This week on the podcast, we take a look at the impact of the US National Institute of Standards and Technology (NIST) backing away from their previous role of enriching vulnerability CVE records. Before that, we discuss Huntress's insider threat drama before ending with an AI-assisted vulnerability discovery in the Front Gate Tickets platform.
View Transcript
Marc Laliberte 0:00
Everyone, welcome back to the 443 Security Simplified. I'm your host, Mark Laliberte, and joining me today is
Corey Nachreiner 0:08
Cory Holiday Nachreiner. We're going into a long weekend, Mark.
Marc Laliberte 0:14
Your dog just gave out an amazingly perfectly timed snore as you were.
Corey Nachreiner 0:18
How did you hear that? She's all the way over
Corey Nachreiner 0:20
there, but yes, she sure did. That would be..
Marc Laliberte 0:23
she is excited for this episode,
Corey Nachreiner 0:26
I think. She's giving me a sign that she doesn't want to hear me recording a podcast in the morning while she still sleeps. But deal with it, Cali, security is important.
Marc Laliberte 0:37
It is. And on today's episode, we're going to start with a little bit of drama in the security space, and we've got some opinions on it that I think are maybe a little less dramatic than what's been going on. Then we'll dive into the world of NIST, the National Institute of Standards and Technology, and they're pulling back from grading CBSS stores on CPEs, and we'll end with some fun little research that I was hoping would bankrupt Ticketmaster, but unfortunately is not going to.
Corey Nachreiner 1:11
It's too bad. So, tickets are still going to be absorbently too pricey, for what they're worth, thanks to that 1/3 party,
Marc Laliberte 1:19
especially after this vulnerability was fixed, but with that
Corey Nachreiner 1:23
planet AI, we'll find another
Marc Laliberte 1:26
one. Well, with that, let's go ahead and hack our way in. So, starting, Corey, let's dive into some internet drama. Does that sound fun?
Corey Nachreiner 1:43
I love drama. Get out. Where's my tea? I need you to, I need you to spill the tea.
Marc Laliberte 1:48
So, this all started a bit over a week ago when a former security operations analyst at Huntress made a pretty inflammatory LinkedIn post that, was accusing Huntress of covering up an insider threat incident since December of 2025 They claimed that the incident would cause significant reputational damage to Huntress, and it continued to put clients at risk. In their post, they even shared their resignation letter they sent on december 29 where they said that their decision to leave was based on personal reasons, and also due to a conflict, conflict of interest that arose from a discovery that on december 20, nine days before their resignation, another Huntress employee passed communications from US law enforcement to a cyber criminal known as Dev Man, who was actively and publicly targeting their family in them, so like this post came out, it came out following another one where they replied to like a Hunters post about being transparent with like a clown emoji, and it kicked off a big firestorm on social media, both on LinkedIn and on Reddit there was a lot of speculation on like what was shared and how serious the insider threat accusation actually was, and it forced Huntress, and specifically Huntress's CEO Kyle Henslovin, to publish a response on the Huntress corporate blog, as well as on Reddit too, with a bit more details, they started it by saying that they hunters had conducted multiple investigations and found no evidence of illegal content or conduct or in an insider threat, and that their consultation with law enforcement also reached the same conclusion. And then they dove into, like, some limited information that they could share, they said they were being a bit, you know, not as transparent, because it involved employee privacy and law enforcement and stuff like that, but they did say that first off, Huntress permits their threat researchers to engage with threat actors when it's beneficial for them, which makes sense. WatchGuard has a similar policy, we have a very strict don't fund cyber crime policy, but like for threat research we're on most of the forums as well to try and gain firsthand intelligence too, so that's not surprising. He went on to say they were aware of separate questionable long term threat actor communications from both a current employee and this former employee that made the post in one particular exchange, the current employee disclosed to the threat actor that law enforcement had reached out to them about the threat actor. They said that while the disclosure was not illegal, it did reflect poor judgment, which I think, pausing there, that's fair. Maybe I mean, you could argue that sharing law enforcement communications about an investigation is bordering on obstruction of justice, but that would be pretty extreme for something relatively trivial, like talking to a threat actor and saying, 'Hey, the FBI is asking about you. Yeah, it certainly won't. Make the FBI happy, whatever it is, even if it's not illegal. Yep. The so the post from Huntress's CEO went on to say that when it was first reported by the former employee, they investigated and consulted with law enforcement and ultimately just implemented stronger policies. After the former employees post on LinkedIn last week, they did another investigation, and so far haven't found any evidence. So, basically, they're saying it's a big nothing burger that, while it was probably poor judgment for the current employee to say, "Hey, the FBI is asking about you, it wasn't strictly illegal, and they don't consider it. Yeah, but go ahead.
