CyberWire Daily - A possible breakthrough in data privacy legislation.
Episode Date: April 8, 2024

Might there be motion from Congress on data privacy legislation? Maryland passes a pair of privacy bills. A database allegedly from the EPA shows up on Russian cybercrime forums. HHS issues an alert for the Healthcare and Public Health sectors. CISA gears up for their Cyber Storm. A leading UK veterinary service provider suffers a cyber incident. A hardcoded backdoor is discovered in deprecated Network Attached Storage devices. NSA's new cybersecurity director takes the reins. Guest Caleb Barlow, CEO of Cyberbit, shares his insights on the evolving role of the CISO. The bull market for Zero-days.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Guest Caleb Barlow, CEO of Cyberbit, discussing how we need to think about the role and position of the CISO.

Selected Reading
A Breakthrough Online Privacy Proposal Hits Congress (WIRED)
Maryland Passes 2 Major Privacy Bills, Despite Tech Industry Pushback (The New York Times)
US Environmental Protection Agency Allegedly Hacked, 8.5M User Data Leaked (HACKREAD)
U.S. Department of Health warns of attacks against IT help desks (Security Affairs)
CISA's 'Cyber Storm' will help it update National Cyber Incident Response Plan (Federal News Network)
Veterinary Giant CVS Reveals Major Cyber-Attack (Infosecurity Magazine)
Over 92,000 exposed D-Link NAS devices have a backdoor account (Bleeping Computer)
NSA Appoints Dave Luber as Cybersecurity Director (SecurityWeek)
Price of zero-day exploits rises as companies harden products against hackers (TechCrunch)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.
Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K. of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me.
I have to say, Delete.me is a game changer. Within days of signing up, they started removing my
personal information from hundreds of data brokers. I finally have peace of mind knowing
my data privacy is protected. Delete.me's team does all the work for you with detailed reports
so you know exactly what's been done. Take control of your data and keep your private life private. Go to JoinDeleteMe.com slash N2K and use promo code N2K at checkout.
The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout.
That's JoinDeleteMe.com slash N2K, code N2K. Might there be motion from Congress on data privacy legislation?
Maryland passes a pair of privacy bills.
A database allegedly from the EPA shows up on Russian cybercrime forums.
HHS issues an alert for the healthcare and public health sectors.
CISA gears up for their cyber storm.
A leading UK veterinary service provider suffers a cyber incident.
A hard-coded back door is discovered in deprecated network-attached storage devices.
NSA's new cybersecurity director takes the reins.
Our guest, Caleb Barlow, CEO of Cyberbit,
shares his insights on the evolving role of the CISO
and the bull market for zero days.
It's Monday, April 8th, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Thank you all for joining us here today.
It is great to have you with us in between the time that you are spending
safely gazing at the solar eclipse.
I wouldn't get your hopes up, but Congress appears to be nearing a breakthrough
on data privacy legislation with the unveiling of the American Privacy Rights Act, APRA. This bipartisan effort
proposes significant restrictions on how companies can collect, retain, and utilize consumer data,
limiting it to what's necessary for their services. It empowers users to opt out of
targeted advertising and manage their online data, including corrections,
deletions, and downloads. A key feature is the establishment of a national data broker registry,
mandating an opt-out option for data sales. The proposal addresses Americans' desire for
more control over their personal information, targeting big tech's data practices and ensuring user consent. The APRA
attempts to navigate long-standing legislative divisions, particularly around preemption of
state laws and individual legal recourse against privacy breaches. It incorporates stronger
protections than existing laws, allowing for state-specific regulations on civil rights and
consumer protections, while including provisions from California's privacy law for lawsuits related
to data breaches. Enforcement focuses on larger businesses, exempting small companies and certain
entities like government organizations. Despite its comprehensive approach, the APRA's success
remains uncertain as it enters a discussion phase for further refinement and support.
Meanwhile, on the state level, the Maryland legislature has passed two major privacy bills
aimed at regulating tech companies' data collection practices, especially concerning consumers and minors,
despite significant opposition from industry giants like Amazon, Google, and Meta.
The Maryland Online Data Privacy Act introduces broad restrictions on consumer data collection
and usage within the state. The Maryland Kids Code specifically targets the protection of users under 18,
banning tracking and manipulative tactics designed to keep them online.
