CyberWire Daily - Privacy nightmare or useful tool?
Episode Date: May 22, 2024

Some say Microsoft's Recall should be. A breach of a Texas healthcare provider affects over four hundred thousand. Police in the Philippines shut down services following a breach. Ivanti patches multiple products. GitHub fixes a critical authentication bypass vulnerability. Researchers discover critical vulnerabilities in Honeywell's ControlEdge Unit Operations Controller. The DoD releases their Cybersecurity Reciprocity Playbook. Hackers leak a database with millions of Americans' criminal records. Mastercard speeds fraud detection with AI. On our Learning Layer segment, host Sam Meisenberg and Joe Carrigan continue their discussion of Joe's ISC2 CISSP certification journey, diving into Domain 5: Identity and Access Management. Remembering a computing visionary.

Our 2024 N2K CyberWire Audience Survey is underway, make your voice heard and get in the running for a $100 Amazon gift card. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

Learning Layer
On our Learning Layer segment, host Sam Meisenberg and Joe Carrigan continue their discussion of Joe's ISC2 CISSP certification journey using N2K's comprehensive CISSP training course, CISSP practice test, and CISSP practice labs. Joe and Sam dive into Domain 5: Identity and Access Management (IAM) and tackle a question together about biometric configuration. Try the question yourself before listening to the discussion!

You are configuring a biometric hand scanner to secure your data center. Which of the following practices is BEST to follow?
A. Decrease the reader sensitivity
B. Increase the FAR
C. Decrease the FRR
D. Increase the reader sensitivity

Selected Reading
UK watchdog looking into Microsoft AI taking screenshots (BBC)
How the new Microsoft Recall feature fundamentally undermines Windows security (DoublePulsar)
CentroMed Confirms Data Breach Affecting an Estimated 400k | Console and Associates, P.C. (JDSupra)
PNP suspends online services amid data breach probe (Philippine News Agency)
Ivanti Patches Critical Code Execution Vulnerabilities in Endpoint Manager (SecurityWeek)
Critical SAML Auth Bypass Vulnerability Found in GitHub Enterprise Server (Heimdal Security)
Critical Vulnerability in Honeywell Virtual Controller Allows Remote Code Execution (SecurityWeek)
DoD CIO debuts cybersecurity reciprocity playbook to streamline system authorizations, boost cybersecurity efficiency (Industrial Cyber)
Criminal record database of millions of Americans dumped online (Malwarebytes)
Mastercard Doubles Speed of Fraud Detection with Generative AI (Infosecurity Magazine)
Gordon Bell, Legendary Designer of Computers, Dies at 89 (Gizmodo)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K. of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me.
I have to say, Delete.me is a game changer. Within days of signing up, they started removing my
personal information from hundreds of data brokers. I finally have peace of mind knowing
my data privacy is protected. Delete.me's team does all the work for you with detailed reports
so you know exactly what's been done. Take control of your data and keep your private life JoinDeleteMe.com slash N2K and use promo code N2K at checkout.
The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout.
That's JoinDeleteMe.com slash N2K, code N2K.
Some say Microsoft's Recall should be...
A breach of a Texas healthcare provider affects over 400,000.
Police in the Philippines shut down services following a breach.
Ivanti patches multiple products.
GitHub fixes a critical authentication bypass vulnerability.
Researchers discover critical vulnerabilities in Honeywell's ControlEdge Unit Operations Controller.
The DoD releases their cybersecurity reciprocity playbook.
Hackers leak a database with millions of Americans' criminal records.
Mastercard speeds fraud detection with AI.
In our Learning Layer segment,
host Sam Meisenberg and Joe Carrigan
continue their discussion of Joe's CISSP certification journey,
diving into Domain 5, identity and access management,
and remembering a computing visionary.
It's Wednesday, May 22nd, 2024. I'm Dave Bittner, and this is your CyberWire
Intel briefing. Thanks for joining us once again here today. It is great to have you with us.
The UK's Information Commissioner's Office is questioning Microsoft about its new feature, Recall, which takes
frequent screenshots on new Copilot Plus PCs. Privacy advocates are concerned about potential
risks, calling it a privacy nightmare. Microsoft states that Recall is optional, keeps data local,
and is designed with privacy in mind. Users can control what Recall captures,
and private browsing on Edge is excluded. However, the ICO emphasizes the need for
rigorous risk management assessments before product releases. Recall allows users to search
past activity, including files and browsing history, by capturing screenshots every few seconds.
Critics warn this could deter people from accessing sensitive information.
Legal experts express concerns over privacy and consent,
especially regarding confidential and proprietary information.
Additionally, Mozilla's privacy team highlighted that stored screenshots could expose sensitive data like passwords and
financial information if a hacker gains physical access to the device. This raises further security
concerns given the history of InfoStealer malware targeting local data. Overall, while Microsoft
assures users of built-in privacy protections, critics argue that Recall could significantly undermine security and privacy,
urging consumers to disable the feature unless significant changes are made.
My favorite online comment I've seen so far suggested that maybe,
through the deployment of Recall,
perhaps Microsoft will make it the year of Linux on the desktop.
On Monday, CentroMed, a supplier of health care services in Texas,
reported a data breach to the Texas Attorney General
after discovering unauthorized access to sensitive patient information.
This breach included names, addresses, dates of birth, social security numbers,
financial account details, medical records, health insurance
info, and treatment information. The breach, detected on April 30th of this year, impacted
approximately 400,000 individuals. CentroMed has notified affected patients, advising them to be
vigilant against fraud and identity theft. This incident is separate from a prior breach on June 12, 2023,
which affected 350,000 Texans. The Philippine National Police, the PNP, has indefinitely
suspended all online services following an alleged breach of its online systems,
including the Firearms and Explosives Office and the Logistics Data Information and Management System.
PNP spokesperson Colonel Jean Fajardo announced the suspension as a precaution to enhance security and integrity.
Frontline services remain available at regional offices.
The PNP is coordinating with the Department of Information and Communications Technology
to investigate and prevent further data exposure.
The hacker FINZ has been identified as the perpetrator, with potential links to breaches in other government agencies.
Ivanti released patches for multiple products, addressing critical vulnerabilities in Endpoint Manager.
Six SQL injection flaws in EPM with a CVSS score of 9.6 were fixed.
These bugs could allow unauthenticated attackers to execute arbitrary code.
Ivanti also patched an unrestricted file upload vulnerability in Avalanche and several other high-severity flaws.
No evidence suggests these vulnerabilities have been exploited.
Ivanti reaffirmed its commitment to enhancing security
and vulnerability management practices.
GitHub fixed a critical authentication bypass vulnerability
in GitHub Enterprise Server,
affecting instances using SAML single sign-on with encrypted assertions.
Exploiting this flaw could allow attackers to spoof SAML responses,
gaining administrator rights and full access without authentication.
The vulnerability was reported through GitHub's bug bounty program.
Users are advised to update promptly to secure their systems.
Cybersecurity firm Claroty discovered critical vulnerabilities
in Honeywell's ControlEdge Unit Operations Controller,
including one which allows arbitrary code execution via an undocumented function.
Another flaw involves path traversal, enabling file reading.
These vulnerabilities could let attackers gain
full control of controllers. Claroty reported these issues, leading Honeywell to release
patches and advisories. Additionally, CISA published an advisory covering 16 vulnerabilities
in Honeywell's systems, primarily discovered by Armis, which could expose sensitive information
or allow privilege escalation.
The U.S. Department of Defense Chief Information Officer announced the release of the DOD Cybersecurity Reciprocity Playbook,
providing guidance on implementing cybersecurity reciprocity within DOD systems.
The playbook outlines benefits, risks, and example use cases, emphasizing the reuse of security authorization packages to save time and resources.
It highlights the importance of cooperation and trust among authorizing officials for efficient system authorization.
The playbook aims to enhance cybersecurity posture by promoting interagency collaboration and standardizing security practices.
A cybercriminal known as EquationCorp and USDoD has leaked a database they claim contains the criminal records of millions of Americans, with 70 million rows of data from 2020 to 2024.
The data includes full names, birthdates, aliases, addresses,
arrest and conviction dates, and sentences. The source of the data is so far unknown.
Observers wonder if USDoD, linked to the original BreachForums and involved in a
TransUnion breach, may use this leak to attract users for a new data leak site.
Mastercard says they're deploying generative AI to enhance their fraud detection capabilities,
doubling the speed at which they identify compromised cards. This technology scans transaction data across billions of cards and millions of merchants,
better predicting card details and alerting Mastercard to new fraud
patterns. It reduces false positives by up to 200% and increases the speed of identifying
at-risk merchants by 300%. The AI solution targets the growing issue of stolen card numbers being sold online.
Coming up after the break, Sam Meisenberg and Joe Carrigan
continue their discussion of Joe's CISSP certification journey. Stay with us.
Transat presents a couple trying to beat the winter blues.
We could try hot yoga.
Too sweaty.
We could go skating.
Too icy.
We could book a vacation.
Like somewhere hot.
Yeah, with pools.
And a spa.
And endless snacks.
Yes! Yes! Yes!
With savings of up to 40% on Transat South packages, it's easy to say, so long to winter.
Visit Transat.com or contact your Marlin travel professional for details.
Conditions apply.
Air Transat. Travel moves us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their
controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30
frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access
reviews, and reporting, and helps you get security questionnaires done
five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, already been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
On today's Learning Layer segment, host Sam Meisenberg is joined by Joe Carrigan,
my co-host on Hacking Humans. They continue their discussion of Joe's CISSP certification journey, diving into Domain 5, Identity and Access Management.
Welcome back to Learning Layer.
On this segment, we're going to continue our conversation with Joe Carrigan
as he gets ready for his CISSP exam.
So, Joe, welcome back.
Welcome to Domain 5.
Domain 5.
Well, what did you think? Like we said last time, it's different vibes than the more technical 3 and 4.
It is. It's the authentication chapter, if you will. The authentication, authorization,
the AAA, and the identity. It's all about identity management.
Yep.
Yep. So, I thought it would be a good idea to sort of talk about Domain 5
by just going super deep and doing a question together.
So, okay.
Why don't you start?
And we're on a podcast here, so we got to read the question to the audience.
All right.
We'll make sure it's on the YouTube page as well.
But so why don't
you do two things? Read me the question, and then maybe tell me in real time what's going
through your head as you're approaching this question. Okay. So the question starts off with,
you are configuring a biometric hand scanner to secure your data center, right? So immediately the first thing goes through my head
is my objection to biometrics from a security standpoint,
and that is that they are immutable.
Yeah, right.
But I have lost this debate and it's over,
so I must accept it and move on.
Wow, that's very mature.
Everybody is all in on biometrics.
They are pretty good,
but I don't think they're the panacea that they plan to be.
But they're good.
They are good.
Which of the following practices is best to follow?
So, which of the following practices is best to follow?
That's immediately that.
Now, I'm looking for, there are a bunch of different things you can do with a hand scanner when you're administering it.
So now they're asking what is the best one to follow.
There's a key detail buried in the first sentence that I think is going to be important for this question.
And even if we're wrong and that detail is not important, that's fine.
We are like actively engaging with the question.
Okay.
Can I guess what it is?
Please.
Yes, go.
Is it that you are actually configuring the hand scanner? Is that the detail?
You're adjusting the settings on the hand scanner.
So that's half of it.
Okay.
In that you're right, you have some sort of control.
Because like you said, everybody thinks biometric is just the end-all be-all,
but it's still prone to human configuration, right? So
that's the first half. But where, what's the setting? Where are we configuring this?
For a data center.
And what do we, okay, sorry. Let me ask the obvious question. And why does that matter?
That matters. And that's, I shouldn't just say data center, right? Well, your question is
absolutely 100% important.
Because if I'm just accessing or doing this for access to the building in general,
and there are secondary security things in place,
I may not have the same level of scrutiny on the biometric for the front door that I do for the data center.
The data center is going to be much more important to me.
It's a higher valued asset
than somebody coming in the front door
because that's where everything lives, right?
One of my most important assets, my data, live there.
That's why, I mean, they call the data center,
it's really like a server farm, right?
A little mini server farm.
But I think calling it a data center is a good idea because your data is physically there.
Yep.
And the other thing that you sort of mentioned,
that you started to hint at, but to make it explicit,
is you're probably going to have fewer individuals
who should be attempting to access your data center than those who,
in your example, are just coming to the building.
Right.
So why don't you read A?
So A is decrease the reader's sensitivity.
Reject this one right away.
Right.
Why?
Because if you decrease the sensitivity, you increase the opportunity for a type two error,
the false, no, yes,
the false authentication error.
You're effectively increasing
what is called the FAR,
which is the false access rate.
False acceptance rate.
Acceptance rate.
But yeah, but you're thinking
about the right way, right?
Because somebody who should not be accepted
was accepted. So that's an FAR. So what's
the type one? What's an FRR? That is a false rejection. Okay. So if you're falsely rejected,
meaning what? Meaning that you should have been granted access, but were not.
What's the difference? What are the consequences of a type one versus type two error? So a type
one error is somebody is, you've rejected something you shouldn't have,
which means somebody can't do their job.
Okay.
That's the worst case scenario.
Right.
Now, depending on the state of urgency,
maybe that's really, really bad.
So you have other things in place.
But generally speaking,
like if I'm just going into a server room
to check on the status of a server,
I touch the palm scanner, I get a rejection.
I go, that's funny.
I try again.
I get a rejection.
Maybe I wipe my hands off, clean it up.
And then I get allowed in.
Okay, no big deal.
I've lost however long it takes me to do it twice.
The false acceptance rate has, or false acceptance has, or authorization or whichever,
has a much higher consequence in that a potential malicious actor, somebody who should not be in the area that
you're protecting with this device, is in there. That's very, very bad. Type one error rate
is an inconvenience.
Yes.
Maybe a headache.
Yep.
Type two, you got a data breach. Could be disastrous.
Yeah.
Right.
Okay.
So it sounds like,
if I could say this back to you,
what our goal in this situation should be
is basically try to reduce the FAR
or configure the sensitivity in such a way
where we reduce the FAR.
Correct.
So, Joe, I'm looking at the question,
what's the problem?
That's not an answer choice.
The perfect answer
that we just did all
this work predicting and figuring out is not one of the choices. No, in fact, the very next choice
is increase the FAR, which is the same thing as decreasing the reader sensitivity. Right. So,
I reject that one out of hand as well. Good. So, now I'm down to two. Okay. All right. So,
the next one is decrease the FRR, which is the false rejection rate. So,
now I'm going to not inconvenience my administrators as much. They're going to
have easier access. But every time you decrease the FRR, you are potentially increasing the FAR.
Generally speaking, decrease the FRR is essentially the same as increasing the FAR. I love what you just
said. What do you notice about A, B, and C? They are all the same. They're all the same. Right.
There are three ways of saying the same thing. And by the way, if one of them is wrong,
so are the other two. Right. So that leaves us with D, which is the right answer, which is? Increase the reader sensitivity. A.K.A. decrease the FAR.
Correct. A.K.A. decrease the type 2 errors.
Right. So that's
the answer. And that is how you do
a question. Okay. That is how. And look, if you're following
along at home, you're probably like, well, that took a long time.
It took like six minutes. But obviously,
we were talking out loud. We were thinking out loud.
And the point that I want to emphasize
is you can actually, you've got to slow
down to speed up. Doing that pre-work
before you get the answer choices is actually
going to speed you up on test day.
Excellent. I'm looking forward to that.
It should be soon.
Very soon, Sam.
Very soon.
So, Joe, good work.
Keep up the good work, and we'll see you next time for Domain 6.
All right. That's Sam Meisenberg joined by Joe Carrigan.
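To make the trade-off Joe and Sam work through concrete, here is a short worked example written for this page (it is not code from N2K, the episode, or any scanner vendor). It treats the reader's sensitivity as a match-score threshold, sweeps that threshold over constructed genuine and impostor scores, and reports FAR (type II, impostors accepted) and FRR (type I, legitimate users rejected) at each setting. The scores, the 0-100 scale, the crossover rule and the asset-based policy in choose_threshold_for are all assumptions made for the illustration.

```python
# Added example (not from the episode): how raising a biometric reader's
# sensitivity (its match threshold) lowers FAR at the cost of FRR.
# All scores below are constructed sample data, not real scanner output.

from typing import Iterable, List, Sequence, Tuple

# Constructed similarity scores on a 0-100 scale; higher = closer match.
# "Genuine" = enrolled users presenting their own hand, "impostor" = anyone else.
GENUINE_SCORES: Sequence[int] = (62, 70, 74, 78, 81, 85, 88, 90, 93, 96)
IMPOSTOR_SCORES: Sequence[int] = (12, 25, 33, 41, 48, 55, 60, 66, 71, 79)

# Candidate sensitivity settings (thresholds) to sweep.
THRESHOLDS = range(50, 100, 5)


def far_frr(genuine: Iterable[int], impostor: Iterable[int], threshold: int) -> Tuple[float, float]:
    """Return (FAR, FRR) for a reader that accepts any score >= threshold.

    FAR, false acceptance rate (type II error): impostors wrongly accepted.
    FRR, false rejection rate (type I error): genuine users wrongly rejected.
    """
    genuine = list(genuine)
    impostor = list(impostor)
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def sweep(genuine: Sequence[int], impostor: Sequence[int],
          thresholds: Iterable[int]) -> List[Tuple[int, float, float]]:
    """(threshold, FAR, FRR) for each setting; a higher threshold = more sensitive reader."""
    return [(t, *far_frr(genuine, impostor, t)) for t in thresholds]


def crossover_threshold(genuine: Sequence[int], impostor: Sequence[int],
                        thresholds: Iterable[int]) -> int:
    """Threshold where FAR and FRR are closest (the crossover error rate, CER)."""
    def gap(t: int) -> float:
        far, frr = far_frr(genuine, impostor, t)
        return abs(far - frr)
    return min(thresholds, key=gap)


def choose_threshold_for(asset: str, genuine: Sequence[int], impostor: Sequence[int],
                         thresholds: Iterable[int]) -> int:
    """Assumed policy for the example: for a high-value asset (the data center)
    pick the lowest threshold that drives FAR to zero, accepting more false
    rejections; for anything else sit at the crossover point."""
    thresholds = list(thresholds)
    if asset == "data_center":
        return min(t for t in thresholds if far_frr(genuine, impostor, t)[0] == 0.0)
    return crossover_threshold(genuine, impostor, thresholds)


if __name__ == "__main__":
    print("threshold  FAR   FRR")
    for t, far, frr in sweep(GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS):
        print(f"{t:>9}  {far:.1f}   {frr:.1f}")
    print("crossover (lobby door):", crossover_threshold(GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS))
    print("data center setting:  ", choose_threshold_for("data_center", GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS))
```

Running the sweep shows FAR falling and FRR rising as the threshold climbs, which is why answer choices A, B and C (lower sensitivity, higher FAR, lower FRR) all move the reader in the same direction and why the data-center setting lands above the crossover point rather than at it.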
a full suite of solutions designed to give you total control, stopping unauthorized applications,
securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And finally, C. Gordon Bell, a true visionary in the world of computing,
passed away on May 17th at the age of 89.
Bell, often called the Frank Lloyd Wright of computers,
made profound contributions to the technology landscape.
Educated at MIT, Bell began his groundbreaking career at Digital Equipment Corporation in 1960,
where he designed the PDP-8, the first commercially successful minicomputer.
Introduced in 1965, the PDP-8 revolutionized computing by offering a smaller, more affordable
alternative to the massive, costly computers of the time. Bell's innovations extended beyond hardware:
he was pivotal in the early days of the ARPANET, the precursor to the modern internet. His visionary
approach continued throughout his career, from leading research and development at Digital Equipment Corporation to advising and joining Microsoft, where he further explored the frontiers of technology.
One of Bell's most forward-thinking projects was MyLifeBits, an experiment in capturing and documenting every aspect of his daily life digitally.
This concept, which seemed fantastical at the time,
anticipated the data-rich, interconnected world we live in today.
Born in Kirksville, Missouri,
Bell overcame significant childhood health challenges,
channeling his early interest in electronics into a lifelong passion for innovation.
His legacy includes not only the technological advancements he spearheaded,
but also his enduring influence on the computing world.
Bell's work has left an indelible mark on the industry,
inspiring future generations to think creatively
and push the boundaries of what technology can achieve.
His visionary spirit and contributions will be remembered and celebrated for years to come.
And that's The CyberWire. For links to all of today's stories, check out our daily briefing
at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver
the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
We're privileged that N2K CyberWire is part of the daily routine
of the most influential leaders and operators
in the public and private sector,
from the Fortune 500
to many of the world's preeminent
intelligence and law enforcement agencies.
N2K makes it easy for companies
to optimize your biggest investment,
your people.
We make you smarter about your teams
while making your teams smarter.
Learn how at N2K.com.
This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music and
sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor
is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher.
And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.