Hacked - 23andMe Exposed + AI Watermarks + Announcing Hotline Hacked
Episode Date: October 16, 2023
Visit hotlinehacked.com to share your strange technology tale and hear us discuss it on the show, assuming this experiment works (and to see the least mobile-optimized website ever created). We discuss the recent leaked 23andMe data, the MOVEit breach, and what "out of pocket" means. NOTE: We misspoke; the name of the show we discuss is Ransomware Files, not Ransomware Diaries. Learn more about your ad choices. Visit podcastchoices.com/adchoices
Transcript
I just took a DNA test.
Turns out I'm 100% that victim of a massive data breach.
This week on Hacked, genetics firm 23andMe reveals user data stolen.
We're going to talk about it.
We're also going to talk about the MOVEit breach.
Finally, it's been a few months in the making,
but it seems to be tying into many of the stories
and things that we're looking at and reading today.
And then since the early days of Generative AI,
we've been hearing about how crucial a role watermarking
is going to play in fighting misinformation and maintaining copyright.
How is that going?
According to experts, poorly.
We're going to talk about it.
Also, the group known as Alva, Alpha, Alpha, Black Cat,
whatever you'd like to call them, the ransomware group is back at it.
So we talked about them in the Las Vegas episodes.
They are back at it again.
So we're just going to touch on what they're up to.
All that and more in this chat episode, packed.
Do do, do, do.
Scott, how are we doing this week?
Good, good.
I'm moments away from jetting over to your part of the world
and going to pick chanterelle mushrooms in the wild.
Heck yeah.
Yeah, so I'm off for the weekend to go mushroom picking.
So that should be fun.
Not the mushroom type that I think most people would think.
But, uh, you probably kind of make some good risotto. Should be nice.
Maybe you can make a good risotto with the other kind of mushrooms people are thinking about.
Oh my god, kid you, I've never even thought about that. That seems treacherous. It wouldn't taste very good.
No, it is treacherous. It's very true. That's a good word for it. It would be a treacherous meal.
The, uh, yeah, but we'll be kind of up in Tofino, so hopefully we'll get a little surfing in too.
We'll see how the waves are, but we're mostly there to pick mushrooms, so we'll see how that goes.
Good times. I've actually never been up to Tofino. Me and my partner were just
talking about going up there sometime soon as well. You know what? Neither have I. Shocking.
Oh, sick. To everybody that I know. Island living. Island living. But I have not done it.
Island Scott. I don't think I've ever seen Island Scott. Oh, Island Scott existed. Like when I lived in
when I lived in Hawaii, Island Scott was full fledged, full on. Oh, yeah. I forgot you did have an
Island Scott era. Yeah, I did. I did. I would love to have another Island Scott era, honestly.
Maybe that's something that I should be tuning my life for is to become an islander again.
Board shorts? Every day. Every day. Everyday board shorts.
Hawaiian print floral button ups. You know, it's a vibe. It's a vibe. And I can't lie. I enjoyed that vibe very much.
You know who also brings a sort of easy, breezy flower floral print, board shorts, island kind of vibe?
Who's that?
I'm talking about Sarah Gardner, a new patron on our trusty Patreon.
Ooh.
Yes.
Yes, thank you very much, Sarah.
And I think Walt Kimbrough would also vibe pretty hard in the hacked island compound.
I think he would.
I think Walt Kimbrough has like, I'm seeing him with like a Mai Tai, a big, a big drink.
like a really big island vibe drink.
Him and Floyd Clark.
He's just running the Margaritaville constantly at the island villa.
Yeah, that's them.
They're out there.
Floyd Clark, thank you very much.
And putting a pin in the whole thing, fittingly, Ender.
I think Ender's like the dark horse of the island.
He's sort of overseeing it.
He's in like the bird's nest up top, making sure everything's okay.
Maybe in like a lighthouse.
Ender.
What a name to end the list of except for the sad, the sad fact that we have one more.
Suffrageten Bonnie.
Oh, we did miss one.
I jumped straight into the middle of the list.
I'm so sorry, Sufya and Bonnie.
Thank you so much for your support.
It means a lot to us.
And also we're going to see, you get a hammock for that.
You get like a really nice, a hammock and a drink made of a cocoa nut.
A cabana.
In a cabana.
A cabana by the ocean.
Cabana with a coconut drink.
Thank you all so much for your support.
If you also want to support tech storytelling and bullshit about tech,
I don't know if we curse on this show.
You should support us.
We do.
Great.
I should know that.
I curse on this show.
Me too.
I guess I did know that.
I've told a guest recently they can curse on this show.
So you can curse on this show.
All of you, supporters,
new and old concur with this show.
If you want to support tech content and stories and chatting, hackedpodcast.com.
It's a great way to support the show.
Directs to our Patreon and it means the world to us.
Totally.
Any other news?
Now that we've got our travel stories and plans out in the open and a bit of patron thank you,
is there anything else we want to touch on before we get going?
Maybe a new thematic episode type that we're thinking about doing?
You want to maybe pull that out there?
I think we maybe do.
So fun little insight for users,
my cat is ferociously attacking me right now.
I'm just going to pod through it.
I'm podding through.
We're going to do a little experiment.
And I'm hoping the website's up and running good by the time we drop this one.
So a few episodes ago, we talked about the idea of a call-in show.
I love call-in shows.
I think Scott, you've expressed some appreciation for them in the past.
Classics?
They're classics.
