CyberWire Daily - Double key encryption debate.

Episode Date: May 20, 2024

Germany’s BSI sues Microsoft for more information on recent security incidents. Julian Assange can appeal his U.S. extradition. AI chatbots may have itchy trigger fingers. CISA warns of vulnerabilities affecting Google Chrome and D-Link routers. Ham Radio’s association suffers a data breach. New underground marketplaces pop up to replace BreachForums. An updated banking trojan targets users in Central and South America. Cybercom’s founders share its origin story. Examining gender bias in open source software contributors. For our Industry Voices segment, guest Chris Pierson, CEO at BlackCloak, met up with N2K’s Brandon Karpf at the 2024 RSA Conference to discuss personal cybersecurity risks for executives. College students unlock free laundering, no money required.

Selected Reading

BSI sues Microsoft for disclosure of information on security disaster (Ground News)
Assange Can Appeal U.S. Extradition, English Court Rules (The New York Times)
ChatGPT likes to fight. For military AI researchers, that’s a problem (Tech Brew)
CISA warns of hackers exploiting Chrome, EoL D-Link bugs (Bleeping Computer)
American Radio Relay League Hit by Cyberattack (SecurityWeek)
FBI seizes BreachForums infrastructure, but successor sites are already popping up (ITPro)
Grandoreiro Banking Trojan is Back With Major Updates (Infosecurity Magazine)
Gender bias in open source: Pull request acceptance of women versus men (PDF, ResearchGate)
The inside story of Cyber Command’s creation (CSO Online)
Two Santa Cruz students uncover security bug that could let millions do their laundry for free (TechCrunch)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. AI chatbots may have itchy trigger fingers. CISA warns of vulnerabilities affecting Google Chrome and D-Link routers. Ham Radio's association suffers a data breach.
Starting point is 00:01:51 New underground marketplaces pop up to replace BreachForums. An updated banking trojan targets users in Central and South America. Cybercom's founders share its origin story. Examining gender bias in open source software contributors. For our Industry Voices segment, our guest Chris Pierson, CEO at BlackCloak, met up with N2K's Brandon Karpf at the 2024 RSA Conference to discuss personal cybersecurity risks for executives. And college students unlock free laundering. No money required.
Starting point is 00:02:33 It's Monday, May 20th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thank you for joining us. It is great to have you here with us today. Germany's Federal Office for Information Security, the BSI, has been actively pursuing information on Microsoft's security measures since last fall. Following significant security incidents at Microsoft, where state-sponsored attackers accessed data from Microsoft and its cloud customers, the BSI demanded details on Microsoft's precautions. Microsoft delayed responses, prompting the BSI to invoke Section 7a of the BSI Act, which allows legal action for information release. This escalation was disclosed through a leak from the Bundestag's digital committee. Among the BSI's concerns was the use of double-key encryption,
Starting point is 00:03:43 where data is encrypted with two keys, one retained by the customer. Proper implementation could have prevented data leaks, but unclear details hindered the BSI's assessment of whether attackers accessed plain-text data. Despite repeated requests and legal threats, Microsoft withheld the requested information. The BSI spokesperson criticized Microsoft's inadequate security measures and praised other cloud providers for better technical implementation and incident response. The BSI's actions were reported to the Bundestag's digital committee and leaked to Der Spiegel. A London court has ruled that Julian Assange, the WikiLeaks founder,
Starting point is 00:04:28 can appeal his extradition to the U.S. on limited issues. The U.S. assured the court that Assange would receive constitutional protections and not face the death penalty, but Assange's team argued these assurances were insufficient. Assange has been held in Belmarsh Prison since 2019 and faces charges under the Espionage Act for leaking classified documents. Despite initial rejection, his appeal will proceed. Assange's health has deteriorated and his supporters, including the Australian government, advocate for a political resolution.
