CyberWire Daily - The political shake-up at the FBI.

Episode Date: February 21, 2025

The Senate confirms Kash Patel as FBI director. The SEC rebrands its Crypto Assets and Cyber Unit. Microsoft's quantum chip signals an urgent need for post-quantum security. Chat log leaks reveal the inner workings of Black Basta. CISA advisories highlight Craft CMS and ICS devices. Researchers release proof-of-concepts for Ivanti Endpoint Manager vulnerabilities. Warby Parker gets a $1.5 million HIPAA fine. Our guest is Steve Schmidt, Amazon CSO, with a behind the scenes look at securing a major event. Researchers explore the massive, mysterious YouTube wormhole.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Our guest is Steve Schmidt, Amazon CSO, talking about integrating physical and logical security measures. Learn more: "Securing a city-sized event: How Amazon integrates physical and logical security at re:Invent."

Selected Reading
Trump loyalist Kash Patel is confirmed as FBI director by the Senate despite deep Democratic doubts (AP)
SEC rebrands cryptocurrency unit to focus on emerging technologies (CyberScoop)
Microsoft's Quantum Chip Breakthrough Accelerates Threat to Encryption (Infosecurity Magazine)
BlackBasta Ransomware Chatlogs Leaked Online (Infosecurity Magazine)
CISA Warns of Attacks Exploiting Craft CMS Vulnerability (SecurityWeek)
CISA Releases 7 ICS Advisories Detailing Vulnerabilities & Exploits (Cyber Security News)
Ivanti endpoint manager can become endpoint ravager (The Register)
Feds Fine Eyeglass Retailer $1.5M for HIPAA Lapses in Hacks (GovInfo Security)
How a computer that 'drunk dials' videos is exposing YouTube's secrets (BBC)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and Data Products Platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
Starting point is 00:00:46 That's ai.domo.com. The Senate confirms Kash Patel as FBI director. The SEC rebrands its crypto assets and cyber unit. Microsoft's quantum chip signals an urgent need for post-quantum security. Chat log leaks reveal the inner workings of Black Basta. CISA advisories highlight Craft CMS and ICS devices. Researchers release proof of concepts for Ivanti Endpoint Manager vulnerabilities, Warby Parker gets a $1.5 million HIPAA fine, our guest is Steve Schmidt, Amazon's
Starting point is 00:01:31 Chief Security Officer, with a behind the scenes look at securing a major event, and researchers explore the massive, mysterious YouTube wormhole. It's Friday, February 21, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today and happy Friday. It is great to have you with us. The Senate confirmed Kash Patel as FBI director in a narrow 51-49 vote, despite concerns over his qualifications and political loyalties. A Trump loyalist, Patel has been vocal about reforming the FBI, shifting its focus from
Starting point is 00:02:39 intelligence gathering to traditional law enforcement. His confirmation follows Justice Department shakeups and demands for agent names tied to January 6 investigations, raising fears of political retribution. Patel's past remarks, labeling FBI investigators as criminal gangsters and suggesting January 6 rioters are political prisoners, alarmed Democrats. Critics fear he will use the FBI to target Trump's adversaries, undermining its independence. Republicans however, back him as a reformer who will restore accountability. From a cybersecurity perspective, Patel's leadership could impact federal investigations
Starting point is 00:03:23 into cyber threats, foreign influence campaigns, and domestic extremism. His shift away from intelligence-driven operations might weaken nationwide cybersecurity efforts, leaving agencies and critical infrastructure more vulnerable to cyber threats. The Securities and Exchange Commission has rebranded its Crypto Assets and Cyber Unit as the Cyber and Emerging Technologies Unit, expanding its focus beyond cryptocurrency fraud to include hacking, social media scams, and AI-related threats. Led by Laura D'Allaird, the unit will still investigate crypto-related fraud, but critics worry the change signals
Starting point is 00:04:06 a weakened enforcement stance under the Trump administration, which is seen as more crypto-friendly. The rebrand follows SEC enforcement actions against major crypto firms like FTX and Binance and its previous focus on unregistered asset offerings and securities violations. Some former officials argue the shift diminishes crypto oversight, while others believe it allows for a broader focus on AI and quantum tech risks. The change reflects ongoing political shifts in U.S. crypto regulation, raising questions about how aggressively the SEC will police blockchain-related fraud and market abuses moving forward. Microsoft has unveiled Majorana 1, the first quantum chip, accelerating the timeline for quantum computers capable of breaking encryption from decades to years. The breakthrough, powered by a new topological core architecture, could lead to million-qubit
Starting point is 00:05:08 systems capable of solving problems beyond the reach of classical computers. However, this also raises serious cybersecurity risks. Quantum machines will be able to crack encryption protocols like RSA and AES, exposing sensitive data. Cyber criminals are already harvesting encrypted data to decrypt later when quantum systems mature. To counter this, NIST formalized post-quantum cryptography standards in 2024, urging organizations to adopt quantum-secure algorithms. Still, challenges remain, including unclear ownership of transitions and poor cryptographic visibility. The financial sector is leading
Starting point is 00:05:52 in developing quantum-resistant solutions, but broader adoption is essential before quantum computers become a widespread threat. Internal chat logs from the Black Basta ransomware gang have been leaked online, revealing nearly 200,000 messages detailing internal conflicts, network access, and key threat actors. The logs, spanning September 2023 to September 2024, were first shared on Mega by a user named ExploitWhispers before being moved to Telegram. Cybersecurity firm PRODAFT confirmed the leak is likely legitimate and sheds light on Black Basta's decline.