You got your love lines.
You know, it's a great medium.
It's a great format.
And we just started thinking about what would it be like if there was, I don't know,
some kind of a hotline, a hacked hotline.
Dare I say, a hotline hacked?
I could have handed it to you on that one.
You could have handed it to me, but you chose not to it.
You wanted to hit it.
It's your name.
You take the credit.
You roll with it.
I chose violence.
This isn't Hotline Miami.
It's a hotline hack.
Yeah, all good.
Yeah.
So the idea behind it.
Take it away.
Let's give everybody a little thing is we're going to have essentially a voicemail line.
You can call and leave a message where you tell us a story about either a cyber crime that you committed or a cyber crime that was committed to you or that you were aware of or in the periphery,
before if you're like a security officer and we're going to kind of listen to these back and figure
out which ones are kind of good stories and we're going to turn them into episode content.
You got it.
What do you think of that?
I think that's bang on.
I think it's like we want those cyber crimes, but we just want like strange tales of technology.
Maybe you hacked into something.
Maybe you solved an internet mystery.
Maybe you like got into a thing you shouldn't have.
We just want you to either submit an audio file or leave a message at the hotline,
and we'll talk about it on these Hotline Hacked episodes.
If this worked, it might not work.
This might be the last you hear about this.
We might get no content.
You might get no content.
Nobody reaches out.
The content might be, I say this with so much love, unhinged, and we just won't do this.
But I'm hoping we talked to so many people to listen to this show, and they always have
these really cool stories.
And I never quite know, we never quite know what to do with all of them, whether or not.
They can make up a whole episode.
And this is just a space where we can talk about a couple different stories
and sort of speculate about what people call in and leave on the hotline hacked.
So there will be an email option to email in either text or an audio file.
If you do send in an audio file, be aware that we probably will play it in the episode.
Same with the phone number.
Or at least an edited version of it.
Yeah.
Same with the phone number voicemail.
So be aware.
If you want to make sure it's more anonymized, just send it in some text,
and then we'll digitize it into the voice of a reader and use that.
Or we'll read it ourselves, one of the two.
Or we'll read it ourselves.
Yeah, if you want to submit text, there's the email on the website.
And as we said, it's kind of as anonymous as you make it.
You can go to hotlinehacked.com.
Hotlinehacked.com to find the hotline.
Take it away.
Land the plane.
I was going to say, hot.
Hotlinehacked.com.
Hotlinehacked.com.
Visit it today.
We got to record like, oh man,
like weird late night infomercials for this.
We should also tell everybody before anybody visits the website
that Jordan generated the website on ChatGPT.
So it's very basic.
It's very functional.
It's got some pretty sweet JavaScript text coloring elements.
I wasn't fishing for you to compliment the JavaScript, but I do appreciate it.
Hey.
Hey, hey, I'm here for you.
Last week, it's Python.
This week it's HTML and CSS.
Like, who are you?
The next thing you know, you'll be, you'll be writing malware in Rust.
Well, I'll be in trouble.
Then what?
You'll be joining Alpha.
Alpha or Alpha or Alf, or Alf, V.
And maybe you're part of Alpha or Cl0p or any number of people getting up to stuff.
Maybe you just have an interesting story.
but we would love to hear it at Hotline Hacked.
Either our brand spanking new franchise
or our whatever happened to that
that someone asks us in five episodes.
Only one of the two.
Dead in the water idea.
Totally.
Yeah, yeah.
Speaking of which, I heard this interesting,
I read in our news article that says nothing to do
with anything we're about to talk about,
but I just thought it was funny.
You made, you made a, like, used a little statement
that made me realize it is, did you know that there's apparently a generational shift for the phrase "out of pocket"?
Oh.
So like, if I'm like, oh, Jordan's out of pocket this weekend, to me that means like Jordan's
kind of whiling out.
You know, he's like, he's out of pocket.
Oh.
But apparently in the older generations, out of pocket means like I'm out of the office.
It's like, oh, I'm going to be out of pocket today at two.
And it's everybody's like, huh?
Oh.
So I had no idea.
But apparently there's this generational gap for the, for the phrase.
is out of pocket. I just found it interesting. I have no idea why I just inserted this,
but I found it interesting. I thought you'd find it interesting. You know how I feel about
idioms and etymology. See, what's interesting about that is that I thought, I think of out of
pocket as neither of those things. Really? I don't think of it as being like in absentia or wilding
out. I think of it as being like based, like about money and transactions. Oh, like you.
Like it was like the cost of the concert was like a bunch of, the example on Google, I'm not going to,
someone's going to check and see that I'm reading this.
The organizer of the concert was $15,000 out of pocket after it was canceled.
Yeah, that's how I think of it.
Yeah.
Like, it's a cost thing.
Like, you put money up for that.
I think I, I see that too.
Like, that's a classic.
Right.
I'm out of pocket 10 grand for this or whatever.
But it's like, if I'm like, Jordan's out of pocket,
does your mind go to, is Jordan in the office or not in the office?
Or does it go to, is Jordan on the beach at the hacked cabana? Because mine goes to the latter.
It doesn't go to either of those, actually.
Interesting.
My brain goes exclusively to Jordan did a bad business deal and now he's feeling it.
Wow.
He spent all that money on the hacked cabana and now he doesn't have that money because of the storm that claimed the hack cabana.
That's what I think about out of pocket.
Okay.
Interesting.
but I think we should move through this.
Yeah.
