
David Spark
From the CISO series, it's cybersecurity headlines. Researcher creates fake passport using ChatGPT, Oracle confirms obsolete Servers were hacked and President orders probe of former CISA director Chris Krebs. These are some of the stories that my colleagues and I have selected from this past week's cybersecurity headlines. And now we're looking forward to some insight, some opinion, and most certainly some expertise from our returning guest making her triumphant second appearance on our show, Carla Sweeney, SVP of InfoSec over at Red Ventures. Carla, it has been too long. I have to ask, how was your week in cybersecurity?
Carla Sweeney
It was great, but my team is always very paranoid and so I'll say it was fine.
David Spark
Yes, I like this. Yes, couch everything. Like let's not get too high that we don't get too low. This is an attitude I can get behind. Another thing I can get behind is our sponsors for today. Nudge Security: bring SaaS security risks out of the shadows. Now some people that can get like it as jazzed as you want for the weekend, here is our YouTube commenters helping us out, making the show better. We really appreciate everyone that shows up. It helps make the chat a really fun and welcoming place. So thanks to everybody that shows up every week and if you want to join them, you can just go to our events page at cisoseries.com and click on the Week in Review show. You will be directed to our YouTube link and you can just subscribe there and then find us on YouTube. Everyone, that's fine. All good. Before we jump into the show, just a quick reminder that all of Carla's opinions are her own, not necessarily those of her employer, her friends, family or clergy. We've got about 20 minutes, so let's get started. First up here: Researcher creates fake passport using ChatGPT. A Polish researcher successfully used ChatGPT-4o to create a fake passport in five minutes, suggesting that the document is realistic enough to bypass automated know-your-customer checks. He did this to emphasize the growing risk of mass identity theft for numerous types of nefarious purposes. Just 16 hours after his announcement, ChatGPT modified its prompt rules to no longer generate fake passports. Super nice of ChatGPT to turn off the old passport making feature, but obviously that's something of a drop in the ocean given that there are so many other resources available to fabricate or alter identities. Just different prompts, different IDs you can use, different LLMs. Carla, what goes through your mind as you see this continually advancing ability to create realistic fake media kind of across the board?
Carla Sweeney
Yeah. I mean, how we can reliably verify an identity is becoming more and more vulnerable. We are in a time where sophisticated or expensive techniques are just becoming available to everyone and security has always been a cat and mouse game. This situation just highlights, I think, the arms race between, in this case, forgery generation and ways to detect it. I mean, I appreciate ChatGPT's quick response. I appreciate all the LLM guardrails that are being implemented, but we can't fully rely on these or we can't wait on AI policy decisions to feel safe and protected. I also think about the need, the continued need for more skepticism from everyone, for everything. The paranoia that was generally limited to security teams, I feel like would benefit everyone. This is not a simple problem or a simple answer.
David Spark
Yeah, kind of, you know, we talk all the time on the CISO series about kind of like building a security culture, but increasingly it's becoming, you know, letting the whole org and really letting whole of society know, like, these are the capabilities. Here's, here's what your expectation should be in terms of, you know, how you should take people at their word. So some very, very good thoughts there. Second up here, Apple appeals UK encryption backdoor order. The UK's Investigatory Powers Tribunal, you may know it as the IPT, confirmed that Apple filed an appeal on an order that would require it to create a backdoor in its Advanced Data Protection feature that's part of its cloud storage. The Financial Times first reported on the appealed order and now the IPT has now confirmed it. So we're not just relying on source reporting. A hearing on the appeal was already held last month in London, but no media access was permitted, so we don't know the particulars of that. But, Carla, over its history, Apple has staunchly protected its right not to make devices vulnerable to backdoors. Privacy is one of its big marketing features, essentially product differentiators. I'm curious, what's your opinion here? You know, we could always make the argument that 10 times, you know, might call for law enforcement or governments to have access to what's on devices or in the cloud. But given the fact that we've seen many government departments being just as vulnerable to data breaches as the private sector, if not more so, I'm curious, should we be allowed to pursue this kind of backdoor conversation?
