CyberWire Daily - Whistleblower warns of profit over protection.
Episode Date: June 13, 2024

A whistleblower claims that Microsoft prioritized profit over security. U.S. warnings of global election interference continue to rise. Cyber insurance claims hit record levels. Location tracking firm... Tile suffers a data breach. A new phishing kit creates Progressive Web Apps. Questioning the government's cyber silence. On today's Threat Vector segment, host David Moulton, Director of Thought Leadership at Unit 42, is joined by Data Privacy Attorney Daniel Rosenzweig. Together, they unravel the complexities of aligning data privacy and cybersecurity laws with technological advancements. AI powered cheating lands one student in hot water.

Our 2024 N2K CyberWire Audience Survey is underway, make your voice heard and get in the running for a $100 Amazon gift card. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

Threat Vector Segment
In this segment of Threat Vector, host David Moulton, Director of Thought Leadership at Unit 42, is joined by Data Privacy Attorney Daniel Rosenzweig. Together, they unravel the complexities of aligning data privacy and cybersecurity laws with technological advancements. Daniel shares his insights on the critical partnership between legal and tech teams. To hear David and Daniel's full conversation and learn how a deep understanding of both legal and tech realms can empower businesses to navigate evolving legal frameworks, particularly in light of emerging AI technologies, listen here. Check out Threat Vector every other Thursday in your favorite podcast app. The information provided on this segment is not intended to constitute legal advice. All information presented is for general informational purposes only. The information contained may not constitute the most up-to-date legal or interpretative compliance guidance. Contact your own attorney to obtain advice with respect to any particular legal matter.

Selected Reading
Microsoft Chose Profit Over Security and Left U.S. Government Vulnerable to Russian Hack, Whistleblower Says (ProPublica)
Microsoft president to testify about security lapses (IT News)
Spy agencies' foreign influence hub says it is issuing more private warnings (The Record)
Cyber Insurance Claims Hit Record High in North America (Infosecurity Magazine)
Hacker Accesses Internal 'Tile' Tool That Provides Location Data to Cops (404 Media)
New phishing toolkit uses PWAs to steal login credentials (Bleeping Computer)
Microsoft's Recall puts the Biden administration's cyber credibility on the line (CyberScoop)
Turkish student creates custom AI device for cheating university exam, gets arrested (Ars Technica)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me.
I have to say, Delete.me is a game changer. Within days of signing up, they started removing my
personal information from hundreds of data brokers. I finally have peace of mind knowing
my data privacy is protected. Delete.me's team does all the work for you with detailed reports
so you know exactly what's been done. Take control of your data and keep your private life Thank you. JoinDeleteMe.com slash N2K and use promo code N2K at checkout.
The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout.
That's JoinDeleteMe.com slash N2K, code N2K.
A whistleblower claims that Microsoft prioritized profit over security.
U.S. warnings of global election interference continue to rise.
Cyber insurance claims hit record levels.
Location tracking firm Tile suffers a data breach.
A new phishing kit creates progressive web apps.
Questioning the government's cyber silence.
On today's Threat Vector segment, host David Moulton, director of thought leadership at Unit 42,
is joined by data privacy attorney Daniel Rosenzweig.
Together, they unravel the complexities of aligning data privacy and
cybersecurity laws with technological advancements. And AI-powered cheating lands one student in hot
water. It's Thursday, June 13th, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Thank you for joining us once again here.
It is always great to have you with us.
An investigation by ProPublica claims that Microsoft prioritized profit over security,
leaving the U.S. government vulnerable to a major cyber attack.
In 2016, Andrew Harris, a former cybersecurity expert at Microsoft,
uncovered a severe flaw in the company's Active Directory Federation services,
a product used by millions to log into cloud-based services.
The flaw allowed attackers to forge security assertion markup language tokens, that's SAML,
enabling them to masquerade as legitimate users and access sensitive data
without detection. SAML is a computer language used to authenticate users, and this flaw meant
that hackers could generate a valid token, bypassing security measures. Harris, who had
extensive experience with the Defense Department, recognized the profound security implications of
this vulnerability,
particularly for the federal government. The flaw allowed attackers to exploit Microsoft's single sign-on feature, which permits users to access multiple applications with one login.
By forging SAML tokens, attackers could gain access to sensitive data, including national
security secrets and corporate intellectual property,
without leaving a trace.
Despite Harris's repeated warnings
and proposed interim solution,
disabling the SSO feature to mitigate the risk,
Microsoft's management dismissed his concerns.
They were wary of the potential financial impact,
fearing that acknowledging the flaw
could jeopardize a multi-billion dollar contract
with the federal government
and affect their competitive position in the cloud market.
In August of 2020, Harris left Microsoft,
frustrated by the company's inaction.
