
Greg Otto
A lot of talk about Apple security on the RSA floor. We'll talk about it on this episode of Safe Mode.
Welcome to Safe Mode. I'm Greg Otto, editor in chief at CyberScoop. Every week we break down the most pressing security issues in technology, providing you the knowledge and the tools to stay ahead of the latest threats, while also taking you behind the scenes of the biggest stories in cybersecurity.
An attack is coming. It's about keeping us safe. He's just a disgruntled hacker.
Michael Covington
She's a super hacker.
Matt Kapko
Stay alert.
Greg Otto
Stay safe.
Stay safe.
This is Safe Mode.
Welcome to this episode of Safe Mode. I am your host, Greg Otto. In our interview segment this week, we're talking with Michael Covington, the VP of strategy for Jamf. Jamf is a mobile security company that specializes in protecting enterprises' Apple and iOS devices. And if you've been reading CyberScoop, you know that it has been a really busy week in the world of iOS security. So we jump into the Dark Sword conversation with Michael and all of the things that he thinks enterprises should and should not be worried about when it comes to this leaked exploit kit that has been bouncing around the Internet. But first, talking with Matt Kapko, who has joined me out in San Francisco for the 2026 RSA Conference. Matt, thanks for joining us.
Matt Kapko
Thanks for having me on, Greg.
Greg Otto
So let's talk about the things that we have been hearing, especially in the federal realm, because I would say that, look, we know that Feds pulled out of talking at RSA, but that does not mean that there wasn't conversation about things that were going on in D.C., especially with the national cybersecurity strategy that was just released. And a big part of that cybersecurity strategy was companies going out on the offense. And since that has been released, there's been a lot of talk about what exactly does that mean? And we know that Sean Cairncross, National Cyber Director, has been out saying that doesn't mean hack back. We do not want hack back. That would be bad. That's still pretty universal in that hack back is bad. But that aside, what does that mean? What does active disruption mean? And we both sat in on a panel with some heavy hitting policy people that really got into the cybersecurity strategy and what they've seen since it's been released. So let's talk about it, because you wrote the article, we were both in the session and we thought it was really interesting, the takeaways that we heard.
Matt Kapko
Yeah, I agree. I mean, these policy professionals were really evangelizing what they enjoyed about the cyber strategy, the nuance, I think, with the disruption strategies. It's about asking the technology companies, particularly those that control major systems, to actually remove resources that cybercriminals are using to conduct these attacks. Right. It's not about hacking back, it's about taking away the tools that they're using for attacks.
Greg Otto
But it was really interesting to hear some of the policy people say that this was or this is different. Like, it really does feel different. And I was really surprised. We sat in on a panel with Jamil Jaffer, David Lashway, who runs a cyber division of a law firm in D.C., Wendy Whitmore, who is at Palo Alto, who we talk to frequently about cybercrime. And they were all pretty universal in saying no. We have seen a marked change since this strategy has come out in that we're talking more, we're being open, we're being upfront, and we're being a lot more active in reaching out in collaboration, and when it comes to taking things down, just working together. Now, me personally, this is my personal just opinion based on covering this over the past 10 years, a lot of what is going on doesn't seem to be some new tool that wasn't already at the disposal of the federal government. And I had some other people, some other sources that were also at the conference pull me aside and say basically that same thing where it was like, okay, being loud about it, fine. But if you're talking about being a little bit more definitive in the legal aspects of what needs to be done, or if you're picking up the phone a lot more, we could have done that without being so gung ho about it. Like that was already at the disposal. For some people, the jury is still out, but for others, like who we saw on stage, they were really. There was a great quote. Jamil Jaffer said, what we want to do is treat this as like a bully in the schoolyard, basically, that instead of being quiet about it, we want to be loud about it. That if we get punched in the face, we can punch back, tell everybody we punched back, and we're not going to be messed with. A blunt metaphor, to say the least, but an interesting juxtaposition of the way that people in D.C. are thinking about what this new paradigm looks like.
Matt Kapko
Yeah, I agree. This is my personal opinion too, but it is hard to believe that in a matter of two weeks that that much has changed. But they were saying that dialogue has increased and the government is more supportive than ever before. I guess time will tell on that.
