CyberWire Daily - AI’s blind spots need human eyes.

Episode Date: February 14, 2025

Nakasone addresses AI at the Munich Cyber Security Conference. Court documents reveal the degree to which DOGE actually has access. Dutch police dismantle a bulletproof hosting operation. German officials investigate Apple’s App Tracking. Hackers exploited security flaws in BeyondTrust. CISA issues 20 new ICS advisories. The new Astaroth phishing kit bypasses 2FA. Hackers waste no time exploiting a SonicWall proof-of-concept vulnerability. Our guest today is Lawrence Pingree, VP of Technical Marketing at Dispersive, joining us to discuss why preemptive defense is essential in the AI arms race. Have I Been Pwned ponders whether resellers are worth the trouble.

CyberWire Guest
Our guest today is Lawrence Pingree, VP of Technical Marketing at Dispersive, joining us to discuss why preemptive defense is essential in the AI arms race. You can read more in "How Cybercriminals Are Using AI: Exploring the New Threat Landscape."
Selected Reading
Putting the human back into AI is key, former NSA Director Nakasone says (The Record)
Court Documents Shed New Light on DOGE Access and Activity at Treasury Department (Zero Day)
Musk's DOGE team: Judges to consider barring it from US government systems (Reuters)
Anyone Can Push Updates to the DOGE.gov Website (404 Media)
Dutch Police seizes 127 XHost servers, dismantles bulletproof hoster (Bleeping Computer)
Apple app tracking rules more strict for others – watchdog (The Register)
PostgreSQL flaw exploited as zero-day in BeyondTrust breach (Bleeping Computer)
CISA Releases 20 ICS Advisories Detailing Vulnerabilities & Exploits (Cyber Security News)
Astaroth 2FA Phishing Kit Targets Gmail, Yahoo, Office 365, and Third-Party Logins (GB Hackers)
SonicWall Firewall Vulnerability Exploited After PoC Publication (SecurityWeek)
Have I Been Pwned likely to ban resellers (The Register)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network powered by N2K. Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind, knowing my data privacy is protected. DeleteMe's team does all the work for you, with detailed
Starting point is 00:00:43 reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to JoinDeleteMe.com/N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com/N2K and enter code N2K at checkout. That's JoinDeleteMe.com/N2K, code N2K. Nakasone addresses AI at the Munich Cybersecurity Conference. Court documents reveal the degree to which DOGE actually has access. Dutch police dismantle a bulletproof hosting operation. German officials investigate Apple's app tracking.
Starting point is 00:01:46 Hackers exploited security flaws in BeyondTrust. CISA issues 20 new ICS advisories. The new Astaroth phishing kit bypasses 2FA. Hackers waste no time exploiting a SonicWall proof-of-concept vulnerability. Our guest today is Lawrence Pingree, VP of technical marketing at Dispersive, discussing why preemptive defense is essential in the AI arms race. And Have I Been Pwned ponders whether resellers are worth the trouble. It's Friday, February 14th, 2024. I'm Dave Bittner and this is your CyberWire Intel Briefing. Well, happy Valentine's and thank you all for joining us here today.
Starting point is 00:02:54 At the Munich Cybersecurity Conference, former NSA Director Paul Nakasone emphasized the need for AI integration while preserving human expertise. He highlighted that future national security professionals must blend coding skills with policy knowledge. AI can enhance efficiency, but human intuition remains essential, especially in intelligence work where operators detect subtle adversarial changes that AI cannot. Nakasone stressed that the side integrating AI fastest will gain the advantage, but ethical and moral decision-making will still require human judgment.
Starting point is 00:03:33 Peter Kent, CEO of Enabled Intelligence, reinforced this, advocating for neurodiverse teams to refine AI. He noted that neurodiverse individuals excel at spotting AI hallucinations, biases, and inconsistencies, making AI outputs more reliable. AI, Kent argued, should automate routine tasks, allowing humans to focus on critical thinking and innovation. Neurodiversity enhances AI development, improving defense applications like satellite image analysis. Ultimately, AI is a tool, but human intelligence, ethics, and adaptability remain irreplaceable.
