CyberWire Daily - Things aren’t looking so Shiny(Hunters) at cloud provider Snowflake.

Episode Date: June 3, 2024

Signs point to a major cybersecurity event at cloud provider Snowflake. Hugging Face discloses "unauthorized access" to its Spaces platform. Australian legislation seeks jail time for deepfake porn. CISA adds two vulnerabilities to the KEV catalog. Spanish police investigate a potential breach of driver's license info. NSA shares mobile device best practices. Everbridge crisis management software company reports a data breach. N2K's CSO, Chief Analyst, and Senior Fellow, Rick Howard joins us to preview CSO Perspectives Season 14, which launches today! Google tries to explain those weird AI search results.

Our 2024 N2K CyberWire Audience Survey is underway; make your voice heard and get in the running for a $100 Amazon gift card. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
N2K's CSO, Chief Analyst, and Senior Fellow, Rick Howard joins Dave to preview CSO Perspectives Season 14, which launches today! The first episode explores SolarWinds and the SEC. This episode of CSO Perspectives has a companion essay. You can find it here. Not an N2K Pro subscriber? You can catch the first half of the episode here.
Selected Reading
The Ticketmaster Data Breach May Be Just the Beginning (WIRED)
Hugging Face says it detected 'unauthorized access' to its AI model hosting platform (TechCrunch)
Jail time for those caught distributing deepfake porn under new Australian laws (The Guardian)
CISA warns of actively exploited Linux privilege elevation flaw (Bleeping Computer)
Spanish police investigate whether hackers stole millions of drivers' data (Reuters)
The NSA advises you to turn your phone off and back on once a week - here's why (ZDNET)
Everbridge warns of corporate systems breach exposing business data (Bleeping Computer)
Google's AI Overview is flawed by design, and a new company blog post hints at why (Ars Technica)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life Thank you. JoinDeleteMe.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout. That's JoinDeleteMe.com slash N2K, code N2K. We'll be right back. Australian legislation seeks jail time for deepfake porn. CISA adds two vulnerabilities to the KEV catalog. Spanish police investigate a potential breach of driver's license info.
Starting point is 00:01:52 NSA shares mobile device best practices. Everbridge crisis management software company reports a data breach. N2K's CSO, chief analyst, and senior fellow Rick Howard joins us to preview CSO Perspectives Season 14, which launches today. And Google tries to explain those weird AI search results. It's Monday, June 3rd, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Hello and happy Monday, and thank you for joining us. It is great to have you here. A series of interconnected breach announcements involving Ticketmaster, Santander, and Australian ticketing provider Ticketek may represent a major cybersecurity event potentially linked to cloud provider Snowflake.
Starting point is 00:03:06 Live Nation, which is Ticketmaster's parent company, reported investigating a breach claimed by the ShinyHunters group, who advertised 500 million users' data for $500,000. Ticketmaster confirmed its database was hosted on Snowflake. Simultaneously, Ticketek disclosed a cyber incident impacting Australian customers' personal data, though Snowflake's involvement remains unconfirmed. Australia's cybersecurity minister highlighted the breach's significant impact. The Australian Signals Directorate alerted companies using Snowflake to secure their accounts. ShinyHunters also posted data from a mid-May Santander hack with customer bank and credit card numbers for sale at $2 million. Hudson Rock initially reported, then retracted claims,
Starting point is 00:03:58 that breaches at Ticketmaster and Santander involved hacking a Snowflake employee's account. Snowflake serves over 9,000 customers, including major corporations like Adobe and Mastercard. ShinyHunters claim they bypassed Okta's authentication via a Snowflake employee's ServiceNow account, using session tokens to extract customer data. Mandiant's investigations suggest information-stealing malware facilitated access to Snowflake tenants.
Starting point is 00:04:30 Snowflake denied platform vulnerabilities or breaches, noting potential unauthorized access to customer accounts from May 23, 2024. Cloud security firm Mitiga identified a threat actor using Snowflake databases with an attack tool named Rapeflake, indicating possible brute force attacks and automated tool usage to infiltrate accounts. Late Friday, AI startup Hugging Face disclosed unauthorized access to its Spaces platform. The breach involved Spaces' secrets, which are keys to
Starting point is 00:05:06 protected resources. Hugging Face suspects some secrets were accessed by third parties. As a precaution, they've revoked several tokens and advised users to refresh their keys or switch to fine-grained access tokens. Hugging Face says they're collaborating with cybersecurity experts, law enforcement, and data protection authorities to investigate. They say they regret the disruption and aim to enhance their security infrastructure. Increased cyber attacks have been noted, possibly due to Hugging Face's growing popularity. Previously, vulnerabilities and malware issues were identified by security firms Wizz, JFrog, and HiddenLayer, Hugging Face is partnering with Wizz to improve platform security. Australia is introducing new laws to criminalize the distribution of non-consensual deepfake pornographic images.
