CyberWire Daily - DOGE days numbered?
Episode Date: February 5, 2025

The DOGE team faces growing backlash. The Five Eyes release guidance on protecting edge devices. A critical macOS kernel vulnerability allows privilege escalation, memory corruption, and kernel code execution. Google and Mozilla release security updates for Chrome and Firefox. Multiple Veeam backup products are vulnerable to man-in-the-middle attacks. Zyxel suggests you replace those outdated routers. A former Google engineer faces multiple charges for alleged corporate espionage. CISA issues nine new advisories for ICS vulnerabilities. A House Republican introduces a cybersecurity workforce scholarship bill. On our CertByte segment, a look at ISC2's CISSP exam. Google updates its stance on AI weapons.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CertByte Segment

Welcome to CertByte! On this bi-weekly segment hosted by Chris Hare, Chris is joined this week by Steven Burnley to break down a question targeting ISC2®'s CISSP (Certified Information Systems Security Professional) exam. Today's question comes from N2K's ISC2® CISSP - Certified Information Systems Security Professional Practice Test. Have a question that you'd like to see covered? Email us at certbyte@n2k.com. If you're studying for a certification exam, check out N2K's full exam prep library of certification practice tests, practice labs, and training courses by visiting our website at n2k.com/certify. Please note: The questions and answers provided here, and on our site, are not actual current or prior questions and answers from these certification publishers or providers.

Selected Reading

Federal Workers Sue to Disconnect DOGE Server (WIRED)
Treasury says DOGE review has 'read-only' access to federal payments system (The Record)
'Things Are Going to Get Intense:' How a Musk Ally Plans to Push AI on the Government (404 Media)
Cybersecurity, government experts are aghast at security failures in DOGE takeover (CyberScoop)
Five Eyes Launch Guidance to Improve Edge Device Security (Infosecurity Magazine)
Apple's MacOS Kernel Vulnerability Let Attackers Escalate Privileges - PoC Released (Cyber Security News)
Chrome 133, Firefox 135 Patch High-Severity Vulnerabilities (SecurityWeek)
Critical Veeam Vulnerability (CVE-2025-23114) Exposes Backup Servers to Remote Code Execution (SOCRadar)
Router maker Zyxel tells customers to replace vulnerable hardware exploited by hackers (TechCrunch)
US cranks up espionage charges against ex-Googler accused of trade secrets heist (The Register)
CISA Releases Nine Advisories Detailing vulnerabilities and Exploits Surrounding ICS (Cyber Security News)
CISA hires former DHS CIO into top cyber position (Federal News Network)
Proposal for federal cyber scholarship, with service requirement, returns in House (The Record)
Google drops pledge not to use AI for weapons or surveillance (Washington Post)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network powered by N2K.
Hey everybody, Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try
DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started
removing my personal information from hundreds of data brokers. I finally have peace of mind,
knowing my data privacy is protected. DeleteMe's team does all the work for you, with detailed
reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to JoinDeleteMe.com/n2k and use promo code n2k at checkout. The only way to
get 20% off is to go to JoinDeleteMe.com/n2k and enter code n2k
at checkout. That's JoinDeleteMe.com/n2k, code n2k.
The DOGE team faces growing backlash.
The Five Eyes release guidance on protecting edge devices.
A critical macOS kernel vulnerability allows privilege escalation, memory corruption, and
kernel code execution.
Google and Mozilla release security updates for Chrome and Firefox.
Multiple Veeam backup products are vulnerable to man-in-the-middle attacks.
Zyxel suggests you replace those outdated routers.
A former Google engineer faces multiple charges for alleged corporate espionage.
CISA issues nine new advisories for ICS vulnerabilities.
A House Republican introduces a cybersecurity workforce scholarship bill.
On our CertByte segment, a look at ISC2's CISSP exam and Google updates its stance on
AI weapons. It's Wednesday, February 5, 2025.
I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today.
It is great as always to have you with us.