Carla Sweeney
I mean, I think the argument from governments always centers on legitimate national security concerns. I fully understand that, but the counterargument is also very compelling. I mean, backdoors fundamentally weaken security for everyone. This is an opening. This would be an opening not just for governments, which from a security standpoint they are also fallible, just like the rest of us, but for bad actors too. And so when we open back doors, they're open. I also think the intent of different governments can shift and sway based on the administration or if we think about it globally, the regime of the government. And as something of a privacy advocate myself, I appreciate this from Apple. As a security advocate, I also see the benefit of not having backdoors that can then be exploited in various ways that are unintended. I mean, there's trade offs to all privacy and security choices like this one. And of course there are times when national security could benefit from more data. But I mean, I think especially in these tense times, there's going to be even more justification from Apple to hold tight.
David Spark
Yeah. And given, you know, it is not just, certainly it's not just coming from the UK we hear these kind of arguments, you know, whether it's going back to the FBI, San Bernardino shooter, Apple unlock case with the US government, how many years ago? Over a decade ago now. We've had encryption battles before smartphones going, you know, back to the 90s and stuff like that. So this is, I think it's important for us to have this debate, but to still have the ability to legally have something that's private electronically, I feel like is an important precedent. Maybe not a production feature for all companies, but to have that capability and have it legal to have that capability I think is an important precedent for sure.
Carla Sweeney
Agreed. Agreed.
David Spark
Next up here, Oracle confirms obsolete servers hacked. Oracle has finally confirmed to customers that hackers leaked credentials stolen from its servers, despite being adamant that Oracle Cloud Infrastructure had not experienced a security breach. The emphasis mine. They did say that a hacker was able to access hashed usernames and passwords from two obsolete servers that were never a part of OCI. Now, researcher Kevin Beaumont said that Oracle's denial of breach for Oracle Cloud comes down to just basically wordplay since the breached servers were part of Oracle's older cloud services environment, which it has recently rebranded as Oracle Classic. Taking the Warcraft approach there. Carla, what's your take on this?
Carla Sweeney
I think there are so many nuances to corporate communications during and after a security incident. So this does not at all surprise me. If we read any mandatory disclosure language, then you read language like this all the time. And I think Oracle is using very specific and exact language to be technically correct and, and not lying, but minimizing damage to their brand. Of course, they want to assure their customers and their future customers that using the service is safe. And I'm not a lawyer or PR person, but certainly understand wanting to protect the trust that the customers have. So this doesn't surprise me. I do think it can backfire if it starts to look like you're trying to minimize the problem. In this case, the passwords were hashed, so it's okay. But even hashed passwords can be vulnerable depending on the algorithm and if they were salted and things like that. And I think the question that I am lingering with is if these servers were obsolete, why were they not decommissioned? Why were they up in the first place? So, you know, I know Oracle is trying to make everyone feel good, but if we're. I'm still, I still have questions.
David Spark
Yeah, I completely agree with the idea of, like, let's give the corporate comms team the benefit of the doubt. Like never, never ascribe to maliciousness what can be ascribed to overly cautious lawyers. I think this every time there's like a terms of service kerfuffle where someone adds, you know, something, and it seems kind of out of left field. It was like a lawyer copy pasted that out of some other agreement in there to give them future clearance for, for something that they're not actually doing right now. I feel like that's the same way here, but I don't know. I think there is, for cybersecurity specifically, there is such an emphasis on timely disclosure. You know, transparency being a key to this kind of answering a lot of these questions. CCL raised the exact same point you did. You know, how customer data somehow got sucked onto an obsolete server. And then Kevin Farrell is asking, it wasn't obsolete until it was breached. Right. So again, the problem that it is is it's again, sympathetic to that, but when you have kind of this delayed and kind of run through the mill kind of answer to this, the natural, like the cybersecurity community, of all people are a little bit skeptical, maybe a little bit jaded. Depending on experience, you're more likely to read ill intent as opposed to we got breached. Here's the specifics. It wasn't Oracle Cloud, but it was this kind of stuff. So, yeah, always something to keep in mind. Before we move on to our next story, I have to spend a few moments with our sponsor for today, Nudge Security. Are you struggling to secure your exploding SaaS footprint? With Nudge Security, you can discover all SaaS apps and accounts, manage access, ensure secure configurations, vet unfamiliar tools, and automate daily identity security tasks. Visit nudgesecurity.com. That's n-u-d-g-e-s-e-c-u-r-i-t-y dot com. All right, one of the bigger stories that broke late this week: President orders probe of former CISA Director Chris Krebs.
