Ghost students “haunting” online colleges. - CyberWire Daily

Summary7 min read

CyberWire Daily: Ghost Students “Haunting” Online Colleges
Released on June 11, 2025 | Host: Dave Bittner

Episode Overview

In this episode of CyberWire Daily, host Dave Bittner delves into a spectrum of pressing cybersecurity issues, ranging from critical software vulnerabilities and evolving botnets to the alarming rise of AI-powered fraud in online education. The episode also features an insightful conversation with Matt Radelek, VP of Incident Response and Cloud Operations at Varonis, who explores the multifaceted role of Artificial Intelligence (AI) in cybersecurity.

Patch Tuesday: A Flurry of Critical Vulnerabilities

00:45 – 04:30

The episode kicks off with an overview of the latest Patch Tuesday updates from Microsoft, highlighting over 60 vulnerabilities addressed, including an actively exploited WebDAV zero-day vulnerability deemed a top priority fix. Dave emphasizes the severity of these vulnerabilities:

"One headline grabber, a WebDAV zero day actively exploited in the wild, dubbed a top priority fix." (00:55)

Additionally, other high-risk patches target public SMB client privilege escalations and multiple Office component vulnerabilities. However, not all updates rolled out smoothly, as some Windows 11 users experienced throttling of the June cumulative update due to compatibility issues. Microsoft has assured that a revised version with all security fixes will be available by the end of the day.

Securing Operational Technology: Siemens and Schneider Electric Lead the Charge

04:31 – 06:50

Shifting focus to the industrial sector, Dave reports on critical advisories from Siemens, Schneider Electric, Aviva, and CISA regarding Operational Technology (OT) infrastructure. Siemens addressed a significant flaw in their G5 digital fault recorder, which previously allowed remote attackers to hijack recording equipment by exploiting default admin credentials. Schneider Electric and Aviva have followed suit, implementing mitigations to close these vulnerabilities and prevent their weaponization.

Mozilla and Salesforce Under the Spotlight

06:51 – 09:20

Mozilla has released an urgent Firefox update to patch two critical security flaws:

Memory Corruption in Canvas Rendering: This flaw could allow attackers to exploit memory issues and compromise browser stability.
Integer Overflow in JavaScript Engine: Specifically in the ordered hash table structure, potentially leading to heap buffer overflows.

Both vulnerabilities are rated with high severity (CVSS scores over 8), prompting Mozilla to urge immediate updates (07:15).

In parallel, a critical vulnerability in Salesforce Omnistudio has been uncovered, exposing sensitive customer data stored in plain text. This flaw, resulting from misconfigurations in Omnistudio’s data pipeline, affects thousands of organizations, particularly in healthcare, finance, and retail sectors. Researchers at Appomni have highlighted compliance risks under GDPR, CCPA, and HIPAA due to weak or missing encryption in data transmissions (08:45).

The Evolution of the Bad Box Botnet

09:21 – 11:15

Gavin Reed, CISO at Human Security, sheds light on the evolution of the Bad Box botnet. Initially discovered in 2022, Bad Box utilized backdoored firmware to spread malware across Android smart devices. Despite efforts by Human Security and the FBI to dismantle the botnet, Bad Box resurfaced in 2025 with enhanced tactics:

"Attackers have shifted from ad fraud to residential proxy services, exploiting real user IPs for attacks like DDoS and data theft." (10:05)

The latest variant employs rotating command and control domains to evade detection, signaling the imminent emergence of Bad Box 3.0.

AI-Powered Fraud: Ghost Students Exploit Online Education Systems

11:16 – 13:30

One of the most alarming trends discussed is the rise of AI-powered "ghost students" enrolling in online college courses to siphon government funds. Using stolen personal data, criminals apply for grants and loans, often targeting community colleges with low tuition fees. In 2024 alone, California reported 1.2 million fake applications, resulting in over 223,000 suspected fraudulent enrollments and at least $11.1 million in unrecoverable aid. Victims typically discover the fraud through credit score drops or loan notifications, with remediation processes stretching over years.

