Cyber Security Headlines Week in Review: CISA infrastructure plea, podcast interview trap, Workday breach

This week’s Cyber Security Headlines – Week in Review is hosted by Rich Stroffolino. This is our milestone edition, celebrating five years of the daily Cyber Security Headlines news podcast. Our guests today will be the CSH reporters themselves, reflecting on some stories from this week as well as their favorite stories from the past few years. Joining Rich live will be Hadas Cassorla and Steve Prentice, with videos from Sarah Lane and Lauren Verno.

Missed the live show? Check it out on YouTube

Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com

CISA implores OT environments to lock down critical infrastructure

CISA wants the attention of companies running operational technology environments, and wants to push them toward a stronger cybersecurity posture. Citing an 87 percent year-over-year increase in attacks this year, according to Dragos, the agency published new foundational guidance for OT cybersecurity that “starts with the absolute basics: assume nothing, and start entirely fresh with a new taxonomy-based OT asset inventory.” A link to the report is available in the show notes to this episode. (The Register and CISA)

Sure, Joe Rogan, I’d love to be on your podcast

The Better Business Bureau warns that attackers are using fake podcast invitations to trick executives, often targeting high-profile employees with emails that look legitimate and carry professional branding. Victims are asked to join a “test interview” or technical check, during which AI-generated voices and videos pose as podcast hosts. While the session seems routine, the attackers prompt the target to install software, grant remote access, or share files, giving them the ability to exfiltrate data, harvest credentials, or deploy malware. Researchers note that this method leverages common business practices, since executives are accustomed to media requests and interview preparation.

(InfoSecurity Magazine)

Huge thanks to our sponsor, Conveyor

Does logging into a portal security questionnaire feel like punishment? We get it.

Other solutions offer browser extensions that require you to do all the copy-pasting. It’s slow, tedious, and frustrating.

Conveyor takes care of it for you. Our AI auto-scrolls, finds every question, and fills in accurate answers—all automatically. Oh, and our AI completes security questionnaires of any format, not just portals.

Visit www.conveyor.com to learn more.

Workday confirms data breach

Over the weekend, the human resources technology giant confirmed that threat actors accessed a third-party customer relationship database, obtaining personal information. This database typically stores contact information, so names, emails, and phone numbers were likely exposed. The company said there is “no indication of access to customer tenants” in the breach, but didn’t entirely rule it out. No word on which third party was breached, but given the recent swath of Salesforce-hosted databases targeted, it wouldn’t be surprising to see another. Workday added a “no index” tag to its blog post disclosing the breach, so it didn’t surface in search.

(TechCrunch)

This new clickjacking is so DOM

A new study shows that browser extension password managers can be tricked into giving up your logins with just one click. Security researcher Marek Tóth calls it a form of clickjacking. It’s the same principle, but instead of tricking you into clicking a malicious button, your click triggers invisible login fields injected into the page’s DOM (document object model). When that happens, the extension may think it’s a real form and autofill your saved username, password, two-factor codes or even credit card details. The trick only works if the attacker is on a domain or subdomain your password manager already trusts. Tests showed that eleven major browser extension managers were vulnerable, including 1Password, Bitwarden, and LastPass. So far, vendors haven’t issued fixes, and the flaw affects Chrome, Edge, and other browsers.

(The Hacker News)
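The weak point the story describes is an autofill routine that trusts a DOM field without checking whether the user can actually see it. The following is an added example, not code from the article, from Tóth's research, or from any password-manager vendor: a visibility gate that a content script could run over each candidate field before writing a saved credential into it. The `style` and `rect` values would normally come from `getComputedStyle()` and `getBoundingClientRect()`; here they are plain objects so the check runs in Node without a browser. The function names, thresholds, the autocomplete list and the fill/ask/refuse policy are this example's own assumptions. It only addresses the hidden-field half of the problem; the domain-trust condition the article mentions is unchanged by it.

```javascript
// Added example (not from the article or any password-manager vendor):
// a visibility gate applied before a browser extension autofills a field.
// Field descriptions are plain objects standing in for what a real content
// script would read from getComputedStyle() and getBoundingClientRect().

const MIN_OPACITY = 0.1; // assumed threshold: below this the field is treated as invisible
const MIN_SIZE_PX = 8;   // assumed threshold: a credential field smaller than this is suspect

// Returns { visible, reasons }, listing every way the field fails to be rendered.
function visibilityVerdict(field, viewport) {
  const { style, rect } = field;
  const reasons = [];
  if (style.display === 'none') reasons.push('display:none');
  if (style.visibility === 'hidden') reasons.push('visibility:hidden');
  if (Number(style.opacity) < MIN_OPACITY) reasons.push('opacity ' + style.opacity);
  if (rect.width < MIN_SIZE_PX || rect.height < MIN_SIZE_PX) {
    reasons.push(`size ${rect.width}x${rect.height}`);
  }
  const offscreen = rect.left + rect.width <= 0 || rect.top + rect.height <= 0 ||
                    rect.left >= viewport.width || rect.top >= viewport.height;
  if (offscreen) reasons.push('outside viewport');
  if (style.pointerEvents === 'none') reasons.push('pointer-events:none');
  return { visible: reasons.length === 0, reasons };
}

// Autocomplete tokens whose values are secrets (assumed policy list, not a vendor's).
const SECRET_AUTOCOMPLETE = new Set([
  'current-password', 'new-password', 'one-time-code', 'cc-number', 'cc-csc',
]);

// Example policy: a visible field is filled; a hidden field asking for a secret
// is refused outright; any other hidden field is left to the user to confirm.
function autofillDecision(field, viewport) {
  const verdict = visibilityVerdict(field, viewport);
  if (verdict.visible) return { field: field.name, action: 'fill', reasons: [] };
  const secret = field.type === 'password' || SECRET_AUTOCOMPLETE.has(field.autocomplete);
  return { field: field.name, action: secret ? 'refuse' : 'ask-user', reasons: verdict.reasons };
}

function reviewForm(fields, viewport) {
  return fields.map((f) => autofillDecision(f, viewport));
}

// Constructed sample: a normal login form plus injected fields of the kind the
// article describes, one at zero opacity, one pushed off-screen, one display:none.
const SAMPLE_VIEWPORT = { width: 1280, height: 800 };
const visibleStyle = { display: 'block', visibility: 'visible', opacity: '1', pointerEvents: 'auto' };
const SAMPLE_FIELDS = [
  { name: 'username', type: 'text', autocomplete: 'username',
    style: { ...visibleStyle }, rect: { left: 400, top: 300, width: 240, height: 32 } },
  { name: 'password', type: 'password', autocomplete: 'current-password',
    style: { ...visibleStyle }, rect: { left: 400, top: 350, width: 240, height: 32 } },
  { name: 'injected-otp', type: 'text', autocomplete: 'one-time-code',
    style: { ...visibleStyle, opacity: '0' }, rect: { left: 400, top: 400, width: 240, height: 32 } },
  { name: 'injected-card', type: 'text', autocomplete: 'cc-number',
    style: { ...visibleStyle }, rect: { left: -5000, top: 0, width: 240, height: 32 } },
  { name: 'newsletter', type: 'text', autocomplete: 'email',
    style: { ...visibleStyle, display: 'none' }, rect: { left: 0, top: 0, width: 0, height: 0 } },
];

for (const d of reviewForm(SAMPLE_FIELDS, SAMPLE_VIEWPORT)) {
  console.log(`${d.field.padEnd(14)} ${d.action.padEnd(9)} ${d.reasons.join(', ')}`);
}
```

The useful property of this shape is that the decision is explainable: each refusal carries the concrete reason (zero opacity, off-screen, collapsed size), which is what a user-facing prompt or an extension's telemetry would want to surface rather than a bare "not filled". A real implementation would also have to walk ancestors for inherited opacity, clip-path and overflow hiding, which this example leaves out.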

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.