A novel side-channel attack has been found to leverage radio signals emanated by a device's random access memory (RAM) as a data exfiltration mechanism, posing a threat to air-gapped networks.
The technique has been codenamed RAMBO by Dr. Mordechai Guri, the head of the Offensive Cyber Research Lab in the Department of Software and Information Systems Engineering at the Ben Gurion University of

Vulnerability / Hardware Security

A novel side-channel attack has been found to leverage radio signals emanated by a device's random access memory (RAM) as a data exfiltration mechanism, posing a threat to air-gapped networks.

The technique has been codenamed **RAMBO** by Dr. Mordechai Guri, the head of the Offensive Cyber Research Lab in the Department of Software and Information Systems Engineering at the Ben Gurion University of the Negev in Israel.

"Using software-generated radio signals, malware can encode sensitive information such as files, images, keylogging, biometric information, and encryption keys," Dr. Guri said in a newly published research paper.

"With software-defined radio (SDR) hardware, and a simple off-the-shelf antenna, an attacker can intercept transmitted raw radio signals from a distance. The signals can then be decoded and translated back into binary information."

Over the years, Dr. Guri has concocted various mechanisms to extract confidential data from offline networks by taking advantage of Serial ATA cables (SATAn), MEMS gyroscope (GAIROSCOPE), LEDs on network interface cards (ETHERLED), and dynamic power consumption (COVID-bit).

Some of the other unconventional approaches devised by the researcher entail leaking data from air-gapped networks via covert acoustic signals generated by graphics processing unit (GPU) fans (GPU-FAN), (ultra)sonic waves produced by built-in motherboard buzzers (EL-GRILLO), and even printer display panels and status LEDs (PrinterLeak).

Last year, Guri also demonstrated AirKeyLogger, a hardwareless radio frequency keylogging attack that weaponizes radio emissions from a computer's power supply to exfiltrate real-time keystroke data to a remote attacker.

"To leak confidential data, the processor's working frequencies are manipulated to generate a pattern of electromagnetic emissions from the power unit modulated by keystrokes," Guri noted in the study. "The keystroke information can be received at distances of several meters away via an RF receiver or a smartphone with a simple antenna."

As always with attacks of this kind, it requires the air-gapped network to be first compromised through other means – such as a rogue insider, poisoned USB drives, or a supply chain attack – thereby allowing the malware to trigger the covert data exfiltration channel.

RAMBO is no exception in that the malware is used to manipulate RAM such that it can generate radio signals at clock frequencies, which are then encoded using Manchester encoding and transmitted so as to be received from a distance away.

The encoded data can include keystrokes, documents, and biometric information. An attacker on the other end can then leverage SDR to receive the electromagnetic signals, demodulate and decode the data, and retrieve the exfiltrated information.

"The malware utilizes electromagnetic emissions from the RAM to modulate the information and transmit it outward," Dr. Guri said. "A remote attacker with a radio receiver and antenna can receive the information, demodulate it, and decode it into its original binary or textual representation."

The technique could be used to leak data from air-gapped computers running Intel i7 3.6GHz CPUs and 16 GB RAM at 1,000 bits per second, the research found, with keystrokes being exfiltrated in real-time with 16 bits per key.

"A 4096-bit RSA encryption key can be exfiltrated at 41.96 sec at a low speed and 4.096 bits at a high speed," Dr. Guri said. "Biometric information, small files (.jpg), and small documents (.txt and .docx) require 400 seconds at the low speed to a few seconds at the fast speeds."

"This indicates that the RAMBO covert channel can be used to leak relatively brief information over a short period."

Countermeasures to block the attack include enforcing "red-black" zone restrictions for information transfer, using an intrusion detection system (IDS), monitoring hypervisor-level memory access, using radio jammers to block wireless communications, and using a Faraday cage.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New RAMBO Attack Uses RAM Radio Signals to Steal Data from Air-Gapped Networks

Endpoint security has been around for decades, but changes in device use and the quick evolution of new attacks have triggered the development of new security techniques.

Source: Dzmitry Skazau via Alamy Stock Photo

Because of their large attack surface made up of different sets — including laptops, desktops, mobile devices, and servers — endpoints are becoming the primary targets of increasingly sophisticated attacks. This diversity is further complicated by the variety of operating systems (OSs) being run on those devices. In addition, the location of these devices is often no longer tied only to company networks, due to the increase in hybrid and remote work, and more server workloads moving to the cloud.

To meet the growing needs of security teams, the endpoint security market is constantly evolving, albeit at an incremental rate recently. Endpoint security has been around for decades, but changes in device use and the quick evolution of new attacks have triggered the development of new security techniques.

Below are four areas for security professionals to focus on to establish and enhance their endpoint security. While not a comprehensive list, this should help security experts, both new and established, understand the core concepts around endpoint security.

**Baseline Security**

Endpoint protection starts with strong baseline security. Organizations must make optimal use of all of the features their OSes and applications provide that can help with endpoint protection. To do this, security experts should:

*   Use consistent application deployment methods: Restrict application deployments to known sources. Layer on a workflow for updating and maintaining approved applications.
    
*   Perform configuration management: Configure OSes and applications for security. For example, use hardening guidelines and manage browser add-ons and client applications' security capabilities.
    
*   Use auditing and logging: Understanding events on an endpoint starts with auditing and logging the right security events, and with having a process in place to monitor for security events. Aim to establish a single source of truth for endpoint status.
    

While providing a foundation for baseline security, this list is not exhaustive. Security leaders should also look into actions that include managing vulnerabilities for all OSs and managing backups.

**Endpoint Detection and Response**

Endpoint detection and response (EDR) tools store and monitor endpoint events to detect and hunt for suspicious behaviors, and also provide response capabilities to those events. Common events that are monitored include, but are not limited to, execution events, registry events, file events, and network events.

EDR, in its purest form, does not interrupt running processes; instead, it analyzes the resulting events to search for known indicators of compromise or patterns that indicate malicious behavior.

EDR tools can be likened to a data recorder, or "black box," for the endpoint devices on which they are installed. These tools gather telemetry data about the activity happening on those devices and make it available for examination later. Of course, storing the recorded data is not nearly enough — an EDR tool must also be able to present the data to an administrator in a way that enables further analysis using both automated and human-driven means.