The U.S. Education Department has responded by mandating ID verification for new aid applicants. However, ongoing federal staffing cuts threaten to undermine these preventative measures (12:30).

Massive Data Breach at Texas Department of Transportation

13:31 – 14:56

Hackers exploited a compromised user account to steal nearly 300,000 vehicle crash reports from the Texas Department of Transportation. The stolen data included sensitive information such as names, addresses, driver’s licenses, insurance policy numbers, and license plates. Although the agency promptly disabled the compromised account and enhanced security measures, the breach highlights the importance of vigilant account monitoring and prompt response to unusual activities (13:45).

ConnectWise’s Proactive Security Measures

14:57 – 16:30

ConnectWise announced the rotation of its digital code signing certificates for Screen Connect, Automate, and RMM Tools following concerns raised by a third-party security researcher. This precautionary move addresses potential misuse of configuration data, although it is not linked to any existing security breaches, including recent nation-state attacks. Users are advised to update their builds to avoid service disruptions, with cloud users receiving automatic updates (14:15).

Leadership Change in Cybersecurity Legislation

16:31 – 19:50

Representative Mark Green, chair of the House Homeland Security Committee and a staunch advocate for cybersecurity, announced his upcoming retirement. Green’s departure could significantly impact the progress of key cyber legislation, including the reauthorization of the 2015 Cybersecurity Information Sharing Act. Potential successors like Representative Michael McCall and Representative Clay Higgins are emerging, but the future trajectory of cyber policy remains uncertain. The committee plans to maintain cybersecurity as a top priority, with Representative Andrew Garbarino expected to assume increased responsibilities (16:45).

In-Depth Conversation: AI as a Double-Edged Sword in Cybersecurity

19:51 – 28:38

The highlight of the episode is an engaging discussion with Matt Radelek from Varonis, focusing on the dual roles of AI in cybersecurity.

AI for Business and Defense vs. AI as an Attack Vector

Dave opens the conversation by addressing the multifaceted nature of AI:

"There are three main things we're all trying to do with it. One is we want to get the business gains… the second is how do we, as security professionals use it for defense? But next to that one is how does an attacker use it against us." (14:57)

Matt builds on this by emphasizing the necessity for security practitioners to balance leveraging AI for business benefits while mitigating its misuse:

"We have to see all three heads of the dog." (14:57)

Strategies for Integrating AI Securely

Matt advises organizations to:

Inventory AI Usage: Maintain a comprehensive overview of where and how AI is integrated within the organization, ensuring data used for training is secure and appropriately managed.
Promote Secure AI Adoption: Encourage businesses to adopt AI proactively while implementing robust security measures to prevent exploitation.
Enhance Access Control: Implement stringent access controls to prevent unauthorized data exposure through AI tools, ensuring only trusted individuals can interact with sensitive information.

Empathy for Security Professionals

Dave expresses empathy for security teams grappling with AI integration, likening the challenges to previous technological shifts like cloud adoption:

"It's just moved again. And so it's inevitable that it's going to move again..." (17:55)

Matt underscores the importance of not succumbing to resignation but instead adopting proactive security measures to harness AI’s potential safely.

Practical Recommendations

Dave advises focusing on protecting high-value data assets first, employing a precision approach to security:

"Aim small… try to protect the really important stuff first." (19:48)

He also highlights the critical need for robust access control mechanisms to prevent AI from becoming a conduit for data breaches.

Success Stories and Common Pitfalls

Matt identifies that successful organizations typically have longstanding data classification and management practices, often driven by compliance requirements. Conversely, many companies neglect security during cloud transformations, leading to pervasive vulnerabilities once AI tools like Copilot are integrated (23:27).

Key Takeaways

Data Security Fundamentals: Emphasizing the importance of data classification, encryption, and access control.
Proactive AI Integration: Encouraging businesses to adopt AI with a security-first mindset to stay competitive without compromising safety.
Continuous Assessment: Regularly evaluating data exposure and access privileges to adapt to evolving AI capabilities.