Elon Musk and his advisory team, the Department of Government Efficiency, DOGE, are facing
growing backlash over their efforts to dismantle federal agencies.
Cybersecurity experts, government officials, and Democrats warn that their actions could
compromise national security, expose federal employees' data, and violate federal laws.
Key concerns center around DOGE's reported access to critical federal systems, including
the Treasury's payment
system, which processes Social Security payments and federal salaries.
Additionally, at the Office of Personnel Management, which stores sensitive employee records, Musk
allegedly installed an unvetted private server, raising fears of a repeat of the 2015 OPM
hack by Chinese hackers.
The White House insists DOGE's access is read-only, but reports suggest a former Musk employee
was given administrative privileges.
Senator Elizabeth Warren has demanded answers from Treasury Secretary Scott Bessent, emphasizing
that these systems handle over $ trillion dollars in annual transactions.
Security experts argue that Musk's actions violate federal cybersecurity laws, including
FISMA, and create risks for foreign adversaries to exploit. The lack of oversight and independent
logging makes it impossible to verify what information has been accessed or altered.
House Democrats warn that the new email system at OPM could enable phishing attacks targeting
federal workers.
Legal experts stress that granting unauthorized access to federal systems is a felony, and
federal employees resisting these changes are reportedly being fired or placed on leave.
Critics liken the situation to a precarious Jenga Tower, where reckless interference could
trigger a catastrophic failure of government operations.
The UK's National Cyber Security Centre and its Five Eyes partners have released new guidance
to improve the security of edge devices.
These include routers, network attached storage,
IoT devices, and perimeter security solutions,
all frequent targets of cyber attacks.
The document sets baseline security standards
for manufacturers and provides best practices
for customers selecting network hardware.
It emphasizes logging and forensic capabilities,
ensuring devices can detect and investigate threats effectively.
Edge devices face growing threats from both financially motivated hackers and state-sponsored actors.
A 2024 report found vulnerabilities in these devices increased 22% with higher severity ratings.
Recent zero-day exploits, such as those targeting Ivanti and FortiGate products, highlight the
risks.
A critical macOS kernel vulnerability allows privilege escalation, memory corruption, and
kernel code execution.
Discovered by MIT CSAIL researcher Joseph Ravichandran, the flaw affects macOS Sonoma, Sequoia, and iPadOS.
The issue stems from a race condition in Apple's XNU kernel involving safe memory reclamation,
read-only page mapping, and unsafe use of memcpy.
Improper synchronization enables unauthorized credential
modification. Ravichandran released a proof-of-concept exploit demonstrating
the flaw. Apple has not yet patched it, so users should avoid untrusted code. The
researcher recommends using atomic writes to fix the issue. Google and Mozilla
have released security updates for Chrome and Firefox, addressing
multiple high-severity memory safety vulnerabilities.
Chrome 133 includes 12 security fixes, with three reported by external researchers.
Two critical use-after-free flaws affect the Skia graphics library and V8 JavaScript
engine, potentially enabling
code execution or sandbox escapes.
Google awarded $7,000 for one bug and $2,000 for another.
Firefox 135 patches multiple vulnerabilities, including two high-severity use-after-free
bugs affecting the Custom Highlight API and XSLT. Additional fixes addressed code
execution risks in Firefox ESR and Thunderbird. No active exploitation has been reported,
but users should update their browsers immediately.
A critical vulnerability in multiple Veeam backup products allows attackers to execute remote code via
man-in-the-middle attacks.
With a CVSS score of 9.0, this flaw in the Veeam updater component can lead to full system
compromise including data theft and ransomware attacks.
Affected products include Veeam Backup for Salesforce, AWS, Azure, Google Cloud, and others.
Veeam has released urgent patches, and users should update immediately to mitigate risks.
Attackers can intercept and manipulate update requests, injecting malicious code.
Zyxel has announced it will not release patches for two actively exploited vulnerabilities
affecting its end-of-life routers, despite warnings from security researchers.
