DOGE days numbered? - CyberWire Daily

Summary

Podcast Summary: CyberWire Daily - "DOGE Days Numbered?" (February 5, 2025)

Introduction

In the February 5, 2025 episode of CyberWire Daily, hosted by Dave Bittner from N2K Networks, the spotlight is on the escalating controversy surrounding Elon Musk's advisory team, Doge, and their involvement with federal agencies. The episode delves into various cybersecurity news, including significant vulnerabilities, corporate espionage, workforce initiatives, and updates on cybersecurity certifications. This comprehensive summary captures the key discussions, insights, and conclusions presented throughout the episode.

1. DOGE Team Faces Growing Backlash

Elon Musk's Doge and Federal Agency Access

The episode opens with a deep dive into the contentious role of Elon Musk's advisory group, Doge, within federal agencies. The team has been accused of attempting to dismantle critical federal operations, raising alarms among cybersecurity experts, government officials, and Democratic lawmakers.

National Security Concerns: Experts warn that Doge's efforts could jeopardize national security by exposing sensitive data of federal employees and violating federal laws. “Their actions could compromise national security, expose federal employees' data, and violate federal laws,” states Bittner ([02:31]).
Access to Critical Systems: Specific concerns revolve around Doge's access to pivotal federal systems:
- Treasury's Payment System: Handles over $6 trillion in annual transactions, including Social Security payments and federal salaries.
- Office of Personnel Management (OPM): Stores sensitive employee records. Musk reportedly installed an unvetted private server, reminiscent of the 2015 OPM hack by Chinese hackers. “At the Office of Personnel Management, which stores sensitive employee records, Musk allegedly installed an unvetted private server, raising fears of a Repeat of the 2015 OPM hack by Chinese hackers,” Bittner explains ([02:31]).
Administrative Privileges and Legal Violations: Contrary to White House assurances that Doge's access is read-only, reports indicate that a former Musk employee may have been granted administrative privileges. This unauthorized access is argued to breach federal cybersecurity laws, including FISMA (Federal Information Security Management Act), thereby creating vulnerabilities that foreign adversaries could exploit.
Political Repercussions: Senator Elizabeth Warren has called for accountability from Treasury Secretary Scott Bessant, emphasizing the enormity of the systems at risk. “Senator Elizabeth Warren has demanded answers from Treasury Secretary Scott Bessant, emphasizing that these Systems handle over $6 trillion in annual transactions,” notes Bittner ([02:31]).
Operational Hazards: The lack of oversight and independent logging systems makes it impossible to verify the integrity of accessed or altered information. House Democrats have expressed concerns that new email systems at OPM may facilitate phishing attacks targeting federal employees. Additionally, there are reports of federal employees facing termination or leave for resisting these unauthorized changes.
Analogy to Jenga: The situation is metaphorically described as a precarious Jenga tower, where each reckless interference risks triggering a catastrophic collapse of government operations. “Critics liken the situation to a precarious Jenga tower, where reckless interference could trigger a catastrophic failure of government operations,” Bittner highlights ([02:31]).

Industry and Government Response

In response to the growing threats associated with edge devices, the UK's National Cybersecurity Centre and its Five Eyes partners have released new guidelines. These standards aim to bolster the security of routers, network-attached storage, IoT devices, and perimeter security solutions, which are frequent targets for cyber attacks.

Baseline Security Standards: The guidelines set baseline security measures for manufacturers and outline best practices for consumers selecting network hardware. Emphasis is placed on logging and forensic capabilities to ensure devices can effectively detect and investigate threats.
Rising Vulnerabilities: A 2024 report indicated a 22% increase in vulnerabilities within edge devices, many with higher severity ratings. Recent zero-day exploits targeting products like Avanti and Fortigate underscore the escalating risks.

2. Critical Security Vulnerabilities and Updates

macOS Kernel Vulnerability

A significant security concern involves a critical macOS kernel vulnerability that allows for privilege escalation, memory corruption, and kernel code execution. Discovered by MIT CSAIL researcher Joseph Rajakandran, the flaw affects macOS Sonoma, Sequoia, and iPadOS.

