Dave Buettner
You're listening to the Cyberwire network, powered by N2K.
Hey everybody, Dave here. I want to talk about our sponsor, LegalZoom. You know, I started my first business back in the early 90s and oh, what I would have done to have been able to have the services of an organization like LegalZoom back then. Just getting all of those business ducks in a row, all of that technical stuff, the legal stuff, the registrations of the business, the taxes, all of those things that you need to go through when you're starting a business, the hard stuff, the stuff that sucks up your time when you just want to get that business launched and out there. Well, LegalZoom has everything you need to launch, run and protect your business all in one place. And they save you from wasting hours making sense of all that legal stuff. Launch, run and protect your business. To make it official today at legalzoom.com, you can use promo code CYBERTEN to get 10% off any LegalZoom business information product, excluding subscriptions and renewals. That expires at the end of this year. Get everything you need from setup to success at legalzoom.com and use promo code CYBERTEN. That's legalzoom.com and promo code CYBER10. LegalZoom provides access to independent attorneys and self-service tools. LegalZoom is not a law firm and does not provide legal advice except where authorized through its subsidiary law firm LZ Legal Services LLC.
A Wired investigation uncovers the ease of tracking US military personnel. Apple releases emergency security updates to address actively exploited vulnerabilities. Latino teenagers and LGBTQ individuals are receiving disturbing text messages spreading false threats. CrowdStrike says Liminal Panda is responsible for telecom intrusions. Oracle patches a high-severity zero-day. Trend Micro has disclosed a critical vulnerability in its Deep Security 20 agent software. A rural hospital in Oklahoma suffers a ransomware attack.
A leading fintech firm is investigating a security breach in its file transfer program. Researchers deploy Mantis against malicious LLMs. Ben Yellen from the University of Maryland Center for Health and Homeland Security discusses AI's bias in the resume screening process. And tracking down a lost Lambo.
It's Wednesday, November 20th, 2024. I'm Dave Buettner and this is Cyberwire Intel Briefing. Thanks for joining us here today. It is great as always to have you with us.
A contractor commuting from a home near Wiesbaden, Germany to US military installations has inadvertently highlighted a serious national security risk posed by unregulated mobile location data sales. Investigative reporting by Wired, Beric and netzpolitik.org revealed how data brokers legally sell granular location information that can track US service members and contractors at sensitive sites. The revelation stemmed from a data set obtained from Florida-based Data Stream Group containing billions of location signals tied to mobile advertising IDs. For two months in 2023, the data set tracked devices at critical installations including Lucius D. Clay Kaserne, the U.S. Army's European headquarters, and Büchel Air Base, home to U.S. nuclear weapons. Detailed movement patterns were observed, such as daily commutes, weekend activities and even stops at local brothels. The risks are profound. Foreign adversaries or terrorists could exploit such data to identify personnel with sensitive access, uncover base vulnerabilities or plan attacks. Patterns could reveal guard schedules or entry points, while personal habits might expose individuals to blackmail or coercion. Efforts to regulate the data broker industry in the US have faltered. The Fourth Amendment Is Not for Sale Act, which would ban federal agencies from buying such data without a warrant, remains stalled in Congress.
Meanwhile, the Federal Trade Commission plans to file lawsuits recognizing US military installations as protected sites, but broader protections remain absent. The Department of Defense acknowledges the risks of geolocation data but has largely deferred responsibility to service members through operational security protocols. Critics argue this approach is insufficient given the pervasive integration of mobile technology into daily life. Researchers emphasize that the systemic sale of mobile location data undermines privacy and creates substantial vulnerabilities for national security, with experts like Ron Wyden, US Senator from Oregon, calling the industry's practices outrageous. The investigation underscores the urgency of regulating data brokers, tightening operational security and safeguarding the privacy of military and intelligence personnel. Without action, adversaries could exploit this data to threaten US personnel and operations, escalating the risk to national and international security.
