CyberWire Daily - From lawsuit to logoff: Google's incognito mode makeover.
Episode Date: April 2, 2024

Google agrees to delete billions of user records. NIST addresses the NVD backlog. India rescues hundreds of citizens from scam jobs in Cambodia. The UK and US agree to collaborate on AI safety. The FTC tracks an explosion in impersonation fraud. A PandaBuy breach exposes over 1.3 million customers. Prudential Financial informs over 36,000 customers of a data breach. A look at safeguarding sensitive data. Our guest is Jeff Reich, Executive Director of the Identity Defined Security Alliance (IDSA), with insights on identity security best practices. A dash of curiosity reveals a hotel chain vulnerability.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Guest Jeff Reich, Executive Director of the Identity Defined Security Alliance (IDSA), sharing insights on identity security best practices, identity and access sprawl, and how Generative AI is helping and hurting identity management. The IDSA's Identity Management Day 2024 is coming up on April 9, 2024.

Selected Reading
Google agreed to erase billions of browser records to settle a class action lawsuit (Security Affairs)
Vulnerability database backlog due to increased volume, changes in 'support,' NIST says (The Record)
India rescues 250 citizens enslaved by Cambodian cybercrime gang (Bleeping Computer)
The US and UK are teaming up to test the safety of AI models (Engadget)
Impersonation Scams Net Fraudsters $1.1bn in a Year (Infosecurity Magazine)
PandaBuy data breach allegedly impacted +1.3M customers (Security Affairs)
Prudential Financial Data Breach Impacts 36,000 (SecurityWeek)
How to bridge the gap between the IT and legal staffs to better combat insider risk (SC Media)
IBIS hotel check-in terminal keypad-code leakage (Pentagrid AG)

Share your feedback.
We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
...of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me.
I have to say, Delete.me is a game changer. Within days of signing up, they started removing my
personal information from hundreds of data brokers. I finally have peace of mind knowing
my data privacy is protected. Delete.me's team does all the work for you with detailed reports
so you know exactly what's been done. Take control of your data and keep your private life Thank you. JoinDeleteMe.com slash N2K and use promo code N2K at checkout.
The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout.
That's JoinDeleteMe.com slash N2K, code N2K. Google agrees to delete billions of user records.
NIST addresses the NVD backlog.
India rescues hundreds of citizens from scam jobs in Cambodia.
The UK and US agree to collaborate on AI safety.
The FTC tracks an explosion of impersonation fraud. A PandaBuy breach exposes over 1.3 million customers.
Prudential Financial informs over 36,000 customers of a data breach. A look at safeguarding sensitive
data. Our guest is Jeff Reich, Executive Director of the Identity Defined Security Alliance, with insights on identity security best practices.
And a dash of curiosity reveals a hotel chain vulnerability.
It's Tuesday, April 2nd, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Hello, everyone, and thank you for joining us here today.
It is great to have you with us.
Google has resolved a class action lawsuit dating back to 2020
by agreeing to delete billions of records related to users' incognito mode browsing activities.
The lawsuit accused Google of misleading users into believing their browsing in incognito mode would not be tracked,
despite the company allegedly using advertising technologies to monitor and collect data on users' online activities,
violating privacy and wiretapping laws.
The settlement, reached in December of 2023, does not include financial compensation from Google, but mandates the company to delete identifiable private browsing data and adjust incognito mode's
default settings to block third-party cookies for five years. Additionally, Google is required to
remove any data that could make browsing identifiable, such as IP addresses and specific browser details. While Google insists
the lawsuit was baseless and that it never associated incognito browsing data with individual
users or used it for personalization, the settlement allows individuals to pursue separate
damages in state courts. The National Institute of Standards and Technology, NIST, faces a significant backlog
in processing vulnerabilities for its National Vulnerability Database, the NVD, attributing the
issue to increased software volumes and changes in interagency support. NIST is working to establish
a consortium to tackle these challenges and has reassigned staff to prioritize
critical vulnerability analysis. Despite a 20% funding cut, cybersecurity experts have urged
Congress to support the NVD, labeling it as a critical infrastructure essential for defending
against cyberattacks. NIST's efforts include long-term strategies and increased collaboration
to enhance the NVD's efficiency. However, the backlog has led to concerns over the database's
current functionality and transparency, with calls for urgent action to maintain global
cybersecurity standards. The Indian government successfully repatriated 250 citizens from Cambodia
who were deceived by promises of lucrative jobs
but were instead forced into cybercrime activities upon arrival.
