South Korea investigates a substantial leak of military intelligence to the north. Google fixes a Workspace authentication weakness. Wiz identifies an API authentication vulnerability in Selenium Grid. The UK’s Science Secretary warns Britain is highly vulnerable to cyber threats. Global shipping faces a surge in cyber attacks. Apple has resolved the iCloud Private Relay outage. Google Chrome offers to scan encrypted archives for malware. Barath Raghavan and Bruce Schneier examine the brittleness of modern IT infrastructure. Guest Brian Gumbel, President and COO at Dataminr, joins us to discuss the convergence of cyber-physical realms. Rick Howard previews his latest CSO Perspectives episode on the state of Zero Trust. Teaching AI crawlers some manners.
Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
Guest Brian Gumbel, President and COO at Dataminr, joins us to discuss the convergence of cyber-physical realms. Cybersecurity is no longer just a matter of protecting data on servers or computers, a cyber-attack can have tangible, real-world consequences.
CSO Perspectives
This week on N2K Pro’s CSO Perspectives podcast, host and N2K CSO Rick Howard focuses on “The current state of zero trust.” Hear a bit about it from Rick and Dave. You can find the full episode here if you are an N2K Pro subscriber, otherwise check out an extended sample here.
Selected Reading
South Korea Reports Leak From Its Military Intelligence Command (New York Times)
Crooks Bypassed Google’s Email Verification to Create Workspace Accounts, Access 3rd-Party Services (Krebs on Security)
Selenium Grid Instances Exploited for Cryptomining (SecurityWeek)
UK ‘desperately exposed’ to cyber-threats and pandemics, says minister | UK security and counter-terrorism (The Guardian)
Cyber attacks on shipping rise amid geopolitical tensions (Financial Times)
Apple Fixes iCloud Private Relay After Extended Outage (MacRumors)
Chrome now asking for ZIP archive passwords to help detect malicious files (Cybernews)
The CrowdStrike Outage and Market-Driven Brittleness (Lawfare)
AI crawlers need to be more respectful (Read the Docs)
Share your feedback.
We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.
Want to hear your company in the show?
You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Learn more about your ad choices. Visit megaphone.fm/adchoices
You're listening to the Cyberwire Network, powered by N2K. When it comes to music, everyone has a totally unique taste. So when a song comes on to perfectly fit your mood, it kind of feels like magic. And at Credit Karma, we do the same thing, but for your finances. We got tired of the financial system, giving broad, impersonal, and a relevant advice to everybody. So we created a way for you to cut through the noise and find offers and recommendations that make sense for your specific money goals. So you know the guidance you're getting is truly custom to you. Download into at Credit Karma today and get everything you need to outsmart the system. When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Vanta automates compliance for SOC 2, ISO 27001, HIPAA, and more, saving you time and money. With Vanta, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center. Over 7,000 global companies like Atlassian, Flow Health, and Quora use Vanta to manage risk and prove security in real time. Our listeners can claim a special offer of $1,000 off Vanta at vanta.com/cyber. That's v-a-n-t-a.com/cyber for $1,000 off Vanta. South Korea investigates a substantial leak of military intelligence to the north. Google fixes a workspace authentication weakness, while WIS identifies an API authentication vulnerability in Selenium Grid. The UK's science secretary warns Britain is highly vulnerable to cyber threats. Global shipping faces a surge in cyber attacks. Apple has resolved the iCloud private relay outage. Google Chrome offers to scan encrypted archives for malware. Barat Raghavan and Bruce Schneider examine the brittleness of modern IT infrastructure. Our guest is Brian Gumble, president and COO at DataMiner, joining us to discuss the convergence of cyber-physical realms. Rick Howard previews his latest CSO Perspectives episode on the state of zero trust. And teaching AI crawlers some manners. It's Monday, July 29th, 2024, I'm Dave Bittner and this is your Cyberwire Intel briefing. Thank you all for joining us here today. It is great to have you with us. South Korea is investigating a significant leak from its top military intelligence command. Local media reports claim the leak resulted in a substantial amount of sensitive information, including personal data of agents abroad, falling into North Korean hands. The military has vowed strict action against those responsible but has not confirmed the media claims, ending further investigation. A breach of agents personal data could severely impair South Korea's intelligence operations against the North. This incident is reminiscent of a 2018 breach where an active duty officer sold classified information to foreign agents. North and South Korea engage in intense intelligence and counterintelligence activities. North Korea has increasingly used hackers to infiltrate networks in the U.S., South Korea, and elsewhere, aiming to steal information or cryptocurrency. Recently, the U.S., Britain, and South Korea warned of a global cyber espionage campaign by North Korean hackers targeting military secrets to support its nuclear program. Additionally, a North Korean military intelligence operative has been indicted by the U.S. for hacking American entities with a $10 million reward offered for his capture. Google has resolved an authentication weakness in its workspace account creation process that allowed attackers to bypass email verification, this vulnerability enabled cyber criminals to impersonate domain holders on