Just months later, the SolarWinds cyberattack,
one of the largest in US history, occurred.
Russian hackers exploited the very flaw
Harris had identified using the forged SAML tokens to breach multiple federal agencies,
including the National Nuclear Security Administration and the National Institutes
of Health. This breach allowed the attackers to steal sensitive data, including information related to COVID-19 research
and the U.S. nuclear weapons stockpile. Despite Harris's prior warnings, Microsoft publicly
insisted that its products were not at fault. Brad Smith, Microsoft president, assured Congress that
no vulnerabilities in Microsoft products were exploited in the SolarWinds attack and suggested
that customers could have done more to protect themselves.
However, ProPublica's investigation, supported by interviews with Harris and former colleagues,
contradicts this narrative, highlighting how Microsoft's profit-driven decisions compromised security.
Following the SolarWinds breach, Microsoft implemented measures to address the SAML vulnerability, but many of these advancements were only available through paid services, drawing further criticism.
This incident underscores the tension between Microsoft's business priorities and the imperative to protect customers from emerging cybersecurity threats.
Microsoft President Brad Smith will testify
before a U.S. House of Representatives panel
on Homeland Security later today.
We'll have coverage of that session
in tomorrow's daily briefing.
We note that while Microsoft is an N2K partner and sponsor,
we cover them the same way we do any other company.
The U.S. Foreign Malign Influence Center has issued a record number of warnings about election interference over the past year, coinciding with the 2024 presidential race.
The center, established in 2021 and part of the Office of the Director of National Intelligence, targets foreign threats, especially from Russia, China, and Iran, leveraging new technologies like generative AI.
Despite leadership changes, including Jessica Brandt's appointment as head,
some lawmakers remain concerned about the center's preparedness.
The center uses an interagency consortium to assess threats and coordinates with agencies like the FBI for further action.
Preparations for the upcoming election include exercises with various federal entities
and enhanced collaboration with state and local levels.
Cyber insurance claims in North America hit record levels in 2023, with insurance firm
Marsh reporting over 1,800 claims, driven by sophisticated cyber
attacks, the MOVEit file transfer incident, privacy claims, and more organizations purchasing
insurance. Approximately 21% of clients reported a cyber event, up slightly from 18% in 2022.
The healthcare sector submitted the most claims,
followed by communications, education,
retail, wholesale, and financial institutions.
Cyber extortion incidents, including ransomware,
surged with 282 events reported
and median extortion payments rising
from $335,000 to $6.5 million. Despite effective negotiations reducing final
payments, the percentage of demands paid increased, though fewer companies paid ransoms compared to
previous years. A hacker accessed internal tools of location tracking company Tile, stealing customer data, including names,
addresses, email addresses, and phone numbers, according to 404 Media. The breach didn't include
location data of Tile devices, but highlighted significant vulnerabilities in internal tools
intended for employee use. The hacker claimed access to everything, including tools for law enforcement
data requests, and demanded payment from Tile, which was ignored. Tile confirmed the breach
after 404 Media provided data samples, revealing that compromised admin credentials led to
unauthorized access of the customer support platform. Tile claims to have since taken steps to further prevent unauthorized access.
A new phishing kit enables cybercriminals and red-teamers to create progressive web apps, PWAs,
mimicking corporate login forms to steal credentials.
PWAs, made using HTML, CSS, and JavaScript, appear as desktop applications but run in a browser with hidden standard controls.
These apps can be deceptively convincing, featuring fake address bars showing legitimate URLs.
The phishing toolkit, created by security researcher mr.d0x, demonstrates how these PWAs can display fake login forms for various services.
While persuading users to install PWAs might be challenging, attackers can create fake software distribution sites to promote these malicious apps.
Once installed, the PWA can prompt users for credentials, making this a potentially effective phishing
technique. The PWA phishing templates are available on GitHub for testing and modification.
Gavin Wilde is a senior fellow in the Technology and International Affairs program at the Carnegie
Endowment for International Peace. In a piece for Cyberscoop, he examines the Biden administration's
silence in the face of certain controversies. Cybersecurity advocates praise initiatives like
the Secure by Design partnership to improve software security and an international coalition
to limit commercial spyware. However, recent events show significant challenges.
Experts say Microsoft's Recall feature, which tracks all device activity, poses serious privacy and security risks, directly contradicting secure-by-design principles.
Despite these concerns, the Biden administration and key cyber officials have remained silent. Critics argue that this lack of response undermines
efforts to promote secure software and curb spyware proliferation. Pressure from cybersecurity
experts forced Microsoft to make Recall opt-in and add security features, but Wilde believes
this should have been addressed proactively by regulators. He says the administration's silence
highlights the need for stronger regulatory policies
and active oversight to ensure tech companies
adhere to cybersecurity commitments.
