CyberWire Daily

Confidential or compromised?

The Trump campaign claims its email systems were breached by Iranian hackers. A Nashville man is arrested as part of an alleged North Korean IT worker hiring scam. At Defcon, researchers reveal significant vulnerabilities in Google’s Quick Share. Ransomware attacks hit an Australian gold mining company as well as multiple U.S. local governments. GPS spoofing is a matter of time. Cisco readies another round of layoffs. Nearly 2.7 billion records of personal information for people in the United States have been shared on a hacking forum. Our own Rick Howard speaks with Mark Ryland, Director of Amazon Security, about formal verification. A hacker hacks the hackers.

Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

On today’s guest slot, N2K’s CSO Rick Howard speaks with Mark Ryland, Director of Amazon Security at AWS, about formal verification, which is logical proofs about correctness of systems, at AWS re:Inforce. Rick and Mark caught up at AWS re:Inforce 2024.

Selected Reading

Experts warn of election disruptions after Trump says campaign was hacked (Washington Post)

Nashville man arrested for running “laptop farm” to get jobs for North Koreans (Ars Technica)

Google Patches Critical Vulnerabilities in Quick Share After Researchers' Warning (Hackread)

Australian gold mining company Evolution Mining announces ransomware attack (The Record)

GPS spoofers 'hack time' on commercial airlines, researchers say (Reuters)

Exclusive: Cisco to lay off thousands more in second job cut this year (Reuters)

Hackers leak 2.7 billion data records with Social Security numbers (Bleeping Computer)

Local gov’ts in Texas, Florida hit with ransomware as cyber leaders question best path forward (The Record)

Simple Coding Errors Lead to Major Ransomware Takedown (Cybersecurity News)

Share your feedback.

We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show?

You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Duration:
26m
Broadcast on:
12 Aug 2024
Audio Format:
mp3


[Music] You're listening to the CyberWire Network, powered by N2K. [Sound of seagulls]

This episode is brought to you by Shopify. Forget the frustration of picking commerce platforms when you switch your business to Shopify, the global commerce platform that supercharges your selling, wherever you sell. With Shopify, you'll harness the same intuitive features, trusted apps, and powerful analytics used by the world's leading brands. Sign up today for your $1 per month trial period at Shopify.com/tech, all lowercase. That's Shopify.com/tech.

[Music] The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now, employees, apps, and networks are everywhere. This means poor visibility, security gaps and added risk. That's why Cloudflare created the first-ever Connectivity Cloud. Visit cloudflare.com to protect your business everywhere you do business.

[Music] The Trump campaign claims its email systems were breached by Iranian hackers. A Nashville man is arrested as part of an alleged North Korean IT worker hiring scam. At DEF CON, researchers reveal significant vulnerabilities in Google's Quick Share. Ransomware hits an Australian gold mining company as well as multiple U.S. local governments. GPS spoofing is a matter of time. Cisco readies another round of layoffs. Nearly 2.7 billion records of personal information for people in the U.S. have been shared on a hacking forum. Our own Rick Howard speaks with Mark Ryland, director of Amazon Security at AWS, about formal verification. And a hacker hacks the hackers.

[Music] It's Monday, August 12, 2024. I'm Dave Bittner and this is your CyberWire Intel Briefing.

[Music] Thanks for joining us here today. It is great to have you with us.

Concerns about foreign interference in the U.S. presidential election resurfaced after the Trump campaign claimed its email systems were breached by Iranian hackers. The breach was reportedly tied to the release of a confidential internal document about vice presidential candidate J.D. Vance. News outlets received the document from an anonymous sender named Robert, raising alarms about potential foreign meddling. The Trump campaign linked the incident to a recent Microsoft report that identified Iranian hacking attempts targeting a high-ranking official in a U.S. presidential campaign. While Microsoft didn't explicitly name the campaign, sources indicated it was likely Trump's. Despite these claims, no official evidence has confirmed the breach or Iranian involvement. Democratic representatives Eric Swalwell and Adam Schiff have called for the declassification of any information related to foreign interference. They stressed the importance of a swift response to prevent a repeat of the 2016 election's Russian interference. Meanwhile, Trump took to his platform Truth Social to accuse Iran of hacking one of his campaign websites, although he admitted that only publicly available information was accessed. Security experts remain concerned about the broader implications, fearing additional leaks and the potential for disinformation campaigns similar to those seen in 2016. The situation underscores the ongoing challenges in securing U.S. elections against foreign influence as the country approaches another contentious election cycle.