Threat intelligence firm GreyNoise reported that attackers are using these flaws to execute
arbitrary commands, leading to full system compromise.
The vulnerabilities were discovered by VulnCheck in mid-2023 but remained unpatched.
Zyxel claims it was unaware until January 29th after GreyNoise reported active exploitation.
The company advises customers to replace affected routers instead of expecting fixes.
Security researchers argue that many impacted devices remain in use and even available for
purchase online.
Censys reports nearly 1,500 vulnerable routers exposed to the Internet, and GreyNoise warns
botnets like Mirai are exploiting the flaws in large-scale attacks.
Former Google engineer Linwei Ding faces multiple charges for allegedly stealing AI trade secrets
for a Chinese company.
Prosecutors say Ding copied over 1,000 confidential files related to Google's AI supercomputing
infrastructure between 2022 and 2023.
He allegedly transferred this data using Apple Notes to bypass security measures.
Ding was later offered a CTO position at Beijing Rongshu Longzhi Technology while still employed
at Google.
After leaving Rongshu, he founded a Chinese AI startup which sought government funding
to develop AI infrastructure.
Google detected the theft in December of 2023, revoked Ding's
access and notified authorities. He was arrested in March of 2024. If convicted, he faces up
to 15 years per economic espionage charge and 10 years per trade secret theft count,
plus millions in fines.
CISA has issued nine new advisories highlighting critical vulnerabilities in industrial control systems.
These flaws impact major vendors like Rockwell Automation, Schneider Electric, and Automation Direct,
posing risks to energy, manufacturing, and transportation sectors.
Key vulnerabilities include remote code execution, denial of service attacks,
and unauthorized access, with CVSS scores reaching 9.3. Affected devices range from
routers and PLCs to industrial software. Some vendors have issued patches, while others
recommend network segmentation or device replacement. GreyNoise reports botnets actively exploiting certain vulnerabilities, emphasizing the urgency
of mitigation.
CISA urges organizations to apply updates immediately to protect critical infrastructure
from cyber threats.
Additionally, former DHS and Energy Department cyber executive Karen Evans has joined CISA as a senior advisor
for cybersecurity.
While her role is currently advisory, sources suggest she may be named Executive Assistant
Director for Cybersecurity or move into a top DHS position.
Evans previously served as DHS CIO and led cybersecurity efforts at the Department of Energy.
Since leaving government in 2020, she worked in the private sector and co-led a national
study on CISA's cybersecurity workforce role.
Her return comes as agencies combat Chinese-backed cyber threats like Volt Typhoon.
Meanwhile, CISA's future under the Trump administration remains uncertain, with Homeland
Security Secretary Kristi Noem advocating for a smaller, more nimble agency and criticizing
its involvement in countering misinformation during elections.
Key cybersecurity leadership roles in the administration remain unfilled.
House Homeland Security Committee Chairman Mark Green, a Republican from Tennessee, is
reintroducing the PIVOTT Act, a bill aimed at addressing the U.S. cyber workforce shortage
by creating an ROTC-like scholarship for two-year cybersecurity degrees.
The legislation, which previously had unanimous committee support, stalled last
session but remains a priority due to growing cyber threats, particularly from Chinese-backed
hacking groups like Volt Typhoon. Under the bill, students at community colleges and technical
schools would receive scholarships in exchange for two years of government cyber service at any level.
The program, managed by CISA, also seeks to expedite security clearances and place 10,000
new cyber professionals in the workforce.
Despite internal Republican debates over CISA's role, Green argues the agency is critical
to national cybersecurity and workforce development efforts.
Coming up after the break on our CertByte segment, a look at ISC2's CISSP exam, and
Google updates its stance on AI weapons.
Stay with us. Cyberthreats are evolving every second, and staying ahead is more than just a challenge,
it's a necessity. That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a
full suite of solutions designed to give you total control, stopping unauthorized
applications, securing sensitive data, and ensuring your organization runs
smoothly and securely.
