Cyber Security Headlines: Week in Review – September 26, 2025

Main Theme:
This episode explores the major cybersecurity events from the past week, including high-profile attacks on Jaguar Land Rover and European airports, advancing prompt injection attacks via AI like ChatGPT, a major cell tower threat in NYC, MITRE EDR evaluation withdrawals by top vendors, and Microsoft’s surprising move to extend Windows 10 security updates in Europe. CISO Series host is joined by Brett Conlon (CISO, American Century Investments) and TC Niedzikowski (Head of Security and IT, Open Door) for analysis.

Key Discussion Points & Insights

1. High-Profile Ransomware Attacks: Jaguar Land Rover & European Airports (01:47–05:39)

• Jaguar Land Rover: A ransomware incident worsened by all factories sharing the same IT and cybersecurity infrastructure, leaving no room to isolate compromised systems.
• Airports Hit (Heathrow, Brussels, Berlin): Similar problems as above—shared systems led to widespread disruptions in check-in and baggage handling.

Insights

• Brett Conlon:
  “Our digitization drive is outpacing our security maturity. The symptoms are overreliance on unhardened tech in the ecosystems, whether it’s travel, whether it’s our car manufacturers.” (03:23)
  • Stresses the risks of over-consolidation and insufficiently secure digitization.
  • Warns about readiness for massive biometric data storage in EU’s new entry system: “Are we really there from the security standpoint to carry all this biometric data? And guess what? If you don’t give it to them, you can’t come in.” (03:53)
• TC Niedzikowski:
  “In both organizations, the infrastructure… was very legacy. In this case, it was a ransomware variant that’s a decade old—Microsoft Defender signatures would have picked this up for the last 10 years.” (04:47)
  • Highlights prevalence of unpatched legacy systems in critical sectors (government, healthcare, manufacturing).
  • Observes that modern tech companies move faster but core infrastructure lags far behind.

2. AI Prompt Injections & CAPTCHAs – The Cat-and-Mouse Game (05:39–10:41)

Key Stories

• ChatGPT Solving CAPTCHAs: Research revealed how conversational AI can solve CAPTCHAs when prompted cleverly.
• Salesforce Prompt Injection: Researchers found that embedded instructions in documents can trigger LLMs (large language models) to execute attacks when those docs are ingested downstream, as demonstrated in Salesforce’s own Einstein AI/Agent Force feature.

Insights & Notable Quotes

• TC Niedzikowski:
  “CAPTCHAs… have been really easy for an adversary to overcome … now it’s even less than pennies. You’re paying for tokens in order to have ChatGPT do it for you.” (07:25)
  • Some CAPTCHA types (like image rotation) still resist AI—for now.
  • Salesforce’s advice was “to audit existing lead data for suspicious submissions containing unusual instructions. … That is just—no.” (08:30)
  • “Two million rows to see if they make sense.” (09:13, sarcastically)
• Panel (On CAPTCHA Frustration):
  “The essence of CAPTCHA is not so much the rotating of the pictures, but only humans will go, ah, every time they have to do that … If their face gets hot and they’re pissed off, then you know, they’re annoyed.” (09:16–09:33)
• Brett Conlon:
  “Salesforce’s answer was scrutinize your own workflows [which] was a non-answer… They were absolving themselves of the problem.” (09:39)
  • Sees the next threat as AI-powered exfiltration through downstream prompt injections: “You’re no longer breaking in via SQL injection. You’re going to use AI against the company in forms, comments, chatbots…” (10:20)

3. Card Farm Threat to NYC Cell Towers (12:43–15:38)

• Massive SIM Farm Bust: Secret Service takes down a network of 100,000+ SIM cards and 300 servers by NYC, capable of disrupting cellular networks ahead of the UN General Assembly.
• Cost & Coordination: Infrastructure cost estimated at $2–3 million. Highly coordinated—far beyond typical SIM-swapping/everyday cybercrime.

