Law enforcement agencies take down AVCheck, four US Senators urge the reinstatement of the Cyber Safety Review Board, Germany identifies the leader of the TrickBot gang, and an AI vibe-coding platform leaks user data and API keys.
Navigating AI Cyber Threats and Critical Infrastructure Vulnerabilities

In this episode of Cybersecurity Today, host Jim Love discusses the recent cyber attack on AI platform DeepSeek that exploited open source vulnerabilities. He highlights significant challenges in U.S. cybersecurity oversight following disruptions in key bodies like the Cyber Safety Review Board. The episode also covers a backdoor on Juniper routers that is being actively exploited, and the FBI warning about misuse of local admin accounts. Organizations are urged to bolster their defenses by reviewing admin logs and enforcing stronger access controls amid evolving cyber threats.

00:00 Introduction to Cybersecurity Challenges
00:23 DeepSeek Cyber Attack Incident
01:10 Leadership Crisis in Cybersecurity Oversight
02:28 Juniper Router Backdoor Vulnerability
03:49 FBI Warning on Local Admin Account Exploits
04:55 Conclusion and Contact Information
Forecast: Murdoc botnet storms hit IoT devices, Mastercard's DNS flaw clouds visibility, and DHS shutdowns leave security in the dark.

In this episode of Storm⚡️Watch, we explore a major DNS misconfiguration at Mastercard that went undetected for over four years. Security researcher Philippe Caturegli uncovered a simple but critical typo in Mastercard's DNS nameserver records: one of the five authoritative nameservers was listed under "akam.ne" (the country-code TLD of Niger) instead of Akamai's "akam.net". Roughly one in five DNS requests for Mastercard's domain were therefore directed at a nameserver name that Mastercard did not control, and an attacker who registered that name could have intercepted email, captured Windows authentication credentials, and distributed malware through trusted domains.

The cybersecurity community was rocked by news that several crucial Department of Homeland Security advisory committees have been terminated. The Cyber Safety Review Board, which was actively investigating the Salt Typhoon hacks targeting U.S. telecommunications companies, was among the disbanded groups. This move has interrupted ongoing investigations into communications targeting high-profile political figures and raised concerns about gaps in information sharing and policy recommendations.

A sophisticated new variant of the Mirai malware called the Murdoc Botnet has emerged, targeting IoT devices worldwide. With over 1,300 compromised devices and more than 100 command-and-control servers, this botnet specifically exploits vulnerabilities in AVTECH IP cameras and Huawei HG532 routers. Between December 2024 and January 2025, the botnet launched significant DDoS campaigns against Japanese corporations, banks, and organizations across multiple sectors in various countries.

The 2022 HIPAA Breach Report reveals concerning trends in healthcare security. There were 626 incidents affecting over 41 million people, with hacking and IT incidents accounting for 74% of all large breaches. Surprisingly, paper records remain a significant vulnerability, especially in smaller breaches. The report highlights persistent issues with weak authentication practices, insufficient audit controls, and incomplete risk analyses, resulting in major settlements totaling over $2.4 million.

Join us for an in-depth discussion of these critical cybersecurity developments and their implications for the industry. Don't forget to check out the upcoming GreyNoise University Live event for more insights into threat intelligence and network security.

Storm Watch Homepage
Learn more about GreyNoise
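The check that would have caught the akam.ne typo, as an added example that is not from the Storm⚡️Watch episode or from Caturegli's research: audit every NS record in a zone against an allow-list of the DNS providers the organisation actually delegates to, and when a provider domain is not on the list, report whether it is a near-miss (one or two edits away from a trusted name, so probably a typo) or simply unknown. The trusted list and the NS record set below are constructed; in practice you would feed the function the NS set your resolver returns for each zone. The two-label `registrable_domain` helper is a deliberate simplification and does not handle public suffixes such as co.uk.

```python
from dataclasses import dataclass

# Assumption: the providers this organisation really delegates to. Constructed.
TRUSTED_NS_DOMAINS = {"akam.net", "akamaiedge.net", "example-dns.com"}

# Constructed NS record set, modelled on the Mastercard case: one of the five
# nameservers carries a one-character typo in the provider domain.
CONSTRUCTED_NS_RECORDS = {
    "example-bank.test": [
        "a1-1.akam.net.",
        "a2-2.akam.net.",
        "a3-3.akam.ne.",
        "ns1.example-dns.com.",
        "ns9.unknown-host.test.",
    ],
}


@dataclass
class Finding:
    zone: str
    nameserver: str
    reason: str


def registrable_domain(hostname: str) -> str:
    """Last two labels of a hostname. Simplification: ignores public-suffix
    rules (co.uk etc.), which a production check must handle."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 'akam.ne' vs 'akam.net' is 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_nameservers(records, trusted, max_distance=2):
    """Flag every NS whose provider domain is not on the allow-list, naming the
    trusted domain it most resembles when it is a near-miss (likely typo)."""
    findings = []
    for zone, servers in records.items():
        for ns in servers:
            provider = registrable_domain(ns)
            if provider in trusted:
                continue
            closest = min(trusted, key=lambda t: edit_distance(provider, t))
            dist = edit_distance(provider, closest)
            if dist <= max_distance:
                reason = f"likely typo of {closest} (edit distance {dist})"
            else:
                reason = "provider not in trusted list"
            findings.append(Finding(zone, ns, reason))
    return findings


if __name__ == "__main__":
    for f in audit_nameservers(CONSTRUCTED_NS_RECORDS, TRUSTED_NS_DOMAINS):
        print(f"{f.zone}: {f.nameserver} -> {f.reason}")
```

Run against the constructed records this reports two findings: a3-3.akam.ne. as a likely typo of akam.net, and ns9.unknown-host.test. as an unlisted provider. The edit-distance threshold is small on purpose; a larger one starts matching unrelated short domains, and the point of the check is that a typo in your own delegation is worth an alert before someone else registers the misspelled name.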
The Department of Homeland Security's Cyber Safety Review Board will look into an alleged China-linked hack of U.S. telecom networks. Learn more about your ad choices. Visit podcastchoices.com/adchoicesSee Privacy Policy at https://art19.com/privacy and California Privacy Notice at https://art19.com/privacy#do-not-sell-my-info.
Video Episode: https://youtu.be/_DKTFyP1bOM

In today’s episode, we discuss Microsoft’s recent cybersecurity initiatives, including the appointment of deputy CISOs and the launch of the Cybersecurity Governance Council as part of their Secure Future Initiative to enhance internal security measures and reduce risks. We also explore the implications of ‘never expire’ passwords in cybersecurity, highlighting the potential risks while considering the practicality of password policies. Additionally, we cover critical vulnerabilities found in Microchip’s software affecting IoT devices and Discord’s introduction of the new DAVE protocol for secure audio and video communication.

Article URLs:
1. https://www.cybersecuritydive.com/news/microsoft-deputy-cisos-security/727763/
2. https://thehackernews.com/2024/09/why-never-expire-passwords-can-be-risky.html
3. https://thehackernews.com/2024/09/critical-flaw-in-microchip-asf-exposes.html
4. https://thehackernews.com/2024/09/discord-introduces-dave-protocol-for.html

Timestamps
00:00 – Introduction
01:07 – Microsoft Removes Inactive Accounts
02:48 – IoT RCE Vulnerability
04:53 – Discord’s DAVE end-to-end Encryption
06:00 – Should all passwords expire?

1. What are today’s top cybersecurity news stories?
2. What security changes is Microsoft implementing in its internal practices?
3. How is Microsoft addressing its internal security culture?
4. What vulnerabilities were recently disclosed for Microchip’s Advanced Software Framework?
5. Why might ‘never expire’ passwords pose a risk in organizations?
6. What is Discord’s new DAVE protocol and how does it enhance security?
7. How is Microsoft restructuring its cybersecurity governance?
8. What impact did the federal Cyber Safety Review Board report have on Microsoft?
9. What recent vulnerabilities affect IoT devices and what are their risks?
10. How is Microsoft training its staff to improve security practices?
Microsoft, deputy CISOs, security breach, email theft, passwords, cybersecurity, expiration, IT help desk, Microchip, IoT, vulnerability, remote code execution, DAVE protocol, end-to-end encryption, audio calls, video calls
The Department of Homeland Security's Cyber Safety Review Board is preparing to launch its next big investigation. Trouble is the board itself faces an uncertain future as DHS calls on Congress to permanently authorize the CSRB into law. For the latest, we turn to Federal News Network's Justin Doubleday.
China's dominance of global supply chains for many goods, including clean energy technology, is increasing concerns about resilience, security, and geopolitical influence in today's new era of great power competition. At the same time, efforts to curb China's dominance are raising concerns about the cost of clean energy at a time when its rapid deployment is needed. So are we in a new Cold War with China? Should American policymakers try to decouple from China? And how should policymakers address China's supply chain dominance of the materials needed for the energy transition? This week, host Jason Bordoff talks with Dmitri Alperovitch about his new book “World on the Brink: How America Can Beat China in the Race for the 21st Century.” They discuss what the strategic challenges from China mean for American policymakers, how the U.S. can diversify critical supply chains away from China, and the security of America's energy infrastructure. Dmitri is the co-founder and chairman of Silverado Policy Accelerator. He is a co-founder and former CTO of CrowdStrike. Dmitri previously served as special advisor to the Department of Defense and currently serves on the Department of Homeland Security Advisory Council and the Cybersecurity and Infrastructure Security Agency's Cyber Safety Review Board.
In the aftermath of the CrowdStrike outage, Delta Air Lines estimates a $500 million loss due to flight cancellations and related financial repercussions. Delta is considering legal action against CrowdStrike and Microsoft, and shareholders have also filed a lawsuit against CrowdStrike for allegedly misleading information. The Cyber Safety Review Board is contemplating an investigation into CrowdStrike's incident, while over 180 software companies have committed to CISA's Secure by Design pledge to enhance cybersecurity practices.

The episode also covers new tools and enhancements in the tech industry, including Gradient MSP's benchmark tool for managed services providers, Cohesity's AI-powered data cloud with improved threat detection capabilities, and NIST's Dioptra for assessing security risks in AI models. The discussion delves into the evolving landscape of SaaS pricing in the AI era, highlighting the shift towards usage-based pricing models and the importance of adapting pricing strategies to capitalize on AI capabilities. Additionally, strategies for successful IT outsourcing partnerships are outlined, emphasizing the need for clear communication, defined goals, and talent acquisition.

Dave Sobel provides insights into the impact of the CrowdStrike outage on managed services providers and their clients, noting regional differences in the effects of the incident. The episode also previews upcoming bonus content, including discussions on AI and security, the AI promise of enhancing top performers, and insights on automating workflows using artificial intelligence.
Three things to know today
00:00 CrowdStrike Outage Impact: Delta's $500M Loss, Shareholder Lawsuit, CSRB Consideration, and CISA Pledge Growth
04:16 New Tools and Enhancements: Gradient MSP's Benchmark Tool, Cohesity's AI-Powered Data Cloud, and NIST's Dioptra for AI Security
05:46 Navigating the Future of SaaS Pricing and IT Outsourcing: Strategies for Success in the AI Era

Supported by: https://timezest.com/mspradio/ https://www.huntress.com/mspradio/
All our Sponsors: https://businessof.tech/sponsors/
Do you want the show on your podcast app or the written versions of the stories? Subscribe to the Business of Tech: https://www.businessof.tech/subscribe/
Looking for a link from the stories? The entire script of the show, with links to articles, is posted in each story on https://www.businessof.tech/
Support the show on Patreon: https://patreon.com/mspradio/
Want our stuff? Cool Merch? Wear “Why Do We Care?” - Visit https://mspradio.myspreadshop.com
Follow us on:
LinkedIn: https://www.linkedin.com/company/28908079/
YouTube: https://youtube.com/mspradio/
Facebook: https://www.facebook.com/mspradionews/
Instagram: https://www.instagram.com/mspradio/
TikTok: https://www.tiktok.com/@businessoftech
Bluesky: https://bsky.app/profile/businessoftech.bsky.social
Amongst the most bizarro things about last week's truly bizarre Presidential debate was how much Biden and Trump were in violent agreement on China. Trump certainly has won the ideological battle about the supposedly existential China threat and the two decrepit old men both celebrate American embroilment in a second Cold War. This is great news, of course, for America's sprawling military industrial complex with its unquenchable thirst for rearmament and military engagement overseas. I'm not sure that the DC based Dmitri Alperovitch is a card carrying member of that establishment, but he's certainly a slick China hawk who fears that the world is on the brink of a major conflict over Taiwan with Xi's supposedly “Marxist-Leninist” regime. Maybe, maybe not. But talking to him about “winning” what he calls the “Cold War II” is a surreal throwback to a Fifties paranoia about the supposed existential threat of the Marxist-Leninist Soviet Union. America “won” the first Cold War; I doubt it can afford to win the second.

Dmitri Alperovitch is an internationally recognized thought leader on geopolitics and national security and co-founder and executive chairman of Silverado Policy Accelerator, a think-tank focused on policy solutions in national security, trade and industrial security, and ecological and economic security. He is also the former CTO of the cybersecurity company CrowdStrike Inc. Alperovitch serves on the Homeland Security Advisory Council of the Department of Homeland Security and as a founding board member of the US Government's Cyber Safety Review Board, and has previously served as a special advisor to the Department of Defense. He is the host of Silverado's “Geopolitics Decanted” podcast.

Named as one of the "100 most connected men" by GQ magazine, Andrew Keen is amongst the world's best known broadcasters and commentators. In addition to presenting KEEN ON, he is the host of the long-running How To Fix Democracy show.
He is also the author of four prescient books about digital technology: CULT OF THE AMATEUR, DIGITAL VERTIGO, THE INTERNET IS NOT THE ANSWER and HOW TO FIX THE FUTURE. Andrew lives in San Francisco, is married to Cassandra Knight, Google's VP of Litigation & Discovery, and has two grown children. This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit keenon.substack.com/subscribe
The Cyber Safety Review Board's (CSRB) report on the Summer 2023 Microsoft Exchange Online intrusion sheds light on how a series of flaws in Microsoft's cloud infrastructure and security processes allowed a hacking group associated with the People's Republic of China (PRC) to strike the “equivalent of gold” in accessing the official email accounts of many of the most senior U.S. government officials managing the U.S. government's relationship with the PRC. Lawfare Senior Editor Stephanie Pell sat down with Maia Hamin, Associate Director with the Atlantic Council's Cyber Statecraft Initiative; Trey Herr, Assistant Professor of cybersecurity and policy at American University's School of International Service and Director of the Cyber Statecraft Initiative at the Atlantic Council; and Marc Rogers, Co-Founder and Chief Technology Officer for the AI observability startup nbhd.ai, to discuss their recent Lawfare piece about the CSRB's report and the lagging state of cloud security policy. They talked about ways to improve cloud service provider transparency, other investigative and regulatory tools that could facilitate better cloud security, and their thoughts on Microsoft's response to the CSRB's report. To receive ad-free podcasts, become a Lawfare Material Supporter at www.patreon.com/lawfare. You can also support Lawfare by making a one-time donation at https://givebutter.com/c/trumptrials. Support this show http://supporter.acast.com/lawfare. Hosted on Acast. See acast.com/privacy for more information.
In today's episode, we discuss Microsoft's commitment to take full responsibility for security failures, as detailed in Brad Smith's House testimony (https://www.cybersecuritydive.com/news/microsoft--security-failures-house-testimony/718853/), YouTube's testing of harder-to-block server-side ad injection affecting ad blockers like SponsorBlock, along with the potential solutions (https://www.bleepingcomputer.com/news/google/youtube-tests-harder-to-block-server-side-ad-injection-in-videos/), and the new "Sleepy Pickle" attack technique that targets machine learning models, posing severe supply chain risks (https://thehackernews.com/2024/06/new-attack-technique-sleepy-pickle.html). Tune in for a detailed analysis of these pressing cybersecurity issues and their broader implications.

Thanks to Jered Jones for providing the music for this episode. https://www.jeredjones.com/
Logo Design by https://www.zackgraber.com/

Tags: Microsoft, President, Security, Cybersecurity, Brad Smith, House testimony, Security failures, State-linked cyberattacks, U.S. federal agencies, Cyber attack, Machine learning, Sleepy Pickle, Pickle format, Supply chain risk
Search Phrases: Microsoft security failures, Brad Smith House testimony, U.S. federal agencies cyber attack, State-linked cyberattack Microsoft, Measures to improve Microsoft cybersecurity, Sleepy Pickle machine learning, Protecting machine learning models, Cybersecurity in Pickle format, Supply chain risks in cybersecurity, Advanced server-side ad injection YouTube

Microsoft will take full ownership for security failures in House testimony
https://www.cybersecuritydive.com/news/microsoft--security-failures-house-testimony/718853/
- Microsoft's Accountability: Brad Smith, Microsoft's vice chair and president, commits to taking full responsibility for recent security failures in his written testimony to the U.S. House Committee on Homeland Security. This is a critical move for transparency and accountability in the cybersecurity sector.
- State-Linked Cyberattacks: The testimony follows two significant state-linked cyberattacks on Microsoft. Hackers from the People's Republic of China targeted Microsoft Exchange Online, compromising 22 organizations and over 500 individuals, including high-profile figures like U.S. Commerce Secretary Gina Raimondo. Another attack, by the Russia-linked Midnight Blizzard group, gained access to senior executives' email accounts, with follow-on impact on federal agencies.
- Preventable Breaches: A report by the U.S. Cyber Safety Review Board criticized Microsoft for prioritizing speed to market and new features over security, labeling the attacks as preventable. This highlights the importance for cybersecurity professionals of balancing innovation with robust security measures.
- Security Recommendations: The Cyber Safety Review Board issued 25 recommendations to improve security, 16 specifically for Microsoft. These recommendations are essential for Microsoft and the broader cloud security industry to address vulnerabilities and prevent future breaches.
- Phishing Attack Surge: Nation-state cyber activity has intensified, with Microsoft reporting 47 million phishing attacks against its network and employees and 345 million daily attacks against its customers. This underscores the importance of phishing awareness and training for all cybersecurity professionals.
- Enhanced Security Measures: To bolster internal security, Microsoft plans to link senior executive compensation to meeting security goals, demonstrating a commitment to accountability. Additionally, the company has invited the Cybersecurity and Infrastructure Security Agency (CISA) to its headquarters for a detailed briefing on its security strategy.
- Industry Implications: Critics argue that Microsoft's dominant position in federal systems should be re-evaluated given its security lapses. This raises questions about the broader implications for vendor accountability and the need for stringent security standards in government contracts.

YouTube tests harder-to-block server-side ad injection in videos
https://www.bleepingcomputer.com/news/google/youtube-tests-harder-to-block-server-side-ad-injection-in-videos/
- YouTube Ad Blocking Challenge: YouTube now injects advertisements directly into video streams (server-side ad injection), making it tougher for ad blockers to filter them out. (Source: BleepingComputer) This method integrates ads seamlessly into the video content, creating a continuous stream that includes ad segments.
- Impact on Ad Blockers: Traditional ad blockers, which rely on blocking the JavaScript that inserts ads client-side, will struggle with this new approach. SponsorBlock, a tool that crowdsources data to skip sponsored content, reports that server-side ad injection disrupts its functionality because the ad shifts the timestamps of everything after it.
- Technical Breakdown: YouTube uses smaller video segments, or "chunks," stitched together to create continuous playback. A manifest file dictates the sequence of these chunks, including both content and ads, complicating the ability to skip or block ads.
- SponsorBlock's Response: Currently, SponsorBlock blocks submissions from browsers with server-side ad injection to avoid data corruption. Future solutions may involve calculating ad durations via metadata and YouTube's interface elements, though these systems are still in development.
- Potential Solutions for Ad Blockers: Ad blockers might need to evolve by developing sophisticated detection algorithms, analyzing metadata, and employing advanced pattern recognition techniques to identify ad segments.

New Attack Technique 'Sleepy Pickle' Targets Machine Learning Models
https://thehackernews.com/2024/06/new-attack-technique-sleepy-pickle.html
1. Discovery of Sleepy Pickle Attack: Trail of Bits researchers discovered a new attack technique called "Sleepy Pickle" that targets machine learning (ML) models. Unlike earlier pickle-based attacks that aimed at the underlying system, Sleepy Pickle focuses on corrupting the ML model itself, posing a severe supply chain risk.
2. Mechanism and Risks: The attack leverages the Pickle format, commonly used in ML libraries like PyTorch, to run attacker-supplied code during deserialization: a pickle can name any importable callable and have it invoked on load. Sleepy Pickle can insert backdoors, control outputs, or tamper with processed data, leading to dangerous consequences like misinformation or data theft.
3. Attack Delivery Methods: Attackers can deliver the payload using techniques such as adversary-in-the-middle (AitM) attacks, phishing, supply chain compromise, or exploiting system weaknesses. When deserialized, the payload modifies the model in-place, making detection very difficult.
4. Recommendations for Mitigation: Only load models from trusted users and organizations. Use signed commits and consider alternatives to Pickle, like TensorFlow or Jax formats with auto-conversion mechanisms.
5. Potential Impact: Hypothetical scenarios include generating harmful outputs (e.g., unsafe health advice), stealing user data, or manipulating news article summaries to redirect to phishing sites. The attack can maintain surreptitious access to ML systems, evading detection by modifying model behavior dynamically.
6. Broader Implications: Sleepy Pickle highlights the need for stronger supply chain security and awareness of vulnerabilities in widely-used software components. The attack can corrupt a model already present on the target without the payload itself looking like an ML model, which broadens the attack surface significantly.
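The deserialization hook that Sleepy Pickle rides on, and the two checks a practitioner would put in front of a model loader, as an added example that is not from the episode, from Trail of Bits, or from The Hacker News. The "payload" here is a constructed marker that only records that it ran (a real payload would patch model weights or call os.system); the `ALLOWED_GLOBALS` allow-list is an assumption about what a legitimate model file for one particular application needs, and must be tuned per loader. `referenced_globals` inspects the pickle's opcodes without executing anything; `RestrictedUnpickler` refuses every global not on the list before it is imported.

```python
import io
import pickle
import pickletools

# Constructed marker: the "payload" only records that it ran, instead of doing
# anything harmful, so the example is safe to execute locally.
EXECUTED = []


def _payload(tag: str) -> dict:
    EXECUTED.append(tag)
    # Hand back something that looks like a legitimately deserialised model, so
    # the caller sees nothing unusual after the payload has run.
    return {"weights": [0.1, 0.2]}


class PoisonedModel:
    """A pickle whose __reduce__ tells the unpickler to call _payload() on load.
    Real attacks use the same hook to call os.system, exec, or a weight patcher."""

    def __reduce__(self):
        return (_payload, ("sleepy-pickle-ran",))


def build_malicious_pickle() -> bytes:
    return pickle.dumps(PoisonedModel())


def build_benign_pickle() -> bytes:
    # A plain dict/list of floats serialises to data opcodes only, no GLOBAL.
    return pickle.dumps({"weights": [0.1, 0.2]})


def unsafe_load(data: bytes):
    """What most ML loaders do under the hood: pickle.loads imports and calls
    whatever global the file names, so the payload runs during deserialisation."""
    return pickle.loads(data)


def referenced_globals(data: bytes) -> list:
    """Static scan: every module.name the pickle would import, found without
    executing it. GLOBAL carries 'module name' as one string; STACK_GLOBAL
    (protocol 4+) takes the two preceding string opcodes."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)
        elif op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            found.append((strings[-2], strings[-1]))
    return found


# Assumption: the only globals a legitimate model file for this application
# needs. Anything else is refused before it is imported.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_safe_pickle(data: bytes) -> bool:
    """True if the data loads under the allow-list, False if a global was blocked."""
    try:
        safe_load(data)
        return True
    except pickle.UnpicklingError:
        return False


if __name__ == "__main__":
    blob = build_malicious_pickle()
    print("globals named by the file:", referenced_globals(blob))
    print("accepted by restricted loader:", is_safe_pickle(blob))
    print("payload ran so far:", EXECUTED)
```

The static scan is the cheap gate to run in CI or at model-registry ingest; the restricted unpickler is the runtime control. Neither helps if the allow-list itself contains a callable that can be abused, which is why the recommendation above to move to formats that carry no executable content at all is the stronger fix.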
In March, the Cyber Safety Review Board issued a report examining the Summer 2023 Microsoft Exchange Online Intrusion. Stephanie Pell, Senior Editor at Lawfare, sat down with Robert Silvers, Under Secretary for Policy at the Department of Homeland Security and Chair of the Cyber Safety Review Board, to discuss the report. They talked about the Board's determination that the intrusion was preventable and should never have occurred, Microsoft's response to the report, and the Board's unique role as a true public-private partnership, giving it a powerful position from which to drive change. To receive ad-free podcasts, become a Lawfare Material Supporter at www.patreon.com/lawfare. You can also support Lawfare by making a one-time donation at https://givebutter.com/c/trumptrials. Support this show http://supporter.acast.com/lawfare. Hosted on Acast. See acast.com/privacy for more information.
In this episode of the 2 Minute Drill, we provide an update on the Ascension ransomware recovery and discuss Apple's latest security patches for iOS and desktop systems. We also spotlight Brad Smith of Microsoft as he prepares for a congressional hearing on security issues highlighted by the Cyber Safety Review Board, alongside Microsoft's new Secure Future Initiative to enhance product security. Insights from a Wall Street Journal survey reveal cybersecurity as the top concern for compliance professionals. Thanks to our sponsor ORDR for supporting the episode. Stay tuned for critical insights into the evolving landscape of cybersecurity.

Contributions & Community: Become part of the conversation and help shape future episodes by contributing stories and insights. Visit thisweekhealth.com/news and click on "Become a Contributor."

Stay Connected: Don't miss out on our upcoming episodes focused on hacking healthcare. Follow our podcast, like and share this post to spread the word, and join the new 229 cyber and risk community for more in-depth discussions and resources.

Stay Informed, Stay Secure: Visit thisweekhealth.com/security for more information and resources to bolster your cybersecurity knowledge and defenses.

Remember, stay a little paranoid.
In this week's Security Sprint, Dave and Andy talked about the following topics:

Main Topics
· A Russian Influence Campaign Is Exploiting College Campus Protests
· FBI PSA: Foreign Terrorist Organizations and their Supporters Likely Heighten Threat Environment during 2024 Pride Month, May 10, 2024
· GW: Majority Of University Protesters Arrested Weren't Even Students, Police Say
· The network behind campus antisemitism
· Secret Hamas Files Show How It Spied on Everyday Palestinians
· Guidance for organisations considering payment in ransomware incidents
· U.S. Charges Russian National with Developing and Operating Lockbit Ransomware
· Increase of Lockbit ransomware attacks
· Ascension: Network Interruption Update
· Fitsec: Welcome to Fitsec's Akira Help
· First Responders Toolbox: Violent Extremists' Use of Generative Artificial Intelligence
o Statement from NSC Spokesperson Adrienne Watson on the U.S.-PRC Talks on AI Risk and Safety
o US, China meet in Geneva to discuss AI risks
· Faith-Based Daily Awareness Post 13 May 2024
o Abbeville: Parishioners stop teen armed with rifle from entering church during Mass
o Bomb Squad at Clearlake Baptist Church-Packaged Marked “Bomb” with Swastikas Brought Inside

Quick Hits
· Mass Gatherings Tool (CISA). https://www.cisa.gov/resources-tools/resources/mass-gathering-security-planning-tool
· CISA updates:
o CISA and Partners Release Guidance for Civil Society Organizations on Mitigating Cyber Threats with Limited Resources
o Fact Sheet: Biden-Harris Administration Releases Version 2 of the National Cybersecurity Strategy Implementation Plan
o Thompson, Swalwell Release Statement on the Biden Administration Releasing the First Cybersecurity Posture of the United States Report
o CISA wants ‘high-quality feedback' for another month on CIRCIA rule
o Secure by Design: CISA Unveils New Public Service Announcement – We Can Secure Our World. Today, the Cybersecurity and Infrastructure Security Agency (CISA) is pleased to launch We Can Secure Our World.
o CISA Announces Secure by Design Commitments from Leading Technology Providers
o ASD's ACSC, CISA, and Partners Release Secure by Design Guidance on Choosing Secure and Verifiable Technologies
o CERT-NZ: Joint Guidance: Choosing Secure and Verifiable Technologies
o CISA Unveils New Public Service Announcement – We Can Secure Our World
o CISA boss: Secure code is the 'only way to make ransomware a shocking anomaly'
· Elections:
o Open Hearing: An Update on Foreign Threats to the 2024 Elections
o Exclusive: Homeland Security ramping up 'with intensity' to respond to election threats
o In Arizona, election workers trained with deepfakes to prepare for 2024
o Top FBI Official Urges Agents to Use Warrantless Wiretaps on US Soil
o MI: AG Nessel Charges Attorney Stefanie Lambert and Former Adams Township Clerk Scott for 2020 Election Voter Data Breach.
o The Answer to Election Deniers Is in an Idaho County Website
· RSAC 2024: Technology and the Transformation of U.S. Foreign Policy
· RSAC 2024: US Secretary of State Blinken advocates solidarity, not sovereignty, for cyber
· Volt Typhoon operation came up 'directly' in US-China talks, ambassador says
· Warner: Lawmakers 'in process' of finding Section 702 fix
· Cyber world heads to San Francisco
· RSAC 2024: AI adds new dimension to virus detection
· RSAC 2024: How to use AI without getting in trouble
· Readout of Deputy Attorney General Lisa Monaco's Trip to California and Participation in the 2024 RSA Cybersecurity Conference
· DHS, CISA Announce Membership Changes to the Cyber Safety Review Board
· Canadian Centre for Cyber Security: Common employee IT security challenges (ITSAP.00.005)
· Zscaler takes "test environment" offline after rumors of a breach
· Brown Pushes Biden Administration to Ban All Connected Vehicles From China And Vehicles Using Chinese Smart Technology
· UK NPSA: Hostile Activity Mitigations. Updated 10 May.
In this episode of The Security Swarm Podcast, Andy and Paul discuss the Cyber Safety Review Board's findings on the Microsoft Storm-0558 breach. During the episode, they talk about the implications of the breach and explore Microsoft's security culture, stressing the need to prioritize robust security measures over rapid feature development.

Key Takeaways:
- Microsoft's security culture requires a significant overhaul to address existing vulnerabilities and prevent future breaches.
- Transparency and accurate risk assessments are crucial in understanding and mitigating security threats in cloud environments.
- Prioritizing security over rapid feature development is essential to prevent security risks and enhance overall product integrity.
- Standardized audit logging practices should be a fundamental offering in cloud services to enable effective intrusion detection and investigation.

Timestamps:
(10:07) - Microsoft's Security Culture: Past, Present, and Future
(15:45) - Uncovering Lack of Transparency and Accountability in Major Cloud Vendors
(20:09) - Microsoft's Security Standards: A Critical Assessment and Call for Action
(28:53) - A Discussion on Cloud Audit Logging

Episode Resources:
Cyber Safety Review Board Report - https://www.cisa.gov/sites/default/files/2024-04/CSRB_Review_of_the_Summer_2023_MEO_Intrusion_Final_508c.pdf
Microsoft Trustworthy Computing Memo - https://news.microsoft.com/2012/01/11/memo-from-bill-gates/
In this episode of the Security Swarm Podcast, our host Andy Syrewicze discusses the key findings from Hornetsecurity's Monthly Threat Report with guest Michael Posey. The Monthly Threat Report is a valuable resource that provides monthly insights into M365 security trends, email-based threats, and commentary on current events in the cybersecurity space. In this episode, Andy and Michael talk about recent security events such as the Cyber Safety Review Board's (CSRB) report assessing the Storm-0558 attack, the FTC's reports on impersonation attacks, and an alarming potential supply chain attack on the XZ Utils package in open-source Linux distributions.

Key takeaways:
- The cybersecurity landscape is evolving rapidly with a variety of threats, from supply chain attacks to impersonation scams.
- Transparency and security diligence are crucial in preventing and mitigating cyber threats.
- End-user training and awareness play a significant role in enhancing overall cybersecurity posture.

Timestamps:
(05:26) - Rising Trends in Email Threats and Cybersecurity Impersonation Tactics
(15:26) - The Importance of Email Security and Supply Chain Attacks in Today's Cyber Landscape
(18:12) - Uncovering the Storm-0558 Breach: Analysis and Recommendations
(27:33) - FTC Reports on Impersonation Attacks and the Importance of End User Training in Cybersecurity
(34:25) - Major Security Threat Uncovered in XZ Utils Package in Open Source Linux Distributions
(40:22) - Insights on Cybersecurity Issues and Mitigations

Episode Resources:
The Full Monthly Threat Report for April 2024
Fully automated Security Awareness Training Demo
Warm Start:
· GridEx VII Report Highlights Further Action to Enhance Grid Resilience
· US electric grid growing more vulnerable to cyberattacks, regulator says
· CISA's ‘Cyber Storm' will help it update National Cyber Incident Response Plan

Main Topics:
· US Environmental Protection Agency hack exposes data of 8.5 million users.
· Sophos - Unpatched Vulnerabilities: The Most Brutal Ransomware Attack Vector.
· Bomb threats follow Libs of TikTok's campaign against Planet Fitness
o Bomb threats reported at Planet Fitness locations in Northern Va. amid transgender controversy
o No threat found after several Planet Fitness locations in Jacksonville received bomb threats
o Alabama Planet Fitness locations receive bomb threats, evacuated by FBI
o Planet Fitness bomb threats in Connecticut spark concerns
o Police: Planet Fitness locations evacuated after bomb threats
o Planet Fitness locations in Daphne, Fairhope, and Mobile receive bomb threats
· Furry hackers spend stolen church funds on inflatable sea lions after pastor calls out Biden.
· Cyber Safety Review Board Releases Report on Microsoft Online Exchange Incident from Summer 2023. The U.S. Department of Homeland Security released the Cyber Safety Review Board's (CSRB) findings and recommendations following its independent review of the Summer 2023 Microsoft Exchange Online intrusion.
o Cyber Safety Review Board Releases Report on Microsoft Online Exchange Incident from Summer 2023.pdf
o Cyber board says Chinese hack of US officials was 'preventable'
o Microsoft faulted for ‘cascade' of failures in Chinese hack
· CSU: Forecast for 2024 Hurricane Activity. “We anticipate that the 2024 Atlantic basin hurricane season will be extremely active.”
· Info Ops:
o Russian trolls target U.S. support for Ukraine, Kremlin documents show
o New effort to "inoculate" U.S. voters against AI misinformation
o AI-generated story that Iran had fired missiles at Tel Aviv was amplified by X's own systems
o Microsoft: China tests US voter fault lines and ramps AI content to boost its geopolitical interests

Quick Hits:
· CISA Publishes New Webpage Dedicated to Providing Resources for High-Risk Communities.
· DHS: Mitigating Harm from Violent Visual Content: CP3 Prevention Resource.
· FTC Announces Impersonation Rule Goes into Effect Today (01 Apr)
· FBI Atlanta gate crash: Man tries to breach security by tailing employees
· Suspect arrested after vehicle crashes into gate at Atlanta FBI field office
· The Surprising Intelligence Community Outreach to Russia
· Why Russian intelligence dismissed US warnings of terror threat
· Germany announces military overhaul with eye on cyber threats
· “All your base are belong to us” – A probe into Chinese-connected devices in US networks
· Forescout research finds surge in Chinese-manufactured devices on US networks, including critical infrastructure
· Risky Biz News: Backdoor found in 92k D-Link NAS devices
· Omni Hotels experiencing nationwide IT outage since Friday
· A Quantitative Analysis of the Security Ratings of the S&P 500
· How a steel ball protected Taiwan's tallest skyscraper in an earthquake
· Rotterdam teen arrested for plotting a terror attack, prosecutors say
· ‘Reverse' searches: The sneaky ways that police tap tech companies for your private data
· The Unification Church Infiltrated Japan's Government. Now Its Sights Are Set on the U.S.
· India rescues 250 citizens enslaved by Cambodian cybercrime gang
· Targeted Phishing Linked to 'The Com' Surges
· GenAI: The next frontier in AI security threats
· ChatGPT jailbreak prompts proliferate on hacker forums
· Threat Actors Deliver Malware via YouTube Video Game Cracks
· 7 Types of Business Email Compromise (BEC) Attacks
· SEO Poisoning
Hello, and welcome to episode 102 of the Financial Crime Weekly Podcast, I'm Chris Kirkbride. It has been a remarkably busy week this week. While the sanctions news was limited, further action has been taken by the US against those facilitating Iranian sanctions evasion, but the main content this week comes in the form of bribery and market abuse news. In fact, there has been a noticeable trend over recent weeks in the number of stories relating to bribery and market abuse. Why? Maybe it's the cost of living, but that argument falls down when you think of the wealth of some of the individuals concerned. Maybe it's because they might be seen, wrongly in my view, as victimless crime. At least that used to be the view in relation to market abuse. Anyway, there is a load of news from those areas. In other news, the Financial Action Task Force has updated on the implementation of recommendation 15 by all FATF members and materially important virtual asset service providers. What else? Well, there's a big report from Europol and the usual round-up of cyber-attack news. Let's crack on. As usual, I have linked the main stories flagged in the podcast in the description.
These are:
Ajax, Supervisory Board suspends Alex Kroes due to strong indications of insider trading.
Cyber Safety Review Board, Review of the Summer 2023 Microsoft Exchange Online Intrusion.
Cyber Safety Review Board, Cyber Safety Review Board Releases Report on Microsoft Online Exchange Incident from Summer 2023 (press release).
Department of Justice, Swiss Commodities Trading Company Pleads Guilty to Foreign Bribery Scheme.
Department of Justice, Justice Department's Investigation into International Commodities Trading Companies' Foreign Bribery Schemes Results in Six Corporate Resolutions and 20 Individuals Convicted.
Department of Justice, United States Seeks Forfeiture of Former Mongolian Prime Minister's Luxury New York City Apartments Purchased with Proceeds of Corruption Scheme.
Department of Justice, Justice Department Seeks Forfeiture of $14 Million Manhattan Apartments Purchased with Proceeds of Mongolian Corruption Scheme.
Department of Justice, U.S. Attorney Announces Charges In Four Separate Insider Trading Cases Against 10 Individuals, Including Drug Company Employees, Investment Firm Executive Director, And SPAC Investors.
European Securities and Markets Authority, ESMA publishes latest edition of its newsletter (press release).
European Securities and Markets Authority, Spotlight on Markets.
Europol, Europol report identifies the most threatening criminal networks in the EU (press release).
Europol, Report: Decoding the EU's most threatening criminal networks.
Europol, Europol press conference: Decoding the most threatening criminal networks (YouTube).
Federal Bureau of Investigation, FBI Countering Cyber Threats Through 'Joint, Sequenced Operations,' Director Says (press release).
Federal Bureau of Investigation, Director Wray's Remarks at the FBI and University of Kansas Cybersecurity Conference.
Financial Action Task Force, Status of implementation of Recommendation 15 by FATF Members and Jurisdictions with Materially Important VASP Activity.
Financial Conduct Authority, Stuart Bayes found guilty of insider dealing.
Gambling Commission, Bet365 to pay £582,120 for regulatory failures.
Home Office, Response to consultation on changes to bodies granted investigatory powers.
National Anti-Corruption Commission, Guidelines for participating in anti-corruption and investment confidence in Thailand.
Office of Foreign Assets Control, Treasury Targets Network Facilitating Shipments Valued in Hundreds of Millions for Iranian Military.
Securities and Exchange Commission, Litigation Release No. 25962 / April 2, 2024: Securities and Exchange Commission v. Treusch, No. 1:24-civ-01050 (E.D.N.Y. filed Feb. 11, 2024).
The White House, Water and Wastewater cyber-attack letter.
UK Statutory Instruments, The Proceeds of Crime Act 2002 (References to Financial Investigators) (England and Wales and Northern Ireland) (Amendment) Order 2024 SI No 425.
NVD checked out, then they came back? Maybe? Should the xz backdoor be treated as a vulnerability? Is scan-driven vulnerability management obsolete when it comes to alerting on emerging threats? What were some of the takeaways from the first-ever VulnCon? EPSS is featured in over 100 security products, but is it properly supported by those that benefit from it? How long do defenders have from the moment a vulnerability is disclosed to patch or mitigate it before working exploits are ready and in the wild? There's SO much going on in the vulnerability management space, but we'll try to get to the bottom of some of it in this episode. In this interview, we talk to Patrick Garrity about the messy state of vulnerability management and how to get it back on the rails. Segment Resources: Exploitation Timelines; NVD Sources for known exploitation; Exploitation in the Wild - Rockstar. As we near RSA conference season, tons of security startups are coming out of stealth! The RSA Innovation Sandbox has also announced the top 10 finalists, also highlighting early stage startups that will be at the show. In this week's news segment, we discuss the highlights of the Cyber Safety Review Board's detailed and scathing report on Microsoft's 2023 breach. We spend a bit of time on the xz backdoor, but not too much, as it has been covered comprehensively elsewhere. We discover half a dozen of the latest startups to receive funding or come out of stealth: Coro, Skyflow, Zafran, Permiso, Bedrock Security, Abstract Security, and Sandfly. Apple is reportedly going to have some big AI announcements this summer, and we discuss how overdue voice assistants are for an LLM makeover. Finally, we discuss the amazing innovation that is the Volkswagen RooBadge! By the way, the thumbnail is a reference to the xz backdoor link we include in the show notes: https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor Visit https://www.securityweekly.com/esw for all the latest episodes!
Show Notes: https://securityweekly.com/esw-356
Today, we're discussing the lawsuits coming out of AT&T's massive data breach affecting 73 million, a critical flaw in the LayerSlider WordPress plugin jeopardizing 1 million sites, and a preventable hack into Microsoft Exchange highlighting cybersecurity's critical stakes. Experts weigh in on the ramifications and preventive strategies, ensuring you stay informed and ahead in the cybersecurity game. Your feedback on these issues is crucial; join the conversation and help shape a more secure digital future. References: For insights on the AT&T lawsuits and data breach impacts: https://www.bleepingcomputer.com/news/security/atandt-faces-lawsuits-over-data-breach-affecting-73-million-customers/ Understanding the critical vulnerability in the LayerSlider WordPress plugin: https://www.bleepingcomputer.com/news/security/critical-flaw-in-layerslider-wordpress-plugin-impacts-1-million-sites/ Analysis of the Microsoft Exchange hack and recommended security reforms: https://www.cybersecuritydive.com/news/microsoft-exchange-hack-china-preventable/712146/ and https://www.cisa.gov/sites/default/files/2024-04/CSRB_Review_of_the_Summer_2023_MEO_Intrusion_Final_508c.pdf Follow us on Instagram: https://www.instagram.com/the_daily_decrypt/ Thanks to Jered Jones for providing the music for this episode. 
https://www.jeredjones.com/ Logo Design by https://www.zackgraber.com/
Transcript: Apr 4
Welcome back to the Daily Decrypt. AT&T is grappling with the fallout of a data breach that impacted 73 million customers, as class action lawsuits begin to mount. Also, over 1 million WordPress sites are at immediate risk due to a critical vulnerability in the LayerSlider plugin, which can expose these sites to SQL injection attacks. How can WordPress admins protect themselves from this vulnerability? And finally, the Cyber Safety Review Board has declared the massive intrusion into Microsoft's Exchange Online entirely preventable. And just a reminder, this mega intrusion led to over 60,000 U.S. State Department officials' emails being compromised. How the heck is Microsoft gonna restore trust and confidence from the consumers in their security protocols? Stick around to find out.
So it's been two days since my last episode, in which I highlighted the most recent AT&T breach. Well, it's been a long couple of days. The reason there were no new episodes is because I lost internet, and you might be thinking, hey, you just finished slandering AT&T on this podcast on Monday, and then your AT&T internet goes out? That's correct. There's really no other explanation other than AT&T is seeking revenge against the Daily Decrypt. But I digress. To recap what has happened, AT&T has admitted to a data breach exposing sensitive information of 73 million customers. This breach included usernames, social security numbers, email addresses, and AT&T PINs used to make secure account changes on AT&T customer accounts. The timeline reveals that AT&T's initial denial of the breach, which was first alleged by ShinyHunters in 2021, and their recent admission after a second threat actor leaked the data in 2024, raise questions about the effectiveness of corporate data breach detection and response strategies. The leaked data isn't from the past year or even couple of years. The leaked data is from 2019. And it includes 7.6 million current customers and 65.4 million former AT&T account holders, which I guess says a lot about AT&T's churn rate, that they have 65 million former customers and only 7 million current customers. Needless to say, a lot of data was breached. Now, what's fascinating about this is that this was brought to AT&T's attention in early 2021 and they denied it. And then another threat actor group released the same data from 2019 in early 2024, and AT&T also denied that. They're just saying that they don't know, this data doesn't belong to them, this data wasn't stolen from their systems, when clearly it was. So only in the last week did AT&T finally admit that that data from 2019 belongs to them and was breached from their networks. So because of this negligence, multiple class action lawsuits have spun up very recently.
Most notably, there's one from Morgan & Morgan, which is the same law firm that's been suing Google over the fact that it tracks users' data even when they're in incognito mode. And I believe Google paid out a settlement. So this is the same law firm that did that. And they're accusing AT&T of negligence, breach of implied contract, and unjust enrichment. And they're aiming for compensatory damages and improved data security protocols. Their lawsuit criticizes AT&T for not acting on known vulnerabilities and delaying breach acknowledgement, jeopardizing customer data privacy and confidence. I'm really glad to see these lawsuits are being spun up. As you heard in Monday's episode, I was calling for multiple class action lawsuits. So yeah, I hope you get the crap sued out of you. And yes, I am an AT&T customer. If you are also an AT&T customer and you're concerned about your data being in one of these breaches or this main breach from 2019, I believe the site haveibeenpwned.com has acquired the data from this breach. And so you can just search your email addresses in that site to see if it was compromised. Listen to the episode released this past Monday for some tips on how to stay safe when attackers have all of this information. All the information needed to open up new credit cards, take out new lines of credit in your name, and do a whole lot of stuff. All right. Well, there's another WordPress vulnerability out there with a CVSS score of 9.8 out of a 10 max. The name of the plugin? LayerSlider. This plugin is used by over 1 million sites and exposes these sites to SQL injection attacks. This flaw allows attackers to potentially extract sensitive data, including password hashes, leading to site takeovers or data breaches. This vulnerability was discovered on March 25th, and was promptly reported to Wordfence, earning the researcher a 5,500 bounty. The vulnerability affects LayerSlider version 7.9.11 through 7.10, which, as mentioned before, allows for SQL code injection. And just to quickly discuss what SQL code injection is: it's when data is queried from a database to be populated on a website. Those databases use a language called SQL, or "sequel," that uses a query language, which is what the QL stands for, to query that data. This vulnerability allows attackers to query that data by injecting malicious commands using SQL. They can essentially pull anything they want out of the databases. So that includes, yeah, password hashes, names, emails, whatever data is on the website. If that's social security numbers, that's vulnerable too. Despite the severity though, the attack is limited to a time-based blind SQL injection, which relies on observing response times to infer data. And this type of SQL injection is hard to detect, but it's also hard for the attacker to get large amounts of data. It's more of an inferred sort of data attack. For more information on this attack, check out the article in the show notes by Bleeping Computer. The good news is that the flaw was quickly addressed by the plugin's developers, Kreatura, who released an update to version 7.10.1 on March 27th, so within 48 hours of being notified. If you are a LayerSlider user, please go update immediately to mitigate this risk. WordPress is built on the use of plugins. That's what makes it so marketable. The more plugins you have, the more plugins you use, the higher your risk is. And I personally am a WordPress user. TheDailyDecrypt.com is a WordPress site, and I'm having a hard time setting up notifications for outdated plugins. It's not very intuitive. Granted, I don't use any plugins other than the podcast plugin that hosts this podcast, and I'm constantly on the site making sure everything's updated and posting new podcasts, but a lot of people with WordPress sites will set it and forget it. Like they'll put up their site. It's a shop.
They respond to orders they get, but they don't actually go onto the WordPress site too much. And a lot of WordPress users are less tech savvy than me. So they probably don't have alerts set up for outdated plugins. I highly encourage you to just set up a reminder that goes off once a week, once a month, whatever interval you think is appropriate for the risk of your website, and just go check to make sure all the plugins are up to date. It's a really quick check, and if they're not up to date, you just press a little button and update them. You're likely not doing advanced programming on your WordPress site that might break with an update, so just, just press the little button. All right, and our final story comes from the Cyber Safety Review Board, where they have officially declared, which is a pretty bold stance, they've officially declared that the intrusion into Microsoft Exchange Online that exposed about 60,000 U.S. State Department emails was entirely preventable. This report criticizes Microsoft's corporate culture for insufficient investment in security and risk management and calls for widespread security reforms within Microsoft and among all cloud service providers to prioritize cybersecurity. The Cyber Safety Review Board, or CSRB, urges Microsoft to publicly outline its security reforms and outlines a series of operational decisions that encourage cloud service providers and government partners to make security-focused changes. The report, released by the CSRB, details the compromise of key U.S. officials' mailboxes by China-affiliated actors and criticizes Microsoft for charging extra for essential security features like enhanced logging. Which, in the recent past, has since been reversed. Microsoft no longer charges extra. But still, why did they do that in the first place? Microsoft has responded and announced plans for major security reforms, including better infrastructure and security processes.
It's worth noting that Microsoft has been very cooperative throughout the CSRB's investigation, and is definitely willing to listen to the suggestions and make some changes, so that's step one. That's way better than what AT&T did when confronted. Microsoft is looking into this. They want to maintain consumer confidence as much as anybody. They're at the center of our tech universe, and even more so than most consumers might even know. A lot of servers and digital infrastructure is hosted on Windows Server and Windows machines. And if you've been listening for a while, you've heard DogeSpan and I discuss another recent breach amongst senior developers and executives at Microsoft: without multi-factor authentication on their development accounts, attackers were able to get in. So all of these incidents are starting to pile up and really pointing fingers at Microsoft. We got to get this fixed. They're starting to crack down. We're going to keep an eye on them. We're going to keep reporting what happens at Microsoft. Hopefully nothing else big, because they hold a lot of data in their cloud services, Exchange, Azure. Microsoft is a pretty big powerhouse in the cloud service provider space. So yeah, hopefully they're throwing some money at this. They're spinning up some new teams and they're really looking at legacy infrastructure. It's a pretty old product that they're continually building on. So they need to start peeling away these layers of this product and figure out how they can boost up security. They need to be leading and setting a good example for smaller companies by being so secure. Well, that's the show. That's all we got for you. Again, sorry about the quick hiatus. Internet went out. Hopefully it will stay on for the remainder of the week and maybe I can put an episode out on Saturday, recapping some stuff. But if you like what you hear, please go find us on Instagram at The Daily Decrypt and send us a comment or a DM. We'd love to hear from you.
Until then, we'll talk to you some more tomorrow.
The Cyber Safety Review Board is lambasting the cloud security practices of one of the government's biggest technology vendors. The CSRB, in its report released Tuesday, details the review of the summer 2023 Microsoft Exchange Online intrusion. The report also includes several recommendations for how agencies could improve cloud security across government and beyond. The board found a “cascade of Microsoft's avoidable errors” contributed to an incident where hackers pilfered unclassified emails from 22 organizations and more than 500 victims, including Commerce Secretary Gina Raimondo, U.S. Ambassador to China Nicholas Burns, and House Rep. Don Bacon (R-Neb.). “The board finds that this intrusion was preventable and should never have occurred,” the report states. “The board also concludes that Microsoft's security culture was inadequate and requires an overhaul, particularly in light of the company's centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.”
The Cyber Safety Review Board hands Microsoft a scathing report. Jackson County, Missouri declares a state of emergency following a ransomware attack. The concerning growth of Chinese brands in U.S. critical infrastructure. Malware campaigns make use of YouTube. OWASP issues a data breach warning. Trend Micro tracks LockBit's faltering rebound. India's government cloud service leaks personal data. ChatGPT jailbreaks spread on popular hacker forums. On our Learning Layer segment, host Sam Meisenberg and Joe Carrigan continue their discussion of Joe's CISSP study journey and focus on the when and how of studying for Domain 1. And you can no longer just walk out of an Amazon grocery store. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
Resources for this session: Effect of sunlight exposure on cognitive function among depressed and non-depressed participants: a REGARDS cross-sectional study
Selected Reading:
Scathing federal report rips Microsoft for shoddy security, insincerity in response to Chinese hack (AP News)
Missouri county declares state of emergency amid suspected ransomware attack (Ars Technica)
Forescout research finds surge in Chinese-manufactured devices on US networks, including critical infrastructure (Industrial Cyber)
YouTube channels found using pirated video games as bait for malware campaign (The Record)
OWASP issues data breach alert after misconfigured server leaked member resumes (ITPro)
Trend Micro: LockBit ransomware gang's comeback is failing (TechTarget)
Indian government's cloud spilled citizens' personal data online for years (TechCrunch)
ChatGPT jailbreak prompts proliferate on hacker forums (SC Media)
Amazon Ditches 'Just Walk Out' Checkouts at Its Grocery Stores (Gizmodo)
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence.
Joining the podcast this week is Tony Sager, Senior Vice President and Chief Evangelist for the Center for Internet Security, who shares insights from his 45+ years on the security front lines, including 34 years at the NSA. Risk was a big theme of the discussion, particularly looking at risk through a similar lens as we view other risky domains, such as the great work being done with the Cyber Safety Review Board. (And he shares color on the power of being okay with the risk of being wrong sometimes.) He also shares perspective on moving to incentive-based cyber models (such as what's been done in Ohio and Connecticut), and the criticality of translating technology, attacks & attackers into public policy and market incentives. And it can't be a great cyber discussion without addressing the growing sophistication of cyber criminals and their organizations – really becoming the de facto organized crime success path today. Tony Sager, Senior Vice President and Chief Evangelist for the Center for Internet Security. Sager is a SVP and Chief Evangelist for CIS. He leads the development of the CIS Critical Security Controls™, a worldwide consensus project to find and support technical best practices in cybersecurity. Sager champions the use of CIS Controls and other solutions gleaned from previous cyber-attacks to improve global cyber defense. He also nurtures CIS's independent worldwide community of volunteers, encouraging them to make their enterprise, and the connected world, a safer place. In November 2018, he added strategy development and outreach for CIS to his responsibilities. In addition to his duties for CIS, he is an active volunteer in numerous community service activities: the Board of Directors for the Cybercrime Support Network; a member of the National Academy of Sciences Cyber Resilience Forum; Advisory Boards for several local schools and colleges; and service on numerous national-level study groups and advisory panels.
Sager retired from the National Security Agency (NSA) after 34 years as an Information Assurance professional. He started his career there in the Communications Security (COMSEC) Intern Program, and worked as a mathematical cryptographer and a software vulnerability analyst. In 2001, Sager led the release of NSA security guidance to the public. He also expanded the NSA's role in the development of open standards for security. Sager's awards and commendations at NSA include the Presidential Rank Award at the Meritorious Level, twice, and the NSA Exceptional Civilian Service Award. The groups he led at NSA were also widely recognized for technical and mission excellence with awards from numerous industry sources, including the SANS Institute, SC Magazine, and Government Executive Magazine. For links and resources discussed in this episode, please visit our show notes at https://www.forcepoint.com/govpodcast/e273
In this week's show Patrick Gray and Adam Boileau discuss the week's security news. * Microsoft honks its clown car horn * Australia's hounds, released, catch their man * The beginning of the end for Scattered Spider * SEC was SIM swapped but had MFA off anyway * Ivanti learns a lesson… * … while Progress does not * and much more DHS undersecretary for policy and Cyber Safety Review Board head Rob Silvers is this week's feature guest. He joins the show to talk about how the CSRB handles possible conflicts of interest from board members with industry day jobs. In this week's sponsor interview Resourcely's founder Travis McPeak talks about why we need to help developers with “paved roads” instead of relying on dashboard products to tell us when things have gone wrong. Show notes Microsoft network breached through password-spraying by Russia-state hackers | Ars Technica Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard | MSRC Blog | Microsoft Security Response Center Medibank cyber attack: The weakness that saw Medibank hacker Aleksandr Ermakov exposed | Exclusive Russian man identified as Medibank hacker, hit with sanctions by Australian government - ABC News Middle District of Florida | Palm Coast Man Arrested For Wire Fraud And Aggravated Identity Theft Charges | United States Department of Justice SEC.gov | SECGov X Account Owner of BreachedForums sentenced to time served plus 20 years supervised release with special conditions CISA issues emergency directive for federal agencies to mitigate Ivanti vulnerabilities | Cybersecurity Dive Ivanti Connect Secure exploitation accelerates as Moody's calls impact credit negative | Cybersecurity Dive Progress Software shakes off MOVEit's financial consequences, maintains customers | Cybersecurity Dive Cyberattack on Ukraine's largest telecom provider will cost it about $100 million Ransomware attacks leave small business owners feeling suicidal, report says Canadian Man Stuck in Triangle of E-Commerce Fraud – Krebs on Security Experts call for US Cyber Safety Review Board rethink • The Register
The Friday Op-Ed goes deep into this Cyberscoop article, https://cyberscoop.com/csrb-hearing-authority-transparency/, that talks about the lack of transparency and authority around the Cyber Safety Review Board. Needless to say, I have thoughts. Give a listen, tell a friend.
The Cyber Safety Review Board was created by a Biden administration Executive Order entitled, “Improving the Nation's Cybersecurity.” The Board reviews major cyber events and makes concrete recommendations that can drive improvements within the private and public sectors. Lawfare Senior Editor Stephanie Pell sat down with Robert Silvers, Under Secretary for Strategy, Policy, and Plans at the Department of Homeland Security and Chair of the Cyber Safety Review Board, to discuss the Board's mission and work. They talked about the two reports that the Board has issued, one that it's currently working on, and a legislative proposal from DHS that seeks to codify the Board in the law and ensure that the Board receives the information it needs to continue to advance the overall security and resiliency of our digital ecosystem. Support this show http://supporter.acast.com/lawfare. Hosted on Acast. See acast.com/privacy for more information.
Got a Minute? Check out today's episode of The Guy R Cook Report podcast - the Google Doc for this episode is @ Do you know about the Cyber Safety Review Board ----more---- Support this podcast Subscribe where you listen to podcasts I help goal-oriented business owners that run established companies to leverage the power of the internet Contact Guy R Cook @ https://guyrcook.com The Website Design Questionnaire https://guycook.wordpress.com/start-with-a-plan/ In the meantime, go ahead and follow me on Twitter: @guyrcookreport Click to Tweet Be a patron of The Guy R Cook Report. Your help is appreciated. https://guyrcook.com https://theguyrcookreport.com/#theguyrcookreport Follow The Guy R Cook Report on Podbean iPhone and Android App | Podbean https://bit.ly/3m6TJDV Thanks for listening, viewing or reading the show notes for this episode. This episode of The Guy R Cook Report is on YouTube too @ This episode of The Guy R Cook Report Have a great new year, and hopefully your efforts to Entertain, Educate, Convince or Inspire are in play vDomainHosting, Inc 3110 S Neel Place Kennewick, WA 509-200-1429
On this week's show Patrick Gray and Adam Boileau discuss the week's security news. They cover: More victims identified in Chinese breach of Microsoft email accounts Cyber Safety Review Board to investigate Microsoft We got some stuff wrong last week More details on Viasat hack revealed Special guest Heather Adkins talks about the CSRB's Lapsus$ report Much, much more This week's show is brought to you by RunZero. Its co-founder HD Moore is this week's sponsor guest. Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that's your thing. Show notes Chinese Microsoft hackers also hit GOP Rep. Don Bacon of Nebraska - The Washington Post US cyber board to investigate Microsoft hack of government emails | TechCrunch Richard: "@briankrebs @metlstorm @riskyb…" - Mastodon.Radio Mastodon.Radio An SSRF, privileged AWS keys and the Capital One breach | by Riyaz Walikar | Appsecco Chamber of Commerce urges SEC to delay cyber rule implementation | Cybersecurity Dive Satellite hack on eve of Ukraine war was a coordinated, multi-pronged assault | CyberScoop Microsoft to freeze license extensions for Russian companies Takedown of Lolek bulletproof hosting service includes arrests, NetWalker indictment Ransomware Diaries V. 3: LockBit's Secrets How the FBI goes after DDoS cyberattackers | TechCrunch Meet the Brains Behind the Malware-Friendly AI Chat Service ‘WormGPT' – Krebs on Security Multiple zero days found affecting crypto platforms Lawmakers press FCC for action on Chinese-made cellular modules Panasonic Warns That IoT Malware Attack Cycles Are Accelerating | WIRED Rapid7 to cut 18% of workforce, shutter certain offices | Cybersecurity Dive SecureWorks layoffs affect 15% staff | TechCrunch Researcher says they were behind iPhone popups at Def Con | TechCrunch Review of the Attacks Associated with LAPSUS$ and Related Threat Groups US should crack down on SIM swapping following Lapsus$ attacks: DHS review Kevin Collier: "Def Con is over and nobody hac…" - Infosec Exchange
An African power generator has been targeted by ransomware. The APT31 group is believed to be responsible for attacks on industrial systems in Eastern Europe. There have been arrests related to the takedown of LolekHosted. Ukraine's SBU has alleged that Russia's GRU is using specialized malware to attack Starlink. Microsoft has decided not to extend licenses for its products in Russia. Rick Howard opens his toolbox on DDoS. In our Solution Spotlight: Simone Petrella and Camille Stewart Gloster discuss the White House release of its cybersecurity workforce and education strategy. And the Cyber Safety Review Board will be investigating cases of cyberespionage against Exchange. Watch the full video of Simone and Camille here: Solution Spotlight: Simone Petrella and Camille Stewart Gloster For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/154 Selected reading. DroxiDat-Cobalt Strike Duo Targets Power Generator Network (Infosecurity Magazine) New SystemBC Malware Variant Targets Southern African Power Company (The Hacker News) Power Generator in South Africa hit with DroxiDat and Cobalt Strike (Security Affairs) Southern African power generator targeted with DroxiDat malware (Record) Common TTPs of attacks against industrial organizations. Implants for uploading data (Kaspersky ICS CERT) APT31 Linked to Recent Industrial Attacks in Eastern Europe (Infosecurity Magazine) Researchers Shed Light on APT31's Advanced Backdoors and Data Exfiltration Tactics (The Hacker News) LOLEKHosted admin arrested for aiding Netwalker ransomware gang (BleepingComputer) Russian spy agencies targeting Starlink with custom malware, Ukraine warns (The Telegraph) Russia Bans iPhones And iPads For Official Use: Report (BW Businessworld) Microsoft Suspends Extending Licenses For Companies in Russia (RadioFreeEurope/RadioLiberty) Department of Homeland Security's Cyber Safety Review Board to Conduct Review on Cloud Security (US Department of Homeland Security) Microsoft Exchange hack is focus of cyber board's next review (Record) Microsoft is under scrutiny after a recent attack by suspected Chinese hackers (Windows Central) The DHS's CSRB to review cloud security practices following the hack of Microsoft Exchange govt email accounts (Security Affairs) Microsoft's role in data breach by Chinese hackers to be part of US cyber inquiry (Firstpost)
Ford says cars with WiFi vulnerability still safe to drive Cyber Safety Review Board to analyze cloud security in wake of Microsoft hack Knight ransomware distributed in fake TripAdvisor complaint emails Huge thanks to today's episode sponsor, Veza 75% of breaches happen because of bad permissions. The problem is that you don't know exactly WHO has access to WHAT data in your environment. For example, roles labeled as “read-only” can often edit and delete sensitive data. Veza automatically finds and fixes every bad permission—in every app—across your environment. For the stories behind the headlines, head to CISOseries.com.
Charming Kitten collects against Iranian expatriate dissidents. The Cyber Safety Review Board reports on Lapsus$. A Call for comment on open-source, memory-safe standards. How NSA is coping with the cyber labor market. Yandex is restructuring. The Washington Post's Tim Starks joins us with the latest cyber security efforts from the DOD. Our guest is Dan L. Dodson, CEO of Fortified Health Security with insights on protecting patient data. And How Viasat was hacked. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/153 Selected reading. Germany says Charming Kitten hackers target Iran dissidents (Deutsche Welle) Cyber Safety Review Board Releases Report on Activities of Global Extortion-Focused Hacker Group Lapsus$ (US Department of Homeland Security) Review Of The Attacks Associated with Lapsus$ And Related Threat Groups Report (Cybersecurity and Infrastructure Security Agency CISA) Fact Sheet: Office of the National Cyber Director Requests Public Comment on Open-Source Software Security and Memory Safe Programming Languages (ONCD | The White House) Amid historic hiring surge, NSA considers hybrid, unclassified work options (Federal News Network) Exclusive: Fear of tech 'brain drain' prevents Russia from seizing Yandex for now, sources say (Reuters) Yandex co-founder Volozh slams Russia's 'barbaric' invasion of Ukraine (Reuters) Satellite hack on eve of Ukraine war was a coordinated, multi-pronged assault (CyberScoop)
The “godfather of AI” has left Google, offering warnings about the existential risks for humanity of the technology. Mark MacCarthy calls those risks a fantasy, and a debate breaks out between Mark, Nate Jones, and me. There's more agreement on the White House summit on AI risks, which seems to have followed Mark's “let's worry about tomorrow tomorrow” prescription. I think existential risks are a bigger concern, but I am deeply skeptical about other efforts to regulate AI, especially for bias, as readers of Cybertoonz know. I argue again that regulatory efforts to eliminate bias are an ill-disguised effort to impose quotas more widely, which provokes lively pushback from Jim Dempsey and Mark. Other prospective AI regulators, from the Federal Trade Commission (FTC)'s Lina Khan to the Italian data protection agency, come in for commentary. I'm struck by the caution both have shown, perhaps due to their recognizing the difficulty of applying old regulatory frameworks to this new technology. It's not, I suspect, because Lina Khan's FTC has lost its enthusiasm for pushing the law further than it can be pushed. This week's examples of litigation overreach at the FTC include a dismissed complaint in a location data case against Kochava, and a wildly disproportionate “remedy” for what look like Facebook foot faults in complying with an earlier FTC order. Jim brings us up to date on a slew of new state privacy laws in Montana, Indiana, and Tennessee. Jim sees them as business-friendly alternatives to General Data Protection Regulation (GDPR) and California's privacy law. Mark reviews Pornhub's reaction to the Utah law on kids' access to porn. He thinks age verification requirements are due for another look by the courts. Jim explains the state appellate court decision ruling that the NotPetya attack on Merck was not an act of war and thus not excluded from its insurance coverage. Nate and I recommend Kim Zetter's revealing story on the SolarWinds hack.
The details help to explain why the Cyber Safety Review Board hasn't examined SolarWinds—and why it absolutely has to—because the full story is going to embarrass a lot of powerful institutions. In quick hits, Mark makes a bold prediction about the fate of Canada's law requiring Google and Facebook to pay when they link to Canadian media stories: Just like in Australia, the tech giants and the industry will reach a deal. Jim and I comment on the three-year probation sentence for Joe Sullivan in the Uber “misprision of felony” case—and the sentencing judge's wide-ranging commentary. I savor the impudence of the hacker who has broken into Russian intelligence's bitcoin wallets and burned the money to post messages doxing the agencies involved. And for those who missed it, Rick Salgado and I wrote a Lawfare article on why CISOs should support renewal of Foreign Intelligence Surveillance Act (FISA) section 702, and Metacurity named it one of the week's “Best Infosec-related Long Reads.” Download 456th Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@gmail.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.
In this episode I provide a post-mortem on a Business Email Compromise event to show the seemingly non-existent "Cyber Safety Review Board" how easy it can be. I also discuss Twitter charging for SMS MFA use and how to still get MFA on Twitter with a simple phone app. Give a listen, tell a friend. Email thoughts, comments, or suggestions to darren@thecyburguy.com or follow me at linkedin.com/in/darrenmott.
In this podcast Patrick Gray talks to Tom Uren about how Microsoft continues to get important stuff wrong on Chinese vulnerability regulation and Russian cyber warfare. They also discuss how the Cyber Safety Review Board's decision to look at the teenage hacking group Lapsus$ is a good one, and how a Chinese APT group's efforts to steal US Covid relief money will really annoy people. You can read the newsletter the podcast is based on here.
The war that began with the Russian invasion of Ukraine grinds on. Cybersecurity experts have spent much of 2022 trying to draw lessons about cyberwar strategies from the conflict. Dmitri Alperovitch takes us through the latest lessons, cautioning that all of them could look different in a few months, as both sides adapt to the others' actions. David Kris joins Dmitri to evaluate a Microsoft report hinting that China may be abusing its recent edict requiring that software vulnerabilities be reported first to the Chinese government. The temptation to turn such reports into zero-day exploits may be irresistible, and Microsoft notes with suspicion a recent rise in Chinese zero-day exploits. Dmitri worried about just such a development while serving on the Cyber Safety Review Board, but he is not yet convinced that we have the evidence to prove the case against the Chinese mandatory disclosure law. Sultan Meghji keeps us in Redmond, digging through a deep Protocol story on how Microsoft has helped build Artificial Intelligence (AI) in China. The amount of money invested, and the deep bench of AI researchers from China, raises real questions about how the United States can decouple from China—and whether China may eventually decide to do the decoupling. I express skepticism about the White House's latest initiative on ransomware, a 30-plus nation summit that produced a modest set of concrete agreements. But Sultan and Dmitri have been on the receiving end of deputy national security adviser Anne Neuberger's forceful personality, and they think we will see results. We'd better. Baks reported that ransomware payments doubled last year, to $1.2 billion. David introduces the high-stakes struggle over when cyberattacks can be excluded from insurance coverage as acts of war. A recent settlement between Mondelez and Zurich has left the law in limbo. Sultan tells me why AI is so bad at explaining the results it reaches. He sees light at the end of the tunnel. 
I see more stealthy imposition of woke academic values. But we find common ground in trashing the Facial Recognition Act, a lefty Democrat bill that throws together every bad proposal to regulate facial recognition ever put forward and adds a few more. A red wave will be worth it just to make sure this bill stays dead. Finally, Sultan reviews the National Security Agency's report on supply chain security. And I introduce the elephant in the room, or at least the mastodon: Elon Musk's takeover at Twitter and the reaction to it. I downplay the probability of CFIUS reviewing the deal. And I mock the Elon-haters who fear that scrimping on content moderation will turn Twitter into a hellhole that includes *gasp!* Republican speech. Turns out that they are fleeing Twitter for Mastodon, which pretty much invented scrimping on content moderation.
In this episode of The Corporate Director Podcast, Robert Silvers, Undersecretary of Policy for the U.S. Department of Homeland Security, discusses the Cyber Safety Review Board, the Cyber Incident Reporting Council, the biggest cybersecurity threats for businesses today and what companies can do to better prepare.
Joining the podcast this week is Tony Sager, Senior Vice President and Chief Evangelist for the Center for Internet Security, who shares insights from his 45+ years on the security front lines, including 34 years at the NSA. Risk was a big theme of the discussion, particularly looking at risk through a similar lens as we view other risky domains, such as the great work being done with the Cyber Safety Review Board. (And he shares color on the power of being okay with the risk of being wrong sometimes.) He also shares perspective on moving to incentive-based cyber models (such as what's been done in Ohio and Connecticut), and the criticality of translating technology, attacks & attackers into public policy and market incentives. And it can't be a great cyber discussion without addressing the growing sophistication of cyber criminals and their organizations – really becoming the de facto organized crime success path today. Tony Sager, Senior Vice President and Chief Evangelist for the Center for Internet Security Sager is an SVP and Chief Evangelist for CIS. He leads the development of the CIS Critical Security Controls™, a worldwide consensus project to find and support technical best practices in cybersecurity. Sager champions the use of the CIS Controls and other solutions gleaned from previous cyber-attacks to improve global cyber defense. He also nurtures CIS's independent worldwide community of volunteers, encouraging them to make their enterprise, and the connected world, a safer place. In November 2018, he added strategy development and outreach for CIS to his responsibilities. In addition to his duties for CIS, he is an active volunteer in numerous community service activities: the Board of Directors for the Cybercrime Support Network; and a member of the National Academy of Sciences Cyber Resilience Forum; Advisory Boards for several local schools and colleges; and service on numerous national-level study groups and advisory panels.
Sager retired from the National Security Agency (NSA) after 34 years as an Information Assurance professional. He started his career there in the Communications Security (COMSEC) Intern Program, and worked as a mathematical cryptographer and a software vulnerability analyst. In 2001, Sager led the release of NSA security guidance to the public. He also expanded the NSA's role in the development of open standards for security. Sager's awards and commendations at NSA include the Presidential Rank Award at the Meritorious Level, twice, and the NSA Exceptional Civilian Service Award. The groups he led at NSA were also widely recognized for technical and mission excellence with awards from numerous industry sources, including the SANS Institute, SC Magazine, and Government Executive Magazine. For links and resources discussed in this episode, please visit our show notes at https://www.forcepoint.com/govpodcast/e197
In today's podcast, we talk about the Cyber Safety Review Board and their report on Log4j. Also, make sure to check out some of the articles and resources mentioned during this episode:
- DHS Launches First-Ever Cyber Safety Review Board via Homeland Security
- Pentest Stories: Responsible vulnerability disclosure via Heather Terry & Dennis Goodlett
- How to Write a Vulnerability Management Policy by Roxy, Hurricane Labs Director of Compliance
Keep an eye out for our upcoming blog posts about vulnerability management too!
Podcast: Control Loop: The OT Cybersecurity Podcast
Episode: Demystifying the alphabet soup of OT, IT, IOT.
Pub date: 2022-07-27
More deniable DDoS attacks strike countries friendly to Ukraine. Russian intentions and capabilities in its hybrid war. Log4j is now “endemic.” CISA's ICS security advisories. Operational technology and the C2C market. TSA issues revised pipeline cybersecurity guidelines. Zero-trust comes to OT. Our guest is Puesh Kumar from the Department of Energy, discussing the DOE's efforts to secure critical infrastructure, and to secure clean energy infrastructure. In the Learning Lab, Kimberly Graham, senior director of product management at Dragos, talks with Mark Urban about the alphabet soup of OT.
Control Loop News Brief.
Threats to infrastructure in a hybrid war.
- Ignitis Group hit by DDoS attack as Killnet continues Lithuania campaign (Tech Monitor) Ignitis services were knocked offline this weekend in a DDoS attack as Russian hackers Killnet target Ukraine's allies.
- US seeking to understand Russia's failure to project cyber power in Ukraine (Defense News) “With regard to the Russian use of cyber and our takeaways,” Anne Neuberger said, “there are any number of theories for what we saw and what, frankly, we didn't see.”
- Battling Moscow's hackers prior to invasion gave Kyiv 'full dress rehearsal' for today's cyber warfare (CyberScoop) Years of cyberattacks have helped prepare Ukraine to fight back against Russia's arsenal of digital weapons.
Log4j is now “endemic.”
- DHS Review Board Deems Log4j an 'Endemic' Cyber Threat (Dark Reading) Vulnerability will remain a "significant" threat for years to come and highlighted the need for more public and private sector support for open source software ecosystem, Cyber Safety Review Board says.
- DHS board: No one used software inventories to find vulnerable Log4j deployment (FedScoop) Many in government and industry want SBOMs to be the secure software development compliance standard, but the technology remains limited.
- Review of the December 2021 Log4j Event (Cyber Safety Review Board) We write this report at a transformational moment for the digital ecosystem. The infrastructure on which we rely daily has become deeply interconnected through the use of shared communications, software, and hardware, making it susceptible to vulnerabilities on a global scale.
- Dragos and Emerson Expand Global Agreement to Secure Industrial Infrastructure for Process Industries (Dragos) Dragos Extends ICS/OT Cybersecurity to Emerson's DeltaV Distributed Control System to Protect Process Industries.
CISA's ICS security advisories.
- Hundreds of ICS Vulnerabilities Disclosed in First Half of 2022 (Security Week) More than 600 industrial control system (ICS) product vulnerabilities were disclosed in the first half of 2022 by the US Cybersecurity and Infrastructure Security Agency (CISA), according to an analysis conducted by industrial asset and network monitoring company SynSaber.
Operational technology and the criminal-to-criminal market.
- Hackers are targeting industrial systems with malware (Ars Technica) An entire ecosystem of sketchy software is targeting potentially critical infrastructure.
- Hackers Distributing Password Cracking Tool for PLCs and HMIs to Target Industrial Systems (The Hacker News) Hackers Distributing Password Cracking Tool for PLCs and HMIs to Infect Industrial Systems with Sality Malware
- The Trojan Horse Malware & Password “Cracking” Ecosystem Targeting Industrial Operators (Dragos) Learn more about Dragos's discovery of an exploit introduced through password "cracking" software that targets industrial engineers and operators.
TSA issues revised pipeline cybersecurity guidelines.
- TSA revises and reissues cybersecurity requirements for pipeline owners and operators (Transportation Security Administration) The Transportation Security Administration (TSA) announced the revision and reissuance of its Security Directive regarding oil and natural gas pipeline cybersecurity. This revised directive will continue the effort to build cybersecurity resiliency for the nation's critical pipelines.
The Cyber Safety Review Board issued its first major report this month, which focused on the Log4j disaster. So, what is the Cyber Safety Review Board, and what is Log4j? To answer these questions and others, Benjamin Wittes sat down with the deputy chair of the Cyber Safety Review Board, Heather Adkins, and board member Dmitri Alperovitch. They talked about what the board is, where it comes from, how it is composed, and what it does. And they talked about Log4j, why the board started with this particular cybersecurity incident, how the board went about doing its investigation, what it found, and what it recommended.
A flaw discovered in a widely used piece of software, called Log4j, poses an “endemic” risk, according to a new government panel. In its inaugural report, the Cyber Safety Review Board said that, despite an available patch, the flaw in the software could expose computer systems to hackers for years to come. WSJ reporter Dustin Volz joins host Zoe Thomas to discuss why the risk remains and the goals of the new board behind the warning.
The Cyber Safety Review Board's first ever report gives high marks to the Cybersecurity and Infrastructure Security Agency for leading the response to the Log4j vulnerability, while warning that the software bug will continue to haunt systems for many more years.
Welcome back to Source Code, Decipher's weekly news wrap podcast with input from our sources. In this week's podcast, we go over an actively exploited vulnerability disclosed during Patch Tuesday, a Cyber Safety Review Board report that gives new details about the Log4j flaw and research that sheds light on how the ransomware ecosystem is evolving.
Podcast: Unsolicited Response Podcast
Episode: ICS Security - February Month In Review
Pub date: 2022-03-03
Chris Sistrunk joins Dale Peterson to discuss the month's big 3 stories. 1. Ukraine from an ICS preparation standpoint. 2. DHS's new Cyber Safety Review Board. 3. What to take from ICSsec vendor annual / semi-annual activity reports. Plus wins, fails and predictions.
On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including:
- A spate of ransomware attacks on European energy and transport
- Russian authorities extend cybercrime crackdown
- Irritating influencers arrested for laundering 2016 Bitfinex hack proceeds
- IRS abandons ID.me trial
- Microsoft disables macros by default, disables MSIX protocol handler
- Much, much more
This week's show is brought to you by ExtraHop. ExtraHop's Ted Driggs is this week's sponsor guest – he was on the show about a year ago talking about how we should really start thinking about putting together software bills of behaviours as well as bills of material. Ted is back to tell us how that effort is progressing. As you'll hear, a lot of the behavioural data on software already exists, but it's being hoarded by different vendors. Links to everything that we discussed are below and you can follow Patrick or Adam on Twitter if that's your thing.
Show notes
- Ransomware spree hitting European oil, transport companies
- String of cyberattacks on European oil and chemical sectors likely not coordinated, officials say - The Record by Recorded Future
- Weeks after a ransomware attack, some workers still worry about paychecks
- Russian government continues crackdown on cybercriminals
- Cyberattack brings down Vodafone Portugal mobile, voice, and TV services - The Record by Recorded Future
- An ALPHV (BlackCat) representative discusses the group's plans for a ransomware ‘meta-universe' - The Record by Recorded Future
- DOJ seizes $3.6 billion from 2016 Bitfinex hack, arrests New York couple - The Record by Recorded Future
- Woman Who Allegedly Laundered $1B in Bitcoin Was Cringe YouTube Rapper
- NetWalker ransomware affiliate sentenced to seven years in prison - The Record by Recorded Future
- IRS abandons plans to use third-party facial recognition
- DHS assembles Cyber Safety Review Board to imitate fed agency that studies aviation accidents
- Senate lawmakers try again on cyber incident reporting legislation - The Record by Recorded Future
- Microsoft temporarily disables MSIX protocol handler following malware abuse - The Record by Recorded Future
- Microsoft to block internet macros by default in five Office applications - The Record by Recorded Future
- Microsoft says MFA adoption remains low, only 22% among enterprise customers - The Record by Recorded Future
- Google Cloud adds new cryptomining threat detection capability - The Record by Recorded Future
- News Corp. says Wall Street Journal, New York Post were targeted by hackers
- European governments targeted by Chinese hackers with a Zimbra webmail zero-day - The Record by Recorded Future
- Palestinian hacking group evolving with new malware, researchers say
- State Department sounds alarm over Red Cross breach
- State Department offers $10M for information on Iranian election interference
- Iran's national TV stream hacked for the second time in a week - The Record by Recorded Future
- Open Source Security Foundation launches new initiative to stem the tide of software supply chain attacks | The Daily Swig
- The Apache Log4j team talks about the Log4Shell patching process - The Record by Recorded Future
- npm enrolls Top 100 package maintainers into mandatory 2FA - The Record by Recorded Future
- Target open-sources its web skimmer detector - The Record by Recorded Future
- North Korea Hacked Him. So He Took Down Its Internet | WIRED
- Cryptocurrency platform Wormhole hacked for an estimated $322 million - The Record by Recorded Future
What's up, everyone! In this episode, Ryan, Shannon, and LeVon discuss the newly created Cyber Safety Review Board and what it could mean for the future. Please LISTEN
Vulns in an HTTP/3 server, path traversal in Argo CD, Log4Shell from the perspective of Log4j devs, DHS launches Cyber Safety Review Board, OSSF launches Alpha and Omega projects, resources for learning reverse engineering and appsec Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw183
Security is one of the most evolving and impactful landscapes in the regulatory sphere. Proposed initiatives in the areas of Incident Response, Software and Product Assurance, Coordinated Vulnerability Disclosure (CVD), and IoT or Connected Products Regulations are among the most active and developing areas of security policy around the world. This evolving landscape also serves as an opportunity for innovation and research collaboration. Elazari will walk us through some of the most recent trends in policy proposals shaping the future of security. We will also talk about bug bounties and vulnerability disclosure, what are some of the industry's best practices in this area, how to implement these programs to foster security, collaboration and transparency, and how this connects to the policy momentum and its impact on security researchers. In the AppSec News, Vulns in an HTTP/3 server, path traversal in Argo CD, Log4Shell from the perspective of Log4j devs, DHS launches Cyber Safety Review Board, OSSF launches Alpha and Omega projects, resources for learning reverse engineering and appsec!
Show Notes: https://securityweekly.com/asw183
Segment Resources:
- Project Circuit Breaker: https://www.intel.com/content/www/us/en/newsroom/news/intel-launches-project-circuit-breaker.html
- Project Circuit Breaker Landing Page: https://www.projectcircuitbreaker.com/
- Intel's 2021 Product Security Report: https://www.intel.com/content/www/us/en/security/intel-2021-product-security-report.html
Visit https://www.securityweekly.com/asw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly
Since there's been a lot of discussion and debate about Extended Detection and Response (XDR) at the moment, we thought we would bring on two experts to talk about it. Enric Cuixeres is a Cisco Secure customer who has implemented an XDR strategy within his organization Leng D'Or. Our other expert is former US Army CID special agent and computer forensic examiner Jessica Bair. Jessica is the Director of Technical Alliances at Cisco, who has been helping many of our customers with their XDR strategies. We discuss the practical implications of implementing XDR, as told by people who have been there and done it – and also what benefits will it really bring, including how it can help overburdened security staff. For more on this topic, take a look at our ebook "Extended Detection and Response for Dummies." Learn more about the Cisco Gateway community as mentioned in the episode. Before that, Lindsey O'Donnell Welch, executive editor of Decipher, is back with us for the second week in a row. Lindsey discusses the just-announced Cyber Safety Review Board and its role in assessing “significant cybersecurity events”. For more information about this check out Decipher's report. And finally, you can view the on-demand broadcast "Defending Against Critical Threats" in which six experts from across Cisco Secure came together to analyze what's been happening in the realms of ransomware, supply chain attacks, vulnerabilities, Log4j, Emotet and the rise in Mac OS malware.
Log4Shell exploits, VoIP vs. UCaaS, and MongoDB on the future of databases.
- Threat actor targets Ubiquiti network appliances using Log4Shell exploits
- DHS launches Cyber Safety Review Board to analyze major vulnerability events
- FBI warns to watch out for spoofed online job listings from scammers
- Network security firms have 'hijacked' zero trust
- VoIP vs. UCaaS: The differences explained
- MongoDB CTO Mark Porter on what organizations need in a modern database and what the future of databases looks like
Hosts: Louis Maresca, Brian Chee, and Curt Franklin
Guest: Mark Porter
Download or subscribe to this show at https://twit.tv/shows/this-week-in-enterprise-tech. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit
Sponsors: hover.com/twit newrelic.com/enterprise progress.com/twit
Welcome back to Source Code, Decipher's weekly news podcast with input from our sources. Topping the news this week, Samba patched a vulnerability that could enable remote, unauthenticated attackers to execute arbitrary code as root on impacted installations. Also this week, the U.S. government launched a Cyber Safety Review Board, which will bring together private and public sector industry leaders to assess the lessons learned from “significant cybersecurity events.”
Facebook isn't growing anymore; Google Workspace goes all in on shadow IT; Homeland Security establishes the Cyber Safety Review Board to learn from the mistakes of past cyber incidents
UPDATE to last week's Headlines: Darkside Ransomware breach on Colonial Pipeline – discuss what happened and the repercussions after our tech tip
This Week's Security Tip: While most businesses understand the importance of backing up their server and files, many forget to back up their website! Most sites are hosted on a third-party platform like HostGator or WordPress. However, these hosts have limits on what they back up, and the Terms and Conditions you agreed to most likely waive their responsibility to preserve and back up your files and data. Therefore, if you're posting a lot of new content, you should be backing up your site weekly if not daily. Hackers can (and do!) corrupt websites all the time. If you don't want to have the cost of a down website and the cost of rebuilding it, back up your website!
Today's Headlines: Darkside Ransomware breach on Colonial Pipeline
The first DarkSide ransomware attacks were all owner-operated, but after a few successful months, the owners began to expand their operations. On November 10, DarkSide operators announced on Russian-language forums XSS and Exploit the formation of their new DarkSide affiliate program providing partners with a modified form of their DarkSide ransomware to make use in their own operations. It's worth noting that DarkSide actors have pledged in the past to not attack organizations in the medical, education, nonprofit, or government sectors. At one point, they also advertised that they donate a portion of their profit to charities. However, neither claim has been verified and should be met with a heightened degree of scrutiny; these DarkSide operators would be far from the first cybercriminals to make such claims and not follow through.
DarkSide Operators Likely Former “REvil” Affiliates
Flashpoint assesses with moderate confidence that the threat actors behind DarkSide ransomware are of Russian origin and are likely former affiliates of the “REvil” RaaS group.
Several facts support this attribution: Spelling mistakes in the ransom note and grammatical constructs of the sentences suggest that the writers are not native English speakers. The malware checks the default language of the system to avoid infecting systems based in the countries of the former Soviet Union. The design of the ransom note, wallpaper, file encryption extension and details, and inner workings bear similarities to “REvil” ransomware, which is of Russian origin and has an extensive affiliate program. This shows the evolution path of this ransomware and ties it to other Russian-origin ransomware families. The affiliate program is offered on Russian-language forums XSS and Exploit.
Timeline:
Thursday, May 6, 2021 – Hackers Launch Colonial Pipeline Cyberattack: stealing 100 gigabytes of data before locking computers with ransomware and demanding payment (undisclosed original amount, estimated ~$100mill). Breached through phishing attack. Encrypted Sales and billing network. They then hired FireEye.
Friday, May 7, 2021: Colonial Pipeline paid $4.4mil to Eastern European hackers on May 7, 2021, contradicting reports that the company had no intention of paying an extortion fee to help restore the country's largest fuel pipeline.
Saturday, May 8, 2021: U.S. Government Assists Attack Response: Colonial Pipeline, unnamed U.S. companies and several U.S. government organizations (including the White House, the FBI, CISA and NSA) shut off key servers operated by the hackers. The steps stopped the flow of stolen Colonial Pipeline data from the United States to alleged hacker locations in Russia.
Tuesday, May 11, 2021: CISA-FBI Advisory: CISA and the FBI issued a cybersecurity advisory that described DarkSide ransomware and associated risk mitigation strategies. Colonial Pipeline's Website Offline: The company's site was offline for a portion of the day.
Colonial Pipeline Statement 5: The company described alternative fuel shipping strategies that are now in place amid the effort to safely restore the pipeline.
Monday, May 10, 2021: Alleged Russia Connection: President Biden directly blames Russia in the Colonial Pipeline attack as a "State-hack", then in a later statement took it back and suggested that Russia may deserve some blame for the attack since the hackers and/or their software are allegedly located within Russia's borders. FBI Statement: The FBI confirmed that DarkSide ransomware is responsible for the compromise of the Colonial Pipeline networks. Sec of Energy issues emergency waiver, allowing non-EPA emissions standards gasoline to be stored, moved, and sold. 3 million barrels (125mil gallons) came in not meeting regulations requiring EPA guidelines on emissions on May 11th. Did not report how much has been obtained during the EPA emissions waiver timeline, to May 18th.
Wednesday, May 12, 2021: Colonial Pipeline Restarts Pipeline Operations: The restart began at about 5:00 p.m. ET, though it will take several days for the delivery supply chain to return to normal, the company indicated. The update did not mention the cyber incident investigation.
Thursday, May 13: Full system restart. Biden signs Executive Order that: removes contractual terms that may limit "information sharing" with CISA, NSA, FBI; requires service providers (including cloud service providers) to preserve data it will name later, provide said information, and share all related information, including proprietary network and security information, with the federal government; also to begin discussing a zero-trust framework for the federal government, as practical. They are also creating a Cyber Safety Review Board, to convene after "major" incidents, made of FBI, DOJ, DOD, NSA, FBI, and select private sector. They will also appoint a National Cyber Director.
They will also require FCEB networks to employ tools for host-level visibility, attribution, and response, without authorization.
May 15th: Biden spoke with Putin, blamed him for SolarWinds hack, 2020 election interference, and imposed sanctions and expulsion of diplomats.
Next Week's Teaser: Lie, lie, lie!
Call to Action: We talk a lot about stupid (nothing bad ever happens to me; head in the sand; too busy; I'll do it later). So what's smart? Taking this seriously TODAY. Book a 10-minute Discovery Call right now. I'll ask some key questions and give you a quick score. If you're doing everything right, you can sleep better at night. If there's room for improvement, we'll discuss options. NO PRESSURE, NO STRINGS. JUST BOOK THE CALL! www.mastercomputing.com/discovery
Our interview is with Brandon Wales, acting head of the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA), and Jen Daskal, deputy general counsel for Cyber and Technology Law at DHS. We dig deep into the latest Executive Order on cybersecurity. There's a lot to say. The EO is focused largely on how the federal civilian government protects its networks, and it is just short of revolutionary in overriding long-standing turf fights, almost all of which are resolved in favor of CISA, to the point where it seems clear that CISA is on its way to being the civilian agencies' CISO, or Chief Information Security Officer. This is clearly CISA's moment. It is getting new authorities from the president and new money from Congress. Whether it can meet all the expectations that these things bring is the question. We also touch on parts of the EO that will touch the private sector, from the determined push for breach and other incident reporting in federal contracts to the formation of a Cyber Safety Review Board to investigate private sector incidents. I predict that the board will need and will get subpoena power soon. Neither Brandon nor Jen takes the other side of that bet.

In the news, we get an update on the Colonial Pipeline ransomware attack from Nick Weaver and first-timer Betsy Cooper. Colonial has paid $5 million in ransom, gotten a bad decryption tool and restarted operations anyway. Since it's likely to end up as the second test case for the Cyber Safety Review Board, Colonial may regret having waited five days to start sharing information with CISA. Maury Shenk explains the 200-page Irish High Court decision allowing the Irish data protection regulator to begin an inquiry that could cut off Facebook's data exports to the United States. Facebook would love to forestall that day until EU-U.S. talks on a new data export deal are done, but the Biden administration isn't exactly making it a priority to bail out either Facebook or the U.S. intelligence community, which has as much at stake in data flows as the companies. One of the puzzles of recent weeks has been persistent but vague stories that DHS wants more authority to gather information from public postings on social media. Nick, Betsy, and I try to make sense of the story, and we're not helped by the fact that much of the media and politicians have switched from condemning such intelligence operations to demanding them, and vice versa, since the Trump administration ended. Nick can't resist a story that leaves both bitcoin and Tor looking bad, so of course we cover the boom in Tor exit nodes configured to steal the cryptocurrency of Tor users. Betsy covers the unanimous view of chip-making and chip-consuming companies that the federal government should subsidize chip making in the U.S. Industrial policy is making a comeback, we note, but Betsy reminds us there's a reason it went away. *cough*Solyndra*cough* Betsy seizes on the latest WhatsApp tactic to lament the willingness of data-driven tech companies to annoy us into submission. Nick and I cross swords over Apple's firing of Antonio García Martínez, author of Chaos Monkeys, in my view one of the funniest and most insightful Silicon Valley books of the last decade. Part of its appeal is García Martínez's relentless burning of every bridge in his past business and personal life. How, you keep asking, can he recover from telling all those truths about Morgan Stanley, Facebook, Y Combinator, and AdTech? Turns out, he can't. But it wasn't any of those supposedly potent institutions that nailed him. Instead, it was his claim that the women of Silicon Valley are mostly "soft and weak, cosseted and naïve" and possessed of a "self-regarding entitlement feminism." Apple employees demanded that they be protected from García Martínez, and he was summarily fired. The more interesting question is whether hiring García Martínez shows just how determined Apple is to replace Facebook as Google's main competition in the "leverage customer data to sell ads" business.

In quick hits, I revisit the claim that a Saudi prince hacked Jeff Bezos's phone and turned his unexpurgated selfies over to the National Enquirer in order to suppress Washington Post publicity over the killing of Jamal Khashoggi. That was all BS, it turns out, apparently designed to turn Bezos from an ordinary tawdry adulterer into a press freedom crusader. And Nick draws our attention to Counterfit, a promising Microsoft tool for testing artificial intelligence algorithms to find security flaws. And More!

Download the 362nd Episode (mp3). You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.
➡️ About The Guest: Dmitri Alperovitch is a prominent figure in the cybersecurity and geopolitical landscape. As the co-founder of CrowdStrike (CRWD), a $93 billion cybersecurity giant, he's instrumental in safeguarding the digital world. His expertise doesn't stop there; he's also the Executive Chairman of Silverado Policy Accelerator, shaping national security strategies. His insights into global power dynamics are highly sought-after, evident in his book, "World on the Brink," and his podcast, "Geopolitics Decanted." His influence is undeniable, serving on the Homeland Security Advisory Council and the Cyber Safety Review Board, and establishing the Alperovitch Institute for Cybersecurity Studies at Johns Hopkins University.

➡️ Show Links: https://www.instagram.com/dalperovitch/ https://x.com/DAlperovitch/ https://www.linkedin.com/in/dmitrialperovitch/

➡️ Talking Points:
00:00 - Intro
02:09 - Cold War with China?
09:22 - From Cybersecurity to Geopolitics
16:46 - Winning Against China
26:57 - Defending Taiwan
35:46 - Sponsor: My First Million Podcast
36:18 - Decoupling with China: Smart or Risky?
45:01 - Chinese Influence by US Culture
49:33 - Pros and Cons of a Cultural War with China
52:15 - The TikTok Threat
55:45 - Xi Jinping vs. High Achievers
59:13 - Doing Business in China
1:05:08 - Lessons Left Out of the Book
1:13:05 - Advice to Younger Self