00:34:15.760 --> 00:34:23.719
sorry for the delay. The first LLM story is LLMs

00:34:23.719 --> 00:34:32.099
and Healthcare. ChatGPT, Claude, and Google Overviews.

00:34:35.690 --> 00:34:40.250
This is probably important and this may be a

00:34:40.250 --> 00:34:42.849
little bit of a longer segment because it leads

00:34:42.849 --> 00:34:47.510
to something that I actually am now gaining experience

00:34:47.510 --> 00:34:57.250
on. And this is ChatGPT and health. And I think

00:34:57.250 --> 00:35:02.849
it's worth discussing it as part of this particular

00:35:02.849 --> 00:35:09.340
item. It will also be discussed in the next TSB,

00:35:09.480 --> 00:35:14.699
which will be recorded next Wednesday, not this

00:35:14.699 --> 00:35:17.920
coming Wednesday the 28th, but the Wednesday

00:35:17.920 --> 00:35:38.980
afterward. API for use in healthcare, followed

00:35:38.980 --> 00:35:42.920
three days later by Anthropic's announcement

00:35:42.920 --> 00:35:48.460
of a healthcare-focused implementation of the

00:35:48.460 --> 00:35:56.159
Claude LLM. OpenAI's stated aim is to provide

00:35:56.159 --> 00:36:01.420
specific versions of tools that are already in

00:36:01.420 --> 00:36:07.000
use in the healthcare sector. Quote, giving organizations

00:36:07.000 --> 00:36:16.659
a secure enterprise grade foundation while supporting

00:36:16.659 --> 00:36:25.440
HIPAA compliance. I'll say bull. Now, I can surely

00:36:25.440 --> 00:36:31.659
give ChatGPT the link and say, analyze the article

00:36:31.659 --> 00:36:38.030
from this link, titled this. And it could, in

00:36:38.030 --> 00:36:44.250
theory, give me a logical perspective. But, granted,

00:36:44.389 --> 00:36:49.710
I'm relatively new to this. And I'll talk about

00:36:49.710 --> 00:36:54.269
my use as it regards to healthcare as soon

00:36:54.269 --> 00:36:58.110
as we're done reading this and any comments

00:36:58.130 --> 00:37:04.630
I may have decided to pull. Notably, sharing

00:37:04.630 --> 00:37:11.349
medical data with ChatGPT Health removes the

00:37:11.349 --> 00:37:16.989
HIPAA protection from those records, according

00:37:16.989 --> 00:37:24.889
to Sarah Gustafson, Senior Counsel at the Electronic

00:37:24.889 --> 00:37:30.469
Privacy Information Center. The healthcare models

00:37:30.469 --> 00:37:36.929
of ChatGPT will be trained with healthcare workflows

00:37:36.929 --> 00:37:45.130
and promise transparent citations as well as

00:37:45.130 --> 00:37:50.210
integration with institutional software policies,

00:37:50.590 --> 00:37:54.789
access controls, and user management through

00:37:54.789 --> 00:38:05.179
SAML, SSO, and SCIM, and support for HIPAA compliance.

00:38:05.619 --> 00:38:13.340
Quote, patient data and PHI remain under an organization's

00:38:13.340 --> 00:38:21.219
control with options for data residency, audit

00:38:21.219 --> 00:38:30.260
logs, customer managed encryption keys, associate

00:38:30.260 --> 00:38:39.639
agreement BAA with OpenAI to support HIPAA-compliant

00:38:39.639 --> 00:38:46.139
use. The final paragraph of ChatGPT's Terms of

00:38:46.139 --> 00:38:51.460
Service states, Our services are not intended

00:38:51.460 --> 00:38:56.079
for use in the diagnosis or treatment of any

00:38:56.079 --> 00:39:03.119
health condition. Anthropic characterized Claude

00:39:03.119 --> 00:39:09.719
for healthcare as HIPAA ready and says it is

00:39:09.719 --> 00:39:15.579
set up to connect to the Centers for Medicare

00:39:15.579 --> 00:39:22.639
and Medicaid Services CMS coverage database.

00:39:22.920 --> 00:39:30.699
The International Classification of Disease 10th

00:39:30.699 --> 00:39:38.579
Revision ICD-10, and the National Provider Identifier

00:39:38.579 --> 00:39:44.420
Registry. Certain subscription plans allow Claude

00:39:44.420 --> 00:39:50.400
secure access to patient lab results and health

00:39:50.400 --> 00:39:57.139
records. Meanwhile, Google has removed AI Overview

00:39:57.139 --> 00:40:05.210
results from a few specific search queries after

00:40:05.210 --> 00:40:09.989
investigation by The Guardian revealed the site

00:40:09.989 --> 00:40:16.730
offering false and dangerously decontextualized

00:40:16.730 --> 00:40:24.070
medical advice. Examples include harmful diet

00:40:24.070 --> 00:40:31.559
recommendations for pancreatic cancer, and misinformation

00:40:31.559 --> 00:40:38.539
about test results for liver function and cancer.

00:40:40.000 --> 00:40:45.539
Kim Komando mentions not to upload health data

00:40:45.539 --> 00:40:49.840
to these chatbots. I've heard that on her minutes.

00:40:52.380 --> 00:40:58.900
If you do, try to block out any personal info

00:40:58.900 --> 00:41:04.739
tied to you as it can have that. I'll also add

00:41:04.739 --> 00:41:10.139
here that you could probably use temporary chat,

00:41:10.320 --> 00:41:20.199
which does not allow ChatGPT to remember anything.

00:41:23.179 --> 00:41:27.969
Neely and Murray have great points here. Read

00:41:27.969 --> 00:41:32.170
what they have to say. And you can find a link

00:41:32.170 --> 00:41:37.630
in our show notes. That completes Top of the

00:41:37.630 --> 00:41:45.309
News. And we will continue with my thoughts now

00:41:45.309 --> 00:41:54.960
on what I've learned. So... On Saturday, one

00:41:54.960 --> 00:42:00.860
day after I fell sick, I decided, as a free user,

00:42:01.079 --> 00:42:07.480
to subscribe. Not as a paid customer, but to

00:42:07.480 --> 00:42:14.119
keep everything in one place. On Friday, I told

00:42:14.119 --> 00:42:19.780
ChatGPT very specific symptoms that I was having,

00:42:19.860 --> 00:42:26.579
and said, What could cause this? It gave me some

00:42:26.579 --> 00:42:34.800
ideas, and I read them carefully. I asked what

00:42:34.800 --> 00:42:39.420
to do. It said, I think it would be best to do

00:42:39.420 --> 00:42:45.219
this, i.e., maybe rest, maybe... take light

00:42:45.219 --> 00:42:48.940
sips of water. Maybe it's dehydration. Maybe

00:42:48.940 --> 00:42:52.199
it's, you know, various other things. It didn't

00:42:52.199 --> 00:43:01.559
say it was. It never insinuated anything. Then,

00:43:01.820 --> 00:43:08.139
on Saturday, I thought I was getting better.

00:43:08.960 --> 00:43:13.750
But I decided I think I want an account. And

00:43:13.750 --> 00:43:18.210
we'll talk more about ChatGPT specifically on

00:43:18.210 --> 00:43:23.869
Throwback Saturday Night and our next TSB. I'm

00:43:23.869 --> 00:43:27.070
not going to read the technical aspects of the

00:43:27.070 --> 00:43:30.750
notes as I did on Saturday's Independent Artist

00:43:30.750 --> 00:43:35.769
Spotlight Show. But I can tell you that I asked

00:43:35.769 --> 00:43:42.829
the AI to give me a podcast summary. That I could

00:43:42.829 --> 00:43:48.690
use as a technical reason to use the bot. Well,

00:43:48.909 --> 00:43:54.230
I replaced my doctor. Not permanently, mind you.

00:43:54.349 --> 00:44:01.429
But as a, this isn't a bad sign. You can treat

00:44:01.429 --> 00:44:07.750
this at home. If you have these things. And you

00:44:07.750 --> 00:44:17.500
have this food. You do these things. Okay, so bread,

00:44:17.500 --> 00:44:25.179
food. Rice, food. You know, eggs, food. Applesauce,

00:44:25.179 --> 00:44:32.900
food. Unspiced food, like chicken, turkey. When I

00:44:32.900 --> 00:44:39.860
screwed up having barbecue from Wingstop, which

00:44:40.740 --> 00:44:47.579
messed me up pretty bad. It turned into a long

00:44:47.579 --> 00:44:54.420
Sunday. And I also used ChatGPT as a log tool.

00:44:55.480 --> 00:44:59.440
Mainly, if it ever became a problem, I could

00:44:59.440 --> 00:45:03.219
hand my phone to a doctor with the right chat

00:45:03.219 --> 00:45:08.940
log and say, go through that. Tell it to give

00:45:08.940 --> 00:45:13.480
you a doctor's diagnosis, a doctor's write-up,

00:45:13.480 --> 00:45:17.519
which it says it can do, and then they would

00:45:17.519 --> 00:45:20.440
know exactly what to do. And that's the technological

00:45:20.440 --> 00:45:26.920
responsibility, I think, of using a tool. I'm

00:45:26.920 --> 00:45:29.659
not replacing my doctor. I'm not saying, okay,

00:45:29.659 --> 00:45:33.679
doc, I want to come in, but I'm pooping really

00:45:33.679 --> 00:45:40.309
bad, as an example. This is an example, and I

00:45:40.309 --> 00:45:42.429
don't know if I'm going to be able to make it

00:45:42.429 --> 00:45:47.070
in, because you want me to come in, but I'm pooping

00:45:47.070 --> 00:45:51.969
pretty bad. He may just say, you'll have to go

00:45:51.969 --> 00:45:55.150
to the hospital, and you're going to need to

00:45:55.150 --> 00:45:57.670
get treated there, and I'll come and see you.

00:45:57.949 --> 00:46:05.559
That's the worst they'd say. Maybe you could

00:46:05.559 --> 00:46:12.440
order these items from the local store, i.e.

