CyberWire Daily - AI-powered propaganda.
Episode Date: January 3, 2025

The U.S. sanctions Russian and Iranian groups over election misinformation. Apple settles a class action lawsuit over Siri privacy allegations. DoubleClickjacking exploits a timing vulnerability in browser behavior. FireScam targets sensitive info on Android devices. ASUS issues a critical security advisory for several router models. A former crypto boss faces extradition amidst allegations of defrauding investors out of more than $40 billion. HHS unveils proposed updates to HIPAA. Millions of email servers have yet to enable encryption. Our guest is Joe Saunders, Co-Founder & CEO of RunSafe Security, discussing the complexities of safeguarding critical infrastructure. Using Doom to prove you’re human.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Our guest is Joe Saunders, Co-Founder & CEO of RunSafe Security. Joe joins us to discuss the complexities of safeguarding critical infrastructure amid the looming threat of cyber attacks and military conflict.

Selected Reading
US Imposes Sanctions on Russian and Iranian Groups Over Disinformation Targeting American Voters (SecurityWeek)
Apple Agrees $95M Settlement Over Siri Privacy Violations (Infosecurity Magazine)
SysBumps - New Kernel Break Attack Bypassing macOS Systems Security (Cyber Security News)
'DoubleClickjacking' Threatens Major Websites’ Security (GovInfo Security)
FireScam Android Malware Packs Infostealer, Spyware Capabilities (SecurityWeek)
ASUS Routers Vulnerabilities Allows Arbitrary Code Execution (Cyber Security News)
Crypto Boss Extradited to Face $40bn Fraud Charges (Infosecurity Magazine)
What's in HHS' Proposed HIPAA Security Rule Overhaul? (GovInfo Security)
Over 3 million mail servers without encryption exposed to sniffing attacks (Bleeping Computer)
CAPTCHAs now run Doom – on nightmare mode (The Register)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
The U.S. sanctions Russian and Iranian groups over election misinformation.
Apple settles a class action lawsuit over Siri privacy allegations.
DoubleClickjacking exploits a timing vulnerability in browser behavior.
FireScam targets sensitive info on Android devices.
Asus issues a critical security advisory for several router models. A former crypto boss faces extradition amidst allegations of defrauding investors
out of more than $40 billion.
HHS unveils proposed updates to HIPAA.
Millions of email servers have yet to enable encryption.
Our guest is Joe Saunders, co-founder and CEO of RunSafe Security,
discussing the complexities of safeguarding critical infrastructure
and using Doom to prove you're human.
It's Friday, January 3rd, 2025. I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Thanks for joining us here today, and happy Friday. It is great to have you with us.
The United States has sanctioned two groups tied to Iranian and Russian disinformation campaigns targeting American voters.
The Treasury accused these organizations of spreading fake videos, news, and social media posts to deepen divisions and undermine trust in U.S. elections.
The Moscow-based Center for Geopolitical Expertise used AI to create deepfake videos and fake news websites.
Its director allegedly collaborated with Russian military intelligence
to support cyberattacks.
Iran's Cognitive Design Production Center,
linked to the Revolutionary Guard,
has incited U.S. political tensions since 2023 and targeted officials with cyber attacks.
U.S. intelligence also blames Iran for promoting protests related to Israel's conflict with Hamas.
Both nations denied the allegations.
U.S. officials say Russia aimed to bolster Trump,
while Iran opposed him due to policies like reimposing sanctions and the killing of Iranian General Qasem Soleimani.
The broader effort included actions by China to undermine U.S. democracy.
Apple has agreed to a $95 million settlement in a class-action lawsuit claiming Siri violated user privacy.
The lawsuit alleged Siri unintentionally activated, recorded,
and shared private communications without user consent.
Eligible U.S. residents who owned Siri-enabled devices
between September 17, 2014 and December 31, 2024, can file claims for pro rata payments
capped at $20 per device. Devices include iPhones, iPads, Apple Watches, Macs, and HomePods.
Plaintiffs accused Apple of violating privacy and consumer protection laws.
Apple denied wrongdoing but settled after five years of litigation.
The settlement covers 10 to 15 percent of estimated damages, with attorney fees up to 30 percent of
the fund. The preliminary settlement was filed in federal court in Oakland, California. Notifications
will go to affected Siri device owners, as the class size is expected to be substantial.
It's worth noting that no definitive proof has emerged from reputable cybersecurity researchers or investigations
that Apple intentionally uses Siri to listen to conversations and then sells that data to
advertisers. Apple's privacy policies explicitly state that it does not sell user data, including Siri recordings, to third parties.
Meanwhile, security researchers have discovered SysBumps, a novel attack targeting macOS systems on Apple Silicon processors.
The attack exploits speculative execution vulnerabilities in system calls to bypass kernel address space layout randomization, a key security feature.
