CyberWire Daily - They really are watching what we watch.

Episode Date: September 20, 2024

An FTC report confirms online surveillance and privacy concerns. Ukraine bans Telegram for state and security officials. Sensitive customer data from India’s largest health insurer is leaked. German law enforcement shuts down multiple cryptocurrency exchange services. HZ RAT sets its sights on macOS systems. Stolen VPN passwords remain a growing threat. Law enforcement dismantles the iServer phishing-as-a-service platform. Today’s guest is Steve Blank, co-founder of the Gordian Knot Center for National Security Innovation at Stanford University, talking with N2K's Brandon Karpf about national security and the dilemma of technology disruption. CISA’s boss pushes for accountability.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today’s guest is Steve Blank, co-founder of the Gordian Knot Center for National Security Innovation at Stanford University, talking with N2K's Brandon Karpf about national security and the dilemma of technology disruption. For some background, you can check out Steve’s article “Why Large Organizations Struggle With Disruption, and What to Do About It.” To listen to Brandon and Steve’s full conversation, check out our Special Edition series that will run over the next two Sundays in our CyberWire Daily podcast feed.

Selected Reading
FTC Staff Report Finds Large Social Media and Video Streaming Companies Have Engaged in Vast Surveillance of Users with Lax Privacy Controls and Inadequate Safeguards for Kids and Teens (Federal Trade Commission)
Ukraine bans Telegram on state and military devices (The Record)
Hacker selling 7 TB of Star Health Insurance’s customer data using Telegram (CSO Online)
German Government Shuts Down 47 Exchanges, Says They're Tied To ‘Illegal Activity’ (CoinDesk)
New MacOS Malware Let Attackers Control The Device Remotely (Cyber Security News)
More Than Two Million Stolen VPN Passwords Discovered (Security Boulevard)
High-risk vulnerabilities in common enterprise technologies (Rapid7 Blog)
Law Enforcement Dismantles Phishing Platform Used for Unlocking Stolen Phones (SecurityWeek)
Insecure software makers are the real cyber villains – CISA (The Register)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private. Go to JoinDeleteMe.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout. That's JoinDeleteMe.com slash N2K, code N2K. An FTC report confirms online surveillance and privacy concerns. Ukraine bans Telegram for state and security officials.
Starting point is 00:01:39 Sensitive customer data from India's largest health insurer is leaked. German law enforcement shuts down multiple cryptocurrency exchange services. HZ RAT sets its sights on macOS systems. Stolen VPN passwords remain a growing threat. Law enforcement dismantles the iServer phishing-as-a-service platform. Today's guest is Steve Blank, co-founder of the Gordian Knot Center for National Security Innovation at Stanford University, talking with N2K's Brandon Karpf about national security and the dilemma of technology disruption. And CISA's boss pushes for accountability.
Starting point is 00:02:47 It's Friday, September 20th, 2024. I'm Dave Bittner, and this is your CyberWire. Thank you for joining us here today. The Federal Trade Commission released a report confirming that major social media and video streaming companies engage in extensive surveillance to monetize user data, particularly through targeted advertising. The report, based on 2020 inquiries into companies like Meta, YouTube, TikTok, and others, highlights how these platforms collect and retain large amounts of personal data from users and non-users alike, often without adequate protections, especially for children and teens. The FTC found that many companies use privacy-invasive tracking technologies and shared data broadly, often retaining it indefinitely. Some companies also failed to delete user data when requested. The report emphasizes the conflict between the companies'
Starting point is 00:03:39 data-driven business models and user privacy, with particular concerns about the impact on young users' mental health. The FTC recommends comprehensive federal privacy legislation to limit data collection and enforce stricter data protections. Companies are urged to minimize data retention, limit sharing with third parties, enhance privacy protections for teens, and comply more fully with children's privacy laws. The report also raised concerns about potential competition issues, as companies accumulating vast data may dominate the market, limiting consumer choice. Ukraine has banned the Telegram messaging app on official devices used by state and security officials,
Starting point is 00:04:26 military personnel, and critical infrastructure employees, citing national security concerns. Kyrylo Budanov, head of Ukraine's defense intelligence, warned that Russian special services could access users' personal data, messages, and even deleted content. The ban applies to devices in government and defense sectors, but excludes those using the app for official duties. Ukraine's National Security and Defense Council stated that Telegram is used by Russia for cyberattacks, phishing, and military targeting. Despite privacy concerns, Telegram remains popular in Ukraine as a key source of news and alerts on Russian military actions. The app's founder, Pavel Durov, is under investigation in France for serious offenses.
