CyberWire Daily - Read all about it—or maybe not.
Episode Date: February 10, 2025

A cyberattack disrupts newspaper publishing. A major AI summit takes place in Paris this week. A federal judge restricts DOGE from accessing Treasury Department systems. Cybersecurity cooperation between Canada and the U.S. remains strong. The Kraken ransomware group leaks credentials allegedly linked to Cisco. Europol urges banks to start preparing for quantum-safe cryptography. Microsoft expands its Copilot bug bounty program. The PlayStation Network (PSN) experienced a major outage over the weekend. Indiana man sentenced to 20 years for $37m cryptocurrency fraud. Our guest is Mike Woodard, VP of Product Management for App Security at Digital.ai, sharing strategies to minimize risk when implementing AI. Hunting for length and complexity in WiFi passwords.

CyberWire Guest
Our guest is Mike Woodard, VP of Product Management for App Security at Digital.ai, sharing strategies to minimize risk when implementing AI to enhance security.

Selected Reading
Cyberattack Disrupts Publication of Lee Newspapers Across the U.S. (New York Times)
Trump’s AI Ambition and China’s DeepSeek Overshadow an AI Summit in Paris (SecurityWeek)
Musk Team’s Treasury Access Raises Security Fears, Despite Judge’s Ordered Halt (New York Times)
In Breaking USAID, the Trump Administration May Have Broken the Law (ProPublica)
Judge: DOGE made US Treasury ‘more vulnerable to hacking’ (The Register)
Cisco Data Breach – Ransomware Group Allegedly Breached Internal Network (GB Hackers)
Europol Warns Financial Sector of “Imminent” Quantum Threat (Infosecurity Magazine)
Trade war or not, Canada will keep working with the U.S. on cybersecurity (The Logic)
Microsoft Expands Copilot Bug Bounty Program, Increases Payouts (SecurityWeek)
PlayStation Network Down; Outage Leaves Gamers Frustrated (Updated) (HackRead)
Indiana Man Sentenced to 20 Years in Federal Prison for Conspiracies Involving Cyber Intrusion and a Massive $37 Million Cryptocurrency Theft (DataBreaches.Net)
The World's Longest and Strongest WiFi Passwords (InfoSec Write-ups)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network powered by N2K.
A cyber attack disrupts newspaper publishing.
A major AI summit takes place in Paris this week.
A federal judge restricts DOGE from accessing Treasury Department systems.
Cyber security cooperation between Canada and the US remains strong.
The Kraken ransomware group leaks credentials allegedly linked to Cisco.
Europol urges banks to start preparing for quantum safe cryptography.
Microsoft expands its Copilot bug bounty program.
The PlayStation Network experienced a major outage over the weekend. An Indiana man has been sentenced to 20 years for $37 million of cryptocurrency fraud.
Our guest is Mike Woodard from Digital.ai, sharing strategies to minimize risk when implementing
AI, and hunting for length and complexity in Wi-Fi passwords.
It's Monday, February 10th, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today.
It is great to have you with us.
A cyber attack last week disrupted operations at Lee Enterprises, a major news media company
owning over 70 daily newspapers and 350 other publications across 25 states.
The attack caused printing delays, website issues,
and forced some newspapers to publish smaller editions.
Papers like The Daily Progress and The La Crosse Tribune
couldn't print for days,
while The Press of Atlantic City
had been unavailable to print
since February 1st. Some subscribers also faced access issues online.
Lee Enterprises confirmed the cybersecurity event and notified law enforcement, but did
not disclose the cause or perpetrator. The Omaha World Herald continued publishing but with modified editions,
and the Buffalo News faced delays and altered content layouts.
Despite these setbacks, editors assured readers that normal service would resume as soon as possible.
The company is still investigating the incident,
emphasizing the complexity of such cyber attacks, which may take weeks to resolve.
