CyberWire Daily - WhatsApp's legal triumph cracks the spyware vault.
Episode Date: March 1, 2024A court orders NSO Group to hand over their source code. The Five Eyes reiterate warnings about Ivanti products. Researchers demonstrate a generative AI worm. Fulton County calls LockBit’s bluff. SM...S codes went unprotected online. Golden Corral serves up a buffet of personal data. Ransom demands continue to climb. A US Senator calls on the FTC to investigate auto industry privacy practices. Dressing up data centers. Our guest is Dominic Rizzo, founder and director of OpenTitan and CEO at zeroRISC, discussing the first open-source silicon project to reach commercial availability. And Cops can’t keep their suspects straight. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Guest is Dominic Rizzo, founder and director of OpenTitan and CEO at zeroRISC, discussing the first open-source silicon project to reach commercial availability. You can find the press release here. Selected Reading Five Eyes Warn of Ivanti Vulnerabilities Exploitation, Detection Tools Insufficient (Infosecurity Magazine) A leaky database spilled 2FA codes for the world’s tech giants (TechCrunch) Report: Average Initial Ransomware Demand in 2023 Reached $600K (Security Boulevard) Here Come the AI Worms (WIRED) Golden Corral restaurant chain data breach impacts 183,000 people (Bleeping Computer) Hackers stole 'sensitive' data from Taiwan telecom giant: ministry(Tech Xplore) CISA adds Microsoft Streaming Service bug to its Known Exploited Vulnerabilities catalog (Security Affairs) Senator asks FTC to investigate automakers’ data privacy practices (The Record) Looking good, feeling safe – data center security by design (Data Center Dynamics) Cops visit school of 'wrong person's child,' mix up victims and suspects in epic data fail (The Register) OpenTitan® Partnership Makes History as First Open-Source Silicon Project to Reach Commercial Availability (lowRISC) Creating Connections: Embracing change. (N2K Women in STEM newsletter) Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners.
private by signing up for Delete Me. Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code
n2k at checkout. That's joindeleteme.com slash N2K, code N2K.
A court orders NSO Group to hand over their source code.
The Five Eyes reiterate warnings about Avanti products.
Researchers demonstrate a generative AI worm.
Fulton County calls Lockpits bluff.
SMS codes went unprotected online.
Golden Corral serves up a buffet of personal data.
Ransom demands continue to climb.
A U.S. Senator calls on the FTC to investigate auto
industry privacy practices. Dressing up data centers. Our guest is Dominic Rizzo, founder
and director of OpenTitan and CEO at Zero Risk, discussing the first open source silicon project
to reach commercial availability. And cops can't keep their suspects straight.
It's Friday, March 1st, 2024, the first day of Women's History Month.
I'm Dave Bittner, and this is your CyberWire Intel briefing.
A U.S. court has mandated Israeli firm NSO Group,
creators of the Pegasus spyware,
to hand over its source code to WhatsApp.
Back in 2019, WhatsApp accused NSO of targeting 1,400 of its users with Pegasus, which allows for extensive surveillance without detection.
Despite NSO's appeal citing U.S. and Israeli restrictions, the court ordered the disclosure
of all spyware active from April 29, 2018 to May of 2020,
excluding client identities or server details.
This ruling marks a significant legal win for the meta-owned app.
NSO Group has been widely criticized for enabling the surveillance of activists and journalists worldwide
and was blacklisted by the Biden administration in 2021.
The administration has also introduced global visa restrictions to combat the misuse of spyware
like Pegasus, reflecting concerns over national security and privacy.
The Five Eyes intelligence agencies from Australia, Canada, New Zealand, the UK, and the US have issued an urgent
warning about the ongoing exploitation of vulnerabilities in Avanti products. Cyber
threat actors are targeting Avanti Connect Secure and Avanti Policy Secure gateways.
The vulnerabilities rated from high to critical could allow attackers to bypass authentication,
craft malicious requests, and execute commands with elevated privileges.
The advisory also highlights that Avanti's compromise detection tools failed to detect breaches,
advising users to assume compromise credentials, hunt for malicious activity, and follow Avanti's patching guidance.
