CyberWire Daily - Will Plankey lead CISA to victory?
Episode Date: March 12, 2025

The White House names their nominee for CISA's top spot. Patch Tuesday updates. Apple issues emergency updates for a zero-day WebKit vulnerability. Researchers highlight advanced MFA-bypassing techniques. North Korea's Lazarus Group targets cryptocurrency wallets and browser data. Our guest today is Rocco D'Amico of Brass Valley discussing hidden risks in retired devices and reducing data breach threats. Making sense of the skills gap paradox.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Joining us today is Rocco D'Amico of Brass Valley discussing hidden risks in retired devices and reducing data breach threats.

Selected Reading
Trump nominates Sean Plankey as new CISA director (TechCrunch)
CISA worker says 100-strong red team fired after DOGE action (The Register)
March 2025 Patch Tuesday: Microsoft Fixes 57 Vulnerabilities, 7 Zero-Days (Hackread)
ICS Patch Tuesday: Advisories Published by CISA, Schneider Electric, Siemens (SecurityWeek)
CISA Warns of Microsoft Windows Management Console (MMC) Vulnerability Exploited in Wild (Cyber Security News)
Apple WebKit Zero-Day Vulnerability Actively Exploit in High Profile Cyber Attacks (Cyber Security News)
Hackers Using Advanced MFA-Bypassing Techniques To Gain Access To User Account (Cyber Security News)
North Korean Lazarus hackers infect hundreds via npm packages (Bleeping Computer)
Welcome to the skills gap paradox (Computing)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry.
Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
We've all been there.
You realize your business needs to hire someone yesterday.
How can you find amazing candidates fast?
Well, it's easy.
Just use indeed.
When it comes to hiring, Indeed is all you need.
Stop struggling to get your job post noticed.
Indeed's Sponsored Jobs helps you stand out and hire fast.
Your post jumps to the top of search results, so the right candidates see it first.
And it works.
Sponsored jobs on Indeed get 45% more applications than non-sponsored ones.
One of the things I love about Indeed is how fast it makes hiring.
And yes, we do actually use Indeed for hiring here at N2K Cyberwire.
Many of my colleagues here came to us through Indeed.
Plus, with sponsored jobs there are no subscriptions, no long-term contracts.
You only pay for results.
How fast is Indeed?
Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed, according
to Indeed data worldwide.
There's no need to wait any longer.
Speed up your hiring right now with Indeed.
And listeners to this show will get a $75 sponsored job credit to get your jobs more visibility at indeed.com slash cyber wire.
Just go to indeed.com slash cyber wire right now and support our show by saying you heard about Indeed on this podcast.
Indeed.com slash cyber wire.
Terms and conditions apply.
Hiring, indeed, is all you need.
The White House names their nominee for CISA's top spot.
Patch Tuesday updates.
Apple issues emergency updates for a zero-day WebKit vulnerability.
Researchers highlight advanced MFA bypassing techniques.
North Korea's Lazarus Group targets cryptocurrency wallets and browser data.
Our guest today is Rocco D'Amico of Brass Valley discussing hidden risks in retired devices, and making sense of the skills gap paradox.
It's Wednesday, March 12, 2025.
I'm Dave Bittner and this is your CyberWire Intel Briefing.
Hello again and thank you for joining us.
It is great to have you with us today.
Sean Plankey, a former cybersecurity official in the Trump administration, has been nominated
to lead the Cybersecurity and Infrastructure Security Agency, CISA.
His nomination is under Senate review.
A U.S. Coast Guard veteran, Plankey previously served in key cybersecurity roles
at the Department of Energy and National Security Council, earning a Bronze Star for offensive
cyber operations in Afghanistan. Until recently, he led cybersecurity efforts at Indigo Vault.
CISA faces criticism with some lawmakers questioning its mission scope.
Supporters praise Plankey's expertise, citing his focus on risk reduction and national security.
He advocates for stricter cloud security regulations and reciprocity in cyber policy.
Plankey has emphasized reducing reliance on adversarial nations for critical infrastructure.
Meanwhile, a former CISA penetration tester claims his 100-person team was cut after Elon Musk's DOGE unit canceled their contract.
Christopher Chenoweth says DOGE also axed another red team, leaving many cybersecurity experts jobless.
DOGE, the federal cost-cutting advisory group, has targeted multiple DHS contracts.
Meanwhile, the EI-ISAC, a key election security initiative, shut down after DHS funding was cut, and the MS-ISAC faces similar risks.
Experts warn these cuts weaken cybersecurity for elections and local governments.