Meanwhile, the US Government Accountability Office has urged Congress to establish a federal office to ensure consistent safeguards for civil rights and liberties in government use of personal data. A GAO report highlights uneven data protection practices across 24 federal agencies, with many lacking policies to address civil liberties. Emerging technologies like facial recognition and AI amplify privacy risks, including bias and misidentification. The GAO warns that without unified oversight, agencies risk violating citizens' rights and recommends Congress develop comprehensive technology-agnostic regulations.
Apple has released emergency security updates to address two actively exploited vulnerabilities affecting devices like iPhones, iPads and Macs. These updates fix JavaScriptCore and WebKit flaws, enabling code execution and cross-site scripting.
Apple advises immediate patching to prevent malicious exploitation, which was discovered by Google's Threat Analysis Group. Older Macs with Intel processors are specifically called out in the update.
Latino teenagers in Georgia and LGBTQ individuals nationwide are receiving disturbing anonymous text messages, spreading false threats and targeting their identities. Messages sent to Latino students claim they are set to be deported by Immigration and Customs Enforcement (ICE), while others tell LGBTQ individuals to report to re-education camps. ICE has denied involvement, stating these messages do not align with its operations. Santiago Marquez of the Latin American Association reported multiple concerned calls from parents whose children received such texts. One screenshot detailed ICE enforcement via a brown van. LGBTQ individuals, including a lesbian business owner, receive text messages referencing discriminatory re-education under a fabricated presidential directive. The FBI is investigating these incidents, which resemble earlier racist messages targeting black Americans. Advocacy groups emphasize the harm caused, especially to vulnerable teens and marginalized communities.
CrowdStrike has identified a new Chinese cyber espionage group, Liminal Panda, responsible for telecom intrusions previously attributed to LightBasin. Active since 2020, Liminal Panda targets telecom providers in countries linked to China's Belt and Road Initiative, gathering network telemetry and subscriber data for intelligence, not financial gain. Using advanced tools and exploiting telecom interconnectivity, the group breached networks in Asia and Africa. While linked to Chinese state-sponsored tactics, definitive attribution remains inconclusive.
CrowdStrike recommends enhanced network access controls, password policies and monitoring to mitigate risks.
Oracle has released patches for a high-severity zero-day vulnerability in Agile Product Lifecycle Management, which has been exploited in the wild. The flaw, with a CVSS score of 7.5, allows unauthenticated attackers to remotely access files under the application's privileges via HTTP. Oracle credited CrowdStrike researchers Joel Snape and Lutz Wolf for identifying the issue. Oracle urges customers to apply updates immediately to mitigate the risk of critical data exposure or full system access.
Trend Micro has disclosed a critical vulnerability in its Deep Security 20 agent software. The flaw, rated 8.0, allows attackers with low-privileged access to inject remote commands and execute arbitrary code. Trend Micro has released patches to address the issue and urges immediate updates. Organizations should also review access policies to prevent exploitation.
Great Plains Regional Medical Center in Oklahoma suffered a ransomware attack in September, compromising the personal data of just over 133,000 individuals. The attack, which impacted the hospital's systems between September 5th and 8th, led to partial restoration but left some patient data unrecoverable. Exposed data included names, health details and Social Security numbers. Rural hospitals like Great Plains face heightened risks due to limited cybersecurity resources, making them targets for attackers. Experts urge increased federal support and public-private partnerships to bolster defenses against such threats.
Finastra, a leading fintech firm serving top global banks, is investigating a security breach in its file transfer platform, potentially exposing sensitive client data. Krebs on Security reports hackers operating under the alias abyss0 claim to have stolen over 400 gigabytes of data and listed it for sale on cybercrime forums targeting Finastra's banking clients.
