The justice department sues TikTok over alleged violations of children’s online privacy laws. Bad blood between Crowdstrike and Delta Airlines. The UK once again delays upgrades to their cybercrime reporting center. Apache OFBiz users are urged to patch a critical vulnerability. SLUBStick is a newly discovered Linux Kernel attack. CISA releases a handy guide to help software suppliers manage security risk. StormBamboo poisons DNS queries to deliver targeted malware. The White House looks to help close the cybersecurity skills gap with $15 million in scholarships. Our guest US Congressional candidate from Oklahoma, Madison Horn, speaking with my Caveat co host Ben Yelin about national security and cyberwarfare. Chewing on rumors of Olympic sabotage.
Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.
CyberWire Guest
US Congressional candidate from Oklahoma, Madison Horn, speaks with Caveat co host Ben Yelin about national security and cyberwarfare. You can hear the full interview on our latest episode of Caveat here.
CSO Perspectives
This week on N2K Pro’s CSO Perspectives podcast, host and N2K CSO Rick Howard focuses on “Cybersecurity is radically asymmetrically distributed.” Rick and Dave do a preview. You can find the full episode here if you are an N2K Pro subscriber, otherwise check out an extended sample here.
Selected Reading
Justice Department Sues TikTok, Accusing the Company of Illegally Collecting Children's Data (SecurityWeek)
CrowdStrike says it’s not to blame for Delta’s days-long outage (The Verge)
Replacement for Action Fraud, UK’s cybercrime reporting service, delayed again until 2025 (The Record)
Apache OFBiz Users Warned of New and Exploited Vulnerabilities (SecurityWeek)
Linux kernel impacted by new SLUBStick cross-cache attack (Bleeping Computer)
CISA says suppliers bear responsibility for insecure software in Fed procurement guide (The Stack)
Chinese hackers compromised an ISP to deliver malicious software updates (Help Net Security)
White House and EC-Council Launch $15m Cybersecurity Scholarship Program (Infosecurity Magazine)
2024 Paris Olympics: a snoop was at the origin of suspicions of sabotage in the fan zone of the Chateau de Vincennes (FranceInfo)
Share your feedback.
We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.
Want to hear your company in the show?
You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.
The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Learn more about your ad choices. Visit megaphone.fm/adchoices
(music) You're listening to the Cyberwire Network, powered by N2K. (music) (music) Identity architects and engineers simplify your identity management with Strata. Securely integrate non-standard apps with any IDP, apply modern MFA, and ensure seamless failover during outages. Strata helps you avoid app refactoring and reduces legacy tech debt, making your identity systems more robust and efficient. Strata does it better and at a better price. Experience stress-free identity management and join industry leaders in transforming their identity architecture with Strata. Visit strata.io/cyberwire, share your identity challenge, and get a free set of AirPods Pro. Revolutionize your identity infrastructure now. Visit strata.io/cyberwire and our thanks to Strata for being a longtime friend and supporter of this podcast. (music) (music) (music) (music) (music) The Justice Department sues TikTok over alleged violations of children's online privacy laws. Bad blood between proud strike and delta airlines. The UK once again delays upgrades to their cybercrime reporting center. Apache OFBiz users are urged to patch a critical vulnerability. Slubstick is a newly discovered Linux kernel attack. CISA releases a handy guide to help software suppliers manage risk. Storm Bamboo poisons DNS queries to deliver targeted malware. The White House looks to help close the cybersecurity skills gap with $15 million in scholarships. Our guest is US Congressional candidate from Oklahoma, Madison Horn, speaking with my caveat co-host Ben Yellen about national security and cyber warfare. And chewing on rumors of Olympic sabotage. (music) It's Monday, August 5th, 2024. I'm Dave Bittner and this is your Cyberwire Intel Briefing. (music) Thank you for joining us here today. It is great to have you with us. The US Justice Department has filed a lawsuit against TikTok and its parent company, ByteDance, accusing them of violating children's online privacy laws. The complaint filed in collaboration with the Federal Trade Commission in a California federal court alleges that TikTok failed to obtain parental consent before collecting personal information from children under 13, violating the Children's Online Privacy Protection Act, COPPA. It also claims TikTok ignored requests from parents to delete their children's accounts and retained personal data despite knowing users were underage. The lawsuit also highlights that TikTok allowed