CyberWire Daily - Escape from GPU island.

Episode Date: September 30, 2024

A critical vulnerability has been discovered in the NVIDIA Container Toolkit. Representatives from around the world are meeting in Washington to address ransomware. The Pentagon shoots down the notion of a separate cyber service. A genetic testing company leaves sensitive information in an unsecured folder. A public accounting firm breach affects 127,000 individuals. The DOJ charges a British national with hacking U.S. companies. California’s Governor vetoes an AI safety bill. CISOs deserve a seat at the table. Tim Starks from CyberScoop describes the House Homeland Security chair’s proposed cyber workforce bill. Password laziness leaves routers vulnerable.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Tim Starks from CyberScoop talking about the House Homeland Security chair releasing and pushing forth a cyber workforce bill. Read more in Tim’s article.

Selected Reading
Critical flaw in NVIDIA Container Toolkit allows full host takeover (Bleeping Computer)
Here's what to expect from the Counter Ransomware Initiative meeting this week (The Record)
Pentagon asks lawmakers to kill third-party look at an independent cyber force (Breaking Defense)
Facial DNA provider leaks biometric data via WordPress folder (Hackread)
Accounting Firm WMDDH Discloses Data Breach Impacting 127,000 (SecurityWeek)
British National Arrested, Charged for Hacking US Companies (SecurityWeek)
California Gov. Newsom Vetoes Hotly Debated AI Safety Bill (BankInfo Security)
PwC Urges Boards to Give CISOs a Seat at the Table (Infosecurity Magazine)
New Critical Password Warning—86% Of All Router Users Need To Act Now (Forbes)

Share your feedback
We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. A critical vulnerability has been discovered in the NVIDIA container toolkit. Representatives from around the world are meeting in Washington to address ransomware. The Pentagon shoots down the notion of a separate cyber service. A genetic testing company leaves sensitive information in an unsecured folder.
Starting point is 00:02:19 A public accounting firm breach affects 127,000 individuals. The DOJ charges a British national with hacking U.S. companies. California's governor vetoes an AI safety bill. CISOs deserve a seat at the table. Tim Starks from CyberScoop describes the House Homeland Security Chair's proposed cyber workforce bill. And password laziness leaves routers vulnerable. It's Monday, September 30th, 2024. I'm Dave Bittner, and thank you for joining us here today.
Starting point is 00:03:17 A critical vulnerability has been discovered in NVIDIA Container Toolkit, posing a major risk to AI applications that rely on it for GPU access. This flaw affects both cloud and on-premise environments and allows attackers to perform container escape attacks, gaining full control over the host system. Once inside, they could execute arbitrary commands or steal sensitive data. NVIDIA Container Toolkit is widely used across AI platforms and comes pre-installed in many virtual machine images, making the issue especially concerning. According to Wiz Research,
Starting point is 00:03:58 more than 35% of cloud environments are vulnerable to this exploit. The vulnerability stems from a failure to properly isolate containerized GPUs from the host, allowing containers to mount parts of the host file system or access runtime resources like Unix sockets. Rated with a critical severity score of 9.0, attackers could exploit this issue by using specially crafted container images, allowing them to interact with the host system. Wiz Research reported the vulnerability to NVIDIA in early September 2023, and a fix was released on September 26th. Users are strongly advised to upgrade. For now, detailed technical information on the exploit remains private to allow organizations time to apply the fix.
Starting point is 00:04:52 This week, representatives from the 68 members of the International Counter-Ransomware Initiative are gathering in Washington, D.C. to address the ongoing threat of ransomware. Despite the initiative doubling in size since 2021, ransomware attacks have also nearly doubled in the same period, according to U.S. intelligence. The fourth annual summit will focus on disruption operations and launching a fund to help countries hit by cyberattacks. There will also be discussions on the intersection of artificial intelligence and cybersecurity. U.S. officials, including Deputy National Security Advisor Ann Neuberger, emphasize that ransomware remains a significant problem,
Starting point is 00:05:37 with Russia serving as a key haven for many attackers. Although the decentralized nature of ransomware groups poses challenges, it also prevents any single group from dominating. The summit aims to bolster efforts to dismantle infrastructure supporting ransomware and disrupt the cryptocurrency flows that fuel these operations. However, officials acknowledge that the incentives for attackers remain strong as many victims continue to pay ransoms. The Pentagon has requested that lawmakers reject a proposal mandating an independent assessment for creating a separate cyber service, according to sources cited by Breaking Defense. This appeal was submitted to the House and Senate Armed Services Committees, arguing that a similar assessment was already required in the 2023 National Defense Authorization Act.
