Podcast Summary: Talkin' About [Infosec] News, Powered by Black Hills Information Security
Episode: 2025-01-06 - Coffee With Wade
Release Date: January 9, 2025

Introduction and Banter

The episode kicks off with the hosts engaging in light-hearted banter, sharing humorous anecdotes and jokes to set a relaxed tone for the discussion.

• John [00:01]: "And that's the end of that story, man."
• Daniel [00:05]: "Drink that much mad dog? 2020. Shucky story."

US Treasury Hack via Beyond Trust

The primary focus shifts to a significant cybersecurity breach involving the U.S. Treasury. Ryan delves into how the Treasury was compromised through the Beyond Trust identity and access management solution.

• Ryan [06:34]: "The United States treasury was hacked, but they were hacked through Beyond Trust. And for those of you that don't know, Beyond Trust is literally an application service that you can buy that's designed to make sure that you don't get compromised through credentials." [07:00]

Key Points:

• Nature of the Attack: The Chinese threat actor exploited a command injection vulnerability within Beyond Trust, allowing unauthorized access to modify local account passwords.

• Implications: This breach underscores the risks of centralizing critical identity and access management systems, where a single vulnerability can expose extensive assets.

• FedRAMP Certification Concerns: Wade highlights skepticism about the efficacy of FedRAMP certifications, suggesting that compliance does not necessarily equate to robust security.

• Wade [09:42]: "Jake Williams was actually quoted and wired and I got to kind of agree with him. His take was it was a command injection vulnerability... Fedramp really doesn't mean anything." [09:44]

Compliance vs. Security: Risk Management

The discussion evolves into the broader debate of compliance versus actual security measures. The hosts argue that organizations often treat cybersecurity as a checklist to meet compliance standards rather than genuinely addressing underlying risks.

• John [19:50]: "Anybody that's looking at it from a corporate executive position is gonna say, do we meet the minimum standards? Do we get that checkbox? If we raise that level of what it takes to get that checkbox, we get more security." [19:50]

Key Points:

• Minimum Standards: Compliance frameworks often set minimal security requirements that do not adequately protect against sophisticated threats.
• Risk Assessment: Emphasizing the need for organizations to transition from mere compliance to comprehensive risk management, focusing on threat and vulnerability assessments.
• Overrides and Exceptions: Highlighting how security exceptions for certain users or systems can create vulnerabilities, especially in critical environments like healthcare and defense.

HIPAA Security Rule Changes

The hosts review the newly proposed changes to the HIPAA security rules, which aim to strengthen protections for electronic protected health information (ePHI).

• Wade [29:11]: "They are taking out the mushy language and everything is required. Now, they used to have a risk assessment piece before. Now, the thing that gets me all excited is that risk assessment, they've said, listen, we want to see a technology asset inventory." [29:11]

Key Points:

• Mandatory Requirements: Eliminating ambiguous terminology like "addressable" and "required," making all security measures compulsory.
• Technology Asset Inventory: Organizations must maintain a comprehensive inventory of all technology assets and map how ePHI traverses their systems.
• Regular Vulnerability Scanning and Pen Testing: Instituting stringent schedules for vulnerability assessments and penetration testing to identify and remediate security gaps.

Data Breaches and Telecommunication Hacks: Salt Typhoon, AT&T, Verizon

The discussion moves to recent breaches in the telecommunications sector, particularly involving major providers like AT&T and Verizon. The threat actor group Salt Typhoon is identified as a key player behind these attacks.

• Kelly [34:37]: "Focusing on Salt Typhoon which breached American telecoms, including AT&T and Verizon, both of which have claimed they are now secure." [34:37]

Key Points:

• Salt Typhoon Tactics: Exploiting vulnerabilities in telecom infrastructure to gain unauthorized access and disrupt services.
• Provider Responses: AT&T and Verizon have publicly stated they have secured their systems post-breach, but skepticism remains about the thoroughness of these measures.
• Legacy Systems: The reliance on outdated technology within telecom networks exacerbates security vulnerabilities, making them prime targets for cyberattacks.

War Thunder: Leaked Classified Information

A notable incident involving the popular combat simulation game War Thunder is discussed, where classified information about military hardware was leaked through the game.

• Corey [25:10]: "It's been a X number of days since classified information... What's the most accurate combat simulation, which is why these things happen with the classified documents." [25:10]

Key Points:

• Leak Mechanism: Classified details about military equipment like tanks and radar systems were inadvertently released within the game's environment.
• Community Reaction: Enthusiasts and security professionals have raised concerns about the oversharing of sensitive information under the guise of realism.
• Security Oversight: This incident highlights the need for stringent controls and oversight when integrating real-world data into interactive platforms.