Lawmakers say these moves signal Maryland's commitment to establishing robust data privacy protections,
aligning it with states like California and Connecticut.
However, tech industry challenges are anticipated, particularly from groups like
NetChoice, which has previously contested similar legislation on constitutional grounds.
The success of these bills hinges on Governor Wes Moore's approval, positioning Maryland as
a potential leader in the national privacy legislation landscape, pending inevitable legal challenges.
The U.S. Environmental Protection Agency is contending with a significant data breach
impacting over 8.5 million users, attributed to a hacker known as USDOD. The breach has exposed
sensitive personal information, posing risks of identity theft, cyber espionage,
and could deter environmental violation reporting.
The leaked database includes contact information for customers, contractors, and staff,
with details such as full names, phone numbers, email addresses, and job titles,
but thankfully no passwords were compromised.
The data is now circulating in
Russian cybercrime forums, which underscores the breach's potential for misuse and phishing scams,
targeted marketing, and state-sponsored espionage. The incident highlights vulnerabilities in
protecting critical environmental and infrastructure data and raises alarms
about the chilling effect it could have on future
environmental reporting efforts. The U.S. Department of Health and Human Services has
issued an alert regarding sophisticated social engineering attacks targeting IT help desks
within the healthcare and public health sector. Attackers are using detailed personal information,
likely harvested from professional networking sites and open-source intelligence,
to impersonate employees, particularly in financial roles.
By tricking help desk personnel into enrolling new devices for multi-factor authentication,
these threat actors gain access to corporate resources.
Their main objective is to obtain login credentials for payer websites
to redirect legitimate payments to their controlled U.S. bank accounts,
eventually transferring these funds overseas. Additionally, some attacks have involved AI
voice cloning techniques to enhance their deception. To combat these threats, HHS recommends several mitigation strategies,
including requiring callbacks for verification, monitoring suspicious account changes,
and training help desk staff to recognize and respond to social engineering and spear-phishing
attempts. The Cybersecurity and Infrastructure Security Agency is gearing up for its biannual Cyber Storm
exercise, an event designed to simulate responses to a large-scale cyberattack on U.S. critical
infrastructure.
This month's exercise, which is the ninth of its kind since 2006, will involve over
2,000 participants from both government and various critical sectors like
healthcare, finance, and energy. The event aims to test the effectiveness of the National Cyber
Incident Response Plan, which CISA is currently updating. The exercise unfolds over a week,
presenting participants with hypothetical scenarios to test their preparedness and
response strategies
without revealing specific details ahead of time to maintain operational security.
This year's Cyber Storm is particularly timely,
given recent warnings about hackers targeting U.S. infrastructure
and aims to enhance readiness for inevitable real-world incidents
through a collaborative approach.
Leading UK veterinary service provider CVS Group has experienced a significant operational disruption due to a cyber incident involving unauthorized access to its IT systems.
The company, which operates vet practices, laboratories, and crematoria across the UK,
Australia, the Netherlands, and Ireland, took immediate action to isolate the issue
and temporarily shut down its IT systems to prevent further breaches.
Although the specific nature of the cyberattack remains under investigation,
it has characteristics of ransomware.
CVS has engaged specialist consultants for a forensic analysis
and informed relevant authorities, including the Information Commissioner's Office.
While it has managed to restore IT services to most of its practices,
increased security measures mean some systems are not fully efficient,
causing ongoing operational impacts.
The incident has spurred CVS to accelerate plans for migrating its IT infrastructure to the cloud.
For our U.S. listeners, we note that CVS Group in the U.K.
is unrelated to the U.S. healthcare and pharmacy company CVS.
A significant security flaw affects several end-of-life D-Link network attached storage
models, allowing for arbitrary command execution due to a hard-coded backdoor account and a command
injection vulnerability. Discovered by threat researcher Netsecfish, the vulnerability allows
attackers to remotely execute commands on affected devices
by sending a base64-encoded command through an HTTP GET request. Over 92,000 vulnerable devices
have been found online. D-Link has acknowledged that these models are no longer supported, advising
users to replace them, stating that they won't offer patches due to the devices'
end-of-life status. Dave Luber has officially taken the reins as the new Cybersecurity Director
of the National Security Agency, succeeding Rob Joyce, who retired on March 31st after 35 years
of public service. Luber, with over 30 years of experience in various
significant roles within the NSA and U.S. Cyber Command, will now lead the agency's Cybersecurity
Directorate. This directorate aims to combat cyber threats against the Department of Defense,
National Security Systems, and the Defense Industrial Base. Luber expressed his commitment to building upon the team's achievements
and enhancing collaborations
to bolster cybersecurity defenses.
