Podcast Summary: Cybersecurity Headlines – Department of Know: Chrome zero-day, exploits, Copilot summarizes confidential emails, Identity abuse problems
Date: February 24, 2026
Guests:
- Montez Fitzpatrick, CISO, Navis
- Peter Gregory, Cybersecurity Author & Expert
Host: Rich Stroffolino
Episode Overview
This episode dives into the latest cybersecurity news and hot topics, featuring expert insights from a CISO and a noted author. Key stories include Chrome’s first zero-day of 2026, AI mishaps in Microsoft Copilot, persistent hardcoded credential flaws, the dominance of identity abuse in attack vectors, and deeper discussions on password manager risks, Anthropic’s security scanning in Claude, and the Texas lawsuit against TP-Link. Throughout, the panel emphasizes the ongoing challenges in balancing new technology with classic security basics.
Key Discussion Points
1. Chrome Zero-Day (Use-After-Free Vulnerability)
[02:08]
- Story: Google issued an emergency patch for Chrome’s first high-severity zero-day of 2026—a use-after-free flaw in CSS handling already being exploited.
- Montez:
- “Little more… use-after-free bugs are just that warm blanket. With the current state of compilers and languages, we’re going to have use-after-free as a potential vulnerability for a long time.” ([02:54])
- Peter:
- “We see this stuff all the time. This is our business. I really don’t like vulnerabilities on browsers because they're controlled by end users, and browser isolation has never looked so good.” ([03:17])
2. Microsoft Copilot Summarizing Confidential Emails
[03:35]
- Story: A code bug caused Microsoft 365 Copilot to summarize confidential emails, highlighting AI governance holes.
- Peter:
- “Know a little more. Microsoft just... keeps fumbling the ball, right? Some AI use cases are just not ready for prime time, and this underscores the need for AI governance.” ([03:58])
- Montez:
- “Absolutely. Know a little more. This is an opportunity for Microsoft to help teach us. There could be some real tangible benefit from a knowledge sharing perspective.” ([04:43])
- Host (Rich):
- “At least another classic example of Microsoft ripping off unwanted features from Apple.”
3. Dell Zero-Day (Hardcoded Credentials in RecoverPoint VM)
[05:21]
- Story: China-linked actors exploited a Dell VM backup product using hardcoded root credentials since at least mid-2024.
- Montez:
- “Definitely want to know a little more. The specter of ‘there’s nothing more permanent than something temporary that works.’” ([06:08])
- Host’s response: “That is beautiful. That is going to the book of Quotes.” ([06:31])
- Peter:
- “Oh, it’s no, a little more. Hardcoded credentials. Really. It’s 2026. OWASP cited this 16 years ago. What an embarrassment on Dell’s part.” ([06:44])
4. Identity Abuse Behind Most Attacks
[07:05]
- Story: Palo Alto Unit 42 found that roughly two-thirds of initial access in 2025 was identity-based, chiefly social engineering and compromised credentials.
- Peter:
- “No, thanks. This is not new news. Traditional authentication has been broken for decades.” ([07:59])
- Montez:
- “Know a little more… we have to get the simple, basic things right. If we don’t get the basic things correct, nothing else matters.” ([09:13])
In-Depth Segment Highlights
Password Managers Under Scrutiny
[12:08–15:39]
- Discussion: Recent research reveals weaknesses in Bitwarden, LastPass, and Dashlane—even with “zero-knowledge” claims—if a provider’s server is compromised.
- Peter:
- “That’s how it’s supposed to work… vulnerabilities identified responsibly, vendors fixed them responsibly.”
- “Password managers are going to be a target for obvious reasons… the bar has to be much higher for software like this.”
- Montez:
- “Obviously probably not [enough scrutiny]. Here we are in the business of keeping secrets… this domain is going to come under fire. Post-quantum cryptanalysis… ‘harvest now, decrypt later’ is pretty scary.”
- “The accessibility versus security slider reigns supreme… potential weaknesses consumers don’t see.”
Anthropic’s Embedded Security Scanning via Claude
[15:39–22:12]
- Story: Claude now scans user codebases for vulnerabilities, raising questions about automated security and immediate market impacts.
- Peter:
- “I don’t think [the market reaction] matters—there’s so much personal money in the stock market. AI is eating the world and disrupting every industry.” ([16:44])
- Montez:
- “Are you telling me we need some AI assistance to help fix the coding issues we created with AI vibe coding?”
- Host & Peter:
- “Reminds me of Microsoft selling security software to protect us from the flaws in their designs.” ([18:27])
- “It’s turtles all the way down.” ([18:50]–[18:52])
- Rich (host):
- “For anything company-facing, you’d still want some policy/contextual review—it’s not revolutionary, but disruptive in workflow integration.”
- Peter:
- “Six months is almost an eternity. Things are moving so fast, we may not remember this by then.” ([21:53]–[22:12])
Texas vs TP-Link – Router Security and Supply Chain Risk
[23:56–26:09]
- Story: The Texas Attorney General is suing TP-Link for marketing insecure routers that could open the door to Chinese state attacks.
- Montez:
- “This is potentially a real problem… consumer supply chain, maybe some cloak and dagger stuff… after Covid, work from home—well played. Two things can be true—TP-Link may not be complicit, but that doesn’t mean the hardware is clean.”
- Peter:
- “This is a hot mess… Not just routers, not just TP-Link—everything with a chip multiplies our attack surface. We can’t expect consumers to know how to patch their routers—legislation and automation are needed.”
- “No grandma ever said, ‘I’ll call you in an hour because I’m patching my router.’”
- Host:
- “I’m an informed consumer and even I don’t know if my router’s out of support. Imagine the average user.”
Notable Quotes & Memorable Moments
- On patching old code:
“There’s nothing more permanent than something temporary that works.” — Montez Fitzpatrick [06:08]
- On Microsoft’s frequent mishaps:
“It seems like they just keep fumbling the ball… some AI use cases are just not ready for prime time.” — Peter Gregory [03:58]
- On hardcoded credentials in 2026:
“OWASP cited this as a poor practice 16 years ago. What an embarrassment on Dell’s part.” — Peter Gregory [06:44]
- On the “AI turtles” problem:
“It’s turtles all the way down.” — Peter Gregory [18:50]
- On persistent basics:
“Do the simple, unsexy thing. Get the simple, unsexy stuff right.” — Montez Fitzpatrick [28:35]
- On consumers patching routers:
“No grandma ever said, ‘I can call you in an hour because I’m patching my router today.’” — Peter Gregory [25:53]
Advice & Parting Thoughts
Montez Fitzpatrick
[28:35]
“Do the unsexy thing. Do the simple thing. Get the simple unsexy stuff right.”
Peter Gregory
[28:59]
“If I was still managing risk, I’d be watching closely for state-sponsored cyber attacks… and have another look at your identity and access management—policies, processes, controls—because they matter more than ever.”
Timestamps for Key Segments
- Chrome zero-day: [02:08]
- Copilot summarizing confidential emails: [03:35]
- Dell zero-day/hardcoded credentials: [05:21]
- Identity attack report: [07:05]
- Password manager risks: [12:08]
- Anthropic/Claude security scanning: [15:39]
- TP-Link lawsuit and supply chain risk: [23:56]
- Advicebot / closing advice: [28:35]
Useful for Listeners Who Missed the Episode
This episode keeps a sharp, occasionally humorous tone, balancing frustration with technology’s persistent failures and a clear-eyed view of why basic security hygiene still matters. The guests reinforce that while attacks and tech change rapidly, the fundamentals—patching, proper identity management, and transparent governance—remain as important and as neglected as ever.
