The CyberWire Daily Podcast 5.20.24
Ep 2071 | 5.20.24

Double key encryption debate.

Transcript

Germany’s BSI sues Microsoft for more information on recent security incidents. Julian Assange can appeal his U.S. extradition. AI chatbots may have itchy trigger fingers. CISA warns of vulnerabilities affecting Google Chrome and D-Link routers. Ham Radio’s association suffers a data breach. New underground marketplaces pop up to replace BreachForums. An updated banking trojan targets users in Central and South America. Cybercom’s founders share its origin story. Examining gender bias in open source software contributors. For our Industry Voices segment, guest Chris Pierson, CEO at BlackCloak, met up with N2K’s Brandon Karpf at the 2024 RSA Conference to discuss personal cybersecurity risks for executives. College students unlock free laundering — no money required. 

Today is May 20th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Germany’s BSI sues Microsoft for more information on recent security incidents. 

Germany's Federal Office for Information Security (BSI) has been actively pursuing information on Microsoft's security measures since last fall. Following significant security incidents at Microsoft, in which state-sponsored attackers accessed data belonging to Microsoft and its cloud customers, the BSI demanded details of Microsoft's precautions. Microsoft delayed its responses, prompting the BSI to invoke Section 7a of the BSI Act, which allows legal action to compel the release of information. This escalation was disclosed through a leak from the Bundestag's Digital Committee.

Among the BSI's concerns was the use of double key encryption, where data is encrypted with two keys, one of which is retained by the customer. A proper implementation could have prevented data leaks, but unclear details hindered the BSI's assessment of whether attackers had accessed plaintext data. Despite repeated requests and legal threats, Microsoft withheld the requested information. The BSI spokesperson criticized Microsoft's inadequate security measures and praised other cloud providers for better technical implementation and incident response. The BSI’s actions were reported to the Bundestag's Digital Committee and leaked to Der Spiegel.
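To illustrate the double key encryption idea the BSI was asking about, here is an added example written for this transcript; it is not Microsoft's implementation, the BSI's analysis, or any vendor's code. A fresh data key protects the content, and that data key is wrapped twice, once under a provider-held key and once under a customer-held key, so an attacker who obtains everything the provider holds (ciphertext plus the provider's key) still cannot recover plaintext. The layer order, the key names, and the HMAC-SHA256 counter-mode cipher standing in for AES are all assumptions of this toy.

```python
"""Toy double key encryption: plaintext is recoverable only when BOTH the
cloud provider's key and the customer's key are available.
Assumed construction for illustration, not any vendor's design."""
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Domain-separate the encryption and MAC keys derived from one secret.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF-based stream cipher (stand-in for AES).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError on a wrong key or tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))


def dke_encrypt(provider_key: bytes, customer_key: bytes, plaintext: bytes) -> dict:
    """Encrypt under a fresh data key (DEK), then wrap the DEK in two layers:
    inner layer under the provider's key, outer layer under the customer's key.
    (The layer order is an assumption of this toy.)"""
    dek = os.urandom(32)
    return {
        "body": seal(dek, plaintext),
        "wrapped_dek": seal(customer_key, seal(provider_key, dek)),
    }


def dke_decrypt(provider_key: bytes, customer_key: bytes, package: dict) -> bytes:
    inner = unseal(customer_key, package["wrapped_dek"])  # customer-held key peels the outer layer
    dek = unseal(provider_key, inner)                      # provider-held key peels the inner layer
    return unseal(dek, package["body"])


def provider_breach_reads_plaintext(provider_key: bytes, package: dict) -> bool:
    """Model the BSI's question: an attacker holding everything the provider
    holds (ciphertext + provider key) but NOT the customer key. Returns True
    only if plaintext could be recovered; with this construction it cannot."""
    try:
        dek = unseal(provider_key, package["wrapped_dek"])  # wrong key for this layer: tag check fails
        unseal(dek, package["body"])
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    provider_key, customer_key = os.urandom(32), os.urandom(32)
    sample = b"quarterly forecast (constructed sample)"
    pkg = dke_encrypt(provider_key, customer_key, sample)
    assert dke_decrypt(provider_key, customer_key, pkg) == sample
    print("provider-only breach reveals plaintext:", provider_breach_reads_plaintext(provider_key, pkg))
```

The point for an assessor is the last function: whether a breach on the provider's side exposes plaintext depends entirely on whether the customer-held key ever left the customer, which is exactly the detail the BSI says it could not get from Microsoft.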

Julian Assange can appeal his U.S. extradition. 

A London court ruled that Julian Assange, the WikiLeaks founder, can appeal his extradition to the U.S. on limited issues. The U.S. assured the court that Assange would receive constitutional protections and not face the death penalty, but Assange's team argued these assurances were insufficient. Assange has been held in Belmarsh prison since 2019 and faces charges under the Espionage Act for leaking classified documents. Despite initial rejection, his appeal will proceed. Assange's health has deteriorated, and his supporters, including the Australian government, advocate for a political resolution. President Biden is considering a request to allow Assange to return to Australia without facing prison.

AI chatbots may have itchy trigger fingers. 

AI-powered large language model chatbots have taken on many roles but aren't quite ready for military command. Jacquelyn Schneider from the Hoover Institution conducted war games using AI, including OpenAI's ChatGPT versions, and models from Anthropic and Meta. These simulations showed that AI often escalates conflicts unpredictably, sometimes leading to nuclear scenarios.

Schneider points out that AI lacks ethical reasoning, merely mimicking human decisions without truly understanding ethical implications. She believes AI could be beneficial for routine military tasks like logistics, personnel decisions, and planning. AI could also aid in maintaining operations during communication failures.

Schneider's research suggests AI can help diplomats by offering alternative perspectives and identifying blind spots. AI could simulate adversaries in war games, providing insights human players might miss. However, she stresses the importance of caution when considering AI for military and foreign policy decisions, noting the temptation to seek technological quick fixes.

Each military branch has different views on AI deployment, and its role in future operations remains uncertain. The policy brief advises decision-makers to proceed cautiously with AI in military contexts, emphasizing its potential for systemic problem-solving over direct combat applications.

CISA warns of vulnerabilities affecting Google Chrome and D-Link routers. 

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has added three vulnerabilities to its 'Known Exploited Vulnerabilities' catalog: one affecting Google Chrome (CVE-2024-4761) and two impacting D-Link routers (CVE-2014-100005 and CVE-2021-40655). These vulnerabilities are actively exploited, prompting CISA to warn federal agencies and companies to apply security updates or mitigations. U.S. federal agencies must address these vulnerabilities by June 6th. The Chrome flaw involves an out-of-bounds write in the V8 engine, while the D-Link flaws allow remote control of outdated routers.

Ham Radio’s association suffers a data breach. 

The American Radio Relay League (ARRL), the national association for amateur radio in the U.S., suffered a cyberattack causing service disruptions and a potential data breach. Founded in 1914, ARRL has around 160,000 members and 100 staff. The attack affected the ARRL Learning Center and the Logbook of the World, disrupting users' ability to submit and track amateur radio logs. The compromised database includes names, addresses, call signs, membership dates, and email preferences, but not credit card or social security numbers. While ARRL hasn't confirmed a breach of the member database, it indicated the possibility in an update to members.

New underground marketplaces pop up to replace BreachForums. 

Last week we reported on the FBI’s successful takedown of BreachForums, a major underground cybercrime platform, in a collaborative law enforcement operation. This forum, which succeeded RaidForums after its shutdown in 2022, had been a hub for stolen data, including sensitive information from Europol and health insurance records.

The recent takedown of BreachForums also included the seizure of its Telegram channels, clearnet sites, and a separate Telegram account operated by one of its leaders. The FBI reported taking control of the servers and domains hosting the forum and is currently reviewing the site’s backend. They have appealed to users to report any further criminal activity.

Despite the success of this operation, cybersecurity experts note that new cybercrime platforms are already emerging. Within hours of BreachForums' seizure, new marketplaces were announced. The threat actor 'USDoD' revealed plans for 'Breach Nation,' set to launch on July 4th, while indications suggest that ShinyHunters are also developing a new platform.

Experts emphasized that while law enforcement is making strides in targeting these sites, the resilience and resourcefulness of cybercriminals mean that new forums can quickly replace those taken down. This cycle creates an ongoing game of cat and mouse, with temporary disruptions but no permanent solution. Platforms like Breach Nation may have a limited lifespan, but their operators and users will continue to rebrand and resurface.

An updated banking trojan targets users in Central and South America. 

IBM's X-Force reports that a banking Trojan, Grandoreiro, has resurfaced in new phishing campaigns with enhanced functionality. These campaigns target Mexico, Chile, Spain, Costa Rica, Peru, and Argentina by impersonating tax and utility services. Victims who click on the links download a malicious ZIP file containing the Grandoreiro loader. The updated malware can target over 1,500 banking applications in 60+ countries. It features improved string decryption, a domain generation algorithm (DGA), and email harvesting, allowing it to spread through infected Outlook clients, indicating a push for global impact.

Cybercom’s founders share its origin story.  

At the 2024 RSA Conference, the "Four Horsemen of Cyber" (CISA’s Jen Easterly, Lt. Gen. S.L. Davis, retired US Navy Vice Admiral T.J. White, and former NSA chief Paul Nakasone) shared their journey of transforming the concept of US Cyber Command into reality. Established in June 2009 by the Department of Defense, Cybercom was created to address the growing vulnerability of military computer systems to cyberattacks.

Initially, getting Cybercom operational required creative approaches, including using Hollywood-style storyboards to sell the idea to stakeholders and smoothing over institutional tensions with Starbucks gift cards. Despite these unconventional methods, Cybercom has since emerged as a pivotal hub for US military operations, tasked with protecting national security from foreign cyber threats.

Operating under a dual-hat structure, its commander also leads the NSA. The need for Cybercom became evident during the Iraq and Afghanistan conflicts, leading to its elevation to a unified combatant command in 2017. General Paul Nakasone and other key figures recounted how they addressed significant challenges, including gaining top brass support and integrating advanced NSA capabilities.

Examining gender bias in open source software contributors. 

In 2012, Rachel Nabors, a software developer, shared her frustrations about contributing to open source software. Despite her best efforts, her contributions were repeatedly rejected, leading her to suspect gender discrimination. Her experience wasn't unique. The underrepresentation of women in open source communities and their early disengagement from platforms like Stack Overflow hinted at deeper systemic issues.

Fast forward to today, and the largest study on gender bias in open source to date. Conducted by researchers from Cal Poly and North Carolina State University, this study dives into the world of GitHub, the largest open source community, to uncover the truth about gender bias in software development.

The results were surprising. Women’s pull requests were accepted at a higher rate than men’s—78.6% compared to 74.6%. This initially counterintuitive finding suggested that women contributors were highly competent. However, a deeper look revealed a more nuanced story. When women’s gender was identifiable, their acceptance rate dropped significantly. For women with gender-neutral profiles, the acceptance rate stood at 71.8%, but it fell to 62.5% when their gender was discernible. This stark contrast pointed to an underlying bias against women when their gender was known.

The study also uncovered that women tended to submit larger pull requests—more lines of code added, more lines removed, and more files changed. Despite the complexity of their contributions, women’s pull requests still enjoyed higher acceptance rates. This finding challenged the stereotype that women might play it safe by submitting simpler changes.

The analysis extended to the types of programming languages used. Women’s pull requests had higher acceptance rates across various programming languages, suggesting their proficiency spanned different technical domains.

A possible explanation for these findings is survivorship bias. In a field where women face significant hurdles, only the most resilient and competent women persist, leading to a pool of highly capable female contributors. This theory aligns with the observation that women in open source often hold advanced degrees more frequently than their male counterparts.

The implications of this study are profound. It challenges the perception of open source communities as pure meritocracies and underscores the need for anonymity in reducing bias. It also highlights the importance of fostering inclusive environments where contributions are evaluated based on merit, not the contributor’s gender.


Coming up after the break on our Industry Voices segment, N2K’s Brandon Karpf met up with BlackCloak’s CEO Chris Pierson to talk about personal cybersecurity risks for executives.

We’ll be right back.

Welcome back. That was Chris Pierson, BlackCloak’s CEO, talking at the recent RSA Conference with N2K’s Brandon Karpf. You can find information about Chris and BlackCloak in our show notes. 

College students unlock free laundering — no money required. 

And finally, our personal hygiene desk shares the story of a different kind of money laundering.

In the early hours of a January morning, UC Santa Cruz student Alexander Sherbrooke found himself sitting on the laundry room floor with his laptop. Amidst the hum of machines, he had an "oh s—" moment. Running a script, he watched in amazement as the washing machine beeped and flashed "PUSH START" without deducting a dime from his account. He'd stumbled upon a golden hack: free laundry.

Sherbrooke, along with fellow student Iakov Taranenko, discovered a security flaw in CSC ServiceWorks’ network of over a million connected laundry machines. The duo found that the CSC Go app's API could be tricked into granting unlimited laundry cycles and inflating account balances to absurd amounts—all without spending a penny.

They promptly reported the flaw to CSC ServiceWorks, but their pleas were met with silence. Calls went unanswered, and emails were ignored. Even adding a balance of several million dollars to their account didn’t provoke a formal response. 

Frustrated but undeterred, the students shared their findings at a university cybersecurity club and later with the CERT Coordination Center. They explained how anyone could create a CSC Go account with a fake email and manipulate the system, making free laundry a possibility for all. The CSC Go servers, it turned out, were trusting anything the app told them.
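To show the class of flaw the two students describe, a server that trusts whatever balance or top-up the app reports, here is an added, hypothetical example; it is not CSC ServiceWorks' API, the CSC Go app, or the students' code. A toy vulnerable handler sits beside a hardened one that keeps the ledger server-side, exposes no client-supplied balance at all, and only credits funds against a signed, single-use receipt from the payment processor. The endpoint names, the price, the receipt format and the processor secret are all constructed for this illustration.

```python
"""Toy laundry-payment API: client-trusted balance (vulnerable) beside a
server-authoritative ledger with signed, single-use payment receipts (hardened).
All names, prices and receipt formats are constructed for this example."""
import hashlib
import hmac

CYCLE_PRICE_CENTS = 150  # constructed sample price per wash cycle


class VulnerableLaundryServer:
    """Accepts whatever balance or top-up the app reports. Nothing is verified."""

    def __init__(self):
        self.balances = {}

    def add_funds(self, user: str, amount_cents: int) -> int:
        # No proof that any payment happened; the client names the amount.
        self.balances[user] = self.balances.get(user, 0) + amount_cents
        return self.balances[user]

    def start_cycle(self, user: str, reported_balance: int) -> str:
        # The client's claimed balance, not the ledger, decides whether the machine starts.
        if reported_balance >= CYCLE_PRICE_CENTS:
            self.balances[user] = reported_balance - CYCLE_PRICE_CENTS
            return "PUSH START"
        return "INSUFFICIENT FUNDS"


def issue_receipt(processor_secret: bytes, receipt_id: str, user: str, amount_cents: int) -> dict:
    """Stand-in for the payment processor: only it knows processor_secret."""
    msg = f"{receipt_id}|{user}|{amount_cents}".encode()
    sig = hmac.new(processor_secret, msg, hashlib.sha256).hexdigest()
    return {"id": receipt_id, "user": user, "amount_cents": amount_cents, "sig": sig}


class HardenedLaundryServer:
    """Balance lives only on the server; credits require a valid, unused receipt."""

    def __init__(self, processor_secret: bytes):
        self.balances = {}
        self.used_receipts = set()
        self._secret = processor_secret

    def add_funds(self, user: str, receipt: dict) -> int:
        msg = f"{receipt['id']}|{receipt['user']}|{receipt['amount_cents']}".encode()
        expected = hmac.new(self._secret, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, receipt["sig"]):
            raise PermissionError("receipt signature invalid")  # forged or tampered amount
        if receipt["user"] != user:
            raise PermissionError("receipt belongs to a different account")
        if receipt["id"] in self.used_receipts:
            raise PermissionError("receipt already redeemed")  # replay
        if receipt["amount_cents"] <= 0:
            raise PermissionError("non-positive credit")
        self.used_receipts.add(receipt["id"])
        self.balances[user] = self.balances.get(user, 0) + receipt["amount_cents"]
        return self.balances[user]

    def start_cycle(self, user: str) -> str:
        # There is no client-supplied balance parameter; the ledger is authoritative.
        balance = self.balances.get(user, 0)
        if balance < CYCLE_PRICE_CENTS:
            return "INSUFFICIENT FUNDS"
        self.balances[user] = balance - CYCLE_PRICE_CENTS
        return "PUSH START"


def compare_servers() -> dict:
    """Run the same 'no real payment' scenario against both servers."""
    vulnerable = VulnerableLaundryServer()
    secret = b"processor-secret-constructed-for-example"
    hardened = HardenedLaundryServer(secret)

    results = {
        # Client claims a balance it never paid for: the vulnerable server obeys.
        "vulnerable_free_cycle": vulnerable.start_cycle("alice", 10_000_000),
        # The same claim has nowhere to go on the hardened server.
        "hardened_without_payment": hardened.start_cycle("alice"),
    }
    hardened.add_funds("alice", issue_receipt(secret, "rcpt-1", "alice", 300))
    results["hardened_after_real_payment"] = hardened.start_cycle("alice")
    # A genuine receipt with its amount edited after signing is rejected.
    forged = dict(issue_receipt(secret, "rcpt-2", "alice", 300), amount_cents=10_000_000)
    try:
        hardened.add_funds("alice", forged)
        results["forged_receipt_accepted"] = True
    except PermissionError:
        results["forged_receipt_accepted"] = False
    return results


if __name__ == "__main__":
    for name, outcome in compare_servers().items():
        print(f"{name}: {outcome}")
```

The design choice worth noting is that the hardened `start_cycle` has no balance argument at all: the safest way to stop a server from trusting what the app says is to give the app nothing to say.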

Despite their good-faith efforts to alert CSC ServiceWorks, the security flaw remains unpatched, leaving millions of internet-connected laundry machines vulnerable to exploitation. While Sherbrooke and Taranenko have moved on to new projects, they hope their story underscores the importance of robust cybersecurity practices. The ongoing vulnerability is a stark reminder that even the simplest conveniences, like doing laundry, require vigilant protection in our increasingly connected world.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.