Corey Nachreiner 5:42
I was just basically going to say, yeah, she kind of did a silly thing.
Marc Laliberte 5:49
Yep, but this isn't where the story ends. So, that former employee, mr. Ben F, made another post just this last Tuesday with some facts, or I guess like stated facts from them. There's no corroboration for it, but they said that the FBI reached out to the Huntress employee to gather intel on Dev Man. The employee immediately forwarded the exact FBI communications to the threat actor, including screenshots of the FBI agent names. She informed Dev Man that law enforcement was actively looking into them, and that they also, the employee refused to cooperate with the FBI. In this case, one thing, important thing to note, I think both of these folks were based in the United Kingdom, so while Huntress is like they're an American company,
Corey Nachreiner 6:33
yeah, these based,
Marc Laliberte 6:35
yeah, these two employees were not, and then they found
Corey Nachreiner 6:39
little detail that they threw out a she there, like kind of adding more wood to the fire of people speculating who the insider might be
Marc Laliberte 6:49
correct, and they followed it up with a comment at the end of it, like replying to their own post explaining why they cared so much about this. They said that before the incident, Dev man was carrying out a campaign of death threats against Ben and his family. There were claims about people being sent to dismember his family. There were even like paid OS intelligence investigations into Ben from this threat actor that he found out about because the threat actor ended up not paying them, and so they went to, like, arbitration on the cyber crime form that he was doing it. So I think my main takeaway from this is it just like sucks for everyone involved. I'm sympathetic to Ben, and I'm also sympathetic to Huntress, that the end result of this, it's not like illegal, it's just sketchy, but I can see why this former employee is really upset, like if I was a security operations analyst and I was working with a threat actor that was now sending death threats to me and my family, and then one of my employees did something that seemed like they were trying to help that threat actor, or at least, like I mean, help, but while maintaining a relationship, I'd be pretty pissed off too, and I can see why they want a
Corey Nachreiner 8:04
company. Yeah, yeah. No, I kind of agree there. To be honest, I don't know if it's.. I mean, it is now publicly aired drama, though. I don't know how it really affects their customers or folks like that. But exactly what you say, I. you know, Ben, I, I, if he is getting threats, that has to be scary, and you would want your company to help you, you know, catch an FBI catch that guy. Yeah, overstating, I don't know if he's overstating. I do think he's getting a little too, like, at the end of the day, I don't think they're mucked up their total investigation with Dev Man, or not still going after the guy, although at this point, Dev Man, I mean, the drama has done nothing but benefit the threat actor, that's kind of the bad thing, is now Dev Man is not the topic, all of this is out in the open, and Dev Man knows not to interact, probably with this team any longer. So, I don't think it really helps in the scheme of things,
Marc Laliberte 9:09
and I don't think that this would cause significant reputational harm to hunters. I don't think it has. I don't think it necessarily puts their clients at risk either. It just seems like, actually, exactly like their CEO, Kyle, said, like there's just poor judgment all around in this from maybe multiple people as well, too. So
Corey Nachreiner 9:30
I do, they should have some sort of punishment. Oh, sorry.
Marc Laliberte 9:36
Oh, go ahead.
Corey Nachreiner 9:36
What was your main takeaway, Mark?
Marc Laliberte 9:38
Main takeaway is that it's drama, but I don't think this is as big of drama, like, to anyone other than Ben. Like, if I was in his shoes, I would still be freaking out about some of the threats he was receiving. So, I am sympathetic.
Corey Nachreiner 9:50
I would like.. if I were.. we don't know the story about why this woman disclosed what she did, you know, but it could have been.. what if they.. what if they were guided by the. FBI to kind of string him along, but for whatever the reason, it doesn't sound like that was the case, and it does sound a little bit like she was protecting him, him being Dev Man. So I do think internally it's like I hope that Huntress is investigating this and taking some sort of action on the poor judgment of what was shared with, with no, it's still up the story to hear the story around why she did that, while it's not here nor there, but they should definitely take action in some way privately on that. But yeah, I agree with you. Poor judgment, a fun drama. We got a little tea with our Morning 443 podcast.
