A
You're listening to the CyberWire Network, powered by N2K.
B
This episode is brought to you by Indeed. Stop waiting around for the perfect candidate. Instead, use Indeed Sponsored Jobs to find the right people with the right skills fast. It's a simple way to make sure your listing is the first candidates see. According to Indeed data, sponsored jobs have four times more applicants than non-sponsored jobs. So go build your dream team today with Indeed. Get a $75 sponsored job credit at Indeed.com/podcast. Terms and conditions apply.
C
CISA's acting director exits. Trump's pick to lead the NSA hits Senate headwinds. The Pentagon pressures Anthropic over AI guardrails. A new Wi-Fi attack sidesteps encryption. CISA flags flaws in EV chargers. Juniper patches a critical router bug. ManoMano discloses a massive breach. Europol cracks down on the Com. Greece delivers verdicts in Predator Gate. An alleged carding kingpin lands in US custody. Our guest is Jeff Williams, founder of OWASP and co-founder and CTO of Contrast Security, sharing how NIST is rethinking its role in analyzing software vulnerabilities. And Meta's mischievous monocles meet their match.

It's Friday, February 27, 2026. I'm Dave Bittner, and this is your CyberWire Intel Brief. Thanks for joining us here today. Happy Friday. It is great, as always, to have you with us.

Madhu Gottumukkala is stepping down as acting director of the Cybersecurity and Infrastructure Security Agency, with current Executive Director for Cybersecurity Nick Andersen taking over as interim leader. The change comes one day after CyberScoop reported bipartisan criticism of the agency's performance during the first year of the Trump administration, including scrutiny of Gottumukkala's leadership. A Department of Homeland Security official told CyberScoop that Gottumukkala helped refocus CISA on its statutory mission and reduced contracts to save taxpayer dollars. Gottumukkala will now serve as DHS Director of Strategic Implementation. Sean Plankey's nomination to lead CISA full time remains stalled. Andersen, who has held cybersecurity roles at the Coast Guard, Navy and Department of Energy, has received more favorable reviews from industry and cyber professionals. The leadership shift coincides with reports that CISA Chief Information Officer Robert Costello is also departing.

Senator Ron Wyden, a senior Democrat on the Senate Intelligence Committee, is seeking to block Lt. Gen. Joshua Rudd's nomination to lead the National Security Agency and U.S. Cyber Command, citing concerns about his qualifications and understanding of constitutional safeguards. Wyden wrote in the Congressional Record that Rudd is not qualified and warned that national cybersecurity leaves no room for on-the-job learning. The Pentagon praised Rudd's qualifications and urged swift confirmation. A congressional aide said the Republican-controlled Senate could override Wyden's hold with a majority vote. The leadership dispute follows President Donald Trump's April firing of former NSA Director General Timothy Haugh. During his confirmation hearing, Rudd pledged to follow the law but declined to explicitly oppose warrantless surveillance of US citizens, drawing sharp criticism from Wyden.

The Trump administration is pressuring Anthropic to loosen ethical limits on its AI model, Claude, or risk losing Pentagon business and being labeled a supply chain risk. Defense Secretary Pete Hegseth has given the company a Friday deadline. CEO Dario Amodei says Anthropic cannot agree to contract terms that could allow mass surveillance of Americans or fully autonomous weapons. Pentagon officials say they want to use the model for all lawful purposes and deny plans for illegal surveillance or autonomous weapons. They've warned they could cancel the contract, designate Anthropic a supply chain risk, or invoke the Defense Production Act. Lawmakers, tech workers and former Defense AI lead Jack Shanahan have all voiced concern. This dispute highlights growing tension between military AI ambitions and industry guardrails.

New research reveals that a technique dubbed Air Snitch can bypass client isolation protections across a wide range of Wi-Fi routers, potentially enabling powerful machine-in-the-middle attacks. The researchers say the flaw stems from weaknesses in the lowest layers of the network stack, allowing attackers with network access to intercept and modify traffic even when encryption is in place. Tested devices from vendors including Netgear, D-Link, Ubiquiti and Cisco were all vulnerable to at least one variant. While the attack does not break Wi-Fi encryption itself, it sidesteps safeguards designed to prevent devices on the same network from communicating directly. Experts caution that Air Snitch requires prior network access, limiting its scope. Still, it reopens risks similar to early Wi-Fi attacks and underscores the fragility of longstanding wireless trust assumptions.

CISA reports four critical vulnerabilities in the Switch EV charging platform. The flaws could allow attackers to impersonate chargers, hijack sessions, conduct brute force attacks and disrupt services. No patches are available, and Switch has not responded to coordination efforts. CISA warns the issue could disrupt energy and transportation operations and urges network isolation, firewalls and secure virtual private networks for remote access.