A major AI summit in Paris will bring together world leaders, tech executives, and researchers
to discuss the future of artificial intelligence.
Hosted by French President Emmanuel Macron and Indian Prime Minister Narendra Modi, the
event aims to balance AI's potential benefits with its risks.
The summit follows previous AI governance meetings but seeks broader commitments on
ethics, safety, and sustainability.
A major focus is China's DeepSeek chatbot, which challenges US dominance in AI.
Meanwhile, President Trump's AI policies, emphasizing deregulation and U.S. supremacy,
may hinder global consensus.
France hopes to position Europe as a key AI player, supporting open-source initiatives
like startup Mistral.
However, tensions between the EU and U.S. tech giants could complicate agreements.
A federal judge has ordered Elon Musk's Department of Government Efficiency, DOGE, to cease accessing
Treasury Department systems over cybersecurity concerns.
Judge Paul A. Engelmayer ruled that Musk's team risked exposing sensitive financial data
and making Treasury systems more vulnerable to hacking.
The ruling follows concerns from 19 state attorneys general who argued that Musk's
access violated federal laws and the Constitution.
The controversy stems from the Trump administration's granting Musk's team, composed of young coders,
access to Treasury's payment systems with minimal vetting.
Experts warn this could create an entry point for foreign adversaries like China and Russia.
A hearing on February 14 will determine next steps.
Musk called the judge corrupt on X/Twitter, claiming DOGE has pushed reforms, including
better payment tracking. His X/Twitter profile now humorously labels
him "White House tech support."
Canada's tech publication The Logic examines cybersecurity cooperation between Canada and
the U.S. Despite political tensions, the relationship remains strong. Rajiv Gupta, head of the Canadian
Centre for Cyber Security,
emphasized that protecting critical infrastructure is a nonpartisan issue.
His agency collaborates daily with its U.S. counterpart, CISA, to defend shared
assets like pipelines, telecom networks, and financial systems. However, concerns
persist about U.S. policy shifts, particularly President Trump's rhetoric
about annexing Canada and controversial appointments like Tulsi Gabbard leading U.S. intelligence.
The Five Eyes intelligence alliance may be weakening.
Meanwhile, Canada faces cybersecurity challenges, including gaps in private sector defense oversight
and delays in implementing
a unified cyber incident reporting system.
Despite setbacks, Gupta believes more organizations now recognize cybersecurity risks.
His agency remains focused on advising businesses, though like CISA, it lacks regulatory authority.
With cyber threats rising, continued U.S.-Canada security collaboration remains crucial.
A data breach has reportedly exposed sensitive credentials from Cisco's internal network
with the new Kraken ransomware group leaking hashed passwords from its Windows Active Directory
environment.
The leaked dataset includes domain user accounts, administrator
credentials, and NTLM password hashes, which could allow attackers to escalate privileges
and move laterally within Cisco's network. Researchers believe the data was extracted
using tools like Mimikatz or HashDump, commonly used by cybercriminals and nation-state actors. Cisco has yet to
confirm the breach but security experts recommend immediate countermeasures
including forced password resets, disabling NTLM authentication, enforcing
multi-factor authentication, and monitoring access logs for suspicious
activity.
Europol has urged Europe's financial sector to start preparing for quantum-safe cryptography
as the threat of store-now-decrypt-later attacks grows.
These attacks involve stealing encrypted data today, with plans to decrypt it once quantum
computers become powerful enough to break current encryption methods.
Although cryptographically relevant quantum computers are still a decade or more away,
rapid advancements could accelerate their arrival.
Europol's Quantum Safe Financial Forum outlined five key recommendations, including prioritizing
quantum safe cryptography, improving stakeholder coordination, and increasing cross-border
collaboration.
The U.S. has already introduced post-quantum cryptography standards, and the U.K. banking
sector has warned of the risks.
With 64% of banks facing cyberattacks last year, financial institutions must adopt new
encryption standards alongside existing ones to ensure a smooth transition and safeguard
sensitive financial data
from future quantum threats.