Starting point is 00:05:17 Meanwhile, sensitive customer data from Star Health and Allied Insurance, India's largest standalone health insurer, has been leaked via Telegram chatbots, impacting over 31 million customers. The breach, discovered by cybersecurity researcher Jason Parker, exposed names, addresses, phone numbers, policy details, and sensitive medical information. The stolen data is available for free in small portions, while bulk data is being sold by a hacker known as xenZen. Despite Telegram removing the chatbots, new ones quickly emerged. Star Health confirmed the breach, but downplayed its severity,
Starting point is 00:06:00 claiming sensitive data remained secure. However, investigations revealed extensive personal data sharing, raising questions about the company's transparency. The incident highlights the growing threat of cybercriminals using Telegram to distribute stolen data, a trend exacerbated by the platform's anonymity and ease of use. German law enforcement shut down 47 cryptocurrency exchange services used by cybercriminals for money laundering, including ransomware groups and darknet merchants. These platforms, hosted in Germany,
Starting point is 00:06:36 allowed users to anonymously exchange cryptocurrencies without registration or identity verification. Among the seized services was Xchange.cash, which handled nearly half a million users and 1.3 million transactions since 2012. The police obtained extensive user and transaction data, offering valuable leads in the fight against cybercrime. No arrests have been announced yet from the operation. HZ RAT is a remote-access Trojan that initially targeted Windows devices but has now expanded to attack macOS environments. First observed in 2020, HZ RAT allows attackers full control over infected systems,
Starting point is 00:07:22 enabling them to steal data, take screenshots, record keystrokes, and access sensitive information from apps like WeChat and DingTalk. The malware also collects data on the device's hardware, networks, and applications. Delivered via phishing emails or disguised applications, HZ RAT connects to a command and control server for further instructions, allowing attackers to upload or execute files remotely. While primarily used for data collection, the malware's true purpose remains unclear. A report from Specops Software reveals that over 2.1 million VPN passwords were stolen by malware in the past year, posing significant risks to secure networks.
Starting point is 00:08:10 While many VPN services offer strong security, attackers increasingly target end-users through phishing and malware to capture credentials. Common passwords, like 12345 and password, were frequently compromised, highlighting poor password practices. The report emphasizes that VPNs, while essential for remote access, aren't foolproof against phishing or malware. Experts recommend additional protections like multi-factor authentication, strong password policies, and adopting passwordless authentication methods, such as certificate-based authentication or zero-trust network access.
