The CyberWire Daily Podcast 4.4.24
Ep 2039 | 4.4.24

Securing secrets: The State Department's cyber hunt.

Transcript

The State Department investigates an alleged breach. The FCC looks at regulating connected vehicles. A big-tech consortium hopes to mitigate AI-related job losses. Google aims to thwart cookie-thieves. SurveyLama exposes sensitive info of over four million users. Omni Hotels & Resorts is recovering from a cyberattack. A national cancer treatment center suffers a breach. How cyber is approached on both sides of the pond. In our Industry Voices segment, George Jones, CISO at Critical Start, discusses strategies for maximizing cybersecurity investments to achieve optimal risk reduction. Playing the identity theft long-game.

Today is April 4th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The State Department investigates an alleged breach. 

The U.S. State Department has launched an investigation after a hacker group, IntelBroker, claimed to have leaked documents from Acuity, a technology consulting firm serving federal security customers. IntelBroker alleges these documents contain sensitive information from the Five Eyes intelligence alliance, including personal details of government, military, and Pentagon employees. Acuity, with nearly 400 employees and over $100 million in annual revenue, specializes in services like DevSecOps and cybersecurity for national security customers. As for the hacker group IntelBroker, this isn’t their first major breach; their history includes unauthorized access to data from various U.S. government agencies and notable companies like Hewlett Packard Enterprise. The State Department has confirmed it's looking into the breach but has not disclosed specifics, citing security concerns. The overlap of leaked data in previous IntelBroker disclosures hints at a potential connection between this and earlier incidents.

The FCC looks at regulating connected vehicles. 

There is a clash brewing between automakers and the FCC over whether connected vehicles should be regulated as telecom entities. FCC Chairwoman Jessica Rosenworcel questioned if cars' technological advancements necessitate new regulations. This inquiry aligns with increasing concerns over connected cars' data practices, including law enforcement's use of such data without consent, potential for stalking, and automakers selling information to third parties. Rosenworcel's focus is on whether automakers qualify as "mobile virtual network operators" (MVNOs), potentially subjecting them to stricter data handling and sharing rules. Most automakers denied operating as MVNOs, but the debate raises critical questions about privacy, transparency, and regulatory authority in the era of connected vehicles.

A big-tech consortium hopes to mitigate AI-related job losses. 

AI's role in the workforce presents a dual narrative: On one hand, companies like UPS and IBM are adjusting their workforce strategies due to AI's growing capabilities, with some roles being cut or hiring paused in anticipation of automation. On the other, a notable consortium led by Cisco, including tech giants like Google and Microsoft, is focusing on mitigating AI-related job losses through reskilling and upskilling initiatives. This AI-Enabled ICT Workforce Consortium aims to assess AI's impact on job roles within the ICT industry, providing training recommendations and connecting businesses with skilled workers. Despite these efforts, skepticism remains regarding the actual availability of AI roles in the future, as demand appears to be declining. The tech industry's challenge lies in delivering tangible solutions and actions beyond mere promises to address the evolving landscape of work in the AI era.

Meanwhile, Amazon announced yesterday it would cut hundreds of jobs within its cloud computing division, AWS, aligning with a strategic realignment. This decision affects the technology team for physical stores, following Amazon's choice to abandon its Just Walk Out technology in U.S. groceries. Further job reductions span AWS's sales, marketing, and global service teams, particularly impacting AWS training, certification programs, and sales operations. These layoffs are part of Amazon's broader strategy to refocus resources and drive innovation, despite recent layoffs across Prime Video, MGM Studios, Twitch, and Audible. 

Google aims to thwart cookie-thieves. 

Google is developing a security feature called Device Bound Session Credentials (DBSC) to counter hackers who bypass multifactor authentication by stealing authentication cookies. This feature binds cookies cryptographically to a user's device, making them useless on a hacker's computer. Leveraging Trusted Platform Modules (TPM) in computers for storing encryption keys, DBSC aims to make stolen cookies valueless for account hijacking. Google proposes this mechanism as a web standard, envisioning an API for servers to initiate at each browsing session's start, enhancing security without compromising privacy. With interest from identity provider Okta and Microsoft's Edge browser, Google seeks to convince other major browser makers to adopt this approach, potentially establishing a new standard in web security.

Google addressed two critical vulnerabilities in its Pixel devices exploited by forensic firms to bypass PIN security and access device data. These zero-days, involving the bootloader and firmware, were distinctively patched in Pixel's April 2024 update, separate from the general Android patches, due to Pixel's unique hardware and features. GrapheneOS researchers, who discovered the exploitation, highlighted that Google's fixes aim to block unauthorized access to memory and factory reset bypasses, though they noted the latter fix may be partially effective.

