CyberWire Daily - Charting the course: Biden's blueprint for global cybersecurity.

Episode Date: May 6, 2024

Secretary of State Antony Blinken is set to unveil a new international cybersecurity strategy at the RSA Conference in San Francisco. Paris prepares for Olympic-sized cybersecurity threats. Wichita, Kansas is recovering from a ransomware attack. A massive data breach hits citizens of El Salvador. Researchers steal cookies to bypass authentication. Cuckoo malware targets macOS systems. Iranian threat actors pose as journalists to infiltrate network targets. A former Microsoft insider analyzes the company’s recommitment to cybersecurity. Guest Mark Terenzoni, Director of Risk Management at AWS, joins N2K’s Rick Howard to discuss the benefits of security lakes in a post-AI world. Ukrainian officials introduce an AI generated spokesperson.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Guest Mark Terenzoni, Director of Risk Management at AWS, joins N2K’s Rick Howard to discuss the benefits of security lakes and other security considerations for a post-AI world. Read Mark's blog on the subject.

Selected Reading
Biden administration rolls out international cybersecurity plan (POLITICO)
Paris 2024 gearing up to face unprecedented cybersecurity threat (Reuters)
Wichita government shuts down systems after ransomware incident (The Record)
El Salvador suffered a massive leak of biometric data (Security Affairs)
Stealing cookies: Researchers describe how to bypass modern authentication (CyberScoop)
Malware: Cuckoo Behaves Like Cross Between Infostealer and Spyware (Kandji)
Iranian hackers pose as journalists to push backdoor malware (Bleeping Computer)
Breaking down Microsoft’s pivot to placing cybersecurity as a top priority (DoublePulsar)
Ukraine unveils AI-generated foreign ministry spokesperson | Artificial intelligence (AI) (The Guardian)

Share your feedback.
We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life Thank you. JoinDeleteMe.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout. That's JoinDeleteMe.com slash N2K, code N2K. The Secretary of State, Antony Blinken, is set to unveil a new international cybersecurity strategy at the RSA conference in San Francisco.
Starting point is 00:01:39 Paris prepares for Olympic-sized cybersecurity threats. Wichita, Kansas is recovering from a ransomware attack. A massive data breach hits citizens of El Salvador. Researchers steal cookies to bypass authentication. Cuckoo malware targets macOS systems. Iranian threat actors pose as journalists to infiltrate network targets. A former Microsoft insider analyzes the company's recommitment to cybersecurity. Our guest, Mark Terenzoni, Director of Risk Management at AWS, joins N2K's Rick Howard to
Starting point is 00:02:12 discuss the benefits of security lakes in a post-AI world. And Ukrainian officials introduce an AI-generated spokesperson. It's Monday, May 6, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. It is great to have you with us. The Biden administration is set to introduce a new international cybersecurity strategy, marking the first U.S. global cyber strategy in over a decade aimed at bolstering global cooperation against cyber threats. Secretary of State Antony Blinken will unveil the strategy at the RSA conference in San Francisco. This strategy plan targets enhancing cybersecurity through four main pillars,
Starting point is 00:03:26 establishing a secure digital ecosystem, promoting rights-respecting digital technology with allies, forming coalitions against cyberattacks, and boosting cybersecurity resilience among partner nations. A key element of this strategy is the allocation of $50 million to the newly formed Cyberspace and Digital Connectivity Fund, aimed at supporting cybersecurity improvements in allied countries. Additionally, the strategy emphasizes a proactive role in cyber diplomacy at the United Nations and seeks to develop global norms for emerging technologies like AI. The U.S. aims to foster international consensus on AI usage and cyber conduct. The strategy's implementation is considered urgent, with efforts intensifying
Starting point is 00:04:14 in the months leading up to the November presidential election, reflecting the need for consistent U.S. leadership in global cybersecurity, irrespective of potential administration changes. It is RSA Conference Week in San Francisco, the cybersecurity industry's largest annual gathering. The show floor officially opens for a preview event this evening, and we've got N2K CyberWire team members and partners we'll be checking in with throughout the week, so stay tuned for that. The Paris 2024 Olympics are preparing for an unprecedented cybersecurity challenge, expecting heightened threats from organized crime, activists, and state actors. The organizers, working closely with France's National Agency for Information Security and partners like Cisco and Eviden,
