CyberWire Daily: Episode Summary – "Eavesdropping on America’s Eyes and Ears"
Release Date: November 14, 2024
Host: N2K Networks
Introduction
In this episode of CyberWire Daily, host Dave Bittner delves into a range of pressing cybersecurity issues, from state-sponsored hacking to emerging threats in the healthcare sector. The episode also features an insightful conversation with Sarah Hutchins, a partner at Parker Poe, discussing the complexities of state data privacy laws. Below is a comprehensive summary of the key topics covered, complete with notable quotes and timestamps for reference.
1. Chinese Penetration of US Telecom Wiretap Systems
Timestamp: [00:45]
The US government has confirmed that a Chinese-linked hacking group, Salt Typhoon, breached several major US telecom providers, including AT&T, Lumen, and Verizon. This breach granted the hackers access to wiretap systems used by law enforcement agencies.
Dave Bittner reports:
“Hackers reportedly accessed networks for months, collecting Internet traffic and intercepting call records of targeted individuals, many of whom were involved in government or politics.”
[00:50]
The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI released a joint statement highlighting the severity of the breach and urging other companies to bolster their cyber defenses. The group allegedly copied data subject to US court orders for wiretaps, raising significant national security concerns.
2. Top Cybersecurity Challenges for the Trump Administration
Timestamp: [03:10]
Anne Neuberger, the White House cyber advisor, outlined the primary cybersecurity challenges facing the incoming Trump administration. Speaking at Columbia University, Neuberger emphasized the escalating cyber activities from China, particularly in pre-positioning within critical US infrastructure sectors to enable future disruptions.
She highlighted:
“Ransomware gangs are causing significant disruptions and rely heavily on cryptocurrencies, which facilitate ransom payments and fuel global cybercrime.”
[03:30]
Neuberger commended the Biden administration's efforts in establishing minimum cyber standards across industries such as pipelines, railways, and aviation through collaboration with industry leaders. However, she stressed the necessity for the Trump administration to address cryptocurrency regulation to mitigate its role in enabling cyber threats.
3. Jack Teixeira’s 15-Year Prison Sentence for Leaking Classified Documents
Timestamp: [05:20]
Jack Teixeira, a former Air National Guardsman, has been sentenced to 15 years in prison for leaking classified US military documents online. While serving as an IT specialist at a Massachusetts base, Teixeira shared sensitive information on a Discord server dedicated to gaming and firearms. The leaked documents exposed US and allied military strategies in Ukraine, Middle Eastern operations, and intelligence methods.
FBI Director Christopher Wray commented:
“This case serves as a stark warning to anyone handling national defense information about the severe consequences of unauthorized disclosures.”
[05:45]
The incident has led to disciplinary actions against 15 Air National Guard leaders and prompted the US Air Force to tighten protocols for accessing classified data.
4. Chinese National Sentenced for Money Laundering in Pig Butchering Scams
Timestamp: [07:15]
Daren Li, a Chinese national, faces up to 20 years in prison after pleading guilty to laundering over $73 million from pig butchering scams. These scams involve relationship-based cryptocurrency schemes where victims are enticed into fraudulent investments.
Authorities revealed:
“Li led a money laundering network that utilized 74 shell companies to funnel funds from victims, converting them into Tether and redistributing the proceeds.”
[07:30]
Li’s arrest in April is part of a larger crackdown on organized Southeast Asian criminal groups involved in burgeoning US cryptocurrency fraud, which reached nearly $4 billion in 2023.
5. Security Vulnerabilities in Popular Pregnancy App "What to Expect"
Timestamp: [09:05]
Security researcher Ovi Liber uncovered significant vulnerabilities in the pregnancy app "What to Expect." The app’s exposed API endpoint lacked proper authentication and rate limiting, making it susceptible to brute-force attacks that could lead to full account takeovers and exposure of sensitive reproductive health information.
Liber noted:
“The exposed endpoints allow attackers to reset passwords easily and access email addresses of community forum administrators, heightening the risk of targeted harassment.”
[09:20]
Despite Liber’s efforts to notify the app developers since October, no response has been received, raising ethical concerns about the company's commitment to user security.
6. NIST Misses Deadline for Clearing National Vulnerability Database Backlog
Timestamp: [10:50]
The National Institute of Standards and Technology (NIST) announced a delay in clearing its backlog of over 18,000 vulnerabilities in the National Vulnerability Database (NVD). The original goal to eliminate the backlog by September 30th was unmet due to incompatible data formats from authorized data providers.
A NIST spokesperson stated:
“We are developing new systems to streamline data processing and will provide updates on progress, though a new deadline has not been set.”