Federal authorities arrested Matthew Isaac Knoot, a Nashville man, for allegedly facilitating a scheme that deceived U.S. companies into hiring North Korean IT workers using stolen identities. These workers, posing as U.S. citizens, funneled income to fund North Korea's weapons program. Prosecutors revealed that Knoot hosted laptops at his residences, allowing the North Koreans to access U.S. company networks remotely, making it appear they were working domestically. Knoot profited from this scheme by charging fees for hosting the laptops and a cut of the salaries. The operation generated over $250,000 between July 2022 and August of '23. The arrest follows a broader federal crackdown on similar schemes, including a recent case in Arizona. Knoot now faces multiple charges, including wire fraud and identity theft, which could lead to a 20-year prison sentence if convicted.

At DEF CON, researchers Or Yair and Shmuel Cohen from SafeBreach revealed significant vulnerabilities in Google's Quick Share, a peer-to-peer file transfer utility for Android, Windows and Chrome OS. Quick Share uses various protocols like Bluetooth and Wi-Fi Direct, but these were not originally designed for file transfers. The researchers identified 10 vulnerabilities, including a critical remote code execution flaw on Windows systems that they've dubbed QuickShell. This RCE exploit combines five of the vulnerabilities, allowing attackers to bypass security controls and take full control of target devices. The flaws also enable attackers to force file downloads and hijack Wi-Fi connections. Google has acknowledged the seriousness of these issues, assigning CVEs to two of the vulnerabilities.

Evolution Mining, an Australian gold mining company, disclosed a ransomware attack on its IT systems discovered on August 8th. The company, operating in Australia and Canada, reported the incident to the Australian Stock Exchange, stating that it has been contained with the help of external cyber forensics experts. No details were provided about the ransomware group involved or any potential extortion payment. Evolution Mining assured that the attack won't materially impact operations and that it has been reported to the Australian Cyber Security Centre.

Meanwhile, this week, multiple U.S. local governments faced ransomware attacks, including Killeen, Texas and Sumter County, Florida, as senior U.S. cyber officials grappled with the growing threat. Killeen, with nearly 160,000 residents, was targeted by the BlackSuit ransomware gang, disrupting utility payments and other services. In response, the city worked with state authorities to contain the breach and restore systems, urging residents to monitor their financial accounts. Meanwhile, the Sumter County Sheriff's Office also experienced a ransomware attack, impacting access to certain records. These incidents are part of a broader surge in ransomware attacks affecting governments and healthcare institutions. At the DEF CON cybersecurity conference, senior officials, including Anne Neuberger from the White House, discussed the challenges of combating ransomware. They highlighted the difficulty in addressing the issue, particularly due to the lack of international cooperation, especially with Russia. Efforts to improve responses include promoting better backup practices, offering free cybersecurity programs and enhancing international collaboration.

Cybersecurity researchers have uncovered a disturbing trend in GPS spoofing attacks, which have recently surged by 400 percent, particularly around conflict zones. Traditionally, GPS spoofing misleads aircraft about their location, but a new dimension has emerged: the ability to hack time. Ken Munro, founder of Pen Test Partners, explained during a DEF CON presentation that GPS isn't just about positioning. It's also a critical source of time for aircraft systems. Munro described a recent incident where a major airline's onboard clocks were manipulated, suddenly advancing by years, which caused the plane to lose access to its encrypted communication systems. This forced the aircraft to be grounded for weeks while engineers manually reset its systems. Although these attacks aren't likely to cause crashes, they create confusion that could lead to more serious problems.

Reuters reports that Cisco is set to announce a second round of layoffs this year, potentially affecting over 4,000 employees as it shifts focus to higher growth areas like cybersecurity and AI. This follows similar cuts in February as the company grapples with sluggish demand and supply chain issues in its core networking equipment business. Cisco recently completed a $28 billion acquisition of cybersecurity firm Splunk and has been investing heavily in AI. The layoffs are part of a broader trend in the tech industry, with over 126,000 layoffs reported this year.

A massive data breach has exposed nearly 2.7 billion records of personal information for people in the United States on a hacking forum. The leaked data, allegedly sourced from National Public Data, includes names, Social Security numbers, physical addresses, and possible aliases. National Public Data, known for compiling user profiles for background checks, reportedly scraped this information from public sources. The breach, initially linked to a threat actor named USDoD, was ultimately leaked by another hacker, Fenice, on August 6th. The unencrypted data consists of two text files totaling 277 gigabytes. While it contains legitimate information for many individuals, some details may be outdated or inaccurate. The breach has sparked multiple class action lawsuits against National Public Data. Affected individuals are advised to monitor their credit reports for fraudulent activity and be cautious of phishing attempts.

