Nerds Gummy Clusters (12:06)

This episode is brought to you by Nerds Gummy Clusters, the sweet treat that always elevates the vibe with a sweet gummy surrounded with tangy, crunchy nerds. Every bite of Nerds Gummy Clusters brings you a a whole new world of flavor. Whether it's game night, on the way to a concert or kicking back with your crew, unleash your senses with Nerds. Gummy Clusters.

Dave Bittner (12:29)

Cyber threats are evolving every second, and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with Threat Locker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit threatlocker.com today to see how a default deny approach can keep your company safe and compliant. Do you know the status of your compliance controls right now? Like right now, we know that real time visibility is critical for security, but when it comes to our GRC programs, we rely on point in time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the Vanta brings automation to evidence collection across 30 frameworks like SoC2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com cyber that's vanta.com cyber for $1,000 off. Joining me once again is Tim Starks. He is a senior reporter at cyberscoop. Tim, great to have you back.

Tim Starks (14:28)

Wonderful as always. It's like it's a real high of my week.

Dave Bittner (14:32)

Well, I appreciate that. A couple stories that you did over for cyberscoop that I want to touch on today. Let's start off with your Story about Kash Patel, nominee for the FBI, of course, and the degree to which he was questioned about cybersecurity.

Tim Starks (14:50)

Yeah, it was a minor amount, but it was not insignificant, or else we wouldn't have written a story. Of course, you know, he's a nominee who has a lot of things that lawmakers were concerned about. Democrats, of course, not Republicans. But there was an interesting thing that happened. We wrote the story, and then CNN published some details that were related to it. Not. Not because of my story, but. But it was interesting that the way that happened, timing wise. Senator Klobuchar, you know, said, hey, look, you're talking about closing down the FBI headquarters. This is the place where, you know, people who run our cybercrime investigations work. And there was a little bit of jousting over that. And, you know, she didn't get a real answer to the question, you know, about his previous remarks about having said this, that turning it into a museum of the deep state. On day one. There was a couple other things that came up. One was Ross Ulbricht, the pardon of the man who operated the Silk Road Marketplace, sold drugs, and he was charged with computer hacking. He was pardoned. They asked Kash Patel, what do you think of that? He's like, not my place to win on the pardons. I think probably maybe the most significant policy thing they discussed that was cyber related was his view on section 702, which, of course is the law that is warrantless vacuuming up of communications targeting foreigners. But if you just so happen to have been a US Citizen talking to that person, there is a way for the FBI to seek that data about you. And there was a big debate in the last couple years, you'll recall, and it's actually a pretty long running one at this point. But. But before they reauthorized it, there was a big debate. Should we add a warrant requirement? Do you need to get a warrant requirement to go in and get information about U.S. citizens?

Dave Bittner (16:34)

Right.

Tim Starks (16:34)

And cash. Patel's view was that's. That's not something that's good that would actually harm investigation. It was a pretty traditional view of the hawkish side of that debate, as opposed to the side of the debate that was really focused on privacy and Fourth Amendment and those kinds of concerns.

Dave Bittner (16:50)

Yeah. Tulsi Gabbard also made an appearance in front of the senators here. What came of that?

Tim Starks (16:56)

Yeah, she got asked about a similar thing. She got asked about. My colleague Derek Johnson wrote about the hearing. She got asked about whether Edward Snowden was a traitor, which was something that she didn't seem eager to answer all that directly. You know, she, she's had some changes on her position on section 702. That was something that, that the, the committee hearing delved into. You know, obviously that's something she's gonna, if she's gonna be the Director of National Intelligence, that's gonna be something where her agency is gonna have a lot of oversight about that kind of activity. And she had once upon a time called this section 702 an overreach. But she has turned around and said actually it's a very direct, quote, vital national security tool. And that's something that, depending on where you were at, where you were at on the debate when it was happening, whether you were happy that she said that or unhappy that she said that.

Dave Bittner (18:00)

I want to switch gears and touch on another article that I believe you co wrote here. And this was about the government falling victim to some crypto jacking.

Tim Starks (18:12)

Very rare when that happens. We did find several instances beforehand of it happening, but the, you know, the cyber pros we talked to just were like, no, this is something really, really we haven't really heard of. So it's exceedingly rare that the government is crypto jacked. And it just so happens that USAID was in the fall and me and my colleague Rebecca over at FedScoop broke this story and explained, you know, it cost the company, it cost the agency half a million dollars to fix to deal with this. Basically, they, the cryptojackers just come in, they use up your electricity to mine crypto, and then they leave. And that seems to be what happened. What has happened here? I think I was looking at the numbers to get a sense of like, what is a half a million dollars to usaid? It may not sound like that much money if you're talking about a multibillion dollar agency, but that is the amount equivalent to how much they spent in 2023 on notifying children of tuberculosis. So we're talking about real money that could make a difference and that essentially was lost as a result of this hacking. And it could have been worse because these cryptojackers, cryptojacking is a real threat, but it's a lower level threat than say, ransomware.

