Ben Yellen (12:20)

And now a message from our sponsor. Zscaler, the leader in cloud security Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year over year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public facing IPs that are exploited by bad actors more easily than ever with AI tools, it's time to rethink your security. Zscaler Zero Trust+AI stops attackers by hiding your attack surface, making apps and IPs invisible eliminating lateral movement Connecting users only to specific apps, not the entire network Continuously verifying every request based on identity and context Simplifying security management with AI powered automation and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more@zscaler.com Security Foreign.

Dave Bittner (13:39)

Threats are more sophisticated than ever. Passwords. They're outdated and can be cracked in a minute. Cybercriminals are intercepting SMS codes and bypassing authentication apps. While businesses invest in network security, they often overlook the front door. The login Yubico believes the future is passwordless. Yubikeys offer unparalleled protection against phishing for individuals, SMBs and enterprises. They deliver a fast, frictionless experience that users love. Yubico is offering N2K followers a limited buy one, get one offer. Visit yubico.com N2K to unlock this deal. That's Yubico. Say no to modern cyber threats. Upgrade your security today.

Ben Yellen (14:27)

Foreign.

Dave Bittner (14:36)

And joining me once again is Ben Yellen. He is from the University of Maryland center for Health and Homeland Security. But much more important than that, he is the co host on the Caveat podcast with yours truly. Ben, it's great to have you back.

Sam Kinch (14:48)

Great to be with you again.

Dave Bittner (14:49)

Dave, I want to touch base with you on what's been going on with Apple and the UK government here. Some interesting movements. Can you describe for us what's going down?

Sam Kinch (15:01)

Sure. So this was first reported in the United States by the Washington Post. The British government made a request to Apple and presumably to other big tech companies, although we don't have any detail on those other companies, to allow a backdoor into encrypted icloud data. This comes from a law called the Investigatory powers Act of 2016 which allowed the British government to compel companies to turn over data and communications for both law enforcement and intelligence intelligence agencies. So it was leaked that Apple had received this request and this prompted concern not just in the United Kingdom, but worldwide. We have data sharing agreements between the US and the UK So there was concern expressed by members of the United States Congress that if the UK was seeking this backdoor into Apple's encrypted communications, that could have an impact on US consumers. Also for intelligence gathering purposes. We're part of the five eyes intelligence of English speaking countries and if we're sharing intelligence with one another, then this could have a significant impact on US persons communications potentially. So there was kind of a expectation or at least concern that Apple, despite standing up to governments in the past, might have to comply with this demand to stay in the market in the United Kingdom. And Apple, instead of doing so, decided to no longer offer its advanced data protection feature in uk. So users in the UK starting as we're recording this this coming Friday, will no longer have the capability to encrypt their icloud data messages, notes, photos, iPhone, backups, et cetera. So this is major news for consumers of Apple products in the United Kingdom. UK users are going to get a notice on their application saying that this advanced data protection feature, which Apple has established to put itself at the forefront of efforts to prot user privacy, is not going to be available in Britain. So it's certainly a major news story.

Dave Bittner (17:12)

It's interesting to me how Apple announced this without acknowledging the request from the UK government to build in the back door they're just sort of saying because reasons we can no longer offer this in the uk.

Sam Kinch (17:28)

Yeah. Presumably they're subject to a gag order, which is why they can't actually reference this order. I think people who've been following the news can read between the lines and understand why Apple said, due to circumstances, quote, end quote, we are no longer able to offer this advanced data protection feature.

Dave Bittner (17:45)

Right.

Sam Kinch (17:46)

I think Apple is calling the UK government's bluff and they are hoping that by removing this feature, enough UK Apple users will be angry and will complain to their members of Parliament that the government will drop its request to create this backdoor to users cloud data. But you don't know what the British government is going to prioritize. Maybe they're more concerned about access to valuable law enforcement and counterintelligence information than they are about angry Apple users. So it remains to be seen how the UK is going to react to Apple's decision. But I think it's certainly encouraging from a privacy perspective that Apple, as it did in the United States with the San Bernardino terrorist iPhone back in 2015, 2016, is standing up to a government that's trying to force it to create this backdoor. And it means that they take user privacy very seriously.

