Hello and welcome to the Cyber Rants podcast. This is your co -host, Zach Fuller joined by Mike Rotondo and Lauro Chavez. Today, we have a special guest. I'm excited to see where this conversation goes because he is one heck of an interesting guy. Mr. Chris Rock. Chris, thank you for joining us on the show today.
Thank you, Zach.
Hey, we're going to dive right in, but first, Mike, why don't you kick us off with the news and we'll go from there.
Hey, good day and welcome to the podcast headlines for 621 -23. Unless you're living under a rock, you've probably heard movement exploit used against several federal government agencies. Several government agencies, including the Department of Energy, fell victim to hackers exploiting a vulnerability in the movement file transfer application that claimed its first victim in this way of attacks in May. The movement vulnerability was actually first discovered in 2021.
US Cyber Security Infrastructure Security Agency said the agency is providing support to several federal agencies that are experiencing intrusions affecting their movement applications. In the statements, this said they were confident they will not be significant
impacts to the federal agencies from the hacks because of government's defensive improvements with its partners. On May 31st, progress software, which makes a movement IT transfer, movement transfer apps urge organizations to quickly patch the vulnerability since the application is used by thousands of enterprises, including 1700 software companies and 3 .5 million developers. I guess government was a little slow there.
A new RD Steeler malware steals from drives shared over remote desktop. The cyber espionage and hacking campaign tractors, red clouds, uses custom RD Steeler malware to automatically steal data from drives shared through remote desktop connections. The threat actors infects remote desktops with a custom RD Steeler malware that takes advantage of this device redirection feature. It does this by monitoring RDP connections and automatically stealing data from local drives once they are connected to the RDP server.
The five modules that compromise RD Steeler are Keylogger, Persistence Establishers, Datatheft, and Xfiltration Staging Module. Clipboard content, Capturing Tool, and One -Controlling Encryption Decryption Functions, Logging, and File Manipulations.
All right, so next, for those of you chat GPT fans, over 100,000 chat GPT accounts stolen via info stealing malware. More than 101,000 chat GPT user accounts have been stolen by info stealer malware over the past year, according to the dark web marketplace data. Information stealers are a malware category that targets account data stored on applications such as email clients, web browsers, instant messages, gaming servers, cryptocurrency wallets, etc. These types of malware steal, this type of malware steals credentials saved to web browsers by extracting them from the program's SQLite database and abusing the Crip protected data function to reverse the encryption.
The cyber intelligence firm Group I .B. reports having identified over 100 ,000 info stealer logs on various underground sites, containing chat GPT accounts with the peak observed in May 2023 when threat actors posted 26,000 new chat GPT credential pairs. The critical thing is that employees in a classified correspondence or use the bot to optimize proprietary code given that chat GPT standard configuration contains all conversations. This could have inadvertently offered a trove of sensitive intelligence to threat actors if they obtain account credentials.
Still saving passwords and browsers, are we?
Yeah, yep.
Steampower browsers, I assume.
Now, we talked about deep fakes last week for the FBI or was it two weeks ago? Now hackers have moved on using fake only fans pics to drop info stealing malware. A malware campaign is using fake only fans content in adult lures to install a remote access trojan known as DC RAT, allowing threat actors to steal data and credentials or deploy ransomware on the infected device. This is not the first time threat actors have taken advantage of only fans to achieve their malicious goals. The infection chain is unknown, but it might be malicious forum posts, instant messages, malware, tizing, or even black CEO sites that rank high in specific search terms.
A sample shared by Eclipseum pretends to be nude photo of a former adult film actress. The VB script loader is minimally modified and obfuscated version of a script observed in 2021 campaign discovered by Splunk, which was slightly modified Windows printing script. When it's launched, it spawns a 32 bit process extracts embedded DLL file, registers DLL with registered 32. This gives them all our access to dynamic or dynamic wrapper X, the tool that enables calling functions from the Windows API and other DLL files. The injected payload is DC RAT, a modified version of async RAT that is freely available on GitHub, which is which it's author demanded after several abuse cases surfaced online. So if you're sitting there thinking, I don't know what only fans is, you're probably have a only fans.
Headlines on only... there's only one headline I really want you to focus on. The other ones are good. But this is, if you hack these people, I hope you get cancer because ransomware gang prays on cancer centers and triggers alert. If you have stooped to that level, I got no sympathy for you. So with that, we'll head over to Lauro's Corner and probably talk more about only fans or cancer centers or something enlightening and happy. Lauro?
Thanks, Mike. Welcome everybody to Lauro's Corner today and keeping with the conversation topic of hacking and threat assessing and threat hunting or technical assessments. Whatever you want to call it, some of you may be interested in this and we are special guests today has a lot of value in this space.
And so for those of you who may hear this conversation today and be interested in doing technical assessing or pin testing or threat hunting or whatever it is, the industry is calling it at the moment, I want to point you to a place that we're not affiliated with of any kind or we paid for.
