Silent Mode Cafe
Welcome to Silent Mode Cafe, the podcast where we translate the digital realm into plain English. From data privacy and basic internet security to smart home gadgets and the latest AI developments, we serve up tech insights with a side of caffeine.
Privacy News: Patch Now, Not Later
We break down urgent patches, a remote‑execution risk on tens of thousands of firewalls, and an AI browser flaw that leaks context. We also flag weaker federal support, a major airline breach, and leave you with a simple checklist to reduce risk now.
• Oracle E‑Business CVE and why fast patching matters
• Cisco firewall remote code execution and CISA’s directive
• Red team vs blue team across physical, social, and cyber
• Apple’s $2M bug bounty and device update urgency
• Government shutdown impact on CISA and data sharing
• AI browser “Comet jacking” and prompt injection risks
• Qantas Salesforce breach and phishing fallout
• A practical weekly security checklist and backups
Opening & Weekly Threat Rundown
SPEAKER_00Hey folks, you're listening to Silent Mode Cafe. Your weekly cybersecurity pulse uh that doesn't that doesn't just inform you. It aims you, literally aims you in the right direction. What's happening, Vivek?
SPEAKER_01Oh, and I'm Vivek. Thank you. Each week we bring down the top threats, breaches, and fixes that matter, uh, whether you're a sysadmin, a startup, or just two guys on Friday night talking about protecting their personal data is a topic that should happen every night of the week.
SPEAKER_00Right? I mean, seriously, let's get into these top stories this week. Huge stuff happening. Um, some of them are uh breaking fast and can hit you in the wallet, quite literally, like it's bad this week. Uh, your inbox, and even for you small startups out there, it's going to hit your infrastructure. Right.
Oracle E‑Business CVE and Why It Matters
SPEAKER_00All right. So look, um, Oracle, which by the way, houses all our TikTok data. Oracle has released a zero-day patch or a patch to solve for a zero day. Um, the vulnerability is in their E-Business Suite, and this is something a lot of small companies, aspiring startups, uh really go. They go to Oracle. Oracle is a trusted uh place to go get to utilize. Uh I'm just gonna BS here for a minute until you tell me why do I want to use Oracle as a small business? It's a great question. Ask Oracle. I have no idea, guys. I'm definitely not here to uh promote Oracle in any way. I'm just here to tell you that they have a CVE. What does CVE mean? Oh, I'm gonna have to Google that real quick. So a CVE, what it is, um a public announcement to a vulnerability fix. So when they have a vulnerability, so they have a zero day. Uh I don't know what the exploit actually is, but they have a zero day, which means there's something, any kind of an exploit they create a um a CVE for. I I should I should not specify zero day, but an ex when they find an exploit within their company and their software in their in whatever uh service that they're providing, they have to really publicly announce what that vulnerability is and the fix. Um this has to be done by law, and they just did this uh for they just released the CVE. So if you want to learn about it, you're one of those curious minds and you want to dig in, it's CVE-2025-61882, or you can just do uh a search right now through however you search these days, your favorite GPT, or uh, or if you're still in my generation, you're probably using a browser, Vivek. So, what should they do? They should patch it immediately, right? Yeah, or listen to this podcast, and then go patch it. Okay, yes.
Cisco Firewalls Under Emergency Directive
SPEAKER_00So tell me, Vivek, uh, this is a company that's familiar to you. What's going on with Cisco firewalls, man?
SPEAKER_01Oh man, this is our former companies bringing back memories.
SPEAKER_00Uh back in the day when I was young, I'm not a kid anymore. Go on.
SPEAKER_01And that is the issue with Cisco firewalls. So Cisco says about 50,000 of their firewalls are still vulnerable for what is called as remote code execution. Uh, they've published the major bugs. You can search for it. I don't want to bore you with it. It's it's it's long letters with numbers. But essentially, Cisco firewalls, uh, there are 50,000 of them uh that that are open to a remote execution vulnerability.
SPEAKER_00Oh remote execution. So that way someone we all know what remote is. Please don't don't don't you could be sitting in Hawaii. Please don't cyber explain this. Okay, no, don't cyber don't cyber explain it. Okay. Fine. It's uh um uh so the company CISA, not Cisco, excuse me, the the security association, the government. Yes. All right, fine, fine, fine. But you know, because they use a bunch of fire. It's a separate organization called CISA. They uh issued an emergency directive on this. And that's rare, but I think it's natural because I wonder, I wonder if that means they found a any kind of a red flag situation happening, and therefore the government's saying patch it now, you have to patch it. This is not a uh an option, right? The government's shut down right now, so we don't know not CISA, apparently.
