CyberWire Daily - Hacked in plain sight.

Episode Date: February 26, 2025

A major employee screening provider discloses a data breach affecting over 3.3 million people. Signal considers exiting Sweden over a proposed law that would give police access to encrypted messages. House Democrats call out DOGE’s negligent cybersecurity practices. Critical vulnerabilities in Rsync allow attackers to execute remote code. A class action lawsuit claims Amazon violates Washington State’s privacy laws. CISA warns that attackers are exploiting Microsoft’s Partner Center platform. A researcher discovers a critical remote code execution vulnerability in MITRE’s Caldera security training platform. An analysis of CISA’s JCDC AI Cybersecurity Collaboration Playbook. Ben Yelin explains Apple pulling iCloud end-to-end encryption in response to the UK Government. A Disney employee’s cautionary tale.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
We are joined by Caveat podcast co-host Ben Yelin to discuss Apple pulling iCloud end-to-end encryption in response to the UK Government. You can read the article from Bleeping Computer here. Ben is the Program Director for Public Policy & External Affairs at University of Maryland Center for Health and Homeland Security. You can catch Caveat every Thursday here on the N2K CyberWire network and on your favorite podcast app.
Selected Reading
3.3 Million People Impacted by DISA Data Breach (SecurityWeek)
DOGE must halt all ‘negligent cybersecurity practices,’ House Democrats tell Trump (The Record)
Signal May Exit Sweden If Government Imposes Encryption Backdoor (Infosecurity Magazine)
Rsync Vulnerabilities Let Hackers Gain Full Control of Servers - PoC Released (Cyber Security News)
Lawsuit: Amazon Violates Washington State Health Data Law (BankInfo Security)
CISA Warns of Microsoft Partner Center Access Control Vulnerability Exploited in Wild (Cyber Security News)
MITRE Caldera security suite scores perfect 10 for insecurity (The Register)
CISA’s AI cybersecurity playbook calls for greater collaboration, but trust is key to successful execution (CyberScoop)
A Disney Worker Downloaded an AI Tool. It Led to a Hack That Ruined His Life. (Wall Street Journal)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network powered by N2K. Cyber threats are evolving every second and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Starting point is 00:00:39 Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. A major employee screening provider discloses a data breach affecting over 3.3 million people. Signal considers exiting Sweden over a proposed law that would give police access to encrypted messages. House Democrats call out DOGE's negligent cybersecurity practices. Critical vulnerabilities in Rsync allow attackers to execute remote code. A class action lawsuit claims Amazon violates Washington state's privacy laws. CISA warns that attackers are exploiting Microsoft's Partner Center platform.
Starting point is 00:01:32 A researcher discovers a critical remote code execution vulnerability in MITRE's Caldera security training platform. An analysis of CISA's JCDC AI cybersecurity collaboration playbook. Ben Yelin explains Apple pulling iCloud end-to-end encryption in response to the UK government, and a Disney employee's cautionary tale. It's Wednesday, February 26, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here.
Starting point is 00:02:23 It is great to have you with us. Texas-based DISA Global Solutions, a major employee screening provider, has disclosed a data breach affecting over 3.3 million people. DISA, which serves 55,000 customers with background checks and drug testing, reported that hackers accessed its systems from February 9 through April 22, 2024. The breach exposed names, social security numbers, driver's licenses, financial data, and more.
Starting point is 00:02:54 DISA conducted an extensive review to identify affected individuals and is offering one free year of credit monitoring. The company has not found evidence of data misuse and has not confirmed if ransomware was involved. No cyber criminal group has claimed responsibility. House Democrats have urged President Trump to halt Elon Musk's Department of Government Efficiency, DOGE, due to negligent cybersecurity practices that could expose sensitive federal systems to cyber
Starting point is 00:03:25 threats. Lawmakers warned that DOGE's reckless actions, including accessing networks at the Treasury, Office of Personnel Management, and Energy Department's nuclear programs, have created security risks. Many DOGE members lack government experience and have disrupted agencies, prompting legal challenges and congressional outcry. A group of 21 DOGE employees, formerly from the U.S. Digital Service, resigned in protest, refusing to compromise government security. Lawmakers, led by Representative
Starting point is 00:03:58 Jerry Connolly, have requested a briefing by March 11th to assess cybersecurity violations. Meanwhile, a U.S. District Court judge blocked the DOGE team from accessing Treasury payment systems, citing a rushed and flawed approval process under the Trump administration. Judge Jeanette Vargas ruled that Democratic Attorneys General were likely to succeed in proving Treasury acted illegally. She criticized the agency's chaotic handling of security risks and noted serious lapses in training and oversight. Signal is considering exiting Sweden over a proposed law that would allow
Starting point is 00:04:39 police to access encrypted messages retrospectively. Signal CEO Meredith Whittaker stated that complying would require breaking encryption, undermining the app's core purpose. If passed, the law would take effect in 2026. Sweden's police and security services support the bill, but the Swedish armed forces oppose it, warning it would introduce security vulnerabilities. Brigadier General Mattias Hanson even endorsed Signal for non-classified military communications. This follows a similar standoff in the UK, where Signal and Meta opposed encryption back doors in the Online Safety Act, leading the government to back down. Recently, the UK also pressured Apple to remove iCloud end-to-end encryption.