Let's get into this one.
Five years ago, there was this situation
with a DNA testing service called MyHeritage.
Someone breached 92 million of this,
like, DNA testing company's accounts.
Do you remember this?
I do not.
It was sort of, it wasn't a good news story,
but when they announced that the infiltrator,
what the infiltrator got access to,
there was sort of a sigh of relief
because they got access to encrypted emails and passwords.
And everyone went, oh,
your user data.
Exactly.
Everyone went phew. That could have been bad because they never reached any kind of genetic data.
I was reminded of that this past Friday when 23andMe, a U.S.-based biotechnology and genomics firm,
confirmed a data breach of their user accounts.
The company said that hackers accessed certain accounts of 23andMe users.
I would say it's not just any genetic testing company.
That's got to be the biggest one I know of.
Like I know.
They're the one I think.
Yeah, I know lots of people that have done 23andMe testing.
Yeah, me too.
I remember a few years ago, like thinking about doing it.
And I didn't, I didn't not do it because of some, like, privacy-based awakening.
I didn't do it because I lost interest.
Like, it's there but for the grace of God go I.
And let's be clear, not every single 23andMe account was breached.
And it's not to say that 23andMe itself was necessarily
breached, there's some nuance here.
But the outcome is
pretty gnarly. And I think it kind of
paints a picture of what a
spectrum of genetics-based
leaks can look like.
So,
this announcement came a couple days
after hackers started advertising an
alleged sample of this 23andMe
user data on the hacking forum
BreachForums, offering to sell
these profiles for between $1 and $10.
And these sort of
early samples, which a couple different
places were able to verify, were organized based on the descent of the users. So there was essentially
a little cluster being sold of 100,000 Chinese users. There was a cluster being sold of a million
Ashkenazi Jewish descendant users. A spokesperson from 23andMe confirmed that the data that is in
these leaks is legitimate. And what it looks like happened is the threat actors used essentially
a credential stuffing attack. So credentials that were in
other breaches that were recycled on 23andMe were used to get into these accounts.
Quote, they clarified, quote, we don't have any indication at this time that there's been a data security incident within their systems.
It was a credential stuffing technique.
Let's segue, before we get into the actual hack, and just talk about credential stuffing just a bit.
If you're an old Hacked fan, you would have listened to A Problem With Passwords.
I think it was one of our first four or five podcast episodes.
And I am now a believer in the password manager,
and I think that this style of attack is the main reason why,
you know, you need a unique password for every site.
Or else you just become, with the scale and velocity of
data exploitation style hacks where they're pulling out user records,
if you have a password that's guessable,
even within a reasonable timeline of months,
chances are you're vulnerable to having a pretty nasty set of this style of attacks happen to you.
And I just think that that's something like I've set up my wife's got a password manager now.
Everybody that I come into, I recommend them using unique passwords on everything, complex passwords as well as changing them with frequency.
And I think that's as long as we live in this antiquated password-based life, which I don't think we're going to get away from.
because even if we use other things as forms of biometrics or whatever,
all they do is getting coded into passwords anyway.
So realistically, it's all just data.
So at the end of the day, the best thing to do is to just have different data for each site
so that this doesn't become a problem for you.
100%.
For the folks that it did become a problem for, leaked data included full names,
username, profile photos, sex, date of birth.
Geographical location and genetic ancestry results.
So a pretty gnarly doxing as doxings go.
Bleeping Computer found that the number of accounts sold by cybercriminals
doesn't necessarily match the number of 23andMe accounts that were breached using the exposed
credentials.
At the heart of this whole thing is something called this DNA relatives feature.
And what it's essentially like a toggle that you can choose to use or not use that lets you
find and connect with genetic relatives indexes other people that share some sort of genetic
relationship with you based on your 23andMe results. And what it looks like the threat actor did was
they were, only by accessing a few 23andMe accounts through this credential stuffing, they were able
to scrape enough data from the DNA Relatives matches to start building out essentially like a database
of different people that shared certain genetic markers. This is how we ended up in a situation where you would
have a breach of just here's a list of people that share this ethnic background.
You wouldn't really be able to do that without a system like DNA relatives unless the hacker
had gotten full access to 23andMe's system.
But because of that feature, just through user accounts, they were able to create these
million strong entrance.
And given that we know more accounts were breached than have been exposed in these leaks,
we can probably assume more of these lists are going to come.
Yeah, I feel like this is going to be one of those data sets that people will target and will eventually probably people will try and expose.
Yeah, I think that's true.
I shouldn't say they probably will expose, but they will try.
100%.
And this is also going to be one of those things that like once it's out, you know, it becomes the classic thing of like, it's like the Ashley Madison hack.
It's like the damage is already done.
If you were in there, it's like the damage was done.
It's like they don't need to sell it.
There's no way to look to monetize this, but it's like if all of your genetic data is floating around on the internet, it's like the damage is kind of done.
Especially if somebody can be like, oh, I just got an insurance application for Jordan Bloemen.
Plug them in.
Oh, yeah, his data's here.
Oh, look, he's got hereditary markers for X, X and X.
It's like, okay, denied.
You kind of beat me to the thing I wanted to bring up.
which is that like I don't really know, when I think of like a breach forum, like where people are buying and selling this information, I don't really know what the people buying and selling stuff there would want to do with genetic information. It's just not really compatible with making money through cybercrime in the like short, short, short term. But what we know is that the information that's in these data breaches that we think of as being bought and sold from cyber criminals tends to end up on a long enough timeline getting packaged up and bought
and sold and bought and sold.