Final Highlights: Government Surveillance and Data Privacy Concerns

28:23 – 30:03

The episode concludes with a report from 404 Media revealing that major U.S. airlines have been covertly selling domestic flight data to Customs and Border Protection (CBP) through their data broker, ARC. This arrangement, known as the Travel Intelligence Program, amasses over a billion records daily without public disclosure, raising significant civil liberties concerns. Advocates criticize it as a "digital age revival of the collect-it-all mentality," prompting congressional inquiries into the transparency of loyalty programs and government surveillance practices (30:03).

Conclusion

This episode of CyberWire Daily provides a comprehensive overview of the latest cybersecurity threats and innovations, underscored by a deep dive into the complex role of AI in both fortifying and challenging organizational security postures. Matt Radelek’s insights offer a roadmap for integrating AI responsibly, ensuring that businesses can leverage its benefits while safeguarding against its inherent risks.

Notable Quotes:

“One headline grabber, a WebDAV zero day actively exploited in the wild, dubbed a top priority fix.” – Dave Bittner (00:55)
“Attackers have shifted from ad fraud to residential proxy services, exploiting real user IPs for attacks like DDoS and data theft.” – Gavin Reed (10:05)
“There are three main things we're all trying to do with [AI].” – Dave Bittner (14:57)
“Aim small… try to protect the really important stuff first.” – Dave Bittner (19:48)

For more detailed insights and updates on the evolving cybersecurity landscape, tune into future episodes of CyberWire Daily.

