CyberWire Daily - Push notifications pushing surveillance.
Episode Date: December 6, 2023

Governments target push notification metadata. Dissecting the latest GRU cyber activities. A look at Russia's AI-powered Doppelgänger influence campaigns, and how cyber warfare is evolving beyond the battlefield. We've got updates on the Adobe ColdFusion vulnerability, the expanding 23andMe data breach, and insights into the financial impacts of ransomware. Our guest is Camille Stewart Gloster, Deputy National Cyber Director for Technology & Ecosystem Security from the Office of the National Cyber Director at the White House. Plus, discover how the TSA is embracing AI for future security.

CyberWire Guest
Our guest is Camille Stewart Gloster, Deputy National Cyber Director, Technology & Ecosystem Security from the Office of the National Cyber Director at the White House. Camille shares her views on women in cybersecurity, their efforts in diversity, equity and inclusion and what she sees for the future.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/231

Selected Reading
Governments spying on Apple, Google users through push notifications - US senator (Reuters)
Obfuscation and AI Content in the Russian Influence Network “Doppelgänger” Signals Evolving Tactics (Recorded Future)
Russian AI-generated propaganda struggles to find an audience (CyberScoop)
How cybersecurity teams should prepare for geopolitical crisis spillover (CSO)
Russia’s Fancy Bear launches mass credential collection campaigns (CSO)
The Dragos Community Defense Program Helps Secure Industrial Infrastructure for Small Utilities (Dragos)
Threat Actors Exploit Adobe ColdFusion CVE-2023-26360 for Initial Access to Government Servers (CISA)
CVE-2023-26360 Detail (NIST)
SEC on 23andMe breach (SEC)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Governments target push notification metadata,
dissecting the latest GRU cyber activities,
a look at Russia's AI-powered Doppelgänger influence campaigns,
and how cyber warfare is evolving beyond the battlefield.
We've got updates on the Adobe ColdFusion vulnerability, the expanding 23andMe data breach,
and insights into the financial impacts of ransomware.
Our guest is Camille Stewart Gloster,
Deputy National Cyber Director for Technology and Ecosystem Security
from the Office of National Cyber Director at the White House.
Plus, discover how TSA is embracing AI for future security.
It's Wednesday, December 6, 2023.
I'm Dave Bittner, and this is your CyberWire Intel Briefing. We begin today with news from Reuters that U.S. Senator Ron Wyden has raised concerns about governments using smartphone app push notifications for surveillance.
In a letter to the Department of Justice, he indicated that foreign officials were requesting data from
Google and Apple. This method of surveillance takes advantage of the fact that most push
notifications for emails, messages, or updates pass through Google and Apple's servers. This
access provides these companies, and potentially governments, with insights into app usage and
user interactions. Wyden urged the Department
of Justice to revise policies that restrict public disclosure of this surveillance method.
Apple responded, stating that the letter allows them to disclose more about government monitoring
of push notifications. Previously, they were prohibited from sharing this information,
but now plan to update their transparency reports accordingly.
The Department of Justice and Google have not commented on the issue.
The letter's claims are based on a tip confirmed by a source familiar with the matter,
who revealed that both foreign and U.S. agencies have sought metadata related to push notifications to link anonymous app users to
specific Apple or Google accounts. The foreign governments involved are described as U.S. allies
and democracies, but they were not specifically identified. This surveillance practice has gone
largely unnoticed by most users. However, concerns have been raised about the inherent privacy issues,
as highlighted by French developer David Lebeau earlier this year. He labeled push notifications
as a privacy nightmare due to the data emission to U.S. tech giants, underscoring the need for
awareness and transparency in how apps handle user data and interact with large technology companies.
Recorded Future's Insikt Group has observed an evolution in Russia's Doppelgänger influence
operation, which now utilizes generative AI to create fake news and opinion stories on a large
scale. This operation, targeting audiences in Ukraine, Germany, and the U.S., disseminates typical Russian propaganda themes, such as anti-LGBTQ messages, criticism of U.S. military competence, highlighting U.S. political divisions, and pointing out German social and economic issues.
According to CyberScoop, while this AI-driven disinformation campaign has achieved only limited success, its use of advanced technology to mass-produce false content represents a significant development in the field of digital propaganda and misinformation.
The conflicts in Ukraine and between Hamas and Israel demonstrate the growing role of cyberspace in warfare, as outlined in a CSO essay. This spillover into cyberspace requires security teams to be vigilant
against cyber attacks. The essay stresses the importance of sound risk management practices
for both public and private sectors, urging cybersecurity teams to adapt to changing
geopolitical landscapes through simulation and information sharing.
Notably, external states like Iran have exploited vulnerabilities such as in U.S. utilities' PLCs.
In Russia's hybrid warfare, state security services and auxiliary hacktivist and criminal groups like Fancy Bear play active roles in cyber attacks.
A crucial lesson from these conflicts is the need for public-private cooperation in cyberspace. An example is Dragos' community defense program, which supports small utilities with training and
information sharing, especially in water and power sectors, highlighting collaboration as a key defense against evolving cyber threats.