Starting point is 00:06:36 The group, once a major ransomware player, struggled with internal disputes, particularly over financial priorities and leadership issues. A figure known as Tramp, responsible for Qakbot distribution, caused significant friction, leading to members leaving. Many former Black Basta members have since joined the Cactus and Akira ransomware groups, continuing operations under new banners. The leak provides valuable intelligence, further proving that cyber-criminal groups often collapse due to internal conflicts.
Starting point is 00:07:11 CISA has added a high-severity remote code execution vulnerability in Craft CMS to its Known Exploited Vulnerabilities catalog. Though Craft CMS has a small market share, over 41,000 instances may be affected. The flaw was patched in January and affects installations where the security key is already compromised. While no public reports confirm attacks, federal agencies must patch by March 13. Another RCE vulnerability was actively exploited in late 2024, though it has not yet been added to CISA's catalog.
Starting point is 00:07:50 The growing exploitation of Craft CMS flaws highlights the importance of timely patching to prevent web server compromises. Additionally, CISA has issued seven advisories detailing critical vulnerabilities in industrial control systems from ABB, Siemens, Mitsubishi Electric, and others. These flaws pose severe risks to critical infrastructure and require urgent patching. CISA urges organizations to apply patches immediately to mitigate exploitation risks and safeguard critical infrastructure from cyber threats. Notable is a vulnerability affecting ABB FLXEON controllers,
Starting point is 00:08:32 scoring a 10 out of 10 on the CVSS scale. This allows remote code execution and sensitive data exposure. Patch them if you got them. Security engineers have released a proof-of-concept exploit for four critical vulnerabilities in Ivanti Endpoint Manager, all rated 9.8 out of 10 on the CVSS scale. The flaws were patched in January, but unpatched systems remain at risk. The vulnerabilities allow unauthenticated attackers to leak NTLMv2 hashes by tricking the software into authenticating with a remote server, enabling account impersonation and system compromise.
Starting point is 00:09:14 Researcher Zach Hanley discovered the flaws and published the technical details and proof-of-concept exploit earlier today. Ivanti states there is no evidence of active exploitation, but with the proof of concept now public, the risk has increased. The company urges immediate patching, including a V2 patch update that fixes issues caused by the original January patch. Eyeglass retailer Warby Parker has been hit with a $1.5 million HIPAA fine by the U.S. Department of Health and Human Services Office for Civil Rights over credential stuffing attacks
Starting point is 00:09:53 that compromised nearly 200,000 customer accounts. The attacks, which occurred between September and November 2018, allowed hackers to access electronic protected health information, including names, addresses, payment card details, and eyewear prescriptions. Subsequent breaches in 2020 and 2022 prompted further investigations. OCR found three HIPAA security rule violations, citing Warby Parker's failure to conduct risk assessments, implement security measures, and review system activity logs. Though notified in September 2024, the company waived its right to a hearing, likely to avoid
Starting point is 00:10:37 further scrutiny of its security practices. Coming up after the break, in my conversation with Steve Schmidt, Chief Security Officer at Amazon, we've got a behind-the-scenes look at securing a major event, and researchers explore the massive, mysterious YouTube wormhole. Stay with us. Cyber threats are evolving every second and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions
Starting point is 00:11:32 designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit threatlocker.com today to see how a default deny approach can keep your company safe and compliant. Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers.