Detected on November 7, the breach involved credential compromise but no malware deployment. Finastra assured customers its operations remain unaffected, launching an alternative secure file sharing platform. Investigations continue to determine the scope of the theft, and impacted customers will be notified directly. The cybercriminal who initially listed data for $20,000 abruptly vanished with their online accounts deactivated. Finastra had previously been hit with ransomware. Back in
Researchers at George Mason University have developed a novel defense system they're calling Mantis to counter cyber attacks conducted by large language models. Mantis uses deceptive techniques to lure malicious LLMs into engaging with decoy services such as fake FTP servers. The system embeds prompt injection attacks in responses to manipulate and disrupt the attacker's strategy. By exploiting the iterative process used by attacking LLMs, Mantis can redirect their actions, waste resources, and even create reverse shells to compromise the attacking system. Mantis employs both passive and active defenses, achieving a success rate above 95%. Passive strategies raise the cost of attacks, while active defenses target the attacking AI directly. The vulnerability exploited, prompt injection, is a fundamental weakness in LLMs, difficult to patch without diminishing their utility. This innovation highlights the potential for using AI's own methods against it, marking a significant step in AI-driven cybersecurity defenses.
Coming up after the break, my conversation with Ben Yellen about AI bias in the resume screening process and tracking down a lost Lambo. Stay with us.
Ben Yellen
And now a word from our sponsor, KnowBe4. It's all connected, and we're not talking conspiracy theories. When it comes to infosec tools, effective integrations can make or break your security stack. The same should be true for security awareness training. KnowBe4, provider of the world's largest library of security awareness training, provides a way to integrate your existing security stack tools to help you strengthen your organization's security culture. KnowBe4's SecurityCoach uses standard APIs to quickly and easily integrate with your existing security products from vendors like Microsoft, CrowdStrike and Cisco. 35 vendor integrations and counting. SecurityCoach analyzes your security stack alerts to identify events related to any risky security behavior from your users. Use this information to set up real-time coaching campaigns targeting risky users based on those events from your network, endpoint, identity or web security vendors. Then coach your users at the moment the risky behavior occurs with contextual security tips delivered via Microsoft Teams, Slack or email. Learn more at knowbe4.com/securitycoach. That's knowbe4.com/securitycoach. And we thank KnowBe4 for sponsoring our show.
Dave Buettner
Do you know the status of your compliance controls right now? Like right now? We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.
And joining me once again is Ben Yellen. He is from the University of Maryland Center for Health and Homeland Security and also my co-host on the Caveat podcast. Hey there, Ben.
Ben Yellen
Good to be with you again, Dave.
Dave Buettner
Interesting story came by from the folks over at GeekWire. This is about some research at University of Washington where they were examining racial and gender bias in AI-driven resume screening. What's going on here, Ben?
Ben Yellen
So this is a really striking story. So these researchers tried to examine whether there was bias in AI-driven resume screening. And spoiler alert, there is. When you train a system on a lot of data and a lot of human decisions went into that training data and humans, as we know, can be extremely biased on a number of different grounds, then this is the result that you're going to get. It's very reflective of the training data. Some of the findings are pretty striking. They tested three open source large language models, and resumes with white-associated names were preferred 85% of the time. Female-associated names were favored only 11% of the time. Even for jobs that one would think would be traditionally female jobs, Black men were least preferred; models chose candidates nearly 100% of the time. Again, the only thing that was changed on these sample resumes was the name.
Dave Buettner
Wow.
Ben Yellen
And those are extremely striking findings. So what are the implications of this? For one, I think policymakers have a role to play here. We've seen jurisdictions across the country try to address this problem. New York City passed a policy requiring transparency to understand exactly what is going into these artificial intelligence hiring tools to make sure that they are not reflective of biases. California has a new law in the book protecting intersectional characteristics. There's further academic research to be done, I think, to make this kind of a double-blind experiment. The researchers are looking at human trust in AI-driven hiring next and whether technology inadvertently reinforces the biases that we currently have. So I think this should give organizations major pause and concern about using some of these tools. I understand why these tools are helpful. Just like any AI system, it cuts down on the work that we as humans have to do in sorting through a giant pile of resumes. But when you see statistics like this, I think there are flashing red lights everywhere. So it's a very illuminating study.
