CyberWire Daily - The court draws a privacy line.

Episode Date: June 30, 2026

The Supreme Court limits geofence warrants. DHS moves to expand CISA. The State Department offers $10 million for Russian hackers. A legal theory could reshape EU-U.S. data sharing. Plus, cyberattacks... hit D.C. housing, Oracle and SimpleHelp flaws face active exploitation, malware lingers on Japanese military networks, and stolen Apple supplier data surfaces online. John Cannava, CIO at Ping Identity, discusses how identity threats don't go on holiday. The Secret Service dial down the risk on BYOD.  Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Today we are joined by John Cannava, CIO at Ping Identity, as he discusses how identity threats don't go on holiday: how attackers take advantage of these high-traffic moments to blend in with normal user behavior, and what needs to change to better protect fans of major events like this summer's World Cup, and identity threats in travel at large. Selected Reading Supreme Court says police need a warrant to obtain Google location data (Washington Post) DHS Eyes 600 New Cybersecurity Hires, New Director for CISA (BankInfo Security) US posts $10 million reward over Russian cyber campaign targeting Signal, WhatsApp (The Record) US Supreme Court just blew up EU-US Data Transfers (NOYB) DC Housing Authority hit by cyberattack, website down (WJLA) Exploitation of Recent Oracle E-Business Suite Vulnerability Begins (SecurityWeek) USB drives carrying China-linked malware infected Japanese military networks for nearly a year (Bitdefender) A forged login key unlocks SimpleHelp servers, and a new stealer is raiding cloud and AI credentials (SURIQ) Apple iPhone 18 Pro supplier list, parts and photos exposed in Tata data leak (Reuters) Even the Secret Service won't use company-issued phones (The Register) Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Discussion (0)
Starting point is 00:00:00 You're listening to the Cyberwire Network, powered by N2K. This episode is supported by Black Hat USA. If you follow the research, you know a lot of it breaks on Black Hat stages. Hundreds of peer-reviewed briefings, more than 100 hands-on trainings, and the largest business hall in Black Hat's history. Six days to learn the skills you'll need tomorrow. August 1st to the 6th. Use code Cyberwire for $200 off your briefings path,
Starting point is 00:00:36 at blackhat.com. We'll see you in Vegas. The Supreme Court limits geofence warrants. DHS moves to expand Sisa. The State Department offers $10 million for Russian hackers. A legal theory could reshape EU-US data sharing, plus cyber attacks hit D.C. housing, Oracle and simple help flaws face active exploitation.
Starting point is 00:01:13 Malware lingers on Japanese military networks and stolen Apple supplier data surfaces online. Our guest is John Canova, CIO at Ping Identity, discussing how identity threats don't go on holiday. And the Secret Service dial down the risk on B-YOD. It's Tuesday, June 30th, 2026. I'm Dave Bittner, and this is your Cyberwire Intel briefing. Thanks for joining us here today. It's great to have you with us.