Starting point is 00:05:12 President Biden is considering a request to allow Assange to return to Australia without facing prison. AI-powered large-language model chatbots have taken on many roles, but aren't quite ready for military command. Jacqueline Schneider from the Hoover Institution conducted war games using AI, including OpenAI's ChatGPT versions and models from Anthropic and Meta. These simulations showed that AI often escalates conflicts unpredictably, sometimes leading to nuclear scenarios. Schneider points out that AI lacks ethical reasoning, merely mimicking human decisions without truly understanding ethical implications. She believes AI could be beneficial for routine military tasks like logistics, personnel decisions, and planning. AI could also aid in maintaining operations during communication failures.
Starting point is 00:06:13 Schneider's research suggests AI can help diplomats by offering alternative perspectives and identifying blind spots. AI could simulate adversaries in war games, providing insights human players might miss. However, she stresses the importance of caution when considering AI for military and foreign policy decisions, noting the temptation to seek technological quick fixes. Each military branch has different views on AI deployment, and its role in future operations remains uncertain. The policy brief advises decision-makers to proceed cautiously with AI in military contexts, emphasizing its potential for systemic problem-solving over direct combat applications. The U.S. Cybersecurity and Infrastructure Security Agency has added three vulnerabilities to its known exploited vulnerabilities catalog,
Starting point is 00:07:05 one affecting Google Chrome and two impacting D-Link routers. These vulnerabilities are actively exploited, prompting CISA to warn federal agencies and companies to apply security updates or mitigations. U.S. federal agencies must address these vulnerabilities by June 6th. The Chrome flaw involves an out-of-bounds write in the V8 engine, while the D-Link flaws allow remote control of outdated routers. The American Radio Relay League, the ARRL, the National Association for Amateur Radio in the U.S., suffered a cyber attack causing service disruptions and a potential data breach. Founded in 1914, ARRL has around 160,000 members and 100 staff. The attack affected the ARRL Learning Center and the Logbook of the World, disrupting users' ability to submit and track amateur radio logs. The compromised database includes names, addresses, call signs, membership dates,
Starting point is 00:08:08 and email preferences, but not credit card or social security numbers. While ARRL hasn't confirmed a breach of the member database, it indicated the possibility in an update to members. Last week, we reported on the FBI's successful takedown of BreachForums, a major underground cybercrime platform, in a collaborative law enforcement operation. This forum, which succeeded RaidForums after its shutdown in 2022, had been a hub for stolen data, including sensitive information from Europol and health insurance records.
Starting point is 00:08:50 The recent takedown of BreachForums also included the seizure of its Telegram channels, clearnet sites, and a separate Telegram account operated by one of its leaders. The FBI reported taking control of the servers and domains hosting the forum and is currently reviewing the site's back end. They have appealed to users to report any further criminal activity. Despite the success of this operation, cybersecurity experts note that new cybercrime platforms are already emerging. Within hours of BreachForums' seizure, new marketplaces were announced. The threat actor USDoD revealed plans for Breach Nation, set to launch on July 4th, while indications suggest that ShinyHunters are also developing a new platform.
Starting point is 00:09:34 Experts emphasize that while law enforcement is making strides in targeting these sites, the resilience and resourcefulness of cybercriminals mean that new forums can quickly replace those taken down. This cycle creates an ongoing game of cat and mouse with temporary disruptions but no permanent solutions. Platforms like Breach Nation may also have a limited lifespan, but their operators and users will continue to rebrand and resurface. IBM's X-Force reports that a banking trojan, Grandoreiro, has resurfaced in new phishing campaigns with enhanced functionality.