The research, led by a team from Korea University, demonstrates how SysBumps leverages speculative
execution and translation look-aside buffer side-channel analysis to infer kernel memory
layouts. Using a prime+probe technique, attackers identify valid kernel
addresses with 96% accuracy, exposing systems to further exploitation. The attack highlights
challenges in securing modern processors, particularly Apple's ARM-based M-series chips.
While no immediate fixes exist, the researchers proposed mitigation strategies
and responsibly disclosed their findings to Apple. Users are advised to update their systems
as patches become available. Hackers are exploiting a timing vulnerability in browser behavior with a
technique called DoubleClickjacking, a sophisticated evolution of clickjacking attacks. Security
researcher Paulos Yibelo identified this method, which manipulates the delay between two mouse
clicks to trick users into authorizing sensitive actions, such as granting OAuth permissions,
enabling account takeovers, or confirming transactions. DoubleClickjacking bypasses modern browser
protections like SameSite cookies and X-Frame-Options by exploiting the mouse-down and click
event sequence. The attack starts with a deceptive browser window, such as a CAPTCHA prompt,
which closes after the first click, revealing a sensitive action like an authorization form.
The second click, intended for the initial prompt, unwittingly triggers malicious actions.
Yibelo demonstrated the technique on major platforms like Salesforce, Slack, and Shopify. He proposed defenses, including client-side JavaScript disabling critical buttons until intentional interaction is detected
and introducing a double-click protection HTTP header.
Platforms like Dropbox and GitHub have already adopted these mitigations.
A new threat has emerged in the Android ecosystem, a stealthy malware known as FireScam, capable
of harvesting sensitive information and monitoring user
activities, according to research from Cyfirma. Disguised as Telegram Premium, FireScam spreads
through a phishing website imitating the RuStore app store, hosted on a GitHub.io domain. Once
downloaded, FireScam's installer gains control over the device by requesting
extensive permissions. It lists installed apps, modifies storage, and prevents updates from other
sources, ensuring its persistence. The malware tricks users into granting unrestricted background
operation, further solidifying its grip on the system. FireScam doesn't stop at merely existing.
It actively observes.
It fingerprints devices, monitors applications,
and registers a backdoor using Firebase Cloud Messaging,
enabling remote commands.
It tracks interactions, intercepts USSD communications,
and exfiltrates data to a Firebase database.
By exploiting legitimate services and phishing tactics, FireScam showcases a chilling capacity to compromise privacy and
security, highlighting the need for vigilance against evolving cyber threats.
ASUS has issued a critical security advisory for several router models, highlighting vulnerabilities in multiple firmware versions.
These flaws could allow authenticated attackers to execute arbitrary commands
via the AiCloud feature, potentially compromising network security.
ASUS has released firmware updates and urges users to update immediately.
To enhance security, the company advises using
strong, unique passwords and disabling internet-accessible services on older routers.
Do Hyeong Kwon, the co-founder and former CEO of a cryptocurrency firm, has been extradited to the
U.S. from Montenegro to face fraud charges.
Appearing in a Manhattan court,
Kwon, 33, is accused of defrauding investors in Terraform cryptocurrencies between 2018 and 2022, leading to losses exceeding $40 billion.
According to the Department of Justice,
Kwon allegedly misrepresented Terraform's stability and success,
inflating the value of its cryptocurrencies.
He claimed the Terra protocol maintained a stablecoin's dollar peg,
exaggerating the independence of the Luna Foundation Guard,
and fabricated partnerships, including with payment processor Chai.
Despite early efforts to mask issues,
a collapse in 2022 exposed systemic vulnerabilities, causing massive losses.
Kwon faces charges of commodities and securities fraud, wire fraud, and money laundering,
with a potential 130-year prison sentence if convicted.
The U.S. Department of Health and Human Services
today unveiled a proposed overhaul of the HIPAA security rule, the first major update in over 20
years. The revisions aim to shift from a flexible process-oriented approach to more prescriptive
requirements, including mandatory encryption, multi-factor authentication,
and vulnerability scanning every six months. Key proposals include annual technology asset
inventories, network mapping, and a requirement to restore critical systems within 72 hours.
Additionally, business associates must verify compliance with technical safeguards annually.
Critics argue the 72-hour restoration mandate is unrealistic and could increase risks if systems are restored prematurely.
The update responds to surging healthcare data breaches, with incidents increasing 102 percent
between 2018 and 2023. Compliance costs are estimated at $9 billion in the first year
and $6 billion annually thereafter, raising concerns about the financial strain on small
and rural health care providers. Public comments on the rule are open until March.
Millions of email servers worldwide are sitting exposed, vulnerable to network sniffing attacks.