**Automated Moving Target Defense**

Automated moving target defense (AMTD) is an emerging technology that focuses on constantly changing the attack surface of a system or network. AMTD makes it harder for attackers to identify and exploit vulnerabilities by dynamically modifying the process structure, memory space, system configurations, software stack, or network characteristics. This proactive approach helps to improve cyber defense and mitigate the risk of successful attacks.

Endpoint defense with AMTD can include:

*   Enhancing memory defense through morphing or enhanced randomization
    
*   Augmenting confidential computing enclaves with AMTD proactive defense
    
*   Enhancing runtime software hardening (polymorphism of code or inputs)
    
*   Automatic endpoint self-healing from known good files storage
    
*   Applying AMTD to file storage or storage access channels (command and storage polymorphing)
    

AMTD for endpoints and endpoint software is a set of technologies that make it harder for attackers to reverse engineer and exploit endpoint OSes and software technologies. AMTD works by introducing unpredictable and frequent changes in the attack surface of the applications and OSs on which it is used.

**Mobile Threat Defense**

The mobile attack landscape has continued to grow and change with the increase of smartphone and tablet sales, and with the proliferation of bring-your-own-device arrangements in enterprises. Every year, we see new statistics claiming hundreds of percentage points of growth in mobile malware.

The MTD market includes vendors that use some combination of the following mobile protection methods for Android and iOS:

*   Behavioral anomaly and configuration detection
    

*   Protection against device attacks, network attacks, and malicious and leaky apps
    
*   Mobile anti-phishing protection
    
*   OS-, hardware- and application-based vulnerability assessment, monitoring, and compliance
    
*   Crowdsourced threat intelligence
    

Baseline security, EDR, AMTD, and MTD are just a few crucial tools security leaders can use to improve their endpoints' resilience against attacks. There continue to be many other layers of security designed to contribute to the protection of endpoints, and security leaders must take a holistic approach, as this topic is foundational for enterprises who will need to adjust their strategy for changing and increased variation in devices, agile work environments, and increasingly sophisticated security threats.

**About the Author**

Director Analyst, Gartner

Eric Grenier is a Director Analyst at Gartner working in the Technical Professionals Security Technology and Infrastructure team, focusing on Endpoint Security including endpoint protection and endpoint detection and response.

How to Establish &amp; Enhance Endpoint Security

Designed to be more than a one-time assessment— Wing Security’s SaaS Pulse provides organizations with actionable insights and continuous oversight into their SaaS security posture—and it’s free!
Introducing SaaS Pulse: Free Continuous SaaS Risk Management 
Just like waiting for a medical issue to become critical before seeing a doctor, organizations can’t afford to overlook the constantly

SaaS Security / Risk Management

Designed to be more than a one-time assessment— Wing Security's SaaS Pulse provides organizations with actionable insights and continuous oversight into their SaaS security posture—and it's free!

****Introducing SaaS Pulse: Free Continuous SaaS Risk Management****

_Just like waiting for a medical issue to become critical before seeing a doctor, organizations can't afford to overlook the constantly evolving risks in their SaaS ecosystems. New SaaS apps, shifting permissions, and emerging threats mean risks are always in motion._

_SaaS Pulse makes it easy to treat SaaS risk management as an ongoing practice, not just an occasional check-up._

Security teams instantly get a real-time security "health" score, prioritized risks, contextualized threat insights, and the organization's app inventory—without setups or integrations.

****SaaS is a Moving Target****

SaaS stacks don't stand still. Business critical apps can easily slip into a state of vulnerability (i.e. supply chain attacks, account takeovers due to leaked credentials, misconfigurations, user access risks, and offboarding challenges). Relying on outdated point-in-time assessments leaves security teams blind to these shifts.

****Turn the Noise into Actionable Data****

What sets SaaS Pulse apart is its emphasis on making security insights simple, prioritized, and actionable— all with a click. It's designed for security teams who need answers fast:

*   **Dynamic Security Health Score:** Wing Security was the first in the industry to adapt the MITRE framework CWSS to SaaS security. This quantifiable language brings context, clarity, and focus, allowing for a proactive approach to prioritizing SaaS risks.
*   **Deep Shadow IT Discovery**: SaaS Pulse digs deep into every organization's SaaS stack to uncover shadow IT, risky permissions, and potential weaknesses— through a database of +350 K SaaS applications. Users get instant clarity on App2App connectivity, third-party risk management (TPRM), Gen-AI, compliance, and more.
*   **Contextual Threat Intelligence:** Users understand the "why" behind critical alerts through curated insights from expert threat intelligence analysts and automated contextual analysis - tailored for every SaaS environment.
*   **Prioritized SaaS risks:** Users get prioritized risks according to the severity level, helping security teams prioritize which risks to deal with first. SaaS Pulse monitors over 40 critical, complex vulnerabilities such as misconfigured apps, IAM inconsistencies, orphaned accounts or apps, and more.

With these features, and without complicated configurations or integrations, SaaS Pulse makes an indispensable FREE tool for continuous SaaS risk management.

****Get to the A-ha in a Click****

With a simple connection to core apps like Google Workspace and Microsoft 365, the system provides a comprehensive snapshot of the organization's SaaS security posture within minutes. SaaS Pulse continuously monitors the organization's environment, providing real-time visibility into emerging risks or major changes. Whether it's a sudden permission drift or a newly discovered shadow IT app, security teams are equipped with the insights they need to address these risks before they escalate.

****The High Cost of Ignoring SaaS Risks****

It's easy for risks to go unnoticed until it's too late. SaaS Pulse eliminates the need for sporadic assessments—through constant, automated monitoring, helping security teams avoid expensive breaches and data leaks. Managing SaaS environments manually (especially as they grow) becomes impossible—SaaS Pulse ensures no risk is overlooked, saving both time and potential losses.

