CyberWire Daily - Malicious ads in a chatbot. A vulnerability gets some clarification. Cl0p switches from Tor to torrents. Influence operations as an adjunct to WMD. And NSA’s new AI Security Center.
Episode Date: September 29, 2023Malicious ads in a chatbot. Google provides clarification on a recent vulnerability. Cl0p switches from Tor to torrents. Influence operations as an adjunct to weapons of mass destruction. Our guest Je...ffrey Wells, former Maryland cyber czar and partner at Sigma7 shares his thoughts on what the looming US government shutdown will mean for the nation’s cybersecurity. Tim Eades from Cyber Mentor Fund discussing the 3 who’s a cybersecurity entrepreneur needs to consider. And NSA has a new AI Security Center. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/187 Selected reading. Malicious ad served inside Bing's AI chatbot (Malwarebytes) Critical Vulnerability: WebP Heap Buffer Overflow (CVE-2023-4863) (Huntress) Google gives WebP library heap buffer overflow a critical score, but NIST rates it as high-severity (SC Media) A new Chrome 0-day is sending the Internet into a new chapter of Groundhog Day (Ars Technica) Google "confirms" that exploited Chrome zero-day is actually in libwebp (CVE-2023-5129) (Help Net Security) Google quietly corrects previously submitted disclosure for critical webp 0-day (Ars Technica) CL0P Seeds ^_- Gotta Catch Em All! (Unit 42) A ransomware gang innovates, putting pressure on victims but also exposing itself (Washington Post) 2023 Department of Defense Strategy for Countering Weapons of Mass Destruction (US Department of Defense) NSA chief announces new AI Security Center, 'focal point' for AI use by government, defense industry (Breaking Defense) NSA starts AI security center with eye on China and Russia (Fortune) NSA is creating a hub for AI security, Nakasone says (Record) Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
private by signing up for Delete Me. Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Malicious ads in a chatbot.
Google provides clarification on a recent vulnerability.
Plop switches from Tor to Torrents.
Influence operations as an adjunct to weapons of mass destruction.
Our guest Jeffrey Wells, former Maryland cyber czar and partner at Sigma 7,
shares his thoughts on what the looming U.S. government shutdown will mean for the nation's cybersecurity.
Tim Eads from Cyber Mentor Fund discusses the three who's a cybersecurity entrepreneur needs to consider.
And NSA has a new AI security center.
I'm Dave Bittner with your CyberWire Intel briefing for Friday, September 29th, 2023. Thank you. it may offer sponsored results similar to those seen at the top of a regular search engine query.
In this case, Malwarebytes says,
the malicious actor hacked into the ad account of a legitimate Australian business and created two malicious ads,
one targeting network admins and another lawyers.
The links led to spoofed websites designed to trick users into downloading malware.
Google has updated its account of a vulnerability and issued a patch to address exploitation in the wild.
TechCrunch reports that what had formerly been perceived as a vulnerability in Chromium
is in fact a problem with the open-source LibWebP library used by Chromium developers. Researchers at
Huntress are tracking CVE-2023-4863, a critical heap buffer overflow vulnerability, in the LibWebP
library used by Chromium. LibWebP is widely used by applications for supporting the WebP image
format.
The vulnerability's description says the flaw has been exploited by a remote attacker to perform an out-of-bounds memory write via a crafted HTML page.
Huntress says,
A full list of affected software is still unknown at this time.
Any software that uses the vulnerable library is likely affected.
Due to the prolific use of LibWebP as a software library,
the attack surface of this vulnerability is likely extensive.
The patch to LibWebP 1.3.2 fixes this issue upstream of its implementation.
However, any software that ships with LibWebP is potentially vulnerable.
The researchers add,
Right now, the most prudent step to take is to update any web browsers
and ensure you have a solid software inventory that includes software versions.
Being able to quickly identify where you have vulnerable versions of software
as patches are released will greatly reduce your risk.
versions of software as patches are released will greatly reduce your risk. The CLOP ransomware gang has moved away from posting stolen files to a Tor dump site in favor of releasing them in torrents,
Palo Alto Network's Unit 42 reports. It's a quicker way of moving large amounts of data,
and so a faster way of pressuring victims into paying extortion demands, but speed and
convenience come, as they so often do, at the cost of security. Klopp was an early criminal adopter
of double extortion ransomware attacks, stealing data and threatening its release to increase the
pressure on victims. The threat of doxing is in addition to the classic ransomware approach of encrypting victims' data
and offering a decryptor in exchange for ransom payment.
