CyberWire Daily: When Location Data Becomes a Weapon

Release Date: November 20, 2024
Host: Dave Buettner
Produced by N2K Networks

1. Location Data as a National Security Threat

In this episode, host Dave Buettner delves into a critical investigation by Wired, Beric, and Netspolitik.org, exposing the vulnerabilities posed by the unregulated sale of mobile location data. The investigation centers on a dataset acquired from Florida-based Data Stream Group, which contained billions of location signals tied to mobile advertising IDs. Over two months in 2023, this data tracked devices at sensitive U.S. military installations, including Lucius D. Clay Kassern—the U.S. Army's European headquarters—and Buchel Air Base, home to U.S. nuclear weapons.

Key Findings:

• Granular Tracking: The dataset revealed detailed movement patterns, such as daily commutes, weekend activities, and even visits to local brothels.
• Potential Exploitation: Foreign adversaries or terrorists could exploit this data to identify personnel with sensitive access, uncover base vulnerabilities, or plan coordinated attacks. Patterns might expose guard schedules or entry points, while personal habits could make individuals susceptible to blackmail or coercion.
• Regulatory Inaction: Efforts to regulate the data broker industry have stalled. The proposed Fourth Amendment Is Not for Sale Act aims to prevent federal agencies from purchasing such data without a warrant but remains stagnant in Congress. Although the Federal Trade Commission (FTC) plans to file lawsuits to recognize U.S. military installations as protected sites, comprehensive protections are lacking.
• Department of Defense's Stance: The DoD acknowledges the risks associated with geolocation data but has deferred responsibility to service members through operational security protocols. Critics argue this is inadequate given the pervasive integration of mobile technology in daily life.
• Expert Opinions: Senator Ron Wyden of Oregon labeled the data broker industry's practices as "outrageous," emphasizing the urgent need for regulation to safeguard national security and individual privacy.

Notable Quote:

"The systemic sale of mobile location data undermines privacy and creates substantial vulnerabilities for national security," - Dave Buettner [05:30].

2. U.S. Government Accountability Office (GAO) Recommendations

The episode highlights a GAO report urging Congress to establish a federal office dedicated to ensuring consistent safeguards for civil rights and liberties in the government's use of personal data. The report underscores uneven data protection practices across 24 federal agencies, many of which lack policies to address civil liberties adequately. Emerging technologies like facial recognition and AI significantly amplify privacy risks, including bias and misidentification.

Key Recommendations:

• Unified Oversight: Without cohesive oversight, agencies risk violating citizens' rights.
• Comprehensive Regulation: GAO advocates for technology-agnostic regulations to manage evolving privacy challenges effectively.

Notable Quote:

"Without unified oversight, agencies risk violating citizens' rights," - Dave Buettner [07:15].

3. Recent Cybersecurity Developments

a. Apple’s Emergency Security Updates

Apple has released urgent security patches addressing two actively exploited vulnerabilities impacting devices such as iPhones, iPads, and Macs. These updates rectify flaws in JavaScript, Core, and WebKit, which could allow malicious actors to execute code or conduct cross-site scripting attacks. Notably, older Macs with Intel processors are specifically targeted.

Notable Quote:

"Apple advises immediate patching to prevent malicious exploitation," - Dave Buettner [08:10].

b. Disturbing Text Messages Targeting Latino and LGBTQ Communities

Latino teenagers in Georgia and LGBTQ individuals nationwide are receiving alarming anonymous texts that spread false threats and target their identities. Messages falsely claim impending deportations by ICE for Latino students and suggest discriminatory re-education under fabricated presidential directives for LGBTQ individuals. ICE has denied involvement, and the FBI is actively investigating these incidents.

Impact:

• Community Harm: Advocacy groups stress the significant emotional and psychological harm inflicted on vulnerable populations.
• Investigation Status: The FBI is probing these incidents, which mirror earlier racist messages targeting Black Americans.

Notable Quote:

"These messages do not align with ICE's operations," - Dave Buettner [09:00].

c. CrowdStrike Identifies Liminal Panda Cyber Espionage Group

CrowdStrike has attributed telecom intrusions to a newly identified Chinese cyber espionage group named Liminal Panda, previously mistaken for Light Basin. Active since 2020, Liminal Panda targets telecom providers in countries involved in China's Belt and Road Initiative, seeking network telemetry and subscriber data for intelligence purposes rather than financial gain. The group employs advanced tools and exploits telecom interconnectivity to breach networks across Asia and Africa.

Mitigation Strategies:

• Enhanced Controls: CrowdStrike recommends bolstering network access controls, enforcing robust password policies, and implementing comprehensive monitoring to mitigate these threats.

Notable Quote:

"Liminal Panda gathers network telemetry and subscriber data for intelligence," - Dave Buettner [10:20].

d. Oracle and Trend Micro Vulnerability Patches

• Oracle: Patches a high-severity zero-day vulnerability in Agile Product Lifecycle Management, allowing unauthenticated attackers to remotely access files via HTTP. With a CVSS score of 7.5, the flaw poses a significant risk of data exposure.

  Notable Quote:

  "Apply updates immediately to mitigate the risk of critical data exposure," - Dave Buettner [11:00].