[11:10]
Despite hiring additional analysts and addressing all known exploited vulnerabilities, NIST continues to grapple with the extensive backlog.
7. Massive Data Leak from Demand Science Affects 122 Million People
Timestamp: [12:30]
A significant data breach has been confirmed at Demand Science, a B2B demand generation company, affecting 122 million individuals. The leaked data includes names, email addresses, phone numbers, job titles, and social media links, aggregated from public sources and third parties.
Security researcher Troy Hunt verified the authenticity of the data, leading to the addition of affected email addresses to the "Have I Been Pwned?" database for user notification.
Demand Science initially denied any breach but later acknowledged that the data originated from a decommissioned system. The company asserts that none of its current systems were compromised and continues to monitor the situation closely.
8. HHS Warns Healthcare Organizations About Godzilla Webshell
Timestamp: [14:00]
The Department of Health and Human Services (HHS) has issued an urgent warning to healthcare organizations regarding the Godzilla webshell, a Chinese-backed cyber tool. Godzilla enables attackers to manipulate files, execute commands, and evade detection using advanced encryption techniques.
HHS advises:
“Healthcare entities should adopt a multilayered defense strategy, apply timely software updates, and continuously review cybersecurity performance goals to strengthen their defenses.”
[14:15]
Though no direct cases have been reported yet, the American Hospital Association highlights the high frequency of cyberattacks in the healthcare sector, emphasizing the critical need for vigilance and proactive measures.
9. Moody's Assigns Highest Cyber Risk Ratings to Key Sectors
Timestamp: [16:45]
Moody's has designated the telecommunications, airline, and power generation sectors as the highest risk for cyberattacks. The digitization of these industries, coupled with their existing $7.1 trillion in debt, makes them particularly vulnerable.
Key points include:
- Telecommunications: Significant breaches have been reported, including attacks on AT&T, Lumen, and Verizon by Salt Typhoon.
- Airlines and Power Generation: Dependence on technology and previous incidents like a CrowdStrike software update failure underscore their susceptibility.
[16:50]
Moody's also noted increased risk levels in the automotive, education, manufacturing, energy, and port sectors, driven by similar vulnerabilities and weak cybersecurity practices.
10. Interview with Sarah Hutchins on State Data Privacy Laws
Timestamp: [18:00]
In an in-depth conversation, Sarah Hutchins, partner at Parker Poe, discusses the complexities and challenges posed by the growing number of state data privacy laws. She highlights the fragmented regulatory landscape, where companies must navigate varying state-specific requirements alongside federal regulations.
Hutchins explains:
“Companies often find themselves subject to a multitude of state laws, some comprehensive like California’s, and others niche-specific, depending on the industry or data type involved.”
[18:15]
She further elaborates on the conflicts between state and federal laws, noting:
“There are instances where state laws may impose stricter requirements than federal statutes, leading to contradictory obligations for companies.”
[19:00]
Hutchins advises a holistic and continuous approach to compliance, emphasizing the importance of aligning policies across departments and ensuring that all stakeholders are involved in governance processes to effectively manage data privacy obligations.
11. Virgin O2 Introduces AI Daisy to Combat Scammers
Timestamp: [21:30]
Virgin O2 has launched Daisy, an AI-powered chatbot designed to engage and deter phone scammers. Daisy engages fraudsters in prolonged, unproductive conversations, effectively wasting their time and resources.
Daisy operates by:
“Discussing family drama and knitting tips, keeping scammers occupied while protecting real customers from fraudulent activities.”
[21:45]
Developed with assistance from YouTube’s scambaiter Jim Browning, Daisy is part of O2's Swerve the Scammers initiative. The company also collaborates with scam survivors like Amy Hart to raise awareness and urges the government to appoint a fraud minister and establish a national body to combat scams more aggressively.
Conclusion
This episode of CyberWire Daily provides a comprehensive overview of the latest cybersecurity threats and regulatory challenges. From state-sponsored hacking incidents to innovative defenses against scammers, the discussions highlight the evolving landscape of cybersecurity and the critical need for robust defenses and proactive strategies. The conversation with Sarah Hutchins offers valuable insights into navigating the complex web of state data privacy laws, underscoring the importance of continuous compliance and cross-departmental collaboration.
For further details on each topic, listeners are encouraged to visit thecyberwire.com and explore additional resources provided in the episode's show notes.
Produced by Liz Stokes, mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Executive Producer Jennifer Eiben, Executive Editor Brandon Karpf, President Simone Petrella, and Publisher Peter Kilpe contributed to this episode.