So when I name drop here, don't think that we're incentivized, but I want to talk about Hack the Box because this is a place where new minds can come and learn about this trade and spend some time in a gamified, uh, in a gamified, you know, space where it's fun and it's safe and you can learn. It's not the real world. We're going to break stuff or go to jail. So this is a really, really good place for you to get your feet wet in this industry if this topic today interests you. And for us here at Silent Sector, it is probably one of the most important attributes that we look for in some of our technical assessors is that they've got somewhere between five and eight capture the flags at Hack the Box
as they come in and work for our team. So this is also a place where we get our humans that want to do this type of work. So I encourage all of you who may be listening or have teams that are interested in this or, um, subordinates or employees that are interested in the space to encourage them to go there.
They have certifications, they have technical learning, and of course they have the gamified hacking class where you can go in and attach to these gamified machines and do capture the flag activities to see how good you really are.
So with that said, Mike and Zach, I'm super excited about our guest Chris today. But before we do that, I think something's got to happen first, right? Right, Zach?
Yeah, well, you know, the obligatory commercial break, right? So let's, uh, let's pause for a moment, take a breather and we will be right back.
And we're back with the Cyberance podcast. Great to be here. Um, some interesting news and always interesting. And Lauro's corner snuggling up, getting some good information, sitting Chris cross apple sauce as somebody says.
Um, but, um, yeah, let's dive into what we're, what we're going, what we really want to talk about today. And, um, there are so many things, so many areas where we could start. So Chris, again, I want to thank you for joining us on the show. Um, we're glad to have you. And I mean, you are a very smart human being out of all the things you could have done in life. Why cybersecurity?
It's a great question. I think it was timing. I think it was, I was born in a time where if computers didn't exist, I'd probably be looking at ways of circumventing, say locks, you know, I'd be a locksmith or something like that. But I think it was just perfect timing. So you know, someone who was born, I'm 50 years old now, so 70th row. Um, you know, having raised since, since I was seven, having computers around me and then, you know, being the god of computers at such a young age and then continuing that flow, that's, it's just time. It was just luck and timing.
That's interesting. So I, yeah, I guess the locksmiths were like the early hackers, weren't they?
Yeah. The early white hat hackers, right? If you're getting paid to break into locks, you were, you were white hat back then.
But, um, Chris, you've, you've presented at DEF CON three times. You've written a book, The Baby Harvest. Tell us about your, your talks, kind of the areas that you cover and what you're most passionate about today and what you're speaking about today.
Yeah. So I, talks come to me, I don't hunt for talks. So it's essentially, I'll see something so DEF CON 20 through is, I will kill you. And, and, and birth you as well. And so for me, it was a news article that I heard that somebody accidentally killed off some patients instead of, um,
they're in the hospital and instead of them, uh, said I'm departing the hospital, they tick the wrong box and said, uh, these people have died. And I saw, I saw that that was mistakenly killed. I thought, this is crazy. How could one tick box kill 200 people? So that went, I went down the rabbit hole, uh, over that topic there.
Click boxes. It's always the radio check box that gets you. It is.
And the second talk was actually a mercenary friend of mine, Simon Mann, who's done real military coups in Africa. He contacted me and we put together the next talk, how to overthrow government together.
Very cool. That's interesting. That is. Give us the five minute overview. So if we want to overthrow government tomorrow, we're going to have all kinds of agencies listening to this one. But hey, the more the merrier.
You wanted to put us on the map, this is going to do it.
What's our process? Things are getting kind of bad in some countries. They might need overthrowing.
So it's essentially own everything as in own the telco, own every website, own every component. I'm talking about all government divisions, media, telco utilities so that you can just essentially then you're pulling levers. If you don't own everything, you've only got limited levers. But if you own everything, then you just pull weight, pull weight, and then it's just a time exercise.
Now, it sounds simple in theory, but to actually do that, that's a. Yeah, talk to us about the experiment for this. I mean, you guys do it all the time. You do a pen test and it's maybe a three to four week assessment and whatever that you guys do.
It's exactly the same, but it's just a little bit more. You don't have to do a report so you can pull off one report one week off your assessment. So there's no reporting that you need today.
Exactly. That's the best part of the week. Exactly. Exactly. And usually find that if you take the telco out, then everything falls. So if you take out, I'll use 18 teams example, and then, you know, everything is out, not everything, but a lot of things are on the top. You then it's just a, it's just a dominoes that will crumble. So if we take out 18 T and your banks using 18 team infrastructure, we then own the banks and then we can control the money flow.
So we'll then input our own HCCPS bank in the front of D16 bank and then just capture using the main passwords as they put and then forward them directly through. So the user doesn't even know that it's not a fake website. It is the website.
Very good. That's brilliant. I have a question for you. On the birthing one that you did, birthing your own person, is that still valid? I mean creating a new human being?
Yes, it's still valid. Every country, every country is still valid. They did nothing, which is, I was shocked that they did nothing, but they made it so easy to do. They got caught between a rock and a hard place. They wanted doctors to move from the system where it was a handwritten form, getting submitted and then to the funeral director to a central body. So they moved them online, but then they thought, well, doctors are not that bright when it comes to technology.
