CyberWire Daily - A secret scheme resulting in stolen secrets.
Episode Date: March 7, 2024A former Google software engineer is charged with stealing AI tech for China. State attorneys general from forty-one states call out Meta over account takeover issues. Researchers demonstrate a Stuxne...t-like attack using PLCs. Buyer beware - A miniPC comes equipped with pre installed malware. A Microsoft engineer wants the FTC to take a closer look at Copilot Designer. There’s a snake in Facebook’s walled garden. Bruce Schneier wonders if AI can strengthen democracy. On our Industry Voices segment, guest Jason Lamar, Senior Vice President of Product at Cobalt, joins us to discuss offensive security strategy. And NIST works hard to keep their innovations above water. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest On our Industry Voices segment, guest Jason Lamar, Senior Vice President of Product at Cobalt, joins us to discuss offensive security strategy. You can find out more from Cobalt’s OffSec Shift report here. Selected Reading Former Google Engineer Charged With Stealing AI Secrets (Infosecurity Magazine) Several States Attorneys General have written to Meta demanding better account recovery (NY gov) Remote Stuxnet-Style Attack Possible With Web-Based PLC Malware: Researchers  (SecurityWeek) Whoops! ACEMAGIC ships mini PCs with free bonus pre-installed malware  (Graham Cluley) Microsoft AI engineer warns FTC about Copilot Designer safety concerns  (The Verge) Snake, a new Info Stealer spreads through Facebook messages (Security Affairs) NSA Details Seven Pillars Of Zero Trust (gbhackers) How Public AI Can Strengthen Democracy  (Schneier on Security) This agency is tasked with keeping AI safe. Its offices are crumbling. (WashingtonPost) Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
private by signing up for Delete Me. Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
A former Google software engineer is charged with stealing AI tech for China.
State attorneys general from 41 states call out Meta over account takeover issues.
Researchers demonstrate a Stuxnet-like attack using PLCs.
Buyer beware, a mini PC comes equipped with pre-installed malware.
A Microsoft engineer wants the FTC to take a closer look at co-pilot designer.
There's a snake in Facebook's walled garden.
Bruce Schneier wonders if AI can strengthen democracy.
In our Industry Voices segment, guest Jason Lamar, senior vice president of product at Cobalt, joins us to discuss offensive security strategy.
And NIST works hard to keep their innovations above water.
It's Thursday, March 7th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing. briefing. Thanks for joining us here today. It is great to have you with us. Lin-Wei Ding,
a former Google software engineer, has been indicted on charges of stealing trade secrets related to
Google's AI technology. Hired by Google in 2019, Ding had access to sensitive information about AI
models due to his role in developing software for Google's supercomputing data centers. Between May
2022 and May 2023, he's accused of uploading over 500 confidential files to a personal cloud account.
Allegedly, after receiving a CTO job offer from a Chinese tech startup in June of 2022,
Ding founded his own company in May of 2023, focusing on machine learning acceleration,
and applied to a Chinese startup program.
He's accused of plotting to replicate and improve upon Google's computational power platform for China.
The Department of Justice claims Ding employed methods to evade Google's data loss prevention checks,
including transferring data to PDFs via Apple Notes.
He also allegedly manipulated access controls to disguise his location.
The FBI emphasizes the seriousness of this sort of intellectual property theft
for American innovation, economic security, and national security.
Ding faces up to 10 years in prison and a $1 million fine if convicted.
faces up to 10 years in prison and a $1 million fine if convicted.
States Attorneys General from 41 states have expressed significant concern to Meta over a sharp rise in account takeovers on Facebook and Instagram, highlighting an alarming trend that
strains both their resources and affects users profoundly. These takeovers lead to unauthorized access,
privacy breaches, financial fraud,
and misuse of personal information.
Victims experience distress and disruption,
especially when their accounts,
integral to personal and professional lives,
are compromised.
Complaints to Meta about these issues have surged
with reports of inadequate support
and response from the
company. The problem has escalated, with complaints increasing drastically across various states,
indicating a pervasive issue on meta platforms. The attorneys general are demanding immediate
action from meta to bolster its effects in preventing account takeovers and improving
support for affected users,
stressing the importance of safeguarding user accounts and alleviating the burden on state resources.
