
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular, in one integrated solution that's built for performance and scale. You can find them at meter.com CST.

Cloudflare outages spill into Wednesday and Thursday. Fake shopping websites surge ahead of Black Friday as phishing jumps 36%. AI transcription from a bot at an Ontario hospital sparks a privacy probe. And Salesforce investigates a new data theft wave.

Welcome to Cybersecurity Today. I'm your host, Jim Love.

Cloudflare is having a tough week, and so are its clients. Tuesday brought a major outage where Cloudflare reportedly pulled down several large sites, including Amazon, YouTube and other major platforms. The company said it recovered by midday and later explained the cause: a file containing a list of blocked sites had grown so large that it triggered the disruption. But it turns out the problems didn't end there. Microsoft 365 users continued to struggle throughout Wednesday with issues widely believed to be linked to Tuesday's failure. Microsoft confirmed that some 365 services were down again, saying Office.com and related tools were inaccessible and that updates would be posted on its status channels. Users reported that even after Cloudflare's recovery notice, some files wouldn't open, changes wouldn't sync and apps froze. Those problems seem to have resurfaced again today, with new complaints about documents becoming unusable. Then came a second wave. Wednesday night saw another huge surge of reports for Cloudflare on Downdetector, followed by fresh disruptions. Thursday morning charts showed major platforms like Amazon and YouTube appeared to be hit again, along with a new round of Microsoft 365 trouble. As of Thursday, when we recorded, Cloudflare hadn't provided any explanation for the additional outages. And no matter what Cloudflare eventually reports, the pattern is hard to ignore. Clients will tolerate a single outage. But when failures begin clustering, especially from a company many rely on to prevent disruptions, confidence could start to erode.

NordVPN is warning that fake shopping websites are surging just as Black Friday season gets underway. Their Threat Protection Pro service saw a 250% jump in fraudulent retail sites in October. Fake Amazon sites were up 232%, and fake eBay sites jumped a staggering 500. For attackers, extended sales periods mean more time, more traffic, and more chances to catch someone rushing towards a deal. What makes this wave more effective is how polished the scams have become. Criminal groups are cloning major retail sites down to the layout, the product listings and even the checkout flow. They're also using HTTPS and their own TLS certificates, so the little padlock, once a trusted signal, no longer guarantees anything. People are being pushed to these fake sites through convincing emails, shipping updates and special offer links. And a lot of these emails now masquerade as package tracking alerts, knowing shoppers are expecting deliveries this time of year. Once you click, everything looks familiar enough that many shoppers don't question it. NordVPN said that 68% of consumers worldwide don't know how to identify a phishing website, and phishing in general climbed 36% between August and October. Put those numbers together and it shows attackers aren't acting randomly. They're timing their campaigns for the busiest shopping weeks of the year, knowing people will be moving quickly and not checking URLs closely. One thing for all shoppers to keep in mind, even the security pros, is cognitive overload. Holiday shopping can be hectic. We're juggling multiple tabs, emails, shipping notices and gift lists. Attackers are betting that we'll be distracted and make mistakes. A simple habit can help: avoid clicking any link that claims to take you to Amazon, eBay, or any other major retailer, or any retailer in general. Open a fresh tab, type the address yourself, and search for the item directly. It's one small step that removes a whole category of risk at the busiest time of year.

Toronto's Globe and Mail reported on a disturbing privacy breach at an Ontario hospital that shows how everyday AI tools can quietly slip into the middle of sensitive work. According to a letter from Ontario's Information and Privacy Commissioner, a virtual rounds meeting on September 23, 2024, where seven patients were discussed, was recorded by Otter AI, a transcription bot. After the meeting, a summary and transcript were emailed to 65 people on an invite list, including 12 former hospital staff who should no longer have had access. The chain of events as described in that letter is almost mundane. A physician who left the hospital in June 2023 was still on the meeting invite list and had installed Otter AI on a personal device in 2024. The tool had access to his personal calendar. When the rounds link came up, an Otter bot joined the call under his account, recorded the discussion, and then automatically sent out the notes. The hospital later told the watchdog it had asked staff to delete the emails and remove transcription tools from devices, and it updated its AI policies and firewalls to block Otter AI and similar services. It formally reported the breach to the Commissioner in December 2024 and notified five of the seven affected patients; the other two had died. The Commissioner has recommended that the hospital ask Otter AI to delete any remaining patient data and tighten controls around offboarding and meeting access. University of Ottawa law professor Teresa Scassa told the Globe that this kind of case shows how vulnerable institutions can be as AI tools become more agentic, able to act on their own once they're wired into calendars and workflows. Speaking personally, as an Otter user, I'm not entirely convinced that this is a case of blaming full autonomy. This might just as easily be described as confusing defaults or simple human error. In fact, I've once accidentally sent out a transcript to the wrong person myself, and I learned the hard way to be more careful. But is there anyone who hasn't sent something confidential to the wrong person over email? And we didn't rip out email when that happened, or block it, and for good reason. So why am I defending AI in this context? Isn't it easier just to take it out? Well, doctors today spend as much or more time on documentation as they do with patients, and the administrative load they have is crushing. If we respond to cases like this by retreating from automation, we'll pay a different price in burnout, delays and patients who can't get seen. The real lesson from this breach, in my opinion, isn't that AI scribes are too dangerous. It's that hospitals need secure, approved tools and clear rules and processes. When someone leaves an organization, they should be removed, because if the tools aren't provided, people will keep using AI anyway. They'll just do it behind the organization's back. And that leads to many more errors and vulnerabilities.

Salesforce is investigating another wave of data theft attacks linked to Gainsight, a customer success platform that many companies use to manage post-sales relationships. And while Salesforce stresses this is not a vulnerability in its own CRM platform, the way the attack unfolded shows how long a supply chain breach can echo through connected apps. The story, first reported by BleepingComputer, centers on OAuth tokens, the credentials that let third-party apps talk to Salesforce without a password. Gainsight had already confirmed it was breached using OAuth tokens stolen earlier in the year from Salesloft's Drift integration. Those stolen tokens gave attackers access to business contact details held inside Gainsight systems, including names, email addresses, phone numbers, location details, software licensing information and support case content. Now ShinyHunters, the same group making claims in September, says those earlier secrets have allowed them to access another 285 Salesforce customer environments. Salesforce says it detected unusual activity coming through Gainsight-published apps and immediately revoked all access and refresh tokens associated with them. Those apps were also pulled from the AppExchange. While the investigation continues and affected customers have been notified, one of the underlying questions is how these tokens were stolen in the first place. In the original Salesloft Drift breach, public reporting indicated attackers gained footholds through Salesloft's development systems, including access to GitHub and AWS, where OAuth secrets were stored. That's not a confirmed pathway for this latest round, but it does show how these tokens can leak when development and production boundaries blur. Another problem is lifespan. OAuth tokens used by SaaS integrations often last a long time, far longer than end-user sessions, and many organizations don't routinely rotate or expire them. Once an attacker has one, it can be reused against any connected environment where it still works, bypassing passwords and multi-factor authentication entirely. The bigger picture is this probably wasn't code exploitation at all, it was identity exploitation. And until companies treat their integration tokens with the same care they give to their admin passwords, and more, these long-tail breaches may keep spreading through the supply chain.

And that's our show. Once again, we'd like to thank Meter for their support in bringing you this podcast. Meter delivers full-stack network infrastructure, wired, wireless and cellular, to leading enterprises. Working with their partners, Meter designs, deploys and manages everything required to get performant, reliable and secure connectivity in a space. They design the hardware and the firmware, build the software, manage deployments, and even run support. It's a single, integrated solution that scales from branch offices, warehouses and large campuses all the way to data centers. Book a demo at meter.com CST, that's M-E-T-E-R. I'm your host, Jim Love. Thanks for listening.
Host: Jim Love
Episode Title: Major Cloudflare Outages, Black Friday Phishing Surge, AI Privacy Breach at Ontario Hospital, and Salesforce Data Theft Investigation
Date: November 21, 2025
This episode provides timely updates on significant cybersecurity disruptions affecting businesses and the public, including high-profile service outages, spikes in phishing scams tied to Black Friday, a privacy incident linked to AI tools in healthcare, and newly discovered supply chain risks involving major SaaS providers.
Segment Timestamp: 00:40 – 04:42
Incident Overview:
Continuing Disruptions:
Trust and Business Resilience:
“Clients will tolerate a single outage. But when failures begin clustering, especially from a company many rely on to prevent disruptions, confidence could start to erode.” [03:47]
Segment Timestamp: 04:45 – 08:10
Phishing Trend Data:
Techniques Used:
Consumer Vulnerabilities:
Practical Advice:
“Attackers are betting that we'll be distracted and make mistakes. A simple habit can help: avoid clicking any link that claims to take you to Amazon, eBay, or any other major retailer… Open a fresh tab, type the address yourself… one small step that removes a whole category of risk at the busiest time of year.” [07:50]
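The host's advice comes down to one check: does the link really land on the retailer's own domain? The script below is an added example, not code from NordVPN or the podcast, that performs that check on links pulled from an e-mail body. It treats a host whose registrable domain is not the claimed retailer (amazon.com.secure-checkout.example, amaz0n.com, or the userinfo trick https://amazon.com@evil.example/) as a lookalike, and any host with non-ASCII or punycode labels as confusable. The retailer allowlist, the tiny multi-label suffix set and the sample e-mail are assumptions constructed for the example; real code should use the full Public Suffix List (for instance via the `tldextract` package).

```python
"""Does a link that claims to go to a retailer actually go there?

Added example; not code from NordVPN or the podcast. The allowlist and the
suffix set are assumptions; production code should use the Public Suffix List.
"""
from __future__ import annotations

import re
from urllib.parse import urlparse

# Retailers the shopper expects to reach (assumed allowlist).
KNOWN_RETAILERS = {"amazon.com", "amazon.ca", "ebay.com", "ebay.ca"}

# Multi-label public suffixes needed by the constructed samples; the real PSL has thousands.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """'www.amazon.co.uk' -> 'amazon.co.uk'; 'amazon.com.evil.example' -> 'evil.example'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_link(url: str, claimed_retailer: str) -> str:
    """Classify one URL against the retailer it claims to be.

    'ok'             registrable domain is exactly the claimed retailer
    'lookalike'      ASCII host whose registrable domain is something else
    'confusable'     host has non-ASCII or punycode (xn--) labels, or the
                     parser rejects the netloc after Unicode normalisation
    'not-a-web-link' not an http(s) URL with a host (mailto:, javascript:, ...)
    """
    try:
        parts = urlparse(url)
    except ValueError:
        return "confusable"
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return "not-a-web-link"
    host = parts.hostname  # .hostname drops userinfo and port and is lowercased
    if any(label.startswith("xn--") for label in host.split(".")):
        return "confusable"
    try:
        host.encode("ascii")
    except UnicodeEncodeError:
        return "confusable"
    if registrable_domain(host) == claimed_retailer.lower():
        return "ok"
    return "lookalike"


def scan_message(text: str, claimed_retailer: str) -> dict[str, str]:
    """Extract every http(s) link from an e-mail body and classify each one."""
    return {url: classify_link(url, claimed_retailer) for url in URL_RE.findall(text)}


# Constructed sample: a fake "package tracking" e-mail of the kind described above.
SAMPLE_EMAIL = """\
Your Amazon order has shipped! Track it here:
http://amazon.com.secure-checkout.example/track?id=1
or sign in at https://amazon.com@evil.example/login
Real help: https://www.amazon.com/gp/help
"""

if __name__ == "__main__":
    for link, verdict in scan_message(SAMPLE_EMAIL, "amazon.com").items():
        print(f"{verdict:14s} {link}")
```

The check deliberately ignores the padlock and the certificate, for the reason the host gives: attackers obtain valid TLS certificates for their own domains, so only the domain itself tells you anything.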
Segment Timestamp: 08:11 – 14:20
Breach Details:
How It Happened:
Expert Commentary:
“Speaking personally, as an OTTER user, I’m not entirely convinced this is a case of blaming full autonomy… This might just as easily be described as confusing defaults or simple human error… We didn’t rip out email when [mistakes] happened… If we respond to cases like this by retreating from automation, we’ll pay a different price in burnout, delays and patients who can't get seen.” [12:00–13:37]
Takeaway:
Segment Timestamp: 14:22 – 18:52
Incident Summary:
Technical Details:
Critical Insights:
Larger Concern:
“The bigger picture is this probably wasn’t code exploitation at all, it was identity exploitation. And until companies treat their integration tokens with the same care they give to their admin passwords and more, these long tail breaches may keep spreading through the supply chain.” [18:11]
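The two controls the episode calls for are an inventory of integration tokens with rotation and expiry, and offboarding that actually removes departed people (the hospital segment's stale invite list is the same failure on a different system). The script below is an added example, not code from Salesforce, Gainsight or the podcast, that audits a set of OAuth grants against such a policy and produces a revocation plan. When an app is known compromised, every grant that app holds is revoked, mirroring how Salesforce pulled all access and refresh tokens for the Gainsight-published apps rather than only the ones seen misbehaving. The grant records, app names, thresholds, approved-app list and departed-user list are all constructed assumptions; a real run would read grants from the platform's connected-app or OAuth-consent API and push revocations back through it.

```python
"""Audit the OAuth grants held by third-party SaaS integrations.

Added example; not code from Salesforce, Gainsight or the podcast. Records,
thresholds, app names and the departed-user list are constructed assumptions.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_TOKEN_AGE = timedelta(days=90)   # assumed policy: rotate integration tokens quarterly
MAX_IDLE = timedelta(days=30)        # assumed policy: an unused grant is revoked after a month
APPROVED_APPS = {"gainsight-connector", "drift-sync"}   # hypothetical approved integrations
DEPARTED_USERS = {"bob"}                                 # constructed HR offboarding feed
BROAD_SCOPES = {"full", "admin"}                         # assumed over-privileged scopes


@dataclass(frozen=True)
class Grant:
    app: str
    user: str                       # the identity the token acts as
    issued_at: datetime
    last_used: Optional[datetime]
    expires_at: Optional[datetime]  # None means the refresh token never expires
    scopes: frozenset[str]


def _ts(value: Optional[str]) -> Optional[datetime]:
    return datetime.fromisoformat(value) if value else None


def load_grants(jsonl: str) -> list[Grant]:
    """Parse one JSON object per line into Grant records."""
    grants = []
    for line in jsonl.strip().splitlines():
        d = json.loads(line)
        grants.append(Grant(d["app"], d["user"], _ts(d["issued_at"]), _ts(d.get("last_used")),
                            _ts(d.get("expires_at")), frozenset(d.get("scopes", []))))
    return grants


def audit_grant(g: Grant, now: datetime) -> list[str]:
    """Policy findings for one grant; an empty list means it passes."""
    findings = []
    if g.app not in APPROVED_APPS:
        findings.append("app-not-approved")
    if g.user in DEPARTED_USERS:
        findings.append("owner-departed")      # offboarding never reached this grant
    if g.expires_at is None:
        findings.append("no-expiry")
    if now - g.issued_at > MAX_TOKEN_AGE:
        findings.append("stale-token")         # never rotated
    if g.last_used is None or now - g.last_used > MAX_IDLE:
        findings.append("idle-grant")          # still valid, but nobody legitimate uses it
    if g.scopes & BROAD_SCOPES:
        findings.append("over-broad-scope")
    return findings


def revocation_plan(grants: list[Grant], compromised_apps: set[str],
                    now: datetime) -> dict[tuple[str, str], list[str]]:
    """Map (app, user) -> reasons, for every grant that should be revoked.

    A grant is revoked if it fails policy or if its app is known compromised:
    once an integration's tokens have leaked, every token that app holds goes.
    """
    plan: dict[tuple[str, str], list[str]] = {}
    for g in grants:
        reasons = audit_grant(g, now)
        if g.app in compromised_apps:
            reasons = ["app-compromised"] + reasons
        if reasons:
            plan[(g.app, g.user)] = reasons
    return plan


NOW = datetime(2025, 11, 21, tzinfo=timezone.utc)

# Constructed inventory; not real Salesforce or Gainsight data.
SAMPLE_GRANTS = """
{"app": "gainsight-connector", "user": "alice", "issued_at": "2025-01-15T00:00:00+00:00", "last_used": "2025-11-20T00:00:00+00:00", "expires_at": null, "scopes": ["api", "refresh_token"]}
{"app": "drift-sync", "user": "bob", "issued_at": "2025-10-01T00:00:00+00:00", "last_used": "2025-10-05T00:00:00+00:00", "expires_at": "2026-10-01T00:00:00+00:00", "scopes": ["api"]}
{"app": "survey-widget", "user": "carol", "issued_at": "2025-11-01T00:00:00+00:00", "last_used": "2025-11-20T00:00:00+00:00", "expires_at": "2025-12-01T00:00:00+00:00", "scopes": ["full"]}
{"app": "drift-sync", "user": "dave", "issued_at": "2025-11-10T00:00:00+00:00", "last_used": "2025-11-20T00:00:00+00:00", "expires_at": "2026-01-01T00:00:00+00:00", "scopes": ["api"]}
"""

if __name__ == "__main__":
    for key, why in revocation_plan(load_grants(SAMPLE_GRANTS), {"gainsight-connector"}, NOW).items():
        print(key, why)
```

Run on the constructed inventory, only dave's recently issued, recently used, expiring, narrowly scoped grant survives; alice's grant goes because its app is compromised (and it would have failed anyway for having no expiry and never being rotated), bob's because he has left and the grant sits idle, carol's because the app was never approved and holds a full-access scope.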
On Repeated Service Outages:
On Holiday Phishing Risks:
On AI Breach Response:
On Supply Chain Security:
This episode draws a clear map of today’s evolving cyber threats: repeated large-scale outages, sharper and more convincing fraud techniques timed for seasonal shopping frenzies, unintentional data exposure through AI tools in sensitive fields, and the dangerous longevity of integration tokens in cloud supply chains. Jim Love’s analysis is pragmatic, urging smart risk habits and institutional preparedness—not panic or reactionary bans—to ensure both security and continued business effectiveness.