So what are we going to do? So they put up an online portal, put in your registration number and your business address. I mean, it's just, and for me, on the crossroads of that is I want to make sure my doctor's registered. I use that same database, lost my doctor's registration number and address. They put all those things together. And then same thing with the funeral director. I could then become the funeral director. So I became the two keys, doctor and funeral director to that complete piece.
Very cool. Beautiful.
Yeah. I think back to the old movie. I don't know if you've ever seen it called Day of the Jackal about killing General De Gaulle in France and how the guy actually got caught because he had faked a birth certificate.
So I thought it was kind of interesting.
Yeah. So I, when I started in, you know, the whole hacking world and when I say hacking, I'm going to use the word hacking and criminal hacking and the same because I do both. I'm both good and bad. The work that I do is for good and bad people. I don't differentiate between two. So when I say hacking, but don't get caught up with that. You know, hacking is not a crime.
My hacking is both good and bad. I looked at, you know, I looked at an inter -40 inverse certificate and stuff like that. And yes, it was easy to do. You could use, you know, scotch tape and you could, you know, take the numbers off, you know, you could just pull your, you know, say the birth date, the birth number or the registration number off. And then you could put it through a printer and put your own name in. That's pretty, I think that's pretty old school stuff. Obviously still valid today, but I thought that if I'm going to get it to a birth certificate, I want a real one. I want a registered government authority giving me, I want to say a real one. It's a real certificate, but it's a fake person. So I believe in real certificates. So if I want to do a fake driver's license, I won't get a fake driver's license from somebody on, you know, on dark web. I may get a fake passport from somebody on the dark web, such as a Swedish passport, then bring that to my home country and say, hey, you know, I'm visiting Australia for a couple of years or the US. Can you, can you give me a driver's license? So then I'll then upgrade to a real driver's license. So then that becomes my, I upgrade my IDs. I'll start maybe start with a fake and move to a real ID.
Nice. Nice idea.
Yeah. Do you, do you feel it seems like all the good stuff that, you know, us, you know, that we're doing in the world is, is not, it's almost like we're taking two steps forward and like eight steps backwards with some things because you'd think that they would have fixed the problem when you, when you presented this.
So, you know, I think it's really interesting that we still seem to have the same issue, right? Despite some of these things coming to light, which I had a plan to overthrow like a, you know, not, you know, like a first world country, like the way that you could disrupt like a first world country, like Australia as an example is you would own all the silverware.
Okay.
And that would drive everybody insane because now you've got to eat with your hands and you know what I mean? Who wants to do that?
The teacups in the UK. Is that, is that where you're going with it?
Yeah. How are you going to stir your tea with a spoon?
What, what, what just terrible, terrible savagery.
Technology, all you gotta do is capture all the silverware. And not only kill people digitally, right? So actually a valid legitimate death records that were created through false means and then all, but also birth people digitally as well.
Yeah, so when I do research, it's not one of those. I see other people at DEF CON might present, they'll actually start preparing slides maybe six weeks before. I essentially do three or four years of research and start my actual writing for DEF CON at that time. So with all this research material, my first talk at DEF CON was about, I think it was about 34 minutes or something, and I was only in a 20 minute slot, so I was lucky I didn't get cut off. But I essentially have all this material that I want to then publish. So if someone has looked at my talk and go,
you didn't really go into detail on that, that he might be talking stuff. So I least then have a backup book to show this is how I went through it and this is how it could be used. I did the same with my DEF CON 30 talk. There was three or four years of research and then this wasn't a book, it was more of a paper. So I wrote a paper on that. So that's essentially right for, as a professional, I just want to write to show people that this is how I came to my assumptions.
That's interesting stuff. And then the background, are you seeing, when you put this information out, are there various government agencies coming to you from around the world saying, hey, we want to fix this? Are people using this good information that you're putting out there
in the world for the betterment and for more security? Or did you feel like a lot of times it falls on DEF years? I know for us a lot of times we can say over and over, hey, we got to be doing more of this. We got to be doing this. And a lot of times there's a lot of DEF years out there. What's been your experience?
It's you, it's what I'm, it's the latter. It's completely DEF years. I might as well, I love talking to my community, the infosect community,
and putting back. And that's why I present. But nothing's been done. Nothing's been done about anything that I've ever presented in the last seven years. Three talks, zero gets done. And now it's just, I just assume that it's, whether it's laziness, whether it's a cruise ship that's got a turn, whether it's, it's a 50 year cycle that infosec, we change very quickly. But when you're dealing with government departments and things, it's a 20 to 50 year cycle.
Now, are you consulting with government agencies and such on different things or companies? Tell us a little bit about what you do, you know, kind of in the for profit sector nowadays.