Microsoft's March 2025 Patch Tuesday update fixes 57 vulnerabilities, including seven
zero days, six of which were actively exploited.
The patches address privilege escalation, remote code execution, security bypass, and
information disclosure flaws.
One critical zero day allows local attackers
to gain system privileges via a race condition
in the Windows Win32 kernel.
Two NTFS vulnerabilities let attackers extract sensitive data
using a malicious USB drive.
A publicly disclosed zero day is an RCE flaw
in Microsoft Access.
Critical RCE vulnerabilities impact Windows Remote Desktop Services, Microsoft Office,
DNS, and the Windows Subsystem for Linux.
The NTFS and FAT flaws are particularly concerning as they enable malware delivery via crafted
virtual hard disk files.
Security experts urge immediate patching,
especially for office vulnerabilities,
to mitigate exploitation risks.
Other vendors, including Cisco, Google, and Fortinet,
have also issued March security updates.
Siemens and Schneider Electric have issued
their March 2025 Patch Tuesday ICS security advisories addressing multiple vulnerabilities.
Schneider Electric warns of a critical flaw in EcoStruxure
that allows command execution if the default password isn't
changed, along with authentication bypass
and sensitive data exposure issues.
Siemens patched 11 advisories, including a bootloader flaw
in SINAMICS S200, privilege
escalation in SiPass controllers, and authentication bypass vulnerabilities in multiple products.
OpenVPN and BIOS vulnerabilities were also fixed.
CISA released two ICS advisories, highlighting critical flaws in Optigo Networks' capture
tools and a patched Schneider Electric Uni-Telway driver vulnerability.
Security experts urge immediate updates to protect industrial systems from exploitation.
CISA has also issued an urgent advisory for a critical vulnerability in Microsoft Windows Management Console that allows remote code execution.
Attackers exploit improper input sanitization, enabling lateral movement, data theft, or malware deployment.
Federal agencies must patch by April 2nd.
Microsoft released an out-of-band patch on March 10th, 2025.
Organizations should apply updates immediately, restrict
MMC access via firewall rules, and monitor for exploitation.
Systems with exposed MMC services are at high risk.
While not confirmed in ransomware attacks, its network-based attack vector makes it dangerous.
CISA urges private organizations to prioritize patching and adopt zero-trust architectures
to protect against future threats.
Apple has issued emergency security updates to patch a zero-day WebKit vulnerability actively
exploited in targeted attacks.
The flaw, an out-of-bounds write issue, allows malicious web content to escape the
web content sandbox, potentially enabling unauthorized actions. The update affects iOS,
iPadOS, macOS, Safari, visionOS, and tvOS. Apple warns that the vulnerability was used
in sophisticated attacks on older iOS versions.
This is Apple's third zero-day fix in 2025, following similar patches in January and February.
Users should update immediately to mitigate risks, as Apple has not disclosed attacker
details or targets.
Adversaries are exploiting advanced MFA bypassing techniques to gain unauthorized access to
accounts, manipulating authentication workflows rather than breaking authentication factors.
Researchers at Quarkslab discovered that attackers exploit timing vulnerabilities and
session token manipulation to trick systems into believing MFA was successfully completed.
A particularly dangerous technique involves intercepting and modifying authentication
response data, injecting JavaScript code to alter session flags before MFA verification is
finalized. These attacks are hard to detect, leaving minimal forensic evidence, and often
appear as legitimate authentication
events.
The vulnerability primarily affects systems that separate authentication and resource
servers, creating gaps attackers exploit during network latency or error conditions.
Experts recommend continuous MFA validation and cryptographically signed session tokens
to prevent unauthorized
modifications.
Users should monitor accounts for suspicious activity despite MFA being enabled.
Researchers have identified six malicious NPM packages linked to the Lazarus Group,
a North Korean hacking collective.
These typo-squatting packages, downloaded 330 times, aim to steal credentials, deploy
backdoors, and extract cryptocurrency data.
The Socket Research team linked this attack to previous Lazarus supply chain operations
seen on npm, GitHub, and PyPI.
The malware targets cryptocurrency wallets and browser-stored data.
It also loads the BeaverTail and InvisibleFerret backdoors.
All six packages remain active, and developers are urged to scrutinize dependencies for suspicious activity.
Coming up after the break, my conversation with Rocco D'Amico from Brass Valley discussing the hidden risks in retired devices, plus making sense of the skills gap paradox.
Stay with us.
Cyber threats are more sophisticated than ever.
Passwords?
They're outdated and can be cracked in a minute.
Cyber criminals are intercepting SMS codes and bypassing authentication apps.
While businesses invest in network security, they often overlook the front door, the login.
