
SANS Stormcast Tuesday, May 12th, 2026: Apple Patches; Encrypted RCS; CAPTCHAs; Checkmarx vs TeamPCP;
A
Hello and welcome to the Tuesday, May 12, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from San Diego, California, and this episode is brought to you by the SANS.edu credit certificate program in penetration testing and ethical hacking.
Today we got, well, one of Apple's typical patch days. Now, Apple does not have a regular patch schedule. This particular update was kind of expected for this week. Not sure if anybody really predicted Monday as being the patch day for Apple. It again affects pretty much all of their operating systems and fixes about 80 different flaws. The flaws are not really all that remarkable. It's your usual mix kind of for Apple or also based on sort of what we sort of historically get from Apple, the number of patches is just about average. So there is no sign of like any inflation as we have seen in some cases with AI generated patch or vulnerability reports. For iOS, iPadOS, you'll get updates for the 26 as well as for the 18 version. So the current and the next-to-current version. For macOS it goes back two versions, so all the way to macOS Sonoma 14. tvOS, watchOS and visionOS only get updates for the current version of the operating system.
In addition to the security updates, there's of course always a number of features that are being updated with these sort of in-between operating system releases from Apple. There is one particular feature that is kind of of interest from a security point of view and that's end-to-end encrypted RCS messaging. RCS is the standard that's supposed to eventually replace SMS. And initial versions released by Apple and Google were more focusing on some of the usability issues like for example markup and the like. But of course one of the big problems with SMS from a security point of view is that there's no authentication and no encryption. Well, Apple is now fixing that with this update in iOS. Now RCS messages can be end-to-end encrypted. And if you're either using two iPhones on the latest version of iOS or if you're using iOS on one side and then an Android phone on the other side with the latest version of Google messenger which also supports this encrypted RCS standard, there should be a small lock icon and the word encrypted that you'll see sort of in your messaging window. From my point of view, this is a real nice feature to have, but usability of course is always kind of an issue here, how well it's communicated to the user whether or not a particular connection is encrypted or not encrypted, and there's certainly a chance that things will sort of flip forth and back. In particular, since not all carriers are supporting this feature, both ends of the connection also must use a carrier that actually supports end-to-end encrypted RCS messages.
And a few months ago I did implement CAPTCHAs on a couple of sort of data-intense pages on our website, part because bots really sort of caused some performance issues on the site. So I figured it's a good time now to go back to see how well the CAPTCHAs worked. And well, no surprise, they do appear to block most if not all bots. And yes, as a result, out of 300 requests to some of these data-intense pages like our IP info page, well, only one request actually passes the bot filter. There are a couple of IP addresses I list in the diary that sort of stick out for the number of requests we are receiving for them. Given that even after several months now and these particular bots don't really get any results from the page, it kind of tells you that they're not really looking that closely if their bots are actually still working. Which kind of also means that these bots are super cheap for them to run. And just as a side note, here we do of course offer our data for free for download. We just ask that you use the API. So another thing, well, it's easier for you if you use the API and don't screen scrape off our IP info pages and the like. But well, it's also easier for us to actually give you the data via the API, so please use it.
And Checkmarx is continuing its battle with TeamPCP. This weekend TeamPCP apparently published a modified version of the Checkmarx Jenkins AST plugin to the Jenkins marketplace and, well, this download was available from Saturday to Sunday, so if you downloaded it, definitely pay attention. And if you're using the Jenkins AST plugin, then please take a quick look at the Checkmarx advisory because it has additional ways to identify any potential malicious download, like checksums and the like in case you aren't sure when your particular version was downloaded.
Well, that's it for today. Thanks for listening, thanks for liking, thanks for subscribing, and as always, special thanks for any feedback and good reviews on your favorite podcast platform. Thanks and talk to you again tomorrow. Bye.
This episode of the Stormcast, hosted by Johannes B. Ullrich, provides a concise yet comprehensive roundup of the day’s most pressing topics in cybersecurity. Covered are Apple’s new security patches, major developments in encrypted RCS messaging, a review of CAPTCHA effectiveness against bots on ISC’s own site, and a continued watch on the Checkmarx vs TeamPCP security incident in the Jenkins plugin ecosystem. The tone remains pragmatic, educational, and focused on actionable insights for both practitioners and the security-curious.
[00:20]
"Apple does not have a regular patch schedule. This particular update was kind of expected for this week. Not sure if anybody really predicted Monday as being the patch day for Apple."
"The number of patches is just about average. So there is no sign of like any inflation as we have seen in some cases with AI generated patch or vulnerability reports..."
[01:25]
"Apple is now fixing that with this update in iOS. Now RCS messages can be end-to-end encrypted."
"There should be a small lock icon and the word encrypted that you'll see sort of in your messaging window."
"Usability of course is always kind of an issue here—how well it's communicated to the user whether or not a particular connection is encrypted or not encrypted..."
[03:05]
"No surprise, they do appear to block most if not all bots. And yes, as a result, out of 300 requests to some of these data-intense pages like our IP info page, well, only one request actually passes the bot filter."
"Even after several months now and these particular bots don't really get any results from the page, it kind of tells you that they're not really looking that closely if their bots are actually still working."
"We just ask that you use the API... it's also easier for us to actually give you the data via the API, so please use it."
[04:34]
"If you downloaded it, definitely pay attention. And if you're using the Jenkins AST plugin, then please take a quick look at the Checkmarx advisory..."
On Apple’s Patch Frequency:
"The number of patches is just about average. So there is no sign of like any inflation as we have seen in some cases with AI generated patch or vulnerability reports..." — Johannes B. Ullrich [00:34]
On Messaging Security Improvement:
“Now RCS messages can be end-to-end encrypted. And ... there should be a small lock icon and the word encrypted that you'll see sort of in your messaging window.” — Johannes B. Ullrich [01:44]
On Persistent Bots and Security Insight:
“Even after several months now ... these particular bots don't really get any results from the page, it kind of tells you that they're not really looking that closely if their bots are actually still working.” — Johannes B. Ullrich [03:34]
On Jenkins Plugin Security:
"If you downloaded it, definitely pay attention. And if you're using the Jenkins AST plugin, then please take a quick look at the Checkmarx advisory..." — Johannes B. Ullrich [04:40]
For direct listener questions or contributions, contact the SANS Internet Storm Center: https://isc.sans.edu/contact.html