These individuals were coerced into illegal online scams under harsh conditions,
controlled by a network involving Chinese and Malaysian operatives.
Despite the significant rescue effort, reports suggest around 5,000 more Indians might still
be trapped in similar conditions in Cambodia, contributing to scams worth nearly $60 million
over six months. The case highlights the crucial role of international collaboration in addressing cybercrime and underscores the evolving challenges in cybersecurity, as well as the risks associated with overseas employment opportunities.
Investigations are ongoing to rescue more victims and dismantle this extensive scam network.
The governments of the UK and the US have signed a Memorandum of Understanding to establish a unified approach for the independent safety evaluation of emerging
generative AI technologies. This collaboration involves the UK's AI Safety Institute and a
forthcoming US counterpart with plans to develop test suites assessing the risks of advanced AI models.
They aim to share knowledge, information, and personnel,
beginning with a joint testing exercise on a publicly accessible model.
This move comes as AI developers like OpenAI, Google, and Anthropic rapidly advance their technologies,
prompting urgent action to ensure these
innovations are safe. This partnership, the first of its kind globally, underscores a commitment to
addressing AI's potential risks to national security and societal well-being. Additionally,
it complements broader regulatory efforts in the U.S. and Europe aimed at safeguarding the public from the adverse effects of AI.
The Federal Trade Commission reports that impersonation fraud losses have tripled over
the past three years, reaching over $1.1 billion in 2023. The agency received around 490,000
reports related to business and government impersonation scams,
constituting half of all fraud reports in that period. There's been a notable shift in the
methods of impersonation, with email and text-based scams increasing significantly,
while phone-based scams decreased. The share of fraud involving bank transfers and cryptocurrency payments also rose substantially, contributing
to $593 million in losses last year.
The FTC highlights a growing trend of scammers impersonating multiple entities within a single
scam, blurring the lines between business and government impersonation, complicating
the detection and prevention of these fraudulent
activities. Hackers infiltrated the PandaBuy online shopping platform, exposing over 1.3
million customers' personal information. The breach, disclosed on a cybercrime forum by
threat actors Sanggiero and IntelBroker, exploited critical vulnerabilities in PandaBuy's platform and API.
The leaked data encompasses a wide range of personal details, including user IDs, names,
contact information, order details, and addresses. The breach, involving nearly 3 million data rows,
was confirmed by Have I Been Pwned founder Troy Hunt, who validated 1.3 million
email addresses and added them to the HIBP database for affected users to verify their exposure.
Despite these developments, PandaBuy has not formally acknowledged the breach,
and there are claims of the company attempting to conceal the incident.
Meanwhile, insurance giant Prudential Financial has informed over 36,000 individuals about a data breach in early February 2024, where personal details were compromised.
The incident, reported to the SEC in mid-February, was promptly identified,
revealing unauthorized access to administrative data
and employee accounts. The ALPHV/BlackCat ransomware group, known for recent disruptions,
including a major U.S. health system, claimed responsibility. Following the breach,
identified on February 4th, Prudential engaged cybersecurity experts for investigation and
response, learning that a fraction of personal
data was extracted. Affected data includes names, addresses, and identification numbers.
Prudential says that the breach has been contained with enhanced security measures implemented.
Although there's no evidence of identity theft or fraud from this breach,
the company is offering two years of free credit monitoring to affected
individuals. Code42's president and CEO Joe Payne writes an article for SC Media that addresses the
critical intersection between IT security leaders and legal professionals in safeguarding sensitive
data and intellectual property against a broad spectrum of threats, including those posed
by insiders. Highlighting findings from the 2024 Data Exposure Report, Payne reveals that despite
widespread adoption of data protection strategies, a significant majority of organizations still fall
victim to data breaches, underscoring the persistent challenge of insider threats.
