B (2:54)

little more use after Free bugs are just that warm blanket. And I think with the current state of the compilers and languages there, we're going to have use after Free as a potential vulnerability for a long time to come.

A (3:08)

Peter, what about you? Are you double clicking on this story? Are you going deep on the details here? Okay, I got the idea here. I installed the patch.

C (3:17)

I've got it. We see this stuff all the time. This is our business on this one. I really don't like vulnerabilities on browsers because they're controlled by end users and browser isolation has never looked so good.

A (3:35)

All right, next up here. Copilot summarizes confidential emails. A code bug in Microsoft 365 copilot caused the AI to summarize emails marked confidential since late January. Microsoft says this was a code error and began rolling out a fix earlier this month. Code errors and AI applications Do we file this under Know a little more or no? Thank you. What about you, Peter?

C (3:58)

Know a little more. Boy, Microsoft just. It seems like they just keep fumbling the ball, right? Are they really messing up this often or are they just the company that we love to hate these days? You know, at any rate, you know, some AI use cases are just not ready for prime time, and this underscores the need for AI governance so that organizations have a much clearer idea of what they're getting into so that they can get to the outcomes they want.

A (4:32)

I just want to say, as a former Linux hippie, it's never been a bad time to hate Microsoft. So I just want to rebut that there was ever a time that's not cool to do that. But Montes, for you. Do you want to know a little more about this or is it.

B (4:43)

No, thanks for you absolutely. Know a little more. The Microsoft, and I quote, they said that, you know, Microsoft has since confirmed an unspecified code error is responsible. I would like a a little more information. I think this would be an opportunity for the great empire of Microsoft to help teach us. So what was the issue? Is it a Grounding issue. Is it something else? Like there could be some real tangible benefit from a knowledge sharing perspective that could really help out security teams on wherever they are on their AI spectrum.

A (5:21)

I do want to shout out though that Apple was really leading the industry here of unhelpfully summarizing all of my emails with Siri. So at least another classic example. Microsoft ripping off unwanted features from Apple. So very classic there. Next up here, threat actor exploits Dell zero day. Researchers at Mandy and Google say a suspected China linked threat group has been exploiting a critical zero day in Dell recover point for virtual machines. Catchy name since it lit since at least mid 2024, which if you check your calendars is a while ago. The hard coded credential flaw allows unauthenticated attackers to gain root level access, move laterally, maintain persistence and deploy malware. AKA yeesh. I'm curious, what are your thoughts about hard coded credential flaws? Montes, do you want to know a little more or. No thanks.

B (6:08)

Definitely want to know a little more. And, and can I say oops on this one. Code auditing issues maybe. You know there's a. The often quoted by me is the. You know this. You know we are bitten by the specter of there's nothing more permanent than something temporary that works and

A (6:31)

that is beautiful. Oh I. That. That is going to the book of Quotes. That is. That is lovely. That is absolutely lovely. Peter, what about you? You need to know a little more about this or is it. No thanks for you.

C (6:44)

Oh, it's no. A little more hard coded credentials. Really. It's 2026. OWASP cited this as a poor practice 16 years ago. What an embarrassment on Dell's part. I hope for their sake that at least if this is really old code. But it may not be.

A (7:05)

That's. That's almost what it has to be, right? I mean like, you know, I mean some version of. I'm sure it's Dell. I'm sure there's been some version of recover point for, you know, 20 years or something like that, you know, so. But which is also terrifying. We've only discovered it since mid-2024, but it's bad in a different way. But yeah, that was kind of where my mind was at too here Peter. All right, next up here and our last one for nowhere. No identity abuse behind most attacks. Palo Alto's Unit 42 found that identity based techniques were behind roughly two thirds of all initial network access in 2025. Social engineering was the most common method. But compromised credentials poor Identity policies, insider threats, and good old brute force attacks were all in the mix as well. Nothing new to this story except for the fact that it's still happening. I need to know, Peter, for you, does this qualify as no, a little more or no thank you for you?

C (7:59)

No, thanks. This is not new news. I mean, traditional authentication has been broken for decades, and this is just the latest example. We know what we need to do.

A (8:11)

I'm curious, when you see reports like this, are these kind of reports useful for getting buy in for identity? If your organization you don't feel like is taking this seriously enough, are these reports good for getting, like, business buy in or are these just, hey, it turns out Palo Alto is selling some stuff. You know, like, is, is this marketing for them? Admittedly, unit 42 is a legitimate security researcher. Not besmirching their, their efforts here. Like, how do you read that?