Technical Details: The vulnerability arises from a race condition in Apple's XNU kernel, involving unsafe memory operations such as memcpy. This improper synchronization permits unauthorized credential modifications.
Proof of Concept: Rajakandran released an exploit demonstrating the flaw, urging users to avoid running untrusted code until Apple releases a patch. “A critical macOS kernel vulnerability allows privilege escalation, memory corruption and kernel code execution,” Bittner reports ([02:31]).

Google and Mozilla Security Updates

Both Google and Mozilla have released urgent security updates addressing multiple high-severity vulnerabilities in their browsers, Chrome and Firefox, respectively.

Chrome 133: Includes 12 security fixes, three of which were identified by external researchers. Two critical "use after free" flaws in the Skia graphics library and JavaScript engine could enable code execution or sandbox escapes. Google incentivized reporting with awards of $7,000 and $2,000 for the bugs.
Firefox 135: Patches several vulnerabilities, including high-severity "use after free" bugs in the Custom Highlight API and XSLT. These fixes mitigate risks of code execution across Firefox, ESR, and Thunderbird. “Google and Mozilla have released security updates for Chrome and Firefox addressing multiple high severity memory safety vulnerabilities,” Bittner explains ([02:31]).

Veeam Backup Products Vulnerability

A critical vulnerability in multiple Veeam backup products exposes systems to man-in-the-middle attacks, allowing remote code execution with a CVSS score of 9.0.

Impact: The flaw in the Veeam updater component can lead to full system compromise, data theft, and ransomware attacks. Affected products include Veeam Backup for Salesforce, AWS, Azure, Google Cloud, and others.
Mitigation: Veeam has released urgent patches, advising users to update immediately to prevent exploitation. “A critical vulnerability in multiple Veeam backup products allows attackers to execute remote code via man in the middle attacks with a CVSS score of 9.0,” Bittner notes ([02:31]).

Zyzole Routers Vulnerabilities

Zyzole has declared it will not issue patches for two actively exploited vulnerabilities affecting its end-of-life routers, contrary to recommendations from security researchers.

Exploitation: Threat intelligence firm Graynoise reports that attackers are exploiting these flaws to execute arbitrary commands, resulting in full system compromises. Approximately 1,500 vulnerable routers remain exposed to the internet, with botnets like Mirai leveraging these vulnerabilities in large-scale attacks.
Company Response: Zyzole advises customers to replace affected routers rather than expect fixes, although many compromised devices remain in use and even available for purchase online. “Zyzole suggests you replace those outdated routers,” Bittner summarizes ([02:31]).

3. Corporate Espionage Case: Former Google Engineer Charged

Lin Wei Ding, a former Google engineer, stands accused of stealing AI trade secrets for a Chinese company, facing multiple charges that could result in significant prison time and hefty fines.

Allegations: Prosecutors allege that between 2022 and 2023, Ding copied over 1,000 confidential files related to Google's AI supercomputing infrastructure. He reportedly used Apple Notes to transfer the data to bypass security measures.
Career Trajectory: After leaving Google, Ding accepted a CTO position at Beijing Rongshiu Langzhi Technology. Concurrently, he founded a Chinese AI startup seeking government funding to develop AI infrastructure.
Detection and Arrest: Google detected the data theft in December 2023, promptly revoking Ding's access and notifying authorities. He was arrested in March 2024. “Former Google engineer Lin Wei Ding faces multiple charges for allegedly stealing AI trade secrets for a Chinese company,” Bittner states ([02:31]).
Potential Consequences: If convicted, Ding could face up to 15 years per economic espionage charge and 10 years per trade secret theft count, along with millions in fines.

