Hack-proofing the future to shape cyberspace.

Secretary Blinken and Senator Warner weigh in on cybersecurity at RSA Conference. Ransomware profits are falling. Proton Mail is under scrutiny for information sharing. A senior British lawmaker blames China for a UK cyberattack. Medstar Health notifies patients of a potential data breach. A study finds cybersecurity education programs across the U.S vary wildly. Brandon Karpf, N2K Man on the Street, stops by to share his thoughts on the 2024 RSA Conference. An Australian pension fund gets lost in the clouds.

Today is May 7th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Secretary Blinken and Senator Warner weigh in on cybersecurity at RSA Conference.

U.S. Secretary of State Antony Blinken unveiled an international cyber strategy at the 2024 RSA Conference in San Francisco. The strategy focuses on collaborating globally to shape cyberspace and digital technology development and governance. 

The strategy outlines four goals: advancing economic prosperity, enhancing security to fight cybercrime, promoting human rights and democracy, and tackling other transnational challenges. This plan emphasizes "digital solidarity," involving mutual aid for cyber attack victims and supporting partners, especially emerging economies, in developing secure and sustainable technologies. The strategy criticizes Russia, China, and other authoritarian regimes for exploiting technology and seeks to counteract their influence in shaping global internet governance. Key actions include promoting a secure, resilient digital ecosystem, coordinating with allies on digital governance, and expanding U.S. capabilities to combat cybercrime and influence global cyber policy.

Elsewhere at RSA Conference, Senator Mark Warner, head of the Senate Intelligence Committee, emphasized the ongoing challenges in defining "electronic communications service providers" under the renewed Section 702 of the Foreign Intelligence Surveillance Act. During a discussion at the RSA Conference, Warner acknowledged the complexity introduced by a House amendment that broadly expanded this definition, potentially increasing U.S. surveillance powers. Despite privacy concerns, Warner defended the provision but committed to refining it in the upcoming intelligence authorization bill. He stressed the necessity of updating the definition to align with technological advances since 2008, while ensuring it remains narrow to avoid overreach. Warner expressed confidence that resolving this issue would not be a significant obstacle.

 

Ransomware profits are falling. 

Ransomware operations are becoming less profitable despite an increase in attacks, with both the number of ransom payments and the average amount paid declining. This trend is attributed to better cyber resilience among organizations, availability of decryptors by law enforcement and cybersecurity firms, and increased law enforcement action. Chainalysis reports a 46% drop in ransomware attack payments in 2023. Meanwhile, law enforcement successes, such as the disruption of the LockBit gang and Qakbot botnet, have undermined criminal operations and trust within these networks. The exit scam by the BlackCat group, which once commanded over 30% of ransomware payments, has also damaged the ransomware-as-a-service business model. These developments reflect a growing resistance to paying ransoms, bolstered by concerted efforts from the private sector and law enforcement to disrupt ransomware ecosystems comprehensively.

Proton Mail is under scrutiny for information sharing. 

Proton Mail, a Swiss-based secure email service known for privacy, is under scrutiny again due to its compliance with a legal request involving the Spanish authorities and a Catalan independence advocate. This incident echoes a previous case where Proton Mail complied with Swiss law to provide a user's IP address, leading to the arrest of a French activist. The current controversy involves Proton Mail giving a recovery email to Spanish police, which then led to further identification processes with Apple. This sequence of actions highlights the ongoing tension between maintaining user privacy and adhering to national security demands under anti-terrorism laws. Despite Proton Mail's encryption of contents, the company confirmed compliance with 5,971 data requests in 2023, emphasizing the challenge of balancing privacy with legal obligations.

A senior British lawmaker blames China for a UK cyberattack. 

A senior British lawmaker, MP Tobias Ellwood, suggested that China was likely behind a cyberattack targeting UK armed forces personnel data, including names and banking details, through a third-party payroll system. This claim, which Ellwood described as having the characteristics of a Chinese operation to potentially coerce individuals, was met with strong denial from Beijing, labeling the accusations as "utter nonsense" and reaffirming its stance against cyberattacks. Despite this, the UK government has not officially blamed China, describing the challenge posed by Beijing as "epoch-defining" but emphasizing caution in attributing the attack. This incident adds to ongoing tensions, with the UK and US previously accusing China of various cyber intrusions.

TunnelVision undermines the security of VPN applications.

Researchers from Leviathan Security have discovered a vulnerability named TunnelVision that significantly undermines the security of virtually all VPN applications. This attack exploits a DHCP server setting, option 121, to reroute VPN traffic to allow attackers to intercept, read, and modify data that should be encrypted within the VPN tunnel. This vulnerability impacts VPNs on most operating systems except Android, which does not implement option 121. While Linux offers a partial mitigation, the breach remains largely exploitable on other systems. The flaw exposes the limitation of VPNs in securely anonymizing user traffic, especially when connected to hostile networks. The findings emphasize the necessity for more robust security measures for VPN services, like running the VPN within a non-bridged virtual machine or using a cellular device's Wi-Fi for internet access.

Medstar Health notifies patients of a potential data breach. 

MedStar Health notified 183,079 patients of a potential data breach after unauthorized access to three employee email accounts was detected, as reported to the U.S. Department of Health and Human Services. The breach occurred intermittently between January 25 and October 18, 2023. Although there is no evidence that patient information was viewed or acquired, the possibility cannot be dismissed. Exposed data may include patients' names, addresses, birth dates, service dates, provider names, and health insurance information.

A study finds cybersecurity education programs across the U.S vary wildly. 

A review led by Washington State University revealed significant variation in cybersecurity education programs across U.S. institutions designated as National Centers of Academic Excellence in Cybersecurity by the NSA. The study highlighted a lack of uniformity in program types, course offerings, and the depth of cybersecurity content. The research suggests enhancing these programs by incorporating educational theories from fields like educational psychology to better prepare graduates for the rapidly evolving cybersecurity industry. The findings stress the need for closer alignment with industry expectations and advocate for continuous adaptation to meet the changing tactics of cyber adversaries. This study serves as a benchmark for comparing programs and shaping future educational strategies in cybersecurity.

 

 

An Australian pension fund gets lost in the clouds. 

Australian firm UniSuper, a superannuation fund — The U.S. equivalents would be a defined-benefit or defined-contribution plan — recently faced a week-long systems outage traced to a series of rare issues at Google Cloud. These issues caused misconfigurations during the provisioning of UniSuper's private cloud and activated a secondary software bug, affecting both primary and secondary systems. This incident occurred shortly after UniSuper transitioned many of its workloads from Azure and its own data centers to Google Cloud, specifically using the Google VMware Engine for easier migration. Despite the disruption, UniSuper plans to begin progressive restoration of member services, including online access and mobile app functionalities. The fund also highlighted its use of multiple cloud providers, which helped mitigate data loss. Google Cloud has since taken steps to prevent such occurrences and is working continuously with UniSuper to restore all services, and they emphasize this was the result of cascading internal errors, and was not the result of a cyberattack. 

Guess UniSuper found out the hard way that not every cloud has a silver lining.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

 

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

 

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.