Cybersecurity Today: October Recap – Addressing AI, DNS Failures, and Security Vulnerabilities
Podcast: Cybersecurity Today
Host: Jim Love
Panelists: Laura Payne (White Tuque), David Shipley (Beauceron Security)
Release Date: November 1, 2025
Episode Overview
This October recap dives into the major cybersecurity incidents of the month, focusing on critical infrastructure failures, threats from botnets, vulnerabilities in cloud providers, and the evolving landscape of AI-related security. The panel also grapples with persistent issues in industrial systems, fraud, regulatory needs, and the complex social implications of cybercrime.
1. Cloud Outages and DNS Nightmares
(01:02 – 06:18)
- Major DNS Outages:
  - AWS US-Northeast and Microsoft Azure both suffered significant DNS failures, affecting critical online services from smart beds to pizza orders.
  - Outages revealed how dependent everyday life is on cloud services, with cascading failures across industries: “Everything we do is tied into the cloud and we really haven’t advanced a lot in 30 years. … We’re sitting on a fragile house of cards and I find that kind of scary.” — Jim Love (03:25).
- Cascading Business Impacts:
  - Key productivity features (like phishing report buttons in Outlook) were disabled for numerous clients and a million users during the outages (04:20).
  - Microsoft’s communication about the issue boiled down to: “We don't know what we did but we're going to roll back to a good state. Buckle up.” — David Shipley (05:04).
- Call for Regulation:
  - Discussion about the absence of regulation for cloud hyperscalers: “We regulate every other industry… but not cloud hyperscalers. Good lobbyists. But maybe we should start thinking about that.” — David Shipley (05:42).
2. The Botnet Surge and Fragile Home Networks
(07:08 – 13:36)
- Botnet Traffic Outpacing Legitimate Use:
  - Noted that a botnet-linked URL now overshadows legitimate web traffic, illustrating “just how much traffic there is” — Laura Payne (07:08).
- Aisuru Botnet Evolution:
  - Aisuru, the latest progeny of Mirai, targets routers and IoT devices, causing outbound traffic from US ISPs to be disruptive even before hitting targets (09:04).
  - Nefarious use includes DDoS attacks and residential proxying, undermining conditional access: “Conditional access policies RIP 2025, question mark.” — David Shipley (09:22).
- Router and IoT Device Vulnerabilities:
  - Widespread issues with default passwords and insecure consumer devices.
  - Rumor: TP-Link could be banned in the US due to security flaws (10:43).
- “Escalator Principle” for Failsafes:
  - Laura’s analogy: “When escalators stop working, they are still stairs…IoT device manufacturers, please consider embedding the Escalator Principle.” (12:41)
  - Panel agreed that smart devices should revert to basic functionality offline.
- Quip:
  - “If anybody attacks me, I’ll just fold up like a cheap Venetian blind.” — Jim Love (12:14)
3. Industrial Control Systems (ICS) Under Fire
(14:04 – 21:25)
- Canadian Centre for Cyber Security Warning:
  - Advisory released on ICS abuse and the need for multifactor authentication and not exposing controllers online (14:04).
- Hacktivist Attacks:
  - Industrial targets included water treatment and grain storage, raising both safety and economic risks (15:18).
  - These incidents stemmed from amateur attackers, showing the growing risk even from less skilled threat actors.
- Persistent Vulnerabilities:
  - “Almost everybody that has a [water treatment] plant... has been hacked by either Russia or China.” — Jim Love (16:45).
- Air-Gap Myth:
  - Real-world examples undermined the belief in “air-gapped” ICS, as accidental connections often bridge gaps (18:25).
  - Configuration errors make “air-gap” protections unreliable.
- Attack Surface Extends:
  - Simple disruption tactics (such as disabling alerts) can compromise entire systems (19:23).
4. Script Kiddies, “Prompt Cowboys,” and the Next Generation of Cyber Threats
(21:25 – 23:57)
- Script Kiddies Evolving:
  - Interview with a black hat hacker: “There’s a second wave of script kiddies now…claiming trophy [targets] and they don’t know the damage they can do.” — Jim Love (20:09).