Starting point is 00:08:55 Businesses are encouraged to monitor login activities, audit access logs, and apply security patches to safeguard against credential theft. Rapid7 is warning customers about several critical vulnerabilities in enterprise technologies that are high-priority attack targets. These include a remote code execution vulnerability in Adobe ColdFusion, a remote code execution and privilege escalation vulnerability in Broadcom VMware vCenter Server, and a deserialization vulnerability in Ivanti Endpoint Manager. Rapid7 advises immediate remediation to prevent exploitation. Law enforcement agencies in Europe and Latin America have dismantled iServer, a phishing-as-a-service platform used to unlock stolen and lost phones. As part of Operation Kaerb, 17 individuals were arrested, including the platform's Argentinian administrator. iServer targeted over 1.2 million phones and victimized 480,000 users,
Starting point is 00:10:00 mainly Spanish speakers from Europe, North America, and South America. The platform had over 2,000 paying users who were charged for phishing services that harvested credentials from cloud-based mobile services. These credentials were used to unlock devices by bypassing lost mode. Victims received phishing SMS messages prompting them to enter sensitive information like IMEI numbers and one-time password codes, which allowed criminals to unlink devices from their owners. The platform
Starting point is 00:10:33 operated for five years, running since 2018. Coming up after the break, our guest Steve Blank, co-founder of the Gordian Knot Center for National Security Innovation at Stanford University, on the dilemma of technology disruption. Stay with us. Transat presents a couple trying to beat the winter blues. We could try hot yoga. Too sweaty. We could go skating. Too icy. We could book a vacation.
Starting point is 00:11:16 Like somewhere hot. Yeah, with pools. And a spa. And endless snacks. Yes! Yes! Yes! With savings of up to 40% on Transat South packages, it's easy to say, so long to winter.
Starting point is 00:11:28 Visit Transat.com or contact your Marlin travel professional for details. Conditions apply. Air Transat. Travel moves us. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this.
Starting point is 00:11:58 More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done
Starting point is 00:12:20 five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact,
Starting point is 00:13:11 over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io. Steve Blank is co-founder of the Gordian Knot Center for National Security Innovation at Stanford University. He recently sat down with N2K's Brandon Karpf to discuss national security and the dilemma of technology disruption. I'm joined today by Steve Blank, adjunct professor at Stanford University and co-founder of the Gordian Knot Center for National Security Innovation at Stanford University. Steve, thank you so much for joining us today. Thanks for having me. So I want to start at a high level. You are a well-known expert and entrepreneur. You've written numerous books and articles on national security
Starting point is 00:14:14 innovation. This is what you spend, it seems to be, the majority of your life and work doing. Can you give us a sense, where are we today? What is the state of play in national security technology innovation? Well, you know, I would separate out the two. What's the state of, you know, innovation and what's the state of national security, maybe adoption of innovation. And you have to put that in the context of, and what's the state of our adversaries vis-a-vis the United States and national security innovation. I just want to remind your listeners something which might be obvious, but people inside the national security space are still having a hard time getting their heads around.
Starting point is 00:14:52 It used to be that the U.S. owned all the technologies necessary to deter or win a war, right? Whether they were drones or cyber autonomy or AI or ML or semiconductors, et cetera. We owned it. Our primes owned it, our contractors owned it, our weapons labs owned it, you know, University of Maryland or wherever else we went for cyber was the world's best at X or Y. That's simply no longer true for most of these areas. We still own some exquisite capabilities,
Starting point is 00:15:22 whether they're hypersonics or nuclear weapons or exquisite sensors or capabilities or the ability to throw hundreds or thousands or tens of thousands of people on a program and keep it black and whatever and put stuff in space at scale. But all the other core stuff we used to own now is like you could buy half of it on Amazon
Starting point is 00:15:42 and the other half, I mean, you know, we kind of predicted, you know, with General Manus, the world would be now two plus three, you know, Russia and China, and then North Korea and Iran and still the non-nation states. Who would have thought the Houthis
Starting point is 00:15:55 would have been, you know, throwing. And a legitimate threat, I mean, to bring up that non-state actor. Right. Well, obviously they're not making that stuff. They're getting it from a regional disruptor, which is Iran. I forget the name of the book I just read, but the fact that you could buy zero-day breaks for a couple million dollars are now, oh, want to get into the latest iPhone? You no longer need to go to Fort Meade.