Starting point is 00:05:26 Security experts warn that such government demands undermine global security and user privacy. Critical vulnerabilities in Rsync versions 3.2.7 and earlier allow attackers to execute remote code, exfiltrate sensitive data, and bypass security controls. The most severe flaw is a heap buffer overflow in checksum handling, enabling memory corruption. Attackers can also bypass address space layout randomization and exfiltrate client files using checksum brute forcing. Additionally, symbolic link exploits allow attackers to evade Rsync's safe-links protection. Combining these flaws enables full remote code execution, with researchers
Starting point is 00:06:12 demonstrating exploitation on Debian 12's Rsync 3.2.7 daemon. Users must upgrade to Rsync 3.4 immediately, which patches these issues by implementing stricter bounds checking, stack buffer initialization, and improved path sanitization. Administrators should disable anonymous access and enforce safe-links for untrusted connections to prevent breaches. A proposed federal class action lawsuit alleges Amazon's Software Development Kit illegally collects and sells sensitive user data, violating Washington's My Health, My Data Act. Plaintiff Cassandra Maxwell claims Amazon's SDK, embedded in thousands of mobile apps,
Starting point is 00:07:01 tracks location and biometric data without user consent. Filed on February 20, this is the first lawsuit invoking the My Health, My Data Act since it took full effect in 2024. Maxwell alleges Amazon's data collection could reveal health-related searches or visits. The lawsuit seeks damages, penalties, and injunctive relief. Amazon denies the claims, stating it prohibits partners from sharing health or precise location data and discards any mistakenly received information. Legal experts predict more lawsuits under the My Health, My Data Act
Starting point is 00:07:38 with implications for health care and app developers. CISA issued an urgent advisory warning that attackers are exploiting a critical privilege escalation flaw in Microsoft's Partner Center platform. The vulnerability allows unauthenticated attackers to gain elevated privileges, potentially accessing sensitive data and spreading malware. Initially rated 8.7 on the CVSS scale, it was later upgraded to 9.8 due to its severity. Microsoft has patched the issue automatically, but CISA mandates federal agencies to apply updates by March 18. Organizations are urged to enforce
Starting point is 00:08:20 network segmentation, audit access controls, and adopt zero trust principles. The flaw's impact on Microsoft's partner ecosystem raises supply chain security concerns. CISA advises businesses to follow cloud security best practices and monitor Microsoft advisories. A critical remote code execution vulnerability in MITRE's Caldera security training platform has been discovered, affecting all versions since 2017 except the latest patched release. Security researcher Dawid Kulikowski urges users to update immediately as the flaw allows attackers to hijack the platform remotely, particularly in default configurations. Caldera, widely used for adversary emulation, relies on Go, Python, and GCC, conditions
Starting point is 00:09:13 often met in real-world setups. The vulnerability exploits an unauthenticated API endpoint, allowing attackers to manipulate Manx and Sandcat agents via crafted HTTPS requests. Developers were aware the endpoint lacked authentication, heightening the risk. Kulikowski published a partial proof of concept while omitting key details to prevent easy exploitation. Users should apply patches or restrict access to prevent unauthorized attacks. In an editorial for CyberScoop, cybersecurity expert Sam Kinch discusses the growing threat of AI-driven cyberattacks and the importance of the JCDC AI Cybersecurity Collaboration
Starting point is 00:09:59 Playbook recently released by CISA. Kinch is currently an executive client advisor at Tanium, and previously served as director of the Department of Homeland Security's technical security team and as a senior executive to the commander at U.S. Cyber Command. He argues that as adversaries weaponize AI, defenders must respond in kind, leveraging AI for security while improving coordination between public and private sectors. Kinch praises the playbook's focus on operational collaboration, highlighting its structured information sharing checklist and
Starting point is 00:10:35 improved coordination between federal, private, and international partners. However, he warns that delays in intelligence sharing, particularly between DHS and other federal agencies, could hinder rapid response efforts. He emphasizes that trust is key to successful cybersecurity collaboration, urging clearer protocols and stronger protections for private sector partners hesitant to share threat data. While commending CISA's proactive approach, Kinch stresses that industry leaders must take responsibility for implementing and
Starting point is 00:11:09 refining the playbook to strengthen national AI-driven cybersecurity defenses. Coming up after the break, Ben Yelin explains Apple's pulling iCloud end-to-end encryption in response to the UK government and a Disney employee's cautionary tale. Stay with us. We've all been there. You realize your business needs to hire someone yesterday. How can you find amazing candidates fast? Well, it's easy. Just use Indeed.