Starting point is 00:06:32 The idea of establishing a separate cyber service has been debated within the Department of Defense, with some officials warning it could create confusion and overlap with existing military cyber efforts. While proponents argue it could streamline operations, others caution that separating cyber functions from broader warfighting missions might hinder effectiveness. Lawmakers will revisit the issue when crafting the final version of the 2025 NDAA after the November presidential election. ChoiceDNA, an Indiana-based genetic testing and facial recognition service, exposed sensitive data, including biometric images, personal details, and facial DNA records, due to an unsecured WordPress folder. The breach, discovered by cybersecurity researcher Jeremiah Fowler,
Starting point is 00:07:28 involved around 8,000 records accessible without any security protections. These records contained names, phone numbers, emails, racial identities, and personal notes, even including data on vulnerable individuals like newborns. The incident didn't involve a misconfigured database or cloud server, but rather an unsecured folder titled Facial Recognition Uploads. Fowler promptly notified the company and the folder was secured, but the exposure raised serious privacy concerns. Experts warn that such sensitive information could be exploited for phishing, blackmail, or identity manipulation, emphasizing the need for companies to implement stronger
Starting point is 00:08:11 data protection measures, including proper configuration and security for online storage systems. Public accounting firm Wright, Moore, DeHart, Dupuis, and Hutchinson, WMDDH, is notifying over 127,000 individuals of a data breach that occurred in July 2023. The breach exposed sensitive personal information, including names, social security numbers, driver's license and passport numbers, financial details, and medical data. While the breach was detected in July, it took WMDDH nearly 10 months to identify the affected individuals. The firm is offering one year of free credit monitoring and identity theft protection services to those impacted.
Starting point is 00:09:00 The Department of Justice and SEC have charged Robert Westbrook, a 39-year-old British national, with hacking five U.S. companies. Between January 2019 and May 2020, Westbrook allegedly accessed corporate executives' email accounts to obtain non-public information about earnings announcements. He then used this information to trade securities, profiting $3.75 million. Westbrook was arrested in the UK and is awaiting extradition and faces charges of computer, securities, and wire fraud. The SEC seeks civil penalties, restitution, and an injunction to prevent future violations. California Governor Gavin Newsom vetoed a proposed AI safety bill that would have required developers of costly AI models to implement measures to prevent critical harms. Authored by Senator Scott Wiener, the bill aimed to regulate AI systems costing over $100 million
Starting point is 00:10:05 by requiring safety testing before release and allowing legal action for damages caused by these systems. Newsom acknowledged the bill's good intentions, but criticized it for imposing broad standards on even basic AI functions without considering context or risk level. Wiener expressed disappointment, calling the veto a setback for AI oversight. The bill had drawn opposition from major tech companies like Google and Meta, despite modifications made to address their concerns.
Starting point is 00:10:39 Cyber resilience efforts are lagging globally, partly because organizations are not involving chief information security officers in strategic technology investments. That's according to PwC's Global Digital Trust Insights report. Polling over 4,000 executives, PwC found that only 2% of organizations have implemented cyber resilience across all areas. Less than 50% of CISOs are involved in strategic planning for cyber investments, limiting their influence. The report urges organizations to give CISOs a seat at the table to align cybersecurity with overall business risk. A disconnect between tech and business leaders is evident, with 66% of tech executives ranking cyber as a top risk compared to 48% of business executives.
Starting point is 00:11:32 Additionally, only 15% of organizations are significantly measuring the financial impact of cyber risks. PwC highlights barriers such as unclear risk scopes, data issues, and compliance concerns. The report calls for greater alignment between CISOs and boards to improve cyber resilience and better prioritize investments. Coming up after the break, Tim Starks from CyberScoop describes the House Homeland Security Chair's proposed cyber workforce bill. Stay with us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:12:43 But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your
Starting point is 00:13:42 company's defenses is by targeting your executives and their families at home. Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. It is always my pleasure to welcome back to the show Tim Starks. He is a senior reporter at CyberScoop. Tim, it's great to have you back.
Starting point is 00:14:30 Hi, Dave. So, CyberScoop, you're living up to your name over there because you got a scoop with an exclusive about the House Homeland Security Chair releasing a cyber workforce bill. What's going on here, Tim? Yeah, whenever I'm talking to people, I'm always telling them on the cyber scoop part of things.
Starting point is 00:14:51 I'm like, it's in the name. Please give me a scoop because it's in the name. Right. So yes, there was a bill that the chairman of the House Homeland Security Committee released this week, and the committee actually did approve it as well a couple days later after we wrote about it. It is what Mark Green calls his top legislative priority, not just cyber priority, but his top legislative priority.
Starting point is 00:15:20 And in an election year where the House Homeland Security Committee has jurisdiction over border security, you can see that that means that's a pretty big deal. schools, aiming to get people with those skills-oriented abilities to, in exchange for scholarship, come work for the federal government, state, local government, tribal, territorial government for a couple of years and pay it back that way. Well, as you mentioned, this comes from the House Homeland Security Chairman Mark Green, who's a Republican from Tennessee. Why do you suppose he's setting this as his top legislative priority? This issue of the cyber workforce is really just so important. It feels, as a journalist, one of the things I've struggled with over the years is trying to communicate to people how big a deal this is.
