CyberWire Daily - Old school, new threat.
Episode Date: July 10, 2024

Blast-RADIUS targets a network authentication protocol. The US disrupts a Russian disinformation campaign. Anonymous messaging app NGL is slapped with fines and user restrictions. The NEA addresses AI use in classrooms. Gay Furry Hackers release data from a conservative think tank. Microsoft and Apple change course on OpenAI board seats. Australia initiates a nationwide technology security review. A Patch Tuesday rundown. Guest Jack Cable, Senior Technical Advisor at CISA, with the latest from CISA's Secure by Design Alert series. Our friend Graham Cluley ties the knot.

Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Guest Jack Cable, Senior Technical Advisor at CISA, joins us to share an update on CISA's Secure by Design Alert series. For some background, you can find CISA’s Secure by Design whitepaper here. Details on today’s update can be found here.

Selected Reading
New Blast-RADIUS attack breaks 30-year-old protocol used in networks everywhere (Ars Technica)
US Disrupts AI-Powered Russian Bot Farm on X (SecurityWeek)
FTC says anonymous messaging app failed to stop ‘rampant cyberbullying’ (The Verge)
NEA Approves AI Guidance, But It’s Vital for Educators to Tread Carefully (EducationWeek)
Hacktivists release two gigabytes of Heritage Foundation data (CyberScoop)
Microsoft and Apple ditch OpenAI board seats amid regulatory scrutiny (The Verge)
Australia instructs government entities to check for tech exposed to foreign control (The Record)
Microsoft July 2024 Patch Tuesday fixes 142 flaws, 4 zero-days (BleepingComputer)
Graham Cluley ties the knot (Mastodon)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.
Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com/n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code n2k at checkout. That's joindeleteme.com/N2K, code N2K.
Blast-RADIUS targets a network authentication protocol.
The U.S. disrupts a Russian disinformation campaign.
Anonymous messaging app NGL is slapped with fines and user restrictions.
The NEA addresses AI use in classrooms.
Gay furry hackers release data from a conservative think tank.
Microsoft and Apple change course on OpenAI board seats.
Australia initiates a nationwide technology security review.
A Patch Tuesday rundown.
Our guest is Jack Cable, Senior Technical Advisor at CISA,
with the latest from CISA's Secure by Design Alert Series.
And our friend, Graham Cluley, ties the knot.
It's Wednesday, July 10th, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. It is great as always to have you with us.
A newly discovered attack dubbed Blast-RADIUS targets the Remote Authentication Dial-In User Service,
that's RADIUS, used widely for network authentication. Developed in 1991, RADIUS
remains crucial for VPNs, ISPs, Wi-Fi, and cellular networks. However, it relies on the
outdated MD5 hash function, known for its susceptibility to collision attacks,
where two different inputs produce the same hash output.
Researchers have shown that these MD5 collisions can be exploited to gain unauthorized administrative access to devices using RADIUS.
The attack involves an adversary intercepting and manipulating RADIUS authentication packets
to trick the server into granting access.
This is made feasible by optimizing the attack process,
reducing the required computational time from thousands of hours to mere minutes.
Despite the known weaknesses of MD5, RADIUS has not been updated to mitigate these vulnerabilities effectively.
The recent research underscores the urgent need to transport RADIUS traffic over TLS or DTLS, ensuring encrypted and
authenticated communications. In the interim, short-term mitigations include using HMAC-MD5
for packet authentication, although this might break compatibility with older implementations.
The vulnerability has prompted security bulletins and patches from over 90 vendors,
urging users to implement recommended updates and check with manufacturers for specific guidance.
This discovery highlights the importance of updating legacy protocols
and adopting more secure cryptographic practices
to protect critical network infrastructure.
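The interim mitigation mentioned above, an HMAC-MD5 Message-Authenticator that binds each RADIUS packet to the shared secret, as an added Python example that is not code from the research or the transcript. Attribute layout follows RFC 2869; the shared secret, identifier and User-Name are constructed values, and only Access-Request handling is shown.

```python
import hmac
import hashlib
import os
import struct

ACCESS_REQUEST = 1
MESSAGE_AUTHENTICATOR = 80  # attribute type, RFC 2869 section 5.14


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte total length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def legacy_access_request(identifier, attrs, request_auth=None):
    """An Access-Request as older clients send it. The Request Authenticator is random,
    but nothing binds the attributes to the shared secret, so tampering that keeps
    the MD5 Response Authenticator consistent cannot be detected by the server."""
    request_auth = request_auth or os.urandom(16)
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + request_auth + body


def protected_access_request(identifier, secret, attrs, request_auth=None):
    """Same packet plus a Message-Authenticator: HMAC-MD5, keyed with the shared
    secret, over the whole packet with the attribute's 16 value bytes zeroed."""
    request_auth = request_auth or os.urandom(16)
    body = encode_attrs(attrs) + struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + request_auth
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac  # replace the zeroed placeholder with the real HMAC


def iter_attrs(packet):
    """Yield (offset, type, value) for each attribute after the 20-byte header."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        yield pos, t, packet[pos + 2:pos + length]
        pos += length


def verify_access_request(packet, secret):
    """Server-side policy: accept only Access-Requests whose Message-Authenticator
    verifies under the shared secret. A request without one is rejected outright."""
    if len(packet) < 20:
        return False
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False
    try:
        for pos, t, value in iter_attrs(packet):
            if t == MESSAGE_AUTHENTICATOR:
                if len(value) != 16:
                    return False
                zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
                expected = hmac.new(secret, zeroed, hashlib.md5).digest()
                return hmac.compare_digest(expected, value)
    except ValueError:
        return False
    return False  # no Message-Authenticator present: reject
```

Responses are protected the same way, except that the HMAC is computed with the Request Authenticator in the header field; that path is left out here.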
The U.S. has disrupted Russian threat actors
associated with RT, formerly Russia Today,
who use AI features of the Meliorator software
to create fake online personas
spreading disinformation in the U.S., Germany, Israel, the Netherlands,
Poland, Spain, and Ukraine, according to a joint advisory from government agencies.
The U.S. seized two domain names used to register these fake accounts,
revealing a bot farm was managed by a Russian FSB officer and a private intelligence organization
with Kremlin support. Meliorator generates realistic social media profiles that post content, mirror disinformation,
and formulate false narratives. It includes an administrator panel and a seeding tool to
control the fake personas. RT has used this software since 2022 to support Russian interests. By June of this year, it had created 968 accounts
on X, formerly Twitter. The identified accounts have been suspended, and social media platforms are urged
to help identify and reduce these fake personas. The anonymous messaging app NGL will no longer be
available to users under 18, following a settlement with the Federal Trade Commission and Los Angeles District Attorney's Office.
This agreement, pending judge approval, marks the FTC's intensified efforts to safeguard children's privacy.
The settlement, distinctive for its age ban, contrasts with past actions under the Children's Online Privacy Protection Act,
COPPA. NGL, an app for soliciting anonymous messages, faced accusations of misleading
young users into buying a premium version by sending fake messages and promising identity
reveals. Instead, users received vague hints. The FTC also claimed NGL falsely advertised
effective AI content moderation
while cyberbullying was rampant.
Additionally, NGL allegedly failed to obtain parental consent
for users under 13, violating COPPA.
The company agreed to pay $5 million
and implement age restrictions.
The nation's largest teachers' union, the NEA,
has voted to address AI use in classrooms through policy actions. On July 4, the union's 6,000
delegates approved a policy statement at their annual assembly. This policy focuses on ensuring
AI is used safely and equitably,
emphasizing the importance of human interaction in education. It highlights issues like equity, data protection, and environmental impact.
The NEA aims to guide educators on AI use,
pushing for professional development and involvement in policy discussions.
The policy calls for ethical AI development and equitable access,
ensuring AI supplements rather than replaces human teaching.
The NEA will advocate at various levels for these principles,
recognizing the potential of AI to support but not replace educators
in fostering meaningful student-teacher connections.
A cybercrime group known as SiegedSec released approximately two gigabytes of data from the Heritage Foundation, a conservative
think tank. This release was in response to Heritage's Project 2025, which aims to provide
policy proposals for a potential Donald Trump presidency.
The leaked data includes Heritage Foundation blogs, material from The Daily Signal,
and personal information of individuals associated with Heritage,
including those with U.S. government email addresses.
SiegedSec, self-identified as Gay Furry Hackers, claims this leak is part of their
OpTransRights campaign.
The Heritage Foundation has not commented on the breach,
which is the second cyber attack they've faced this year.
SiegedSec also claims to possess
over 200 gigabytes of additional data,
but say they have no plans to release it.
Microsoft has relinquished its observer
seat on OpenAI's board less than eight months after acquiring it. Apple, initially planning
to join OpenAI's non-profit board, has also decided not to join. OpenAI confirmed Microsoft's
decision following reports from Axios and the Financial Times. OpenAI expressed gratitude for Microsoft's support
and announced a new strategy under CFO Sarah Friar involving regular stakeholder meetings
with strategic partners like Microsoft and Apple and investors like Thrive Capital and
Khosla Ventures. These changes coincide with growing antitrust concerns regarding Microsoft's $10 billion investment in OpenAI.
This investment, making Microsoft the exclusive cloud partner for OpenAI, powers all OpenAI workloads and enhances Microsoft's AI capabilities across its products and services.
Australia has directed its government entities to review their entire technology estates and identify assets potentially controlled or manipulated by foreign states.
This action addresses growing cyber threats, including repeated targeting by a state-sponsored
Chinese hacking group. The Department of Home Affairs issued legally binding instructions for over 1,300
government entities to identify foreign ownership, control, or influence risks in their technology
by June 2025. Additionally, they must assess internet-facing systems for security risks
and collaborate with the Australian Signals Directorate on threat intelligence sharing.
This directive aims to enhance the visibility and security of Australia's government technology infrastructure.
The new cybersecurity measures follow Australia's earlier ban on TikTok on government devices
due to security concerns. Yesterday was Patch Tuesday. This month's update from Microsoft
addresses 142 security flaws, including two actively exploited and two publicly disclosed zero-day vulnerabilities.
Among these, five critical vulnerabilities stand out, all of which are remote code execution flaws. The full list reveals a diverse array of threats: 26 elevation of privilege, 24 security feature bypass,
59 remote code execution,
9 information disclosure,
17 denial of service,
and 7 spoofing vulnerabilities.
Highlighting the critical fixes,
the first zero-day vulnerability
affects Windows Hyper-V.
This elevation of privilege flaw allows attackers to gain system privileges, posing a severe risk.
The second, actively exploited zero-day, targets the Windows MSHTML platform.
This spoofing vulnerability requires the victim to execute a malicious file,
after which the attacker can exploit the system.
In addition, two publicly disclosed zero-day vulnerabilities have been patched. The first involves a remote code execution issue in .NET and Visual Studio
caused by a race condition in HTTP/3 stream processing.
The second, known as the FetchBench side-channel attack,
could allow attackers to view heap memory from a privileged process,
compromising sensitive information.
This patch Tuesday also coincides with updates from other major companies.
Adobe has released security updates for Premiere Pro, InDesign, and Bridge.
Cisco has disclosed an exploited CLI command injection vulnerability in NX-OS software.
Citrix has fixed flaws in its Windows Virtual Delivery Agent
and Citrix Workspace app.
Additionally,
Fortinet, Mozilla,
OpenSSH,
and VMware
have all issued updates
addressing various vulnerabilities.
Coming up after the break, my conversation with Jack Cable, Senior Technical Advisor at CISA,
on the latest CISA Secure by Design Alert Series.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now?
We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks.
But get this. [...] ISO 27001. They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your
executives and their families at home. Black Cloak's award-winning digital executive protection
platform secures their personal devices, home networks, and connected lives. Because when
executives are compromised at home, your company is at risk. In fact, over one-third of new members
discover they've already been breached. Protect
your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Jack Cable is Senior Technical Advisor at CISA, and I recently got together with him to discuss CISA's Secure by Design Alert Series.
Definitely, and first of all, thanks so much for having me on here, Dave.
stems from CISA and our partners, Secure by Design Guidance, which was launched in April of last year with a number of both domestic and international partners with really the goal to highlight how
software manufacturers can take ownership of the security outcomes of their customers. So really,
for so long, the burden has been placed on those least capable of bearing it when it comes to security, whether it's end users, individuals, small businesses, hospitals, and so on.
And we want to see how, in line with the White House's national cybersecurity strategy, we can work to shift that burden on to those who are most able to bear it.
So we issued updates to our Secure by Design guidance.
We have over 13 countries on board now.
And the Secure by Design Alert series
is really the next step in highlighting
how when we see vulnerabilities in the news
that are often quite simple in reality,
that they're preventable at the end of the day.
And that software manufacturers can do a lot
to raise the collective bar of security for all of us.
So that's really what we're hoping to accomplish
with the Secure By Design Alert series
is to shift that conversation
just from, say, what the victims have done wrong
or what the adversaries have done right
to what the vendors, what
the software manufacturers can be doing to prevent these vulnerabilities in the first
place.
Well, today, you and your colleagues there are publishing the latest alert in the series
here.
What can you tell us about that?
What are we covering here today?
This alert focuses on command injection vulnerabilities, which are one of the most
dangerous classes of vulnerabilities. And we've seen numerous examples, even just this year,
of these vulnerabilities being exploited in the wild. And essentially, they allow an adversary to
run arbitrary commands on a victim's computers, which, as you might imagine, can lead to some
quite harmful effects. And the reality with these vulnerabilities is that not only have we known
about this class of vulnerability for decades, but we've known how to prevent them for decades.
So our Secure by Design alert includes some quite basic approaches that software manufacturers can take to root these vulnerabilities out of their products.
And really, we encourage every manufacturer to review their products, understand where, for instance, they might be using and invoking commands in a manner that is vulnerable,
be using and invoking commands in a manner that is vulnerable and seeing how they can not just do one-off patches when vulnerabilities get reported to them, but rather to really
take a proactive approach to root these out and ensure that this class of vulnerability
isn't present in their products.
Can we go through some of the details there?
I mean, what are some of the things that software developers can do to prevent these command injection vulnerabilities?
Yep.
So what our guidance talks about,
the most basic starting point is to,
and this is a common theme, I'd say,
between many common classes of vulnerabilities
that we talk about in our alerts,
is the commingling of, say, application code and user input, which we know is a bad
practice and we know time and time again leads to these very damaging vulnerabilities.
And there's ways to invoke commands if you look at any modern programming language in a way that
clearly distinguishes user input from the contents of the command itself.
So what our alert talks about is, one, if possible, avoid invoking a command through code.
If there's a built-in function that can be used, say if you're creating a directory,
then use that if you can get away with it.
And if you do need to invoke a command, at the very least, ensure that
one, you're sanitizing input,
and two, that you are
separating that contextually from the
actual contents of the command.
And again, this isn't
unique by any means to
command injections, but really
across the board,
another example, for instance, which we've issued
an alert on is SQL injection
vulnerabilities, where
again, that's a preventable
class of vulnerability that's been
around for a while, and we've also known how
to prevent that for over 20 years.
And there's ways of
separating the contents of a
query from the actual query
itself. And yet, today,
in 2024, we still see these vulnerabilities being
exploited in the wild. And at CISA, we think that's entirely preventable.
And one of the things that strikes me about these secure by design alerts and really the,
I'd say the overarching approach that CISA has had since its foundation is that it's very
collaborative. This isn't just the government organization
coming down from on high to say,
this is what you must do.
It recognizes and I think encourages the fact
that this is a team sport.
Yeah, and really I'd say that that's a core part
of our Secure by Design initiative
because we know at the end of the day
where we want to make progress,
we need to work with these software manufacturers
and get them to take action
to root out vulnerabilities from their products.
So that's the approach we've been taking
from our initial Secure by Design guidance.
And we published a request for information,
got some really great feedback
that we're working on reviewing in order to make our guidance and associated action as helpful as
possible. And then I think one of the really exciting actions we've been taking recently is
we launched a Secure by Design pledge working with software manufacturers where they're committing to taking actions
and demonstrating measurable progress
in seven specific areas around Secure by Design
over the next year.
And we launched this at RSA with 68 companies on board.
Since then, we've more than doubled the number
of companies who've signed up,
and we're now up to over 150,
including some of the biggest
software manufacturers in the world. And we're really excited to see what sorts of actions these
software manufacturers take, and in particular, how they can help raise the tide, not just at
their own companies, but for everyone. Because we know that this is an issue that industry
collectively has struggled with for decades,
and it's not going to be solved overnight. So how can, in the spirit of one of our Secure by Design
principles of radical transparency, how can we make sure that information is readily available
for everyone who's building software to do so in a manner that is Secure by Design?
Our thanks to Jack Cable from CISA for joining us.
You can check out the CISA Secure by Design Alert Series on their website.
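The command injection advice Jack Cable gives above (prefer a built-in function over invoking a command; if a command is unavoidable, validate the input and keep it separate from the command itself), as an added Python example that is not code from the alert or the interview. The directory-creation scenario, the allowlist pattern and all function names are assumptions made here.

```python
import os
import re
import subprocess
import tempfile
from pathlib import Path

# Allowlist for one path component: letters, digits, dot, dash, underscore, and
# never "." or "..". Anything else is rejected before any API or command sees it.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]+")


def validate_name(name):
    """Input sanitizing step: accept only a plain directory name, else raise."""
    if not SAFE_NAME.fullmatch(name) or name in (".", ".."):
        raise ValueError(f"rejected directory name: {name!r}")
    return name


def unsafe_shell_string(base, name):
    """The anti-pattern the alert describes: user input concatenated into a string
    that a shell would parse. Only BUILDS the string so the contrast is visible;
    it is never executed anywhere in this example."""
    return "mkdir " + os.path.join(base, name)


def shell_would_split(command):
    """Illustrative check: does the constructed string contain a separator the
    shell would treat as the start of a second command?"""
    return any(sep in command for sep in (";", "&&", "||", "|", "`", "$("))


def make_dir_builtin(base, name):
    """Preferred form: no command at all. The standard library treats the name
    as data, so shell metacharacters cannot change what the call does."""
    target = Path(base) / validate_name(name)
    target.mkdir()
    return target


def make_dir_argv(base, name):
    """If a command must be invoked: an argv list with shell=False and '--', so the
    name is a single argument that no shell ever parses. Validation still applies."""
    target = os.path.join(base, validate_name(name))
    subprocess.run(["mkdir", "--", target], check=True)
    return target


def demo():
    """Exercise the variants against constructed names inside a temporary directory."""
    base = tempfile.mkdtemp()
    results = {
        "unsafe_has_separator": shell_would_split(unsafe_shell_string(base, "logs; echo injected")),
        "safe_name_no_separator": shell_would_split(unsafe_shell_string(base, "logs")),
        "builtin_created": make_dir_builtin(base, "logs").is_dir(),
        "argv_created": os.path.isdir(make_dir_argv(base, "reports-2024")),
    }
    for fn, bad in ((make_dir_builtin, "logs; echo injected"), (make_dir_argv, "../escape")):
        try:
            fn(base, bad)
            results[fn.__name__ + "_rejected"] = False
        except ValueError:
            results[fn.__name__ + "_rejected"] = True
    return results
```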
Cyber threats are evolving every second, [...] suite of solutions designed to give you total control, stopping unauthorized applications,
securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And finally, our matrimony desk reports
that noted cybersecurity expert and podcast host Graham Cluley tied the knot earlier this week.
As a regular guest on the Smashing Security podcast, I can only assume that my wedding invitation was somehow delayed in the international post.
What an event it must have been. I can almost imagine what it must have been like.
Ah, where to begin with this posh British wedding.
Picture an event so lavish that even the royal family would feel a twinge of envy.
The ceremony took place in a centuries-old cathedral, with more gold leaf and stained glass than you can shake a diamond-encrusted
stick at. The bride was, of course, a vision of beauty, stunningly gorgeous and incredibly
intelligent, the kind of woman who makes you question the fairness of the universe.
She had a PhD in something so complex it
made quantum physics look like a children's
book. And the groom?
Well, he was a huge
Doctor Who fan. Yes,
you heard that right.
Now imagine this. The aisle
was flanked by life-size
Daleks. Yes,
Daleks. Because nothing says
eternal love like deadly extraterrestrial robots.
The groom had somehow convinced his stunningly beautiful, highly intelligent bride
to let his Whovian obsession infiltrate every aspect of their wedding.
Kudos to her for her patience, I suppose.
The ceremony itself was officiated by a gentleman dressed as the Fourth Doctor.
Well, of course I can control it.
I kid you not, the man had the scarf, the hat, the whole shebang.
When he said, "Do you take this man to be your husband?"
I half expected him to add, "Allons-y."
During the reception, the groom proudly displayed his TARDIS-shaped cake.
It was an impressive confection, I'll give him that,
but it looked somewhat out of place next to the elegantly draped tables
and the floral arrangements that probably cost more than my car.
The bride's cake, a multi-tiered masterpiece covered in delicate sugar flowers,
stood in stark contrast to the groom's geeky creation.
And let's not forget the wedding
breakfast, which was a gastronomic journey so elaborate it would have made Heston Blumenthal
weep with envy. Among the haute cuisine and deconstructed dishes, there was a small section
of the menu dedicated to delicacies from Gallifrey. Fish fingers and custard, anyone?
The speeches were another highlight. The bride's best
friend gave a heartfelt speech that left everyone reaching for their monogrammed handkerchiefs.
The groom, however, began his with, "As the Doctor would say, we're all stories in the end,
just make it a good one." And I suppose he did make it a good one, if you're into time-traveling aliens.
Then came the first dance.
The bride looked like she floated on air in an exquisite gown.
The groom, bless him, tried to keep up without stepping on her toes.
The song, an orchestral version of the Doctor Who theme.
I could practically hear the collective eye roll from the more traditional guests,
but hey, at least the couple was happy.
As the evening progressed and the champagne flowed, the dance floor became a bizarre mix of posh people
attempting to do the conga line with a Dalek.
Yes, it was as ridiculous as it sounds.
But in the end,
the bride's radiant smile
and the groom's childlike glee
made it clear that, despite the
oddities, they were in it for the
long haul. And isn't that really
what matters?
Our best wishes to the happy couple.
You can hear Graham Cluley on the
Smashing Security podcast,
as well as his latest show, The AI Fix.
We'll have links in the show notes.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of
cybersecurity. If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
We're privileged that N2K Cyber Wire is part of the daily routine
of the most influential leaders and operators
in the public and private sector,
from the Fortune 500 to many of the
world's preeminent intelligence and law
enforcement agencies.
N2K makes it easy for companies to
optimize your biggest investment, your
people. We make you smarter about your
teams, while making your teams
smarter.
Learn how at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester with original music and sound design
by Elliot Peltzman.
Our executive producer is Jennifer Iben.
Our executive editor is Brandon Karp.
Simone Petrella is our president.
Peter Kilpie is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here
tomorrow.
[...] and adaptable. That's where Domo's AI and data products platform comes in. With Domo,
you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents
connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.