CyberWire Daily - They really are watching what we watch.
Episode Date: September 20, 2024

An FTC report confirms online surveillance and privacy concerns. Ukraine bans Telegram for state and security officials. Sensitive customer data from India’s largest health insurer is leaked. German law enforcement shuts down multiple cryptocurrency exchange services. HZ RAT sets its sights on macOS systems. Stolen VPN passwords remain a growing threat. Law enforcement dismantles the iServer phishing-as-a-service platform. Today’s guest is Steve Blank, co-founder of the Gordian Knot Center for National Security Innovation at Stanford University, talking with N2K's Brandon Karpf about national security and the dilemma of technology disruption. CISA’s boss pushes for accountability.

CyberWire Guest

Today’s guest is Steve Blank, co-founder of the Gordian Knot Center for National Security Innovation at Stanford University, talking with N2K's Brandon Karpf about national security and the dilemma of technology disruption. For some background, you can check out Steve’s article “Why Large Organizations Struggle With Disruption, and What to Do About It.” To listen to Brandon and Steve’s full conversation, check out our Special Edition series that will run over the next two Sundays in our CyberWire Daily podcast feed.
Selected Reading

FTC Staff Report Finds Large Social Media and Video Streaming Companies Have Engaged in Vast Surveillance of Users with Lax Privacy Controls and Inadequate Safeguards for Kids and Teens (Federal Trade Commission)
Ukraine bans Telegram on state and military devices (The Record)
Hacker selling 7 TB of Star Health Insurance’s customer data using Telegram (CSO Online)
German Government Shuts Down 47 Exchanges, Says They're Tied To ‘Illegal Activity’ (CoinDesk)
New MacOS Malware Let Attackers Control The Device Remotely (Cyber Security News)
More Than Two Million Stolen VPN Passwords Discovered (Security Boulevard)
High-risk vulnerabilities in common enterprise technologies (Rapid7 Blog)
Law Enforcement Dismantles Phishing Platform Used for Unlocking Stolen Phones (SecurityWeek)
Insecure software makers are the real cyber villains – CISA (The Register)
Transcript
You're listening to the Cyber Wire Network, powered by N2K.

...of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private. JoinDeleteMe.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout. That's JoinDeleteMe.com slash N2K, code N2K.

An FTC report confirms online surveillance and privacy concerns.
Ukraine bans Telegram for state and security officials.
Sensitive customer data from India's largest health insurer is leaked.
German law enforcement shuts down multiple cryptocurrency exchange services.
HZ RAT sets its sights on macOS systems.
Stolen VPN passwords remain a growing threat.
Law enforcement dismantles the iServer phishing-as-a-service platform.
Today's guest is Steve Blank, co-founder of the Gordian Knot Center for National Security Innovation at Stanford University,
talking with N2K's Brandon Karpf about national security and the dilemma of technology disruption.
And CISA's boss pushes for accountability.
It's Friday, September 20th, 2024. I'm Dave Bittner, and this is your... Thank you for joining us here today.
The Federal Trade Commission released a report confirming that major social media and video streaming companies engage in extensive surveillance to monetize user data, particularly through targeted advertising. The report, based on 2020 inquiries into companies like Meta, YouTube, TikTok, and others, highlights how these platforms collect and retain large amounts of personal data from users and non-users alike, often without adequate protections, especially for children and teens. The FTC found that many companies use privacy-invasive tracking technologies and share data broadly, often retaining it indefinitely. Some companies also failed to delete user data when requested. The report emphasizes the conflict between the companies' data-driven business models and user privacy, with particular concerns about the impact on young users' mental health. The FTC recommends comprehensive federal privacy legislation to limit data collection and enforce stricter data protections. Companies are urged to minimize data retention, limit sharing with third parties, enhance privacy protections for teens, and comply more fully with children's privacy laws. The report also raised concerns about potential competition issues, as companies accumulating vast data may dominate the market, limiting consumer choice.
Ukraine has banned the Telegram messaging app on official devices used by state and security officials, military personnel, and critical infrastructure employees, citing national security concerns. Kyrylo Budanov, head of Ukraine's defense intelligence, warned that Russian special services could access users' personal data, messages, and even deleted content. The ban applies to devices in government and defense sectors, but excludes those using the app for official duties. Ukraine's National Security and Defense Council stated that Telegram is used by Russia for cyberattacks, phishing, and military targeting. Despite privacy concerns, Telegram remains popular in Ukraine as a key source of news and alerts on Russian military actions. The app's founder, Pavel Durov, is under investigation in France for serious offenses.
Meanwhile, sensitive customer data from Star Health and Allied Insurance, India's largest standalone health insurer, has been leaked via Telegram chatbots, impacting over 31 million customers. The breach, discovered by cybersecurity researcher Jason Parker, exposed names, addresses, phone numbers, policy details, and sensitive medical information. The stolen data is available for free in small portions, while bulk data is being sold by a hacker known as ZhenZhen. Despite Telegram removing the chatbots, new ones quickly emerged. Star Health confirmed the breach, but downplayed its severity, claiming sensitive data remained secure. However, investigations revealed extensive personal data sharing, raising questions about the company's transparency. The incident highlights the growing threat of cybercriminals using Telegram to distribute stolen data, a trend exacerbated by the platform's anonymity and ease of use.