00:46:12.539 --> 00:46:19.460
an antacid or some other medication, and try

00:46:19.460 --> 00:46:22.800
those. I'm not going into any detail of what

00:46:22.800 --> 00:46:28.380
I had or didn't have, but I continue to log until

00:46:28.380 --> 00:46:32.619
I feel stabilized enough. Although I am feeling

00:46:32.619 --> 00:46:36.940
better as I said. But it's important to know

00:46:36.940 --> 00:46:43.559
what to disclose instead. What causes this? Or

00:46:43.559 --> 00:46:48.340
what should I eat? My stomach is still whatever.

00:46:48.739 --> 00:46:52.539
I still have these symptoms. But I'm hungry.

00:46:54.639 --> 00:47:04.570
And that's perfectly fine. whole health history.

00:47:06.030 --> 00:47:12.329
Okay? That's the goal, right? I didn't upload

00:47:12.329 --> 00:47:15.250
my whole health history, then give it something

00:47:15.250 --> 00:47:19.710
new. I'm dealing with something in the moment.

00:47:19.829 --> 00:47:24.329
It's giving me advice of what it could be and

00:47:24.329 --> 00:47:31.789
says, if this gets worse, i.e., if... it's diarrhea,

00:47:32.170 --> 00:47:35.650
if it gets worse and you're going more often,

00:47:35.789 --> 00:47:41.469
you start throwing up, you start feeling lightheaded,

00:47:41.690 --> 00:47:45.090
you're dizzy, you're this, you're that, then

00:47:45.090 --> 00:47:48.610
I would seek medical help. You can treat this

00:47:48.610 --> 00:47:53.530
at home by resting, eating bread, rice, applesauce,

00:47:53.590 --> 00:47:59.469
you know, things that are, you know, eggs. I'll

00:47:59.469 --> 00:48:02.630
tell you what, folks. It felt so good to eat.

00:48:02.869 --> 00:48:06.730
I ended up eating four eggs and not have any

00:48:06.730 --> 00:48:11.510
symptoms. And the day I'm recording, I am actually

00:48:11.510 --> 00:48:16.050
feeling so much better. I had a half a meal this

00:48:16.050 --> 00:48:21.590
afternoon, a recording date, which included fish,

00:48:21.769 --> 00:48:27.389
rice, and some salad. I ate the entire fish.

00:48:27.869 --> 00:48:30.550
I still have some rice, some salad, and the pita

00:48:30.550 --> 00:48:33.849
left. But I tell you what, I feel pretty good.

00:48:34.690 --> 00:48:38.730
I've got a hot chocolate here to help with any

00:48:38.730 --> 00:48:41.690
throat issues because there are times that I

00:48:41.690 --> 00:48:44.469
start coughing or want to clear my throat, and

00:48:44.469 --> 00:48:48.789
the warm liquid will assist with that. Or I could

00:48:48.789 --> 00:48:51.909
have some sort of water, whether bottled or canned.

00:48:53.110 --> 00:48:56.309
But the point I'm trying to make here is that

00:48:56.309 --> 00:49:01.190
it's telling me that I made the right call.

00:49:01.409 --> 00:49:07.429
I did not force anything. I did not give it more

00:49:07.429 --> 00:49:12.010
than it needs to know. And it was giving me simple

00:49:12.010 --> 00:49:22.789
advice. So, I think now I will actually read

00:49:22.789 --> 00:49:28.440
the document that I titled, AI Use for Diagnosing

00:49:28.440 --> 00:49:33.119
Health Concerns from a Tech Perspective. And

00:49:33.119 --> 00:49:36.320
we will actually dive into this as part of a

00:49:36.320 --> 00:49:43.380
deeper discussion on AI later on. The tech angle.

00:49:45.739 --> 00:49:53.110
AI as a thinking partner, not a doctor. What

00:49:53.110 --> 00:49:58.030
this experiment shows isn't that AI replaces

00:49:58.030 --> 00:50:03.429
doctors. It's that it can act as a real-time

00:50:03.429 --> 00:50:07.710
thinking partner. So I asked it, what do you

00:50:07.710 --> 00:50:10.969
think I should do? Should I go to the doctor?

00:50:11.130 --> 00:50:17.110
Is this urgent? Can I treat this at home? What

00:50:17.110 --> 00:50:24.590
would I need? Right? You had a... mild, but uncomfortable

00:50:24.590 --> 00:50:29.050
health issue. So it's not even telling you publicly

00:50:29.050 --> 00:50:32.289
what I had, and I'm not telling you publicly

00:50:32.289 --> 00:50:37.030
what I had. I used diarrhea or stomach issue

00:50:37.030 --> 00:50:42.630
as an example in the talk. I'm not saying publicly

00:50:42.630 --> 00:50:46.750
whether that's what I had or not. As an emergency,

00:50:47.779 --> 00:50:52.420
not as something that clearly required urgent

00:50:52.420 --> 00:50:57.300
care, just enough to make you unsure. So again,

00:50:57.519 --> 00:51:01.719
you had a mild uncomfortable health issue, not

00:51:01.719 --> 00:51:05.260
an emergency, not something that clearly required

00:51:05.260 --> 00:51:09.039
urgent care, just enough to make you unsure.

00:51:11.360 --> 00:51:14.519
That's the gray zone where people usually panic

00:51:14.519 --> 00:51:21.820
over Google. Worst case scenario or ignore symptoms

00:51:21.820 --> 00:51:29.380
entirely. I didn't ignore those symptoms, ladies

00:51:29.380 --> 00:51:32.719
and gentlemen. I was purely saying, this is what

00:51:32.719 --> 00:51:37.659
I have. Is this urgent? Is there something I

00:51:37.659 --> 00:51:43.219
can do? What's going on here? Instead, you use

00:51:43.219 --> 00:51:48.659
the conversational AI to... talk through symptoms

00:51:48.659 --> 00:51:54.440
in plain language. Sanity check decisions. What

00:51:54.440 --> 00:51:58.340
to eat. What to avoid. That's in parentheses.

00:51:59.400 --> 00:52:03.019
Slow yourself down enough to make measured choices.

00:52:05.139 --> 00:52:09.679
From a tech perspective, that's important. AI

00:52:09.679 --> 00:52:14.300
lowered the cognitive load. That's important.

00:52:14.639 --> 00:52:19.110
It didn't... make me overthink. People probably

00:52:19.110 --> 00:52:22.630
overthink and probably would overreact. Oh God,

00:52:22.690 --> 00:52:24.530
I gotta go to the doctor. I've got diarrhea.

00:52:24.809 --> 00:52:27.329
Or I've gotta go to the doctor. I've got whatever.

00:52:28.090 --> 00:52:31.309
Sometimes you can just treat this stuff at home.

00:52:31.489 --> 00:52:36.190
Again, I'm not publishing any medical anything.

00:52:36.969 --> 00:52:41.650
Those who may know what happened to me are close

00:52:42.360 --> 00:52:47.340
friends, and people I trust. I'm using these

00:52:47.340 --> 00:52:51.239
as an example as part of talking on a podcast.

00:52:52.860 --> 00:52:57.500
It didn't diagnose. It helped you organize your

00:52:57.500 --> 00:53:02.079
thinking. And I wasn't saying I was ever diagnosed

00:53:02.079 --> 00:53:09.820
by AI. It knew it was potentially GI because

00:53:09.820 --> 00:53:16.550
it knows by its models that it's stomach-related

00:53:16.550 --> 00:53:21.909
because one of the symptoms was diarrhea, right?

00:53:22.010 --> 00:53:25.590
So if that was the case, then it knew it was

00:53:25.590 --> 00:53:31.050
GI? I didn't know what all that meant, but it

00:53:31.050 --> 00:53:36.269
does. That's its job. Why that matters technologically.

00:53:37.690 --> 00:53:42.469
AI is always available, unlike doctors, friends,

00:53:42.610 --> 00:53:47.070
or hotlines. And that's important. You can't

00:53:47.070 --> 00:53:50.869
call a hotline. Some friends you trust may not

00:53:50.869 --> 00:53:53.349
be available or may not have the knowledge to

00:53:53.349 --> 00:53:58.449
know or advise you what to do. And hotlines,

00:53:58.489 --> 00:54:01.010
I don't know if I would call a hotline to get

00:54:01.010 --> 00:54:07.409
advice like that. It's non-judgmental, which

00:54:07.409 --> 00:54:11.579
makes... people more honest. It didn't judge

00:54:11.579 --> 00:54:17.780
me. It said, this sounds like a GI problem. I

00:54:17.780 --> 00:54:21.360
would recommend rest right now. Don't eat anything.

00:54:21.719 --> 00:54:26.920
Just relax. Take it easy. Turn on Nature Space.

00:54:27.239 --> 00:54:33.019
Turn on SiriusXM Yoga or any of the other channels

00:54:33.019 --> 00:54:36.400
I told it that I listen to on a regular basis

00:54:37.260 --> 00:54:42.480
to keep myself calm, relaxed, and in the frame

00:54:42.480 --> 00:54:48.519
of mind as part of my everyday life these days.

00:54:51.340 --> 00:54:57.159
It can respond dynamically as conditions change.

00:54:58.420 --> 00:55:03.949
Diarrhea is gone. Burps remain. So... if the

00:55:03.949 --> 00:55:08.710
condition was that I had acid burps, but the

00:55:08.710 --> 00:55:11.829
diarrhea was gone at one point, then it could

00:55:11.829 --> 00:55:16.190
advise me, okay, if this is consistent, maybe

00:55:16.190 --> 00:55:20.190
you should get some type of medication. And it

00:55:20.190 --> 00:55:24.329
named the type of medications to get. And it

00:55:24.329 --> 00:55:29.489
said, get one, don't get all. That's important.

00:55:31.409 --> 00:55:38.820
That loop, observe, reflect, adjust, is basically

00:55:38.820 --> 00:55:44.320
a feedback system. You were running a human-in-the-loop

00:55:44.320 --> 00:55:49.940
health model. The subtle win. The
-the -loop health model. The subtle win. The

00:55:49.940 --> 00:55:53.960
healing didn't come from advice alone. It came

00:55:53.960 --> 00:55:59.420
from thoughtful planning. Okay? So, eating small

00:55:59.420 --> 00:56:05.980
portions, avoiding known irritants, soda. So

00:56:05.980 --> 00:56:09.239
I bought a soda one day, but I didn't touch it.

