{"id":35070,"date":"2025-12-19T07:10:32","date_gmt":"2025-12-19T15:10:32","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=35070"},"modified":"2025-12-19T07:11:23","modified_gmt":"2025-12-19T15:11:23","slug":"sb-2025-12-19","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2025\/12\/sb-2025-12-19\/","title":{"rendered":"Security Bits \u2014 18 December 2025"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>Yet another real-world example of the dangers of poor secret hygiene: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/over-10-000-docker-hub-images-found-leaking-credentials-auth-keys\/\">Over 10,000 Docker Hub images found leaking credentials, auth keys \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>\ud83c\uddec\ud83c\udde7 <a href=\"https:\/\/cyberinsider.com\/uk-fines-lastpass-1-2m-over-2022-data-breach-impacting-1-6-million-users\/\">UK fines LastPass \u00a31.2M over 2022 data breach impacting 1.6 million users \u2014 cyberinsider.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Deep Dive \u2014 Google&#8217;s New Agentic AI Browser Security Framework<\/h2>\n<p>There have been a lot of conversations around Agentic AI browsers on the NosillaCast recently, and the one thing they&#8217;ve all had in common is a resounding warning to be very cautious at the moment because we&#8217;re still in the wild west-like early days, where there are a lot of very dangerous bugs. 
One of the things I have been saying is that we need a fundamental change in architecture to avoid the core problem of having the prompt and the content of the web pages being interacted with going into the same LLM, which makes prompt injection almost inevitable.<\/p>\n<p>Google have just released details of their planned architecture to start addressing those problems in Chrome. Their approach is interesting and promising, so while this is not the end of the wild-west days, nor even the beginning of the end, it just might be the end of the beginning (as Churchill might have put it).<\/p>\n<p>Google&#8217;s architecture has the following key components:<\/p>\n<ol>\n<li>The so-called <em>User Alignment Critic<\/em> \u2014 a completely separate LLM that is never fed any content from the web, so it can&#8217;t be prompt-injected. It watches over the agent&#8217;s activities to ensure they remain aligned with the user&#8217;s best interests. This is AI watching AI, so it can&#8217;t ever be perfect, but having an isolated AI that can&#8217;t be prompt-injected is a very promising idea.<\/li>\n<li>So-called <em>origin sets<\/em> \u2014 this is basically the AI version of the existing same-origin model used to restrict JavaScript code from reaching outside of the website the user explicitly visited. This stops a rogue agent from accessing random sites as the user.<\/li>\n<li>Google will show the user exactly what the agent is doing through what amounts to a real-time activity log, and dangerous actions will require explicit confirmation to proceed.<\/li>\n<li>A third AI will check the content the agent is about to ingest as context for known kinds of prompt injection. 
Again, this can&#8217;t ever be perfect, but like anti-virus software, it should weed out everything but the most novel and innovative techniques.<\/li>\n<\/ol>\n<p>Google are also putting their money where their mouth is by adding new categories to their bug bounty program to cover these new security controls.<\/p>\n<h3>Links<\/h3>\n<ul>\n<li>A nice summary: https:\/\/www.bleepingcomputer.com\/news\/security\/google-chrome-adds-new-security-layer-for-gemini-ai-agentic-browsing\/<\/li>\n<li>A good detailed explanation: https:\/\/cyberinsider.com\/google-launches-new-security-architecture-for-ai-agents-in-chrome\/<\/li>\n<\/ul>\n<h2>Discussion \u2014 AI Agents in Meetings<\/h2>\n<p>Allison suggested a free-form discussion based on this communiqu\u00e9 received by a Nosillacastaway: <a href=\"https:\/\/it.uw.edu\/guides\/security-authentication\/read-ai-deactivation\/\">Important Security Notice: Required Deactivation of Read AI \u2014 it.uw.edu\/\u2026<\/a> (UW is the University of Washington in the US).<\/p>\n<p><strong>Related insight from Bart:<\/strong> Maynooth University similarly do not allow third-party AI tools to integrate into meetings, but they do allow the corporate version of Microsoft Copilot. Why? Because Microsoft offer guaranteed data boundaries and certify compliance with relevant legislation like GDPR. 