4. CISA Issues Advisories for Industrial Control Systems (ICS)

The Cybersecurity and Infrastructure Security Agency (CISA) has released nine new advisories highlighting critical vulnerabilities in Industrial Control Systems (ICS). These vulnerabilities affect major vendors like Rockwell Automation, Schneider Electric, and AutomationDirect, impacting sectors such as energy, manufacturing, and transportation.

Key Vulnerabilities: The advisories identify risks including remote code execution, denial of service (DoS) attacks, and unauthorized access, with some vulnerabilities scoring as high as 9.3 on the CVSS scale.
Affected Devices: The vulnerabilities span a range of devices, including routers, Programmable Logic Controllers (PLCs), and industrial software platforms.
Mitigation Strategies: While some vendors have issued patches, others recommend network segmentation or outright device replacement. “CISA has issued nine new advisories highlighting critical vulnerabilities in industrial control systems,” mentions Bittner ([02:31]).
Botnet Exploitation: Graynoise reports that botnets are actively exploiting certain vulnerabilities, emphasizing the urgent need for organizations to apply updates and protect critical infrastructure from cyber threats.

Industry Leadership Changes

Karen Evans, former DHS and Energy Department cyber executive, has joined CISA as a senior advisor for cybersecurity. Her extensive experience includes serving as DHS CIO and leading cybersecurity efforts at the Department of Energy. Although her role is currently advisory, sources indicate she may ascend to a pivotal position within DHS.

Strategic Importance: Evans' leadership comes at a crucial time as agencies battle Chinese-backed cyber threats like Volt Typhoon. Her expertise is expected to bolster CISA's capabilities in countering sophisticated cyber adversaries.
Political Landscape: The future of CISA under the Trump administration remains uncertain, with Homeland Security Secretary Kristi Noem advocating for a more streamlined agency and criticizing its involvement in countering misinformation during elections. Key cybersecurity leadership roles in the administration are still awaiting appointments.

5. Cybersecurity Workforce Scholarship Bill Introduced

House Homeland Security Committee Chairman Mark Green, a Republican from Tennessee, has reintroduced the Pivot Act—a bill designed to address the U.S. cybersecurity workforce shortage by establishing an ROTC-like scholarship program for two-year cybersecurity degrees.

Legislative Details: The Pivot Act proposes that students at community colleges and technical schools receive scholarships in exchange for two years of government cyber service. Managed by CISA, the program aims to accelerate security clearances and inject 10,000 new cyber professionals into the workforce.
Support and Challenges: Despite previous unanimous committee support, the bill stalled in the last session but remains a priority due to escalating cyber threats, particularly from Chinese-backed hacking groups like Volt Typhoon. “House Democrats warn that the new email system at OPM could enable phishing attacks targeting federal workers,” Bittner adds ([02:31]).
Agency Roles: Mark Green emphasizes the critical role of CISA in national cybersecurity and workforce development efforts, even amidst internal Republican debates over the agency’s functions. “House Homeland Security Committee Chairman Mark Green... argues the agency is critical to national cybersecurity and workforce development efforts,” he states ([02:31]).

6. CertBytes: CISSP Practice Segment

In the CertBytes segment, hosted by Chris Hare and Steven Burnley, the focus shifts to cybersecurity certifications, specifically the CISSP (Certified Information Systems Security Professional) exam.

CISSP Exam Overview

Target Audience: The CISSP exam is designed for experienced security practitioners, executives, and managers seeking to validate their comprehensive knowledge across various security practices and principles.
Expert Insights: Stephen Burnley, N2K Networks’ resident ISC2 expert, underscores the CISSP's reputation as the premier cybersecurity certification. “It has been the premier cybersecurity certification... they have earned their reputation as sort of the capstone of any cybersecurity professional's certification journey,” Stephen asserts ([17:08]).

Study Tips and Practice Question

Study Strategy: The recommended approach is to focus on exam topics that challenge the candidate. Stephen advises, “You study the parts of the exam that scare you... cover every objective in the outline when you're studying,” encouraging a comprehensive review ([17:52]).
Practice Question: Participants engage in a scenario-based question to assess understanding of the security management lifecycle.