00:56:09.340 --> 00:56:13.420
And even when I did touch it, I took slow, deliberate

00:56:13.420 --> 00:56:19.920
sips, put it down, and left it there. Monitoring

00:56:19.920 --> 00:56:24.539
changes instead of reacting emotionally. So for

00:56:24.539 --> 00:56:28.199
example, okay, it's 10 o'clock at night. I'm

00:56:28.199 --> 00:56:31.860
done with the diarrhea. I still have this issue

00:56:31.860 --> 00:56:36.280
or that issue. What's next? Try and get some

00:56:36.280 --> 00:56:39.599
sleep. See how you feel in the morning. If you

00:56:39.599 --> 00:56:43.219
have anything overnight, let me know and we'll

00:56:43.219 --> 00:56:48.059
reevaluate. If it seems like you need to go get

00:56:48.059 --> 00:56:53.019
medical care, I'll advise that. Otherwise, I'm

00:56:53.019 --> 00:56:57.559
here for you. AI didn't replace intuition.

00:56:59.949 --> 00:57:06.590
Amplified it. The responsible take. AI works

00:57:06.590 --> 00:57:11.190
best in low-risk situations as a support tool,

00:57:11.449 --> 00:57:16.210
not as a replacement for medical care. And I

00:57:16.210 --> 00:57:19.889
think that's the very important thing. If it

00:57:19.889 --> 00:57:24.349
said, this sounds like urgent care, you need

00:57:24.349 --> 00:57:28.550
to do this, then that's exactly what I would

00:57:28.550 --> 00:57:33.110
do. I hope it never comes to that. But now I

00:57:33.110 --> 00:57:37.889
have the tools to assist me, i.e., if my symptoms

00:57:37.889 --> 00:57:43.190
were, I'm coughing. I can't breathe. This feels

00:57:43.190 --> 00:57:45.769
to me like an upper respiratory infection. I

00:57:45.769 --> 00:57:50.769
get them regularly. I've tried to rest, but I

00:57:50.769 --> 00:57:56.769
can't rest. I can't sleep. When I cough, it hurts.

00:57:57.530 --> 00:58:00.230
That type of thing. Then it would probably say,

00:58:00.250 --> 00:58:09.210
go get medical care. It's great for reassurance,

00:58:09.210 --> 00:58:15.469
decision scaffolding, knowing when to wait versus

00:58:15.469 --> 00:58:22.030
when to escalate. And that's a very defensible,

00:58:22.130 --> 00:58:27.570
forward-thinking tech use case. So that's that

00:58:27.570 --> 00:58:31.250
file. And that, I think, is important. Because

00:58:31.250 --> 00:58:38.050
if we take nothing else out of this, then what

00:58:38.050 --> 00:58:44.550
would AI be used for? I did use it for finding

00:58:44.550 --> 00:58:52.110
out when an artist is an independent. I've used

00:58:52.110 --> 00:58:56.639
it more recently and discussed vending machines

00:58:56.639 --> 00:59:03.760
and other accessibility stuff. I even had it

00:59:03.760 --> 00:59:08.380
generate an email which I submitted because there

00:59:08.380 --> 00:59:15.460
was a serious issue in the ChatGPT app itself

00:59:15.460 --> 00:59:21.599
as I was learning it. So it can be very useful

00:59:21.599 --> 00:59:26.400
in the right situations. You've just got to be

00:59:26.400 --> 00:59:32.579
smart and not share every little detail. Or maybe,

00:59:32.800 --> 00:59:36.719
if that's what you're going to do, switch off

00:59:36.719 --> 00:59:44.699
the item to let it learn from your account so

00:59:44.699 --> 00:59:48.880
that it can be trained based on everything you

00:59:48.880 --> 00:59:58.300
have. cause problems, and I'm not going to say

00:59:58.300 --> 01:00:00.960
hallucinate because we'll talk about that more

01:00:00.960 --> 01:00:06.539
on TSB. There's a lot I want to get into when

01:00:06.539 --> 01:00:13.280
it comes to the aspect of this whole AI thing

01:00:13.280 --> 01:00:17.199
because the hallucination topic was very fascinating

01:00:17.199 --> 01:00:20.320
when I was talking to it about that specifically.

01:00:22.920 --> 01:00:26.019
Now, it could say, I don't hallucinate, I make

01:00:26.019 --> 01:00:30.239
up stuff. Well, maybe in the tech press's mind,

01:00:30.360 --> 01:00:35.099
that's hallucination. And that I understand.

01:00:35.579 --> 01:00:40.619
But that's because it's just fed a lot. And we'll

01:00:40.619 --> 01:00:44.119
discuss all of that later. But in the context

01:00:44.119 --> 01:00:48.860
of whether I would use it in, like, a hospital

01:00:48.860 --> 01:00:53.380
as part of clinician work? Maybe in the right

01:00:53.380 --> 01:00:58.820
circumstances, i.e., a chat for each client,

01:00:58.980 --> 01:01:06.280
the account not being in the I'll share everything

01:01:06.280 --> 01:01:10.340
so that the models learn from what I'm doing

01:01:10.340 --> 01:01:13.519
option. I forget exactly what it's called at

01:01:13.519 --> 01:01:17.739
the moment, but we'll dive into all of that when

01:01:17.739 --> 01:01:23.010
we do our AI chat. Suffice it to say, I've got

01:01:23.010 --> 01:01:26.349
a lot of ideas coming for that podcast, and I'll

01:01:26.349 --> 01:01:31.869
start work on that very soon. In the meantime,

01:01:32.269 --> 01:01:36.570
as I said, I wanted to include this as part of

01:01:36.570 --> 01:01:40.969
this discussion so that you are aware of how

01:01:40.969 --> 01:01:45.269
I used it. And yes, I did give a couple of symptoms,

01:01:45.389 --> 01:01:48.010
but I'm not giving every little detail because

01:01:48.010 --> 01:01:51.880
it honestly doesn't matter. I'm good now. It

01:01:51.880 --> 01:01:55.780
may take me another day to get this particular

01:01:55.780 --> 01:01:59.239
podcast out because I had several days off and

01:01:59.239 --> 01:02:02.400
I'm doing this mid-afternoon and I don't know

01:02:02.400 --> 01:02:09.920
if I want to stay and do this all night. In the

01:02:09.920 --> 01:02:16.039
meantime, I do want to play the track which will

01:02:16.039 --> 01:02:18.500
be coming up next. I'm not going to tell you

01:02:18.500 --> 01:02:22.050
what it is do this on the fly and I don't know

01:02:22.050 --> 01:02:25.130
what I'm going to pick. We will continue with

01:02:25.130 --> 01:02:28.329
the rest of the news right after this track.

01:02:28.510 --> 01:02:33.610
This is SANS episode 38 covering the newsletter

01:02:33.610 --> 01:08:45.020
for January 13th, 2026. Back to SANS 38, and you're

01:08:45.020 --> 01:08:49.779
probably saying, you should have released this

01:08:49.779 --> 01:08:59.560
a long time ago. Yes, this is absolutely true, but

01:08:59.560 --> 01:09:04.880
after I started recording this program, all hell

01:09:04.880 --> 01:09:17.229
broke loose. I got sick. I got better. The computer

01:09:17.229 --> 01:09:21.050
actually had technical problems that needed resolving.

01:09:22.750 --> 01:09:31.430
I got sick again. The 40-cell display I normally

01:09:31.430 --> 01:09:42.800
use ended up having dot issues, where now it's

01:09:42.800 --> 01:09:52.420
out for repair. My 32-cell BrailleSense is

01:09:52.420 --> 01:09:57.260
having issues. And then I had to bite the bullet

01:09:57.399 --> 01:10:03.359
and get the e-reader from HumanWare. So there's

01:10:03.359 --> 01:10:09.760
been lots of technical debt. So that's really

01:10:09.760 --> 01:10:15.819
been the real reason why this podcast has been

01:10:15.819 --> 01:10:19.600
delayed. But I'm hoping to get back into things.

01:10:19.680 --> 01:10:24.079
Number one, the Orbit arrived to get repaired.

01:10:24.659 --> 01:10:30.199
I have an e-reader that I can use. And between

01:10:30.199 --> 01:10:34.479
everything, I can, in theory, now try and get

01:10:34.479 --> 01:10:39.199
back into things. And everything is going to

01:10:39.199 --> 01:10:46.270
be... all well and good. So we're going to start

01:10:46.270 --> 01:10:52.909
the rest of the week's news for this newsletter

01:10:52.909 --> 01:11:01.890
that we started covering way back in January.

01:11:04.010 --> 01:11:12.029
Item number one in this segment is LLM APIs targeted

01:11:12.029 --> 01:11:22.609
by threat actors and gray hat hackers. And this

01:11:22.609 --> 01:11:33.470
could still be going on today in different situations.

01:11:33.869 --> 01:11:37.789
So even though this podcast is going to be out

01:11:41.710 --> 01:11:45.029
in April, because of all of the issues that we've

01:11:45.029 --> 01:11:50.710
had going on, some of this news that you're going

01:11:50.710 --> 01:11:56.989
to be hearing may still apply. So, as I say,

01:11:57.170 --> 01:11:59.850
better late than never, because I tried to get

01:11:59.850 --> 01:12:03.989
this out before the computer actually died. So,

01:12:04.069 --> 01:12:13.909
I at least tried. Threat research from a GreyNoise

01:12:13.909 --> 01:12:22.250
honeypot shows two recent campaigns probing

01:12:22.250 --> 01:12:29.989
the security of LLM APIs by way of misconfigured

01:12:29.989 --> 01:12:37.729
proxy servers. The first campaign spanned from

01:12:37.729 --> 01:12:44.479
October 2025 to January 2026, exploiting server-side

01:12:44.479 --> 01:12:51.180
request forgery vulnerabilities to target

01:12:51.399 --> 01:12:59.859
L-L-A-M-A, or, actually, this is Ollama. Sorry.