And it kind of works its way up the chain of legitimacy
until phone numbers and emails
that were in non-legitimate breaches
find their way into the databases of real companies.
And that's what I'm worried about with this,
is that the long play on this is selling these to companies
that shouldn't be buying this data illicitly,
but have a huge financial incentive to have it.
I think that's where genetic breaches go.
And it would be an icky world if that's where it goes.
But we don't live in an icky world, do we,
Jordan? I sure hope not. I sure hope not. The last thing on this one, I went down a bit of a
rabbit hole because I saw that first story from a few years ago. I remembered it. And I went looking for
like breaches and data leaks relating to genetic information. And there's this WaPo story from
2022. Quote, since the beginning of last year, more than a dozen medical labs, genetic testing
companies and fertility firms have disclosed breaches affecting more than 3.5 million people,
according to a Cybersecurity 202 review of data breaches.
Wow.
And it's just interesting to me that, you know,
small labs that have the actual, like people's genome, like genes,
like the actual raw data are as good an attack target as like a massive company like 23andMe
if you're trying, depending on how granular this data is.
And it just sort of makes me reflect on how the more and more genetic data we start
producing and digitizing, the bigger target's going to become.
And unlike a credit card,
there are some things you can't really change when they get leaked.
See, the problem is, like, this data is super valuable, too, to the person.
Like, if you know you have specific markers for heart diseases and cancers,
you can be well aware and more up on making sure that you're checked and tested.
Totally.
There's a lot of positive that can come into this data.
Yeah.
So it's sad that, you know, it just becomes one of these things where it's like, well,
there's a bunch of negatives that can come out of it too.
and it's just a byproduct of the world we live in.
But I think over the next 100 years,
we'll see changes come to the industries
that we're worried about having this data
and hopefully changes come to the industries
that we hope have this data.
Yeah, it's true.
Like if my family doctor knew what I'm...
Like, you know, medical history of your parents
is such an important thing.
And it's like, well, this is, you know,
your DNA essentially is the codified version
of the medical history of your family.
So it's like, now that they've deciphered the codes, you know, having the code is a good thing.
And it's like, I think that this is probably something that in society we don't take advantage of enough.
No, it's true.
From a wellness and health perspective.
Yeah, I want to see us getting better at like leveraging genetic data and be really like, I think a lot of the ways big companies handle data breaches.
It's like I'm regularly kind of disappointed by it because it's like anything.
It's PR.
You're trying to minimize a situation.
You're not necessarily being totally forthright with what happened.
And this is such a delicate, sensitive thing.
We need to build systems of security and trust to allow us to have this information
and to use it to the best of our ability.
Because the potential upside isn't like a better chat messaging app.
It's like people's lives.
The stakes are very, very high.
We should be advancing this and getting better.
But like, man, we just need more trust and more.
security in these systems.
Because
icky shit will happen.
That to me is a perfect segue
to the MOVEit breach if you want to talk about the MOVEit breach.
Heck yeah. Let's talk about the MOVEit breach.
So MOVEit is a data transfer system
created by Progress Software
that is built to be
a movement system of high security
to move hyper-sensitive information.
Corporate secrets, personal information, HR stuff, anything that's,
you know, you need to move, but you want to make sure it doesn't get out there. You know,
like if you go to their website, they have the first sentence at the top of the page is
talking about security standards and protocols and cybersecurity things. Anyway, so one of these
pieces of software, MOVEit by Progress, got compromised. And it's not the first one of its kind to
be compromised, because it's actually hacking groups that target these styles of software
because they know that they're so valuable.
So it's the same thing.
Same thing as the genetic data.
It's like if you put a bunch of valuable information into a place,
people that want valuable information are going to try to get it.
And it's the same thing with MOVEit.
So MOVEit was behind,
I believe it was the MGM hack or one of the Vegas hacks or both of them maybe.
Can't remember.
It was behind the Sony hack that we talked about last time,
and it's been behind a boatload of other hacks.
Like, they're estimating something like 600 organizations
have fallen prey to one ransomware group's use of it.
Yeah, so even the vulnerability, the CVE that came out on it,
was given a 9.8 out of 10. So like, essentially, out of all the severity
that like a potential vulnerability in a piece of software could have, this is like one
of the top.
Yeah, so I didn't know
what MOVEit was.
And the thing that
put this on my radar,
like you said,
last episode we talked
about these sort of
what were then brief
early murmurings
of another Sony leak.
And I was fascinated
as you brought up
to find out that it was part
of what's looking
maybe by the numbers
like one of the biggest
hacks of 2023.
Not a singular hack.
Part of this much
sort of a supply chain
attack involving this file
transfer protocol maybe
you could call it.
MOVEit.
File transfer system. Yeah. So Sony confirmed that they were part of this MOVEit breach.
For them, it was 6,800 users. Data extortion gang Cl0p has claimed responsibility for the breach.
The breach seems to have exploited a zero-day vulnerability in MOVEit. And it's looking, as I said,
probably one of the biggest hacks of 2023 and potentially in like over the last couple years,
it's looking like, you mentioned the 600 through one ransomware gang. It's looking like to date,
the total impact is about 1150 organizations,
56 million individual users across that
and a global cost of close to 11 billion
as of time of recording.
Pretty astonishing.