Question: You are your organization's security administrator and you're reviewing the audit results to assess if your organization's security baselines are maintained. In which phase of the security management lifecycle are you engaged?

Choices:
- Plan and organize
- Implement
- Operate and maintain
- Monitor and evaluate
Discussion: Steven Burnley methodically analyzes the question, emphasizing the importance of verb tense and contextual logic in mapping actions to lifecycle phases. Ultimately, the correct answer is Monitor and evaluate. “Monitor and evaluate... are synonymous with review and assess,” Steven concludes ([19:19]).
Additional Advice: Stephen commends Steven's analytical approach and reiterates the value of focusing on action verbs to determine the correct lifecycle phase. “Study what scares you... those are pro test taking skills,” he adds ([21:47]).

Upcoming Certifications

Stephen mentions upcoming updates to various certification exams, including an early 2025 CISSP update and recent changes to the Cisco Certified Network Associate (CCNA) exam, encouraging listeners to stay tuned for more resources ([22:17]).

7. Closing News: Google's AI Ethics Playbook Update

In the final segment, Dave Bittner addresses Google's recent update to its AI ethics playbook, which marks a significant shift from its previous stance.

Policy Changes: Google has quietly updated its AI ethics guidelines, removing the prior pledge not to use AI for weapons or surveillance. The company asserts that this change reflects a new geopolitical reality where democratic nations should lead in AI development.
- “Google just quietly updated its AI ethics playbook, deleting its previous pledge not to use AI for weapons or surveillance,” Bittner reports ([25:19]).
Strategic Realignment: This update coincides with rising U.S.-China tensions over AI dominance. Google, along with OpenAI, Microsoft, and Amazon, is aligning more closely with defense agencies, shifting away from earlier moral stances against military applications.
Public and Internal Reaction: Critics view this as tech giants abandoning their previous ethical commitments in favor of government contracts and geopolitical maneuvering. Despite the backlash, Google maintains that its focus remains on human rights, even as it engages more with defense initiatives.
Loss of Past Commitments: Bittner remarks, “As for past promises, well, those seem to have been lost somewhere between government funding and geopolitical tension,” highlighting the perceived erosion of Google's earlier ethical assurances ([25:19]).

Conclusion

The CyberWire Daily episode titled "DOGE Days Numbered?" provides an in-depth analysis of pressing cybersecurity issues, from contentious corporate-government interactions and critical system vulnerabilities to significant espionage cases and strategic workforce initiatives. Additionally, the episode offers valuable insights for cybersecurity professionals pursuing certifications. The closing discussion on Google's AI ethics shift underscores the complex interplay between technology, ethics, and geopolitics in the modern cybersecurity landscape.

Notable Quotes:

“Their actions could compromise national security, expose federal employees' data, and violate federal laws.” — Dave Bittner ([02:31])
“Study what scares you... those are pro test taking skills.” — Stephen Burnley ([21:47])
“Google just quietly updated its AI ethics playbook, deleting its previous pledge not to use AI for weapons or surveillance.” — Dave Bittner ([25:19])

Resources and Further Information

For more detailed insights and access to the ISC2 CISSP practice test mentioned in the episode, listeners are encouraged to visit N2K's website and explore additional resources at thecyberwire.com.

Transcript

Dave Bittner (0:02)

You're listening to the Cyberwire network, powered by N2K. Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers, so I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data Privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know.

Chris Hare (0:45)

Exactly what's been done.

Dave Bittner (0:47)

Take control of your data and keep your private life private by signing up for Deleteme now at a special discount for our listeners today. Get 20% off your delete me plan when you go to JoinDeleteMe.com N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.comN2K and enter code N2K at checkout. That's JoinDeleteMe.com N2k code N2K the Doge team faces growing backlash. The Five Eyes release guidance on protecting edge devices. A critical macOS kernel vulnerability allows privilege escalation, memory corruption, and kernel code execution. Google and Mozilla released security updates for Chrome and Firefox. Multiple Veeam backup products are vulnerable to man in the middle attacks. Zyzo suggests you replace those outdated routers. A former Google engineer faces multiple charges for alleged corporate espionage. CISA issues nine new advisories for ICS vulnerabilities. A House Republican introduces a cybersecurity Workforce scholarship bill on our CERT byte segment, a look at ISC2's CISSP exam and Google updates its stance on AI weapons.

