CyberWire Daily - Confidential or compromised?
Episode Date: August 12, 2024
The Trump campaign claims its email systems were breached by Iranian hackers. A Nashville man is arrested as part of an alleged North Korean IT worker hiring scam. At Defcon, researchers reveal significant vulnerabilities in Google’s Quick Share. Ransomware attacks hit an Australian gold mining company as well as multiple U.S. local governments. GPS spoofing is a matter of time. Cisco readies another round of layoffs. Nearly 2.7 billion records of personal information for people in the United States have been shared on a hacking forum. Our own Rick Howard speaks with Mark Ryland, Director of Amazon Security, about formal verification. A hacker hacks the hackers.
CyberWire Guest
On today’s guest slot, N2K’s CSO Rick Howard speaks with Mark Ryland, Director of Amazon Security at AWS, about formal verification, which is logical proofs about correctness of systems. Rick and Mark caught up at AWS re:Inforce 2024.
Selected Reading
Experts warn of election disruptions after Trump says campaign was hacked (Washington Post)
Nashville man arrested for running “laptop farm” to get jobs for North Koreans (Ars Technica)
Google Patches Critical Vulnerabilities in Quick Share After Researchers' Warning (Hackread)
Australian gold mining company Evolution Mining announces ransomware attack (The Record)
GPS spoofers 'hack time' on commercial airlines, researchers say (Reuters)
Exclusive: Cisco to lay off thousands more in second job cut this year (Reuters)
Hackers leak 2.7 billion data records with Social Security numbers (Bleeping Computer)
Local gov’ts in Texas, Florida hit with ransomware as cyber leaders question best path forward (The Record)
Simple Coding Errors Lead to Major Ransomware Takedown (Cybersecurity News)
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
The Trump campaign claims its email systems were breached by Iranian hackers.
A Nashville man is arrested as part of an alleged North Korean IT worker hiring scam.
At DEF CON, researchers reveal significant vulnerabilities in Google's QuickShare.
Ransomware hits an Australian gold mining company as well as multiple U.S. local governments.
GPS spoofing is a matter of time.
Cisco readies another round of layoffs.
Nearly 2.7 billion records of personal information for people in the U.S. have been shared on a
hacking forum. Our own Rick Howard speaks with Mark Ryland, director of Amazon security at AWS,
about formal verification. And a hacker hacks the hackers.
It's Monday, August 12th, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Thanks for joining us here today. It is great to have you with us.
Concerns about foreign interference in the U.S. presidential election resurfaced after the Trump campaign claimed its email systems were breached by Iranian hackers.
The breach was reportedly tied to the release of a confidential internal document
about vice presidential candidate J.D. Vance.
News outlets received the document from an anonymous sender named Robert,
raising alarms about potential foreign meddling. The Trump campaign linked the incident to a recent
Microsoft report that identified Iranian hacking attempts targeting a high-ranking official in a
U.S. presidential campaign. While Microsoft didn't explicitly name the campaign, sources indicated it was likely Trump's.
Despite these claims, no official evidence has confirmed the breach or Iranian involvement.
Democratic Representatives Eric Swalwell and Adam Schiff have called for the declassification of any information related to foreign interference.
They stress the importance of a swift response to prevent a
repeat of the 2016 election's Russian interference. Meanwhile, Trump took to his platform, Truth
Social, to accuse Iran of hacking one of his campaign websites, although he admitted that
only publicly available information was accessed. Security experts remain concerned about the
broader implications,
fearing additional leaks and the potential for disinformation campaigns similar to those seen
in 2016. The situation underscores the ongoing challenges in securing U.S. elections against
foreign influence as the country approaches another contentious election cycle.
Federal authorities arrested Matthew Isaac Knoot,
a Nashville man, for allegedly facilitating a scheme that deceived U.S. companies into hiring North Korean IT workers using stolen identities. These workers, posing as U.S. citizens, funneled
income to fund North Korea's weapons program. Prosecutors revealed that Knoot hosted laptops at his residences,
allowing the North Koreans to access U.S. company networks remotely,
making it appear they were working domestically.
