The CyberWire Daily Podcast 7.3.24
Ep 2101 | 7.3.24

The Supreme Court is bringing a judicial shakeup.

Transcript

The Supreme Court overturning Chevron deference brings uncertainty to cyber regulations. Stolen credentials unmask online sex abusers. CISA updates online maritime resilience tools. Patelco Credit Union suffers a ransomware attack. Spanish and Portuguese police arrested 54 individuals involved in a vishing fraud scheme. Splunk patches critical vulnerabilities in their enterprise offerings. HHS fines a Pennsylvania-based Health System $950,000 for potential HIPAA violations related to NotPetya. CISOs look to mitigate personal risks. On the Learning Layer we reveal the long-awaited results of Joe Carrigan’s CISSP certification journey. Avoiding an Independence Day grill-security flare-up.

Today is Wednesday, July 3rd, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The Supreme Court overturning Chevron deference brings uncertainty to cyber regulations. 

The U.S. Supreme Court has dramatically shifted the regulatory landscape with its decision in Loper Bright Enterprises v. Raimondo, undermining nearly 40 years of established law by overturning the Chevron deference. This precedent had allowed courts to defer to regulatory agencies' interpretations of ambiguous congressional statutes. Now, the courts are the final arbiters, potentially destabilizing federal regulations across various sectors, including cybersecurity.

Chief Justice John Roberts stated that courts must independently determine if agencies have exceeded their statutory authority. This decision does not overturn past cases but encourages new challenges to existing regulations. For cybersecurity, this means recent regulations might face significant legal hurdles.

Potentially impacted regulations include SEC cyber incident reporting, FCC data breach reporting rules, CISA cyber incident reporting, TSA cybersecurity directives, among others.

Pending regulatory actions, such as Coast Guard maritime cybersecurity rules and FCC requirements related to the Border Gateway Protocol, could also be affected. Furthermore, long-standing rules, like those from NERC and the Nuclear Regulatory Commission, may face fresh judicial reviews.

This decision introduces uncertainty for Chief Information Security Officers (CISOs) who must navigate conflicting judicial decisions across different circuits. Existing regulations remain in effect, but the likelihood of deregulation and inconsistent application of laws will complicate compliance efforts. CISOs should prepare for a turbulent regulatory environment and potential shifts in cybersecurity requirements due to increased litigation and judicial scrutiny.

So hold on to the bar, we may be in for a bumpy ride. 

Stolen credentials unmask online sex abusers. 

Researchers at Recorded Future have discovered that thousands of users on darknet websites sharing child sexual abuse material (CSAM) can be identified using stolen credentials. Infostealer malware, typically used to steal banking logins, also captured credentials for CSAM sites on the Tor network. These logs link anonymous CSAM site users to clear web accounts, like Facebook, revealing real names and personal data.

Recorded Future analyzed this data and identified around 3,300 users with CSAM site accounts, sharing their findings with U.S. law enforcement. Case studies include a previously convicted child exploiter and a volunteer at children's hospitals with multiple CSAM site accounts.

The research highlights how infostealer data, which also includes various other criminal activities, can aid law enforcement in uncovering offenders and protecting children. The report aims to demonstrate the potential of such data in criminal investigations.

CISA updates online maritime resilience tools. 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has enhanced its Marine Transportation System Resilience Assessment Guide (MTS Guide) with a new web-based tool for maritime stakeholders. The updated guide, incorporating expertise from partner agencies, offers resources and methodologies to evaluate and strengthen the resilience of port networks and inland marine transportation systems. It uses sophisticated techniques like Bayesian Network Analysis and provides a systematic framework for resilience assessments.

The MTS Guide is customizable and scalable, similar to other planning frameworks, and helps identify issues, focus assessments, and implement findings. The guide emphasizes a holistic view of infrastructure, people, and organizations to develop strategies for reducing losses during disruptions. It also features a Resilience Assessment Resource Matrix (RARM), a web-based library with over 100 tools and resources to support maritime resilience assessments.

Patelco Credit Union suffers a ransomware attack. 

Patelco Credit Union, serving Northern California, shut down several banking systems following a ransomware attack on June 29, 2024. Patelco, with over $9 billion in assets, is working with cybersecurity experts and has reported the incident to regulators and law enforcement. Affected services include online banking, the mobile app, and outgoing wire transfers, while ATMs and cash deposits remain functional. The ransomware type is undisclosed, and it’s unclear if any data was stolen. No ransomware group has claimed responsibility yet.

Spanish and Portuguese police arrested 54 individuals involved in a vishing fraud scheme. 

Spanish and Portuguese police arrested 54 individuals involved in a €2.5m ($2.7m) vishing fraud scheme targeting senior citizens. The coordinated operation on June 4, led by Europol, involved the Spanish National Police, Mossos d’Esquadra, and the Portuguese Judicial Police. Nineteen properties were searched, resulting in the seizure of computers, mobile phones, SIM cards, and drugs. The gang used vishing and social engineering tactics, posing as bank employees to extract information before visiting victims' homes to steal cards, bank details, and PINs. Some victims were forcibly robbed. Stolen funds were laundered through a network of money mules. The urgency of the operation was due to intercepted communications indicating planned severe violence. Vishing is increasingly used by cybercriminals as text-based scams become less effective.

Splunk patches critical vulnerabilities in their enterprise offerings. 

Splunk has released security updates to fix critical vulnerabilities in Splunk Enterprise versions 9.0.x, 9.1.x, and 9.2.x, which could allow remote code execution, command injection and crashes. Users are urged to update immediately.

HHS fines a Pennsylvania-based Health System $950,000 for potential HIPAA violations related to NotPetya.

Federal regulators fined Pennsylvania-based Heritage Valley Health System $950,000 for potential HIPAA violations after a 2017 ransomware attack involving NotPetya. This is the third HIPAA enforcement action by the U.S. Department of Health and Human Services (HHS) linked to ransomware. The number of ransomware-related breaches reported to HHS has nearly tripled since 2018. HHS found that Heritage Valley failed to conduct a HIPAA security risk analysis, implement a contingency plan, and restrict access to electronic protected health information. The settlement requires Heritage Valley to undertake a corrective action plan, including a thorough risk analysis and workforce training on HIPAA policies. Heritage Valley stated there was no unauthorized data access and that they have implemented safeguards to prevent future incidents.

CISOs look to mitigate personal risks. 

Court cases against CISOs like Joe Sullivan of Uber and Timothy G. Brown of SolarWinds have highlighted the severe personal risks for security leaders, including potential jail time and hefty fines. A thoughtful report from CSO Online looks at the steps CISOs are taking to mitigate these risks.

First, they are ensuring clear definitions of roles and responsibilities within their organizations. Transparent corporate standards help prevent misunderstandings about accountability in risk management.

Meticulous documentation has become essential. CISOs, like David Cross of Oracle SaaS Cloud, are keeping detailed records of all decisions and actions to reduce personal liability and provide evidence of compliance with corporate policies.

Maintaining a risk register is another critical strategy. By recording cyber risks and stakeholder acceptance, CISOs ensure high-level acknowledgment of these risks, protecting themselves from repercussions if breaches occur.

CISOs are also seeking legal protection through indemnification agreements and engaging independent legal counsel. Monitoring public statements about their company’s security practices is crucial to avoid legal consequences from discrepancies.

By adopting these strategies, CISOs can balance securing their organizations while safeguarding themselves from personal liability.

Coming up on our Learning Layer segment, host Sam Meisenberg and Joe Carrigan reflect on his test day experience and what advice he has for others who are in the homestretch of their studies. Stay tuned to hear how Joe did.

Welcome back. Thanks, Sam and Joe, and congratulations to Joe! Don’t forget, we’ve got details on the course Joe used to prepare for his CISSP in our show notes.

Avoiding a grill-security flare-up. 

And finally, as we head into the July 4th holiday, many will be firing up their grills for some festive fun. However, beware of the Traeger Grill D2 Wi-Fi Controller's latest vulnerabilities, revealed by Bishop Fox. These critical flaws, if exploited, allow hackers to control your grill remotely, potentially turning your perfectly cooked steak into a charred disaster.

Bishop Fox discovered that the grill's API lacked sufficient authorization controls, allowing attackers to hijack other users' grills by obtaining their 48-bit identifiers. Imagine your neighbor cranking up the heat on your grill mid-cook! To exploit this, attackers can capture network traffic or scan the grill’s QR code. Fortunately, Traeger has released updates to fix these issues.
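The weakness described above is a missing object-level authorization check: the API confirmed that a request came from an authenticated user but never confirmed that the user owned the grill the request named, so knowing a device's identifier was as good as owning it. As an added illustration, not Traeger's code and not a reproduction of Bishop Fox's findings, here is that flawed handler beside a corrected one in Python, using constructed device records; the `Grill` registry, the function names, the sample identifiers and the temperature range are all assumptions for the example.

```python
"""Object-level authorization for a device-control API (added illustration).

Constructed, simplified model of the failure described in the story: an API
that accepts a device identifier and applies a command without checking that
the authenticated caller owns that device. The records, names and values here
are assumptions for the example, not Traeger's or Bishop Fox's code.
"""
from dataclasses import dataclass, field


@dataclass
class Grill:
    grill_id: int            # 48-bit device identifier (constructed sample value)
    owner: str               # account that registered the grill
    target_temp_f: int = 0
    audit_log: list = field(default_factory=list)   # (caller, temp_f) per command


class AuthorizationError(Exception):
    pass


# Constructed registry: two accounts, each owning one grill.
GRILLS = {
    0x00001A2B3C4D: Grill(grill_id=0x00001A2B3C4D, owner="alice"),
    0x0000F0E1D2C3: Grill(grill_id=0x0000F0E1D2C3, owner="bob"),
}


def vulnerable_set_temperature(caller: str, grill_id: int, temp_f: int) -> int:
    """The flawed pattern: the caller is authenticated, but the handler only
    checks that the device exists, never that the caller owns it. A 48-bit
    identifier is not a secret, so whoever learns it controls the grill."""
    grill = GRILLS[grill_id]
    grill.target_temp_f = temp_f
    grill.audit_log.append((caller, temp_f))
    return grill.target_temp_f


def hardened_set_temperature(caller: str, grill_id: int, temp_f: int) -> int:
    """Same operation with object-level authorization: the server-side device
    record is the source of truth for ownership, and the check runs before any
    state changes. Possession of the identifier proves nothing by itself."""
    grill = GRILLS.get(grill_id)
    # One error for both "unknown" and "not yours", so the response does not
    # confirm which identifiers exist to a caller probing the ID space.
    if grill is None or grill.owner != caller:
        raise AuthorizationError("device not found or not owned by caller")
    if not 0 <= temp_f <= 500:                 # assumed valid range for the example
        raise ValueError("temperature out of range")
    grill.target_temp_f = temp_f
    grill.audit_log.append((caller, temp_f))
    return grill.target_temp_f


def try_command(handler, caller: str, grill_id: int, temp_f: int) -> str:
    """Run a handler and report 'ok' or 'denied' (used to compare the two)."""
    try:
        handler(caller, grill_id, temp_f)
        return "ok"
    except (AuthorizationError, KeyError):
        return "denied"


def find_cross_account_commands(grills: dict) -> list:
    """Defender-side review: list every logged command issued by an account
    other than the device owner. On a fleet that ran the vulnerable handler,
    this is the audit question to ask once the fix has shipped."""
    findings = []
    for grill in grills.values():
        for caller, temp_f in grill.audit_log:
            if caller != grill.owner:
                findings.append((grill.grill_id, caller, temp_f))
    return findings


if __name__ == "__main__":
    # bob controls alice's grill through the flawed handler...
    print(try_command(vulnerable_set_temperature, "bob", 0x00001A2B3C4D, 500))
    # ...but not through the hardened one.
    print(try_command(hardened_set_temperature, "bob", 0x00001A2B3C4D, 500))
    print(find_cross_account_commands(GRILLS))
```

The design point is that the ownership lookup happens on the server from the device record, not from anything the client supplies, and that the denial is indistinguishable from "no such device". The audit helper turns the same ownership rule into a detection query over the command log.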

To stay safe, ensure your grill’s firmware is up to date and consider turning it off when not in use. Enjoy your holiday grilling, but keep an eye on your Wi-Fi-connected devices!

Dave, we should note here that we will not be publishing this long weekend. We have the first episode of Only Malware in the Building coming up on Thursday, an encore of a Threat Vector episode on Friday and encores of RS and CN this weekend. We’ll be back on Monday!

I’ll take my steak medium rare. No password required.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.