children to create accounts without verifying their age and shared user data with other companies, like Meta's Facebook and AppsFlyer, to engage kids mode users. Despite having technology to identify and remove underage accounts, TikTok reportedly failed to utilize it effectively. TikTok disputes the claims stating that the allegations are based on outdated practices and that they've since enhanced privacy measures for minors, including age-appropriate experiences and privacy protections. The complaint calls for fines and an injunction to prevent future violations. This lawsuit adds to the scrutiny placed on social media platforms regarding their handling of children's data, echoing past legal actions against companies like Google, YouTube and Meta. CrowdStrike is disputing allegations made by Delta Airlines, which claims the cybersecurity firm was responsible for a significant flight disruption following a system outage. Delta's CEO, Ed Bastian, said the outage cost the airline $500 million and indicated that Delta might pursue legal action against both CrowdStrike and Microsoft. The outage affected millions of Windows machines globally, but Delta's recovery was notably slower than other airlines, leading to an investigation by the U.S. Department of Transportation. CrowdStrike asserts that it repeatedly offered assistance to Delta during the crisis, including offers for on-site support, but these offers went unanswered. The cybersecurity firm argues that the threat of litigation promotes a misleading narrative about its role and points out that competing airlines resumed operations much quicker. CrowdStrike reiterated its commitment to addressing the issue responsibly and mentioned that its liability is limited, promising to defend itself if legal action is pursued. Delta has not yet commented on these assertions. Action Fraud is the UK's national reporting center for fraud and financially motivated cybercrime managed by the city of London police. It's faced criticism for being ineffective with the House of Commons Justice Committee labeling it "not fit for purpose." The system has been criticized for poor victim support and failing to manage the rising levels of fraud across the UK. A replacement service, initially scheduled to launch in April 2024, has now been postponed to spring of 2025, according to Nick Adams of the City of London Police. The new system, the fraud and cybercrime reporting and analysis system, promises improved intelligence capabilities and better communication with victims. Companies PWC and Capital are involved in its development with the project cost estimated at $39 million. The new system aims to rebuild public confidence and encourage reporting. Organizations using Apache OFBIS are urged to patch a critical vulnerability affecting versions through 18.12.14. The flaw, discovered by researchers at SonicWall, could allow unauthenticated remote code execution due to a flaw in the authentication mechanism. While SonicWall has not observed exploitation of this vulnerability, another Apache OFBIS flaw discovered in May has been targeted. The Sands Technology Institute reported increased exploitation attempts of this path traversal bug in July, potentially linked to variants of the Marai botnet. Apache OFBIS is a free ERP framework used by major companies, especially in the US, India and Europe. Despite being less common than commercial alternatives, its security is crucial due to the sensitive business data it handles. A team from Graz University of Technology has discovered a new Linux kernel attack, Slubstick, which has a 99% success rate in converting limited heap vulnerabilities into arbitrary memory read and write capabilities. This allows privilege escalation and container escapes on Linux kernels, version 5.9 and 6.2, even with defenses like SMAP, SMAP and KSLR active. The attack exploits heap vulnerabilities using a timing side channel to manipulate memory allocation, achieving high success in cross-cache exploitation. Although it requires local access and a specific vulnerability, Slubstick enables privilege escalation by passing security defenses and container escapes. It will be presented at the USNIC security symposium. The attack could be used to maintain persistence and make malware harder to detect, posing significant real-world risks. The Cybersecurity and Infrastructure Security Agency emphasizes that software suppliers are responsible for managing security risks, as outlined in its Software Acquisition Guide for Government Enterprise Consumers. The guide consolidates various software assurance frameworks and provides federal guidance, including CISA's Secure By Design Principles and a comprehensive list of questions for evaluating third-party software risk. The guide underscores that supply chain risks affect both open and closed-source software, requiring heightened awareness from both buyers and suppliers. While CISA promotes