Cybersecurity Today

Jim Love

409 episodes

  • Cybersecurity Today

    Cybersecurity Today Month in Review of March/April 2026

    18/04/2026 | 1 h 2 min
    Cybersecurity Today Month-in-Review: RSAC AI Hype, Agentic Risks, Mythos Claims, and Real-World Resilience
    Jim Love hosts a delayed March month-in-review with panelists David Shipley and Laura Payne, starting with RSAC takeaways: agentic AI everywhere, heightened marketing spectacle, and industry tension as AI becomes the new "cool kid." They discuss the surge of autonomous agents, including OpenClaw-style experimentation leading to stolen tokens and the ease of social-engineering LLMs, plus legal and brand risks of chatbots after the Air Canada precedent. The panel debates Anthropic's source-code leak and "Mythos" messaging, while acknowledging AI tools are finding real zero-days amid massive technical debt and rising exploit speed, raising questions about liability and EU accountability. They highlight a positive case: Stryker Medical's rapid recovery after 80,000 devices were wiped via Intune settings, and note additional incidents targeting healthcare, critical infrastructure PLCs, supply-chain attacks, and longer-term impacts from major source-code thefts.
    Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular in one integrated solution that's built for performance and scale. You can find them at Meter.com/cst
    00:00 Show Intro Sponsor
    00:22 Panel Welcome Setup
    01:56 RSAC Vibes Agentic AI
    03:19 Conference Hype Booths
    06:32 AI Free Fridays Skills
    08:12 Marketing Hype Filters
    11:38 Agent Networks Gone Wild
    16:00 Social Engineering LLMs
    19:45 Chatbots Liability Law
    23:13 Anthropic Leak Mythos
    25:17 AI Code Quality Debate
    29:28 Technical Debt Bug Mining
    30:40 AI Hacking Era
    32:09 Paying Down Tech Debt
    32:54 Software Liability Shift
    34:24 AI Pen Testing Scale
    37:53 Token Costs and Proof
    40:08 Canary Traps and Ethics
    41:26 Blast Radius Resilience
    44:17 Stryker Wipe Recovery
    46:52 More Attacks Recap
    50:07 Fast Cheap Code Debate
    53:26 War Rules and Agents
    56:32 Back to Basics Close
    01:00:18 Final Thanks Sponsor
  • Cybersecurity Today

    Cisco Warns Webex Customers Of Critical SSO Problem

    17/04/2026 | 12 min
    Webex SSO Vulnerability, Booking.com Reservation Hijacking Risks, Windows Recall Scrutiny, and AI Vishing-as-a-Service
    Host Jim Love reports that Cisco disclosed a critical Webex vulnerability (CVE-2026-2184) affecting SSO integration with Control Hub. Server-side fixes are applied and no exploitation has been seen, but SSO customers must update their SAML certificate configuration to avoid disruption when the old certificate expires. The disclosure comes amid recent Cisco firewall zero-day exploitation (CVE-2026-2131) tied to Interlock ransomware. A Booking.com breach exposed some customers' reservation data (names, contact and address details, reservation details, and messages) but not payment cards, increasing the risk of phishing-based "reservation hijacking" that uses real itinerary details. Researchers also highlight new concerns with Microsoft's Windows 11 Recall, where data may be intercepted after login via another process, though Microsoft says protections are intended. Finally, an underground $4,000 platform, ATHR, automates phishing/vishing with AI voice agents to steal verification codes and accounts across major services.
    00:00 Top Security Headlines
    00:32 Sponsor Message
    00:50 WebEx Critical Flaw
    02:36 Booking.com Breach Scams
    05:20 Windows Recall Weaknesses
    08:36 AI Voice Phishing Service
    11:24 Wrap Up and Thanks
  • Cybersecurity Today