Greg Otto
And we also saw Google be very vocal about this. Sandra Joyce, who runs GTIG and the Mandiant Cloud, all of that that we know, gave a keynote where she talked about how important this is for Google and just for companies that are really looking to partner with the government and partner with the industry overall in making some promises on all of the cybersecurity mantras and the things that we've heard at this conference for years that we're going to do it and it just hasn't happened. She has been talking about this for a while. I mean, we reported months ago that they were going to stand up a threat disruption unit and be a lot more vocal about it. And we saw that at RSA with what Sandra said. I know that you also watched that presentation. I wonder what your takeaways were.
Matt Kapko
Yeah, certainly. I mean, she used the IP idea takedown as an example of this. Again, this is about Google using its vast resources to take down the infrastructure that cybercriminals are using to conduct attacks. Again here, though, Google has been doing this for a while. I think that they're just talking about it more publicly and giving it some more formal recognition, right?
Greg Otto
I mean, yes, so there is some more formal recognition about what they're doing. But we did talk to some Google experts that were like, we've been doing this for years. Like, we're. The real change is that we're just going to be a little bit more loud about it and we're going to let people know, we're going to let the threat actors know it was us. Basically, it's almost reminiscent of that famous Game of Thrones scene where Lady Olenna tells Jaime Lannister, tell Cersei it was me. Like, I almost feel like Google's, we're going to tell you it's us. It is interesting, though, to see just how much the rest of the industry is going to follow along. Like, because there's only so many companies that really can pull the lever here. There's Google, Microsoft, Palo Alto that have been really working at this. But we haven't heard too much. At least I haven't heard too much from other companies that like, yes, we're on board. Obviously, if that comes through the lens of the cybersecurity strategy and the cybersecurity strategy is only a few weeks old, maybe we start to see that more, because I know that implementation documents are coming in the coming months too. But it was really interesting to hear from the big players how much, how gung ho they are about this.
Matt Kapko
Yeah, I agree. I think that's a good point. There's, I mean, if we're being generous, maybe 10 companies that can really make an effective change in this regard and there's probably even a smaller number that are willing to put a target on their backs effectively. Right. That potential blowback by being loud about these disruption efforts. Yeah, that could come back on them. I think Google, Microsoft, these tech giants, they can absorb that more than most.
Greg Otto
So switching gears, of course, with it being the RSA conference, there were buzzwords aplenty and agentic AI is on the tips of everybody's tongue. It was very stark for me. I won't say who it was because not that it was necessarily off the record, but it was just an idle conversation. A CISO of a publicly traded company, big publicly traded company, we'll just say a technology company talked to me about agentic AI and how he was giving a talk at one of the side events at RSA with other CISOs at top public, private, huge companies. He said, I was giving a talk on agentic AI, but I'm going into this really as sort of like a workshop because guess what, I don't know what I'm doing. And I know some of those other CISOs in the room are saying, I don't know what I'm doing either. So I feel like I'm going in there to raise my hand and go, anybody got any answers? Because I really haven't figured out what the course of action is here. And that's really a refrain that I heard from a lot of people that I talk to where this is so nascent that we're just kind of figuring out as we go, which I feel is a double-edged sword.
Matt Kapko
Yeah, I agree. I mean, I think there's, you've had conversations, I know, to this effect too. There's just this growing concern or acceptance that AI is going to cause some serious problems in the next year and beyond. I think professionals, at least those that aren't selling a product, are no longer vacillating between whether AI will be used for good or bad. Right. The bad is coming. It's going to be loud, it's going to be aggressive. We're all going to feel the impacts
Greg Otto
and not just the CISOs. I know the experts are really thinking through these problems too and really like, look, I really hate to make this sound like FUD. I don't like doing that in the pages of CyberScoop or what we do here on Safe Mode. But I sat down with Alex Stamos, Kevin Mandia, Morgan Adamski and talking about AI security and they were really, I don't want to say frightened, but they were like very genuinely and organically talking about, look, the next two to three years are going to roll out in ways that are completely unprecedented for this industry. We just don't know where this is going to go because of the way specifically that threats are going to be able to be found, the speed at which threats are going to be able to be found, the speed at which exploits are going to be built and the speed by which vulnerabilities are going to be exploited. It's just going to be unprecedented in the way that the cybersecurity industry knows. It's funny. If the article is not out, I will be writing an article. As of this recording, it is not written yet, but it will be out hopefully by the time that everybody is listening to this, where they talk about the things that people need to worry about and how things are going to change. And Alex Stamos said something very, very interesting where he can see a world where we have Patch Tuesday and then we have exploit Wednesday, the very next day, or with the open source, just the sheer amount of open source software that is used, whether it's in security or just technology writ large, that we don't know what's coming because of the speed. Like open source is a really, really big problem, especially with agentic AI and exploit development. And people need to start finding answers because the attackers are going to start gearing up. So I thought that that was really prescient in that I had all these experts that are saying no, like this is going to get weird basically, if not worse.