President Trump signed an executive order on Wednesday intending to that removed the security clearance for Chris Krebs, who had served as director of CISA and who was fired in 2020 after having stated that there had been no technical issues with the presidential election. The executive order not only directs agencies to revoke Krebs' security clearance, but also to suspend those held by individuals at entities associated with Krebs, including the cybersecurity firm SentinelOne, where he is the chief intelligence and public policy officer. The directive is pending a review of whether such clearances are consistent with the national interest, according to a fact sheet supplied by the White House. So, Carla, it is of course no surprise that Krebs ended up with a target on his back here. But I'm curious, what does this do to the morale of CISOs and security executive security professionals everywhere, knowing that they too might be subject to an action similar to this if they choose to take up government work?
Carla Sweeney
Yeah, I think this one's rough and I'm sure tough to hear for a lot of security professionals, especially leaders. And in this case, having his security clearance revoked is another dimension specific to government agencies that goes beyond personal reputation and personal financial impact. And the ripple effect of associated individuals and private organizations, like in this case, SentinelOne, makes it even more concerning. Like the fact that even after your government service, your professional network and your subsequent employer and associates could face additional scrutiny based, you know, based on something that happened years ago is really disheartening. And I think government agencies already have to compete with the private sector from a salary standpoint. And so, you know, especially given. And in addition to the ongoing uncertainty around employment and government, government agencies right now, this definitely doesn't help the friends in recruiting who are trying to get cybersecurity professionals to join.
David Spark
Yeah, the, the talking about, yeah, the competing with the private sector on, you know, salary benefits. It, it. You're already asking people to essentially say, hey, for the sake of, what do you want to call it, patriotism, civic pride, you know, realizing that you're doing an important mission like that has a real draw to a lot of people. That's why people go into government work. And the, the idea of, of making that more potentially problematic to your career later. Yeah. Is, is of this kind of in the in the same vein as the recent SEC scrutiny of CISOs, where, you know, we're we're seeing a lot more responsibility and potential liability put onto the role it makes. That all goes into the calculus, right, of what you decide to do with your career as a cybersecurity professional if you get into that field, you know, depending on at what point in your career. So we, like you said, a ripple effect that maybe we will see for years to come from at this point. Next up here, Researchers warn about AI-driven hacking tool. Researchers at SlashNext published details about Xanthorox AI, which I have to note is a great name for a death metal band. Xanthorox AI is a modular AI-driven hacking tool first spotted on a hacker forum last month. Xanthorox uses five operational models to handle things like code generation, vulnerability exploitation, data analysis, and integrates voice and image processing, making it capable of both automated and interactive attacks. As opposed to running on jailbroken existing LLMs, Xanthorox runs on a self-contained architecture on dedicated servers with its operators claiming it's a custom LLM. So Carla, thinking back to our passport story earlier, it's obvious that threat actors aren't waiting around to get permission to use publicly available LLMs or at least commercially available ones. How does this impact on how does this kind of phenomenon, this reality I guess now impact a company's defense in depth strategy?