Payne elaborates on the complexities introduced by the modern workplace,
such as the widespread adoption of cloud computing and mobile technology,
which complicate data management and security. He references a high-profile case involving Tesla to illustrate the severe legal and financial repercussions that can result from inadequate data protection measures,
emphasizing the potential for massive GDPR fines.
The article advocates for a collaborative approach between IT, security, and legal departments
to develop comprehensive policies that address insider threats
while ensuring compliance with evolving data protection laws.
Payne suggests three key strategies for mitigating data risk: swift breach identification, achieving
complete visibility over file activity, and implementing ongoing staff training programs
on data security policies.
Payne's insights underscore the necessity for a unified strategy that leverages technology, processes, and education to protect against data loss, while acknowledging the challenges of securing data in an increasingly distributed and digitalized enterprise environment.
His analysis provides a valuable roadmap for organizations looking to bolster their data protection efforts in the face of both internal and external cybersecurity threats.
Coming up after the break, Jeff Reich,
Executive Director of the Identity Defined Security Alliance,
has insights on identity security best practices.
Stay with us.
Transat presents a couple trying to beat the winter blues.
We could try hot yoga.
Too sweaty.
We could go skating.
Too icy.
We could book a vacation.
Like somewhere hot.
Yeah, with pools.
And a spa.
And endless snacks.
Yes!
Yes!
Yes!
With savings of up to 40% on Transat self-packages, it's easy to say, so long to winter.
Visit Transat.com or contact your Marlin travel professional for details.
Conditions apply.
Air Transat.
Travel moves us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com/cyber.
That's vanta.com/cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been
breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more
at blackcloak.io.
Identity Management Day is coming up on April 9th,
and in anticipation of that, I spoke with Jeff Reich,
Executive Director of the Identity Defined Security Alliance,
and he provided insights on identity security best practices.
The Identity Defined Security Alliance is a nonprofit organization
with the mission of raising the
awareness of identity and identity security and resulting the security of identities.
Now, that may sound like just a repeat of a lot of words, but identity means a lot of
things to different people.
To you, it means your carbon-based DNA identity, maybe.
To other people, it means your driver's license.
To other people, it may mean the chip in their iPhone or computer.
And there's a lot of different ways to look at identities.
So what we do is raise the awareness of what's out there.
And from a consumer perspective, what steps should you be taking
and what should you be saying to your merchants and retailers
about protecting your identity? And to those retailers and websites, we're saying, you're
custodians of identity. Here's the sort of things that we believe are best practices you should
follow to help protect it. And then we give the same sort of message to the identity providers,
and in some cases, standards organizations as well.
And in your estimation, where do we find ourselves today in terms of the various stakeholders
having awareness and the tools to properly protect their identity?
So I'm going to give the very muddled answer of it depends and it's mixed.
Because, you know, in some ways, consumers, I'm going to start at that end of it,
and they're not our main target, although we certainly do with consumers.
Many consumers are still dealing with my identity as my driver's license,
even though that's not true for almost anyone.
And many vendors, websites, retailers, anyone that deals with consumers or other businesses,
in the U.S., they believe when we have information about your identity,
we can use that to our advantage.
We're going to sell to you, we're going to market to you, that sort of thing.
And from an identity provider perspective, many of them are saying, we have a good solution for you to manage those identities.
But almost none of them come up with a way to integrate or become interoperable with other identity providers.
So there's a lot of good things out there.
They have yet to all come together in harmony.
What are the providers aspiring to? I mean, is there anything on the horizon here that could help break through and be kind of a common framework for people to rally
behind?
You know, to a degree, I think they may be waiting for that. You know, many providers,
certainly not everyone, but certainly some of the larger ones would like to say, well, what I do is
so good, that should be the new standard. And, you know, that's no different than operating software for computers. We've seen that
battle around for, you know, 20, 30 years. But realistically, they know that they have to, and
IDSA provides a safe space for the different identity providers to come together in a room,
check your guns at the door,
and let's come up with what makes sense so we can all work together. And they're open to that.