Researchers from the Georgia Institute of Technology have developed a new form of malware
targeting modern programmable logic controllers, PLCs, to demonstrate the potential for remote Stuxnet-like
attacks on industrial control systems. This malware, named Iron Spider, exploits web-based
features of modern PLCs to infiltrate and manipulate industrial processes through the PLC's
web server and APIs, which are accessed via a regular web browser interface.
Unlike traditional malware that requires physical or network access,
Iron Spider can be deployed remotely, leveraging cross-origin vulnerabilities
and service workers for persistence, making it both easy to deploy and hard to detect.
The malware can perform actions like overwriting input-output values and spoofing HMI displays
with the potential for significant industrial damage, all while avoiding detection.
This demonstration underscores the expanded attack surface and security risks associated
with the advanced capabilities of modern PLCs.
of modern PLCs.
Graham Cluley reports that AceMagic, a Chinese mini-PC manufacturer,
unintentionally shipped malware, including the Redline spyware and Bladabindi backdoor Trojan, with its products.
This admission came after consumers in the United States and Europe reported issues
leading to the discovery of the malware by Windows Defender.
The company's attempt to enhance user experience by modifying Microsoft's source code and adjusting
network settings without proper digital signatures resulted in the malware distribution. The affected
PCs lacked digital signatures for both the altered code and RGB lighting control software, making them vulnerable.
Ace Magic has acknowledged the oversight, offering full refunds to customers with affected PCs
and a 10% discount on future purchases, promising greater caution in the future.
Shane Jones, a Microsoft engineer, has raised concerns with the Federal Trade Commission about Microsoft's AI image generator, Copilot Designer.
He claims this is due to its ability to produce harmful and inappropriate images.
The AI-generated content allegedly includes disturbing and violent imagery, sexualization, and misuse of popular characters in sensitive contexts.
Jones, who has been with Microsoft for six years,
has repeatedly tried to address these issues internally since December
and even contacted U.S. senators after explicit images of Taylor Swift were spread online.
Microsoft CEO Satya Nadella acknowledged the need for more safety guardrails,
and the company says they are committed to addressing employee concerns,
and they have protocols for investigating and remediating such issues,
but Jones' efforts have led to pushback from the company's legal team.
We note that Microsoft is an N2K CyberWire partner,
but we cover them just like we do any other company.
Researchers at Cyber Reason
have identified a Python-based information stealer,
Snake, being spread through Facebook messages
by threat actors.
This malware campaign, active since August 2023,
involves sending victims archive files
containing malicious scripts that install one
of three variants of the snake malware on their systems. The malware targets a variety of web
browsers to steal credentials and cookie information, including data specific to Facebook,
which could allow attackers to hijack victims' Facebook accounts. The snake malware transmits
the stolen information to platforms like Discord,
GitHub, and Telegram by exploiting their APIs. Indicators suggest that the threat actors behind
this campaign are Vietnamese-speaking, targeting not only international browsers, but also
Kuk Kuk, a browser popular within the Vietnamese community.
Bruce Schneier has written a thoughtful piece
titled How Public AI Can Strengthen Democracy. In it, Schneier says the intersection of democracy
and AI present dual challenges, AI's influence on democracy and democracy's ability to govern
AI technology. With big tech firms like Microsoft, Google, and Amazon dominating
AI development, there's a risk of AI reflecting corporate interests over public welfare.
The centralization of AI control raises concerns for democratic governance, and Schneier advocates
for a public AI option to ensure universal access and counterbalance corporate AI.
A public option could foster innovation, allow public input on ethical considerations,
and ensure equitable access to AI technologies. Inspired by global examples like Taiwan's efforts
to democratize AI development, the proposal suggests creating a federal agency dedicated to developing and
managing public AI models. This agency would prioritize democratic values in AI deployment,
offering foundational AI models as public goods, and ensuring ethical and equitable AI development.
development. Coming up after the break, my conversation with Jason Lamar, Senior Vice President of Product at Cobalt. We're discussing offensive security strategy. Stay with us. Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
In today's sponsored Industry Voices segment,
my conversation with Jason Lamar,
Senior Vice President of Product at Cobalt.
