Cyber Security Headlines: Department of Know – Episode Summary
Date: November 10, 2025
Podcast: Cyber Security Headlines
Host: Rich Stroffolino
Guests: Jacob Combs (CISO, Tandem Diabetes Care), Ross Young (Co-host, CISO Tradecraft)
Episode Overview
This episode of “Department of Know” kicks off the week for cybersecurity professionals with a strategic roundtable on trending security issues. Host Rich Stroffolino welcomes Jacob Combs and Ross Young to discuss major cybercrime stories, emerging attack vectors, persistent password woes, and the ever-complicated challenge of securing operational technology (OT). The theme this week is “collaboration”—for better and for worse—including how cybercriminals are joining forces and what defenders can learn from it.
Key Discussion Points & Insights
1. The Monday Mindset: Security Leaders’ Priorities
- Jacob Combs (02:41): Focused on Identity and Access Management (IAM), emphasizing not just technology but process, discipline, and overall security hygiene.
- Quote: “It’s really identity access management, not just technology, but also process and discipline and everything around it.”
- Ross Young (03:12): Concentrating on cost-effectiveness and the lessons of cloud adoption, warning of potentially costly misconfigurations as organizations rush into AI adoption.
- Quote: “What are the misconfigurations we're going to be making in AI right now that are going to cost our business thousands to millions of dollars?”
2. Segment: “Know or No?” – Rapid Takes on Recent Headlines
a. Organized Crime: Cyber Crooks Stealing Physical Cargo (04:25)
- The story: Cybercriminals team up with organized crime to hijack cargo using compromised logistics systems.
- Combs (04:49): Need to know more—cyber is moving into the physical world with multi-step, sophisticated attacks.
- Young (05:14): No thanks—likens it to “porch pirates” and would deal with it via insurance, not a unique concern.
- Memorable Moment (05:36, Stroffolino): “Business logic, unassailable thing to target if you’re a threat actor.”
b. Windows GDI Flaws: Remote Code Execution (06:32)
- The story: Three newly patched flaws in Windows GDI could enable remote execution via image files.
- Young (07:01): No thanks—“super in the weeds,” not an executive concern.
- Combs (07:24): Yes, for technical teams—highlighted the importance of monitoring EMF file usage.
c. Cybercrime Collaboration: Scattered Spider, Lapsus$, ShinyHunters Merge (07:48)
- The story: Three major cybercrime groups unite as ‘Scattered Lapsus$ Hunters’ for more powerful extortion operations.
- Combs (08:43): No thanks—just “another day at the office” for defenders.
- Young (09:07): Wants to know more—sees potential risk in the technical convergence of notorious groups.
- Quote (09:07, Young): “Look at these ransomware groups… their skillset is going to get really, really good and pivot in some new ways that we haven’t seen.”
d. Staff Cuts Cripple Federal Cybersecurity (09:39)
- The story: Federal Reserve finds Consumer Financial Protection Bureau’s security downgraded due to layoffs and old systems.
- Young (10:52): No thanks—expected outcome due to underfunding and attrition in government.
- Combs (11:30): Agrees; notes it's par for the course but hopes modernization efforts help.
e. “Louvre” Used as Louvre’s Video Security Password (11:53)
- The story: The Louvre’s CCTV password was literally “Louvre”; security software was 20+ years old.
- Combs (12:44): No thanks—“table stakes” failure but criticized culture of resignation.
- Producer Steve Prentice (13:14): Adds physical aspect—attackers blatantly posed as construction workers.
- Quote: “They just drove up there and walked straight out.”
- Young (14:00): Wants to know more—interested in negligence implications for insurance and whether issue persists.
3. Deep Dives
a. SleepyDuck Malware: Command Infrastructure via Ethereum (15:37)
- The story: Malicious Visual Studio extension (“SleepyDuck”) installs RATs and leverages Ethereum smart contracts to update command-and-control addresses, evading takedowns.
- Combs (16:50): Fascinated by the targeting of developers, the novel C2 via crypto, and the detection challenges.
- Quote: “The developers are the target...and that's the exact target they use for this. … A novel and very clever, frankly, establishment of dynamic configuration for an application…”
- Young (18:08): Paralleled it with mobile apps—dynamic code updates are hard to detect, and Ethereum makes takedown nearly impossible.