But everyone's, you know, it's still kind of a, is it technology ready? Do I want to give up my
proprietary software or technology to work with this other one? You know, am I lowering my standards
by working with them? So that dance
is still taking place. Now, on a larger scale, IDSA is a member of SIDI Hub, which is the Sustainable
Interoperability for Digital Identities, SIDI, and working to influence some of the standards
organizations and governments around the world to say, if you're going to have a digital wallet to contain identities, at a minimum,
consider having this criteria of authentication and standards in place in the same way that
with your physical passport right now, you can go to most countries and they're willing to accept
that passport as valid because they know the United
States, if that's where you got your passport, meets a certain criteria or above to say, yes,
they validated who this person is. That same sort of concept needs to occur with digital wallets.
Where do we stand with this influx, this enthusiasm about generative AI?
Has that affected your space as well?
Let's see, in the past 10 minutes, maybe not, but I bet it has, and I just don't know about it yet.
So yeah, the answer is yes. You know, generative AI, which by the way, I think is a good thing,
just like many other tools, but like with many other tools or weapons,
you know, some tools become weapons. They're good if they're pointed in the other direction and not
if they're pointed towards you. And that's the perspective I take with generative AI. I think
there's a lot of good things we can do with it. I think we could expand generative AI, not just deepfakes, because frankly, I'm not a big
fan of that. But if we take all the technology around AI and generative AI and start saying,
okay, here's the identities that I'm managing. Here's how they operate. Tell me when you think
one of those identities has anomalous behavior, doing something that we
wouldn't expect it to do. A wonderful use of predictive analysis and generative AI to say,
let's start getting in front of this ID may be compromised because it's doing things it's not
supposed to do. For the past year and a half, this identity has been used from 9 a.m. to 5 p.m. local time at this geolocation.
And now it's 2 a.m. in a location around the world.
Should that raise a red flag?
Yeah, I would say it certainly would.
How widespread is that capability among folks who are in charge of protecting people's identities?
Is that a common practice yet?
Oh, I'd say it's in its nascent stage because organizations now see the advantage of using it and trying to take advantage of it.
But it's still relatively new.
It's not very different than if you go back to, say, 2007, when the new buzzword was,
oh, cloud computing is going to solve everything.
And a lot of people said, I want to use that.
But no one really knew how to yet, or not many people did.
And then eventually it became accepted practice.
And right now, you and I are using the cloud for this podcast.
So that's come a long way in that time.
And I think you're going to see generative AI and AI in general take the same sort of path, although it may be a bit faster than 15 years.
Because it is a wonderful tool that can do things like predictive analysis for anomalous behavior. Now, the bad guys like it because they can use it to steal identities
and compromise identities and attack systems and maybe hold them for ransom because they can use
the same techniques. They can use the same anomalous behavior or generative AI to predict
what should be happening and make it look like it's correct. So although that's a use I don't
endorse, it's going to happen. That's that
which direction is a weapon pointed, right? It's not an arms race, but I do believe that more and
more organizations are going to start using AI to help manage their identity and systems.
And it's not only just to protect an identity. They can improve their performance.
They can start saying, I don't need as much computing power. They can start directing their customers, their members, the identities they manage in the right places rather than having
to intercede to get that done. So I'd say five years from now, we're going to talk about how
much is being used and the new uses we hadn't even considered before.
Identity Management Day is April 9th.
Can you tell me about some of the initiatives that you and your colleagues will have in place?
I'm glad you asked.
I'd love to talk about Identity Management Day.
This is the fourth Identity Management Day,
which is hosted by IDSA. We co-hosted with, for the fourth year, with the National Cybersecurity
Alliance. They're the ones responsible for Cybersecurity Awareness Month. So a big,
large organization that we're happy to co-host with. As you said, it's April 9th this year.
It's also co-chaired by Saviynt.
