CyberWire Daily

Don't mess with the NCA.

UK law enforcement relieves DigitalStress. Congress summons Crowdstrike’s CEO to testify. FrostyGoop malware turned off the heat in Ukraine. EvilVideo is a zero-day exploit for Telegram. Daggerfly targets Hong Kong pro-democracy activists. Google has abandoned its plan to eliminate third-party cookies. The FCC settles with Tracfone Wireless over privacy and cybersecurity lapses. Wiz says no to Google and heads toward an IPO. N2K’s Brandon Karpf speaks with guest Justin Fanelli, Acting CTO of the US Navy, about streamlining the fleet’s innovation process. Target’s in-store AI misses the mark. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

N2K’s Brandon Karpf speaks with guest Justin Fanelli, Acting CTO of the US Navy, about the US Navy streamlining the innovation process. For some background, you can refer to this article.

Additional resources:

PEO Digital Innovation Adoption Kit

Atlantic Council’s Commission on Defense Innovation Adoption

For industry looking to engage with PEO Digital: Industry Engagement

Selected Reading

Prolific DDoS Marketplace Shut Down by UK Law Enforcement (Infosecurity Magazine)

Congress Calls for Tech Outage Hearing to Grill CrowdStrike C.E.O. (The New York Times)

How Russia-Linked Malware Cut Heat to 600 Ukrainian Buildings in Deep Winter (WIRED)

Telegram zero-day for Android allowed malicious files to masquerade as videos (The Record)

Chinese Cyberespionage Group Expands Malware Arsenal (GovInfo Security)

Google rolls back decision to kill third-party cookies in Chrome (Bleeping Computer)

FCC, Tracfone Wireless reach $16M cyber and privacy settlement (CyberScoop)

Wiz rejects Google’s $23 billion takeover in favor of IPO (The Verge)

Target Employees Hate Its New AI Chatbot (Forbes)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Duration: 32m
Broadcast on: 23 Jul 2024
Audio Format: mp3

You're listening to the CyberWire Network, powered by N2K.

When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Vanta automates compliance for SOC 2, ISO 27001, HIPAA, and more, saving you time and money. In Vanta, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center. Over 7,000 global companies like Atlassian, Flo Health, and Quora use Vanta to manage risk and prove security in real time. Our listeners can claim a special offer of $1,000 off Vanta at vanta.com/cyber. That's v-a-n-t-a.com/cyber for $1,000 off Vanta.

UK law enforcement relieves DigitalStress. Congress summons CrowdStrike's CEO to testify. FrostyGoop malware turned off the heat in Ukraine. EvilVideo is a zero-day exploit for Telegram. Daggerfly targets Hong Kong pro-democracy activists. Google has abandoned its plan to eliminate third-party cookies. The FCC settles with Tracfone Wireless over privacy and cybersecurity lapses. Wiz says no to Google and heads toward an IPO. N2K's Brandon Karpf speaks with our guest Justin Fanelli, acting CTO of the U.S. Navy, about streamlining the fleet's innovation process. And Target's in-store AI misses the mark.

This Tuesday, July 23, 2024, I'm Dave Bittner and this is your CyberWire Intel Briefing. Thank you for once again joining us here today. It is great to have you with us.

UK law enforcement agencies have taken down DigitalStress, a prominent underground marketplace for distributed denial of service services. The National Crime Agency and the Police Service of Northern Ireland disabled the site on July 2 and replaced its domain with a warning page. This takedown followed the arrest of a suspected site controller, "Skiop", in early July in a joint operation with the FBI. DigitalStress allowed users to order DDoS attacks easily, contributing to tens of thousands of attacks weekly. The NCA infiltrated the site's communications channels, leading to its shutdown. Deputy Director Paul Foster emphasized that the operation demonstrates that online criminals have no guarantee of anonymity. The NCA will now analyze collected user data and share information about international users with global law enforcement agencies.

A congressional committee has summoned CrowdStrike's CEO to testify about last week's tech outage, caused by a faulty security update which disrupted global operations. The update affected millions of Microsoft Windows devices, impacting airlines, hospitals, and many other organizations. Representatives Mark Green and Andrew Garbarino emphasized the need for transparency on the incident and mitigation steps. The letter to CEO George Kurtz requested a response to schedule the hearing. CrowdStrike confirmed ongoing communication with congressional committees. While Kurtz emphasized that it was not a cyber attack, lawmakers stressed the importance of learning from this event to protect critical infrastructure from future threats.