Observers have noted that these ongoing notifications from intelligence organizations
amount to an indirect recommendation to discontinue use of the affected Avanti products.
Meanwhile, CISA has added a Microsoft Streaming Service vulnerability with a CVSS score of 8.4 to its known exploited vulnerabilities catalog due to its exploitation of system privileges.
Discovered by Thomas Imbert from Synactive through the Trend Micro Zero Day initiative, this flaw has seen widespread abuse following the release of proof-of-concept code.
has seen widespread abuse following the release of proof-of-concept code.
Federal agencies must remediate the vulnerability by March 21, 2024,
and CISA recommends private entities also address this issue in their systems.
Researchers have demonstrated a novel cyber threat with the creation of a generative AI worm capable of spreading across AI systems, such as OpenAI's ChatGPT
and Google's Gemini. This AI worm, called Morris2, can autonomously propagate from one system to
another, stealing data or deploying malware. Developed by Ben Nassi and colleagues at Cornell
Tech, Morris2 can exploit AI email assistants to exfiltrate
data from emails and disseminate spam, circumventing some security measures of ChatGPT and Gemini.
The exploit utilizes adversarial self-replicating prompts, akin to traditional cyber attack methods,
to manipulate AI responses for malicious purposes. The research, which was
conducted in controlled settings, underscores the emerging security risks within AI ecosystems,
especially as AI applications gain autonomy in performing tasks. The researchers have
reported their findings to Google and OpenAI. The LockBit ransomware group claimed online that Fulton County, Georgia, had paid a ransom
to prevent the publication of stolen data.
County officials insist no payment was made.
Now, security experts suggest LockBit was bluffing, likely having lost the data during
recent U.S. and U.K. law enforcement seizures of the gang's servers.
Originally threatening to release Fulton County's data, Lockbit removed the county from its victim list without clear explanation.
The FBI and U.K.'s National Crime Agency had earlier disrupted Lockbit's operations, casting doubt on the group's capabilities.
disrupted LockBit's operations, casting doubt on the group's capabilities.
Despite re-emerging with new domains, LockBit's credibility is questioned,
with analysts suggesting this episode could signify the end of the LockBit brand, pointing to possible desperation or an attempt to maintain affiliate confidence
after significant operational setbacks.
after significant operational setbacks.
YX International, an Asian tech company providing global SMS routing services,
inadvertently exposed a database without password protection,
revealing one-time security codes and password reset links for users' accounts on platforms like Facebook, Google, and TikTok.
Discovered by security researcher Anurag Sen,
the database contains sensitive information, including two-factor authentication codes
and internal email addresses. Despite the inherent security benefits of two-factor authentication,
SMS-based codes can be less secure, susceptible to interception or accidental exposure.
can be less secure, susceptible to interception or accidental exposure.
The database, with records dating back to July of 2023,
was secured after TechCrunch alerted YX International, but the company couldn't confirm the duration of the exposure
or if unauthorized access occurred.
A report from Arctic Wolf reveals a 20% year-over-year increase in median initial ransom demands in 2023, reaching $600,000.
Sectors like legal, government, retail, and energy face demands of a million dollars or more.
Manufacturing, business services, and education and nonprofits top the victim list. The report underscores
cyber criminals growing aggression, exploiting mainly pre-2022 vulnerabilities. Arctic Wolf
notes that by focusing on 10 specific vulnerabilities, organizations could
significantly enhance cybersecurity. The silver lining is improved organizational resilience,
The silver lining is improved organizational resilience, with 71% managing partial recovery from backups, aiding negotiation leverage.
Insurance mandates for modern data protection and law enforcement's increasing adeptness at identifying cyber syndicates also contribute to a proactive stance against ransomware. Golden Corral, an American buffet restaurant chain
and my father's favorite place in the world to eat out, announced a data breach affecting over
180,000 individuals after a cyber attack in August. Hackers accessed the company's systems
between August 11th and 15th, compromising data of current and former employees and their beneficiaries.