Marc Laliberte 10:38
Yep, and unlike other stories, I feel like this probably is the end of it. There's not a whole lot more to get out of it. That's some good news, though. By the way, like, I guess some silver lining. There was another follow-up comment from this former employee, where they said even though they felt like they weren't getting a lot of support from their, their co-workers and their employer, they were getting support from the United K, United Kingdom law enforcement, where, like, as soon as the threat started, they had immediate support from them. There was, like, protection from them for their family, and so the UK government was taking it very seriously, which is, it's good to hear. I'm glad that they were, like, totally high and dry, but I guess that is, like, a like operational hazard of being in security and working with threat actors is like many times, most times it's probably a bluff from them, but at the same time it's pretty scary for working with hardened criminals that maybe aren't afraid to do really scary, sketchy crap, but anyways moving on to the next story. So, historically, the National Institute of Standards and Technology, or NIST, has been a very active member of the CVE program. Like, if you think back, probably what, five years ago, Corey, maybe a decade ago, it felt like every CVE that would show up on miter.org would also show up in the National Vulnerability Database, which is maintained by NIST. Almost all of them had a CVSS score attached to them, done by NIST, and while they weren't always accurate, because NIST was operating just off of like the title and description from the vulnerability and not intimate knowledge. Yeah, it was at least something, and could help at least somewhat triage if, like, the vendor themselves didn't put a CPSS score on it. But if you haven't noticed, like, the volume of vulnerabilities that are being discovered and disclosed every day is just skyrocketing across the board.
Corey Nachreiner 12:42
Who could have predicted that? I wonder why exactly.
Marc Laliberte 12:46
And it's caused a real problem, like CISA and NIST, like trying to enrich these vulnerabilities and keep providing the service they used to. And so, back in April, NIST even announced they were going to dramatically cut back on the number of CVEs that were receiving enrichment, they were going to prioritize flaws that were under active exploitation or ones that are in products that are used by the federal government, and so saw a post on Dark Reading just the other day where some researchers at another vulnerability management company, Valerian, analyzed all 13,000 CVEs that were published to the National Vulnerability Database since April, since that announcement, and just went over some interesting stats, but then, like, I thought there was some good just discussion points in here too, so, like, of those 13,000 CVEs, 8.3 1000 of them were prioritized by NIST for enrichment, but only 6.7 1000 were actually enriched. But pausing there, six and a half 1000 vulnerabilities in two months is a lot, still, even if it's not all of them, not even half of them, that's still a ton, and pretty impressive in my opinion. But so, of those, I'm curious,
Corey Nachreiner 14:03
by the way, I'm alluding that AI is helping release more vulnerabilities a month, but what we're basically talking about is it sounds like NIST is not able to keep up with enriching data, but why not move to AI? I mean, it seems like an ideal problem to use AI, I'll say, you, we even have a cool project in our SOC where we automate enrichment of incidents with AI. Yeah,
Marc Laliberte 14:30
absolutely, it is extremely powerful, and I, yeah, interesting.
Corey Nachreiner 14:37
I mean, if they're losing folks, anyways, either way, it sounds like they're not keeping up.
