CyberWire Daily - Securing democracy.

Episode Date: October 29, 2024

Chinese hacking into US telecoms draws federal scrutiny. ESET examines Evasive Panda’s CloudScout toolset. A new ChatGPT jailbreak bypassed security safeguards. Nintendo warns users of a phishing scam. The Five Eyes launch the Secure Innovation initiative for startups. CISA releases “Product Security Bad Practices” guidelines. Apple’s new bug bounty program offers a million bucks for critical vulnerabilities. The City of Columbus drops its suit of a cybersecurity researcher. On our Solution Spotlight today, N2K’s Simone Petrella speaks with Chris Porter, CISO at Fannie Mae, on cultivating cybersecurity culture and talent. Spooky spam is back.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

On our Solution Spotlight today, N2K’s Simone Petrella speaks with Chris Porter, CISO at Fannie Mae, on cultivating cybersecurity culture and talent. You can hear Simone’s and Chris’ full conversation in this special edition podcast.

Selected Reading

Key Federal Cyber Panel to Probe Chinese Telecoms Hacking (Bank Info Security)
CloudScout: Evasive Panda scouting cloud services (We Live Security)
ChatGPT Jailbreak: Researchers Bypass AI Safeguards Using Hexadecimal Encoding and Emojis (SecurityWeek)
Nintendo Warns of Phishing Attack Mimics Company Email Address (gbhackers)
Five Eyes Agencies Launch Startup Security Initiative (Infosecurity magazine)
CISA sees elimination of ‘bad practices’ as next secure-by-design step (CyberScoop)
Apple Launches 'Apple Intelligence' and Offers $1M Bug Bounty for Security (Hackread)
Columbus drops lawsuit against data leak whistleblower Connor Goodwolf, but with a catch (NBC)
Spooky Spam, Scary Scams: Halloween Threats Rise (Security Boulevard)

Share your feedback. We want to ensure that you are getting the most out of the podcast.
Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash n2k, code n2k at checkout. Chinese hacking into U.S. telecoms draws federal scrutiny. ESET examines Evasive Panda's CloudScout toolset. A new ChatGPT jailbreak bypassed security safeguards. Nintendo warns users of a phishing scam.
Starting point is 00:02:16 The Five Eyes launch the Secure Innovation Initiative for startups. CISA releases product security bad practices guidelines. Apple's new bug bounty program offers a million bucks for critical vulnerabilities. The city of Columbus drops its suit of a cybersecurity researcher. On our Solutions Spotlight, N2K's Simone Petrella speaks with Chris Porter, CISO at Fannie Mae, on cultivating cybersecurity culture and talent. And spooky spam is back. It's Tuesday, October 29th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. It is great to have you with us.
Starting point is 00:03:27 The U.S. Cyber Safety Review Board, the CSRB, will investigate Chinese hacking into U.S. telecom networks, which may have targeted presidential campaign communications ahead of the 2024 elections. This scrutiny follows reports of a Chinese state-sponsored operation, Salt Typhoon, focusing on surveillance of U.S. political figures, including Republican presidential nominee Donald Trump and his running mate J.D. Vance. The Washington Post recently reported that hackers collected unencrypted call and text data but may not have breached encrypted channels like Signal. This inquiry will be the CSRB's fourth major investigation,
Starting point is 00:04:01 building on its April 2023 report that criticized Microsoft's cybersecurity lapses. Federal agencies, including the FBI and CISA, swiftly notified affected telecom companies to mitigate further risks. Despite the probe, officials have not confirmed if these intrusions were intended to influence election outcomes. Security concerns are intensifying as the election approaches, with threats also reportedly emerging from Iran and Russia. Congress has demanded accountability from telecom giants, urging them to address systemic vulnerabilities.
Starting point is 00:04:39 Homeland Security has warned that risks to election security may persist through 2025, with the potential for adversaries to exploit any perceived election irregularities. Research from ESET examines the CloudScout toolset used by the Chinese state-aligned group Evasive Panda, targeting Taiwanese entities from 2022 through 2023. This included a government body and a religious organization. CloudScout, integrated with the group's MGBot malware, hijacks authenticated sessions through stolen browser cookies to access data from cloud services like Google Drive, Gmail, and Outlook. Analysis revealed three CloudScout modules designed for these services, while several additional modules likely target other platforms.
Starting point is 00:05:32 Evasive Panda's long history of cyber espionage, especially in regions opposing Chinese interests, reflects their advanced capabilities. The group frequently uses sophisticated tactics like watering hole attacks and supply chain compromises to gain access to sensitive data. CloudScout modules leverage hard-coded details and are tailored to the Taiwanese context, making their activity highly specific and potentially difficult to counter. Security advances in Chrome, like app-bound encryption, could eventually limit CloudScout's effectiveness by preventing cookie theft. Mozilla's Odin bug bounty program recently revealed a new jailbreak that bypasses ChatGPT's safeguards by encoding malicious instructions in hexadecimal. Disclosed by Marco Figueroa, Odin's manager, the jailbreak could allow ChatGPT to produce unauthorized content, such as a Python exploit for a CVE vulnerability, despite standard restrictions. Mozilla's Odin, launched in June 2024, rewards researchers for
Starting point is 00:06:42 identifying vulnerabilities in AI models, such as prompt injection and data poisoning, with bounties up to $15,000 for critical findings. This jailbreak involved not only hexadecimal encoding, but also alternative techniques like emoji encoding to produce restricted outputs, highlighting AI's limitations in recognizing encoded threats. OpenAI appears to have patched these vulnerabilities as attempts to reproduce the jailbreak failed. Apple has launched an ambitious bug bounty program, offering up to $1 million for identifying vulnerabilities
Starting point is 00:07:21 in its Private Cloud Compute servers, which power intensive AI tasks for Apple Intelligence. This initiative focuses on strengthening the security of Apple's PCC architecture, which Apple claims to be the most advanced cloud AI security infrastructure at scale. In addition to the bug bounty, Apple introduced a virtual research environment that provides researchers access to PCC software, enabling in-depth security analysis. Apple's detailed security guide and reward structure support the program, with payouts ranging from $50,000 for minor data disclosure issues to $250,000 for sensitive data access violations, and of course $1 million for severe
Starting point is 00:08:08 vulnerabilities. Apple's aim is to engage the security community actively in safeguarding its AI cloud services. Nintendo has warned users about a phishing scam involving emails that mimic official communications from the company. These fraudulent emails sent from third-party addresses contain links to malicious sites aimed at stealing user information. Nintendo advises users to delete suspicious emails immediately and avoid clicking any embedded links. If users suspect their accounts are compromised, they should change their passwords and enable two-factor authentication. The Five Eyes Alliance, comprising the UK, US, Canada, New Zealand, and Australia, has launched the Secure Innovation Initiative to help tech startups bolster their cybersecurity in response to increased state-backed cyber threats.
Starting point is 00:09:04 Originally a UK project by the National Cyber Security Centre and MI5, Secure Innovation now extends to all Five Eyes members. This program offers startups personalized action plans for protecting technology and reputation, along with guidance for founders and investors. Prompted by escalating cyber espionage risks from countries like China, the program aims to counteract intellectual property theft targeting innovative tech ventures. MI5's director, Ken McCallum, emphasizes that this collaboration with international allies strengthens global cybersecurity for startups. The UK reports
Starting point is 00:09:45 that over 500 startups have already used Secure Innovation to create tailored security plans. At the ACT-IAC's Imagine Nation ELC 2024 conference in Hershey, Pennsylvania, CISA's Rina Rakipi highlighted the agency's progress on the Secure by Design initiative, emphasizing its success in signing over 230 vendors who committed to bolstering cybersecurity and software development. Rakipi shared the agency's enthusiasm for the year-and-a-half-old program, noting its focus on eliminating common software vulnerabilities, like default passwords and limited multi-factor authentication. Rakipi's session introduced CISA and the FBI's new Product Security Bad Practices Guidelines,
Starting point is 00:10:36 which outline critical vulnerabilities in product properties, security features, and organizational policies. She explained that this guide is open for public comment and is intended to help developers avoid security pitfalls in software creation. Keelan Sweeney, CISA's IT sector chief, expanded on this by advocating for memory-safe languages, citing their potential to prevent up to 70% of vulnerabilities. Both Rakipi and Sweeney underscored the agency's proactive stance with Rakipi likening secure software to essential car safety features like airbags, which should be built in and not added as an afterthought.
Starting point is 00:11:17 After being sued by the city of Columbus over revealing a data leak, cybersecurity researcher Connor Goodwolf reached an agreement that led to the case's dismissal. The city had initially sought over $25,000 in damages, accusing Goodwolf of violating confidentiality after he exposed unencrypted sensitive data on the dark web, contrary to Mayor Andrew Ginther's assurances. The lawsuit will now be dropped with prejudice, preventing future claims on the same grounds. However, Goodwolf must adhere to a permanent injunction that limits sharing data to public records approved by the city. Following the dismissal, Goodwolf expressed hope for better communication methods in Columbus for handling security disclosures, noting that the city's response had strained its relationship with the
Starting point is 00:12:10 cybersecurity community. Coming up after the break, N2K's Simone Petrella speaks with Chris Porter from Fannie Mae on cultivating cybersecurity culture and talent. Stay with us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora
Starting point is 00:13:03 have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
Starting point is 00:13:54 And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. Chris Porter is Chief Information Security Officer at Fannie Mae. And on today's Solution Spotlight segment, N2K's Simone Petrella speaks with him
Starting point is 00:14:48 about cultivating cybersecurity culture and talent. Well, thanks so much for joining us, Christopher. It's really great to have you. I want to kick off with maybe just letting you share a little bit about yourself and your journey into the role of CISO with our audience. Yes, certainly. And I would say it's been quite an interesting path. And I'll go back to college because I think that helps set the scene a little bit on how I got to where I am today.
Starting point is 00:15:17 I started off as pre-med when I came out of high school. And unfortunately, I met organic chemistry and some other classes in college. I feel like that is the downfall of all pre-med is organic chemistry. And I joke today that I think that it saved lives, me going through that class probably. And so I bounced around for a little while during school. At one point, I moved from pre-med to sports medicine. And at that point, I had started majoring in psychology, kind of realized that I wasn't going to make the money that I was hoping to make once I got out of college. And so I kind of pivoted to economics, where I ended up having a double major in economics and psychology. But the entire time, though, I was always a computer guy.
Starting point is 00:16:06 I grew up with computers. I used them all the time. But I didn't think about computer engineering or anything like that when I first went to school. Because my thought back then, at least, I mean, this was a long time ago, was that the computer jobs were working at Radio Shack and being surrounded by hardware. Not that there's anything wrong with that, but that's generally what I thought about at the time. And so I sort of bounced around a little bit. I came out of school. I went and became an economist working for a small Beltway bandit. The biggest thing was I took a pivotal trip to visit one of my best friends who went to Virginia Tech. And he was working for a bunch of companies in Silicon Valley.
Starting point is 00:16:51 I toured with him and saw the sock. I think he was at Cisco at the time. And I was just really enamored with the energy that was out in Silicon Valley and how technology was so different than what I had thought it was. And so that's where my real experience started. I found a job working for a help desk at a law firm in DC, learned infrastructure, moved to New Orleans, followed my now wife down there when she went to graduate school. And I worked for LSU Health Sciences Center doing sort of a jack of all trades, help desk support and network engineering and infrastructure support. Came back to the DC area, worked as a security consultant for TrueSecure. It ended up becoming Cybertrust and then got acquired by Verizon. And so for several
Starting point is 00:17:45 years, I worked as a security consultant. Funny enough, I was a security consultant for Fannie Mae for several of those years. And so it's kind of a weird, interesting pivot to what I'm doing today compared to what I was doing close to 20 years ago at this point. And so I've been at Fannie Mae this coming January will be 10 years. And in April, I will have been the CISO for nine years. What an incredible journey. And as unique as your story is, I think it's more common than we give ourselves credit for when we talk to people in leadership today, because there was no cybersecurity degree program. There was maybe computer engineering.
Starting point is 00:18:26 One of the things that I think has been really interesting in 2024 is that this is the year we finally have data, staying on the data science theme, on the workforce, on the cybersecurity workforce that shows that demonstrably cybersecurity employers are unable to find experienced workers and yet new cybersecurity workers can't find their
Starting point is 00:18:46 first job. And we've intuitively been saying this now for a number of years, but we actually have looked through the job data. 7% of jobs posted for cybersecurity work are currently requiring two or less years of experience. 77% are requiring over that amount. And ISE2 just released its first look for its annual workforce study and found that this is the first year that the global workforce in aggregate has actually stagnated. And it's actually kind of tapped out compared to large growth numbers year over year. I'm curious what your take is on that. Is that something that you relate to in your role and you're seeing play out? Or are we over, you know, are we kind of overstating the issue? No, I think that that is an issue. You know, when you look at trying to remember the most recent sort of supply demand statistics out there. You always see these
Starting point is 00:19:46 numbers out there that there's 3.4 million cybersecurity jobs that are unfilled. And then, as you mentioned before, it's hard for the folks who have less experience to get that first job. And I think that's partly due to the pressure that is on organizations to meet their cybersecurity requirements, individual, you know, attackers that are constantly hitting organizations. And on the other hand, you need to have seasoned cybersecurity professionals that can come in to kind of meet those kinds of challenges. And then I think on top of that, you know, you've got different digital transformations that are going on across lots of different companies where there's a massive skill set shift from your traditional cybersecurity skill sets into more developer-like skill sets for
Starting point is 00:21:00 cybersecurity engineers, where it's a lot more about in cloud, about integration and engineering and security as code, compliance as code and all of those kinds of things. And so you've got this like sort of skill set pieces where you have to do both during the transition and you have to build the skill sets to be able to meet the demand of the IT infrastructures that we're going to be having over the next several years, all the while having all these new challenges that are coming up, right? Quantum, like quantum is going to be a bigger problem or an earlier problem than what we probably thought five or 10 years ago.
Starting point is 00:21:43 than what we probably thought five or 10 years ago. Gen AI and all the value that businesses can get out of gen AI, but how do you secure the gen AI that your company's wanting to use to create business value for their customers or for internal efficiencies? I think this actually just reminds me of something. Dan Geer had mentioned something about the asymmetry that comes with cybersecurity, and that we have to protect against all threats that have ever had, all threats that are happening today, and all new attacks that might be happening in the future that we don't know about. And the bad guys only have to be right one time. And so that's the field of play that we're
Starting point is 00:22:27 in. And so I definitely understand the challenge. Few companies have the resources or are looking to train new hires on these things. It's more apprenticeship-like training as opposed to like, hey, I can go build the talent early on and then kind of move them along. Another one was around just like recruiting in HR. The entire process of matching skill sets with sort of the middleman, middlewoman HR role also makes it very challenging for hiring managers. So that whole process makes it difficult as well, just in how do you simplify it in a way so that you can get the right sort of folks in. But I do think it's a mindset change.
Starting point is 00:23:16 We generally have an associates program where we're bringing in new talent every year. So one of the things that my team is focused on this next year is like developing a very specific cybersecurity associates program to do just that. And what's incredible to hear about a program like that you're building is it's embracing what is a long-term approach because you have to grow the talent to what you described at the beginning, which is we have this short-termism because the problem is right in front of us today. You know, what's your advice then to those who have organizations who are dealing with this constantly dynamic, I'm not even going to try and come up with the version of dynamism, but are dealing with this dynamic threat landscape where the field is changing. How do we think about creating programs to kind of have the right people
Starting point is 00:24:09 and get them into the field and grow them and attract and grow those skills that we need to kind of be resilient in the face of an ever-changing threat landscape? Yeah, I mean, I think it's the finding the right sort of archetype of a person that can help you with that. So like, as I mentioned earlier, when I try to find leaders that are curious, like the other kinds of leaders that I like, and even, you know, folks on the team are what I call thread pullers. Because a lot of cybersecurity is around just pulling threads. And I think if you find the right people that are curious, thread pullers, and are willing to have that sort of continuous learning mindset, then you're going to be as a community have to continue to educate our next generation of cybersecurity engineers, analysts, etc. It's about cybersecurity and the challenges and those kinds of things to kind of help them get a view of what those kinds of things are. And I think that's just something
Starting point is 00:25:25 that we all have to commit to is how do we educate the next generation to make them better and then also find ways to give opportunities to those as they're coming up from the ranks. Well, Chris, thank you so much for joining me this afternoon. Really appreciate your time
Starting point is 00:25:41 and thank you so much for your insights. You're welcome. Take care. That's N2K's Simone Petrella speaking with Chris Porter, CISO at Fannie Mae. Cyber threats are evolving every second and staying ahead is more than just a challenge. Thank you. designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And finally, Halloween-themed spam is back. It's out for more than candy. Bitdefender reports that 40% of these spooky emails contain tricks
Starting point is 00:27:06 instead of treats, with phishing links ready to swipe personal information faster than you can say boo. In early October, spam surged 18% as cyber scammers dressed up as costume stores and giveaway hosts. Emails boasting mystery box giveaways or frightening discounts entice eager shoppers to click, only to find themselves caught in a web of malicious links. Bitdefender's Alina Bisga warns that while shoppers hunt for last-minute costume deals, cyber spooks are lurking, ready to grab credit card details. The U.S. is the haunted house of Halloween spam, sending 83% of this junk mail, with 71% landing in American inboxes.
Starting point is 00:27:53 Meanwhile, Sean McNee of DomainTools jokes that scammers trick customers with fake discounts from familiar stores like Spirit Halloween only to swap their costumes for malware. So remember, if it seems too good to be true, it might be a ghostly scam in disguise. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
Starting point is 00:28:37 If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. We're privileged that N2K Cyber Wire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies.
Starting point is 00:29:01 N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Ivan. Our executive editor is Brandon Park. Simone Petrella is our president. Peter Kilby is our publisher.
Starting point is 00:29:30 And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
Starting point is 00:30:35 That's ai.domo.com.