Starting point is 00:12:12 So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners, today get 20% off your Delete Me plan when
Starting point is 00:12:45 you go to JoinDeleteMe.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout. That's JoinDeleteMe.com slash N2K, code N2K at checkout. That's joindeleteme.com slash N2K code N2K. Steve Schmidt is chief security officer at Amazon. I recently caught up with him for a behind the scenes look at securing a major event. As the Chief Security Officer for Amazon, my job is really all about protecting customers. It's about ensuring the services that AWS provides meet customer expectations for privacy
Starting point is 00:13:37 and security of their data, while also focusing on ensuring our shoppers have a secure experience, whether they're discovering, ordering, or delivering the products that they seek. I think that the area that is most intriguing, though, is the new stuff. A few years ago, AWS was the new thing. The new thing now, satellites in space. And figuring out how do we securely connect them
Starting point is 00:14:01 to our data centers and allow customers to enjoy access to the internet and to AWS services wherever they are around the world. Well, before we dig into some of the specific details here, can you give our listeners an idea of what your day-to-day is like and how you're delegating these responsibilities amongst your team? My day-to-day is really one of combining both strategic and tactical. Amazon has a series of things that we live by, our mission statement and the way we think about
Starting point is 00:14:33 our businesses. One of them is Dive Deep. It's one of the things that I really love about the company. It allows me the freedom to go into the minutia of individual components of the businesses. Now, in my position, you have to do that in an auditing fashion. You can't go deeply into everything even though it's actually probably the most fun part of the business. And instead, what I do is focus on auditing specific areas to ensure that the people who are running our individual businesses are doing so in a way that's consistent with what our customers expect. That means ensuring that they've got the security standards up to date,
Starting point is 00:15:09 that they're developing software in the right way, that they're responding rapidly when something is reported to us, and discovering problems before our customers are impacted by them. And coupling that at the same time with thinking what's going to happen two years, three years, five years down the road in our industry? How are we going to make sure that we've got the investments going right now that allow us to be sufficiently protected down the road? A great example of that was multi-factor authentication. For example, you're hearing quite a bit about that right now. A lot of businesses are pushing their customers to use multi-factor authentication. We chose to invest in hardware-based multi-factor authentication almost 10 years ago because
Starting point is 00:15:53 we saw that it was going to be the one thing that was really effective against stopping certain kinds of social engineering attacks, the ones that some of the really good adversaries employ against our customers and they try and employ against our staff. One of the things that you talk about is the integration of physical security and logical security. Could you explain the difference between those two? So physical security is what people think of as, do I have a barrier around something that I'm protecting? It's a lock on the door or a fence around a building,
Starting point is 00:16:28 an alarm system, making sure that things are secure, maybe some CCTV cameras, that sort of thing. It's a barrier to keep a person from getting to a thing. Logical security, on the other hand, are all of the controls that we apply to data, the kinds of things that we wrap around data to protect it, whether it be something like encryption or firewalls or access control systems.
Starting point is 00:16:52 And if you think about the access to data, that's really been what adversaries have wanted for a very, very long time. Spies back in the early days of humanity were always focused on getting information data. And they would do that by visiting somebody else's castle or corrupting one of their staff to give them information, et cetera.
Starting point is 00:17:17 When we got better at that, we put up walls around things. We put things in safes. We encoded them or encrypted it to make it harder to steal. And that meant that our adversaries had to think about new ways to get access to that data. Same thing happened in the logical world. When we put stuff on computer systems, the adversaries realized all of a sudden, wait a minute, I don't have to break into that building anymore.
Starting point is 00:17:42 I can break into the computer network quite often because that computer network is connected to the outside world. And if I can break into the computer network, I can get to the data that's stored within that computer network. And so to wrap that all back to the beginning, one of the jobs that I have at Amazon
Starting point is 00:18:00 is combining the disciplines of physical and logical security, because we have to do both of them correctly in order to ensure that our customer's data is safe. And how do you dial that in? How do you make sure that you have the proper balance between those two things? So it's not as much a balance between the two as it is sufficiency in both. What I mean by sufficiency is are we doing enough in each area? You know, a lot of people will say, well, can't you protect that particular
Starting point is 00:18:29 thing completely? Like, well, yes, but it would also be completely unusable at that point. You know, I could take the data and I could put in a block of concrete and sink it to the bottom of the ocean. But that really isn't terribly useful at that point. So we have to find ways to do enough to dissuade the adversaries that we're faced with. And we do that in a lot of ways. It's often focused on layered defenses. So layered defenses means, for example, in the physical world, you don't just have a lock on a room.