Matt Kapko
Right. I think the industry is just unprepared for this too. Right. They still haven't addressed the decade old problems that are underlying all of these issues within technology. It's gonna hit them in the face.
Greg Otto
And that's, it's funny that you say it that way too because Morgan Adamski said something to that which I write about in the story, which he basically said that this technology is going to find yesterday's exploits. And that's something that, I think that was a very succinct way to wrap your mind around that, that there's still a lot of vulnerabilities out there. Like there are, you know, a lot of people creating AI agents that are basically acting as red teamers or software auditors and the AI comes back and they're finding high level, critical level bugs and stuff that has been looked over by humans over the past 20, 25 years and they did not find it. That's a very new paradigm to say the least. And we're seeing a little bit of it too, even just this week because you wrote about this issue in Trivy, which I will let you talk to our listeners about. This Trivy hack, I feel like, is a good example of what's coming down the pike.
Matt Kapko
Yeah, so with this attack, it was an open source software tool that is used to find vulnerabilities in open source repositories. Over a thousand companies already impacted just in a matter of days. Mandiant thinks up to 10,000 companies might be impacted. Ultimately it just keeps on going further downstream. I think this speaks to just a broader problem or trend in the industry that security tools and security vendors are under attack. I don't think this gets acknowledged enough. I've been pressing some of the companies this week on this issue because I think it's a growing trend and it says a lot about the industry's ability or inability to thwart this problem that they're all confronting.
Greg Otto
Matt, really interesting week. A fun week to get together and talk about all of this stuff with all of the people that are in this industry and are really looking forward out into the horizon to see what we're going to be writing about over the next year. Really good conversation. Any other takeaways from RSA that you have?
Matt Kapko
I'm looking forward to some more conversations today with Mandiant and I'm really trying to understand more about this Trivy supply chain attack. It exemplifies some broader issues that we haven't fully grappled with in the industry. If this type of an attack can hit that many companies all at once, there's going to be more coming like that. And I think AI, for example, is a way that that could just accelerate.
Greg Otto
Great. Look forward to reading about it in the pages of CyberScoop. Matt, thanks for joining us.
Matt Kapko
Thanks for having me on, Greg.
Greg Otto
All right, now to our interview with Michael Covington of Jamf. One of the big stories at RSA has been this GitHub leak of the Dark Sword exploit kit. We talked with Tim Starks about this last week, who has been covering this, and the news just keeps coming out. The fact that this exploit kit is now available on GitHub has people talking and we talked to Michael about it. Michael specializes in guarding enterprises and their use of iOS. So we talked with Michael to really sit down and say, if you are worried about this Dark Sword exploit kit, what can you do to protect your enterprise? And hey, you'll be surprised to learn that the answers have always been there. So check out our interview with Michael.
All right, joining us on this week's Safe Mode, we're here at the 2026 RSA Conference and I'm talking with Michael Covington, the VP of Strategy for Jamf. Perfect week to be talking to Michael, as we've heard a lot at RSA about Dark Sword, the leaked iOS exploit kit. And this comes on the heels of the week before, the Karuna exploit kit. We've seen reports now that the Dark Sword exploit kit has been thrown up on GitHub and a lot of people have been talking to us to go, this is not great. Especially when we talk about what we know in terms of Apple security and the walled garden. This is a new paradigm. So Michael, I really appreciate you taking some time to talk to us about this.
Michael Covington
Hey, thanks for having me. It's an exciting week. Lots of security topics around mobile, I think for discussion. And it starts with just understanding that baseline that customers are getting out there.
Greg Otto
So the GitHub leak fundamentally changes things. And especially in terms of like the speed of seeing these high level exploit kits being weaponized. What are you seeing in terms of not just with this, but like the Apple ecosystem? Are we talking days or hours before commodity threats are being deployed like this? I mean that's a new paradigm when it comes to iOS security.