Russia has used both digital and physical attacks against Ukraine, particularly targeting heating infrastructure during winter. This past January, Russia-based hackers used a new malware, FrostyGoop, to disrupt a heating utility in Lviv, Ukraine, leaving 600 buildings without heat for 48 hours during freezing temperatures. Cybersecurity firm Dragos discovered this malware, which manipulates temperature readings to trick control systems. The attack highlights a new tactic of directly sabotaging utilities. FrostyGoop sends commands via the insecure Modbus protocol to industrial control systems. Although Dragos hasn't linked this to a specific hacker group, the incident is part of Russia's broader strategy to destabilize Ukraine. The attack underscores the vulnerability of industrial control systems and the psychological impact of such cyber warfare on civilian resilience.

Researchers have found a zero-day exploit for the Telegram app on Android, dubbed "EvilVideo" by ESET, which allowed attackers to send malicious payloads disguised as legitimate files. Telegram fixed this bug in versions 10.14.5 and above after ESET reported it. The exploit was potentially usable for about five weeks before the patch, though it's unclear if it was used in the wild. Discovered on an underground forum in early June, the exploit was sold by a user named Ancryno, who demonstrated it with screenshots and video. The vulnerability exploited Telegram's automatic media download setting, making malicious payloads appear as multimedia files. Even with auto-download disabled, users could still be tricked into downloading the malicious app disguised as an external video player. The patched Telegram version now correctly identifies such malicious files as applications. It remains unknown which hacker groups showed interest or how effective the exploit was. The forum account also advertised undetectable Android crypto-mining malware.

Security researchers at Symantec have linked a series of 2021 backdoor attacks on Hong Kong pro-democracy activists to the Chinese cyber-espionage group Daggerfly. This group, also known as Evasive Panda and Bronze Highland, has retooled its arsenal, including the Macma backdoor targeting iPhone and macOS devices. Macma was distributed via watering hole attacks on a Hong Kong media outlet and a pro-democracy group. Despite police crackdowns, smaller-scale protests continued in 2021. Daggerfly's new Macma iterations feature enhanced screen capture and file system listing capabilities. Symantec connected Macma to Daggerfly by identifying overlaps with the MgBot malware framework. Daggerfly also attacked a telecommunications organization in Africa in 2023 and is deploying a new Windows backdoor.

Google has abandoned its plans to eliminate third-party cookies in Chrome and will instead offer users more control over these cookies. Third-party cookies, which track users across different sites, are seen as privacy risks. GDPR requires user consent for these cookies. Mozilla Firefox and Apple Safari have already blocked them by default, with Google initially planning to follow suit. Google aimed to replace third-party cookies with Privacy Sandbox, a more anonymous tracking method. However, adoption has been slow and many platforms remain in beta testing. Due to the significant impact on advertisers and publishers, Google will now introduce a Chrome feature allowing users to limit third-party cookies instead of phasing them out entirely. Anthony Chavez, VP of Privacy Sandbox, announced that this new approach will let users make informed choices about third-party cookies. Privacy advocates like the EFF criticize Google for prioritizing profits over privacy. The EFF suggests using tools like Privacy Badger and uBlock Origin to block trackers.

The FCC has reached a $16 million settlement with Tracfone Wireless over privacy and cybersecurity lapses. This marks the first FCC settlement requiring specific conditions to secure APIs. The settlement stems from three data breaches exploiting API vulnerabilities between January of 2021 and January 2023, exposing sensitive customer data. Loyaan Egal, Chief of the FCC Enforcement Bureau, emphasized the importance of API security for carriers. Verizon-owned Tracfone did not comment on the settlement, which also mandates securing API vulnerabilities per industry standards, undergoing external security assessments, and personnel training on privacy and security. The breaches involved unauthorized access to customer proprietary network information, including call details. This settlement follows a $200 million fine against major carriers for illegal data sharing in April. The FCC stresses the need for carriers to protect customer information as per Section 222 of the Communications Act.