Knoot profited from this scheme by charging fees for hosting the laptops and a cut of the salaries.
The operation generated over $250,000 between July 2022
and August of 2023. The arrest follows a broader federal crackdown on similar schemes,
including a recent case in Arizona. Knoot now faces multiple charges, including wire fraud
and identity theft, which could lead to a 20-year prison sentence if convicted.
At DEF CON, researchers Or Yair and Shmuel Cohen from SafeBreach
revealed significant vulnerabilities in Google's QuickShare,
a peer-to-peer file transfer utility for Android, Windows, and Chrome OS.
QuickShare uses various protocols like Bluetooth and Wi-Fi Direct,
but these were not originally designed for file transfers. The researchers identified
10 vulnerabilities, including a critical remote code execution flaw on Windows systems
that they've dubbed QuickShell. This RCE exploit combines five of the vulnerabilities,
allowing attackers to bypass
security controls and take full control of target devices. The flaws also enable attackers to force
file downloads and hijack Wi-Fi connections. Google has acknowledged the seriousness of these issues,
assigning CVEs to two of the vulnerabilities.
Evolution Mining, an Australian gold mining company,
disclosed a ransomware attack on its IT systems discovered on August 8.
The company, operating in Australia and Canada,
reported the incident to the Australian Stock Exchange,
stating that it has been contained with the help of external cyber forensics experts.
No details were provided about the ransomware group involved or any potential extortion payment.
Evolution Mining assured that the attack won't materially impact operations and that it has been reported to the Australian Cyber Security Centre.
Meanwhile, this week multiple U.S. local governments faced ransomware
attacks, including Killeen, Texas, and Sumter County, Florida, as senior U.S. cyber officials
grappled with the growing threat. Killeen, with nearly 160,000 residents, was targeted by the
BlackSuit ransomware gang, disrupting utility payments and other services. In response, the city
worked with state authorities to contain the breach and restore systems, urging residents to monitor
their financial accounts. Meanwhile, Sumter County's Sheriff's Office also experienced a ransomware
attack, impacting access to certain records. These incidents are part of a broader surge in ransomware attacks
affecting governments and healthcare institutions. At the DEF CON Cybersecurity Conference,
senior officials, including Anne Neuberger from the White House, discussed the challenges of
combating ransomware. They highlighted the difficulty in addressing the issue,
particularly due to the lack of international cooperation, especially with Russia.
Efforts to improve responses include promoting better backup practices,
offering free cybersecurity programs, and enhancing international collaboration.
Cybersecurity researchers have uncovered a disturbing trend in GPS spoofing attacks,
which have recently surged by 400%, particularly around
conflict zones. Traditionally, GPS spoofing misleads aircraft about their location,
but a new dimension has emerged, the ability to hack time. Ken Munro, founder of Pen Test Partners,
explained during a DEF CON presentation that GPS isn't just about
positioning, it's also a critical source of time for aircraft systems. Munro described a recent
incident where a major airline's onboard clocks were manipulated, suddenly advancing by years,
which caused the plane to lose access to its encrypted communication systems.
This forced the aircraft
to be grounded for weeks while engineers manually reset its systems. Although these attacks aren't
likely to cause crashes, they create confusion that could lead to more serious problems.
Reuters reports that Cisco is set to announce a second round of layoffs this year,
potentially affecting over 4,000 employees, as it shifts focus to higher growth areas like cybersecurity and AI.
This follows similar cuts in February, as the company grapples with sluggish demand and supply chain issues in its core networking equipment business.
Cisco recently completed a $28 billion acquisition of cybersecurity firm Splunk and has been investing heavily in AI. The layoffs are part of a broader trend in the tech
industry, with over 126,000 layoffs reported this year. A massive data breach has exposed nearly
2.7 billion records of personal information for people in the United States on a
hacking forum. The leaked data, allegedly sourced from National Public Data, includes names, Social
Security numbers, physical addresses, and possible aliases. National Public Data, known for compiling
user profiles for background checks, reportedly scraped this information from public sources.