Secure By Design, it stresses Secure By Demand to make informed procurement decisions. The guide includes 77 questions covering supplier governance, supply chain issues, and secure software development, with some questions waived if suppliers provide a CISA Secure Software Development Attestation Form. Researchers from Voloxity have revealed that APT Storm Bamboo, also known as Evasive Panda or Stormcloud, compromised and unnamed internet service provider to poison DNS queries and deliver malware to targeted organizations. This Chinese-speaking cyber espionage group exploits insecure update mechanisms in software that do not validate digital signatures. By altering DNS responses for specific domains tied to automatic software updates, Storm Bamboo ensures that instead of legitimate updates, malware like Macma, a Mac Backdoor, and MGbot, a Windows Backdoor, is installed. Once compromised, the attackers deployed a Google Chrome extension covertly exfiltrated browser cookies to a Google Drive account. The DNS poisoning was executed at the ISP level, stopping once the ISP rebooted and adjusted network components. Storm Bamboo's tactics include leveraging catch DNS and exploiting an Apache HTTP server vulnerability to spread their malware across multiple platforms, including Android and Solaris. The White House and EC Council have pledged $15 million to train over 50,000 students in cybersecurity skills through a scholarship program. The initiative aims to address the Cybersecurity Workforce Gap by offering comprehensive training in ethical hacking, network defense, digital forensics, and more. This program will be available at universities, NSA Centers of Academic Excellence, Community Colleges, and other institutions across the U.S. The EC Council will provide the curriculum, and the program is part of the White House's National Cyber Workforce and Education Strategy. The initiative aims to make cybersecurity education more accessible and prepare students for well-paying cyber jobs. Currently, there are about half a million open cybersecurity positions in the U.S. Applications for the scholarship are open now. ♪♪ Coming up after the break, U.S. Congressional candidate from Oklahoma, Madison Horn, speaks with my caveat co-host, Ben Yellen, about national security and cyber warfare. Stay with us. ♪♪ ♪♪ Enterprises today are using hundreds of SaaS apps. Are you reaping their productivity and innovation benefits, or are you lost in the sprawl? Enter savvy security. They help you surface every SaaS app, identity, and risk, so you can shine a light on shadow IT and risky identities. Savvy monitors your entire SaaS attack surface to help you efficiently eliminate toxic risk combinations and prevent attacks. So go on. Get savvy about SaaS and harness the productivity benefits. Fuel innovation while closing security gaps. Visit savvy.security to learn more. ♪♪ ♪♪ The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now employees, apps, and networks are everywhere. This means poor visibility, security gaps, and added risk. That's why CloudFlare created the first-ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business. ♪♪ Madison Horn is a U.S. Congressional candidate from the state of Oklahoma. On a recent episode of the caveat podcast, my co-host Ben Yellen spoke to Madison Horn about national security and cyber warfare. Welcome to the show. I wanted to see if you could give us some background about how you got into the field of cybersecurity and how it informs your career right now. Yeah, well, first off, thanks for having me on. As it relates to just me getting into the world of cyber security, it was entirely non-traditional. And I feel like I kind of fell into the world of cyber. You know, I'm from a small town called Stonewall, Oklahoma. It has the lowest life expectancy in the United States. As you can imagine, some of the economic statistics there that are huge drivers and then just overall health outcomes. Anyways, so that's where I'm from originally. So I was really just seeking opportunity outside of my town, outside of my state. And, you know, I was working actually at the Boys and Girls Club at the time. I was in high school. Just about to graduate and trying to figure out what the hell I was going to do with my life. I had found a lot of healing working for the Boys and Girls Club. You know, in short, some statistics I can give you quickly. You know, 49% of women in Oklahoma experience domestic violence or rape. It's the worst place in the United States for women. 