CyberWire Daily - Episode: "Hacking the Bureau"
Release Date: January 17, 2025
Host/Author: N2K Networks
Introduction
In the January 17, 2025 episode of CyberWire Daily, hosted by N2K Networks, listeners are presented with a comprehensive overview of the latest developments in the cybersecurity landscape. The episode, titled "Hacking the Bureau," delves into recent high-profile cyber incidents, government actions against malicious entities, and an insightful interview with Maria Tranquilli, Executive Director of the Common Mission Project. This summary captures the episode's key points, discussions, and expert insights, providing a valuable resource for those seeking to stay informed about the ever-evolving field of cybersecurity.
Key News Highlights
1. FBI Warns of Hacked Call and Text Logs ([05:10])
Dave Bittner reports a significant breach where attackers infiltrated AT&T's systems in 2022, accessing six months of FBI agents' call and text logs. The stolen data, which includes agents' phone numbers and call details, poses a severe risk by potentially linking investigators to their confidential informants. Although the breach excluded the content of communications and encrypted messages, the FBI has been racing to mitigate the risks associated with this exposure. The incident underscores the critical importance of safeguarding sensitive data within third-party systems.
Notable Quote:
"This breach was part of a broader campaign targeting AT&T and Snowflake customers, with hackers exploiting accounts lacking multi-factor authentication," ([05:45]) emphasizes Dave Bittner.
2. U.S. Treasury Sanctions North Korean Entities ([07:30])
The U.S. Treasury's Office of Foreign Assets Control has imposed sanctions on two individuals and four entities linked to North Korea's illicit funding operations. These operatives utilized stolen identities and artificial intelligence to secure IT positions in Western countries, thereby funneling earnings to support the regime's weapons programs, including WMDs and ballistic missiles. The sanctions target front companies such as Korea Oseong Shipping Co. and Chonsurim Trading Corporation, along with a Chinese company facilitating these activities, highlighting the international efforts to curb North Korea's financial networks.
3. Russian Hacking Group Star Blizzard Targets Ukrainian NGOs ([09:15])
Star Blizzard, a Russian hacking group associated with the FSB, has attempted to compromise WhatsApp accounts of nonprofits supporting Ukraine. By sending phishing messages that mimic U.S. officials, victims were lured into joining a fake WhatsApp group titled "US Ukraine NGOs" and prompted to scan a malicious QR code, granting attackers access to their messages. This marks the group's first use of WhatsApp for infiltration, showcasing their adaptability despite recent U.S. efforts to dismantle their infrastructure.
4. Yubico Discloses Critical Vulnerability ([11:00])
Yubico has revealed a high-severity vulnerability (CVSS score of 7.3) in its pluggable authentication module software, affecting macOS and Linux systems. This flaw allows attackers to bypass authentication under certain configurations, though Yubico hardware devices remain unaffected. Users are urged to update to the latest software version or modify their configurations to mitigate potential risks.
5. Google's Open Source Release: OSV-SCALIBR ([12:20])
Google has introduced OSV-SCALIBR, an open-source Go library designed for software composition analysis. The tool efficiently scans software inventories, identifies vulnerabilities, and generates software bills of materials in SPDX and CycloneDX formats, supporting multiple operating systems and various software components. OSV-SCALIBR is set to integrate further with Google's OSV-Scanner, enhancing vulnerability detection capabilities across platforms.
6. CISA's Initiative to Close the Software Understanding Gap ([14:00])
The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with federal partners, has released a report titled "Closing the Software Understanding Gap." The report advocates for a national effort to enhance the understanding and security of software critical to infrastructure and national security. Key recommendations include strengthening security in software development, implementing robust supply chain risk management, and expanding the National Vulnerability Database through the vulnrichment program. These measures aim to shift the security burden from users to manufacturers, bolstering resilience against cyber threats.
7. Humakit Targets Critical Infrastructure ([16:40])
Humakit has uncovered multiple high-risk vulnerabilities in its remote access software, SimpleHelp. The identified flaws include a path traversal vulnerability allowing unauthorized file access, an arbitrary file upload flaw enabling remote code execution, and a privilege escalation bug permitting technicians to gain administrative access. SimpleHelp has promptly patched these issues and advises users to update their software and reset relevant passwords to ensure system security.
8. FTC Bans General Motors from Selling Driver Data ([18:30])
The Federal Trade Commission (FTC) has imposed a five-year prohibition on General Motors (GM) and its subsidiary, OnStar, from selling sensitive driver data, including geolocation and driving behavior information, to data brokers. This action follows allegations that GM misled customers about data collection practices and unlawfully shared precise driver information without explicit consent. The FTC settlement mandates GM to obtain explicit consent for data collection, enhance transparency, and provide consumers with options to delete or limit data sharing, thereby reinforcing privacy standards in the automotive industry.
9. HHS Enhances Cybersecurity for Healthcare ([20:10])
Andrea Palm, Deputy Secretary of the Department of Health and Human Services (HHS), outlines the agency's proactive measures to combat escalating cyberattacks targeting hospitals and healthcare systems. HHS has implemented updated HIPAA rules, established new cybersecurity requirements for medical devices, and allocated $240 million for hospital preparedness, with a proposed $1.3 billion through Medicare AIM to bolster cybersecurity for under-resourced organizations. Additionally, HHS offers free training, a cybersecurity risk map, and plans to utilize AI to guide security enhancements, emphasizing a sector-wide approach to protect interconnected health systems.