Carla Sweeney
I mean the cat and the mouse are all moving so fast right now. I think the detection mechanisms need to account for these more sophisticated attack patterns and the fast changing ones. So behavioral analytics and anomaly detection are going to be much more effective and the days of signature based only are gone, that's going to be unhelpful at this point. I think these advanced capabilities make attacking much cheaper. And so where threat actors might say, well it's too expensive, we're not going to get the return that's changing too. So where companies might have thought, well I'm not going to be a target because they won't get what they think they're going to get from me. They might be willing to invest because it's less of an investment to attack. And so I think the best defense is going to have to be more broad, not just on the likely attack vectors, but if the cost of attack is going down, then they can do more with less. That means we have to protect more. And I think testing is going to be critical too. So the manual red teaming and pen testing methods aren't going to tell us if we're ready against these more sophisticated attacks. And so we'll have to test ourselves in different ways too. So it's a cat and mouse game. It always has been. It just feels like the speed has ramped way up.
David Spark
Yeah, the idea of we saw things like WormGPT, which are effectively running on cracked versions of ChatGPT. They found a jailbreak that they could exploit for like 5 minutes and send out and run it over Telegram or something like that. This to me feels like we've seen DeepSeek kind of pioneer. Like, hey, you can do a whole lot with a model that can fit entirely in RAM on a consumer. Something that anybody can go out and buy. Like you said, the hits kind of keep on coming with this. Is this kind of independently running LLM essentially, like custom made for threat actors. Like, does this seem like it happened, I don't know, orders of magnitude faster than I thought it did? I'm not sure.
Carla Sweeney
Yeah, it feels like it was way faster and it feels like what, maybe a year ago we thought, oh, it'll be a couple of years. Now we're saying it's months, days, tomorrow, yesterday.
David Spark
Getting to that. Our next story here kind of speaks to just how fast things are moving. So we have kind of a triple story here. Precision Validated Phishing, AkiraBot and WinRAR. Xanthorox AI not the only one with cool names in the news this week. We got three more kind of the exact same vibe here. First up, Precision Validated Phishing uses real-time email validation to ensure phishing content is shown only to pre-verified high-value targets. Second, an AI platform called AkiraBot is spamming website chats, comment sections and contact forms to craft content that it can bypass spam filters. And third, a vulnerability in the WinRAR file archiver solution, it's the one you never pay for, that could be exploited to bypass the Mark of the Web security warnings. So here we have two AI tools and a vulnerability, all of which are revealing growing security weaknesses thanks to accelerating sophistication on the part of threat actors. AI obviously playing part of why that's happening. But which one of these, I guess, stands out the most to you, Carla?
Carla Sweeney
I think the phishing vetting is really interesting. These attackers are thinking about how to get better results while staying quiet. And the target is everybody. And I think that's what's always so compelling about social engineering is is the attack surfaces, is literally everybody specifically knowing, yes, this is my target who's responding, this is where I'm going to spend my time. I'm not going to waste a bunch of time with passwords or credentials that are fake or that are going to get me caught is I think very interesting in speaking to just like a business. How are they getting the results faster with less effort and with more precision? Yeah. And of course like how our detection is now falling behind and how can we stay ahead of this?
David Spark
Yeah, the precision phishing, it really changes fundamentally like what that threat means. Right. Because it was always cast the biggest net someone will click. Right. Like that's the thing with phishing. It's like you do it enough, someone eventually will click. And now this is we can, we can, we could still do that. And, and yeah stay under the radar. It changes how much time you would want to invest in each of these prompts and stuff like that. So it gets, it gets, it gets tricky really fast. CCL in agreement. AI is an accelerator in both directions. We did talk about this a little bit on Super Cyber Friday earlier today. You can check out the replay over to look for it at cisoseries.com. The just this idea that there is, you know this isn't completely asymmetric right. Like defenders are getting these tools. They the productization might take a little bit longer but it's not completely one sided. May feel like that sometimes when we were seeing rise in deepfake threats and using them for social engineering and stuff like that. So definitely social engineering on the mind in the news and on the CISO series today. Before we get out of here, Carla, was there any story that was a thumbs up or an eye roller for you?