****Prevent the Next Data Leak or Breach****

Wing Security's SaaS Pulse prioritizes visibility for overloaded security teams. SaaS Pulse isn't just a one-time SSPM tool; it's a continuous companion in maintaining good SaaS security hygiene. It provides a simple yet powerful way to stay on top of SaaS risks with automated, ongoing check-ins. For those who require more advanced capabilities, Wing Security's enterprise solution provides deeper insights, threat detection, automated remediation, and extensive monitoring to keep the organization secure. Learn more at https://wing.security/

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Wing Security SaaS Pulse: Continuous Security & Actionable Insights — For Free

A previously undocumented threat actor with likely ties to Chinese-speaking groups has predominantly singled out drone manufacturers in Taiwan as part of a cyber attack campaign that commenced in 2024.
Trend Micro is tracking the adversary under the moniker TIDRONE, stating the activity is espionage-driven given the focus on military-related industry chains.
The exact initial access vector used

Cyber Attack / Threat Intelligence

A previously undocumented threat actor with likely ties to Chinese-speaking groups has predominantly singled out drone manufacturers in Taiwan as part of a cyber attack campaign that commenced in 2024.

Trend Micro is tracking the adversary under the moniker **TIDRONE**, stating the activity is espionage-driven given the focus on military-related industry chains.

The exact initial access vector used to breach targets is presently unknown, with Trend Micro's analysis uncovering the deployment of custom malware such as CXCLNT and CLNTEND using remote desktop tools like UltraVNC.

An interesting commonality observed across different victims is the presence of the same enterprise resource planning (ERP) software, raising the possibility of a supply chain attack.

The attack chains subsequently go through three different stages that are designed to facilitate privilege escalation by means of a User Access Control (UAC) bypass, credential dumping, and defense evasion by disabling antivirus products installed on the hosts.

Both the backdoors are initiated by sideloading a rogue DLL via the Microsoft Word application, allowing the threat actors to harvest a wide range of sensitive information,

CXCLNT comes equipped with basic upload and download file capabilities, as well as features for clearing traces, collecting victim information such as file listings and computer names, and downloading next-stage portable executable (PE) and DLL files for execution.

CLNTEND, first detected in April 2024, is a discovered remote access tool (RAT) that supports a wider range of network protocols for communication, including TCP, HTTP, HTTPS, TLS, and SMB (port 445).

"The consistency in file compilation times and the threat actor's operation time with other Chinese espionage-related activities supports the assessment that this campaign is likely being carried out by an as-yet unidentified Chinese-speaking threat group," security researchers Pierre Lee and Vickie Su said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

TIDRONE Espionage Group Targets Taiwan Drone Makers in Cyber Campaign

The U.S. government and a coalition of international partners have officially attributed a Russian hacking group tracked as Cadet Blizzard to the General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).
"These cyber actors are responsible for computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm

The U.S. government and a coalition of international partners have officially attributed a Russian hacking group tracked as **Cadet Blizzard** to the General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).

"These cyber actors are responsible for computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm since at least 2020," the agencies said.

"Since early 2022, the primary focus of the cyber actors appears to be targeting and disrupting efforts to provide aid to Ukraine."

Targets of the attacks have focused on critical infrastructure and key resource sectors, including the government services, financial services, transportation systems, energy, and healthcare sectors of North Atlantic Treaty Organization (NATO) members, the European Union, Central American, and Asian countries.

The joint advisory, released last week as part of a coordinated exercise dubbed Operation Toy Soldier, comes from cybersecurity and intelligence authorities in the U.S., the Netherlands, the Czech Republic, Germany, Estonia, Latvia, Ukraine, Canada, Australia, and the U.K.

Cadet Blizzard, also known as Ember Bear, FROZENVISTA, Nodaria, Ruinous Ursa, UAC-0056, and UNC2589, gained attention in January 2022 for deploying the destructive WhisperGate (aka PAYWIPE) malware against multiple Ukrainian victim organizations in advance of Russia's full-blown military invasion of the country.

Back in June 2024, a 22-year-old Russian national named Amin Timovich Stigal was indicted in the U.S. for his alleged role in staging destructive cyber attacks against Ukraine using the wiper malware. That said, the use of WhisperGate is said to be not unique to the group.

The U.S. Department of Justice (DoJ) has since charged five officers associated with Unit 29155 for conspiracy to commit computer intrusion and wire fraud conspiracy against targets in Ukraine, the U.S. and 25 other NATO countries.

The names of the five officers are listed below -

*   Yuriy Denisov (Юрий Денисов), a colonel in the Russian military and a commanding officer of Cyber Operations for Unit 29155
*   Vladislav Borovkov (Владислав Боровков), Denis Denisenko (Денис Денисенко), Dmitriy Goloshubov (Дима Голошубов), and Nikolay Korchagin (Николай Корчагин), lieutenants in the Russian military assigned to Unit 29155 who worked on cyber operations

"The defendants did so in order to sow concern among Ukrainian citizens regarding the safety of their government systems and personal data," the DoJ said. "The defendants' targets included Ukrainian Government systems and data with no military or defense-related roles. Later targets included computer systems in countries around the world that were providing support to Ukraine."

Concurrent with the indictment, the U.S. Department of State's Rewards for Justice program has announced a reward of up to $10 million for information on any of the defendants' locations or their malicious cyber activity.

Indications are that Unit 29155 is responsible for attempted coups, sabotage, and influence operations, and assassination attempts throughout Europe, with the adversary broadening their horizons to include offensive cyber operations since at least 2020.

The end goal of these cyber intrusions is to collect sensitive information for espionage purposes, inflict reputational harm by leaking said data, and orchestrate destructive operations that aim to sabotage systems containing valuable data.

Unit 29155, per the advisory, is believed to comprise junior, active-duty GRU officers, who also rely on known cybercriminals and other civilian enablers such as Stigal to facilitate their missions.

These comprise website defacements, infrastructure scanning, data exfiltration, and data leak operations that involve releasing the information on public website domains or selling it to other actors.

Attack chains commence with scanning activity that leverages known security flaws in Atlassian Confluence Server and Data Center, Dahua Security, and Sophos' firewall to breach victim environments, followed by using Impacket for post-exploitation and lateral movement, and ultimately exfiltrating data to dedicated infrastructure.

"Cyber actors may have used Raspberry Robin malware in the role of an access broker," the agencies noted. "Cyber actors targeted victims' Microsoft Outlook Web Access (OWA) infrastructure with password spraying to obtain valid usernames and passwords."

