Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Microsoft issues an emergency fix for a Windows update that locks users out. Pwn2Own Berlin 2025: hackers breach Windows 11, Red Hat Linux and VirtualBox. And that was on day one. US experts flag hidden devices in Chinese-made solar equipment, and the Consumer Financial Protection Bureau quietly backs down on regulating data brokers.
(00:24):
This is Cybersecurity Today. I'm your host, Jim Love. Microsoft has released an urgent patch after recent Windows updates triggered BitLocker recovery mode on some systems, leaving users locked out without warning. The issue stems from the May security update, which caused certain enterprise and government systems using Intel vPro chips and Trusted Execution Technology
(00:49):
or TXT to enter BitLocker recovery. Affected users were asked to provide a recovery key, something many don't readily have. Microsoft has released patch KB5061768, available for manual download through the Microsoft Update Catalog. It's not yet part of automatic updates.
(01:12):
Users who are already locked out need to locate their BitLocker recovery key, usually stored in their Microsoft account or perhaps with their IT department. For users who aren't locked out yet, Microsoft recommends applying the patch as soon as possible in case it does happen to you. As a temporary workaround, tech-savvy users or IT admins could disable the
(01:35):
Intel TXT and VT-d settings in BIOS, boot the system, apply the patch, but try not to forget to enable those security features when you get the fix. Actually, better still, if you want my take on it, get the emergency fix instead. While home users are unlikely to be affected, the bug underscores
(01:56):
how updates, even security ones, can disrupt critical systems. And if you've dodged the bullet this time, it's a good reminder for support to review the BIOS configurations on their Intel-powered machines, and ensure that they have recovery keys stored securely and accessibly. Apparently, you never know when you might need them.
(02:18):
I am losing track here now. Have we had a successful Microsoft update this year? In case you missed it, last week the opening of Pwn2Own Berlin 2025 had security researchers demonstrate successful zero-day exploits against Windows 11, Red Hat Linux, and Oracle VirtualBox.
(02:39):
All on day one of the conference, these and other exploits earned participants a combined $260,000 in prize money. The DEVCORE Research Team's Pumpkin exploited an integer overflow to escalate privileges in Red Hat Linux for a $20,000 prize. Another team achieved root access using a combination of vulnerabilities,
(03:01):
earning $15,000. STAR Labs SG's Chen Le Qi combined a use-after-free and integer overflow to gain system privileges on Windows 11, which earned him $30,000. Additional exploits by other researchers also achieved system-level access, and that got two of them $30,000 and $15,000 respectively.
(03:24):
Team Prison Break used an integer overflow to escape the virtual machine in Oracle VirtualBox and execute code on the host OS, earning $40,000. Vendors have 90 days to address these vulnerabilities before public disclosure, but they might also want to try hiring some of these people to do their quality control.
(03:45):
I know that Microsoft should have a few bucks to be able to hire a few people after shedding 6,000 employees. And given the previous story about their patch failures and the three groups that were quite easily busted through their security, Microsoft might want to consider hiring a few more people for quality control, and I'm sure even Oracle and Red Hat could come up with a few bucks to get some additional in-house expertise.
(04:11):
Security teams in the US have discovered undocumented communications hardware in Chinese-made solar inverters and batteries, raising concerns about remote access risks to the power grid, but stopping short of confirming any cyber attack. According to a May 2024 Reuters investigation, private companies and US
(04:31):
utilities found embedded communications devices such as cellular modems in power equipment imported from China. These components weren't listed in product manuals and could potentially allow remote access that bypasses standard firewalls. The report describes this as a serious potential vulnerability. Some experts fear the hardware could be used to disable or disrupt
(04:54):
parts of the US electrical grid. One incident from November where inverters were remotely shut down is also noted, but there's no confirmed link to China or any clear evidence of intentional sabotage. Many modern inverters, regardless of their origin, include remote management features for updates and diagnostics.
(05:16):
The problem arises when such features aren't disclosed to operators or regulators, creating blind spots in security protocols. US officials are taking the risk seriously, but have not publicly released evidence of any attack. The Chinese government, for its part, denies wrongdoing and accuses Washington of politicizing trade and technology concerns.
(05:38):
Now, this issue is about trust and transparency in critical infrastructure. US energy firms are now facing new pressures to scrutinize imported hardware, especially as the grid becomes more decentralized and dependent on smart devices. So while no kill switch has been proven, the findings have already triggered a reevaluation of equipment sourcing and raised calls for
(06:01):
stronger supply chain controls. And the FBI is sounding the alarm on a new wave of phishing attacks that skip links entirely. Instead, the scammers are using AI-generated messages to lure victims into responding directly, a tactic that evades traditional security filters. In a recent public service announcement, the FBI highlighted a growing trend.
(06:25):
Attackers are now crafting emails, texts, and messages that don't include suspicious links or attachments. The initial messages are often harmless, impersonating someone who the user might know or trust. They provide personalized, believable content to eventually trick victims into replying with sensitive information such as passwords,
(06:46):
personal data, or even payment details. These linkless phishing messages are especially effective because they can bypass spam filters and security systems that look for malicious URLs. But once the victim replies, attackers continue the conversation to gather more information and escalate the scam.
(07:07):
Now, often referred to as business email compromise, BEC, or impersonation fraud, this method uses generative AI to mimic writing styles and even voices. It can appear to come from a boss, a government agency, or a trusted vendor without any of the usual red flags like suspicious links.
(07:27):
The rise of linkless phishing makes traditional training and security tools less effective. So the FBI's encouraging individuals and businesses to verify unexpected messages even if they seem harmless, and avoid sharing sensitive information without direct confirmation of who you're talking to.
(07:48):
We've been critical of some governments' inability to develop proper consumer protection with privacy and security regulations. Are you listening, Government of Canada? But the Consumer Financial Protection Bureau, the CFPB, in the US has taken this a step further, withdrawing a proposed rule aimed at restricting data brokers
(08:11):
from selling Americans' sensitive personal information without their consent. Originally introduced by former CFPB director Rohit Chopra, the rule intended to put some controls in place to protect privacy, and since data brokers seem to be hacked regularly, adding some level of protection for consumer information. Acting director Russell Vought cited
(08:35):
changes in the bureau's policy and a revised interpretation of the Fair Credit Reporting Act in canceling the rule. Privacy advocates and organizations like Common Defense and Demand Progress strongly condemned the move, warning it jeopardizes consumer safety and even national security. Not sure about the last one, but consumer safety?
(08:57):
Absolutely, definitely. Meanwhile, industry groups like the Financial Technology Association, representing the financial services industry, supported the rollback, claiming the rule exceeded CFPB authority. The rule's withdrawal coincides with a significant downsizing at the CFPB, that part of a broader government restructuring supported by Elon Musk's
(09:20):
DOGE group, who has advocated for the agency's complete elimination. You can be an advocate of lean government and still believe that data brokers are not something we want to have unregulated. And that's our show for today. Glad to be back. I've given you my opinion on data brokers. You can reach me with yours or other comments, questions,
(09:42):
or confidential tips at editorial@technewsday.ca or on LinkedIn. And if you're watching this on YouTube, just leave me a note under the video. I'm your host, Jim Love. Thanks for listening.