Juniper Networks has issued an out-of-band update for Junos OS Evolved to patch a critical flaw affecting PTX Series routers. The vulnerability allows an unauthenticated attacker with network access to exploit the on-box anomaly detection framework and execute arbitrary code with root privileges. The service is enabled by default. Juniper released fixes in multiple versions and says there's no evidence of active exploitation. Experts warn a compromised PTX router could enable traffic interception and lateral network movement.

Approximately 38 million customers of ManoMano, a France-based online marketplace for DIY, gardening and home improvement products, were likely impacted by a January data breach. The company, which attracts more than 50 million monthly visitors across five European countries, disclosed that attackers accessed a customer support portal through a compromised subcontractor. Stolen data includes names, email addresses, phone numbers and customer service exchanges. A threat actor known as Indra claimed on Breach Forums to have taken 43 GB of data tied to 37.8 million accounts, allegedly via the company's Zendesk platform.

A global law enforcement effort led by Europol has disrupted the Com, the loose online collective tied to ransomware, extortion and violent activity. The operation, known as Project Compass, targeted a network largely made up of teenage boys and young men linked to attacks on retailers including Marks & Spencer, the Co-op and Harrods in 2025, as well as Las Vegas casinos in 2023. Authorities say the group used phishing, voice phishing and SIM swapping to hijack accounts and breach networks. Officials also warn the Com engaged in blackmail and child exploitation, with growing ties to extremist and Russian cybercriminal groups. Over the past year, Project Compass led to 30 arrests and identified 179 suspects, according to Europol's European Counter Terrorism Centre.

A Greek court has sentenced four people, including two Israelis, over the Predator Gate spyware scandal that targeted politicians, journalists and business leaders. The case began in 2022 after opposition leader Nikos Androulakis discovered Predator spyware on his phone. Those convicted include Tal Dilian, founder of Intellexa, and three associates. They received combined sentences totaling more than 126 years, with eight years to be served. The Greek government has denied using the spyware, and in 2024 the Supreme Court cleared state officials. Androulakis has appealed to the European Court of Human Rights.

A 24-year-old Chilean national, Alex Rodrigo Venezuela Mone, has been extradited to the United States over allegations he operated an online marketplace selling stolen payment card data. Known online as Valak, he was arraigned in federal court in Utah on charges related to trafficking in unauthorized access devices and transferring identification information for criminal purposes. Prosecutors allege he ran Telegram channels from 2021 to 2023 that sold thousands of compromised card records, including account numbers and security codes. Indicted in 2023, he was extradited this month and has pleaded not guilty.

Coming up after the break, Jeff Williams, CTO of Contrast Security, shares how NIST is rethinking its role in analyzing software vulnerabilities. And Meta's mischievous monocles meet their match. Stick around.