Coming up after the break,
my conversation with Caleb Barlow,
CEO of Cyberbit,
with his insights on the evolving
role of the CISO. Stay with
us.
Transat presents
a couple trying to beat the winter blues.
We could try hot yoga.
Too sweaty.
We could go skating.
Too icy.
We could book a vacation.
Like somewhere hot.
Yeah, with pools.
And a spa.
And endless snacks.
Yes!
Yes!
Yes!
With savings of up to 40% on Transat South packages,
it's easy to say, so long to winter.
Visit Transat.com or contact your Marlin travel professional for details. Conditions apply.
Air Transat. Travel moves us.
Do you know the status of your compliance controls right now? Like, right now?
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash
cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
And it is always my pleasure to welcome back to the show Caleb Barlow.
He is the CEO at Cyberbit.
Caleb, welcome back. You know, my colleague Rick Howard and I were recently chatting about the CISO at SolarWinds,
who was recently brought up by the SEC on some federal charges here.
This is something I want to check in with you on. What's your take here? Any insights?
Well, I think there's two things we have to look at. And there's, you know, part of what we probably
should acknowledge first off, Dave, is in the cybersecurity industry, anyone following these
things on LinkedIn, there has been an enormous amount of backlash from CISOs that are concerned that when you
charge a CISO on criminal charges, is that going to encourage people to maybe go choose a different
profession? And of course, I think one of the other things we have to acknowledge is more often
than not, a CISO is walking into an environment where the environment is not pristine when they start, and they're doing everything they can to
improve the environment. But even when they finish after two or three years in their role,
it isn't necessarily, you know, all the I's are not dotted and the T's are not crossed, right?
This is a constant game of cat and mouse. So, you know, we've seen two examples of this that are
really high profile. One, of course, was the CISO at SolarWinds. The other one was the chief security
officer, Joseph Sullivan at Uber Technologies, who was actually sentenced to three years of probation
and 200 hours of community service. And that, you know, those set of charges really came forward
more from the FTC versus the SEC. So two different regulators really not only going
after companies, but the individuals. So I think it's time to have a little bit of a different
perspective here. So not that the concerns that people are raising aren't valid, but let's also
remember the other thing CISOs have been talking about, Dave, is the real desire to have a legitimate seat in the boardroom and to really be viewed
on their peers like the CFO, the head of HR, the CTO, et cetera, right? Even the CIO.
And here's one of the things I think a lot of people don't realize is I had the opportunity
to spend some time in the seat of a public company CEO. One of the first things you learn real quickly
is you are personally liable
before stockholders and what may happen.
And in certain situations,
you are pretty much guaranteed to get sued
and you are pretty much guaranteed
to get named in a lawsuit yourself.
And if there is anything that goes awry at the company,
any number of regulators are going to name you personally.
The same is true for the CFO. Now, how do you protect yourself against that? Well, first of all, and I can guarantee you this, it changes your posture on everything you
do. It changes how you communicate. It changes how you think about what you do because you know
you're personally going to get named in this or liable if you cross a line.
Now, the second thing you do is you go get D&O insurance. So, director and officer insurance. And I'll bet you a lot of
CISOs have no idea until I just said it what D&O insurance is. And it's something that they want
to be talking about with their executive teams to make sure they're covered under the company's
D&O insurance, particularly if they're a public company, but even if they're private.
And what D&O insurance covers, basically, is errors and omissions on the part of an executive.
And it's very expensive insurance, but most companies of any size have it.
Now, the other thing to recognize in this is, let's take the example of a CFO.
Now, a CFO also has to meet certain regulatory guidelines.
They have to be audited. They have to be audited by third parties. And there's an audit committee
on the board. I think this is where security is moving towards is a very similar type of approach
where just like the CFO, if someone's cooking the books, the CFO is absolutely going to raise
their hands and say, stop.
And they're going to have the authority to do that.
They have direct access to the board and the audit committee on the board.
We need to move to a posture where the CISO is in a similar role.
