CyberWire Daily - That’s a wrap on election day.
Episode Date: November 6, 2024

Election day wrap-up. The FBI issues a warning about cybercriminals selling government email credentials. Google issues an emergency update for Chrome. An Interpol operation nets dozens of arrests and IP takedowns. Microchip Technology disclosed $21.4 million in expenses related to a cybersecurity breach. Ransomware makes a Georgia hospital revert to paper records. South Korea fines Meta $15 million over privacy violations. A cyberattack disables panic alarms on British prison vans. A small city in Kansas recovers from a devastating pig butchering scheme. Our guest today is Javed Hasan, CEO and Co-Founder of Lineaje, discussing the growing risks within open source ecosystems. Sending data down the compressed air superhighway.

Selected Reading
Top US cyber official says 'no evidence of malicious activity' impacting election (The Record)
FBI Warns Gmail, Outlook Users Of $100 Government Emergency Data Email Hack (Forbes)
Chrome Security Update: Patch for Multiple High Severity Vulnerabilities (Cyber Security News)
Interpol disrupts cybercrime activity on 22,000 IP addresses, arrests 41 (Bleeping Computer)
Microchip Technology Reports $21.4 Million Cost From Ransomware Attack (SecurityWeek)
Ransomware Attack Disrupts Georgia Hospital's Access to Health Records (SecurityWeek)
South Korea Fines Meta $15 Million for Illegal Data Collection on Facebook Users (CEO Today)
Cyberattack disables tracking systems and panic alarms on British prison vans (The Record)
FBI recovers just $8M after crypto scam crashes Kansas bank (The Register)
The bizarre reason pneumatic tubes are coming back (BBC Science Focus)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
We've got an election day wrap-up.
The FBI issues a warning about cyber criminals selling government email credentials.
Google issues an emergency update for Chrome.
An Interpol operation nets dozens of arrests and IP takedowns.
Microchip Technology discloses $21 million in expenses related to a cybersecurity breach.
Ransomware makes a Georgia hospital revert to paper records. South Korea fines Meta $15 million over privacy violations. A cyberattack disables panic alarms on British prison vans. A small city in Kansas recovers from a devastating pig butchering scheme. Our guest today is Javed Hasan, CEO and co-founder of Lineaje, discussing the growing risks within the open-source ecosystem
and sending data down the compressed air superhighway.
It's Wednesday, November 6, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Thanks for joining us here today. It is great to have you with us.
Donald Trump won the U.S. presidential election
yesterday, and so will be headed back to the White House in January. In his previous term,
Trump emphasized bolstering U.S. cyber defenses, but took a somewhat fragmented approach,
disbanding the White House cybersecurity coordinator role and leaving certain interagency efforts
decentralized. Under the Biden administration, cybersecurity took on new urgency with major
investments in critical infrastructure protections, zero-trust architecture, and public-private
partnerships. With Trump back in office, we might expect a pivot, possibly rolling back some
regulatory elements or shifting
priorities toward a more streamlined, business-friendly cybersecurity policy. But as threats evolve,
especially with increased ransomware incidents and foreign cyber-influence campaigns, Trump's
administration will face new pressure to sustain the resilience and innovations introduced in recent years.
Time will tell.
CISA reported no credible threats against U.S. voting infrastructure during Election Day, with only minor anticipated disruptions observed. CISA Director Jen Easterly confirmed that no evidence indicated malicious interference with election security or integrity. Despite former President Trump's claims of fraud in swing states like Michigan and Pennsylvania, Easterly and senior CISA advisor Cait Conley stated that no data supported these allegations. The most significant disruption involved false bomb threats in multiple swing states, including nearly 40 in Georgia, which officials traced to Russian email domains. However, Easterly cautioned that the origin of these threats is still under investigation and that Russia's involvement is not confirmed. Additionally, the FBI was targeted in disinformation campaigns, leading it to debunk false election-related claims involving its name. CISA anticipates issuing a statement soon on the resilience of U.S. election infrastructure as the certification process continues.
The FBI has issued a warning about a surge in cyber criminals selling high-quality government email credentials and related instructions on cybercrime forums. These credentials,
often sold with stolen subpoena documents, enable attackers to pose as law enforcement
and send fraudulent emergency data requests to bypass traditional security checks.
These scams can facilitate espionage,
data extortion, or ransomware attacks.
The FBI noted this trend began over a year ago,
evolving from basic phishing scams
to sophisticated credential sales across 25 countries.
Recent incidents include attackers simulating
urgent law enforcement requests,
exploiting pressure
tactics to elicit sensitive data quickly. To mitigate these risks, the FBI advises organizations
to enhance security protocols, such as monitoring third-party connections, enforcing two-factor
authentication, and adopting critical thinking before responding to urgent data requests.
Attackers often rely on rushed responses,
so verifying request legitimacy can prevent falling victim to these scams.
Google has issued an emergency update for Chrome addressing two high-severity vulnerabilities related to use-after-free bugs in the Family Experiences and Serial components. These vulnerabilities could allow attackers to execute malicious code on affected systems, posing risks of unauthorized access or complete system compromise. The patch was released on November 5th for Windows, Mac, and Linux users. Google strongly advises users to update immediately to protect against these security threats.
Interpol's Operation Synergia 2, conducted from April through August of this year, resulted in 41 arrests and the dismantling of over 1,000 servers involved in cybercrime across 95 countries. With intelligence support from cybersecurity firms like Group-IB and Kaspersky, the operation identified over 30,000 suspicious IP addresses, with about 75% of these taken offline. Authorities seized 59 servers and 43 electronic devices for further investigation, and another 65 individuals are under scrutiny for cyber-related activities. Highlights include actions in Hong Kong, where just over 1,000 servers were taken down, and in Mongolia, where 21 house searches led to a server seizure. The operation targeted phishing, ransomware, and information stealer malware, which are top threats. Interpol noted a rise in generative AI being used for phishing and that information stealers often serve as entry points for ransomware, which surged by 70% last year.
Microchip Technology disclosed a $21.4 million expense related to a cybersecurity
breach in its latest financial report. The incident, discovered in August, disrupted some
of Microchip's manufacturing facilities. The Play ransomware group claimed responsibility,
alleging they stole gigabytes of sensitive data,
including client documents and employee information. Microchip did not pay a ransom,
and the hackers have since leaked a 4-gigabyte archive reportedly containing payroll,
accounting, and contract information. By early September, Microchip had restored most operations and confirmed the data breach.
Memorial Hospital and Manor in Bainbridge, Georgia, was hit by a ransomware attack,
disabling access to its electronic health record system.
Discovered early Saturday, the attack forced staff to revert to paper-based records,
but reportedly did not impact patient care.
The Embargo ransomware group claimed responsibility,
threatening to release 1.15 terabytes of stolen data unless a ransom is paid by November 8.
Embargo, a new ransomware-as-a-service group, uses double extortion tactics,
demanding ransom and threatening data leaks if unpaid.
South Korea's privacy watchdog fined Meta $15 million for illegally collecting and sharing
sensitive data, including political views, sexual orientation, and religious beliefs,
from approximately 980,000 Facebook users. Meta reportedly shared this data with around 4,000 advertisers
without obtaining explicit user consent,
violating strict South Korean privacy laws.
The investigation revealed that Meta used data on user activities
to infer sensitive information, flagged as a serious breach.
Alongside unauthorized data sharing, Meta's
inadequate security measures left accounts vulnerable to hacking, allowing attackers to
exploit inactive pages for identity theft. This fine adds to Meta's recent penalties worldwide
for privacy violations, highlighting increasing regulatory scrutiny. Meta stated it would carefully review the decision
but has not clarified if it will appeal.
A recent cyber attack on telematics firm Microlise has temporarily disabled critical tracking and panic alarm systems on British prison vans operated by Serco for the Ministry of Justice. While there's no evidence that anyone has tried to exploit the situation, the incident does highlight the potential risks of supply chain vulnerabilities. Microlise informed the London Stock Exchange of the breach, later clarifying that, while employee data may have been accessed, it's confident customer systems remain secure. Recovery efforts are underway, with services expected to be back to normal by next week.
The FBI has recovered $8 million from a $47 million cryptocurrency scam
that severely impacted the small Kansas city of Elkhart. The scam, a pig butchering scheme, involved convincing
Heartland Tri-State Bank CEO Shan Hanes to continually invest in a fake cryptocurrency,
initially with his own money and later with embezzled funds from local entities,
including the Elkhart Church of Christ. Haynes, using his trusted position, authorized
massive wire transfers to the scammer. Despite staff concerns, he misled them about the transaction's
purpose. After a tip-off in July of 2023, an investigation revealed losses exceeding the
bank's capitalization. Haynes was sentenced to over 24 years in prison.
The recovered funds will be returned to local investors,
offering some relief to the devastated community.
Coming up after the break, my conversation with Javed Hasan from Lineaje.
We're discussing the growing risks within open source ecosystems.
Stay with us.
Do you know the status of your compliance controls right now?
Like, right now?
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection
across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and helps you get security
questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta
when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact, over
one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
Javed Hasan is CEO and co-founder of Lineaje.
I recently caught up with him to discuss the growing risks
within open source ecosystems.
So the state of things as we see it is
open source has become more and more important,
especially over the last decade.
As companies have used open source
inside their applications,
we have seen a steady increase
of the use of open source in both critical applications
and business applications.
And as that has increased, the risk from open source is increasing as well.
And where we find ourselves today is that in most modern applications, 80% or so of
all components come from open source.
While at the same time, the open source developers are great innovators and not as great maintainers, which is not surprising given where they come from.
And so we find that about, at least Lineaje's analysis finds that about 50%
of all open source is not maintained.
20% is maintained,
which means that it has updates
over the last six months to two years.
And about 30% is well-maintained.
So 70% of open source is in a box
where companies have embedded it
in their applications,
while it's no longer well-maintained
by open source developers,
creating a small bit of a challenge for companies that embed open source.
Yeah. How would you describe how most organizations approach the security issues of open source software?
When they are using these components, what degree of scrutiny do they apply to these
packages? I mean, we have been working with a number of these organizations, and the way we
see it is that much of open source choice is led by developers. Companies have been pretty good at making sure that the license compliance
of open source is well done.
And to some extent, they discover the vulnerabilities that are tied to at least top level components
of open source, not necessarily the full open source supply chain, which may be 60 levels
deep.
And they are then overwhelmed by the number of vulnerabilities that come through open source.
So I think that's what we're finding right now as a current state.
You know, open source program offices
are still rare in most companies, and so we think of that
as a way most organizations can improve.
We had the incident not too long ago
with XZ Utils, the backdoor incident,
where someone was really playing the long game here,
having access to an open source utility.
Was that a bit of a wake-up call for the community?
I think it was a big wake-up call, right?
Again, we would expect that
such incidents would increase.
And as you saw, they sort of
made its way across
from open source
into a company like Microsoft
without buying that scrutiny.
And then an eagle-eyed developer
sort of, you know,
in a lab, found there was performance issues in Microsoft analysis
of the software and raised the alarm there.
So it was detected by luck almost in that case.
But those kinds of attacks, I think, would become more common as we go along.
So in your estimation, what's to be done here?
I mean, how can companies both make use
of the utility of open source software,
but also take care of the security concerns?
Yeah, so, you know, again, I mean,
if you sort of now, let's take XZ as an example.
You know, what you should see
if you analyze the open source,
that, you know, the Linux that contained XZ,
what you would see is that open source components
embedded a private component.
And, you know, like our Lineaje technology
would have detected that.
I think, you know, companies need
better open source analysis tools
than they have right now
to be able to detect these kinds of threats and tamper in open source software and mitigate that threat.
So I think simply is we have always innovated in terms of,
new threats come along,
we build new tools to address them.
So I think open source security,
like you said, there's a wake-up call, and the wake-up call leads to new tooling and new capabilities that companies need.
And then we have startups like ours that are amazingly driven to solve those problems.
To what degree is there a, I call it a chain of custody when it comes to open source software?
Can you, is it easy to track, you know, where it's been,
who's had their hands on it, what changes have been made?
By and large, yes.
So if you, like, I'll give you an example of what we do.
And so if we take a top level open source component
that a company would pick up,
we'll go find out where it came from.
So you have a PURL which tells you
where the package came from.
If you analyze the package well, which we do,
you'll find the source code it comes from.
So now you have both the package and the source code.
And the source code should match the package,
which means that the package is made up of the source code
it says it is made up of.
And as you analyze those two,
you realize that they have incremental dependencies
on other packages and other source code libraries.
So you go scan them and find out
if those have additional dependencies
and so on and so forth
till you create the full software supply chain,
which might be, like I said, 60 levels deep.
And then what you have to do is understand
who embeds whom,
but because software is well-tracked
in terms of code commits, in terms of changes,
you know where the changes came from.
You know what versions has which subcomponents
and sub-subcomponents and so on.
And so it is possible, and we do that today,
to create a full chain of custody,
a tested chain of custody list,
and ensure that every component that you include
came from the package it said it came from,
and the package came from the source code it claimed to be coming from.
And then every dependency they have at various levels
also is attestable,
so that you know that every package and source code
is identical to what was published by the open source developers.
And then you can have threat detection rules on top of it,
which says that if your open source comes with private source code, for example,
well, that's a red flag.
So we are getting into an era of new kinds of threat detection
and new kind of tampers that we haven't seen before.
And so again, cybersecurity technologies like Lineaje
will help you detect those.
What are your recommendations for organizations
who want to get a handle on this?
I mean, what are some of the best practices
from your point of view?
So two things, right?
So one, have a clear governance policy for open source.
I think just like if you worked at a car company,
let's say, and you made cars,
you would not let every engineer go and select
the vendor of choice
for your carburetor and so on and so forth, right?
You manage it centrally and you manage it.
And supply chain management is a big part of car manufacturing.
Similarly, in software, if you're going to go assemble software
from open source and so on,
you need to manage your software supply chain
and for which you must
create and empower an open source management office or open source program office with
clear governance policies and continuous assessment of the software that you bring into your company.
And then you have to proactively look at it.
Like I said, half of open source is no longer maintained, so you should be EOLing some
parts of the open source that you use, replacing it with the new ones.
So active, proactive management
of open source, I think, is one part
of it. And governance of open source
is one part of it. The second
big part of it is you should be careful
about where you source open source
from. And so I think you
increasingly should look at
better sourcing
rules as opposed to a developer getting picked up from anywhere.
Our thanks to Javed Hasan from Lineaje for joining us.
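The chain-of-custody walk Hasan describes (PURL to package to source, recursing through dependencies, bucketing components by maintenance, and red-flagging open source that embeds a private component), as an added Python example; this is not Lineaje's tooling, the registry, digests, dates and file names are constructed, and the maintenance thresholds are the ones quoted in the interview.

```python
"""Chain-of-custody audit over an open-source dependency tree. Added example, not Lineaje's
code: it follows the walk described in the interview (start from a PURL, check the package
against the source it claims to come from, recurse into dependencies), buckets components
by maintenance age, and raises the "private component inside open source" red flag."""
from dataclasses import dataclass, field
from datetime import date

AS_OF = date(2024, 11, 6)                          # episode date, used as "today"
WELL_MAINTAINED_DAYS, MAINTAINED_DAYS = 183, 730   # six months / two years, per the interview


@dataclass
class Package:
    package_digest: str        # digest of the artifact as published (constructed value)
    source_build_digest: str   # digest of a rebuild from the source it declares (constructed)
    last_commit: date
    deps: list = field(default_factory=list)               # PURLs of direct dependencies
    untraceable_files: list = field(default_factory=list)  # shipped files absent from source

# Constructed registry: libcompress ships a file its source never contained and does not
# rebuild to the published digest, the pattern behind the XZ Utils case discussed above.
REGISTRY = {
    "pkg:pypi/example-app@1.0.0": Package("h1", "h1", date(2024, 10, 1),
        deps=["pkg:pypi/fastjson@2.3.1", "pkg:generic/libcompress@5.6.1"]),
    "pkg:pypi/fastjson@2.3.1": Package("h2", "h2", date(2023, 3, 15), deps=["pkg:pypi/oldutil@0.9"]),
    "pkg:pypi/oldutil@0.9": Package("h3", "h3", date(2020, 1, 10), deps=["pkg:pypi/fastjson@2.3.1"]),
    "pkg:generic/libcompress@5.6.1": Package("d9", "a1", date(2024, 9, 20),
        deps=["pkg:generic/missing-lib@0.1"], untraceable_files=["vendored/blob.o"]),
}

def parse_purl(purl):
    """Split pkg:type/namespace/name@version into parts; raises ValueError when malformed."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[4:].split("?", 1)[0].split("#", 1)[0]     # drop qualifiers and subpath
    path, sep, version = body.rpartition("@")
    parts = path.strip("/").split("/")
    if not sep or not version or len(parts) < 2:
        raise ValueError(f"purl needs type, name and version: {purl}")
    return {"type": parts[0], "namespace": "/".join(parts[1:-1]) or None,
            "name": parts[-1], "version": version}

def maintenance(last_commit, as_of=AS_OF):
    """Bucket a component by the age of its last update, using the interview's thresholds."""
    age = (as_of - last_commit).days
    if age <= WELL_MAINTAINED_DAYS:
        return "well-maintained"
    return "maintained" if age <= MAINTAINED_DAYS else "unmaintained"

def audit(root, registry=REGISTRY, as_of=AS_OF):
    """Depth-first walk from root; returns {purl: {depth, maintenance, attested, flags}}."""
    report = {}
    def visit(purl, depth, path):
        if purl in report:                                 # shared dependency, already audited
            return
        parse_purl(purl)                                   # reject malformed identifiers early
        pkg = registry.get(purl)
        if pkg is None:                                    # custody chain cannot be followed
            report[purl] = {"depth": depth, "maintenance": "unknown", "attested": False,
                            "flags": ["not in registry: chain of custody broken"]}
            return
        attested = pkg.package_digest == pkg.source_build_digest
        flags = [] if attested else ["package digest differs from rebuild of declared source"]
        if pkg.untraceable_files:                          # open source bundling a private component
            flags.append("embedded private component(s): " + ", ".join(pkg.untraceable_files))
        report[purl] = {"depth": depth, "maintenance": maintenance(pkg.last_commit, as_of),
                        "attested": attested, "flags": flags}
        for dep in pkg.deps:
            if dep in path or dep == purl:
                flags.append(f"dependency cycle via {dep}")
                continue
            visit(dep, depth + 1, path | {purl})
    visit(root, 0, frozenset())
    return report

def red_flags(report):
    """Components to review first: unattested, flagged, or unmaintained."""
    return sorted(p for p, r in report.items()
                  if r["flags"] or not r["attested"] or r["maintenance"] == "unmaintained")
```

Running `audit("pkg:pypi/example-app@1.0.0")` and then `red_flags(...)` on the result surfaces the tampered library, the dependency whose custody chain cannot be followed, and the unmaintained component, while the shared, attested dependency is visited once.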
Cyber threats are evolving every second. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
And finally, do you remember pneumatic tubes? The invention from the 1850s propelled mail, packages, and even food through pipes using compressed air. Though it once seemed destined for futuristic transport, a la Futurama or Micronauts, it all but vanished in the 1900s with the rise of trucks and digital communication.
But in an unexpected twist, pneumatic tubes are making a comeback,
thanks to hospitals and even waste management.
Hospitals now rely on advanced
tube systems to zip around medical samples and medicines, leveraging automation and RFID tracking
to boost efficiency. Meanwhile, Roosevelt Island in New York and even Walt Disney World have been
using tubes to whisk away rubbish since the 70s, at an impressive 60 miles an hour. And the technology
is expanding globally. Seoul, Barcelona, and Stockholm are using tubes for waste, reducing
emissions by minimizing trash trucks. From farms to cannabis sorting, pneumatic tubes are quietly
returning, proving that sometimes old tech just needs a fresh twist
to stay relevant. So, forget those encrypted emails. If you really want privacy,
maybe just blast your data through a pneumatic tube.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights
that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show,
please share a rating and review
in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
We're privileged that N2K Cyber Wire is part of the daily routine of the most influential leaders and operators in the public and private sector,
from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people.
We make you smarter about your teams while making your teams smarter.
Learn how at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester with original music and sound design by Elliot Peltzman.
Our executive producer is Jennifer Iben.
Our executive editor is Brandon Karp.
Simone Petrella is our president.
Peter Kilby is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Your business needs AI solutions that are not only ambitious, but also practical and adaptable. AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.