Organisations using the corporate version of Copilot can be sure their data does not leave their Office365 tenancy when it&#8217;s processed by Microsoft&#8217;s various Copilots.<\/p>\n<h2>\u2757 Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action: if any stories in this section are relevant to you, there is some action you should take.<\/aside>\n<ul>\n<li><a href=\"https:\/\/krebsonsecurity.com\/2025\/12\/microsoft-patch-tuesday-december-2025-edition\/\">Microsoft Patch Tuesday, December 2025 Edition \u2014 krebsonsecurity.com\/\u2026<\/a> (56 patches, including one for a Zero-day)<\/li>\n<li>Apple&#8217;s \uf8ffOS 26.2 updates are more than just bug fixes and new features: there are fixes for some zero-days in there.\n<ul>\n<li>https:\/\/support.apple.com\/en-us\/125884<\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/google-fixes-eighth-chrome-zero-day-exploited-in-attacks-in-2025\/\">Google fixes eighth Chrome zero-day exploited in attacks in 2025 \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li>\u26a0\ufe0f <strong>PC Users:<\/strong> <a href=\"https:\/\/cyberinsider.com\/major-motherboard-brands-vulnerable-to-pcie-attacks-by-rogue-peripherals\/\">Major motherboard brands vulnerable to PCIe attacks by rogue peripherals \u2014 cyberinsider.com\/\u2026<\/a>\n<ul>\n<li>The affected brands are <strong>ASRock<\/strong>, <strong>ASUS<\/strong>, <strong>GIGABYTE<\/strong> &amp; <strong>MSI<\/strong><\/li>\n<li>Physical access is required to abuse this flaw, so that limits many people&#8217;s exposure<\/li>\n<li>Firmware updates have been released by all four vendors<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li>A great illustration of why there is no such thing as a back door just for the goodies: <a 
href=\"https:\/\/appleinsider.com\/articles\/25\/12\/11\/hackers-posed-as-law-enforcement-to-gain-private-apple-account-data\">Hackers posed as law enforcement to gain private Apple Account data \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<li>A great illustration of why data validation is important: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/beware-paypal-subscriptions-abused-to-send-fake-purchase-emails\/\">Beware: PayPal subscriptions abused to send fake purchase emails \u2014 www.bleepingcomputer.com\/\u2026<\/a>\n<ul>\n<li>It should not be possible for attackers to add anything but a URL into the <em>Customer Service URL<\/em> field!<\/li>\n<li>Pay attention to the labels on things \u2014 if data appears next to an inappropriate label, consider that a red flag!<\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/cyberinsider.com\/ghostpairing-attack-hijacks-whatsapp-accounts-without-stealing-passwords\/\">GhostPairing attack hijacks WhatsApp accounts without stealing passwords \u2014 cyberinsider.com\/\u2026<\/a>\n<ul>\n<li>Tricks users into scanning the QR Code to authorise a device link, logging the attackers in as the user!<\/li>\n<li>Beware of scanning QR codes in unexpected places \u2014 always remember a QR code is a URL in a pretty costume, look up and check the address bar when you arrive at a destination, and always read all warning messages carefully!<\/li>\n<\/ul>\n<\/li>\n<li>Suggested Reading (nothing you can do to protect yourself ATM \ud83d\ude41): <a href=\"https:\/\/cyberinsider.com\/tool-allows-stealthy-tracking-of-signal-and-whatsapp-users-through-delivery-receipts\/\">Tool allows stealthy tracking of Signal and WhatsApp users through delivery receipts \u2014 cyberinsider.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li><a href=\"https:\/\/cyberinsider.com\/firefox-146-introduces-encrypted-local-backups-for-windows-users\/\">Firefox 146 introduces encrypted local backups for Windows users \u2014 