  - Phrase of the week: Prompt Cowboys — those who use AI tools without much knowledge, relying on prompts over technical skill (21:25).
- Radicalization and Recruitment:
  - Highlighted concerning recruitment trends in cybercriminal communities, targeting youths as young as 7 (22:24).
  - Story: Halifax case with child recruits, “the comm” subculture, and talent pipelines feeding advanced crime groups.
  - High youth unemployment as a risk factor: “We’ve got talent, you’ve got tools, you’ve got motivation and you’ve got chaos.” — David Shipley (23:04).
5. Societal and Corporate Risks from Cybercrime
(23:57 – 26:23)
- Disengaged Youth at Risk:
  - Research showing 500,000 young men in California have “gone off the map,” a potential reserve for cybercriminal recruitment (23:57).
- Cybercrime as Option:
  - As law enforcement focuses on physical crimes, more sophisticated, non-violent offenders migrate online, exploiting the “asymmetry” of damage a single actor can cause (25:37).
6. Artificial Intelligence: Progress, Pitfalls, and Peril
(26:25 – 36:27)
- Anthropic Praised for Secure Defaults:
  - Read-only, permission-based AI code model with network isolation earns Anthropic a rare shoutout for being “the only ones…courting enterprise the right way.” (27:15).
- Risks from New AI Browsers:
  - New Chrome-based AI browsers (AI2) are described as rushed to market and insecure:
    - “I would not use these browsers on a corporate network until we figure out how to make them safer.” — Jim Love (28:52).
    - “If you want to create problems for your organization…then have at it.” — David Shipley (30:12).
- Ethics and AI Companies:
  - OpenAI’s move into chatbot erotica and risky rushes to IPO reflect desperate business models over responsible innovation (31:26).
  - “There are lots of lonely people talking to their chatbot. … And we’ll put erotica on there too. Okay. Just anything for a buck.” — Jim Love (32:54).
- AI and Deepfakes:
  - Australian researchers developed photo-to-voice deepfakes that can beat WhatsApp’s voice authentication (36:01).
  - David Shipley warns: “If you're still using voice as a biometric…it's a losing game when someone can take a photo and beat your systems.” (36:21)
- Blended Attacks with Deepfake Voices:
  - Local example of scammers using voice synthesis to extort money from Russian families in Toronto by impersonating relatives (37:44).
  - Advice: Use “safe words”—unique identifiers—for sensitive communications (39:21).
- Notable Quote:
  - “The Internet has machines.” — David Shipley (32:38)
7. Fraud Explosion and the Regulatory Lag
(39:50 – 48:29)
- Corporate Reputational Risk:
  - Discussion on major banks suffering front-page shame after their customers fell victim to scams (41:44).
  - Calls for regulatory mandates on MFA and digital feature controls in banking.
- Payments and Open Banking:
  - Skepticism over instant payment systems: “Old school slow banking…is the reason why people still get some money back when they get scammed.” — David Shipley (44:49).
  - Caution on removing all “friction” from banking processes, as instant settlement makes fraud irreversible.
- Consumer Attitudes:
  - Many users are willing to accept more robust security in exchange for peace of mind (48:04).
8. Patch Management and Vendor Accountability
(56:11 – 63:04)
- Recurring SharePoint Vulnerabilities:
  - Microsoft’s repeated failure to patch SharePoint vulnerabilities led to major compromises, including US nuclear industry suppliers (56:11).
  - Hackathons routinely reveal issues before patches are developed and deployed, giving attackers ample opportunity.
- Industry-Wide Staffing Cuts:
  - Ongoing layoffs at tech giants are gutting security teams, resulting in “one of the worst patch months…in years.” — David Shipley (60:12).