Cybersecurity startup Wiz rejected a $23 billion takeover bid from Google's parent company Alphabet, opting instead for an IPO. Co-founder Assaf Rappaport stated in an internal memo that Wiz will focus on reaching $1 billion in annual recurring revenue and proceeding with the IPO. The proposed acquisition would have doubled Wiz's $12 billion valuation from May, after raising $1 billion in funding. Wiz provides cloud-based security solutions for enterprises, making it a valuable asset for Google in competing with Microsoft and Amazon. Antitrust concerns and investor apprehensions contributed to Wiz's decision to abandon the deal. The Justice Department has ongoing antitrust lawsuits against Google, which has previously acquired cybersecurity firms Siemplify and Mandiant for $500 million and $5.4 billion, respectively.

Coming up after the break, N2K's Brandon Karpf speaks with our guest Justin Fanelli, acting CTO of the U.S. Navy, about streamlining the fleet's innovation process. Stay with us.

And now, a word from our sponsor, KnowBe4. Where would infosec professionals be without users making security mistakes? Working less than 60 hours per week, maybe, actually having a weekend every so often. While user behavior can be a challenge, they can also be an infosec professional's greatest asset once properly equipped. Users want to do the right thing, but often lack the knowledge to do so. That's one of the reasons KnowBe4 developed SecurityCoach, a real-time security coaching tool that takes alerts from your existing security stack and sends immediate coaching to users who've taken risky actions. Existing security tools will likely block a user from visiting a high-risk website, for example, but the user might not understand why. SecurityCoach analyzes these alerts and provides users with relevant security tips via email or Slack, coaching them on why the action they just took was risky. Help users learn from their mistakes and strengthen your organization's security culture with SecurityCoach. Learn more at knowbe4.com/securitycoach, that's knowbe4.com/securitycoach, and we thank KnowBe4 for sponsoring our show.

The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now employees, apps, and networks are everywhere. This means poor visibility, security gaps, and added risk. That's why Cloudflare created the first-ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business.

The CyberWire's executive editor, Brandon Karpf, recently caught up with Justin Fanelli, acting CTO of the U.S. Navy. They spoke about streamlining the fleet's innovation process.

Justin, thank you so much for coming on the show. I believe it is your first time on CyberWire.

It is. Long-time listener, first-time caller. Thanks for having me.

And you and I and Rick Howard, who's well known on this network, have had numerous conversations around technology creation, technology adoption, public-private partnerships, both within the Department of Defense and the government. I would like to just get your view today on how are we doing with these partnerships?

So the public-private partnership is growing in terms of the number of actual private-sector partners that we have and work with. It's up. New entrants are up. The performance of existing players is up. And so the CNO, the Chief of Naval Operations, sometimes says, "Hey, we want more players on the field," from a warfighting perspective. We also want more industry partners on the field contributing to national security, contributing to economic security. And in this particular case, we are really excited about the number of new ideas and the impact of the solutions.

If we can, I would love to dig in a little deeper on the nature of that partnership, because oftentimes, folks who maybe are just uninformed or don't have the experience in DOD think of national security as purely military power. But you mentioned something in that response about it's not just military power, it's economic power, it's capability, it's national strength, it's even technology innovation adding to our national security, the strength of our market, the strength of our companies, the strength of our military, all working together in concert. Can you talk a little bit about kind of why today is as good as it's ever been, and maybe some of the examples you see about how the Navy, but also DOD more broadly, is enabling that?

One of the things that is improving for us is our ability to harness and adopt innovation more intelligently and faster. We're evaluating based on outcome-driven metrics. What does this bring to the table? Does it open the door to divesting something so that we can invest further? That keeps this flow healthier in terms of both the technical debt and the resilience that the cyber capabilities create. Sometimes people refer to the defense ecosystem as a sector. I teach a course at Georgetown called Cybersecurity Strategy, Public and Private Perspectives. Dual use that is funded by science and technology funding within the Department of Defense is in all 11 sectors. This is showing up everywhere, so that is a launchpad as opposed to a sector. If someone is proving something out or increasing the technical maturity in a government lab or in a military lab, it's very likely that it's going to be picked up by edtech or fintech or something else. We then on the back end often make use of that again after that initial investment. There is money on the left side of that, and there's money on the right side of that. We're trying to bring those closer together and really make that a focal area for where we can connect dots and how we can close that gap in terms of the speed to impact. We've been just kind of ringing that bell to say, "Hey, if there is a topic where there are a lot of cyber topics where we can make use and pull something through, "Hey, this is a gap in the market. Hey, this is a tool that allows us to do something more effectively and more resiliently at a lower cost than we've ever done before. We need that, and we can tie that almost definitely to a topical requirement that already exists."