According to Shadowserver, over 3.3 million IMAP and POP3 email servers lack TLS encryption,
leaving sensitive email data, including usernames and passwords, transmitted in plain text.
IMAP, often used for accessing email across multiple devices,
and POP3, which downloads emails to a single device, rely on TLS to protect data during
transmission. Without it, these servers become easy targets for attackers. Shadowserver has
alerted mail server operators, urging them to enable TLS encryption or reassess the necessity of exposed services.
Despite modern TLS 1.3 being introduced in 2018
and outdated versions retired by major tech companies in 2020,
many servers remain unsecured.
The NSA has also warned that outdated configurations
allow attackers to intercept and manipulate traffic.
The message is clear. Without secure protocols, sensitive data is at significant risk.
Coming up after the break, my conversation with Joe Saunders from RunSafe Security.
We're discussing the complexities of safeguarding critical infrastructure and using Doom to prove you're human.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
Joe Saunders is co-founder and CEO of RunSafe Security. I caught up with him to discuss the complexities of safeguarding critical infrastructure amid the looming threat of cyber attacks and military conflict.
Well, of course, protecting critical infrastructure is a complex problem.
There's a whole subcommittee in Congress dedicated to funding critical infrastructure
protection in general. And actually, that's where CISA's budget comes from. And, you know, I think
the challenge, of course, is that a majority of the critical infrastructure is not government-owned,
it's commercially owned. And the technology provided to critical infrastructure is provided
by commercial organizations, which isn't necessarily a bad thing when it comes to security. It just means more
coordination needs to happen. And with that said, if you look across all the sectors, you know,
there's 16, 17, depending on how you count them, critical infrastructure sectors. And there are industry groups, government agencies, technology companies, and all the like that are sort of focused on making sure critical infrastructure is protected. hardware, software that's been deployed in energy grid or power stations or everywhere else that's
been around for 5, 10, 15, 20, sometimes 30 years. And so it's a complex problem where I think we're
only scratching the surface in terms of really doing a good job protecting security, given the
variety of technology, the complexity of who's involved,
the agency of who has an interest in ensuring security. Is it a national security issue? Is it
good business practice? All of the above. So with that said, I think it's a complex problem,
and we're only scratching the surface to really solve it in a good way thus far.
Well, in your estimation, what are some of the things that could be done to move us in the right direction? Well, there's multiple things
that can be done. You have to think about the workforce. You have to think about the education
and awareness of the problem to the owners and operators of critical infrastructure.
For example, if you look at water utilities,
there's 10,000 water utilities in the U.S.,
which means there are some really big ones
and there are some pretty small ones.
And yet, you know, if those systems that operate
the water systems are compromised,
then, of course, that's a bad day
from a cyber event perspective.
It could deny people water. It could be doing a lot of things. And so you can imagine there's a lot of education, a lot of coordination,
and a lot of technology that has to come to bear. And so, you know, specifically, I think what can
happen, of course, is education of the workforce, even enhancing the workforce. But there's also
room then for programs like Secure by Design,
which CISA is promoting obviously very well, and its counterpart, Secure by Demand, where
it's looking to identify ways asset owners and operators can demand or ask their suppliers
for better security posture and the technology that they deliver. And then there's,
you know, of course, understanding the nature of the problem itself and assessing the risk in the
software and in the assets that you deploy. And so, you know, if I think about the workforce,
you know, the programs and the awareness, and then, you know, the nuts and bolts of really
understanding the nature of the risk, all three of those things have areas where we can do some work, but also where some work has been started.
Can we talk about China specifically? I think we see a lot of reports about China
kind of staging their presence within some of our critical infrastructure here, preparing,
battle space preparation, as one of my colleagues likes to say.
What is your take on where we stand with that?
And I also want to touch on the looming presence of China in Taiwan.
Sure.
So there's no doubt, as we've seen with Volt Typhoon and other APTs and threat actors that originate from China, that, as you say, the preparation of the battlefield has already commenced.
That China has technology pre-positioned inside critical infrastructure to pick a day of its choosing when it may want to administer, let's call it a payload, a cyber payload to disrupt, you know, service or operations.
And that threat is always real, whether it comes true or not.
The fact that there is prepositioning means that there is risk in basic services that the U.S. provides.
And so, you know, I think about telecommunications equipment being compromised.
If you're Verizon or AT&T and some of the embedded software deep into the telecom equipment and network infrastructure, it's very scary to think that that is prepositioned and could be exploited.
But also water utilities, like I already mentioned, and other sectors.