Steven Burnley (2:25)

Foreign.

Dave Bittner (2:31)

It's Wednesday, February 5th, 2025. I'm Dave Bittner and this is your Cyberwire Intel Briefing. Thanks for joining us here today. It is great as always to have you with us. Elon Musk and his advisory team, the Department of Government Efficiency Doge are facing growing backlash over their efforts to dismantle federal agencies. Cybersecurity experts, government officials and Democrats warn that their actions could compromise national security, expose federal employees data, and violate federal laws. Key concerns center around Doge's reported access to critical federal systems, including the Treasury's payment system, which processes Social Security payments and federal salaries. Additionally, at the Office of Personnel Management, which stores sensitive employee records, Musk allegedly installed an unvetted private server, raising fears of a Repeat of the 2015 OPM hack by Chinese hackers. The White House insists Doge's access is read only, but reports suggest a former Musk employee was given administrative privileges. Senator Elizabeth Warren has demanded answers from Treasury Secretary Scott Bessant, emphasizing that these Systems handle over $6 trillion in annual transactions. Security experts argue that Musk's actions violate federal cybersecurity laws, including FISMA, and create risks for foreign adversaries to exploit. The lack of oversight and independent logging makes it impossible to verify what information has been accessed or altered. House Democrats warn that the new email system at OPM could enable phishing attacks targeting federal workers. Legal experts stress that granting unauthorized access to federal systems is a felony, and federal employees resisting these changes are reportedly being fired or placed on leave. Critics liken the situation to a precarious Jenga tower, where reckless interference could trigger a catastrophic failure of government operations. The UK's National Cybersecurity Centre and its Five Eyes partners have released new guidance to improve the security of edge devices. These include routers, network attached storage, IoT devices and perimeter security solutions, all frequent targets of cyber attacks. The document sets baseline security standards for manufacturers and provides best practices for customers selecting network hardware. It emphasizes logging and forensic capabilities, ensuring devices can detect and investigate threats effectively. Edge devices face growing threats from both financially motivated hackers and and state sponsored actors. A 2024 report found vulnerabilities in these devices increased 22% with higher severity ratings. Recent zero day exploits such as those targeting Avanti and Fortigate products highlight the risks. A critical macOS kernel vulnerability allows privilege escalation, memory corruption and kernel code execution. Discovered by MIT CSAIL researcher Joseph Rajakandran. The flaw affects macOS, Sonoma, Sequoia and iPad OS. The issue stems from a race condition in Apple's XNU kernel involving safe memory reclamation, read only page mapping and unsafe use of memcpy. Improper synchronization enables unauthorized credential modification. Ravakandran released a proof of concept exploit demonstrating the flaw. Apple has not yet patched it, so users should avoid untrusted code. The researcher recommends using Atomic writes to fix the issue. Google and Mozilla have released security updates for Chrome and Firefox addressing multiple high severity memory safety vulnerabilities. Chrome 133 includes 12 security fixes with three reported by external researchers. Two critical use after free flaws affect the Skia graphics library and version 8 JavaScript engine, potentially enabling code execution or sandbox escapes. Google awarded $7,000 for one bug and $2,000 for another. Firefox 135 patches multiple vulnerabilities, including two high severity use after free bugs affecting the Custom Highlight API and xslt. Additional fixes addressed code execution risks in Firefox, ESR and Thunderbird. No active exploitation has been reported, but users should update their browsers immediately. A critical vulnerability in multiple Veeam backup products allows attackers to execute remote code via man in the middle attacks with a CVSS score of 9.0. This flaw in the Veeam updater component can lead to full system compromise, including data theft and ransomware attacks. Affected products include Veeam backup for Salesforce, aws, Azure, Google Cloud and others. Veeam has released urgent patches