CyberWire Daily - Don't mess with the NCA.
Episode Date: July 23, 2024

UK law enforcement relieves DigitalStress. Congress summons CrowdStrike's CEO to testify. FrostyGoop malware turned off the heat in Ukraine. EvilVideo is a zero-day exploit for Telegram. Daggerfly targets Hong Kong pro-democracy activists. Google has abandoned its plan to eliminate third-party cookies. The FCC settles with Tracfone Wireless over privacy and cybersecurity lapses. Wiz says no to Google and heads toward an IPO. N2K's Brandon Karpf speaks with guest Justin Fanelli, Acting CTO of the US Navy, about streamlining the fleet's innovation process. Target's in-store AI misses the mark.

Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
N2K's Brandon Karpf speaks with guest Justin Fanelli, Acting CTO of the US Navy, about the US Navy streamlining the innovation process. For some background, you can refer to this article.
Additional resources:
PEO Digital Innovation Adoption Kit
Atlantic Council's Commission on Defense Innovation Adoption
For industry looking to engage with PEO Digital: Industry Engagement

Selected Reading
Prolific DDoS Marketplace Shut Down by UK Law Enforcement (Infosecurity Magazine)
Congress Calls for Tech Outage Hearing to Grill CrowdStrike C.E.O. (The New York Times)
How Russia-Linked Malware Cut Heat to 600 Ukrainian Buildings in Deep Winter (WIRED)
Telegram zero-day for Android allowed malicious files to masquerade as videos (The Record)
Chinese Cyberespionage Group Expands Malware Arsenal (GovInfo Security)
Google rolls back decision to kill third-party cookies in Chrome (Bleeping Computer)
FCC, Tracfone Wireless reach $16M cyber and privacy settlement (CyberScoop)
Wiz rejects Google's $23 billion takeover in favor of IPO (The Verge)
Target Employees Hate Its New AI Chatbot (Forbes)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me.
I have to say, Delete.me is a game changer. Within days of signing up, they started removing my
personal information from hundreds of data brokers. I finally have peace of mind knowing
my data privacy is protected. Delete.me's team does all the work for you with detailed reports
so you know exactly what's been done. Take control of your data and keep your private life Thank you. JoinDeleteMe.com slash N2K and use promo code N2K at checkout.
The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout.
That's JoinDeleteMe.com slash N2K, code N2K.
FrostyGoop malware turned off the heat in Ukraine. EvilVideo is a zero-day exploit for Telegram.
Daggerfly targets Hong Kong pro-democracy activists.
Google has abandoned its plan to eliminate third-party cookies.
The FCC settles with Tracfone Wireless over privacy and cybersecurity lapses.
Wiz says no to Google and heads toward an IPO.
N2K's Brandon Karpf speaks with our guest Justin Fanelli,
acting CTO of the U.S. Navy,
about streamlining the fleet's innovation process.
And Target's in-store AI misses the mark. It's July 23rd, 2024.
I'm Dave Bittner, and this is your CyberWire Intel briefing.
Thank you for once again joining us here today.
It is great to have you with us.
UK law enforcement agencies have taken down Digital Stress,
a prominent underground marketplace for distributed denial-of-service services.
The National Crime Agency and the Police Service of Northern Ireland disabled the site on July 2nd and replaced its domain with a warning page.
This takedown followed the arrest of a suspected site controller, Skiop, in early July in a joint
operation with the FBI. Digital stress allowed users to order DDoS attacks easily, contributing
to tens of thousands of attacks weekly. The NCA infiltrated the site's communications channels,
leading to its shutdown. Deputy Director Paul Foster emphasized that the operation demonstrates
that online criminals have no guarantee of anonymity. The NCA will now analyze collected user data
and share information about international users with global law enforcement agencies.
A congressional committee has summoned CrowdStrike's CEO to testify about last week's tech outage
caused by a faulty security update which disrupted global operations.
The update affected millions of Microsoft Windows devices,
impacting airlines, hospitals, and many other organizations.
Representatives Mark Green and Andrew Garbarino
emphasized the need for transparency on the incident and mitigation steps.
The letter to CEO George Kurtz requested a response to schedule the hearing.
