A

From the CISO series, it's cybersecurity headlines.

B

Jaguar, Land Rover and European airport suffer from consolidation. AI prompt injections get smarter as expected. And New York City dodges cell tower farm threat. Now, these are some of the stories that we've selected from the past week's cybersecurity headlines. And we are now looking forward to some insight, opinion and expertise from our guests. That would be Brett Conlin, CISO for American Century Investment, and TC Niecikowski, head of security and IT over at Open Door. Thank you, gentlemen, for joining us as, as well as you. Both of them, by the way, have been on many times. Our sponsor is Conveyor Find calm in every security review. Now, if you are listening to this show as a podcast, remember that next week you too can join us and our local band of vocal experts on YouTube live. Just go to cisoseries.com hit the events, drop down and look for the cyber security headlines. We can review image. Just click on it to join us. All right. And for those of you who are here with us right now, be sure to contribute your comments in the chat. We will do our best to address them during the show. You can also send us feedback by email and we would love to know what you think of the show. Drop us a line at any time. Feedbackisoseries.com and let me give the disclaimer that we give at every show. Opinions are those of their guests, not the companies they represent. We have just 20 minutes here, so let's get started. Why don't we Now I'm going to ask both of you, start with you, Brett. What would you say the biggest story in cybersecurity was this past week?

A

For me, I think that, and we're going to talk a little bit about this, but the UK hack on the airline systems and really how that ties into what we're trying to see over in Europe, where they're going to start storing all of this biometric information that they're going to keep on their bordering country. So we'll talk a little bit about that, but that's probably the biggest one that I have concerns over.

B

We're leading with that. And TC what's your biggest story?

C

Absolutely, in the Jaguar Land Rover. I mean, just the, the financial impact of this ransomware incident is huge.

B

All right, well, let's, let's just jump right into it because that's our first story. Jaguar Land Rover and European airports suffer from consolidation. Now, we are starting with a double story which essentially both Brett and TC mentioned that happened this week. Firstly, Jaguar Land Rover attack, which is now a few weeks old, seems to have been worsened by the fact that all of its factories shared the same key computer systems, ranging from its networks to data connections, and crucially, its cybersecurity. Meaning that when the attack happened, it was impossible to isolate any one factory. Now, we then saw the same thing happen at Heathrow Airport as well as in Brussels and Berlin with their check in and baggage handling systems. All right, here's my question for both of you. Organizations work hard to improve their productivity and security, often using consolidated third party platforms. Do you feel these two events reveal a serious weakness in that approach? I'm going to start with you, Brett.

A

I do. I think it's a wake up call and I think it's a wake up call that our digitization drive is outpacing our security maturity. So the symptoms are over reliance on unhardened tech in the ecosystems, whether it's travel, whether it's our car manufacturers. So as CISOs, we need to lobby for interoperability standards. We want to see red teaming before they launch. And travelers are. You're going to have to be patient when it comes to the airlines. Because my concern right now is what we mentioned a little bit earlier, which is you now have this, what? EU's entry exit, where they want to store fingerprints, facial scans, passport deep dives. They're going to store it for three years. The goal is noble, but are we really there from the security standpoint to carry all this biometric data? And guess what? If you don't give it to them, you can't come in.

B

Let me check something. Tap on your microphone for a second, Brett. Yeah. Okay, we're on. Just get a little tighter on that microphone. All right, tc, same back to you with regards to this story. It's a doozy here. Both of these trying to make things easier just created a bigger problem for themselves, I think like a, like essentially a single point of failure here, isn't it?

C

Well, I guess when I think about it like, you know, cost reduction, consolidating your infrastructure, in this case, for both organizations, the infrastructure they consolidated on was very legacy. So I dug in pretty closely to the European airport disruption. And so in this case it was a ransomware variant that's a decade old where signatures free, Microsoft Defender Signatures would have picked this up for the last 10 years. Essentially this is some really old software that hasn't been updated. When are you going to get to it? And I think the future is here. It's unevenly distributed. So if you're working at a tech company, at a startup, you're getting the newest thing off the shelf. But in government, healthcare, manufacturing, all these services that we rely on and that actually build things, when are they going to go out and clear out these systems and get them up to date and when, you know, when would that even make sense from a cost perspective? Because for every company that does get hit, there's a hundred more that don't.