CISA has issued a cybersecurity advisory confirming the exploitation of a vulnerability
in Adobe ColdFusion within a federal civilian executive branch agency. This vulnerability
allows for arbitrary code execution due to improper access control.
The advisory details two incidents in June where Microsoft Defender for Endpoint detected potential exploitation on public-facing web servers of two unnamed agencies.
These incidents are believed to be reconnaissance efforts aimed at mapping the agency's networks
for potential further exploitation.
The identity of the attackers, or whether the same threat actor was involved in both cases, remains unknown.
CISA's advisory includes risk mitigation recommendations applicable to both FCEB agencies and general users of ColdFusion: update software, network segmentation,
enforcement of signed software
execution policies, and firewall usage.
23andMe, the DNA and ancestry tracing firm,
recently amended its Form 8-K filed with the SEC, revealing a more extensive breach than initially
reported. Originally disclosed as a credential stuffing attack
affecting 0.1% of user accounts, the breach actually exposed data on approximately 6.9
million individuals. The attackers gained access through reused customer passwords
and then accessed files related to the DNA relatives feature, sharing some users' ancestry profile information online.
The compromised data, now offered for sale on breach forums, includes display names, sex,
birth year, and general genetic ancestry information. Fortunately, no actual genetic
data was compromised. The stolen information, while not highly valuable, could potentially be used in affinity scams,
exploiting shared cultural or ethnic backgrounds to deceive victims.
This incident highlights the risks of password reuse and the broader implications of data breaches,
where even seemingly innocuous information can be manipulated for social engineering schemes.
Claroty's survey on ransomware attacks in the industrial sector reveals that 75% of organizations faced such attacks in the past year. Of those affected, 69% paid the ransom, and over half of
these companies experienced financial repercussions exceeding $100,000. The survey also highlights
that 45% of respondents consider TSA security directives as having the most significant impact
on their security priorities and investments. These findings underscore the widespread and
costly impact of ransomware attacks in the industrial sector, and the importance of adhering to stringent security measures and standards.
A report from Cycode on application
security posture management reveals a notable trend in the AppSec field, where teams are
overwhelmed by the abundance of security tools. The study found that 95% of AppSec teams used over 20 different security tools, and 70% have more than 40 tools at their disposal.
However, this proliferation of tools is not necessarily beneficial.
In fact, 78% of surveyed security professionals find managing multiple security tools challenging,
indicating that the excessive number of tools contributes to a sense of being overwhelmed rather than improving security efficacy. This data highlights
a critical issue in the application security domain where the complexity of security tool
management can impede effective security operations. ZeroFox's analysis of the LockBit ransomware-as-a-service operation reveals that it accounted for 25% of all ransomware and digital extortion attacks in North America in 2023.
The study predicts that LockBit will increasingly target North American entities in the upcoming quarters, maintaining its position as the primary ransomware and digital extortion threat in the
region. The frequency of these attacks is expected to remain high, with the proportion of LockBit
attacks in North America likely surpassing the global average. This forecast underscores the
growing concern over LockBit's activities and its significant impact on North American cybersecurity.
Coming up after the break, my conversation with Camille Stewart Gloster,
Deputy National Cyber Director in Technology and Ecosystem Security at the White House's Office of the National Cyber Director.
Stay with us.
Camille Stewart Gloster is Deputy National Cyber
Director for Technology and Ecosystem Security from the Office of the National Cyber Director,
which is to say she has a very important and influential seat at the table
at the White House, advising and advocating on cybersecurity policy. We're grateful that she
agreed to spend some time with us and to describe her efforts, starting with where she believes we
stand with cyber at this particular moment in time.
We are at an inflection point. We have, I mean, the president talks about this decisive decade and putting out so much policy and work into building out our workforce in general and specifically focused on cyber.
and education strategy. We've released all this money that has been focused on building out our infrastructure through the CHIPS Act and the bipartisan infrastructure law, et cetera.
But all of those things call out special focus on workforce, and part of that workforce is
cyber workforce. And so these monumental investments provide us an opportunity to really
be intentional about how we make investments,
how we bring people along for the journey, and how we build out a workforce that can be
responsive to the changing technological needs that we have as a society.
Technology underpins everything, and it is a great opportunity to amplify the best and the
worst of what's going on.
And if we lean into focusing on that best, that means bringing every perspective to bear on the challenges and opportunities present.
And so making sure that women are a part of that, making sure diverse communities are a part of that has to be something we need to be intentional about.
As someone who has that behind the scenes seat at the table there among your colleagues at the White House, can you give us some insights as to
what the process is like? How does President Biden and the folks working with him, how do they make
sure that they're being intentional and really making a difference when it comes to these
efforts toward diversity and equity?
I mean, there are a number of different components within the executive office of the president that are focused on different groups. So we've got the Gender Policy Council, we have cyber, which
already has a mandate across diversity. We have initiatives like the White House API initiative. And the president has been really intentional
about standing up initiatives, groups,
policy councils focused on demographics
that need additional support or investment.