Starting point is 00:02:10 In a landmark 6-3 decision, the U.S. Supreme Court ruled that police, generally must obtain a warrant before accessing a person's detailed Google location history, strengthening constitutional protections for digital privacy. Writing for the majority, Justice Kagan said, people have a reasonable expectation of privacy in the location data generated by their smartphones, even when that information is stored by a third-party company like Google. The court stopped short of deciding whether Geofense warrants are themselves constitutional, sending that question back to a lower court. The case stemmed from a 2019 Virginia bank robbery
Starting point is 00:02:52 investigation in which police used a geofence warrant to identify suspect O'kella Chatri. Technology companies and privacy advocates praised the ruling, arguing that broad location requests can sweep up innocent people, while law enforcement maintained the data is an essential investigative tool. Homeland Security Secretary Mark Wayne Mullen told Congress that the cybersecurity and infrastructure security agency's biggest challenge is not funding but staffing. He said SISA is operating at roughly half-strength and needs to hire about 600 experienced cybersecurity professionals to restore its role as the nation's primary cyber defense agency. Mullen said President Trump has already met with a candidate to lead,
Starting point is 00:03:42 SISA, and estimated it will take about a year to rebuild the agency once new leadership is in place. The agency has experienced significant turnover, with roughly one-third of its workforce departing during Trump's second term, and its election security efforts largely dismantled. Mullen warned that growing cyber threats from China, North Korea, Russia, and Iran require stronger public-private partnerships, arguing that Sisa is essential to court national cyber defense and cannot rely on private industry alone. The U.S. State Department is offering up to $10 million for information leading to members of two Russia-linked hacking groups accused of targeting signal and WhatsApp accounts belonging to government
Starting point is 00:04:30 officials, journalists, and other high-profile individuals. According to the FBI, the groups use social engineering to steal verification codes, pins, and backup recovery keys, allowing them to access encrypted message histories and even regain account access after victims create new accounts. The campaign is tied to Russian intelligence services and has targeted victims across Ukraine, Europe, and the United States. A recent U.S. Supreme Court ruling embracing the unitary executive theory could upend the legal foundation of EU-U.S. data transfers. In Trump v. Wilcox, referred to by privacy advocates as the slaughter decision, the court held that the president generally has the authority to remove leaders of independent executive agencies, calling into question the independence of the Federal Trade Commission. Privacy Group Noib argues that this undermines the EU-US data privacy framework, which relies heavily on the FTC as an independent privacy regulator. The group says the ruling also weakens other transfer mechanisms, such as standard contractual clauses, that depend on independent U.S. oversight.
Starting point is 00:05:50 While the current framework remains in force unless the European Commission repeals it or European courts invalidate it, Noeb has urged the Commission to withdraw the agreement and plans to challenge it before the EU's highest court. The D.C. Housing Authority has confirmed it was hit by a cyber attack that compromised its systems, leaving staff unable to access files and knocking its website offline. The incident has also disrupted constituent services, with officials unable to process requests while recovery efforts continue. It's not yet known whether any personal information was exposed. The district's office of the chief technology officer said it is providing technical guidance to DCHA, which operates its own technology infrastructure, as the agency and its incident response team investigate the breach.
Starting point is 00:06:46 Threat actors have begun actively exploiting a critical Oracle e-business suite vulnerability just weeks after Oracle released a patch. The flaw, which carries a CVSS score of 9.8, allows unauthenticated attackers to remotely take over Oracle payments. Threat intelligence firm, diffused, detected the first exploitation attempts against its EBS honeypots over the weekend, despite no public proof-of-concept exploit being available. Organizations are urged to apply Oracle's May security update immediately, as Oracle Enterprise products remain frequent targets for cybercriminals and ransomware groups. leaked documents reveal that Japan's ground self-defense force
Starting point is 00:07:33 unknowingly used counterfeit malware-infected USB drives on sensitive military networks for nearly a year. The drives reportedly introduced during 2024 earthquake relief efforts outside normal procurement channels were connected to more than 50 computers, including systems handling classified troop movement data. Investigators linked the malware to a previously identified identified Chinese hacking operation, although Japan's defense ministry said the malware only self-replicated and showed no signs of data theft. The incident raises concerns about supply
Starting point is 00:08:10 chain security and the risks of bypassing standard procurement procedures during emergencies, particularly as similar counterfeit USB drives remain widely available through online retailers. A critical authentication bypass flaw in Simple Help Remote Support Software is being actively exploited to compromise managed service providers and their customers. The vulnerability with a maximum CVSS score of 10 allows attackers to impersonate privileged technicians without authentication by exploiting improper validation of open ID connect login tokens. Researchers observed attackers using the flaw to deploy a new core. cross-platform malware called Jin Steeler, which targets cloud credentials, developer secrets,
Starting point is 00:09:00 GitHub and SSH keys, cryptocurrency wallets, and AI coding assistant tokens. SISA has added the bug to its known exploited vulnerabilities catalog, urging organizations to immediately patch affected simple help servers, investigate for signs of compromise, and rotate any potentially exposed credentials. Following up on a story from last week, sensitive files stolen from Apple's Indian supplier Tata Electronics have reportedly been published by a ransomware group, exposing supplier lists, component information,
Starting point is 00:09:39 and photos of unreleased iPhone 18 Pro models. The leak could reveal closely guarded details about Apple's global manufacturing network, potentially benefiting competitors, counterfeiters, and other suppliers. Tata has become one of Apple's most important manufacturing partners outside China as the company expands production in India. The incident comes as Apple faces rising hardware costs
Starting point is 00:10:05 and is expected to increase iPhone prices. Separately, Apple announced it will release security updates more quickly rather than waiting for major iOS releases, saying advances in AI-assisted hacking have shortened the window between vulnerability disclosure and active exploitation. Coming up after the break, my conversation with John Canova from Ping Identity. We're discussing how identity threats don't go on holiday. And the Secret Service dial down the risk of B-YOD.
