Archive.fm

CyberWire Daily

Old school, new threat.


Duration: 31m
Broadcast on: 10 Jul 2024
Audio Format: mp3

Blast-RADIUS targets a network authentication protocol. The US disrupts a Russian disinformation campaign. Anonymous messaging app NGL is slapped with fines and user restrictions. The NEA addresses AI use in classrooms. Gay Furry Hackers release data from a conservative think tank. Microsoft and Apple change course on OpenAI board seats. Australia initiates a nationwide technology security review. A Patch Tuesday rundown. Guest Jack Cable, Senior Technical Advisor at CISA, with the latest from CISA's Secure by Design Alert series. Our friend Graham Cluley ties the knot. 

Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.


CyberWire Guest

Guest Jack Cable, Senior Technical Advisor at CISA, joins us to share an update on CISA's Secure by Design Alert series. For some background, you can find CISA’s Secure by Design whitepaper here. Details on today’s update can be found here.


Selected Reading

New Blast-RADIUS attack breaks 30-year-old protocol used in networks everywhere (Ars Technica)

US Disrupts AI-Powered Russian Bot Farm on X (SecurityWeek)

FTC says anonymous messaging app failed to stop ‘rampant cyberbullying’ (The Verge)

NEA Approves AI Guidance, But It’s Vital for Educators to Tread Carefully (EducationWeek)

Hacktivists release two gigabytes of Heritage Foundation data (CyberScoop)

Microsoft and Apple ditch OpenAI board seats amid regulatory scrutiny (The Verge)

Australia instructs government entities to check for tech exposed to foreign control (The Record)

Microsoft July 2024 Patch Tuesday fixes 142 flaws, 4 zero-days (BleepingComputer)

Graham Cluley ties the knot (Mastodon) 


Share your feedback.

We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. 


Want to hear your company in the show?

You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Learn more about your ad choices. Visit megaphone.fm/adchoices

You're listening to the Cyberwire Network, powered by N2K.

When it comes to music, everyone has a totally unique taste. So when a song comes on to perfectly fit your mood, it kind of feels like magic. And at Credit Karma, we do the same thing, but for your finances. We got tired of the financial system giving broad, impersonal, and irrelevant advice to everybody. So we created a way for you to cut through the noise and find offers and recommendations that make sense for your specific money goals. So you know the guidance you're getting is truly custom to you. Download Intuit Credit Karma today and get everything you need to outsmart the system.

When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Vanta automates compliance for SOC 2, ISO 27001, HIPAA, and more, saving you time and money. With Vanta, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center. Over 7,000 global companies like Atlassian, Flo Health, and Quora use Vanta to manage risk and prove security in real time. Your listeners can claim a special offer of $1,000 off Vanta at vanta.com/cyber. That's v-a-n-t-a.com/cyber for $1,000 off Vanta.

The U.S. disrupts a Russian disinformation campaign, anonymous messaging app NGL is slapped with fines and user restrictions, the NEA addresses AI use in classrooms, gay furry hackers release data from a conservative think tank, Microsoft and Apple change course on OpenAI board seats, Australia initiates a nationwide technology security review, a Patch Tuesday rundown, our guest is Jack Cable, Senior Technical Advisor at CISA, with the latest from CISA's Secure by Design Alert series. And our friend, Graham Cluley, ties the knot.

It's Wednesday, July 10th, 2024. I'm Dave Bittner and this is your Cyberwire Intel Briefing. Thanks for joining us here today. It is great as always to have you with us.
A newly discovered attack dubbed Blast-RADIUS targets the Remote Authentication Dial-In User Service, that's RADIUS, used widely for network authentication. Developed in 1991, RADIUS remains crucial for VPNs, ISPs, Wi-Fi and cellular networks. However, it relies on the outdated MD5 hash function, known for its susceptibility to collision attacks, where two different inputs produce the same hash output. Others have shown that these MD5 collisions can be exploited to gain unauthorized administrative access to devices using RADIUS. The attack involves an adversary intercepting and manipulating RADIUS authentication packets to trick the server into granting access. This is made feasible by optimizing the attack process, reducing the required computational time from thousands of hours to mere minutes. Despite the known weaknesses of MD5, RADIUS has not been updated to mitigate these vulnerabilities effectively. The recent research underscores the urgent need to transport RADIUS traffic over TLS or DTLS, ensuring encrypted and authenticated communications. In the interim, short-term mitigations include using HMAC-MD5 for packet authentication, although this might break compatibility with older implementations. The vulnerability has prompted security bulletins and patches from over 90 vendors, urging users to implement recommended updates and check with manufacturers for specific guidance. This discovery highlights the importance of updating legacy protocols and adopting more secure cryptographic practices to protect critical network infrastructure.

The U.S. has disrupted Russian threat actors associated with RT, formerly Russia Today, who used AI features of the Meliorator software to create fake online personas spreading disinformation in the U.S., Germany, Israel, the Netherlands, Poland, Spain, and Ukraine, according to a joint advisory from government agencies. The U.S.
seized two domain names used to register these fake accounts, revealing a bot farm managed by a Russian FSB officer and a private intelligence organization with Kremlin support. Meliorator generates realistic social media profiles that post content, mirror disinformation, and formulate false narratives. It includes an administrator panel and a seeding tool to control the fake personas. RT has used this software since 2022 to support Russian interests. By June of this year, it had created 968 accounts on X, formerly Twitter. The identified accounts have been suspended, and social media platforms are urged to help identify and reduce these fake personas.

The anonymous messaging app NGL will no longer be available to users under 18, following a settlement with the Federal Trade Commission and the Los Angeles District Attorney's Office. This agreement, pending judge approval, marks the FTC's intensified efforts to safeguard children's privacy. The settlement, distinctive for its age ban, contrasts with past actions under the Children's Online Privacy Protection Act (COPPA). NGL, an app for soliciting anonymous messages, faced accusations of misleading young users into buying a premium version by sending fake messages and promising identity reveals. Instead, users received vague hints. The FTC also claimed NGL falsely advertised effective AI content moderation while cyberbullying was rampant. Additionally, NGL allegedly failed to obtain parental consent for users under 13, violating COPPA. The company agreed to pay $5 million and implement age restrictions.

The nation's largest teachers' union, the NEA, has voted to address AI use in classrooms through policy actions. On July 4, the union's 6,000 delegates approved a policy statement at their annual assembly. This policy focuses on ensuring AI is used safely and equitably, emphasizing the importance of human interaction in education. It highlights issues like equity, data protection, and environmental impact.
The NEA aims to guide educators on AI use, pushing for professional development and involvement in policy discussions. The policy calls for ethical AI development and equitable access, ensuring AI supplements rather than replaces human teaching. The NEA will advocate at various levels for these principles, recognizing the potential of AI to support but not replace educators in fostering meaningful student-teacher connections.

A cybercrime group known as SiegedSec released approximately 2 gigabytes of data from the Heritage Foundation, a conservative think tank. This release was in response to Heritage's Project 2025, which aims to provide policy proposals for a potential Donald Trump presidency. The leaked data includes Heritage Foundation blogs, material from The Daily Signal, and personal information of individuals associated with Heritage, including those with U.S. government email addresses. SiegedSec, self-identified as gay furry hackers, claims this leak is part of their OpTransRights campaign. The Heritage Foundation has not commented on the breach, which is the second cyber attack they've faced this year. SiegedSec also claims to possess over 200 gigabytes of additional data, but say they have no plans to release it.

Microsoft has relinquished its observer seat on OpenAI's board, less than eight months after acquiring it. Apple, initially planning to join OpenAI's non-profit board, has also decided not to join. OpenAI confirmed Microsoft's decision following reports from Axios and the Financial Times. OpenAI expressed gratitude for Microsoft's support and announced a new strategy under CFO Sarah Friar involving regular stakeholder meetings with strategic partners like Microsoft and Apple and investors like Thrive Capital and Khosla Ventures. These changes coincide with growing antitrust concerns regarding Microsoft's $10 billion investment in OpenAI.
This investment, making Microsoft the exclusive cloud partner for OpenAI, powers all OpenAI workloads and enhances Microsoft's AI capabilities across its products and services.

Australia has directed its government entities to review their entire technology estates and identify assets potentially controlled or manipulated by foreign states. This action addresses growing cyber threats, including repeated targeting by a state-sponsored Chinese hacking group. The Department of Home Affairs issued legally binding instructions for over 1,300 government entities to identify foreign ownership, control, or influence risks in their technology by June 2025. Additionally, they must assess internet-facing systems for security risks and collaborate with the Australian Signals Directorate on threat intelligence sharing. This directive aims to enhance the visibility and security of Australia's government technology infrastructure. The new cyber security measures follow Australia's earlier ban on TikTok on government devices due to security concerns.

Yesterday was Patch Tuesday. This month's update from Microsoft addresses 142 security flaws, including two actively exploited and two publicly disclosed zero-day vulnerabilities. Among these, five critical vulnerabilities stand out, all of which are remote code execution flaws. The breakdown of the vulnerabilities reveals a diverse array of threats: 26 elevation of privilege, 24 security feature bypass, 59 remote code execution, 9 information disclosure, 17 denial of service, and 7 spoofing vulnerabilities. Highlighting the critical fixes, the first zero-day vulnerability affects Windows Hyper-V. This elevation of privilege flaw allows attackers to gain SYSTEM privileges, posing a severe risk. The second actively exploited zero-day targets the Windows MSHTML platform. This spoofing vulnerability requires the victim to execute a malicious file, after which the attacker can exploit the system.
In addition, two publicly disclosed zero-day vulnerabilities have been patched. The first involves a remote code execution issue in .NET and Visual Studio, caused by a race condition in HTTP/3 stream processing. The second, known as the FetchBench side-channel attack, could allow attackers to view heap memory from a privileged process, compromising sensitive information.

This Patch Tuesday also coincides with updates from other major companies. Adobe has released security updates for Premiere Pro, InDesign, and Bridge. Cisco has disclosed an exploited CLI command injection vulnerability in NX-OS software. Citrix has fixed flaws in its Windows Virtual Delivery Agent and Citrix Workspace app. Additionally, Fortinet, Mozilla, OpenSSH, and VMware have all issued updates addressing various vulnerabilities.

Coming up after the break, my conversation with Jack Cable, Senior Technical Advisor at CISA, on the latest CISA Secure by Design alert series. Stay with us.

And now, a word from our sponsor, KnowBe4. Where would infosec professionals be without users making security mistakes? Working less than 60 hours per week, maybe, actually having a weekend every so often. While user behavior can be a challenge, they can also be an infosec professional's greatest asset once properly equipped. Users want to do the right thing, but often lack the knowledge to do so. That's one of the reasons KnowBe4 developed SecurityCoach, a real-time security coaching tool that takes alerts from your existing security stack and sends immediate coaching to users who've taken risky actions. Existing security tools will likely block a user from visiting a high-risk website, for example, but the user might not understand why. SecurityCoach analyzes these alerts and provides users with relevant security tips via email or Slack, coaching them on why the action they just took was risky. Help users learn from their mistakes and strengthen your organization's security culture with SecurityCoach.
Learn more at knowbe4.com/securitycoach, that's knowbe4.com/securitycoach, and we thank KnowBe4 for sponsoring our show.

The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now, employees, apps, and networks are everywhere. This means poor visibility, security gaps, and added risk. That's why Cloudflare created the first-ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business.

Jack Cable is Senior Technical Advisor at CISA, and I recently got together with him to discuss CISA's Secure by Design Alert series.

Definitely, and first of all, thanks so much for having me on here, Dave. CISA's Secure by Design Alert series really stems from CISA and our partners' Secure by Design guidance, which was launched in April of last year with a number of both domestic and international partners, with really the goal being to highlight how software manufacturers can take ownership of the security outcomes of their customers. Really, for so long, the burden has been placed on those least capable of bearing it when it comes to security, whether it's end users, individuals, small businesses, hospitals, and so on. We want to see how, in line with the White House's National Cybersecurity Strategy, we can work to shift that burden onto those who are most able to bear it. We issued updated Secure by Design guidance. We have over 13 countries on board now, and the Secure by Design Alert series is really the next step in highlighting how, when we see vulnerabilities in the news that are often quite simple, in reality they're preventable at the end of the day, and that software manufacturers can do a lot to raise the collective bar of security for all of us.
That's really what we're hoping to accomplish with the Secure by Design Alert series, is to shift that conversation just from, say, what the victims have done wrong or what the adversaries have done right to what the vendors, what the software manufacturers can be doing to prevent these vulnerabilities in the first place.

Well, today you and your colleagues there are publishing the latest alert in the series here. What can you tell us about that? What are we covering here today?

This alert focuses on command injection vulnerabilities, which are one of the most dangerous classes of vulnerabilities, and we've seen numerous examples, even just this year, of these vulnerabilities being exploited in the wild. Essentially they allow an adversary to run arbitrary commands on a victim's computers, which, as you might imagine, can lead to some quite harmful effects. And the reality with these vulnerabilities is that not only have we known about this class of vulnerability for decades, but we've known how to prevent them for decades, so our Secure by Design alert includes some quite basic approaches that software manufacturers can take to root these vulnerabilities out of their products. And really we encourage every manufacturer to review their products, understand where, for instance, they might be using and invoking commands in a manner that is vulnerable, and see how they can not just do one-off patches when vulnerabilities get reported to them, but rather really take a proactive approach to root these out and ensure that this class of vulnerability isn't present in their products.

Can we go through some of the details there? I mean, what are some of the things that software developers can do to prevent these command injection vulnerabilities?
Yeah, so what our guidance talks about, and, say, kind of the most basic starting point, and this is a common theme, I'd say, between many common classes of vulnerabilities that we talk about in our own alerts, is the commingling of, say, application code and user input, which we know is a bad practice, and we know time and time again leads to these very damaging vulnerabilities. And there's ways to invoke commands, if you look at any modern programming language, in a way that clearly distinguishes user input from the contents of the command itself. So what our alert talks about is, one, if possible, avoid invoking a command through code. If there is, say, a built-in function that can be used, say if you're creating a directory, then use that if you can get away with it. And if you do need to invoke a command, at the very least ensure that, one, you're sanitizing input and, two, that you are separating that contextually from the actual contents of the command. And again, this isn't unique by any means to command injections, but really across the board. One other example, for instance, which we've issued an alert on, is SQL injection vulnerabilities, where, again, that's a preventable class of vulnerability that's been around for a while, and we've also known how to prevent that for over 20 years, and there's ways of separating the contents of the query from the actual query itself. And yet, today, in 2024, we still see these vulnerabilities being exploited in the wild, and that's something we think is entirely preventable.

And one of the things that strikes me about these Secure by Design alerts, and really, I'd say, the overarching approach that CISA has had since its foundation, is that it's very collaborative. This isn't just the government organization coming down from on high to say, "This is what you must do." It recognizes, and I think encourages, the fact that this is a team sport.
Yeah, and really, I'd say that that's a core part of our Secure by Design initiative, because we know at the end of the day, where we want to make progress, we need to work with these software manufacturers and get them to take action to eradicate vulnerabilities from their products. So that's the approach we've been taking from our initial Secure by Design guidance, and we published a request for information, got some really great feedback that we're working on reviewing in order to make our guidance and associated action as helpful as possible. And then I think one of the really exciting actions we've been taking recently is we launched a Secure by Design pledge, working with software manufacturers, where they're committing to taking actions and demonstrating measurable progress in specific areas around Secure by Design over the next year. And we launched this at RSA with 68 companies on board. Since then, we've more than doubled the number of companies we've signed on. We're now up to over 150, including some of the biggest software manufacturers in the world, and we're really excited to see what sorts of actions the software manufacturers take, and in particular, how they can help raise the tide not just at their own companies, but for everyone, because we know that this is an issue that industry collectively has struggled with for decades, and it's not going to be solved overnight. So how can we, in the spirit of one of our Secure by Design principles of radical transparency, how can we make sure that information is readily available for everyone who's building software to do so in a manner that is secure by design?

Our thanks to Jack Cable from CISA for joining us. You can check out the CISA Secure by Design Alert series on their website.

Most of our listeners who deal with legacy privileged access management products know they tend to be expensive, difficult to deploy, and hard to use. Keeper Security is the answer.
Keeper's zero-trust solution delivers password, secrets, and connection management in one easy-to-use platform. It's fast to deploy, agentless, clientless, and has no implementation fees. Plus, Keeper is FedRAMP authorized. That's why we trust Keeper to prevent breaches and gain full control over privileged users. Visit keeper.io/cyberwire to schedule a quick demo, that's keeper.io/cyberwire, and thanks to Keeper Security for supporting our podcast.

And finally, our Matrimony Desk reports that noted cybersecurity expert and podcast host Graham Cluley tied the knot earlier this week. As a regular guest on the Smashing Security podcast, I can only assume that my wedding invitation was somehow delayed in the international post. What an event it must have been. I can almost imagine what it must have been like. Now, where to begin with this posh British wedding? Picture an event so lavish that even the royal family would feel a twinge of envy. The ceremony took place in a centuries-old cathedral with more gold leaf and stained glass than you can shake a diamond-encrusted stick at. The bride was, of course, a vision of beauty, stunningly gorgeous and incredibly intelligent, the kind of woman who makes you question the fairness of the universe. She had a Ph.D. in something so complex it made quantum physics look like a children's book. And the groom? Well, he was a huge Doctor Who fan. Yes, you heard that right. Now imagine this. The aisle was flanked by life-size Daleks. Yes, Daleks. Because nothing says eternal love like deadly extraterrestrial robots. The groom had somehow convinced his stunningly beautiful, highly intelligent bride to let his Whovian obsession infiltrate every aspect of their wedding. Kudos to her for her patience, I suppose. The ceremony itself was officiated by a gentleman dressed as the fourth Doctor. Well, of course I can control it. I kid you not. The man had the scarf, the hat, the whole shebang.
When he said, "Do you take this man to be your husband?" I half expected him to add, "Allons-y." During the reception, the groom proudly displayed his TARDIS-shaped cake. It was an impressive confection, I'll give him that, but it looked somewhat out of place next to the elegantly draped tables and the floral arrangements that probably cost more than my car. The bride's cake, a multi-tiered masterpiece covered in delicate sugar flowers, stood in stark contrast to the groom's geeky creation. And let's not forget the wedding breakfast, which was a gastronomic journey so elaborate it would have made Heston Blumenthal weep with envy. Among the haute cuisine and deconstructed dishes, there was a small section of the menu dedicated to delicacies from Gallifrey. Fish fingers and custard, anyone? The speeches were another highlight. The bride's best friend gave a heartfelt speech that left everyone reaching for their monogrammed handkerchiefs. The groom, however, began his with, "As the Doctor would say, 'We're all stories in the end, just make it a good one.'" And I suppose he did make it a good one, if you're into time-traveling aliens. Then came the first dance. The bride looked like she floated on air in an exquisite gown. The groom, bless him, tried to keep up without stepping on her toes. The song: an orchestral version of the Doctor Who theme. I could practically hear the collective eye roll from the more traditional guests, but hey, at least the couple was happy. As the evening progressed and the champagne flowed, the dance floor became a bizarre mix of posh people attempting to do the conga line with a Dalek. Yes, it was as ridiculous as it sounds. In the end, the bride's radiant smile and the groom's childlike glee made it clear that, despite the oddities, they were in it for the long haul. And isn't that really what matters? Our best wishes to the happy couple. You can hear Graham Cluley on the Smashing Security podcast, as well as his latest show, The AI Fix.
You'll find links in the show notes.

And that's The Cyberwire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes, or send an email to cyberwire@n2k.com. We're privileged that N2K Cyberwire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com. This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

This September 18th and 19th in Denver, a tight community of leading experts is gathering to tackle the toughest cybersecurity challenges we face. It's happening at mWISE, the unique conference built by practitioners for practitioners. Brought to you by Mandiant, now part of Google Cloud, mWISE features one-to-one access with industry experts and fresh insights into the topics that matter most right now to frontline practitioners. Register early and save at mwise.io/cyberwire, that's mwise.io/cyberwire.
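The Blast-RADIUS segment earlier in the episode describes the weak point and the interim fix in one breath: a RADIUS response is authenticated only by an MD5 hash over a known prefix plus the shared secret, and the short-term mitigation is the HMAC-MD5 Message-Authenticator attribute. The following is an added example, not code from the podcast, from CISA, or from the Blast-RADIUS researchers, and it does not reproduce the MD5 chosen-prefix collision itself. It is a minimal RFC 2865/2869 packet encoder with a client-side verifier that runs either in the legacy mode (Response Authenticator only) or in the hardened mode (Message-Authenticator required). The shared secret, the identifier, the Request Authenticator and the `demo()` helper are constructed for the illustration.

```python
"""Added example: RADIUS Response Authenticator vs. Message-Authenticator.
Minimal RFC 2865/2869 encoding, enough to show why a RADIUS client must
require the HMAC-MD5 Message-Authenticator in Access-Accept/Reject packets.
The MD5 collision used by Blast-RADIUS is not reproduced here."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80      # RFC 2869 section 5.14, value is 16 octets
HEADER = struct.Struct("!BBH")        # Code, Identifier, Length (incl. 20-byte header)


def encode_attrs(attrs):
    """Type-Length-Value encoding; Length counts the two header octets."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(blob):
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute length")
        attrs.append((t, blob[i + 2:i + length]))
        i += length
    return attrs


def build_request(ident, request_auth, attrs):
    blob = encode_attrs(attrs)
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(blob)) + request_auth + blob


def response_authenticator(code, ident, request_auth, blob, secret):
    """RFC 2865 section 3: MD5(Code, ID, Length, RequestAuth, Attributes, Secret).
    Everything but the secret is known to an on-path attacker, which is the
    structure Blast-RADIUS exploits with an MD5 chosen-prefix collision."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(blob))
                       + request_auth + blob + secret).digest()


def message_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2869: HMAC-MD5 over the response, keyed with the shared secret,
    with the Message-Authenticator value itself set to 16 zero octets."""
    zeroed = [(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    blob = encode_attrs(zeroed)
    return hmac.new(secret, HEADER.pack(code, ident, 20 + len(blob))
                    + request_auth + blob, hashlib.md5).digest()


def build_response(code, request, attrs, secret, include_message_authenticator):
    """Server side. The hardened server always sets include_message_authenticator."""
    ident, request_auth = request[1], request[4:20]
    attrs = list(attrs)
    if include_message_authenticator:
        attrs.append((ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
        attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR,
                     message_authenticator(code, ident, request_auth, attrs, secret))
    blob = encode_attrs(attrs)
    return (HEADER.pack(code, ident, 20 + len(blob))
            + response_authenticator(code, ident, request_auth, blob, secret) + blob)


def verify_response(response, request, secret, require_message_authenticator):
    """Client side. require_message_authenticator=False is the pre-Blast-RADIUS
    behaviour: a matching Response Authenticator alone is accepted."""
    if len(response) < 20:
        return False
    code, ident, length = HEADER.unpack(response[:4])
    if length != len(response) or ident != request[1]:
        return False
    request_auth, blob = request[4:20], response[20:]
    if not hmac.compare_digest(
            response[4:20], response_authenticator(code, ident, request_auth, blob, secret)):
        return False
    try:
        attrs = decode_attrs(blob)
    except ValueError:
        return False
    macs = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if not macs:
        return not require_message_authenticator
    if len(macs) != 1 or len(macs[0]) != 16:
        return False
    return hmac.compare_digest(
        macs[0], message_authenticator(code, ident, request_auth, attrs, secret))


def demo():
    """Constructed exchange with a fixed secret and Request Authenticator."""
    secret = b"example-shared-secret"          # constructed, not a deployment value
    request = build_request(0x2A, bytes(range(16)), [(ATTR_USER_NAME, b"alice")])
    good = build_response(ACCESS_ACCEPT, request, [], secret, True)
    # Stand-in for the collision-forged Access-Accept: its Response Authenticator
    # verifies (here because we hold the secret; Blast-RADIUS gets there without
    # it), but it carries no Message-Authenticator, which the attacker cannot forge.
    forged_like = build_response(ACCESS_ACCEPT, request, [], secret, False)
    # Naive tamper: flip an Access-Reject's code byte to Access-Accept and keep
    # its Response Authenticator. Even the legacy check catches this one.
    reject = build_response(ACCESS_REJECT, request, [], secret, False)
    flipped = bytes([ACCESS_ACCEPT]) + reject[1:]
    return {
        "good_strict": verify_response(good, request, secret, True),
        "forged_legacy": verify_response(forged_like, request, secret, False),
        "forged_strict": verify_response(forged_like, request, secret, True),
        "flipped_legacy": verify_response(flipped, request, secret, False),
    }


if __name__ == "__main__":
    print(demo())
```

The legacy verifier accepts `forged_like` because the Response Authenticator is all it checks; the strict verifier rejects it because the attacker has no way to produce a keyed HMAC without the secret, which is exactly why the vendor bulletins tell clients to require the attribute and servers to always send it. Enabling the strict mode against a server that never sends Message-Authenticator breaks every login, which is the compatibility caveat the segment mentions.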
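Jack Cable's description of the command injection alert lays out three rungs: prefer the language's built-in function, otherwise invoke the command with user input kept separate from the command text, and validate the input in either case. The following is an added example, not CISA's code or text from the alert: the operation he names, creating a directory whose name comes from a user, written the vulnerable way and both hardened ways, exercised against a constructed hostile name. It assumes a POSIX `/bin/sh` and a `mkdir` binary (Linux or macOS); `HOSTILE_NAME` and `demo()` are the example's own.

```python
"""Added example (not CISA's code): three ways to create a user-named directory.
Assumes a POSIX /bin/sh and a `mkdir` binary, as on Linux or macOS."""
import os
import subprocess
import tempfile
from pathlib import Path

# Constructed attacker-controlled input: a "directory name" that smuggles a
# second command behind the ';' shell metacharacter.
HOSTILE_NAME = "report; echo INJECTED"


def mkdir_vulnerable(base, name):
    """Commingles user input with the command text, so /bin/sh parses the ';'
    and runs 'echo INJECTED' as a separate command. Returns the shell's stdout
    so the side effect is visible to the caller."""
    cmd = f"mkdir {os.path.join(base, name)}"  # never build commands like this
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout.strip()


def mkdir_argv(base, name):
    """If a command must be invoked: argv list, no shell, and '--' so a name
    beginning with '-' cannot be parsed as an option. The name travels as one
    argument whatever characters it contains."""
    target = os.path.join(base, name)
    subprocess.run(["mkdir", "--", target], check=True, capture_output=True)
    return target


def mkdir_builtin(base, name):
    """Preferred: the language's own API, no command at all, plus validation
    that the name is a single path component (no separators, no NUL)."""
    if not name or name in (".", "..") or any(c in name for c in "/\\\x00"):
        raise ValueError(f"invalid directory name: {name!r}")
    target = Path(base) / name
    target.mkdir()
    return str(target)


def demo(base=None):
    """Run all three on HOSTILE_NAME in a scratch directory and report what
    each actually created, plus whether the built-in path rejects traversal."""
    base = base or tempfile.mkdtemp(prefix="cmdinj-demo-")
    for sub in ("vuln", "argv", "builtin"):
        os.mkdir(os.path.join(base, sub))
    results = {}
    results["vulnerable_stdout"] = mkdir_vulnerable(os.path.join(base, "vuln"), HOSTILE_NAME)
    results["vulnerable_created"] = sorted(os.listdir(os.path.join(base, "vuln")))
    mkdir_argv(os.path.join(base, "argv"), HOSTILE_NAME)
    results["argv_created"] = sorted(os.listdir(os.path.join(base, "argv")))
    mkdir_builtin(os.path.join(base, "builtin"), HOSTILE_NAME)
    results["builtin_created"] = sorted(os.listdir(os.path.join(base, "builtin")))
    try:
        mkdir_builtin(os.path.join(base, "builtin"), "../escape")
        results["traversal_rejected"] = False
    except ValueError:
        results["traversal_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable function creates a directory called `report` and also prints `INJECTED`, because the shell split the string at the semicolon; the argv and built-in versions both create a single directory literally named `report; echo INJECTED`, treating the whole name as data. The validation in `mkdir_builtin` is the separate, second control the guidance asks for: keeping input out of the command stops injection, but only an allow-list on the value itself stops a name like `../escape` from landing outside the intended tree.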