68% of women are unemployed in my hometown. And so there just wasn't a place for me there. And so, you know, obviously the Boys and Girls Club offering a place of like healing. And I was teaching classes there. Then the headquarters of the Boys and Girls Club is in Atlanta, Georgia. So I received my first tax return and I drove a 26, but you all to Atlanta, Georgia had no idea what the hell I put in it at this point. But I thought that I was going to go work for the headquarters there. Never did because nothing goes as planned that I was studying Homeland Security at Georgia Military College. And I was studying business and one of my odd men jobs was a front desk person at a hotel. And as I rescue professionals do, we're constantly traveling constantly on the move. There was a group of folks traveling to my hotel. I got to know them and after six months they offered me a job in the world of security. I kind of make this terrible joke. I was like, you want me to work in security? I'm only five five. Like, how is that possible? And they were like, no computers. And I'm like, also still confused. But yeah, that's kind of like how I got into the world of cyber. Just this random interaction. I've asked this question in many interviews that is by far the most interesting origin story I've ever heard on how somebody got into cyber security, which just piqued my interest. So as you developed in this industry, in this field, what started to keep you up at night in terms of the threat landscape? I think we can kind of divide that into the micro threats you might have dealt with working in the security industry. So how to protect an individual business or grandma from a phishing email, but also as you started to learn more about policy, the threats to things like critical infrastructure. Yeah, so two things here. So one, being from the middle of the country, then primarily our veterans, our military service members come from the heartland. Right. And so I was born, which is this like really deep sense of service, always thought that I would join the military. Obviously, that's not the route that I chose. But when I kind of stumbled into the world of cyber, then it really pulled at that desire to protect. And, you know, when I first started working in cyber, then I was actually, you know, in rural substations and nuclear power facilities, I kind of make joke. If I have kids, I'm going to end up like bringing back like real live X men and X women, like it's going to come true. I hope they're cool and glow green or something. But, you know, there was this like humbling moment, no joke when I first stood outside of the nuclear stack. And I just had this very humbling moment because we've all seen Chernobyl right on HBO. And I was just like, Oh my God. And that realization that our critical infrastructure is so frail. Then it, I don't know, it was just like real call to action and pull for me. And so my entire career within the cyber world has always been tied to critical infrastructure. And just really trying to understand the problem set because it's obviously so unique. And people just don't understand it. And, you know, we could dive into a number of issues of the why. But, you know, the things that kept me up at night, you know, I would say, foreign adversaries, you know, creating real life scenarios like Chernobyl in the United States. Those are things that kept me up at night. And then I think, you know, living in the world of 2024, where we have AI. And I think that we're on the cusp of like even quantum computing becoming a real deal thing. And we're looking at a year where 2 billion people are going to be voting this year. That terrifies me just because of the strong desire for our adversaries here in the United States and against other countries to really create havoc, whether that's for destabilization or to road public trust, etc. So I would say those are the two biggest things that keep me up tonight. Some major disaster within the critical infrastructure space, and then just what we're seeing in the political landscape. For sure. And before I get to how you see us addressing those problems the most effective way I'll know you are a candidate for Congress and Oklahoma's fifth district the fighting fifth as Stephen Colbert used to say. And I think we've all watched hearings in Congress, like when Mark Zuckerberg comes, and you see members ask questions that reveal certain level of ignorance about technological issues. Can you talk a little bit about that? And even just beyond yourself, what knowledge our policymakers need to have to kind of address the threats you mentioned that keep you up at night. Sure. Yeah, I think the most recent, there was a hearing that maybe like three weeks ago where there was a sitting member that brought the hacking for dummy's book, and was like waving it around in committee. I was like, it works man, it just makes me giggle, but like being on the other end of it, it just makes you actually cringe and terrified that these are the individuals that are actually pushing policy forward. We can't expect every sitting member of Congress to be an expert in cyber security. But what I think that we should expect is the expectation that they're not going to demonize the tech sector and actually learn to collaborate and create