As you talk about this need to align the timing, the resources, the funding, the technology maturity, that type of alignment sounds extraordinarily complex to me. You also talked about determining and assessing and evaluating what you need from a mission perspective, mission outcomes, and aligning those things together, both the investments that you're making, but also the acquisition programs that you're creating to align technology with mission outcomes. That sounds extraordinarily complex. Just in my layman observation, how are you doing that functionally on the ground? How are you actually accomplishing that mission?

We want to simplify that story. One of the things we've done to try to simplify that story is to say, "Hey, there are times where someone is selling a product or someone is using a product but in a very limited way, and it's hard to tell. Sometimes it takes an hour, sometimes it takes two or three meetings to figure out even where that is." We've used a couple constructs to start on second or third base, to expedite the conversation. One of the most powerful ones, even though it's simple, is the investment horizons. This looks at technology where it is in the process to say, "3, 2, 1, 0." One is production. Is it at scale production, whether it's a designated enterprise service or otherwise? This is, at large, we have tens or hundreds of thousands or maybe even millions of users within this ecosystem. Horizon 2 is piloting. We've looked at it, someone's using it. We want to use a structured pilot to learn by doing. We won't put this to scale, so there's psychological safety in there to learn before we scale, but we can't just do this at arm's length. Then there's Horizon 3, which is scouting, but scouting more deliberately. This could be other people's money, those S&T organizations that we talked about or internal research and development or the full dual-use case ecosystem to include, "Here's what venture capital firms are backing. Here's what new exciting things are happening." By laying those out 3 to 2 to 1, we can see, from a matriculation perspective, how close we are, where they line up, where one product might do the job more effectively of three products. We don't want one for ones because that just keeps more cars piling up in the garage, but what that funnel actually shows us is really important. Then zero is divestment, which is, it's not sexy, we're trying to make it sexy, but this is the idea of there are already a lot of things that we're sustaining. If we can turn off legacy capability in favor of something that is more effective or providing bigger outcomes, we want to do that. Those are the technology horizons, 3, 2, 1, 0. The interesting part was, most of our partners were already playing into this. They just didn't have the taxonomy. We have a lot of partners who are just excited to play in connecting dots. My program executive office, Digital, we had a handful of program offices. This is a familiar construct, whether you're in government or not, a program office. We switched to portfolio management offices. Portfolio theory has been around for a long time. It's not used a ton in government, but as a concept, I think people are generally familiar that this allows us to make more data-driven, objective decisions as opposed to, here is my monolithic baby, and I want to protect it at all costs. When we were at RSA, people said, "Oh, you're the folks who are using horizons and portfolio. We know what portfolio we fit in, and we don't have to defeat some program of record. We can just make our value proposition." We've talked to 500 companies in the last probably 14 months. The venture-backed community has given us, "Hey, here's the list of port codes that have the biggest impact on what we're doing, and we can prove that through outcome-driven metrics." I'd say across the services and across several agencies, we're getting good support, and people get it, and that's helping with direction.

I was struck by the headline quote in the Atlantic Council's Commission on Defense Innovation Adoption. They published this back in April 2023. I've seen you use this quote on some of your documents from your office. The quote is, "We have found that the United States does not have an innovation problem, but rather an innovation adoption problem. The DOD struggles to identify, adopt, integrate, and field these technologies." The thing that really stuck out to me was this four-step process of identify, adopt, integrate, and field, and you've talked about a number of ways in which your office and others in DOD are trying to better identify, adopt, integrate, and field. What I just heard you say, though, is there's still a tremendous amount of responsibility on the company to help you identify them, to help you adopt them. They need to pitch themselves and present their value proposition in a way that they understand how it's going to be adopted, how it's going to be integrated within your existing programs, offices, portfolios, and really mission needs.

