Cyber Security Headlines – Department of Know

Episode Summary: Prompt Injection Problems, California Browser Law, Hacklore's Security Myths

Date: December 2, 2025
Host: Rich Rafalino
Guests:

• Matthew Bybee, Director of Cybersecurity, Tickstracs
• Derek Fisher, Director of Cyber Defense and Information Assurance Program, Temple University

Overview

This episode of the Department of Know tackles some of the latest cybersecurity stories impacting organizations and practitioners. Topics included high-profile vulnerabilities in cloud infrastructure components, emerging AI security risks (especially around prompt injection and generative AI misuse), shifts in user authentication requirements, efforts to debunk common security myths, and the specific challenges associated with mergers and acquisitions. The dialogue maintains a pragmatic, slightly wry tone, emphasizing the importance of evidence-based security actions and clear communication.

Episode Timed Highlights & Key Insights

1. Opening Priorities: Wrapping Up the Year and Preparing Students

• Matthew Bybee (00:19):
  Emphasizes finishing yearly projects and compliance initiatives, which are particularly important during “the holidays and audit seasons.”

• Derek Fisher (01:11):
  Focused on grading and preparing students for rapidly shifting roles within cybersecurity:

  “We're seeing a lot of changes and upheaval in cybersecurity. So it's really trying to help get these students prepared and out there in the field and hopefully making a difference.”

2. No or Know: Which Headlines Should Security Pros Care About?

a. Fluent Bit Vulnerabilities Open Cloud Disruption

• Fluent Bit is a widely used open-source log collector.
• Five vulnerabilities (authentication bypass, path traversal, RCE, DoS, tag manipulation), some over 8 years old.
  • Matthew Bybee (03:24):

    "It's close to my heart... The platform is used quite extensively... open-source, used pretty much by most of the cloud providers... I definitely would want to know a little bit more about it."

  • Derek Fisher (04:01):

    “There’s a stew of, you know, what we all deal with on a regular basis in cybersecurity. I think definitely need to know a little bit more about this.”

b. Hash Jackattack: AI Browser Prompt Injection

• New vector: malicious instructions after URL hash bypass client/server separation; AI browser assistants read these fragments.
  • Derek Fisher (05:37):

    "I think this is just the tip of the iceberg. We're gonna see a lot more of this.”

  • Matthew Bybee (06:09):

    “It points out something that's old, right—sanitization of inputs and outputs... But because of the proliferation and use of AI, this is definitely something that would be on my radar.”

c. Anthropic’s Claude Targeted by Espionage

• Issue: Nation-state actors using Claude AI for espionage.
• Testifying: CEO called before Congressional committee.
  • Derek Fisher (09:02):

    “We’ve known that attackers have been trying to use AI and AI systems to try to accelerate their attacks. Just because this is a nation state, I don’t think it really makes it any different... Anthropic being able to disclose this and get ahead of it is good.”

  • Matthew Bybee (09:57):

    “I'm cautiously optimistic that maybe... this will... help shape or bring some additional priority as a nation around the things that we need to do to elevate the conversation around how we secure these types of platforms.”

d. FIDO2 Security Keys and PIN Requirement

• Microsoft changed sign-in flow: Post-update, users may be prompted for a security key PIN, even if not previously required. Complies with new authentication standards.
  • Matthew Bybee (12:31):

    “There's just basic end-user issues that this is going to create... I would want to know a little bit more so I would be able to communicate throughout the organization how many phone calls or tickets this may generate.”

  • Derek Fisher (13:06):

    “Security always has to fight against features and usability and this is an example of that... Now you're switching it [security model] and now you're creating a usability issue.”

e. Prompt Injections & OpenAI’s Atlas Browser

• Concern: Agentic AI (autonomous tools) elevates prompt injection risks, possible data exfiltration, code execution, agent network compromise.
  • Derek Fisher (15:14):

    “It's the same topic that we've been talking about... we're giving these tools to people that don't really have the guardrails around it that are necessary to use it efficiently and safely.”

  • Matthew Bybee (16:00):

    “These days, these things are just happening so fast... which ones are the most concerning, which are the ones that may have an impact, a direct impact to our business?”