CrowdStrike confirmed ongoing communication with congressional committees. While Kurtz emphasized
that it was not a cyber attack, lawmakers stressed the importance of learning from this event to
protect critical infrastructure from future threats. Russia has used both digital and physical attacks against Ukraine,
particularly targeting heating infrastructure during winter.
This past January, Russia-based hackers used a new malware, FrostyGoop,
to disrupt a heating utility in Lviv, Ukraine,
leaving 600 buildings without heat for 48 hours during freezing temperatures.
Cybersecurity firm Dragos discovered this malware,
which manipulates temperature readings to trick control systems.
The attack highlights a new tactic of directly sabotaging utilities.
FrostyGoop sends commands via the insecure Modbus protocol to industrial control systems.
Although Dragos hasn't linked this to a specific hacker group,
the incident is part of Russia's broader strategy to destabilize Ukraine.
The attack underscores the vulnerability of industrial control systems
and the psychological impact of such cyber warfare on civilian resilience.
Researchers have found a zero-day exploit for the Telegram app on Android,
dubbed EvilVideo by ESET,
which allowed attackers to send malicious payloads disguised as legitimate files.
Telegram fixed this bug in versions 10.14.5 and above after ESET reported it.
The exploit was potentially usable for about five weeks before the patch,
though it's unclear if it was used in the wild.
Discovered on an underground forum in early June,
the exploit was sold by a user named Ancryno,
who demonstrated it with screenshots and video.
The vulnerability exploited Telegram's automatic media download setting,
making malicious payloads appear as multimedia files.
Even with auto-download disabled,
users could still be tricked into downloading the malicious app
disguised as an external video player.
The patched Telegram version now correctly identifies
such malicious files as applications.
It remains unknown which hacker groups showed interest or how effective the exploit was.
The forum account also advertised undetectable Android crypto mining malware.
Security researchers at Symantec have linked a series of 2021 backdoor attacks on Hong Kong pro-democracy activists to the Chinese
cyber espionage group Daggerfly. This group, also known as Evasive Panda and Bronze Highland,
has retooled its arsenal, including the MACMA backdoor targeting iPhone and macOS devices.
MACMA was distributed via watering hole attacks on a Hong Kong media outlet and a
pro-democracy group. Despite police crackdowns, smaller-scale protests continued in 2021.
Daggerfly's new MACMA iterations feature enhanced screen capture and file system listing capabilities.
Symantec connected MACMA to Daggerfly by identifying overlaps with the
MGBot malware framework. Daggerfly also attacked a telecommunications organization in Africa in
2023 and is deploying a new Windows backdoor. Google has abandoned its plans to eliminate
third-party cookies in Chrome and will instead offer users more control over these cookies.
Third-party cookies, which track users across different sites, are seen as privacy risks.
GDPR requires user consent for these cookies.
Mozilla Firefox and Apple Safari have already blocked them by default,
with Google initially planning to follow suit.
Google aimed to replace third-party cookies with Privacy Sandbox,
a more anonymous tracking method.
However, adoption has been slow, and many platforms remain in beta testing.
Due to the significant impact on advertisers and publishers,
Google will now introduce a Chrome feature allowing users to limit third-party cookies
instead of phasing them out entirely.
Anthony Chavez, VP of Privacy Sandbox, announced that this new approach
will let users make informed choices about third-party cookies.
Privacy advocates like the EFF criticize Google for prioritizing profits over privacy.
The EFF suggests using tools like Privacy Badger and uBlock Origin to block trackers.
The FCC has reached a $16 million settlement with Tracfone Wireless over privacy and
cybersecurity lapses. This marks the first FCC settlement requiring specific conditions to secure APIs.
The settlement stems from three data breaches exploiting API vulnerabilities between January of 2021 and January 2023, exposing sensitive customer data.
Loyaan Egal, chief of the FCC Enforcement Bureau,
emphasized the importance of API security for carriers.
Verizon-owned Tracfone did not comment on the settlement,
which also mandates securing API vulnerabilities per industry standards,
undergoing external security assessments,
and personnel training on privacy and security. The breaches involved unauthorized access to customer proprietary network information, including call details.