Starting point is 00:04:15 New court documents reveal that Marko Elez, a 25-year-old employee of the Department of Government Efficiency, DOGE, had write privileges to a Treasury payment system, contradicting earlier reports that he had read-only access. However, his privileges were mistakenly granted for just one day before Treasury officials revoked them, and there's no evidence he made unauthorized changes. The Treasury implemented strict security measures, including monitoring Elez's activities and restricting his access to certain systems. Despite media claims that he had administrative-level access,
Starting point is 00:04:55 officials assert he was only able to edit data in a limited capacity. A lawsuit has been filed to block DOGE employees from accessing Treasury systems over security concerns. Elez resigned on February 6 following media scrutiny. While some reports suggest he altered Treasury code, court documents indicate his work mainly involved helping automate payment review processes rather than making unauthorized or disruptive
Starting point is 00:05:22 changes. Meanwhile, the doge.gov website has serious security flaws, allowing anyone to edit its database. Two security individuals demonstrated the vulnerability by adding public messages mocking the site's lack of protection. Doge.gov was hastily launched after Musk touted DOGE's transparency, but experts say it appears to be hosted on Cloudflare Pages rather than secure government servers. The site pulls data from an open database that's been modified by third parties. One researcher found they could alter government employment stats by accessing exposed API
Starting point is 00:06:02 endpoints. The site's codebase appears to be deployed from GitHub without proper security measures. Similar issues were found with Waste.gov, another DOGE-affiliated site. Needless to say, the lack of cybersecurity raises major concerns. Dutch police dismantled the Zservers/XHost bulletproof hosting operation, taking 127
Starting point is 00:06:28 illegal servers offline. The US, UK, and Australia recently sanctioned the same service for aiding cybercriminals, particularly LockBit ransomware operators. Run by Russian nationals Alexander Mishin and Alexander Bolshakov, Zservers facilitated botnets, malware distribution, and money laundering. The service openly advertised its tolerance for criminal activity, making it a safe haven for cybercrime. Authorities found servers hosting hacking tools from LockBit and Conti ransomware, two
Starting point is 00:07:02 of the most damaging ransomware operations. The Amsterdam-based servers allowed anonymous purchases via cryptocurrency. While no arrests were made, Dutch cybercrime specialists are investigating seized equipment for further evidence. Mishin and Bolshakov face asset freezes and travel bans, but criminal charges have not been filed yet. Dutch police emphasize that shutting down bulletproof hosting is key to disrupting global cybercrime.
Starting point is 00:07:32 Germany's competition watchdog is investigating Apple's App Tracking Transparency framework, alleging that the company exempts itself from the strict privacy rules it enforces on third-party apps. Since 2021, iOS developers must ask for user consent before tracking activity across apps, a move that hit Facebook hard, costing it an estimated $10 billion in ad revenue. However, regulators claim Apple still tracks users within its own ecosystem, using data from the App Store, Apple ID, and connected devices for personalized ads.
Starting point is 00:08:09 Apple's consent prompts also appear to favor its own services by reducing user friction compared to third-party apps. The German Federal Cartel Office argues this could be anti-competitive self-preferencing. Apple, which has appealed its regulatory designation in Germany, has yet to respond. A final court decision on its competitive status is expected on March 18th. Hackers exploited security flaws in BeyondTrust, a company that helps businesses manage secure access to their systems. They used two unknown software bugs and a stolen security key
Starting point is 00:08:47 to break into BeyondTrust's network in December. A month later, the U.S. Treasury Department was also hacked. Investigators linked this attack to Chinese state-sponsored hackers known as Silk Typhoon, who stole sensitive government documents related to economic sanctions and foreign investments. Experts later discovered that the hackers also took advantage of a hidden weakness in PostgreSQL, a database tool used in many systems. This flaw allowed them to take control of BeyondTrust software remotely. Although BeyondTrust fixed one of the security issues, it didn't fully repair the database flaw. Still, their update blocked hackers from using it.
Starting point is 00:09:28 CISA has since ordered agencies to secure their systems against these types of attacks. Speaking of CISA, they've issued 20 new security advisories for industrial control systems warning about critical vulnerabilities in products from Siemens, ORing, mySCADA, Mitsubishi Electric, and others. These flaws could allow hackers to disrupt operations, steal sensitive data, or gain unauthorized access. Issues range from remote code execution, authentication bypass, weak encryption, and command injection. CISA urges organizations to apply security patches, strengthen authentication, and isolate vulnerable systems. A new phishing kit called Astaroth has emerged
Starting point is 00:10:14 as a major cybersecurity threat capable of bypassing two-factor authentication using advanced session hijacking and real-time credential interception. First seen in January of this year, it targets platforms like Gmail, Yahoo, and Office 365. Astaroth acts as a person in the middle, mirroring real login pages with SSL certificates to avoid detection. When victims enter credentials and 2FA tokens,
Starting point is 00:10:42 attackers intercept session cookies, allowing them to bypass authentication entirely. Sold for $2,000 on cybercrime forums, it includes real-time credential capture, SSL-certified phishing domains, and takedown-resistant hosting. Experts warn that traditional security measures are ineffective against Astaroth's real-time attacks. Enhanced cybersecurity, user awareness, and proactive threat detection are crucial to defending against these evolving phishing threats.