Dave Buettner
Yeah. One of the things that stuck out to me was that they found that even if you remove the name, that in a lot of cases these LLMs can infer someone's identity from other information on their resume.
Ben Yellen
Yeah. So you could look at somebody's work experience, for example, and if somebody worked at, for example, the NAACP, something from that work experience will trigger and that will end up introducing bias in the data. The system suspects that that candidate is likely black or African American, and those biases will manifest themselves in whatever the output. Again, this is after you've stopped using names. And so it's not unique to just stereotypically white or non-white names. That's not what's driving the bias here. It's more than that. It's the names, yes, but it's also what is contained inside of the resumes. So what's kind of depressing here is that the systems are advanced enough to be uncommonly good at perpetuating racial biases here. Like it's extremely efficient in a number of different ways at reinforcing some of the biases that all of us have as human beings.
Dave Buettner
Yeah. As I've said before that it seems like these systems in a lot of ways they reflect who we actually are rather than who we aspire to be.
Ben Yellen
Yeah, it's sort of depressing that we thought that machines could solve a lot of our problems. And it turns out when you try to develop machines and try and get them to think like human beings, they're going to reflect the good and the bad of human beings. There are a lot of good aspects about thinking like human beings, let's say, relative to standard computing, where it's all very linear. You're looking for decision points. Thinking like a human being is great, making these neural connections from a bunch of different stimuli, but it comes with the negative, and this is the negative being manifest here.
Dave Buettner
It reminds me of a story I heard about folks auditioning for symphony orchestras or even auditioning for colleges, you know, elite music colleges, that they found that there was a lot of gender bias in the hiring or the acceptance of musicians who are auditioning, you know, by playing their instrument in front of a panel of judges. So the first thing they did was they put up a black curtain on the stage so that the person playing would walk out behind the black curtain, sit down, play their instrument, and be judged.
Ben Yellen
You should use some of those, the chairs they use on The Voice that are reversible so that they can't see the person well.
Dave Buettner
So my understanding of the story is that the curtain helped a little bit, but what they ultimately learned was that they also had to put carpet on the floor because the judges could hear the way the people walked. And women's shoes sound different from men's shoes. And so the click, click, click of, for example, someone in heels is different from a man in dress shoes. And they were implying things just based on that. So it's tricky.
Ben Yellen
It's very tricky. It's so hard to completely root out these biases. I think some people just kind of want to throw up their hands and say, well, humans are more biased than these machines, even after understanding what these studies are showing. So despite the deficiencies of these systems, we should still use them. I think we have to work beyond that and say we now know how policymakers are reacting to biased AI systems. We have tools potentially to help root out some of the discrimination that we're seeing here. And I think it's incumbent upon us to at least consider the use of those tools through things like regulation, requiring transparency, et cetera.
Dave Buettner
Yeah. All right. Well, again, it's a study from the University of Washington and written up by the folks over at GeekWire. We will have a link in the show notes. Ben Yellen, thanks for joining us.
Ben Yellen
Thank you.
Dave Buettner
And now a word from our sponsor, NordPass. NordPass is an advanced password manager from the team behind NordVPN designed to help keep your business safe from data leaks and cyber threats. It gives your IT professionals control over who has access to your company's data and makes it easy for everyone else on your team to use strong passwords. Right now you can go to www.nordpass.com/cyberwire for 35% off the NordPass business yearly plan. Don't miss out on that.