Starting point is 00:10:15 These campaigns target Mexico, Chile, Spain, Costa Rica, Peru, and Argentina by impersonating tax and utility services. Victims clicking on links download a malicious zip file containing the Grandoreiro loader. The updated malware can target over 1,500 banking applications in over 60 countries. It features improved string decryption, DGA algorithms, and email harvesting, allowing it to spread through infected Outlook clients, indicating a push for global impact. At the recent 2024 RSA conference, the so-called Four Horsemen of Cyber,
Starting point is 00:10:57 CISA's Jen Easterly, Lieutenant General S.L. Davis, retired U.S. Navy Vice Admiral T.J. White, and former NSA Chief Paul Nakasone shared their journey of transforming the concept of U.S. Cyber Command into reality. Established in June 2009 by the Department of Defense, Cybercom was created to address the growing vulnerability of military computer systems to cyber attacks. Initially, getting Cybercom operational required creative approaches, including using Hollywood-style storyboards to sell the idea to stakeholders and smoothing over institutional tensions with Starbucks gift
Starting point is 00:11:37 cards. Despite these unconventional methods, Cybercom has since emerged as a pivotal hub for U.S. military operations, tasked with protecting national security from foreign cyber threats. Operating under a dual-hat structure, its commander also leads the NSA. The need for Cybercom became evident during the Iraq and Afghanistan conflicts, leading to its elevation to a unified combatant command in 2017. General Paul Nakasone and other key figures recounted how they addressed significant challenges, including gaining top brass support and integrating advanced NSA capabilities. In 2012, Rachel Neighbors, a software developer, shared her frustrations about contributing to open-source software. Despite her best efforts, her contributions were repeatedly rejected, leading her to suspect gender discrimination.
Starting point is 00:12:36 Her experience wasn't unique. The under-representation of women in open-source communities and their early disengagement from platforms like Stack Overflow hinted at deeper systemic issues. Fast forward to today and the largest study on gender bias in open source to date. Conducted by researchers from Cal Poly and North Carolina State University,
Starting point is 00:13:00 this study dives into the world of GitHub, the largest open-source community, to uncover the truth about gender bias in software development. The results were surprising. Women's pull requests were accepted at a higher rate than men's, 78.6% compared to 74.6%. This initially counterintuitive finding suggested that women contributors were highly competent. However, a deeper look revealed a more nuanced story. When women's gender was identifiable, their acceptance rate dropped significantly.
Starting point is 00:13:36 For women with gender-neutral profiles, the acceptance rate stood at 71.8%, but it fell to 62.5% when their gender was discernible. This stark contrast pointed to an underlying bias against women when their gender was known. The study also uncovered that women tended to submit larger pull requests. More lines of code added, more lines removed, and more files changed. Despite the complexity of their contributions, women's pull requests still enjoyed higher acceptance rates. This finding challenged the stereotype that women might play it safe by submitting simpler changes.
Starting point is 00:14:17 The analysis extended to the types of programming languages used. Women's pull requests had higher acceptance rates across various programming languages, suggesting their proficiency spanned different technical domains. A possible explanation for these findings is survivorship bias. In a field where women face significant hurdles, only the most resilient and competent women persist, leading to a pool of highly capable female contributors. This theory aligns with the observation that women in open source often hold advanced degrees more frequently than their male counterparts. The implications of this study are profound.
Starting point is 00:14:59 It challenges the perception of open source communities as pure meritocracies and underscores the need for anonymity in reducing bias. It also highlights the importance of fostering inclusive environments where contributions are evaluated based on merit, not the contributor's gender. Coming up after the break, Chris Pierson, CEO at BlackCloak, speaks with N2K's Brandon Karpf at the 2024 RSA Conference about cybersecurity risks for executives. Stay with us.
Starting point is 00:17:43 Chris Pierson is CEO at BlackCloak, and at the recent RSA 2024 conference, he met up with N2K's Brandon Karpf to discuss the personal cybersecurity risks for executives. Thanks, Dave. I am here at RSA 2024 with Dr. Chris Pierson, the CEO and founder
Starting point is 00:18:35 of Black Cloak. So, Chris, this is something I'm seeing all the time. I hear conversations regularly with senior security leaders about how we communicate cyber risk to executives and how we communicate cyber risk to boards. The topic that I rarely hear discussed is actually communicating their own risk in that conversation, the risk that they face, their families face. Can you kind of talk me through how you understand those risks and how we should communicate that risk to those type of people? Well, look, the fact of the matter is, is that cybersecurity and privacy risks exist. They exist within the four walls of the company all the time. And the CISO is really well situated to go and talk about those corporate risks. But the other 12 hours of the day are massively interesting.