cyberinsider.com\/\u2026<\/a>\n<ul>\n<li><strong>Related Suggested Reading:<\/strong> <a href=\"https:\/\/blog.mozilla.org\/en\/mozilla\/leadership\/mozillas-next-chapter-anthony-enzor-demeo-new-ceo\/\">Mozilla\u2019s next chapter: Building the world\u2019s most trusted software company \u2014 blog.mozilla.org\/\u2026<\/a> (Message from new CEO)<\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/cyberinsider.com\/telegram-adds-passkey-support-for-secure-friction-less-logins\/\">Telegram adds passkey support for secure frictionless logins \u2014 cyberinsider.com\/\u2026<\/a> (Mine is set up \ud83d\ude42)<\/li>\n<\/ul>\n<h2>Interesting Insights<\/h2>\n<aside class=\"small-aside\">High-quality opinion and editorial content recommended by Bart.<\/aside>\n<ul>\n<li><strong>Suggested reading:<\/strong> <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/mitre-shares-2025s-top-25-most-dangerous-software-weaknesses\/\">MITRE shares 2025&#8217;s top 25 most dangerous software weaknesses \u2014 www.bleepingcomputer.com\/\u2026<\/a>\n<ul>\n<li>Disturbingly little changes year-to-year or even decade-to-decade; developers are still making the same trivial dumb mistakes \ud83d\ude41<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything upbeat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li><strong>From Bart:<\/strong> <a href=\"https:\/\/isc.sans.edu\/diary\/rss\/32584\">Positive trends related to public IP ranges from the year 2025 \u2014 isc.sans.edu\/\u2026<\/a><\/li>\n<li><strong>From Allison:<\/strong> Joop (aka @oetgrunnen in our <a href=\"https:\/\/podfeet.com\/slack\">Podfeet Slack<\/a>) posted a video from Functional Excel explaining how to make an animated Christmas tree: <a href=\"https:\/\/podfeet.slack.com\/archives\/CDD96SGSD\/p1765798749472389\">podfeet.slack.com\/&#8230;<\/a>\n<ul>\n<li>If you don&#8217;t want to join our Slack, just search online for &#8220;animated Christmas tree in 
Excel&#8221; and you&#8217;ll find lots of examples. I made one and invented my own Menorah! Happy Holidays, folks!<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<div class=\"group figure-center\" style=\"text-align:center;\">\n<p><img decoding=\"async\" src=\"https:\/\/podfeet.com\/blog\/wp-content\/uploads\/2025\/12\/excel-christmas-tree.gif\" alt=\"blinking red green yellow dots on green background in the triangle shape of a tree\" style=\"width: 25%; height: auto; margin:0 1em;\"\/><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/podfeet.com\/blog\/wp-content\/uploads\/2025\/12\/excel-menorah.gif\" alt=\"blinking red yellow dots above candles in a menorah\" style=\"width: 25%; height: auto; margin:0 1em;\"\/><\/p>\n<\/div>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link, it is the title of the page being linked to, when the text describing a link is not part of the link, it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">\ud83c\udfa7<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\u2757<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udcca<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83e\uddef<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> 
\ud83d\ude42<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udcb5<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udccc<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83c\udfa9<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83c\udfa6<\/td>\n<td align=\"left\">A link to <strong>video content<\/strong>.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. Yet another real-world example of the dangers of poor secret hygiene: Over 10,000 Docker Hub images found leaking credentials, auth keys \u2014 www.bleepingcomputer.com\/\u2026 \ud83c\uddec\ud83c\udde7 UK fines LastPass \u00a31.2M over 2022 data breach impacting 1.6 
[&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":28385,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_post_was_ever_published":false},"categories":[147,214],"tags":[7728,50,569],"class_list":["post-35070","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-agentic-ai","tag-security","tag-security-bits"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2023\/05\/Security-Bits-Logo_1040x520.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/35070","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=35070"}],"version-history":[{"count":13,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/35070\/revisions"}],"predecessor-version":[{"id":35083,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/35070\/revisions\/35083"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/28385"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=35070"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=35070"},{"taxonomy":"post_tag","embeddable":true,"href":"https:
\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=35070"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}