Governance on New AI Tools

• Derek Fisher (17:24):

  “We should be striving towards having AI governance boards... and use case libraries. What are the allowed and disallowed activities as it relates to AI?”

3. Hacklore.org: Busting Security Myths

• Led by former Yahoo and DNC CISO Bob Lord; over 80 experts signed an open letter promoting evidence-based security, not outdated myths (“juice jacking,” public Wi-Fi paranoia, excessive password changing).
  • Derek Fisher (20:10):

    “At one point [public Wi-Fi] was not the most secure thing. Yes, we've moved way beyond that... Are there bigger problems? Absolutely... Attackers are always going to go for the lowest hanging fruit.”

  • Matthew Bybee (22:10):

    “Oftentimes we as practitioners have used [these myths] not in the best way... we've driven fear into our users. I was pleasantly surprised to see how they've approached some of those things...”
    “…Compliance frameworks that are outdated... reference some of these things. It's a good resource [Hacklore] and a good mechanism... to help steer direction and change in that area.”

• Refocusing on practical, high-value actions for users and organizations.
  • Rich Rafalino (25:14):

    “It really does seem to be taking the onus off the individual... It gets to a point of exhaustion—'Oh, there's so many things I shouldn't do, I know I'm screwing up somewhere.'”
    “There's a certain amount of deprogramming... from some of this lore, whether it was real or not.”

4. Security Risks in Mergers & Acquisitions

• Akira ransomware affiliates exploited legacy SonicWall VPNs via acquired companies; inherited technical debt and lack of integration create exploitable windows.
  • Derek Fisher (27:10):

    “M and A’s are messy, right?... You're taking on all their security debt, their technical debt... You don't know how many people are disgruntled and upset about being acquired—you may have an increased insider threat... Getting security involved early will decrease pain down the road.”

  • Matthew Bybee (29:02):

    “Having been through multiple M and A’s, there's always that tension between business, IT integration, and security... Business always moves faster than IT and security... It's bringing the practitioners in earlier and communicating... what those risks look like.... Be the people who champion, 'Hey, if you want to do something, let us know, contact the security people—We'll help do it in a secure manner.'”

Notable Quotes & Moments

• On the pace of AI-related threats:

  “We barely understand how these things are being used, let alone how, you know, attackers are... going to be able [to leverage] advantage.” —Derek Fisher (05:37)

• On the fatigue of endless, outdated security advice:

  "There's so many things I shouldn't do, I know I'm screwing up somewhere. Is the cry of someone that's given up." —Rich Rafalino (25:14)

• On the need to update compliance frameworks and security awareness:

  “We have compliance frameworks... that are outdated and old, that reference some of these things [myths]... I think it's a good resource… to try to help steer direction and change in that area.” —Matthew Bybee (22:10)

• On the M&A security dynamic:

  “Business always moves faster than IT and security.” —Matthew Bybee (29:02)

Practical Takeaways

• Prioritize vulnerability and patch management in ubiquitous open-source tools, especially in cloud environments.
• Understand and communicate the real threat of emerging AI weaknesses—prompt injection will evolve, raising new risks for enterprise users and consumers.
• Anticipate user support and confusion from security process changes (like the new FIDO2 PIN prompt). Education is essential.
• Focus user education and compliance initiatives on risk-based, evidence-driven practices, not outdated or academic-only scenarios.
• Approach major business changes (like M&A) with a clear integration plan for security teams to minimize increased risk from legacy systems and credentials.
• Consider AI governance boards and approved-use-case libraries to manage proliferation and risk of new tools.

Additional Resources

• Hacklore.org – The project to debunk old security myths.
• CISO Series Events & Feedback: cisoseries.com

Final Thoughts

This edition emphasized that cybersecurity is about managing the highest risks with evidence-based strategies, not fighting yesterday’s battles or scaring users unnecessarily. Rapid change—whether in AI, cloud, compliance, or business structure—means practitioners need to focus on education, process improvement, and “deprogramming” users from legacy thinking while preparing for new technical realities.