Starting point is 00:19:18 The risks of a cyber criminal, of a nation state, of some dedicated hacker or person targeting their personal lives, they can go ahead and target those personal devices, personal accounts that the executives have at home. They can target the family members. They can target those things that are outside the four walls of the company and cause impact to the executives, to their families, but also in a meaningful fashion back into the company itself. It's like the LastPass breach. The fact of the matter is they had targeted an engineer on the outside to go ahead and hack into their computer, steal the username and password and dual factor,
Starting point is 00:19:53 and then compromise the rest of the company. So when you talk about how should CISOs frame this, it's one of the things that, you know, it's a little, sometimes it's a pain point for them, but it's one of those things that's natural. You don't want your personal email being compromised. You don't want your kids' social media being compromised. You don't want your personal home network being compromised. And the fact of the matter is, is that those risks are real. They're happening. We're seeing
Starting point is 00:20:17 more public accounts of it each and every day, which is, you know, concerning. And so CISOs have to think about how do they tell board members and corporate executives about these risks and how they're mitigating them. So before we started recording, you were telling me a little bit about the discussion that you led this morning on this exact topic. Can you share some of the potential solutions that were discussed during that conversation, but also the solutions across the full spectrum, whether it's technical solutions, behavior solutions that these CISOs can actually provide to their boards. Yeah, so this morning we had a good conversation about the SEC rule in terms of materiality. And
Starting point is 00:20:53 it's one of those things, once again, that comes up and it continues to come up. A new rule that took effect about seven, eight months ago. And it really asks the CISO to be there at the table saying whether something is a material cyber risk, whether it is a material cyber incident and working with the CFO on it. What we've seen is these things keep on happening. CISOs are getting incoming from their executives, from their board members, questions on cybersecurity, questions on privacy. Why is my family's information out there? Why is somebody emailing on my personal email? Why is somebody protesting
Starting point is 00:21:25 or doxing me or my family at home? And so the solutions really are a few things. Number one, yes, there are technology solutions that need to be put in place. They need to be things that are frictionless. They need to be things that are not corporate solutions. Second, you need some type of silent, really threat intel, but almost silent protection force that is there, only focused on the personal life of that executive and their family. And then third, you need to really work into things, things that we call hardening the human. So there are things that can and will occur in the normal personal life of an executive, a board member, C-suite, those individuals where the only way that you could actually defeat or stop the incident from happening is to have hardened the human,
Starting point is 00:22:06 to at least shown them and talk to them about what may or might happen, to show their family, their husband, wife, spouse, kids, significant other, right? Talk to them about how an attack might happen on social media, how an attack might happen in their personal email and what to do about it,
Starting point is 00:22:22 how to spot and identify it so that some remediation can be put in place. Sometimes it could be technology, but oftentimes it's actually a helpful former cybersecurity expert that is actually bringing to bear both common sense education as well as common sense solutions to actually stop the harm from happening. I like this concept of hardening the human that you share, right? So my own personal background, you know, when I was in the Navy, I ran operations security for most of the units that I was a part of. And it was always about make yourself a hard target. You don't want to be
Starting point is 00:22:55 the easy target. You don't want to be the low hanging fruit. I can imagine a lot of these conversations that whether it's a CISO having it or, you know, a head of risk or something like that is having these conversations with the board. I imagine boards might push back on their personal life and how involved the security organization at their company that they're working with is in their personal lives and even more so the personal lives of their family. How do you address that
Starting point is 00:23:19 in some of the engagements you've seen? How do you kind of actually convince them that it is important that they do need to think about not just theirs, but their families? Yeah, the great thing is that after the SEC rules really kind of brought cybersecurity up to the forefront even more. Every single board is trained
Starting point is 00:23:35 in that they know how to recognize it. They know and have awareness on it. We see the opposite. We see them actually saying, hey, this is actually just not important for the company, but we actually have a role here as directors of the company with the information that we have. And it exists on these board books, and they might be our personal board books. It exists in personal email and text that we're actually sending.