Yubico believes the future is passwordless.
YubiKeys offer unparalleled protection against phishing for individuals, SMBs and enterprises.
They deliver a fast, frictionless experience that users love.
Ubico is offering N2K followers a limited buy one get one offer.
Visit ubico.com slash N2K to unlock this deal.
That's Y-U-B-I-C-O.
Say no to modern cyber threats.
Upgrade your security today.
Do you know the status of your compliance controls right now? Like right now.
We know that real-time visibility is critical for security, but when it comes to our GRC
programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous
visibility into their controls with Vanta. Here's the gist, Vanta brings automation
to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize
key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC.
Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for a thousand dollars off.
My guest today is Rocco D'Amico from Brass Valley.
Our conversation centers on the hidden risks in retired devices and reducing data breach
threats.
Well, there's two aspects to that.
One is businesses and the other aspect is just individual computer users.
I think individual computer users at your house, I think some people think you can just
do an fdisk or something like that and erase the data.
But in reality, you're really not getting the data and erasing it.
You should try to find a competent resource that can help you recycle and destroy data.
You probably can get those through Best Buy or companies like that.
From the business side, people don't...
Some people do a good job and other people
don't do a good job.
I think that what we find is in data centers,
as people move to the cloud, one of the things that gets
overlooked is hidden media.
And folks will do a really good job
at identifying where the hard drives are and they will do a
good job typically of erasing or physically destroying the hard drives, but when it comes to other areas that
store data they get missed and they get missed by the people that are actually
doing the work in terms of doing the data destruction. Because what happens is in data center,
they use servers and they use arrays.
And what happens is arrays for a long time
have been built for speed and self-healing.
And that means there's some types of buffer memory
inside those arrays.
And typically, it's not where the hard drives reside.
It's usually in a different spot.
And so if you're not looking for it,
it's somewhat easy to miss.
But it still contains all the data that goes on the hard drive.
So we find that's one of the gaps
that folks miss in this process, particularly with data centers.
That's interesting.
I mean, I've seen some arrays have combinations
of spinning hard drives and SSDs.
I would imagine that's similar to what you're talking about.
It is, it is.
And it's harder to identify them now because there are SSDs.
But you really have to know the architecture of the system
to really do a thorough job.
And so for example, some of the software
won't work on some of the other types of drives
or some of the other media.
So you just have to know what you're doing to be able to make
sure you get everything.
Can you give us some idea of what you all consider
best practices to be as an organization
is turning over equipment?
What's the baseline they should be thinking about?
Yeah, so you're going... Ultimately, your goal is to have a complete chain of custody.
So that starts with understanding what you have and having a strong inventory list of what you have,
then reconciling that inventory list against lists that your ITAD provider gives you that
gives you forensic proof that data was destroyed.
And you also want to be able to show the movement
of the equipment.
You want to be able to show a bill of lading that
shows the equipment going from your facility
to the vendor's facility.
And you also, ideally, in a perfect world,
you want to see where it goes after that.
Because they may be reselling it,
and they may be sending it downstream for recycling, and
to have that complete cradle-to-grave chain of custody,
you'd want to be able to document all those aspects of the process.
Well, that brings up a good question here,
which is, if I'm shopping around for someone to help me with these recycling tasks,
what sort of questions should I be asking?
"Have you had any security incidents?" would be a good one,
because there's more out there than you think.
I guess I would ask to look at their reporting
and see what their reporting is comprised of.
As I said before, a complete chain of custody
is going to show the movement of the equipment,
not just a certificate of destruction
or a certificate of recycling.
You're gonna wanna be able to see
the movement of the equipment.
And one of the reasons behind that is that,
in my view, electronics is considered universal waste.
Many of the electronics devices that we handle
are classified as universal waste.
And the universal waste classification
is one where universal waste is really
kind of hazardous waste, but it's not exactly treated
like that until something goes wrong.
So if you handle hazardous waste, you really have to have a chain of custody that shows
the movement of the equipment.
And so we think that it's best practice to have that for the electronics industry as
well.
So I would look at their chain of custody and see what they can give you.
And that's so important because if something goes wrong, really your only defense
is how good your chain of custody, your documentation, is.
How can an organization go through and figure out, you know, where they're doing well and where they have weaknesses?
I think it's important to reconcile the documentation that you get back with your existing lists.
One step, I think, is what we've done internally: we've established high reliability practices in our organization.
High reliability was originally developed by the nuclear industry.
It was a place where if something goes wrong, it really is catastrophic.
And it's to prevent just human errors.
And it was developed in nuclear,
and then it was adopted by the airline industry
and then by the healthcare industry.