01:13:00.060 --> 01:13:05.420
So, to target Ollama model pull functionality

01:13:06.439 --> 01:13:17.659
and Twilio SMS webhook integrations. The attackers

01:13:17.659 --> 01:13:30.720
used ProjectDiscovery's OAST (out-of-band application

01:13:30.720 --> 01:13:39.100
security testing) infrastructure to confirm successful

01:13:39.100 --> 01:13:49.460
SSRF exploitation, leading GreyNoise to believe

01:13:49.460 --> 01:13:55.300
the attackers were likely researchers or bug

01:13:55.300 --> 01:14:03.939
bounty hunters. The second campaign, however,

01:14:03.960 --> 01:14:12.050
was most likely a professional threat actor conducting

01:14:12.050 --> 01:14:23.130
reconnaissance by methodically probing at least

01:14:23.130 --> 01:14:32.949
73 LLM model endpoints over 11 days starting

01:14:32.949 --> 01:14:39.699
December 28, 2025. Again, I want to just make

01:14:39.699 --> 01:14:44.800
sure that while the podcast is going to be released

01:14:44.800 --> 01:14:48.520
well after this was published, and the link is

01:14:48.520 --> 01:14:54.800
going to be in the show notes, this type of thing

01:14:54.800 --> 01:15:05.180
could possibly have gone from research to a possible

01:15:05.180 --> 01:15:09.210
problem. Now, I haven't heard of this happening

01:15:09.210 --> 01:15:14.050
yet, and because we're so late, I want to make

01:15:14.050 --> 01:15:21.489
it known that this could, in theory, be happening.

01:15:22.829 --> 01:15:32.569
Yes, I did that on purpose. The attackers generated

01:15:32.569 --> 01:15:42.689
over 80,000... in that time, hunting for misconfigured

01:15:42.689 --> 01:15:48.810
proxy servers that might leak access to commercial

01:15:48.810 --> 01:16:02.010
APIs. Every major model family appeared in the

01:16:02.010 --> 01:16:13.119
probe list. Data associates the attacker's IPs

01:16:13.119 --> 01:16:20.859
with extensive previous CVE exploitation, and

01:16:20.859 --> 01:16:31.020
the researchers posit that the threat actor is

01:16:31.020 --> 01:16:38.430
building target lists as part of a larger pipeline.

01:16:40.149 --> 01:16:47.050
GreyNoise recommends users configure Ollama to

01:16:47.050 --> 01:16:53.670
only accept models from trusted registries, set

01:16:53.670 --> 01:16:59.909
up alerts for rapid-fire requests and fingerprinting

01:16:59.909 --> 01:17:08.859
queries, block OAST at DNS, rate-limit suspicious

01:17:08.859 --> 01:17:20.199
ASNs, and monitor JA4 fingerprints. The blog

01:17:20.199 --> 01:17:25.920
post contains network fingerprints, OAST callback

01:17:25.920 --> 01:17:32.439
domains, and IP addresses to block as part of

01:17:33.020 --> 01:17:40.640
defending LLM infrastructure. Dukes writes, API

01:17:40.640 --> 01:17:46.020
security continues to be a concern and misconfigurations

01:17:46.020 --> 01:17:51.760
are the leading cause. Software developers should

01:17:51.760 --> 01:18:01.060
reference the OWASP API Security Project's Top

01:18:01.560 --> 01:18:07.699
10 list as a guide when building the API. And

01:18:07.699 --> 01:18:13.960
while you're at it, fund the OWASP nonprofit.

01:18:15.500 --> 01:18:22.340
They do great work. Neely, who was first, writes,

01:18:22.439 --> 01:18:30.319
the action here is to make sure your threat hunters

01:18:31.199 --> 01:18:42.600
are incorporating IOCs and that you're taking

01:18:42.600 --> 01:18:56.260
steps to protect your LLMs, including GreyNoise's

01:18:56.260 --> 01:19:01.600
suggestions of only allowing models

01:19:01.600 --> 01:19:10.220
from trusted repositories, watching for enumeration

01:19:10.220 --> 01:19:15.800
patterns and rate-limiting blocking suspicious

01:19:15.800 --> 01:19:21.979
networks and domains. And all I'm going to say

01:19:21.979 --> 01:19:27.159
is this. While I understand this is late, and

01:19:27.159 --> 01:19:30.439
later than I really wanted, because we really

01:19:30.439 --> 01:19:34.920
tried to get SANS NewsBites out within one week

01:19:34.920 --> 01:19:41.060
of it hitting my inbox, and all the trouble that

01:19:41.060 --> 01:19:48.500
I discussed in my introduction to this segment,

01:19:48.619 --> 01:19:57.619
we've really got to still be aware of this research

01:19:57.619 --> 01:20:04.319
in case you've noticed that things have changed.

01:20:07.800 --> 01:20:14.060
It's not necessarily about the fact that it's

01:20:14.060 --> 01:20:18.020
late news. Well, Jared, you shouldn't even be

01:20:18.020 --> 01:20:21.380
covering this because it's months old. Yes, you're

01:20:21.380 --> 01:20:24.850
absolutely right. But the problem is that I started

01:20:24.850 --> 01:20:29.470
recording this when this was actually first put

01:20:29.470 --> 01:20:32.710
out as a newsletter. So now all I'm going to

01:20:32.710 --> 01:20:35.989
do is finish the work that should have been done

01:20:35.989 --> 01:20:39.510
in the first place if it wasn't all of the issues

01:20:39.510 --> 01:20:43.329
I was trying to deal with that I stated above.

01:20:43.729 --> 01:20:49.069
And part of that delay was getting sick. And

01:20:49.069 --> 01:20:51.750
I'll tell you what. What I was going through

01:20:51.750 --> 01:20:57.130
wasn't all that fun. It wasn't necessarily COVID

01:20:57.130 --> 01:21:01.149
or a cold or anything. It could have been a stomach

01:21:01.149 --> 01:21:05.729
bug or two because I had that happen to me twice

01:21:05.729 --> 01:21:09.609
in the matter of several months since I first

01:21:09.609 --> 01:21:17.310
started recording this program. All we're saying

01:21:17.310 --> 01:21:22.949
here, folks, is that this is something that still

01:21:22.949 --> 01:21:27.810
should be at least read. Understand it, because

01:21:27.810 --> 01:21:31.630
once this really gets out in the public, while

01:21:31.630 --> 01:21:35.750
we may not know about it now, it could be part

01:21:35.750 --> 01:21:42.250
of some arsenal later on. And I think that's

01:21:42.250 --> 01:21:52.109
really one of the reasons why I still want to

01:21:52.109 --> 01:22:03.409
cover this because, yes, it's late now. I understand

01:22:03.409 --> 01:22:11.729
that. But could this become a future reality

01:22:11.729 --> 01:22:23.479
problem? Hmm. Something to think about. Instagram

01:22:23.479 --> 01:22:27.039
is in the news, and we always know that Instagram

01:22:27.039 --> 01:22:31.840
has always hit some kind of news. So, since we're

01:22:31.840 --> 01:22:35.539
still in January for this newsletter, it wouldn't

01:22:35.539 --> 01:22:39.520
surprise me if other Instagram stuff has come

01:22:39.520 --> 01:22:42.960
out, but we've got something interesting coming

01:22:42.960 --> 01:22:47.500
up next, as we're going to talk about password

01:22:47.500 --> 01:22:54.039
reset emails. And I think this is still appropriate.

01:22:54.119 --> 01:22:58.539
Again, even though this is months afterward,

01:22:58.819 --> 01:23:03.619
which was never my intent. But we always hear

01:23:03.619 --> 01:23:11.960
about issues where password reset emails... could

01:23:11.960 --> 01:23:17.359
trigger things that you're not expecting. I'm

01:23:17.359 --> 01:23:23.380
Jared Reimer. You've got SANS 38. We will continue

01:23:23.380 --> 01:23:44.699
in just a moment. Let's talk a little bit about

01:23:44.699 --> 01:23:51.880
passwords. In this story from the SANS NewsBites

01:23:51.880 --> 01:23:57.439
that we have been delayed on, this one's titled,

01:23:57.520 --> 01:24:08.119
Instagram password reset emails are unrelated

01:24:08.119 --> 01:24:20.550
to alleged... data breach. So again, this is going

01:24:20.550 --> 01:24:23.350
to be covered late because we want to finish

01:24:23.350 --> 01:24:30.689
this before we move into other SANS content, and

01:24:30.689 --> 01:24:33.970
I feel that that's more appropriate because we've

01:24:33.970 --> 01:24:52.710
had this here for a while. So, let's do this by

01:24:52.710 --> 01:25:04.529
reading it. On January 9th, 2026, Malwarebytes

01:25:04.529 --> 01:25:08.699
warned that cybercriminals stole the sensitive

01:25:08.699 --> 01:25:18.500
information of 17.5 million Instagram accounts,

01:25:18.899 --> 01:25:23.399
including usernames, physical addresses, phone

01:25:23.399 --> 01:25:29.060
numbers, email addresses, and more, and posted

01:25:29.060 --> 01:25:36.090
a screenshot showing an Instagram password reset

01:25:36.090 --> 01:25:46.590
email. However, the data in question and recent

01:25:46.590 --> 01:25:54.449
reports of unsolicited Instagram password reset

01:25:54.449 --> 01:26:03.090
requests are not related despite surfacing online

01:26:04.489 --> 01:26:14.289
simultaneously. Instagram announced via social

01:26:14.289 --> 01:26:21.409
media on January 10th that while there was no

01:26:21.409 --> 01:26:30.310
breach of their systems, the company has now

01:26:30.310 --> 01:26:36.069
fixed a vulnerability that had allowed a third

01:26:36.069 --> 01:26:41.649
party to trigger password reset emails and directs

01:26:41.649 --> 01:26:49.210
users to disregard the emails. Well, even as

01:26:49.210 --> 01:26:53.449
late as this is, that's always good news. Well,

01:26:53.569 --> 01:26:58.229
we did have an issue, but it's unrelated to what...