German law enforcement shut down 47 cryptocurrency exchange services used by cybercriminals for money laundering, including ransomware groups and darknet merchants. These platforms, hosted in Germany, allowed users to anonymously exchange cryptocurrencies without registration or identity verification. Among the seized services was Exchange.cash, which handled nearly half a million users and 1.3 million transactions since 2012. The police obtained extensive user and transaction data, offering valuable leads in the fight against cybercrime. No arrests have been announced yet from the operation.
HZ RAT is a remote-access Trojan that initially targeted Windows devices but has now expanded to attack macOS environments. First observed in 2020, HZ RAT allows attackers full control over infected systems, enabling them to steal data, take screenshots, record keystrokes, and access sensitive information from apps like WeChat and DingTalk. The malware also collects data on the device's hardware, networks, and applications. Delivered via phishing emails or disguised applications, HZ RAT connects to a command and control server for further instructions, allowing attackers to upload or execute files remotely. While primarily used for data collection, the malware's true purpose remains unclear.

A report from Specops Software reveals that over 2.1 million VPN passwords were stolen by malware in the past year, posing significant risks to secure networks. While many VPN services offer strong security, attackers increasingly target end-users through phishing and malware to capture credentials. Common passwords, like 12345 and password, were frequently compromised, highlighting poor password practices. The report emphasizes that VPNs, while essential for remote access, aren't foolproof against phishing or malware. Experts recommend additional protections like multi-factor authentication, strong password policies, and adopting passwordless authentication methods, such as certificate-based authentication or zero-trust network access. Businesses are encouraged to monitor login activities, audit access logs, and apply security patches to safeguard against credential theft.
Rapid7 is warning customers about several critical vulnerabilities in enterprise technologies that are high-priority attack targets. These include a remote code execution vulnerability in Adobe ColdFusion, a remote code execution and privilege escalation vulnerability in Broadcom VMware vCenter Server, and a deserialization vulnerability in Ivanti Endpoint Manager. Rapid7 advises immediate remediation to prevent exploitation.
Law enforcement agencies in Europe and Latin America have dismantled iServer, a phishing-as-a-service platform used to unlock stolen and lost phones. As part of Operation Kaerb, 17 individuals were arrested, including the platform's Argentinian administrator. iServer targeted over 1.2 million phones and victimized 480,000 users, mainly Spanish speakers from Europe, North America, and South America. The platform had over 2,000 paying users who were charged for phishing services that harvested credentials from cloud-based mobile services. These credentials were used to unlock devices by bypassing lost mode. Victims received phishing SMS messages prompting them to enter sensitive information like IMEI numbers and one-time password codes, which allowed criminals to unlink devices from their owners. The platform operated for five years, running since 2018.
Coming up after the break, our guest Steve Blank, co-founder of the Gordian Knot Center for National Security Innovation at Stanford University, on the dilemma of technology disruption. Stay with us.