And so we come together quite a bit,
whether it's in the name of cyber workforce
or we're thinking about chips
or we're thinking about bipartisan infrastructure law. How do we bring our specific expertise to bear in service of those communities,
in service of the whole? So there's a real coming together of experts who focus on gender every day,
focus on these communities every day, and then on that content area.
For the folks in our audience, how do you recommend that they best interface with these programs that the White House is putting out there?
So we are really excited because the implementation of the National Cyber Workforce and Education
Strategy is multifaceted. There is a federal component for sure, but most of the work, quite frankly,
is focused on nonprofits, private sector, state and local, academia, all of the partners that
help build out a broader technological ecosystem, a workforce ecosystem. And so in support of that,
we have been doing a lot of work to understand how different organizations want to implement the workforce strategy, to provide tools to help do that, and to get out into burgeoning ecosystems, to strong ecosystems, to help spark support or elevate good work going on across the nation and internationally for that matter.
And so there are a lot of opportunities to plug in.
You can go to whitehouse.gov slash cyber workforce and take a look at some of the work that we've been doing.
You can invite us to come to your cyber workforce ecosystem
if there is one, or if you think there should be one
and need some support.
And then also we do a lot
of direct one-to-one engagement to understand the programs that are working, how they can scale,
and really be able to spread best practices and lessons learned throughout the community.
There's certainly been a lot that the administration has achieved. What do you see coming here? Are there things
on your list that you hope we get done as we look towards the horizon?
Yeah, a focus on data has been a priority for me. I think there's been a clamoring from the
industry to really understand the cyber workforce better. Where are there gaps? What programs are
working? Should we focus on retention or recruitment? Should we focus on mid-career, early career, later in your career?
So I think really understanding the data will be helpful.
We've got a lot of new technologies emerging.
One of the things that we were intentional about with writing the National Cyber Workforce and Education Strategy
was making it technology agnostic, much like the National Cybersecurity Strategy. And so as we think about the AI workforce,
the quantum workforce, all of these burgeoning technologies that will change the very nature
of how we operate and then, of course, of work, applying this strategy to those areas
and seeing how the work that we are investing in now will create the agility to be responsive to the new skill sets that are necessary to answer the call, to understanding of changing landscape.
I'm really excited about the investment that we're making there and the collaboration across groups that will help facilitate effectively doing that, building that agility.
Those are two things I'm really excited about.
What is your message to that person who's considering a move
into cybersecurity? And I'm specifically thinking about maybe that young woman who's coming up from
school or maybe someone who's considering a career shift. Do you have any words of wisdom or
thoughts of encouragement?
Yes, join us. Whatever your
skill set is, whether you were exploring a variety of things in school or you are thinking about
transitioning your career, cybersecurity is a multidisciplinary space where whether you are
very technical or you have a focus on marketing or a focus on the law or society or psychology, whatever,
there is an opportunity to blend that with the technical acumen to be able to understand to what is increasingly becoming
an underlying calculus in every decision that we make, right?
And so do not ever self-select out.
If you think that you don't want to be a technologist,
you don't have to be.
You don't have to be an engineer to work in cybersecurity.
There's probably a way for you to leverage that
skill set, that insight that you have about a different industry, a different community,
and overlay that with cybersecurity knowledge and be a contributing member of this ecosystem.
And I will also mention that there are a lot of good paying jobs in this space.
And so you will be paid and rewarded
for all of your hard work and expertise.
That's Camille Stewart Gloster,
Deputy National Cyber Director
for Technology and Ecosystem Security
from the Office of the National Cyber Director.
And finally, the Transportation Security Administration, the TSA,
is gearing up to integrate artificial intelligence across its operations,
aiming to enhance passenger screening and threat detection.
Kristen Ruiz, deputy CIO of TSA, spoke about the future of U.S. travel powered by AI advancements
during the GovAI Summit in Arlington, Virginia. The agency envisions using AI to refine baggage scanning with advanced
image recognition and improve training through generative AI and simulation technologies.
Last year, TSA's Identity Management Roadmap highlighted the potential of digital identity,
AI, machine learning, and blockchain for efficient identity management solutions.
This aligns with the agency's ongoing use of AI for facial recognition and machine learning in screening processes at
airports. Ruiz discussed AI applications that could reduce redundancies for TSA agents and
offer travelers a smoother experience, including pre-processed baggage scans and streamlined
contactless identification methods. The TSA's move towards AI integration and travel security
isn't just a flight of fancy. It's a tech-savvy leap towards ensuring that the future of flying
is as smooth as an automated baggage carousel.
And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Please take a few minutes and submit the survey in the show notes.
Your feedback ensures we deliver the information that keeps you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like the CyberWire
are part of the daily intelligence routine of many of the most influential leaders
and operators in the public and private sector,
as well as the critical security teams supporting the Fortune 500
and many of the world's
preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence
optimizes the value of your biggest investment, your people. We make you smarter about your team
while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Ervin.
Our mixer is Trey Hester with original music by
Elliot Peltzman. Our executive producers are Jennifer Iben and Brandon Karp. Our executive
editor is Peter Kilby, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.