This episode shows that despite good intentions,
more robust action is needed to secure the digital ecosystem.
Coming up after the break on our Threat Vector segment, David Moulton
is joined by data privacy attorney Daniel Rosenzweig. Together, they unravel the complexities of aligning
data privacy and cybersecurity laws with technological advancements.
Stay with us.
We could try hot yoga. Too sweaty. We could go skating. Too icy.
We could book a vacation.
Like somewhere hot.
Yeah, with pools.
And a spa.
And endless snacks.
Yes!
Yes!
Yes!
With savings of up to 40% on Transat self-packages, it's easy to say, so long to winter.
Visit Transat.com or contact your Marlin travel professional for details.
Conditions apply.
Air Transat.
Travel moves us.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done
five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta
when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been
breached. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more
at blackcloak.io.
On today's sponsored Threat Vector segment,
host David Moulton, Director of Thought Leadership at Unit 42,
is joined by data privacy attorney Daniel Rosenzweig.
Together, they unravel the complexities of aligning data privacy
and cybersecurity laws with technological advancements.
Welcome to Threat Vector, the Palo Alto Networks podcast.
Join us as we navigate pressing cybersecurity threats,
discuss robust protection strategies,
and uncover the latest industry trends.
I'm your host, David Moulton,
Director of Thought Leadership for Unit 42.
In this episode, we're diving into two compelling topics.
First, how a strong legal and technical partnership can help businesses navigate the complex world of data privacy and cybersecurity laws.
And second, we'll explore the impact of emerging AI technologies on these legal frameworks and how businesses can adapt.
My guest today is Dan Rosenzweig, the founder of a boutique data privacy law firm that specializes
in all the things you'd expect from a typical data privacy shop.
They do everything
from privacy impact assessments, risk assessments, to assisting their clients to operationalize their
legal requirements. Dan summed up the practice for me as the translation layer from legal to tech
and vice versa. The information provided on this podcast is not intended to constitute legal advice.
All information presented is for general informational purposes only.
Let's get right into our conversation.
Dan, when you and I talked before off mic, you talked about how you took the time to learn something else and blended together your background in law and an interest in and a talent for front-end development.
And it's kind of a peanut butter and chocolate space for you.
And it's impressive that you were able to find such a silver lining in what could have been, and probably was, a tough time.
Yeah.
But, you know, to have something beautiful grow out of that is amazing.
So, you know, good on you for finding code and deciding to dig into it while you were recovering.
Yeah, and I've really, I've developed a passion for all things tech,
right? I mean, I think, you know, there's a couple of things that, and I was actually speaking a
couple of days ago at an event and it really, in my view, comes down to pretty much a couple of
things that most folks, particularly lawyers, don't really follow. And I think the first one is,
and it's super corny and cliche, but it's corny and cliche for a reason.
I think it's very important to find something that makes you happy and let that drive your desires and really get you to where you want to go.
Because work is a big part of what we do on a day-to-day basis.
And finding a passion and happiness is really, really important.
And I think a lot of people lose sight of that.
And that becomes problematic for their own lives and then the people they love and those around them.
And I think if you find that passion and you're happy, you can really, you know, grow your career, even start your own shop, whatever it is that you want to do.
Your firm presents itself as the bridge between law and technology.
And I think maybe I'll just start,
like, how does that work? To level set, so the data privacy and cyberspace is evolving drastically,
literally on a daily basis. Whether it's new laws being introduced, new regulations being
introduced, not to mention the technology. We have AI, we have the upcoming deprecation of
third-party cookies, and just things are evolving and changing on a daily basis.
And a lot of these laws, particularly laws like GDPR, CCPA, and others that are now following
suit, were enacted as a response. So because it's a response to tech, it's important to understand the underlying tech
that's driving that. So for example, in the US, particularly under the CCPA, there is the notion
of giving consumers the ability to opt out of sales and shares of personal information,
i.e. targeted advertising. And it's one thing for the law to
say that, right? But it's a whole other thing to actually make that happen, technically speaking.
So if you're going to give a consumer the ability to unsubscribe or give them the ability to opt
out of targeted advertising, which is typically done through a toggle or a footer on the bottom
of a webpage next to the privacy policy, things of that nature, then you need to honor it, right?
Long gone are the days where companies can feel like they've accomplished their data privacy and
even their cybersecurity compliance by virtue of drafting policies, right? Now, the policies are
incredibly important. I'm not at all belittling them, but you have to actually action those
policies. And the folks that are actioning them are the developers,
are the product, are those folks.
Are there any regulations that developers or lawyers
should be particularly aware of
as these technology and policy changes are coming
that are going to impact that working relationship?
