As Day 99 rolls in, the tension between convenience and control is louder than ever. From AI vulnerability studies to legacy server breaches, the cracks are forming โ and theyโre no longer just human.
๐ค The Explosive Growth of Non-Human Identities (NHIs)
New research highlights a massive rise in non-human digital identities โ think bots, APIs, service accounts โ and with it, massive attack surface expansion. NHIs often lack MFA, have static keys, and are rarely monitored. Theyโre the perfect blind spot.
๐ https://thehackernews.com/2025/04/explosive-growth-of-non-human.html
๐งธ โLovableโ AI Found Most Vulnerable to Social Engineering
A fascinating study shows that AI personas designed to be friendly or emotionally engaging are far more susceptible to manipulation. The takeaway? Empathy-based design introduces new threat vectors. Even AI can be too trusting.
๐ https://thehackernews.com/2025/04/lovable-ai-found-most-vulnerable-to.html
๐ Tariffs Driving Up Global Cyberattacks
Geopolitical tensions are bleeding into cyberspace. Analysts warn that new tariffs are sparking retaliatory cyber campaigns โ not just by nation-states, but by hacktivists and opportunistic actors. Trade war meets code war.
๐ https://www.darkreading.com/cyber-risk/tariffs-increase-global-cyberattacks
๐ (duplicate confirmed)
๐ฉ OCC Hit with Major Cyber Incident, Email Data Exposed
The Office of the Comptroller of the Currency is investigating a major cyber incident involving executive and employee emails. Regulatory bodies being targeted signals how bold and capable attackers are becoming โ especially when trust is the ultimate currency.
๐ https://www.darkreading.com/vulnerabilities-threats/occ-major-cyber-incident-executive-employee-emails
๐ฃ CrushFTP Exploitation Sparks Disclosure Debate
The ongoing CrushFTP exploitation saga reveals cracks in vulnerability disclosure culture. With researchers and vendors clashing over timelines, weโre reminded that coordination and communication are as critical as code fixes.
๐ https://www.darkreading.com/vulnerabilities-threats/crushftp-exploitation-disclosure-dispute
๐งจ Oracle Breach Linked to Two Obsolete Servers
Oracle confirmed that a breach originated from two obsolete servers still connected to critical infrastructure. Itโs a classic case of โforgotten but functionalโ โ and it cost them. Sunsetting tech isnโt just technical debt; itโs active liability.
๐ https://www.darkreading.com/cyberattacks-data-breaches/oracle-breach-2-obsolete-servers
๐ Zero-Day Report: WLB-2025040015
A new zero-day affecting a widely-used internal data processing library has been added to the CXSecurity database. Itโs still under analysis, but early chatter suggests privilege escalation potential. Worth keeping an eye on.
๐ https://cxsecurity.com/issue/WLB-2025040015
๐ญ Reflection
Itโs Day 99, and I keep circling back to the theme of non-human complexity. Whether itโs forgotten servers, friendly AIs, or unmonitored service accounts โ the edges of security are fraying in places that arenโt always human-shaped. As I sharpen my CISSP focus, especially around identity, operations, and architecture, Iโm reminded that true security isnโt about locking the doors โ itโs about knowing where all the doors even are.
