The CyberWire Daily Podcast 9.30.24
Ep 2161 | 9.30.24

Escape from GPU island.

Transcript

A critical vulnerability has been discovered in the NVIDIA Container Toolkit. Representatives from around the world are meeting in Washington to address ransomware. The Pentagon shoots down the notion of a separate cyber service. A genetic testing company leaves sensitive information in an unsecured folder. A public accounting firm breach affects 127,000 individuals. The DOJ charges a British national with hacking U.S. companies. California’s Governor vetoes an AI safety bill. CISOs deserve a seat at the table. Tim Starks from CyberScoop describes the House Homeland Security chair’s proposed cyber workforce bill. Password laziness leaves routers vulnerable. 

Today is Monday, September 30th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

A critical vulnerability has been discovered in NVIDIA Container Toolkit. 

A critical vulnerability has been discovered in NVIDIA Container Toolkit, posing a major risk to AI applications that rely on it for GPU access. This flaw affects both cloud and on-premise environments and allows attackers to perform container escape attacks, gaining full control over the host system. Once inside, they could execute arbitrary commands or steal sensitive data.

NVIDIA Container Toolkit is widely used across AI platforms and comes pre-installed in many virtual machine images, making the issue especially concerning. According to Wiz Research, more than 35% of cloud environments are vulnerable to this exploit. The vulnerability stems from a failure to properly isolate containerized GPUs from the host, allowing containers to mount parts of the host filesystem or access runtime resources like Unix sockets.

Rated with a critical severity score of 9.0, attackers could exploit this issue by using specially crafted container images, allowing them to interact with the host system.

Wiz Research reported the vulnerability to NVIDIA in early September 2023, and a fix was released on September 26th. Users are strongly advised to upgrade. For now, detailed technical information on the exploit remains private to allow organizations time to apply the fix.

Representatives from around the world are meeting in Washington to address ransomware.  

This week, representatives from the 68 members of the International Counter Ransomware Initiative (CRI) are gathering in Washington DC to address the ongoing threat of ransomware. Despite the initiative doubling in size since 2021, ransomware attacks have also nearly doubled in the same period, according to U.S. intelligence. The fourth annual summit will focus on disruption operations and launching a fund to help countries hit by cyberattacks. There will also be discussions on the intersection of artificial intelligence and cybersecurity.

U.S. officials, including Deputy National Security Adviser Anne Neuberger, emphasize that ransomware remains a significant problem, with Russia serving as a key haven for many attackers. Although the decentralized nature of ransomware groups poses challenges, it also prevents any single group from dominating. The summit aims to bolster efforts to dismantle infrastructure supporting ransomware and disrupt the cryptocurrency flows that fuel these operations. However, officials acknowledge that the incentives for attackers remain strong, as many victims continue to pay ransoms.

The Pentagon shoots down the notion of a separate cyber service. 

The Pentagon has requested that lawmakers reject a proposal mandating an independent assessment for creating a separate cyber service, according to sources cited by Breaking Defense. This appeal was submitted to the House and Senate Armed Services Committees, arguing that a similar assessment was already required in the 2023 National Defense Authorization Act (NDAA). The idea of establishing a separate cyber service has been debated within the Department of Defense (DoD), with some officials warning it could create confusion and overlap with existing military cyber efforts. While proponents argue it could streamline operations, others caution that separating cyber functions from broader warfighting missions might hinder effectiveness. Lawmakers will revisit the issue when crafting the final version of the 2025 NDAA after the November presidential election.

A genetic testing company leaves sensitive information in an unsecured folder. 

ChoiceDNA, an Indiana-based genetic testing and facial recognition service, exposed sensitive data, including biometric images, personal details, and facial DNA records, due to an unsecured WordPress folder. The breach, discovered by cybersecurity researcher Jeremiah Fowler, involved around 8,000 records accessible without any security protections. These records contained names, phone numbers, emails, racial identities, and personal notes, even including data on vulnerable individuals like newborns.

