73% of Orgs Still Net-Sec Split: VIAVI Forensics Cuts Breach Dwell 66% at RSA
TL;DR
- VIAVI launches Observer Threat Forensics at RSA Conference to unify network, app, and user domain visibility; 78% of CIOs/CISOs seek convergence but only 27% have acted
- AI-driven code leaks surge 34% YoY in 2025, with 29M exposed credentials on GitHub; Claude Code and MCP configurations identified as top risk vectors
- Ubuntu 24.04+ vulnerable to LPE via snap-confine/systemd-tmpfiles race condition (CVE-2026-3888)
🚨 VIAVI’s OTF Debuts at RSA: 73% of Firms Still Net-Sec Split, CVE Flood Up 30%
Only 27% of orgs have converged NetSecOps—so 73% are basically leaving the vault open while CVEs jump 30% YoY. VIAVI’s new Observer Threat Forensics promises to slam that door shut, cutting lateral-movement dwell time from half a day to <4h. Translation: fewer 3 a.m. ransom notes, more sleep. Pilots start Monday at RSA—will your CISO be in the 27% or still playing whack-a-mole?
VIAVI wheeled out “Observer Threat Forensics” at RSA, promising one glass pane for the network tantrums, app diary entries, and user stalking your SOC already drowns in. The punchline? 78 % of 750 surveyed C-suiters crave a single screen, yet only 27 % have bothered to plug anything together—leaving 387 enterprises still playing 1990s whack-a-mole with siloed dashboards.
How this Franken-console works
- Swallows raw packets, NetFlow, syslog, and click-stream in one gulp.
- Stitches them into a time-lined graph, scores each blip against MITRE tactics.
- Lets you scroll back “forever” (tiered storage = cheap glacier, hot SSD).
- Spits answers to SIEM/SOAR via REST so your interns can keep pretending they’re automating.
Why you still might get pwned
Complexity: 3–6 months of policy wrangling before your NetOps and SecOps stop flinging RFCs at each other.
Shelf-ware risk: If you don’t retire legacy blinky boxes, OTF becomes another $200 k screensaver.
Competition: Cisco, Palo Alto, and half a dozen startups already hawk “convergence” slides—some even work.
Pain timeline
- Now–Q3 2026: 10–15 % of looky-loos run pilots, mostly to justify RSA bar tabs.
- 2027: If 40–50 % of those pilots convert, adoption inches from 27 % to ~45 %.
- 2028-29: Market tops out at 60-65 % converged; late majority clings to Excel incident trackers until the next breach headline.
Glue is cheaper than grief: export your existing taps into open-source Timesketch + Grafana, fire the vendor that charges per petabyte of hindsight, and spend the savings on actually patching the 48 196 CVEs that showed up last year—30 % more than the year before, because of course they did.
🤡 29M Credential Tsunami: AI-Coded GitHub Turns U.S. Repos into Public Toilet — Internal Code 6× Dirtier
29M secrets barfed on GitHub—enough to give every New Yorker 3 fresh logins 🤡💥 AI wrote the code, we foot the ransomware bill. Internal repos are 6× nastier—your ‘private’ repo is a public toilet. CISOs, ready to babysit Claude or keep bleeding creds?
29 million credentials barfed onto GitHub last year—enough log-ins to fill every pro-football stadium in the U.S. twice. Claude Code wrote one-third of that sewage, proving “AI pair-programmer” is just corporate speak for “speed-run security dumpster fire.”
How the sausage gets spilled
Claude Code’s autocomplete-on-steroids slurps your API keys straight into the commit. One mis-hit of Tab, and your AWS token is immortalized in git history faster than you can say “force-push.” Meanwhile, MCP config files—those copy-paste cloud blueprints—left 24 k secrets lying around like loose change. Internal repos are the juiciest targets: six times fattier with secrets than their public siblings, yet protected by the same shrug emoji.
Impact buffet—grab a plate
- Account hijacks: 29 M creds = open bar for credential-stuffing bots.
- Supply-chain gut punch: internal repo breach → downstream poisoned builds.
- Analyst burnout: 68 % false-positive rate turns security teams into human spam filters.
- Share-price hangover: JFrog −25 %, CrowdStrike −8 %, Cloudflare −8 %—markets vote with their wallets.
Cheap hacks that actually close the hole
- Pre-commit hook that scans at 50 MB/s per core—costs pennies, runs in seconds.
- Claude Code Security inside CI—tune the 68 % noise down to 45 % with an ML filter by Christmas.
- Sandbox every AI agent; Anthropic’s SRT demo cut permission prompts 84 %.
- Rotate Slack/Teams tokens monthly—28 % of leaks waltz out through chat.
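As an added example of the pre-commit hook the first bullet describes (not code from VIAVI, GitHub, Anthropic or any project named above), a minimal scanner that blocks a commit when staged lines carry a well-known token format or a high-entropy value assigned to a secret-looking key, the MCP-config case. The token formats, placeholder list and entropy floor are this example's own assumptions, not a vendor rule set.

```python
"""Minimal pre-commit secret scanner (added example, not any project's own code).
Flags known token formats plus high-entropy secret-ish assignments, skips obvious
placeholders, and exits non-zero so git refuses the commit. Pattern set,
placeholder list and entropy floor are assumptions chosen for illustration."""
import math
import re
import subprocess
import sys

PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
    # Generic: a secret-looking key assigned a long literal value (config files, MCP JSON).
    "generic_assignment": re.compile(
        r"(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{20,})"),
}
PLACEHOLDERS = ("example", "changeme", "replace", "xxxx", "your_")

def shannon_entropy(s: str) -> float:
    """Bits per character: random tokens score 4+, prose and padding far lower."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_text(text: str, entropy_floor: float = 3.5) -> list:
    """Return (line_no, kind) pairs; placeholder and low-entropy generic hits are dropped."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            value = m.group(m.lastindex or 0)       # last group = the literal value
            if any(p in value.lower() for p in PLACEHOLDERS):
                continue
            if kind == "generic_assignment" and shannon_entropy(value) < entropy_floor:
                continue
            findings.append((no, kind))
    return findings

def staged_added_lines() -> str:
    """Only the '+' lines of the staged diff: what this commit would actually publish."""
    out = subprocess.run(["git", "diff", "--cached", "-U0"], capture_output=True, text=True).stdout
    return "\n".join(l[1:] for l in out.splitlines() if l.startswith("+") and not l.startswith("+++"))

if __name__ == "__main__":
    hits = scan_text(staged_added_lines())
    for no, kind in hits:
        print(f"blocked: possible {kind} in staged change (added line {no})")
    sys.exit(1 if hits else 0)
```

Install it as `.git/hooks/pre-commit` (or via your hook manager); a non-zero exit is what makes git abort the commit.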
Timeline of will-they-won’t-they
- Q2 2026: AI-generated commits pass 40 %; leaks rise another 30 % unless hooks are enforced.
- Q4 2026: False-positive filters drop to 45 %, enterprise Claude uptake +25 %.
- 2027: Mandatory CI scanning finally drags internal-secret density down to public-repo baseline; ransomware gangs pivot to easier pastures.
Bottom line
If your “10× dev” recipe is AI autocomplete without guardrails, congrats—you’ve invented a 10× breach accelerator. Turn the free linter on, sandbox the bot, and quit hard-coding passwords. Or keep playing Russian roulette with git history; the stadium-sized crowd of stolen logins is already cheering.
💥 CVE-2026-3888: 5 MILLION Ubuntu 24.04 Desktops Open to 30-Day Root Race
5 MILLION Ubuntu boxes sit wide-open for 10-30 days while systemd plays janitor 🧹💥 One symlink + any bored user = instant root. Patch? Sure—if you like waiting a MONTH for your own server to stab you in the back. Sysadmins, got popcorn—or a rollback plan?
Ubuntu 24.04 ships a built-in “waiting game”: sit on the box for 10–30 days, then watch systemd-tmpfiles vacuum /tmp/.snap. In the blink before snap-confine re-creates that same dir, an attacker slips in a symlink or rigged folder. Next snap you launch—calculator, Spotify, whatever—executes attacker code as root. Qualys clocked the race, tagged it CVE-2026-3888, CVSS 7.8. Patch? snapd ≥2.73+ubuntu24.04.1. That’s it.
How the hustle works
- Snap-confine drops a throw-away directory at boot.
- systemd-tmpfiles, using the hipster uutils-coreutils “rm”, purges it on a timer.
- Attacker polls, respawns /tmp/.snap, stuffs a set-uid payload inside.
- You open a snap, snap-confine trusts the trojan path → instant root shell.
No memory corruption, no exploit chains—just calendar patience and a filesystem race.
Impacts – the receipt
- Scope: 5 million desktops still on vanilla 24.04.
- Dwell time: up to a month of silent prep; SOC logs look boring.
- Blast radius: full box ownage, container breakout, lateral waltz across the office VLAN.
Response scorecard
- Canonical: patched in six days, props.
- Enterprises: 30 % of fleets auto-patch; the rest wait for “change-control.”
- DIY hardening: cron to 10-day cleanup, inotify watchers, or just chmod 000 /tmp/.snap and call it a day.
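An added example in the spirit of the "inotify watchers" item above, written as a one-shot audit rather than a watcher and not taken from Canonical, Qualys or snapd: it inspects the scratch directory with lstat so a planted symlink is reported instead of followed, and flags the other conditions the race write-up turns on. The expected owner, the mode rules and using /tmp/.snap as the default path are assumptions for illustration.

```python
"""One-shot audit of a privileged helper's /tmp scratch directory (added example).
Checks the invariants a defender wants for a path a privileged helper recreates
under /tmp: a real directory (not a symlink), owned by the expected uid, not
writable by others, and holding no symlinks or setuid/setgid files. The expected
uid and the mode rules are this example's assumptions."""
import os
import stat
import sys

def audit_tmp_dir(path: str, expected_uid: int = 0) -> list:
    """Return human-readable findings; an empty list means the path looks clean."""
    findings = []
    try:
        st = os.lstat(path)                     # lstat: report a planted symlink, never follow it
    except FileNotFoundError:
        return [f"{path}: missing (helper will recreate it; race window is open)"]
    if stat.S_ISLNK(st.st_mode):
        return [f"{path}: is a symlink -> {os.readlink(path)}"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path}: not a directory ({stat.filemode(st.st_mode)})"]
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: writable by group/other ({stat.filemode(st.st_mode)})")
    try:
        with os.scandir(path) as it:            # one level deep, links not followed
            for entry in it:
                if entry.is_symlink():
                    findings.append(f"{entry.path}: symlink planted inside scratch dir")
                    continue
                mode = entry.stat(follow_symlinks=False).st_mode
                if mode & (stat.S_ISUID | stat.S_ISGID):
                    findings.append(f"{entry.path}: setuid/setgid bit set ({stat.filemode(mode)})")
    except PermissionError:
        pass                                    # e.g. after the chmod 000 workaround: nothing to walk
    return findings

if __name__ == "__main__":
    problems = audit_tmp_dir(sys.argv[1] if len(sys.argv) > 1 else "/tmp/.snap")
    for p in problems:
        print("ALERT:", p)
    sys.exit(1 if problems else 0)
```

Run it from cron or wire the same function into an inotify callback; a non-zero exit or any ALERT line is your signal that the directory no longer looks like the helper left it.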
Outlook – the calendar
- Next month: ~70 % patched; opportunistic script kiddies harvest the laggards.
- Q3 2026: upstream uutils fix lands in Debian/Fedora, shrinking future attack surface.
- 2027: systemd adds atomic tmpfile APIs, making “wait-a-month” bugs history—until the next creative shortcut.
Ubuntu gave us “Linux for human beings.” Turns out humans need to apt upgrade before the pizza timer dings—otherwise the box owns you, not the other way around.
In Other News
- Linux Foundation launches $12.5M grant to secure critical open-source projects via Alpha-Omega and OpenSSF; funding targets vulnerable small teams behind CURL, OpenSSL, and other foundational tools
- Fortinet FortiClient EMS vulnerable to critical SQLi (CVE-2026-21643) allowing unauthenticated root RCE
- Blumira expands EDR/ITDR capabilities, reducing ransomware response times as attacks rise 34% since 2024
- HTSlib CRAM reader vulnerability CVE-2026-31962 allows heap buffer overflow, prompting urgent patching of genomic data tools