Microsoft has expanded its Copilot bug bounty program
to cover more consumer products and offer higher rewards.
Researchers can now earn up to $30,000
for critical vulnerabilities,
while medium security flaws can fetch up to $5,000,
an increase from previous payouts.
Eligible vulnerabilities include model manipulation, code injection, authentication flaws, and
improper access control.
Microsoft has also integrated the bounty program with its online services bug bar for a more
consistent evaluation process.
The company encourages researchers to participate in securing the Copilot ecosystem.
My teenage son alerted me to the fact that the PlayStation Network experienced a major outage over the weekend, disrupting login access, online gaming, the PlayStation Store, and more across all PlayStation platforms.
Popular titles like Call of Duty and Fortnite were unplayable,
and users struggled with account management, purchases, and streaming services.
Sony has now restored all services, but the reason behind the prolonged outage remains unknown.
Evan Frederick Light, age 22, of Lebanon, Indiana, was sentenced to 20 years in federal
prison for conspiracy to commit wire fraud and money laundering following his guilty
plea in September of last year.
He was also ordered to pay at least $37 million in restitution for stealing cryptocurrency
from nearly 600 victims.
In February 2022, Light infiltrated a Sioux Falls investment firm using stolen credentials
to access client accounts and exfiltrate personally identifiable information.
He then transferred stolen funds through mixing services and gambling sites to obscure his
identity. US Attorney Allison Ramsdell and FBI Special Agent Alvin Winston, Sr. emphasized the devastating
impact of cybercrime and praised investigators for recovering a substantial portion of the
stolen cryptocurrency.
Mr. Light remains in US Marshals custody.
Coming up after the break, Mike Woodard from Digital.ai shares strategies to minimize risk
when implementing AI and hunting for length and complexity in Wi-Fi passwords.
Stay with us.
Mike Woodard is VP of Product Management for App Security at Digital.ai.
I recently caught up with him to discuss minimizing risk when implementing AI.
I think we see lots of enthusiasm.
We see less knowledge about where it might help.
I think we're kind of in the, let's kick the tires on some things,
do some experimentation, figure out what makes sense,
and probably depending on the size of the organization,
let's not try to do everything at once.
So, you know, you may be trying it in one division
or trying something with your engineering team,
the DevOps folks may be trying something else.
But figuring out what's going to make the most sense
for an organization overall
is, I think, where we are right now.
Well, you and your colleagues there have some recommendations for folks to approach this in a secure way.
What are some of the things you all recommend?
So, there are some very normal things that you would think of when you're thinking about any kind of system.
So, implementing robust authentication and authorization, you know, you certainly
want to make sure that who you think you're interacting with is really that person or
that system and that they're only able to do the things that you expect them to be able
to do. I mean, that's regardless of what kind of system you're doing,
that is always a good place to start.
Maintaining the integrity and the privacy of your system,
so using appropriate controls on your systems,
encryption for passing packets back and forth,
you can prevent man-in-the-middle attacks, things like that.
For those systems, doing regular updates and patches,
you certainly wanna stay up to date with your software.
And when CVEs come out,
make sure that all of those have been taken care of
in your systems.
And those are some of the kind of things that everybody does everywhere or should do everywhere.
But then when we get to AI, there's some things that are maybe a little bit more special in
terms of securing the models and the algorithms. These are the intellectual property, the secret sauce
that some of the threat actors would want to get to.
And so making sure that there is not
a way in the system for somebody to exfiltrate that data when
you think that you think that they shouldn't be able to.
You want to make sure that they really can't.
Also, proactively monitoring your systems to make sure that anomalies show up.
If all of a sudden you see a lot of data going out when you expect data to just go
out in paragraphs at a time or something like that,
those things should be monitored so that you can catch it and
stop it so that you can investigate it.