Visit threatlocker.com today to see how a default deny approach can keep your company
safe and compliant.
Do you know the status of your compliance controls right now?
Like right now.
We know that real-time visibility is critical for security, but when it comes to our GRC
programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta.
Here's the gist, Vanta brings automation
to evidence collection across 30 frameworks
like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires
done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
Up next, it's our CertByte segment.
N2K's Chris Hare is joined by Stephen Burnley to break down a question from N2K's ISC2
CISSP practice test.
Hi, everyone. it's Chris.
I'm a content developer and project management specialist here at N2K Networks.
I'm also your host for this week's edition of CertByte, where I share a practice test
question from our suite of industry-leading content and a study tip to help you achieve
the professional certifications you need to fast track your career growth
in IT, cybersecurity, and project management.
Today's question targets the ISC2 CISSP
Certified Information Systems Security Professional Exam,
which was recently updated on April 15th, 2024.
This exam is targeted for experienced
security practitioners, executives, and managers who
want to prove their knowledge across a variety of security practices and principles.
The ISC2 asserts that the CISSP is the world's premier cybersecurity certification.
So I have enlisted Stephen once again to join us, who is our resident ISC2 expert.
So it's very apropos that he's here today.
Welcome, Stephen. How are you?
I'm doing great, Chris. How are you?
I'm doing well, thank you for asking. So what do you think about
the CISSP being touted as the world's premier cybersecurity certification as I mentioned?
Well I think a title like that is well deserved for the CISSP. It has been the premier cybersecurity
certification before we started talking about cybersecurity on a daily basis
and they have earned their reputation as sort of the capstone of any cybersecurity
professionals certification journey.
Oh nice. So Stephen, you are going to be asking me today's question. But while I muster up some moxie, I understand you have a 10-second study bit for us.
So what do you have?
Well, I always recommend to students that in a broad topic exam like this,
it's really comprehensive that you study the parts of the exam that scare you.
You know, sometimes we gravitate towards the material we're familiar with, but I like the phrase,
the obstacle is the path.
So if it scares you, read more.
For example, they've added an exam objective
related to DevSecOps for software development security.
Might not be in the wheelhouse or experience
from a lot of people traditionally,
but still builds awareness of the topic.
So cover every objective in the outline when you're studying.
I like that.
Study what scares you.
All right.
Hit me with today's question.
All right.
Now this is a scenario question.
So let's go through it.
It says, you are your organization's security
administrator, and you're reviewing the audit results
to assess if your organization's security baselines are maintained.
In which phase of the security management lifecycle are you engaged?
Now, it is multiple choice, so let me read you your four choices.
Plan and organize, implement, operate and maintain, or monitor and evaluate.
Okay, Stephen.
So, this is from the evaluate and apply organizational processes and organizational roles and responsibilities
under the objective of evaluate and apply security governance principles, correct?
Exactly.
All right.
So, I've got one correct so far.
So, this is one of those step one, step two, step three sequential type questions where
there is a precedence relationship, meaning there is a specific order of operations involved.
I'm not at all network security proficient.
Surprise, surprise.
So I'm going to use some contextual logic here to answer this question.
But first I have to ask, as this seems to be a set of steps that are part of the security
management life cycle, are all of the answer choices inclusive of all of the steps that
are part of this cycle?
This one, no.
Okay.
So if the student has these steps memorized, this should help narrow down the focus of
their options a bit.
Now I'm going to hone in on the verbs used,
which should help me clue into the proper answer selection.
It says, reviewing the audit results to assess.
The words review and assess.
If I just pull those two verbs out,
I can see how they map to each of your answers.
Do I feel that plan and organize map to review and assess?
Well, plan and organize sound like initial steps one would take,
so I'm going to rule that one out.
Next, implement.
This doesn't quite map to the act of reviewing and assessing,
which sound more post implementation,
so strike that one out also.
Next, operate and maintain.