Many gangs now skip the encryption altogether and move directly to the doxing.
Tor can be slow and relatively inaccessible,
and Klopp found it slowed down the gang's ability to crowd the large number of victims it accumulated
during exploitation of
MUVIT vulnerabilities. So, the shift to torrents. The downside for Klopp is that the gang's
operations are now more susceptible to inspection. Unit 42 says, in this case, the result of this
research is a handful of hosting servers out of Russia that hold enormous amounts of stolen victim data. We can expect much
more to come in the following weeks. The U.S. strategy for countering weapons of mass destruction
published yesterday and was informed in part by observation of Russia's war against Ukraine.
The strategy notes that the PRC and Russia have also proven adept at manipulating the information space
to inhibit attribution of its activities,
to reduce trust and confidence in the effectiveness of countermeasure,
and to potentially slow decision-making following WMD use.
China is seen as the pacing threat, Russia as the acute threat.
And finally, as artificial intelligence becomes increasingly important to national security,
the U.S. will form an organization devoted to the secure use of AI in national security systems
and in the defense industrial base that supplies them.
The director of the U.S. National Security Agency, General Paul Nakasone,
announced this week that NSA will establish a new AI security center.
Its mission will be to help keep the U.S. ahead of foreign peer competitors in the use of AI.
Breaking Defense quotes General Nakasone as saying,
the AI security center will become NSA's focal point for leveraging foreign intelligence insights,
contributing to the development of best practices, guidelines, principles, evaluation methodology,
and risk frameworks for AI security, with an end goal of promoting the secure development,
integration, and adoption of AI capabilities within our national security systems and our
defense industrial base. General Nakasone offered a brief account of what AI security actually means, stating,
AI security is about protecting AI systems from learning, doing, and revealing the wrong thing.
It is a set of practices to protect AI systems and life cycles from digital attacks, theft, and damage.
We must build a robust understanding of AI vulnerabilities,
foreign intelligence threats to these AI systems, and ways to counter the threat in order to have
AI security. We must also ensure that malicious foreign actors can't steal America's innovative
AI capabilities to do so. So, the AI Security Center has a protective mission.
It will be housed within NSA's Cybersecurity Collaboration Center,
and it's expected to work closely with interagency and private sector partners.
The center's size and leadership are yet to be announced.
In the meantime, welcome then to Fort Meade's Latest Tenant. Coming up after the break,
Jeffrey Wells from Sigma 7 shares his thoughts
on what the looming U.S. government shutdown
will mean for the nation's cybersecurity.
Tim Eades from Cyber Mentor Fund
explains the three who's a cybersecurity entrepreneur needs to consider.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to
evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting, and helps you get security questionnaires
done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta
when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over one
third of new members discover they've already been breached. Protect your executives and their
families 24-7, 365 with Black Cloak. Learn more at blackcloak.io.
It is my pleasure to welcome to the show Jeffrey Wells. He is a partner at Sigma 7,
also formerly Maryland's cyber czar and a founding partner at NIST. Jeffrey,
thank you so much for joining us.
Thanks, David. It's a pleasure to be here this morning.
So as you and I get together here today, it is the morning of Friday, September 29th, and the potential government shutdown is looming large here. Can we start off with just
your take? What are the odds that we're actually going to see a shutdown here in your estimation?
I think we're 99% going to, unless there's some sort of last-minute miracle,
I think the shutdown is inevitable at this point.
Everything I've seen and heard last night in D.C., it doesn't look like there's any movement.
Well, let's talk about the potential implications of that for the folks
who are tasked with defending our nation's cybersecurity. Where does that leave us?
Unfortunately, it does not leave us in a great position. I think we can liken the shutdown as a
tool and its impact both on government and then the ripple effects to commerce and the risk, a bit like extortion
at the moment. This is going to hit CISA incredibly hard. Somebody told me last night that
80% of CISA employees will be furloughed, which leaves somewhere around 500 employees to maintain operations. And that's an incredible challenge for those 500
employees. But also, you know, they're not being paid during that period. Sure, at some point,
when the government comes back into business, and is operational, they'll, you know, they'll get
back pay, most likely, but the morale of trying to defend and be responsible for sharing information
which CISA's in charge of cybersecurity and infrastructure security, that's a pretty heavy
load for 500 individuals. And then you start to think about that as a ripple effect is our
national intelligence. NSA will have individuals that are furloughed. This happened back in 2017,
2018. And it's going to take an incredibly long time for business and government to recover
because of the great work that, and I really do call it great work, that CISA and the U.S.