SurveyLama exposes sensitive info of over four million users.

SurveyLama, an online survey platform rewarding users for participation, experienced a data breach in February 2024, exposing 4.4 million users' sensitive information. Have I Been Pwned (HIBP) reported the breach, which included dates of birth, email and physical addresses, full names, passwords, phone numbers, and IP addresses. SurveyLama, owned by Globe Media, confirmed the incident and notified affected users. Despite passwords being hashed, vulnerabilities exist, and users are advised to change their passwords immediately.

Omni Hotels & Resorts is recovering from a cyberattack. 

Omni Hotels & Resorts is dealing with the aftermath of a cyberattack that led to a national IT outage, disrupting its operations. The attack, identified on March 29, prompted Omni to shut down its systems to contain the breach. Most systems have been restored, thanks to efforts from their IT teams and a cybersecurity response unit. The nature of the attack has not been officially confirmed by Omni, but sources suggest it was a ransomware incident. The company is currently restoring encrypted servers from backups, with no ransomware group yet claiming the attack. The cyberattack has impacted reservation and payment systems, but all Omni locations continue to operate, accepting guests while manually restoring systems. This incident follows a 2016 breach where malware compromised Omni's point-of-sale systems.

A national cancer treatment center suffers a breach. 

City of Hope, a comprehensive cancer center with locations across the US, experienced a data breach between September 19 and October 12, 2023, affecting over 800,000 individuals. Unauthorized access to their systems resulted in the theft of sensitive data, including personal and medical information. Despite no current evidence of identity theft or fraud, the center has taken steps to contain the breach, informed law enforcement, and engaged a cybersecurity firm to enhance system security. Impacted individuals are being offered two years of identity monitoring services. Notifications began in December 2023, with ongoing efforts to identify all affected parties.

How cyber is approached on both sides of the pond. 

A piece in GovInfoSecurity by CyberTheory’s Steve King examines the cybersecurity landscape in the U.K. and the U.S., and how they diverge due to differences in national security priorities, regulatory environments, and cultural attitudes towards privacy and surveillance. In the U.K., King says, the emphasis is on data protection, heavily influenced by EU regulations like GDPR, leading to a stringent compliance culture within cybersecurity. Conversely, the U.S. focuses more on protecting critical infrastructure against espionage and cyberattacks, with a fragmented regulatory framework. Cultural attitudes also vary, with the U.K. displaying a certain acceptance of surveillance for security, whereas the U.S. shows polarization, emphasizing individual freedom and privacy rights. Moreover, the U.K. and U.S. prioritize different aspects of national security in their cybersecurity strategies. The private sector's role and the approach to career development and education in cybersecurity also differ, reflecting each country's unique approach to combating cyberthreats and advancing cybersecurity practices.

Coming up after the break on our Industry Voices segment, George Jones, CISO at Critical Start, discusses strategies for maximizing cybersecurity investments to achieve optimal risk reduction. We’ll be right back.

Welcome back.

Playing the identity theft long-game. 

And finally, in a tale that reads like the plot of a crime thriller, one Matthew David Keirans executed one of the most audacious acts of identity theft, spanning over three decades. At 58 years old, Keirans admitted to a series of crimes that not only defrauded financial institutions but also irrevocably changed the life of William Donald Woods, the unsuspecting victim of this elaborate scheme.

After meeting Woods at a hot dog stand in Albuquerque, New Mexico, in the late 1980s, Keirans embarked on an elaborate scheme, fully assuming Woods' identity within two years. Utilizing forged documents, he secured employment at the University of Iowa Hospitals & Clinics, amassing over $700,000 over ten years.

The extent of Keirans' deceit included taking out loans, purchasing vehicles, and even entering a marriage under Woods' name. However, the cruelty of his actions was most starkly revealed in 2019 when Woods, then homeless and unaware of the debt accrued in his name, attempted to clear up the confusion at a bank. This led to his arrest and wrongful imprisonment for 428 days, followed by a forced stay in a mental hospital for 147 days, all while Keirans continued his deception.

The unraveling of Keirans' fraud began with Woods' complaint to Keirans' employer, leading to a police investigation that used DNA evidence to expose the truth. Keirans now faces up to 32 years in prison.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com. Hey CyberWire listeners, as we near the end of the year, it’s the perfect time to reflect on your company’s achievements and set new goals to boost your brand across the industry next year. We’d love to help you achieve those goals. We’ve got some unique end-of-year opportunities, complete with special incentives to launch 2024. So tell your marketing team to reach out! Send us a message to sales@thecyberwire.com or visit our website so we can connect about building a program to meet your goals.

We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.

 

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.