Loading summary

Transcript29 lines

[00:02]
Dave Bittner
You're listening to the Cyberwire Network powered by N2K.
[00:14]
Matt Radelek
We've all been there. You realize your business needs to hire someone yesterday. How can you find amazing candidates fast? Well, it's easy. Just use Indeed when it comes to hiring, Indeed is all you need. Stop struggling to get your job post noticed Indeed Sponsored Jobs helps you stand out and hire fast. Your post jumps to the top of search results so the right candidates see it first. And it works. Sponsored Jobs on indeed get 45% more applications than non sponsored ones. One of the things I love about Indeed is how fast it makes hiring. And yes, we do actually use Indeed for hiring here at N2K CyberWire. Many of my colleagues here came to us through Indeed plus with Sponsored Jobs. There are no subscriptions, no long term contracts. You only pay for results. How fast is Indeed? Oh, in the minute or so that I've been Talking to you, 23 hires were made on Indeed according to Indeed Data Worldwide. There's no need to wait any longer. Speed up your hiring right now with Indeed and listeners to this show will get a $75 sponsored job credit. To get your jobs more visibility at indeed.com cyberwire just go to indee indeed.com cyberwire right now and support our show by saying you heard about Indeed on this podcast. Indeed.com cyberwire terms and conditions apply. Hiring Indeed is all you need. We've got notes on Patch Tuesday Mozilla Patch matches two critical Firefox security flaws. A critical flaw in Salesforce Omni Studio exposes sensitive customer data stored in plain text. The Bad Box botnet continues to evolve. AI powered ghost students enrolling in online college courses steal government funds. Hackers nab nearly 300,000 vehicle crash reports from the Texas Department of Transportation. ConnectWise rotates its digital code signing certificates. The chair of the House Homeland Security Committee announces his upcoming retirement. Our guest is Matt Radelec, VP of Incident Response and Cloud Operations at Veronis. Wondering if AI may be the ser baris of our time and friendly skies or friendly spies. It's Wednesday, June 11, 2025. I'm Dave Bittner and this is your CyberWire Intel BR. Thanks for joining us here. It's great to have you with us. This month's Patch Tuesday rolled out with a bang. Microsoft released fixes for over 60 vulnerabilities, including one actively exploited zero day, nine critical severity issues covering remote code execution and privilege escalation, and around 56 other patches addressing memory corruption, information leaks and more. One headline grabber, a WebDAV zero day actively exploited in the wild, dubbed a top priority fix. Other high risk patches include a public SMB client privilege escalation and several Office component heap overflow and use after free bugs, all teed up for urgent deployment. However, the rollout hit a snag for some Windows 11 users. Microsoft throttled its own June cumulative update due to a compatibility issue with a limited number of devices. The company assures admins a revised version with all security fixes would be released by the end of the day. In a rare move, they paused the full scale deployment, a reminder that even well tested updates can misfire in production. Beyond OS and Office, the industrial realm isn't off the hook either. Siemens, Schneider Electric, Aviva and CISA released critical advisories this week in support of OT infrastructure. Siemens standout fix plugs a glaring flaw default admin credentials in the G5 digital fault recorder that could let remote attackers hijack recording equipment. Schneider and Aviva have joined in with their own mitigations, closing loopholes before they can be weaponized. Mozilla has released a Firefox update to patch two critical security flaws that could crash the browser or allow hackers to run malicious code. The first flaw involves memory corruption in Firefox's canvas rendering system. If triggered by specially crafted web content, it could let attackers exploit memory issues and compromise browser stability. The second flaw is an integer overflow in Firefox's JavaScript engine, specifically in the ordered hash table structure. This could lead to heap buffer overflows and similar risks when handling JavaScript heavy websites. Both vulnerabilities are rated high severity, with CVSS scores over 8. Mozilla urges users and enterprise admins to update immediately via the Built in updater or Mozilla's website to protect against potential exploitation. A critical flaw in Salesforce Omnistudio exposes sensitive customer data stored in plain text affecting thousands of organizations. The vulnerability stems from misconfigurations in Omnistudio's data pipeline of allowing input fields to bypass encryption. Simple API requests can exploit the flaw, which impacts key components like Flex Card and Omniscript. Healthcare, finance and retail sectors are particularly at risk with exposed data including names, Social Security numbers and payment info. About 15% of implementations show signs of the flaw, often due to disabled advanced security settings. Appomni researchers found that weak or missing encryption in data transmissions between components leads to gdpr, CCPA, and HIPAA compliance risks. The issue enables potential privilege escalation and identity theft. Organizations are urged to audit configurations and enforce encryption until patches are issued. Bad Box 2.0, a botnet infecting millions of low cost Android smart devices is evolving toward a new wave of fraud, according to Gavin Reed, CISO at Human Security. First uncovered in 2022 by Reed's team, Bad Box