Yeah. So I do, I do two lines of business. I'm actually the co -founder of C -Monster. So we're a C -Provider. We've created a platform that can be white labeled so that customers can run their own C. So that's my day job. And then my night job, I do whatever work that comes across my desk. So I'll get calls from, you know, from, whether it be government or private people that want stuff done and then all the system and getting it done. I know I've been quite vague, but there's some real weird requests that I get across my desk. Maybe it'd be paying a prison guard in Bitcoin in a foreign country so that I can get, you know, feminine hygiene products and stuff like that.
Simple things just to get the bag of tea.
Yeah.
You know, well, we'll list your last 12 customers in the show notes for everybody. If that's okay.
I want to know why you turned down the Ted talk.
I didn't turn it down. I actually got, actually got killed. My talk got killed because I was ready to present at Ted. I can't remember the year. It might have been 2018 or 19. And they actually asked me, because I actually had the, I'm a whole speech. I don't know if you have any of the listeners have gone through the Ted experience, but they actually, they have lawyers go through all your, your, your speech and they verify each component of your speech. And the material that I was presenting was stuff that I did about in 2011 and 12. And they actually asked me, have you done anything recently? And I said, well, nothing that I can tell you. And they said, Oh, how can we tell how, how can we prove how good you are? Like to the Ted audience. I said, I'll leave it with me. Dive in, went and hacked all the Ted people that were approving my talk to show them how easy it was to own their lives and presented that back to them. And they didn't like that. So my talk got killed.
That's the best reason to get your talk killed though.
To give you talking Ted, that's brilliant. You're dealing with a scorpion and you expect not to get bitten. I mean, that's ridiculous. They knew who that was. You know, my talk was about cyber mercenaries. It was people like me who get paid to do dodgy stuff. I mean, it was perfect and why they pulled it. I know why they pulled it. They told me why they called it. But yeah, maybe in the future, I'll be able to present that talk.
I think you've been blacklisted from here on out. You're probably never going to be back at Ted again.
That's okay. We don't listen to Ted talks unless they're interesting anyway, and you're not there. So no interest.
It's not the first blacklist. I've been blacklisted from Q8. So just add it to the list.
Yeah, I was going to say there's probably a long list of places you're not allowed to go to.
A long list now. Gosh.
What is your number one tool when you're doing nefarious activities? Are you like a mega Cortex kind of user or a nano Cortex user or you got something else? Have you played with pen tests?
I'm the same as you guys. It's the same suite of tools and it's exactly the same. And when I say you guys and for listeners, and pen tests, it's the same tool suite. It's not some magic toolkit. Don't get me wrong. There's some tools that we use. If you do a pen test on a bank and then you might produce your report saying that we got into the bank, we then actually have to move the money out of the bank. So we actually have to use a different set of tools and techniques and not just techniques. We need like organizations to assist us in moving that money out. So to answer your question, same tools as you guys, nothing special, nothing magic, but just post non report. We use different techniques.
So that's interesting because, you know, for the technical assessments we do, we have a soft handed approach. We have a kind of destroyed databases, but we certainly try not to do that. We try to, you know, use the analogy like here's the rock, there's the glass, if I throw it, it's going to break. So why don't you just patch this or change this configuration so that we can double check this vulnerability, make sure that
it's tied up tightly and move on. How do you feel about that approach versus the let's just put your money in my account and then you can have to ask to get it back?
You know, We follow the same approach as in do no harm to get the job done. But once the job's done, then the harm can happen. So if we have to devan a drive, whether we have to plant opposition flags on our target, so if you're moving money around, then you start leaving other hackers flags on service. So we'll actually then create harm, blow some boxes away so we look like script kitties. So it's essentially the same as you, but once the job's done, it's a different story. It's then it's about just covering the evidence.
Understood. I like that approach.
I'd like to take we I'd love to be in that stage of activities. And we have some testing coming up where I'm going to be able to take it that far. But for the, you know, for most cases, we tend to pull back after that that soft handed approach and help them resolve. And then we come back and test to make sure it's not there. But I've often I've often wondered at the value of doing the CTFs and placing something or doing a purposeful destruction to, you know, prove prove the the existence of this attack surface. And I'm always struggling with the value the client perceives because it's like, you know, hey, that that tree is going to fall in your car. If you don't cut that branch versus the branch falling on the car, and now you have a destroyed car and a destroyed treaty cleanup. And so do you find that the companies you serve in this in this manner, appreciative of the heavy handed work that you do after the after the official soft handed test is over.
In my business, in the second business that I run, it's essentially they want the job done and they don't care how simple it is. When I say soft handed, I don't say soft handed to protect the company or the bank that I'm after. It'll be essentially to be soft handed so I can get the job done. It's not to protect the company, it's just to make sure I can get the job done. We're talking about very different client bases here.
We're used to the realm of protecting mid -market and emerging companies. These companies need to abide with different compliance requirements and things like that versus government level type work and some of the more behind the scenes stuff that's not everybody is necessarily under contract.
In ours, it's all pretty black and white cut and dry. I see where you're coming from now. I'm trying not to ask too many questions.