- Quote: “When the whole design of these distributed systems … can’t be controlled, what a brilliant technique for this malware...this is the start of what we will see a lot more.”
- How to Use This Story:
- Combs (19:32): Advocates positive but realistic communication with developers: “You don’t want to be the source of a breach.… Let’s make sure what tools you want to use are safe.”
- Young (20:56): Allowlist concepts for developers may be necessary; it is critical to control what tools devs can install, especially in sensitive sectors.
b. Passwords: Still Awful in 2025 (21:45)
- The story: Eight of the top ten passwords are “123456” variants; others include “password,” “admin,” and “Minecraft.”
- Young (22:43): User training simply is not working; organizations must default to controls like emailed login links or biometrics.
- Quote: “We're going to use the biometric on your phone as a second factor because if we just trust grandma or Bobby the intern… they’re going to do what's most convenient for them.”
- Combs (23:36): Optimistic about technology shifting away from passwords; the password dilemma is psychological, as users always trade security for convenience.
c. Operational Technology (OT): A Persistent Security Quagmire (24:24)
- The story: OT security in manufacturing hamstrung by old systems, resistance to upgrading, integration with new tech.
- Combs (25:50): A “Gordian knot”—difficult to fix because manufacturing is resistant to downtime and spends little on cyber, yet the consequences of attacks can be existential.
- Young (26:38): “Manufacturing just doesn't spend the money in cyber… probably the only thing that's going to change this is massive ransomware attacks.” Litigation might be the only real motivator.
- Quote (26:38, Young): “They don't have the same level of oversight… Probably the only thing that’s going to change this is the massive ransomware attacks stopping production…”
- On network pivoting (29:33):
- Combs: Attacks generally move OT-to-IT because OT is the weaker point, but usually some bridge exists.
Notable Quotes & Memorable Moments
- On business logic attacks: “Business logic, unassailable thing to target if you're a threat actor.” – Stroffolino, 05:36
- On cybercrime collaboration: “Their skill set is going to get really, really good and pivot in some new ways that we haven’t seen.” – Young, 09:07
- On SleepyDuck’s Ethereum trick: “A novel and very clever...establishment of dynamic configuration for an application makes it very, very hard to detect.” – Combs, 16:50
- On password futility: “After no small amount of user awareness training, education, it's not working. It just clearly isn't working.” – Young, 22:43
- On manufacturing’s security resistance: “They don't have the same level of oversight which means nobody's asking them to have good cybersecurity so they can kind of sweep it under the rug.” – Young, 26:38
Timestamps for Important Segments
- 00:00 – Episode intro and guest welcomes
- 02:41 – Security leader focus (IAM, cost-effectiveness, and AI risk)
- 04:25 – Organized crime steals cargo via cyber-physical attacks
- 06:32 – Windows GDI flaws and RCE risk
- 07:48 – Big ransomware groups merge (“Scattered Lapsus$ Hunters”)
- 09:39 – Federal agency security gets worse after staff cuts
- 11:53 – Louvre’s bad password and physical security farce
- 15:37 – Deep Dive: SleepyDuck malware, Ethereum-powered C2
- 21:45 – Segment: Passwords—Still as bad as a decade ago
- 24:24 – Segment: The OT security conundrum in manufacturing
- 29:33 – Q&A: OT–IT attack pivots
- 30:41 – Final thoughts and face-palms of the week
Episode Flow & Tone
- Friendly, humorous, and slightly irreverent—panelists are candid about challenges (“table stakes,” “another Tuesday” in cybercrime) and practical about limitations.
- Balance of technical depth and executive-level clarity; accessible even for lay listeners.
- Real-time audience interaction energizes discussion.
Summary for Non-Listeners
This episode spotlights how both defenders and attackers are banding together, with a focus on the latest tactics threatening organizations. SleepyDuck’s Ethereum-enabled resilience, timelessly terrible password practices, escalating threats to industrial infrastructure, and the ever-present risk/reward balance in security programs are discussed. The hosts and guests emphasize actionable insights, real-world limitations, and the importance of moving from reactive to resilient security postures—delivered in a way that’s as fun as it is thought-provoking.
