CyberWire Daily - It’s always DNS, but that may just be FUD.

Episode Date: February 14, 2024

It’s always DNS, but that may just be FUD. The DoD notifies victims of a cloud email server leak. New Jersey cops sue online data brokers. Crooks use WiFi jammers to thwart security systems. A copyright case against OpenAI is partially dismissed. Patch Tuesday includes two actively exploited zero days. CharmingCypress gathers political intelligence. Ann Johnson from Microsoft Security’s Afternoon Cyber Tea podcast talks with Frank Cilluffo, Director for Cyber and Critical Infrastructure Security at the McCrary Institute of Auburn University, about cyber and critical infrastructure. And beware Cupid’s misleading arrow.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Ann Johnson from Microsoft Security’s Afternoon Cyber Tea podcast talks with Frank Cilluffo, Director for Cyber and Critical Infrastructure Security at the McCrary Institute of Auburn University, about cyber and critical infrastructure. Check out the episode with the full conversation between Ann and Frank here.

Selected Reading
KeyTrap DNS Attack Could Disable Large Parts of Internet: Researchers (SecurityWeek)
US military notifies 20,000 of data breach after cloud email leak (TechCrunch)
New Jersey law enforcement officers sue 118 data brokers for not removing personal info (The Record)
Minnesota burglars are using Wi-Fi jammers to disable home security systems (TechSpot)
Sarah Silverman’s lawsuit against OpenAI partially dismissed (The Verge)
Microsoft February 2024 Patch Tuesday fixes 2 zero-days, 73 flaws (BleepingComputer)
DarkMe Malware Targets Traders Using Microsoft SmartScreen Zero-Day Vulnerability (The Hacker News)
CharmingCypress Use Poisoned VPN Apps to Install Backdoor (Cyber Security News)
Beyond the Hype: Questioning FUD in Cybersecurity Marketing (SecurityWeek)
Valentine's Day Scams Woo the Lonely-Hearted (Security Boulevard)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. It's always DNS, but that may just be FUD. The DOD notifies victims of a cloud email server leak. New Jersey cops sue online data brokers. Crooks use Wi-Fi jammers to thwart security systems.
Starting point is 00:02:15 A copyright case against OpenAI is partially dismissed. Patch Tuesday includes two actively exploited zero days. CharmingCypress gathers political intelligence. Ann Johnson from Microsoft Security's Afternoon Cyber Tea podcast talks with Frank Cilluffo, Director for Cyber and Critical Infrastructure Security at the McCrary Institute of Auburn University about cyber and critical infrastructure.
Starting point is 00:02:39 And beware Cupid's misleading arrow. It's Wednesday, February 14th, 2024. I am your valentine, Dave Bittner, and this is your CyberWire Intel briefing. Thank you all for joining us here today. It is great to have you with us. We begin today with a word from our It's Always DNS desk, that researchers have uncovered a critical DNSSEC flaw called KeyTrap, which could potentially cripple the Internet by exploiting a design vulnerability to exhaust CPU resources, Security Week reports.
Starting point is 00:03:37 Discovered by Germany's ATHENE National Research Center for Applied Cybersecurity, KeyTrap threatens over 31% of web clients using DNSSEC-validating DNS resolvers, risking the availability of essential services like web browsing, email, and instant messaging. Dubbed by some as the most severe DNS attack method, it affects major DNS implementations and providers, including Google and Cloudflare. While patches have been released with the last update on February 13th, fully mitigating KeyTrap's threat necessitates a redesign of DNSSEC's core principles.
Starting point is 00:04:17 The flaw, present for over two decades, has yet to be exploited maliciously, and security advisories have been issued by major vendors such as Microsoft, BIND, PowerDNS, and NLnet. Also from Security Week, and not completely unrelated, comes a report analyzing FUD, Fear, Uncertainty, and Doubt, in cybersecurity. FUD is a marketing strategy historically linked to IBM in the 1970s, implying that IBM products were safe while others were risky. This tactic leverages large, often unverified numbers to instill fear, making it crucial to scrutinize these sorts of figures to avoid falling prey to social engineering. A report mentioning cybercrime
Starting point is 00:05:06 costing the global economy $8 trillion highlights the challenges in verifying these sorts of claims. Critics argue that without clear economic and financial analysis expertise, such figures lack independence, evidence-based support, and exaggerate the impact on the global economy. The discussion extends to the broader cybersecurity industry, suggesting FUD marketing persists due to its effectiveness, despite the need for a more nuanced understanding of cybersecurity risks and solutions. The debate underscores the importance of questioning and verifying sensational claims in cybersecurity, advocating for a more informed and critical approach to understanding and addressing cyber threats. The U.S. Department of Defense has informed approximately 20,000 individuals of a data breach
Starting point is 00:05:58 involving an unsecured government cloud email server that leaked sensitive emails to the public internet. This incident, caused by a misconfiguration on a server hosted on Microsoft's cloud for government customers, occurred between February 3rd and February 20th of 2023. The leaked information, discovered by security researcher Anurag Sen, included internal military emails, some related to U.S. Special Operations Command and sensitive personnel data. The DOD has addressed the server's security issue, removed it from public access, and is working with a security provider to enhance cybersecurity measures. The delay in notifying affected individuals has not been explained.