third-party services, using the sign-in with Google feature. A reader informed Krebson security about receiving a notice regarding the creation of a potentially malicious workspace account using their email. Google identified a small-scale abuse campaign where attackers used especially crafted requests to circumvent email verification. These attackers aimed to access third-party applications rather than Google services directly. Google fixed the issue within 72 hours of discovery and implemented additional protections to prevent similar authentication bypasses. A new Yamunan, Google Workspaces Director of Abuse and Safety Protections, stated that the malicious activity started in late June involving a few thousand workspace accounts. The attackers used one email to sign in and a different one to verify a token bypassing the domain validation process. Google emphasized that no previously associated domains were affected. This issue is separate from a recent problem involving cryptocurrency-based domain names compromised during their transition to square space. Selenium Grid, a widely used open-source testing framework for web applications, allows users to simulate interactions across various browsers and environments. According to Wiz, Selenium is found in 30% of cloud environments and has over 100 million polls on Docker Hub, the Selenium WebDriver API automates browser interactions but lacks default authentication, making it vulnerable to cyber criminal abuse on Internet-exposed instances. Wiz identified over 30,000 exposed instances susceptible to attacks, leading Selenium Grid developers to warn users to secure their services. When the Selenium Greed campaign, attackers exploited the WebDriver API to run Python with a reverse shell, deploying scripts to mine Monero cryptocurrency. This campaign, active for over a year, was first documented by Wiz. Wiz shared their findings with gray noise, which confirmed other mining campaigns also target exposed Selenium Grid instances. Wiz provided indicators of compromise and recommendations for defenders. UK Science Secretary Peter Kyle has warned that Britain is highly vulnerable to cyber threats and future pandemics. He criticized deep public spending cuts under previous governments for weakening national resilience, particularly affecting the NHS and pandemic preparedness. Kyle, who assumed his role three weeks ago, highlighted internal conflicts within the Tory party as a barrier to effective threat management. Kyle's concerns prompted the introduction of a new cybersecurity and resilience bill replacing the anticipated AI bill. The National Cybersecurity Center noted increasing threats to critical infrastructure, emphasizing the urgency of the new bill to protect supply chains. Despite progress, the UK remains behind encountering these threats. Kyle also stressed the need to improve pandemic readiness, citing the COVID inquiries report on the UK's flawed pandemic planning. Additionally, financial constraints are impacting projects and visa costs for overseas scientists hindering research progress. The shipping industry is experiencing a surge in cyber attacks driven by geopolitical tensions and state-linked hackers targeting trade flows. Researchers at the Netherlands NHL Stendant University of Applied Sciences reported at least 64 cyber incidents in 2023, compared to three a decade earlier. Over 80% of attacks since 2001 have originated from Russia, China, North Korea or Iran. Conflicts from Ukraine to the Middle East have highlighted the vulnerability of global shipping, which transports over 80% of internationally traded goods. The industry, traditionally focused on physical threats, is now facing significant online piracy risks. Apple has resolved the iCloud private relay outage, restoring service after over 48 hours of disruption. The outage, which began early Thursday and lasted until late Saturday, impacted web browsing for iCloud+ subscribers. Apple confirmed the issue on its system status page. iCloud private relay enhances privacy by encrypting browsing data and routing it through two separate relay servers, one operated by Apple and the other by a third party. Apple says users can now re-enable the feature for continued privacy benefits. Cyber criminals increasingly use encrypted and password-protected files to deliver malware evading security defenses. Google Chrome now offers two new protection mechanisms to counter this threat. When users with enhanced protection download a suspicious encrypted archive like a zip file, Chrome prompts for the password and uploads the file and password to Google's safe browsing for a deep scan. According to Google, uploaded data is deleted after scanning and only used to improve download protections. For users with standard protection, a prompt will also appear, but the file and password remain local with only metadata checked. If malware is detected based on previous observations, users are still protected. Google's analysis shows that deep scanning suspicious files significantly increases malware detection. Enhanced protection users will now have all suspicious downloads automatically deep scanned to reduce user friction. Users can opt out for trusted files by using the "Download Anyway" option to maintain confidentiality. Chrome has also introduced more detailed warning messages for suspicious and dangerous files. In an essay for lawfare, Barath Raghavan and Bruce Schneier explore the massive internet outage caused by CrowdStrike, which disrupted airlines, hospitals, banks and other critical sectors, canceled nearly 7,000 flights and affected over 8.5 million Windows computers. Bhagavan and Schneier argue that this "brittleness" extends beyond technology, permeating food, electricity, finance and transportation sectors often due to globalization and consolidation. They