used backdoored firmware to spread malware across streaming boxes, projectors and infotainment systems. Despite takedowns by human security, the FBI, and others, bad box resurfaced in 2025 with more advanced tactics. Reid and VP of Threat Intel Lindsay Kay report that attackers have shifted from ad fraud to residential proxy services, exploiting real user IPs for attacks like DDoS and data theft. A new malware variant uses rotating command and control domains to evade detection. With continued demand for cheap, insecure Android devices, Reid warns that Bad Box three is likely on the horizon. Financial aid fraud is on the rise, fueled by identity theft and AI powered ghost students enrolling in online college courses to steal government funds. Criminals use stolen personal data to apply for grants and loans, often enrolling in community colleges where low tuition means more aid goes directly to students. In 2024 alone, California colleges reported 1.2 million fake applications, leading to over 223,000 suspected fraudulent enrollments and at least $11.1 million in unrecoverable aid. Victims often learn about the fraud only after seeing credit score drops or loan notifications. Clearing their names can take years. To combat the trend, the US Education Department now requires ID verification for new aid applicants. However, federal staffing cuts may undermine efforts to detect and prevent these increasingly sophisticated scams. Hackers accessed a compromised user account to steal nearly 300,000 crash reports from the Texas Department of Transportation. The stolen data included names, addresses, driver's licenses, insurance policy numbers and license plates. Although not legally required, the agency notified affected individuals after detecting unusual activity on May 12, the compromised account was disabled and security measures are being enhanced. The department advises victims to file taxes early and stay alert for suspicious emails or messages related to vehicle crash data. ConnectWise is rotating its digital code signing certificates for Screen Connect, Automate and RMM Tools after a third party security researcher raised concerns about potential misuse of configuration data, the issue involves how the Screen Connect installer handles certain settings, which could be exploited by threat actors with system level access. While ConnectWise states this action is not linked to any security breach, including a recent nation state attack, it is also releasing updates to improve configuration handling. The certificates issued by DigiCert were initially set to be revoked on June 10, but the deadline was extended to June 13 to allow time for updates on PREM and cloud users must update builds to avoid service disruptions. Cloud users will receive automatic updates but should verify their agents are current. Representative Mark Green, a key advocate for cybersecurity and chair of the House Homeland Security Committee, announced his upcoming retirement, potentially shifting the landscape for cyber legislation. Green prioritized cyber workforce development and the reauthorization of the 2015 Cybersecurity Information Sharing act, which expires in September. His departure could delay or complicate progress on these initiatives. Possible successors include representative Michael McCall, a past chair, and cyber policy veteran, and Representative Clay Higgins, who also has a cybersecurity focus. The committee says it will maintain cyber as a top priority, with increased responsibility likely falling to Representative Andrew Garbarino, who leads the cybersecurity subcommittee. Green is leaving for a private sector role after a final vote on a domestic policy bill. The fate of key cyber programs remains uncertain in his absence. Coming up after the break, my conversation with Matt Radek from Veronis wondering if AI may be the Cerberus of our times and friendly skies or friendly spies. Stay with us. Hey everybody, Dave here. I've talked about Delete Me before and I'm still using it because it still works. It's been a few months now, and I'm just as impressed today as I was when I signed up. DeleteMe keeps finding and removing my personal information from data broker sites, and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved. Knowing my privacy isn't something I have to worry about every day. The Delete Me team handles everything. It's the set it and forget it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal, 20% off your delete me plan. Just go to JoinDeleteMe.com N2K and use promo code N2K at checkout. That's JoinDeleteMe.com N2k code N2K and now a word from our sponsor, ThreatLocker. Keeping your system secure shouldn't mean constantly reacting to threats. ThreatLocker helps you take a different approach by giving you full control over what software can run in your environment if it's not approved, it doesn't run. Simple as that. It's a way to stop ransomware and other attacks before they start without adding extra complexity to your day. See how ThreatLocker can help you lock down your environment at www.threatlocker.com. matt Radelek is VP of Incident Response and Cloud Operations at Varonis. In today's sponsored Industry Voices conversation, we wonder if AI may be the Cerberus of our time.
[14:58]
Dave Bittner