Starting point is 00:06:46 In New Jersey, around 20,000 law enforcement personnel have filed class-action lawsuits against 118 data brokers for failing to remove their personal information from the Internet, violating a state law designed to protect their privacy. The law, known as Daniel's Law, mandates the removal of home addresses and phone numbers for law enforcement officials and their families within 10 days of a request, with noncompliance incurring a $1,000 fine per violation. The legal action could result in at least $2.3 billion in fines for the data brokerage industry, reflecting the scale of the alleged privacy breaches. The lawsuits were initiated after these brokers did not respond to removal requests, which officers say exposed them to significant risks, including threats and attempted violence from criminal organizations. Data privacy advocates argue this situation underscores the broader need for stringent regulation of data brokers to protect all citizens.
Starting point is 00:07:52 Police in Edina, Minnesota, have reported a series of burglaries involving criminals using Wi-Fi jammers to temporarily disable homeowners' connected security systems. Over the past six months, it's believed that perpetrators have employed this technique in nine robberies targeting affluent neighborhoods where homes are unoccupied during the day. The criminals steal high-end luxury items such as safes and jewelry once inside. Despite being illegal under federal law, Wi-Fi jammers can still be purchased online from outside the United States, and there have been cases of these devices being used to evade connected home security systems in the past.
Starting point is 00:08:35 Some ways to mitigate risks include using hardline cameras that connect directly to local storage and installing security alarms and lights that do not rely on wireless networks. A California court has partially dismissed a copyright case against OpenAI involving six authors, including comedian Sarah Silverman, who accused OpenAI's ChatGPT of copyright infringement. The allegations include direct copyright infringement, vicarious infringement, violation of the Digital Millennium Copyright Act, negligence, and unjust enrichment. OpenAI requested to have all counts except for the main claim, which alleges direct copyright infringement, dismissed. Judge Araceli Martínez-Olguín agreed with OpenAI's request and threw out claims of vicarious copyright infringement, DMCA violations, negligence, and unjust enrichment.
Starting point is 00:09:33 The court found no evidence of unlawful business practices or fraudulent conduct related to unfair competition. The remaining claims hinge on proving direct infringement. Microsoft's February 2024 Patch Tuesday addresses 73 security vulnerabilities, including two actively exploited zero days and five critical issues spanning denial of service, remote code execution, information disclosure, and elevation of privilege. The updates fix a range of flaws, notably 30 remote code execution and 16 elevation of privilege vulnerabilities alongside others. Notably fixed are two zero days, a Windows SmartScreen bypass, and an Internet Shortcut file bypass. Additionally, other tech giants like Adobe, Cisco, and Google have released patches.
Starting point is 00:10:27 Digging into the Microsoft Defender SmartScreen zero day, Trend Micro reports that the Water Hydra threat group, also known as DarkCasino, exploited this zero-day vulnerability to target financial traders. This campaign utilized the flaw to bypass security checks and deploy DarkMe malware through Internet Shortcut files. The attack involved convincing victims to click on malicious URLs disguised as stock chart images on Forex forums, leading to a complex infection chain that evaded SmartScreen's protections. Iranian threat group CharmingCypress, also known as Charming Kitten, APT42 or TA453, has been actively gathering political intelligence
Starting point is 00:11:15 on international targets, focusing on journalists, think tanks, and NGOs. Security firm Volexity says the group employs innovative social engineering and phishing techniques, engaging in extended conversations before sending malicious links. A notable tactic includes the use of malware-infected VPN applications to facilitate access to a bogus webinar platform, effectively deploying backdoors in victims' systems. This approach was highlighted in campaigns where individuals were lured into downloading a VPN client under the pretense of attending a webinar, only to install malware such as POWERLESS for Windows users and NokNok for macOS users,
Starting point is 00:12:00 enabling CharmingCypress to control and access their devices. The operation reflects the group's sophisticated methods of targeting and exploiting individuals for intelligence-gathering purposes. Coming up after the break, Ann Johnson from Afternoon Cyber Tea talks with Frank Cilluffo, Director for Cyber and Critical Infrastructure Security at the McCrary Institute of Auburn University. Stay with us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security,
Starting point is 00:12:59 but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta
Starting point is 00:13:34 when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Starting point is 00:14:39 Ann Johnson is the host of Microsoft Security's Afternoon Cyber Tea podcast, right here on the CyberWire podcast network. In her most recent episode, she speaks with Frank Cilluffo, Director for Cyber and Critical Infrastructure Security at the McCrary Institute of Auburn University about cyber and critical infrastructure. Here's a segment from their conversation. Today, I'm joined by Frank Cilluffo,
Starting point is 00:15:04 who is the Director of the McCrary Institute of Cyber and Critical Infrastructure Security at Auburn University, which fuses theory with practice and policy with technology to protect and advance U.S. interests in the areas of national and economic security. Frank is routinely called upon to advise senior officials in the executive branch, U.S. Armed Services, and state and local governments on an array of matters related to national and homeland security strategy and policy. Before joining Auburn, Frank served in senior roles at George Washington University, where he founded and led the Center for Cyber and Homeland Security.
