
SANS Internet Storm Center Podcast Highlights Critical Cybersecurity Issues
In the September 5, 2025 edition of the SANS Internet Storm Center's Stormcast podcast, Johannes Ullrich, recording from Jacksonville, Florida, addresses several crucial cybersecurity topics.
The first topic discussed is the incident involving a fraudulent certificate issued for the IP address 1.1.1.1, the address of a widely used public DNS resolver. Cloudflare published a blog post detailing the findings of its investigation into this incident. The underlying issue is the use of TLS in protocols like DNS over TLS and DNS over HTTPS, where the certificate is what lets a client verify that it is talking to the correct resolver. Unlike typical connections, connections to DNS resolvers are often made to an IP address rather than a hostname, so the certificate has to cover the IP address itself. Cloudflare usually obtains its certificates from DigiCert, but in this case a certificate was issued by a different authority, allegedly for internal testing. Although Cloudflare did not detect any misuse of this certificate, the incident raises questions about the issuance practices of certificate authorities. Cloudflare has also reviewed its own procedures and is working to improve its internal alerting so that such incidents are detected in the future.
Another important point addressed is the use of AI models and the associated risks. Palo Alto Networks' Unit 42 published a blog post on the dangers of using AI models, particularly those hosted on platforms like Hugging Face. The issue is that a model's name is tied to the author's account name. If an author deletes their account, someone else can recreate an account with the same name and replace the existing models with malicious versions. This poses a significant risk, because many AI models are distributed as Python pickle files, which can contain executable code that runs when the model is loaded. It is therefore crucial to monitor changes and pin versions to minimize these risks.
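To show why a pickle-based model is executable rather than passive data, here is an added example (not code from the podcast, Unit 42 or Hugging Face) that walks a pickle's opcode stream with pickletools without ever unpickling it and flags any imported global outside an assumed allowlist; the allowlist entries and both sample pickles are constructed for this illustration.

```python
"""Static scan of a pickle stream for code-executing opcodes, without ever loading it."""
import io
import pickle
import pickletools

# Assumed allowlist: globals a plain PyTorch-style state_dict pickle legitimately references.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
    ("torch", "FloatStorage"),
}
# Opcodes that call a callable during unpickling; this is where __reduce__ payloads fire.
CALL_OPS = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX"}


def scan_pickle(data: bytes) -> dict:
    """Walk the opcodes with pickletools.genops and collect every global the stream imports."""
    globals_seen, call_ops = [], []
    pushed, memo = [], {}  # rough model of the unpickler stack and memo, needed for STACK_GLOBAL
    for op, arg, _pos in pickletools.genops(io.BytesIO(data)):
        name = op.name
        if name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8"):
            pushed.append(arg)  # protocol 4 string pushes (STACK_GLOBAL exists only in protocol 4)
        elif name in ("GET", "BINGET", "LONG_BINGET"):
            pushed.append(memo.get(arg))
        elif name == "MEMOIZE":
            memo[len(memo)] = pushed[-1] if pushed else None
        elif name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = pushed[-1] if pushed else None
        elif name in ("PROTO", "FRAME", "STOP"):
            continue
        else:
            if name in ("GLOBAL", "INST"):
                globals_seen.append(tuple(arg.split(" ", 1)))  # arg is "module name"
            elif name == "STACK_GLOBAL" and len(pushed) >= 2 and all(isinstance(s, str) for s in pushed[-2:]):
                globals_seen.append((pushed[-2], pushed[-1]))
            if name in CALL_OPS:
                call_ops.append(name)
            pushed.append(None)  # every other opcode leaves a non-string value on the stack
    suspicious = [g for g in globals_seen if g not in ALLOWED_GLOBALS]
    return {"globals": globals_seen, "call_ops": call_ops, "suspicious": suspicious, "safe": not suspicious}


class _ConstructedReducer:  # constructed sample: unpickling would call print(); the scanner never loads it
    def __reduce__(self):
        return (print, ("constructed marker",))


BENIGN_PICKLE = pickle.dumps({"layer.weight": [0.1, 0.2, 0.3]}, protocol=4)  # pure data, imports nothing
CALLING_PICKLE = pickle.dumps(_ConstructedReducer(), protocol=4)  # STACK_GLOBAL builtins.print, then REDUCE
```

Run against a downloaded model file, a non-empty `suspicious` list is the signal to stop before `torch.load` or `pickle.load` ever runs; a real deployment would also pin the model to a specific revision and compare file hashes against the pinned ones.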
Finally, Johannes Ullrich discusses a recently patched vulnerability in macOS, discovered by security researcher Ko Nagawa. The vulnerability involved the gcore utility, which had excessive permissions that allowed it to create complete memory dumps of processes, including protected memory regions used to store keys. This let an attacker obtain the master key used to encrypt and decrypt the keychain file. The vulnerability was fixed in macOS 15.3, highlighting the importance of keeping systems up to date.
In conclusion, this edition of Stormcast sheds light on several critical aspects of cybersecurity, ranging from fraudulent certificates to risks associated with AI models and operating system vulnerabilities. This information is essential for security professionals seeking to protect their systems against emerging threats.