And finally, our exotic motoring desk tells us that Chris Bryant, the Colorado Rockies third baseman, had a rough off season when his flashy 2023 Lamborghini Huracan went AWOL en route to his Las Vegas home. The saga began on October 2nd when the supercar mysteriously vanished, sparking a multi-agency investigation. Turns out the transport company fell victim to business email compromise, a scam that rerouted Bryant's Lambo to an unauthorized Las Vegas destination. Thanks to license plate recognition cameras, police tracked the car's journey, recovering it on October 7th and nabbing multiple suspects. The bust revealed a jackpot of criminal goodies: fake VINs, key fobs, fraudulent docs and other stolen vehicles. One bonus car even turned up in California. Though police didn't name drop Bryant, the Denver Post did, with Detective Justin Smith quipping, "We'd treat it the same if it were a Ford 150, but hey, a Lamborghini does make for a cool case."
And that's the Cyberwire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K Cyberwire is part of the daily routine of the most influential leaders and operators in the public and private sector. From the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies, N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your team smarter. Learn how at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Trey Hester, with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Iban. Our executive editor is Brandon Karp. Simone Petrella is our president, Peter Kilpie is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
The IT world used to be simpler.
Ben Yellen
You only had to secure and manage environments that you controlled.
Dave Buettner
Then came new technologies and new ways to work.
Ben Yellen
Now employees, apps and networks are everywhere. This means poor visibility, security gaps and added risk. That's why Cloudflare created the first ever connectivity cloud. Visit cloudflare.com to protect your business Everywhere you do business.
CyberWire Daily: When Location Data Becomes a Weapon
Release Date: November 20, 2024
Host: Dave Buettner
Produced by N2K Networks
In this episode, host Dave Buettner delves into a critical investigation by Wired, Beric, and netzpolitik.org, exposing the vulnerabilities posed by the unregulated sale of mobile location data. The investigation centers on a dataset acquired from Florida-based Data Stream Group, which contained billions of location signals tied to mobile advertising IDs. Over two months in 2023, this data tracked devices at sensitive U.S. military installations, including Lucius D. Clay Kaserne, the U.S. Army's European headquarters, and Büchel Air Base, home to U.S. nuclear weapons.
Notable Quote:
"The systemic sale of mobile location data undermines privacy and creates substantial vulnerabilities for national security," - Dave Buettner [05:30].
The episode highlights a GAO report urging Congress to establish a federal office dedicated to ensuring consistent safeguards for civil rights and liberties in the government's use of personal data. The report underscores uneven data protection practices across 24 federal agencies, many of which lack policies to address civil liberties adequately. Emerging technologies like facial recognition and AI significantly amplify privacy risks, including bias and misidentification.
Notable Quote:
"Without unified oversight, agencies risk violating citizens' rights," - Dave Buettner [07:15].
Apple has released urgent security patches addressing two actively exploited vulnerabilities impacting devices such as iPhones, iPads, and Macs. These updates rectify flaws in JavaScriptCore and WebKit, which could allow malicious actors to execute code or conduct cross-site scripting attacks. Notably, older Macs with Intel processors are specifically called out in the update.
Notable Quote:
"Apple advises immediate patching to prevent malicious exploitation," - Dave Buettner [08:10].
Latino teenagers in Georgia and LGBTQ individuals nationwide are receiving alarming anonymous texts that spread false threats and target their identities. Messages falsely claim impending deportations by ICE for Latino students and suggest discriminatory re-education under fabricated presidential directives for LGBTQ individuals. ICE has denied involvement, and the FBI is actively investigating these incidents.
Notable Quote:
"These messages do not align with ICE's operations," - Dave Buettner [09:00].
CrowdStrike has attributed telecom intrusions to a newly identified Chinese cyber espionage group named Liminal Panda, previously mistaken for Light Basin. Active since 2020, Liminal Panda targets telecom providers in countries involved in China's Belt and Road Initiative, seeking network telemetry and subscriber data for intelligence purposes rather than financial gain. The group employs advanced tools and exploits telecom interconnectivity to breach networks across Asia and Africa.
Notable Quote:
"Liminal Panda gathers network telemetry and subscriber data for intelligence," - Dave Buettner [10:20].
