CyberWire Daily - Salt Typhoon’s cyber storm.
Episode Date: September 26, 2024
Salt Typhoon infiltrates US ISPs. Researchers hack the connected features in Kia vehicles. WiFi portals in UK train stations suffer Islamophobic graffiti. International partners release a joint guide for protecting Active Directory. A key house committee approves an AI vulnerability reporting bill. India’s largest health insurer sues Telegram over leaked data. HPE Aruba Networking patches three critical vulnerabilities in its Aruba Access Points. OpenAI plans to restructure into a for-profit business. CISA raises the red flag on Hurricane Helene scams. Our guest is Ashley Rose, Founder & CEO at Living Security, on the creation of Forrester’s newest cybersecurity category, Human Risk Management. The FTC says “Objection!” to the world’s first self-proclaimed robot lawyer.
Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
Our guest is Ashley Rose, Living Security’s Founder & CEO, talking about the creation of Forrester’s newest cybersecurity category, Human Risk Management. Read Ashley’s blog. Learn more on The Forrester Wave™: Human Risk Management Solutions, Q3 2024.
Selected Reading
China-Backed Salt Typhoon Targets U.S. Internet Providers: Report (Security Boulevard)
Millions of Vehicles Could Be Hacked and Tracked Thanks to a Simple Website Bug (WIRED)
Public Wi-Fi operator investigating cyberattack at UK's busiest train stations (The Register)
ASD’s ACSC, CISA, and US and International Partners Release Guidance on Detecting and Mitigating Active Directory Compromises (CISA)
House panel moves bill that adds AI systems to National Vulnerability Database (CyberScoop)
India's Star Health sues Telegram after hacker uses app's chatbots to leak data (Reuters)
HPE Aruba Networking fixes critical flaws impacting Access Points (Bleeping Computer)
Exclusive: OpenAI to remove non-profit control and give Sam Altman equity (Reuters)
OpenAI's technology chief Mira Murati, two other research executives to leave (Reuters)
CISA Warns of Hurricane-Related Scams (CISA)
DoNotPay must pay $193,000 to settle false claim charges from FTC (The Verge)
Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.
Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
Salt Typhoon infiltrates US ISPs.
Researchers hack the connected features in Kia vehicles.
Wi-Fi portals in UK train stations suffer Islamophobic graffiti.
International partners release a joint guide for protecting Active Directory.
A key house committee approves an AI vulnerability reporting bill.
India's largest health insurer sues Telegram over leaked data.
HPE Aruba Networking patches three critical vulnerabilities in its Aruba access points.
OpenAI plans to restructure into a for-profit business.
CISA raises the red flag on Hurricane Helene scams.
Our guest is Ashley Rose, founder and CEO at Living Security, on the creation of Forrester's newest cybersecurity category, human risk management.
And the FTC says objection to the world's first self-proclaimed robot lawyer.
It's Thursday, September 26, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thank you for joining us here today.
A Chinese government-linked threat group, Salt Typhoon,
has reportedly compromised U.S. Internet service providers to collect sensitive information and potentially launch cyberattacks.
According to the Wall Street Journal,
Salt Typhoon has infiltrated several ISPs' IT environments in recent months.
The Washington Post previously reported similar attacks on major U.S. providers,
comparing the tactics to those of another China-linked group, Volt Typhoon,
known for targeting critical infrastructure.
Salt Typhoon's goal is to maintain persistence within ISP networks, enabling long-term access for cyber espionage. This is part of a broader Chinese strategy to infiltrate critical
infrastructure and gather valuable information, from user data to communication records. U.S. agencies like CISA, the FBI,
and NSA recently disrupted another Chinese botnet, Flax Typhoon, used for DDoS attacks
and malware deployment. Experts warn that Salt Typhoon is just one of many groups.
Cybersecurity leaders expect more nation-state threats targeting ISPs,
highlighting the need for enhanced cybersecurity defenses.
Security researchers have uncovered a vulnerability in Kia's web portal, allowing hackers to remotely
take control of the connected features in millions of modern Kia vehicles.
Exploiting a simple flaw in the portal's back end,
the researchers could reassign control of vehicles from the owner's smartphone to their own devices.
By using this method, they could track the car's location, unlock doors, honk the horn,
or even start the ignition, all by accessing the vehicle identification number through the license plate.