government have done over the last couple of years to ensure that
information sharing takes place. And with the shutdown, there'll be no information sharing,
or it's going to be incredibly challenging. And I think it's going to feel much like a ransomware
or an extortionware attack, where everyone's going to feel incredibly under-resourced,
overtasked, and incredibly tired and underappreciated. I've heard folks say that
President Biden could come at this by making the folks at CISA part of critical infrastructure,
similar to the way folks in the TSA work through a shutdown like this.
Do you have any insights there?
Yeah, technically, he could.
Not inside of CISA.
The contingency plans and response plans that CISA has is a bit of a challenge to understand
completely what that would mean, you know,
is would he be able to say that all of them are or that, you know, more than those 500?
Then I guess thinking a little bit bigger beyond CISA is, you know, what does the president or,
you know, what can the White House really do is start deeming everything critical.
House really do is start deeming everything critical. And so the shutdown really doesn't happen. Or, you know, it becomes even more of a push and pull between the Hill and the White House
for who's critical. And, you know, we've defined what critical is so that we can operate
kind of on a skeleton crew. But I just sort of have kind of mixed feelings that, sure,
but where do you stop with those exceptions?
And it's not just CISA.
It goes beyond CISA to FBI to really all of the information security operations
across the government enterprise and then to the ISACs and then kind of beyond
to the federal funding that enables the information sharing and some of the operations.
Again, where do you draw that line?
I'm not the president or the work of the White House.
Don't have to make those decisions.
But I don't think that we should be in a position to make those decisions.
But I don't think that we should be in a position to make those decisions.
We shouldn't be having to deal with this extortion, really.
Not to get political, but this is an extortion situation.
If I'm a bad actor or working for one of our adversaries out there, am I looking at this as a potential opportunity? Yes. both at the government level as well as the commercial level, because, you know, that information is shared,
that this is an opportunity to expand on programs that, you know, or vulnerabilities that have already been taken advantage.
You know, just think of, you know, kind of I was thinking last night of Volt Typhoon, you know, times, you know, exponential growth over the next 10 days.
If I was a threat actor operating out of a particular country on the Black Sea, I would
be looking at ways to exploit this to my advantage.
And there just are a lot of vulnerabilities that the government shutdown
creates, again, coming back to resources and information, which are two of the greatest
tools that organizations, both US government and private sector, have at their ready to be able to
address those. I think if they've been sitting
in environments while I heard someone mentioned to me this morning, they were told not to look
at their government-issued device while they were furloughed. You know, there were others who had
said, kind of look at it occasionally to see if there's something urgent, you know, which,
you know, is that between, you know,
three and four o'clock on a Friday? I don't know. But yeah, the guidance is very clear.
And so in this chaos, you know, kind of come back to Sun Tzu or Klaus Witzian is,
let's take advantage of it. And I would, I would be, you know be utilizing every tool in my APT toolkit to try to take advantage of our government shutdown. Yeah. All right. Jeffrey Wells is a partner at Sigma 7. He is
former Maryland cyber czar and also a founding partner at NIST. Jeffrey, thank you so much for
joining us. Hey, thank you for having me, Dave. You have yourself a wonderful weekend,
and let's hope this ends quickly.
And it is my pleasure to welcome back to the show Tim Eades.
He is the co-founder of the Cyber Mentor Fund and a serial entrepreneur.
Tim, welcome back to the show.
Dave, great to be here. I love doing these podcasts. It's fantastic.
Well, it's great to have you back.
I know today we've got an interesting topic to share here.
We're talking about the three W's, three who's, as you describe them.
Unpack what we're talking about here today, Tim.
Yeah, I mean, I've been an investor in cybersecurity companies and advising them for 20 years.
Obviously, I just started my fourth one.
And we have CyberMentor Fund that I'm a co-founder of.
So we look at a bunch of different cybersecurity companies and we see them kind of grow. We're seeing a trend of what some of them do wrong that I think
is worth talking about. They kind of lose sight. The ones that lose their way lose sight of what
I refer to as the three who's. And the three who's are these. Who is your economic buyer?
