CyberWire Daily - Leaky chats collide with shifting security standards.
Episode Date: January 30, 2026
A popular chatbot exposes millions of private user messages. The White House rescinds Biden-era federal software security guidance. A senior Secret Service official urges more scrutiny of domain registration. The President’s NSA pick champions section 702. France looks to reduce reliance on U.S. digital infrastructure. CISA shares guidance on insider threats. Hugging Face infrastructure was abused to distribute an Android RAT. Ivanti discloses a pair of critical zero-days. Popular dating sites suffer a data breach. Our guest is Tim Starks from CyberScoop, discussing how the US looks to push its view of AI cybersecurity standards to the rest of the world. The Nobel Committee blames hackers for a spoiler alert.
Selected Reading
Massive AI Chat App Leaked Millions of Users Private Conversations (404 Media)
White House Scraps 'Burdensome' Software Security Rules (SecurityWeek)
The 'staggering' cybersecurity weakness that isn't getting enough focus, according to a top Secret Service official (CyberScoop)
NSA pick champions foreign spying law as nomination advances (The Record)
French Government To Replace Zoom and Teams With Visio, a Local Alternative (The New York Times)
CISA Urges Critical Infrastructure Organizations to Take Action Against Insider Threats (HSToday)
Hugging Face Abused to Deploy Android RAT (SecurityWeek)
Ivanti warns of two EPMM flaws exploited in zero-day attacks (Bleeping Computer)
Match Group breach exposes data from Hinge, Tinder, OkCupid, and Match (Bleeping Computer)
Nobel Hacking Likely Leaked Peace Prize Winner Name, Probe Finds (Bloomberg)
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyberwire Network, powered by N2K.
A popular chatbot exposes millions of private user messages.
The White House rescinds Biden-era federal software security guidance.
A senior Secret Service official urges more scrutiny
of domain registration.
The president's NSA pick champions Section 702.
France looks to reduce reliance on U.S. digital infrastructure.
CISA shares guidance on insider threats.
Hugging Face infrastructure was abused to distribute an Android RAT.
Ivanti discloses a pair of critical zero-days.
Popular dating sites suffer a data breach.
Our guest is Tim Starks from CyberScoop,
discussing how the U.S. looks to push its view of AI cybersecurity standards
to the rest of the world.
And the Nobel committee blames hackers for a spoiler alert. It's Friday, January 30th,
2026. I'm Dave Bittner, and this is your Cyberwire Intel briefing. Thanks for joining us here today.
It's great to have you with us. An independent security researcher found that Chat and Ask AI, a popular chatbot
app, claiming over 50 million users, exposed hundreds of millions of private user messages due to a
misconfigured Google Firebase database, according to reporting by 404 Media.
The exposed data included highly sensitive chats, such as questions about suicide, drug manufacturing,
and hacking, along with full conversation histories, timestamps, and model settings.
The researcher accessed roughly 300 million messages tied to more than
25 million users. Chat and Ask AI, developed by Turkish firm Codeway, uses large language models
from multiple providers. Codeway fixed the issue within hours of disclosure. Researchers note that
Firebase misconfigurations are a longstanding widespread problem affecting many mobile apps and
continue to expose user data at scale. The White House has rescinded Biden-era
federal software security guidance, calling it unproven and overly burdensome. In a new memo,
the Office of Management and Budget revoked prior requirements for standardized secure software
development practices and shifted responsibility to individual agency heads.
Agencies must now tailor software and hardware security policies to their missions and risk
profiles. While no longer mandatory, tools like software bills of materials may still
be used, and the guidance expands focus to hardware supply chain risks through hardware bills of
materials.
A senior United States Secret Service official warned that weaknesses in the Internet's domain
registration system are being widely exploited by criminals but receive too little attention.
Speaking at a policy forum, Matt Noyes said registrars routinely allow bulk registration
of deceptive domain names used in phishing and fraud.
He argued the problem stems from Internet governance, particularly how the Internet Assigned Numbers Authority operates,
noting that domain registrations lack meaningful identity or trademark validation.