Michael Covington
Lots to unpack there. Let's start maybe with the good news. Just a couple weeks ago we saw that iPhone and iPad were approved to consume classified information by NATO. I think that these devices and the operating systems that run on them have gone through extensive testing by I think some pretty skilled organizations that show that these consumer grade devices really are further ahead than many of their brethren for really processing sensitive information and contributing to intellectual property. At the same time, we're seeing that the way that those devices are being put into production environments by even some of the most sophisticated organizations, they're not always following best practices. So the reality is you're taking what is already a pretty good device in a hardened state that pretty quickly falls out of a good state once some OS updates start following through and once the device goes into a production environment and gets handed to a real user. So reality check, good devices, not necessarily very well maintained. And then we start to get into the scenario that you're talking about where there's some exploitation kits that are out there, that now are available to the masses of threat actors that can pick this up and really start to do some novel things from their perspective with it.
Greg Otto
So how does it change the risk calculus if you are an enterprise that does rely on iOS and you are looking at them as an enterprise tool? I mean most people have iPhones in their personal lives. It's the biggest device when it comes to the mobile market. But if you are an enterprise that relies on this, what's the risk calculus like now where it is suddenly something where it's like, oh, I might have a low level cybercrime person out there try to target my enterprise through iOS with this kit that I just happen to find in a GitHub repo.
Michael Covington
Great question. And I think that the fact that you started by talking about the enterprise tooling is really the important part here. Because historically, even two, three years ago, most businesses were using their smartphones for email and maybe a little bit of messaging. We're now seeing a lot of truly innovative enterprise use cases in play, which means lots of intellectual property, lots of sensitive information, lots of connectivity to critical workloads that are important to that business. I don't think 95% of businesses have done the risk calculus to figure out what the impact is of these exploits on their organizations. I think it's massive, especially since we don't have a lot of existing tooling that's out in deployment. One of the biggest things I hear in the market is that most businesses lack visibility into what's happening on mobile. They don't even know if their devices are being used, let alone how they're being used, let alone do they have the ability to understand if there's been any kind of security or risk incident on the device and then start to work backwards to remediation. So I'm concerned about the fact that we don't have the tooling to assess and to address in most organizations. And that's the part that should be
Greg Otto
giving us a little bit of concern. So with that, how do you even begin to assess that? Like you're seeing the news this week and you're going, all right, I'm the CISO, I got a new thing to worry about. But it is a real worry. So what do I do in terms of just establishing that baseline of visibility?
Michael Covington
You're going to hate my answer because I'm going to oversimplify it. I really think we need to get back to basics. And this is why I started with the reference to baseline. Okay, we need to really make sure that businesses get a handle on how their devices are configured, establish some kind of organizational standard, at least know what operating systems are in play and where there are exploited vulnerabilities or exploitable vulnerabilities that you may need to patch. Most organizations don't have that level of visibility within the SOC, and I think that we need to increase that level of awareness.
Greg Otto
So what does that look like in practice? Is that just looking at new network telemetry too? Is it DNS patterns, like all of the technical. Is there anything from a technical standpoint in terms of just taking a step beyond, okay, what does my visibility look like across the attack surface? Like, how many phones do I actually have on my network? Let's take it another step down the path from just that telemetry standpoint. Let's say, what can we look at? Say, oh, it looks like somebody's having some fun with some of our devices.
Michael Covington
Yeah. And again, I'm going to oversimplify this.
Greg Otto
Just, hey, no, keep it, keep it simple.
Michael Covington
That's fine. You know, I think most organizations need to start with that inventory of their mobile assets. Most of them don't have it. They have it for maybe a subset of the corporate devices. But what I'm seeing, frontline devices, BYOD devices, those aren't always in the list of corporate mobile assets. The next thing, we gotta look at the apps that are installed on those mobile devices. Those are just as attackable as the devices and the operating systems themselves. And then within the apps, there are SDKs and other things that basically make up the supply chain for the mobile app ecosystem that we really need to make sure that we have assessments of as well. All of those are exploitable. We've seen with many of the examples of spyware in recent years that have really targeted some of these smaller components as the easy entry points in. And a lot of them can be attacked remotely by sending properly configured URLs to the user to either click on or take advantage of drive-by attacks on mobile. All of that surface area, the device, the apps, the SDKs that are embedded in the apps and the network components, all that's available in telemetry today. And so that's really where I steer a lot of organizations, to start collecting that in the SOC. Applying some threat intelligence on top of that, it at least gives you some visibility into where some of the weakest parts of the chain are.
