Dave Bittner
You're listening to the Cyberwire network powered by N2K.
Dave Bittner
And now a message from our sponsor. Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise, with an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible; eliminating lateral movement, connecting users only to specific apps, not the entire network; continuously verifying every request based on identity and context; simplifying security management with AI-powered automation; and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com.

The FBI warns agents of hacked call and text logs. The US Treasury sanctions entities tied to North Korea's fake IT worker operations. Russian hacking group Star Blizzard attempted to infiltrate WhatsApp accounts of nonprofits supporting Ukraine. Yubico discloses a critical vulnerability in its pluggable authentication module software. Google releases an open source library for software composition analysis. CISA hopes to close the software understanding gap. PUMAKIT targets critical infrastructure. SimpleHelp patches multiple flaws in their remote access software. The FTC bans GM from selling driver data. HHS outlines their efforts to protect hospitals and health care. Our guest is Maria Tranquilli, Executive Director at the Common Mission Project, speaking with N2K's Brandon Karp about the origins and impacts of Hacking for Defense. And even the best of red teamers are humbled by AI. It's Friday, January 17th, 2025. I'm Dave Bittner and this is your CyberWire Intel Brief.
Thanks for joining us here today. It is great, as always, to have you with us. According to an FBI document reviewed by Bloomberg, hackers breached AT&T's systems in 2022, stealing months of FBI agents' call and text logs and triggering concerns about exposing confidential informants. The stolen data, including agents' phone numbers and call details, could link investigators to their secret sources, but excluded the content of communications and encrypted messaging records. AT&T disclosed the breach in July, which involved six months of customer data, following an extortion attempt by hackers. The FBI has raced to mitigate risks to its sources and investigations, underscoring concerns about the Bureau's operational security. The breach was part of a broader campaign targeting AT&T and Snowflake customers, with hackers exploiting accounts lacking multi-factor authentication. Federal prosecutors charged individuals connected to the breach and related extortion schemes. Despite efforts to secure the data, it's unclear if the information remains at risk, raising alarms about safeguarding sensitive data in third-party systems.

The U.S. Treasury's Office of Foreign Assets Control has sanctioned two individuals and four entities tied to North Korea's scheme to generate illicit funds through fake IT worker operations. North Korean operatives used stolen identities and AI to secure IT jobs in Western countries, funneling earnings to the regime. Hundreds of companies in the US, UK and Australia unknowingly hired these workers, while others were stationed in Russia, China and beyond. North Korea's government withholds up to 90% of these workers' wages, funding weapons programs including WMDs and ballistic missiles. Sanctions target North Korean front companies Korea Osong Shipping Co. and Chonsurim Trading Corporation, as well as their leaders. A Chinese company was also sanctioned for supplying electronics to facilitate these activities.
These operations generate hundreds of millions annually for Pyongyang's regime.

The Russian hacking group Star Blizzard attempted to infiltrate WhatsApp accounts of nonprofits supporting Ukraine using phishing messages impersonating US officials. Victims were invited to join a fake WhatsApp group, "US Ukraine NGOs Group," and prompted to scan a malicious QR code, giving attackers access to their messages. This marks the first use of WhatsApp by the group, which is linked to Russia's FSB. Despite recent US actions dismantling their infrastructure, Star Blizzard quickly adapted, demonstrating their resilience. Their targets include government entities, nonprofits and Ukraine aid organizations.

Yubico has disclosed a critical vulnerability in its pluggable authentication module software package. This flaw could allow attackers to bypass authentication under certain configurations. The vulnerability, rated high with a CVSS score of 7.3, impacts macOS and Linux systems but does not affect Yubico hardware devices. Users should upgrade to the latest version or modify configurations to mitigate risks.

Google has released OSV-SCALIBR, an open source Go library for software composition analysis. The tool scans software inventory, identifies vulnerabilities and generates software bills of materials in SPDX and CycloneDX formats. It supports Linux, Windows and macOS and works with OS packages, binaries and source code. OSV-SCALIBR is used within Google for scanning live hosts, repositories and containers, and will integrate further with Google's OSV-Scanner. Users can leverage its plugins for software extraction and vulnerability detection, with custom plugins supported.

CISA, alongside federal partners, released a report titled Closing the Software Understanding Gap, calling for a national effort to better understand and secure software critical to infrastructure and national security.
The report urges collaboration between public and private sectors to prioritize software analysis under all conditions. Recommendations include stronger security in software development, such as network segmentation, multi-factor authentication, encrypted data storage, and robust supply chain risk management. CISA also launched the Vulnrichment program to enhance the National Vulnerability Database by adding detailed metadata for better vulnerability tracking. These measures align with CISA's Secure by Design principles, aiming to shift the security burden from users to manufacturers, ultimately improving resilience against cyber threats to critical infrastructure systems.

The advanced Linux rootkit PUMAKIT has been identified targeting critical infrastructure sectors including telecommunications, finance and national security. Discovered by Elastic Security Labs, PUMAKIT operates at the kernel level, employing sophisticated evasion techniques to remain undetected. It conceals malicious activities, ensures persistence through reboots, and disables security tools, enabling long-term access to compromised systems. Indicators of compromise include unusual kernel modules, suspicious traffic to specific IPs and concealed processes. Organizations are urged to apply security patches, enforce multi-factor authentication, monitor for anomalies, and use Elastic's YARA rule for detection.

Critical vulnerabilities in SimpleHelp remote access software could allow attackers to compromise servers and client machines, Horizon3.ai reports. These include a path traversal flaw enabling unauthorized file access, an arbitrary file upload vulnerability allowing remote code execution, and a privilege escalation bug enabling technicians to gain admin access. SimpleHelp patched the issues in January and urges users to update and reset admin and technician passwords promptly to mitigate risks.

The Federal Trade Commission has imposed a five-year ban on General Motors and its OnStar subsidiary from selling sensitive driver data, including geolocation and driving behavior, to data brokers. The ban stems from allegations that GM misled customers about data collection and shared precise driver information, such as location and habits, without consent. This data, often sold to insurers, led to premium spikes or policy cancellations for some drivers. The FTC settlement requires GM to obtain explicit consent for data collection, improve transparency, and provide mechanisms for consumers to delete or limit data collection. The automaker must also allow users to disable precise geolocation tracking. GM, which ended its Smart Driver program and related third-party contracts in 2023, stated the FTC order enforces stricter privacy standards beyond current laws.

In an editorial for CyberScoop, Deputy Secretary of the Department of Health and Human Services Andrea Palm describes the significant steps the agency has taken to combat rising cyber attacks targeting hospitals and health systems. These attacks disrupt care, jeopardize patient safety and erode trust, Palm says. HHS has focused on three areas: policy, resources and coordination. Policies include updated HIPAA rules and new cybersecurity requirements for medical devices. Funding efforts like $240 million for hospital preparedness and a proposed $1.3 billion through Medicare aim to bolster cybersecurity for under-resourced organizations. The agency also provides free training, a cybersecurity risk map, and plans to use AI to guide security improvements. HHS emphasizes a sector-wide approach to protect interconnected health systems and has enhanced incident response and collaboration with industry. Despite progress, HHS stresses that continued investment and bipartisan support are crucial to strengthening cybersecurity and protecting national security.
Coming up, our guest Maria Tranquilli from the Common Mission Project speaks with our own Brandon Karp about the origins and impact of Hacking for Defense. And even the best of red teamers are humbled by AI. Stay with us.
Dave Bittner
Hey everybody, Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers, so I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you, with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe now at a special discount for our listeners today. Get 20% off your DeleteMe plan when you go to JoinDeleteMe.com/N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com/N2K and enter code N2K at checkout. That's JoinDeleteMe.com/N2K, code N2K.

Cyber threats are evolving every second, and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit threatlocker.com today to see how a default-deny approach can keep your company safe and compliant.

Maria Tranquilli is Executive Director of the Common Mission Project. She recently got together with N2K's executive editor Brandon Karp to discuss the origins and impact of Hacking for Defense and how universities can get involved.
Brandon Karp
And we are joined today by Maria Tranquilli, the Executive Director of the Common Mission Project. Maria, thank you so much for joining us today.
Maria Tranquilli
I'm so happy to speak to you today, Brandon.
Brandon Karp
So curious for our listeners to understand. Some of them may have heard of Hacking for Defense or Common Mission Project or BMNT. We've had a few folks on the podcast over the last few months, including Steve Blank, about those programs. But can you give us, in your own words, what is Common Mission Project? What does that organization do?
Maria Tranquilli
Absolutely. So the Common Mission Project is a global entity. We are present in the United States, Australia, the UK and expanding. We ensure that mission driven entrepreneurs, specifically within universities at the moment, are able to access the Lean Startup methodology through a program titled Hacking for Defense. We also offer Hacking for Diplomacy, Hacking for Homeland Security, and soon to be shared Hacking for Manufacturing. We're actually piloting Hacking for Manufacturing currently in the United States, and we're hoping to expand that program not only throughout universities and research institutions across the US but also with our allied counterparts across the globe.
Brandon Karp
Oh, very cool. And for this audience, right? Our podcast mostly speaks to professionals in the cybersecurity and national security industry. This idea of hacking is obviously very familiar to them. Can you kind of share what this Hacking For series of programs is all about and how they work?
Maria Tranquilli
Absolutely. So just to speak to the global dynamics that we are seeing at the moment, we know that the complexity of national security and defense problems will only intensify as the years go on. And we also know that there are rapid advancements in technologies like cybersecurity, AI, artificial intelligence, unmanned systems, all of which are very important technology verticals within the defense space and also across the private sector. And we also see this globally. There is a very high level of interest across allied partners, including NATO, including the Ministry of Defence in the UK and including the Department of Defense in the United States. So when it comes to the Hacking For programs, we ensure that mission partners across our global entities are able to identify problems that need to be solved at the speed of a startup. And in order to do that, we partner with BMNT. It's actually our for-profit arm. BMNT works with our government partners to help those government entities identify problems that need to be solved at speed. Those problems are then deployed into research institutions and classrooms. Again, across our global instances in which we are running one of our Hacking For programs, students, and I'd like to say here, students mean very specifically undergraduate and graduate level students. So we have students that are sophomores all the way through four to five years of schooling in universities working, yes, working on these problems. So they are handed problems to validate. There's a number of reasons this is incredibly important. One, we don't want the Department of Defense in the United States, Ministry of Defence, etc., to waste time building solutions for problems that are not to be solved or have not yet been validated. Students will actually validate those problems and they do this in a number of ways.

They ensure that they are doing proper customer discovery within the government and across government entities to narrow down to exactly the right problem that needs a solution paired with it. And this can take one month, this can take three months. It really depends on the type of customer discovery that these students are able to do, from customer discovery through problem validation. Students then, with the help of Common Mission Project, have the opportunity to be funded, to travel, to understand even more deeply how to build solutions to those problems. So I'll stop there. Brandon, any specific questions there?
Brandon Karp
Yeah, yeah. It strikes me that this is a pretty sophisticated set of programming. I mean, the model itself sounds fairly complex. You're managing multiple stakeholders, some in the government, certainly some at research institutes and universities, managing student work and, it sounds like, curriculum as well. That is a very complex program. I imagine that's evolved over many years. Can you share maybe where we are today in terms of some of the successes that this program has had?
Maria Tranquilli
Absolutely. I love that you asked. So first I'll say we are coming up on our 10 year anniversary of Hacking for Defense programs.
Brandon Karp
Happy, happy decade of running this. That's awesome.
Maria Tranquilli
Thank you. Thank you. Well, I have to tell you, I am standing on the shoulders of giants. The founders of this program, Pete Newell and Steve Blank, who I know you've spoken to in the past, are two incredibly dynamic individuals that have brought me into this ecosystem to help scale and expand even further than the footprint that they have built so far. So currently we are looking at that 10 year anniversary coming up through the second quarter of 2025. So we're hoping, and this is a shout out to everyone listening, we are really excited for pairing the 10 year H4D anniversary with a National Security Innovation Education conference. And we have some very specific goals to hit during that conference. We are looking to eventually, and I will say inevitably, establish a PME, or professional military education, curriculum. We're also looking to instate and/or establish across one or multiple US-based universities a US degree program that specifically focuses on national security innovation and entrepreneurship. So the beginning of the conversation will occur during our celebration, Q2 2025.
Brandon Karp
Yeah, very curious about any intel you can share about how organizations might get involved or individuals. There's a lot of folks here in this audience that you're speaking with who are very committed to professional education and certification and development, especially around workforce initiatives and those educational pursuits that you were mentioning.
Maria Tranquilli
We are interested in any academics or universities that would be interested in contributing to developing PME, professional military education, curriculum. That goes for both private and public institutions. So public and private universities, the door is open, specifically for individuals like yourself. Actually, Brandon, I know that we've actually talked about how we might engage the Navy specifically, and I know you're doing some great work there and delivering H4 at a very specific university. So we're very interested in military institutions, public and private institutions, playing their part and having a stake and a say in the type of curriculum that is developed, as well as the US-based degree program that I had mentioned. So intel, I will say we are just on the coattails of having delivered our sixth annual Red Queen Innovation Conference. This is an executive level conference that is annual. Steve Blank and Pete Newell, along with myself and a few other individuals, delivered this conference just a few weeks ago, and we had an incredible contingent of Ministry of Defence presence from the UK, DIU and other US-based defense organizations, as well as NATO present. So it's one of the first moments in recent history in which all of these stakeholders are in the same room making decisions about what defense innovation and what defense education could look like. So when you ask about intel, I would say it's very likely that the same individuals that attend our executive level convenings, some of which are private, some of which are public, will be with us during spring of 2025 for this upcoming anniversary and event.
Brandon Karp
Great.
Well, everyone should keep an eye out then for those announcements. It does sound like a great event. Moving into your second decade of these Hacking For programs, what is the vision? Where does Common Mission Project go from here? What is the impact that you're looking to have in your second decade of running this?
Maria Tranquilli
I love this question. There's so much that I am excited to gain traction on and to deliver in the next 10 years. Very specifically, I would say the linchpin here is ensuring that what I know to be our greatest asset, not only in America, but across allied nations, is ensuring that we are preserving and protecting the spirit of innovation and entrepreneurship. And where does that lie? Specifically, we know that retention within our defense organizations and government organizations is at an all time low. We also know that incoming individuals that are right now in university that will be exiting university and looking to enter our economy with really interesting mission focused jobs. They need a pathway forward. And that is one way in which Common Mission steps in and ensures that not only our new talent, but talent right now that needs to be retained within these organizations does remain within those organizations. So my main focus, one of three, I'd say there are three pillars of focus. One, again, ensuring that our ecosystem is steady, our ecosystem is well fortified and that we're preserving the spirit of innovation and entrepreneurship across different stakeholders, which includes all of that new and current talent. It includes all of our academics who need consistent training and consistent access to really interesting problems and really, really interesting and challenging curriculum that they can then deliver in the classroom as well. As I'll say this, the second tier very specifically is scaling our programs across allied nations.
Brandon Karp
Okay.
Maria Tranquilli
We have an incredibly high level of interest from multiple countries, NATO allies, specifically from Estonia and Germany, et cetera. And we need to ensure that our Hacking For programs are run across these countries. And there's a number of reasons. One, we know that the nature of the problems across defense and government organizations are duplicative. We know, as far as what I have actually seen, we know that the same problems are looking to be solved across different countries. We need to ensure that we are not wasting money and wasting time solving the same problems. So one of the biggest opportunities that I see Common Mission Project having a very, a very unique stance on is the ability to actually make the invisible visible. Meaning we're able to take specific problems from across our allied nations, identify those through the data that we hold, and ensure that those nations are working together to solve the same problems. And there's a number of different ways that we will do this. It's through some of our executive convenings. It is through our programming that is delivered across universities. It's actually through deploying from our student fund to ensure that our donor dollars are going to solve the right problems. So I'd say that's our third pillar. It's really ensuring that our students have the capital that they need to do the research, to do the customer discovery, to do the travel that is needed so that they can validate those problems and go back to the government with an interesting solution.
Brandon Karp
Fantastic. And it sounds like a functional approach. I love that taking advantage of the lessons learned and applying that broadly across all of the global partners. So well, you know, if folks are interested to learn more, to get involved somehow, whether they're at a university or one of these government stakeholders, where can people go to learn more about Common Mission Project?
Maria Tranquilli
CommonMission.us is the global instance, and they can reach out directly to me through there.
Brandon Karp
Great. Well, the organization is the Common Mission Project. The program is Hacking For, and specifically Hacking for Defense. Maria, thank you so much for joining us today.
Maria Tranquilli
Thank you so much, Brandon. It was such a pleasure.
Dave Bittner
That's our own Brandon Karp speaking with Maria Tranquilli, Executive Director at the Common Mission Project. For more information, we'll have links in our show notes.

Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this: more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.
Dave Bittner
And finally, our Sisyphus desk tells us that Microsoft's red team took a hard look at over 100 of its own generative AI products and walked away humbled: AI security is a moving target that's never fully secure. Their paper, Lessons from Red Teaming 100 Generative AI Products, outlines eight key lessons with one undeniable truth: AI doesn't just amplify existing security risks, it invents new ones. Lesson one: know what your AI does. Larger models follow instructions better, but that means they're also better at following malicious ones. Great for hackers, less so for defenders. Lesson 2: fancy gradient-based attacks are overrated when simpler tricks like phishing or UI manipulation work just fine. Red teaming is about uncovering novel risks, not just checking benchmarks. Microsoft developed PyRIT, an open source toolkit to automate red teaming tasks, but human input remains vital. Experts not only spot subtle vulnerabilities, but also handle AI-generated horrors that would make anyone's eyes water. And yes, red teamers need mental health care too. AI's harms, lesson 6 notes, are tricky to quantify, like bias baked into image prompts showing male bosses and female secretaries, reinforcing stereotypes. Finally, lesson 7: feed AI bad inputs and it'll gleefully produce bad outputs, including spilling sensitive data. The takeaway: AI isn't just a security headache, it's the whole migraine. But hey, at least it's job security for infosec folks, because every new AI risk is another reason to hire a defender.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. A programming note: we will not be publishing on Monday, January 20th, in observance of Martin Luther King Jr. Day. Check out your CyberWire Daily podcast feed for some crossover with our T-Minus Space Daily team for an interview with Kayhan Space about data automation and space domain awareness. Don't miss it.

Be sure to check out this weekend's Research Saturday and my conversation with Nati Tal, head of Guardio Labs. Their research is titled CrossBarking: Exploiting a Zero-Day Opera Vulnerability with a Cross-Browser Extension Store Attack. That's Research Saturday. Check it out. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karp. Simone Petrella is our president. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.
CyberWire Daily - Episode: "Hacking the Bureau"
Release Date: January 17, 2025
Host/Author: N2K Networks
In the January 17, 2025 episode of CyberWire Daily, hosted by N2K Networks, listeners are presented with a comprehensive overview of the latest developments in the cybersecurity landscape. The episode, titled "Hacking the Bureau," delves into recent high-profile cyber incidents, government actions against malicious entities, and an insightful interview with Maria Tranquilli, Executive Director of the Common Mission Project. This summary captures the episode's key points, discussions, and expert insights, providing a valuable resource for those seeking to stay informed about the ever-evolving field of cybersecurity.
1. FBI Warns of Hacked Call and Text Logs ([05:10])
Dave Bittner reports a significant breach where attackers infiltrated AT&T's systems in 2022, accessing six months of FBI agents' call and text logs. The stolen data, which includes agents' phone numbers and call details, poses a severe risk by potentially linking investigators to their confidential informants. Although the breach excluded the content of communications and encrypted messages, the FBI has been racing to mitigate the risks associated with this exposure. The incident underscores the critical importance of safeguarding sensitive data within third-party systems.
Notable Quote:
"This breach was part of a broader campaign targeting AT&T and Snowflake customers, with hackers exploiting accounts lacking multi-factor authentication," ([05:45]) emphasizes Dave Bittner.
2. U.S. Treasury Sanctions North Korean Entities ([07:30])
The U.S. Treasury's Office of Foreign Assets Control has imposed sanctions on two individuals and four entities linked to North Korea's illicit funding operations. These operatives utilized stolen identities and artificial intelligence to secure IT positions in Western countries, thereby funneling earnings to support the regime's weapons programs, including WMDs and ballistic missiles. The sanctions target front companies such as Korea Oseong Shipping Co. and Chonsurim Trading Corporation, along with a Chinese company facilitating these activities, highlighting the international efforts to curb North Korea's financial networks.
3. Russian Hacking Group Star Blizzard Targets Ukrainian NGOs ([09:15])
Star Blizzard, a Russian hacking group associated with the FSB, has attempted to compromise WhatsApp accounts of nonprofits supporting Ukraine. By sending phishing messages that mimic U.S. officials, victims were lured into joining a fake WhatsApp group titled "US Ukraine NGOs" and prompted to scan a malicious QR code, granting attackers access to their messages. This marks the group's first use of WhatsApp for infiltration, showcasing their adaptability despite recent U.S. efforts to dismantle their infrastructure.
4. Yubico Discloses Critical Vulnerability ([11:00])
Yubico has revealed a high-severity vulnerability (CVSS score of 7.3) in its pluggable authentication module software, affecting macOS and Linux systems. This flaw allows attackers to bypass authentication under certain configurations, though Yubico hardware devices remain unaffected. Users are urged to update to the latest software version or modify their configurations to mitigate potential risks.
5. Google's Open Source Release: OSV-SCALIBR ([12:20])
Google has introduced OSV-SCALIBR, an open-source Go library designed for software composition analysis. The tool efficiently scans software inventories, identifies vulnerabilities, and generates software bills of materials in SPDX and CycloneDX formats, supporting multiple operating systems and various software components. OSV-SCALIBR is set to integrate further with Google's OSV-Scanner, enhancing vulnerability detection capabilities across platforms.
6. CISA's Initiative to Close the Software Understanding Gap ([14:00])
The Cybersecurity and Infrastructure Security Agency (CISA), together with federal partners, has released a report titled "Closing the Software Understanding Gap." It calls for a national effort to improve understanding of, and confidence in, the software that underpins critical infrastructure and national security. Key recommendations include strengthening security in software development, implementing robust supply chain risk management, and expanding the National Vulnerability Database through CISA's Vulnrichment program. The aim is to shift the security burden from users to manufacturers and so improve resilience against cyber threats.
7. Humakit Targets Critical Infrastructure ([16:40])
Humakit uncovered multiple high-risk vulnerabilities in SimpleHelp's remote access software. The flaws are a path traversal bug that lets an unauthenticated attacker read files from the server, an arbitrary file upload bug that an authenticated administrator can turn into remote code execution, and a privilege escalation bug that lets a technician account gain administrative access. SimpleHelp has patched all three (in versions 5.5.8, 5.4.10 and 5.3.9) and advises customers to update and reset the relevant passwords, since the file read can expose server configuration data.
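The path traversal class of bug described above is worth seeing in code. What follows is an added, hypothetical example, not SimpleHelp's code and not derived from the reported flaws: a naive file-path join with the traversal weakness beside a hardened resolver, exercised against a constructed directory layout. It assumes the requested path has already been URL-decoded once by the web layer; the probe paths and sandbox directories are constructed for the example.

```python
"""Added example (hypothetical, not SimpleHelp's code): a file-serving path join
with the classic traversal flaw beside a hardened resolver. The base directory
and probe paths are constructed; `requested` is assumed to be the path component
after the web layer has URL-decoded it exactly once.
"""
import os
import tempfile


def resolve_vulnerable(base_dir: str, requested: str) -> str:
    # Flaw 1: '../' segments are joined verbatim and climb out of base_dir.
    # Flaw 2: os.path.join discards base_dir entirely when `requested` is absolute.
    return os.path.join(base_dir, requested)


def resolve_hardened(base_dir: str, requested: str) -> str:
    """Canonicalise both sides, then require the candidate to sit under the base."""
    if os.path.isabs(requested):
        raise PermissionError(f"absolute path rejected: {requested!r}")
    base = os.path.realpath(base_dir)                        # also resolves symlinks
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath, not startswith: '/srv/www' is a string prefix of '/srv/www-other'
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"path escapes {base}: {requested!r}")
    return candidate


def escapes(base_dir: str, path: str) -> bool:
    """Does `path` resolve to somewhere outside base_dir?"""
    base = os.path.realpath(base_dir)
    return os.path.commonpath([base, os.path.realpath(path)]) != base


def build_sandbox() -> tuple:
    """Constructed layout: <root>/www/index.html (served), <root>/www-other/, <root>/secret.txt."""
    root = tempfile.mkdtemp(prefix="traversal-demo-")
    base = os.path.join(root, "www")
    os.makedirs(base)
    os.makedirs(os.path.join(root, "www-other"))
    with open(os.path.join(base, "index.html"), "w") as f:
        f.write("<h1>public</h1>\n")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("constructed secret\n")
    return root, base


PROBES = ["index.html", "sub/../index.html", "../secret.txt", "../www-other/x", "/etc/passwd"]


def probe(base_dir: str) -> dict:
    """For each probe: (does the naive join escape base, hardened verdict)."""
    results = {}
    for req in PROBES:
        naive_escapes = escapes(base_dir, resolve_vulnerable(base_dir, req))
        try:
            resolve_hardened(base_dir, req)
            verdict = "allowed"
        except PermissionError:
            verdict = "blocked"
        results[req] = (naive_escapes, verdict)
    return results


if __name__ == "__main__":
    root, base = build_sandbox()
    for req, (naive, verdict) in probe(base).items():
        print(f"{req:<20} naive join escapes base: {str(naive):<5}  hardened: {verdict}")
```

Two details are the ones that usually go wrong in real fixes: checking the canonical path with a string prefix test instead of a path-component test (the `www-other` probe shows why), and normalising before rather than after resolving symlinks. Note that the hardened version rejects absolute paths outright rather than silently treating them as relative to the base.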
8. FTC Bans General Motors from Selling Driver Data ([18:30])
The Federal Trade Commission (FTC) has proposed an order barring General Motors (GM) and its subsidiary OnStar for five years from selling sensitive driver data, including geolocation and driving-behavior information, to consumer reporting agencies and other data brokers. The action follows allegations that GM misled customers about its data collection and shared precise driver information without their explicit consent. The order also requires GM to obtain affirmative consent before collecting such data, to be transparent about what it collects, and to give consumers ways to delete their data or limit its sharing, reinforcing privacy standards in the automotive industry.
9. HHS Enhances Cybersecurity for Healthcare ([20:10])
Andrea Palm, Deputy Secretary of the Department of Health and Human Services (HHS), outlines the agency's proactive measures to combat escalating cyberattacks targeting hospitals and healthcare systems. HHS has implemented updated HIPAA rules, established new cybersecurity requirements for medical devices, and allocated $240 million for hospital preparedness, with a proposed $1.3 billion through Medicare AIM to bolster cybersecurity for under-resourced organizations. Additionally, HHS offers free training, a cybersecurity risk map, and plans to utilize AI to guide security enhancements, emphasizing a sector-wide approach to protect interconnected health systems.
Guest: Maria Tranquilli, Executive Director at Common Mission Project
Host: Brandon Karp
Timestamp: [15:43] onwards
Overview of the Common Mission Project ([16:14])
Maria Tranquilli provides an in-depth look into the Common Mission Project, a global initiative present in the United States, Australia, the UK, and expanding to other regions. The organization empowers mission-driven entrepreneurs, particularly within universities, by providing access to the Lean Startup methodology through programs like Hacking for Defense, Hacking for Diplomacy, and Hacking for Homeland Security. Currently piloting Hacking for Manufacturing in the U.S., Common Mission Project aims to extend these programs to universities and research institutions worldwide.
Hacking for Defense Series of Programs ([17:20])
Maria elaborates on the Hacking for Defense (H4D) program, designed to address the increasing complexity of national security and defense challenges. The program leverages advancements in cybersecurity, artificial intelligence, and unmanned systems to solve pressing defense problems swiftly and efficiently. By partnering with BMNT, the for-profit arm of Common Mission Project, the initiative collaborates with government entities to identify critical issues that require rapid solutions. These problems are then integrated into university curricula, engaging undergraduate and graduate students in problem validation and customer discovery, thereby ensuring that defense organizations do not invest resources into unverified or unnecessary solutions.
Program's Successes and Milestones ([20:57])
As Common Mission Project approaches the 10-year anniversary of the Hacking for Defense programs, Maria highlights significant achievements and future aspirations. She credits the program's success to the foundational work of Pete Newell and Steve Blank, and emphasizes the organization's role in scaling and expanding its impact. Currently, the initiative is preparing to commemorate its decade-long journey by hosting a National Security Innovation Education Conference in the second quarter of 2025. Goals for this event include establishing a Professional Military Education (PME) curriculum and initiating U.S.-based degree programs focused on national security innovation and entrepreneurship. This milestone celebration aims to reinforce the program's commitment to fostering innovation and collaboration among defense stakeholders.
Notable Quote:
"Ensuring that what I know to be our greatest asset... is preserving and protecting the spirit of innovation and entrepreneurship," ([25:12]) states Maria Tranquilli, underscoring the program's mission to nurture and retain talent within defense and government organizations.
Future Vision and Impact ([27:12])
Looking ahead, Maria outlines the Common Mission Project's vision for the next decade. The organization seeks to scale its programs across NATO allies and other allied nations, recognizing the repetitive nature of defense problems globally. By facilitating collaboration and data sharing among these nations, Common Mission Project aims to streamline problem-solving efforts and eliminate redundancies. Additionally, the organization is committed to ensuring that students have the necessary resources—such as funding and opportunities for research and travel—to effectively validate problems and develop impactful solutions. This approach not only addresses immediate defense challenges but also builds a sustainable ecosystem for continuous innovation and entrepreneurship within the sector.
Notable Quote:
"We know that the same problems are looking to be solved across different countries. We need to ensure that we are not wasting money and wasting time solving the same problems," ([27:13]) emphasizes Maria, highlighting the importance of international collaboration in defense innovation.
Towards the episode's conclusion, Brandon Karp discusses a report from Microsoft's Red Team, which analyzed over 100 generative AI products. The findings reveal that artificial intelligence not only exacerbates existing security risks but also introduces novel vulnerabilities. Key lessons from the report include:
AI Amplifies Security Risks: "AI doesn't just amplify existing security risks, it invents new ones," ([29:54]) underscores the dual impact of AI on cybersecurity.
Sophistication vs. Simplicity: While complex gradient-based attacks are less effective, "simpler tricks like phishing or UI manipulation works just fine," ([30:10]) highlighting the enduring effectiveness of basic attack vectors.
Human Element in Red Teaming: Despite automation tools like Microsoft's PyRIT (Python Risk Identification Toolkit), human expertise remains irreplaceable in identifying subtle vulnerabilities and managing AI-generated threats.
Bias and Data Leakage: AI models can perpetuate biases and unintentionally disclose sensitive information, posing significant ethical and security challenges.
Notable Quote:
"AI isn't just a security headache, it's the whole migraine," ([31:00]) humorously captures the pervasive challenges AI introduces to the cybersecurity landscape.
The "Hacking the Bureau" episode of CyberWire Daily offers a thorough examination of current cybersecurity threats, government responses, and innovative initiatives aimed at bolstering national security through education and collaboration. The insightful conversation with Maria Tranquilli illuminates the pivotal role of programs like Hacking for Defense in shaping the future of defense innovation. Additionally, the discussion on AI's evolving security implications serves as a crucial reminder of the dynamic challenges faced by cybersecurity professionals today. For professionals and enthusiasts alike, this episode provides valuable knowledge and perspectives essential for navigating the complex world of cybersecurity.
For more detailed information and resources discussed in this episode, listeners are encouraged to visit the CyberWire Daily show notes and explore links provided for each story.