I’m travelling for the next few weeks, so these newsletters will be in a slightly different format.
This week
- US, UK don’t sign AI Action summit declaration (Five Things)
- DOGE access ‘consequential breach’ (This Week)
- Sensitive data in PowerSchool breach (This Week)
- DOGE website security snafu (And Finally)
- Cybercriminal tooling used by nation-states (Five Things)
- China all up in more telcos (This Week)
DOGE and the ‘most consequential’ breach in history
- Hacking America: Bruce Schneier has co-authored an essay for Foreign Policy on how the US is experiencing “what may be the most consequential security breach in history”. The newly created Department of Government Efficiency (or DOGE), overseen by Elon Musk, has been granted access to key US government systems as part of the new Trump administration.
- The group has bypassed segregation of duties on US Treasury systems, copied HR data from OPM that China invested a huge amount of effort to compromise in 2015, and more. Data are being accessed and potentially copied to unknown systems, and lax security was also on display for the group’s website (see below). Various rights organisations are suing to prevent access, and one member of DOGE has been linked to cybercrime group The Com.
- It’ll take a long time to regain confidence in these systems. LINK, LAWSUITS, COM
PowerSchool breach includes mental health and safeguarding data and may affect over 70 million people
- PowerSchool breach: This has been rumbling along all year, with information on the number of affected individuals still hard to come by (probably because PowerSchool doesn’t know yet). This week’s reports are that the breach of the education tech vendor includes special education needs, mental health data, and safeguarding data. Apparently, 6,500 of PowerSchool’s 18,000 customers have been impacted, with some estimates saying 62.4 million students and 9.5 million teachers may be caught up in the breach. LINK
China seen in five more telcos over Christmas, New Year
- Salt Typhoon: Chinese actors compromised five telco networks in December and January, according to Recorded Future. Compromised Cisco routers within US, Thai, Italian, South African, and UK telcos were seen communicating with the Salt Typhoon group. The initial access vector is not known at this time. In some ways, this is just workaday espionage, but it has spooked US authorities. LINK, REPORT (PDF), MORE
Interesting Stats
0-499 requests were made by British authorities to Apple under the Investigatory Powers Act in the first half of 2023 and, outside of this, Apple provided customers’ iCloud content in just 4 of 6,000 non-IPA requests between Jan 2020 and Jun 2023. The data come amidst an alleged request from the UK for Apple to secretly backdoor global iCloud data, which critics are calling a ‘global emergency’. STAT, MORE
Summary accuracy: The BBC has published a lengthy analysis of how its BBC News output is represented by AI assistants and found that 51% of AI answers to questions about the news had ‘significant issues’, 19% included factual errors about statements, numbers, and dates, and 13% of quotes were altered or not present in the source material. REPORT (PDF)
Five things
- Device code phishing: Russian actors have been using a novel technique that abuses the OAuth 2.0 “device code flow” to gain access to Microsoft 365 accounts. The flow exists for smart TVs, printers, and other connected devices that lack a usable browser or keyboard and so can’t complete a normal sign-in with multi-factor authentication: the device displays a short code and a link; you open the link on your computer or phone, enter the code, sign in there (MFA included), and the device then receives tokens for your account. In the phishing version the attacker starts the flow themselves, sends the victim the genuine Microsoft link and code under some pretext (a meeting invite, say), and once the victim signs in, the attacker’s “device” collects the tokens. LINK
- Cybercrime and national security: Google’s Threat Intelligence Group says that it’s no longer possible to view financially motivated cybercrime and state-backed threats in isolation. The capabilities available within the cybercriminal ecosystem can be “cheaper and more deniable” than bespoke tooling, making them attractive for state-sponsored campaigns. LINK
- AI Action summit: The US and UK have not signed a declaration at the AI Action summit in Paris this week. The non-binding declaration, adopted by 60 other countries, aims to ensure that AI is “safe, secure and trustworthy.” The US and the UK have previously signed similar statements, so this can be seen as a U-turn, as countries jostle for position as dominant players. According to Ukrainian officials, Russia uses AI to personalise campaigns based on previously exfiltrated data. LINK, UKRAINE
- National Cyber Director: Trump is to nominate Sean Cairncross for a key US government cyber role. Cairncross doesn’t have any reported cyber experience but was a senior White House adviser during the first Trump administration. This seems like ‘jobs for the boys’, but that shouldn’t come as a surprise. LINK
- PeerAuth: In some ways, it’s sad that it’s come to this, but with deepfake audio and video on the rise, being able to verify that someone else is who they say they are is becoming more important. There are some creative ways, such as asking a caller to put their hand in front of their face to highlight graphical errors in the video, but PeerAuth takes a different approach: it generates a shared time-based one-time password (TOTP) secret for two people that each stores in their authenticator app. Alice and Bob pop their names in, and each gets a QR code to scan. In the future, you can both open your apps and check that you see the same six-digit code. Could be useful for you and, e.g., your CFO. Neat. LINK
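As an added illustration of the device code phishing item above (example code written for this newsletter, not Microsoft’s, Volexity’s or any vendor’s implementation), this toy in-memory server implements the three legs of the RFC 8628 device authorization grant and walks through the phish: the attacker asks for the codes, the victim signs in at the genuine verification page, and the token goes to the attacker because the server binds the token to the device_code, not to whoever authenticated. The `allow_device_flow` policy knob, the verification URL, the client name and the sign-in log field names (`authenticationProtocol`, `ipAddress`, `userPrincipalName`) are assumptions made for the example, and the sample sign-in records are constructed.

```python
# Added example: toy OAuth 2.0 device authorization grant (RFC 8628) plus a
# sign-in log check. Not Microsoft's or Volexity's code; endpoint names, the
# verification URL and the log field names are assumptions for illustration.
import ipaddress
import secrets
import string


class DeviceFlowServer:
    """Minimal identity-provider stand-in for the device-code endpoints."""

    def __init__(self, allow_device_flow=True, code_ttl=900):
        self.allow_device_flow = allow_device_flow  # tenant policy knob (assumed)
        self.code_ttl = code_ttl                    # RFC 8628 expires_in, seconds
        self.pending = {}                           # device_code -> request record

    def authorize_device(self, client_id, now):
        """Device authorization request: device_code stays with the requester,
        user_code is the short string shown to the human."""
        if not self.allow_device_flow:
            return {"error": "unauthorized_client"}
        alphabet = string.ascii_uppercase + string.digits
        rec = {"client_id": client_id,
               "user_code": "".join(secrets.choice(alphabet) for _ in range(8)),
               "user": None, "expires": now + self.code_ttl}
        device_code = secrets.token_hex(16)
        self.pending[device_code] = rec
        return {"device_code": device_code, "user_code": rec["user_code"],
                "verification_uri": "https://login.example.test/device",  # assumed
                "expires_in": self.code_ttl, "interval": 5}

    def user_login(self, user_code, username, now):
        """Browser side: the human opens verification_uri, types user_code and
        signs in. The server never learns *who* requested that code."""
        for rec in self.pending.values():
            if rec["user_code"] == user_code:
                if now > rec["expires"]:
                    return {"error": "expired_token"}
                rec["user"] = username
                return {"status": "authorized"}
        return {"error": "invalid_user_code"}

    def token(self, device_code, now):
        """Token request, polled by whoever holds device_code."""
        rec = self.pending.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        if now > rec["expires"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if rec["user"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]  # single use
        return {"access_token": secrets.token_urlsafe(24),
                "subject": rec["user"], "client_id": rec["client_id"]}


def run_device_code_phish(server, victim="alice@corp.example", now=1_000_000):
    """Attacker requests the codes, lures the victim to the *genuine* page with
    the *genuine* user_code, then polls and receives the victim's token."""
    start = server.authorize_device("attacker-controlled-client", now)
    if "error" in start:
        return start                                          # blocked by policy
    server.user_login(start["user_code"], victim, now + 120)  # victim takes the bait
    return server.token(start["device_code"], now + 125)


# Constructed sample records, shaped like Entra ID sign-in log fields (assumed)
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@corp.example",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.7"},
    {"userPrincipalName": "bob@corp.example",
     "authenticationProtocol": "authorizationCode", "ipAddress": "198.51.100.20"},
    {"userPrincipalName": "carol@corp.example",
     "authenticationProtocol": "deviceCode", "ipAddress": "10.20.0.5"},
]
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed corporate ranges


def suspicious_device_code_signins(events, trusted_nets=TRUSTED_NETS):
    """Flag device-code sign-ins from networks where no such device should live."""
    flagged = []
    for e in events:
        if e.get("authenticationProtocol") != "deviceCode":
            continue
        ip = ipaddress.ip_address(e["ipAddress"])
        if not any(ip in net for net in trusted_nets):
            flagged.append(e["userPrincipalName"])
    return flagged


if __name__ == "__main__":
    print(run_device_code_phish(DeviceFlowServer()))
    print(run_device_code_phish(DeviceFlowServer(allow_device_flow=False)))
    print(suspicious_device_code_signins(SAMPLE_SIGNINS))
```

Two controls fall out of this. Turn the flow off wherever nothing genuinely needs it (in Entra ID that is the Conditional Access “authentication flows” condition), which is what `allow_device_flow=False` stands in for; and hunt sign-ins whose authentication protocol is device code but whose source address is not where your meeting-room kit lives, which is the second function.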
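The PeerAuth item above describes a TOTP secret shared between two people. As an added example (written for this newsletter, not PeerAuth’s own code, whose internals the page does not describe), here is the underlying RFC 6238 construction: one random secret, two otpauth QR payloads carrying it, identical codes in both apps, and a verifier that tolerates a step of clock skew for when a code is read out over a call. The issuer label `PeerAuth-style` and the otpauth URI layout are assumptions; the RFC 4226/6238 test vectors used in the checks are the published ones.

```python
# Added example: shared-secret TOTP (RFC 6238 over RFC 4226 HOTP) for two people,
# the construction a PeerAuth-style tool builds on. Not PeerAuth's own code;
# the issuer label and the otpauth URI layout are assumptions.
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits)


def new_pair_secret():
    """One 160-bit random secret, base32 without padding (the form authenticator
    apps read from otpauth URIs). Both people's QR codes carry this same value."""
    return base64.b32encode(secrets.token_bytes(20)).decode().rstrip("=")


def secret_bytes(b32):
    """Undo the base32 encoding (re-adding padding the URI form drops)."""
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def otpauth_uri(b32, account, issuer="PeerAuth-style"):
    """Payload of the QR code each party scans (label/issuer layout is assumed)."""
    return (f"otpauth://totp/{quote(issuer + ':' + account)}?secret={b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


def verify(secret, code, at=None, step=30, window=1, digits=6):
    """Accept the current step and +/- `window` steps to absorb clock drift and
    the seconds it takes to read a code out loud. Constant-time comparison."""
    if at is None:
        at = time.time()
    base = int(at) // step
    ok = False
    for delta in range(-window, window + 1):
        ok |= hmac.compare_digest(hotp(secret, base + delta, digits), code)
    return ok


def pair_codes(at):
    """Alice and Bob enrol the same secret from their own QR codes; later both
    apps show the same code at the same moment."""
    b32 = new_pair_secret()
    alice_uri = otpauth_uri(b32, "alice-bob")
    bob_uri = otpauth_uri(b32, "alice-bob")
    alice_secret = secret_bytes(alice_uri.split("secret=")[1].split("&")[0])
    bob_secret = secret_bytes(bob_uri.split("secret=")[1].split("&")[0])
    return totp(alice_secret, at), totp(bob_secret, at)


if __name__ == "__main__":
    print(pair_codes(time.time()))
```

The secret is the whole trust: whoever has either QR code can produce the codes, so it has to be exchanged in person or over a channel you already trust. In return, a deepfaked caller who overhears one six-digit code gets nothing they can reuse in a later call.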
In brief
- 🪲 Vulnerabilities: iOS 18.3.1 addresses a flaw used in an “extremely sophisticated attack”, Ivanti has fixed three critical vulnerabilities in its Connect Secure and Policy Secure solutions, and an auth bypass in Palo Alto Networks PAN-OS firewalls is being exploited. IOS (ADVISORY), IVANTI (ADVISORY), PALO (ADVISORY)
- 👮 Law enforcement: The hacker who hijacked the SEC’s X account has pleaded guilty and faces a maximum five-year sentence. The US has indicted 8Base ransomware operators for Phobos encryption attacks. Dutch police have seized hardware of ‘bulletproof’ hosting provider Zservers, favoured by LockBit, following UK, US, and Australian sanctions. SEC, 8BASE, ZSERVERS
- 💰 Industry news: Security compliance firm Drata acquires SafeBase for $250M, CyberArk acquires Zilla Security in a $175 million deal, and Sophos sheds 6% of staff after swallowing Secureworks. DRATA, CYBERARK, SOPHOS