emphasize that in IT, numerous small companies play essential roles, and market incentives drive them to minimize costs, sacrificing redundancy and careful planning. The CrowdStrike failure exemplifies this, where a buggy software update led to global disruptions, exposing the risks of deep interdependencies and hidden vulnerabilities. The authors advocate for a shift in market incentives and regulatory approaches to foster resilience. They suggest that systems should be designed to handle failures, akin to ecological systems with deep complexity. They highlight Netflix's Chaos Monkey tool as an example of building resilience through intentional failures, despite being perceived as costly and inefficient in the short term. Raghavan and Schneier recommend regulations that focus on the processes of failure testing rather than specific checklists. They argue for embracing inefficiencies to construct robust systems, proposing continuous braking and fixing as a method to achieve reliability and resilience. The essay concludes that to counter the trend of maximizing short-term profits, the economic incentives must shift toward building less brittle, more resilient systems. Growing up after the break, my conversation with Brian Gumbel, President and COO at Data Miner, discussing the convergence of cyber-physical realms. Plus, Rick Howard previews his latest CSO perspectives on the state of zero trust. Stay with us. And now, a word from our sponsor, KnowBefore. Where would infosec professionals be without users making security mistakes? Working less than 60 hours per week, maybe, actually having a weekend every so often. While user behavior can be a challenge, they can also be an infosec professional's greatest asset once properly equipped. Users want to do the right thing, but often lack the knowledge to do so. That's one of the reasons KnowBefore developed security coach, a real-time security coaching tool that takes alerts from your existing security stack and sends immediate coaching to users who've taken risky actions. Existing security tools will likely block a user from visiting a high-risk website, for example, but the user might not understand why. Security coach analyzes these alerts and provides users with relevant security tips via email or Slack, coaching them on why the action they just took was risky, help users learn from their mistakes, and strengthen your organization's security culture with security coach. Learn more at knowbefore.com/securitycoach That's knowbefore.com/securitycoach And we thank KnowBefore for sponsoring our show. The IT world used to be simpler, you only had to secure and manage environments that you controlled, then came new technologies and new ways to work. Now, employees, apps and networks are everywhere. This means poor visibility, security gaps, and added risk. That's why CloudFlare created the first-ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business. Brian Gumbel is president and COO at DataMiner, and I recently caught up with him to discuss the convergence of cyber physical realms. I think that the convergence of cyber and physical systems has definitely ushered in a new era where cyber attacks can have real-world implications on critical infrastructure. We look at power grids, to healthcare systems, this evolving landscape basically underscores the need for innovative solutions, that bridge the gap between digital and physical realms and bring the CSO together with the CSO, and now you enter in AI, which is a game-changing technology that offers fast, scalable, and comprehensive protection for all interconnected systems. I think we find ourselves at a crux right now, and whether or not within an organization you have clear differentiation between the CSO's responsibility or the CSO's responsibility and budget, you're seeing these teams working together in concert to make true impact, to make sure that there is this convergence and one single view of how they can protect their organizations at the best of their abilities. Can you give us some insights on organizations who are successful at this, or are there common elements that they share when, as you say, the various stakeholders here are collaborating? Sure. I think there's different verticals that are doing it better. I think in my experience over the years, the forefront of any type of technology adoption or movement has typically been the financial sector, and the financial sector typically are the early adopters, and also, I would say, companies within the Fortune 500, or that scale and size. They're the ones that have more resources, they have more headcount, they're the ones that are sometimes more collaborative, more budget, and they take chances. I've seen a lot of convergence and types of convergence stories happen in the past where the banking community are definitely at the forefront of that. Do we see these sorts of things then trickle down to the smaller organizations? Does it become more affordable for organizations to take on these strategies? Yes, of course. I think over time, you'll see the smaller organizations starting to adopt some of the best practices that larger companies are currently doing, and you'll also see that happening in government. Sometimes government isn't at the forefront, but they have the same problems as the larger enterprise customers, and I believe that you'll see this type of adoption as well. So for the organizations who are looking to come at this problem to kind of get the best bang for their buck, can you give us an idea of the spectrum of tools that are available to them out there on the market today? Yeah, sure. Sure. So let me just take a moment to kind of explain the situation that a CISO is in today. And imagine if you are a CISO yourself in navigating treacherous waters of cybersecurity threats with the entire