While this hack didn't compromise critical driving functions like steering or brakes,
it posed significant privacy, theft, and safety risks.
Kia patched the vulnerability after being alerted in June of last year,
though the researchers highlight that such security gaps are common across many automakers' web systems.
Similar vulnerabilities have been found in other brands like Honda, Toyota, and Hyundai,
exposing a broader issue in the automotive industry's web security practices.
Network Rail, the UK body responsible for train infrastructure, is investigating a cybersecurity incident
after Islamophobic messages were displayed on Wi-Fi portals at major train stations.
The compromised landing page referenced the 2017 Manchester Arena bombings.
The issue has affected Wi-Fi services at 20 stations,
including London's major hubs and key stations like Manchester
Piccadilly and Birmingham New Street. Network Rail, British Transport Police, and Telent,
the company managing the Wi-Fi, are investigating. Initial findings suggest the attack involved
unauthorized access to a legitimate administrator account at Global Reach, which manages the
landing pages. Telent confirmed that no personal data was affected. Experts emphasize the
vulnerability of public Wi-Fi and the need for stronger security, especially in critical
national infrastructure. The incident remains under investigation by the BTP.
The Australian Signals Directorate, CISA, and international partners
have released a joint guide titled
Detecting and Mitigating Active Directory Compromises,
providing strategies to address common techniques
used by malicious actors to exploit Active Directory.
As the most widely used authentication and authorization system
in enterprise IT networks, Active Directory is frequently targeted for privilege escalation and access to sensitive user data.
Organizations are urged to review the guide and implement its recommended mitigations to enhance security and reduce the impact of Active Directory compromises.
The AI Incident Reporting and Security Enhancement Act aims to push the National Institute of Standards and Technology to establish a formal process for reporting security vulnerabilities
in AI systems.
Introduced by Representatives Deborah Ross, Jay Obernolte, and Don Beyer, the bill passed the House Science, Space, and Technology Committee.
It directs NIST to include AI systems in the National Vulnerability Database and consult with other agencies to standardize AI security incident reporting.
However, implementation depends on available funding, and NIST faces challenges with resource constraints and an increasing number of vulnerabilities.
Despite passing by voice vote, concerns were raised about clearly defining AI-related terms and excluding foreign standards organizations from adversarial nations.
Proponents plan to push for a full House vote later this year.
Indian insurer Star Health has filed a lawsuit against Telegram and a hacker called xenZen after personal data and medical records of policyholders were leaked through chatbots
on the messaging platform. The lawsuit also targets U.S.-based Cloudflare,
alleging its services were used to host the leaked data.
A court in Tamil Nadu granted Star Health a temporary injunction
to block chatbots distributing the data in India.
This case follows increased scrutiny of Telegram's content moderation,
with further hearings set for October 25th.
HPE Aruba Networking has patched three critical vulnerabilities in the command-line interface
of its Aruba access points. These flaws could allow unauthenticated attackers to gain remote
code execution by sending specially crafted packets to the PAPI management protocol.
The vulnerabilities affect Aruba access points running Instant AOS-8 and AOS-10.
Administrators are urged to apply the latest security updates with temporary workarounds
available. No active exploitation or public exploit code has been reported,
and other Aruba products remain unaffected.
OpenAI plans to restructure its core business into a for-profit benefit corporation,
removing control from its non-profit board to attract investors, sources told Reuters.
The non-profit will retain a minority stake, and CEO Sam Altman will receive equity
for the first time. The restructuring could raise OpenAI's valuation to $150 billion and remove the
cap on investor returns. While the change may appeal to investors, it raises concerns about
the company's commitment to AI safety and governance in its
pursuit of artificial general intelligence.
Three top leaders at OpenAI resigned on Wednesday amid the company's ongoing restructuring and funding negotiations. Chief Technology Officer Mira Murati, VP of Research Barret Zoph, and Chief Research Officer Bob McGrew announced their departures on X, formerly Twitter.
It's unclear if these executive exits will impact the funding process.
As Hurricane Helene bears down on the Gulf Coast of Florida,
CISA is raising the red flag about potential cyber threats.
After major natural disasters, scammers love to take
advantage, sending out fraudulent emails or social media messages loaded with malicious links or
attachments. If you see hurricane-related subject lines, emails, or links, think twice before
clicking. Also keep an eye out for sketchy social media posts, texts, or even door-to-door solicitations about storm relief.
Stay cautious and keep your cybersecurity guard up.
Coming up after the break, Ashley Rose, founder and CEO of Living Security, discusses the creation of the human risk management cybersecurity category.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and helps you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
Ashley Rose is founder and CEO at Living Security.
I recently spoke with her about Forrester's newest cybersecurity category,
human risk management.
So, I mean, this is extremely significant
for the cybersecurity industry as a whole.
For decades, most organizations
have been looking at security awareness and training
from a compliance standpoint
as the answer to their
problem. And what's that problem? You know, 90% of cybersecurity breaches have a root cause
in some sort of human behavior, human risk. And so, you know, for the last decade,
organizations have been, you know, working with partners to train their employees one time a year.
They send out some phishing simulation
assessments. And that's kind of been all that has been available to them, essentially, to try to
mitigate this very large and substantial risk to organizations. So with the growth, the emergence,
or the birthing of human risk management, we're now presenting a new and better way,
a different approach to these organizations to really solve for and mitigate their number one cybersecurity risk, which is the human side.
How do you expect that's going to play out?
Let me give you some background.
Let me give you some history.
So Living Security was founded in 2017. And when we co-founded the company, we looked at the industry and we said,
look, humans have been the cause of 90% of breaches plus forever, right? For all of history.
And we've had security awareness and training solutions in market. The data still remains intact. We're not seeing improvement. There has to be a different way to accomplish this.
And so we recognize that at that point, organizations and security awareness program owners and CISOs,
they were really like longing for a way to better connect or start building more of a stronger,
positive security culture between security and their employees. And so, you know, our first approach in market was trying to lay that cultural foundation and, you know, driving that connection point between security and the average employee.
But from the very beginning, we always had this vision that there was a better,
more data-oriented way to solve this problem. And so, you know, kind of that's where Living
Security had come up with the idea for human risk management, which is essentially, how do we help organizations identify their most risky employees so that we could better protect them through things like training, nudging, and policy change, and ultimately report on the effectiveness of that program across the business? And so you asked a really interesting question,
like how is that going to happen?
Well, I actually had to start with us
just standing up and saying enough is enough.
And so Living Security sort of put our mark
in the industry and said,
the future is human risk management.
We spent the last three years
working with some of the most forward thinking,
early adopting CISOs
in the entire industry, people that recognize that they needed a different approach to really
define and build a product that supported this type of operationalizing of human risk management
and also influencing organizations like Forrester. And so, Dave, this has been, first of all,
a seven-year vision, right,
from the start of Living Security,
but three years of, like,
I'd say standing on top of a mountain,
screaming to an industry that, like,
had no idea what we were talking about
for quite some time.
And now here we are today, you know,
2024, September 19th, 2024. And we now have the
validation and the recognition, not just from Forrester, right? This influencing space, but also
from competitors in the market who have said, yes, this is the new approach. And hundreds of CISOs
have said, yes, like we need to move forward in this direction.
So it truly takes a collaboration between both the vendor community, the practitioners, and then I would say these sort of influencing advisory committees like Forrester or otherwise to drive a new category into the future.
So for the folks inside of an organization who are responsible for their security, what sort of changes will this prompt? What does the future look like for them?
Yeah, that's a great question. So the first thing is a realization that compliance does not equal
security. And I think, you know, it sounds really simple, but if you look at like
the day-to-day activity of a lot of the human risk or awareness and training program owners,
it's really an effort to obtain that checkbox, right? And so we need to first stop and think,
how can I make what needs to get done very easy and very simple, right? How do we put compliance on rails so that I can spend
my time thinking more strategically about how to actually manage and mitigate and report on human
risk? So first is, you know, a little bit of a grieving process. Okay, what I'm doing is not
going to work. I need to start changing, right? So that's step one. The second one is really starting to understand that we need
to up-level our data and our snapshots and our reporting. For too long, human risk metrics have
been in isolation. We've essentially been a siloed part of the security team forever.
And so in order for us to properly integrate, we first need to set up those connections and we need to get access to the data that can tell us what our humans are doing.
All of these systems, all of these different security technologies, they're already collecting all of this wonderful, valuable data on your humans.
And so the first thing that we need to do after realizing that, hey, what I'm
doing is no longer good enough. I can't just make compliance my objective. We now need to go get
access to that data and we need to integrate into it so we can produce that visibility to what our
humans are doing, right? Where are those groups of high-risk users? And then once we do that, once we have that visibility, we can start making more
informed, smarter, data-driven decisions on how we're going to respond to that. And that's where
the strategy piece really gets exciting for us. Helping organizations to understand culturally
what's appropriate and then being able to marry that to the data and what it says,
and be able to say, hey, this policy is not working for this group, we need to adjust it.
So the strategy piece is like really where it gets fun. But there's a couple, you know,
as you mentioned earlier from a question, there's a couple first steps in place. Realizing what we're doing is not enough, we need to figure out how to make that more efficient and easier.
And then two, we need to go get access to our data so we can have visibility to actually take action from.
And what does it look like on the other side of that? I mean, the organizations that you've worked with who have had success here, is it a big difference once you've enabled these sorts of methodologies within your organization?
So at first, yes, absolutely.
There is a difference.
And I can talk about that from a couple different sides of the table, right?
So from a human risk manager, right,
or somebody who's going to be managing the human risk program,
their job has just become much more strategic and valuable
to the CISO organization, right?
We're no longer sort of like the redheaded stepchild of security or, you know, the team
that's just like there to engage and drive culture, which are really important things,
right?
But we're somebody who has a strategic program, right, that aligns to the rest of the security
organization, and we have the
ability to report on our effectiveness. So all of a sudden, you've just now like strengthened,
up-leveled, and made this position more strategic, where they're more embedded into the rest of the
security organization. So that person's job, they now have, you know, career path opportunities
that they haven't had before. So from a security practitioner's or the program owner's perspective,
there's a huge advantage here.
From an employee perspective, we're also looking to provide both efficiency,
but also clarity and feedback.
And so a lot of organizations, people have jobs to do, right?
Users are employees, whether they're in finance or accounting or product management or engineering, security is a part of what is important for their job, but they have revenue driving activities or operational activities that are really important. And so the effect that we get to have on the employee base is that you're no longer getting training
for the sake of training, right?
Or this sort of training fatigue
that we've seen continue to grow across the industry.
We're now meeting you where you're at
with the information that makes sense
and making sure that it's contextualized
so that you can take the appropriate actions
to start or stop doing something
that is going to produce risk for your organization.
And so there's an efficiency gain
that is very, very helpful for the employee.
On the other side, I've heard a ton of employees
when I've asked them like,
hey, how do you connect to security in your organization?
They say, we only hear from security once a year.
And then on those tricks, those phishing simulations
that they're trying to trick me into clicking.
But we really have no idea of how we're fitting in,
how well we're doing.
And so when we think about the opportunity
for a human risk management program
to drive culture and ownership across the organization,
just simply by putting data in the hands of your employees
and letting them know,
hey, here's where you're doing really well.
We've seen just tremendous impacts of engagement,
of people understanding the priority
that organizations are putting on security
and then actually encouraging them
to take appropriate actions to keep data more secure.
That's Ashley Rose, founder and CEO at Living Security.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And finally, an online service named DoNotPay, the self-proclaimed creator of the world's first robot lawyer, has agreed to a $193,000 settlement with the FTC after overpromising on its AI's legal prowess. Part of the FTC's new Operation AI Comply, the case revealed DoNotPay's claims, like replacing human lawyers and handling serious legal cases, were more hype than fact. The FTC said DoNotPay hadn't tested its AI on actual laws
or trained it to provide accurate legal advice.
Even worse, the company claimed consumers could use its AI to sue for assault
or check small business websites for legal violations,
but these features didn't hold up.
In addition to the settlement,
DoNotPay must now warn customers about its limitations and can't claim to replace professional
services without evidence. It's a reminder from the FTC there's no AI loophole when it comes to
deceptive practices, as they also crack down on fake reviews and other AI-powered scams.
And that's the CyberWire. For links to all of today's stories, check out our daily briefing
at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver
the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to CyberWire at N2K.com.
We're privileged that N2K CyberWire is part of the daily routine of the most
influential leaders and operators in the public and private sector, from the Fortune 500 to many
of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for
companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester with original music and sound design by Elliot Peltzman.
Our executive producer is Jennifer Iben.
Our executive editor is Brandon Karp.
Simone Petrella is our president.
Peter Kilpie is our publisher.
And I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com. That's ai.domo.com.