B

Let's jump to the next story. ChatGPT can be prompted to solve CAPTCHAS, the indirect prompt injunction bug. This is quite interesting. So another double story for you. First, researcher Dorian Schultz has found a way to get ChatGPT to solve CAPTCHAs by telling it to only work on fake captchas and then copy pasting the discussion as if it were part of a real captcha exercise. Then researchers at Noma Security have found a way to embed malicious instructions into documents that an LLM then uses in its research. This unfortunately has shown up in a Salesforce product. All right, tc, I'm starting with you. Obviously no surprise that weaknesses in new technologies have been discovered. These are not the first stories we have covered in this area. But here's the thing I want to mention. When I saw this story, I thought immediately of the classic video that we saw years and years ago of the kryptonite lock being unlocked by a Bic pen. A little plastic 10 cent pen unlocked or kryptonite lock. The second that, by the way, everyone had a kryptonite lock, it was seen as the most secure lock you could get at that very moment. What was seen as extremely secure was essentially zero security. So one of the things we talk about is we talk about these stories having an impact on business. Is this the same thing that is it as bad as this kryptonite Kryptonite lock story that do we just have to dump captchas all of a sudden or they talked about certain captures were still working like the sliding puzzle. P What do you think tc?

C

Yeah, I mean anti bot. Anti bot detection, you know, making sure it's real. Users preventing attacks like credential stuffing. CAPTCHAs for a long time have been really easy for an adversary to overcome. You can just pay people pennies to do them for you. There are services that'll do that. And so now it's even less than pennies. You're paying for tokens in order to have ChatGPT do it for you. A nuance on this from that SPLX research that when it came to the different type of captchas, the one that the AI couldn't do was rotating an image. And that's something that's known about these different AI models having a hard time with image rotation versus humans. So there might be certain types of captchas that work, certain types of captchas that don't work.

B

But that's, but that's today. You know what I mean? That's. That's a today problem, not going to be a tomorrow problem.

C

Well, you know, today is where we're fighting, right?

B

Yeah, that's a good point.

C

So I mean, if you can go and shoot an update today, you know, like, okay, six months later, we'll deal, whatever comes. But I think the one that to me is more. I'm more worried about is a Salesforce one. The idea that, you know, that I've planted something here, it's going to get picked up by your systems. I'm waiting for you to open this up in some sort of downstream system. So in this case, you know, malicious user submits like a lead with basically prompt injection as the payload. And then when you pick it up with Agent Force or Einstein AI, it ends up executing that payload from those. From the permissions of that agent, essentially inside your network. So I laughed at their recommendation from Salesforce, which was to audit existing lead data for suspicious submissions containing unusual instructions. It's like, are you saying that you should go through all of this business data and actually read it to see if it looks suspicious? That is just. No.

B

You're going to use like that's the advice. That's not advice. It's like go to check to think, make sure things are working. Thanks for the advice.

C

Two million rows to see if they make sense.

D

Steve, I was just going to say I think that the essence of captcha is not so much the rotating of the pictures, but only humans will go, ah. Every time. They have to do that to try and get somewhere. So that's, that's what determines that you're truly a human.

C

If their face gets hot and they're pissed off, then you know, they're annoyed like.

B

And do one of these. Not this again. Brett, your take on this story because it's a mess.

A

Yeah, I'm with TC a little bit on. On this where I felt like Salesforce's answer was scrutinize your own workflows was a non answer. It almost sort of looked at like them, they were absolving themselves of the problem, which I didn't care for. But I think exactly what TC Said it, you know, there are captchas out there that are standing up a little bit better to the bots than others. You should be adopting those. And if you look at what scares me most about this agent, AI and what they're starting to do, they're going to use AI to basically slip in instructions to exfiltrate data. So you're no longer breaking in via SQL injection. You're going to use AI against the company in forms, in comments, in chatbots, and see if you can't get the agent to take the data out. And I think it's that path of least resistance that AI is allowing these actors to sort of start taking advantage of it.