Organizations are recommended to prioritize routine system updates and remediate known exploited vulnerabilities, segment networks to prevent the spread of malicious activity, and enforce phishing-resistant multi-factor authentication (MFA) for all externally facing account services.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

U.S. Offers $10 Million for Info on Russian Cadet Blizzard Hackers Behind Major Attacks

Plus: Kaspersky’s US business sold, Nigerian sextortion scammers jailed, and Europe’s controversial encryption plans return.

Your devices may be revealing a lot more about your life than you realize.

During the Democratic National Convention in Chicago last month, we set out to find just how much data is floating around in the digital ether all around us. Armed with a fanny pack filled with radios—including a hot spot loaded with custom code developed by the digital rights nonprofit the Electronic Frontier Foundation and an Android phone armed with the data-revealing app Wiggle—WIRED reporters collected signals from nearly 300,000 devices in and around the DNC. This included more than 2,500 police body cameras, which effectively revealed how the Chicago Police Department deployed its officers at the protests. It also exposed new ways everyone—police and activists alike—can be surveilled via our gadgets.

Thanks to a legal dispute over content moderation, Elon Musk’s X has been blocked in Brazil for a week—mostly, away. The South American nation has some 20,000 internet service providers and lacks the centralized stranglehold over internet infrastructure that authoritarian countries like Iran have built. So when it comes to blocking an entire social network in Brazil, the whole thing is a bit of a mess.

Speaking of Musk-run companies, SpaceX is getting a big new customer for its Starlink satellite internet service: the United States Navy. In addition to providing sailors with a way to stay connected to friends and family while out at sea, Starlink is part of a large project to connect US warships wherever they are in the world.

Russia’s military intelligence agency, GRU, is known for having some of the most aggressive hacking teams on the planet. Now, it’s added a new one: GRU Unit 29155—a unit notorious for coup attempts, bombings, and other physical attacks—has a cyber warfare team of its own, according to the US and other Western governments. Dubbed Cadet Blizzard, the hacking team is said to have carried out attacks against Ukraine using destructive Whispergate malware, defaced Ukrainian government websites, and leaked information while posing as a hacktivist group. It all adds up to more evidence of the increasingly blurry lines between cyber and kinetic warfare.

Activists in Japan have been waging a pressure campaign against a company many people don’t know exists. The FANUC Corporation makes industrial robots, which are used for a wide variety of purposes. The activists claim this includes weapons manufacturing—specifically weapons used by Israel in its war in Gaza—and believe the company is violating export laws and its own policies. (FANUC denies both accusations.) Whatever the case, the controversy reveals how difficult it can be to untangle ethical issues from a global supply chain.

Health care companies are among the biggest targets for criminal hackers. But sometimes, the security issues come from the inside. Therapy sessions and other sensitive patient records were recently left exposed in a misconfigured database operated by Confidant Health, which provides addiction recovery care and other mental health services. The company says it secured the database immediately after a researcher alerted them to the fact that it was publicly accessible online, but it’s still a reminder of just how many of our deepest secrets can find their way into the open by accident.

Even those of you who do everything you can to secure those secrets can find yourself vulnerable—especially if you’re using a YubiKey 5 authentication token. The multifactor authentication devices can be cloned thanks to a cryptographic flaw that can’t be patched. The company has rolled out some mitigation measures—and the attack itself is relatively difficult to pull off. But it may be time to invest in a new dongle.

That’s not all, folks. Each week, we round up the privacy and security news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

At the end of August, cybercriminals from the ransomware group RansomHub appear to have hacked into the systems of Planned Parenthood’s Montana branch. The organization this week confirmed it had suffered from a “cybersecurity incident” on August 28 and said its staff immediately took parts of its network offline, reporting the incident to law enforcement.

Days after the incident took place, RansomHub claimed to be behind the attack, posting Planned Parenthood on its leak website. The criminal group said it would publish 93 GB of data. It is unclear what, if anything, the ransomware group has obtained, but Planned Parenthood clinics can hold a huge array of highly sensitive data about patients, including information on abortion appointments. (Around 400,000 Planned Parenthood patients in Los Angeles were impacted following a similar ransomware incident in 2021.)

In recent months, RansomHub has emerged as one of the most active ransomware-as-a-service groups, following the law enforcement disruption of LockBit. According to an FBI and Cybersecurity and Infrastructure Security Agency alert at the end of August, the group is “efficient and successful” and has stolen data from at least 210 victims since it formed in February. “The affiliates leverage a double-extortion model by encrypting systems and exfiltrating data to extort victims,” the alert said.

**Nigerian Sextortion Scammers Sentenced to 17 Years After Teen Death**

The Nigeria-based scammers known as the Yahoo Boys run almost every scam in the playbook—from romance scams to pretending to be FBI agents. Yet there's little-more devious than the increase in sextortion cases linked to the West African scammers. This week, Nigerian brothers Samuel Ogoshi and Samson Ogoshi were sentenced to more than 17 years in US jail for running sextortion scams, following their extradition earlier this year. It is the first time Nigerian scammers have been prosecuted for sextortion in the US, the BBC reported.

The Ogoshi brothers, who pleaded guilty in April, have been linked to the death of 17-year-old Jordan DeMay, who took his life six hours after he started talking to the scammers, who posed as a girl, on Instagram. The teenager had been duped into sending the brothers explicit images, and after he had done so, they threatened to post the images online unless he paid them hundreds of dollars. US prosecutors said the brothers sexually exploited and extorted more than 100 victims, with at least 11 of them being minors. There has been a huge spike in sextortion cases in recent years.

**Kaspersky’s Banned US Business Sold**

In June, the US Commerce Department banned the sale of Kaspersky’s antivirus tools over national security concerns about its links to the Russian government. (Kaspersky has, for years, denied connections). The firm later fired its workers and said it was closing its US business. This week, cybersecurity company Pango Group announced it is purchasing Kaspersky Lab’s US antivirus customers, according to Axios. This equates to around 1 million customers, who will be transitioned to Pango’s antivirus software Ultra AV. Ahead of the Kaspersky deal, parent company Aura also announced it was spinning out Pango Group into its own business. Pango’s president said customers would not need to take any action and that it would allow subscribers to continue to receive updates after September 29, when Kaspersky updates will stop.

