This week’s Department of Know is hosted by Rich Stroffolino with guests Mathew Biby, director, cybersecurity, TixTrack, and Derek Fisher, Director of the Cyber Defense and Information Assurance Program, Temple University
Missed the live show? Check it out on YouTube
The Department of Know, from CISO Series, is live every Monday at 4:00 p.m. ET. Join us each week by registering for the open discussion at CISOSeries.com
KNOW or NO?
Fluent Bit bugs allowed cloud disruption
Researchers from Oligo found five long-standing, easy-to-exploit vulnerabilities in Fluent Bit, a widely used open source log collector deployed across every major cloud platform. The bugs include authentication bypass, path traversal, remote code execution, denial of service, and tag manipulation. Some flaws date back more than eight years and threaten full cluster compromise when chained. Updated versions 4.1.1 and 4.0.12 fix the issues. (The Register)
HashJack attack fools AI browsers
Cato Networks says a new indirect prompt-injection method called “HashJack” hides malicious instructions after the “#” in otherwise legitimate URLs. AI browser assistants like Copilot in Edge, Gemini in Chrome, and Perplexity’s Comet read those hidden fragments, which are never sent to the server, letting attackers turn trusted sites into vectors for data exfiltration, phishing, misinformation, or harmful guidance. Google categorized the issue as low severity and “intended behavior.” Microsoft and Perplexity applied fixes. (The Register)
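The defensive point behind the HashJack item, as an added example that is not from the episode or from Cato’s research: the fragment after “#” is never part of the HTTP request, so server-side logging or filtering cannot see it, and an in-browser assistant has to keep it out of its instruction channel itself. The URL and its fragment text are constructed placeholders, and the assistant-context helpers are hypothetical.

```javascript
// Constructed sample URL: the fragment is placeholder text, not a real payload.
const SAMPLE_URL = "https://example.com/docs/page?id=42#note:fragment-only-text";

// What the browser actually sends on the wire: path and query, never the
// fragment (RFC 3986 section 3.5). Server logs and WAFs cannot inspect it.
function requestTargetFor(urlString) {
  const u = new URL(urlString);
  return u.pathname + u.search;
}

// Split a URL into the server-visible part and the client-only fragment so
// the two can be handled at different trust levels.
function splitForAssistant(urlString) {
  const u = new URL(urlString);
  const fragment = u.hash.startsWith("#") ? u.hash.slice(1) : "";
  u.hash = ""; // strip it from the canonical URL
  return { serverVisible: u.toString(), clientOnlyFragment: fragment };
}

// Hypothetical page-context builder for an in-browser assistant. The fragment
// is excluded from the instruction text and carried separately as data, so
// text after "#" cannot be interpreted as a command.
function buildAssistantContext(urlString, pageTitle) {
  const { serverVisible, clientOnlyFragment } = splitForAssistant(urlString);
  return {
    instructions: `Summarize the page "${pageTitle}" at ${serverVisible}.`,
    untrustedData: { fragment: clientOnlyFragment },
  };
}

// Self-check a defender can run: does fragment text reach the instruction
// channel? Returns false when the separation above holds.
function fragmentLeaksIntoInstructions(urlString, pageTitle) {
  const ctx = buildAssistantContext(urlString, pageTitle);
  const frag = splitForAssistant(urlString).clientOnlyFragment;
  return frag.length > 0 && ctx.instructions.includes(frag);
}
```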
Anthropic questioned over Claude espionage
The US House Homeland Security Committee has summoned Anthropic CEO Dario Amodei to testify on December 17th about a likely Chinese espionage campaign that used Anthropic’s AI, Claude, to target at least 30 organizations. Lawmakers praised Anthropic for disclosing the attack but called it a “significant inflection point” for U.S. cybersecurity. The hearing will focus on how AI, quantum computing, and cloud infrastructure are reshaping state-sponsored cyber threats. (CyberScoop)
Security keys may prompt for PIN after recent updates
Also on Tuesday, Microsoft warned users that FIDO2 security keys “may prompt them to enter a PIN when signing in after installing Windows updates released since the September 2025 preview update.” This is an intentional change, Microsoft says, to comply with WebAuthn specifications, which “dictate how authentication methods such as PINs, biometrics, and hardware security keys should handle user verification requests.” They added, “after installing the Windows update of September 29, you might be required to create a PIN to sign in with a security key, even if a PIN was not required or set during your initial registration.”
Prompt injections muddle ChatGPT’s Atlas browser
OpenAI’s ChatGPT Atlas browser launched in October. It includes agentic AI capable of autonomous tasks, but this expands the risk of prompt injections. Direct or even indirect injections could expose sensitive data, execute code, or compromise networks of agents. Experts warn the problem grows as agents gain tool access and autonomy, making attacks more dangerous. Mitigations include strict least-privilege access, sandboxing, human oversight, and treating untrusted input as hostile. (Dark Reading)
Huge thanks to our sponsor, Vanta

DEEP DIVES
Corporate takeovers meet SonicWall firewalls
ReliaQuest reports that Akira ransomware affiliates exploited compromised SonicWall SSL VPN appliances in companies acquired through mergers and acquisitions. Attackers gained access to the acquiring firms’ networks via inherited devices, then searched for privileged legacy credentials, unprotected hosts, and predictable server names. Once inside, lateral movement to domain controllers took an average of 9.3 hours, and ransomware deployment averaged under an hour. (The Register)
Question: I’ll simply read that last sentence again: “Attackers gained access to the acquiring firms’ networks via inherited devices, then searched for privileged legacy credentials, unprotected hosts, and predictable server names.” “Know a little more” or “No thanks”?
Hacklore to tackle security myths
A new initiative called Hacklore.org launched to push back against long-standing cybersecurity myths, like frequently changing passwords or avoiding all public Wi-Fi. Created by former Yahoo and DNC security chief Bob Lord, the project promotes simple, evidence-based practices like passkeys, MFA, password managers, and keeping software updated. More than 80 cybersecurity experts signed an open letter urging a shift toward practical guidance and support for “secure by design” and “secure by default” approaches. (CyberScoop)
California law regulating web browsers might impact national data privacy
In October, California Gov. Gavin Newsom signed a law to amend the state’s Consumer Privacy Act in order to mandate that web browsers “create a turnkey tool for residents to opt out from data sharing once instead of having to do so each time they visit a website.” Now, privacy changes required by a “newly enacted California law could mean web browsers will soon offer all Americans a mechanism to easily opt out of all data sharing and sales when surfing the web.” Currently most web browsers do not offer mechanisms for residents to exercise these rights, but once they do, tens of millions of consumers, including those outside of California. The California law goes into effect on January 1, 2027.