Greg Otto
Yeah, I was going to say it sounds like it shouldn't only be monitoring for this exploit kit. Like it sounds like this is a good point to realize that while Apple has had remarkable security and these devices are really well secured, they're not impenetrable. Like it is not just Dark Sword we've seen with Karuna, or there is just, there's other iOS malware out there. And it seems like from what you're saying that now is a good point to just take a step back and go, oh, okay. It shouldn't just be for Dark Sword that I'm really monitoring for. It's anything
Michael Covington
What I've seen when we talk about some of the most sophisticated mobile malware that's out there, typically in the spyware category you've got Pegasus, Predator, Dark Sword. Every single time we encounter indicators that those attacks have hit an organization, they're different, they are different indicators. Because these are so hyper targeted, they do rely on some very recent exploits in order to land on the intended device. And so you don't see it playing out multiple times at scale. It's better that you just start with really establishing a good baseline of firming up the devices, hardening the stack that you've got for mobile, batting away the low hanging fruit, the phishing attacks that you can identify, the malicious network traffic, i.e. indicators of C2 and additional downloads coming to the device. Really being able to look for those types of indicators rather than the attacks by name. That's where I steer a lot of organizations.
Greg Otto
So also with the hardening part, Apple has Lockdown Mode. I'm wondering, you know, look, Lockdown Mode does a good job of blocking these attacks. I think Apple has gone on record to say if you were operating in Lockdown Mode with at least some of the exploits that are part of these exploit kits, you'd be alright. But with Lockdown Mode it's been anemic. Is this an inflection point where you start to see Lockdown Mode become a standard, or are the usability trade-offs just too much to overcome?
Michael Covington
Personally, I don't see it. I think that you have very specific use cases where Lockdown Mode makes sense and it's on an individual basis. Maybe you have an executive who's traveling to a region that is considered high risk, that individual is advised to turn it off. For most of the enterprise use cases that we see, especially frontline work, it's just not practical. It limits so much functionality on the device. To your point, it impacts usability and it almost takes you back to the dark ages of smartphone utilization. It's not why people picked the iPhone in the first place for a work tool, right?
Greg Otto
So if there is a compromise, is there anything with this particular exploit kit that would change remediation or is it just what you've seen regardless, and even just in smartphones altogether, no matter the operating system where a containment strategy, once you suspect compromise is just what we've always known it to be, remediate, shut it down. New device. Is there anything different that you would do, particularly with this exploit kit?
Michael Covington
There is some silver lining here with this specific exploit kit and it goes back to kind of where you started about this being distributed now on GitHub. This is now available for researchers to download, to analyze, to really understand how the attacks are being implemented and how the infrastructure supports its long term kind of utilization. That actually will help, I think, with the efficacy of the defenses that can be put in place. So it certainly helps vendors like Jamf make sure that the tools that we have out there are effective. But there's a whole growing practice of mobile security expertise within organizations now and I think that's really helping those organizations to better understand the data that's in the SOC, in the SIEM and also to build up their own defenses and not just rely on vendors to have something in place. So I do think that there's a positive element that comes out of this.
Greg Otto
So in your opinion. Look, Apple's walled garden has historically meant fewer enterprise security issues when compared to like Windows or Android. Does the ease of deployment at all force a rethink into Macs and iPhones being inherently more secure, especially for high value targets? Or is this a blip on the radar? Because I would say there are some people that I've talked to that have told me that like, no, like they have sat up, so to speak, when looking at what has occurred here to say, well okay, we know what Apple can do security wise, but this is a chink in the armor a little bit. I don't know if you share that same opinion or if this is just sort of an aberration and six months from now this won't be as big of a paradigm shift as some people are saying.
Michael Covington
I think it's a good thing if people are sitting up when you're having conversations around these exploits now being available and being better understood. I think it has gone a long way to just help remove some of the perception gap that we had in place as it relates to any of these products, whether it's a Mac, an iPhone, or an Android device. We support customers that have mixed fleets. This is not just an Apple world for us. And when I see some of these more sophisticated malware and spyware attacks hitting mobile, they're not specific in the platform they're going after. They're specific in the individual they're going after. And if they know the individual, if they know how to get that individual, they will go and spend the money necessary to exploit whatever the device is that that individual chose. And so I think it's important that people are sitting up. They shouldn't be asking questions about Apple that they're not asking about Google on the Android side or of the preferred OEM vendors providing any of the hardware in their environments. So I think the questions are good. I think now what we need is to make sure that the community is responding en masse. An organization can't respond on their own. They need support from vendors, they need support from Apple and from Android to make sure that the right telemetry can be extracted from the devices and made available to security tooling, etc. So this is a community effort here, but I think that the people sitting up right now and asking the questions is a move in the right direction.