weight of your organization on your shoulders, including the board. And the challenge just isn't about spotting threats. It's about understanding the big picture, the context, and the evolving nature of these threats in real time. And that's where there's opportunities for game-changing value of comprehensive threat intelligence. And that's what comes into play into my mind that helps organizations. And for the CISO, there are ways in which they can access a consolidated view of threats. And this is basically a powerful ally right by their side. It provides them with the insights needed to grasp the full scope of a threat swiftly, as well as effectively, and empowering them to make informed decisions that ultimately can safeguard their organizational assets. There are technologies out there, data minor has one in which is called regenerative AI. And this works in concert with generative AI capabilities. And what's important to note is that picture a tool that not only can track threats, but also compiles a detailed story around each threat, presenting all the critical information in one convenient place. And this type of powerhouse tool enables incident response teams to follow the entire life cycle of a ransomware threat, for example, from inception to resolution to how it's evolving around the world and being able to boost their ability to respond with precision and agility. So I'll say like in a world where cybersecurity threats are constantly evolving and becoming more sophisticated, having a tool like regenerative AI or regen AI for short at their disposal can make all the difference for CISOs, and it can empower them to stay ahead of the game and protect their organization from the ever shifting landscape of cyber threats. Help me understand, I mean, the role that you see AI taking in this sort of thing here. I mean, is this a matter of, I guess I'm wondering how much of it is under the hood and out of view to the user doing things behind the scenes? And how much is, you know, upfront, combining data, you know, consolidating things, summarizing things is, is it a combination of both or where do you see things headed? I do believe it's a combination of both. But, you know, I've been in the cyber industry for the last 20 years and never before have we seen so brazen and out in the open, the risk of cyber threats and cyber attacks being performed outright by nation states and other affiliated organizations, and specifically in this ever expanding realm of cybersecurity, the challenges posed by cyber criminals are just coming increasingly sophisticated and totally relentless. And one key solution that can help all this day ahead of this ongoing cyber arms race is AI, and allowing AI putting this into our defense systems and AI driven solutions offer a multitude of benefits, including proactive defense mechanisms and dynamic threat detection capabilities and by leveraging AI, organizations can truly bolster their defenses and enhance the ability to respond to threats in real time, because as the adversaries are becoming smarter and they're starting to think about ways to utilize AI to launch ransomware attacks or phishing campaigns or pushing out fraud, we need to stay one step ahead of them. So the importance of AI really cannot be understated. Do you have any thoughts on how folks can best sort of separate the hype around AI from the reality of the tools that are really ready to be deployed? There's always going to be hype around a newer technology. You know, we think back recently, oh, maybe eight, ten years ago when cloud was first starting to come out, there was a lot of organizations that were not comfortable in moving towards the cloud. And now look at where we are, AI is kind of going through the same sort of evolution. And I do not believe, I mean, look, there might be some hype, but it's the reality. And those who aren't building technologies with AI is their backbone and platform are going to be in a real, will have a real problem being able to compete and being able to ultimately sell to customers. And if you're on the customer side, if you're not adopting technologies that have AI capabilities, you're not going to be able to stay in front of the adversaries. What are your recommendations for folks who want to get started down this path? We're looking to integrate these sorts of tools into their security operations. There's a lot of great companies out there, I think it's very important to attend a lot of the trade shows that are going on, ask your fellow cohorts and even companies that love the FSISACs and the retail ASACs that are happening. Now, this is a great way to share what is common and what things are being seen from a customer perspective and also get sometimes competitors in a room that are also helping each other out and making sure that they are secure. So I think if you are a practitioner, it's best to get out there and network and understand what similar companies are doing in your space to help you protect your environment. This is Brian Gumble, President and COO at DataMiner. It is always my pleasure to welcome back to the show the CyberWires Chief Security Officer and Chief Analyst Rick Howard. Rick, good to see you. Hey Dave. So on this week's CSO Perspectives podcast, you are tackling zero trust. Now, it seems like a recurring theme between you and me here when we do these segments together about topics going through the hype cycle. And I would say that zero trust is probably in my top five of things that went through the hype cycle but have kind of settled into genuine usefulness. Well, I love you that you said that Dave, because it's true, I like to throw everything through the lens of the Gartner hype cycle and for the uninitiated listeners, it starts with this great idea that we all get very excited about and then it rises