Dave Bittner
You're listening to the CyberWire network, powered by N2K. Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers, so I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you, with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe now at a special discount for our listeners today. Get 20% off your DeleteMe plan when you go to JoinDeleteMe.com/N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com/N2K and enter code N2K at checkout. That's JoinDeleteMe.com/N2K, code N2K.
A major employee screening provider discloses a data breach affecting over 3.3 million people. Signal considers exiting Sweden over a proposed law that would give police access to encrypted messages. House Democrats call out DOGE's negligent cybersecurity practices. Critical vulnerabilities in rsync allow attackers to execute remote code. A class action lawsuit claims Amazon violates Washington state's privacy laws. CISA warns that attackers are exploiting Microsoft's Partner Center platform. A researcher discovers a critical remote code execution vulnerability in MITRE's Caldera security training platform. An analysis of CISA's JCDC AI Cybersecurity Collaboration Playbook. Ben Yellen explains Apple pulling iCloud end-to-end encryption in response to the UK government, and a Disney employee's cautionary tale. It's Wednesday, February 26th, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here. It is great to have you with us.
Texas-based DISA Global Solutions, a major employee screening provider, has disclosed a data breach affecting over 3.3 million people. DISA, which serves 55,000 customers with background checks and drug testing, reported that hackers accessed its systems from February 9 through April 22, 2024. The breach exposed names, Social Security numbers, driver's licenses, financial data and more. DISA conducted an extensive review to identify affected individuals and is offering one free year of credit monitoring. The company has not found evidence of data misuse and has not confirmed if ransomware was involved. No cybercriminal group has claimed responsibility.
House Democrats have urged President Trump to halt Elon Musk's Department of Government Efficiency due to negligent cybersecurity practices that could expose sensitive federal systems to cyber threats. Lawmakers warned that DOGE's reckless actions, including accessing networks at the Treasury, the Office of Personnel Management and the Energy Department's nuclear programs, have created security risks. Many DOGE members lack government experience and have disrupted agencies, prompting legal challenges and congressional outcry. A group of 21 DOGE employees formerly from the US Digital Service resigned in protest, refusing to compromise government security. Lawmakers led by Representative Gerry Connolly have requested a briefing by March 11 to assess cybersecurity violations. Meanwhile, a U.S. District Court judge blocked the DOGE team from accessing Treasury payment systems, citing a rushed and flawed approval process under the Trump administration. Judge Jeannette Vargas ruled that Democratic attorneys general were likely to succeed in proving Treasury acted illegally. She criticized the agency's chaotic handling of security risks and noted serious lapses in training and oversight.
Signal is considering exiting Sweden over a proposed law that would allow police to access encrypted messages retrospectively.
Signal CEO Meredith Whittaker stated that complying would require breaking encryption, undermining the app's core purpose. If passed, the law would take effect in 2026. Sweden's police and security services support the bill, but the Swedish armed forces oppose it, warning it would introduce security vulnerabilities. Brigadier General Mattias Hanson even endorsed Signal for non-classified military communications. This follows a similar standoff in the UK, where Signal and Meta opposed encryption backdoors in the Online Safety Act, leading the government to back down. Recently, the UK also pressured Apple to remove iCloud end-to-end encryption. Security experts warn that such government demands undermine global security and user privacy.
Critical vulnerabilities in rsync versions 3.2.7 and earlier allow attackers to execute remote code, exfiltrate sensitive data, and bypass security controls. The most severe flaw is a heap buffer overflow in checksum handling, enabling memory corruption. Attackers can also bypass address space layout randomization and exfiltrate client files using checksum brute forcing. Additionally, symbolic link exploits allow attackers to evade rsync's safe-links protection. Combining these flaws enables full remote code execution, with researchers demonstrating exploitation on Debian 12's rsync 3.2.7 daemon. Users must upgrade to rsync 3.4 immediately, which patches these issues by implementing stricter bounds checking, stack buffer initialization, and improved path sanitization. Administrators should disable anonymous access and enforce safe links for untrusted connections to prevent breaches.
A proposed federal class action lawsuit alleges Amazon's software development kit illegally collects and sells sensitive user data, violating Washington's My Health My Data Act. Plaintiff Cassandra Maxwell claims Amazon's SDK, embedded in thousands of mobile apps, tracks location and biometric data without user consent.
Filed on February 20, this is the first lawsuit invoking the My Health My Data Act since it took full effect in 2024. Maxwell alleges Amazon's data collection could reveal health-related searches or visits. The lawsuit seeks damages, penalties and injunctive relief. Amazon denies the claims, stating it prohibits partners from sharing health or precise location data and discards any mistakenly received information. Legal experts predict more lawsuits under the My Health My Data Act, with implications for healthcare and app developers.
CISA issued an urgent advisory warning that attackers are exploiting a critical privilege escalation flaw in Microsoft's Partner Center platform. The vulnerability allows unauthenticated attackers to gain elevated privileges, potentially accessing sensitive data and spreading malware. Initially rated 8.7 on the CVSS scale, it was later upgraded to 9.8 due to its severity. Microsoft has patched the issue automatically, but CISA mandates that federal agencies apply updates by March 18th. Organizations are urged to enforce network segmentation, audit access controls and adopt zero trust principles. The flaw's impact on Microsoft's partner ecosystem raises supply chain security concerns. CISA advises businesses to follow cloud security best practices and monitor Microsoft advisories.
A critical remote code execution vulnerability in MITRE's Caldera security training platform has been discovered, affecting all versions since 2017 except the latest patched release. Security researcher Dawid Kulikowski urges users to update immediately, as the flaw allows attackers to hijack the platform remotely, particularly in default configurations. Caldera, widely used for adversary emulation, relies on Go, Python and GCC, conditions often met in real-world setups. The vulnerability exploits an unauthenticated API endpoint, allowing attackers to manipulate Manx and Sandcat agents via crafted HTTPS requests.
Developers were aware the endpoint lacked authentication, heightening the risk. Kulikowski published a partial proof of concept while omitting key details to prevent easy exploitation. Users should apply patches or restrict access to prevent unauthorized attacks.
In an editorial for CyberScoop, cybersecurity expert Sam Kinch discusses the growing threat of AI-driven cyberattacks and the importance of the JCDC AI Cybersecurity Collaboration Playbook, recently released by CISA. Kinch is currently an executive client advisor at Tanium and previously served as director of the Department of Homeland Security's Technical Security Team and as a senior executive to the commander at U.S. Cyber Command. He argues that as adversaries weaponize AI, defenders must respond in kind, leveraging AI for security while improving coordination between public and private sectors. Kinch praises the Playbook's focus on operational collaboration, highlighting its structured information sharing checklist and improved coordination between federal, private and international partners. However, he warns that delays in intelligence sharing, particularly between DHS and other federal agencies, could hinder rapid response efforts. He emphasizes that trust is key to successful cybersecurity collaboration, urging clearer protocols and stronger protections for private sector partners hesitant to share threat data. While commending CISA's proactive approach, Kinch stresses that industry leaders must take responsibility for implementing and refining the Playbook to strengthen national AI-driven cybersecurity defenses.
Coming up after the break, Ben Yellen explains Apple pulling iCloud end-to-end encryption in response to the UK government, and a Disney employee's cautionary tale. Stay with us.
Ben Yellen
And now a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise, with an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust + AI stops attackers by hiding your attack surface, making apps and IPs invisible; eliminating lateral movement, connecting users only to specific apps, not the entire network; continuously verifying every request based on identity and context; simplifying security management with AI-powered automation; and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com/security.
Dave Bittner
Threats are more sophisticated than ever. Passwords? They're outdated and can be cracked in a minute. Cybercriminals are intercepting SMS codes and bypassing authentication apps. While businesses invest in network security, they often overlook the front door: the login. Yubico believes the future is passwordless. YubiKeys offer unparalleled protection against phishing for individuals, SMBs and enterprises. They deliver a fast, frictionless experience that users love. Yubico is offering N2K followers a limited buy one, get one offer. Visit yubico.com/N2K to unlock this deal. That's Yubico. Say no to modern cyber threats. Upgrade your security today.
Dave Bittner
And joining me once again is Ben Yellen. He is from the University of Maryland Center for Health and Homeland Security. But much more important than that, he is the co-host on the Caveat podcast with yours truly. Ben, it's great to have you back.
Ben Yellen
Great to be with you again.
Dave Bittner
Ben, I want to touch base with you on what's been going on with Apple and the UK government here. Some interesting movements. Can you describe for us what's going down?
Ben Yellen
Sure. So this was first reported in the United States by the Washington Post. The British government made a request to Apple, and presumably to other big tech companies, although we don't have any detail on those other companies, to allow a backdoor into encrypted iCloud data. This comes from a law called the Investigatory Powers Act of 2016, which allowed the British government to compel companies to turn over data and communications for both law enforcement and intelligence agencies. So it was leaked that Apple had received this request, and this prompted concern not just in the United Kingdom, but worldwide. We have data sharing agreements between the US and the UK, so there was concern expressed by members of the United States Congress that if the UK was seeking this backdoor into Apple's encrypted communications, that could have an impact on US consumers. Also, for intelligence gathering purposes, we're part of the Five Eyes intelligence alliance of English-speaking countries, and if we're sharing intelligence with one another, then this could have a significant impact on US persons' communications, potentially. So there was kind of an expectation, or at least concern, that Apple, despite standing up to governments in the past, might have to comply with this demand to stay in the market in the United Kingdom. And Apple, instead of doing so, decided to no longer offer its advanced data protection feature in the UK. So users in the UK, starting, as we're recording this, this coming Friday, will no longer have the capability to encrypt their iCloud data: messages, notes, photos, iPhone backups, et cetera. So this is major news for consumers of Apple products in the United Kingdom. UK users are going to get a notice on their application saying that this advanced data protection feature, which Apple has established to put itself at the forefront of efforts to protect user privacy, is not going to be available in Britain. So it's certainly a major news story.
Dave Bittner
It's interesting to me how Apple announced this without acknowledging the request from the UK government to build in the backdoor. They're just sort of saying, because reasons, we can no longer offer this in the UK.
Ben Yellen
Yeah. Presumably they're subject to a gag order, which is why they can't actually reference this order. I think people who've been following the news can read between the lines and understand why Apple said, due to circumstances, quote, end quote, we are no longer able to offer this advanced data protection feature.
Dave Bittner
Right.
Ben Yellen
I think Apple is calling the UK government's bluff, and they are hoping that by removing this feature, enough UK Apple users will be angry and will complain to their members of Parliament that the government will drop its request to create this backdoor to users' cloud data. But you don't know what the British government is going to prioritize. Maybe they're more concerned about access to valuable law enforcement and counterintelligence information than they are about angry Apple users. So it remains to be seen how the UK is going to react to Apple's decision. But I think it's certainly encouraging from a privacy perspective that Apple, as it did in the United States with the San Bernardino terrorist iPhone back in 2015, 2016, is standing up to a government that's trying to force it to create this backdoor. And it means that they take user privacy very seriously.
Dave Bittner
At the risk of being highly speculative here, what if I'm using some other company's end-to-end encrypted app in the UK? I'm using Facebook Messenger, for example.
Ben Yellen
Use it at your own risk, Mr. Bittner.
Dave Bittner
Well, so what I'm asking is, should I assume a backdoor? If a backdoor was allegedly requested from Apple, should I assume that the UK government also requested a backdoor from Meta, and that since we've heard nothing from Meta, perhaps the backdoor was granted?
Ben Yellen
I don't know if you can assume it, but it's certainly something you can take into consideration if you use encrypted applications and if you rely on them to keep your communications private. I think it would be naive to believe that the UK government only made this demand of one tech company and not the other companies that use end-to-end encrypted applications. We don't have any facts and evidence that indicate that to us at this time. But yes, I think it would cause a prudent person to be careful and to be cognizant of the fact that the UK is trying to claim these powers. They are trying to use the Investigatory Powers Act to gain backdoors into these company systems. So yes, I think it's cause for concern and cause for users of some of these other end-to-end encrypted applications to be wary of using them in the United Kingdom.
Dave Bittner
Well, Ben Yellen is from the University of Maryland Center for Health and Homeland Security and also my co-host on the Caveat podcast, where we discuss cyber law and policy. So if you have not already done so, please do check out that podcast. We have a good conversation every week. Ben, thanks so much for joining us.
Ben Yellen
Thank you.
Dave Bittner
Do you know the status of your compliance controls right now? Like, right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.
And finally, the Wall Street Journal chronicles how Disney employee Matthew Van Andel's life fell apart because of a simple mistake: downloading an AI tool from GitHub. A software development manager, he thought he was experimenting with AI-generated images. Instead, he unknowingly installed malware that gave a hacker full access to his computer, including his Disney login credentials. For months, the hacker lurked undetected, collecting Van Andel's passwords and session cookies. Then, in July of last year, a chilling message arrived on Discord. A stranger knew about a private conversation Van Andel had at lunch with coworkers, details no outsider should have. Minutes later, Disney's internal Slack messages began appearing online. The hacker used Van Andel's credentials to breach the company's systems, leaking 44 million sensitive messages, including private customer data, employee passport numbers, and financial reports. Disney's cybersecurity team scrambled to contain the fallout, but the damage was done. Meanwhile, Van Andel's personal nightmare worsened. The hacker drained his bank accounts, stole his Social Security number, and even accessed his home security cameras. His private information was dumped online, leaving him exposed to identity theft.
Then came another: Disney fired him. The company's forensic review claimed he had accessed pornography on his work device, an allegation he vehemently denies. "It's impossible to convey the sense of violation," he said. The incident highlights the growing dangers of AI-driven cyber threats. Hackers are increasingly using infostealers, malicious software hidden inside downloads, to collect credentials, which are then resold on the dark web. Stolen credentials were behind nearly 40% of cyber intrusions in 2024, up from just 20% the year before. Van Andel's story is a cautionary tale for both individuals and corporations. As companies expand remote work and AI adoption, attackers are finding new ways to exploit unsuspecting users. One careless download was all it took to bring down a Disney employee and compromise an entire company's security.
And that's the CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Tré Hester with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
And now a message from BlackCloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? BlackCloak's award-winning digital executive protection platform secures their personal devices, home networks and connected lives. Because when executives are compromised at home, your company is at risk.
In fact, over one third of new members discover they've already been breached. Protect your executives and their families 24/7/365 with BlackCloak. Learn more at blackcloak.io.
CyberWire Daily Episode Summary: "Hacked in Plain Sight"
Release Date: February 26, 2025 | Host: Dave Bittner (N2K Networks)
In the February 26, 2025 episode of CyberWire Daily, hosted by Dave Bittner from N2K Networks, listeners are presented with a comprehensive overview of the latest cybersecurity threats, breaches, and industry developments. The episode, titled "Hacked in Plain Sight," delves into significant data breaches, legislative impacts on encryption, critical software vulnerabilities, and a cautionary tale highlighting the dangers of AI-driven cyberattacks.
At [02:20], Dave Bittner reports a substantial data breach involving DISA Global Solutions, a Texas-based employee screening provider. The breach compromised data of over 3.3 million individuals between February 9 and April 22, 2024. Sensitive information such as names, Social Security numbers, driver's licenses, and financial data were exposed. DISA responded by offering a free year of credit monitoring and has yet to find evidence of data misuse or confirm ransomware involvement. As Bittner states:
"DISA conducted an extensive review to identify affected individuals and is offering one free year of credit monitoring. The company has not found evidence of data misuse and has not confirmed if ransomware was involved." ([04:20])
House Democrats have raised alarms about the cybersecurity practices of DOGE, Elon Musk's Department of Government Efficiency, warning that its negligent practices may expose sensitive federal systems to cyber threats. Representative Gerry Connolly leads the call for a briefing by March 11 to evaluate these violations. A U.S. District Court judge has also blocked DOGE from accessing Treasury payment systems, citing a rushed and flawed approval process and serious lapses in training and oversight. Bittner summarizes:
"Lawmakers led by Representative Gerry Connolly have requested a briefing by March 11 to assess cybersecurity violations." ([06:15])
At approximately [07:30], the podcast discusses Signal's potential exit from Sweden following proposed legislation that would give police retrospective access to encrypted messages. Signal CEO Meredith Whittaker emphasized the conflict between complying with such laws and maintaining the app's core purpose of privacy. The Swedish armed forces have voiced opposition, citing security vulnerabilities. Bittner notes that this follows a similar standoff in the UK over the Online Safety Act and the UK's more recent pressure on Apple, a story Ben Yellen takes up later in the episode, noting:
"UK users are going to get a notice on their application saying that this advanced data protection feature... is not going to be available in Britain." ([17:12])
The episode highlights severe vulnerabilities in rsync versions 3.2.7 and earlier, which allow attackers to execute remote code, exfiltrate client files and bypass security controls. These flaws include a heap buffer overflow in checksum handling, an ASLR bypass, checksum brute forcing and symbolic link exploits that evade safe-links protection; chained together they enable full remote code execution. Organizations are urged to upgrade to rsync 3.4 immediately, disable anonymous daemon access and enforce safe links for untrusted connections:
"Users must upgrade to rsync 3.4 immediately, which patches these issues by implementing stricter bounds checking, stack buffer initialization, and improved path sanitization." ([09:45])
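As an added example of the check an administrator would run after this story (this is not code from the episode or from the rsync project), the script below parses `rsync --version` output and a daemon's rsyncd.conf, flags any version below 3.4.0, and flags modules that an untrusted client could reach anonymously or write to. The version floor of 3.4.0 is an assumption drawn from the episode's "upgrade to rsync 3.4"; the option names `auth users`, `hosts allow`, `read only` and `munge symlinks` are the rsyncd.conf settings this example assumes, and the version output and configuration shown are constructed samples, not captures from a real host.

```python
import re
from typing import Dict, List, Optional, Tuple

# Floor assumed by this example: the episode says rsync 3.4 carries the fixes
# (bounds checks, buffer initialization, path sanitization). Check the project
# advisory for the exact release you deploy.
MIN_SAFE_VERSION: Tuple[int, int, int] = (3, 4, 0)

# First line of `rsync --version` looks like: "rsync  version 3.2.7  protocol version 31"
_VERSION_RE = re.compile(r"rsync\s+version\s+(\d+)\.(\d+)\.(\d+)")


def parse_rsync_version(output: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from `rsync --version` output, or None if absent."""
    m = _VERSION_RE.search(output)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: Tuple[int, int, int]) -> bool:
    """True when the installed version predates the fixed release."""
    return version < MIN_SAFE_VERSION


def parse_rsyncd_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal rsyncd.conf reader: 'key = value' pairs under [module] headers.
    Settings that appear before the first header are globals, stored under ''."""
    sections: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_modules(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag modules reachable anonymously, from anywhere, writable, or with
    symlink munging explicitly switched off. Module settings override globals."""
    findings: List[str] = []
    globals_ = conf.get("", {})
    for name, opts in conf.items():
        if name == "":
            continue
        eff = {**globals_, **opts}
        if "auth users" not in eff:
            findings.append(f"[{name}] no 'auth users': anonymous access allowed")
        if "hosts allow" not in eff:
            findings.append(f"[{name}] no 'hosts allow': reachable from any address")
        if eff.get("read only", "yes").lower() in ("no", "false", "0"):
            findings.append(f"[{name}] 'read only = no': clients can write to the module")
        if eff.get("munge symlinks", "").lower() in ("no", "false", "0"):
            findings.append(f"[{name}] 'munge symlinks = no': symlink protection disabled")
    return findings


def audit_host(version_output: str, conf_text: str) -> List[str]:
    """Combine the version check and the module audit into one report."""
    report: List[str] = []
    version = parse_rsync_version(version_output)
    if version is None:
        report.append("could not determine rsync version")
    elif is_vulnerable(version):
        report.append("rsync %d.%d.%d is below %d.%d.%d: upgrade" % (version + MIN_SAFE_VERSION))
    report.extend(audit_modules(parse_rsyncd_conf(conf_text)))
    return report


# Constructed sample input for this example (not captured from a real host).
SAMPLE_VERSION_OUTPUT = "rsync  version 3.2.7  protocol version 31\nCopyright (C) 1996-2022 ..."
SAMPLE_RSYNCD_CONF = """
uid = nobody
use chroot = yes
[public]          # anonymous read-only mirror: still exposed to the pre-3.4 daemon bugs
    path = /srv/mirror
    comment = public mirror
[backup]          # authenticated and network-restricted, but writable
    path = /srv/backup
    auth users = backup
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.0/8
    read only = no
"""

if __name__ == "__main__":
    for line in audit_host(SAMPLE_VERSION_OUTPUT, SAMPLE_RSYNCD_CONF):
        print(line)
```

On a real host, feed `audit_host` the output of `rsync --version` and the contents of `/etc/rsyncd.conf`; the version check is the only finding that the upgrade alone clears, while the module findings are the "disable anonymous access" half of the advice and need a configuration change regardless of version.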
A federal class action lawsuit alleges that Amazon's software development kit (SDK) unlawfully collects and sells sensitive user data, violating Washington state's My Health My Data Act. Plaintiff Cassandra Maxwell contends that Amazon's SDK tracks location and biometric data without user consent, potentially revealing sensitive health-related information. Although Amazon denies these claims, stating adherence to data protection policies, legal experts predict a surge in similar lawsuits with significant implications for the tech and healthcare sectors. Bittner notes:
"Plaintiff Cassandra Maxwell claims Amazon's SDK... tracks location and biometric data without user consent." ([10:30])
The Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent advisory regarding a critical privilege escalation vulnerability in Microsoft's Partner Center platform. Initially rated 8.7 on the CVSS scale, the vulnerability was escalated to 9.8 due to its potential to allow unauthenticated attackers to gain elevated privileges and access sensitive data. Microsoft has patched the issue, and CISA mandates federal agencies to apply the updates by March 18th. Recommendations include enforcing network segmentation and adopting zero trust principles:
"CISA mandates federal agencies to apply updates by March 18th." ([11:15])
A critical remote code execution vulnerability was discovered in MITRE's Caldera security training platform, affecting all versions since 2017 except the latest patched release. Security researcher Dawid Kulikowski warns that this flaw, reachable through an unauthenticated API endpoint, allows attackers to hijack the platform, especially in default configurations. Mitigation strategies include applying the patch promptly and restricting network access to the platform:
"Users should apply patches or restrict access to prevent unauthorized attacks." ([11:50])
Sam Kinch, an executive client advisor at Tanium and formerly a senior executive to the commander at U.S. Cyber Command, discusses the JCDC AI Cybersecurity Collaboration Playbook in an editorial for CyberScoop. Kinch emphasizes the growing threat of AI-driven cyberattacks and the necessity for defenders to leverage AI in security operations while enhancing public-private sector coordination. He praises the playbook's structured information sharing and warns against delays in intelligence sharing that could impede rapid response efforts:
"He emphasizes that trust is key to successful cybersecurity collaboration, urging clearer protocols and stronger protections for private sector partners." ([12:30])
A significant segment of the episode features an in-depth discussion between Dave Bittner and Ben Yellen regarding Apple’s decision to remove its iCloud end-to-end encryption feature in the United Kingdom. This move follows the UK government's request for a backdoor into encrypted communications under the Investigatory Powers Act of 2016. Yellen explains that Apple, instead of complying, chose to discontinue the advanced data protection feature to stand firm on user privacy:
"Apple is calling the UK government's bluff and they are hoping that by removing this feature, enough UK Apple users will be angry and will complain to their members of Parliament that the government will drop its request." ([17:28])
Yellen also speculates on the broader implications for other companies like Meta, advising users to remain cautious about the potential for similar backdoor demands.
One of the most compelling narratives in the episode is the story of Matthew Van Andel, a Disney employee whose inadvertent actions led to a massive data breach affecting 44 million sensitive messages. By downloading an AI tool from GitHub, Van Andel installed infostealer malware that granted a hacker full access to his computer, including his Disney credentials and session cookies. This breach resulted in the leakage of private customer data, employee passport numbers, and financial reports. Furthermore, Van Andel's personal information was compromised, leading to identity theft and financial losses. Disney's forensic review then claimed he had accessed pornography on his work device, an allegation he denies, and the company fired him. This incident underscores the escalating risks posed by credential-stealing malware hidden in downloads and the importance of vigilant cybersecurity practices:
"One careless download was all it took to bring down a Disney employee and compromise an entire company's security." ([19:45])
The "Hacked in Plain Sight" episode of CyberWire Daily encapsulates a range of pressing cybersecurity issues facing individuals and organizations. From significant data breaches and legislative challenges to critical software vulnerabilities and the perils of AI-driven attacks, the episode provides listeners with a thorough analysis of the current cyber landscape. Through expert insights and real-world examples, the podcast emphasizes the need for robust security measures, proactive vulnerability management, and steadfast commitment to user privacy.
Notable Quotes:
Dave Bittner [02:20]: "DISA conducted an extensive review to identify affected individuals and is offering one free year of credit monitoring."
Ben Yellen [17:28]: "Apple is calling the UK government's bluff and they are hoping that by removing this feature, enough UK Apple users will be angry and will complain to their members of Parliament that the government will drop its request."
Dave Bittner [19:45]: "One careless download was all it took to bring down a Disney employee and compromise an entire company's security."
This detailed summary aims to provide a comprehensive overview of the "Hacked in Plain Sight" episode, highlighting critical cybersecurity events and discussions that are pivotal for industry professionals and enthusiasts alike.