Marc Laliberte 14:42
Yep, of those 6.7 1000, or whatever, that are being enriched, only 2.6 1000 of them actually got a CVSS vulnerability severity score for them, and their takeaway. So, the company that did this analysis, I thought. Was worthy of talking about where they said that, like, without a CVSS score from NIST, users are going to have to rely on the certified numbering authorities themselves, which is usually the vendor of the product, but it can sometimes be the person that discovered it, or the at least the organization that coordinated the response, but without NIST as an independent body, you have to rely on either the vendors, which are incentivized to lower the severity or keep it down, or the person that discovered it, who's incentivized to increase the severity for bigger bounty payouts or more clout on the internet, and losing that independent grading is an issue, but like in the second breath, they talked about how even NIST grading was inaccurate in some cases too. They pointed out some disagreements with things like the attack complexity vector, or whether user interaction, or what levels of permissions were required to exploit it. So, even NIST isn't perfect, which makes sense, because NIST is offering operating with just public information and not like source code, but like I thought it's it's worth talking about this issue that we have in the industry right now, speaking as like someone that helps run Watch Guards certified numbering authority process to issue CVEs and grade CVSS, sometimes it feels a bit like an art form, even doing CVSS, versus like a true data-driven thing, just because you're basically distilling what can be a very complex issue down into a couple of very basic like metrics that crank out a zero through 10 score of like the worst case scenario severity, so I'm not like I understand when there's concerns about like inaccuracy in CVSS scoring, but it's not meant to be like a perfectly accurate number grading the true risk of a vulnerability, even not all 10 out of 10s are even the same, so to speak,
Corey Nachreiner 17:01
you might do like you might know better than I, since you tend to go through the flow chart to give it us our vulnerabilities to score, but I feel like the inaccuracies are not that huge either, like I've seen us internally change our scores from a researcher and it goes from like a 9.8 to a 9.3 because of a little detail we thought was important, so I accuracy is important to these, but I feel like if the vendor and or third party is following the flowchart a little, it's close enough to me, a 9.8 or a 9.3 are ultimately the same thing, as far as true impact. I do love, I mean, we're a vendor, we're trying to be transparent with our, you know, usage of CVS and CVS, you know, we, we publish CVS ourselves because we are a CNA or CNE, but, but I think it's nice to have a third party, especially an authoritative like government, hopefully that you trust, checking on all this, so the fact that they're not going to be doing this as much, you know, doesn't necessarily help the industry. I would like to hope that most vendors are doing a good job of this on their own, but you know the whole reason we have third parties is sometimes the vendors don't do it, or sometimes there's negligence. So it does suck to hear that they're going to be participating less or scaling back. There is a whole part of the CVE system that supports like third parties adding enrichment, it doesn't have to just be NIST or CISA, like really anyone as a part of the system can add a their own enrichment to any CBE. It's like an entire like field in the JSON schema for it. So, like, when we publish one, we add our own, where it's the vendor-provided
Marc Laliberte 19:00
one, which in theory, should be the most accurate, as long as they're not biased, which we're not, but like other people could pick up the slack and go enrich them themselves too, like other international enforcement agencies or international authorities could help too, and they're not currently, NIST is still cranking out most of them. Sounds like an AI project for an international global team. I think this is a great application for AI, because the whole program is, it still feels a bit shaky, like we almost lost the CVE services last year when Miter had their funding cut until the literal 11th hour, so there's a genuine risk, like there's some instability in here, and something that's still very important, like having CVE numbers for vulnerabilities is very helpful for us as defenders to have just that common language when. Trying to discuss a specific issue,
Corey Nachreiner 20:02
and it's not just discussing it's automated systems, it's vulnerability management, it's how all of our defenses looking for these flaws, fixing them, tracking that we fix them, pen testing against them, you know, if you have a think of think of malware naming conventions among vendors, no one agrees. You end up with 20 different names for a group or a malware or a nation-state threat actor. CVEs are what make different types of security systems that have to deal with vulnerabilities. However, they do that, you know, whether it's vulnerability assessment or pen testing work. So, I think they're programmatically important too.
Marc Laliberte 20:43
Yep, I agree. So, I think this is an area that we need some more help in, and AI, like you said, is a great application to help with automated enrichment, and it is getting more accurate every single day, too.
Corey Nachreiner 20:56
I, for one, even though I like the United States, I hope still for a while to come, and yay, the forthcoming soon for everybody. I like what your idea. I feel like this should be some sort of international organization to not have any sort of country bias, and so that if one country decides not to focus on the same things because of leadership, we still have some international body that helps run this the way we try to with ICANN and DNS and some other things.
Marc Laliberte 21:27
Yep, and I think Europe is well, they're not trying to create that international one, they are creating a European only one that right now clones CVEs from the US run program into the European vulnerability database,
Corey Nachreiner 21:42
that's good. It's at least international,
Marc Laliberte 21:46
yeah. At least there's a backup in case, uh, Miter drops off the face of the earth next this year. If by losing funding again,
Corey Nachreiner 21:54
Miter is just going to move to another country, they're too good to drop off the face of the earth, but at this point they're probably getting irritated with their, their rich daddy.