Transat presents a couple trying to beat the winter blues.
We could try hot yoga.
Too sweaty.
We could go skating.
Too icy.
We could book a vacation.
Like somewhere hot.
Yeah, with pools.
And a spa.
And endless snacks.
Yes!
Yes!
Yes!
With savings of up to 40% on Transat South packages, it's easy to say, so long to winter.
Visit Transat.com or contact your Marlin travel professional for details. Conditions apply.
Air Transat. Travel moves us.
Do you know the status of your compliance controls right now? Like, right now?
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection
across 30 frameworks,
like SOC 2 and ISO 27001.
They also centralize key workflows
like policies, access reviews, and reporting,
and helps you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta
when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected
lives. Because when executives are compromised at home, your company is at risk. In fact,
over one-third of new members discover they've already been breached. Protect your executives
and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
Steve Blank is co-founder of the Gordian Knot Center for National Security Innovation at Stanford University. He recently sat down with N2K's Brandon Karpf to discuss national security and the dilemma of technology disruption.
I'm joined today by Steve Blank, adjunct professor at Stanford University and co-founder of the Gordian Knot Center for National Security Innovation at Stanford University.
Steve, thank you so much for joining us today.
Thanks for having me.
So I want to start at a high level. You are a
well-known expert and entrepreneur. You've written numerous books and articles on national security
innovation. This is what you spend, it seems to be, the majority of your life and work doing.
Can you give us a sense, where are we today? What is the state of play
in national security technology
innovation? Well, you know, I would separate out the two. What's the state of, you know,
innovation and what's the state of national security, maybe adoption of innovation.
And you have to put that in the context of, and what's the state of our adversaries
vis-a-vis the United States and national security innovation. I just want to remind your listeners something which might be obvious,
but people inside the national security space are still having a hard time getting their heads around.
It used to be that the U.S. owned all the technologies necessary to deter or win a war, right?
Whether they were drones or cyber autonomy or AI or ML or semiconductors, et cetera.
We owned it.
Our primes owned it, our contractors owned it,
our weapons labs owned it, you know,
University of Maryland or wherever else we went for cyber was the world's best at X or Y.
That's simply no longer true for most of these areas.
We still own some exquisite capabilities,
whether they're hypersonics or nuclear weapons or exquisite sensors or capabilities
or the ability to throw hundreds or thousands
or tens of thousands of people on a program
and keep it black and whatever
and put stuff in space at scale.
But all the other core stuff we used to own
now is like you could buy half of it on Amazon
and the other half, I mean, you know,
we kind of predicted,
you know, with General Manus,
the world would be now two plus three,
you know, Russia and China,
and then North Korea and Iran
and still the non-nation states.
Who would have thought the Houthis
would have been, you know, throwing.
And a legitimate threat,
I mean, to bring up that non-state actor.
Right.
Well, obviously they're not making that stuff.
They're getting it from a regional disruptor, which is Iran.
I forget the name of the book I just read, but the fact that you could buy zero-day breaks for a couple million dollars are now, oh, want to get into the latest iPhone?
You no longer need to go to Fort Meade.
It's an auction.
Who would have thought
that 10 or 20 years ago? It's like, what? Yeah, there's a market for that, right?
There's a whole market. And you kind of go, well, maybe we could lay off a couple of divisions at
some of our agencies. Not that I'm suggesting that, but who would have thought that? My point,
again, is that this notion of everything was owned by our national security establishment,
and the point isn't that we've gotten stupid or whatever. It's that a lot of this stuff has
become commoditized. And here's the big idea: our systems and organization, and more
importantly our acquisition organizations, have not... there's an impedance mismatch between how we buy, how we organize, who we hire, and how we deal with
the outside world and the organizations we've built. And that still hasn't kind of gotten aligned.
And what's worse is our adversaries have done that. So, for example, both Russia and China
understand that this is a whole of nation approach. That is, their economies and their military are aligned and interconnected.
For us, you hear any agency say, well, the problem's money.
We have a, you know, it's a zero-sum game.
And you kind of, at least I look at it and I go, no, the problem is it's a lack of imagination of where to get the money.
You know, how come we're not figuring out how to engage the folks who are already building this stuff or could be building this stuff with a set of incentives?
And the answer is, and I'll stop here for the next sentence, I say this a lot and I truly mean it.
We have world-class people, world-class organizations designed for a world that no longer exists.
It's a big idea. If we would understand
the world we're living in and get out of our skiffs or buildings or wherever we are and spend
some time outside, first of all, leadership's head would explode going, what? I mean, mine does.
Every time I find out, wait a minute, I could buy an iPhone crack or an Android crack for here,