Starting point is 00:12:01 When it comes to hiring, Indeed is all you need. Stop struggling to get your job post noticed. Indeed's Sponsored Jobs helps you stand out and hire fast. Your post jumps to the top of search results so the right candidates see it first. And it works. Sponsored jobs on Indeed get 45% more applications than non-sponsored ones. One of the things I love about Indeed is how fast it makes hiring. And yes, we do actually use Indeed for hiring here at N2K Cyberwire. Many of my colleagues here came to us through Indeed. Plus, with sponsored jobs, there are no subscriptions, no long-term contracts.
Starting point is 00:12:41 You only pay for results. How fast is Indeed? Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed, according to Indeed data worldwide. There's no need to wait any longer. Speed up your hiring right now with Indeed. And listeners to this show will get a $75 sponsored job credit to get your jobs more visibility at Indeed.com slash cyberwire.
Starting point is 00:13:08 Just go to indeed.com slash cyberwire right now and support our show by saying you heard about Indeed on this podcast. Indeed.com slash cyberwire. Terms and conditions apply. Hiring? Indeed is all you need. Cyber threats are more sophisticated than ever. Passwords? They're outdated and can be cracked in a minute. Cyber criminals are intercepting SMS codes and bypassing authentication apps.
Starting point is 00:13:43 While businesses invest in network security, they often overlook the front door, the login. Yubico believes the future is passwordless. YubiKeys offer unparalleled protection against phishing for individuals, SMBs and enterprises. They deliver a fast, frictionless experience that users love. Yubico is offering N2K followers a limited buy one get one offer. Visit yubico.com slash N2K to unlock this deal. That's Y-U-B-I-C-O. Say no to modern cyber threats.
Starting point is 00:14:18 Upgrade your security today. And joining me once again is Ben Yelin. He is from the University of Maryland Center for Health and Homeland Security, but much more important than that, he is the co-host on the Caveat Podcast with yours truly. Ben, it's great to have you back. Great to be with you again, Dave. I want to touch base with you on what's been going on with Apple and the UK government here. Some interesting movements. Can you describe for us what's going down?
Starting point is 00:14:54 Sure. So this was first reported in the United States by the Washington Post. The British government made a request to Apple and presumably to other big tech companies, although we don't have any detail on those other companies, to allow a backdoor into encrypted iCloud data. This comes from a law called the Investigatory Powers Act of 2016, which allowed the British government to compel companies to turn over data and communications for both law enforcement and intelligence agencies.
Starting point is 00:15:24 So it was leaked that Apple had received this request, and this prompted concern not just in the United Kingdom, but worldwide. We have data sharing agreements between the US and the UK, so there was concern expressed by members of the United States Congress that if the UK was seeking this back door into Apple's encrypted communications, that could have an impact on US consumers. Also, for intelligence gathering purposes, we're part of the Five Eyes intelligence alliance of English-speaking countries, and if we're sharing intelligence with one another,
Starting point is 00:15:58 then this could have a significant impact on U.S. persons' communications potentially. So there is kind of an expectation or at least concern that Apple, despite standing up to governments in the past, might have to comply with this demand to stay in the market in the United Kingdom. And Apple, instead of doing so, decided to no longer offer its advanced data protection feature in the UK. So users in the UK, starting as we're recording this this coming Friday,
Starting point is 00:16:31 will no longer have the capability to encrypt their iCloud data, messages, notes, photos, iPhone backups, etc. So this is major news for consumers of Apple products in the United Kingdom. UK users are going to get a notice on their applications saying that this advanced data protection feature, which Apple has established to put itself at the forefront of efforts to protect user privacy, is not going to be available in Britain. So it's certainly a major news story. It's interesting to me how Apple announced this without acknowledging the request from the UK government to build in the back door.