There's an outside auditor that helps them review the security posture of the company.
There's a security committee on the board made up of experts in security, which largely don't exist in boards today.
And that CISO actually has to be able to have that authority to raise their hand, particularly in the light of the CEO, and say, no, this isn't acceptable.
These high-risk, we must fix.
And if we don't, then we're going to need to disclose that. And that is a lot of where we're seeing these approaches go, where they're basically holding these CISOs liable. So I guess my point
here, Dave, is if we want the CISO to be viewed as kind of a legitimate seat in the boardroom,
we also have to take on the responsibility of that seat. I couldn't agree more. And who do you suppose has the ability
to make change here? Is this a matter of stockholders saying that we demand this position
be elevated? Is this the CEO saying that, the other board members? How do we get to where we
want to be here? All of the above. But also keep in mind, one of the things that pushes public companies in this space today
is there are a variety of trolls that go out and buy public stocks and just look for opportunities
to sue those public companies.
It's a horrible side of the industry, but as much as I dislike it, it does drive and
force good behavior, is kind of all this activism that occurs. So if you make
an error in a financial statement, even a small error, you're pretty much guaranteed to get sued
as a public company. It's unfortunate, but it's the reality. And, you know, it could even be a
small, minuscule error. And more often than not, those lawsuits will get settled because they're
not even worth taking to court. Well, you know, it won't take long before the same type of thing starts to happen on a cybersecurity posture, where we start to see a company, and, you know, SolarWinds is a good example of this, where maybe what they said externally and in their SEC statements is, everything's fine, don't look here, you know, all the I's are dotted and the T's are crossed.
And if the reality is different underneath, that's an opportunity for a shareholder lawsuit.
You know, my point in all of this is,
I think it's going to come from everywhere,
but the mechanisms are already in place to force this.
You know, we're just catching up
with where the CFO has been for a lot of years.
Yeah.
I can't help thinking that a position
that already suffers from a lot of turnover, the CISO, you know, people don't tend to stay in that position very long.
And granted, there's a variety of reasons for that.
But I can't help think that this is going to just make that worse.
To feel like you have a target on your back, you know, you have all the responsibility with none of the, you know, the actual benefits of sitting on the board.
Who's going to want that job?
Well, I think you could have said the same thing about a CFO, yet there's all kinds of people trying to get in line to be public company CFOs, right? That's fair, sure. But here's the point.
It probably changes the, let's just call it the level of corporate maturity of who takes that job,
right? It takes on a very different persona of who's going to take that job,
their bona fides, their experience, their education, what they've done before, and their
ability to operate at this kind of executive level. If anything, what I think happens is it
continues to elevate that position and elevate the training requirements to take that position.
But I don't think there's going to be any shortage of people willing to take it,
because at the end of the day, companies are going to need to see someone.
They're going to have to pay for someone that has that kind of qualifications.
Yeah. All right. Well, Caleb Barlow, thanks so much for joining us. Thank you.
And finally, the market for zero days, hacking tools that exploit unpatched software vulnerabilities,
has seen a significant price increase, with values reaching millions.
Crowdfense, a startup company that acquires these tools to resell primarily to government agencies,
now offers up to $7 million for iPhone hacks, $5 million for Android, and between $3 and $3.5 million for browser exploits. This price hike reflects the growing difficulty of hacking devices and apps
due to enhanced security measures by companies like Apple and Google.
The rising costs also indicate the complexity and team effort required
to develop these sorts of exploits,
compared to the past where a single researcher could find and develop a zero-day.
Amidst global tensions and
sanctions, the industry faces ethical and legal scrutiny, especially when exploits may target
individuals and countries with contentious human rights records. At these prices, our social media
influencer desk wonders how long it will be before online trendsetters stop bragging about the high
cost of their mobile devices and diamond-studded cases and shift to the multi-million dollar
valuations of their potential security weaknesses. Stranger things have happened.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast,
where I contribute to a regular segment on Jason and Brian's show every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com. N2K Strategic Workforce Intelligence optimizes the
value of your biggest investment, your people. We make you smarter about your team while making
your team smarter. Learn more at n2k.com. This episode was produced by Liz Stokes.
Our mixer is Trey Hester with original music by Elliot Peltzman.
Our executive producers are Jennifer Iben and Brandon Karp.
Our executive editor is Peter Kilby, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.