Transcript
A (0:00)
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular, in one integrated solution that's built for performance and scale. You can find them at meter.com/CST.
Qilin ransomware exploits MS Paint and Notepad, and three new open source offerings are trying to improve Heisenberg software bill of materials, OpenAI's Aardvark agent and OpenPCC, which encrypts enterprise AI data flows. This is Cybersecurity Today. I'm your host Jim Love.
A major ransomware player has pulled off a sneaky trick using everyday Windows tools to help locate high-value files before deploying encryption. The group behind the attack is called Qilin, also known as Agenda or Gold Feather, and they've been quietly innovating. In recent investigations, researchers at Cisco's Talos found that Qilin operators used standard Windows utilities like MS Paint and Notepad to open and examine files during reconnaissance. They then exfiltrated selected data using Cyberduck before launching encryption. Why this matters? Well, these are legitimate tools most security teams allow without question. That makes detection that much more difficult. Qilin's campaigns have hit dozens of targets across Canada, the U.S., the U.K. and Europe. And for companies from SMBs to enterprise IT teams, the takeaway is simple. You can't just watch for exotic malware. Watch for legitimate tools behaving oddly. If MS Paint starts opening confidential files, that's a red flag.
A new open source tool called Heisenberg is helping developers and security teams turn static software bills of materials into active supply chain defenses. And frankly, given some of the supply chain attacks we've seen, the need was never greater.
Built by AppOmni, Heisenberg analyzes open source dependencies, data from deps.dev, SBOMs, and external advisories to measure package health, detect suspicious changes, and flag risks before code reaches production. It works in two modes: check mode for single packages like npm or PyPI, and bulk mode to scan entire portfolios. It can even alert developers directly inside pull requests. As AppOmni's head of security Max Feldman says, "We wanted a practical way to catch and block risky changes before they reached the main branch." Instead of waiting for a CVE or a breach, Heisenberg highlights dependencies with poor health scores: packages that are new, unmaintained, or just plain suspicious. If your DevOps pipeline relies on open source components, and who doesn't, you might consider adding a dependency health check like this. Don't treat your software bill of materials as paperwork. Make it part of your real-time defense.
OpenAI has unveiled a new AI agent designed to find and fix software vulnerabilities before attackers can exploit them. The system is called Aardvark and it's described as an autonomous security researcher. Powered by OpenAI's GPT-5 model, it integrates directly into the development pipelines, scanning repositories, monitoring commits, identifying vulnerabilities, and proposing fixes automatically. In testing, Aardvark correctly identified more than 90% of known and synthetic vulnerabilities. It maps a project, validates exploitability in a sandbox, and uses the Codex engine to suggest patches, all with minimal human intervention. OpenAI says Aardvark has already uncovered 10 confirmed CVE-registered vulnerabilities in open source projects while it's in open beta. For DevSecOps teams, this is a major advance.
Yes, questions will remain about trusting automated patching, but this seems to be progress in the right direction, automating tedious tasks so humans can focus on strategy.
And finally, a new open source initiative is aiming to secure the data that fuels enterprise AI. It's called OpenPCC, Open Privacy and Confidentiality Channel. OpenPCC is designed to integrate directly into existing enterprise systems, and it wraps every AI prompt, output and login in end-to-end encryption. It's built on the widely used Model Context Protocol, embedding encryption into data streams so companies can add privacy protection without redesigning their architecture. It's apparently a drop-in upgrade with open source SDKs under the Apache 2.0 license and libraries for secure GPU attestation, encrypted client-to-AI streaming and modern protocols like binary HTTP and oblivious HTTP. Crucially, OpenPCC enforces stateless processing. There's no data stored beyond the immediate request, and because it's open source, enterprises can audit it to meet their own compliance standards. The newly released technical white paper on GitHub details how OpenPCC uses ephemeral encryption keys and aligns with NIST 802 and GDPR Article 25. Now, if it performs as promised, OpenPCC could let enterprises protect sensitive data end to end without slowing down their AI innovation.
I've been extremely critical on the show about what's been happening, or rather what hasn't been happening, in security, and that's why I dug up these three stories. I'm not endorsing any of them, but I do believe you might want to take a look at them. Check the show notes at technewsday.ca or .com on the weekend. You'll be able to find links to these white papers and the stories that back them up.
And that's our show. Once again, we'd like to thank Meter for their support in bringing you this podcast. Meter delivers full stack networking infrastructure, wired, wireless and cellular, to leading enterprises.
Working with their partners, Meter designs, deploys and manages everything required to get performant, reliable and secure connectivity in a space. They design hardware, firmware, build the software, manage deployments and run support. It's a single integrated solution that scales from branch offices, warehouses and large campuses to data centers. Book a demo at meter.com/CST. That's M-E-T-E-R.com/CST.
We've got a great show for you this weekend: an interview with a former black hat hacker, and we have a great chat about security as seen from the other side. I hope you can join us, but if not, we'll be back on Monday with the cybersecurity news. I'm your host Jim Love. Thanks for listening.