The incident didn’t involve a misconfigured database or cloud server but rather an unsecured folder titled “Facial Recognition Uploads.” Fowler promptly notified the company, and the folder was secured, but the exposure raised serious privacy concerns. Experts warn that such sensitive information could be exploited for phishing, blackmail, or identity manipulation, emphasizing the need for companies to implement stronger data protection measures, including proper configuration and security for online storage systems.

A public accounting firm breach affects 127,000 individuals. 

Public accounting firm Wright, Moore, DeHart, Dupuis & Hutchinson (WMDDH) is notifying over 127,000 individuals of a data breach that occurred in July 2023. The breach exposed sensitive personal information, including names, Social Security numbers, driver’s license and passport numbers, financial details, and medical data. While the breach was detected in July, it took WMDDH nearly ten months to identify the affected individuals. The firm is offering one year of free credit monitoring and identity theft protection services to those impacted.

The DOJ charges a British national with hacking U.S. companies. 

The Department of Justice and SEC have charged Robert Westbrook, a 39-year-old British national, with hacking five U.S. companies. Between January 2019 and May 2020, Westbrook allegedly accessed corporate executives’ email accounts to obtain nonpublic information about earnings announcements. He then used this information to trade securities, profiting $3.75 million. Westbrook, arrested in the UK and awaiting extradition, faces charges of computer, securities, and wire fraud. The SEC seeks civil penalties, restitution, and an injunction to prevent future violations.

California’s Governor vetoes an AI safety bill. 

California Governor Gavin Newsom vetoed a proposed AI safety bill that would have required developers of costly AI models to implement measures to prevent “critical harms.” Authored by Senator Scott Wiener, the bill aimed to regulate AI systems costing over $100 million by requiring safety testing before release and allowing legal action for damages caused by those systems. Newsom acknowledged the bill’s good intentions but criticized it for imposing broad standards on even basic AI functions without considering context or risk level.

Wiener expressed disappointment, calling the veto a setback for AI oversight. The bill had drawn opposition from major tech companies like Google and Meta, despite modifications made to address their concerns. 

CISOs deserve a seat at the table. 

Cyber resilience efforts are lagging globally, partly because organizations are not involving Chief Information Security Officers (CISOs) in strategic technology investments. That’s according to PwC’s Global Digital Trust Insights report. Polling over 4000 executives, PwC found that only 2% of organizations have implemented cyber resilience across all areas. Less than 50% of CISOs are involved in strategic planning for cyber investments, limiting their influence.

The report urges organizations to give CISOs a “seat at the table” to align cybersecurity with overall business risk. A disconnect between tech and business leaders is evident, with 66% of tech executives ranking cyber as a top risk compared to 48% of business executives. Additionally, only 15% of organizations are significantly measuring the financial impact of cyber risks.

PwC highlights barriers such as unclear risk scopes, data issues, and compliance concerns. The report calls for greater alignment between CISOs and boards to improve cyber resilience and better prioritize investments.

 

Next, I am joined by Tim Starks from CyberScoop to talk about the House Homeland Security chair releasing and pushing forth a cyber workforce bill. We’ll be right back.

Welcome back. You can find a link to Tim’s article in our show notes. 

Password laziness leaves routers vulnerable. 

And finally, not that any of our listeners would do this, but a recent survey by Broadband Genie revealed that 86% of broadband users have never changed their router’s default admin password. The survey showed that over half of users haven’t even bothered to tweak their router settings at all. Worse still, 89% of respondents have never updated their router’s firmware, leaving them wide open to cyber attacks.

The fix? Simple: change your router’s admin password, update the firmware, and maybe give your Wi-Fi a snazzy new name while you’re at it. It’s not rocket science, but it could save you from a digital disaster. As Broadband Genie expert Alex Toft warns, leaving defaults in place is like handing over the keys to your house! Again, not that any of you would do something like that. But you know, your friends and family. Maybe help spread the word. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

 

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.