Starting point is 00:19:02 You also secure the room with CCTV, and that room is within a building that's separately secured, and that building has fences around it that have intruding detection systems on it, etc. Same thing happens in the logical world. Quite often in the old days of computer systems, people said, ah, I have a firewall. I am safe. Well, we all know now that is not a thing. In fact, firewalls often give people a false sense of safety. So really good control over data in the logical world now means that it has to be encrypted, it has to be access controlled, you have to monitor the access to ensure that it's being used appropriately, and so forth. And in order to make sure that you are doing enough, you have to test your defenses
Starting point is 00:19:47 constantly. Tests happen in the physical world, and they happen in the logical world. So in the physical world, this by the way, is one of the best jobs in the company is we employ people who are physical penetration testers. That means their job is to break into our buildings and to try and get access to our stuff. So we literally have people who scale walls and tunnel under fences and try and defeat alarm systems. It's like stuff out of a spy movie. And it is their job every day to try and do that. And it's the job of our defenders to catch them and make sure that they can't actually get in. And so there really is no better way to test anything
Starting point is 00:20:25 than to red team it. That happens in the logical world too. We have a red team whose job it is is to break into our systems and to ensure that whatever is in there is appropriately protected and to test our defenders, to make sure that our defenders are doing their job appropriately as well.
Starting point is 00:20:42 Well, looking at an event like reInvent and the high profile nature of that, what sorts of cyber threats do you prepare for? So reInvent is something that we start preparing for literally when one year conference ends, we start preparing for the next year. We go through a hot wash to determine what worked well and where we need improvements to be
Starting point is 00:21:05 made, both in the physical world and in the logical world. And the first thing that we do in ensuring that our customers are safe and secure from a logical perspective is to provide them with a safe network. And so quite often when you go to a conference, you're going to use whatever Wi-Fi is there, we've chosen to put our own Wi-Fi networks in place, because that allows us to ensure that they're appropriately encrypted from one end to the other, but more importantly, that they're monitored. We have a team whose job it is to keep an eye on the networks to identify situations where people might try and spoof our networks to trick our customers. That happens every year, and we catch people every year who are trying to do that.
Starting point is 00:21:46 And what the adversaries are trying to do there is to get access to the traffic in between the customer and something else on the outside world. Now, because AWS encrypts all the traffic that goes to and from our API endpoints, it really isn't going to do any good for someone to get in the middle of that. But our customers use a lot of services beyond AWS. And since they're at our conference, we want to make sure we're doing whatever we can to help them be safe and secure,
Starting point is 00:22:14 whether they're using AWS or using something else. I'm curious, you know, kind of flipping it around for the folks who are attending your conference, do you have any words of wisdom or best practices for them to both get the most out of it, but also make sure that they are as secure as possible? Certainly, so get the most out of it. The best thing that people can do is plan in advance
Starting point is 00:22:37 what they want to see. A lot of the sessions are very, very well attended and there are waiting lines for them sometimes, but we offer reserved seating. So for those customers who are interested, they should always get in the reserved seat queue and grab the seats that they want for the conference areas that they want and plan out their path so that they can have a reasonable time to get between various different things. To be safe, it's very straightforward.
Starting point is 00:23:03 Keep your eyes open. Don't leave your valuables out where other people could see them and they might have access to them. And make sure you keep your head about you when you're going around on the town if you're outside of our venues. Wear comfortable shoes, right? You know, there is so much truth to that.
Starting point is 00:23:19 Every year, I end up hitting my steps way early in the week. Right. Right. Las Vegas. Yep. Yeah. Yeah. That's Steve Schmidt, the leader in cloud security.
Starting point is 00:23:53 Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise, with an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust Plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network,
Starting point is 00:24:33 continuously verifying every request based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com slash security. Are you crushing your bills? Defeating your monthly payments. Sounds like you're at the top of your financial game. Rise to it with the BMO Eclipse Rise Visa Card.
Starting point is 00:25:16 The credit card that rewards your good financial habits. Earn points for paying your credit card bill in full and on time every month. Level up from bill payer to reward slayer. Terms and conditions apply. And finally, YouTube is turning 20. And while we know it's a global juggernaut, there's a lot Google won't say, like exactly how many videos exist or how much time humanity spends glued to it. So researchers took matters into their own hands, running a randomized number generator
Starting point is 00:25:56 to guess video URLs. The result? An estimated 14.8 billion videos live on YouTube, with users watching the equivalent of millions of years of content every month. But there's a twist. Most of it goes unnoticed. Nearly 4% of videos have never been watched, 74% have no comments, and the median view count is just 41. While YouTube sells itself as a stage for superstars, the reality
Starting point is 00:26:27 is far messier. As we enter YouTube's third decade, one thing is clear. It's everywhere. It's massive. And we still don't fully understand it. And that's the CyberWire. Be sure to check out this weekend's episode of Research Saturday and my conversation with Selena Larson from Proofpoint. We're discussing their research, why biasing advanced persistent threats over cybercrime is a security risk.
Starting point is 00:27:10 That's Research Saturday, check it out. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
Starting point is 00:27:33 N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Pelksman. Our executive producer is Jennifer Iben, Peter Kilpey is our publisher, and I'm Dave Bittner. Thanks for watching!