Definitely.
I get questions from friends. It's like, hey, this guy's bullying me on Instagram. Can you break his account and let me have control? I'm like, I can't do that. But now I know somebody to call.
Now I have somebody to call. I'm kidding.
We just say 100 grand and just straight up 100 grand and then they pony up or go away and that just gets rid of the time wasted.
I like that. I like it. Show me the money and go away. If you want the job, you're going to pay for it. I like that.
Exactly. Man, my hero.
I can't tell you how many waitresses and bartenders have asked me if you can hack my ex.
Yeah, totally. That happens. A 100 grand, I'll introduce you to a guy.
Yeah, 100 grand. I have five grand to introduce you to the guy that you've got to pay 100 grand to. That's a doorman fee.
You know what I mean? There you go. Awesome.
What new research projects are you working on, Chris, that you think that it's going to be the future of cyber attacks and espionage and that sort of stuff? Where do you see that going with AI and all that?
Yes. As I said, things come to me. I don't hunt for it. I don't look for vulnerabilities and things. So, to answer your question, what I'm looking at now is things like private equity firms and banking licenses and Swift code and routing numbers. How does one go about having a bank? How do you register yourself as a bank? What turtles do you need to do? Private equity firm, bringing in customer money. What do you need to do? I'm going down that area of research right now. That whole bank charter application form, looking for holes, looking for what the private process is so I can get around it.
Yes, the bank of Lauro's corner. You know what I mean? We accept all forms of cash, but we don't give it back.
Exactly. Especially with the private equity firm, when you're looking at a 10 -year plus, plus one plus one cycle, so it's not one of those things where you put your money in the stock market and then you pull your money out at a moment's notice. When you're in private equity, you're in for the long haul. There is no getting your money back. It's long haul. So, I'm looking at that whole business model. How does that work? And where are the flaws in that model?
The money black hole, I like it.
Yeah, I used to come from the private equity world, so I'm very familiar with that, at least as far as the US regulations go. So our types of offerings and all that kind of stuff, it's definitely an interesting world. A little bit of the Wild West, although they do a pretty good job of regulation with it, and there's just huge ramifications for stepping outside those regulations. But as far as worldwide private equity, that's kind of a, I guess that'd be a different animal altogether because we have the SEC regulations, but beyond that, it's outside the US or it's not going to hold much weight.
But you raise good points.
Sorry, mate.
No, go ahead, Chris.
I'll actually then look at what the SEC does for that example. What do they do? You're doing a banking charter to do an audit. What does that involve? How many people involved? What is the cost? I'll actually look for flaws and don't assume, and that's what I did with the birth and death marriages and also the bomb jams, the IED jams, is just don't assume that it's safe and don't assume that everything's a double tick box. It may be just a single tick box, and there's the flaw in the model. That's what I look for.
Yeah, absolutely. You mentioned the IED jamming. You did a talk on that. Give us the overview there and what your interest was and how you got into that realm in the first place. It's interesting stuff to say the least.
Yeah, so it started when Julian Assange was in the UK Embassy and I saw some Twitter announcements that he couldn't communicate outside the embassy that he was being jammed. I then got interested in jammers, how do they work? I then went down the rabbit hole of three to four years with the researchers going through jammers, working with electrical engineers. My first thought was, why don't I just use emergency spectrums and stuff like that, that don't get jammed. Then I started looking at the whole wavelength from the sub kilohertz all
the way to the gigahertz. I then looked at flaws in jammers, like what ranges, what power do they need, and then to look for flaws within that. I then found that jammers were not scanning anything relevant, like 20 kilohertz, and I couldn't understand why. But speaking to electrical engineers having antennas that were kilometers long to do that jamming was just not feasible. So I then looked at what I could do to produce frequencies under 20 kilohertz. Same thing again to produce something under 20 kilohertz. You need large antennas, I could say that, look, this may be a dead end in terms of research. But then I did some research into ground antennas. We could actually use the ground to generate a magnetic field in sub 20 kilohertz. I think it was using 9 kilohertz, where you could actually communicate over long distances in the sub kilohertz model, which would then be jam approved because jammers will not scan below that number.
Interesting.
Tesla used the ground grounding model for some of his experimental work as well. So yeah, the ground is a spot on. And there's three different areas. There's essentially, there's E field and H field. And there's, you know, so there's the different types of fields that you could create with a magnetic or electrical field. And even in, like you said, in World War I, they were using it to communicate between trenches. And I was saying, well, what's that different? What's that different to what I'm doing? And they're actually doing what they called an E field. And I was doing a magnetic field, H field. So, and you're welcome to, obviously, the listeners can have a look at the talk or download the paper for more detail. But I could then find something that I could get long distances. I want to say long distances. If I could, you know,
successfully generate one to eight or nine kilometers or miles, that was sufficient to what I wanted to communicate.