No, it's not your imagination. Risk and regulation really are ramping up, and customers expect proof of security before they'll sign that deal. That's where Vanta comes in. Vanta automates your compliance process and brings compliance, risk and customer trust together on one AI-powered platform. Whether you're preparing for SOC 2 or managing an enterprise governance, risk and compliance program, Vanta helps keep you secure and keeps your deals moving. Companies like Ramp and Writer spend 82% less time on audits with Vanta. That's not just faster compliance, that's more time for growth. Take it from me: if you're thinking about compliance, take the time to check out Vanta. Get started at vanta.com/cyber.
A
Get in the game with the college-branded Venmo debit card. Rep your team with every tap and earn up to 5% cash back with Venmo Stash, a new rewards program from Venmo. No monthly fee, no minimum balance, just school pride and spending power. Get in the game and sign up for the Venmo debit card at venmo.com/collegecard. The Venmo Mastercard is issued by The Bancorp Bank, N.A. Select schools available. Venmo Stash terms and exclusions apply at venmo.me/stash-terms. Max $100 cash back per month.
C
Jeff Williams is founder of OWASP and co-founder and CTO of Contrast Security. He joins us to discuss how NIST is rethinking its role in analyzing software vulnerabilities.
D
In the early 2000s, researchers were finding lots of vulnerabilities in products, and we needed a way to exchange those. Like, the people that are using those products need to know about them so they can update their software and so on. And NIST established the CVE program, the Common Vulnerability Enumeration program, which would capture those vulnerabilities, assign them a number, and generate certain metadata about those vulnerabilities, like a score, for instance. You want to know which ones are a 10 and which ones are a 4.2. And they made a database that lots and lots of people came to rely on. In the early days, there weren't that many vulnerabilities. But last year I think there were something like 45,000 vulnerabilities that ran through that program, which is a healthy number, and it's predicted to almost double this year.
C
So what's the issue, then, that NIST is taking a look at this? I mean, is it merely just a matter that it's growing so fast it's hard to keep track of?
D
Well, that's part of it, but the big problem happened last year when their funding got cut, and that caused a lot of problems. They got way behind in vulnerabilities that they have to process through. So there's this giant backlog, and that holds up people patching their software and being protected against that stuff. So it's actually kind of a dangerous situation. And when you zoom out, you realize most of the cybersecurity industry is built on top of this tiny little pedestal that is this program run by a few folks at MITRE.
C
Now, simultaneous to this, the EU is launching their own version of this. Is that an accurate way to describe it, the GCVE?
D
Yeah, it's got some differences, but yeah, they saw the struggles that we're experiencing here in the US running this program and they said, well, we don't want to be dependent on just that source for our vulnerabilities. So they created their own authority.
C
Now, is this intended to be something that runs alongside of our own program or could it potentially replace it?
D
It's intended to run alongside it. And that's some of the challenge here, is that instead of having one major vulnerability authority, now we're going to have a bunch. And that creates friction for people that want to use those services. Now imagine you're a company that just wants to make sure you do your updates. Where do you go for that information? Do you go to the old CVE program? Do you go to the new GNA-driven program, the GCVE program in Europe? I said GNA because their system involves multiple numbering authorities, which is kind of another complication. It's a federated kind of approach, which, you know, has advantages and disadvantages, but if you have to check a whole bunch of different places, there might be duplicates, and it creates friction.
C
You'd think we would have learned our lesson just from trying to name threat actors, right? Like, whether it's Fancy Bear or Octopus Panda or... nobody can agree on that. That we wouldn't head down this path again.
D
I'm glad that the CVE program came up with a very simple, unsexy naming approach. CVEs are just named like CVE-2025-0001, and the next one's named 0002. And just some of the vulnerabilities get colloquial names, but most of them don't.
C
How do you suspect this is going to play out?
D
I think it's anybody's guess. I think it's really unfortunate that the US kind of fumbled the ball here. I think we had the potential to be the authority for CVEs for the entire world and really do something good for cybersecurity. But we've kind of bungled it now. We've broken a lot of trust. And so I think now other countries are going to start to build their own databases, and it's going to make a mess of things for a while.
C
What's your advice to the folks who rely on this? How do they approach this, looking at the level of uncertainty that may be ahead of us?
D
I think we just gotta get used to a world where there's multiple vulnerability authorities and you're gonna have a lot of duplicates. Hopefully they have the same numbers. But, you know, it's entirely conceivable that two researchers find a similar vulnerability, report it to their own vulnerability entity, they get different CVE numbers, and they just live as duplicates within this world, which is then going to cause confusion. Like, did I patch it? Did I not patch it? Hey, oh, no, I already did this. How do I track it? Impossible to underestimate the importance of this service in the cybersecurity world. If you don't know where the vulnerabilities are, you can't have a patching program. You can't keep your software up to date. And so this is going to be a pain in the back of my head. I'm like, we really need another service that unifies all these.
C
But then I realized... yeah, that was going to be my next question. It seems like we'll need a deconflicting service, but now you've got three, right?
D
Exactly. There are some things I think they could do that would improve things. I think putting more work into analyzing these vulnerabilities and deconflicting things, making a great API that people can use at massive scale. These things get bombarded with requests. So until very recently, the CVE program didn't have good APIs, and they were constantly going up and down and stuff. So there are things we could do to make this system better and make the world a safer place. But right now it looks like there's, I'd say, disorganization going on.
C
Has there been any call for this task to be transferred to someone other than NIST?
D
Well, CISA got involved when MITRE lost funding. CISA came to the rescue, and so they funded the program for a while. And I think, just in the current political environment in the U.S., I think it's difficult to imagine that this program's gonna get significantly expanded.
C
Yeah, it's hard to be, I guess, overly optimistic about. It feels like folks have to kind of hang on and see what's coming next, see how this shakes out.
D
Yeah, it just seems so foolish to me. Like, this, you know, having a great infrastructure for managing these risks, for the amount of money we're talking about, it's in the low tens of millions of dollars to fund this program. It's a rounding error in the defense budget, and it's really critical. Cybersecurity may be the next battlefield, and keeping it secure is pretty critical to our defense and the safety of the world. So I don't understand the priorities here.
C
Yeah, it really is. It's a common good.
D
Yeah. And I think, you know, I don't know if our current government is really that interested in common goods.
C
That's Jeff Williams from Contrast Security. Your planet is now marked for death.
E
Marvel Studios' The Fantastic Four: First Steps is now streaming on Disney+.
A
We will protect you as a family.
E
Light 'em up, Johnny. Marvel's first family is certified fresh on Rotten Tomatoes.
C
That is fantastic.
E
And critics say it's one of the best superhero movies of all time. Marvel Studios' The Fantastic Four: First Steps, now streaming on Disney+. Rated PG-13.
C
What time is it? It's clobberin' time.