Oracle: Patches a high-severity zero-day vulnerability in Agile Product Lifecycle Management, allowing unauthenticated attackers to remotely access files via HTTP. With a CVSS score of 7.5, the flaw poses a significant risk of data exposure.
Notable Quote:
"Apply updates immediately to mitigate the risk of critical data exposure," - Dave Buettner [11:00].
Trend Micro: Discloses a critical vulnerability in its Deep Security 20 agent software, rated 8.0, enabling attackers with low-privileged access to inject remote commands and execute arbitrary code. Trend Micro urges organizations to update immediately and review access policies.
Notable Quote:
"Organizations should review access policies to prevent exploitation," - Dave Buettner [11:30].
Great Plains Regional Medical Center in Oklahoma experienced a ransomware attack in September, compromising the personal data of over 133,000 individuals. The attack led to partial system restoration, but some patient data, including names, health details, and Social Security numbers, remained unrecoverable. The incident underscores the heightened risks faced by rural hospitals due to limited cybersecurity resources.
Notable Quote:
"Rural hospitals face heightened risks due to limited cybersecurity resources," - Dave Buettner [12:15].
Finastra, a prominent fintech company serving global banks, is investigating a security breach in its file transfer platform. Hackers, operating under the alias abyss0, claim to have stolen over 400 gigabytes of data, listing it for sale on cybercrime forums. Detected on November 7, the breach involved credential compromise without malware deployment. Finastra has responded by launching a secure file-sharing platform and notifying affected customers.
Notable Quote:
"Investigations continue to determine the scope of the theft," - Dave Buettner [13:00].
Researchers at George Mason University have developed "Mantis," a novel defense system designed to counter cyber attacks conducted by large language models (LLMs). Mantis employs deceptive techniques, such as engaging malicious LLMs with decoy services like fake FTP servers and embedding prompt injection attacks to disrupt the attackers' strategies. Achieving a success rate above 95%, Mantis represents a significant advancement in AI-driven cybersecurity defenses.
Notable Quote:
"Mantis can redirect attackers' actions, waste resources, and create reverse shells to compromise attacking systems," - Dave Buettner [13:45].
Host Dave Buettner engages in an insightful discussion with Ben Yellen from the University of Maryland Center for Health and Homeland Security regarding AI's role in perpetuating biases within the resume screening process.
Notable Quotes:
"When you train a system on biased data, the results reflect those biases," - Ben Yellen [17:24].
"Systems are advanced enough to perpetuate racial biases efficiently," - Ben Yellen [20:56].
"It's very reflective of the training data," - Ben Yellen [17:30].
Conclusion: The conversation underscores the necessity for policymakers and organizations to implement comprehensive regulations and transparency measures to mitigate AI-driven biases in hiring processes. Ben Yellen emphasizes the importance of leveraging available tools and regulatory frameworks to address and rectify these discriminatory practices.
Chris Bryant, a third baseman for the Colorado Rockies, experienced a high-profile theft of his 2023 Lamborghini Huracán. The vehicle was rerouted to an unauthorized destination in Las Vegas due to a business email compromise (BEC) scam targeting the transport company. Thanks to license plate recognition cameras, authorities tracked and recovered the car within five days, leading to the apprehension of multiple suspects and the seizure of various stolen items, including fraudulent VINs and key fobs.
Notable Quote:
"Detective Justin Smith commented, 'We'd treat it the same if it were a Ford 150, but a Lamborghini does make for a cool case,'" - Dave Buettner [26:15].
This episode of CyberWire Daily brings to light the multifaceted challenges in the cybersecurity landscape, ranging from the national security implications of unregulated location data sales to the pervasive biases in AI-driven hiring tools. Through in-depth investigations and expert discussions, listeners gain a comprehensive understanding of the current threats and the urgent need for regulatory and technological advancements to safeguard privacy, security, and equity in an increasingly digital world.
For more detailed coverage and to stay updated on the latest in cybersecurity, subscribe to the CyberWire Daily podcast and visit thecyberwire.com.