01:27:01.680 --> 01:27:06.239
was actually going on. So, that's always great

01:27:06.239 --> 01:27:10.239
news. And as late as this is, I do want to say

01:27:10.239 --> 01:27:15.420
that overall, this is great news, right? There

01:27:15.420 --> 01:27:24.039
wasn't a known breach that claimed to reset emails,

01:27:24.260 --> 01:27:29.920
but a similar issue that could be unrelated.

01:27:30.800 --> 01:27:34.619
And I'm not saying back then that there was an

01:27:34.619 --> 01:27:39.260
issue with Instagram. Remember, it's a Facebook

01:27:39.260 --> 01:27:47.420
product. No recent data breach has been confirmed

01:27:47.420 --> 01:27:51.800
by Meta, but Malwarebytes was likely referring

01:27:51.800 --> 01:27:58.920
to a dataset recently published in a hacking

01:27:58.920 --> 01:28:04.779
forum and listed on Troy Hunt's site, Have I

01:28:04.779 --> 01:28:11.859
Been Pwned? And that is still a great site, and

01:28:11.859 --> 01:28:19.100
TSB has not been really keeping up with Have

01:28:19.100 --> 01:28:25.199
I Been Pwned in recent times. Not because we

01:28:25.199 --> 01:28:29.239
don't want to, but because there's so much happening.

01:28:31.159 --> 01:28:37.439
And I think people just need to find time to

01:28:37.439 --> 01:28:40.220
really check these things out on their own instead

01:28:40.220 --> 01:28:46.479
of me just saying, okay, this is what they're

01:28:46.479 --> 01:28:51.939
reporting. Because honestly, we don't see a lot

01:28:51.939 --> 01:29:00.359
of stories like they do. And... Everything else.

01:29:08.560 --> 01:29:28.050
So... That is... Where we are. So in parentheses,

01:29:28.310 --> 01:29:34.149
H-I-B-P. So if you haven't been there, Have

01:29:34.149 --> 01:29:40.130
I Been P-W-N-E-D dot com. Find a link at

01:29:40.130 --> 01:29:47.279
emailhostsecurity.com under our resources. Our

01:29:47.279 --> 01:29:50.619
resources can be gotten to directly at emailhostsecurity

01:29:50.619 --> 01:30:00.880
.net. H-I-B-P is one of two websites that

01:30:00.880 --> 01:30:06.779
we actually recommend. The other is ExposedOrNot,

01:30:07.020 --> 01:30:12.380
X-P-O-S-E-D-OrNot.com, which you can also

01:30:12.380 --> 01:30:20.640
find on our website. The data allegedly contain

01:30:20.640 --> 01:30:27.979
user information obtained via API scraping. Some

01:30:27.979 --> 01:30:31.659
cybersecurity researchers speculate that the

01:30:31.659 --> 01:30:37.920
breach happened in 2022, but the data's provenance,

01:30:37.920 --> 01:30:43.699
authenticity, and age have not been publicly

01:30:43.699 --> 01:30:56.380
corroborated. BleepingComputer posits that the

01:30:56.380 --> 01:31:01.880
data may be a compilation of previously scraped

01:31:01.880 --> 01:31:07.039
information about multiple sources over several

01:31:07.039 --> 01:31:18.390
years. And we know by default that there could

01:31:18.390 --> 01:31:25.630
be a breach, okay? But actors may not use anything

01:31:25.630 --> 01:31:33.010
from it. But then, there could be another breach.

01:31:34.829 --> 01:31:39.069
Let's say you're not in the original, right?

01:31:39.170 --> 01:31:42.750
So, if Instagram was breached, you don't have

01:31:42.750 --> 01:31:46.670
an Instagram account. But all of a sudden, your

01:31:46.670 --> 01:31:51.729
information comes out because some other breach

01:31:51.729 --> 01:31:58.649
happened. But yet, it's tied, for example, to

01:31:58.649 --> 01:32:04.869
a story like this one, where you could get an

01:32:04.869 --> 01:32:07.789
email saying that your account was compromised,

01:32:07.989 --> 01:32:14.399
yet you have no Instagram account. So they could

01:32:14.399 --> 01:32:19.079
package a dataset, call it an Instagram breach,

01:32:19.220 --> 01:32:25.979
even though Instagram, in its right, could say,

01:32:26.020 --> 01:32:51.529
no, that's not our breach. So, that's that. I

01:32:51.529 --> 01:32:56.029
did see the Malwarebytes story in their newsletter.

01:32:56.350 --> 01:33:00.649
A combination of things is what I figure, and

01:33:00.649 --> 01:33:08.409
I did not post the article. So, back then, I

01:33:08.409 --> 01:33:12.409
decided not to publish it, because it seemed

01:33:12.409 --> 01:33:16.840
to me that there was a whole combination of things

01:33:16.840 --> 01:33:27.840
going on here. And this could happen even now.

01:33:30.500 --> 01:33:35.020
We covered this in our last TSB program in passing.

01:33:35.220 --> 01:33:41.640
So if you listen to TSB in January, you will

01:33:41.640 --> 01:33:47.920
hear us talk about this particular story because

01:33:47.920 --> 01:33:54.539
Nick mentioned it, and yes, I still think this

01:33:54.539 --> 01:34:02.449
is going on today. Neely writes, It's a good

01:34:02.449 --> 01:34:07.789
time to check the HIBP website for all your email

01:34:07.789 --> 01:34:11.829
addresses, as well as make sure that your password

01:34:11.829 --> 01:34:16.750
practices are up to snuff. You know the drill.

01:34:16.949 --> 01:34:21.229
Use good passwords, don't reuse them, and enable

01:34:21.229 --> 01:34:29.529
MFA and passkeys for, I'm sorry, wherever supported.

01:34:30.539 --> 01:34:34.119
If you have any doubts about the security of

01:34:34.119 --> 01:34:38.319
a password for a service, update it using their

01:34:38.319 --> 01:34:42.659
password changing mechanism. Disabled accounts

01:34:42.659 --> 01:34:49.300
for services you are no longer using. I'm sorry,

01:34:49.399 --> 01:34:56.180
it says disable, not disabled. And I think that

01:34:56.180 --> 01:35:00.619
is a great idea, if the service allows you to

01:35:00.619 --> 01:35:10.899
do that. Keep a record of that action. Sometimes

01:35:10.899 --> 01:35:19.319
it takes a bit to close an account. You can also

01:35:19.319 --> 01:35:26.399
check ExposedOrNot, whose link is on our website

01:35:27.289 --> 01:35:33.170
at emailhostsecurity.net. The short link to

01:35:33.170 --> 01:35:39.270
the resources page, as I talked about in this

01:35:39.270 --> 01:36:03.560
segment. Let's continue now with Breach Forums.

01:36:03.899 --> 01:36:11.939
And even though this is late, I always love stories

01:36:11.939 --> 01:36:16.859
like this because we know Breach Forums was never

01:36:16.859 --> 01:36:20.600
meant to be good. And if we can get a couple

01:36:20.600 --> 01:36:23.340
of stories, even though this is going to be months

01:36:23.340 --> 01:36:34.819
late, I win completely. Right, so... Item number

01:36:34.819 --> 01:36:38.939
three in the rest of the news says, breach forum

01:36:38.939 --> 01:36:47.420
member data leaked. Resecurity has analyzed a

01:36:47.420 --> 01:36:56.119
database of 323,986 forum members' records alleged

01:36:56.119 --> 01:37:03.100
to identify... administrators, moderators, and

01:37:03.100 --> 01:37:07.720
users of the latest incarnation of a cybercrime

01:37:07.720 --> 01:37:12.840
forum called Breach Forums. Let me make this

01:37:12.840 --> 01:37:17.859
very clear that at this time, I do not know if

01:37:17.859 --> 01:37:26.319
they are still around or not. Any incarnation

01:37:26.319 --> 01:37:36.130
of this forum, not good. The company's threat

01:37:36.130 --> 01:37:42.609
intelligence team believes the database and associated

01:37:42.609 --> 01:37:47.409
leaked data contain information that may be useful

01:37:47.409 --> 01:37:55.289
to law enforcement pursuing cybercriminals. Some

01:37:55.289 --> 01:37:59.880
of the records identified in the database are

01:37:59.880 --> 01:38:09.979
definitely authentic and can be cross-checked

01:38:10.060 --> 01:38:15.119
with other sources regarding specific actors.

01:38:15.779 --> 01:38:23.180
However, some records have been edited, removed

01:38:23.180 --> 01:38:32.310
or contain non... For example, replaced on IP

01:38:32.310 --> 01:38:41.029
127.0.0.9, which is likely an OPSEC measure

01:38:41.029 --> 01:38:49.569
taken by the actors administering it. The last

01:38:49.569 --> 01:38:53.949
registration date in the newly leaked user database

01:38:53.949 --> 01:38:59.210
is from August 11th, 2025, which is the same

01:38:59.210 --> 01:39:11.550
day the previous breachforums.hn was closed.

01:39:14.649 --> 01:39:38.260
Hmm. Resecurity contrasts this breach with

01:39:38.260 --> 01:39:45.199
previous examples of information released by

01:39:45.199 --> 01:39:52.619
threat actors, asserting that the events involving

01:39:52.619 --> 01:39:57.359
the compromised Breach Forums database are

01:39:57.500 --> 01:40:03.939
different from this activity and contain the

01:40:03.939 --> 01:40:12.279
metadata of many notable bad actors. So,

01:40:13.340 --> 01:40:32.380
this is a taste of their own. They think they're

01:40:32.380 --> 01:40:45.520
untouchable. But are they? I don't know. And

01:40:45.520 --> 01:40:48.239
the fact that we haven't seen anything that...

01:40:49.050 --> 01:40:52.170
Terry Ring, Preston Gaylor, Nicholas Jackson,

01:40:52.409 --> 01:40:58.130
or others that might end up sending me things

01:40:58.130 --> 01:41:04.189
about this type of thing. They haven't seen anything.

01:41:07.489 --> 01:41:13.170
Hmm. I wonder. I write, this is always good news

01:41:13.170 --> 01:41:17.689
in my book. If we can catch some. We can slow

01:41:17.689 --> 01:41:21.390
down the services, or have them stopped too.