Starting point is 00:10:47 Stay with us. John Canova is CIO at Ping Identity. We recently got together to discuss how identity threats don't go on holiday. Yes, certainly it creates challenges for cybersecurity programs in that it's really a perfect storm in that user behavior changes rather significantly. You see everything from surges in volumes of activity that seem abnormal to changes in the geolocation of your user base. And so what were signals that you could really rely on now become patterns of standard behavior for the same non-malicious user base. Are there specific things that you see around an event like the World Cup? Yeah, we see a lot of opportunism with attackers, quite honestly, unfortunately,
Starting point is 00:11:52 in that they understand the dynamics that have changed in terms of user volumes and changes in geography. And so they like to hide within the crowd. And so we see a lot of activity around credential stuffing, fraudulent registrations, etc., that make it really difficult for organizations. that are trying to host these large-scale events. What about the folks themselves who are attending an event? I'm thinking they're in a different mindset. They're away from home.
Starting point is 00:12:24 They may be a place they haven't been before. They're excited. They're in a heightened emotional state. All of those things can contribute to perhaps being a little more vulnerable. Absolutely. And I think, moreover, they're interacting with websites that they're not. generally used to. I think consumers need to be on alert in these cases and ensure that they're double-checking the websites and the emails that they're interacting with as they purchase tickets
Starting point is 00:12:56 or they look for travel and accommodations. Certainly attackers are out there looking to take advantage of these opportunities. If I'm a security professional looking after the folks in my organization and I have people I know are traveling to a big event like this. Is there anything I need to be careful of or put in place to account for that? Yeah, I think, you know, first off, understanding behavior and an identity level within your cybersecurity program is super important. And being able to understand that there are going to be patterns that maybe you relied on previously that you can't rely on going forward. And so, making sure that your cybersecurity team and your product team to the extent you have a website
Starting point is 00:13:42 or an app are really thinking about maybe there are different types of signals we want to key on for this event. So doing some pattern mapping around maybe current state versus 2B state and understanding what those gaps are going to be. And in addition to that is really thinking about when it comes to identity, they are not only focused on the login. experience, that you're thinking through the continuous adaptive sort of solutions that give you more insight throughout the session with your customers. Can we dig into that? What sort of things are you talking about here? Yeah, sure. So, you know, traditional identity access management solutions, you know, really are focused on that that login experience, that entry point. What they don't
Starting point is 00:14:29 necessarily give you control over is throughout that session, you know, what are different behaviors? Everything from the device posture to the way the user is interacting with your website, bot detection along those sorts of lines really helps put you in a position where you can take action throughout that session rather than assuming that once they're in the front door, they must be a good actor and not a bad actor. How much has AI changed this equation here? It strikes me that I think this is the first World Cup that we've had since the LLMs came online.
Starting point is 00:15:08 Significantly, I think, you know, there's an unprecedented increase in scale, speed, and the adaptability of the attacks that we're seeing. So, you know, historically, the time it took to move an attack from, say, a reconnaissance stage to an exploitation stage, that might be days or hours or days. And we're seeing it in seconds and minutes now. So it's, you know, the level of. of speed is certainly an issue. And so you absolutely can't have, you know,
Starting point is 00:15:41 rules-based approach that isn't adaptive to those changes. I think on top of it, we're seeing just much higher volumes. I think the, you know, attacks being agentic make it cheaper and more accessible for a broader audience to participate in, unfortunately. And then the last thing I'd say is the bot behavior is getting harder to identify. attackers are getting better and better at having bots simulate what ordinarily would look like general user behavior. You know, John, I think any of us who have traveled for work have had that experience where you get where you're going, you get settled into your hotel room, you decide you're going to knock out a few work things before you maybe go grab a bite to eat and you go to log in and the system says, hold on there.