Marc Laliberte 22:05
Yes, they're probably getting irritated with their rich daddy. Moving on to the last story for today, so a security researcher named Ian Carroll published an interesting blog post just this last Wednesday describing a vulnerability that he discovered in Front Gate Tickets, which is a subsidiary for Live Nation and Ticketmaster, that handles ticketing and payments for like big festivals, things like Bonnaroo and the Electronic Daisy Carnival in Vegas and Outside Lands, and other EDM festivals are big customers of it, but the notable thing is this is a vulnerability he discovered, or at least like weaponized, largely thanks to Cloud Code and Opus 4.7 I think it was. So he starts by describing like these APIs that are used for both the consumer apps as well as infrastructure at venues, so think like when you buy a ticket, your mobile app is communicating with an API when you go scan the ticket at the event. The scanner is communicating with the API. If someone needs to, like, reissue a ticket or comp a ticket, it's another API endpoint. So he was doing analysis of this to see just look for vulnerabilities and wasn't having a lot of success on the consumer side, but he noticed that when the path contained the word device for his API requests, he was getting a unique error message that the device UID, universal ID parameter, was missing, and so this led him to start investigating, like, what is this device UID parameter, and might I be able to mess with it, and ultimately he found what evidence that there was a potential SQL injection vulnerability in here. Oh no,
Corey Nachreiner 23:47
that can't be true. I've had developers tell me SQL injection is from like the 80s and 90s, that doesn't exist anymore. Their engineers are too smart. SQL injections old, Mark. What are you talking about?
Marc Laliberte 24:00
Yeah, well, sarcasm aside, unfortunately, it's still very much around this one, like he found it, like the evidence of it pretty easily. Basically, found like a device UID of 12345 returned a success message, but a device UID of 12345 and then a single quote on the end caused it to hang, which indicates that it was breaking the SQL requests by just directly inputting that quote, causing quote is like a reserved
Corey Nachreiner 24:28
character in SQL, so right away you know you can do some fun things.
Marc Laliberte 24:33
Yep, so they spent the next bit of time like hammering away trying to actually weaponize the potential SQL injection, but the API has a web application firewall in front of it, and all of his requests were getting filtered out or blocked by that firewall, and they were about to give up, and they decided to throw it at Cloud Code running Opus and see what it could do, and he said it very quickly noticed that the web application firewall was only sanitizing. Like the outer SQL command, and if he nested the actual injection inside there, then it would bypass the WAF and would run on the endpoint. So they found a way to, like,
Corey Nachreiner 25:13
this reminds me of a network fragmentation attack, and I mean, not exactly the same, but it's just splitting something up into pieces, so that you don't see it all together, if you're a security control,
Marc Laliberte 25:24
it's like putting a decoy around what you're actually trying to sneak in, and so the WAF, like, detects and removes the decoy, but allows the actual bad payload inside through into the back system, but so the next step was they needed to find what's called a boolean oracle, basically some way to tell whether their statement was returning true or false, and they could basically use that to extract data, like think of if you had a table with like a password in it in plain text, which hopefully they don't, but imagine they did, you could have a command that says if the first letter of the password is p, then return true. Otherwise, return false. And you could use that to suss out individual characters of the password, and ultimately extract the entire thing based off true and false responses from it. They found was there's a couple tables that they could read and return data out of based off whether their command was true or false, like it literally would return one string of text. I think it was like, if you scroll up just a little bit, the word MC 70 023 if it was true, and then in telex upload if it was false. So that was their upload, or their Oracle, rather, and it would let them query tables in the database to return data, so the final step was, How do I weaponize this into something that actually matters? They went and looked and found different table names in there. They found one that made a really interesting target called reset underscore token. Basically, if you go and reset your password or issue a password reset request. It generates a token and stores it in this database, which the user gets a copy of it from their email when they click that link, validates the token is correct, and then lets them reset their password. They found is they could issue a password reset for an administrator account, scrape it out of the database using their SQL injection attack, and then use that token to take over the account, which got them into the admin portal, which gave them all sorts of access, including like managing inventory and actual events pricing, or they found they could comp tickets, basically issue free tickets for any event that they wanted to in there. Now this is where they stop. They said they didn't actually give themselves free Bonnaroo tickets. Now that they validated the impact of the vulnerability, they reported it to Front Gate. They did note they couldn't find a publicly, like a public security report mailbox, but they just guessed there's probably security at Frontgate tickets.com or whatever, and notably, Frontgate actually fixed it within 24 hours,
Corey Nachreiner 28:07
super fast. Yeah, I like to say they're like super security conscience for good reasons, but I feel like it's more about the greed of, you can't have those cheap tickets being comped to everyone,
Marc Laliberte 28:19
exactly.