SPEAKER_01No, there's reports which you hear later down is that CISA might be getting heavily impacted.
SPEAKER_00Oh, that's that's good new uh bad news. That's good news for red teams. Red teams. Oh, not the not not the blues, not the blue teams, not the blue team. What is a red team and a blue team? You just opened a can of worms.
SPEAKER_01Well, let's continue talking about it.
Red Team vs Blue Team: How Attacks Happen
SPEAKER_00So Vivek, Vivek, explain what is a red team and what is a blue team. And I know you have experience with both, so please adjudicate us.
SPEAKER_01No, I don't know what you're talking about. A red team is typically the team that simulates being attacking, and the blue team is a defensive team. Yes. And usually there's role play. And usually the better engineers and the red team, allegedly, than the blue team.
SPEAKER_00Typically, um, so look, the the difficult part is the blue team uh will test if they do their job right, they do a penetration testing on your organization, your whatever service that you provide, like a website, your infrastructure. So a thorough red team investigation or test, red team doing pen penetration testing will actually go through the entire gamut of being of physical, social, and cyber penetration to your organization. So let me explain each. Physical means that they try to access your infrastructure physically or access your network or your offices physically. So imagine in a busy front desk situation, you go in, you badge to go into your office, and another sharp-looking employee with their backpack or holding their laptop is on the phone like they're on a meeting, and they just coattail in behind you without badging in themselves, or they might pretend like they badged in, they might have a fake badge, and they follow you in and then they connect to the network, or they try to get access even deeper into data centers. Not that we know it about this in any way. Second aspect is social engineering. Social engineering is one of my favorite topics because I don't have to turn on any device for this, other than possibly my phone. Social engineering is everything from tracking you, knowing what your employees or you typically do in a day, and then they try to coincidentally be in that same location. So, for instance, if you hang out at a Panera all day, and at Panera, you tend to do all your work. Well, they will either sit near you or gain access to that network or create their own network without Panera knowing, which is not very difficult to do. Wi-Fi Pineapple is a very easy setup. Yeah, ISA's doing it today, by the way. I have no idea what you're talking about. Um, and we we can talk about that. They're using Stingrays a little more, I think.
SPEAKER_01Um moving with moving vans, yes.
SPEAKER_00Yeah, so you see uh a cool-looking van without any decals on it, without anything on it, just parked there with with like a cargo van with no windows. There's probably something nefarious happening in that van. And what they'll do is you will connect to them, and all your network traffic uh that you would think or you would hope is is encrypted is actually being captured uh by this. So they do things like this, and that's the social engineering aspect of it. That is actually a little more of a anyway. Um, the social engineering, I can call into a bank, and this is really interesting, folks. This is another thing you can you can do a search on. Great stories out there really good stories about social engineering. Um, and you can either pretend you're a company and or you pretend you're one of the partners, or you pretend you're one of the employees, or the CEO. Deep fakes are really taking advantage of the social engineering world right now. It's really exploding. The last is cyber, and cyber is just, you know, your typical geeky. I'm wearing uh a hoodie with a mask, and I'm sitting in front of a keyboard with this really cool screen with a bunch of crazy code running across it. Um, at least that's the way it looks in the movies. Uh reality is it's typically someone that looks that that looks like they're in the corporate world doing this work.
SPEAKER_01No, or or or a kid in a basement eating pizza.
SPEAKER_00Sometimes it's a kid in the basement with a lot of soda drinks laying. I'm careful not to not to uh promote any sugar drinks. Uh but what's a drink that's typically associated with with these folks? There's a there's there's definitely Mountain Dew, man. Mountain Dew is the drink of choice for hackers, apparently. Or it used to be.
SPEAKER_01I don't know what the new drink is.
SPEAKER_00Who knows? I mean, we are in a different generation and a different age. Vivek, you want to make two million dollars?
Apple’s $2M Bug Bounty and NGO iPhones
SPEAKER_01Well, well, if you do want to make two million dollars, then uh Apple has raised the bug bounty to two million, which means what is that that if which means that if you find a serious bug on an Apple platform, uh they will give you a bug bounty of up to two million dollars.
SPEAKER_00So if you are one of those high schoolers sitting in your mom's basement drinking Mountain Dews, haven't shaved, cut, or brushed your teeth in a week.
SPEAKER_01And but you did put away the garbage on Thursday.