C (8:40)

Oh, I, I think that it's, it's helpful. Again, this is getting down to basics and identity and access management. I mean, organizations really need to step up their game, especially with everybody going to the cloud and, you know, we don't have those traditional perimeter defenses anymore, and organizations are in some cases have not caught up to that mindset.

A (9:09)

Montez, for you. Is this no a little more or no thanks for you?

B (9:13)

At risk of, you know, breaking our agreement streak there, I, I have to say, know a little more on this one.

A (9:18)

Okay.

B (9:20)

For one, one reason only. And I, and I think our reasons are actually probably the same. And I think that this really illustrates that we have to get the simple, basic things right and we have to be reminded every now and again that if we don't get the simple, basic things correct, then really nothing else matters. So what is the point behind having, you know, you know, several million dollars worth of security tooling that, that if I can ask one of your employees what their username and password is and they give it to me, you know, we have to, you know, again, like I said, so if we don't get it right, if we don't get this right, the rest of it sort of doesn't matter.

A (10:06)

So, yeah, it's a confirmation that the basics still matter and also are still hard for many organizations or hard to. To live up to for. For a lot of organizations. So I y. Two sides of the same coin there. I kind of, I kind of like that. I kind of like that. All right, before we move on to our larger discussions of the day, have to spend a few moments and thank our sponsor for today, Adaptive Security. This episode is Brought to you by Adaptive Security, the first security awareness platform built to stop AI powered social engineering. AI is changing phishing because persuasion now scales like code and it's not just email anymore. Attackers hit SMS voice calls and multi step scams that jump channels. Adaptive runs AI powered phishing simulations across email, SMS and voice, including OSINT based SPEAR phishing and BEC style scenarios so employees practice what attacks look like. Learn more@adaptivesecurity.com all right, let's dig in here. One of the big ones here compromised password managers. This definitely got a lot of attention this week. Researchers in Europe found multiple weaknesses in Bitwarden, LastPass and Dashlane that could expose passwords in if the services servers were compromised. Like physically. Those machines were compromised despite their zero knowledge claims. the heart of this is their use of a malicious server model which led to a password disclosure or vault changes. The researchers said legacy cryptography and unclear threat models contributed to the issues. This appears to be an area of encryption that's either not fully understood, not well implemented here. The fact that all three companies thanked the researchers rather than refuting them I guess certainly lend some credence to the claims here. I'm curious, what are your thoughts Peter, when you saw this, is this working like how it's supposed to? Right? Like hey, security research, like security research, founder vulnerability companies responded, that's not a bad thing overall, right?

C (12:08)

That's how it's supposed to work, Rich. And as you say, if they responded and you know, the vulnerabilities were identified responsibly, the vendors fixed them responsibly. I mean that's how this is all supposed to work. But stepping back a little bit, we also have to realize that password managers are going to be a target for obvious reasons. Right. I've used them for years, but the risks are much higher. So the bar has to be much higher for software like this.

A (12:44)

Montes, for you, are we giving enough scrutiny to password managers? You know I'm thinking of other like consumer level technology that's accessible to consumers. Right? Like end to end encrypted messaging. Right. There is no end of audits that have been done to say like oh like signal and telegram or you know, choose service. Here's how they, here's how they're doing with encryption. I don't hear that same type of scrutiny with password managers. It seems to be they're all pretty good. Ish. Better than just writing down passwords or better than using one pass like one password all the time. Not the service 1Password, but Montez for you, Are we giving this enough scrutiny?

B (13:18)

Wow, that's a good, that's a great question. You know, I. Obviously probably not since you, you know, with the open of this, you know, we're talking about a, an avenue that's potentially little understood when the, in the whole world here we are, you know, in the business of, of keeping secrets, right. And I think that our, this particular domain of how we keep our secrets is going to come under fire, right? So, you know, you have the, you, the whole looming threat of post quantum cryptanalysis, right, which is the, you know, harvest now and decrypt later, which is pretty scary, right? And then, you know, so just like the, you know, the often misquoted, you know, Abraham Lincoln, right? It's not me who can't keep a secret, it's the people I tell. They can't. So there you go.