Starting point is 00:23:55 And we get trained every single year on legal things of how to do a legal hold, what to talk about in writing, what not to talk about in writing. But it's time that we actually have more cybersecurity training, more cybersecurity education, and actually a cybersecurity helper. So what we're seeing is boards are actually embracing it. They want to go ahead and be protected, and they also don't want to be the point of exposure. The other flip side is this, is that these board members, they actually serve, usually publicly traded boards, are going to serve on at least three, or up to a maximum of three different boards is what's allowable, is they're getting different training from each one of them and having a holistic solution to actually not just protect them, but also their family
Starting point is 00:24:33 members. That's where, once again, we see a lot of glue being added to it. They might have the right training. They might have the right, you know, they were a former CEO of a company. Now they're serving on multiple boards. They've always had an IT person. They've always had a helper. They've always had somebody doing cybersecurity, but their family members haven't. And they don't have that same level of recognition or training or security. And so as a result, they embrace it and it's even better when it's done by somebody else. So it doesn't have to be the person that is there, you know, kind of holding the cue card, so to speak. Sure. Yeah. Yeah. And building that mental model. So I guess when it comes to helping, whether it's the personal families or the board members and executives themselves build better mental models around
Starting point is 00:25:14 hardening the human side of security, I mean, what, what does the landscape look like in hardening the human? Well, think about it a few different ways. So first of all, think about it in terms of privacy. So if you're going to go ahead and mitigate risks to the individual and their family, really like, you know, starting to harden them, you have to make sure that their information is not publicly available. So phone number, email address, home address,
Starting point is 00:25:37 that way they can't be reached out to as much. It just filters in what they're actually getting. It doesn't stop all those cyber criminals or scam artists or fraudsters from reaching out to them, but it actually will limit it. Same thing in terms of deep web, dark web threat intelligence. You want to make sure that you're actually able to go ahead and know what is out there so you can be better informed and make sure that they're better informed about what attack patterns might happen given the information that's kind of out
Starting point is 00:26:02 there and exposed. Then in terms of the rest is really, yes, some technological solutions. And then when it comes down to the rest of Hardening the Human, it is really showing them a fact pattern, showing them what similar situations are happening, what similar exploits are happening, what are the common scams and tactics, or letting them know when something has risen to a higher level. I'll give you an example.
Starting point is 00:26:23 About four or five weeks ago, there was an AT&T breach, 73 million persons' information out there. Well, that meant that the IMEI information for the phones and SIM cards was potentially out there. Well, that's a huge help to a CISO as to, hey, I might have to rotate the encryption keys that I'm actually using, might have to rotate the seed token that we're using for these phones or might have to turn off any access via dual factor that is via an SMS text message because we can't rely upon this information. But making sure that that executive is educated on what is happening, why it's happening
Starting point is 00:26:58 and how it's going to benefit them, their family and their company overall, that's where you really have to come in in terms of hardening the human. Take that common event that's actually out there and happening in live real time, and then translate it back into the CISO, translate it back into the executive and make it relevant to them. And how a selector like an IMEI is related to them and their connection to the business. Yeah, that's fascinating. Something that we didn't necessarily consider before. So before we sat down,
Starting point is 00:27:25 I was reading through some of Black Cloak's material, and you all talk about a concept that I hadn't thought of myself before, which was the idea of a personal incident response plan. That is a great concept. We all here in this community understand an incident response plan. I've been involved in making them
Starting point is 00:27:41 for numerous organizations as a cybersecurity engineer and incident responder myself, but I've never thought of the personal incident response plan. Can you please walk us through that concept and why you all are really pushing that idea? Yeah, I mean, this is something that's kind of more groundbreaking. We always have these tabletops that are done on the inside of companies or incident response plans on the inside of a company. But the fact of the matter is that you can codify five of them, 10 of them that are going to happen, likely to happen for that executive board member or their families. For example, one could just be straight out of identity theft. The executive is receiving five credit cards in the mail. Well, what was a
Starting point is 00:28:18 condition precedent to that? Somebody has their name, address, they have their social security number, they have their date of birth. Okay. We can craft a plan around that. What happens if somebody gains access into their Gmail account or when they do, right? They have dual factor at work, but they definitely don't have it at home. What do we actually do in that case? Were any documents forwarded there? Were any board materials forwarded there? Does it show travel pattern to make things easier for the significant other to know where they're actually at? Does it have the same contact list that they have at work on their personal account so they also can reach out via those means? Those are all things that can be adequately scoped, they can be adequately dimensioned, and they need some type of response.