Dave Bittner (18:47)

At the risk of being highly speculative here, what if I'm using some other company's end to end encrypted app in the uk? I'm using Facebook messenger, for example.

Sam Kinch (18:59)

Use it at your own risk, Mr. Bittner.

Dave Bittner (19:01)

Well, so what I'm asking is should I base should I assume a backdoor? If a backdoor was allegedly requested from Apple, should I assume that the UK government also requested a backdoor from Meta and that since we've heard nothing from Meta, perhaps the backdoor was granted?

Sam Kinch (19:25)

I don't know if you can assume it, but it's certainly something you can take into consideration if you use encrypted applications and if you rely on them to keep your communications private. I think it would be naive to believe that the UK government only made this demand of one tech company and not the other companies that use end to end encrypted applications. We don't have any facts and evidence that indicate that to us at this time. But yes, I think it would cause a prudent person to be careful and to be cognizant of the fact that the UK is trying to claim these powers. They are trying to use the Investigatory Powers act to gain backdoors into these company systems. So yes, I think it's cause for concern and cause for users of some of these other end to end encrypted applications to be wary of using them in the United Kingdom.

Dave Bittner (20:21)

Well, Ben Yellen is from the University of Maryland center for Health and Homeland Security and also my co host on the Caveat podcast where we discuss cyber law and policy. So if you have not already done so, please do check out that podcast. We have a good conversation every week. Ben, thanks so much for joining us.

Sam Kinch (20:38)

Thank you.

Dave Bittner (20:54)

Do you know the status of your compliance controls right now? Like right now? We know that real time visibility is critical for security, but when it comes to our GRC programs, we rely on point in time checks. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SoC2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com cyber that's vanta.com cyber for $1,000 off. And finally, the Wall Street Journal chronicles how Disney employee Matthew Van Andel's life fell apart because of a simple mistake. Downloading an AI tool from GitHub, a software development manager, he thought he was experimenting with AI generated images. Instead, he unknowingly installed malware that gave a hacker full access to his computer, including his Disney login credentials. For months, the hacker lurked undetected, collecting Van Andel's passwords and session cookies. Then, in July of last year, a chilling message arrived on Discord. A stranger knew about a private conversation Van Andel had at lunch with coworkers, details no outsider should have. Minutes later, Disney's internal Slack messages began appearing online. The hacker used Van Andel's credentials to breach the company's systems, leaking 44 million sensitive messages, including private customer data, employee passport numbers, and financial reports. Disney's cybersecurity team scrambled to contain the fallout, but the damage was done. Meanwhile, Van Andel's personal nightmare worsened. The hacker drained his bank accounts, stole his Social Security number, and even accessed his home security cameras. His private information was dumped online, leaving him exposed to identity theft. Then came another Disney fired him. The company's forensic review claimed he had accessed pornography on his work device, an allegation he vehemently denies. It's impossible to convey the sense of violation, he said. The incident highlights the growing dangers of AI driven cyber threats. Hackers are increasingly using infostealers, malicious software hidden inside downloads, to collect credentials, which are then resold on the dark web. Stolen credentials were behind nearly 40% of cyber intrusions in 2024, up from just 20% the year before. Van Endel's story is a cautionary tale for both individuals and corporations. As companies expand remote work and AI adoption attackers are finding new ways to exploit unsuspecting users. One careless download was all it took to bring down a Disney employee and compromise an entire company's security. And that's the Cyberwire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insight insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com this episode was produced by Liz Stokes. N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. And now a message from Black Cloak did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Blackcloak's award winning digital executive protection platform secures their personal devices, home networks and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one third of new members discover they've already been breached. Protect your executives and their families 247365 with BlackCloak. Learn more at BlackCloak IO.