    North Korean Spies DM You On Facebook

    15/04/2026 | 19 min
    Android Mirax RAT, North Korea's Friend-Request Hacks, Adobe PDF Zero-Day, and FBI Phishing Takedown | Cybersecurity Today
    David Shipley covers multiple trust-based cyber threats: Mirax Android malware pushed via Meta ads posing as free streaming apps, functioning as a remote access trojan and turning infected phones into residential proxies, amid reports of widespread scam advertising on Meta platforms. Researchers link a North Korean APT37 campaign to Facebook friend requests that shift to Messenger and Telegram before delivering a tampered PDF viewer that installs RokRAT and exfiltrates data via Zoho WorkDrive. Adobe issues an emergency patch for an Acrobat/Reader zero-day where opening a PDF can expose files, seen targeting oil and gas with Russian-language lures. The FBI and Indonesian authorities dismantle the Wall phishing marketplace designed to bypass MFA via session-cookie theft, as similar services quickly rebound. The FBI reports Americans lost nearly $21B to cybercrime in 2025, driven by investment and crypto fraud, with growing AI-enabled scams.
    00:00 Headlines And Sponsor
    00:57 Mirax Android Proxy Malware
    02:47 Meta Scam Ad Machine
    05:01 North Korea Friend Request Hack
    07:44 Adobe Acrobat Zero Day Patch
    10:11 FBI Wall Phishing Kit Takedown
    12:28 Why Takedowns And MFA Fall Short
    15:02 Cybercrime Losses Hit $21B
    18:16 Wrap Up And Thanks
    18:55 Meter Sponsor Message
  • Cybersecurity Today

    Banks Panic As Anthropic Mythos Exposes Software Vulnerabilities

    13/04/2026 | 19 min
    Mythos Sparks Urgent Bank Meetings, AI Shrinks Exploit Windows, CEO Phishing Beats MFA + Crypto Fraud Bust
    Host David Shipley covers urgent meetings among U.S., Canadian, and U.K. financial leaders after Anthropic's Mythos announcement, with regulators and major banks assessing potential systemic risk; Mythos is described as capable of finding and chaining zero-days and is limited to a preview program (Project Glasswing) with select critical infrastructure and tech firms. The episode highlights how fast vulnerabilities are now exploited, citing a critical Marimo flaw patched in 0.2.3.0 that attackers probed within 9 hours and research showing AI can generate exploits from CVEs in 10–15 minutes. It then details "Venom," an invitation-only phishing-as-a-service targeting executives via QR codes to hijack sessions and register new devices, and Microsoft's warning about Storm-2755 redirecting Canadian paychecks by stealing M365 session cookies and altering direct-deposit details. Finally, Operation Atlantic is summarized: authorities identified 20,000 crypto-fraud victims, froze $12M, and linked $45M in stolen crypto tied to approval phishing.
    00:00 Headlines and Sponsor
    00:57 Mythos Shakes Finance
    04:58 AI Exploit Window Collapses
    08:11 Venom Targets Executives
    11:54 Payroll Redirect Scam
    14:35 Crypto Fraud Takedown
    16:47 Wrap Up and Thanks
    18:04 Sponsor Outro
  • Cybersecurity Today

    Jeff Williams, CTO and Co-founder of Contrast Security and OWASP Co-founder, on Mythos and AI Security

    11/04/2026 | 35 min
    AI-Powered AppSec, OWASP Origins, and Anthropic's "Mythos" Model: Jeff Williams on What Changes Next
    Jim hosts Jeff Williams (Contrast Security co-founder/CTO and former OWASP global chair) for a wide-ranging discussion that begins with Anthropic's new "Mythos" model, described as powerful for finding zero-day vulnerabilities, and expands into how AppSec must evolve. Williams explains Contrast's runtime instrumentation approach, recounts OWASP's early days, the creation of WebGoat and the OWASP Top 10, and notes that many common vulnerabilities persist despite years of maturity models. They debate open source versus commercial security scrutiny, the likely high cost and scalability limits of advanced AI vulnerability discovery, and why finding more bugs matters only if remediation improves too. Williams argues for AI-powered "software factories" with feedback loops, assurance evidence, and runtime monitoring, and flags the EU Product Liability Directive treating software as a product with no-fault liability for security defects, including those from embedded open source.
    00:00 AppSec Stuck in Ruts
    00:42 Show Intro and Sponsor
    01:40 What Contrast Security Does
    02:35 OWASP Origins and WebGoat
    04:33 Why the Top 10 Persists
    06:28 Mythos Model Overview
    08:05 Open Source Scrutiny Myth
    11:31 Cost and Adoption Barriers
    15:04 Finding vs Fixing Bugs
    15:55 AI Code Quality Reality
    17:46 AI Powered Software Factory
    23:11 Building with AI in Practice
    25:18 AppSec Metrics and New Approaches
    26:42 Staying Optimistic as a CISO
    28:00 EU Product Liability Shift
    32:13 Bug Bounties in an AI World
    34:06 Wrap Up and Outro

About Cybersecurity Today

Updates on the latest cybersecurity threats to businesses, data breach disclosures, and how you can secure your firm in an increasingly risky time.
Generated: 4/18/2026 - 9:11:23 PM