Starting point is 00:05:05 aim to minimize the impacts of cyberattacks. Despite not being able to prevent all attacks, efforts include employing ethical hackers to test security measures and utilizing artificial intelligence to prioritize threats. With a significantly higher number of cybersecurity events anticipated compared to the Tokyo 2021 Games, the preparation for Paris 2024 is extensive. ANSSI's director, Vincent Strubel, emphasized the rigorous security tests conducted on all 500 competition sites and related venues, expressing confidence in their preparedness for potential cyber threats
Starting point is 00:05:45 during the Olympic and Paralympic Games. Wichita, Kansas is facing significant service disruptions following a ransomware attack that encrypted city systems on Sunday. Officials had to shut down some systems to prevent further spread of the malware, resulting in online service outages, although the specific affected services were not detailed. The city is implementing business continuity measures to ensure that first responders continue providing essential services. Restoration of the systems will occur in stages to minimize further disruptions. The city is collaborating with third-party specialists
Starting point is 00:06:25 and federal and local law enforcement to manage the situation securely. No details were provided on the ransomware group responsible or any data potentially stolen by the hackers. This incident makes Wichita the largest U.S. city affected by such an attack this year. Researchers at Resecurity have uncovered a substantial data breach on the dark web, affecting over 5 million citizens of El Salvador, more than 80% of the country's population. The breach was orchestrated by an entity known as Cyber Intelligentsia SV and involved a 144-gigabyte data dump posted on Breach Forums. This leak
Starting point is 00:07:08 includes highly sensitive personal information such as identification numbers, full names, birthdates, contact details, and high-definition photos linked to each individual's document identification number. This incident marks a significant compromise of biometric data, posing a serious risk of identity theft and fraud. The breach's scale and the inclusion of biometric data enable threat actors to create convincing deepfake identities, increasing the potential for widespread fraud in digital and financial services. Passwords and knowledge-based authentication continue to be security vulnerabilities, with nearly a third of breaches involving stolen credentials. Modern alternatives like FIDO2, using hardware-based cryptographic credentials,
Starting point is 00:07:57 aim to enhance security by moving away from easily compromised passwords. CyberScoop reports on a new study by Silverfort which reveals potential weaknesses in these systems, particularly in session management post-authentication. FIDO2 and similar standards significantly reduce the risk of initial breaches but can be circumvented via person-in-the-middle attacks that hijack session tokens.
Starting point is 00:08:25 These tokens can be replicated and used without geographic or numerical restrictions, posing a significant threat even after successful authentication. The research underscores the need for enhanced protection of session tokens, possibly through token binding, which adds an additional security layer by binding the session token to the TLS handshake, thus limiting its use to the authenticated session. This technique is not yet widely adopted, with major browsers like Chrome and Firefox discontinuing or not supporting it. Cybersecurity researchers at Kandji have identified a new malware called Cuckoo targeting Apple macOS systems.
Starting point is 00:09:09 It's designed as a universal Mach-O binary compatible with both Intel and ARM-based Macs and found on websites offering music ripping and MP3 conversion tools. Cuckoo establishes persistence via a launch agent and employs a locale check to avoid execution in Russia or Ukraine. It tricks users into providing system passwords through fake password prompts for escalated privileges and performs extensive data harvesting. This includes capturing hardware information, running processes, installed apps, screenshots, and sensitive data from iCloud Keychain, Apple Notes, web browsers, crypto wallets, and various applications like Discord and Steam. The associated malicious application bundles are signed with a valid developer ID. The Iranian state-backed threat actor known as APT42 is using social engineering, including posing as journalists, to infiltrate the networks of targets in the West and Middle East, BleepingComputer reports.