Very cool. I used a Wi -Fi pineapple once. This was my, this was when I put my dark hat on. I lived in an apartment and the neighbor below me played his Xbox extremely loud at all hours in the night when I had to get up in the morning and work. So I conveniently had
a Wi -Fi pineapple and located his wireless network and hold him for a long period of time. So he had no internet access so that I could get some sleep. So not quite the Julian Assange signal decimation, right? But, you know, it worked for me to get some Zs at least. But I guess the principle, right, for wireless can also work that can work for the airwaves.
Yeah, exactly. And so what you're talking about there, and your listeners will know this, but we're talking about what we call far field communication. So that's what we use, whether it be, you know, cell phones or wireless pineapple and stuff like that. I was operating in what's called a new field. So it's before the antenna turns itself into an actual signal. So operating a new field, you know, NFC, we use it every day with PayPal, sorry, PayPal, you know, when you swipe your credit card at the supermarket and you tap and go. So that, that it's essentially using that same sort of technology that near field communication NFC, but at longer distances instead of that whole design for one to five centimeter or even proximity card data transfer.
Have you thought about maybe hacking some of the point of cell devices and putting far field?
I definitely looked at that because my talk was ID's, but I would have loved to. If I had time, I would have continued down that path. And that would have been an awesome talk where you could just go to somewhere like Black Hat and just charge everyone's card at once.
Everyone's card at 99 cent fee.
Yeah, exactly. Especially the Black Hat. They got plenty of money if they got the Black Hat. Exactly. That's part of the reason we don't go. It's expensive to get in.
That's cool.
Yeah, it seems like some of the credit card scrapers and things that they use are near field. They've got to be within proximity to you. Some of the waitresses and waiters will carry those devices in their pocket.
What is that called? Is it a cummerbund?
Mike, no, I'm talking about the apron.
Yeah. Yeah, yeah. So they'll carry it in their apron. You won't really see it. It might look like a phone and they'll come up on you with their card. They'll just take your card and touch it to it and then swipe it into the POS. Yeah, you've got a double charge and you didn't know it.
It's awesome. It is awesome. Actually, we're in Black Profit.
Speaking of making a profit, tell us about your day job. I guess I'd call it.
Yeah, Sim Monster.
Yeah, your formal business with Sim Monster. I'll be straightforward. I'm a Sim hater. I think logging is after the fact. If you're generating a log, it's too late. It's too late if you're generating a log. You should have stopped it long before there was a log generated. But I do believe, I'm teasing, I'm teasing, there is certainly a benefit in Sim done right. So yeah, definitely tell us about Sim Monster and how you've kind of honed that to be the solution that it is.
Yeah, definitely. And I don't want to sound stalsy, so please excuse it. But look, as you know from my experience, I'm a hack -a -pie trade. I'm a pen -tester by trade. So we only got into the scene market when one of our customers who wanted a scene, and we pointed them directly to Splunk because, you know, 10 ,000 plus endpoints splunked the perfect fit. They couldn't afford it. It was a million bucks for the licensing for what they needed.
They had multi -HQ. So they actually asked us to build a scene platform. Now we thought, well, it's not what we do. We act. But we thought it would be a good exercise, you know, to actually build a scene platform. So we actually got the best of the open source that was out there. And at the time, that was Elasticsearch and all the other tools that you guys use and I use. And we actually put that into a scene platform. That was essentially Sim Monster version one. Since then, that's grown. That's essentially my sole day business. I'm the co -founder and CEO of Sim Monster. And we do large ingestion -based scene plays for companies who want, you know, the 2 million plus EPS counts.
So we'll actually market ourselves against customers like Splunk that don't have the budget for Splunk, as well as MSSP's who want to white label our solution and then offer it to their customers.
But going back to your point about, yeah, your rights theme is post. Traditionally, yes, that was. It was a great detective control. So when you had to go to court and you wanted to find out who did what and where, scene was great for that. So it was a great play. But the scene has evolved since then. So Sim Monster and other scenes who have XER and STOR built in with the automation component.
So we've got hospitals that we work with who have had, you know, hackers should not part hospitals, but they do. You had your intro about the cancer. So we actually have case studies where customers running our product have actually clobbered the attack. So it didn't just perform the scene function. It had the STOR automatic kill chain of that attack and to protect the business itself without any SOC people required to do anything. So that's what we've tried to master in our software. Well, it's awesome because all of the regular, all the requirements, the governance frameworks, whether it's 853, 171 Alpha, CMMC, PCI, ISO, they're all calling for a SIM. Even CIS version eight, you know, is asking specifically about a SIM. So it's very relevant in the governance frameworks, right? It's required if you're going to be, you know, any kind of compliant. So I think it's a super great market to be in and it certainly has its place.
And like you said, the legal response, but do you find that the SIM tool, the customers you put in, are they under a compliance framework?