- Poor Patch Quality:
  - Microsoft issued faulty or incomplete fixes, creating “come and get me day[s].” (56:32)
- Notable Quote:
  - “They have no problem reaching me to try to sell me crap. … Or they have AI. They could actually use this.” — Jim Love (59:03)
9. Email Filters, Phishing, and Human Factors
(51:32 – 55:38)
- Insurance Data on Security Controls:
  - An insurtech provider revealed that organizations relying solely on email filters for anti-malware/fraud protection had a 53% spike in claim payouts.
  - “Email and remote access were the root causes for 90% of insurance payouts. What?” — David Shipley (51:14).
  - Email filters are now in the position antivirus once was: not a silver bullet.
- Key Insight:
  - “Good robust defense is people, process, culture, and technology. … This is humans and tech together.” — David Shipley (52:08).
  - Data from phishing studies indicate those who over-trust controls are more likely to fall for attacks (83%+ higher risk).
10. Justice, Sentencing, and Asymmetry in Cybercrime
(64:58 – 72:19)
- Crime and Consequence:
  - Two major fraudsters were arrested by the RCMP and sentenced, but received relatively short sentences (max five years) for impacting 600 families and causing millions in damages (64:58).
  - Differences between US and Canadian sentencing for cybercrime highlighted.
- Moral and Emotional Fallout:
  - Panelists discussed whether white collar, non-violent offenders should be jailed (“the asymmetry problem”), especially as fraud can cause life-destroying outcomes for victims.
- Closing Reflection:
  - “There's not a smoking crater where the factory was, but it might as well be…all of the impacts are on there.” — David Shipley (68:46).
  - Panel calls for more effective, proportional penalties and justice reforms, while not losing sight of due process and second chances.
11. Memorable Quotes & Key Moments
- “When escalators stop working, they are still stairs. ... IoT device manufacturers, please consider embedding the Escalator Principle.” — Laura Payne (12:41)
- “We’re sitting on a fragile house of cards and I find that kind of scary.” — Jim Love (03:25)
- “Conditional access policies RIP 2025, question mark.” — David Shipley (09:22)
- “Email and remote access were the root causes for 90% of insurance payouts. What?” — David Shipley (51:14)
- “Good robust defense is people, process, culture, and technology. … This is humans and tech together.” — David Shipley (52:08)
- “If anybody attacks me, I’ll just fold up like a cheap Venetian blind.” — Jim Love (12:14)
- “If you’re still using voice as a biometric…it's a losing game when someone can take a photo and beat your systems.” — David Shipley (36:21)
12. Final Thoughts and Uplifting Notes
- Laura noted some positive movement: Recent fraudsters have been successfully prosecuted, though sentences remain short relative to the scale of harm (64:58).
- Hope for stronger financial logic and regulatory frameworks in Canada and beyond.
- Ended on a light-hearted note: “Thank you as always, Laura, for being the voice of sanity and wisdom. … I got a free toque.” — Jim Love (72:32).
Key Segment Timestamps
- 01:02 – 06:18: DNS/Cloud outages and societal impact
- 07:08 – 13:36: Botnets, home network fragility, escalator principle
- 14:04 – 21:25: ICS attacks, air-gap fallacy, risks to infrastructure
- 21:25 – 23:57: Script kiddies, prompt cowboys, youth recruitment
- 23:57 – 26:23: Societal impact, radicalization, cyber as crime option
- 26:25 – 36:27: AI security issues, ethical concerns, deepfakes
- 39:50 – 48:29: Fraud, reputation, regulation in finance
- 51:32 – 55:38: Insurance data, phishing, importance of human factors
- 56:11 – 63:04: Patching challenges, Microsoft’s vulnerabilities
- 64:58 – 72:19: Justice, sentencing, and the asymmetry of cybercrime
Overall Tone:
Conversational, occasionally irreverent, thoroughly expert, and at times ruefully humorous (“I’ll just fold up like a cheap Venetian blind.”), with a constant focus on practical implications for businesses, governments, and individuals.
For listeners pressed for time:
This episode offers a comprehensive, candid look at the month’s top cybersecurity stories with a mix of technical deep-dives, blunt observations, and memorable analogies suitable for both professionals and broader audiences concerned about the digital world’s increasing fragility.