This settlement follows a $200 million fine against major carriers for illegal data sharing
in April. The FCC stresses the need for carriers to protect customer information
as per Section 222 of the Communications Act.
Cybersecurity startup Wiz rejected a $23 billion takeover bid from Google's parent company, Alphabet, opting instead for an IPO.
Co-founder Assaf Rappaport stated in an internal memo that Wiz will focus on reaching $1 billion in annual recurring revenue and proceeding with the IPO.
The proposed acquisition would have doubled Wiz's $12 billion valuation from May after raising $1 billion in funding.
Wiz provides cloud-based security solutions for enterprises, making it a valuable asset for Google in competing with Microsoft and Amazon.
Antitrust concerns and investor apprehensions contributed to Wiz's decision to abandon the deal. The Justice Department has ongoing antitrust lawsuits against Google,
which has previously acquired cybersecurity firms Siemplify and Mandiant
for $500 million and $5.4 billion, respectively.
Coming up after the break, N2K's Brandon Karpf speaks with our guest Justin Finelli,
acting CTO of the U.S. Navy, about streamlining the fleet's innovation process.
Stay with us.
Transat presents a couple trying to beat the winter blues.
We could try hot yoga.
Too sweaty.
We could go skating.
Too icy.
We could book a vacation.
Like somewhere hot.
Yeah, with pools.
And a spa.
And endless snacks.
Yes!
Yes!
Yes!
With savings of up to 40% on Transat South packages, it's easy to say, so long to winter.
Visit Transat.com or contact your Marlin travel professional for details.
Conditions apply.
Air Transat. Travel moves us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation
to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize
key workflows like policies, access reviews, and reporting, and helps you get security
questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
The CyberWire's executive editor, Brandon Karpf, recently caught up with Justin Fanelli, acting CTO of the U.S. Navy.
They spoke about streamlining the fleet's innovation process.
Justin, thank you so much for coming on the show.
I believe it is your first time on CyberWire.
It is. A long-time listener, first-time caller.
Thanks for having me.
And you and I and Rick Howard, who's well-known on this network,
have had numerous conversations around technology creation,
technology adoption, public-private partnerships,
both within the Department of Defense and the government.
I would like to just get your view today on how are we doing with these partnerships? So the public-private partnership
is growing in terms of the number of actual private sector partners that we have and work with.
It's up. New entrants are up. The performance of existing players are up. And so the CNO, the Chief of Naval Operations, sometimes says, hey, we want more players on the field.
From a warfighting perspective, we also want more industry partners on the field contributing to national security, contributing to economic security.
And in this particular case, we are really excited about the number of new ideas and
the impact of the solutions.
If we can, I would love to dig in a little deeper on the nature of that partnership,
because oftentimes folks who maybe are just uninformed or don't have the experience in DOD think of national security as purely military power.
But you mentioned something in that response about it's not just military power.
It's economic power.
It's capability.
It's national strength.
It's even technology innovation adding to our national security.
The strength of our market, the strength of our companies, the strength of our military all working together in concert. Can you talk a little bit
about kind of why today is as good as it's ever been and maybe some of the examples you see
about how the Navy but also DoD more broadly is enabling that? One of the things that is
improving for us is our ability to harness and adopt innovation more intelligently and faster.
We're evaluating based on the outcome-driven metrics.
What does this bring to the table?
Does it open the door to divesting something so that we can invest further?
That keeps this flow healthier in terms of both the technical debt and the resilience that the
cyber capabilities create. Sometimes people refer to the defense ecosystem as a sector. I teach a
course at Georgetown called Cybersecurity Strategy Public and Private Perspectives.
Dual use that is funded by science and technology funding within the Department of Defense is in
all 11 sectors, right? Like this is showing up everywhere. So that is a launch pad as opposed
to a sector. If someone is proving something out or increasing the technical maturity in a
government lab or in a military lab, it's very likely that's going to be picked up by EdTech
or FinTech or something else. We then, on the back end, often make use of that again after that
initial investment. There is money on the left side of that and there's money on the right side
of that. We're trying to bring those closer together and really make that a focal area for where we can connect dots and how
we can close that gap in terms of the speed to impact. We've been just kind of ringing that bell
to say, hey, if there is a topic where, and there are a lot of cyber topics where we can make use
and pull something through, hey, this is a gap in the market.
