
SANS Stormcast Thursday, March 26th, 2026: Apple Patches; SmartApeSG Update; Trivy/LiteLLM/TeamPCP Update; Google Accelerates Quantum Safe Crypto Rollout

Direct link to the audio file: https://traffic.libsyn.com/securitypodcast/9866.mp3

Podcast Transcript

Hello and welcome to the Thursday, March 26, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Graduate Certificate Program in Purple Team Operations.

Well, let's start with Apple patches. They actually came out yesterday, but due to the relatively large LiteLLM and Trivy story, we didn't really have time for them yesterday. So Apple patched, as usual, everything, covering 85 different vulnerabilities across their different operating systems with the usual overlap between them. For iOS, we actually also got patches for the last version, so iOS 18. macOS, well, a total of three versions, so the current one, 26, as well as 15 and 14. The remaining operating systems we only got for the current version. Now, a little bit of an odd case here with watchOS. We got updates for two more versions, but the updates there state that they don't fix any security issues. So the security issues affecting watchOS 26 may not affect these older versions, or they just haven't gotten around yet to patching them. Remember, there was this big hoopla lately about some newer Apple malware that used some vulnerabilities that were patched before. So these are not recent vulnerabilities, but in the past they have been used more in these more sophisticated spyware, government malware kind of packages. They're now used more widely, and that's overall always sort of a trend where, you know, what used to be a more sophisticated and limited vulnerability or exploit a couple of years ago tends to trickle down to become more of a mass exploit. So definitely make sure that you keep your systems up to date. None of the vulnerabilities being patched here is labeled as being already exploited.

Well, I have a quick update to the LiteLLM, TeamPCP, Trivy story from yesterday. Just a couple of items, actually two items. First of all, after I recorded yesterday, I actually learned that SANS had a special webcast today. The webcast has been archived and I added a link to the show notes. I was able to add a link to yesterday's show notes, but, well, it was too late when I found out to actually mention it in the show itself. Well, Ken Hartman and Eric Johnson are talking about these attacks and about sort of the entire supply chain attack issue. And then we also got an email from Michael Rosenfeld, who wrote a nice blog post about some of the issues around, you know, pinning to a particular git hash, like pinning to these SHA hashes, what you have to be aware of here, that you're doing it correctly and are still not vulnerable to it.

And then just a general comment: one of the number one things that you need to do if you ran LiteLLM or any one of these affected products here is you need to be able to rotate your credentials. You should do that even if you just have a suspicion, if you aren't sure if you had that actual vulnerable version; you should still rotate your credentials. Even, well, probably if you don't think you're affected at all, it may be a good idea to rotate your credentials, just to know that you can actually do it. Because it's not easy. Remember how one of the problems here was that, you know, initially some of the credentials weren't completely rotated at the first compromise. It's not easy to do it correctly. You'll only do it right if you sort of automate it, if you do it routinely. And that's why it shouldn't really be one of those sort of special things that you're doing. I know it is, and I know it's not easy. I mentioned secrets management yesterday. That's sort of one of the things that you really have to get under control for these attacks.

TeamPCP, actually PCP, not PNP. I think I call them sometimes a little bit wrong here. But TeamPCP, they actually mentioned to some journalists who were able to get in contact with them that they have something like 300 gigabytes of credentials. So like I said, this is just the tip of the iceberg now. And basically they have too many credentials now. They need to sort of go through them and filter out which ones are worth actually, you know, attacking further. So that's just a quick sort of add-on here to yesterday's story.

Heather Adkins and Sophie Schmieg with Google published a blog post stating that, well, Google is now aiming to move to quantum safe cryptography by 2029. They moved up their timeline here somewhat, basically accelerated the switchover, looking at, well, sort of the current threat landscape, essentially. Of course, Google has been involved in quantum computing for quite a while and has been practicing it, has had quantum computers on site, been working with them. So they certainly do have some understanding of the capabilities of the systems and how they are currently evolving. I've talked last year about some of the breakthroughs that came, like, from Microsoft and such. On the other hand, you also have to understand that Google has to work with a fairly accelerated timeline here, because a lot of others are essentially waiting on Google to implement things like quantum safe algorithms in operating systems like Android, in Chrome, which already supports it, of course. So they must be sort of at the forefront here. They also sort of explain that in their blog post. But what this really means for you is that, you know, with the industry leaders like Google kind of moving ahead with that, you probably will have the tools you need to switch over to quantum safe algorithms shortly after that. I would say, you know, 2030 to 2032 is probably when you can sort of set your own goal to switch to quantum safe algorithms, or at least to offer them to your customers, because by then, you know, given that 2029, a lot of operating systems will contain those algorithms, you will have a good chance to find the industry support that you need in order to switch over.

Well, and this is it for today. So thanks for listening. Thanks for liking and thanks for subscribing to this podcast. And as always, talk to you again tomorrow. Bye.
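The transcript mentions pinning dependencies to a full git SHA as one of the defenses against the tag-retargeting style of supply chain attack, and that you have to check you are actually doing it correctly. The following is an added example for this page (not code from the podcast, from Michael Rosenfeld's blog post, or from any of the affected projects): a small audit that walks the `uses:` lines of a GitHub Actions workflow and classifies each reference as a full 40-hex SHA pin, a short SHA, a mutable tag or branch, a local path, or a container image. The workflow text and every action name in it are constructed for the example; the action references are hypothetical and the SHA is a placeholder.

```python
"""Audit GitHub Actions `uses:` references for weak pins (example code)."""
import re

# Constructed sample workflow. Action names are hypothetical and the 40-hex
# value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/checkout@v4                   # floating tag, can be re-pointed
      - uses: example-org/scanner@0.28.0                # release tag, also mutable
      - uses: example-org/setup@0123456789abcdef0123456789abcdef01234567  # full SHA pin
      - uses: example-org/tool@abc1234                  # short SHA, not a real pin
      - uses: ./.github/actions/local                   # local path, nothing remote to pin
      - uses: docker://registry.invalid/image:1.0       # image tag, pin by digest instead
      - run: echo hello
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA = re.compile(r"^[0-9a-f]{7,39}$")
# Captures the unquoted value after `uses:` up to whitespace or a comment.
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")

WEAK = {"mutable", "short-sha", "unpinned"}


def classify_ref(uses: str) -> str:
    """Return how a single `uses:` value is pinned."""
    if uses.startswith("./"):
        return "local"
    if uses.startswith("docker://"):
        # Container images are pinned by content digest, not by git SHA.
        return "digest" if "@sha256:" in uses else "mutable"
    if "@" not in uses:
        return "unpinned"
    _, ref = uses.rsplit("@", 1)
    ref = ref.lower()
    if FULL_SHA.match(ref):
        return "sha"
    if SHORT_SHA.match(ref):
        # Abbreviated hashes are ambiguous and not a strong pin.
        return "short-sha"
    # Anything else (v4, 0.28.0, main, ...) can be re-pointed by the upstream.
    return "mutable"


def audit_workflow(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, uses_value, classification) for every `uses:` step."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = USES_LINE.match(line)
        if match:
            uses = match.group(1)
            findings.append((lineno, uses, classify_ref(uses)))
    return findings


def weak_pins(text: str) -> list[tuple[int, str, str]]:
    """Only the findings a reviewer would ask to be fixed."""
    return [f for f in audit_workflow(text) if f[2] in WEAK]


if __name__ == "__main__":
    for lineno, uses, kind in audit_workflow(SAMPLE_WORKFLOW):
        flag = "WEAK" if kind in WEAK else "ok  "
        print(f"{flag} line {lineno:3d} {kind:10s} {uses}")
```

Two caveats that the check itself cannot cover: a full SHA only pins the commit you reviewed, so it is only as good as that review, and an action pinned by SHA can itself reference other actions by tag inside its own definition, so transitive references still need the same audit at the upstream repository.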