Insights

• TC Niedzikowski:
  • “Is this just a good timing for a PR release since they were found back in August? Is this really normal? … That’s like 2 to 3 million dollars in infrastructure alone.” (13:46)
• Brett Conlon:
  “That infrastructure is going to take, gosh, high-level coordination, either organized crime, maybe military grade… But we did find it and take it down. And maybe that was sort of a message to our adversaries…” (13:57)
• Host:
  “Hopefully…the fact it was found, it will hopefully deter the next one for not spending that kind of money. I would hope so.” (14:56)
• TC Niedzikowski:
  “The New York Times article had a great quote. They called…having the UN in New York…‘the Olympics of cyber espionage.’” (15:29)

4. MITRE EDR Evaluation: Top Vendors Withdraw (16:49–20:35)

Key Points

• Major vendors (SentinelOne, Palo Alto, Microsoft) opt out of MITRE’s next EDR (Endpoint Detection and Response) evaluation due to rising resource demands.
• MITRE plans to retool the evaluation for 2026 in response.

Insights

• TC Niedzikowski:
  “Biggest market cap in the space, pulling out, where people that are still—they gotta fight to get name recognition… I think the other thing going on here is…cuts in the funding for MITRE, how many people it takes to run this program… how ambitious it is…” (17:17)
  • MITRE EDR evaluations seen as valuable, but burdensome.
• Brett Conlon:
  “It was laborious and not always indicative of how the real world configurations were set up…a lot of the time, it was months and months of effort and I couldn’t really point to something that would say this made a deciding factor for us…” (19:06)
  • Notes everyone has their own “side test” when the MITRE results are published: “They already start clouding the whole process.”

5. Microsoft Extends Free Windows 10 Security Updates in Europe (21:24–22:58)

• Key Development: Under pressure from European consumer groups, Microsoft grants free extended security updates for Windows 10 in the European Economic Area.

Insights

• Brett Conlon:
  “I didn’t know this was possible. I’ve been pleading with Microsoft many times to stop certain things and they don’t… So what about the US? Can we delay that? I was actually surprised to see this, to be honest with you…” (21:24)
• TC Niedzikowski:
  “I guess end of life didn’t mean what I thought it meant… I didn’t even know that there was an extended security update program for Windows 10, but push hard enough, I guess there is.” (22:26)
  • Admiration for EU advocacy power; suggests the US might try for the same.
• Audience suggestion (humorous):
  “Set the Win10 country on your computer to somewhere in the EU and you’ll get your free update.” (22:50)
  • Panel jokes about spelling and pronunciation differences in UK/EU OS settings.

Memorable Quotes & Moments

• Brett Conlon (Biometric data storage in EU):
  “Are we really there from the security standpoint to carry all this biometric data? And guess what? If you don’t give it to them, you can’t come in.” (03:53)
• TC Niedzikowski (Prompt injection in Salesforce):
  “...Malicious user submits like a lead with basically prompt injection as the payload. And then when you pick it up with Agent Force or Einstein AI, it ends up executing that payload… inside your network.” (08:14)
• Host (On CAPTCHA pain):
  “Only humans will go, ah, every time they have to do that to try and get somewhere. So that’s what determines that you’re truly a human.” (09:16)
• On the NYC SIM card farm:
  “That’s some serious investment in cybercrime here.” (13:46)
• TC Niedzikowski (NYC/UN):
  “The New York Times article had a great quote…they called it ‘the Olympics of cyber espionage.’” (15:29)

Segment Timestamps

• [01:47] – Ransomware at Jaguar Land Rover & European Airports
• [05:39] – AI Prompt Injections & CAPTCHAs
• [12:43] – NYC SIM Card Farm Threat
• [16:49] – MITRE EDR Evaluation Withdrawals
• [21:24] – Microsoft Windows 10 Extended Updates in Europe
• [23:24] – Hosts’ Thumbs Up/Face Palm on the week’s stories

Tone & Style

The hosts and guests combine frank, pragmatic analysis with industry-insider humor:

• Willingness to critique industry practices and vendor responses (“That’s just—no.” — TC, 08:30).
• Self-deprecating jokes about forced upgrades, CAPTCHAs, and regional software quirks (“...all your spelling is going to be off... Have to say zed all the time” — 22:58).
• Emphasis on the practical challenges security leaders face—legacy tech, vendor cooperation, real-world deployment.

Closing Remarks

• Panelists share their platforms: LinkedIn; TC also frequents MacAdmins and CloudSecurityForum Slack spaces.
• Hosts encourage listeners to join the live chat and provide feedback.
• Final face-palms/thoughts:
  • TC: Face-palm on SIM article for its fuzziness and irrelevance to most enterprises.
  • Brett: Face-palm on aviation and European biometric data collection: “I can't face-palm enough... I just don't know what we're thinking right now.” (23:51)

For further stories and daily updates, visit cisoseries.com or check out Cyber Security Headlines.