Since the question refers to maintained in the past tense, this doesn't track well either,
so I'm going to pass on that one.
Lastly, monitor and evaluate.
These terms seem to fit well as monitor can be synonymous with review and evaluate is
synonymous with assess.
So I'm going to go with D, monitor and evaluate.
Very nice work. That is the correct answer, D.
And you are engaged in that monitor and evaluate
phase of the security management lifecycle. And this phase could include
things like review logs, audit results, metrics, and
service level agreements,
assess team accomplishments, complete quarterly steering committee meetings,
develop improved steps for integration into plan and organize phase,
and review audits is not part of any other phases.
Okay. So, Stephen, do you have any other advice about how a student can study for this question?
Well, one of the things that I like listening to your breakdown is that you were paying
very close attention to verb tense, like the difference between maintain and maintained.
And when you're looking at these procedural questions like that, you are exactly on the
right track.
Those are pro test taking skills there.
Excellent. Well, another good question. Appreciate your being here today, Stephen.
Thank you very much for having me.
Sure. Are there any upcoming ISC2 or other practice tests you'd
like to promote here?
Yes, actually, we have an update coming to the CISSP exam in early 2025,
and in addition to that we did just update the framework
for the Cisco Certified Network Associate,
or CCNA exam this past September.
And we also have a ton more coming
in Microsoft, CompTIA, and Amazon exam updates.
So keep out on the lookout for those on our website.
All right, looking forward to those.
Thanks so much, Stephen.
Thank you.
And thank you for joining me for this week's CertByte.
If you're actively studying for this certification
and have any questions about study tips
or even future certification questions you'd like to see,
please feel free to email me at certbyte at n2k.com.
That's C-E-R-T-B-Y-T-E at n2k.com.
If you'd like to learn more about N2K's practice tests, visit our website at n2k.com forward
slash certify.
For more resources, including N2K Pro offerings, check out the cyberwire.com forward slash
pro.
For sources and citations for this question, please check out our show notes.
Happy certifying!
That's N2K's Chris Hare joined by Stephen Burnley.
We'll have a link to N2K's ISC2 CISSP practice test in the show notes.
And now a message from our sponsor Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars
on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase
in ransomware attacks and a $75 million record payout in 2024. These traditional security
tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than
ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps
and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not
the entire network, continuously verifying every request based on identity and context.
Simplifying security management with AI-powered automation.
And detecting threats using AI to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
Like so worried about my sister.
You're engaged.
You cannot marry a murderer.
I was sick, but I am healing.
Returning to W network and stack TV.
If you're not killing these people, then who is?
That's what I want to know.
Starring Kaylee Cuoco and Chris Messina.
The only investigating I'm doing these days is who shit their pants.
Killer messaged you yesterday?
This is so dangerous. I gotta get out of this.
Based on a true story.
New season Mondays at 9 Eastern and Pacific.
Only on W. Stream on StacTV.
And finally, our Terms and Conditions desk
points out that Google just quietly updated its AI ethics
playbook, deleting its previous pledge not to use AI
for weapons or surveillance.
Because, you know, times change, and so do corporate priorities.
The company says the update reflects a new geopolitical reality,
where democratic nations should lead in AI development.
Gone are the days when Google employees protested Pentagon contracts. Now Google joins OpenAI, Microsoft, and Amazon
in cozying up to defense agencies.
The move follows rising US-China tensions over AI dominance,
with Google aligning itself with national security interests.
Critics see this as yet another example of tech giants quietly
ditching their past moral stances. But Google insists it's still all about human rights, just with more government
contracts on the side.
As for past promises, well, those seem to have been lost somewhere between government
funding and geopolitical tension.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at the cyberwire.com.
We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show,
please share a rating and review in your favorite podcast app. Please also fill out the survey and
the show notes or send an email to cyberwire at n2k.com.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with original music and sound design by Elliot Pelsman.
Our executive producer is Jennifer Iben.
Peter Kilpey is our publisher and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.