partnerships. I think that is first and foremost, just because if we don't have right fit policy, then we're no longer going to be a global power, whether that be from an economic perspective, and risk leaving a lot of people behind just because we don't understand how to build modern policy. So I guess that's the, that's the first and foremost I guess just not demonizing the sector. I would say second, don't undermine the threat, and don't undermine it by fear mongering, because I think in a space that is so hard for people to understand that the fear mongering takes out of account that these threats are real, and they can have widespread impact that people just don't comprehend or think that is actually possible when it is. And so it makes I think cybersecurity professionals job much harder when it's already hard for us to articulate it to boards or see sweet, et cetera. I'd say those are my top two. That makes a lot of sense and in terms of where you think policy needs to develop over the next several years, regardless of which policymakers are in Washington, particularly with the new found opportunities and threats that come with AI and quantum computing. What do you foresee as our most ambitious and important policy goals over the next several years. Sure. You know, I think what Sissa is doing is incredibly like it's a really great start and framework, but what I would like to see is more education being done at the very, very local level, because realistically the top top down isn't going to work. We're going to have to start education within, you know, our local schools within our local community centers, and just doing rescaling digital scaling and understanding the importance of data privacy and the personal ownership that we have to protect our individual data, which will overarching uplift us as a country to just be more resilient. I would say that I kind of touched a little bit on rescaling, you know, complete overhaul and just like what our work first development looks like what public education looks like. What are for your degree programs look like, you know, here in Oklahoma, we have one of the strongest vocational systems, the United States, with wait list of two and 300 people, which is insane. We have people wanting to seek opportunity, but there's not enough funding for these schools to actually educate the people that are seeking to better themselves so that's highly frustrating. And just like what type of opportunities are we looking at in the future. You know, I hear a lot of conversation around bringing manufacturing jobs to states like Oklahoma and just the rural heartland in general. It's both for economic stability as a country, right, but also again, like in powering a large swath of a country that we haven't done development in. That's us congressional candidate from Oklahoma Madison Horn. Be sure to check out the caveat podcast wherever you get your favorite podcasts. It is always my pleasure to welcome back to the show Rick Howard he is the CyberWires chief security officer and also our chief analyst Rick welcome back. Hey Dave. So you have a hot topic you want to share with us here today you told me that this is something new new to you shortly new to me, but you also said there was no possible way that I was going to memorize what this topic is so I'm going to leave it up to you to lay out what we're talking about here today. Yeah, so say it with me, Dave. It's called radically asymmetrically distributed problems. No, you don't have to do that. You don't have to say easy for you to say. Yeah. Okay, and go on. Well, what's refreshing about this is you rarely get a new idea in cyber security. It's mostly a riff on old ideas. Right. And I attended the Google Mandiant M wise conference in Washington DC last December. And to my surprise, one of the keynotes was Malcolm Gladwell. Right. And I know you're a fan and I'm a huge fan of his podcasts, his books and everything like that. And here we are a bunch of cyber security nerds in the audience wondering what this social scientist has to say about cyber security. And he was quick to point out that he was a little apprehensive to come on the stage and try to tell a bunch of cyber security nerds how to do their business. But he has this idea that most problems in the world, and we're talking about nuclear proliferation, climate change, or how do you water your lawn in the backyard over the summer. Okay, we all assume that they are uniformly distributed, meaning they affect everybody the same way. And what he has observed is that they are asymmetrically distributed, maybe even radically asymmetrically distributed. And he thinks that cyber security is one of those problems. And what that means is, for the past 30 years I've been doing this and all of us have been trying to protect our enterprises the same way. We do intrusion kill chain prevention, we do zero trust, we do resilience, and everybody