AI is kind of all the same thing, right? Like the idea that we're going to use some combination of either models or learning that's taken place on a particular data set. And there are three main things we're all trying to do with it. One is we want to get the business gains and we want to leverage it to level up our businesses or make us more productive or better as humanity. So that's one head of the dog. But then squared right next to it is how do we, as like, security professionals use it for defense? But next to that one is how does an attacker use it against us? And so there's really these three ways that we have to look at AI all the time as security practitioners, when a lot of the world is really only looking at it one way. A lot of the world is thinking about, how do I get business gains from it? And so to them, AI is like Pandora's box. Whereas to a security practitioner, we have to see all three heads of the dog.
[15:51]
Matt Radelek
Well, I mean, let's continue that metaphor as a security practitioner, how do you make it so that those three heads of the dog are able to coexist?
[16:00]
Dave Bittner
Some of the basic stuff like understanding where and how your organization is leveraging AI. And I think one growing concern for people is that apps that they purchased before are now getting AI embedded in them. And so something that they already bought that maybe they already did the terms and conditions with, released a new AI feature that they didn't realize was maybe using their data in a training set. So this, like, concept of, like, an inventory of, like, where you have data and how it's being used has never been more paramount than today. You need to know, like, with every kind of SaaS or PaaS application or even cloud storage that you're using, how is the data that you're exchanging with it being processed, stored and transmitted? And is it being used to train an AI model, whether it's localized to your tenant or a part of that vendor's larger learning. So I think that's one aspect of it. I think the second piece of it is endorsing it for your business. I find there are still some security practitioners and security pros that are hesitant to kind of push their business to go all in with it. But I think it's like a survive or die type of environment where you need to be using AI or your competitors are going to be using it before you, and then you should be partnering with people that have it as well. And these are all ways that you can, like, on the lower risk side, get a handle on what and how your organization is leveraging artificial intelligence. But then also get a handle on how your security teams can benefit from it while staying educated about how attackers are using it.
[17:30]
Matt Radelek
Do you have a certain amount of empathy or dare I say, sympathy for folks in security who feel a little overwhelmed by all of this, that they're trying to turn those knobs to make sure that the business gets the best benefit, but at the same time they see the potential risks that are there.
[17:49]
Dave Bittner
I mean, yeah, I have empathy for those people, but this is just cloud 2.0 in a lot of ways.
[17:56]
Matt Radelek
Right.
[17:56]
Dave Bittner
Didn't we just do this 10 years ago? What was I on a podcast and talking about adoption of the cloud and whether you were going to use box or whether you're going to use S3 object storage. And we were talking about rapid elasticity and the benefits of cloud and the resilience of cloud and new data sharing agreements. Is this really fundamentally that different?
[18:19]
Matt Radelek
Well, so the notion is that the time for questioning whether or not this is going to be a thing is over.
[18:27]
Dave Bittner
Yeah, it's not only over, but if you're in the mindset of this is going to be difficult, I don't know how I'm going to weather this storm. What about what comes next? Cloud file sharing services was first cloud containerization like Kubernetes and moving your workloads out of your data centers into just in time, Kubernetes clusters. That was five years ago, three years ago for a lot of companies right now. And now we're talking about using agentic AI instead of having a call center. The risk has just changed where you store, process and store the data and how the data is put at risk. It's just moved again. And so it's inevitable that it's going to move again, that it's going to happen again. There's going to be another in five or ten years from now, another major technological breakthrough that makes us all have to re question our security program. Maybe it's going to be quantum. Right. That makes us all have to question our security programs and adapt our security programs. But I think we as security professionals, to use your own language, is we have to have empathy and sympathy for our businesses. We have to usher that change in. And I think what AI really Represents is the need to have good underlying fundamental data security.
[19:39]
Matt Radelek
So what are your recommendations then for the people who are trying to get their arms around this, trying to get ahead rather than playing catch up. What sort of words of wisdom do you have?
[19:48]
Dave Bittner
I think the first one is you got a lot of data to protect, right? And so you could think of, I'm going to try to protect all of it all the time. Or you could also. I have a saying aim small that comes from the precision marksmanship community. Like if you aim small, you might miss small. And you should try to protect the really important stuff first. You can get a grasp around like your intellectual property or your customer data or your employee data, you know, mergers and acquisitions information. If you can focus on that really, really high value data asset, figure out where it is, where it's put at risk, what AI is using it, if any, and then make a decision about it. You'll learn a lot along the way about what you did or didn't know or what you could or couldn't answer about your data. And then you could look more broadly. The other end of the spectrum is assume everything is going to get gobbled up by some Pacman copilot at some point and make sure that you have good access control. Because ultimately a lot of AI is a test of access control. Do you have developers that can just dump an entire data set into a new model? Do you have users that can enter a prompt and access far too much information? Like, do you, do you fundamentally know the kind of data you want to put into AI or not? These are the questions that somebody needs to answer and really think about in order to get a handle on it. And it's not that hard.