and users should update immediately to mitigate risks. Attackers can intercept and manipulate update requests injecting malicious code. Zyzole has announced it will not release patches for two actively exploited vulnerabilities affecting its end of life routers, despite warnings from security researchers. Threat intelligence firm Graynoise reported that attackers are using these flaws to execute arbitrary commands, leading to full system compromise. The vulnerabilities were discovered by Volnchek in mid 2023 but remained unpatched. Zyzyl claims it was unaware until January 29 after Granoise reported active exploitation. The company advises customers to replace affected routers instead of expecting fixes. Security researchers argue that many impacted devices remain in use and even available for purchase online. Census reports nearly 1,500 vulnerable routers exposed to the Internet, and Gray Noise warns botnets like Mirai are exploiting the flaws in large scale attacks. Former Google engineer Lin Wei Ding faces multiple charges for allegedly stealing AI trade secrets for a Chinese company. Prosecutors say ding copied over 1,000 confidential files related to Google's AI supercomputing infrastructure between 2022 and 2023. He allegedly transferred this data using Apple notes to bypass security measures. Ding was later offered a CTO position at Beijing Rongshiu Langzhi Technology. While still employed at Google after leaving Rongshu, he founded a Chinese AI startup which sought government funding to develop AI infrastructure. Google detected the theft in December of 2023, revoked Ding's access and notified authorities. He was arrested in March of 2024. If convicted, he faces up to 15 years per economic espionage charge and 10 years per trade secret theft count plus millions in fines. CISA has issued nine new advisories highlighting critical vulnerabilities in industrial control systems. These flaws impact major vendors like Rockwell Automation, Schneider Electric and AutomationDirect, posing risks to energy, manufacturing and transportation sectors. Key vulnerabilities include remote code execution, denial of Service attacks and unauthorized access, with CVSS scores reaching 9.3. Affected devices range from routers and PLCs to industrial software. Some vendors have issued patches, while others recommend network segmentation or device replacement. Gray Noise reports Botnet's actively exploiting certain vulnerabilities. Emphasizing the urgency of mitigation, CISA urges organizations to apply updates immediately to protect critical infrastructure from cyber threats. Additionally, former DHS and Energy Department cyber Executive Karen Evans has joined CISA as a senior advisor for cybersecurity. While her role is currently advisory, sources suggest she may be named Executive Assistant Director for Cybersecurity Authority or move into a top DHS position. Evans previously served as DHS CIO and led cybersecurity efforts at the Department of Energy. Since leaving government in 2020, she worked in the private sector and co led a national study on CISA's cybersecurity workforce role. Her return comes as agencies combat Chinese backed cyber threats like volt typhoon. Meanwhile, CISA's future under the Trump administration remains uncertain, with Homeland Security Secretary Kristi Noem advocating for a smaller, more nimble agency and criticizing its involvement in countering misinformation during elections. Key cybersecurity leadership roles in the administration remain unfilled. House Homeland Security Committee Chairman Mark Green, a Republican from Tennessee, is reintroducing the Pivot Act, a bill aimed at addressing the US Cyber workforce shortage by creating an ROTC like scholarship for two year cybersecurity degrees. The legislation, which previously had unanimous committee support, stalled last session but remains a priority due to growing cyber threats, particularly from Chinese backed hacking groups like Volt Typhoon. Under the bill, students at community colleges and technical schools would receive scholarships in exchange for two years of government cyberservice at any level. The program, managed by CISA, also seeks to expedite security clearances and place 10,000 new cyber professionals in the workforce. Despite internal Republican debates over CISA's role, Green argues the agency is critical to national cybersecurity and workforce development efforts. Coming up after the break on our CERT Byte segment, a look at ISE2's CISSP exam and Google updates its stance on AI weapons. Stay with us.