Net Neutrality Repeal

The hosts lament the recent repeal of net neutrality regulations, discussing its implications for internet security and corporate control.

• Kelly [37:31]: "Net neutrality is dead. Dead as of last week... We're already experiencing fast lanes and other issues." [37:31]

Key Points:

• End of Fair Access: Without net neutrality, internet service providers can prioritize certain types of traffic, potentially leading to unequal access and increased vulnerability to targeted cyber threats.
• Corporate Influence: The repeal is seen as a victory for big telecoms, allowing them to exert greater control over internet infrastructure and data flow.
• Security Risks: The collapse of net neutrality may lead to fragmented internet services, complicating security measures and threat mitigation strategies.

AI Bots and Data Privacy

A segment is dedicated to the rising concerns over AI-generated bots interacting with users, drawing parallels to data privacy issues and the manipulation of user engagement.

• Ryan [49:05]: "This needs to be protected under HIPAA." [49:05]

Key Points:

• AI Interactions: Implementation of AI bots in platforms like Facebook raises ethical and security concerns, especially when they interact based on harvested user data.
• Data Exploitation: The use of AI to maintain user engagement can lead to sophisticated data tracking and privacy invasions.
• Preventative Measures: Emphasizing the importance of regulatory frameworks to govern AI interactions and protect user data from misuse.

China Cracking Down on Ransomware Groups Using AI

The episode covers China's recent actions against ransomware groups that utilized AI tools like ChatGPT to enhance their malicious activities.

• Kelly [56:15]: "China arrests four people who weaponized ChatGPT for ransomware... They should have used their own national AI like Ernie Bot." [56:15]

Key Points:

• Ransomware Enhancement: Cybercriminals in China leveraging AI to develop more sophisticated ransomware code, making attacks harder to detect and mitigate.
• Government Crackdown: China's enforcement agencies have begun targeting these groups, signaling a tougher stance on cybercrime leveraging AI technologies.
• Regulatory Implications: The interplay between AI advancements and cybersecurity necessitates robust legal and technical measures to prevent misuse.

Bad Box Devices and Pre-installed Malware in Germany

The hosts discuss a recent case in Germany where inexpensive Android-based devices were found with pre-installed malware, posing significant security threats.

• Kelly [61:29]: "Germany instructed ISPs to blackhole domains related to these Bad Box devices... They were designed as backdoors into networks for DDoS or proxying." [61:29]

Key Points:

• Malware-Loaded Devices: Approximately 70,000 Android smartphones, CTV boxes, and tablets sold in Germany were pre-installed with malware, intended to infiltrate and compromise home and corporate networks.
• Government Response: Germany has taken measures to block these malicious domains, mitigating the immediate threat but highlighting the vulnerabilities in the supply chain.
• Consumer Awareness: The incident underscores the importance of cautious purchasing decisions, especially from non-reputable sources, to prevent hardware-based security breaches.

Final Stories and Closing Remarks

The episode concludes with a mix of additional cybersecurity anecdotes, humorous exchanges, and reflections on current trends.

• Ryan [64:08]: "This is what we're headed with data privacy and AI... We need to protect our data." [64:08]
• Kelly [65:00]: "Happy New Year!" [64:19]

Key Points:

• SQL Injection Case: A brief mention of a criminal sentenced for SQL injection attacks, emphasizing the legal repercussions of cybercrimes.
• Pop Culture References: Light-hearted discussions about Star Trek and other media to wrap up the episode on an engaging note.
• Looking Ahead: Hints at future topics and a continued focus on evolving cybersecurity challenges.

Conclusion

This episode of Talkin' About [Infosec] News offers a comprehensive dive into recent cybersecurity incidents, policy changes, and emerging threats. The hosts provide insightful analyses, blending technical expertise with relatable commentary, making complex topics accessible to both seasoned professionals and newcomers in the infosec realm.

Notable Quotes:

• John [19:50]: "Do we meet the minimum standards? Do we get that checkbox? If we raise that level, we get more security."
• Ryan [05:56]: "Don't commit cybercrime... Follow the words of Allison Nixon."
• Kelly [37:31]: "Net neutrality is dead... We're already experiencing fast lanes and other issues."

For listeners seeking a blend of in-depth cybersecurity news and engaging discussion, this episode serves as a valuable resource, highlighting the critical intersections of technology, policy, and security in 2025.