So if you've ever gone to the hospital, the doctors,
and they're asking you questions two or three times,
like, are you Rocco D'Amico?
And you say, yes, I am, and they check your date of birth.
That's two-way cross-checks.
If you've been on a plane, and just before they take off,
you'll hear the pilot say, cross-check complete.
That's all high-reliability practices.
So that way, things don't fall through the cracks.
So I think as an initiative in an organization,
if you really want to get tight, and you've
got otherwise solid processes,
and you want to eliminate individual errors
and the human error effect,
that would be a direction I would look.
How about just the sort of human factor of,
it's easy to put things off, right?
Like, many a time have I wandered into, you know, the IT team's inner sanctum.
And there's a pile of equipment sitting in the corner, right? Or a stack of laptops. And,
you know, you move from one location to another and we're all busy and we've all got stuff to do.
It's understandable to me how things like that can be put off.
How do you put in a framework or you know checklists or whatever you need to
do to make sure that those things just don't stack up to the point where they
become a problem? I find that we'll see situations like the one you
described more often than not based on the culture of the organization.
So it really is an entire cultural attitude,
the way people look at data security.
So once they're aware of it,
with many of the banks that I work with, you won't find that.
You just won't find it.
So I believe it's a culture.
It's a culture thing because everybody's got to be aware
of it and everybody has to be on board with that.
So, I don't know if there's a checklist
you can make that does that.
Right, right.
So yeah, that's very interesting, the cultural component
that I guess it's an expectation company-wide.
Absolutely, absolutely.
And this is, high reliability helps here too,
because it gives people a way,
like if you walk in that room,
you could say without fear
that you were going to burn a bridge
or hurt somebody's feelings like,
hey Steve, I noticed you've had those laptops here.
You know, I just want to remind you,
it's our policy to do this.
And high reliability gives you a mechanism
to raise that with Steve first.
And then if Steve doesn't respond,
you can raise it to the next level
and nobody's going to get offended.
Because the goal is data security.
I mean, that's the ultimate goal.
And we're all supposed to be pulling in that same direction.
When you're working with people and onboarding them,
getting them up to speed,
are there common misunderstandings that you come up against regularly?
I think, yeah, I think there is.
I think people really don't understand.
The guys we deal with, IT guys, they understand what goes on inside the firewall, but outside
the firewall, which is where I live,
they don't understand it as well.
And so there is a level of education, as I said before,
in terms of chain of custody, why we do the things
that we do, what we can do to help you reduce
the cost of the process, things like that.
There is an educational process that goes on.
But data security inside their building
is usually pretty tight.
But once it gets outside their firewall
or gets off network,
that's when the human processes have a larger sway
in what happens.
And it's just not necessarily their sweet spot.
That's Rocco D'Amico from Brass Valley.
Hey everybody, Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try DeleteMe.
I have to say, DeleteMe is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data
brokers. I finally have peace of mind knowing my data privacy is protected.
DeleteMe's team does all the work for you with detailed reports so you know exactly
what's been done.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for our listeners.
Today, get 20% off your DeleteMe plan when you go to joindeleteme.com slash n2k and
use promo code n2k at checkout.
The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash N2K, code N2K.
And finally, the tech industry finds itself in a bit of a bizarre paradox.
IT leaders can't find skilled workers, yet graduates in computer science and data science
can't land jobs.
It's like a dating app where everyone swipes left.
The issue?
Employers want job-ready recruits, but don't want to train them.
Automated hiring systems favor keyword-stuffed resumes, entry-level jobs demand senior-level experience,
and companies lean on underpaid interns
instead of hiring full-time staff.
Meanwhile, cybersecurity teams are especially guilty.
31% employ no entry-level pros at all.
Post-COVID layoffs flooded the job market
with experienced workers, making things even harder
for fresh grads.
Plus, budgets are tight, salaries uncompetitive,
and companies are hoarding trusted employees
instead of hiring new ones.
Software development, cloud, AI, and cybersecurity
are in demand, but not if you want fair pay.
It's not all bad news.
The data shows that for graduates, this hiring freeze might be temporary, but for employers,
the skills gap seems to be here to stay.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at the cyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly
changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with original music and sound design by Elliot Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
And now, a message from our sponsor Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue
to rise, with an 18% year-over-year increase in ransomware attacks and a $75 million record
payout in 2024.
These traditional security tools expand your attack surface with public-facing IPs that
are exploited by bad actors more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps
and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not
the entire network, continuously verifying every request based on identity and context, simplifying
security management with AI-powered automation, and detecting threats using AI to analyze
over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.