Starting point is 00:28:57 We have other ones, you have doxing and swatting attacks. We right now have a lot of activities going on in the doxing and swatting world of things. The information's out there. The company maybe raises drug prices, does something that's not popular. And all of a sudden, right before that quarterly board meeting, two nights beforehand, all the board members are up late because they have the police over their homes. I mean, those are all things that you can code around. And while the CISO has things under control on the inside four walls of the company, they need that partner externally. And they really don't want to be there, right?
Starting point is 00:29:27 It's too much of a pain point, too much friction, quite honestly, legal and privacy reasons. Just not a wise job move. Right. You want to get the executives healthcare at the company, but you don't want to show up personally at their home with a physician and say, hey, we're going to go ahead and conduct a physical on you and your family members. And yet it can still affect the stock price and it can still affect the business doing and providing value to their clients. Well, absolutely. And that's actually the fun area of where materiality happens. So, right, publicly traded company and the CEO
Starting point is 00:29:57 disclosed that they have a heart attack, they have heart problems, all the rest. That can actually impact or influence in some form or fashion, right, shares. It might be something that is disclosable, potentially. And the same thing in terms of materiality on the personal side of cybersecurity. The fact that your company's CEO, and let's just say that their husband or wife, were actually targeted in an extortion attack, or their kid was targeted in an extortion attack because of malware that was on their computer, malware that was in the home, that may be something that is material. Quantitatively, it might not have a financial impact, but with the SEC rule, it actually doesn't matter. There's materiality by nature and materiality by impact. And that impact portion is something
Starting point is 00:30:39 where there could be a reputational risk. There could be somebody trying to exploit that individual to get into the company. There are things there that could, might need to be, you know, discussed or further dimensioned. And so that's why it's a risk area. It's a risk area that exists and you have to find some way of mitigating it, especially given, right, what was it, 2022, you had Uber, Zendesk, Twilio, text messages sent to the personal cell phone numbers of employees. That's how they attacked. Same thing for email addresses. You then have LastPass, where the personal computer of that engineer was actually targeted. Once again, personal side.
Starting point is 00:31:13 Two years later, almost two years later now, it's got to be part of the playbooks. You have to find a way to actually notch that risk off. It's a paradigm shift where, just like a politician expects every little detail of their personal life to be combed through, being a member of a board or a senior executive of a high-profile, really any large organization, your personal security, your personal hygiene, and the security of your family through digital means is something that you have to comb through. Yeah, you're absolutely correct. I mean, the fact of the matter is this: you as an executive, your personal life and your work life are just inextricably intertwined, period.
Starting point is 00:31:53 And cyber criminals, nation states are not going to stop at the doors of the company. They're going to go to where the soft spots are. They're going to go to that soft underbelly of the corporate landscape, which is in effect your home and your personal life. So your fiduciary responsibility is to ensure that you have a valid personal incident response plan and understand the risks and then manage those is what it sounds like. You need to have this all laid out. You need to have a plan. You can't stick your head in the sand on this one. That's great. So we've got a couple more days at RSA and then we are about halfway through 2024 for Chris and Black Cloak. What are you excited for? What are you
Starting point is 00:32:29 looking forward to for the rest of this year? Yeah. I mean, this is a great year. It's a great year to really create more value in products, especially the Black Cloak product, a lot more things on privacy that we're diving out here. We see an executive population that is traveling a lot more. And so we'll have some really fun, exciting announcements around that. And we also see a definitive role here in terms of the big buzzword at the conference is AI. But there's a lot here.
Starting point is 00:32:58 There's a lot here around that topic in terms of how it is being used to target corporate executives, how it's being used to target their families, and really how it's being used to target the corporations. Everybody has an About Us leadership page. There are whatever, 10, 12, 20 mugshots that are up there on the executives and leadership team. And the fact of the matter is that them, their faces, their voices, their videos, all the rest, they're up for grabs. The technology and capacity to do harm has never been at a higher level, never.
Starting point is 00:33:31 And so we're looking at pushing out some really interesting and fun solutions there and elsewhere. But it's full speed ahead. We had a lot of folks that we want to continue to reach out to, continue to work with, and continue to dive deeper within the organization. Actually, we just launched, I don't even know if we've talked about, we just launched a few weeks ago, about four weeks ago, incident response as a service. So within the, yeah, within corporations. So those companies that we're already covering, you know, that are a certain mark, they can go ahead and actually have incident
Starting point is 00:34:06 response as a service. So dive deeper in the organization, but they don't have to have full-blown Black Cloak plans for those individuals. It's kind of on a per-drink model, so to speak. So if you have the number three in legal, the number four in, you know, finance, the person that is actually getting hit, and you as a CISO, as a deputy CISO, would normally spend your personal time or your team's time trying to solve for that. You now can go ahead and use Black Cloak and the membership in the program to go ahead and solve their pain points as well. So really, really fun stuff. Well, Dr. Chris Pierson, thank you so much for joining us and for coming back to the CyberWire. Hey, thank you so much. Appreciate it. That's our own Brandon Karpf
Starting point is 00:34:49 speaking with Black Cloak CEO Chris Pierson at the 2024 RSA Conference. And finally, our personal hygiene desk shares the story of a different kind of money laundering. In the early hours of a January morning, UC Santa Cruz student Alexander Sherbrooke found himself sitting on the laundry room floor with his laptop. Amidst the hum of machines, he had an oh shucks moment. Running a script, he watched in amazement as the washing machine beeped and flashed push start without deducting a dime from his account. He'd stumbled upon a golden hack: free laundry. Sherbrooke, along with fellow student Iakov Taranenko, discovered a security flaw in CSC ServiceWorks' network
Starting point is 00:36:39 of over a million connected laundry machines. The duo found that the CSC Go apps API could be tricked into granting unlimited laundry cycles and inflating account balances to absurd amounts, all without spending a penny. They promptly reported the flaw to CSC ServiceWorks, but their pleas were met with silence. Calls went unanswered and emails were ignored. Even adding a balance of several million dollars to their account didn't provoke a formal response. Frustrated but undeterred,
Starting point is 00:37:14 the students shared their findings at a university cybersecurity club and later with the CERT Coordination Center. They explained how anyone could create a CSC Go account with a fake email and manipulate the system, making free laundry a possibility for all. The CSC Go servers, it turned out, were trusting anything the app told them. Despite their good-faith efforts to alert CSC ServiceWorks, the security flaw remains unpatched, leaving millions of internet-connected laundry machines vulnerable to exploitation. While Sherbrooke and Taranyenko have moved on to new projects, they hope their story underscores the importance of robust cybersecurity practices.
Starting point is 00:38:00 The ongoing vulnerability is a stark reminder that even the simplest conveniences, like doing laundry, require vigilant protection in our increasingly connected world. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead
Starting point is 00:38:42 in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. We're privileged that N2K Cyber Wire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. Thank you. at n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music and sound design
Starting point is 00:39:28 by Elliot Peltzman. Our executive producer is Jennifer Iben. Our executive editor is Brandon Karp. Simone Petrella is our president. Peter Kilby is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
Starting point is 00:40:26 helping you gain insights, receive alerts, and act with ease through guided apps tailored to your