Who's the guy who's going to write the check? Who's your technical recommender? Who actually gives the architectural blessing? And then who actually
operates the product? Success is never a straight line at a startup. But if you lose sight of those
three things, it's very, very difficult to build a company. Sometimes you'll find that the three
who's are at a very large bank in very different departments or very different organizations,
in which case it's very difficult to get a sales momentum, any sales momentum into your sales cycle into your business.
But what we find is if you keep, you know, who is your economic buyer?
Who is your technical recommender? And who is your operator? Top of mind.
And don't say the CISO, right?
The CISO does so much.
Who in his organization owns it or not?
But you have to get those ownership principles of those three who's, right?
Otherwise, it's very difficult to build a business.
Does it come to pass sometimes that these three who's aren't aligned that they could be
in conflict with each other not so much conflict if they are but they if the sales if the sales
team and the product team and the ceo and and you know the startup doesn't know who they are
you you'll get lost right you end up building products that are incomplete you'll get lost, right? You'll end up building products that are incomplete.
You'll end up building things that are, you know,
almost like it has three heads as opposed to just one.
And what you'll find is, let's say you're going to build a product
that is in the firewall business, right?
You need the guy who buys the firewalls,
the guy who sets the policy on the firewalls,
and the guy who operates the firewalls.
If you're in the identity business and you're up to identity access management, there's
an identity access management architect, there's the identity access buyer, and there's the
operator of the tools.
I know this sounds simple, but lots of startups lose that.
It's a real trick question when you're going to look to a startup and you're about to meet them or invest in them. Who are the three who's? And particularly in the enterprise world,
it's a great question to ask. Can we dig in a little bit on this notion of who operates the
product? Because that really strikes me as being key here. I can imagine the short-sighted view of
saying,
we've got to make this sale,
so we're going to target the person who purchases something,
but then that might not be the same person who's working with it day to day.
It very rarely is the same person
in any organization of any real size.
If you don't know who the operator is,
there's a guy that they can say no to your business.
You don't know how familiar he is, there's a guy that they can say no to your business.
You don't know how familiar he is with the competitive products or the legacy products.
But you've got to live a day in the life.
So as you build the product, as you build the user interface, you want to make sure that the operator of the product has a fantastic experience.
I mean, the best example of this, actually, if you go all the way back to the early days of Palo Alto Networks, Panorama, their user interface, was legendary because the people that just knew it and loved it and built on it.
Splunk in the early days was the same thing.
But some of these people, some of the startups these days can't answer the question, who is your day-to-day operator of the product?
How do you recommend that organizations kind of dial this in?
Who do they focus on?
How do they set their priorities?
Well, it's up to the startup to understand as they go through their little phases of,
you know, seed funding to A to B to C to D, to keep this notion front and center, to keep the operator, the three who's front and center,
in particular the operator.
Because what happens is at the operator level,
in particular, they will share information
between other operators
and they can give you really good operating feedback
on how to operationalize the technology.
So it's a good model if you can keep that center.
All right.
Well, certainly something interesting to consider.
Tim Eads, thanks so much for joining us.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and
securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe
and compliant. This episode is brought to you by RBC Student Banking. Here's an RBC student offer that turns a feel-good moment into a feel-great moment.
Students, get $100 when you open a no-monthly fee RBC Advantage Banking account
and we'll give another $100 to a charity of your choice.
This great perk and more only at RBC.
Visit rbc.com slash get 100, give 100.
Conditions apply.
Ends January 31st, 2025.
Complete offer eligibility criteria by March 31st, 2025.
Choose one of five eligible charities.
Up to $500,000 in total contributions.
And that's the Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday and my conversation with David Liebenberg from Cisco Talos.
We're discussing their discovery of cracked Microsoft Windows software being downloaded by enterprise users all over the world.
That's Research Saturday. Check it out.
We'd love to know what you think of this podcast.
You can email us
at cyberwire at n2k.com. Your feedback helps us ensure we're delivering the information and
insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like the Cyber Wire are part of the daily intelligence
routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting
the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies.
N2K Strategic Workforce Intelligence optimizes the value of your biggest investment,
your people. We make you smarter about your team while making your team smarter.
Learn more at n2k.com.
This episode was produced by Liz Ervin and senior producer Jennifer Iben.
Our mixer is Trey Hester with original music by Elliot Peltzman.
The show was written by our editorial staff.
Our executive editor is Peter Kilby, and I'm Dave Bittner.
Thanks for listening. We'll see you back here next week.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive
alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.