**Europe’s Encryption-Busting “Chat Control” Plans Return**

For years, the EU has been trying to introduce new child protection laws that would require private chats to be scanned for child sexual abuse material—something that would potentially undermine encrypted messaging apps that provide everyday privacy to billions of people. The plans have been highly controversial and were shelved earlier this year. However, the proposed law, which has been dubbed “chat control,” reappeared in legislators’ in-trays this week. The Council of the EU, which is currently chaired by Hungary, wants to pass legislation by October, but reports say strong resistance to the plans still remain.

Hackers Threaten to Leak Planned Parenthood Data

Vendors of mercenary spyware tools used by nation-states to track citizens and enemies have gotten savvy about evading efforts to limit their use.

Source: Robert Brown via Alamy Stock Photo

Efforts by the US and other governments to curb the development, use, and proliferation of powerful spyware tools like NSO Group's Pegasus and Intellexa Consortium's Predator have largely been unsuccessful. Rather, they appear to have encouraged these espionage retailers to improve their ability to evade detection and do business in the shadows.

Spyware could arguably have some legitimate law enforcement or intelligence gathering use case, however, human-rights-abuse watchers have soundly established tools like Pegasus and Predator as tools employed by authoritarian governments to spy on journalists, dissidents, and citizens, and to police their activity. Western governments (including the US, the UK, and others across Europe) recognize these spyware tools as a threat to human rights and basic freedoms, and have joined to try and stop their use through sanctions and other enforcement actions.

In 2021, the US Department of Commerce sanctioned NSO Group, Candiru Ltd., and two suppliers. In 2023, it added Intellexa Consortium to the list for "trafficking in cyber exploits used to gain access to information systems, threatening the privacy and security of individuals and organizations worldwide," according to a Sept. 4 report from The Atlantic Council DFRLab.

Further in 2023, the US proposed blocking government agencies from using commercial spyware and joined with several other countries to pledge to work against the misuse and spread of commercial spyware, DFRLab's report noted. In March of 2024, the US Department of the Treasury also levied sanctions against seven spyware entities. And the following month, the US government also issued Visa restrictions to "promote the accountability for the misuse of commercial spyware," the report added.

It worked for a time. But the market for governments who want to use spyware against their citizens proved too big of a prize for these vendors to miss out on: the Atlantic Council report also highlighted the subsequent return of sanctioned spyware sellers.

"Most available evidence suggests that spyware sales are a present reality and likely to continue," the Atlantic Council admitted. "Proliferation heedless of its potential human rights harms and national security risks, however, is not a stable status quo."

**Predator Spyware Claws Back With Location Obfuscation**

Take Predator as an example. In 2024 Predator spyware use dropped sharply after the company was sanctioned, according to researchers at Insikt Group. But recently, new and improved Predator infrastructure has been detected in more countries, including the Democratic Republic of Congo and Angola.

Updates to the new and improved Predator tool anonymizes customer operations, which obscures which countries are using the spyware, Insikt Group reported in a Sept. 5 report on Predator.

"This change makes it more difficult for researchers and cybersecurity defenders to track the spread of Predator," the report added.

But Predator is hardly the only spyware tool gaming its location to evade oversight. The Atlantic Council's report identifies several ways spyware vendors have adapted to take advantage of jurisdictional gaps, including simply by structuring their businesses with subsidiaries, partners, and other relationships scattered across different areas. Spyware vendors also play games with naming and re-naming their companies and legal entities in an effort to get around sanctions and other regulation.

"The most persistently shifting identity is that of the firm originally known as Candiru Ltd., which changed its name four times over the ensuing nine years, and is known at the time of this writing as Saito Tech Ltd," the Atlantic Council's report noted.

The strategy goes beyond business operations; this jurisdictional shell game also allows these vendors to court investors from a wider range of countries.

"These relocations may offer a variety of location-specific benefits, from facilitating sales to the EU market with an EU-domiciled firm to situating branches in states with more forgiving laws," the Atlantic Council report said.

The good news is, these loopholes could be closed, according to the Atlantic Council, with more controls and scrutiny on spyware investment.

"Improving corporate transparency requirements, such as the US’ recent move to compel companies to report their beneficial owners in line with policies in other countries, will support improved investor due diligence and deal review inside the United States," according to the report. "For vendors located outside the US, a recent notice of proposed rulemaking to extend US security review over some forms of outbound investment could provide the basis to catalog and potentially block investment."

**Spyware Vendors Concentrated in Three Countries**

The Atlantic Council report said the current spyware vendor landscape is heavily concentrated in three areas: Israel, India, and Italy. While there has been a lot of focus on Israeli spyware firms like NSO Group, the Atlantic Council report encourages Western governments to expand their sanctions focus to companies working out of India and Italy as well, two countries that were recently left out of the high-profile international sanctions from the UK and France against cyber intrusion tools, called the Pall Mall Process.

India is home to five prolific spyware vendors, including Aglaya Scientific Aerospace Technology Systems Private Limited and Appin Security Group, and Italy has six, including Memento Labs, Movia SPA, the report points out.

More needs to be done to bring transparency to the spyware market, the Atlantic Council report urged.

"Nascent steps by a handful of countries demonstrate that a more vigorous approach to shape the behavior of spyware vendors, their supply chain, and their investors is possible," its report said. "However, much more remains to be done."

Commercial Spyware Use Roars Back Despite Sanctions

The Biden administration launches an initiative to encourage careers in cybersecurity, as businesses try new tactics to get unfilled IT security roles staffed.

Source: Prisma by Dukas Presseagentur GmbH via Alamy Stock Photo

With more than half a million cybersecurity jobs unfilled nationwide in the US, private enterprise and the federal government alike are focusing efforts to help fill the gap by changing hiring strategies and encouraging careers in IT security.

This week, the White House Office of the National Cyber Director (ONCD), in collaboration with the Office of Management and Budget (OMB), announced the "Service for America" initiative, which is part of the National Cyber Workforce and Education Strategy (NCWES).

The main directive is to recruit and prepare Americans for jobs in cybersecurity, technology, and artificial intelligence (AI). The initiative focuses on creating accessible career pathways by removing degree requirements, and emphasizing skills-based hiring.

