The CyberWire Daily Podcast 4.16.24
Ep 2047 | 4.16.24

Weathering the phishing front.

Transcript

Cisco Duo warns of a third-party MFA-related breach. MGM Resorts sues to stop an FTC breach investigation. Meanwhile the FTC dings another mental telehealth service provider. Open Source foundations call for caution after social engineering attempts. The NSA shares guidance for securing AI systems. IntelBroker claims to have hit a US geospatial intelligence firm. The UK clamps down on deepfakes. Hard-coded passwords provide the key to smart-lock vulnerabilities. On our Industry Voices segment, Ryan Lougheed, Director of Product Management at Onspring, discusses the benefits of artificial intelligence in governance, risk and compliance (GRC). A Law Firm’s Misclick Ends 21 Years of Matrimony.

Today is April 16th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Cisco Duo warns of a third-party MFA-related breach. 

Cisco Duo alerted customers that an unnamed telephony provider they use for multi-factor authentication (MFA) services was breached by threat actors. This breach allowed attackers access to SMS logs but not the content of messages. The breach occurred due to a phishing attack on April 1, 2024, targeting the provider's employee credentials. The accessed logs contained users' phone numbers, carrier information, and general location data from March 1 to 31, 2024, potentially affecting thousands of Duo's over 100,000 customers. Cisco warned this data could facilitate broader social engineering campaigns. The provider has since invalidated compromised credentials and is bolstering security measures. Cisco's response includes advising businesses to inform impacted customers and providing the obtained message logs upon request, highlighting the risk of further social engineering attacks.

MGM Resorts sues to stop an FTC breach investigation. Meanwhile the FTC dings another mental telehealth service provider. 

MGM Resorts International is suing the U.S. Federal Trade Commission (FTC) to stop an investigation into data security breaches following a major hack. Filed in Washington federal court, MGM argues it's not subject to FTC consumer financial data rules as it's not a financial institution. Additionally, MGM contends FTC Commissioner Lina Khan should recuse herself due to personal involvement, as she was staying at an MGM hotel during the hack. The FTC has not commented on the lawsuit. The September hack caused MGM significant financial damage, leading to tens of millions of dollars in losses and fifteen consumer class action lawsuits against the company.

Speaking of the FTC, they have proposed a settlement with mental telehealth service Cerebral Inc. and its former CEO, mandating a $7 million penalty for unlawfully sharing sensitive health data with third-party advertisers without patient consent. This action addresses violations of the FTC Act and the Opioid Act, focusing on deceptive practices and unfulfilled cancellation promises. The settlement includes a $5.1 million partial refund for consumers misled by Cerebral's cancellation policies. The order, pending U.S. District Court approval, aims to limit Cerebral's handling of consumer data and enhance privacy protections, requiring consent for data sharing and the implementation of a comprehensive privacy program. This follows a reported data breach affecting 3.2 million individuals and Cerebral's improper use of tracking tools sharing patient information with platforms like Facebook, Google, and TikTok. The FTC's move is part of broader enforcement against health data privacy violations, reflecting increased scrutiny on telehealth and data brokerage practices regarding consumer information security.

Open Source foundations call for caution after social engineering attempts. 

The Open Source Security Foundation (OpenSSF) and the OpenJS Foundation have issued a warning to open source maintainers about social engineering attacks aiming for project takeovers, following suspicious activities mirroring the xz Utils hack. The OpenJS Foundation observed dubious emails seeking urgent updates for a JavaScript project under the guise of fixing vulnerabilities, with the senders pushing to be made new maintainers. These attempts resemble the tactics of ‘Jia Tan’, linked to the xz Utils/liblzma backdoor incident. OpenJS detected similar schemes targeting two other projects, which were reported to the US Cybersecurity and Infrastructure Security Agency (CISA). The foundations advocate for increased awareness and caution, outlining signs of suspicious behavior such as aggressive requests for maintainer status by unknown individuals and attempts to introduce unreadable or obfuscated code. This situation underscores the significant risk social engineering poses to the open source ecosystem, highlighting the vulnerability of underfunded projects and the potential difficulty in distinguishing genuine contributions from malicious intents.

The NSA shares guidance for securing AI systems. 

The NSA, in collaboration with multiple national and international cybersecurity organizations, has released a Cybersecurity Information Sheet (CSI) to guide organizations in securing AI systems. This inaugural guidance from the NSA’s Artificial Intelligence Security Center (AISC) emphasizes best practices for deploying secure and resilient AI systems, particularly for National Security System (NSS) owners and Defense Industrial Base (DIB) companies. The document highlights the importance of adapting security measures to specific use cases and threat profiles, aligning with the Cybersecurity Performance Goals (CPGs) by CISA and NIST. It covers comprehensive strategies for AI system deployment, including robust governance, secure configurations, privacy considerations, and Zero Trust frameworks. Additionally, it stresses the ongoing necessity of identifying risks, implementing mitigations, and monitoring for security issues to protect intellectual property, models, and data from theft or misuse. 

IntelBroker claims to have hit a US geospatial intelligence firm. 

The notorious hacker "IntelBroker" claims to have penetrated the cyber infrastructure of Space-Eyes, a Miami-based firm providing geospatial intelligence to US government agencies. This breach potentially exposes "highly confidential documents" related to US national security, including sensitive information about individuals and vessels under US sanctions. The exposed data, detailed by Hackread.com, include full names, phone numbers, company details, job descriptions, over 26,000 email addresses, some password hashes, and complete location data. The leak also includes public data from the US Treasury website, listing sanctioned cybercrime groups and individuals. This incident follows a similar breach by IntelBroker targeting Acuity Inc., a US Federal contractor, which was initially dismissed by Acuity and the US government until further data implicating "The Five Eyes" was released. CISA has been notified, but Space-Eyes has yet to comment on the authenticity of the breach. 

The UK clamps down on deepfakes. 

Creating sexually explicit "deepfake" images without consent could become a criminal offense in England and Wales, punishable by an unlimited fine and potential jail time, even if the creator did not intend to share the image. This new law, to be introduced as an amendment to the Criminal Justice Bill, aims to tackle the invasive use of AI to alter images or videos, particularly of celebrities or public figures, into pornographic content. The legislation, however, has been critiqued for potentially having loopholes, as it requires proving the creator's intent to cause distress. The move, bolstered by the Online Safety Act which already made sharing deepfakes illegal, has been welcomed by victims and advocates as a significant step toward enhancing protections, especially for women, against this form of digital abuse and exploitation.

Hard-coded passwords provide the key to smart-lock vulnerabilities. 

A severe security vulnerability has been identified in the software that controls certain smart locks, specifically those managed by Chirp Systems. This critical flaw allows for the possibility that individuals without authorization can remotely unlock these smart locks, posing a significant risk to the safety and security of over 50,000 households reported to be using Chirp’s system.

The root of this vulnerability lies in Chirp's Android application, where passwords and private keys are hard-coded. Through an API, attackers are capable of not just identifying but also controlling the smart locks that are affected. 

The flaw was discovered three years prior by Matt Brown, a senior engineer at Amazon Web Services, who took an interest in the security of Chirp’s Android app as his apartment building adopted these smart locks. 

Compounding the issue, Chirp Systems, based in Texas, was acquired by real estate technology firm RealPage in 2020, which in turn was bought by private equity firm Thoma Bravo. This change in ownership raises questions about the company's accountability and commitment to resolving such critical security issues, as noted by Brown.

The disclosure of this vulnerability serves as a stark reminder of the potential risks associated with smart home technologies. For users of Chirp-enabled smart locks, additional precautions such as the use of traditional mechanical locks are advisable until a definitive fix is confirmed. 
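The Chirp story turns on credentials and private keys shipped inside an Android app, where anyone who unpacks the APK can read them. The following is an added example, not Chirp's code and not Matt Brown's research: a small scanner that walks decompiled app artifacts (strings.xml, decompiled Java, smali, bundled JSON) and flags PEM private-key headers, credential-looking key/value pairs, and long high-entropy string literals. The file contents, the keyword list, and the entropy threshold of 3.5 bits per character are all constructed assumptions for the demonstration, and the scanner reports at most one finding per line.

```python
"""Added example: flag hard-coded secrets in decompiled Android app artifacts."""
from __future__ import annotations

import math
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str      # "private-key", "credential" or "high-entropy-literal"
    evidence: str  # what was matched, kept short so reports do not re-leak secrets

# Keyword list and threshold are assumptions for this example, not a standard.
SECRET_WORDS = r"(?:pass|pwd|secret|token|api_?key|private)"
# PEM private-key header, with or without an algorithm label.
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")
# Android string resource whose name looks like a credential: <string name="api_password">..</string>
XML_STRING_RE = re.compile(r'<string\s+name="([^"]*' + SECRET_WORDS + r'[^"]*)"\s*>([^<]+)</string>', re.I)
# key = "value" / "key": "value" in decompiled Java, smali or JSON, where key contains a secret word.
KV_RE = re.compile(r'["\']?([A-Za-z0-9_]*' + SECRET_WORDS + r'[A-Za-z0-9_]*)["\']?\s*[:=]\s*["\']([^"\']{4,})["\']', re.I)
# Any quoted literal of token-ish characters long enough to be a key; judged by entropy.
LITERAL_RE = re.compile(r'"([A-Za-z0-9+/=_\-]{20,})"')


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score high, padding and placeholders score low."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str, entropy_threshold: float = 3.5) -> list[Finding]:
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = PRIVATE_KEY_RE.search(line)
        if m:
            findings.append(Finding(path, lineno, "private-key", m.group(0)))
            continue
        m = XML_STRING_RE.search(line) or KV_RE.search(line)
        if m:
            findings.append(Finding(path, lineno, "credential", f"{m.group(1)}={m.group(2)}"))
            continue
        for literal in LITERAL_RE.findall(line):
            if shannon_entropy(literal) >= entropy_threshold:
                findings.append(Finding(path, lineno, "high-entropy-literal", literal))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> file contents, as produced by unpacking/decompiling an APK."""
    out: list[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample artifacts (not from any real app). Values are deliberately fake.
SAMPLE_FILES = {
    "res/values/strings.xml": (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        "<resources>\n"
        '    <string name="app_name">LockDemo</string>\n'
        '    <string name="api_base">https://api.example.invalid/v1</string>\n'
        '    <string name="api_password">P@ssw0rd-demo-1234</string>\n'
        "</resources>\n"
    ),
    "sources/com/example/lock/ApiClient.java": (
        "package com.example.lock;\n"
        "\n"
        "public final class ApiClient {\n"
        '    private static final String BASE_URL = "https://api.example.invalid/v1";\n'
        '    private static final String API_KEY = "sk_live_Qz7vN2pL9xT4wB8mR3kD6yH1";\n'
        '    private static final String SIGNING_KEY_PEM = "-----BEGIN EC PRIVATE KEY-----";\n'
        '    private static final String DEVICE_ID_PREFIX = "lock-";\n'
        "}\n"
    ),
    "assets/config.json": '{"mqtt_host": "mqtt.example.invalid", "mqtt_user": "device", "mqtt_password": "hunter2-demo"}\n',
    "smali/com/example/lock/LockSession.smali": (
        ".class public final Lcom/example/lock/LockSession;\n"
        ".method private buildAuthHeader()Ljava/lang/String;\n"
        '    const-string v0, "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"\n'
        '    const-string v1, "xxxxxxxxxxxxxxxxxxxxxxxx"\n'
        "    return-object v0\n"
        ".end method\n"
    ),
    "res/values/colors.xml": '<resources><color name="primary">#FF0000</color></resources>\n',
}


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.kind}: {f.evidence}")
```

Run against the constructed sample, the scanner reports the `api_password` resource, the `API_KEY` constant, the EC private-key header, the MQTT password in the bundled JSON, and the JWT-looking literal in the smali; the URL, the colour resource and the 24-character run of `x` are left alone because they either lack a credential keyword or have near-zero entropy. Against a real APK you would feed it the output of a decompiler such as jadx or apktool; keyword and entropy heuristics produce false positives, so treat hits as leads for manual review, and remember that the remediation is to keep per-device or per-user secrets on the server side rather than in the client at all.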

 

Coming up next on our Industry Voices segment, I speak with Ryan Lougheed of Onspring about the benefits of AI in governance, risk and compliance (GRC).

We’ll be right back.

Welcome back. You can find out more about Ryan and Onspring in our show notes. 

A Law Firm’s Misclick Ends 21 Years of Matrimony. 

And finally, 

In a digital age where a misclick can lead to purchasing a lifetime supply of toilet paper or inadvertently liking your ex's vacation photos from 2014, a Mr. and Mrs. Williams from the UK found themselves unwittingly at the forefront of an even more monumental digital faux pas. Imagine their surprise when, due to a clerical blunder at their law firm, they were divorced without their consent.

The scene unfolds at Vardag's, a law firm known for serving the needs of the rich and famous. One fateful day, a staffer ventured into the online divorce portal and, with the wrong file open, a click intended to sever the marital ties of one couple inadvertently sliced through the bonds of Mr. and Mrs. Williams, a pair blissfully unaware of their participation in this electronic lottery of love.

Three days later Vardag's realized their error, and sought to undo this unwanted un-union, appealing to the wisdom of Judge Sir Andrew McFarlane. Yet the judge decided the digital deed was done: what’s done in the cloud stays in the cloud. The divorce stood.

This tale serves as a cautionary fable for the digital era. A world where a single click can alter lives, where matrimonial ties are as vulnerable to termination as an unsaved document in a power outage. For Mr. and Mrs. Williams, their unintended digital divorce becomes a story for the ages – a reminder to double-check before you double-click, lest you find your 'I do' turned into 'I did' by the impersonal stroke of a key.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

 

We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.

 

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.