01:41:22.829 --> 01:41:27.109
Neely, the face of the newsletter it seems, writes,

01:41:27.449 --> 01:41:32.510
It seems the tables have turned. In this case,

01:41:32.609 --> 01:41:38.590
the breach forum is itself breached. That said,

01:41:38.909 --> 01:41:43.630
releasing the database is not without risks.

01:41:44.909 --> 01:41:53.829
The database was released by James. And Resecurity

01:41:53.829 --> 01:42:00.430
hints they know who that is. If they can figure

01:42:00.430 --> 01:42:06.869
it out, so can others. If you want to analyze

01:42:06.869 --> 01:42:12.050
the data, obtain a clean copy from Resecurity,

01:42:12.699 --> 01:42:16.800
as there are other copies which contain malware.

01:42:16.800 --> 01:42:25.420
Yes, Mr. Neely, the tables have turned, and this,

01:42:25.420 --> 01:42:52.260
I think we can agree, is good. Here comes our next

01:42:52.260 --> 01:43:00.140
item. California Privacy Protection Agency fines

01:43:00.140 --> 01:43:07.479
Texas firm for failing to register as a data

01:43:07.479 --> 01:43:17.140
broker with the state. California's Privacy Protection

01:43:17.140 --> 01:43:30.529
Agency is fining Rickenbacher Data, DBA Data

01:43:30.529 --> 01:43:35.029
Masters for failing to register as a data broker

01:43:35.029 --> 01:43:42.029
in the state of California. The decision asserts

01:43:42.029 --> 01:43:47.270
that Data Masters bought, repackaged, and resold

01:43:47.270 --> 01:43:54.779
contact data of people with a variety of medical

01:43:54.779 --> 01:43:59.239
conditions, so the information could be used

01:43:59.239 --> 01:44:09.920
for targeted advertising. The action from CPPA

01:44:09.920 --> 01:44:18.819
fines Datamasters $45,000 and orders the company

01:44:19.340 --> 01:44:23.600
to stop selling data belonging to California

01:44:23.600 --> 01:44:30.680
residents. Data Masters was also ordered to delete

01:44:30.680 --> 01:44:35.539
all Californians' personal information it holds

01:44:35.539 --> 01:44:43.460
by the end of December 2025. In a separate action,

01:44:43.680 --> 01:44:57.159
CPPA fined S&P Global $62,000 for failing

01:44:57.159 --> 01:45:02.159
to register with the state as a data broker.

01:45:02.579 --> 01:45:06.960
The issue was due to an administrative error.

01:45:08.739 --> 01:45:15.750
Neely writes, An indicator that consequences

01:45:15.750 --> 01:45:25.270
for failing to follow CCPA are real. Double check

01:45:25.270 --> 01:45:35.010
the applicability of CCPA to your datasets. Datamasters

01:45:35.010 --> 01:45:40.970
claimed they were exempt from CCPA because they

01:45:40.970 --> 01:45:48.050
didn't operate in California, but it's the processing

01:45:48.050 --> 01:45:54.529
obtaining of data that belongs to Californians

01:45:54.529 --> 01:46:00.550
without deleting it within 24 hours which brings

01:46:00.550 --> 01:46:09.489
CCPA into play. If you are a data broker for the

01:46:10.060 --> 01:46:16.380
California, if you are a data broker for Californian

01:46:16.380 --> 01:46:24.279
data, make sure that you register. The California

01:46:24.279 --> 01:46:32.359
Delete Act expects more enforcement as single

01:46:32.359 --> 01:46:38.000
point opt out is implemented in the new DROP

01:46:38.479 --> 01:46:48.000
platform. Dukes starts this whole thing off with,

01:46:48.000 --> 01:46:57.880
California's Consumer Privacy Act, CCPA, is pretty

01:46:57.880 --> 01:47:04.180
specific regarding data brokers. One of the main

01:47:04.180 --> 01:47:10.399
requirements is to register within the state.

01:47:11.140 --> 01:47:20.880
And BTW, that's an annual requirement. Looks

01:47:20.880 --> 01:47:24.159
like California is getting serious about getting

01:47:24.159 --> 01:47:33.579
out. I'm sorry, of ferreting out data brokers

01:47:34.329 --> 01:47:42.750
operating illegally in the state. Murray also

01:47:42.750 --> 01:47:51.149
has a great point. Given how lucrative the data

01:47:51.149 --> 01:47:57.390
broker business is, these fines are not likely

01:47:57.390 --> 01:48:08.979
to be effective. The orders may be. Kudos to California,

01:48:09.420 --> 01:48:19.239
its law, and its agency. What do you say? Well,

01:48:19.500 --> 01:48:26.399
I haven't seen any more about this, at least

01:48:26.399 --> 01:48:31.659
in public circles, whether in podcasts or even

01:48:31.659 --> 01:48:37.859
brought to my attention. But companies should

01:48:37.859 --> 01:48:43.119
be ashamed of themselves for collecting data

01:48:43.119 --> 01:48:50.159
because that's what they do. They collect it.

01:48:50.520 --> 01:48:56.880
They sell it. And frankly, we don't even know

01:48:56.880 --> 01:49:03.699
who the they are. I'm sorry, but when I initially

01:49:03.699 --> 01:49:11.579
read this section of the newsletter, I was happy

01:49:11.579 --> 01:49:15.060
to see that they got fined. Yes, it's probably

01:49:15.060 --> 01:49:20.180
a small drop in the bucket. And they'll just

01:49:20.180 --> 01:49:27.140
pay them and say, go away. They may delete the

01:49:27.140 --> 01:49:30.789
data. Then they'll go back and collect it until

01:49:30.789 --> 01:49:37.229
they get caught again. But the fact that they

01:49:37.229 --> 01:49:44.449
got caught and they had to pay makes them slow

01:49:44.449 --> 01:49:51.689
down. Whether it stops the whole thing, I don't

01:49:51.689 --> 01:49:59.619
know. I'm not ready to go that far. But, I still

01:49:59.619 --> 01:50:05.619
want to hear what you have to say. Send me an

01:50:05.619 --> 01:50:09.920
email or iMessage at tech, that's T-E-C-H,

01:50:10.140 --> 01:50:15.560
at M as in Mike, E-N as in November, V as in

01:50:15.560 --> 01:50:20.039
Victor, I as in India, dot org. Text or WhatsApp

01:50:20.039 --> 01:50:30.640
804-442-6975. And of course, you can leave

01:50:30.640 --> 01:50:43.420
your comment on the phone line at 888-405-7524.

01:50:47.359 --> 01:51:12.050
Because this is going to get very interesting.

01:51:15.789 --> 01:51:23.890
I assume that this is going to be probably one

01:51:23.890 --> 01:51:29.149
of the biggest stories of the year, as we'll

01:51:29.149 --> 01:51:37.369
be approaching mid-year soon. And we haven't

01:51:37.369 --> 01:51:41.770
seen anything new, but yet again, I haven't been

01:51:41.770 --> 01:51:44.989
reading SANS on a regular due to the aforementioned

01:51:44.989 --> 01:51:51.250
issues I've told you about in segment four of

01:51:51.250 --> 01:51:54.409
this podcast, which is why it's been delayed

01:51:54.409 --> 01:52:00.229
so long. Suffice it to say, it wouldn't surprise

01:52:00.229 --> 01:52:04.609
me if other SANS news bites that we have not

01:52:04.609 --> 01:52:08.409
been able to cover and will not cover because

01:52:08.409 --> 01:52:16.289
of how far we're behind has covered this. Starting

01:52:16.289 --> 01:52:19.109
with the next podcast of SANS, we're going to

01:52:19.109 --> 01:52:22.310
just move forward instead of trying to catch

01:52:22.310 --> 01:52:31.199
up completely. Please understand that we're trying

01:52:31.199 --> 01:52:35.140
the best we can. And with everything going on

01:52:35.140 --> 01:52:38.720
in the various podcasts we have, there's only

01:52:38.720 --> 01:52:46.920
so much we can do. So what do you say about this?

01:52:47.659 --> 01:52:56.380
Yay? Nay? I don't care? F you? Go ahead. You

01:52:56.380 --> 01:53:01.500
can say F you. I try not to make this a swearing

01:53:01.500 --> 01:53:09.979
program. At least on SANS I don't. I try and

01:53:09.979 --> 01:53:13.600
make it my own without getting my emotions caught

01:53:13.600 --> 01:53:21.260
up in everything. I try. But you tell me. Yay,

01:53:21.460 --> 01:53:59.840
nay, what? Spanish authorities arrest 34 in connection

01:53:59.840 --> 01:54:06.600
with Cybercrime Network. And again, we are very,

01:54:06.659 --> 01:54:12.100
very happy to see things like this because we

01:54:12.100 --> 01:54:16.680
don't see a lot of it. And I know one of the

01:54:16.680 --> 01:54:22.560
things that I want to see more of is news just

01:54:22.560 --> 01:54:26.869
like this. We always talk about ransomware, you

01:54:26.869 --> 01:54:30.050
know, and all of the bad things. And we don't

01:54:30.050 --> 01:54:35.670
see good things. Now, will it lead to any time?

01:54:36.029 --> 01:54:39.689
I don't know. But the fact that people are arrested

01:54:39.689 --> 01:54:46.250
and charged with things slows things down. Is

01:54:46.250 --> 01:54:52.069
that a good thing? Overall, I believe it is.