[21:05]
Matt Radelek
I guess I'm trying to understand the difference between being cautious and resignation. Does that make sense?
[21:15]
Dave Bittner
Yeah, I'll try to give you like a customer example.
[21:17]
Matt Radelek
Yeah, that'd be great.
[21:18]
Dave Bittner
A lot of companies that are looking at Microsoft Copilot even still to this day are thinking about how deep do they go with Copilot and the difference between, let's say you're a 10,000 employee company, 300 users and 3,000 users isn't that much. Like what? Do you Trust those other 2,700 people? Slightly more than the first 300. It just doesn't make a lot of sense to me. Yes, like you should do an initial pilot, but once you break out of like IT and security and you start getting into business, users that you know have different interests in mind or don't know that everything is logged and monitored or could be logged and monitored, you start to get people that abuse these co pilots. I mean, the more users, the higher the likelihood that you're going to have some insider that's going to abuse something like that or some compromised account, but you're just delaying the benefits. And so I think if you pair security with productivity and you teach people how to use prompts, but you let them know that all your prompts are logged and monitored, well, next thing you know, people are sharing what good is coming of it and you're learning what data that you have exposed. But unfortunately, companies don't even know what that is. They don't realize how much of their 365 is wide open. And as soon as Copilot gets connected, all the obscurity that existed before is gone. And so now you can just use Copilot to say, well, what did so and so make? Or what were the last trades that were made? Or are we buying any companies? Or what were the bonuses that were handled that last year? Or are there any passwords that I have access to and realize how quickly it is to get answers back? So if you didn't have good data security, what does 300 versus 3,000 employees having access to Copilot do for that problem? Yeah, you know, I mean, again, like there's slightly less likelihood of exploitation because the more people, the higher the likelihood you got a bad apple, I guess. Right. But is it really fundamentally that big of a difference of a risk profile? And what about that 3,000 to your full 10,000? The same vulnerability exists. The likelihood of being exploited goes up slightly.
[23:13]
Matt Radelek
Well, let me turn the question around in a way and ask, in your experience, the companies who are seeing success in adapting to this, what are some of the common elements that they share?
[23:28]
Dave Bittner
They've thought about data classification and data management for a long time. Maybe it was data archiving and stale data management that drove it, like some type of compliance regulation that made them think we have to keep X data type for 5 years or X data type for 7 years, or X data type for 10 years and they knew they needed to solve that problem. And so they started to think about where their data was and what they could do about it. But a company that has a sense of access control already, even if it's only at the identity layer, is going to have a much easier time at thinking about, well, how do I make my data ready for AI than one that they think of security as like harden the perimeter and throw EDR everywhere.
[24:11]
Matt Radelek
Before we run out of time. I want to touch on a report that you and your colleagues at Varonis have published. This is your state of data security report. I want to make our listeners aware of that, but also ask you what prompts the creation of this report.
[24:26]
Dave Bittner
Yeah, so we run risk assessments. It's what we do. It's our go to market strategy. It's also how we engage with existing customers. And so what companies will have us come in and help them. Am I prepared for Copilot or is my data ready to connect to a large language model or can I put some type of masking or encryption in place on my databases or my snowflake to be better prepared? Can I do a cloud transformation project? How we help them is we'll come in and we'll assess that risk. We'll say, hey, you got a lot of data that's open or you got a lot of data that's exposed. And every so often when we run those assessments we zoom out and we look at like, well, what are the trends? And what we saw with the cloud data store specifically is that there's a lot of the same problems that existed in the on premises and we've had enough time in the cloud to say, yeah, like people don't use all the access that they have. There's a lot of third party guest identities or third party apps that are unverified and unregistered that have access to your data. There's AI apps that are connected to everything. And a lot of times, and I'll give you Salesforce an example, users have the abilities to install plugins and add ons either to like a Salesforce or a365 and they don't understand that they're connecting corporate data to a third party app. When they click Allow they but because they have the permissions to do so, they think it's okay.