Starting point is 00:10:23 Iran's Islamic Revolutionary Guard Corps intelligence organization has targeted NGOs, media, academia, activists, and legal sectors across 14 countries. Their tactics involve spear phishing emails from typo-squatted domains resembling legitimate organizations. These emails, purporting to be from entities like the Washington Post or The Economist, eventually direct victims to phishing sites that capture credentials and multi-factor authentication tokens. Using custom backdoors NiceCurl and TameCat, APT42 executes commands and exfiltrates data, focusing on maintaining access through normal cloud tool features and using VPNs and ephemeral servers to avoid detection. Microsoft has announced a commitment to heightened cybersecurity measures
Starting point is 00:11:12 in response to critiques highlighted in a recent Cyber Safety Review Board report backed by the U.S. Department of Homeland Security. These improvements are detailed in a blog post by Kevin Beaumont, a security researcher and former Microsoft employee who shared his perspectives and historical criticisms of the company's security practices. According to Beaumont, Microsoft is reprioritizing cybersecurity as its top concern, focusing on six strategic pillars designed to bolster protection across various facets of the organization. These pillars target the protection of identities, isolation of production systems, network security, engineering systems security, enhanced threat monitoring,
Starting point is 00:11:58 and accelerated response to security incidents. Beaumont highlights the importance of these measures in a blog from Charlie Bell, Microsoft's Executive Vice President of Security, and an all-company email from CEO Satya Nadella emphasizing security as everyone's top priority. Beaumont's detailed account sheds light on past security challenges within Microsoft and suggests that while the company has always employed
Starting point is 00:12:26 some of the smartest security personnel, certain practices have normalized risky behavior. He notes Microsoft's unique position in impacting both individual users and global infrastructure, making their security measures critically important. Furthermore, Beaumont discusses new governance strategies being implemented at Microsoft to unify security practices across different business units. This includes linking leadership compensation to security outcomes and enhancing the role
Starting point is 00:12:57 of threat intelligence within the company's security operations. While acknowledging the steps Microsoft is taking, Beaumont remains cautiously optimistic about their implementation and effectiveness, noting that true security enhancement will require continuous commitment and may take time to fully realize. His insights reflect a mix of technical understanding and personal experience within the company, offering a comprehensive look at Microsoft's efforts to improve its cybersecurity stance. We note in disclosure that Microsoft is an N2K CyberWire partner, but we cover them just like we would any other company. Coming up after the break, my N2K colleague Rick Howard speaks with our guest Mark Terenzoni, Director of Risk Management at AWS. Stay with us.
Starting point is 00:14:04 Transat presents a couple trying to beat the winter blues. We could try hot yoga. Too sweaty. We could go skating. Too icy. We could book a vacation. Like somewhere hot. Yeah, with pools.
Starting point is 00:14:17 And a spa. And endless snacks. Yes! Yes! Yes! With savings of up to 40% on Transat South packages, it's easy to say, so long to winter. Visit Transat.com or contact your Marlin travel professional for details. Conditions apply.
Starting point is 00:14:31 Air Transat. Travel moves us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies,
Starting point is 00:15:14 access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached.
Starting point is 00:16:19 Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. My N2K colleague Rick Howard recently caught up with Mark Terenzoni, Director of Risk Management at AWS. They're discussing the benefits of security lakes in a post-AI world. The 2024 RSA Security Conference is just around the corner, and there are all kinds of interesting ideas emerging in time for the conference. I got the chance to sit down with AWS's Mark Terenzoni. Mark Terenzoni, my title is Director of Investigations and Response, and I've been here since January of 2018.
Starting point is 00:17:05 AWS is an N2K CyberWire media partner, and at their re:Inforce conference last summer, the big topic was vendor-provided data lakes. Now, a year has gone by, so I asked Mark about the latest developments. It's been a phenomenal year since we launched Security Lake. The thesis behind Security Lake was really just helping customers democratize their security data. And there were two components of it. One was the easy button for them to organize all their data into their accounts on low-cost storage. The second one is normalizing it into a format that allowed us to have a common language across all security vendors and all types of data that customers would care about from a security event perspective.
Starting point is 00:17:53 And that format was Open Cybersecurity Schema Framework, or better known as OCSF. Both have been widely adopted in the first year. OCSF has somewhere around 700 individual contributors across a couple hundred organizations, which is much greater than what we thought and expected. So what problems are you trying to solve with the data lake? The idea of data lake has been around for a long time. We all assumed back in the day, this is geez, 10 years ago, that we would just dump everything there, run some magic machine learning algorithms on it, and we would find all the bad guys. I don't think we're quite there yet. So, you know, phase one, obviously get all your data that you care about into one place. That's the, that's sort of the easy part.