How big a part do you suppose that user education plays here?
Reminding folks to be careful what you put into that AI system.
Well, it depends on who you're trying to protect at that point.
The users certainly need to know if their data is going to be held confidentially.
Certainly you don't want to be interacting with a pseudo AI or imposter AI and be giving
health information, personal information of whatever sort.
And so I think we need some of the same kind of campaigns for interacting with AIs
that many organizations have for identifying phishing attempts or something like that
so that you just have to be a little bit on the lookout for things that seem a little bit suspicious.
So certainly things like that.
It seems to me like there's this tension right now
between people's understanding
that there are security issues with AI,
but then also this desire to use it
for as many things as possible or else
risk being left behind.
Yeah, the risk being left behind, you know, nobody wants to think about that.
You know, this is arguably the biggest wave that we've had in a long time.
And, you know, if you want a good ride, you're going to have to make sure you catch this one.
But again, in that experimentation phase,
the generative AIs have not
been available in the mainstream for very long.
So people don't know exactly what to do with it.
They don't understand exactly
how it's going to help them or how much it's going to help them.
They also have probably visions in their heads of The Matrix or something else and not knowing
is AI going to be our ultimate downfall.
So all kinds of things that are kind of personal intrinsics come into play here when people are thinking about what to do
with it and how fast and what to trust it with.
Do you have any recommendations for the security folks when it comes to communicating to the
powers that be in their organization?
They're seeing that enthusiasm come, let's say, from the board of directors who sends
down a mandate that it's gonna be AI all the time.
How do you balance that with the real world need
to keep things safe?
Well, there are probably some things that you can do
and it's like, okay, what are we trying to accomplish
with AI and make sure that we're able to look at the results
a little bit down the road and say, are we getting what we thought we were getting
for our investment, for one thing.
Another thing is if you're starting to look at, you know,
vendors to make sure that you vet them properly,
you know, you work with your legal team
and find out what we can do and what we can't do
in terms of consuming various AI models and sharing or not sharing our data with, you know,
kind of the wider population. So there are several things there that I think you can do that,
you know, maybe just tapping the brakes a little bit and alerting,
maybe that board of directors that AI holds a lot of promise,
but it's not a silver bullet and it's not something that you can just say,
oh, just turn it on and we'll be good all over.
Thanks to Mike Woodard from Digital.ai for joining us.
And finally, researcher Jason Jacobs assigned himself a weekend project to look for the
longest and most complex Wi-Fi passwords out there.
As you do.
Combing through a dataset of over 31 million actual Wi-Fi passwords people have actually used,
Jacobs came up with a scoring system to rank length and complexity.
He set his script loose on the dataset, sat back, and waited.
In terms of length, number one was supercalifragilisticexpialidocious. Respect.
But then there were others.
A random string of numbers and letters that looked like an encryption key.
A weird mix of words that Jacobs assumed was someone's attempt at speaking alien.
And finally, something that looked suspiciously like a NASA project name.
Turning to complexity, the number one most complex Wi-Fi password wasn't just a password,
it was an actual hacking attempt.
Someone, somewhere, set their Wi-Fi password as a full-blown JavaScript hacking script.
This means that if a badly built system ever tried to store it without protection, it could
actually trigger a security exploit.
This is cyberpunk level trolling.
Runners-up included the scientific name for a chemical compound and a mix of words that
sounded like a German hacker's email address.
So what did Jacobs' weekend project teach him?
People use some wildly creative passwords and some terrifying ones. Someone actually thought using a cross-site scripting attack payload as their Wi-Fi password
was a great idea.
Stay safe out there, friends!
And that's the CyberWire.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly
changing world of cybersecurity.
If you like our show, please share a rating and review in your
favorite podcast app. Please also fill out the survey in the show notes or send an email to
cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes.
We're mixed by Tré Hester with original music and sound design by Elliott Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher, and I'm Dave Bittner.