Affected entities so far have include Shell,
British Airways, Sony,
and the U.S. Department of Energy.
Progress Software, you mentioned,
is the owner of MOVEit,
did patch the sort of zero-day flaw back in May,
but clearly as we are seeing this month,
the damage has already been done.
This vulnerability, I think, dates back to April, if I'm not mistaken.
I think the first things you heard about it dated back to April.
And it's, so they patched it pretty quick, but of course, like any kind of system software
that has remote deployments and stuff, whether IT departments around the world patched fast enough,
things like that, or whether there was already access granted.
And people had already exploited it was a thing.
So the way the exploit works too, is it's,
It's kind of a classic SQL injection.
So they can kind of force a piece of SQL into a query going into it, which then causes
remote code execution.
So I think what they were doing is using it to deploy web shells and remote, like essentially
remote access shells.
So they could get in kind of either, A, go through the database, which is full of highly sensitive
data transfers because that's where they were.
Sure.
Or they could, you know, create new accounts.
etc, et cetera, et cetera.
So I know that they were using it as a jump-off point
to launching attacks further into networks,
which is what I think happened with Sony,
if I'm not mistaken.
They managed to kind of get in
and kind of spider through the networks.
So not good.
A massive public-facing service
that has a massive remote shell exploit.
And the world's paying the price for it.
Yeah.
There's typically like, I don't know, it's always sort of hard to, maybe none of these attacks ever really have that much of a narrative, but it's a lot easier to make a narrative when it's a hacking group going after one individual target.
This is so strange because you have like Shell, British Airways and the Department of Energy.
You also have like healthcare facilities to sort of go back to what we were talking about with genetics.
A bunch of sensitive information has already been confirmed as having leaked as being stolen as part of this vulnerability, lab test results.
BORN Ontario, a government birth registry, recently disclosed a MOVEit-related attack.
Looks like hackers stole data from 3.4 million people, including 2 million babies,
expected parents, and people seeking fertility care.
Data gathered over like a decade as part of this attack that was not explicitly targeting birth registries,
but because this was a supply chain attack of a very commonly used tech utility,
they just sort of got the keys to a bunch of different castles,
including one with two million babies in it.
And Sony.
And Sony.
Yeah.
And your PlayStation.
And Sony.
Yeah.
And your PlayStation.
The, yeah, big, big, big problem, big hack, big vulnerability.
And the reality is there's probably still unpatched versions of it kicking around.
So I think we're still seeing, like, there's still exploits and hacks.
connected back to this coming
up now. So it's
just it's
it's funny that it's a piece of, well it's not funny.
It's ironic that it's a piece of software
that was
acquired, set up and configured
to make sure that privacy was upheld
and to reduce the risk of stuff like this.
And then next thing you know,
it's the main thing that's kicked the door open on it.
Okay, when we come back from the break,
when we talk about
AI watermarks and are the folks over at Alpha.
Alva.
Alva.
Think about the last time you heard a breach story on this show.
It always starts the same way.
Someone somewhere saw something too late.
An alert buried, a signal missed, an SOC that just couldn't keep up.
Arctic Wolf set out to solve that problem by rebuilding security operations from the ground up for a world where attackers are already using AI.
They created the Aurora Super Intelligence Platform, a fully agentic system powered by the swarm of experts.
Instead of single-purpose bots or lucky-guess LLMs, this swarm is full of deterministic agents that handle whole entire workflows.
Humans stay in the loop and on the loop to validate the critical decisions and keep everything trustworthy,
and all of this is just off running on their secure operations graph.
A constantly updating intelligence engine fueled by more than 9 trillion telemetry events every week
and over a decade of real-world incident response.
The system reasons on real signals and real context not synthetic training data.
And the result is the new Aurora Agent SOC.
It's the first SOC that is agent-led by design.
You get agents that coordinate, agents that investigate,
agents that respond at machine speed,
and hundreds more that automate the repetitive work
that normally buries human analysts.
Arctic Wolf didn't try and bolt AI onto an old model.
They rebuilt the model entirely.
What makes it even more effective is how it works
with Arctic Wolf's concierge experience.
The team brings customer-specific context
directly into the platform
so every AI-driven decision
reflects your environment
instead of generic assumptions.
The automation frees your concierge security team
to focus on higher value strategy
and proactive risk reductions
while the agents handle the grind.
If you want to see what trustworthy,
production-ready AI and security operations
actually looks like,
go to arcticwolf.com slash hacked.
Ever feel like cyber threats are
evolving faster than anyone can keep up?
Last year, 2025 was nothing short of a record-breaking year for major breaches,
from sophisticated ransomware operators to AI-enabled attacks to turn defenses on their head.
Organizations around the world saw headlines they never expected,
and cybersecurity teams were tested like never before.
But here's the thing.
These incidents aren't just news headlines.
They're learning opportunities.
And that's why Arctic Wolf is hosting a live webinar on February 5th,
diving into the most impactful breaches of 2025.
Their field CTO and security leaders are going to unpack not just what happened, but why these
attacks succeeded.
And most importantly, what businesses can do to fortify their defenses before it's too late.
You're going to walk away with real insights in how threat actors are evolving, how defenders
are responding, and what strategies can help you stay ahead of the next big breach.
It's not fearmongering.
It's practical, actionable, intelligence from experts in the trenches.
Register now at arcticwolf.com slash hacked.
Before we started recording, we were like, we got to pick a way.
to say it. And then both of us immediately the second it started, we were like, Alpha, Alpha, Alpha.
