Cyber Security Headlines: Week in Review – Apple Encryption, Gamification for Security, DISA Breach
Hosted by CISO Series | Release Date: February 28, 2025
The latest episode of Cyber Security Headlines by CISO Series delves into significant developments in the information security landscape from the past week. Hosted by Rich, and featuring recurring guest Andrew Wilder, CISO at VetCore, the episode examines Apple's recent move on iCloud encryption in the UK, Anagram's innovative approach to cybersecurity training, and the troubling breach at DISA Global Solutions. Additionally, the discussion extends to the impact of layoffs at CISA, vulnerabilities in GitHub repositories exposed by Microsoft Copilot, and malicious use of ChatGPT by Chinese threat actors.
1. Apple Pulls iCloud End-to-End Encryption in the UK
Overview: Apple has withdrawn its end-to-end encryption (E2EE) feature for iCloud services in the United Kingdom, responding to a government mandate under the Investigatory Powers Act (referred to humorously as the "Least Delicious IPA"). This decision affects optional settings for iCloud data, such as backups, photos, and notes, which previously ensured that only users could access their data, safeguarding against potential cloud breaches.
Key Points:
- Government Mandate: The UK government's demand for backdoor access to encrypted data is an unprecedented move among major democracies, as highlighted by The Washington Post.
- Apple’s Stance: Apple expressed grave disappointment, citing the rising threats of data breaches and privacy concerns. They emphasized their commitment to user privacy and the dangers of creating backdoors that could be exploited by malicious actors.
Notable Quotes:
- Andrew Wilder [03:14]: "I think this is really a negative thing. I would say, why, why an undelicious IPA? Why would you do this? It's a horrible thing."
- Rich [04:06]: "It's interesting to see that Apple will continue to do business. Obviously, you know, the UK is a pretty big market I'm sure for them, but just essentially saying, hey, you would now have one less privacy feature for your users."
Discussion: Andrew Wilder criticized the UK's decision, emphasizing the risks associated with weakening encryption standards. He drew parallels to Apple's earlier resistance against creating backdoors, underscoring the potential for abuse by bad actors if such measures were to become widespread. The conversation also touched upon similar legislative pressures in other countries, like Sweden, where privacy-focused applications like Signal are contemplating market withdrawal in response to proposed backdoor requirements.
2. Anagram’s Gamified Approach to Employee Cybersecurity Training
Overview: Anagram, formerly known as Cypher, is transforming employee cybersecurity training through gamification. Moving away from traditional annual sessions, Anagram offers frequent, interactive lessons and phishing simulations. This pivot, initiated in 2024, responds to the observation that non-security employees are often the weakest link in organizational security.
Key Points:
- Traditional Training Flaws: The conventional approach often leads to disengagement, with employees rushing through sessions without retaining critical information.
- Gamification Benefits: Anagram’s strategy involves engaging employees by immersing them in the attacker’s mindset, akin to tabletop exercises, enhancing their ability to recognize and counteract phishing attempts and other cyber threats.
- Client Acquisition: The company has secured major clients, including Disney and Thomson Reuters, indicating significant market acceptance of their innovative training model.
Notable Quotes:
- Andrew Wilder [05:41]: "Cybersecurity training as we know it today is broken. Everybody is doing the click through as fast as they can to get to the end of the training so they can skip it and go to the questions and pass the test."
- Andrew Wilder [07:00]: "I am a big fan of anything that's going to take this in a different direction. And I think Anagram has done that."
Discussion: Andrew Wilder lauded Anagram’s approach, highlighting the shortcomings of traditional cybersecurity training methods that fail to engage employees effectively. By adopting gamification, Anagram not only makes training more enjoyable but also significantly improves knowledge retention and practical application. Rich echoed this sentiment, noting that rewarding employees with positive reinforcement, such as badges, can enhance participation and motivation compared to punitive measures.
3. DISA Global Solutions Confirms Data Breach
Overview: DISA Global Solutions, a prominent employee screening and background check firm serving a third of Fortune 500 companies, disclosed a significant cybersecurity incident. The breach, detected on April 22, 2024, involved unauthorized access beginning on February 9th, leading to the compromise of sensitive personal information, including Social Security numbers and credit card details.
Key Points:
- Delayed Disclosure: DISA waited nearly a year to inform affected parties, raising concerns about transparency and compliance with regulatory standards.
- Scope of Breach: Although exactly which data was stolen remains undetermined, the breach underscores the exposure of data brokers and background screening services, which hold large volumes of sensitive personal information.
- Regulatory Filing: The company filed reports with Maine and Massachusetts Attorneys General but has yet to identify specific victims or the attackers responsible.
Notable Quotes:
- Andrew Wilder [09:36]: "Your umbrage is validated... It’s really a negative thing... we couldn’t figure out which data they took."
- Andrew Wilder [10:59]: "If you can't answer any of those questions, you should probably be spinning up a data security program because that's what we do."
Discussion: Rich and Andrew expressed significant frustration over DISA’s delayed response and lack of clarity regarding the breach. Andrew emphasized the importance of robust data security programs that can quickly identify and mitigate such incidents. The conversation highlighted the critical need for companies handling sensitive data to maintain comprehensive knowledge of their data assets and access controls to respond effectively to breaches.
4. Firing of 130 CISA Staff Raises Industry Concerns
Overview: The recent dismissal of over 130 cybersecurity professionals from the Cybersecurity and Infrastructure Security Agency (CISA) has sparked alarm within the cybersecurity community. The layoffs, orchestrated by the Department of Government Efficiency (DOGE), are seen as detrimental to U.S. and allied security efforts, potentially straining international alliances and reducing trusted information sharing mechanisms.