Starting point is 00:16:31 you're not where we expect you to be. Slow down, right? And we catch ourselves and say, okay, this is good for security. I understand I need to jump through these hoops. But the point of my question is, how do you make sure that you put these things in place without becoming such a speed bump for your users
Starting point is 00:16:49 that they come to resent it? Yeah, it is a challenge. I mean, it's something that we think about daily, even internally here at Ping, is what is the best balance between security and user friction. And so what we try to do is we try to find the third way, which is, you know, what is the step-up authentication
Starting point is 00:17:09 that challenge that we put in front of users that doesn't create a significant hurdle for them as a legitimate user to complete that transaction? So examples would be, you know, things we're accustomed to, an MFA with maybe a number matching capability, potentially, you know, internal systems. You might look at a facial, recognition, step up authentication. So, you know, really trying to ensure that when you present
Starting point is 00:17:36 those types of challenges, that they aren't an undue amount of a challenge for that end user. So it's something that can easily complete and that you're not going to create a number of exceptions that is, you know, out of line with the security it provides. How much of this is a cultural issue as well, you know, dealing with people, making sure that they're educated and informed. So again, when someone's traveling, they know what to expect. Yeah, that's a big challenge and it's, it's an ongoing challenge that you have. I think ensuring, you know, whether you're talking about your customers or you're talking about your employees, that people understand that this is something that protects them and
Starting point is 00:18:18 that, you know, the hurdles you're putting in front of them are really on to their benefit is something that should be incorporated into the comms plans for your organizations when you're changing these requirements. For an example, we require multi-factor authentication for administrators of Ping's products. And when we rolled that out, we wanted to make it really clear that this was something we're doing to protect them and that we wanted feedback around how do we struck the right balance between security and friction. That's John Canova from Ping Identity.
Starting point is 00:18:54 What happens when AI agents gain access to the same system? applications, and credentials as your employees. According to Arvind Nithrkashyip, CTO and co-founder of Rubrik, that reality is already here. As AI agents proliferate across enterprise environments, organizations face a growing challenge. How do you govern systems that operate at machine speed? To learn more about AI sprawl, the risk it creates,
Starting point is 00:19:36 and how organizations can prepare, visit explore. TheCyberwire.com. slash rubric to hear the full conversation. And finally, the U.S. Secret Service has discovered a truth familiar to office workers everywhere. Nobody wants to carry two phones. Unfortunately, according to a Department of Homeland Security Inspector General report, that convenience came at a steep security cost.
Starting point is 00:20:17 Agents routinely relied on personal smartphones during protective missions because government-issued devices lack the tools they needed, even though agency policy prohibited it. Investigators found more than 15,000 work-related calls involving personal phones during protective operations and identified employees who regularly used personal devices on overseas assignments, sometimes even as hotspots for government laptops. The report also found government-issued phones
Starting point is 00:20:48 lacked modern mobile threat protections until 2025 and were not consistently wiped after foreign travel, leaving opportunities for foreign adversaries to intercept communications or track sensitive movements. The watchdog recommended five improvements, including better equipped government devices, stronger security controls, mandatory training, and stricter enforcement. The Secret Service agreed with all of the recommendations, proof that sometimes the easy, The easiest call is admitting your phones need an upgrade. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Starting point is 00:21:41 We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to Cyberwire at n2K.com. N2K's lead producers, Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our contributing host is Maria Vermazas,
Starting point is 00:22:10 our executive producer is Jennifer Ibin. Peter Kilby is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

There aren't comments yet for this episode. Click on any sentence in the transcript to leave a comment.