CyberWire Daily - The age old battle between iPhone and Android.

Episode Date: July 8, 2024

Microsoft is phasing out Android use for employees in China. Mastodon patches a security flaw exposing private posts. OpenAI kept a previous breach close to the vest. Nearly 10 billion passwords are leaked online. A Republican senator presses CISA for more information about a January hack. A breach of the Egyptian Health Department impacts 122,000 individuals. South Africa's National Health Laboratory Service (NHLS) suffers a ransomware attack. Eldorado is a new ransomware-as-a-service offering. CISA adds a Cisco command injection vulnerability to its Known Exploited Vulnerabilities catalog. N2K’s CSO Rick Howard catches up with AWS’ Vice President of Global Services Security Hart Rossman to discuss extending your security around genAI. Ransomware scrambles your peace of mind.

Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Recently N2K’s CSO Rick Howard caught up with AWS’ Vice President of Global Services Security Hart Rossman at the AWS re:Inforce event. They discussed extending your security around genAI. Watch Hart’s presentation from AWS re:Inforce 2024 - Securely accelerating generative AI innovation.
Selected Reading
- Microsoft Orders China Staff to Switch From Android Phones to iPhones for Work (Bloomberg)
- Mastodon: Security flaw allows unauthorized access to posts (Stack Diary)
- A Hacker Stole OpenAI Secrets, Raising Fears That China Could, Too (The New York Times)
- “A treasure trove for adversaries”: 10 billion stolen passwords have been shared online in the biggest data leak of all time (ITPro)
- Senate leader demands answers from CISA on Ivanti-enabled hack of sensitive systems (The Record)
- Egyptian Health Department Data Breach: 120,000 Users' Data Exposed (GB Hackers)
- South African pathology labs down after ransomware attack (The Cape Independent)
- New Eldorado ransomware targets Windows, VMware ESXi VMs (Bleeping Computer)
- CISA adds Cisco NX-OS Command Injection bug to its Known Exploited Vulnerabilities catalog (Security Affairs)
- New RUSI Report Exposes Psychological Toll of Ransomware, Urges Action (Infosecurity Magazine)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete.me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. Microsoft is phasing out Android use for employees in China. Mastodon patches a security flaw exposing private posts. OpenAI kept a previous breach close to the vest. Nearly 10 billion passwords are leaked online.
Starting point is 00:02:15 A Republican senator presses CISA for more information about a January hack. A breach of the Egyptian Health Department impacts 122,000 individuals. South Africa's National Health Laboratory Service suffers a ransomware attack. Eldorado is a new ransomware-as-a-service offering. CISA adds a Cisco command injection vulnerability to its Known Exploited Vulnerabilities catalog. N2K's CSO Rick Howard catches up with AWS's Vice President of Global Services Security Hart Rossman to discuss extending your security around generative AI. And ransomware scrambles your peace of mind. It's Monday, July 8th, 2024.
Starting point is 00:03:10 I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thank you for joining us here today. It is great, as always, to have you with us. Starting in September, Microsoft employees in China will be required to use iPhones for work, cutting off Android devices. An internal memo revealed that this move is part of Microsoft's Secure Future Initiative, aiming to ensure all staff use the Microsoft Authenticator and Identity Pass apps.
Starting point is 00:03:51 The decision stems from the fragmented Android app market in China, where Google Play is unavailable, and local platforms by Huawei and Xiaomi prevail. Consequently, Microsoft has decided to block these devices from accessing its corporate resources. Affected employees will receive an iPhone 15 as a one-time replacement. The change is driven by security concerns following multiple state-sponsored cyberattacks,
Starting point is 00:04:20 including a significant breach linked to Russia earlier this year. Microsoft's Executive Vice President Charlie Bell emphasized the company's commitment to prioritizing security, pledging a major overhaul to address cloud vulnerabilities and enhance credential protection. Mastodon, the decentralized social network, has issued an urgent call for instance operators to update their server software due to a high-risk security flaw. The vulnerability allows attackers to access private posts by expanding the audience to unintended users. Rated with a CVSS score of 8.2, it affects all versions from 2.6.0 onwards. The Mastodon team has released updates to fix this issue and other security problems. An additional fixed bug involved an inadequate permissions check for API endpoints. Mastodon emphasized the importance of updating servers
Starting point is 00:05:21 promptly given past security issues. The team will release a detailed description of the vulnerability on July 15th, giving administrators time to update. The decentralized nature of Mastodon makes timely updates by individual instance operators crucial. Early last year, a hacker accessed OpenAI's internal messaging system, stealing details about their AI technologies. The breach occurred via an online forum where employees discussed the latest advancements. Although the hacker didn't access core systems, OpenAI revealed the incident internally in April of 2023, but didn't inform the public or law enforcement since no customer or partner data was compromised. Some employees feared that foreign adversaries
Starting point is 00:06:13 like China could exploit such vulnerabilities, raising concerns about OpenAI's security measures. Leopold Aschenbrenner, an ex-employee, highlighted these issues, alleging inadequate protection against foreign threats. Despite his claims, OpenAI asserted they had addressed the incident. The company claims to have since bolstered its security products and continues to improve its defenses against potential threats. Last week, almost 10 billion passwords were leaked on an underground hacking forum, described as the largest password leak ever. On July 4th, a user named Obamacare posted a file, rockyou2024.txt, containing 9.9 billion unique passwords. Cybernews researchers confirmed these passwords stemmed
Starting point is 00:07:07 from various data breaches over the past two decades. The file updates the previous record holder, RockYou2021, which had 8.4 billion passwords. Despite the age of some passwords, security experts warn they can still be exploited due to password reuse. Simon Lawrence from iConfidential emphasized the danger of credential stuffing attacks, where stolen logins are tested across different networks. Organizations are urged to reassess password policies, educate employees on password reuse risks, and implement multi-factor authentication
Starting point is 00:07:46 to enhance security. Republican Senator Charles Grassley has demanded answers from CISA Director Jen Easterly about a January hack involving the agency's Chemical Security Assessment Tool, CSAT, and one other sensitive system due to vulnerabilities in Ivanti products. This breach potentially compromised critical infrastructure information. While CISA confirmed the breach in March, it didn't disclose the involvement of CSAT until June 24. Grassley criticized CISA for not adequately protecting its systems, raising national security concerns. The incident led to unauthorized access to site security plans, impacted entities, CISA's prior knowledge of Ivanti
Starting point is 00:08:46 vulnerabilities, and steps taken to secure their systems. Brian Harrell, former CISA Assistant Director, expressed concerns over the breach, noting its negative impact on renewing the Chemical Facility Anti-Terrorism Standards, or CFATS, regulation. The CFATS program, crucial for regulating high-risk facilities' security, has stalled in Congress since July of 2023. CISA has yet to comment publicly on Grassley's letter. The Egyptian Health Department, the EHD, has reported a data breach affecting 122,000 individuals, which occurred on December 21st of 2023. Discovered the same day, the breach involved an external system hack compromising sensitive personal information, including names and
Starting point is 00:09:39 identifiers. Joseph Foos, representing the EHD, confirmed that affected individuals were notified on July 2nd of this year and authorities were informed. The breached data poses a risk of identity theft, prompting the EHD to offer 12 months of credit monitoring services through TransUnion. The EHD has set up a helpline to assist affected individuals and provide guidance on safeguarding personal information. South Africa's National Health Laboratory Service is recovering from a ransomware attack on June 22, which disrupted diagnostic systems and deleted backups, causing significant delays in lab testing across public health facilities. Although all labs are now operational, physicians cannot access test results online. NHLS assured that no patient data was compromised and data restoration is expected within weeks.
Starting point is 00:10:40 The delays have severely impacted emergency patients and intensive care units, with over 6.3 million unprocessed blood tests postponing major operations. Urgent test results are being communicated via telephone, raising concerns about operational continuity. The NHLS serves 80% of South Africa's population and operates over 265 labs. The incident underscores the nation's vulnerability to cyberattacks, following similar incidents targeting other government agencies and healthcare providers in Kenya. Representatives say the NHLS faces a prolonged recovery with an unclear timeline for full restoration. A new ransomware-as-a-service called Eldorado emerged in March, featuring locker variants for VMware ESXi and Windows.
Starting point is 00:11:36 The group has claimed 16 victims, primarily in the U.S., targeting real estate, education, healthcare, and manufacturing sectors. Cybersecurity firm Group-IB tracked Eldorado's activities, noting its promotion on RAMP forums and recruitment of skilled affiliates. Eldorado's data leak site was down at the time of reporting. The ransomware, written in Go, can encrypt both Windows and Linux platforms using the ChaCha20 algorithm and RSA encryption. It appends a numerical extension to encrypted files and drops ransom notes named HowReturnYourData.txt. Eldorado encrypts network shares via SMB and deletes shadow volume copies to hinder recovery. Affiliates can customize attacks, especially on Windows systems.
Starting point is 00:12:31 Eldorado is a unique development not based on previous ransomware groups and has quickly proven its capability to cause significant damage. The U.S. Cybersecurity and Infrastructure Security Agency added a Cisco NX-OS command injection vulnerability to its Known Exploited Vulnerabilities catalog. This zero-day vulnerability, exploited by the China-linked group Velvet Ant, allows authenticated local attackers with administrator credentials to execute arbitrary commands as root on affected devices. Cisco addressed the flaw, which affects several Nexus series switches, and recommended using the Cisco Software Checker to identify vulnerable devices. Federal agencies must fix this vulnerability by July 23rd of this year. Coming up after the break,
Starting point is 00:13:34 Rick Howard catches up with AWS's Vice President of Global Services Security, Hart Rossman. Stay with us. Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora
Starting point is 00:14:13 have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses
Starting point is 00:15:08 is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak.
Starting point is 00:15:36 Learn more at blackcloak.io. My N2K colleague Rick Howard recently caught up with AWS's Vice President of Global Services Security, Hart Rossman, at the AWS re:Inforce event. They discussed extending your security around generative AI. AWS is a media partner here at N2K CyberWire. In June of 2024, Brandon Karpf, our VP of Programming, Jen Eiben, our Executive Producer, and I traveled to the great city of Philadelphia to attend the 2024 AWS re:Inforce security conference.
Starting point is 00:16:22 And I got to sit down with Hart Rossman, the AWS Vice President of Security for Sales, Marketing, and Global Services. He gave a presentation on the future of generative AI and security, so I asked him how it went. You know, it was super fun. I had Emily Weber with me,
Starting point is 00:16:38 who is a principal security leader on the Annapurna organization. That's the part of the business that helps fabricate some of the chips that we use internally, Inferentia, Trainium, those sorts of things. And then we also had two customer speakers as well, from RC and from Bloomberg. And the focus of our talk was really to help the security community learn about best practices for implementing security around Gen AI workloads. Well, it's also new, right? I was looking at the Gartner hype chart for AI in security just
Starting point is 00:17:12 last week, right? And everything's still on this side of the peak of inflated expectations, right? It hasn't even got to the top and started to drop yet. So we're all still very excited about it. And we're all pretty confused about what security people should be doing, let alone what businesses should be doing with generative AI. So what's some of the pitfalls that you could try to avoid if you listened to your talk? Yeah, you know, I think it's honestly less about pitfalls and more about understanding how you can take the security program you've already invested in and extend it to this new technology, this new experience in Gen AI. Things that have always been important are still important. Identity and access control, having that principle of least privilege across your Gen AI workload.
Starting point is 00:17:59 You want to look at things like ensuring that you've got encryption end-to-end. So that's the learning point, right? Because you're saying the strategies that you've chosen to protect your enterprise, they don't change just because we have this newfangled technology. A lot of it's the fundamentals, right? But then there's new opportunities to do security well. And by the way, for me, the most exciting part is actually using this new technology to improve security outcomes.
Starting point is 00:18:26 In my mind, there's like two big areas of kind of green field for generative AI. One is what you just described. We can run those algorithms against our own configurations to make sure that we haven't screwed anything up, that we're not missing anything, and maybe even proactively finding things. You know, this bad thing might happen in the future. So that's one thing. And that's what you were talking about with those kinds of services. Yeah, it's like an assistive technology, right? You've got these really expert people in your organization who are security architects,
Starting point is 00:18:57 engineers, incident responders. And, you know, they can benefit from this technology in an assistive fashion to get things done better, faster, less expensive, right? Or to correlate knowledge across the enterprise. And I think for the responder in particular, right, having access to an LLM that's been deeply encoded with security-relevant knowledge is a game changer, right? It really adds a ton of value. So that's a really interesting question.
Starting point is 00:19:26 Who owns that in the enterprise? You know, because I'm not sure that, I mean, maybe Amazon, it's so big and has so many resources that you might have a special team that does that. But I'm on the other side of that at N2K. We're just a startup. So who does, who is in charge of figuring that out and incorporating that? I mean, what's a best practice there? Yeah, you know, I think obviously there are different approaches for different folks. What I often advocate is, you know, the service team or the enterprise application owner is probably the best suited to adopt anything new.
Starting point is 00:20:05 And Gen AI is no different. And so in this case, if you've got a team responsible for security escalations and investigations, this is an opportunity for them to embrace the new hotness, bring that technology in-house, train it, develop it in a way that works best for their needs, and then get after it. Having said that, some organizations work better in a CCOE model,
Starting point is 00:20:22 a center of excellence model. And if that's your jam, you know, get after it. That's super cool. So then the other way you might use generative AI is, because what we were just talking about is improving your already deployed systems, how do you configure them, how do you monitor them, those kinds of things, but the other way is to just take all the data that's generated by the exhaust of all those tools in your environment, run these algorithms on it, and maybe find new bad guys
Starting point is 00:20:50 that you didn't know were there, okay? So is that sometime in the future or is that still years away from us? Yeah, I think that's true if you expand kind of that shorthand of Gen AI to talk about machine learning in general, right? And so when we talk about generative AI as a great way to interface
Starting point is 00:21:07 and create that knowledge base to the LLM, and then we add to it kind of some broader machine learning techniques, that's absolutely the right way to go, right? And GuardDuty is a great example of that, right? We were doing machine learning-driven threat detection and response in GuardDuty years before generative AI became a thing, right?
Starting point is 00:21:27 Yeah. And, you know, machine learning has been around even with, you know, detecting malware. I mean, it's been around forever. And so when you put them together, though, you get this powerful, really, experience for the developer, for the builder, for the responder. And that, for me, really drives this idea that, you know, we have to remember as leaders in the security community, we've got to be early adopters. We've got to take advantage of first mover, right? And so if the rest of the business is super excited about something like
Starting point is 00:21:56 Gen AI, and you're still hesitant, or you're still reluctant or resistant, right? By the time you get hip to it, it's going to be the same old trope in security where, you know, you're chasing the business to help protect them. Whereas if today, you know, you're building security workloads on Bedrock, if you're using solutions and technologies like Perplexity, right, to do your own searches as a security leader, right, you'll have an authentic point of view on what works for you, what doesn't work for you, and where you want the business to go instead of playing catch-up and trying to sort of artificially create rules of engagement.
Starting point is 00:22:35 What's the downside there? I mean, I know all of us look at the Gartner hype chart, everything that thinks it's going to be great for us in the future. What can go wrong here? What should we be looking for? You know, I don't see specifically a downside, to be perfectly honest. I think it goes back to what we were discussing earlier,
Starting point is 00:22:52 which is, you know, really taking the lessons learned that we know in enterprise security programs, right, and extend that to Gen AI. So, you know, model input and output validation, right? Encryption, identity, all of these things are still important, right? The question is, as a security professional, do you understand the nuance of the use cases
Starting point is 00:23:15 of the new technology to ensure that those best practices are implemented? That was Hart Rossman, the AWS Vice President of Security for Sales, Marketing, and Global Services. That's N2K CyberWire's Chief Security Officer, Rick Howard, speaking with AWS's Vice President of Global Services Security, Hart Rossman. cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com
Starting point is 00:24:18 today to see how a default deny approach can keep your company safe and compliant. And finally, a new report out of the UK reveals the often-overlooked mental toll ransomware attacks take on victims. Beyond data theft and financial loss, these cyber attacks significantly impact the psychological and physiological well-being of individuals, as highlighted by the Royal United Services Institute, RUSI. Dr. Jason Nurse, a cybersecurity expert at the University of Kent, emphasized that ransomware not only disrupts services but also deeply affects staff who suddenly cannot return to their families. The report, Your Data is Stolen and Encrypted, the Ransomware Victim Experience, published on July
Starting point is 00:25:19 2nd, provides unique insights into victims' psychological experiences during ransomware incidents. It outlines how certain factors can worsen or alleviate their distress and suggests policy measures to reduce harm. Daniel Card, an incident response specialist, stressed the importance of basic self-care during a response, noting that well-being is crucial for effective incident handling. The report recommends that line managers be sensitive to the psychological and physical harm caused by ransomware attacks. Public policy must prioritize mitigating the psychological
Starting point is 00:25:58 impact of such attacks. The report calls for more funding for mental health services tailored to ransomware victims and suggests that cyber insurance policies cover mental health counseling. Despite awareness efforts, many organizations still prioritize cybersecurity inadequately. Daniel Card noted the scale of this challenge, emphasizing the need for organizations to strengthen their security measures continuously. This report is part of a 12-month research project by RUSI and the University of Kent, funded by the UK's NCSC and the Research Institute for Sociotechnical Cybersecurity. In the heat of the moment, it's easy to lose sight of the human element of a ransomware attack.
Starting point is 00:26:45 Let's remember to extend kindness and understanding to those affected, fostering a culture of compassion and resilience. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
Starting point is 00:27:28 If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. We're privileged that N2K Cyber Wire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at N2K.com. This episode was produced by Liz Stokes. Thanks for listening. We'll see you back here tomorrow.
Starting point is 00:28:45 Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