Starting point is 00:17:15 They're just sort of saying, because reasons, we can no longer offer this in the UK. Yeah, presumably they're subject to a gag order, which is why they can't actually reference this order. I think people who've been following the news can read between the lines and understand why Apple said, due to circumstances, quote, unquote, we are no longer able to offer this advanced data protection feature. I think Apple is calling the UK government's bluff, and they are hoping that by removing this feature, enough UK Apple users will be angry and will complain to their members of Parliament that
Starting point is 00:17:53 the government will drop its request to create this backdoor to users' cloud data. But you don't know what the British government is going to prioritize. Maybe they're more concerned about access to valuable law enforcement and counterintelligence information than they are about angry Apple users. So it remains to be seen how the UK is going to react to Apple's decision. But I think it's certainly encouraging from a privacy perspective that Apple, as it did in the United States with the San Bernardino terrorist iPhone back in 2015-2016, is standing up to a government that's trying to force it to create this back door.
Starting point is 00:18:36 And it means that they take user privacy very seriously. At the risk of being highly speculative here, what if I'm using some other company's end-to-end encrypted app in the UK? I'm using Facebook Messenger, for example. Use it at your own risk, Mr. Bittner. What I'm asking is, should I assume a back door? If a back door was allegedly requested from Apple, should I assume that the UK government also requested a back door from Meta, and that since we've heard nothing from Meta, perhaps the back door was granted? I don't know if you can assume it,
Starting point is 00:19:19 but it's certainly something you can take into consideration if you use encrypted applications, and if you rely on them to keep your communications private. I think it would be naive to believe that the UK government only made this demand of one tech company and not the other companies that use end-to-end encrypted applications. We don't have any facts and evidence that indicate that to us at this time.
Starting point is 00:19:44 But yes, I think it would cause a prudent person to be careful and to be cognizant of the fact that the UK is trying to claim these powers. They are trying to use the Investigatory Powers Act to gain backdoors into these company systems. So yes, I think it's cause for concern and cause for users of some of these other end-to-end encrypted applications to be wary of using them in the United Kingdom. Well, Ben Yelin is from the University of Maryland Center for Health and Homeland Security and also my co-host on the Caveat Podcast where we discuss cyber law and policy.
Starting point is 00:20:23 So if you have not already done so, please do check out that podcast. We have a good conversation every week. Ben, thanks so much for joining us. Thank you.
Starting point is 00:20:41 Do you know the status of your compliance controls right now? Like right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
Starting point is 00:21:00 But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist, Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
Starting point is 00:21:39 That's vanta.com slash cyber for $1,000 off. And finally, The Wall Street Journal chronicles how Disney employee Matthew Van Andel's life fell apart because of a simple mistake, downloading an AI tool from GitHub. A software development manager, he thought he was experimenting with AI-generated images. Instead, he unknowingly installed malware that gave a hacker full access to his computer, including his Disney login credentials. For months, the hacker lurked undetected, collecting Van Andel's passwords and session cookies. Then, in July of last year, a chilling message arrived on Discord. A stranger knew about a private conversation Van Andel had at lunch with co-workers, details
Starting point is 00:22:41 no outsider should have. Minutes later, Disney's internal Slack messages began appearing online. The hacker used Van Andel's credentials to breach the company's systems, leaking 44 million sensitive messages, including private customer data, employee passport numbers, and financial reports. Disney's cybersecurity team scrambled to contain the fallout, but the damage was done. Meanwhile, Van Andel's personal nightmare worsened. The hacker drained his bank accounts, stole his social security number, and even accessed
Starting point is 00:23:16 his home security cameras. His private information was dumped online, leaving him exposed to identity theft. Then came another blow. Disney fired him. The company's forensic review claimed he had accessed pornography on his work device, an allegation he vehemently denies. It's impossible to convey the sense of violation, he said. The incident highlights the growing dangers of AI-driven cyber threats. Hackers are increasingly using info-stealers, malicious software hidden inside downloads,
Starting point is 00:23:50 to collect credentials, which are then resold on the dark web. Stolen credentials were behind nearly 40% of cyber intrusions in 2024, up from just 20% the year before. Van Andel's story is a cautionary tale for both individuals and corporations. As companies expand remote work and AI adoption, attackers are finding new ways to exploit unsuspecting users. One careless download was all it took to bring down a Disney employee and compromise an entire company's security. And that's the CyberWire. We'd love to know what you think of this podcast.
Starting point is 00:24:44 Your feedback ensures we deliver the insights that keep us a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. This episode was produced by Liz Stokes. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester, with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Eiben, Peter Kilpe is our publisher, and I'm Dave Bittner.
Starting point is 00:25:18 Thanks for listening. We'll see you back here tomorrow. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached.
Starting point is 00:26:21 Protect your executives and their families 24-7-365 with Black Cloak. Learn more at blackcloak.io.