Greg Otto
So speaking of moving in the right direction and the response to this, Apple's patch cadence. I know with Karuna they back patched. That might not be the technical term, but there were patches put out for older versions of iOS. But particularly with Dark Sword, Dark Sword affects iOS 18, which is not the latest, but the second latest. I think it's still on like 25% of phones, which is a staggering number given Apple's market share. So I'm wondering, like, should teams be thinking around workarounds or is it just a mass patching update from an MDM perspective where it is just, look, you're upgrading to 26 and that's what it is like. With that response, what do you think needs to happen?
Michael Covington
So I don't blame Apple for a lot of enterprises operating devices that are not current. Okay, you almost have to.
Greg Otto
No, yeah, that's not. Apple can't do anything the individual or
Michael Covington
the organization for not actioning the update. And sometimes there's good reason for it, sometimes it's app compatibility and other things. We see from our data about half of organizations are running operating systems that are not current and known vulnerable within their environment. I do think that part of this is just doing a mass patch and making sure that you do pull the devices along. But also you can be more intelligent with how you action that, especially as you think about larger organizations that may have tens of thousands of devices and some of them actually in very critical roles that can't go through a reboot at any point during the day. Really, the way that we're starting to think about it is almost through the lens of a zero trust model where when you have an individual that's trying to access a rather sensitive data set or application, do a risk assessment on the device at that time and if you see that the device is not compliant with this standard, force the update then. So we're now getting to a point where some of the capabilities that we have with declarative management and with the ability to do risk posture assessments on the device in real time and tie that to access requests, we can almost now start to give the user a carrot. You want this information, go and action this update. And that will actually, I think, pull your users along at the right time and not necessarily at a disruptive time. So now you're starting to have a usability conversation rather than a security need to fix, which I think is a good thing.
Greg Otto
Great, Michael, really appreciate your insights, especially with Dark Sword. It sounds like you have a shield for a dark sword out there. So if there is anybody out there that is worried about this, it seems like you can just, as always, follow the basics, do what you've got to do, patch, try to maintain that visibility and you should be good. So Michael, really appreciate your insights.
Michael Covington
Thanks so much for having me.
Greg Otto
Thanks for listening to Safe Mode, a weekly podcast on cybersecurity and digital privacy brought to you by CyberScoop. If you enjoyed this episode, please leave a rating and a review and share it with your friends, your co-workers, your CISOs, your sysadmins, your mom, your dad, anybody that wants to know more about cybersecurity. To find out more information or to contact me, please look for all of our social media handles or visit cyberscoop.com. Thanks for listening. Check us out next week.
Date: March 19, 2026
Host: Greg Otto (Cyberscoop)
Guests: Matt Kapko (Cyberscoop Senior Reporter), Michael Covington (VP of Strategy, Jamf)
Main Theme:
A deep dive into recent developments in cybersecurity policy and a focused analysis on the leaked "Dark Sword" iOS exploit kit, along with practical advice for enterprises navigating the rapidly evolving world of mobile security threats.
This episode, recorded at the 2026 RSA Conference, covers two primary threads:
Active Disruption: The government is urging tech firms to disrupt cybercriminals by removing resources, not by retaliatory hacking.
Industry Collaboration: Post-strategy, federal policy insiders report more open dialogue and collaboration.
Panel Reflections: Experts Jamil Jaffer, David Lashway, and Wendy Whitmore note a "marked change" since the strategy was released, focusing on transparency and reach.
Quote:
Google’s Approach: Led by Sandra Joyce at Mandiant, Google is emphasizing “threat disruption units” and being more public and vocal about their takedown efforts.
There’s more formal recognition, but, as reported by Google insiders:
“We've been doing this for years... the real change is we're just going to be a little bit more loud about it and... let the threat actors know it was us.” ([06:58])
Industry Hesitancy: Only a handful of giants (Google, Microsoft, Palo Alto) are proactively taking this stance, likely due to their ability to absorb potential blowback.
Trivy supply chain attack: over 1,000 companies impacted in days; potential for 10,000 (Mandiant estimate).
Get Back to Basics:
Beyond Dark Sword:
Apple’s Lockdown Mode:
Takeaways:
The podcast paints a portrait of an industry increasingly forced out of its comfort zone: old problems persist but new ones—like AI-wielded exploit automation and open source supply chain breaches—loom even larger. For enterprises, the leaked Dark Sword iOS exploit kit is a wake-up call, but the answers remain familiar: focus on visibility, inventories, basic patching, and collective defense strategies—there’s no silver bullet, only disciplined security hygiene and adaptability.
Actionable Advice: