CyberWire Daily - Eavesdropping on America’s eyes and ears.
Episode Date: November 14, 2024

The Feds confirm Chinese penetration of U.S. telecom wiretap systems. Anne Neuberger outlines top cybersecurity challenges facing the upcoming Trump administration. Former Air National Guardsman Jack Teixeira gets a 15-year prison sentence for leaking classified U.S. military documents. A Chinese national faces up to 20 years in prison after pleading guilty to money laundering for “pig-butchering” scams. Researchers say a popular pregnancy app has serious, unaddressed security vulnerabilities. NIST misses its deadline for clearing the NVD backlog. A B2B demand generation company confirms a leak affecting 122 million people. HHS warns healthcare organizations to be on the lookout for Godzilla. Moody’s designates the industries at highest risk of cyber attack. Guest Sarah Hutchins, Partner at Parker Poe, discusses the growing number of state data privacy laws. An AI grandma keeps scammers on the line.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Guest Sarah Hutchins, Partner at Parker Poe, discusses the growing number of state data privacy laws. You can listen to Sarah’s full conversation, including litigation trends related to targeted advertising and wiretapping, and key takeaways for companies on cybersecurity practices and risk reporting, on today’s Caveat episode.
Selected Reading
FBI confirms China-backed hackers breached US telecom giants to steal wiretap data (TechCrunch)
Top White House cyber official urges Trump to focus on ransomware, China (The Record)
Chinese national faces 20 years in US prison for laundering pig-butchering proceeds (The Record)
IT specialist Jack Teixeira jailed for 15 years after leaking classified military documents on Discord (Bitdefender)
Pregnancy Tracking App ‘What to Expect’ Refuses to Fix Issue that Allows Full Account Takeover (404 Media)
NIST Explains Why It Failed to Clear CVE Backlog (SecurityWeek)
Leaked info of 122 million linked to B2B data aggregator breach (Bleeping Computer)
Feds Warn of Godzilla Webshell Threats to Health Sector (BankInfo Security)
Industries with highest cyber risk unveiled by Moody’s Rating (SC Media)
O2 unveils Daisy, the AI granny wasting scammers’ time (Virgin Media O2)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The Feds confirm Chinese penetration of U.S. telecom wiretap systems.
Anne Neuberger outlines top cybersecurity challenges facing the upcoming Trump administration.
Former Air National Guardsman Jack Teixeira gets a 15-year prison sentence for leaking classified U.S. military documents.
A Chinese national faces up to 20 years in prison after pleading guilty to money laundering for pig butchering scams.
Researchers say a popular pregnancy app has serious unaddressed security vulnerabilities.
NIST misses its deadline for clearing the NVD backlog.
A B2B demand generation company confirms a leak affecting 122 million people.
HHS warns healthcare organizations to be on the lookout for Godzilla.
Moody's designates the industries at highest risk of cyber attack.
Our guest is Sarah Hutchins, partner at Parker Poe, discussing the growing number of state data privacy laws.
And an AI grandma keeps scammers on the line.
It's Thursday, November 14th, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thank you for joining us here once again.
It is always great to have you with us.
The U.S. government has confirmed a Chinese-linked hacking campaign breached several major U.S. telecom providers,
giving hackers access to wiretap systems used by law enforcement.
In a joint statement, the Cybersecurity and Infrastructure Security Agency and the FBI called this breach broad and significant.
Hackers reportedly accessed networks for months, collecting Internet traffic and intercepting call records of targeted individuals,
many of whom were involved in government or politics.
According to reports, affected providers include AT&T, Lumen, and Verizon,
though the agencies did not confirm specific names.
The group, known as Salt Typhoon, allegedly copied data subject to U.S. court orders for wiretaps. While CISA and the FBI continue to provide technical support to affected organizations, they urge any companies that might suspect similar breaches to contact local FBI or CISA offices to help prevent further compromise and bolster cyber defenses.