Starting point is 00:06:01 Under the proposed legislation, sharing such images will result in up to six years in jail, with an additional year for those who created them. Attorney General Mark Dreyfus aims to address the abuse facilitated by generative AI technology, which predominantly affects women and girls. The legislation will target the dissemination of AI-created sexually explicit images without consent, applying to any form of digital sharing. This move is part of broader efforts to combat technology-facilitated abuse and violence against women. The laws will complement existing protections and involve a review of the Online Safety Act to address related issues like doxing. CISA has added two vulnerabilities to its Known Exploited Vulnerabilities catalog, including a high-severity Linux kernel privilege elevation flaw. Disclosed on January 31st of this
Starting point is 00:06:58 year, this use-after-free issue in the Netfilter nf_tables component was introduced in February 2014. It allows local attackers to gain root access by exploiting the nft_verdict_init function. The flaw was fixed in January 2024, and patches were backported to multiple stable kernel versions. Exploitation details were published in March of this year. CISA requires federal agencies to apply patches by June 20th and recommends mitigations like blocking nf_tables
Starting point is 00:07:34 and restricting user namespace access. The second vulnerability impacts Check Point VPN devices. Researchers revealed it to be more severe than initially reported. Spanish police are investigating a potential sale of private information from millions of vehicle drivers after detecting an attempted data breach at the Directorate General of Traffic two weeks ago. Suspicious database access attempts were blocked and an investigation was initiated by the Guardia Civil Traffic Investigation and Analysis Group. The DGT's database holds information on over 27 million drivers.
Starting point is 00:08:14 An anonymous user on Breach Forums claimed to have access to the DGT database and was selling it. The DGT is verifying these claims. Last year, cyber attacks in Spain nearly doubled to over 100,000 incidents, with 130 classified as critical. The NSA has published a handy mobile device best practices report, offering tips to better protect those ubiquitous gadgets.
Starting point is 00:08:46 A simple method to thwart hackers is restarting your phone weekly, making it harder to steal information due to many malware packages not having persistence. However, this won't always prevent attacks. The NSA also highlights threats like malicious apps, Wi-Fi networks, spyware, and physical access. It's a nice collection of best practices, easy to share with friends, family, and co-workers. Everbridge, an American crisis management software company, reported a recent breach where unknown attackers accessed files containing business and user data. The breach occurred on May 21st through a previous phishing attack targeting employees. Everbridge, which serves over 6,500 clients, including the U.S. Army and Hartsfield-Jackson Atlanta International Airport, notified law enforcement and affected customers.
Starting point is 00:09:36 No ransomware was involved, but customer data, including admin user contact information, was exposed. Everbridge is collaborating with Mandiant and Stroz Friedberg to assess the impact. To enhance security, Everbridge mandated multi-factor authentication for all accounts by June 3, 2024. The company, publicly traded since 2016, was recently acquired by Thoma Bravo in a $1.8 billion deal. Coming up after the break, my N2K colleague Rick Howard joins us to preview CSO Perspectives Season 14, which launches today. Stay with us. Transat presents a couple trying to beat the winter blues.
Starting point is 00:10:40 We could try hot yoga. Too sweaty. We could go skating. Too icy. We could book a vacation. Like somewhere hot. Yeah, with pools. And a spa.
Starting point is 00:10:49 And endless snacks. Yes! Yes! Yes! With savings of up to 40% on Transat South packages, it's easy to say, so long to winter. Visit Transat.com or contact your Marlin Travel Professional for details. Conditions apply.
Starting point is 00:11:02 Air Transat. Travel moves us. Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
Starting point is 00:11:41 They also centralize key workflows like policies, access reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Starting point is 00:12:35 Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And I am pleased to welcome back to the show Rick Howard. He is the CyberWire's chief security officer and also our chief analyst. Rick, when I am out and about and I run into folks who are admirers or fans of our work, the one question that I've been asked lately more than any other question, it is not, Dave, what stories are coming up?
Starting point is 00:13:24 It is not, Dave, can I have your autograph? It is, Dave, when is Rick Howard's CSO Perspectives coming back to the CyberWire? People have missed you, Rick. You've been away far too long. So, first of all, why the extra long hiatus here? So, you've run into my mom and my mother-in-law out and about is what you... That's fair enough. But conspicuously, not your wife. Yeah, conspicuously. Right. And yes, we have been away. My only explanation is that N2K
Starting point is 00:13:57 engaged in a giant project this last year that not only consumed me, but the entire executive staff. And at some point, we're going to do a podcast about what all that meant. But what it really means, it's been nine months since we released a new episode of CSOP, and we got to fix that this week. All right. Well, there's lots of anticipation built up there, pent-up demand. So let's talk about it. What are you covering on your return? Well, you
Starting point is 00:14:27 know, Dave, you and I've talked about this. I've had a burr up my saddle for, I don't know, forever about the SolarWinds breach by the Russian SVR. And not only that it was this most impactful cyber activity, but three years later, the SEC, the United States Securities and Exchange Commission, decides to make an example of the security team at SolarWinds. And they reach past the board of directors, reach past the executive staff, and specifically the CEO and the CFO at the time, and decided to charge Tim Brown, the CISO of SolarWinds, with fraud about the incident, right? And I had been complaining about that for a long time.