Starting point is 00:16:22 It's an auction. Who would have thought that 10 or 20 years ago? It's like, what? Yeah, there's a market for that, right? There's a whole market. And you kind of go, well, maybe we could lay off a couple of divisions at some of our agencies. Not that I'm suggesting that, but who would have thought that? My point, again, is that this notion of everything was owned by our national security establishment, and the point isn't that we've gotten stupid or whatever, it's that a lot of this stuff has become commoditized. And here's the big idea: our systems and organization and more
Starting point is 00:16:57 importantly our acquisition organizations have not. There's an impedance mismatch between how we buy, how we organize, who we hire, and how we deal with the outside world and the organizations we've built. And that still hasn't kind of gotten aligned. And what's worse is our adversaries have done that. So, for example, both Russia and China understand that this is a whole of nation approach. That is, their economies and their military are aligned and interconnected. For us, you hear any agency say, well, the problem's money. We have a, you know, it's a zero-sum game. And you kind of, at least I look at it and I go, no, the problem is it's a lack of imagination of where to get the money. You know, how come we're not figuring out how to engage the folks who are already building this stuff or could be building this stuff with a set of incentives?
Starting point is 00:17:51 And the answer is, and I'll stop here for the next sentence, I say this a lot and I truly mean it. We have world-class people, world-class organizations designed for a world that no longer exists. It's a big idea. If we would understand the world we're living in and get out of our skiffs or buildings or wherever we are and spend some time outside, first of all, leadership's head would explode going, what? I mean, mine does. Every time I find out, wait a minute, I could buy an iPhone crack or an Android crack for here, and we were spending, you know, N dollars inside of a building trying to solve X or Y.
Starting point is 00:18:34 Well, why don't I just have a note? And we kind of do, but not, think about it. Senior leadership grew up in a world 20 years ago, right? And that world no longer looks anything like the world that it, and so you kind of get stuck with the things you knew when you were kind of coming up the ranks. And when the world is changing at such a rapid rate, the older you are, the harder it is for you to kind of adapt and adopt. Not that it's impossible, but you need to understand that it's not just the rate of change, but the delta rate of change is increasing. Number of adversaries, number of capabilities, number of whatever. We could just focus on cyber, but we could talk about the national security space writ large is incredibly complex today. It looks nothing like it did even 10 years ago. Sure.
Starting point is 00:19:16 And that context matters, right? Because when we talk about whether it's cybersecurity or national security, the political context matter, the interstate competition matters. So when I think about what you just said in my own context, right, I spent nearly 10 years active duty in the Navy. The last three years of my life, I stepped outside of the building
Starting point is 00:19:35 and I've been in the private sector. And what I've seen is from the outside, it looks like the defense world is refocusing to great power competition. You see that in their strategies. You see them kind of refocusing their efforts primarily to China. And it seems like a lot of the technology that they are pushing for the development of is focused on that threat from China. At least that's what the outsider in me is seeing. So I'm curious from your perspective, what is the national security community getting wrong in terms of the nation state adversaries, in terms of reorienting ourselves to the China threat and competition with nations like China?
Starting point is 00:20:15 So, you know, I'm going to admit my bias, which, again, brings all kinds of baggage. But my professional career was an entrepreneur at Silicon Valley, where you operated with incredible speed and urgency because there was a virtual gun to your head back then of running out of money before you could actually generate revenue. And so you would build things now we call minimum viable products. You'd ship them. You'd get feedback, et cetera.