Coming up after the break, N2K's Rick Howard speaks with Mark Ryland, Director of Amazon Security at AWS, about formal verification. Stay with us.

When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Vanta automates compliance for SOC 2, ISO 27001, HIPAA, and more, saving you time and money. With Vanta, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center. Over 7,000 global companies like Atlassian, Flo Health, and Quora use Vanta to manage risk and prove security in real time. Our listeners can claim a special offer of $1,000 off Vanta at Vanta.com/Cyber. That's V-A-N-T-A.com/Cyber for $1,000 off Vanta.

Defense contractors face immense pressure to comply with CMMC 2.0 security standards, needing a secure, user-friendly file-sharing solution. Kiteworks, a FedRAMP Moderate authorized solution, supports nearly 90% of CMMC 2.0 Level 3 requirements, reducing compliance effort and cost. Kiteworks leverages a zero-trust framework for swift compliance and offers a secure platform for defense data protection needs with advanced security features and ease of use. Its intuitive UI, mobile apps, and centralized policy management simplify administration. Accelerate your CMMC 2.0 compliance and address federal zero-trust requirements with Kiteworks' universal secure file-sharing platform made for defense contractors. Visit kiteworks.com to get started.

N2K's chief security officer, Rick Howard, recently caught up with Mark Ryland, director of Amazon Security at AWS, at the AWS re:Inforce conference. The topic of their conversation is formal verification. AWS is a media partner here at N2K CyberWire.

In June of 2024, Brandon Karpf, our VP of programming, Jen Eiben, our executive producer, and I traveled to the great city of Philadelphia to attend the 2024 AWS re:Inforce security conference. And I got to sit down with Mark Ryland, a director of Amazon Security, and we got to talking about how generative AI might help in tackling a classic computer science problem, formal software verification.

But actually what I'm really excited about is combining two areas of computer science. Obviously neural networks and AI has been an exciting area, but we've also invested very heavily in an area called formal verification, which is logical proofs about correctness of systems. And it turns out that you can combine these technologies. You can write a formal model of correctness. For example, I know formally what a valid and legitimate IAM policy should be. And now I can use that to filter the outputs of my GenAI system, which can conversationally help me write such a policy, but I can make sure that hallucinations don't come in and make it so that the system happily and proudly and with great assurance gives me a bad policy. So we're working to really, and you'll see here more about that in the coming months, but we're going to combine these technologies and allow our customers as well to be able to write formal models about areas where they have experts who can build those, and then kind of use that to strengthen the protections and correctness around the GenAI systems.

Two founding fathers of cybersecurity back in the '70s, Bell and LaPadula, they wrote the original paper that says, "Here's a formal definition of our system. You can absolutely do that." And then we spent the next 40 years trying to make that happen, and that's why you have vulnerability management and antivirus and all that. But everybody failed to read the last section of their paper that said, "Yes, you can formally describe the system, but you cannot guarantee that you can deploy it correctly because everybody's going to screw it up in the deployment." Are you saying, then, with the way we've advanced, that it's now possible to get better at those kinds of things?

I think we can definitely get better at that, because it turns out the formal verification scientists, who have -- it's been a little bit of a niche over these decades. Yeah, we've been applying it pretty broadly, but we believe now that you can actually -- the GenAI system can actually help write the formal models. It sounds a little circular, but it helps humans achieve that goal, and then once they're available and you have experts who say, "Yep, that represents how the system ought to work," then we can use that to make sure that the systems work as expected. So there's still a lot of software out there that will never be formally verified, but you can focus on things like the correctness of your cryptography, the correctness of your access policies, the correctness of your network protocols. For example, we've formally verified the correctness of our TCP/IP stack in the FreeRTOS operating system. So this is a tiny, lightweight, open-source operating system that runs on light switches and toasters and dozens and millions of things across the industry. It's freely downloadable. We've added a bunch of security features to it. For example, it's now -- you can field update the operating system. Didn't used to be able to do that. Now, the operating system has a little module that can download a new copy of the operating system and upgrade it in place. But one of the things we did with formal verification was to recognize that, hey, the typical attacks in IoT environments are going to be due to network bugs. And so we've done formal proofs of the correctness of the TCP/IP stack, which is a really important thing to get right. So not a general purpose formal verification, but we can formally verify specific things, right? So that's the whole component. So that's really the approach we've taken. And, you know, hopefully gradually expand out to everything else, but, you know, start with the things that if something goes wrong, you're going to have more serious problems, and then work out from there.