• Trend Micro: Discloses a critical vulnerability in its Deep Security 20 agent software, rated 8.0, enabling attackers with low-privileged access to inject remote commands and execute arbitrary code. Trend Micro urges organizations to update immediately and review access policies.

  Notable Quote:

  "Organizations should review access policies to prevent exploitation," - Dave Buettner [11:30].

e. Ransomware Attack on Oklahoma Rural Hospital

Great Plains Regional Medical Center in Oklahoma experienced a ransomware attack in September, compromising the personal data of over 133,000 individuals. The attack led to partial system restoration, but some patient data, including names, health details, and Social Security numbers, remained unrecoverable. The incident underscores the heightened risks faced by rural hospitals due to limited cybersecurity resources.

Response Measures:

• Federal Support: Experts advocate for increased federal assistance and public-private partnerships to strengthen defenses against such threats.

Notable Quote:

"Rural hospitals face heightened risks due to limited cybersecurity resources," - Dave Buettner [12:15].

f. Fintech Firm Finastra's Security Breach

Finastra, a prominent fintech company serving global banks, is investigating a security breach in its file transfer platform. Hackers, operating under the alias abyss0, claim to have stolen over 400 gigabytes of data, listing it for sale on cybercrime forums. Detected on November 7, the breach involved credential compromise without malware deployment. Finastra has responded by launching a secure file-sharing platform and notifying affected customers.

Notable Quote:

"Investigations continue to determine the scope of the theft," - Dave Buettner [13:00].

g. George Mason University's 'Mantis' Defense Against Malicious LLMs

Researchers at George Mason University have developed "Mantis," a novel defense system designed to counter cyber attacks conducted by large language models (LLMs). Mantis employs deceptive techniques, such as engaging malicious LLMs with decoy services like fake FTP servers and embedding prompt injection attacks to disrupt the attackers' strategies. Achieving a success rate above 95%, Mantis represents a significant advancement in AI-driven cybersecurity defenses.

Key Features:

• Deceptive Engagement: Lures attackers away from real targets.
• Prompt Injection Attacks: Manipulates and disrupts the attacker's AI logic.
• Dual Defense Strategies: Utilizes both passive and active defenses to thwart attacks effectively.

Notable Quote:

"Mantis can redirect attackers' actions, waste resources, and create reverse shells to compromise attacking systems," - Dave Buettner [13:45].

4. AI Bias in Resume Screening: Conversation with Ben Yellen

Host Dave Buettner engages in an insightful discussion with Ben Yellen from the University of Maryland Center for Health and Homeland Security regarding AI's role in perpetuating biases within the resume screening process.

Study Overview:

• Source: Research conducted by the University of Washington, reported by GeekWire.
• Methodology: Examination of three open-source large language models (LLMs) to assess bias in AI-driven resume screening.
• Findings:
  • Resumes with white-associated names were preferred 85% of the time.
  • Female-associated names were favored only 11% of the time.
  • Black male candidates were least preferred, with models choosing other candidates nearly 100% of the time.
  • Even when names were removed, LLMs could infer candidates' identities from other resume information, perpetuating biases.

Implications:

• Policy Intervention: New York City has enacted policies requiring transparency in AI hiring tools, while California has introduced laws protecting intersectional characteristics.
• Organizational Caution: Organizations are urged to critically assess and monitor AI hiring tools to prevent the reinforcement of existing biases.

Notable Quotes:

"When you train a system on biased data, the results reflect those biases," - Ben Yellen [17:24].
"Systems are advanced enough to perpetuate racial biases efficiently," - Ben Yellen [20:56].
"It's very reflective of the training data," - Ben Yellen [17:30].

Conclusion: The conversation underscores the necessity for policymakers and organizations to implement comprehensive regulations and transparency measures to mitigate AI-driven biases in hiring processes. Ben Yellen emphasizes the importance of leveraging available tools and regulatory frameworks to address and rectify these discriminatory practices.

5. Additional Security Incidents

Exotic Motoring Desk: Lamborghini Theft via Business Email Compromise

Chris Bryant, a third baseman for the Colorado Rockies, experienced a high-profile theft of his 2023 Lamborghini Huracán. The vehicle was rerouted to an unauthorized destination in Las Vegas due to a business email compromise (BEC) scam targeting the transport company. Thanks to license plate recognition cameras, authorities tracked and recovered the car within five days, leading to the apprehension of multiple suspects and the seizure of various stolen items, including fraudulent VINs and key fobs.

Notable Quote:

*"Detective Justin Smith commented, 'We'd treat it the same if it were a Ford 150, but a Lamborghini does make for a cool case,'" * - Dave Buettner [26:15].

Conclusion

This episode of CyberWire Daily brings to light the multifaceted challenges in the cybersecurity landscape, ranging from the national security implications of unregulated location data sales to the pervasive biases in AI-driven hiring tools. Through in-depth investigations and expert discussions, listeners gain a comprehensive understanding of the current threats and the urgent need for regulatory and technological advancements to safeguard privacy, security, and equity in an increasingly digital world.

For more detailed coverage and to stay updated on the latest in cybersecurity, subscribe to the CyberWire Daily podcast and visit thecyberwire.com.