The breach, initially linked to a threat actor named USDoD,
was ultimately leaked by another hacker, Fenice, on August 6th.
The unencrypted data consists of two text files totaling 277 gigabytes.
While it contains legitimate information for many individuals, some details
may be outdated or inaccurate. The breach has sparked multiple class action lawsuits against
National Public Data. Affected individuals are advised to monitor their credit reports for
fraudulent activity and be cautious of phishing attempts.
Coming up after the break, N2K's Rick Howard speaks with Mark Ryland,
Director of Amazon Security at AWS, about formal verification. Stay with us. Do you know the status of your compliance controls right now? Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI. Now that's a new way
to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000
off. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
AWS is a media partner here at N2K CyberWire. In June of 2024, Brandon Karpf, our VP of Programming,
Jen Eiben, our Executive Producer,
and I traveled to the great city of Philadelphia to attend the 2024 AWS re:Inforce security conference.
And I got to sit down with Mark Ryland,
a Director of Amazon Security,
and we got to talking about how
generative AI might help in tackling a classic computer science problem, formal software
verification. But actually, what I'm really excited about is combining two areas of computer
science. Obviously, neural networks and AI has been an exciting area, but we've also invested very heavily in an area
called formal verification, which is logical proofs about correctness of systems. And it turns
out that you can combine these technologies. You can write a formal model of correctness. For
example, I know formally what a valid and legitimate IAM policy should be. And now I can use that to filter the
outputs of my Gen AI system, which can conversationally help me write such a policy,
but I can make sure that hallucinations don't come in and make it so that the system happily
and proudly and with great assurance gives me a bad policy. So we're working to really,
and you'll hear more about that in the coming months,
but we're going to combine these technologies and allow our customers as well to be able to write
formal models about areas where they have experts who can build those and then kind of use that to
strengthen the protections and correctness around the Gen AI systems. Well, the two founding fathers
of cybersecurity back in the 70s, Bell and LaPadula, all right, they wrote the original paper that says, here's a formal definition of our system.
You can absolutely do that.
And then we spent the next 40 years trying to make that happen, and that's why you have vulnerability management and antivirus and all that.
the last section of their paper that said,
yes, you can formally describe the system,
but you cannot guarantee that you can deploy it correctly because everybody's going to screw it up in the deployment.
Are you saying then with the way we've advanced
that it's now possible to get better at those kinds of things?
I think we can definitely get better at that
because it turns out the formal verification scientists
who have, it's been a little bit of a niche over these decades.
Yeah, we've been applying it pretty broadly, but we believe now that you can actually, the Gen AI system could actually help write the formal models.
It sounds a little circular, but it helps humans achieve that goal.
And then once they're available and you have experts who say, yep, that represents
how the system ought to work, then we can use that to make sure that the systems work
as expected.
So, you know, there's still a lot of software out there that will never be formally verified,
but you can focus on things like the correctness of your cryptography, the correctness of your
access policies, the correctness of your network protocols.
For example, we formally verified the correctness of our TCP/IP stack in the FreeRTOS operating system. So this is a tiny, lightweight, open-source operating system
that runs on light switches and toasters and dozens and millions of things across the industry,
freely downloadable. We've added a bunch of security features to it. For example,
it's now, you can field update the operating system. It didn't used to be able to do that. Now the operating system has a little module
that can download a new copy of the operating system
and upgrade it in place.
But one of the things we did with formal verification
was to recognize that, hey, the typical attacks
in IoT environments are going to be due to network bugs.
And so we've done formal proofs of the correctness
of the TCP/IP stack,
which is a really important thing to get right.
So not a general purpose formal verification,
but we can formally verify specific things, right? Yeah, critical components. That's really the
approach we've taken and, you know, hopefully gradually expand out to everything else. But,
you know, start with the things that if something goes wrong, you're going to have more serious
problems and then work out from there. I want to bring you back around to generative AI. I know
that's a big responsibility you have now in your new role.