I want to bring you back around to generative AI. I know that's a big responsibility you have now in your new role. Generally, I think there's two kinds of problems that security vendors can help solve with this kind of technology. One is the stuff we were kind of talking about. How do you configure your systems to be correct? And that could really help us. You know, hey, you left that thing turned on where it should be off. So that seemed like an easier do than this next thing that's also on the table, which is look at data generally that's in the network, and then notice that there's a new bad guy in your system that you didn't know about before. So is that a correct way to describe the problems?

I think that's correct, although a lot of what the second thing you talked about is in some ways more traditional deep neural network type of technology. For example, analyzing log files, we still deploy good old pre-generative AI AI, which is deep neural network technology, to look for anomalies. Anomaly detection is super valuable, and the bigger the data sets, the more sophisticated your model, the better you can find those anomalies and find that needle in the haystack that a human reviewer just wouldn't see.

I don't want more anomalies. I've gotten enough anomalies in my SOC. I would like you to say, hey, we see spiders in your network. I would love to be able to see that. I know that's years down the road, but I would love to see that.

I think that's for that. Effectively, you're ranking the correction, which is anomalies. Yeah, there's all kinds of findings, but the ones that are super likely to be real is what you want, right? And minimize the false positives. And that, again, we can use a combination of traditional deep neural networks. GenAI systems, to me, primarily have to do with user interface experience because they're really good at translating, literally translating. I have a colleague who is a Japanese employee who says, I don't write my weekly reports in English anymore because the GenAI system writes better English than I do. So I write a really good report in Japanese.

And by the way, those things write better English than I do.

Exactly. So that's literal translation, but also translation of other kinds. For example, I have a security analyst, too. I don't have to teach them to write SQL or regexes or all these formal computer-ese things. I can ask, they can ask intelligent human questions and get really, really good answers because the tool can translate that into something that the machines currently understand. And vice versa. If I get all these random findings coming out, the system can say, oh, wow, I can report that in a way that humans can comprehend. I can help you write a report. I can help you see the patterns that you wouldn't have seen otherwise in the generated output from, say, a deep neural network type of technology. So at the interface of humans and machines, that's where the huge benefits we're seeing from the use of this technology. And that's really exciting.

That was Mark Ryland, a director at Amazon Security. You can find out more about AWS re:Inforce in our show notes. And don't miss the latest episode of Rick Howard's CSO Perspectives podcast. This week, he's tackling what does materiality mean exactly? That's CSO Perspectives. Check it out.

Elevate your enterprise identity solutions with Strata. Seamlessly connect legacy apps to any identity provider, apply MFA effortlessly, and maintain identity continuity without disruptions. Strata reduces tech debt, enhances security, and provides a robust, efficient identity management system. Feel secure and efficient managing your identity infrastructure. Strata helps you streamline operations and ensure continuous identity availability. Visit strata.io/cyberwire, share your identity challenge, and receive a free set of AirPods Pro. Take control of your identity management today. Visit strata.io/cyberwire. And our thanks to Strata for being a longtime friend and supporter of this podcast.

[Music] And finally, security researcher Vangelis Stykas, CTO of Atropos AI, managed to outsmart ransomware gangs, saving six companies from major financial losses. Stykas discovered glaring vulnerabilities in the hackers' own systems, thanks to simple coding blunders. His sleuthing allowed him to infiltrate these criminal networks, providing two companies with decryption keys without paying a dime, and alerting four cryptocurrency firms before their files could be encrypted. Among the hacker mishaps, one ransomware group, Everest, left a default password on their SQL databases. Another group, BlackCat, exposed sensitive APIs, inadvertently revealing their IP addresses. Stykas even accessed the Mallox group's admin chat, grabbing two decryption keys and unmasking several members. Despite his heroic efforts, the companies involved haven't gone public with the incidents. While Stykas admits that hacking the hackers isn't a universal solution, it's certainly a satisfying one for those with the right resources.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show every week, and find Grumpy Old Geeks where all the fine podcasts are listed. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes, or send an email to cyberwire@n2k.com.

We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at N2K.com.

This episode was produced by Liz Stokes. Our mixer is Trey Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

This September 18th and 19th in Denver, a tight community of leading experts is gathering to tackle the toughest cybersecurity challenges we face. It's happening at mWISE, the unique conference built by practitioners for practitioners. Brought to you by Mandiant, now part of Google Cloud, mWISE features one-to-one access with industry experts and fresh insights into the topics that matter most, right now, to frontline practitioners. Register early and save at mwise.io/cyberwire. That's mwise.io/cyberwire. [Music]