In-Depth Interview: Maria Tranquilli on the Common Mission Project and Hacking for Defense
Guest: Maria Tranquilli, Executive Director at Common Mission Project
Host: Brandon Karpf
Timestamp: [15:43] onwards
Overview of the Common Mission Project ([16:14])
Maria Tranquilli provides an in-depth look into the Common Mission Project, a global initiative present in the United States, Australia, the UK, and expanding to other regions. The organization empowers mission-driven entrepreneurs, particularly within universities, by providing access to the Lean Startup methodology through programs like Hacking for Defense, Hacking for Diplomacy, and Hacking for Homeland Security. Currently piloting Hacking for Manufacturing in the U.S., Common Mission Project aims to extend these programs to universities and research institutions worldwide.
Hacking for Defense Series of Programs ([17:20])
Maria elaborates on the Hacking for Defense (H4D) program, designed to address the increasing complexity of national security and defense challenges. The program leverages advancements in cybersecurity, artificial intelligence, and unmanned systems to solve pressing defense problems swiftly and efficiently. By partnering with BMNT, the for-profit arm of Common Mission Project, the initiative collaborates with government entities to identify critical issues that require rapid solutions. These problems are then integrated into university curricula, engaging undergraduate and graduate students in problem validation and customer discovery, thereby ensuring that defense organizations do not invest resources into unverified or unnecessary solutions.
Program's Successes and Milestones ([20:57])
As Common Mission Project approaches the 10-year anniversary of the Hacking for Defense programs, Maria highlights significant achievements and future aspirations. She credits the program's success to the foundational work of Pete Newell and Steve Blank, and emphasizes the organization's role in scaling and expanding its impact. Currently, the initiative is preparing to commemorate its decade-long journey by hosting a National Security Innovation Education Conference in the second quarter of 2025. Goals for this event include establishing a Professional Military Education (PME) curriculum and initiating U.S.-based degree programs focused on national security innovation and entrepreneurship. This milestone celebration aims to reinforce the program's commitment to fostering innovation and collaboration among defense stakeholders.
Notable Quote:
"Ensuring that what I know to be our greatest asset... is preserving and protecting the spirit of innovation and entrepreneurship," ([25:12]) states Maria Tranquilli, underscoring the program's mission to nurture and retain talent within defense and government organizations.
Future Vision and Impact ([27:12])
Looking ahead, Maria outlines the Common Mission Project's vision for the next decade. The organization seeks to scale its programs across NATO allies and other allied nations, recognizing the repetitive nature of defense problems globally. By facilitating collaboration and data sharing among these nations, Common Mission Project aims to streamline problem-solving efforts and eliminate redundancies. Additionally, the organization is committed to ensuring that students have the necessary resources—such as funding and opportunities for research and travel—to effectively validate problems and develop impactful solutions. This approach not only addresses immediate defense challenges but also builds a sustainable ecosystem for continuous innovation and entrepreneurship within the sector.
Notable Quote:
"We know that the same problems are looking to be solved across different countries. We need to ensure that we are not wasting money and wasting time solving the same problems," ([27:13]) emphasizes Maria, highlighting the importance of international collaboration in defense innovation.
AI and Security: Microsoft's Red Team Insights
Towards the episode's conclusion, Brandon Karpf discusses a report from Microsoft's Red Team, which analyzed over 100 generative AI products. The findings reveal that artificial intelligence not only exacerbates existing security risks but also introduces novel vulnerabilities. Key lessons from the report include:
- AI Amplifies Security Risks: "AI doesn't just amplify existing security risks, it invents new ones," ([29:54]) underscores the dual impact of AI on cybersecurity.
- Sophistication vs. Simplicity: While complex gradient-based attacks are less effective, "simpler tricks like phishing or UI manipulation works just fine," ([30:10]) highlighting the enduring effectiveness of basic attack vectors.
- Human Element in Red Teaming: Despite automation tools like Microsoft's PyRIT, human expertise remains irreplaceable in identifying subtle vulnerabilities and managing AI-generated threats.
- Bias and Data Leakage: AI models can perpetuate biases and unintentionally disclose sensitive information, posing significant ethical and security challenges.
Notable Quote:
"AI isn't just a security headache, it's the whole migraine," ([31:00]) humorously captures the pervasive challenges AI introduces to the cybersecurity landscape.
Conclusion
The "Hacking the Bureau" episode of CyberWire Daily offers a thorough examination of current cybersecurity threats, government responses, and innovative initiatives aimed at bolstering national security through education and collaboration. The insightful conversation with Maria Tranquilli illuminates the pivotal role of programs like Hacking for Defense in shaping the future of defense innovation. Additionally, the discussion on AI's evolving security implications serves as a crucial reminder of the dynamic challenges faced by cybersecurity professionals today. For professionals and enthusiasts alike, this episode provides valuable knowledge and perspectives essential for navigating the complex world of cybersecurity.
For more detailed information and resources discussed in this episode, listeners are encouraged to visit the CyberWire Daily show notes and explore links provided for each story.