Like, we went immediately back to not knowing how to say their name. It is unpronounceable.
Yeah, Black Cat was their original name. And that's like, that's a word that I know how to say.
Yeah, sure. I got my feet under me with that one.
Alpha, alpha. I just got to call it Alpha. So yeah, anyway, Alpha is back.
Tell me about it. They're back. It's stirring up some stuff. Yeah. So they
compromised a Florida circuit court
and apparently have stolen a bunch of employee information
including applications for careers and things like that, I think,
is what I read.
So they were related to the MGM stuff.
And yeah, they just keep going.
So I'm not sure if this is associated to the same kind of way
that they got access to MGM, whether it was a phone call to an IT department
that led to an endless amount of problems, but they're back and they're still mucking around.
Interesting.
Yeah, because my memory of the casino hack was that Alpha was responsible for the ransomware
and scattered spider were the social engineers.
And you raise a really fascinating question of like, well, does Alpha do the social engineering
too?
Like what is their capacity?
I think we've got to start reading more about these folks.
Maybe one will call hotlinehacked.com and we can play it on the show.
Maybe we can talk about it.
It's an interesting one because we never really have a great sense of the timelines.
We read about a story and it feels like the very next week,
the same crew of people is on to stuff.
And I do wonder, like, is there a lag in the publicity of these attacks or are they really
cooking it that quickly?
Did they really just wrap up doing a full Oceans 11 and immediately kick it over to a Florida court judicial circuit where they dropped a bunch of information on a website?
It looks like the Florida circuit court didn't pay the ransom, and that's why the data was.
I'm so fascinated by that, the internal conversations.
That's something, there was the, yeah, Ransomware Diaries was so cool about that because it was specifically concerned with that process of negotiating
ransomware and making the decision of whether or not you want to pay for it.
And that's,
there was such cool reporting of that because it is such a private,
secure process that people don't want to let people into.
People don't want to talk to journalists about it.
And the fact that he was able to do that,
if you never listen to that show,
go back and listen to the feed drop we did last year with them.
It's a very fascinating one.
Yeah,
it's interesting because it's like a hostage negotiation essentially.
And it's like,
do you pay the terrorists?
Totally.
It's like if you become like Caesars.
So here's the thing.
My wife listened to the episode where we talked about Vegas and was like, hey, you know,
Caesars paid it and was back up and running.
MGM didn't.
Why didn't they just pay it?
And it's like, well, it's tough.
It's tough.
It cost them $100 million in, like, lost revenue and stuff.
So it's not, I'm sure the ransom was less.
But at the same time, once you become known as the
organization that pays,
Do you open yourself up to more
attacks? I would say yes.
It's like,
it's not going to be the last time this happens.
Definitely not.
And I feel like Vegas of all places
would have a lot of, like, I don't know,
they put a lot of thought into how you deal
with a criminal messing with your system,
whether it's the casino
floor type criminal. It's like, no, there's the
old Vegas way this shit
is done. And I'm not just saying
that's what happened there, but it feels like,
I don't know. It kind of reminded me of that.
Yeah, yeah. If Vegas was not a conglomeration of publicly traded companies these days,
if it was still back in the old days when it was mostly allegedly mafia run,
I'm sure this would be resolved in a much different way.
Yeah, I mean, if you're going to go after a place like this, run by the mafia,
and I am making no claims about MGM, I'm sure that is a different time.
Yeah.
But you know what? I'd probably want to do it from behind a keyboard.
Yeah, yeah. I said allegedly, intentionally there.
We need to just print allegedly on the like box art of this show.
Like we're just speculating wildly.
We try and be informed.
Speculating wildly.
We are out of pocket on hacked.
Which one?
Now there's ambiguity.
Yeah, yeah, exactly. All of them.
All of them. Okay.
So we mentioned this a little bit at the top of the show, but
when generative AI first started kind of kicking around, people started talking about,
people started exploring, okay, well, what is the downside of this giant earth-shattering new technology?
And along with the impact it's inevitably going to have on the creator economy,
there's the question of misinformation, and for both of those people started positing that watermarking could be a very useful technique.
The ability to run an image or piece of text through something and try and quickly figure out,
you know, just like a checkmark.
This was or was not generated by AI.
Major AI companies, OpenAI, Alphabet, Meta, Amazon,
immediately said we are committing to developing watermarking technology
to counter misinformation.
It was the sort of thing that was gestured towards whenever that very present threat was brought up.
Google's DeepMind introduced a sort of beta version of its watermarking tool,
SynthID, in late August.
It's sort of the answer that comes up a lot when people raise those very, very
important questions. We are talking about it because of a really fascinating piece in Wired that
dropped about a computer science professor at the University of Maryland, Soheil Feizi, who, after this
long research project over the last six months, has stated that there is currently no reliable
watermarking for AI images currently used. He and his small team were able to break all types of AI
watermarking that they tested.
I thought this was probably worth talking about.
So there's two different types of watermarking, right?
There's the watermarking that's visible to the naked eye,
a watermark in the corner.
You can think of the Getty Images type thing.
It's also funny in the context of AI.
The other type, I didn't know this phrase,
it's called low perturbation.
And that basically just means it's invisible to the naked eye.
Yeah.
So he was testing specifically these low perturbation watermarks
that would allow a user to quickly check
an image for whether or not it was generated by AI.
And I'm just going to quote him here, the results of his study, he deemed them to have,
quote, no hope.