Generally, I think there's two kinds of problems that security vendors can help solve with this
kind of technology. One is the stuff we were kind of talking about, how do you configure your systems
to be correct? And that could really help us, you know, hey, you know, you left that
thing turned on when it should be off. So that seems like an easier do than this next thing that's also on the table,
which is look at data generally that's in the network
and then notice that there's a new bad guy in your system that you didn't know about before.
So is that a correct way to describe the problems?
I think that's correct, although a lot of what the second thing you talked about is
in some ways more traditional deep neural network type of technology.
For example, analyzing log files, we still deploy good old pre-generative AI, which is deep neural network technology, to look for anomalies.
Anomaly detection is super valuable.
And the bigger the data sets, the more sophisticated your model, the better you can find those anomalies and find that needle in the haystack that a human reviewer just wouldn't see.
But for me, I don't want more anomalies.
I've gotten enough anomalies in my SOC. I would like you to say, hey, Wicked Spider's in your network.
I would love to be able to see that.
I know that's years down the road, but I would love to see that.
Well, I think that's, yeah,
thanks for that.
And effectively,
you're making the correction,
which is anomalies, yeah,
there's all kinds of findings,
but the ones that are
super likely to be real
is what you want, right?
And minimize the false positives
and that, again,
we can use a combination of,
you know, traditional
deep neural networks.
Gen AI systems, to me,
primarily have to do
with user interface, user experience,
because they're really good at translating,
literally translating.
Like I have a colleague who is a Japanese employee
who says,
I don't write my weekly reports in English anymore
because the Gen AI system writes better English than I do.
So I write a really good report in Japanese.
And by the way,
those things write better English than I do.
Exactly.
So that's literal translation, but also translation of other kinds.
For example, I have a security analyst.
I don't have to teach them to write SQL or regexes or all these formal computerese things.
They can ask intelligent human questions, get really, really good answers because the tool can translate that into something that the machines currently understand.
And vice versa, if I get all these random findings coming out, the system can say, oh, wow, I can report that in a way that humans can comprehend.
I can help you write a report.
I can help you see the patterns that you wouldn't have seen otherwise in the, you know, generated output from, say, a deep neural network type of technology.
So at the interface of humans and machines, that's where the huge benefits we're seeing from the use of this technology. And that's really exciting. That was Mark Ryland, a director at Amazon
Security. You can find out more about AWS re:Inforce in our show notes.
And don't miss the latest episode of Rick Howard's CSO Perspectives podcast.
This week, he's tackling what does materiality mean exactly?
That's CSO Perspectives.
Check it out. with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker
is a full suite of solutions designed to give you total control, stopping unauthorized applications,
securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And finally, security researcher Vangelis Stykas, CTO of Atropos AI, managed to outsmart ransomware gangs, saving six companies from
major financial losses. Stykas discovered glaring vulnerabilities in the hackers' own systems,
thanks to simple coding blunders. His sleuthing allowed him to infiltrate these criminal networks,
providing two companies with decryption keys without paying a dime and alerting four
cryptocurrency firms before their files could be encrypted. Among the hacker mishaps, one ransomware
group, Everest, left a default password on their SQL databases. Another group, BlackCat, exposed
sensitive APIs, inadvertently revealing their IP addresses. Stykas even accessed the Mallox group's
admin chat, grabbing two decryption keys and unmasking several members. Despite his heroic
efforts, the companies involved haven't gone public with the incidents. While Stykas admits
that hacking the hackers isn't a universal solution, it's certainly a satisfying one
for those with the right resources.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast,
where I contribute to a regular segment on Jason and Brian's show every week. You can find Grumpy Old Geeks where all the fine podcasts are listed.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
We're privileged that N2K Cyber Wire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. Hester, with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilby is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here
tomorrow. where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.