And finally, in the escalating arms race between wearable tech and personal privacy, a hobbyist sociologist has entered the chat. Yves Jean Renault built an Android app called Nearby Glasses that scans for Bluetooth signatures of smart glasses, including those made by Meta in partnership with Luxottica Group, and sends a polite but pointed alert: smart glasses are probably nearby. The app listens for Bluetooth Low Energy advertising signals and flags devices tied to Meta or Snap. It may produce false positives, as one test confused a Meta Quest headset for eyewear, but it reflects growing unease as companies add artificial intelligence features. The New York Times recently reported Meta is exploring facial recognition for its glasses. Jean Renault calls his project a tiny part of resistance. It will not stop surveillance culture, but it might at least let you know when it's looking back at you.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Dr. Renee Burton, Vice President of Infoblox Threat Intel. The research we're discussing is titled "Parked Domains and Direct Search: An Underreported Security Risk." That's Research Saturday. Check it out.

We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's lead producer is Liz Stokes. We're mixed by Trey Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.

If you only attend one cybersecurity conference this year, make it RSAC 2026. It's happening March 23rd through the 26th in San Francisco, bringing together the global security community for four days of expert insights, hands-on learning and real innovation. I'll say this plainly: I never miss this conference. The ideas and conversations stay with me all year. Join thousands of practitioners and leaders tackling today's toughest challenges and shaping what comes next. Register today at rsaconference.com/cyberwire26. I'll see you in San Francisco.
This episode of CyberWire Daily centers on a major leadership transition at the US Cybersecurity and Infrastructure Security Agency (CISA) amid political scrutiny and broader challenges in government cybersecurity stewardship. The show delivers its signature roundup of critical cybersecurity news, including high-profile government appointments, emergent cyber threats, industry updates, and notable legal actions. A key segment features Jeff Williams, founder of OWASP and CTO of Contrast Security, discussing the future of software vulnerability tracking as NIST’s role comes under pressure. The episode also touches on privacy issues in wearable technology.
(00:46 - 04:00)
Notable Quote:
"The change comes one day after CyberScoop reported bipartisan criticism of the agency's performance during the first year of the Trump administration, including scrutiny of Gottumukkala's leadership."
– Dave Bittner (00:46)
(04:10 - 06:30)
Notable Quote:
"Wyden wrote in the Congressional Record that Rudd is not qualified and warned that national cybersecurity leaves no room for on-the-job learning."
– Dave Bittner (04:29)
Segment Start: (13:07)
GCVE Initiative: The EU is launching a GCVE system as a separate authority to avoid dependency on US sources.
Fragmentation Drawbacks: Williams warns of “friction” and potential confusion, as organizations must track overlapping or conflicting databases.
"Imagine you’re a company that just wants to make sure you do your updates. Where do you go for that information?" (Jeff Williams, 15:44)
"It's a federated kind of approach, which, you know, has advantages and disadvantages, but... there might be duplicates and it creates friction." (16:00)
“We just gotta get used to a world where there's multiple vulnerability authorities and you're gonna have a lot of duplicates... Impossible to underestimate the importance of this service in the cybersecurity world. If you don't know where the vulnerabilities are, you can't have a patching program. You can't keep your software up to date.”
– Jeff Williams (18:09)
On the scale of the CVE challenge:
"Last year I think there were something like 45,000 vulnerabilities that ran through that program... predicted to almost double this year."
– Jeff Williams (13:21)
On US global leadership loss:
"I think we had the potential to be the authority for CVEs for the entire world and really do something good for cybersecurity. But we've kind of bungled it now."
– Jeff Williams (17:25)
On the consequences of fragmentation:
“If you don't know where the vulnerabilities are, you can't have a patching program. You can't keep your software up to date. And so this is going to be a pain in the back of my head.”
– Jeff Williams (18:09)
On funding and priorities:
“It's a rounding error in the defense budget and it's really critical... I don't understand the priorities here.”
– Jeff Williams (20:41)
(23:06 - End): Privacy & Wearable Tech
“[Jean Renault] calls his project a tiny part of resistance. It will not stop surveillance culture, but it might at least let you know when it's looking back at you.” (Dave Bittner, 23:06)
This episode offers both a sweeping update on the day’s most important cybersecurity policy stories and a deep-dive into a foundational pillar—software vulnerability tracking—that underpins the entire industry. Through news analysis and expert perspective, listeners gain an understanding of the stakes of government leadership dynamics, the impact of bureaucratic weaknesses, and the types of technical, ethical, and political trade-offs that will shape cyber defense in the near future.