Carla Sweeney
I will give a thumbs up to Apple. I think opening back doors just opens up risk for everyone. So keep going, keep going. Apple.
David Spark
Yeah. And the fact that it's kind of a squishy thing to explain like say we respect privacy. That's like an easy like okay, people generally like privacy or understand that. But like to go to bat for encryption is a much tougher thing to sell. Especially when you can have a government say well you're allowing drug dealers, you're allowing CSAM and stuff like all like very horrible things to happen because of like that's a tough thing to go to bat for. So I respect any company that will do that whether it's Apple or Signal or whoever. So yeah, definitely some thumbs up there as well. And a big thank you to everybody in our chat today. I saw CCL, I see Kevin Farrell, I see Adam moatsweri over on LinkedIn joining in on us. Max Tronick, big boss man David Spark is on vacation. He's taking some well deserved time off, so he'll be in the chat next week. Uh, and, uh, before we get out of here, uh, Carla, where can people, uh, find you on the cyberspace?
Carla Sweeney
If, uh, they're so inclined, come find me on LinkedIn.
David Spark
Excellent. We will have a link for that in our show notes as well. Thank you so much, Carla Sweeney, SVP InfoSec over at Red Ventures, for your triumphant return. I'm declaring it triumphant. This was spectacular. Thank you so much for your time and your insight today with the news.
Carla Sweeney
Thank you for having me.
David Spark
Thanks also to our sponsor today. Nudge Security brings SaaS security risks out of the shadows. And thanks once more to our audience. This show wouldn't be the same without you. I see you, Jason Eyestone. You were trying to sneak, sneak in there. You still get a thank you too as well. Join us next week first up on Super Cyber Friday where our topic of discussion will be hacking the evolving DDoS. An hour of critical thinking about the changing threats to service availability. That's at 1pm Eastern. Then flash forward two and a half hours later, we got the Week in Review show. Yes, that's right. This very show that you are watching right now. To register to join us on either of these, head to the events page at cisoseries.com. Make sure you're also subscribed to us on YouTube so you know when we go live. In the meantime, you can still get your daily news fix every single day with Cyber Security Headlines. Give us about six minutes, we'll get you all caught up until the next time we meet. For myself, for Carla, for our producer, Steve Prentice, for all of us here in the CISO series family, here's wishing you and yours to have a super sparkly day. Cyber Security Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Carla Sweeney
It.
Cyber Security Headlines: Week in Review - April 11, 2025
Hosted by David Spark from CISO Series, featuring guest Carla Sweeney, SVP of InfoSec at Red Ventures.
Overview: A Polish researcher demonstrated the potential dangers of AI by using ChatGPT-4o to generate a fake passport within five minutes. The document was realistic enough to potentially bypass automated Know Your Customer (KYC) checks, highlighting the escalating risks of mass identity theft.
Key Discussion: Carla Sweeney emphasized the vulnerability in identity verification systems:
"How we can reliably verify an identity is becoming more and more vulnerable. We are in a time where sophisticated or expensive techniques are just becoming available to everyone."
[02:33]
She pointed out the ongoing cat-and-mouse game between forgery generation and detection mechanisms, stressing the need for enhanced skepticism and robust security measures across all sectors.
Overview: The UK's Investigatory Powers Tribunal (IPT) confirmed that Apple filed an appeal against an order requiring the company to create a backdoor in its Advanced Data Protection feature for cloud storage. This move aligns with Apple's long-standing stance on protecting user privacy against governmental demands.
Key Discussion: Carla highlighted the broader implications of such backdoors:
"Backdoors fundamentally weaken security for everyone. This is an opening not just for governments but for bad actors too."
[04:54]
She argued that while governments cite national security, the inherent risks of creating vulnerabilities that can be exploited by malicious entities outweigh potential benefits. Carla lauded Apple's commitment to privacy, noting:
"As a privacy advocate, I appreciate this from Apple. As a security advocate, I also see the benefit of not having backdoors that can then be exploited in various ways."