01:54:54.189 --> 01:54:58.529
The write-up for this says, Authorities in Spain

01:54:58.529 --> 01:55:03.170
have arrested 34 individuals in connection with

01:55:03.170 --> 01:55:09.670
cyber fraud conducted by an international criminal

01:55:09.670 --> 01:55:14.489
group. According to investigators, the group

01:55:14.489 --> 01:55:19.630
is responsible for fraud losses of more than

01:55:19.630 --> 01:55:34.500
five comma 93 million euros. I believe that's

01:55:34.500 --> 01:55:39.960
a comma. I don't know what exactly this is. It

01:55:39.960 --> 01:55:47.579
may be 5.93 million. I'm not 100% sure. Because

01:55:47.579 --> 01:55:52.539
I see a dot. It's not a period in either braille

01:55:52.539 --> 01:56:02.180
code. So, I'm not exactly sure. But anyway, let's

01:56:02.180 --> 01:56:06.800
just say it's $5.93 million, which is quite

01:56:06.800 --> 01:56:14.739
high. Law enforcement recovered a small portion

01:56:14.739 --> 01:56:20.239
of that amount by freezing bank accounts and

01:56:20.239 --> 01:56:24.000
seizing cash. Well, seizing cash is probably

01:56:24.000 --> 01:56:30.600
easy. Bank accounts, I don't know how law enforcement

01:56:30.600 --> 01:56:37.079
would seize that. I would assume that would be

01:56:37.079 --> 01:56:43.779
up to the bank. Cash, you could take and say,

01:56:43.840 --> 01:56:47.319
that's not yours. Not until we prove you earned

01:56:47.319 --> 01:56:56.359
it. Business email compromise attacks. Illegal

01:56:56.359 --> 01:57:06.840
vehicle trafficking through shell companies and

01:57:06.840 --> 01:57:11.539
other fraudulent activities. The law enforcement

01:57:11.539 --> 01:57:15.239
action was conducted by the Spanish National

01:57:15.239 --> 01:57:29.090
Police, national, in cooperation with the Bavarian

01:57:29.090 --> 01:57:38.430
State Criminal Police Office, and this word is

01:57:38.430 --> 01:57:48.689
bear chess, and the next word is Bendis criminal,

01:57:48.689 --> 01:57:58.810
it's a criminal lemt. So, or no, it's landis criminal

01:57:58.810 --> 01:58:07.930
lemt. Uh, so it's gonna be B-A-Y-E-R-I-S

01:58:07.930 --> 01:58:15.949
-C-H-E-S and then L-A-N-D-E-S-K-R-I

01:58:15.949 --> 01:58:25.949
-M-I-N-A-L and then A-M-T, and support from

01:58:25.949 --> 01:58:33.010
Europol. Europol writes that the cross-border

01:58:33.010 --> 01:58:37.750
collaboration between Germany and Spain included

01:58:37.750 --> 01:58:42.649
Spanish investigators receiving analytical support,

01:58:43.010 --> 01:58:47.869
the exchange of intelligence, and the deployment

01:58:48.329 --> 01:58:55.289
of two German officers on site during the action

01:58:55.289 --> 01:59:02.130
day. Europol supported the action through a range

01:59:02.130 --> 01:59:07.609
of services including information analysis, a

01:59:07.609 --> 01:59:16.029
data sprint held in Madrid, and on-the-spot

01:59:16.029 --> 01:59:22.140
support. Neely writes, it is nice to see cross

01:59:22.140 --> 01:59:27.899
-border cooperation continue to shut down criminal

01:59:27.899 --> 01:59:32.159
operations. This group has a global presence

01:59:32.159 --> 01:59:39.600
operating in Nigeria and abroad, spread over

01:59:39.600 --> 01:59:47.680
about 60 zones with 200 members each, and has

01:59:47.680 --> 01:59:54.159
a total membership of about 30,000. They were

01:59:54.159 --> 02:00:00.079
known for recruiting money mules from impoverished

02:00:00.079 --> 02:00:09.000
areas with high unemployment rates. I agree,

02:00:09.239 --> 02:00:13.840
I write. I love great news like this. Keep it

02:00:13.840 --> 02:00:22.020
coming. And yes, money mules. That was actually

02:00:22.020 --> 02:00:29.779
talked about in recent episodes of a podcast

02:00:29.779 --> 02:00:43.479
that deals with crime. More specifically, different

02:00:43.479 --> 02:00:47.699
types of crime. But they do talk about bank crime

02:00:47.699 --> 02:00:54.960
and what's happening. And the podcast, in theory,

02:00:55.180 --> 02:01:02.239
is mainly meant for people who don't understand

02:01:02.239 --> 02:01:08.479
a lot of what's happening recently. This podcast

02:01:10.510 --> 02:01:13.270
was talking about business email compromise,

02:01:13.409 --> 02:01:15.609
and they made it known that they didn't know

02:01:15.609 --> 02:01:24.149
what it was. And while I can't necessarily blame

02:01:24.149 --> 02:01:29.270
the hosts per se, when a host brings something

02:01:29.270 --> 02:01:37.300
up, it's a good idea if you don't know what something

02:01:37.300 --> 02:01:40.520
is, to just indicate that you don't know what

02:01:40.520 --> 02:01:44.880
it is. It's okay to read and give your thoughts

02:01:44.880 --> 02:01:47.779
about what you're about to talk about, and then

02:01:47.779 --> 02:01:50.739
say, we want to look this up, we don't really

02:01:50.739 --> 02:01:53.979
know what this is. But to come out and just say,

02:01:54.039 --> 02:01:55.619
we don't know what this is, but we're going to

02:01:55.619 --> 02:02:02.000
talk about it anyway, makes it look bad, in my

02:02:02.000 --> 02:02:04.699
opinion. Now, I'm not going to sit here and bash

02:02:04.699 --> 02:02:12.670
podcasts. That's not who I am. We here at the

02:02:12.670 --> 02:02:16.329
Jared Reimer Network want all podcasts to succeed,

02:02:16.390 --> 02:02:26.649
and we definitely think that there is an important

02:02:26.649 --> 02:02:31.189
need for a podcast that is simple, talks about

02:02:31.189 --> 02:02:35.289
various types of scams and crime. It's pretty

02:02:35.289 --> 02:02:39.090
much what scams are. It's a form of crime. The

02:02:39.090 --> 02:02:44.529
podcast itself is titled Scam Squad. It's run

02:02:44.529 --> 02:02:50.670
by two individuals. And, you know, if you find

02:02:50.670 --> 02:02:54.430
it of value, go ahead and check it out. I'm not

02:02:54.430 --> 02:02:58.810
going to say publicly that they should go because

02:02:58.810 --> 02:03:03.930
people... probably would say that this podcast

02:03:03.930 --> 02:03:08.569
set needs to go. And that's not what I'm about

02:03:08.569 --> 02:03:12.930
to do. I'm not going to do that publicly. You

02:03:12.930 --> 02:03:17.409
know, what we might say privately could stay

02:03:17.409 --> 02:03:23.689
that way. But I really think that education is

02:03:23.689 --> 02:03:26.489
key. And each podcast is going to do it differently.

02:03:27.229 --> 02:03:33.560
So, let's just leave it at that. And we'll go

02:03:33.560 --> 02:03:36.119
from there. If you've heard of the podcast and

02:03:36.119 --> 02:03:44.260
you find it of value, let me know. Because I

02:03:44.260 --> 02:03:48.380
want to make sure that people are educated the

02:03:48.380 --> 02:03:55.319
best way that they can be. When we will continue

02:03:55.319 --> 02:04:00.720
with the podcast, or better yet, when we continue

02:04:00.720 --> 02:04:03.380
with this podcast, we're going to talk about

02:04:03.380 --> 02:04:13.100
a printing error. And this printing error has

02:04:13.100 --> 02:04:18.720
got to probably be the worst I've ever seen.

02:04:20.779 --> 02:04:27.720
So let's see what this is. I'm Jared Reimer.

02:04:27.760 --> 02:05:00.189
This is SANS 38. Printing error prompts recall

02:05:00.189 --> 02:05:11.390
of nearly 13,000 recent Irish passports. Talk

02:05:11.390 --> 02:05:18.170
about a problem much? A software update appears

02:05:18.170 --> 02:05:22.770
to have caused Irish passports issued between

02:05:22.770 --> 02:05:31.300
December 23rd, 2025 and January 6th, 2026 to be

02:05:31.300 --> 02:05:37.180
printed incorrectly, rendering them invalid.

02:05:39.100 --> 02:05:44.699
Ireland's Passport Service says that in order

02:05:44.699 --> 02:05:50.359
to mitigate against any possible travel issues,

02:05:50.880 --> 02:05:59.409
they have notified border authorities worldwide

02:05:59.409 --> 02:06:06.710
through the International Civil Aviation Organization,

02:06:07.470 --> 02:06:17.810
ICAO, as well as Irish Border Management. The

02:06:17.810 --> 02:06:22.010
documents in question are missing the letters

02:06:22.010 --> 02:06:29.479
IRL, which means they are not compliant with

02:06:29.479 --> 02:06:40.079
border control and e-gates requirements. The

02:06:40.079 --> 02:06:50.000
Passport Service has contacted all 12,900...

02:06:52.939 --> 02:06:57.279
four affected customers asking them to return

02:06:57.279 --> 02:07:05.319
their incorrectly printed passport books and

02:07:05.319 --> 02:07:10.140
cards, informing them that they will be issued

02:07:10.140 --> 02:07:17.300
new documents with new numbers. What a costly

02:07:17.300 --> 02:07:23.539
mistake! For that many, there will be some upset

02:07:23.539 --> 02:07:29.399
people, and that's putting it mildly. Neely writes,

02:07:29.939 --> 02:07:38.960
Use caution with move fast and break things and

02:07:38.960 --> 02:07:42.819
have a plan for rolling back or fixing what you

02:07:42.819 --> 02:07:48.000
break. In this case, physical replacement of

02:07:48.000 --> 02:07:56.119
passports is a bit... higher impact than a case

02:07:56.119 --> 02:08:04.020
where you may have had to update data and possibly

02:08:04.020 --> 02:08:09.100
send a notification. When things do go sideways,

02:08:09.420 --> 02:08:14.659
make sure that someone has the customer's back.