A (14:12)

It was interesting. I think it was the register I was reading this on and they were kind of talking about like a lot of the password manager. I know LastPass got in trouble with this a number of times where they're trying to service very legacy customers, right? And they don't want to be like, hey, you have to change your password. You know, you signed up in 2009 or whatever, you had a 8 figure 8 character password. And, or, you know, we don't want to transfer your vault because we don't want to risk you losing access to all of your passwords. And so there's a lot of. I was surprised at the idea of something like a password manager having to manage their own technical debt, not just from their servers, but just on the whole architecture and stuff like that. Like, that was something that I never even considered as a, you know, that's a consumer problem, right? They don't want to upset their consumers, so they're making compromises to kind of their core value in some way. I was very surprised by that.

B (15:03)

You know, that's, I think maybe this hearkens back to that this hasn't, you know, the accessibility versus security slider has been, you know, still reign supreme there. It remains unbroken as a, as a, you know, theoretical, you know, concept there. And you know, we've been able to share passwords and you know, escrow to be able to do key sharing and, and whatever backdoors that Rich entices these organizations to put in for him is, you know, you know, those are faults there that they have to contend with and weakness, potential weaknesses there.

A (15:39)

All right, next story here, another one that was getting a ton of run in the last couple of days, Anthropic announces embedded security scanning for Claude. This new feature can scan a user's software, code bases for vulnerabilities, and suggest patching solutions. It has seen a year of internal stress testing conducted by the company and an outside vendor. Anthropic says that as Vibe coding becomes more widespread, the demand for automated vulnerability scanning will exceed the capacity of manual security reviews. This is my shocked face for that disclosure. But in addition to this being possibly a new frontier in security scanning, it had the additional effect of sideswiping the stock market, at least for a little while here with cybersecurity stocks of CrowdStrike, Okta Cloudflare going down by up to double digits on this news here. That's an issue in itself. Maybe a little bit outside our purview here, but, Peter, from your perspective, pretty big news. Anthropic and Claude rolling this out. Should we read anything to the market reaction immediately from this?

C (16:44)

I don't think so, Rich. We gotta remember that there's so much personal money in the stock market that it. It doesn't always make sense to pay attention to one day's ups or downs because we don't know whether those are wise, educated, informed institutional investors or if it's E traders and so forth reacting emotionally to things because the two kinds of reactions are vastly different. But on the development itself, I'd say that the security vendor field is highly dynamic. AI is eating the world and disrupting virtually every industry. And this is just all part of that disruption. You know, the ripples in the pond that are crisscrossing and looking chaotic. Because it is chaotic.

A (17:37)

Montes, for you, are you like, I feel like this news is not surprising, right? Like, Claude is so popular and so dynamic because it's been so integrated into software development. This seems, I don't know, just like a fairly natural extension. Admittedly, they've been testing it for a year, right? Like I. Are you surprised that they rolled up this capability? Or more surprised at how people are reacting to it?

B (18:02)

I'll tell you, Rich, are you telling me that we perhaps need some AI assistance to help fix the coding issues that we created with by using AI Vibe coding.

A (18:15)

Wait a minute. Are you saying an AI company wants to sell you an AI solution to a problem that their AI caused?

B (18:23)

I mean, I would have never saw that coming.

C (18:27)

Reminds me of Microsoft selling security software, right, to protect us from the flaws in their designs.

A (18:37)

I am always skeptical when I see the AI turtles. I call it AI Turtle stacking, right? Because at some Point you don't see, see where it started. And it's just we need the AI to do the AI thing to defeat the AI thing, right. At, at, at some level, Rich, you

C (18:50)

know, it's turtles all the way down. Right?

A (18:52)

That's what I'm saying. Yeah. At some. We are, we are approaching where we can no longer see turtles. Is what, the start of turtles. We like two years ago we saw the floor and we're like, you know what could use some turtles? Let's, let's build them up here.

B (19:05)

I will say one thing that especially when I was looking at, when I look at old code or something that I've, I've put together as I, you know, have a, a ton of projects and absolutely dearth of things that I've started with the best of intentions but never finished. But sometimes I go back and, and, and take a look at some of that old stuff and like, oh, this is when I was actually trying to be clever. I have no idea what I was doing here. But you know, and I think that's potentially where we could get here. Especially with the vibe coding there. There's a, a lot of clever things that could be happening and just, maybe people just don't understand because it's, for what it's worth, it is an order back that's more difficult to read code than it is to write it.

