
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS Stormcast Tuesday, January 20th, 2026: Scans Against LLMs; NTLM Rainbow Table; OOB MSFT Patch
Jan 20, 2026

Attackers are using clever queries to scan and fingerprint exposed LLMs. Mandiant has released rainbow tables for the outdated Net-NTLMv1 protocol to expedite its deprecation. A recent out-of-band update from Microsoft addresses critical issues from the January security patch, affecting multiple Windows versions. Additionally, a new exploit technique involving Google Calendar and Gemini allows for the sneaky exfiltration of future meeting summaries. These insights highlight the ongoing challenges in cybersecurity.
Protect Internal LLMs With Access Controls
- Do not expose internal LLMs to the public without authentication and access controls.
- Require authentication and limit network access to prevent abuse and data leakage from internal models.
Attackers Are Fingerprinting Exposed LLMs
- Attackers are scanning the Internet specifically to find exposed internal large language models using simple queries like "How many states are there in the United States?".
- Exposed LLMs risk unauthorized use, data enumeration, and costly compute bills if left unauthenticated.
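One way to look for this fingerprinting in your own LLM gateway logs, as an added example that is not from the podcast or from SANS. The JSON-lines schema (src, path, auth, prompt) and the sample records are constructed for illustration; only the probe question comes from the summary above.

```python
import json
import re
from collections import defaultdict

# Probe prompts seen in fingerprinting scans. The entry below is the query
# quoted in the episode summary; extend the list from your own telemetry.
PROBE_PROMPTS = ["how many states are there in the united states"]

# Constructed sample gateway log (JSON lines). The field names src, path,
# auth and prompt are a hypothetical schema, not a real product's format.
SAMPLE_LOG = """\
{"src": "203.0.113.7", "path": "/v1/chat/completions", "auth": false, "prompt": "How many states are there in the United States?"}
{"src": "203.0.113.7", "path": "/api/generate", "auth": false, "prompt": "how many  states are there in the united states"}
{"src": "10.0.4.21", "path": "/v1/chat/completions", "auth": true, "prompt": "Summarise the Q3 incident report"}
{"src": "198.51.100.9", "path": "/v1/chat/completions", "auth": true, "prompt": "How many states are there in the United States?"}
not-json garbage line
"""

def normalize(text):
    """Lowercase, drop punctuation, collapse whitespace so trivial variants still match."""
    return re.sub(r"\s+", " ", re.sub(r"[^a-z0-9\s]", "", text.lower())).strip()

def find_probes(log_text):
    """Return {src: {"hits", "unauthenticated", "paths"}} for probe-like requests."""
    findings = defaultdict(lambda: {"hits": 0, "unauthenticated": 0, "paths": set()})
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        if not isinstance(rec, dict):
            continue
        prompt = normalize(str(rec.get("prompt", "")))
        if not any(p in prompt for p in PROBE_PROMPTS):
            continue
        entry = findings[rec.get("src", "unknown")]
        entry["hits"] += 1
        if not rec.get("auth", False):
            entry["unauthenticated"] += 1  # request reached the model endpoint without credentials
        entry["paths"].add(rec.get("path", ""))
    return {src: {**e, "paths": sorted(e["paths"])} for src, e in findings.items()}

if __name__ == "__main__":
    for src, info in find_probes(SAMPLE_LOG).items():
        severity = "EXPOSED" if info["unauthenticated"] else "probe (authenticated)"
        print(f"{src}: {severity} hits={info['hits']} paths={info['paths']}")
```

A source with any unauthenticated hit means the endpoint accepted a request without credentials and should be moved behind authentication and network restrictions.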
Migrate Off Net-NTLMv1 Now
- Move away from Net-NTLMv1 by adopting modern authentication protocols and disabling legacy fallback.
- Use the referenced migration resources and tools to demonstrate vulnerabilities during penetration testing.