SPEAKER_00Possibly if your parents forced you to, and you want to make two million dollars, uh, try to find a weakness in the Apple software and report it to Apple. Uh on their website, they have a bounty uh link. You you can search for it and you can fill out the form and submit, and you could make up to two million dollars. Holy cow, man. If you're that talented, why would you do anything else?
SPEAKER_01There's also a positive side to it. They're giving a thousand iPhones to uh NGOs fighting spyware. So it's basically smart PR at their end.
SPEAKER_00Wait a minute.
SPEAKER_01NGOs, non-government organizations.
SPEAKER_00I know what NGOs are. So NGOs, isn't that let's not go down that.
SPEAKER_01No, no, no, no. That'd be getting conspiratorial on a Friday.
SPEAKER_00Are we? Or is it conservative?
SPEAKER_01Let's move on, move on, move on, nothing to see, move on.
SPEAKER_00So tell me, tell me, uh, you said uh there's government shutdown situations happening.
Government Shutdown Weakens CISA and Info Sharing
SPEAKER_01So the government as uh as of October 10th, uh I don't know, 803 Pacific, the government PM is still shut down. So because of that, uh on the federal front, because of the budget gridlock, CISA, which is we talked about was the uh the cybersecurity agency the ones that put out the emergency directive for the Cisco Pix firewall is down to 35% of its staff.
SPEAKER_00That's scary.
SPEAKER_01That is scary.
unknownRight.
SPEAKER_00So CISA is under-resourced, uh, the central cyber safety net has a hole. Yeah. Thanks to the government shutdown. So these things, not only, you know, why do they matter? Sometimes we we try to find reasons that they should matter. Uh, this is why they matter, because these furloughs impact us in a very bad way sometimes.
SPEAKER_01Yeah, and also, I mean, people not getting paid, etc., right? There's significant impact. So it gets worse, right? Um, even the Cybersecurity Information Sharing Act that expired on October 1st, and Congress has to approve it. Uh, and the law gave companies legal cover to share intelligence. And now companies can't share intelligence. Oh no. Which is even more detrimental. Could be because one one of the ways uh is close collaboration amongst different companies when they find something. And sometimes, as goodwill, if some if a company found another company's security vulnerability, they would say it in a friendly way, quietly, so they could fix it. So there used to be a lot of that uh sharing of information, and uh we don't want to share anymore. And yeah, I mean, yeah, now the legal cover is gone, yeah. Which is an issue.
SPEAKER_00That is an issue. We have holes, basically. Houston. Uh Houston. We have a problem. We have a problem, yes. So uh um in other news, Comet jacking, Vivek, and it has nothing to do with space. AI browser flaw in Perplexity. So already already they just they released it. Like Perplexity was just released. It's it's actually their browser was just released, yes. Their browser, and actually, uh many people are using it that I know. Um, and a famous podcast, the number one podcaster in the world, says he uses it. Uh, they use it because they sponsor his podcast now. Um, and uh he should know, he should know that there's a problem with Comet.
AI Browser “Comet Jacking” and Prompt Injection
SPEAKER_01Comet jacking, is that's what they're calling it?
SPEAKER_00Comet jacking. Yeah.
SPEAKER_01So it hijacks the AI agent exposing sensitive information like emails or calendars.
SPEAKER_00That's hilarious. That is so funny. Well, it's been patched um in all browsers, but it's still the Wild West. I think we're just this we're scratching the surface.
SPEAKER_01The surface of AI browsers.
SPEAKER_00Imagine I mean they've the hijack vulnerabilities, yeah. Dude, uh who would have thunk, but uh you know, I could imagine how how that would happen, you know, like the prompt injection um is is big in AI. Yeah, and I'm surprised.
SPEAKER_01Oh well, okay. I'll just keep my mouth shut. But all right, well then it's it's a good test, right? Uh for future AI browsers that other companies are building. Test for prompt injection. Yeah.
SPEAKER_00That's that. So probably uh more to start showing up on AI. Uh Vivek. What's going on with Qantas? It's in the news, right?
SPEAKER_01Yeah. And apparently uh it's dealing with another serious data breach tied to its Manila call center uh and the target Salesforce. It's the Qantas Salesforce instance in Manila. And they've stolen 5.7 million uh customers' data.
SPEAKER_00So that this impacts uh Australian Airlines is for one point.
SPEAKER_01Yeah, and if you flew Australian Airlines, you'd be in trouble. Yeah, so um addresses, birth dates.