And I want to talk about two other co-presenters. We have a number of sponsors as well, and I can
recommend everyone go to the website for that. But we have two other co-presenters, Identity XP,
which is based in Melbourne, Australia, and the Secure Identity Alliance, which is based in Brussels, but operates out of Paris. And the reason I'm
mentioning those two as co-presenters, this year, rather than just Identity Management Day in the
Americas, which was very successful last year, we had almost 1,200 attendees, and they represented
93 different countries around the world that attended Identity Management
Day.
So that gave us the idea to say, let's do Identity Management Day around the world.
So Identity XP in Melbourne will start it at midnight UTC, about 10 a.m.
Melbourne time on Tuesday the 9th.
Have a few hours of presentations and sessions.
They will also have an in-person event, but they'll
be doing everything online as well. Then there'll be about an hour or two break, and then we'll go
to EMEA, Europe, Middle East, and Africa, coming out of Paris, and they'll have a full set, a full
agenda of sessions on your day. And then we'll transition directly from EMEA to the Americas, where we'll have about seven hours of events,
six to seven hours of events. Now, in the Americas, in addition to all the great speakers,
I can talk about one in particular, we also have sponsors. And there's an exhibit hall,
which is open three times during the Americas event. It very much is going to feel like an in-person event
where you can go to an exhibitor booth
and you can click on a button to talk to someone there
or you can watch a video or you can download a document.
And to encourage that sort of activity,
there is gamification for the second year in a row.
And the more activities like that that you perform,
just like going to a booth and having
them stamp your card at an in-person event, the more activities you do, the more points you get.
And at the end of the day, we'll take those with the most points and have a drawing for prizes.
And that was very well liked last year as well. So our keynote speaker in the Americas,
I want to mention that real quickly, is Caleb Sima.
He is currently the chair of the Cloud Security Alliance, AI Security Alliance. Previously, he was a CSO of Robinhood and had a senior security role at credit companies. And he's
been in the space for quite a while. He's going to be talking about AI and its influence on identity, which you
and I have already talked about briefly. So I think that's going to be a great keynote. We have a bunch
of other great speakers. It's not to say the others aren't great, but I'm really looking forward to
hearing Caleb.
Well, I mean, it sounds as though this year you'll be able to brag that the sun
never sets on Identity Management Day, right?
Thank you. I'll give you attribution, but I'm going to use that.
Please, with my blessing.
That's Jeff Reich, Executive Director of the Identity Defined Security Alliance.
ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And finally, a vulnerability was discovered in an IBIS budget hotel lobby check-in terminal in Hamburg
by an employee of security firm Pentagrid.
The vulnerability leaked room keypad codes
for nearly half of the hotel rooms.
The security flaw became apparent
when a user entered a sequence of dashes,
dash, dash, dash, dash, dash,
instead of a valid alphanumeric booking ID into the terminal.
This peculiar input caused the terminal to erroneously display a list of bookings
complete with room numbers and keypad codes,
compromising the security of almost half the hotel rooms.
The vulnerability surfaced due to what appears to be a bug
or an overlooked test function within the terminal's software,
allowing for an unusual input form, a string of dashes,
to bypass the usual security measures that require a valid booking ID for room and code access.
This exploit was particularly alarming because it allowed anyone with physical access to the terminal,
particularly during unstaffed hours like nighttime,
to gain access to room information, and by extension, the rooms themselves,
without needing to provide any form of legitimate identification or booking confirmation.
The issue was reported to Accor, the hotel chain operator, beginning on January 1, 2024.
Despite initial challenges in communication and Accor's
reluctance to handle the report outside their preferred reporting program, Pentagrid persisted
with notifications. By January 26, Accor confirmed the vulnerability's reproduction and implemented
a fix. The vulnerability, rated medium severity, affected potentially several IBIS budget hotels
across Germany and Europe. Is it fair to say this vulnerability was found due to a security
professional having a dash of curiosity?
And that's The CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire@n2k.com.
N2K Strategic Workforce Intelligence optimizes the value
of your biggest investment, your people.
We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester with original music by Elliot Peltzman.
Our executive producers are Jennifer Iben and Brendan Karp.
Our executive editor is Peter Kilby and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
...and adaptable. That's where Domo's AI and data products platform comes in. With Domo,
you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents
connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.