[25:51]
Matt Radelek
What are some of the key things in the report that stood out to you? Anything particularly surprising?
[25:57]
Dave Bittner
I don't know. I do assessments every day so I can't say that anything is going to surprise me. But the number of third party identities that are unused and still have access to data. I thought people had better contractor management that like when someone stopped working with them, they wanted to offboard them. Maybe I just got lucky at all the different places that I worked where offboarding was like a really big deal, but I see that a lot. The amount of data that someone has access to and doesn't use doesn't surprise me. But for something that's so new, like A data lake or an object repository or like a salesforce where a company just moved there two years ago for most of your employees to have access to most of everything means you never set it up properly. And so I am surprised sometimes that we aren't investing in security from the get go when we undergo these cloud transformation projects or these like cloud migration projects, which is real common for databases to data lakes. Right now that we're not thinking about security from the forefront and we're still coming back to do it later. I wasn't expecting that to be as pervasive as it is, but the cynical part of me goes, well, why did I expect anything less?
[27:05]
Matt Radelek
It reminds me of a statement I saw in the past week or so is an engineer saying, well, of course this is just a temporary solution, unless of course it works.
[27:16]
Dave Bittner
Yeah, I think that's really well stated. Right? Like, like, well, we were just trying it out and then it, it kind of just worked so we stuck with it. I also, it's like, you know, you go from pilot to production and then you say you're going to do security and then the next project comes along and, and look to an extent that that's, that's okay. That's risk acceptance. Risk acceptance is a part of risk management. But where it's going to get you is when that data is private to you and ends up in a model that's served to more people. That's where it's kind of hard to get undone. Or you unleash a bunch of data on copilot that's private to your company or to smaller groups at your company. And now anyone with copilot can get to it. These things are not easy to undo, to take out of the semantic index. And I think this is the place. Why? Justfully so, some people are a bit more cautious because they don't want to get bit. But also why, I don't know that everyone fully understands the risk that it poses. All the more reason to figure out again, like aim small, what data do you not want to get there? Can you take some steps to make sure that that doesn't happen? You might learn a lot along the way.
[28:24]
Matt Radelek
That's Matt Radelek, VP of Incident Response and Cloud Operations at Veronis.
[28:38]
Dave Bittner
Foreign.
[28:44]
Unknown
Regulations, third party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you've ever found yourself drowning in spreadsheets, chasing down screenshots or wrangling manual processes just to keep your GRC program on track. You're not alone. But let's be clear. There is a better way. Vanta's trust management platform takes the headache out of governance, risk and compliance. It automates the essentials from internal and third party risk to consumer trust, making your security posture stronger. Yes, even helping to drive revenue. And this isn't just nice to have. According to a recent analysis from IDC, teams using Vanta saw a 129% boost in productivity. That's not a typo, that's real impact. So if you're ready to trade in chaos for clarity, check out Vanta and bring some serious efficiency to your GRC game. Vanta GRC how much easier trust can be? Get started@vanta.com cyber.
[30:03]
Matt Radelek
And finally, it turns out the major US airlines you know, the ones who can't find your luggage have been quietly selling your domestic flight data to Customs and Border Protection. An Investigative report from 404 Media reveals that through a data broker the airlines own called arc, airlines shared names, itineraries and payment information, all while telling CBP not to mention them by name. This cloak and dagger data deal, documented through FOIA requests, supports tracking persons of interest without pesky things like warrants. The program, known as the Travel Intelligence Program, updates daily and holds over a billion records. Civil liberties advocates are unsurprisingly unimpressed. One called it a digital age revival of the collect it all mentality. Meanwhile, Congress is starting to ask airlines why their loyalty programs apparently come with complimentary government surveillance. Turns out when it comes to data collection, the sky's the limit. And that's the Cyberwire. We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of August. There is a link in the show notes. Please do check it out. N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Helt Smith. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. And now a word from our sponsor. Spy Cloud Identity is the new battleground and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. Spy Cloud's holistic Identity Threat protection helps security teams uncover and automatically remediate hidden exposures across your users from breaches, malware and phishing. To neutralize identity based threats like account, takeover, fraud, and ransomware. Don't let invisible threats compromise your business. Get your free corporate darknet exposure report@spycloud.com cyberwire and see what attackers already know. That's spycloud.com cyberwire.