Corey Nachreiner 28:20
But I'm being a sarcastic dork, but yes, good job. Front gate, that is a nice response.
Marc Laliberte 28:28
It is a good response. So, while the vulnerability is like interesting, and it's the fun idea to be able to give yourself free tickets for Ticketmaster run events, I think the really interesting thing here is like using Claude for that last mile when you get stuck as a researcher, and it very quickly finding a way to weaponize this vulnerability and turn it into a working proof of concept exploit.
Corey Nachreiner 28:50
Yeah, that's what the Wired article did. I think we first brought us this story focused on, and I don't think it's a surprise to you and I. We've been talking about this, Mark, how AI is going to speed it up, but it's a really good example. I guess it's also a decent example that it's not just AI comply. We think agentic, fully automated attacks can happen too, but we're still in state where you're just having the AI assistant with a human hacker finding flaw, realizing you can't exploit it because of security systems, but using AI to help find bypasses for that, it's just a good example of how AI is going to be hand in hand used, hopefully mostly for the good with things like Glass Wing and Open AI's Daybreak, for us all to help find these flaws as good guys and fix them, but easily, easily can be leveraged for the bad, so good find by this guy, but I now worry about all the criminal threat actors having their little AI buddy helping them out,
Marc Laliberte 29:50
and I worry about it for like smaller or at least less mature companies too, like at Watchgard, we've got a really mature product security team, we are using these. Tools for vulnerability discovery and validation, too, but like we know that researchers and threat actors are using them maliciously, and companies with important software that maybe don't have the resources, like Watch Guard, to participate in these programs and to gain access to the latest and greatest frontier models, like they're going to be a prime target for potentially very damaging vulnerability discoveries and disclosure. I would like to see from, like, the AI labs, maybe some more like philanthropy around that. I know they do some like free credits for like open source projects and stuff like that, but we need to find a way to lift the entire tide of cybersecurity for all organizations.
Corey Nachreiner 30:42
absolutely agree.
Marc Laliberte 30:45
This is absolutely the most exciting time to be in cyber security. If I do say so, it's moving so damn fast, and so many interesting things that I don't know about you, Cory, but I've totally reinvigorated within the last, like, six months, which
Corey Nachreiner 31:05
is, it's someone accountable to keep our company secure. It's, it's definitely exciting, exciting lots of different ways. You and I will not be bored for the next few years.
Marc Laliberte 31:17
No, we will not until we get mr. Claude to just totally replace both of us, and we'll probably get a little bored when we run out of stuff to do as a human. All right, maybe at that point we'll sign up for one of those
Corey Nachreiner 31:31
Lego sets,
Marc Laliberte 31:32
meat bag delivery services
Corey Nachreiner 31:33
building my Lego. Yeah,
Marc Laliberte 31:36
AI can pry my Legos out of my cold dead hands, that's for sure.
Corey Nachreiner 31:40
It's gonna chew your food for you soon. The baby bird, you,
Marc Laliberte 31:46
I do not subscribe to this future
Corey Nachreiner 31:50
robots, baby birdie, and wally people, and fat Wally people in big old floating wheelchairs. Welcome
Marc Laliberte 31:58
No thank you. You just killed my buzz. Thanks, Corey.
Corey Nachreiner 32:03
You're welcome. I'm good at at least one thing.
Marc Laliberte 32:11
Hey everyone, thanks again for listening. As always, if you enjoyed today's episode, don't forget to rate, review, and subscribe. If you have any questions on today's topics or suggestions for future episode topics, please reach out to us. I'm on Blue Sky at its merck.me Corey is at SecondEpt. We're both on LinkedIn. You can probably find us pretty easily, and we're on Instagram at WatchGuard underscore Technologies. Thanks again for listening, and you will hear from us next week.
Corey Nachreiner 32:36
And you're here in the US. Enjoy the Fourth of July, y'all!
Marc Laliberte 32:40
'merica, 'merica.