A (19:44)

So, and I would say the, where I see this being disruptive is it's. Right, it's all in one interface, right? Like it's the thing that you were doing the vibe coding with can now do that. Right? Like again, I would, I would hope that that would be built into if you're, if you're using this or you know, if you want to call them citizen developers, right. If we're rolling this kind of code creation into a more formalized process, right, Hope that there was some kind of, whether it's LLM enhanced or human review of what's being put out there already kind of rolled into that process. But yeah, the fact that you can kind of do it all in one interface still though, like, for anything that's going to be company facing, you would still think you'd want some company policy, informed approach to the scanning right, to understand risk posture, to understand where it's falling within your wider infrastructure context, right? Like, I mean, we all know not all CVEs are created equal, not all bugs are created equal, right? So to me, this doesn't necessarily by itself answer that context question, which based on everything I've talked to security leaders about that is all we want to talk about, right, Is how can this actually help me in my context, not what is this cool capability? How does this actually help me? This doesn't necessarily answer that. It helps with some stuff, but to me it's not, it doesn't seem as, I don't know, as revolutionary, I guess. But we will see how that plays out long term. My question is, will this still seem like a big deal in six months on this or does everybody just, just kind of roll with this after that point?

B (21:27)

I'd be very curious with what Peter has to say, but I think that I agree with Peter. Everything that you said, Rich. I, you know, couldn't say it better myself. But then I would wonder with that, right? So how do you juxtapose that against, you know, the business? Who wants to move fast, right. Who feels that we need to iterate or die or, you know, and, and so what do you do? I mean never towards

C (21:53)

as fast as things are moving. I, I think that six months is, is almost an eternity. So many things that are other disruptive things between now and then are probably going to be even more disruptive and we won't even remember this in six months.

A (22:12)

That's the crazy thing about this whole era is it's like you look at the timeline of computing of, oh, we went from hardness to SSDs or something where there's years between stuff and it's like days. It feels like, it's like quarter to quarter. It feels like a seismic shift with some of the capabilities that we're kind of coming across. So it is a fascinating time for sure, Rich.

C (22:37)

And when you said, you know, how are we going to think about this in six months? I mean, you know, our opinions might change by Friday.

B (22:43)

That's right. And speaking of the iterations process there, which I, a company I advise on, they are, when they're doing their programming, they're talking about like Sprint Windows. They have basically daily Sprint Windows, which blew my mind.

A (23:01)

CCL in our chat points out, or we could just all go to mass hysteria. And I am also not holding out that as a possibility. So thank you, thank you CCL for always, always keeping us grounded in human behavior there. All right, next up here, Texas sues TP Link over router hack. Texas Attorney General Ken Paxton sued TP Link Systems alleging it deceptively markets its products as secure while allowing vulnerabilities that Chinese state sponsored hackers have exploited. The Lawsuit cites a 2023 report linking TP link firmware flaws to activity by the Camaro Dragon hacking group and argues because many components are sourced from China, the company could be subject to Chinese intelligence laws requiring cooperation with state authorities. TP Link, shockingly, has denied the allegations. Montes, I'm curious from your perspective, where on the spectrum of technology problem to security theater does this fall for you?

B (23:56)

I think it's awesome, you know, that this is, this is potentially, potentially a real problem there, right? This is, you know, consumer supply chain, maybe like some cloak and dagger stuff that's really beyond my, you know, horizon to see. But, you know, tinfoil hat, which I should have made one, but if true, right? You know, in this post Covid work from home kind of world that we're in, it's well played. I mean, just like, you know, two things could be true. So like the good folks at TP Link Systems, you know, you know, they're not in direct cahoots with, you know, Chinese intelligence. However, you know, it doesn't mean that Chinese intelligence isn't embedding little back doors and little extra, you know, features into the hardware that they get, so.

C (24:42)

Features?

A (24:45)

Yeah, I mean, remote access is a feature, right? It's just depending who you're giving it to. Peter, where are you? Where does the story fall for you?