Qantas Salesforce Breach and Phishing Fallout
SPEAKER_00So guess guess who guess who guess who did it? So the c the the hacking team, the hacking group, um, Scattered Lapsus$, Scattered Lapsus$ Hunters. So this isn't their first go-around. If you look them up, Scattered Lapsus$, they actually do let the world know what they have done. Um, and they love bragging about it. So they're claiming that they stole 5.7 million customers' data.
SPEAKER_01That's yeah. I mean, this news is like so frequent every week, you know. At some point, I think we're all getting numb to it, but it's just doesn't stop, you know.
SPEAKER_00These kind of leaks, man, they're um they're they're truly gold mines for phishing and identity theft.
SPEAKER_01Yeah.
SPEAKER_00So expect scams to follow.
SPEAKER_01Yes.
SPEAKER_00So what should we do this week, Chu?
SPEAKER_01So let's uh flip the script. Let's uh have our Silent Mode Cafe checklist for the week. Silent Mode Cafe checklist. Let's go. What do you got? Uh why don't you start with Oracle?
SPEAKER_00If you use Oracle, patch immediately. I mean, uh don't delay. The government is telling you this is serious. So that means they know something, go patch it. Typically, organizations like to wait a few days for the weekend when they're not operational, but do it immediately.
The Silent Mode Cafe Action Checklist
SPEAKER_01The second part of the checklist, check your Cisco firewalls uh for or any networking gear. If it's not up to date, uh please uh you're vulnerable and similar to what Sula just said, please apply the latest patch.
SPEAKER_00Apply it. And if you use an Apple device, uh, the more incentive Apple gives hackers to report bugs, the faster it'll get protected if you stay current. So that's a great one. The action there is update your iPhone immediately.
SPEAKER_01Uh the fourth, because of the government shutdown, review your company's disclosure policy without CSAP protections, which have expired as of October 1st. There may be new legal risk when sharing threat data.
SPEAKER_00So look, folks, if you use browser extensions, such as like you say, I want ChatGPT to be used in my whatever browser you use, or you want um any kind of an integration like a Copilot with with your with your browsers, um, they're they're they're taking a lot of data. Um, and if something has too much autonomy to what it can do, uh then then it's uh it's a big liability to you personally.
SPEAKER_01Yeah. And second to last, uh please watch for phishing attacks, especially if you've used services like Qantas or belong to loyalty programs, which all of us who fly belong to some form or the other loyalty programs.
SPEAKER_00Big time. I wonder if it's hitting just just airlines and hotels and others, but I don't know. Um, so that's really interesting. So look, there's a topic we don't normally talk about, um, which is backup. So for from a personal perspective, you can back up your phone, right? There, your phone can backup, turn that on.
SPEAKER_01These user backups.
SPEAKER_00If you have hardware, uh you can you can go to Amazon and you can buy like a terabyte, which is a very small drive these days for incredibly low cost, like 20-30 bucks. Yes, right? 50 for high-end ones, a hundred if you want like terabytes of of data that you want to store. Back it up on hard drives if you have sensitive information, like your family's photos and videos of your children, or or things that you uh that you want to hold on to. Um back it up, back it up online, back it up on hard drives. Still the best way to go. Well, Vivek, that's it. That's the security rundown this week.
Backups That Actually Save You
SPEAKER_00Um, folks, uh, this isn't hypothetical. None of nothing that we said today were hypotheticals. Um, they're active threats, uh, and they're creeping, especially with AI, closer to us every day.
SPEAKER_01Yeah, so please stay alert, uh, please stay updated, uh, and don't trust silence. Yeah, I like that. Yeah, because silence in security is always a question mark, you know.
SPEAKER_00Well, you know, um it's just waiting for a breach, right? It's just waiting for something bad to happen. And if this episode gave you something to act on, pass it along, uh, respond to us, let us know if you have any questions, drop us a line, folks, follow us, hit that like, subscribe, follow, comment, share, do all that. Um, we're trying to have some fun here and raise everyone's IQ when it comes to your personal security and what's going on in the world that you may not hear anywhere else.
SPEAKER_01So till next week, uh we're uh I look forward to your travels. So now hopefully you have fun travels. Uh tell us all about what's going to happen in the world.
SPEAKER_00I'll let you know when I'm back on an international front. Yep.
SPEAKER_01Uh so till next week.
SPEAKER_00Keep it in silent mode, folks. Keep it in silent mode. Talk to you then. Talk to you then. Bye.