So China, I like to think of China as a very persistent,
aggressive adversary. If you look at the historical track record of its prowess in
stealing intellectual property, I think we can think about their tactics in the same way when
it comes to cyber attacks themselves. If this is the new phase of some of their cyber operations,
you know China, given a well-determined, well-funded, you know, sophisticated adversary who thinks long-term, is no doubt pre-positioning technology, you know, in preparation of the
battlefield. And it may not be a kinetic battle we're talking about, but it could be some of these
gray zone matters, you know, cyberattacks here,
that can just be disruptive. It can cause confusion in the U.S. It could help focus the
U.S. government internally instead of externally on other matters like Taiwan, if we want to talk
about that. But you can see that a very determined adversary with a 50 to 1 manpower advantage in cyber
warfare, as Director Wray from the FBI said last January, February before the Select Committee
on CCP, that we need to take it very seriously.
And it's not just China, of course.
It's Russia and Iran and North Korea and others.
But China, you know, seems to be very aggressive in its long-term view of disrupting infrastructure with the preposition they've already done.
Well, let's talk about Taiwan specifically.
I mean, where do you suppose Taiwan finds itself right now? I'm thinking of both their ability to defend themselves, but also looking at the broader diplomatic picture of who has Taiwan's back in this particular case. cyber attacks a month take place in Taiwan. And that seems like an outrageous number.
And with that said, you can imagine a lot of testing of, you know, ability to attack.
And if you think about the ability to disrupt core sectors in Taiwan that matter to, you know,
a well-functioning society for them. Certainly communication, certainly energy,
certainly financial system. If you think about their ability to communicate as an island,
they need redundant systems. They need the ability to communicate. If you think about
their dependence on importing energy, then the storage and the distribution of the energy sources
within the island are essential. And certainly the financial system, you know, people need to
be able to move money and conduct transactions and do commerce. And so those are the sectors
I think about when I think about, you know, helping protect critical infrastructure in Taiwan.
And naturally, those are just subsets of a broader geopolitical consideration, as you say. So if there was some kind of
kinetic attack on Taiwan, some people have said, including Director Easterly at CISA and even
Director Wray at FBI, that there could be a simultaneous attack
in U.S. critical infrastructure. So that's the second level of thinking. And then the third
level, of course, is, you know, what if there's a blockade? What if there is an all-out war?
Who comes to defend China or defend Taiwan in that case? And naturally, those are a lot of open questions I
don't think I can answer. They are complex. There is the historic strategic ambiguity
in terms of U.S. policy towards Taiwan and China. But nonetheless, there's a lot at stake
in the region. You think about what happens if Taiwan is not supported and China were to integrate Taiwan back into China. Then you think about what does that mean for Japan? What does that mean for India? What does that mean for Singapore and others in the region? And so I think there is a lot of interest from India, a lot of interest from
Japan, from Australia to come to Taiwan's assistance, as there should be from the US.
I mean, China projecting further power out, taking over a free democratic society
that is a major top 20 economic powerhouse with strategic technology
like semiconductors. There's simply a lot at stake. And so I think in particular, how to support Taiwan
and cyber needs to be elevated, you know, just as we think about how to protect U.S. critical
infrastructure. I think protecting critical infrastructure in Taiwan is essential.
That's Joe Saunders, co-founder and CEO of RunSafe Security. Thank you.
suite of solutions designed to give you total control, stopping unauthorized applications,
securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and
compliant.
Clear your schedule for you time with a handcrafted espresso beverage from Starbucks.
Savor the new small and mighty Cortado.
Cozy up with the familiar flavors of pistachio.
Or shake up your mood with an iced brown sugar oat shaken espresso.
Whatever you choose, your espresso will be handcrafted with care at Starbucks.
And finally, our
classic gaming desk tells us that Guillermo Rauch,
CEO at web platform provider Vercel,
spent the holidays doing something a bit more intense than sipping eggnog.
He created a captcha that requires users to slay three monsters in Doom on Nightmare Mode.
Yes, instead of squinting at blurry traffic lights
or clicking on crosswalks,
you'll need to channel your inner demon slayer.
Captchas have evolved from distorted text puzzles in 1997
to Google's reCaptcha,
which works quietly in the background.
But bots are now better at solving captchas than humans.
Rauch's Doom CAPTCHA,
announced on New Year's Eve, might be the most entertaining workaround yet, if you can survive the nightmare-level difficulty where enemies are relentless and your health bar drains faster than
post-holiday enthusiasm. It's a fun tech demo, though admittedly unlikely to gain
mainstream adoption. And while bots may one day conquer Doom, for now, it's a captcha worth trying,
if you dare. And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday and my conversation with Karlo Zanki, reverse engineer at ReversingLabs.
We're discussing their work, "Malicious PyPI crypto pay package implants infostealer code."
That's Research Saturday. Check it out.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
We're privileged that N2K CyberWire is part of the daily routine of the most influential
leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. This episode was produced
by Liz Stokes. Our mixer is Trey Hester, with original music and sound design by Elliot Peltzman.
Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella
is our president. Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening. We'll see you back here next week.