Starting point is 00:16:19 Because, you know, it's human resources, basically, right? it's human resources, basically. And nothing against human resources, but I don't think people get geeked out about it the way they do about Iranians hacking the presidential campaigns. But it's such a huge deal to have the people you need
Starting point is 00:16:37 to do this. And we don't. And we never have. You and I have been around long enough to know that the cyber workforce gap has been half a million people in the United States for a very long time. And so I think he recognizes that with the threats we face, the top thing we could do, the number one thing we could do to fight it is to have actually skilled, talented people working to fight it. And why come at it from this direction, to have this be styled after ROTC?
Starting point is 00:17:18 Well, in his case, he is a former military man, so he thinks about things that way. But another thing that I think matters here is, you know, you can keep trying to get people who are four-year college degree students. You can keep trying to get very, very highly specialized and educated people. Or you can look to a different set of folk that we haven't taken advantage of as much who maybe for whatever reason, economic factors or whatever kind of factors, that a four-year degree is not an easy or workable thing. And another thing to point out is that with a lot of these things, you probably don't need a four-year degree. So you're looking at a talent pool that is very available, is very exploitable, who can
Starting point is 00:18:03 get very high-paying cyber jobs off a two-year degree. And in theory, this could work. This is one of the other reasons we – the other things we've seen talked about as ways to fill this gap are looking to recruit women more. The workforce is very male. The cyber workforce is very male. And women make up, what, 51% of the world? Makes sense. And you look at the workforce is very white. And so if you look at the number of minorities who you can approach, I mean, there are sort of different angles to approach this problem and tackle this problem. And this is a theory that if we go to these people who we have not been turning to,
Starting point is 00:18:47 we've not been recruiting, we've not been training, this can really help with that problem. One of the things that caught my eye in your story was how this bill directs CISA to put people on the pathway to getting a security clearance and to do it quickly. Yeah, that's another huge problem. There are so many elements of this workforce problem that are huge and difficult to overcome. And the time-consuming factor, the backlog of security clearances
Starting point is 00:19:20 is another pretty constant thing that we have to deal with in this country. This says, okay, we've got someone who is in this program. So start the security clearance process for someone a year out. We know they're coming. So let's get the process started. And it could take months and months and months for this to happen under normal circumstances. So if you get the process started earlier, the thinking is, good, let's get them in the workforce right away instead of having them sit outside and wait for a job to materialize because they have to wait for the security things to happen.
Starting point is 00:19:58 What is your sense of the likelihood of this bill going anywhere? So that was an interesting thing I thought about when I was writing about this. It's September 27th as we talk. It's late September. It's an election year, and Congress ain't going to be around very much more
Starting point is 00:20:19 this year. So I question whether it can happen this year. It's possible. I think one of the things that we didn't discuss in the story that could be a problem for this bill is Senator Rand Paul on the other side of the chamber has been holding up any bill that does anything that gives CISA any power. He is one of the people who is skeptical of the agency. He has talked about this view that a number of people on the right have, that it was somehow involved in a censoring right-wing speech. There's been a court adjudicating on that that says essentially,
Starting point is 00:20:59 no, not really. The Supreme Court has ruled on this. I don't know if that will make Senator Paul ease up on his concerns about this, but it's a problem in the near term that they're going to have to overcome. I've not talked to the Senate side about this yet. The Senate Homeland Security Committee did get its own workforce bill through just a couple months ago, but taking a little different tack on this. And that tack was to not have CISA do it.
Starting point is 00:21:26 It was the office of the National Cyber Department to do it. So that may have made things easier on their side to get that bill through. So we'll see what happens. I think that it's not the kind of bill that is overly partisan. I could see it getting through the House side relatively easily, as long as you put it on the suspension calendar and say, let's just move this fast. I could see that happening. I think the question becomes what Senator Paul thinks of it. Yeah. All right. Interesting insights for sure.
Starting point is 00:21:57 Tim Starks is senior reporter at CyberScoop. Tim, thanks so much for taking the time for us. Thank you, Dave. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing
Starting point is 00:22:37 sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And finally, not that any of our listeners would do this, but a recent survey by Broadband Genie revealed that 86% of broadband users have never changed their router's default admin password. The survey showed that over half of users haven't even bothered to tweak their router settings at all. Worse still, 89% of respondents have never updated their router's firmware, leaving them potentially open to cyber attacks.
Starting point is 00:23:32 The fix is simple. Change your router's admin password, update the firmware, and maybe give your Wi-Fi a snazzy new name while you're at it. It's not rocket science, but it could save you from a digital disaster. As Broadband Genie expert Alex Toft warns, leaving defaults in place is like handing over the keys to your house. Again, not that any of you would do something like that. But, you know, your friends, maybe. Help spread the word. And that's The Cyber Wire. For links to all of today's stories,
Starting point is 00:24:16 check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show every week. And find Grumpy Old Geeks where all the fine podcasts are listed. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app.
Starting point is 00:24:40 Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. We're privileged that N2K Cyber Wire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com. This episode was produced by Liz Stokes.
Starting point is 00:25:14 Our mixer is Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Iben. Our executive editor is Brandon Karp. Simone Petrella is our president. Peter Kilby is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you. you can channel AI and data into innovative uses that deliver measurable impact.
Starting point is 00:26:09 Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