B

All right, let's go to a word from our sponsor and that would be Conveyor. Are you still stuck in security review chaos week after week? Well, guess what, you're not the only one. But with Conveyor teams finally get to a place of questionnaire Zen. Their AI auto fills answers across any format of a questionnaire, even portals and an enterprise ready trust center. Keeps documents and policies ready. For instance, sharing no more manual copy pasting, no more last minute scrambles. Just calm, clear security views that keep deals flowing. You can find your Zen with conveyor@www.conveyor.com and at least spell conveyor for you. It's C O N V Y O R. And when you go there, let them know that you heard about them from the CISO series. All right, next story Fed say 130,000 card farms could have killed New York City cell towers. All right, this is kind of a doozy. The U.S. secret Service said it dismantled a covert cellular network of more than 100,000 SIM cards and 300 servers near New York City that posed as an imminent telecommunication threat ahead of the UN General Assembly. Now officials said the foreign linked network could have shut down the city's cellular system and targeted communications government and emergency personnel. The equipment was found within 35 miles of the UN and is now under investigation as agents analyze data from 100,000 phones. I'm going to start with UTC. When we hear about sim swapping, it's usually the image is often a single person getting their phone stolen. But here we see an example of what happens when these cards are banded together. This is kind of new to us. I haven't seen examples of this, have.

C

You, TC well, yeah, I guess I feel a little naive because when I saw the pictures I was like, isn't this what's happening with, you know, romance scams or like gold farms for video games? Or where you just, you see these places where they have tons of phones, right? And they're, you know, whatever type of criminal exercise they're doing. But I went a little bit further. I, I threw it into Claude. Anyone, anyone here know what a SIM server costs? Okay, so like to have 100,000 SIM cards, you need a high end SIM server in order to have 300 SIM servers do those. So your cost for the servers are 2 to 3 million alone. So actually I got blown away once. My opinion, there's a lot of skepticism is what I'm hearing in the security community. Is this just a good timing for a PR release since they were found back in August. Is this really normal? It's normal to have these SIM farms, But just those 300 SIM servers that could, having 300 servers that can support 100,000 SIM cards, that's like 2 to 3 million dollars in infrastructure alone.

B

That's some serious investment in cybercrime here. So I don't know what their, their goal or their attempt was. Brett, what's your take on this story?

A

So I didn't know the cost, but I was sort of going along the same thing of this is 300 servers, 100,000 cards, and they're all working in concert, right? So that is not an individual. And that infrastructure is going to take, gosh, high level coordination, either organized crime, maybe military grade. I do think it's interesting that we're finding out months after it was taken down. Now on the other hand, if something at this scale was extremely resource intent intensive and law enforcement was able to manage to find it and shut it down, I guess that I feel pretty good that maybe it's not an everyday attack, it's obviously well funded, but we did find it and take it down. And maybe that was sort of a message to our adversaries that we can find those things and we will take them down and to, to deter them from the amount of money that they were standing up and using to do what they potentially thought they were going to achieve with that.

B

Well, and CCL asks this question exactly what's a gain for the bad actors? I mean this is a really, really good point in that, okay, they made this, whatever $2 million investment to do this. If it paid off. You know, this is the thing we see with cybercrime. It's usually low risk, high reward, and also usually reasonably low investment. This is a pretty significant investment. So hopefully, even though they did this and the fact it was found, it will hopefully deter the next one for not spending that kind of money. I would hope so.

C

The New York Times article had a great quote. They called that having the UN in New York. They called it the, the Olympics of cyber espionage.

B

So, yeah, yeah, well, they definitely shot high, that's for sure. All right, let's go to our next story. Major vendors withdraw from MITRE EDR evaluation. So both Sentinel 1 and Palo Alto Networks announced this month that they would not take part in mitre's Ingenuity Attack evaluation. Following a similar announcement from Microsoft back in June, MITRE CTO Charles Clancy told Infosecurity magazine that participating in this test is actually resource intensive for vendors, with the company seeking to make them harder each year, including adding cloud environments in the 2025 edition. So Clancy said Mitre will re establish its vendor form forum in 2026 to address some of these concerns. All right, TC, you selected this story. Is this a case of companies becoming reluctant to show up less than first in this context because, you know, the ones who bowed out were, were not at the top of the list? Or is it simply just a matter of the excessive cost to participate? I, I mean, I know that it's usually in these high profile things. Companies are excited to participate, they're excited to be seen as volunteering and getting involved.

C

Well, you threw me off. They were saying it wasn't the ones at the top because I think CrowdStrike pulled out last year with that outage incident. So you got CrowdStrike, Sentinel One, Microsoft, Palo Alto. I thought that was the top of the list.