Yeah, I think just keeping in mind that this space, particularly on the legal side,
of course, as well as the technical side,
but the legal side in particular,
is just changing literally every day.
I mean, in the last two weeks,
several new laws were introduced
in various different states.
A federal law was introduced, right?
So it's just constantly evolving.
And I think being able to be aware of that, right, from the developer side, check in with
your privacy lawyer and your in-house cybersecurity lawyer and say, hey, what's going on here?
What are the trends?
What are things that we should be aware of?
And I think having maybe a quarterly cadence or a monthly cadence, depending on the risk posture of the company, between legal, product,
tech, and even marketing. We didn't even really get into marketing. Marketing is a huge player
in this space. Because think about it, the marketing team is the one actually boots on
the ground working with these pixels. They're the ones either themselves or working with agencies introducing these technologies to the site or the app. They're
then responsible to an extent, so they need to be educated on this. And I think that's important.
And then that's great. If you have your marketing team pushing back on the vendors and say,
hey, you're saying you're privacy compliant, what does that mean? Your legal team is then going to be very happy for you to do that,
acting as a champion,
but it will also make your life a hell of a lot easier.
I can't tell you how many times I work with a major retailer
and during the holiday season,
they have a bunch of new campaigns
that they're introducing the marketing team and the business side.
They're like, hey, we got to market this.
We got to advertise this, which is great.
That's their business.
But ultimately what happens is
they'll introduce these technologies
to no fault of their own.
Again, they're doing what they need to do
from their business perspective and their objectives.
They don't necessarily know, as a process,
to speak with legal or speak with tech,
again, as a partner, not as an impediment.
And what happens is they introduce these technologies.
And now a bunch of unintended consequences are happening with respect to data on the app or website.
And guess what? We now have to go during the 11th hour, go and fix that. And that at a time where
you don't want to be doing that, you want to be driving traffic to your site and driving the
product. So having marketing, dev, product, legal, all of everyone together, truly, like I said earlier, like a kumbaya moment together and have that frequent ongoing discussion and be each other's champions, I think will go a really long way.
And really, the way to do that is legal, tech, marketing, everyone working together, translation between each other,
and being excited to work together
to be a champion in this space.
And I think that will not only save time
and resources for the company,
but I think will also bring about
positive reinforcement for the company
because ultimately consumers,
as we've been discussing, care about privacy.
So I think it's a positive thing for everyone.
Recently, we heard from Noelle Russell,
and she was talking about an AI red team
that would look at your tools and your usage
and how you're either putting data in
or the types of answers that come out.
And to be thoughtful about those AI tools,
it seems to me that sometimes a benign use
can actually have a harmful output.
And with the generative side,
you're not always sure what you're going to get consistently over time.
And the speed of AI right now is just, I mean, it's blistering.
So if nothing else, I think this will be an
interesting conversation for you and I to come back in and we'll say six months, which might
feel like six years with this technology in this space and have another conversation on it. So Dan,
as we wrap up today, what's the most important thing for a listener to take away from this conversation?
Legal should not be viewed as an impediment. I think they can be a champion with you. And I think working between marketing, development and technology and legal all together, I think can be an incredibly powerful, powerful thing.
Dan, thanks for being on Threat Vector today.
I really appreciated the depth and thought that you put into all of my questions.
I'm sure the audience learned just as much as I did.
Thanks for having me.
Really appreciate it.
That's it for Threat Vector this week.
I want to thank the Threat Vector team.
Michael Heller is our executive producer.
Our content team includes Sheila Drosky,
Daniel Wilkins, and Danny Milrad.
I edit the show and Elliot Peltzman mixes the audio.
We'll be back in two weeks.
Until then, stay secure, stay vigilant.
Goodbye for now.
You can hear the rest of this conversation and all of the Threat Vector episodes in your favorite podcast app.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep
your company safe and compliant.
And finally, Turkish police nabbed a student who was using an AI-powered cheat system during a university entrance exam in Isparta.
The student's high-tech kit included a camera disguised as a
shirt button and a cellular modem hidden in a shoe, all linked to AI software. The clever setup
scanned exam questions and fed the answers to the student via an earpiece. Authorities became
suspicious of the student's behavior, leading to the arrest.
If only the student had used their time and energy for studying instead of cheating.
I know it's a lot less fun, but still.
Stay in school, friends.
And that's The Cyber Wire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
We're privileged that N2K Cyber Wire is part of the daily routine of the most influential leaders and operators in the public and private sector,
from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people.
We make you smarter about your teams while making your teams smarter.
Learn how at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester with original music and sound design by Elliot Peltzman.
Our executive producer is Jennifer Iben.
Our executive editor is Brandon Karp.
Simone Petrella is our president.
Peter Kilby is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com.