The breach disrupted corporate operations, prompting notification to federal law enforcement
and efforts to enhance security measures. The stolen data includes names, social security
numbers, financial and medical information, among others. Golden Corral has begun notifying
affected individuals and advises vigilance against identity theft.
The breach's details were disclosed in a filing
with Maine's attorney general.
Senator Edward Markey criticized major automakers
for their vague responses to his questions
regarding data privacy practices
and has called on FTC Chair Lina Khan to investigate.
Markey's dissatisfaction stems from inadequate transparency on how these companies handle
privacy protections, consent for data collection, and data sharing for commercial benefits.
Despite automakers claiming to offer consent options to consumers, only one disclosed the consent rate, and most only delete data when legally required.
Concerns were also raised about excessive data collection,
potential loss of vehicle functionality without consent, and past cyber attacks.
The industry's practice of sharing data with law enforcement under legal orders was noted,
but the criteria
for such sharing remain ambiguous for some. Markey's appeal to the FTC coincides with the
FCC's increased scrutiny over connected car services. Data centers, essential yet often
unobtrusive components of the digital infrastructure, face growing scrutiny over their appearance and integration into local communities.
Author Dan Swinho has taken a closer look at this issue on the Data Center Dynamics website.
As these facilities proliferate, there's increasing pressure from local authorities and residents
for developers to invest in aesthetic improvements to make these large, typically windowless structures
more visually appealing and less of an eyesore.
Efforts include adding glass facades, incorporating green living walls,
and using vibrant murals to soften their imposing presence.
Despite these aesthetic enhancements, security remains paramount,
with developers balancing the need to make data centers less fortress-like while ensuring they meet stringent security standards.
Innovations in design and security, such as utilizing environmental features for protection and employing smart technology, are helping to integrate these critical facilities more harmoniously into their surroundings.
are helping to integrate these critical facilities more harmoniously into their surroundings.
This shift not only addresses community concerns,
but also reflects a broader trend toward branding and visibility in the industry,
marking a departure from the traditionally stealthy presence of data centers. Coming up after the break, my conversation with Dominic Rizzo,
founder and director of OpenTitan and CEO at ZeroRisk.
We're discussing the first open source silicon project to reach commercial availability.
Stay with us. Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001. They also centralize key
workflows like policies, access reviews, and reporting, and helps you get security questionnaires
done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365 with Black Cloak.
Learn more at blackcloak.io.
My guest today is Dominic Rizzo, founder and director of OpenTitan and CEO at ZeroRisk. Our conversation centers on the first open-source silicon project to reach commercial availability.
We describe it as either an open open source secure silicon platform or ecosystem or as an open source silicon root of trust.
But the root of trust being just one application of the secure silicon design collateral, design verification collateral that we've put together under the kind of umbrella of the OpenTitan project.
Well, take us through the history here.
I mean, from the initial idea to actually being able to ship product,
what are some of the steps that you and your colleagues have gone through here?
Oh, absolutely.
So it actually starts way, way, way back, about a decade ago.
In the first iteration, it was called the Honest Machines Project. You know, it takes
time for these things to gestate. So fast forward about five years from that, so five years
previous to today, when I actually started it as the OpenTitan project when I was at Google.
So the goal there being that, you know, silicon security is kind of the best kind of most
foundational security, but it's hard. The implementations are inconsistent. So how do we
sort of raise all boats across industry in a way that's transparent and trustworthy and
non-proprietary? Well, we do that with open source, right? Now, there's a challenge there,
and that open source silicon has never really been done before
in a successful kind of commercially viable way.
There's things like RISC-V
that's an open source specification.
There's never really been an implementation before.
So some of the things we did
starting from very, very, very, very early on
is one, we partnered very closely
with a host organization,
a nonprofit in the UK
called Low Risk CIC. It's a spin out of the Cambridge Computer Lab. And that was to kind
of give it a neutral place where it could be gestated and grown and kind of bring everyone
together in sort of a Silicon Commons environment. And then, you know, sort of philosophically,
as we were laying out the principles of the project, we really relied on things like flexibility and quality.
So flexibility in that it's all under a permissive Apache license, just a very vanilla, very commercially friendly open source license.