tries to get it done with some, you know, like everybody else is doing it. And he says that, you know, it's not likely that anybody really will get hit by a cyber tag in the next year. If you look at some of the charts out there, the most organizations that get hit are financial and healthcare organizations that have money. But if you are a small vertical, let's say mining, you have like a 1% chance to get hit with a ransomware attack anytime in the next year or two. So if that's true, then maybe your strategies for how you defend your enterprise might change. Maybe you don't have to have a zero trust architecture for your mining company. Maybe the best thing for everybody is something like resilience, right? And it's an interesting thing to talk about. That is interesting. I mean, is it about so many questions I could ask you about this. I mean, are there still some things that we would consider, you know, baseline efforts, the old digital hygiene things that are, you know, in public health. Everybody should wash their hands, right? We've established that, you know, those sorts of things. Is there a basic germ theory of cybersecurity? I'm not saying those are bad ideas and we've been doing them like I said for the past 30 years. I'm just saying that if you're if you're odds that you're going to get hit by a ransomware attack are extremely low, which let's say the mining industry is. And there's lots of evidence that backs that up. Maybe you don't have to do cyber hygiene. All right, maybe the thing that you should be focusing on is resilience, like, you know, just backing up your files and maybe encrypting them, you know, maybe have a couple of two factor authentication schemes, but maybe nothing major for your vertical. It's an interesting thing to think about. Yeah, it really is. All right, and that is the topic of your upcoming episode of CSO Perspectives. It is. We're knee deep into our season 14 and this one's a good one. All right, we'll have to check it out. Again, that is CSO Perspectives. You can hear that right here on the Cyberwire Network or wherever you get your favorite podcasts. Rick Howard, thanks so much for joining us. Thank you, sir. And now a message from Black Cloak. That's because 87% of executives use personal devices to conduct business, often with zero security measures in place. Once execs leave your organization's secure network, they become easy targets for hijacking credential theft and reputational harm. Close the at home security gap with Black Cloak concierge cybersecurity and privacy. Award winning 24/7, 365 protection for executives and their families. Learn more at blackcloak.io. And finally, our European varmint desk sent us an urgent dispatch from the Olympic Games in Paris. In the shadowy depths of the castle of Vincent, a dastardly plot was uncovered or so it seemed. Rumors of sabotage had spread like wildfire after fiber optic cables. Crucial for broadcasting the Olympic Games from Paris were found mysteriously severed. As investigators swooped in, anticipation mounted. Was this the work of a master criminal with a grudge against sports fans? Perhaps an act of international intrigue. Foreign agents looking to embarrass the French security teams responsible for securing the infrastructure of the Games. Alas, the truth was less sinister but far more amusing. It turns out the culprit was none other than a curious creature with a penchant for destruction. The sneaky critter, allegedly a weasel-like mammal known as a martin, perhaps in search of fame or a snack, had gnawed through the cables. Not once, but twice around 1 a.m. disrupting the broadcast. The cables were swiftly repaired and the investigation was officially closed with no animals brought to justice. Back in the U.S., cyber squirrels could not be reached for comment. ♪ And that's the Cyberwire. For links to all of today's stories, check out our daily briefing at the Cyberwire.com. We'd love to know what you think of this podcast, your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K Cyberwire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at N2K.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Ivan. Our executive editor is Brandon Park. Simone Gotrella is our president, Peter Kilpey is our publisher, and I'm Dave Bitner. Thanks for listening. We'll see you back here tomorrow. [MUSIC PLAYING] [MUSIC PLAYING] Quick question. Do your end users always work on company-owned devices and IT-approved apps? If the answer is no, then my next question is, how do you keep company data safe on all those unmanaged apps and devices? One password has an answer to this question, extended access management. One password, extended access management, helps you secure every sign-in for every app on every device, because it solves the problem traditional IAM and MDM can't touch. Check it out at onepassword.com/xam. That's onepassword.com/xam. [MUSIC PLAYING] (gentle music)