Starting point is 00:11:15 Hackers are actively exploiting a high-severity authentication bypass in SonicWall firewalls after a proof-of-concept exploit was published. This vulnerability allows attackers to bypass multi-factor authentication, access private data, and disrupt VPN sessions. SonicWall released patches in January, but as of February 7, around 4,500 devices remain unpatched. Arctic Wolf warns that cybercriminals often exploit firewall and VPN vulnerabilities for ransomware attacks, citing past incidents involving Akira ransomware. Organizations should immediately update SonicWall firewalls
Starting point is 00:11:54 or follow mitigation steps to prevent attacks. Disabling SSL VPN is recommended if patching is not possible as the public proof of concept increases the risk of exploitation. Coming up after the break, Lawrence Pingree from Dispersive joins us to discuss why preemptive defense is essential in the AI arms race. And Have I Been Pwned ponders whether resellers are worth the trouble. Stay with us. Cyber threats are evolving every second and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted
Starting point is 00:12:57 by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. Do you know the status of your compliance controls right now? Like right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian
Starting point is 00:13:47 and Quora have continuous visibility into their controls with Vanta. Here's the gist, Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Starting point is 00:14:12 Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for a thousand dollars off. Lawrence Pingree is VP of technical marketing at Dispersive. I recently sat down with him to discuss why preemptive defense is essential in the AI arms race. It harkens me back to when I was at Gartner. So I introduced some of the concepts in generative AI, specifically generative AI runtime defense. And I think everyone knows now that AI has an upside and a downside, right?
Starting point is 00:15:05 It's basically dual-use technology. And in being dual-use, it can be used for defending, and it can also be used for the offense. And the lay of the land in terms of AI is, over the last 18 months, we went from the introduction to the market of ChatGPT and the GPT craze. And over the last maybe six months, we've been transitioning into the AI agentics and AI agents.
Starting point is 00:15:38 And this is giving rise to lots of integrated software use cases. And so what's really, I think, both fascinating as well as a bit scary is that the attackers are now capable of leveraging AI. Obviously, there was a big scandal yesterday about the new model out of China. And it was always my belief, actually, that the open source GPTs would eventually win the race, because open source generally wins over time.
Starting point is 00:16:17 But we've gone into this phase where software can be hyperpowered by agentics. And what's happening is the broad distribution of models, the various use cases, they're getting better and better, right? So we went from simply chatting with an AI and getting really kind of wonky results sometimes and good results other times to now where the error rate or the hallucination rate in AI is roughly maybe one and a half percent in the larger foundational models, which means they're better at what they do,
Starting point is 00:17:01 right? And a lot of people don't realize that the technology behind the scenes, they created entire towns out of AI and agentics, right? So they had little creatures running around, throwing parties, telling where people wanted to go for the party. They have some pretty amazing superpowers when you use agentics. What are some of the areas that you are specifically concerned about that you think security professionals should have their eye on? I mean, when I started doing research into AI at Gartner, I was really
Starting point is 00:17:38 concerned about this notion of an arms race between the attacker and the defender. What I mean by that is, if you're using ML or if you're using these advanced AI models to both defend and to do offense, it's an arms race. You're in this race condition. My worry, at least back then,
Starting point is 00:18:02 was that the attackers would readily be able to use these models to generate malware, hyperscale attacks with multiple dimensions in multiple domains. For example, rather than just simply pulling up a port scanner like Nmap and then having to go grab tools and compile them that the attackers of the past had to do, we have hyper automation that's possible to do multi-stage and multi-step attacks. The other thing I was concerned about is all of the breach data out there being used to contextualize attacks down to the individual level. So if you look at the phishing attacks of five or six years ago, they were generally
Starting point is 00:18:57 pretty easy to figure out. Mouse over it, you could look at the URL, you could see that it was kind of broken English or broken other language. And today, now we have, you know, contextualized based text messages coming to us with our family or coworkers names in them. Maybe using your boss and saying, hey, you know, this is a CEO. I'm trying to reach out. I need you to do something. So it's gotten a lot more advanced and contextualized. And at the same time, that, you know, that historical error-prone, you know, phishing email looks like it's real live people sending a message in native languages.
Starting point is 00:19:43 What are your recommendations then? I mean, for folks who are interested in exploring this, what's a good way to begin? I think that when it comes to the tech provider community, well, first of all, you can start looking for preemptive cyber defense technologies. But Dispersive does it at the network layer. We randomize traffic, we randomize keying, and we have preemptive measures of
Starting point is 00:20:07 hiding the attack surface, which differentiate us. But the idea behind preemptive cyber defense is that it can be applied in many different layers. Okay? It can be applied in software to randomize parameters that are being used for an application. So that script kiddies, when they go out to various databases like Exploit-DB or something, they can't just use it,
Starting point is 00:20:32 compile it, and it works. That's the static realm that we're in today. We need to be able to prioritize things like defense within the endpoint operating system, randomizing memory better, making it, kind of neutering these attacks with the preemptive measures. And to rotate back into the things like AI,
Starting point is 00:20:56 these kinds of attacks are possible because AI's greatest superpower is that it models things. And how do you defend against modeling? You have to randomize. So just to illustrate this, if we were on, again, the battlefield, which I think of the cyber war as the battlefield, you know, a moving target is very difficult to hit. Okay? So let's, you ask any soldier, if somebody's standing still, it's easy to hit them.