Starting point is 00:15:41 Prior to GW, Frank served in the White House. Immediately after the attacks of September 11, 2001, he was appointed the Special Assistant to the President for Homeland Security. Welcome to Afternoon Cyber Tea, Frank. Thank you, Ann. Pleasure to be here and look forward to our conversation. Cyber is obviously a huge issue. You don't have to go far to read any headline to see that. But there are other common trends that we are seeing in the way of how threats are attacking critical infrastructure and national security. Can you talk a little bit about the macro issues you are tracking and what the implications are of those issues?
Starting point is 00:16:16 Sure. And not to sound philosophical here, because you certainly don't want philosophy from me, but the reality is, whereas technology may change, human nature remains pretty consistent. And unfortunately, a number of our adversaries are turning to computer network attack and cyber means to achieve their diplomatic, military, and economic objectives. I think one of the greatest challenges here, though, is that a lot of our true resources, capabilities, and value are in the hands of the private sector. And few in the private sector went into business thinking they had to defend themselves against nation-state threats, criminals at scale, and the like. The industry has been thinking about the cybersecurity
Starting point is 00:17:06 of critical infrastructure for quite some time. I don't know that, you know, our maturity level is where it needs to be, but there's certainly been significant improvements in awareness and the capabilities over the past several years. But can you give us a sense for what is typically included in the definition of critical infrastructure? How has that definition evolved over time from the time you started working post the 9-11 attacks until now? And what needs to evolve even further? That's a great question. Lots to unpack there.
Starting point is 00:17:37 I'll start with some of the definitional points because by and large, at least the way the U.S. government defines critical infrastructure, this was promulgated in the presidential decision directive 21, has not been updated since 2013. World's changed a bit since then. In that designation, they identified 17 sectors to be critical. I think many of those sectors remain critical. Not all are equally as resilient and as secure as I would hope. But by and large, there is recognition inside those 17 critical infrastructure sectors to be able to move the ball. As we speak, the current administration is updating PDD 21, mandated by Congress. They're, I think, a little behind the eight ball in moving that forward. But all things said and done, this is
Starting point is 00:18:34 an opportunity to sort of take a strategic look to see if we're on target and to see if anything has raised up to that designation of a critical infrastructure. Are there sectors of critical infrastructure that you believe are more at risk than others? And if so, why? And what should the leaders in those sectors be thinking about and be doing differently? You know, that's a great question. I wish there were an empirically based, simple response to that. But when you look at dependency and the essential nature of electricity, I think that has to be at the top of anyone and everyone's list. If you don't have power, I don't care what else is up and running,
Starting point is 00:19:18 you've got issues. And I do think you've seen massive improvement of the utilities and the energy companies recognizing not only out of their own goodwill and hearts, but from scar tissue. They're seeing a lot of activity in that domain and are treating the risk commensurately. I would say financial services clearly is at the top of everyone's list. And again, not always because they're doing the right thing, but they're in the business of business. Be sure to check out the Afternoon Cyber Tea podcast right here on the Cyber Wire podcast network or wherever you get your podcasts. Cyber threats are evolving every second, and staying ahead is more than just a challenge.
Starting point is 00:20:24 It's a necessity. That's why we're thrilled to partner with ThreatLocker, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. With TD Direct Investing, new and existing clients could get 1% cash back. Great! That's 1% closer to being part of the 1%... Maybe, but definitely 100% closer to getting 1% cash back with TD Direct Investing. Conditions apply. Offer ends January 31, 2025. Visit td.com slash dioffer to learn more. And finally, it's Valentine's Day, which means one thing, online scams. An analysis from Bitdefender reveals that a quarter of Valentine's Day-themed spam emails are scams targeting online shoppers with fraudulent offers on gifts like jewelry and flowers. Originating mostly from the U.S., these scams pose a significant risk of financial loss,
Starting point is 00:21:58 employing sophisticated phishing techniques, including the use of AI to create highly personalized and convincing messages. Scammers set up fake websites and offer too-good-to-be-true deals or contests to win cash prizes or vouchers. Experts warn of the importance of recognizing phishing signs, such as unsolicited links or requests for sensitive information, and advise against interacting with suspicious emails. They also highlight the increasing use of QR codes in scams, urging caution and recommending measures like inspecting URLs,
Starting point is 00:22:34 avoiding unexpected QR scans, and securing accounts with strong passwords and multi-factor authentication to protect against these sorts of threats. Seems like Cupid's arrows have been replaced with phishing hooks this Valentine's. Roses are red, violets are blue. Phishing scams are rampant. Don't let them catch you. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire at n2k.com.
Starting point is 00:23:16 We're privileged that N2K and podcasts like the Cyber Wire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security team supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Stokes.
Starting point is 00:23:49 Our mixer is Tré Hester with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