Hey, this is a tool that allows us to do something more effectively and more resiliently at a lower cost than we've ever done before.
We need that, and we can tie that almost definitely to a top-level requirement that already exists. I mean, as you talk about this need to align the timing, the resources, the funding, the technology maturity, you know, that type of alignment sounds extraordinarily complex
to me. You know, you also talked about determining and assessing and evaluating what you need from
a mission perspective, mission outcomes, and kind of aligning those things together, both the
investments that you're making, but also the acquisition programs that you're creating to align technology with mission outcomes.
I mean, that sounds extraordinarily complex.
Just as in my layman observation, how are you doing that functionally on the ground?
Like, how are you actually accomplishing that mission?
We want to simplify that story.
And so one of the things we've done to try to
simplify that story is to say, hey, there are times where someone is selling a product or
someone is using a product, but in a very limited way. And it's hard to tell. Sometimes it takes an
hour. Sometimes it takes two or three meetings to figure out even where that is. And so we've
used a couple of constructs to start on second or third base to expedite the
conversation. One of the most powerful ones, even though it's simple, is the investment horizons.
And so this looks at technology, where it is in the process, to say 3-2-1-0. One is production.
Is it at scale production, whether it's a designated enterprise service or otherwise?
This is at large. We have tens or hundreds of thousands or maybe even millions of users
within this ecosystem. Horizon two is piloting. We've looked at it. Someone's using it. We want
to use a structured pilot to learn by doing. We won't put this to scale. So there's
psychological safety in there to learn before we scale, but we can't just do this at arm's length.
And then there's horizon three, which is scouting, but scouting more deliberately. And so this could
be other people's money, those S&T organizations that we talked about, or internal research and development,
or the full dual use case ecosystem to include, here's what venture capital firms are backing,
here's what new exciting things are happening. By laying those out three to two to one, we can see
from a matriculation perspective how close we are, where they line up, where one product might do the job more effectively of three
products. We don't want one for ones because that just keeps more cars piling out in the garage.
But what that funnel actually shows us is really important. And then zero is divestment, which is
it's not sexy. We're trying to make it sexy. But this is the idea of there are already a lot of things that we're sustaining.
If we can turn off a legacy capability in favor of something that is more effective or providing bigger outcomes, we want to do that.
So those are the technology horizons, 3-2-1-0.
The interesting part was most of our partners were already playing into this. They just
didn't have the taxonomy. And so we have a lot of partners who are just excited to play
in connecting dots. My program executive office, Digital, we had a handful of program offices.
And so this is a familiar construct, whether you're in government or not, a program office. And we switched to portfolio management offices.
And portfolio theory has been around for a long time. It's not used a ton in government, but as a
concept, I think people are generally familiar that this allows us to make more data-driven,
objective decisions as opposed to
here is my monolithic baby and I want to protect it at all costs. When we were at RSA, people said,
oh, you're the folks who are using Horizons and Portfolio. We know where we fit. We know what
portfolio we fit in and we don't have to defeat some program of record. We can just make our value proposition.
And so that's, we've talked to 500 companies
in the last probably 14 months.
The venture backed community is giving us,
hey, here's the list of portcos
that have the biggest impact on what we're doing.
And we can prove that through outcome-driven metrics. So I'd say
across the services and across several agencies, we're getting good support and people get it,
and that's helping with traction. I was struck by the headline quote in the Atlantic Council's
commission on defense innovation adoption. They published this back in April, 2023. I've seen you use this quote
on some of your documents from your office.
So the quote is,
we have found that the United States
does not have an innovation problem,
but rather an innovation adoption problem.
The DoD struggles to identify, adopt,
integrate, and field these technologies.
And so the thing that really stuck out to me was
this four-step process of identify, adopt, integrate, and field. And you've talked about
a number of ways in which your office and others in DoD are trying to better identify, adopt,
integrate, and field. What I just heard you say, though, is there's still a tremendous amount
of responsibility to the company to help you identify them, to help you adopt them.
They need to pitch themselves and present their value proposition in a way that they understand how it's going to be adopted, how it's going to be integrated within your existing programs, offices, portfolios, and really mission needs.
