CyberWire Daily - How people get over on the content moderators.
Episode Date: October 23, 2023

Okta discloses a data exposure incident. Cisco works to fix a zero-day. DPRK threat actors pose as IT workers. The Five Eyes warn of AI-enabled Chinese espionage. Job posting as phishbait. The risk of... first-party fraud. Hacktivists trouble humanitarian organizations with nuisance attacks. Content moderation during wartime. Malek Ben Salem of Accenture describes code models. Our guest is Joe Oregon from CISA, discussing the tabletop exercise that CISA, the NFL, and local partners conducted in preparation for the next Super Bowl. And the International Criminal Court confirms that it's sustained a cyberespionage incident.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/202

Selected reading.
Okta says hackers used stolen credentials to view customer files (Record)
Cisco discloses new IOS XE zero-day exploited to deploy malware implant (BleepingComputer)
Additional Guidance on the Democratic People's Republic of Korea Information Technology Workers (IC3)
A stern glance from all Five Eyes. (CyberWire)
DarkGate malware campaign (WithSecure)
The Fraud Next Door: First-Party Fraud Runs Rampant in America (PR Newswire)
Cyberattacks Intensify on Israeli and Palestinian Human Rights Groups (Wall Street Journal)
Israel's burial society website comes under cyberattack (Jerusalem Post)
Sheba Medical Center Hit by Cyber Attack (Jewish Press)
Health Ministry disconnects the remote connection of several hospitals following cyber attack (Jerusalem Post)
EU asks Meta, TikTok to account for their response to Israel-Hamas disinformation (Record)
Pro-Palestinian creators use secret spellings, code words to evade social media algorithms (Washington Post)
Web Summit CEO resigns after comments on Israel-Hamas conflict (Reuters)
YouTube is Autogenerating Videos for Songs Advocating the Expulsion of Muslims from India (bellingcat)
Palestinians Claim Social Media 'Censorship' Is Endangering Lives (WIRED)
International Criminal Court says cyberattack was attempted espionage (TechCrunch)
War crimes tribunal says September cyberattack was act of espionage (Record)
International Criminal Court investigating "unprecedented" cyberattack (Cybernews)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Okta discloses a data exposure incident.
Cisco works to fix a zero-day.
DPRK threat actors pose as IT workers.
The Five Eyes warn of AI-enabled Chinese espionage.
Job posting as phishbait.
The risk of first-party fraud.
Hacktivists trouble humanitarian organizations with nuisance attacks.
Content moderation during wartime.
Malek Ben Salem from Accenture describes code models. Our guest is Joe Oregon from CISA discussing the tabletop exercise that CISA, the NFL, and local partners conducted in preparation for the next Super Bowl.
And the International Criminal Court confirms that it sustained a cyber espionage incident.
I'm Dave Bittner with your Cyber Wire Intel briefing for Monday, October 23rd, 2023.
Identity and access management company Okta has disclosed a data breach affecting some of the company's customers.
The company stated, "The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases. It should be noted that the Okta support case management system is separate from the production Okta service, which is fully operational and has not been impacted. In addition, the Auth0/CIC case management system is not impacted by this incident."
Krebs on Security notes that it appears the hackers responsible had access to Okta's support platform for at least two weeks before the company fully contained the intrusion.
Cisco has disclosed a new zero-day vulnerability that was used to deploy malware on IOS XE devices compromised by another zero-day the company disclosed last week, BleepingComputer reports.
According to data from Censys, as of October 18th, nearly 42,000 Cisco devices had been compromised by the backdoor, though that number is steadily falling.
Cisco said in an update on Friday that fixes for both vulnerabilities are estimated to be available on October 22nd.
The FBI has issued a public service announcement offering guidance to the international community,
the private sector, and the public to better understand and guard against the inadvertent
recruitment, hiring, and facilitation of North Korean IT workers.
The Bureau notes that the hiring or supporting of DPRK IT workers continues to pose many risks,
ranging from theft of intellectual property, data, and funds, to reputational harm and legal consequences,
including sanctions under U.S., ROK, and United Nations authorities.
In an unprecedented joint call by Five Eyes counterintelligence leaders last Tuesday,
the officials called out Beijing for what they characterized as theft of intellectual property
on an unprecedented scale. The Five Eyes, Australia, Canada, New Zealand,
the United Kingdom, and the United States,
called on industry and universities
to help counter this threat of Chinese espionage.
This espionage is nothing new,
but what the Five Eyes find particularly unsettling
is the use of artificial intelligence in these campaigns.
AI can amplify and augment an already serious threat.
The Five Eyes' counterintelligence leads
have been unusually open in their assessment
of the Chinese espionage threat.
They took their concerns to the broader public
in a joint appearance on CBS News' 60 Minutes yesterday evening.
They clearly want as many people to get the message as possible.
WithSecure is tracking a cluster of Vietnamese cybercriminal groups that are using phony job postings to distribute malware-laden documents. The researchers say the WithSecure detection and response team detected and identified multiple DarkGate malware infection attempts against WithSecure managed detection and response customers in the US, UK, and India.
It rapidly became apparent that the lure documents and targeting were very similar to recent Ducktail infostealer campaigns, and it was possible to pivot through open-source data from the DarkGate campaign to multiple other infostealers, which are very likely being used by the same actor or group.
The criminals are primarily interested in stealing information and hijacking Facebook business accounts.
Socure has published a report finding that first-party fraud costs U.S. financial institutions more than $100 billion per year.
First-party fraud sounds exotic, but it's just fraud where those who commit it use their own identity.
Additionally, the survey found that more than one in three Americans admit to committing first-party fraud themselves.
The researchers explain, this includes requesting a refund on an online purchase by falsely claiming that a delivery has been lost, choosing not to pay off credit card bills indefinitely, making a purchase through a buy-now-pay-later loan or maxing out a credit card with no intention of paying it off, or disputing a legitimate financial transaction.
Pro-Hamas, or at least anti-Israeli, hacktivists disrupted some online services in an unspecified cyber attack against Tel Aviv's Sheba Medical Center at Tel Hashomer.
The hospital took itself offline and reverted to manual operations, but patient care has continued.
The Jerusalem Post reports that the Israeli Health Ministry
has disconnected several other hospitals from the Internet as a precautionary measure.
The Jerusalem Post also reports that the website of the Israeli Chevra Kadisha,
Jewish Burial Society, was defaced Saturday with antisemitic slurs and images.
These incidents appear to be instances of a larger trend.
It's important to note that Palestinian as well as Israeli organizations have been affected.
The Wall Street Journal reports that humanitarian organizations
serving people on both sides of the conflict have increasingly come under hacktivist attack.
The European Commission is waiting for a satisfactory response from X, TikTok, and Meta to allegations that they're out of compliance with the anti-disinformation and anti-hate speech provisions of the EU's Digital Services Act.
The European Commission's inquiries are directed principally against disinformation and hate speech aligned with Hamas.
But content moderation, ineffectual as it may have been,
has apparently had adverse effects on the Palestinian population in Gaza.
Wired describes some of the ways in which moderation amounts to shadow banning.
Reports say that it can make it difficult for Palestinians to share warnings,
information about basic necessities,
and personal news concerning family members.
Eastern Europe and the Middle East aren't the only regions where conflict is outrunning platforms' content moderation capabilities.
Bellingcat describes how Hindu nationalists
are taking advantage of YouTube's Art Tracks auto-generation functionality
to produce Hindutva pop.
The genre is associated, Bellingcat says, with incitement to violence against Muslims
and with calls for Muslim expulsion from India.
Content moderation has remained notoriously labor-intensive and difficult.
It becomes more so as people determined to communicate come up with
code words, slang, typographic substitutions, and the like. Their hope is to slip past automated
gatekeepers. The Washington Post has an account of how, for better or for worse, pro-Palestinian
social media users are employing these types of measures to circumvent platforms' content moderation.
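The evasions just described (typographic substitutions, invisible characters, look-alike letters) defeat keyword filters that compare raw strings. The following Python is an added example, not code from the episode or from any platform it mentions; it shows a naive filter missing several constructed obfuscations of one sample keyword and a normalization pass that catches them. The keyword, the confusables table and the sample posts are constructed for illustration. Normalization does nothing for code words or slang, which need curated lexicons and human review rather than character folding.

```python
"""Added example (not from the CyberWire episode): a raw-string keyword
filter misses typographic obfuscation; normalizing first closes those
cases. Keyword, confusables table and sample posts are constructed."""
import unicodedata

# Invisible characters used to split a word without changing how it looks.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff", "\u00ad"}

# Hand-picked look-alikes and leetspeak; a production filter would generate
# this from Unicode's confusables data (assumption: extend as needed).
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i", "|": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",  # Cyrillic с х у і
}


def normalize(text):
    """Fold text into a canonical lowercase form before matching."""
    text = unicodedata.normalize("NFKC", text)           # fullwidth letters, ligatures
    text = "".join(ch for ch in text if ch not in ZERO_WIDTH)
    text = "".join(ch for ch in unicodedata.normalize("NFD", text)
                   if not unicodedata.combining(ch))       # strip diacritics
    text = text.lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def squash(text):
    """Normalized text with every separator removed: 'c.e.a.s.e' -> 'cease'."""
    return "".join(ch for ch in normalize(text) if ch.isalnum())


def naive_match(text, keywords):
    """What a raw-string filter does: case-fold, then substring-match."""
    low = text.lower()
    return [k for k in keywords if k in low]


def robust_match(text, keywords):
    """Match against both the normalized and the squashed forms."""
    norm, sq = normalize(text), squash(text)
    return [k for k in keywords if k in norm or k in sq]


KEYWORDS = ("ceasefire",)

# Constructed sample posts, each spelling the keyword differently.
SAMPLE_POSTS = [
    "c3asef!re now",               # leetspeak
    "cease\u200bfire now",         # zero-width space inside the word
    "\u0441easefire now",          # Cyrillic es as the first letter
    "c.e.a.s.e.f.i.r.e now",       # punctuation between letters
    "c e a s e f i r e now",       # spaces between letters
    "\uff43\uff45\uff41\uff53\uff45\uff46\uff49\uff52\uff45 now",  # fullwidth
    "c\u00e9ase\ufb01re now",      # accented e and the "fi" ligature
]


def evasion_report(posts=SAMPLE_POSTS, keywords=KEYWORDS):
    """Return (naive hits, robust hits) across the sample posts."""
    naive = sum(1 for p in posts if naive_match(p, keywords))
    robust = sum(1 for p in posts if robust_match(p, keywords))
    return naive, robust


if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        print(f"{post!r:45} naive={naive_match(post, KEYWORDS)} "
              f"robust={robust_match(post, KEYWORDS)}")
    print("naive hits, robust hits:", evasion_report())
```

Two trade-offs are built in on purpose: squashing ignores word boundaries, so a keyword can also match across two adjacent words, and the leetspeak map rewrites ordinary digits as letters. Both mean a robust hit is better treated as a signal for review than as grounds for automatic removal.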
And finally, TechCrunch reports that the International Criminal Court has confirmed
that a cyber attack it sustained last month was indeed cyber espionage. The ICC said,
the attack can therefore be interpreted as a serious attempt to undermine the court's mandate.
It looks like a government-sponsored operation.
The ICC hasn't determined what government is behind the attack, but it's almost certainly Russia. Moscow has been determinedly hostile to the court since the ICC issued a warrant for
President Putin's arrest. Russia retaliated by issuing its own arrest warrants for the court's
president, deputy, chief prosecutor, and one judge.
The ICC expects to be the target of disinformation campaigns designed to destroy its legitimacy.
It views September's cyber espionage as preparatory work for that disinformation.
The ICC has briefly outlined the steps it's taken to mitigate the attack and says that Dutch police are investigating.
Coming up after the break, Malek Ben Salem from Accenture describes code models. Our guest is
Joe Oregon from CISA discussing the tabletop exercise that CISA, the NFL, and local partners conducted
in preparation for the next Super Bowl. Stay with us.
Joseph Oregon is chief of cybersecurity for CISA Region 9, where they recently collaborated with security professionals from the NFL, as well as local partners, for a tabletop exercise exploring potential vulnerabilities around this season's Super Bowl. For Joseph Oregon,
it's a prime example of the type of partnering that CISA hopes to promote.
A tabletop exercise, in a nutshell, it's an informational, kind of a discussion-based
walkthrough of different scenarios, and they're created or customized by us, by CISA, to help stakeholders address their roles and responsibilities during
a specific incident. So as an example, we may help stakeholders by creating a scenario which
helps them walk through how they would respond to a ransomware incident or maybe even an incident
response plan or a physical incident at their location. So I'll take a moment just to highlight that this resource and the fact that CISA's regional offices
and our headquarters elements have dedicated professionals who help craft tabletop exercises for partners is for free, right?
And something that a lot of organizations, whether they're public or private,
kind of leverage
because it comes with a lot of benefits.
We have an actual team
that will work with organizations
that will actually deploy out to a location,
help them walk through the scenario.
We try to look at it from a humble approach.
So we help facilitate,
but we actually take our cues from those partners. So the NFL is one such partner who reached out to CISA, and because of their
involvement with the Super Bowl and various other events, they've partnered with
CISA in order to put on a tabletop exercise that not only covers what they
do within the NFL to manage particular incidents, but also to understand how private sector and
public sector entities in the location of their event manage an incident. So really it's this huge collaboration, as an example of
private and public sector entities that are coming together and walking through
this tabletop exercise. And to your initial point, David, with regards to
why they approached CISA,
And it's more so as looking at as a collaborative relationship, right?
They know that we are a government, you know, that we are a government agency.
And that's the operational lead for federal cybersecurity and national coordination for critical infrastructure,
security, and resilience, knowing that they want to make sure that, you know, they're kind of checking the boxes as well and kind of understand the processes from a federal government perspective.
And so they reach out and they work with us and work with the local partners there to
kind of get involved and provide that assistance or not assistance
rather, but provide that awareness of the events and what they look for as it pertains to security
and security scenarios that they can walk through with both public and private sector.
What's your message to folks who aren't operating at the scale or level of someone like the NFL, you know,
an organization that's in, you know, one of the 50 states and perhaps has a manufacturing facility
or, you know, something of moderate scale, think that they may want to reach out and start a
relationship with CISA. Is that something that you're looking to encourage? Oh, we encourage it all the time.
And the fact that we work for this example that we used earlier with the NFL, we work with organizations that vary in all kinds of sizes, whether they're private or public.
We work through K-12 and cities and counties.
We work with critical infrastructure such as water and wastewater.
We work a number of
state partners as well as private sector partners. So as we look at smaller organizations that are
looking to leverage resources that the federal government provides for free, so as in this case,
a tabletop exercise, we facilitate those resources to our partner sets across the board.
So we'd heavily encourage our partners, if they're interested, to definitely reach out to the CISA reps that we do have in the field,
or they can go to our website at cisa.gov to identify who those points of contact might be in the respective state.
I'd like to make a quick note, and that we're going into Cyber Awareness Month. So on
September 29th today, CISA officially kicks off our 20th Cybersecurity Awareness Month. So
throughout October, the month of October, CISA and our cooperative agreement recipients,
the National Cybersecurity Alliance, will focus on ways to secure our world. We educate individuals
and organizations on how to stay
safe online. So this is a collaborative effort between government and industry
to enhance cybersecurity awareness on a national and global scale. We're trying to build off of
last year's measures, that is using strong passwords and password managers, turning on
multi-factor authentication, recognizing and reporting phishing, and finally updating software.
So we're building off that strong message.
And as we look at CISA, what we're trying to do is help shape behavior
and behavioral change by adopting and improving ongoing cybersecurity habits
that reduce risk while online or on a connected device.
That's Joseph Oregon, Chief of Cybersecurity for CISA Region 9.
And joining me once again is Malek Ben-Salem.
She is the Managing Director for Security and Emerging Technology at Accenture.
Malek, it's always great to welcome you back.
I want to talk today about code models.
There's been a lot of excitement here with AI and some of the tools that can help people here. Can you unpack this for us here? What are we talking about? Yeah, absolutely. I mean, we've seen over the
past year, we've seen lots of large language models being published or announced. Some of
those large language models that generate text, they also generate code, right?
Source code, so Java code, Python code, et cetera.
Some are even dedicated to generated code.
So they don't generate regular text, but just focused on code.
Some of them are open source, others are proprietary.
But many of my clients are really interested in deploying, at least experimenting with these code models and potentially deploying them to help with application development.
And even the numbers that Gartner has published do support that.
Gartner, for example, expects that 15% of the new applications will be automatically augmented development and testing strategy by 2025, so just in two years.
code models is to think through some of the potential risks and considerations as they select the right code model.
So as I mentioned, some of these code models have been trained using open source data.
Others have been trained using proprietary data. And so those two different types of training approaches or data sets carry with them potential liability risks and IP ownership risks.
You're probably aware of certain lawsuits going on against certain models where, you know, open source repo contributors
are claiming ownership or at least some of IP ownership or copyright infringement of the code
that they have contributed to those repos. So that may carry some liability for the end users of these models, the organizations developing
these models. And that question of IP ownership is not clear. So does the code generated by,
suppose if you're deploying a code model within your organization, does the code generated by
that model, is that owned by you as the organization? Is that owned by the vendor who's providing that
code model for you? Or is it owned by the developers who contributed the training data
for that model? You know, that's a gray area. So that's something to keep in mind. I mean, I'm not discouraging clients to experiment and think through their use cases.
I think there are tremendous benefits in terms of developer productivity, but I'd like to highlight some of the risks.
The other thing I'd like to point out is, you know, definitely there are improvements in efficiency.
But I think at this point, at least these code models can work well with developers.
They're wonderful pair programmers, but I don't think they're ready for completely,
you know, generating code on their own. The capability is not there, but also there are security risks
associated with that. So it has been shown that these models generate code that may work
functionally, but carries some security vulnerabilities. And that's not really surprising
because it's been trained with code, you know, that's out there in the public, open source code, that carries some and may be riddled with security vulnerabilities.
And they're mimicking or regenerating those types of vulnerabilities.
So if you're considering deploying these code models, I think it's critical to double down on your security scanning processes. Make sure that you perform
SAST scans, source code scans, to discover these types of vulnerabilities. The other thing to consider is in the long term. I'm sure the performance of these code models will improve in the long term.
to retrain those code models so that they generate source code that is secure,
that is not exploitable through those zero days,
is much longer than the time it would take
the security scanning companies, if you will,
to be able to detect that type of zero-day attack.
So again, that's another consideration to think through as you're assessing the value
and risk of the use and deployment of these code models.
Yeah, it really strikes me as being, I mean, is it fair to say it's a supply chain risk here?
I mean, you think about, I think about open source software and how we've seen examples
of, you know, people inserting bad things into popular libraries and so on and so forth.
But, you know, that has the eyes of the community on it, where we think about LLMs as being kind of a black box here.
It seems to me that's a significant difference.
Yeah, absolutely.
I think that's one piece of it.
There is a supply chain risk as well,
or in this case, a data poisoning risk
if the security vulnerabilities are inserted on purpose.
Definitely one risk.
And in other cases, you can opt for proprietary models or models that have been trained with proprietary data.
But it's important to understand the trade-offs.
It's important to also compare these models with respect to the quality of their output. And they vary significantly, right? Their performance
varies significantly. And luckily, there has been some data sets published for benchmarking
these models. So organizations can do that as part of the due diligence as they're selecting
the right code model for their organization.
But overall, I think what I'll recommend is use them as pair programmers.
Use them for tasks like quick code translation or explanation.
I don't think they're ready for independent code generation.
And definitely, you know, focus on your source code security testing and other types of application
testing to deploy or to adopt these models safely.
Kind of think of them as your junior partner, right?
Someone who can help you, but you got to keep an eye on them.
Yeah.
All right. Yep. Absolutely.
All right.
All right. Malek Ben Salem, thank you so much for joining us.
Thanks for having me.
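To make the point of the interview concrete, here is an added Python example (not code from the episode, from Accenture, or from any code model): a query helper of the kind a code assistant tends to produce, functionally correct but injectable; its parameterized counterpart; and a minimal AST-based check of the sort a SAST tool performs, flagging DB-API execute() calls whose SQL text is built at runtime. The schema, the sample source and the function names are constructed for illustration, and the checker is deliberately simplified: it is flow-insensitive and only follows names assigned a dynamic string earlier in the same function.

```python
"""Added example (not from the CyberWire episode): a code-model-style query
helper that is functionally correct but SQL-injectable, its parameterized
fix, and a minimal SAST-style AST check that flags the unsafe one.
Schema, sample source and names are constructed for illustration."""
import ast
import sqlite3

# Constructed sample source. The same text is executed (below) and scanned,
# so the scanner's findings refer to the code that actually runs.
SAMPLE_SOURCE = '''
def find_user_vulnerable(conn, name):
    # Typical code-model output: works for "alice", but builds SQL from input.
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()

def find_user_safe(conn, name):
    # Hardened form: the driver binds the value, so quotes in it carry no meaning.
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()
'''

_ns = {}
exec(SAMPLE_SOURCE, _ns)
find_user_vulnerable = _ns["find_user_vulnerable"]
find_user_safe = _ns["find_user_safe"]


def make_db():
    """In-memory SQLite database with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


class SqlInjectionFinder(ast.NodeVisitor):
    """Flags DB-API execute() calls whose SQL argument is built at runtime.

    Simplified on purpose: flow-insensitive, and it only follows names
    assigned a dynamic string earlier in the same function.
    """
    EXEC_METHODS = {"execute", "executemany", "executescript"}

    def __init__(self):
        self.findings = []          # (function name, line number)
        self.current = "<module>"
        self.tainted = set()

    def visit_FunctionDef(self, node):
        self.current, self.tainted = node.name, set()
        self.generic_visit(node)

    def visit_Assign(self, node):
        if self._is_dynamic(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    self.tainted.add(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        if (isinstance(node.func, ast.Attribute)
                and node.func.attr in self.EXEC_METHODS
                and node.args and self._is_dynamic(node.args[0])):
            self.findings.append((self.current, node.lineno))
        self.generic_visit(node)

    def _is_dynamic(self, expr):
        if isinstance(expr, ast.JoinedStr):                        # f"..."
            return True
        if isinstance(expr, ast.BinOp) and isinstance(expr.op, (ast.Add, ast.Mod)):
            return True                                            # "..." + x, "..." % x
        if (isinstance(expr, ast.Call) and isinstance(expr.func, ast.Attribute)
                and expr.func.attr == "format"):
            return True                                            # "...".format(x)
        return isinstance(expr, ast.Name) and expr.id in self.tainted


def scan_source(source):
    """Return (function, line) pairs for every dynamically built SQL execution."""
    finder = SqlInjectionFinder()
    finder.visit(ast.parse(source))
    return finder.findings


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, payload))   # both rows leak
    print("safe:      ", find_user_safe(db, payload))         # []
    print("findings:  ", scan_source(SAMPLE_SOURCE))
```

Run stand-alone, the vulnerable helper returns every row for the constructed payload while the parameterized one returns nothing, and the scanner reports only the vulnerable function. A real SAST tool does the same thing with proper data-flow analysis across functions and modules; the point here is that the check is cheap enough to run on every model-generated change.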
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
You can email us at cyberwire at n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like The Cyber Wire
are part of the daily intelligence routine
of many of the most influential leaders and operators in the public and private sector,
as well as the critical security teams supporting the Fortune 500. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben.
Our mixer is Tré Hester with original music by Elliott Peltzman.
The show was written by our editorial staff.
Our executive editor is Peter Kilpe and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.