[04:54]
David Spark concurred, underscoring the importance of maintaining strong encryption standards to preserve user privacy and security.
Overview: Oracle admitted that hackers accessed credentials from two obsolete servers, recently rebranded as Oracle Classic. Although Oracle stated that its current cloud infrastructure remained secure, the breach raised concerns about data security practices for legacy systems.
Key Discussion: Carla discussed the nuances of corporate communication during security breaches:
"Oracle is using very specific and exact language to be technically correct and not lying, but minimizing damage to their brand."
[07:29]
She questioned the decision to maintain obsolete servers:
"If these servers were obsolete, why were they not decommissioned? That's something I still have questions about."
[08:36]
The conversation highlighted the delicate balance companies must strike between transparency and brand protection in the aftermath of security incidents.
Overview: President Trump signed an executive order revoking the security clearance of Chris Krebs, former director of the Cybersecurity and Infrastructure Security Agency (CISA). This move extends to individuals associated with Krebs, including those at his cybersecurity firm, SentinelOne.
Key Discussion: Carla expressed concern over the morale of cybersecurity professionals:
"Having his security clearance revoked is another dimension specific to government agencies that goes beyond personal reputation and personal financial impact."
[11:35]
She noted the broader implications for recruitment and retention within government cybersecurity roles, highlighting:
"This definitely doesn't help the friends in recruiting who are trying to get cybersecurity professionals to join."
[12:37]
David added that increasing scrutiny and potential liabilities may deter professionals from pursuing government roles, further exacerbating the sector's recruitment challenges.
Overview: Researchers at SlashNext revealed Xanthorox AI, a modular, AI-driven hacking tool capable of automated and interactive attacks. This tool uses five operational models for tasks like code generation, vulnerability exploitation, and data analysis, and runs on dedicated servers on what its operators claim is a custom Large Language Model (LLM).
Key Discussion: Carla discussed the rapid evolution of attack tools and the necessity for adaptive defense strategies:
"Behavioral analytics and anomaly detection are going to be much more effective. The days of signature-based only are gone."
[14:35]
She emphasized the need for comprehensive defense mechanisms as AI tools lower the barrier for sophisticated attacks:
"Where companies might have thought, well, I'm not going to be a target because they won't get what they think they're going to get from me. They might be willing to invest because it's less of an investment to attack."
[14:35]
David reflected on the accelerated timeline of such threats, and Carla agreed, noting that advancements are happening "months, days, tomorrow, yesterday" rather than years in the making.
Precision Validated Phishing: Attackers are employing real-time email validation to target high-value individuals with phishing attempts, increasing efficiency and success rates.
AkiraBot: An AI platform named AkiraBot is automating the creation of content to bypass spam filters in website chats, comment sections and contact forms, enhancing the effectiveness of malicious communications.
WinRAR Vulnerability: A vulnerability in WinRAR could be exploited to bypass Mark of the Web security warnings, posing significant risks to users who rely on this file archiver solution.
Key Discussion: Carla highlighted the evolving nature of these threats:
"Phishing vetting is really interesting. These attackers are thinking about how to get better results while staying quiet."
[17:56]
She stressed the importance of advancing detection technologies to keep pace with sophisticated attack methodologies driven by AI.
Carla commended Apple for resisting the push to create encryption backdoors, reinforcing the importance of safeguarding user privacy:
"I will give a thumbs up to Apple. I think opening backdoors just opens up risk for everyone. So keep going, keep going. Apple."
[19:55]
David echoed her sentiments, acknowledging the challenges companies face in advocating for strong encryption amidst potential backlash from governmental demands.
Conclusion: The episode underscored the relentless advancement of cyber threats, particularly those augmented by AI technologies. Carla Sweeney provided expert insights into the implications of these developments, advocating for robust security measures and cautious corporate practices. The discussions highlighted the critical need for transparency, advanced detection systems, and unwavering commitment to privacy and security standards in an increasingly complex digital landscape.
For more detailed stories and insights, listeners are encouraged to visit CISOseries.com.