It's a great question and you guys might experience it yourself in your work line of work. Customers don't know what they want. That's the problem. So we have to guide them on what they want. And we have some customers who just want an XDR solution. So they'll want an endpoint protection and then some great endpoint solutions out there. But that won't protect them for insider theft. And so there's no lock for normal, you know, treasury moving money from A to B. And that's where the scene comes in. So we always tell our customer XDR yes, must have. I mean, it's essentially it's an antivirus on steroids and must have and seen you must have because at the end of the day, if you want to go to court with this sort of stuff, you're going to need a scene for it. So you're right, regulation, yes, customers, we have some smart customers who know yes, we need a scene, but others have no idea. They just don't know what they want. And sometimes I'll actually go, you know what, we don't need a scene, we'll just go with an XDR. They get half the protection that's why and that's why we're in our product and other scenes out there. I don't want to sound salesy that we put the two together because it's a complete solution.
Very cool. Very well thought out as well.
We're hackers by trade. So for us, writing a product like this, we're not like full time app developers that go, you know, we should do this commercial blah, blah, blah, as what would we want? What would you know, let's say you and I start set up a business ourselves and we wanted a tool to use, what are you going to pick? You want something that works for you, you know, you've got to be happy with your product. And that's our motto with our businesses.
Well, what do you guys want to run to protect yourself?
And we do the same. And that's why we use a lot of open source components within our product. Because there's some awesome products out there that we saw our customers running. Let's say they're running Alien Vault, right product, small business perfect. They'll then run, we saw people running other products on the side of Alien Vault, that you know, they're running all their, you know, their nezzas and this and
they're all on the stuff on the outside. And we thought why not put it into the one product, why not have a one stock picture and then so that everything is then filling the scene. So the scene is essentially, you know, the treasure trove of everything that goes in an organization, the crown jewels.
Very cool. No, it's a great idea.
Yeah, we have so many clients that, you know, I ran across this, that was that one of our clients early and they had Sophos installed and had we're using about 10% of it, you know, and leveraging everything they have. If you can find it all in one, so you don't need something to bolt on to Sophos and something to bolt on to this and something to bolt on to that.
That's a great solution.
Yeah, and it goes back to, and you guys, similar mindset to me is like, if you're driving a car and then you have to bolt on extra crap because the manufacturer didn't put that in car, someone messed up. You know, if you have to, if everyone's putting mods on vehicles or mods on
the same, it's like, I can't, as a manufacturer, I actually have the chance to, I can rectify this. We're talking about utes and jeeps here. Like they don't ever come with all the stuff they're supposed to.
That's true. That's true. And then it becomes cost, doesn't it? It does. Gotta have that rooftop tent, you know, that should have come from the factory.
So, but I mean, the native development makes so much more sense because a lot of these companies
grow by acquisition.
So I need this piece for my EDR. I'm going to buy it from somebody else's doing and they don't mind the code properly. And there's always an issue with integration.
And we're lucky at that stage that we don't work on, we're a startup. We're essentially been in business now for maybe five or six years now and we're, you know, having taken on series A, B, C, D, E funding. So we actually have the flexibility to do what we want without having investors tell us what to do. So the ingenuity can keep flowing without the commercial. Because let's face it, the commercial will follow. You're doing the right here, then commercial will follow. People get the hell out of your way. The commercial will follow. Yeah, most definitely.
Well, hey, as we're getting close to wrapping up, tell us what your biggest, you know, your top concerns are, your top threats that you see to the connected world in general when it comes to cybercrime and cyber attacks. What are the big things out there right now that we should all be watching out for?
Minus saving your passwords and browsers because we're all never not supposed to. We already talked about that. So if that's number one.
So speaking as both, I'm going to hack out and use those words interchangeably. For me, AI is the biggest threat. But someone like me can build a PE firm within seconds as in I can just trigger a PE If someone wants to contact someone, AI is going to be huge in our industry to defend and also attack. I don't want to be one of those alarmist persons, but for me, I can see me launching websites automatically and quickly without the hassle of going to word prayers, putting a website, cutting pasting pictures up there, doing buyer reviews, banking people. I think it's going to really hurt our industry, really hurt. We talk about getting an email from somebody and attack pattern one person to and with bots, but having those automated and just continually coming through. Our jobs are going to be held going forward. It's definitely a double -edged sword. I've been able to leverage it as a great tool.
To me, it's like Tony Stark's Jarvis or Friday. I use it as an assistant to help me with coding. There's something in Rust that I'm not sure of. I can ask for its help there or in PowerShell. It's extremely helpful, but at the same token, it's certainly be wielding as an offensive tool as much as a defensive tool by everybody.
It sounds like your concern is not so much about hacking into or manipulating technologies in ways they weren't meant to be, but actually just using technologies for what they were made for with that AI background and just generating websites and things. It sounds like a lot of disinformation and a lot of just misleading scams more than what we traditionally think about as hacking a system. Would that be safe to say?