B

Oh, I saw a different. You know what, Steve, can you. Because I saw some numbers earlier that like, I don't know, they were like number 5, 6 and 12, something like that.

C

No, no.

B

Yeah, yeah, but, but I want to be corrected here. Steve, give me the numbers when you can jump in and let us know. Go ahead, T.C.

C

Yeah, I mean what I saw reading the articles was that like a lot of the new entrants are still wanting to participate. So me, it looks like maybe the top vendors, you know, biggest market cap in the space, pulling out where people that are still, they gotta fight to get a name recognition, right. They still want to go through the process. So it's just interesting dynamics. I think the other thing going on here is that a lot of the cuts in the funding for mitre, how many people it takes to run this program, how ambitious it is that they're adding cloud environments, the level of effort that puts back on the companies that are also still doing cost consolidation and transformation initiatives. So, you know, my hope is that they continue next year. Because if you know nothing about EDR and you just want to make sure you don't pick something stupid, you know, I would think this is a, you know, nonpartisan test to go and reference to help you make the selection. So I hope they continue, but I understand if there's challenges.

B

All right, Steve, correct me, where were they placed the these different vendors?

D

I've got here that Microsoft topped Mitre ZDR tests with Sentinel 1 ranked 5th and Palo Alto 12th. That's what I have from the story.

B

That's a bit. But so Microsoft was number one.

D

Yeah.

B

Okay. So they're. Okay, so I would. So, but okay, I knew two of them were lower down.

C

Okay, so Microsoft was out starting with last year. Right. So I thought that CrowdStrike would be one of the top ones as well.

B

All right, all right, Brett, your take on all of this. I mean, again, like, I'll give the perfect example. Like at the Black Hat conference, they have a security operations center and many of the vendors volunteer their staff and their equipment to run that. And that is seen as a coup to be able to do it, especially because they want like the newest equipment, the newest stuff going to show what it is. So in general, participating in these sort of high profile things is a big deal. And, and they're desirable, Brett?

A

Yeah, I think they are. But I will say, you know, when I was with the government, I knew that when we had to have vendors go through that MITRE process, it was laborious and it was not always indicative of how the real world configurations were set up. So you're trying to set up in a perfect world environment, and that's not what these products are built on, and it's not what we want these products to be built on. We need them to understand the environment that we're operating in. So a lot of the time it was a, it was months and months of effort and I couldn't really point to something that would say this made a deciding factor for us and really helped shape our decision. And the other thing is, the minute that test comes out, everybody else has their own side test that's more, you know, that, that, that basically says, well, we placed fifth here, but in this one we placed first. And so they already start clouding the whole process in and of itself. So.

B

And isn't there. And I swear I saw the name of, I can't remember the name. Maybe somebody in our chat room can jump in with the name. There is a new AI based attack framework as well that has a different name did you see this?

A

I have seen it. I don't recall the name of it.

B

I can't remember the name ten of them. But the thing is, maybe all these vendors are like, you know what? There's all these new. I can't keep up with this old one anymore. I'm done. You know, and they may say the same thing you said, that it's just not reflective of what's going on in the environment and might.

A

I mean, that Miterone was tough. It took them months to get that all squared away.

B

Yeah, well, yeah, that's months. Is. That is a tall ask? That's a really big ask. All right, let's go to our next story. Microsoft to offer free Windows 10 security updates in Europe. Now, Microsoft says it will now offer free extended security Updates for Windows 10 users in the European economic area. The decision was made under pressure exerted by Euroconsumers, a Luxembourg based consumer protection organization that represents 1.5 million households across Europe and Brazil. The group has also asked that Microsoft, quote, postpone the Windows 10 end of support date as it has done with earlier releases. I'll start with you, Brett. An example of a small stakeholder making a big difference. Just 1.5 million. You selected this story. Why is this such a big impact here?

A

I didn't know this was possible. I've been pleading with Microsoft many times to stop certain things and they don't.

B

Listen to get another 1.5 million.