Dave Bittner (19:31)

Right.

Tim Starks (19:31)

You know, there's not just monetary damage. There could be other damage as well. So these hackers could have used this access to do something much worse than they actually did. And what they did was pretty bad already.

Dave Bittner (19:40)

Yeah, I have to say I was sort of scratching my head over this one as to whether or not Crypto jacking the federal government is poking the bear.

Tim Starks (19:50)

Yeah, I mean, one of the things that I can't remember if we included this in the story, but certainly one of the things that I talked about, people is like, why would you do this? Like, what's, why would you crypto jack up the federal government? What do you, what do you, you know, there's so many, there's so many people you could target. And they, they do target lots. They target the private sector. The private sector loses tens of millions of dollars to this every year according to people he's talked to. So there's a chance that it was that they just didn't know who they were targeting, that they just were, you know, searching the web for, for vulnerable targets and found this, found this, found usa, usaid. The other thing though was that, and this is the part that I started to say this is a relatively low amount of money such that this isn't going to be like cooling a pipeline where the federal government is suddenly going to be coming for you because you shut down Eastern Seaboard's. You didn't really shut it down, but it caused a panic and suddenly people are having trouble buying gasoline. So it's a relatively low amount of money that it probably wasn't going to. It's low risk and it's low reward. But, but it does.

Dave Bittner (20:54)

It did.

Tim Starks (20:54)

It did strike us as very odd because why would you want to. Why a federal agency? And we didn't entirely get to the bottom of it, but it's entirely possible that they just didn't know who they were going at. They eventually figured it out. They would have had to have known something about who they were cryptojacking, you know, after they started doing it. But, but when they found them, they may, this may have just been very much a target of opportunity.

Dave Bittner (21:19)

Did you get any response from any of the agencies involved here as to either how this happened or what they planned to do in the future to prevent it?

Tim Starks (21:28)

No, we did not get that response. I would have loved. At least we were hit by a sophisticated attack. You always want that one, right?

Dave Bittner (21:38)

At this point, it's a given.

Tim Starks (21:40)

The good news is that we didn't need them to say that much about it because of the internal documents we had where they said, we've seen this, we responded. We're implementing these additional defenses. Multi factor authentication is key for this kind of thing. So we know how they responded or were going to respond. What we don't know is how much of what they said they were going to do. They actually ended up doing. I mean, we're talking about something that happened in November. It's possible that they haven't finished implementing all the defenses that they talked about doing. So that's the one thing that would have been nice to hear from them on. All jokes aside about the sophisticated campaign, it would have been nice to know if they have fixed these things instead of just here's what we say we're going to fix. That would have been something that would have been nice to know for the story, frankly. And cisa, which would certainly have been involved in some way, shape or form in evaluating what happened here, did not comment. They referred us back to usaid and USAID didn't want to say anything more. So that's where we were left.

Dave Bittner (22:35)

Yeah. All right, well, Tim Starks is senior reporter at cyberscoop. Tim, thanks so much for taking the time for us.

Tim Starks (22:42)

Yeah, thanks for having me.

Tim Starks (22:57)

And now a message from our sponsor Zscaler, the leader in cloud security Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year over year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement Connecting users only to specific apps, not the entire network Continuously verifying every request based on identity and context Simplifying security management with AI powered automation and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more@Zscaler.com Security.

Indeed (24:13)

This episode is brought to you by Indeed. When your computer breaks, you don't wait for it to magically start working again. You fix the problem. So why wait to hire the people your company desperately needs? Use indeed sponsored jobs to hire top talent fast and even better. You only pay for results. There's no need to wait. Speed up your hiring with a $75 sponsored job credit@ Indeed.com podcast. Terms and conditions apply.

Dave Bittner (24:50)

And finally, in a recent Blue sky post, Larry Pfeiffer, former CIA Chief of Staff and current Director of the Hayden center, highlighted a concerning action taken in response to President Trump's anti diversity directive. He noted that at the National Cryptologic Museum at nsa. Images of notable figures such as Elizabeth Friedman and Anne Cara Christie from the Women in American Cryptology hall of Honor, as well as Wash Wong and Ralph Adams from the People of Color In Cryptologic History, honorees were covered over with brown paper. This act has sparked discussions about the implications of the administration's stance on diversity and its impact on recognizing the contributions of marginalized groups in national security history. The museum responded to an inquiry from Mr. Pfeiffer stating, we are dedicated to presenting the public with historically accurate exhibits, and we have corrected a mistake that covered an exhibit. We look forward to visitors exploring the museum and its rich history. The decision to obscure the images of trailblazing cryptologists at the museum, whether intentional or out of misplaced caution, reflects the deep fear and uncertainty gripping government employees under the Trump administration's crackdown on diversity initiatives. This act, seemingly preemptive, underscores how agencies are scrambling to avoid political backlash, even at the cost of erasing historical contributions. It's a troubling sign of how policies rooted in ideology rather than merit can lead to self censorship and a chilling effect on truthful storytelling in public institutions. And that's the Cyberwire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2n2k's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.