Yesterday, Anne Neuberger, White House cyber advisor,
outlined top cybersecurity challenges facing the upcoming Trump administration,
focusing on China, ransomware, and cryptocurrency.
At Columbia University, Neuberger emphasized the escalation of China's cyber activities,
including pre-positioning in critical U.S. infrastructure, potentially setting up future disruptions.
She also addressed ransomware gangs, noting their significant disruption and reliance on cryptocurrencies, which facilitate ransom payments and fuel global cybercrime.
Neuberger praised the Biden administration's cybersecurity strategy, including minimum cyber standards across industries like pipelines, railways, and aviation achieved through collaboration with industry leaders. Now, 100% of critical pipelines meet TSA cybersecurity requirements.
Cryptocurrency remains a contentious issue, funding rogue governments and ransomware attacks. Neuberger warned that the Trump administration must tackle crypto regulation, given its role in global cyber threats. She also noted the Supreme Court's Chevron decision could impact future cyber regulations.
Despite political divides, cybersecurity remains largely bipartisan, allowing for a smoother policy transition.
Jack Teixeira, a former Air National Guardsman, received a 15-year prison sentence for leaking classified U.S. military documents online. As an IT specialist at a Massachusetts base, Teixeira shared sensitive information on a Discord server focused on gaming and guns. The leaked documents, which eventually spread online, revealed U.S. and allied military activities, strategies in Ukraine, Middle East operations, and intelligence-gathering methods. Teixeira initially memorized details, then escalated to printing classified documents to impress online friends. His actions, driven by ego rather than espionage, went undetected despite red flags until Discord provided his information to investigators. Following his arrest, the incident prompted disciplinary actions against 15 Air National Guard leaders and led the U.S. Air Force to tighten classified data access protocols. FBI Director Christopher Wray emphasized this case as a warning to those handling national defense information.
Chinese national Darren Li faces up to 20 years in prison
after pleading guilty to laundering over $73 million from pig butchering scams,
a fraud involving relationship-based cryptocurrency schemes.
Li, 41, led a money laundering network,
creating 74 shell companies to funnel victims' funds, converting them into Tether for redistribution. Arrested in April, Li's case is part of a broader investigation into organized Southeast Asian criminal groups linked to rising U.S. crypto fraud, which totaled nearly $4 billion in 2023.
Reportedly, popular pregnancy app What to Expect has serious unaddressed security vulnerabilities that could lead to full account takeovers, exposing sensitive reproductive health information. Security researcher Ovi Liber revealed that an exposed API endpoint without authentication or rate limiting allows for easy brute force attacks on account password resets. The app also exposes email addresses of community forum administrators, increasing users' risk of targeted harassment. Despite efforts to notify What to Expect since October, Liber received no response, raising ethical concerns about the company's commitment to user security. Liber stresses that when app owners ignore responsible disclosure, researchers may need to alert users and the security community to ensure their protection. This follows Liber's earlier report of a similar vulnerability in the fertility app Glow, which was later addressed. The developers of What to Expect have not yet commented.
NIST announced it's working through a large backlog of over 18,000 vulnerabilities in the
National Vulnerability Database, but missed its original goal of clearing it by September 30th.
Despite hiring more analysts and addressing all known exploited vulnerabilities,
NIST struggled due to incompatible data formats from authorized data providers.
NIST is developing new systems to streamline data processing
and pledged to provide updates on further progress,
though it hasn't set a new deadline for clearing the entire backlog.
A massive data leak of business contact information for 122 million people was confirmed to have originated from Demand Science, a B2B demand generation company. The data includes names, email addresses, phone numbers, job titles, and social media links aggregated from public sources and third parties. The dataset was first sold by the hacker KryptonZambie in February of this year, who later made it available for free on a hacking forum. Demand Science initially denied any breach, but later acknowledged that the data came from a decommissioned system. Security researcher Troy Hunt verified the data's authenticity and added all affected email addresses to Have I Been Pwned, allowing impacted individuals to receive notifications. Demand Science maintains that none of its current systems were compromised, but continues monitoring the situation.
The U.S. Department of Health and Human Services has issued an urgent warning to healthcare organizations about the Godzilla web shell, a Chinese-backed cyber tool that enables attackers to manipulate files, execute commands, and evade detection using advanced encryption. Publicly available on GitHub and actively maintained, Godzilla is a significant risk to healthcare systems, potentially leading to ransomware attacks that could compromise sensitive health data and disrupt hospital operations. The American Hospital Association emphasized the threat's severity, noting the high frequency of cyberattacks in the healthcare sector. HHS advises healthcare entities to adopt a multi-layered defense strategy, apply software updates, and review cybersecurity performance goals to bolster defenses. Although no direct cases have been reported yet, security officials stress that vigilance and proactive measures are essential.
Moody's has assigned a very high cyber risk rating to the telecommunications, airline, and power generation sectors due to increasing digitization and weak cybersecurity practices. These industries collectively face $7.1 trillion in debt. Telecommunications, notably vulnerable, has seen major breaches, including attacks on AT&T, Lumen, and Verizon by China's Salt Typhoon group. Airlines' cyber risk rose after a CrowdStrike software update failure exposed their reliance on tech. Other sectors, including automotive, education, manufacturing, energy, and ports, also saw risk levels increase to high.
Coming up after the break, my conversation with Sarah Hutchins, partner at Parker Poe. We're speaking about the growing number of state data privacy laws. Stay with us.
Sarah Hutchins is a partner at the law firm Parker Poe. I recently spoke with her for the Caveat podcast about the growing number of state data privacy laws.
From your position of expertise here, where do we find ourselves when it comes to the patchwork of state privacy laws?
Well, first off, thank you so much for having me. I hate to disappoint, but I don't think you can call it level at all. We are not level setting. We, and I think the clients that I represent, companies all over the country, are dealing with an environment that I would say is really in flux. There is some federal guidance that's available, especially to certain industries or focused on certain categories of people.
But in large part, we're dependent upon the states to give us regulatory guidance, at least as to what is or is not okay with respect to individual data.
And the challenge with that for a lot of companies is that while they may be in a certain state,
their sort of digital presence is non-jurisdictional.
They're all over.
And the laws at the state level are largely focused on where the individual lives. So companies find
themselves subject to a whole host of different laws. Some, I would say, comprehensive, like
California, for example, and some that are maybe niche specific to them because they're in a
certain industry or collecting on a certain type of person. And they have to balance that with all
of the other types of laws that they are subject to in other states and at the federal level.
I'm curious, have you found there to be any situations where there are laws that are contradictory?
Oh, absolutely. Now, some of the state laws that we're seeing, and I would say we've got at this point, late October 2024, we've got about 19 state laws that have been enacted that I would sort of label as comprehensive.
laws, although in some instances it's promised in future rulemaking, as to preemption with other existing statutes, largely federal statutes. So for example, financial data or data that's
collected by an entity when they're offering credit to a consumer. In some instances, state
laws will say that there's an entity-level exception.
So if you're subject to the Gramm-Leach-Bliley Act, because you're a financial institution,
if it's an entity-level exemption, then your entire entity is forgiven essentially from
complying with the state law.
But sometimes it's only a data-specific exemption.
And that would just be the certain data that you collect that's subject to
that federal law is subject to one law. And then the rest of the data you have is subject to
state laws relative to that specific person. And other times it's not specified yet. And you sort
of have to try to comply with both and they may, to your point, be in conflict. Another example
would be employment information. There are lots of laws at the state
and federal level that require long-term retention of certain types of employee documents and
information, but other laws that are directing you to adhere to a really strict data hygiene,
data minimization regimen, and those can also send conflicting messages to companies as well.
Are there differences between the states in terms of how aggressive they are in pursuing
these things?
Yeah, absolutely.
And I think we saw that too with the state data breach laws. All 50 states have a data breach law that's going to dictate certain steps the company needs to go through and certain ways that they need to hold some of their data. And you would see certain attorneys general be much more aggressive than other states when something like that happens to their constituents if they're subject to a breach. We're seeing the same thing with the focus that some states have on the laws that they are enacting. And some are going so far, we've got at least three that have created privacy offices, so to speak, that are solely focused and get additional resources to pursue adherence to their comprehensive data security, data privacy statutes. And that's important, especially for consumers, because the vast majority of these statutes do not have a private right of action. So the way that you get companies to adhere to it is through enforcement by the Attorney General's office and not necessarily through civil litigation.
How are you and your colleagues recommending that folks approach this patchwork of regulations here?
How do you take a practical approach to this?
It's certainly difficult. And I think it's very important to have that be a continuous and constant element of a company's hygiene and governance process. It's not sort of a one and done. I think maybe the old
adage is true that an ounce of prevention is worth a pound of cure. Unfortunately, a lot of clients,
because I'm a litigator, come to me with a renewed focus on compliance sort of post-litigation,
post-learning, a rather expensive and difficult lesson.
But if you can highlight compliance,
and it's especially important, I think,
for companies this time of year because it's usually budget season for the next year,
you can hopefully make yourself unattractive
to a regulator or unattractive to a plaintiff attorney
for different types of statutes that
do have a private right of action related to data to avoid that kind of litigation headache and
frankly, financial loss. So working on really making sure all of your stakeholders are at the
table. It's not enough to have the legal department
or frankly, your outside attorney like me
come in and draft a bunch of policies and procedures
if they don't align with your actual practices.
So making sure that marketing is at the table
and HR and certainly your IT department,
your information security professionals
and make it a holistic process.
What kind of data do we have?
How do we get it?
What do we use it for?
And how do we dispose of it and share it if we do?
And with those policies and procedures, you can put into place the right processes, the
right consents, and the right disclosures that really make your sort of
outward-facing appearance show that you are in line with this myriad of statutes.
But also, internally, you will have processes in place to deal with the data that you have,
to put in place appropriate hygiene.
And in the event an incident occurs,
you know what data you have
and how you're going to respond.
You can listen to my full conversation
with Sarah Hutchins from Parker Poe
over on the Caveat podcast.
You can find a link to that in our show notes.
And finally, UK telecommunications provider Virgin O2 has a new anti-fraud team member.
Daisy is a clever AI with the personality of a chatty grandma,
designed to keep scammers busy with rambling conversations to waste their time.
Officially dubbed Head of Scammer Relations,
Daisy keeps fraudsters on the line with tales of family drama and knitting tips,
all while helping real customers avoid being scammed.
Let's have a listen.
I'm an AI created by O2 to waste phone scammers' time.
So, W is then a dot.
Three times W and then dot.
I think your profession is bothering people, right?
I'm just trying to have a little chat.
It's nearly been an hour!
For the love of...
Gosh, how time flies.
Developed with help from YouTube's scambaiter Jim Browning, Daisy is part of O2's Swerve the Scammers initiative aimed at fighting the UK's fraud epidemic. While Daisy keeps scammers occupied, O2 is urging the public to report suspicious calls, helping them block and track fraudsters. Reality star Amy, a scam survivor, has joined the campaign to help raise awareness.
O2 is also calling for the government to tackle fraud more aggressively
by appointing a fraud minister
and creating a national body to combat scams.
So, scammers, beware.
Daisy's got all the time in the world,
and she's more than willing to discuss
her favorite fictional grandkids.
Because while they're busy talking to me, they can't be scamming you.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app. Thank you. influential leaders and operators in the public and private sector, from the Fortune 500 to many
of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for
companies to optimize your biggest investment, your people. We make you smarter about your teams
while making your teams smarter. Learn how at n2k.com. This episode was produced by Liz Stokes.
Our mixer is Trey Hester, with original music and sound design by Elliot Peltzman.
Our executive producer is Jennifer Iben.
Our executive editor is Brandon Karp.
Simone Petrella is our president.
Peter Kilby is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.