Oktane Preview with Harish Peri, Invisible Prompt Attacks, and the weekly news! – Harish Peri – ESW #421
Interview with Harish Peri from Okta
Oktane Preview: building frameworks to secure our Agentic AI future
Like it or not, Agentic AI and protocols like MCP and A2A are getting pushed as the glue to take business process automation to the next level. Giving agents the power and access they need to accomplish these lofty goals is going to be challenging, from a security perspective.
How do put AI agents in the position to perform broad tasks autonomously without granting them all the privileges? How do we avoid making AI agents a gold mine for attackers - the first place they stop once they hack into our companies? These are some examples of the questions Okta aims to answer at this year’s Oktane event, and we aim to kick off the conversations a little early - with this interview!
Segment Resources:
- Check out securityweekly.com/oktane for all our live coverage during the event this year!
- More information about the event and how you can attend can be found here: https://www.okta.com/oktane/
- AI at Work 2025: Securing the AI-powered workforce
- Keeping AI Under Control: What to Expect at Oktane 2025
Topic - Indirect Prompt Injection Getting Out of Hand
Reports of indirect prompt injection issues have been around for a while. Of particular note was Michael Bargury's Living off Microsoft Copilot presentation from Black Hat USA 2024. Simply sending an email to a Copilot user could make bad stuff happen.
Now, at Black Hat 2025, we've got more: the ability to plunder any data resource connected to ChatGPT (they call these integrations "Connectors") from Tamir Ishay Sharbat at Zenity Labs. The research is titled AgentFlayer: ChatGPT Connectors 0click Attack.
Looks like Google Jules is also vulnerable to what the Embrace the Red blog is calling invisible prompts. Sourcegraph's Amp Code is also vulnerable to the same attack, which encodes instructions to make them invisible.
What's really going to ruffle feathers is the fact that all these companies know this stuff is possible, but don't seem to be able to figure out how to prevent it. Ideally, we'd want to be able to distinguish between intended instruction and instructions injected via attachments or some other means outside of the prompt box. I guess that's easier said than done?
News
Finally, in the enterprise security news,
- Drones are coming for you… to help?
- One of the most powerful botnets ever goes down
- Phishing training is still pointless
- Microsoft sets an alarm on its phone for 8 years from now to do post-quantum stuff
- vulns galore in commercial ZTNA apps
- GenAI projects are struggling to make it to production
- Adblockers could be made illegal - in Germany
- Windows is getting native Agentic support
- Automating bug discovery AND remediation?
- Public service announcement: time is running out for Windows 10
All that and more, on this episode of Enterprise Security Weekly.
This segment is sponsored by Oktane by Okta. Visit https://securityweekly.com/oktane to learn more about them!
Harish Peri is the Senior Vice President of Product Marketing at Okta, where he is responsible for messaging, product positioning, launches and helping evangelize Okta to the industry. He has over 20 years of experience leading teams and organizations across various industries and functions ranging from engineering to product management.
Join us at InfoSec World 2025, October 27 to 29 at Disney’s Coronado Springs Resort, Lake Buena Vista! With pre-event workshops October 25–26, and post-event workshops October 29–30. Connect, learn, and level up your cyber game! Save 25% now with code ISW25-SW at https://www.securityweekly.com/ISW2025!
Adrian Sanabria
- NEW TECH: Drone As First Responder Programs Are Swarming Across the United States
I remember reading some stuff on this a year or two ago and seeing folks freaking out on social media when they spot these things in the wild, but it seems truly commonplace now. With very little effort, I counted 34 police or sheriff departments that currently use commercial drone technology (most come from the EFF article here, which is over a year old now).
Anyone that has done penetration testing, bug bounty work, or played any of the games in the WatchDog series is immediately wondering how hackable these things are. The manufacturers seem pretty limited so far:
- Brinc Drones
- Skydio
- Axon (acquired Dedrone)
- DJI
The idea of a DFR (drone first responder) is that dispatch radio triggers a situation where they send out the drone first, before anyone else gets there (most of the time), to assess the situation. Better safety for first responders, and the ability to send the right resources to address the situation. Makes sense, but as a cybersecurity guy, I just worry about these drones making mistakes, getting hacked, getting shot at, falling on people/cars/property.
Chula Vista, one of the first to use DFRs, claims over 1000 cases in one year where the drones led them to not send out police. Just the addition of police presence can sometimes turn non-incidents into smoking craters, so this seems like it could be a good thing. Of course, the opportunity for privacy invasion, abuse of authority, and general creepiness is high here.
- VULN MGMT: From Rules to Reasoning: The Shift That Made Maze Possible – Maze
- BREACHES: Eugene Man Charged in Connection with Global Hacking Network
Dude from Alaska built his own Mirai clone out of routers, DVRs, and cameras. Like Mirai did a decade ago, he set a record for the largest DDoS attack ever (~6Tbps).
He got busted and so did his botnet. I wonder what they do with all the compromised devices after closing a case like this?
- DUMPSTER FIRES: Phishing training is pretty pointless, researchers find
The research concluding that phishing training isn't worth the pain, effort, and lost trust with employees. It can hurt productivity and even hurt security, researchers have found.
Let's not throw out the baby with the bath water just yet, though - don't conflate phishing testing with security awareness. They're often bundled in the same package from the same vendors, but these studies specifically call out phishing testing, not security awareness.
This is the same paper we covered back in December 2024 on episode 387 (that I stupidly paid $21 for). Looks like the authors are still giving talks on it, as it's Black Hat that brought this to the forefront again.
- NO RUSH: Microsoft Lays Out its Quantum-Safe Plans
Microsoft aiming for 2033.
Apparently the USGov goal is 2035.
Might as well start now?
- VULNERABILITIES: Breaking Into Your Network? Zer0 Effort. – DEF CON 33 Overview
This feels a bit like Tavis over at Project Zero Day, setting his sights on a class of software and ripping it apart. Commercial ZTNA products having a bit of a rough time here.
- SQUIRREL: Grok Exposes Underlying Prompts for Its AI Personas: ‘EVEN PUTTING THINGS IN YOUR ASS’
I won't read the entire title, but let's say the spirit of Elon is captured well in Grok's system prompting.
Ayman Elsawah
- APPSEC: Buttercup: Open-source AI-driven system detects and patches vulnerabilities – Help Net Security
Adrian: I snagged a private invite to check out Buttercup a year ago, and was pretty impressed. Back then, they had some interesting lessons learned that now seem prescient. The only team during the DARPA challenge that tried to do everything with AI failed completely. It seems the way to go is to use LLMs only when you absolutely need to and use more traditional automation techniques for everything else. Very exciting that this is open source though!
Jackie McGuire
- Zenni ID Guard – anti surveillance eyewear
- TECH DEBT: Microsoft: August security updates break Windows recovery, reset
Win10 is getting put out to pasture real soon, y'all!
This will be your only reminder (maybe) from ESW
Sean Metcalf
- AI NEWS: GenAI FOMO has spurred businesses to light nearly $40 billion on fire
"MIT NANDA study finds only 5 percent of organizations using AI tools in production at scale"
Adrian: I honestly think it's going to turn out to be a LOT more than $40 billion.
- DUMPSTER FIRES: Mozilla warns Germany could soon declare ad blockers illegal
- FUNDING: Databricks is raising a Series K Investment at >$100 billion valuation
Series K is a lot of funding rounds
- NEW FEATURES: Agentic Windows
MCP, built into Windows!
They promise it is going to be secure though, so don't worry ;)