He was, him and his team were able to, the phrase is washing out the watermark.
And it was exceptionally easy.
He also, I found this interesting, demonstrated how pretty simple it was for those same
watermarks to then be added to human generated images leading to false positives.
So it's not just that the current state of these watermarks is like crackable.
It's, it maybe suggests that the very concept of an easy to apply watermark that is not visible to the naked eye could then be misused to create these false positives that render it even less useful in the first place.
My mind immediately goes to, I feel like you could train an AI to detect and remove these
AI generated watermarks.
A little bit, yeah.
Like you get a big training set of AI images that have the watermarks
and a big training set of images that don't have the watermarks.
You feed it in and then train it up and be like, okay, here's a watermarked image.
Is this image watermarked?
Yes.
Remove the watermark.
Totally.
Yeah, generate.
I feel like AI would be great at doing that.
Yeah, your solution to AI just happens to be the kind of thing that AI would be really, really great
at undoing, which is sort of
a bad situation to find yourself in. Yeah. It raises this question. This isn't the
only one of these studies that's going on. Pretty much the second we realized we were entering a, like,
era of watermarking being really important, a bunch of different studies kicked off. There's a
University of California one, Santa Barbara, Carnegie Mellon. They have all found very similar
things to Soheil's study, which is that these are susceptible. The interesting idea here is that
I think maybe these just, we start thinking of these not as like a silver bullet and as a small part of a much broader way of addressing misinformation and copyright that are invited by this new technology.
It's sort of like a means of harm reduction against the really, really low effort AI fakery.
You could imagine a super, it's not the kind of thing you'd want to trust for everything, but like a filter almost on
a social media platform or an email client that is just parsing for the really, really low
effort stuff, but that you shouldn't be relying on as like a real true test of whether or not
something was authored by a human. I remember when ChatGPT first came out. There were tons of
teachers running ChatGPT essays through essentially these tools that came out within days of
ChatGPT that were tasked with, like, checking whether or not it was AI generated. And we all kind of
quickly had this reckoning that, like, this is not, put this tech back in the oven, it's
not ready yet. But it's like, it's the same as the traditional watermark, right? Like it's
essentially a road bump. Like if you want to get rid of it, you can. That's a great point. Like
Adobe Photoshop's smart fill probably gets rid of most of them. Exactly. So, but
it's essentially, you have to cognitively take the step to violate the
copyright.
Yeah.
And I guess that's probably the biggest, the biggest checkbox for it is like being able
to show that people actively did do something to bypass the copyright when you do find
them.
The idea of having some form of, like images are pixels, right?
Like they're just data points, literally just a grid of data points, run through compression
algorithms and a bunch of other things, depending on what type they are.
But trying to put something into a grid of data points that can't be
either A, detected, or B, removed is very hard.
If you know what you're looking for, very easy.
So, yeah, it's going to be a real tough one.
Unless they're also hashing the file and providing the, like, you know,
checksum for the file and you have to validate that the file has been modified,
then it's very, very tough.
Yeah.
Because I have such a deep disrespect for my own time,
I end up watching a lot of like tech announcements and public press events and stuff.
And I'm always intrigued by like the recurring narratives that occur when companies have to announce new technology, let's call it.
And I'm intrigued to see, I imagine there's a lot of pitch decks and public presentations that are sitting in like private drives right now that spend a lot of time talking about security and artificial intelligence.
And I would imagine that if I could do a search for the term watermarking,
it would come up a lot.
And I'm very intrigued.
The thing I wanted to take away from the story is like almost like loading it into my brain.
So that the next time I see a big company talking about watermarking and how watermarking with AI will only make this more secure or will make misinformation harder.
Not to necessarily say, well, that's just a lie out right.
I don't think it's that.
But to sort of like carry a little bit more skepticism about that as we continue to wade into this AI
generative art era.
On those same drives with those same slide decks talking about watermarking,
there's probably slide decks full of artificially intelligent,
or AI generated images and AI generated copy.
Totally.
Maybe even in the same slide deck.
Yeah.
It's like every pitch deck I've seen in the last year has had some form of AI generated
images in it and some form of copy that's been accelerated, edited,
or entirely generated via AI.
So I think we're there.
With Microsoft's, I think we're there.
Like I know Microsoft's looking at building,
I'm not even looking at, is actively, if not getting ready to deploy.
If maybe it has deployed, and I just don't use Microsoft Office enough,
but they are generating essentially an assistant inside of office
that will fast track tons of things for you,
whether it's writing an email in Outlook,
editing something in Word,
maybe even smart,
like smart figuring out what your spreadsheet design is looking to do
and then just finishing it for you.
So I think it's going to be a,
I think it's,
we're there.
I think it's going to be good,
but it's going to be bad,
there's going to be bad things too,
just like everything.
Like if you look at this entire podcast,
it's because we have technology.
And technology, I think,
is largely seen as good.
But there's some bad there too.
Oh, definitely.
Yeah, I'm, I think you are right about all of that.
I'm very intrigued to see what the next.
I think it's, I'm fascinated to see as it gets baked more into the stuff we're already using.
Like, I've become a ChatGPT user for a bunch of different things.
But I think for a lot of people, it being woven into the places they're already being productive,
Google Docs, Microsoft Office, that's going to be when it either does or doesn't become a big part of people's habits.
because like I'm, this is one of the first pieces of technology where I'm realizing that like,
I don't know, the little bit of a bubble that I'm in when it comes to new technology.