And then the quality aspects are things like the documentation, the design verification collateral, all in addition to
the digital design itself, right? So that's really one of the things that sets OpenTitan
apart as a project, is it's the full package. It's the full silicon package,
which we've now taken forward, developed over these last five years with a lot of partners,
you know, Google, Kiseki Endeavor, Seagate, Western Digital, Rivos,
among many, many others, including individual independent contributors, and pulled this
together with our partners at Winbond and Nuvaton and turned it into a chip, a commercially
available chip that is now shown to be working.
It's now still a proven IP and is moving into
mass production towards the end of this year. And so what do you envision the use cases being
for this chip? One of the core kind of initial ones is you can think of this as a platform
root of trust, something that you can integrate into a system where it can serve as this kind of independent
below the operating system, trustworthy, secure enclave of sorts, right? And that's where someone
like Zero Risk comes in to really democratize access, to make this available to, for example,
you know, providers of critical infrastructure, folks like that, right? But you can use this to really secure everything
from commercial server designs
to data center peripherals to laptops
to even something as semi-ubiquitous
as like a second-factor fob,
a multi-factor authentication device, right?
So all of those things have security
or you want them to have security
rooted all the way down in the silicon
below any of the kind of very broad attack services
that software or the operating system presents.
So help me understand how this would be integrated
into a broader system here.
I mean, you mentioned it being kind of a secure enclave.
That's a term
I'm familiar with from the way that Apple uses it. Does it parallel that sort of use case?
I would say that the way my understanding, obviously, I don't know for sure, is my
understanding of the way Apple uses it, the kind of parlance around these things can be a little squishy at times.
I would tend to call this more of a... Secure enclave is actually not the worst term for it,
but it's actually probably closer to something like a secure element,
which is a little bit smaller,
kind of lower performance in a way of an environment,
but one where you put like critical secrets, critical
assets, things like that, right? Whereas I think some of the ones where we talk about confidential
compute and things like that, those tend to be more moderate to very high performance,
secure, isolated execution environments. But again, those tend to rely on a much smaller trusted compute base, much smaller tax surface root of trust or a secure element style device like the OpenTitan, where you store the kind of critical assets that then get leveraged up into that larger, more performant environment.
So again, forgive my only slight understanding of what goes on under the hood with a project like this, but obviously you have silicon, which is baked in to get something into hardware. Is the security element of this that it is immutable,
that as it goes out into the field,
I mean, that's what you have,
and so that's where the trust comes from?
That's absolutely one aspect of it, right?
I mean, the ability to hit reset or trigger a remote reset
and get yourself back to a known good state
is a really, really critical property.
And the only way to do that, the only way to do that with any sort of confidence and get yourself back to a known good state is a really, really critical property.
And the only way to do that,
the only way to do that with any sort of confidence is to root that in something immutable
like the silicon itself, right?
You can't do it at the firmware level
because that can often be updated.
And if that update mechanism is bad,
you start to see terrible, persistent, pernicious
kind of advanced persistent threats that just stay
resident and possibly stay there quietly.
You certainly can't do it at the operating system level.
There's this notion of
turtles all the way down.
Really, what you need to have is you need to have
this kind of bottom turtle
built out of rock-solid
silicon that you always
know that it goes back to a known good state
when you choose to put it in that state. Can you share with us some of what went into the
decision-making process here? I mean, I imagine it must have been challenging to decide what gets
put in and what gets left out. Oh, that's absolutely right. And again, that's where
something like the Low-Risk Foundation, or that's not actually. And again, that's where something like the Low Risk
Foundation, where that's actually a foundation, but the Low Risk, it's called a community interest
corporation, where they come in is they actually support the governance of an open source project
where all the partners kind of come together and commit resources, be they financial or personnel, and sort of support
the overall effort. And so there's a really well thought out governance structure where there's a
project director, which is myself, and that project director proposes a yearly roadmap.
That roadmap gets voted on by a steering committee, which is composed of representatives
that are all paying into the kind of communal support kitty. And then, you know, you start to have things like a technical committee
where the people who are really the day-to-day experts doing a lot of the technical work are
all evaluating proposals for what goes in and what goes out. And then from there, you have,
you know, concentric rings of committers, people who can actually approve, who can review and approve code that goes in, because it can't be unconstrained, right?