To that end, the program promotes work-based learning, such as registered apprenticeships, which allow individuals to earn while they gain new skills. And on the AI front, while it is seen as having the potential to fill some of the perceived workforce gaps, human cybersecurity does not appear to be a role that is going away any time soon — for most AI and related tools, a human element is still vital to decision making.

The announcement comes as the US faces a significant cybersecurity talent shortage, with 225,200 more workers needed to fill nearly 470,000 job openings, according to a June report from CyberSeek.

Despite growing education and training programs, "many Americans do not realize that a cyber career is available to them," National Cyber Director Harry Coker Jr. said in a blog post about the initiative. "There is a perception that you need a computer science degree and a deeply technical background to get a job in cyber."

Federal initiatives are also underway to support neurodivergent candidates and those who are blind and visually impaired. And earlier this year, the administration announced a $244 million investment in apprenticeships for growing industries, including cybersecurity. The initiative also supports community-driven efforts to address local workforce needs through collaboration between employers, educational institutions, and government.

**Cyber Pros With Unconventional Backgrounds**

Erich Kron, security awareness advocate at KnowBe4, said he agreed that many people who work in roles that are not highly technical or related to computer science believe there is no path for them in cybersecurity, even if they have the interest and passion to be great at it. 

"Some of the most amazing cybersecurity talent that I am aware of has come from nontraditional paths, including those in insurance, arts and theater, as well as other seemingly unrelated trades," he said.

Kron added that tapping this well of talent to fill positions in the cybersecurity world has the benefit of infusing nontraditional thought processes and experience into the industry.

"This helps round out defenses and develop ways to defend against cybercriminals through a fresh perspective," he explained.

Meanwhile Shane Fry, CTO of RunSafe Security, said businesses, especially large organizations, tend to favor highly skilled cyber workers with a college degree.

"This can lead to some great candidates, but it also ostracizes a large group of folks that are so passionate about cyber that they picked up the skills on their own and don't have a degree to put on a resume," he said.

He added some of the smartest cyber security professionals he's worked with in his career never even stepped foot on a university campus, let alone finished a degree.

"There's a ton of opportunities for businesses to provide on the job training and external training courses to get people from the fringes of cybersecurity into the cybersecurity fold," Fry said.

That could be changing: a May survey report from the SANS Institute and GIAC found a growing emphasis on certification-based training over traditional degrees, with cybersecurity and HR managers favoring certifications by a 2:1 margin.

**Apprenticeships, Community Engagement**

Recent surveys have also indicated that the so-called "workforce shortage" may be in part to unrealistic demands for qualifications and low salaries — added to the systemic problem of persistently high burnout rates among IT security professionals.

Indicative of the issues is the fact that broke, burned out, or laid-off cybersecurity pros are turning to cybercrime side hustles to make ends meet.

The SANS report for instance found that the cybersecurity talent shortage numbers are driven by headcount gaps, and don't reflect the number of available candidates that have appropriate skills.

And indeed, while most respondents (71%) in the SANS survey said they are committed to recruiting diverse candidates, hiring efforts are hindered by internal confusion, a lack of standardized career paths, and misaligned skill sets, particularly for mid-level roles.

Survey results also indicated many organizations lack alignment between HR and cybersecurity teams, with 37% of managers suggesting HR needs a deeper understanding of cyber roles, and 46% calling for better collaboration.

**Cyber: A Rewarding Profession, But Be Realistic**

Kron noted that for those who understand that cybersecurity can be a stressful, but also incredibly rewarding, type of career field, checking out programs to help accelerate education and a career change is critical.

"It is important that people considering a career in cybersecurity understand some of the challenges of this career path, including the potential to be on call and a requirement to react quickly when incidents occur, even on weekends or in the evenings," Kron explained.

From Fry's perspective, far too many businesses have been apprehensive to spend money on training or skills development; but that's likely an untenable position.

"The impact to those organizations, and the customers of those organizations is that they will continue to fall prey to cybersecurity attacks," he said. "The longer those organizations wait to prioritize cybersecurity and build a cybersecurity pipeline, the farther behind the power curve they will be."

Thus, business' hands may be forced, and the time is right to embrace some of the federal initiatives.

**About the Author**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Cybersecurity Talent Shortage Prompts White House Action

The spy agency that dared not speak its name is now the Joe Rogan of the SIGINT set. And the pod's actually worth a listen.

My first story for WIRED—yep, 31 years ago—looked at a group of “crypto rebels” who were trying to pry strong encryption technology from the government-classified world and send it into the mainstream. Naturally I attempted to speak to someone at the National Security Agency for comment and ideally get a window into its thinking. Unsurprisingly, that was a no-go, because the NSA was famous for its reticence. Eventually we agreed that I could fax (!) a list of questions. In return I got an unsigned response in unhelpful bureaucratese that didn’t address my queries. Even that represented a loosening of what once was total blackout on anything having to do with this ultra-secretive intelligence agency. For decades after its post–World War II founding, the government revealed nothing, not even the name, of this agency and its activities. Those in the know referred to it as “No Such Agency.”

In recent years, the widespread adoption of encryption technology and the vital need for cybersecurity has led to more openness. Its directors began to speak in public; in 2012, NSA director Keith Alexander actually keynoted Defcon. I’d spent the entire 1990s lobbying to visit the agency for my book _Crypto_; in 2013, I finally crossed the threshold of its iconic Fort Meade Headquarters for an on-the-record conversation with officials, including Alexander. NSA now has social media accounts on Twitter, Instagram, Facebook. And there is a form on the agency website for podcasters to request guest appearances by an actual NSA-ite.

So it shouldn’t be a total shock that NSA is now _doing its own podcast._ You don’t need to be an intelligence agency to know that pods are a unique way to tell stories and hold people’s attention. The first two episodes of the seven-part season dropped this week. It’s called _No Such Podcast_, earning some self-irony points from the get-go.