As a result, companies like Microsoft and Google are forced into reactive court-ordered takedowns.
Noyes said that major Internet firms could act more proactively by limiting ads, search results, or infrastructure tied to concentrated abuse.
He also highlighted business email compromise as another systemic trust failure,
noting that email identity is routinely assumed but rarely verified.
President Donald Trump's nominee to lead the National Security Agency,
Army Lieutenant General Joshua Rudd, strongly defended Section 702 of the Foreign Intelligence Surveillance Act
during a Senate hearing, calling it indispensable to national security and life-saving operations.
Section 702 allows U.S. agencies to collect foreign intelligence from U.S. tech companies,
but can also sweep up Americans' communications without warrants.
The authority expires April 19th with no renewal bill yet introduced.
Rudd's stance could conflict with Trump and Tulsi Gabbard, both past critics of the program.
Senators questioned warrant requirements and civil liberties protections, while committees moved
Rudd's nomination forward, positioning him for confirmation before the NSA's acting chief
retires.
France is moving to reduce reliance on U.S. digital infrastructure by replacing American
video conferencing tools with a government-built alternative.
French defense minister Sébastien Lecornu announced that officials will transition from
platforms like Zoom and Microsoft Teams to a new French application called Visio by
year's end. The government said non-European tools pose cybersecurity and data control risks and framed
the shift as a step toward digital sovereignty. Visio is hosted by French cloud provider Outscale and uses
AI features from domestic firms. The move follows similar efforts across Europe to localize
messaging, productivity, and AI tools amid growing concerns about strategic dependence on U.S. technology,
especially after renewed tensions in transatlantic relations.
The Cybersecurity and Infrastructure Security Agency is urging critical infrastructure organizations
and state, local, tribal, and territorial governments to take stronger action against insider threats.
To support that effort, CISA released a new infographic titled
"Assembling a Multidisciplinary Insider Threat Management Team,"
offering practical guidance to help organizations prevent, detect, and mitigate insider risks.
CISA emphasized that insider threats include both malicious actions and unintentional mistakes,
each capable of causing serious operational and reputational harm.
Acting Director Madhu Gottumukkala said insider threats remain among the most serious security challenges
because they erode trust and disrupt critical operations.
Infrastructure Security Executive Steve Casapulla added that mature insider threat programs
improve resilience and called on organizations to build cross-functional teams and foster a culture
where employees feel empowered to report concerns.
Researchers at Bitdefender report that Hugging Face infrastructure was abused to distribute
an Android remote access Trojan.
The campaign used a fake security app called
Trust Bastion, delivered via ads, which acted as a dropper and downloaded malicious payloads
from Hugging Face repositories. The malware requested extensive permissions, enabling full
device control, screen capture, and credential theft while impersonating financial services.
Although the original repository was removed, the operation resurfaced under a different app name
before Hugging Face took down the datasets.
Ivanti disclosed two critical zero-day vulnerabilities in Ivanti
Endpoint Manager Mobile, both rated CVSS 9.8, and already exploited in the wild.
The flaws allow unauthenticated remote code execution, potentially exposing sensitive administrator,
user, and mobile device data, including credentials and location information.
Ivanti released temporary RPM hotfixes for affected versions,
and urged customers to apply them immediately,
noting the fixes must be reapplied after upgrades.
Permanent fixes are expected in upcoming versions.
CISA added the vulnerability to its Known Exploited Vulnerabilities catalog,
requiring U.S. federal agencies to remediate or stop using affected systems by February 1st.
Match Group, owner of dating platforms including Tinder, Hinge, Match.com,
and OkCupid, confirmed a cybersecurity incident after the ShinyHunters gang leaked data
allegedly tied to 10 million users.
Match Group said attackers accessed a limited amount of user data and that there's no evidence
login credentials, financial information, or private messages were compromised.
According to reporting by Bleeping Computer, the breach stemmed from a social engineering
attack that compromised an Okta single sign-on account, granting access to marketing
analytics and cloud storage systems.