Starting point is 00:15:12 I said, how is that possible? Especially when Tim wasn't even the CISO at the time of the breach. He was just the VP of security. How can the SEC make an example of him when clearly decisions were made at the very top about what should be happening? All right. And so, but I have talked to a lot of CISOs about this, Dave, over the last couple of years, and about half of them are outraged like me that, how is that possible?
Starting point is 00:15:37 But the other half said, yeah, he got what he deserved. So I'm willing to admit that I may be wrong. So this episode is us trying to figure out what really happened and is my rage justified. Well, in the time since then, it strikes me that even the way that some CISOs look at their own positions within an organization has changed. Maybe they're looking over their shoulders a little more than they used to. Yeah, that's what I think, right? And now we're being held up to a standard where we don't have the protections of the executive staff in a public company. But I would tell you the big epiphany I had here is, this came up in a lot of conversations
Starting point is 00:16:18 at the recent RSA conference just a couple of weeks ago. You know, the financial community and the SEC specifically, they have a language. They have a set of principles that they follow to present the business to the public. And they're called GAAP rules, you know, generally accepted accounting principles.
Starting point is 00:16:37 There's about 90 of them and all the financial community has agreed that this is the way we're going to represent business to the world. The cybersecurity field, we don't have that. Okay. The best thing we have is, you know, a framework like NIST or the CIA triangle, you know, idea,
Starting point is 00:16:55 right? But those two things don't bridge together. And we need a way, the InfoSec profession, to bridge the gap between what the generally accepted accounting principles are and what cybersecurity risk is. And we are just starting down that path. Who do you suppose would be best suited to lead that charge? Well, that's really interesting. I didn't know this until we looked into it. But, you know, we all assume that, you know, financial principles have been around since the pyramid days. Okay. So, but that's not really true. After the depression in the United States back in the 1930s, the SEC got groups together to say,
Starting point is 00:17:33 we need to come up with a list of rules to make this happen. And they tried three different times, failed three times until they got the GAAP rules that became official sometime around 2009, right? And so, to answer your question, I don't see any reason why the SEC couldn't get a group of people like me and, you know, the FAIR people and the guys that wrote how to measure everything in cybersecurity and come up with a set of rules that make sense for the cybersecurity industry. Hopefully, it won't take 70 years to implement, right? Yeah, hopefully. All right, well, let me share the excitement
Starting point is 00:18:11 from so many folks who are looking forward to CSO Perspectives' return. Rick Howard, thanks for joining us. Thank you. with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And finally, in a blog post titled "AI Overviews: About last week," Google acknowledged the rough week it had with its AI Overview feature,
Starting point is 00:19:28 providing inaccurate and sometimes dangerous answers. The AI Overview, showcased at Google I/O, aims to summarize search results using an AI model integrated with Google's web ranking system. Despite claims of effectiveness, it has generated bizarre and incorrect responses, such as advising people to eat one small rock per day or to use glue to keep cheese from slipping off your pizza. Google VP Liz Reid nearly apologized,
Starting point is 00:20:01 explaining that the AI Overview is designed to only display information backed by top web results. However, this design assumes Google's page-ranking algorithm always favors accuracy over SEO-gamed content, which critics say is a flawed premise given the current state of Google's search. The AI can still draw erroneous conclusions even from accurate data. Blaming nonsensical user queries for some errors, Reid highlighted improvements to detect such queries, restrict user-generated content for misleading advice, and filter sensitive topics.
Starting point is 00:20:42 Despite these efforts, some errors and fake screenshots continue circulating. Google forgives itself for these mishaps, noting the inherent challenge of managing billions of daily queries. The company insists it learns from errors to enhance search quality. However, this situation exposes a fundamental issue. AI overview doesn't inherently guarantee factual accuracy, merely reflecting the inaccuracies of Google's page-ranking results. For now, Google is working to address these issues before a broader rollout, but users might still encounter
Starting point is 00:21:20 unusual or unreliable results as the AI search team continues to troubleshoot. It's a classic case of trust us, but don't trust our AI completely just yet. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show every week. You can find Grumpy Old Geeks where all the fine podcasts are listed.
Starting point is 00:21:58 We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement
Starting point is 00:22:28 agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester, with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Iben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilby is our publisher. And I'm Dave Bittner.
Starting point is 00:22:57 Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