02:08:15.239 --> 02:08:21.000
In this case, the Irish Passport Service has

02:08:21.609 --> 02:08:27.029
been emailing affected customers, updating their

02:08:27.029 --> 02:08:31.630
website, and setting up a dedicated customer

02:08:31.630 --> 02:08:35.810
service team for those traveling immediately

02:08:35.810 --> 02:08:43.810
as well as covering any costs of reissued passports

02:08:43.810 --> 02:08:49.090
or visas. The good news is that the customer,

02:08:49.189 --> 02:08:54.609
by the way this reads, doesn't have to pay a

02:08:54.609 --> 02:09:02.409
dime. I guess that is a good thing. I could see

02:09:02.409 --> 02:09:10.489
them being outraged if they did. What a costly

02:09:10.489 --> 02:09:14.210
printing mistake, even months later and reading

02:09:14.210 --> 02:09:19.930
it now. I don't think I've seen anything as bad

02:09:19.930 --> 02:09:23.569
as this, even though I've not read SANS since

02:09:23.569 --> 02:09:30.529
on a regular. But I know that my sources haven't

02:09:30.529 --> 02:09:34.069
reported anything, but that definitely doesn't

02:09:34.069 --> 02:09:40.770
mean anything. If you've seen something, even

02:09:40.770 --> 02:09:44.470
if it's late, I'd like to at least review it.

02:09:55.239 --> 02:09:59.500
I believe this is our last item of this program

02:09:59.500 --> 02:10:03.699
and we can finally get old news out the door.

02:10:03.880 --> 02:10:08.039
Again, I completely apologize for the fact that

02:10:08.039 --> 02:10:13.180
this took so long. And now that I think we're

02:10:13.180 --> 02:10:16.779
stabilized, we'll be able to do more of these

02:10:16.779 --> 02:10:25.090
on a regular basis. So, let's cover our illustrious

02:10:25.090 --> 02:10:30.510
government now, because this is a CISA item,

02:10:30.590 --> 02:10:36.949
and we know that CISA itself has been under fire

02:10:36.949 --> 02:10:41.510
with funding and other things, and remember that

02:10:41.510 --> 02:10:45.310
this is the company that says, quote, you need

02:10:45.310 --> 02:10:50.569
to do, end quote, but, quote, we don't have to.

02:10:51.050 --> 02:10:56.289
End quote. Meaning, do as I say, not as I do.

02:10:57.890 --> 02:11:06.329
This item says CISA retires 10 emergency directives.

02:11:07.010 --> 02:11:11.890
And this is probably a good thing because if

02:11:11.890 --> 02:11:17.130
they're not needed, then that is the right thing

02:11:17.130 --> 02:11:22.220
to do. But again, this is the same company who

02:11:22.220 --> 02:11:26.319
is tasked by the government to keep everyone

02:11:26.319 --> 02:11:32.119
as secure as possible, yet they themselves, meaning

02:11:32.119 --> 02:11:35.359
the government as a whole, I'm not saying CISA

02:11:35.359 --> 02:11:40.000
doesn't, I'm saying the government doesn't. And

02:11:40.000 --> 02:11:44.260
to be honest, I'm not attacking just the U .S.

02:11:44.279 --> 02:11:49.000
government, I'm attacking government in general

02:11:49.000 --> 02:11:59.279
when I say that they don't update. On Thursday,

02:11:59.579 --> 02:12:05.399
January 8th, 2026, the U.S. Cybersecurity and

02:12:05.399 --> 02:12:10.520
Infrastructure Security Agency, CISA, retired

02:12:10.520 --> 02:12:15.319
10 emergency directives issued between 2019 and

02:12:15.319 --> 02:12:24.359
2024. In a press release, CISA writes that a

02:12:24.359 --> 02:12:30.039
comprehensive review of all active directives

02:12:30.039 --> 02:12:37.399
determined that required actions have been successfully

02:12:37.399 --> 02:12:44.380
implemented or are now encompassed through Binding

02:12:44.380 --> 02:12:55.789
Operational Directive, BOD 22-01, Reducing the

02:12:55.789 --> 02:13:02.810
Significant Risk of Known Exploited Vulnerabilities.

02:13:03.569 --> 02:13:08.810
The retired emergency directives include one

02:13:08.810 --> 02:13:15.819
directive from 2019 instructing FCEBs to mitigate

02:13:15.819 --> 02:13:22.060
DNS infrastructure tampering, three directives

02:13:22.060 --> 02:13:29.479
from 2020 regarding a variety of Windows vulnerabilities,

02:13:29.880 --> 02:13:36.359
four directives from 2021 including the SolarWinds

02:13:36.359 --> 02:13:45.689
Orion code compromise, Pulse Connect, Microsoft

02:13:45.689 --> 02:13:52.789
Exchange On-Premises, and Windows Print Spooler.

02:13:52.909 --> 02:13:58.489
One from 2022 regarding VMware vulnerabilities,

02:13:58.770 --> 02:14:04.850
and one from 2024 regarding the nation-state

02:14:04.850 --> 02:14:10.170
compromise of Microsoft corporate email systems.

02:14:14.479 --> 02:14:18.079
I write, I was almost going to write that this

02:14:18.079 --> 02:14:23.899
was a bad idea, but reading Neely's response

02:14:23.899 --> 02:14:29.539
seems quite fair to me. He writes, the emergencies

02:14:29.539 --> 02:14:34.439
have passed. Countermeasures and updates are

02:14:34.439 --> 02:14:41.689
in place for those specific flaws. The focus

02:14:41.689 --> 02:14:48.090
needs to be on keeping things secure slash updated.

02:14:48.609 --> 02:14:58.130
CISA slash DHS's continuous diagnostics and mitigation

02:14:58.130 --> 02:15:03.689
program is designed to do this across the federal

02:15:03.689 --> 02:15:09.229
government. It boils down to keeping an eye

02:15:09.229 --> 02:15:13.649
on the ball and identifying and addressing issues

02:15:13.649 --> 02:15:19.390
before a directive is issued to do so, ideally

02:15:19.390 --> 02:15:24.130
with a dashboard for management to review in

02:15:24.130 --> 02:15:30.609
lieu of another meeting or report. Or and report.

02:15:31.689 --> 02:15:37.439
Dukes also writes, the key word is action. emergency,

02:15:37.840 --> 02:15:43.399
end quotes. And yes, directives issued in the

02:15:43.399 --> 02:15:47.619
last six years should have been implemented in

02:15:47.619 --> 02:15:51.920
that time frame. The bulk of the now retired

02:15:51.920 --> 02:15:56.600
directives were issued to mandate patching of

02:15:56.600 --> 02:16:00.279
specific vulnerabilities that have been around

02:16:00.279 --> 02:16:05.399
for a year or more. I'd like to believe they

02:16:05.399 --> 02:16:11.279
were all patched. So would I, guys. So would

02:16:11.279 --> 02:16:18.199
I. And I guess we're just going to have to see

02:16:18.199 --> 02:16:34.219
what happens overall. The editorial board of

02:16:34.219 --> 02:16:50.440
SANS: Brian Honan, Kurt Dukes, Chris Elgee, David

02:16:50.440 --> 02:16:58.840
Hoelzer, Ed Skoudis, Gal Shpantzer, Jake Williams,

02:16:59.399 --> 02:17:07.159
Dr. Johannes Ullrich, John Pescatore, Josh Wright,

02:17:07.440 --> 02:17:15.040
Kathy Bradford, Lance Spitzner, Lee Neely, Mark

02:17:15.040 --> 02:17:23.299
Weatherford, Moses Frost, Suzanne Vautrinot,

02:17:23.520 --> 02:17:30.479
William Hugh Murray, and SANS Institute is located

02:17:30.479 --> 02:17:38.379
at 11200 Rockville Pike, Suite 200, North Bethesda,

02:17:38.420 --> 02:17:46.680
Maryland, 20852. Email support@sans.org or

02:17:46.680 --> 02:17:56.659
call 301-654-7267 for assistance. Well, ladies

02:17:56.659 --> 02:18:01.799
and gentlemen, I am so happy that you were able

02:18:01.799 --> 02:18:12.860
to trust us in trying to get the news out because

02:18:12.860 --> 02:18:22.540
we definitely want to get that news to you. And

02:18:22.540 --> 02:18:28.959
we can't do it alone. Unfortunately, due to

02:18:28.959 --> 02:18:34.379
other things, we were not able to do this as

02:18:34.379 --> 02:18:45.579
fast as we normally do. And we definitely

02:18:48.120 --> 02:18:57.379
want the particulars of making sure we're

02:18:57.379 --> 02:19:04.549
accurate and doing everything we can. Speaking

02:19:04.549 --> 02:19:11.170
of which, I have enabled the ability for transcripts,

02:19:11.170 --> 02:19:14.969
and we're going to try this again. And starting

02:19:14.969 --> 02:19:19.110
with our next podcast of A Day in the Life, we

02:19:19.110 --> 02:19:26.500
are also enabling the transcripts. And hopefully

02:19:26.500 --> 02:19:29.540
that might help some people because accessibility

02:19:29.540 --> 02:19:36.840
is something that I want to try and do. And since

02:19:36.840 --> 02:19:40.680
it's available to me, we're putting it on the

02:19:40.680 --> 02:19:46.139
highest quality possible. And hopefully it is

02:19:46.139 --> 02:19:51.219
good enough. The transcripts may not be fully

02:19:51.219 --> 02:19:58.059
accurate, but it should be accurate enough. So,

02:19:58.180 --> 02:20:01.500
we'll just have to see how it goes. And yes,

02:20:01.600 --> 02:20:04.420
if we end up playing music that's vocal on the

02:20:04.420 --> 02:20:08.260
security box, it'll more than likely transcribe

02:20:08.260 --> 02:20:11.559
the lyrics of the tracks. I've seen it. It's

02:20:11.559 --> 02:20:14.239
quite interesting. But you could ignore that

02:20:14.239 --> 02:20:18.379
if you want. I don't know which programs support

02:20:18.379 --> 02:20:24.139
it, but we are going to try it anyway and see

02:20:24.139 --> 02:20:32.530
how it goes. So, we'll catch up with you all

02:20:32.530 --> 02:20:40.010
next SANS episode, and we are going to go ahead

02:20:40.010 --> 02:20:45.750
and just move forward and go to the most recent

02:20:45.750 --> 02:20:51.510
episode available. Catch up with you all next

02:20:51.510 --> 02:20:51.950
time.
