
SN 1085: A SOTA State-Sponsored Campaign - AI's New Superpower: Loop Engineering

Security Now (Audio)

Security Now Episode 1085 covers Windows 10 receiving another year of extended support, Meta's employee surveillance program backfiring with exposed data, state-sponsored credential attacks on Fortinet devices affecting 86,000+ organizations globally, and AI's emerging capability to discover vulnerabilities at scale through iteration and looping techniques.

Summary

Steve Gibson and Leo Laporte discuss multiple critical security developments from late June 2026.

Microsoft extended Windows 10 support until October 2027 due to widespread user resistance to Windows 11, driven by high hardware costs and performance concerns. Gibson predicts a future 'Junior 11' version that will be lighter and more compatible with existing hardware.

Meta's controversial employee laptop surveillance program, designed to collect keystroke and screen data for AI training, exposed sensitive employee data when access controls were misconfigured, forcing the company to pause the initiative indefinitely. The discussion explores both the privacy concerns and the research potential of such surveillance.

A massive state-sponsored credential theft campaign called FortiBleed targeted Fortinet FortiGate VPN firewalls across 194 countries, compromising over 86,644 devices through credential reuse and automated testing. The campaign operated in two stages: credential stuffing using leaked passwords, then passive harvesting of additional credentials through traffic interception. This was possible because organizations failed to rotate passwords after previous breaches and left management interfaces exposed to the internet.

OpenAI and Anthropic have launched major initiatives (Patch the Planet and Glasswing) using frontier AI models to discover and patch vulnerabilities in critical open-source software, with significant early successes including findings in the Linux kernel, browsers, and networking software. Andrew Ng's concept of 'loop engineering' describes how AI systems iterate multiple times to refine outputs, with three nested loops: agentic coding loops (AI writes and tests code), developer feedback loops (humans review and adjust specs), and external feedback loops (user data informs direction).

The conversation covers how AI has dramatically lowered the barrier to vulnerability discovery, enabling less-skilled actors to find and disclose zero-days without coordinated disclosure, as exemplified by a researcher publishing 23 proof-of-concepts on GitHub.

Gibson shares a touching story about the late hacker Kevin Mitnick, who befriended his former adversary Sean Nunley and left him enough money to buy his dream Porsche 911 before dying of pancreatic cancer in 2023.

Finally, Leo describes his personal experiment with autonomous AI agents (Quicksilver, Cosmo, Winfred) who are now communicating independently in a Discord channel without human guidance.
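The FortiBleed discussion above comes down to two defender-side signals: a single source failing logins against many distinct accounts (the credential-stuffing signature, since leaked username/password lists are tried one after another) and administrative logins arriving on an internet-facing interface that should never have been exposed. The following detector is an added example written for this page, not code from the show, GRC or Fortinet. It assumes a simplified key=value authentication log (the field names `srcip`, `user`, `action`, `status` and `iface` are assumptions, not real FortiGate field names) and runs over constructed sample lines embedded in the block.

```python
"""Flag the two patterns described for FortiBleed: credential stuffing
(many distinct users failing from one source in a short window) and
admin logins reaching the device from outside the internal address space.
Added example; the log format and field names below are assumptions."""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified key=value style (not real device output).
SAMPLE_LOGS = """\
time=2026-06-20T10:00:01Z srcip=203.0.113.9 user=alice action=login status=failed iface=wan1
time=2026-06-20T10:00:02Z srcip=203.0.113.9 user=bob action=login status=failed iface=wan1
time=2026-06-20T10:00:03Z srcip=203.0.113.9 user=carol action=login status=failed iface=wan1
time=2026-06-20T10:00:04Z srcip=203.0.113.9 user=dave action=login status=failed iface=wan1
time=2026-06-20T10:00:05Z srcip=203.0.113.9 user=erin action=login status=failed iface=wan1
time=2026-06-20T10:00:06Z srcip=203.0.113.9 user=frank action=login status=success iface=wan1
time=2026-06-20T10:05:00Z srcip=10.0.0.5 user=admin action=login status=success iface=internal
time=2026-06-20T10:06:00Z srcip=198.51.100.77 user=admin action=login status=success iface=wan1
time=2026-06-20T10:07:00Z srcip=192.0.2.14 user=alice action=login status=failed iface=wan1
time=2026-06-20T10:09:00Z srcip=192.0.2.14 user=alice action=login status=success iface=wan1
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

# RFC 1918 ranges count as "internal"; anything else is treated as internet-facing.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    rec = dict(FIELD_RE.findall(line))
    rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_credential_stuffing(records, window=timedelta(minutes=10), min_users=5):
    """Return one finding per source IP that failed against at least `min_users`
    distinct accounts inside any sliding `window`. A single user mistyping a
    password never trips this; a list of leaked credentials tried in sequence does.
    If a success follows such a spray from the same source, the account is recorded."""
    by_src = defaultdict(list)
    for r in records:
        if r.get("action") == "login":
            by_src[r["srcip"]].append(r)
    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda r: r["time"])
        in_window = Counter()  # failed user -> number of failures inside the window
        j = 0
        peak = 0
        success_after_spray = None
        for r in evs:
            # Slide the window: drop failures older than `window` before this event.
            while evs[j]["time"] < r["time"] - window:
                old = evs[j]
                if old["status"] == "failed":
                    in_window[old["user"]] -= 1
                    if in_window[old["user"]] == 0:
                        del in_window[old["user"]]
                j += 1
            if r["status"] == "failed":
                in_window[r["user"]] += 1
            elif r["status"] == "success" and len(in_window) >= min_users:
                success_after_spray = r["user"]
            peak = max(peak, len(in_window))
        if peak >= min_users:
            findings.append({"srcip": src, "distinct_failed_users": peak,
                             "success_after_spray": success_after_spray})
    return findings


def find_exposed_admin_logins(records, admin_users=("admin",)):
    """Return (srcip, user) for successful admin logins from non-internal addresses,
    i.e. management access that is reachable from the internet."""
    hits = []
    for r in records:
        if r.get("action") != "login" or r["status"] != "success" or r["user"] not in admin_users:
            continue
        addr = ipaddress.ip_address(r["srcip"])
        if not any(addr in net for net in INTERNAL_NETS):
            hits.append((r["srcip"], r["user"]))
    return hits


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    for f in find_credential_stuffing(recs):
        print("credential stuffing:", f)
    for src, user in find_exposed_admin_logins(recs):
        print("admin login from external address:", src, user)
```

On the sample, the source 203.0.113.9 is flagged (five distinct accounts failed, then `frank` succeeded), while 192.0.2.14 is not, since one user retrying their own password is not a spray. The external `admin` login from 198.51.100.77 is the exposed-management-interface finding; the same login from 10.0.0.5 on the internal interface is not reported. Both checks are cheap enough to run continuously, and a success after a spray is exactly the account whose password should be rotated immediately rather than left in place as the summary says many organizations did.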

About this episode

AI is now uncovering and fixing thousands of hidden software bugs faster than humans can keep up, but not everyone is playing by the rules. Find out how state-sponsored attackers and careless disclosures are turning the cybersecurity playbook upside down.

  • Win10's popularity forces another year of free updates.
  • CISA directs all federal agencies to update their UniFi OS devices.
  • CISA gave federal agencies "the weekend" to update Cisco devices.
  • Australia is disturbed by a deeply compromised infrastructure provider.
  • OpenAI introduces Daybreak-powered "Patch the Planet" initiative.
  • Meta's employee monitoring-for-AI-training backfired badly.
  • Script Kiddies figure out how to use AI to find vulnerabilities.
  • AI improves with "looping", "repeating" or "iterating".
  • A wonderful story about Kevin Mitnick.
  • Serious hackers mistakenly left a server directory accessible.

Show Notes: https://www.grc.com/sn/SN-1085-Notes.pdf

Hosts: Steve Gibson (https://twit.tv/people/steve-gibson) and Leo Laporte (https://twit.tv/people/leo-laporte)

Download or subscribe to Security Now at https://twit.tv/shows/security-now.

You can submit a question to Security Now at the GRC Feedback Page: https://www.grc.com/feedback.htm

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: https://www.grc.com/securitynow.htm, also the home of the best disk maintenance and recovery utility ever written, Spinrite 6 (https://www.grc.com/sr/spinrite.htm).

Join Club TWiT for Ad-Free Podcasts! Support what you love and get ad-free audio and video feeds, a members-only Discord, and exclusive content. Join today: https://twit.tv/clubtwit

Sponsors:
  • threatlocker.com/twit
  • hoxhunt.com/securitynow
  • cohesity.com/Resilience
  • zscaler.com/security

Key Insights

  • Microsoft extended Windows 10 support another year (until October 2027) because consumer resistance to Windows 11 remains so strong that hardware shortages and costs make upgrading economically unfeasible for most users.
  • Meta's surveillance program exposed over 45,000 employee data tables containing full prompts, transcriptions, and performance data due to misconfigured access control lists, demonstrating that privacy-invasive data collection schemes carry inherent security risks that scale with scope.
  • The FortiBleed campaign compromised 86,644 Fortinet devices globally not through zero-day exploits but through credential stuffing using passwords from prior breaches, revealing that many organizations never rotate credentials after security incidents.
  • AI vulnerability discovery has become so automated and accessible that individuals with modest AI knowledge can now discover legitimate exploits in critical infrastructure, fundamentally eroding the scarcity value that once made vulnerability research a specialized domain.
  • The looping or iterative concept in AI—where models improve results by cycling through multiple refinement passes—demonstrates that non-deterministic systems benefit from repetition in ways deterministic computers never do, requiring fundamentally new approaches to AI deployment.

Topics

  • Windows 10 extended support
  • Meta employee surveillance breach
  • FortiBleed state-sponsored campaign
  • AI vulnerability discovery at scale
  • Loop engineering and AI iteration
  • Responsible disclosure challenges
  • Credential stuffing attacks
  • Kevin Mitnick legacy
  • Autonomous AI agents

Transcript

It's time for Security Now. Steve Gibson is here. We have lots to talk about. Good news for Windows 10 users. Yes, you're going to get another year. Meta's backed off on spying on its employees. A wonderful true story about hacker Kevin, the late hacker Kevin Mitnick, and the true story of a Fortinet campaign that really was a problem. Steve, I love it when he tells the stories of these hacks. You know, we've heard the news, but now we get the deep details. That's coming up next on Security Now. This episode is brought to you by Black Hat USA. If you listen to this show, you go deep on the technical detail. Well, so does Black…