I think it's fairly accurate, and ultimately it becomes a dance, right? Where does the onus go? If we are looking for Moneyball, if we're saying, "Hey, we have $1 and we're going to spend it on one or two things," which one is the biggest impact, would you want that to be on the receiver of the pitch to figure it out, or would you want to give the attacker advantage to the vendor who understands, "Here's how my product or our service has helped eight companies." They'll innately understand that probably better than they understand our domain, but it's easier for those companies that want to make an impact to know, "Hey, here's how I pitch to this group." We just know that most of the innovative ideas are out there, and so we need a funnel to receive those. What we've done is we said, "Okay, rent the same line as you, innovation adoption problem. What can we do about that?" We send warfighters into theater, we send them with a kit, so if we send folks into the DOD or federal ecosystem, here's the innovation adoption kit. The IAK is a set of tools to break that valley of death, in this case, into a handful of glands that say, "What if we're so prescriptive that we're asking for a technology that doesn't make sense anymore?" We should then use top-level requirements. What if we are measuring something that is no longer relevant or doesn't have the same impact that we'd like it to? Then outcome-driven metrics are a proven answer. How do we talk about things that aren't quite mature enough? Why not the horizons? I've mentioned VC a couple of times, the VC feedback cycle: seven years before you know if you did something well or not, oftentimes. We prefer the chef or the cook feedback cycle. I know if I made a grilled cheese sandwich that sucks in seven minutes. I can learn from that. It wasn't particularly detrimental. I ate it anyway. It was a little bit burned, but then we know how to do that differently.

The learning by doing at speed, that is not exposing to important or significant risk, and then applying that to higher and higher stakes problems. Mean time to feedback, if you will.

Mean time to feedback. Very good. Yes. To use a cyber term.

That's it. That is less than half of my full conversation with Justin Fanelli, Acting CTO of the Department of the Navy. For the full episode, tune in this weekend to our special edition, publishing in the CyberWire Daily podcast feed, and of course, as always, you can get an ad-free version of that feed by heading on over to cyberwire.com/pro and signing up for an N2K Pro account, where you can get this podcast and a whole host of other resources ad-free to support your development and your professional learning and skills development in cybersecurity. See you there.

That's our own Brandon Karpf speaking with Justin Fanelli, Acting CTO of the US Navy.

Most of our listeners who deal with legacy privileged access management products know they tend to be expensive, difficult to deploy, and hard to use. Keeper Security is the answer. Keeper's zero trust solution delivers password, secrets, and connection management in one easy-to-use platform. It's fast to deploy, agentless, clientless, and has no implementation fees. Plus, Keeper is FedRAMP authorized. That's why we trust Keeper to prevent breaches and gain full control over privileged users. Visit keeper.io/cyberwire to schedule a quick demo. That's keeper.io/cyberwire, and thanks to Keeper Security for supporting our podcast.

When it comes to music, everyone has a totally unique taste. When a song comes on, it perfectly fits your mood. It kind of feels like magic. At Credit Karma, we do the same thing, but for your finances. We got tired of the financial system giving broad, impersonal, and irrelevant advice to everybody. We created a way for you to cut through the noise and find offers and recommendations that make sense for your specific money goals, so you know the guidance you're getting is truly custom to you. Download Intuit Credit Karma today and get everything you need to outsmart the system.

And finally, our retail desk alerts us to a story by Cyrus Farivar for Forbes. Employees at the retail giant Target are not thrilled with the company's new AI chatbot HelpAI, designed to assist with store processes and to support new team members. Instead of being a helpful tool, employees find it frustrating and unhelpful. "We call it the s*** box because it gives s*** answers," one employee told Forbes, reflecting widespread dissatisfaction. Target introduced HelpAI as part of its growth strategy to combat stagnant sales, with plans to roll it out to nearly 2,000 stores. Despite Target's CIO Brett Craig touting its transformative potential, employees argue the chatbot is a waste of resources and provides incomplete, often ridiculous advice, such as suggesting confronting an active shooter with a baseball bat. While Target insists it is committed to improving the tool based on feedback, employees feel the company should focus on more practical solutions like improving checkout experiences and addressing workload issues. For now, as far as Target's employees are concerned, HelpAI is more hindrance than help.

And that's The CyberWire! For links to all of today's stories, check out our daily briefing at TheCyberwire.com. We'd love to know what you think of this podcast; your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's pre-eminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at N2K.com.

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

This September 18th and 19th in Denver, a tight community of leading experts is gathering to tackle the toughest cybersecurity challenges we face. It's happening at mWISE, the unique conference built by practitioners for practitioners. Brought to you by Mandiant, now part of Google Cloud, mWISE features one-to-one access with industry experts and fresh insights into the topics that matter most right now to frontline practitioners. Enter early and save at mys.io/cyberwire, that's mys.io/cyberwire.