And that's a very actively monitored and pruned list to make sure that folks are really engaged in the project, that they really have the kind of background and the kind of involvement necessary to make those decisions wisely.
And then, of course, there are all the people who really do the work,
you know, the contributors, right?
So it's kind of these concentric rings of governance
that lead to, you know, one, a lot of discussion.
So it does take longer.
But by the time you conclude those discussions,
you end up with a sort of much more broadly accepted and acceptable implementation that meets the needs of all the individual partners, whatever their specific niche use cases might be.
So for folks who want to find out more about OpenTitan and the project itself, what's the best way for them to find out more?
I think the OpenTitan.org website is a great place to start.
Also looking at some of the supporting companies and their involvement.
Low Risk, obviously, is the host organization.
Folks like my company, Zero Risk, were obviously major contributors as well.
And sort of seeing how these different organizations are both utilizing OpenTitan and kind of any
sort of... It's not the worst thing to read the press around
it, right? We've really tried hard to...
I just want to give a plug for your show.
We've tried to really, really
align with the goals of transparency and trustworthiness. We've really
tried hard over the years to make this thing as accessible as possible, right?
Yeah. I mean, that's the spirit of open source, right?
That is absolutely the spirit of open source. I would tend to call open source really,
it's about conscious commoditization. It's about taking something that is broadly useful,
It's about taking something that is broadly useful, broadly necessary, and really making it so that everyone can leverage it and benefit from kind of a ubiquitous open implementation.
And we hope we've done that with OpenTitan.
That's Dominic Rizzo, founder and director of OpenTitan and CEO at Zero Risk. Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of
solutions designed to give you total control, stopping unauthorized applications, securing
sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach
can keep your company safe and compliant.
Breaking news happens anywhere, anytime.
Police have warned the protesters repeatedly, get back.
CBC News brings the story to you live.
Hundreds of wildfires are burning.
Be the first to know what's going on and what that means for you and for Canada.
This situation has changed very quickly.
Helping make sense of the world when it matters most.
Stay in the know.
Download the free CBC News app or visit cbcnews.ca.
And finally, the West Midlands Police found itself under the scrutiny of the UK's Information Commissioner's Office
for mixing up the personal data of two individuals sharing the same name and birth date,
violating the Data Protection Act of 2018.
The errors, including sending officers
to incorrect addresses and schools
and sharing sensitive victim information
with the wrong person,
resulted from failure to distinguish
between the data of crime victims and suspects,
which seems like a pretty fundamental distinction to get right.
The police force launched a new data quality policy,
a Think Before You Link campaign,
and compensated one of the affected individuals.
The force has accepted the reprimand,
implemented most of the recommendations,
and continues to focus on data protection training
and policy improvements.
When I was a teenager back in the 80s, there was another Dave Bittner who attended the next high
school over from mine. We would regularly get each other's phone calls. He was an avid golfer,
and I was a theater kid, so I would field questions about his tee times and he would get asked about rehearsal schedules.
Each of us had the other's phone number memorized
so we could help each other's friends connect
with the right Dave Bittner.
And that's The Cyber Wire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday
and my conversation with Selena Larson from Proofpoint.
We're discussing their research, Bumblebee Buzzes Back in Black.
That's Research Saturday. Check it out.
We'd love to know what you think of this podcast.
You can email us at cyberwire at N2K.com.
We're privileged that N2K and podcasts like the Cyber Wire
are part of the daily intelligence routine
of many of the most influential leaders and operators
in the public and private sector,
as well as the critical security teams
supporting the Fortune 500
and many of the world's preeminent intelligence
and law enforcement agencies. N2K Strategic Workforce Intelligence Thank you. This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music by Elliot Peltzman.
Our executive producers are Jennifer Iben and Brandon Karp.
Our executive editor is Peter Kilby, and I'm Dave Bittner.
Thanks for listening. We'll see you back here next week. Thank you. Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided
apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.