We talk about offensive security strategy.
Well, we've been seeing a shift in,
that's the name, a shift in customer mindset.
There's been a lot of discussion and thinking customers have around,
okay, am I doing enough in my offensive security area versus my sort of defensive areas?
And so that inspired us to do a survey
and to talk with customers through the survey
to kind of get more quantitative
understanding of what they're planning and how that's going. Well, how do we approach this? I
mean, when you look at the folks who are trying to balance between offensive and defensive security
and the money that they spend on that, how do they go about doing that? What's the ideal way to approach that?
Well, a couple of ways I've seen this is
people are looking at their controls,
they're looking at how they're filling out their control posture
relative to the controls that they need to have in place
for a particular level of compliance.
So there's a compliance area where you're sort of doing your due diligence,
managing to a framework.
A lot of security folks I know think in terms of,
well, am I looking at my before, during, and after a breach?
So how am I preparing before?
How am I operating during? And then what's my process of,
you know, after something's happened, what am I doing? So those are some ways that people think
about it. What about the CISOs themselves? I mean, are we finding that there's sort of an evolution
here when it comes to offensive security strategies? Yeah, I think CISOs understand, the ones I talk to at least, they understand that
sort of just sitting back and being more passive isn't the thing for today's threat environment.
And so they want to be more proactive in testing their own defenses. Testing is
testing their own defenses.
Testing is essential to, you know,
how do you know if you don't?
So being proactive and testing in more than just the passive ways,
but actively testing defenses through red teaming,
through pin testing and those kinds of things.
Can we dig into some of the specifics there?
I mean, when you look at some of the results or outcomes between, say, offensive security testing and defensive scanning tools, what sorts of things do you see?
we noticed in our survey that 75% of the respondents told us,
you know, year over year,
their company was doing more pen testing in 2023 than they were in 2022.
And so that to me is an indicator. A lot of folks have traditionally run scans monthly or whatever,
and they've got their spreadsheet and they're working down things.
But those tests, some of those tests, they don't go as deep as a pen test and they don't
simulate the kind of behaviors and attacks that they should be most concerned with.
So I would say a lot of the traditional testing is still needed.
The defensive testing is still needed.
But CISOs are clearly telling us that they want to be more active.
They want to be more proactive.
Can we talk some about the various sorts of offerings that are out there?
I mean, obviously, you and your colleagues there at Cobalt have the things that you provide,
but when you look at the offensive security solution menu,
what sorts of things do people have their eye on?
Yeah, so that's interesting.
There are lots of capabilities out there,
and one of the things that we were testing for
and are asking about in our,
in our survey was things like red teaming. So 63% of respondents agreed that, that they conduct more
red team exercises now than they did a year ago. And so red teaming is a good example of services
that are out there that people are consuming for that. People are doing more code reviews than they did before.
People are doing more digital risk assessments than they have in the past.
So there's a general trend of doing more active, proactive testing
in various different types of services.
Can we dig into some of the details here?
If we consider an organization's
offensive security strategy,
what are some of the elements
that should fit into that?
Yes, so there should be
a general approach to pen testing.
A lot of folks have traditionally
looked at that as once a year
kind of do it for compliance.
The trend that we're seeing is people are using it much more strategically and they're looking at their various assets, especially those
exposed on the internet, you know, to be more agile in their testing. So they'll do some,
a big test of an asset area and they'll come back and test it again more periodically, I would say.
And that's both being driven by the security team, but increasingly we see interest in this from the application teams.
And what we're also noticed in our survey is that people are, through activities like red teaming,
another example that should be a part of your offensive security strategy,
81% of our respondents in the survey said that they decreased successful breaches over 50% in the last 12 months.
And 85% of those folks reported that these measures significantly sped up their team's incident response.
So there's a virtuous interlock between more offensive testing and other processes within your security practice.
So red teaming, pen testing, code reviews, these are essential parts of an offensive security program.
What about the reality that nobody has unlimited time, no one has an unlimited budget here?
What are your recommendations for folks to dial this in?