Match Group said it contained the intrusion quickly, is notifying affected users, and continues
to investigate with external experts.
Coming up after the break, Tim Starks from CyberScoop discusses how the U.S.
looks to push its view of AI cybersecurity standards to the rest of the world, and the
Nobel Committee blames hackers for a spoiler alert.
Stay with us.
It is always my treat to welcome back to the show
Tim Starks. He is a senior reporter at CyberScoop.
Tim, welcome back.
It's my treat as well.
So a couple of stories that you have published here recently.
In fact, this one is, we touched on earlier today in today's Cyberwire News Brief.
And this is about some comments that a senior Secret Service official made yesterday
about some holes in security that has caught his eye.
What's going on here, Tim?
Yeah, he talked about a couple,
but one that was pretty interesting.
He said, we don't talk about this in polite company.
So that's always appealing if you're a reporter, right?
You hear that.
You lean in.
You usually said it, you go, oh, what's this?
You know some T-mat noise?
Right.
Anyway, he talked about something that I don't hear discussed that much.
Certainly I hear it discussed, but I don't hear it discussed
that often and not at this level of alarm.
Essentially, he's saying that the way domains are registered
is a very big vulnerability.
If you look at the number of phishing attacks
that rely on fake URLs,
he says, this process is not working.
You might recall this was something
that used to be under pretty much exclusive
United States authority
and that Assigned Numbers Authority, or IANA.
and it's been about a decade since we handed it off.
But interestingly, Matt, you know,
the Secret Service had made the point
that U.S. tech companies could do something about this.
Well, he pointed out the issue.
Did he offer up solutions?
He basically said, tech companies, you can fix this.
Certainly right now.
One of the things that happens is, you know,
there are tech companies
that are doing something about it, but it's more on the back end, use his words.
You've seen things like Google and Microsoft going to the courts and getting takedowns of domains.
Right.
Which is, you know, it's more of a setback for the organizations.
And maybe sometimes it's a bad setback, but it doesn't stop the practice.
You know, to use his exact words, I'm just reading what he said.
The major internet players in the U.S., they could change the nature of the internet and change
the governance of that, to clean that up when there's a heavy concentration
of abuse and fraud.
But he didn't go into any further detail about how they could do that.
Do you feel like, well, let me rephrase that and say that I feel that there is a sense of resignation when it comes to this sort of thing, that we've been operating this way for so long that it would be hard to turn this battleship?
Yeah, it's one of the, you know, it goes back to the thing that you hear said on cybersecurity a lot, which is the internet wasn't built for security.
There may be things that can be done about this, but we're talking about internet
governance. We're talking about how the internet works even. So maybe it's not such a simple
solution. One of the things he also brought up, I'll mention because he brought it up as well, but
business email compromise, which is a one, some of dialogue covering because it's just billions and billions
of value every year. It's a massive amount of internet-enabled fraud that's happening out there.
Another situation where it's just the setup, you know, he said we're too set up to trust emails
that we get. That leads to this kind of implicit trust that you have and the system isn't
designed to handle that.
So he is talking about some big picture things that would probably be hard to fix.
Yeah.
I wonder, too, it strikes me that at this exact moment, our global influence, I think it's
fair to say is waning when it comes to setting policy for the rest of the world.
And whether or not that's a valley that may rise up on the other side or if this is the shape
of things to come for the foreseeable future,
who knows, but it sort of ties into another story that you published about the U.S.
looking to be the leader when it comes to global policy for AI.
Yeah, that's a really interesting contrast you draw, because if you look at some other things
we've written about in recent weeks, we've seen the administration pull out of a number of
international organizations on cyber, or that at least have some amount of cyber involved
and what they're doing.
So it's interesting that on one hand,
you have a top Secret Service official
saying that internet governance isn't working.
And then on the other hand,
you have an official from the Office of the National Cyber Director,
Alexandra Seymour, saying we need to launch a diplomatic effort,
essentially, to make it so that AI standards on cybersecurity
that the rest of the world are using our version.