C (24:54)

I'm deeply interested in this and being passionate about cyber security for, you know, individuals and, and companies. This, this is a hot mess. It's a hot mess. And it's not just TP Link and it's not just routers. It's everything with a chip in it that we have in our house that, that multiplies our attack surface and is managed by people who don't know what cybersecurity is and they shouldn't have to know what cybersecurity is. And yet we push smart appliances and smart coffee makers and smart cars and smartphones and smart everything out to consumers and they add to the attack surface and they get exploited. And I think that there is a solution out there. I think it's going to have to be legislated. It's going to need to be automated because we can't expect consumers to step up. And can you see grandma going? Well, I can call you in an hour because I'm patching my router today instead. No grandma ever, right?

A (26:09)

If your grandma has said that also. Feedbackisoseares.com I want to know. We want to give some shout outs to some grandmas or grandpas that are updating their routers. I just full, full credit here. But yes, Peter, I strongly Suspect you are accurate there. Well, and we've seen some to kind of pull back broader onto kind of this more consumer space, IoT space. We've seen some attempts at doing some labeling laws of at point of purchase, knowing that, hey, this is good for five years of software updates and that kind of stuff. But even, even that I don't think helps. I mean, I don't know if my router is currently out of support. Like, I have no idea, you know. No, I mean, I do check probably once a year if there's a, you know, when something breaks on my network or my kids unplug it. And then I have to go, okay, I have to go plug it back in. I'll just log back in and see if there's an update. But I would like to think I'm an informed consumer and I don't do that on the regular. So I can't imagine. Yeah, that is happening. And again, that's just purely old software. That's let alone issues of nation states possibly having backdoors and stuff like that. So I am interested to see where the discovery goes on this. If there's any dirty laundry, let's see this out in. Texas is not the first state to do this. Certainly we've seen similar legislation in other countries as well. So I like to think that this is not optics of us says China bad. You're not making anything radical there with that statement, but these are 100% legitimate issues. So I'm glad both of you were kind of highlighting those. So I am interested to see what we find out after that point. That brings us just about to the end of the show. Before we get out of here, we got to move on to my favorite segment of the show. Well, something we like to call Advicebot Montes Fitzpatrick. Based on our conversations today, a lot of heady things, a lot of AI identity, lots of big concepts out there, IoT security, so many Gordian knots, not enough swords to swing at them. What piece of advice would you like to share with our audience? Just kind of based on our conversation today. Anything that strikes you, there is a

B (28:35)

lot of sexy stuff out there right now, you know, but do the unsexy thing. Do the simple thing. Get the simple unsexy stuff right. That would be. If anything that I could share, that'd be it.

A (28:52)

I like that. I like that. Peter, what about for you? Any. Any parting advice for our audience?

C (28:59)

Yeah. Yeah, Rich, if I was still managing risk in telecom and I retired from cybersecurity leadership a year ago, but If I was still managing Risk, I'd be right now this week I'd be watching really closely for state sponsored cyber attacks, given that the US Is likely going to be at war with a certain Middle east country any time now, perhaps even as we speak. And then on top of that, I'd also say have another look at your identity and access management, governance, policies, processes, controls, because they matter more than ever.

A (29:41)

Well, thank you both so much for making the time. I know you're both busy fellows, so making the time for being on the show today. Montes Fitzpatrick, this is over at Navis and Peter Gregory, bestselling author, cybersecurity expert. We'll have links to both of their LinkedIn profiles in our show notes. But Peter, what else do you have going on? Anything, anything new in the works there?

C (30:06)

Well, let's see, Rich, I just recently released my my book on AI governance from It's a Cybex book through John Wiley and I'm in final proofing on two other books right now. I've just been a writing machine for for the past couple of years, so a couple other titles coming out. Watch for it on Amazon or where wherever books are sold.

A (30:30)

Fantastic. We'll have some links to that in our show notes as well. And a big thank you to our sponsor for today, Adaptive Security Protect your company from deepfake powered phishing. Remember, you can send us feedback at any time. Feedbackisoseries.com Remember to join us again next Monday, 4pm Eastern for another edition of the Department of Know. To register for the live show on YouTube, just go to the department CISO series or go to CISO series.com and click on events. Don't go to the CISO series.com I have no idea where that takes you and I don't trust it. Please don't buy that URL. Thanks you so much for joining this Monday. Stand up. Hope you learned something. Hope you took something home that you can bring to your teams. Maybe start a conversation about some of the news of the week. Hope you have a great week. Stay secure out there. And for myself, for our glorious producer Steve Prentice, for the big boss man David Spark and the rest of the CISO Series team, here's wishing you and yours to have a super sparkly day. Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.