Starting point is 00:21:26 It's harder to hit them if they start running randomly and changing direction, up, down, left, right, you know. Then it becomes an NP-hard problem, right? So you need to understand that randomization is the Achilles heel of modeling, and that's really the superpower of preemptive cyber defense, or at least one of them. Is it fair to think of this, at least in part, as kind of making it so that you're not the low-hanging fruit? In other words, if you're doing preemptive defense,
Starting point is 00:22:00 there's no silver bullet, right? There's no 100% perfect thing. But if you're doing this and someone else isn't, I guess to your analogy, you're the person running around zigzagging while the shop next door might be running in a straight line or even standing still. I think you're spot on, Dave. I mean, so one of the problems is,
Starting point is 00:22:20 and I'll just talk about what we see. Over the last 18 months, you've had Palo Alto firewalls be owned by the Chinese, backdoored. A lot of those firewalls are configured to be able to do man in the middle inspection of traffic. Nothing wrong with that. But the problem becomes that then the Chinese can literally snarf your packets, your credentials right off the wire and go use them, right?
Starting point is 00:22:47 Same thing with Fortinet. We've had a big, you know, there was a big story the other day on Fortinet where the configurations could be accessed and downloaded by threat actors. And I think the vulnerability existed from back in 2022. The other big thing that people forget is that whether it's a zero day or a disclosed vulnerability with a patch, that vulnerability likely existed in all of history, as long as that code existed, right?
Starting point is 00:23:16 And so, you know, if we don't think that threat actors are literally stacking a huge list of zero day attacks that they don't wanna ever give to anybody, we're lying to ourselves, right? So we have to start taking preemptive measures. So for example, if you want to prevent a firewall attack, you have to hide the management plane, right? So you need to separate the control plane and the data plane.
Starting point is 00:23:41 Some of you have probably heard this, but what that means is your management should be done elsewhere, right? It should be in a protected environment separate from data transactions. The ideal attack surface is one that doesn't exist, right? And in network security land, if we look at the standard VPN technologies like SSL or IPsec, the sad thing is that most of the time, even service providers do this, where they
Starting point is 00:24:13 configure them in such a way that basically people can roam around the whole planet and still get to that port or that protocol. That's for flexibility, agility, all of that. But the problem is that exposed attack surface becomes the next zero. That's Lawrence Pingree from Dispersive. We'll have a link to their recent report in our show notes. And now, a message from our sponsor Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million
Starting point is 00:25:08 record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI powered automation and
Starting point is 00:25:46 detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com slash security. And finally, Troy Hunt, the mastermind behind Have I Been Pwned, is on the verge of banning resellers. And honestly, who can blame him? Have I Been Pwned, the go-to site for checking if your email has been pwned, stolen and floating around the dark web, offers paid API access to bulk-check data breaches.
Starting point is 00:26:34 But some crafty resellers have been buying the subscriptions at $1,100 and flipping them and doubling the price. Worse, despite making up less than 1% of users, resellers account for 15% of support tickets and take five times longer to assist. Frustrated with endless pricing disputes and bizarre refund requests, Hunt says he is very very strongly inclined to kick them out. He's still mulling over a solution, maybe automation, to save Have I Been Pwned from reseller-induced headaches while keeping legit customers happy. Stay tuned. And that's the CyberWire. For links to all of today's stories, check out our daily briefing
Starting point is 00:27:35 at thecyberwire.com. A quick programming note, we will be observing Washington's birthday in the U.S. this coming Monday. Have no fear, we will have some great content on your CyberWire dark side of internet advertising. That's Research Saturday, do check it out. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes.
Starting point is 00:28:31 We're mixed by Tré Hester with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week. Hey everyone! Grab your favorite mug and put the kettle back on the stove, because Afternoon Cyber Tea is coming back! This season I am joined by an all-star team of thought leaders and industry experts to dive into the critical trends that are shaping the future of cybersecurity. We will explore how these technologies are revolutionizing the way we work, the way we live, and the way we interact with the world
Starting point is 00:29:25 around us. And as always, we will be bringing you thought-provoking discussions and fresh perspectives on what is driving the future of cybersecurity and what leaders can do now to protect their teams tomorrow. New episodes will be coming to you in February, every other Tuesday, so subscribe now wherever you get your favorite podcasts.