A

Yeah, I mean, I didn't know that this could happen. So what about the us can we delay that? I was actually surprised to see this, to be honest with you, and surprised that they only offered it in the UK and not pass it back here to the US So, you know, I get where Microsoft's trying to go and I think the whole security community needs to get better at upgrades. And as we talked about in the earlier thing and what TC was talking about with the Jaguar building on legacy systems, and then it just causes a problem. I completely understand what Microsoft's trying to achieve, but if the UK can do this, like, throw us a bone back here. Come on.

B

All right, I'm going to you, tc, what's your take on this? Microsoft, the fact that they were able to get him to hold on to the end of life support, not to end it so quickly?

C

Yeah, I, I guess end of life didn't mean what I thought it meant, you know, because I thought the whole thing was, this is like a game of chicken, right? No, no, really, it's the end. It's not going to be supported. I didn't even know that there was an extended security update updates program for Windows 10, which is push hard enough.

B

I guess there is.

C

I mean, paid or not, I didn't even know it was available. And so I think this kind of goes to what Brett was talking about, you know, what does it take to get people off of this legacy?

B

Well, it's interesting. CCL suggests set the Win10 country on your computer to somewhere in the EU and you'll get your free update. It's a great tip.

D

Yeah. But then all of your spelling. Your spelling is going to be off. All the colors. Oh, you are.

A

Oh, yeah.

B

To deal with or organizations.

D

And you have to say. Have to say zed all the time like we Canadians have to do.

B

So I don't. I don't know if it's worth it. Good point. All right, let's. Let's wrap this up, but I'll start with utc. Any thumbs up or face palms with the five stories we recovered today?

C

You know, I'll do. I'll do a thumbs down for the. Or face palm with a. The sim. The SIM article. I just. What I would say is I think it just led to a lot of confusion and speculation, which isn't really relevant to what I'm trying to do to protect the enterprise. Right. Versus some of these other examples that are much more concrete in terms of.

B

But it involved the UN So it's.

C

That's true, but that's someone else's job.

B

Yes, good point. All right, Brett, thumbs up or face palm for you.

A

I'm going to face palm. Not to the direct article, but you're seeing all this stuff with aviation and the issues that they're having, and now we're going to collect all this biometric information. Overse. I can't face palm enough on that one. I just don't know what we're thinking right now.

B

Yeah, that is. That is a. That's a rough one. All right, so as we close out today's show, I want to acknowledge. Acknowledge everybody, CCL who joined in and everyone else. I'll just start with you, Brett. Where can people find you? I'm assuming LinkedIn. Anywhere else.

A

LinkedIn's the best place to find me. Brett Conlon.

B

Brett Conlon, he's the CISO of American Century Investments. And TC Niedzikowski, who's the head of security and IT over at Open Door. Would it be also LinkedIn as well?

C

Yeah, LinkedIn. And then there's the Mac admins, Slack Space and the cloud security forum slack space.

B

Oh okay. All right. And I also want to thank our sponsor and that would be conveyor find calm in every security view. And I want to thank our audience. As always, we can't always get to every comment on the screen, but we deeply appreciate you being here and participating. And if you did not participate and you're listening to the audio only, join us 1pm or I'm sorry, 12:30pm Pacific, 3:30 Eastern for the live show. Don't forget you can always send us feedback by email. We would love to know what you think of the show. Drop us a line@feedbackisoseries.com Please join us next week for another episode of Weekend Reviews starting at 3:30pm Eastern. And to register, join us on YouTube and also add your comments live. Just go to the events page over on cisoseries.com and in the meantime you can still get your daily news fix every day through CyberSecurity headlines. Just six minutes and a couple other things we the entire CISO series team is going to Houston for WHOSE second on Monday we have a party. If you look at the ancillary events on the WHOSE second page you will see that there'll be a meetup the CISO series also. And this I really need from everybody. Go to our Participate page. We're playing a Family Feud style game and we need more people to answer the survey. It's just five questions. They're really fun. Just go to participate.com or not participate. Go to participate on CISO series.com you will see it there. Five questions, super easy to answer. You'll have fun with it and it will really help our game and you'll have a lot of fun as well. Anyways, that's it for me for David Spark Cybersecurity Headlines, Brett Collin, TC Nied Zikowski and our producer Steve Prentice. Thank you very much. Have and I will quote the other reporter goes here. Have a super sparkly day. Cybersecurity headlines are available every weekday.

C

Head to cisoseries.com for the full stories.

B

Behind the headlines.