I'm thinking about those built-in kind of cost dynamics that come with cybersecurity? You know, if we take an area like pen testing, for example,
many organizations have a budget for that.
Most organizations have some kind of pen testing budget.
And so one question you could ask yourself is,
how do I want to deploy that budget?
You know, there are opportunities like pen testing as a service
and more, you and more proactive approaches like
red teaming where you may want to look at what's the mix of how you're deploying your offensive
security dollars to be more proactive than more defensive and reactive. So as we found in this shift report,
there's an opportunity to look at the mix
of what your budget's paying for
and how active and proactive that is.
Was there anything coming out of the report here,
any of your survey data that you found surprising or unexpected?
Well, I think it's just 58% of respondents believe their
company is still lagging in integrating their offensive
security practices into their overall security strategy.
So I don't know if that's a shock. We've been around
in security a long time, Dave. But
it's definitely an insight that says, hey, people want to
do more of this. We've heard that all through the report. But what we've found is that people are
still having trouble getting that connected to the overall strategy. With the economic downturn,
everything has been under scrutiny, no doubt about that.
Lots of organizations sort of deprioritize some of their security focus.
And so it's encouraging and challenging at the same time.
It's encouraging to see that folks are wanting to be more proactive and they're sort of definitely making plans and investments there.
And it's also challenging that folks are still reporting that they're
struggling to get that connected back to their overall strategy for security.
Yeah. Based on the information that you all gathered here, what are your recommendations?
Well, I recommend that folks that are, you know, look at your budget for pen testing for any of your offensive security areas and make sure that they're aimed at things that you can do frequently that provide you proactive insights that go deep enough to tell you what the problems are. If you haven't looked at that in a while,
it's probably a good time to consider
just how do you connect your offensive security strategy
within the tools that you have,
within the service and the partners that you have,
and then do an evaluation of that.
Is it right-sized?
Is it, are you, you got the right settings within that, priorities within that?
And then bring that back to your overall security program strategy as you think about your year-to-year planning.
That's Jason Lamar, Senior Vice President of Product at Cobalt. Thank you. We're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
This episode is brought to you by RBC Student Banking.
Here's an RBC student offer that turns a feel-good moment into a feel-great moment.
Students, get $100 when you open a no-monthly-fee RBC Advantage banking account,
and we'll give another $100 to a charity of your choice.
This great perk and more, only at RBC.
Visit rbc.com slash get 100, give 100.
Conditions apply.
Ends January 31st, 2025.
Complete offer eligibility criteria by March 31st, 2025.
Choose one of five eligible charities.
Up to $500,000 in total contributions.
up to $500,000 in total contributions.
And finally, the Washington Post writes that the National Institute of Standards and Technology, NIST,
who play a key role in President Biden's AI regulation plans,
face severe underfunding and infrastructure decay,
putting its mission at risk.
With budget cuts and only $10 million allocated to the new US AI Safety Institute,
NIST's resources are dwarfed by the billions invested by tech giants and international counterparts.
The Institute's staff battles with leaking roofs, frequent blackouts, and inadequate internet,
forcing manual data transfers
and protective measures for sensitive equipment, like covering microscopes with sheets of plastic
during rainstorms. Over 60% of NIST's facilities fail to meet federal standards,
significantly hindering productivity and delaying critical technology evaluations.
productivity and delaying critical technology evaluations. This situation risks making NIST vulnerable to industry influence as it increasingly relies on outside tech companies for computing
resources. The agency's challenges are representative of the broader issue of the U.S.
government's struggle to prioritize and fund technological advancements and safety,
jeopardizing its competitive stance and regulatory capabilities in the global tech race.
Our hearts go out to the good folks at NIST who are working under these sorts of challenging circumstances.
The labs may not be waterproof, but their spirits are unsinkable.
Spirits are unsinkable.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment,
your people.
We make you smarter about your team
while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester
with original music by Elliot Peltzman.
Our executive producers are Jennifer Iben
and Brandon Karp. Our executive
editor is Peter Kilby, and I'm Dave
Bittner. Thanks for listening.
We'll see you back here tomorrow. Thank you. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.