and we were spending, you know, N dollars inside of a building trying to solve X or Y.
Well, why don't I just have a note? And we kind of do, but not, think about it. Senior leadership grew up in a world 20 years ago, right? And that world no longer looks anything like the world
that it, and so you kind of get stuck with the things you knew when you were kind of coming up the ranks. And when the world is changing at such a rapid rate, the older you are,
the harder it is for you to kind of adapt and adopt. Not that it's impossible, but you need
to understand that it's not just the rate of change, but the delta rate of change is increasing.
Number of adversaries, number of capabilities, number of whatever. We could just focus on cyber, but we could talk about the national security space writ
large is incredibly complex today.
It looks nothing like it did even 10 years ago.
Sure.
And that context matters, right?
Because when we talk about whether it's cybersecurity or national security, the political context
matter, the interstate competition matters.
So when I think about what you just said
in my own context, right,
I spent nearly 10 years active duty in the Navy.
The last three years of my life,
I stepped outside of the building
and I've been in the private sector.
And what I've seen is from the outside,
it looks like the defense world
is refocusing to great power competition. You see that in their
strategies. You see them kind of refocusing their efforts primarily to China. And it seems like a
lot of the technology that they are pushing for the development of is focused on that threat from
China. At least that's what the outsider in me is seeing. So I'm curious from your perspective,
what is the national security community getting wrong in terms of the nation state adversaries, in terms of reorienting ourselves to the China threat and competition with nations like China?
So, you know, I'm going to admit my bias, which, again, brings all kinds of baggage.
But my professional career was an entrepreneur at Silicon Valley,
where you operated with incredible speed and urgency because there was a virtual gun to your head back then of running out of money
before you could actually generate revenue.
And so you would build things now we call minimum viable products.
You'd ship them.
You'd get feedback, et cetera.
You know, there was no notion of a JCIDS process or a POM process or, you know, two to three years to get something into a POM. You had to argue with some staffer who says it's, you know, not in my district and a congressman who has some political agenda.
And, again, that's the nature of the business.
But that's not how the world operated in the world that a lot of these innovations are coming from.
And that was fine when we were competing with another nation state like the Soviet Union,
that they had the equivalent bureaucratic stuff. I mean, obviously, communism worked from state planning and then a whole nother, but the clock speeds were essentially the same.
The problem is, is that China, and if we just want to look at like why this next statement is not bullshit, look at the number of DDGs, there are destroyers they're putting in the water or their ship camped in the last 10 to 15 years.
They've figured out how to operate at a different clock speed than we have.
Period.
End of discussion.
And so the question is, is like, you know, we could have lots of discussions of why we can't do that.
But the other part that just flabbergasts me is that we do have a part of the nation that still
knows how to operate in that. And those are the innovation clusters. And when I say Silicon Valley,
I don't mean the physical place. I mean all the innovation clusters that know how to operate with speed and urgency and could be delivering capabilities to the
DOD and the rest of the national security establishment. It's not that we don't do that
as point things. So let me be clear. It's not that no one knows that it's here. If you look at the
list of what's called the MDAP, the Major Defense Acquisition Programs, which is basically the top
tier 100 or so things that we spend billions or hundreds of billions of dollars on, there's not a
single startup or scale up on it. And in fact, that list hasn't changed in the last 10 or 20 years
since the consolidation of the primes. Well, that's a symptom of, you know, we basically do
innovation theater when we talk about adopting innovation at scale.
But we really don't do innovation deployment at scale.
And by deployment is there are more demos of, hey, look what we have, shiny object C, Admiral X or Y, or we show it to Congressman Z.
And then you ask, well, how many ships is this on?
Well, it's on one.
Well, when does it get on the other 50?
Oh, that's not really budgeted, or it's budgeted for 2045. Well, wait a minute, don't we have a
2027 problem with the Taiwan Strait? Or gee, aren't we learning lessons from Ukraine? And so
when are we deploying drone stacks, let alone drone swarms? Well, we're working on it. Well,
wait a minute. And again, you know,
and I know Bill LaPlante didn't really mean this, but when he says, you know, the war in Ukraine is
really all about artillery and not about innovation. Well, clearly it's a hybrid war.
It looks like a combination of World War I, you know, with trench warfare, you know, with World War III, with drone stacks and advanced technology and literally a meat grinder like World War I.
And clearly, we need new factories for, you know, for artillery shells, but also the amount of drones we attrit are probably as many as the number of shells we're attriting.
And I'm saying that as a, obviously not exactly, but, you know,
so us buying, you know, a thousand drones a year is kind of silly when they're attriting a thousand
drones, you know, a month, if not a week.