In keeping with the openness vibe, the NSA granted me an interview with an official in charge of the project—one of the de facto podcast producers, a title that apparently is still not an official NSA job posting. Since NSA still gotta NSA, I can’t use this person’s name. But my source did point out that in the podcast itself, both the hosts and the guests—who are past and present agency officials—speak under their actual identities. We conducted the interview via Microsoft Teams; my spokesperson and one of the hosts were in a room with an impressive background of the official seals of the NSA, the Central Security Service, and the United States Cyber Command. I did my end from a World Trade Center conference room, praying my Wi-Fi wouldn’t cut out.

Why an NSA podcast? The spokesperson explains that the NSA has the world’s best cryptologists and cryptanalysts, all of whom work in silence, and the agency wanted to talk about their critical and amazing work. “The podcast,” the spokesperson says, “is a medium that allows for good storytelling and conversation that is distinct from things we already engage in. It provides a different level of connection.” I later received a statement from Sara Siegle, the NSA’s head of strategic communications, echoing that point: “NSA believes in showcasing the incredible, dedicated work of our diverse, expert workforce. _No Such Podcast_ extends our existing efforts into a new and growing medium.” Got it.

I suggest some secondary motivations. Some of the NSA’s social media posts solicit workers, and this podcast seems likewise designed to appeal to STEM graduates who might place patriotism over working for Google or a startup. My source acknowledged that this was the case. “Recruitment is not the number one goal of the podcast, but we are certainly hoping that by showcasing the work we do here, and the real people on the show who work here, listeners might say, ‘Oh, that sounds like a really cool job—and that person seems pretty normal, right?’”

The NSA also apparently sees the podcast as a chance to answer some critics who charge that the agency is a Big Brother-ish snooping operation that threatens our privacy. In the very first episode, guest speaker Natalie Laing, the NSA’s director of operations, speaks at length about how the NSA limits itself to information relevant to national security and similar imperatives. “Compliance is our number one focus,” she says. By hitting this note so hard that my Apple Watch sent me a volume alert, the NSA seems to be using the podcast format to address suspicions that it violates privacy—especially after the shocking revelations from Edward Snowden about how much stuff the NSA does grab. (I am told Snowden’s name is not uttered in the entire NSA podcast series—no such person?)

The NSA used fairly traditional marketing skills to figure out the format of its podcast. It checked out not only popular pods, but those of its sister intelligence agencies. Yes, the CIA and FBI are already in the game. The NSA finally settled on a classical interview format where a revolving set of four hosts—not outside professionals, but the winners of an internal talent search for employees with broadcast skills—talk with officials about the agency’s operations and exploits. “We definitely wanted that conversational tone that provides space for our guests to share their expertise and stories in a way that doesn’t really feel like lectures,” says my spokesperson. The podcasts were recorded in the NSA’s own in-house video studio. That is a sentence that you will never find in a John LeCarré novel.

As you would expect, there is a lot of vetting to make sure that none of the stories shared on the pod are classified, or would compromise future operations. No, we will not find out whether there is a quantum computer in the basement of the NSA’s Fort Meade, Maryland, headquarters. While the numbers of reviewers varied by episode, I was assured it was more than a dozen and less than a hundred.

I’ve read the transcripts for the first two episodes. The series opens with a bang, with episode 1 recounting the NSA’s role in finding Osama Bin Laden. As background to the narrative, Laing and the other guest, former director of operations Jon Darby, provide a rather detailed precis of the workings of signals intelligence, or SIGINT in spook-speak, which is the core activity of the agency. They give a once-unthinkably straightforward rundown of what the NSA calls its “production cycle”—the way it grabs signals, analyzes them, and distributes them to US officials, the military, our allies, and even some people in the private sector. The information is familiar to those who have been studying intelligence agencies, or at least reading spy novels, but for many years the NSA would confirm none of this.

The description of how SIGINT helped find Bin Laden was gripping, but I missed a journalistic toughness in the questioning. Paging Barton Gellman or our own Andy Greenberg! At one point Jon Darby said, “… the fall of 2001—that’s when we really started really looking for Bin Laden.” Since the NSA was well aware al-Qaeda had already run terror operations against the US, why not earlier? And maybe an explanation of why we were blindsided by 9/11? Another question: While it’s an inspiring triumph that we located Bin Laden, it did take over 10 years. Given how much we pay for the NSA, is that acceptable?

The second episode is about cybersecurity. It struck me as relatively vague, with a lot of talk about the importance of protecting information for the military and even the space program but fewer concrete examples. The guests talk about stopping ransomware attacks but don’t say how. I would have liked to have heard more about how the NSA works with private industry to protect our infrastructure. Or doesn’t. A few spectacular breaches in recent years exposed critical government information, including several whopping hacks of Microsoft by the Russians and the Chinese. Those didn’t make it in that episode.

Still, _No Such Podcast_ can be revealing. The Bin Laden episode had a brief but intriguing digression about encryption. (Future episodes, I am told, will dive deeper into the subject, including one about the history of cryptography.) During the 1990s the NSA had been an active opponent of strong public encryption. But at the end of the decade, the Clinton Administration seemingly ended the Crypto Wars by allowing the private sector to employ the techniques. Nowadays we’ve got the FBI and other law enforcement officials caterwauling about the danger of end-to-end encryption in software made by Apple, Meta, and others. But in this podcast, the NSA’s head of operations is not crying doomsday. To the contrary, Laing brags about how the great codebreakers at the NSA, despite the revolution in private sector cryptography, are still able to get the job done. “Our ability to impact in a positive way our nation's national security, to defend our nation, that has not changed … Every day I am a little gobsmacked at the talent that we have at this agency and the things they are able to do. That absolutely has not changed. And what else hasn't changed is, we can't tell people about it generally.” While the FBI is screaming that we’re doomed if we don’t rein in end-to-end crypto, here is the NSA saying, “We got this.”

For that reason I’ll give a thumbs-up to _No Such Podcast_. Yes, it’s kind of propagandistic—how could it be otherwise?—but despite the podcast’s selective spin on its activities, there’s more signal here than noise. As a bonus, there are no ads for energy drinks, gold bullion, or newly minted cryptocurrency tokens. Also, I’m curious to hear the NSA’s take on artificial intelligence, the subject of an upcoming episode.

Before I end my discussion with the NSA, I ask a question that is top of mind for every podcaster: Will _No Such Podcast_ be picked up for season 2? “We can neither confirm or deny,” says the unnamed person I spoke to. Now _that’s_ the NSA I know.