And there has been some work to that extent during this administration,
despite how much the Trump administration is pulling back internationally.
It's definitely interesting that they're saying,
on this, we want to see the US be more of a leader.
I think what maybe is the difference is that it's part of,
if you listen to her remarks in full,
it's part of a talk about the US AI tech stack, if you will, right?
The phrase that I think is, it's a little jargony that I don't like using,
but I'm quoting her,
just essentially trying to push American AI.
This administration clearly thinks that it's an economic inroad
for the United States to have some more sustained dominance.
So I think that might be the difference.
Use our standards on this.
We're pulling out of all these other cyber ops are things,
but use our standards on this.
Because by the way, we might make a little money on it if we do it out.
Well, again, looking back to today's rundown of our Cyberwire news,
we had a story about France
dialing back their use of U.S. video conferencing technology.
They're bringing it in-house.
And I think we're seeing day after day.
We're seeing these reports where governments around the world are saying,
we don't want to be so reliant on the U.S. these days.
Exactly.
And we talk about intelligence sharing between allied nations, even,
about other countries being more reluctant to share intelligence with us.
And in cyberspace, that's huge.
If organizations,
if countries start
pulling back
from sharing intelligence
with the United States
on cyber issues,
that's a big,
I guess force multiplier
would be the opposite.
A force divider.
It would reduce the amount of capabilities
we have to defend against cyberattacks.
If not us, who?
In other words,
if the rest of the world says
we can't rely on the United States
for the leadership
that we've always provided
when it comes to tech and cyber,
Does that put China in the driver's seat?
What do you think?
That's always the risk, certainly, especially when it comes to cyberspace issues.
I think there have been some efforts, like last, we're just sticking with the subject of AI.
Last spring, there was an EU-oriented AI action plan.
So I think that we might see a more fractured, regionalized kind of way to approach cybersecurity and cybersecurity issues.
But when there's a power void
and there's one country
that is bigger than all the others, literally
in every way,
why wouldn't they see that as an opportunity?
I think the issue for China, of course,
is that there's a big body of evidence
and I'm not saying that the United States
has been perfect prior to this administration either,
but there's a big body of evidence
that China has been a very bad actor in cyberspace.
So there's a chance that they won't be able
to make the kind of inroads
that they would otherwise be able to make.
But during the times of 5G and Huawei and all those, you know, you go back just even a couple of years, there was a big effort to make America a dominant force in all these areas.
But other countries were tempted to enlist with Huawei and China because of prices and because of costs and because of intelligence risks.
It might seem like an act of desperation if countries were going to turn to China, but it's happened before.
And I don't see why it couldn't potentially happen again.
Yeah. All right. Well, time will tell, right?
You love that saying. Yes, time will definitely tell.
All right. Tim Starks, senior reporter at CyberScoop. Tim, thanks so much for joining us.
And finally, the Norwegian Nobel Institute says a cyber intrusion
is the most likely culprit behind last year's premature leak of Peace Prize winner María Corina Machado.
Investigators, assisted by Norwegian security authorities,
concluded someone likely hacked their systems,
conveniently just hours before betting markets lit up on Polymarket.
An internal leak, the Institute insists, was thoroughly examined and politely ruled out.
The episode drew extra attention to an already politicized prize,
thanks in part to Donald Trump,
who publicly argued he deserved the honor
and later accepted Machado's medal anyway,
a plot twist few had on their bingo card.
The Institute declined to pursue a police case,
citing a lack of clear theory,
while delicately noting its cybersecurity routines
could, like many laureates' speeches,
use some tightening.
And that's The CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday
and my conversation with University of New Mexico security researcher
Mohamed Dhanish about the push for frictionless user experiences
and how that's led many services to rely on SMS-delivered single-click URLs.
That's Research Saturday. Check it out.
We'd love to know what you think of this podcast. Your feedback ensures
we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to Cyberwire at N2K.com.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Tré Hester with original music by Elliott Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening. We'll see you back here next week.
