Transcript
David Shipley (0:00)
A cybersecurity CEO is charged with attempting to infect a hospital with malware. Global CISOs band together to urge world governments to harmonize cyber rules. Microsoft's mystery folder fix might need a fix of its own. And lots of AI talks at BSides San Francisco, with RSA also kicking off this week. This is Cybersecurity Today and I'm your host, David Shipley. Security Affairs reported Saturday that Jeffrey Bowie, CEO of the cybersecurity firm Veritaco, is facing two counts of violating Oklahoma's Computer Crimes Act for allegedly infecting employee computers at Oklahoma City's St. Anthony Hospital. So what happened? According to police, back on August 6, security cameras allegedly caught Bowie roaming the halls of Oklahoma City's St. Anthony Hospital after trying a few locked offices. He reportedly found staff computers, slipped in a thumb drive and planted malware that snapped a screenshot every 20 minutes and sent the images to an outside server. When staff asked what he was doing, Bowie allegedly said he had a relative in surgery and, quote, "needed to check something," end quote. The hospital later discovered the malicious software and, thankfully, no patient data was exposed. The hospital says its security measures contained the threat immediately and that it worked with law enforcement from day one. Two weeks ago, on April 14, police picked up Bowie on an arrest warrant. For context, St. Anthony's is a 773-bed medical center in Oklahoma City's Midtown, offering everything from heart surgery to behavioral health, and this story highlights how important physical security remains when it comes to protecting information and systems. It'll be interesting to see what comes out of this case regarding what happened and what the motivations of the accused were.
Chief information security officers from 45 powerhouse companies, big tech titans, global banks, hospital networks, you name it, have fired off a joint letter to the G7 and the Organisation for Economic Co-operation and Development, or OECD. What are they asking for? They're asking to stop drowning in a patchwork of cyber rules from different regions and jurisdictions at the national and sometimes sub-national level. They're urging world leaders to use these forums to sync up cybersecurity regulations instead of letting everyone go their own way, creating confusing, sometimes conflicting and different requirements. Four big things they're asking for: a single playbook, with alignment and consistent enforcement of rules that already exist; working together between the private sector and the public sector on what's to come next in the regulatory framework, because they want to be brought in earlier when new standards are being contemplated; faster intelligence sharing between governments and the private sector, breaking down bureaucratic walls so that data can move at machine speed and certainly at the speed of attackers; and making sure business gets at the table and stays at the table. Now, why all this matters is that this list cuts across almost every sector and signals growing fatigue with regulatory spaghetti across the world. And the timing is key. The G7 is set to meet in Canada this year, and numerous regulations have popped up in North America, Europe, the UK and Australia that are starting to affect companies that operate globally. Now, if IT regulators listen, we could see a more cohesive approach that improves protection. However, given the geopolitical context we're now in, particularly with respect to the trade situation, cooperation may not be high on the agenda.
Remember the story earlier this month about Microsoft creating a mystery folder in Windows called inetpub that looked to be part of a security patch? Well, it turns out this particular cure may also have problems of its own. As we noted when we first covered this a few weeks ago, deleting or messing with that inetpub folder that was created by the Windows system can cause all kinds of problems, including preventing further security updates. The creation of this folder, which was originally a part of Microsoft's Internet Information Systems, or IIS, web server software, was a mitigation for CVE-2025-21204, an exploitable elevation of privilege flaw in Windows Process Activation. It was a workaround for the flaw instead of patching the code, as it would block a particular kind of symlink attack path. Now, cybersecurity researcher and, for those paying attention, regular pain in Redmond's side Kevin Beaumont, who famously highlighted all the privacy and security flaws in Microsoft's AI Recall tool, recently shared a workaround that attackers could use that could also affect that inetpub folder. In Beaumont's example, attackers running as a standard user, no administrative rights required, could use another symlink approach called mklink to tie inetpub to a particular system executable. When Windows Update tries to run again, it will check that inetpub folder, hit the mklink and then break.
There are lots of great talks on AI this year and its implications for cybersecurity at BSides San Francisco. I particularly enjoyed "Let's Talk About the AI Apocalypse" by Dylan Ayrey, who gave a great primer on weaponizing large language models to create malware, and props to Ayrey for both an incredibly creative presentation style and the quality academic references. The talk was recorded and hopefully will be available on BSides' YouTube channel in the coming weeks or months. During his talk, Ayrey highlighted a fantastic research paper titled, quote, "Refusal in large language models is mediated by a single direction," end quote, that explains how generative AI large language models map relationships between words in an almost three-dimensional spatial map and how they use directional mapping to help generate their results. When a model refuses to give an answer due to safety guardrails, that's often done in a single direction in this map. The researchers found that that direction can be discovered and removed, unlocking previously blocked content. That paper is available on arXiv and a link to it will be available in the show notes. Also, the AI Village demo at BSides San Francisco of deepfake video and audio technology running on six-year-old hardware was fascinating. I learned quite a bit about the interesting ways companies are trying to detect deepfake videos, including heartbeat analysis of the video by looking at things that are imperceptible to the human eye but possible for computers to measure. Unfortunately, this talk was not recorded. Perhaps one of the funniest but also deeply insightful talks I've seen in years came from the fantastic folks at the Electronic Frontier Foundation, titled, quote, "Tracking the World's Dumbest Cyber Mercenaries," end quote. The presentation by Eva Galperin and Cooper Quintin dove into the years-long investigation EFF did on the cyber mercenaries Dark Caracal. As this took place on BSides' main stage, fingers crossed that the recording will also be available, as it is well worth the watch. A link to EFF's interesting 2023 work on Dark Caracal is included in the show notes and is also worth a read. Finally, RSA, the world's largest cybersecurity vendor conference, kicks off this week in San Francisco. Expect lots of press releases from vendors highlighting their latest wares. And for those of you who enjoy a good buzzword bingo game, make sure you add "agentic AI" to your card.
I'll be sharing highlights from sessions and from the vendor booths on LinkedIn and with Jim. If you're at RSA and you'd like to connect, drop me a note on LinkedIn or at david.shipley@beauceronsecurity.com. I've been your host, David Shipley, sitting in for Jim Love, who will be back on Wednesday. Thanks for listening.