to the peak of inflated expectations is how Gartner defines it. And then after a while, we all realize that oh my goodness, this thing is not as good as we thought it was in practicality and it starts to dive vertically down to the trough of disillusionment. And we've been in that phase of zero trust for about four or five years, I would say. But like you said, it is starting to climb out and start the solutions around what you might buy or what you might do have started to become very practical. So we're starting to rise out of that now and that's a good point for a good time to talk about the state of zero trust as we see it today. Is it fair to say that a good part of this traction comes from the federal government kind of being all in with zero trust? Well, I think it's one of the indicators that we're rising out. It's called the sloping enlightenment in the Gartner cycle, which I love that name. But the government getting behind zero trust is one of the indicators that it is an accepted idea and people are trying to pursue it, so it's one of the reasons. We'll give us a little preview here of what you're covering in your latest CSO Perspectives podcast. Well, much to my excitement, okay, I ran into John Kindervog in one of the security conferences this past year and he is the father of the idea. He wrote the original white paper back in 2010. He and I have been friends for a long time and he and I even worked together at Palo Alto Networks. Right when zero trust, the idea was kind of careening down the trough of disillusionment. So we spent many hours together trying to talk to customers about, just give it some time. It's still a pretty good idea. And he came up with this way to describe zero trust that I thought was very interesting because most people get confused, he said, "How can you run a network with zero trust that kind of defeats the purpose? You have to trust somebody." I'm sure you've thought about that before, right? Right, sure, right. So he talks about it in terms of uncertainty, okay, and it's not that we don't trust anything, but like when you initially approached the Intookay Networks, we don't trust you at all days. Okay, I hate to tell that to you, right? We are sure that you're a bad guy until we can do some things, like validate who your identity is and validate what you're allowed to get access to and make sure that you can only get to those things. And as we do that, the certainty about how much of a bad guy you are starts to go down and we get it down to an acceptable level where we're going to actually let you do things. And that's John's explanation of that in the episode. It was really hit home for me. Yeah. All right, well, it is CSO Perspectives right here on the Intookay's Cyberwire Network, or wherever you get your favorite podcast, Rick Howard, thanks so much for joining us. Thanks, Dave. Most of our listeners who deal with legacy privileged access management products know they tend to be expensive, difficult to deploy, and hard to use. Keeper Security is the answer. Keeper's Zero Trust solution delivers password, secrets, and connection management in one easy-to-use platform. It's fast to deploy, agentless, clientless, and has no implementation fees. Plus, Keeper is FedRAMP authorized. That's why we trust Keeper to prevent breaches and gain full control over privileged users. Visit keeper.io/cyberwire to schedule a quick demo. That's keeper.io/cyberwire, and thanks to Keeper Security for supporting our podcast. And finally, Read the Docs is a company that helps organize and automate documentation for various online projects. In a blog post, co-founder Eric Holscher highlights the increasing abuse of AI crawlers. AI products have aggressively crawled sites without respecting bandwidth limits, leading to substantial costs and disruptions. Notably, one crawler downloaded 73 terabytes of data in May 2024, hosting Read the Docs over $5,000 in bandwidth, while another consumed 10 terabytes in June. These incidents underscore the need for AI companies to respect the sites they crawl. Holscher calls for better crawler practices, such as rate limiting and support for ETAGs and last modified headers. To mitigate the issue, Read the Docs has blocked AI crawlers identified by Cloudflare and is improving monitoring and caching. Holscher urges AI companies to collaborate on more respectful crawling practices to prevent further issues. It's easy to forget that bandwidth ain't always free, and chewing through thousands of dollars worth of data at the expense of a modest open source organization isn't just irresponsible, it's downright rude. And that's The Cyberwire. For links to all of today's stories, check out our daily briefing at TheCyberwire.com. Don't forget to check out the Grumpy Old Geeks Podcast where I contribute to a regular segment on Jason and Brian's show, Every Week, and find Grumpy Old Geeks where all the fine podcasts are listed. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K Cyberwire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's pre-eminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at N2K.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Ivan. Our executive editor is Brandon Carr. Simone Petrella is our president, Peter Kilpey is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. This September 18th and 19th in Denver, a tight community of leading experts is gathering to tackle the toughest cybersecurity challenges we face. What's happening at M-Wise, the unique conference built by practitioners for practitioners. Brought to you by Mandiant, now part of Google Cloud, M-Wise features one-to-one access with industry experts and fresh insights into the topics that matter most, right now to frontline practitioners. Register early and save at M-Wise.io/cyberwire That's M-Wise.io/cyberwire. [MUSIC]