Like I have friends who like tech.
I like tech.
We do a tech show.
And in my mind, ChatGPT showed up, Midjourney showed up and I'm like,
all anyone's going to be using in six months.
And over six months have passed.
And a lot of people in my life are not regularly using these tools.
Like, okay.
There's, there are different, there are different threads.
of tech users and being cognizant of that is something that, I don't know,
it's been a really fascinating process watching a big, big tech shift happen,
realizing that it's not all happening at once.
I was sitting in a friend's backyard a couple months ago.
We were having a beer and, you know, their brother showed up and their brother's fiance.
And she was in university now.
She's still in university, just doing a master's or something.
Sure.
And she was talking about how she uses it to summarize her readings.
Right.
Like you just copy in digital text.
So she's got to read 200 pages a week or something.
She just dumps it into ChatGPT.
She's like, summarize this for me.
And bang.
Yeah.
Outcomes like, you know, three or four pages of like, you know,
everything that you need to take away from it.
It's like, wow, that's a, that's a use case.
Oh, yeah.
Yeah, it's funny.
Yeah.
I thought I'd figured out was a total tangent.
We talked about AI hallucinations a little while back,
and those are particularly bad when you're asking it questions that it's trying to derive the answer from its own internal data set.
Like if you ask it about a law or a health situation or anything like that, it might just make things up.
And I'd started to feel like I had sort of found the workaround to that, which is that always provided your own data set.
Yeah.
Always be bringing in your own information.
information and saying, I want you to work off of this. Beyond just the ability to quickly
look back up at the data and make sure something is accurate, I also just found it got much
better results. I got my first full blown hallucination using that technique. It was like kind of
spooky to me. I was looking at it writing full on the wrong thing. Like it was just going on a
total fantasy unrelated to the text I had just provided it. It was really weird to watch. Because
ChatGPT doesn't just sit there with a loading bar and then show you the presented text,
you get to watch it type. There was something so creepy about watching it, like,
just sort of, like, wax fantastical and make crap up. Me, like, dog, I can see, I just read what I
gave you. And I'm just asking you to synthesize it into notes so I can remember it later.
What are you, what is any of this? So I like, I want to just keep banging the like the robots,
the robots dream of electric sheep.
They're making shit up still.
Don't trust it yet.
Like use it.
It's a powerful tool.
But if there was a calculator that just got 5 plus 5 equals 9 sometimes,
you'd be very cautious using that calculator.
Yeah.
Hey, there is, I know we're like wrapping up here and just kind of shooting it.
So here's a good one.
Remember when we were talking about video game hackers and free to play games
and how they're overrun with video game hackers?
So Counter-Strike 2 released.
The new version of Counter-Strike came out.
And they have essentially instituted kind of what I said.
They put in a prime status upgrade.
So for like an additional like $20, you become a prime player.
And prime players play with other prime players.
So essentially they've created a situation where you've essentially paid a cheating bond.
You get a few other little perks with it.
But at the end of the day,
The biggest change is that prime players get matched with other prime players.
And because you've paid for it now, there's a good chance you're not going to cheat.
So it's a cheating bond.
Yeah.
So anyway, I just thought it was cool as an old school Counter-Strike player.
I remember that idea that you had.
Yeah, a cheating bond.
That's a really good way of putting it.
Is Counter-Strike 2 out or is that?
No, Counter-Strike 2, it's been out forever or, like, a long time, right?
Well, yeah.
Yeah.
Yeah, but they just did a full rebuild of it.
Oh, God.
I think it was a few weeks ago, two, three weeks ago, the new, new, full route.
CS:GO went away and Counter-Strike 2 came out.
Oh, okay, okay, okay.
Because I was like, I thought it came out in 2012, and then I'm seeing 2023.
I was confused.
That's fascinating.
I think that that makes a ton of sense.
Yeah, it's a game that's had Valve Anti-Cheat.
Like, Valve Anti-Cheat, VAC.
Like, Valve Anti-Cheat was created for Counter-Strike, essentially.
And it's got a very active anti-cheat, but there's still people that cheat and hack in it.
So this is just a way to get around that.
You know, so many of these free to play games are just overrun with hackers and cheaters that, you know, hey, you love this game.
Do you love it enough to pay 20 bucks not to get frustrated every time you die to a cheater?
Yeah, totally.
Yeah, I do.
Interesting.
So.
Huh.
Yeah.
Bring it up.
Hotlinehacked.com.
Make sure you go to it.
Final ring of the bell, Scott, Hotline Hacked.
What is it?
Where do they go?
What should they do?
Go to hotlinehacked.com.
You want to call the number and leave us a message.
And please don't use this just to send us weird things.
There's also an email in there that goes to an anonymized email box that we're going to go through.
Please don't send us malware.
Alf, we're super sorry.
We don't know how to pronounce your name.
Please don't use this as an attack vector against us.
Yeah.
Send us some stuff if you're interested.
got a good story. If you've done something or if you've seen something or if you
allegedly know of something, we'd love to hear about it. And if we think it's good, then
you know, maybe it'll be in an episode coming up. Stoked to hear from you. Thanks for listening
to another one. Thanks for making it to the end. And we'll catch you soon. We'll catch you on
Halloween with a very fun episode of Halloween Hacked. Oh yeah. Special guest. Special guest.
Looking forward to it. Catch you in the next one. Take care.