This is only part of the conversation between Steve Blank and Brandon Karpf. We will be releasing a special edition with their complete conversation this weekend. You can look for that in your CyberWire podcast feed.
Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
And finally, in a lively keynote this week at the MWISE conference, CISA director Jen Easterly didn't hold back, casting software developers as complicit contributors in the cybercrime saga. Easterly proclaimed, tech vendors are building problems right into their products, leaving doors wide open for cybercriminals. Let's stop with the poetic villain names, she added. How about calling them evil ferret or scrawny nuisance instead? Easterly argues the real issue isn't security vulnerabilities. It's shoddy coding practices. She asked, why does software need so many urgent patches? She suggested we rename vulnerabilities to product defects and hold vendors accountable. The message? It's time for software developers to shape up and secure their code before the villains get in. While many big names have signed CISA's Secure by Design pledge, Easterly wants tech buyers to wield their purchasing power and demand security up front. And maybe, just maybe, we'll finally put a dent in the multi-trillion dollar cybercrime problem.

And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Be sure to tune in for this weekend's Research Saturday and my conversation with Jonathan Tanner,
senior security researcher from Barracuda.
We're discussing their work, Stealthy Phishing Attack uses advanced info stealer for data exfiltration.
That's Research Saturday.
Check it out.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly
changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes
or send an email to cyberwire at n2k.com. We're privileged that N2K Cyber Wire is part of the
daily routine of the most influential leaders and operators in the public and private sector
from the Fortune 500 to many of the world's preeminent intelligence and law enforcement
agencies. N2K makes it easy for companies to optimize your
biggest investment, your people. We make you smarter about your teams while making your teams
smarter. Learn how at n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester
with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Iben. Our executive
editor is Brandon Karp. Simone Petrella is our president. Peter Kilby is our publisher. And I'm
Dave Bittner. Thanks for listening. We'll see you back here next week.

Your business needs AI solutions that are not only ambitious, but also practical and adaptable. ... Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.