**Time Travel**

During the six years I spent writing _Crypto_, I begged and begged to visit the NSA, to no avail. After many months of negotiation, I finally got an official interview with a key source. It was conducted at the National Cryptologic Museum, just outside the agency’s gates. Maybe that was an early sign of the thaw that has led to this podcast. But as I documented in my book, in the NSA’s first decades, silence—and an electrified, triple-layered barbed-wire fence—enveloped all that the agency touched or dealt with.

_Since all the salient information about modern crypto was withheld from public view, outsiders could only guess what happened in “The Fort.” The NSA undoubtedly operated the most sophisticated snooping operation in the world. It was universally assumed (though never admitted) that no foreign phone call, radio broadcast, or telegraph transmission was safe from the agency’s global vacuum cleaner. Signals were sucked up and the contents analyzed with a multi-MIPS computer, combing the text for anything of value. …_

_What’s more, the NSA considered itself the sole repository of cryptographic information—not just that used by the civilian government and all the armed forces, as the law dictated, but that used by the private sector as well. Ultimately, the triple-depth fence surrounding its headquarters was not only a physical barrier but a metaphor for the NSA’s near-fanatical drive to hide information about itself and its activities. In the United States of America, serious crypto existed only behind the Triple Fence._

**Ask Me One Thing**

Chris asks, “All things considered, has the internet been a good or bad thing? Or, what percentage good or bad?”

Thanks for the question, Chris. You do realize that the internet is the big, all-encompassing blob where we all now live, right? You might as well ask whether civilization is a good thing. I can think of lots of reasons to answer in the negative, but none that would send me into a cave.

Look, a lot of us went overboard 30 years ago when we realized that the internet was going to be pervasive and revolutionary, and it seemed like an opportunity to do a constructive reset on a lot of things that stood in the way of access and equality and the generally calcified way that media operated. Some of those lofty visions came true, and some unexpected hellscapes arose. Overall, the mistake that the optimists made was somehow forgetting that it would be _people_ who would make the internet what it was, and what it would become. No matter how technology might nudge us into comity, a lot of humanity won’t go there no matter what. And the massive scale of the internet, as well as the riches to be gained, can lure even the most idealistic founders into breaking bad.

I still believe that the internet provides a pathway for the best of humanity to shine. But a lot of people are simply awful, and way too many of them are in your face all the time now. So my answer is 58-42—on the side of the good. No cave for me.

_You can submit questions to_ _mail@wired.com. Write **ASK LEVY** in the subject line._

**End Times Chronicle**

1943: Publication of Herman Hesse’s futuristic, trippy final novel, _The Glass Bead Game_. Last week: Analysis of material from a Chinese space probe reveals glass beads on the moon. Just sayin’.

**Last but Not Least**

Russia’s most feared military intelligence agency now has a cyber warfare team. A meaty subject for _No Such Podcast_!

It wasn’t the NSA but the State Department that discovered the Chinese hacker of Microsoft—and that’s just one thing Secretary of State Anthony Blinken talks about in our Big Interview.

Blinken also goes on camera as the Big Interview now has video!

WIRED hunted hidden police signals at the Democratic Convention–our own SIGINT op!

_Updated 09-06-24, 12:20 pm ET: The story was updated to correct the description of the seals in an NSA meeting room._

_Don't miss future subscriber-only editions of this column._ _**Subscribe to WIRED (50% off for Plaintext readers)**_ _today._

The NSA Has a Podcast—Here's How to Decode It

Video and audio of therapy sessions, transcripts, and other patient records were accidentally exposed in a publicly accessible database operated by the virtual medical company Confidant Health.

Thousands of people’s highly sensitive health details, including audio and video of therapy sessions, were openly accessible on the internet, new research has revealed. The cache of information, associated with a US health care firm, included more than 120,000 files and more than 1.7 million activity logs.

At the end of August, security researcher Jeremiah Fowler discovered the exposed trove of information in an unsecured database linked to virtual medical provider Confidant Health. The company, which operates across five states including Connecticut, Florida, and Texas, helps provide alcohol- and drug-addiction recovery, alongside mental health treatments and other services.

Within the 5.3 terabytes of exposed data were extremely personal details about patients that go beyond personal therapy sessions. Files seen by Fowler included multiple-page reports of people’s psychiatry intake notes and details of the medical histories. “At the bottom of some of the documents it said ‘confidential health data,’” Fowler says.

For instance, one seven-page psychiatry intake file, which appeared to be based on an hour session with a patient, details issues with alcohol and other substances, including how the patient claimed to have taken “small amounts” of narcotics from their grandparent’s hospice supply before the family member passed away. In another document, a mother describes the “contentious” relationship between her husband and son, including that while her son was using stimulants he accused her partner of sexual abuse.

The exposed health documents include some medical notes on people’s appearance, mood, memory, their medications, and overall mental status. One spreadsheet seen by the researcher appears to list Confidant Health members, the number of appointments they’ve had, the types of appointment, and more.

“There’s some heartbreaking, really painful family trauma, personal trauma,” Fowler says, adding that some of the files were audio and videos of patient sessions. “It’s almost like having your deepest darkest secrets that you've told your diary revealed, and it's things that you never want to get out.”

Alongside the medical files in the exposed database were administration and verification documents, including copies of driver’s licenses, ID cards, and insurance cards, Fowler says. The logs also contained indications that some data is collected by chatbots or artificial intelligence, making references to prompts and AI responses to questions.

Confidant Health quickly shut off access to the exposed database after Fowler contacted the company, he says. The researcher, who alerts companies to exposed data and does not download any of it, says a proportion of the 120,000 files that were exposed had some form of password protection in place. Fowler says he reviewed around 1,000 files to verify the exposure and determine the source of the data so he could alert the company. He says it is unusual that an exposed database would include both locked and unlocked files.

In a statement to WIRED, Confidant Health cofounder Jon Read says the company takes security concerns seriously and “take\[s\] issue with the sensational nature” of the findings. Read says once the company had been notified of the “improper configuration,” access to the exposed files was “fixed in less than an hour.”

Tag

#intel