I think this is fairly accurate.
And ultimately, it becomes a dance, right? Where does the onus go? If we are looking for Moneyball, if we're saying,
hey, we have one dollar and we're going to spend it on one or two things, which one is the biggest
impact? Would you want that to be on the receiver of the pitch to figure it out, or would you want to give the attacker
advantage to the vendor who understands, here's how my product or our service has helped eight
companies? They'll innately understand that probably better than they understand our domain,
but it's easier for those companies that want to make an impact to know, hey, here's how I pitch to this group.
We just know that most of the innovative ideas are out there. And so we need a funnel to receive
those. And so what we've done is we said, okay, we're in the same line as you, innovation adoption
problem. What can we do about that? We send warfighters into theater, we send them with a kit.
So if we send folks into the DOD or federal
ecosystem, here's the innovation adoption kit. And so the IAK is a set of tools to break that valley
of death, in this case, into a handful of glands that say, what if we're so prescriptive that we're
asking for a technology that doesn't make sense anymore?
Well, we should then use top-level requirements.
What if we are measuring something that is no longer relevant
or doesn't have the same impact that we'd like it to?
Then outcome-driven metrics are a proven answer.
How do we talk about things that aren't quite mature enough?
Why not the horizons? I've mentioned VC a couple of times. The VC feedback cycle,
seven years before you know if you did something well or not, oftentimes. We prefer the chef or
the cook feedback cycle. I know if I made a grilled cheese sandwich that sucks in seven minutes, right,
I can learn from that. It wasn't particularly detrimental. I ate it anyway. I was a little
bit burned. But then we know how to do that differently. So the learning by doing at speed
and that is not exposing to like important or significant risk and then applying that to higher
and higher stakes problems. Mean time to feedback, if you will, right?
Mean time to feedback.
Very good. Yes.
To use a cyber term.
That's it.
And that is less than half of my full conversation with Justin Fanelli,
acting CTO of the Department of the Navy. For the full episode, tune in this weekend to our special edition, publishing in the CyberWire Daily podcast feed.
And of course, as always, you can get an ad-free version of that feed by heading on over to cyberwire.com slash pro and signing up for an N2K Pro account,
where you can get this podcast and a whole host of other resources ad-free to support your development and your
professional learning and skills development in cybersecurity. See you there. That's our
own Brandon Karpf speaking with Justin Fanelli, acting CTO of the U.S. Navy.
And finally, our retail desk alerts us to a story by Cyrus Farivar for Forbes.
Employees at the retail giant Target are not thrilled with the company's new AI chatbot,
Help AI, designed to assist with store processes and to support new team members.
Instead of being a helpful tool, employees find it frustrating and unhelpful.
We call it the s*** box because it gives s*** answers, one employee told Forbes, reflecting widespread dissatisfaction.
Target introduced Help AI as part of its growth strategy to combat stagnant sales, with plans to roll it out to nearly 2,000 stores.
Despite Target's CIO Brett Craig touting its transformative potential,
employees argue the chatbot is a waste of resources
and provides incomplete, often ridiculous advice,
such as suggesting confronting an active shooter with a baseball bat.
While Target insists it is committed to improving the tool based on feedback,
employees feel the company should focus on more practical solutions,
like improving checkout experiences
and addressing workload issues. For now, as far as Target's employees are concerned,
help AI is more hindrance than help.
And that's the CyberWire. For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights
that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show,
please share a rating and review
in your favorite podcast app.
Please also fill out the survey in the show notes
or send an email to cyberwire at n2k.com.
We're privileged that N2K CyberWire
is part of the daily routine
of the most influential leaders and operators
in the public and private sector
from the Fortune 500
to many of the world's preeminent
intelligence and law enforcement agencies.
N2K makes it easy for companies
to optimize your biggest investment,
your people. We make you smarter about your teams while making your teams smarter.
Learn how at n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with
original music and sound design by Elliot Peltzman. Our executive producer is Jennifer
Iben. Our executive editor is Brandon Karpf. Simone Petrella is our president.
Peter Kilby is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease
through guided apps
tailored to your role.
Data is hard.
Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.