Starting point is 00:20:42 You know, there was no notion of a JCIDS process or a POM process or, you know, two to three years to get something into a POM. You had to argue with some staffer who says it's, you know, not in my district and a congressman who has some political agenda. And, again, that's the nature of the business. But that's not how the world operated in the world that a lot of these innovations are coming from. And that was fine when we were competing with another nation state like the Soviet Union,
Starting point is 00:21:22 that they had the equivalent bureaucratic stuff. I mean, obviously, communism worked from state planning and then a whole nother, but the clock speeds were essentially the same. The problem is, is that China, and if we just want to look at like why this next statement is not bullshit, look at the number of DDGs, those are destroyers they're putting in the water or their ship camped in the last 10 to 15 years. They've figured out how to operate at a different clock speed than we have. Period. End of discussion. And so the question is, is like, you know, we could have lots of discussions of why we can't do that. But the other part that just flabbergasts me is that we do have a part of the nation that still knows how to operate in that. And those are the innovation clusters. And when I say Silicon Valley,
Starting point is 00:22:00 I don't mean the physical place. I mean all the innovation clusters that know how to operate with speed and urgency and could be delivering capabilities to the DOD and the rest of the national security establishment. It's not that we don't do that as point things. So let me be clear. It's not that no one knows that it's here. If you look at the list of what's called the MDAP, the Major Defense Acquisition Programs, which is basically the top tier 100 or so things that we spend billions or hundreds of billions of dollars on, there's not a single startup or scale up on it. And in fact, that list hasn't changed in the last 10 or 20 years since the consolidation of the primes. Well, that's a symptom of, you know, we basically do innovation theater when we talk about adopting innovation at scale.
Starting point is 00:22:47 But we really don't do innovation deployment at scale. And by deployment is there are more demos of, hey, look what we have, shiny object C, Admiral X or Y, or we show it to Congressman Z. And then you ask, well, how many ships is this on? Well, it's on one. Well, when does it get on the other 50? Oh, that's not really budgeted, or it's budgeted for 2045. Well, wait a minute, don't we have a 2027 problem with the Taiwan Strait? Or gee, aren't we learning lessons from Ukraine? And so when are we deploying drone stacks, let alone drone swarms? Well, we're working on it. Well,
Starting point is 00:23:23 wait a minute. And again, you know, and I know Bill LaPlante didn't really mean this, but when he says, you know, the war in Ukraine is really all about artillery and not about innovation. Well, clearly it's a hybrid war. It looks like a combination of World War I, you know, with trench warfare, you know, with World War III, with drone stacks and advanced technology and literally a meat grinder like World War I. And clearly, we need new factories for, you know, for artillery shells, but also the amount of drones we attrit are probably as many as the number of shells we're attriting. And I'm saying that as a, obviously not exactly, but, you know, so us buying, you know, a thousand drones a year is kind of silly when they're attriting a thousand drones, you know, a month, if not a week. This is only part of the conversation between Steve
Starting point is 00:24:15 Blank and Brandon Karpf. We will be releasing a special edition with their complete conversation this weekend. You can look for that in your CyberWire podcast feed. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
Starting point is 00:25:01 and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And finally, in a lively keynote this week at the mWISE conference, CISA director Jen Easterly didn't hold back, casting software developers as complicit contributors in the cybercrime saga. Easterly proclaimed, tech vendors are building problems right into their products, leaving doors wide open for cybercriminals. Let's stop with the poetic villain names, she added.
Starting point is 00:25:51 How about calling them evil ferret or scrawny nuisance instead? Easterly argues the real issue isn't security vulnerabilities. It's shoddy coding practices. She asked, why does software need so many urgent patches? She suggested we rename vulnerabilities to product defects and hold vendors accountable. The message? It's time for software developers to shape up and secure their code before the villains get in. While many big names have signed CISA's Secure by Design pledge, Easterly wants tech buyers to wield their purchasing power and demand security up front.
Starting point is 00:26:37 And maybe, just maybe, we'll finally put a dent in the multi-trillion dollar cybercrime problem. And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to tune in for this weekend's Research Saturday and my conversation with Jonathan Tanner, senior security researcher from Barracuda. We're discussing their work, Stealthy Phishing Attack uses advanced info stealer for data exfiltration. That's Research Saturday. Check it out. We'd love to know what you think of this podcast.
Starting point is 00:27:11 Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. We're privileged that N2K Cyber Wire is part of the daily routine of the most influential leaders and operators in the public and private sector from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your
Starting point is 00:27:46 biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Iben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilby is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
Starting point is 00:29:18 That's ai.domo.com.