Key Points:
- Industry Impact: Experts like David Shipley, CEO of Beauceron Security, criticized the cuts as reckless, comparing them to "accelerating towards an iceberg." Frank Dickson of IDC highlighted the lack of transparency regarding the layoffs' impact on national security.
- CISA’s Role: CISA has been pivotal in providing free cybersecurity tools, tabletop exercises, and breach alerts, especially beneficial for small and medium-sized businesses lacking in-house expertise.
- Future Implications: The reduction in CISA’s workforce threatens the continuity and effectiveness of cybersecurity support for businesses relying on government partnerships.
Notable Quotes:
- Andrew Wilder [13:29]: "They are a partnership between the government and CISOs today... Jen Easterly... is a kind of a hero in the cybersecurity community."
- Andrew Wilder [14:50]: "If you’ve ever worked in small and medium sized businesses in the cybersecurity space, you know that they're really lacking in expertise... this is a big thing."
Discussion: Andrew underscored CISA’s integral role in supporting businesses with limited cybersecurity resources, lamenting the potential fallout from workforce reductions. He highlighted the invaluable services CISA provides, such as breach alerts and free cybersecurity tools, which are especially crucial for smaller enterprises. The discussion raised concerns about the broader implications for national security and international cybersecurity collaborations, emphasizing the need for maintaining and strengthening governmental cybersecurity agencies.
5. Thousands of Exposed GitHub Repositories via Microsoft Copilot
Overview: Researchers at Israeli cybersecurity firm Lasso uncovered a vulnerability in Microsoft’s Copilot, an AI tool integrated with GitHub. The flaw allows continued access to thousands of repositories that were previously public but subsequently set to private. This exposure affects over 20,000 repositories, including those of major corporations like Google, IBM, and Microsoft itself.
Key Points:
- Technical Flaw: Even after repositories are set to private, Microsoft Copilot can still return their contents from Bing’s cache, inadvertently exposing sensitive data that the owners believed was no longer reachable.
- Severity Assessment: Microsoft has classified the issue as low severity, a stance contested by cybersecurity experts.
- Implications for AI Training: The incident highlights the challenges of balancing AI tool functionalities with data privacy, especially when AI models are trained on vast amounts of public data that may later become restricted.
Notable Quotes:
- Andrew Wilder [17:35]: "Definitely not low severity in my opinion... security by obscurity, hiding a file somewhere where they shouldn't... Copilot is happy to go, boom, here it is."
- Andrew Wilder [18:36]: "No way to know that it's getting trained on good data. So that's part of the problem."
Discussion: Andrew Wilder strongly disagreed with Microsoft’s classification of the issue as low severity, arguing that the vulnerability poses significant privacy risks. He drew attention to the persistent problem of data retrievability by AI tools like Copilot, which can unintentionally expose sensitive information even after repositories are privatized. The conversation emphasized the necessity for stricter data handling and privacy measures in the development and deployment of AI-driven tools to prevent unauthorized access and data leaks.
6. OpenAI Bans ChatGPT Accounts Used by Chinese Group for Spy Tools
Overview: OpenAI has taken action against ChatGPT accounts associated with Chinese threat actors who were leveraging the AI tool to develop spy tools. According to OpenAI’s latest threat intelligence report, these accounts utilized ChatGPT to edit and debug code for AI tools designed to monitor and analyze social media posts and comments, focusing on Chinese political and social discourse. Additionally, ChatGPT was used to generate descriptions and sales pitches for these tools.
Key Points:
- Malicious Use of AI: The exploitation of ChatGPT for creating surveillance tools underscores the dual-edged nature of AI technologies.
- Account Bans: OpenAI successfully banned some of the malicious accounts, though Andrew Wilder expressed skepticism about the comprehensiveness of these efforts.
- AI Responsibility: The incident highlights the ongoing challenge of preventing the misuse of powerful AI tools by sophisticated threat actors.
Notable Quotes:
- Andrew Wilder [19:51]: "Does this surprise you?... I was hoping to read the story of how they're using fraud GPT or worm GPT... Definitely not surprised."
- Andrew Wilder [21:31]: "I would agree."
Discussion: Andrew Wilder reflected on the inevitability of AI tools being used for both beneficial and malicious purposes. He noted that while OpenAI’s efforts to ban malicious accounts are commendable, the pervasive nature of fake accounts and sophisticated threat actors means that completely policing misuse is exceedingly challenging. The conversation delved into the broader implications of AI in cybersecurity, emphasizing the need for ongoing vigilance and advanced safeguards to mitigate the risks associated with AI-driven espionage and cyber threats.
Conclusion
The episode concluded on a positive note, celebrating Anagram’s innovative training methodology amidst a week marked by several cybersecurity setbacks. Andrew Wilder highlighted the importance of fostering positive developments in the field to counterbalance the negative news. The hosts also promoted upcoming events and encouraged audience engagement through live chats on YouTube.
Notable Quotes:
- Andrew Wilder [22:04]: "But there is one positive story we talked about this week, right, Rich? And that was this Anagram company that has taken this gamified approach."
- Rich [22:33]: "How can we not love that?"
Where to Find More: Andrew Wilder can be found on LinkedIn, where he actively posts about cybersecurity topics and opportunities at VetCore. He is also scheduled to speak at RSA on ethics in cybersecurity, offering insights into the evolving challenges and moral considerations in the field.
Join the Conversation: Listeners are encouraged to participate in upcoming live events hosted by CISO Series, including discussions on the commodification of cybercrime and the continuous evolution of security programs in response to emerging threats.
For daily updates and in-depth stories behind the headlines, visit CISOSeries.com.