Yes, spot on. We talked about when I was doing working Q8, where I had to hack the telco and then the media website one after another. That's a manual process, but maybe if you could get AI to do that function for you. Not only do that, but the silent sector, for example, you could set up 40 different websites, just auto -spawn out, silent sector, that's the best product out there, or even worse, it's the worst product out there. You know what I mean? It's the worst company, bad reviews. You could actually kill a business really quickly and just have this spawn automatically, and then you could have them flow onto the other. I don't think we understand how bad it's going to
be. I'm excited for it. I'm not trying to be negative, but I think it's going to be huge. I know we're in the infancy and I can't do this and can't do that, but to watch this space, I'll be watching it for sure, because for me, I can set up dodgy websites really bloody quickly with this sort of stuff and without having to do the manual manipulation.
I'm thinking we should get together and create a fake product and make the website all awesome and drive people to buy it for $5 and they just never get it.
Not just, we could do fake products. We think singular, but with AI, we could do Amazon. You could just do Alibaba. You could just do fake products, fake things, fake reviews. These are our clients. You then go to the client's website, it's a fake website, and it says how great this is. You just spawned a multi -million dollar industry and it shuts down overnight.
Oh, yeah. I think reputation control, reputation management for this stuff is going to be just explode as an industry. There's some of it out there now, but to be able to try to mitigate that and combat those bad actors that are putting thousands of negative reviews until a company pays a ransom, for example. We're going to have to figure that out. I agree with you 100%.
That's been more of my bigger concern than the traditional hacking and cracking into systems is that disinformation world because hacking, a company gets hacked and they are considered the victim. It's like, oh, that's too bad. Whereas with the disinformation, they're considered the enemy. Then they lose business, lose all of that. I'd much rather be considered by customers to be a victim of an attack rather than a terrible enemy of society. It could be portrayed. I think you're dead on there. That's a big concern.
We should do another episode on that topic alone one of these days here.
Definitely.
Well, hey, thanks so much, Chris. Mike, Lauro, any final questions?
I guess my final thought is I'll just hopefully profess that there would be so much information in the world at some point that we wouldn't be able Information integrity. What is the truth? How do we discern the truth from the fake? I think that's potentially the real problem that we may have to solve. How do you feel about that?
I feel that you hit the nail on the head. It goes back to how do we fix that problem?
I don't know. Maybe it takes AI to defeat AI. I don't know. That's too early to tell. But you're right. What you see now, whether you're on Twitter or LinkedIn, you just see that half the nonsense that comes through. It's like watching, it's like seeing something like
a UFO or a ghost. And people will be going, fake, fake, fake. It's going to be like that for even genuine stuff now. How do you feel about what you're doing? What's going on? You don't know. And when you're dealing with a single fact like a UFO or a deep fake, anywhere that's a company, like we've just built a company, a thriving company online through AI. And how do you kill that? How do you then say, no, that's a fake company? Make a phone call. Do they exist? Is that a real address? And go through that whole thing? Governments are not going to catch up fast enough.
Well, we talked about the start, about the birth, death, and marriages. They haven't fixed nothing in seven years since I presented and they're going to take them 20 to 50 and imagine what they're going to be like with this. They've got to be well behind this. Even with
Bitcoin, you see now you've got your big currency traders coming in with ETFs and stuff like that, like your JPMorgan and stuff like that. Late to the party, 20 years late, the party bells now own that industry, the Bitcoin industry. But this is that AI. We're in now the wild west of AI. And it's going to be a good time. Well, you can look at government, you can look at that move it hack. And the government founded on May 31st and then gave all their agencies, announced this publicly that you had until the 23rd of June to fix it. So the hackers had plenty of time to just sit and wait and say, yeah, okay, we got time to do our recon and hack it. With AI, it's not even going to be close. They're going to be destroyed long before then. Yes, Colonel. Yeah. I'll put my black hat on and just tell you, neglect is always our ally.
Yeah.
Hey, Chris, thank you so much for joining us. This was awesome. We look forward to having you again. If people want to get in touch with you to find out, like, let's say they want to overthrow a government in a neighboring country, or they want to just look into Simmonster, how should they reach out to you?
Yeah, so my name is Gareth Simmonstein. You can go directly to our website and you can contact me. I've got my own website, ChrisRockHacker.com, and you can contact me directly then.
Come with your 100 grand though. Don't be playing.
Yep.
Cash. Cash, no crypto or anything in a brief case.
No, crypto.
Crypto I prefer.
Oh, okay. Okay. Like the old fashion method, but well, outstanding. Hey, golden treasure chest is what I need. You know, that's what I'm taking now.
There are no winners anymore, you know, so we got to go back to the old fashioned ways.
But yeah, hey, Chris, great chatting with you.
Thanks again.
Thanks for all of you listening. Be sure to rate the Cyber Rants podcast, share it with your friends. Help us get this information out there, because it is important. We are in a world of cyber warfare, cyber attacks, all kinds of cyber espionage, and people need to know this stuff. I mean, these types of issues are here to stay, so help us spread the word. And we thank you. We'll catch you on the next episode. War is Hell. Go check out ChrisRockHacker. Thanks, Chris. Thanks, boys. Thank you, Tom.