Starting point is 00:18:40 And then what does it enable from a use case and workflow perspective? So we see three major areas that customers are mostly gravitating towards. Incident investigations, incident response to some extent, and proactive threat hunting are the main things that they want to do on top of this data. But ALT is a big data and analytic problem. We're taking the big data component off the table so customers and partners don't have to focus on that undifferentiated heavy lifting. And they can really focus on the analytic workflow outcomes that customers would care about. Now, what's really interesting is there's a couple of technology shifts that have started to happen
Starting point is 00:19:21 that enable the data to be more approachable for customers. You know, one is in the form of being able to direct query and have lightweight indexes on the data that is in this schema format. So you really don't have to, customers don't have to fully ingest all of this data into the tool they care about. And, you know, in many cases, some of these logs are highly voluminous and customers find that they have to query them maybe three, five, 10 times a year. Well, if you have to pay for the ingest cycle
Starting point is 00:19:53 and to pick a tool for the three to five times a year that you have to query it, it becomes really a cost-benefit analysis problem. But if you can store that data at relatively low cost on top of S3 and direct query it and get reasonably quick responses, that changes the whole dynamics of that benefit.
Starting point is 00:20:15 And then the second technology shift is, I mean, we would not have a podcast today without talking about generative AI and LLMs. Well, I was on my notes. It's by law in Virginia. We have to talk about it. So go ahead. Like everyone in security is probably a little skeptical, but I've been pleasantly surprised
Starting point is 00:20:32 at some of the benefits we see and our customers are seeing from this with very little effort on their part. They're getting some reasonably incredible results. It's still early days, so I won't call it the panacea yet. But think about a scenario where you have all this data and multiple sources a customer has.
Starting point is 00:20:56 And one of the things I see happening is customers are using generative AI to translate natural language into complex queries on the back end. So I believe most analysts can ask a question in natural language around what they're looking for. Tell me, show me all the critical vulnerabilities across my estate that have, you know, potential access to the internet. Well, that may involve three or four sources joining together and running a pretty complex query. But on the back end, if the LLMs can translate that to the most efficient and optimized query, the customer gets those results without having to know a query language
Starting point is 00:21:36 or understand the format and schema of the data. So that's certainly one use case. The second one is around summarization, where, okay, I've got these results, but I really don't know what they mean to me. And we've seen a lot of examples of, and we've done this ourselves within one of my portfolio products called Amazon Detective, where we take these findings that are correlated and grouped together, and we run a trained model against them, and we provide human readable summarizations around what the customer should know about this particular set of findings
Starting point is 00:22:14 and should they be worried about it. And then the third one is kind of getting more into the response side, where you can actually write the configuration changes or patch the OS-level vulnerabilities and just reduce the friction customers have to reducing their risks in their estate. So it's, again, still early days, but these use cases are starting to come to fruition through the vendor community and through efforts of us and customers themselves. Well, Mark, you've managed to hit the cybersecurity podcast bingo. We've talked about data lakes and machine learning, AI stuff. So congratulations, sir.
Starting point is 00:22:51 You were the winner of this episode of bingo. Thanks for coming on the show and talking to us about this. I really appreciate it. That was Mark Terenzoni, the Director of Investigations and Response at AWS. That's Mark Terenzoni from AWS speaking with our own Rick Howard. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity.
Starting point is 00:23:28 That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And finally, Ukrainian officials have unveiled what they claim is a groundbreaking initiative in its communication strategy by introducing an AI-generated spokesperson named Victoria Shi.
Starting point is 00:24:19 This digital spokesperson, a first of its kind in diplomatic circles, will deliver official statements on behalf of the Ukrainian Foreign Ministry. Although the AI will handle the presentation, the content of the statements will still be crafted and verified by human diplomats. Foreign Minister Dmytro Kuleba emphasized that this initiative represents a significant technological advancement, noting, with a straight face, that it's a move no other He highlighted the practical benefits of this innovation, explaining that the main motivation behind adopting an AI spokesperson was to conserve time and resources for the ministry's diplomats.
Starting point is 00:25:06 Visually and vocally, the digital spokesperson is modeled after Rosalie Nombre, a singer and former contestant on the Ukrainian version of the reality show The Bachelor. She participated in this project without charge, and the ministry has clarified that Nombre and Shi are distinct entities, with only the AI figure designated to give official statements. To mitigate the risk of misinformation, the foreign ministry will accompany Shi's statements with a QR code. This code will link directly to text versions of the statements on the ministry's official website, ensuring authenticity and transparency. What could possibly go wrong with an AI spokesperson?
Starting point is 00:25:51 Famous last words. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
Starting point is 00:26:37 We're privileged that N2K CyberWire is part of the daily routine of many of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at N2K.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music and sound design
Starting point is 00:27:10 by Elliot Peltzman. Our executive producer is Jennifer Iben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpie is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Starting point is 00:28:06 Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
