By taking several proactive steps, boards can improve their organization's resilience against cyberattacks and protect their critical OT assets.

John Cusimano, Vice President, OT Security, Armexa

February 19, 2025

4 Min Read

Source: Lev Dolgachov via Alamy Stock Photo

COMMENTARY

Boards of directors play an important role in managing the strategic risks faced by their organizations, particularly in sectors with high-risk operational technology (OT) environments such as energy, transportation, manufacturing, and production. Each of these industries relies heavily on OT — the hardware and software that controls physical processes and devices — to maintain safe, reliable operations, making them particularly concerned about cyberattacks. However, understanding and managing cyber-risks in OT systems can be challenging for boards, often due to the cyber-physical nature of OT and its integration with information technology (IT).  

**The Primary Obstacles Boards Face in Evaluating OT Risks**

One of the biggest challenges boards face is the wide gap between OT specialists and board members. Individuals with deep OT domain knowledge are often too far down the organizational hierarchy to directly influence board-level decisions. This disconnect can lead to a lack of risk awareness and understanding at the highest levels of the organization. 

Additionally, the chief information security officer (CISO), who typically manages enterprise cybersecurity risk, often lacks the specific expertise and training needed to manage cyber-risks in OT environments. OT systems have security vulnerabilities that are significantly different from traditional IT systems. This can result in OT cybersecurity being misunderstood, understaffed, and underfunded despite the potentially catastrophic impact of an OT cyber incident.  

To gain a true picture of OT risks, boards may consider appointing a dedicated OT cybersecurity leader to collaborate closely with the CISO. This role will often have executive-level visibility as well as the authority and resources to assess and manage OT security risks effectively. Just as companies have dedicated leaders for managing environment health and safety risks (EH&S) or financial risks, they also need specialized leaders for OT security. More companies are recognizing this need and are creating dedicated roles for OT cybersecurity leaders, signaling a positive shift in prioritizing OT security. 

**Three Key Strategies Needed for Effective Decision-Making in OT Environments**

Effective decision-making begins with recognizing that the consequences of an OT security breach are notably different from an IT security breach. While an IT breach might compromise data and financial assets, an OT breach can have serious consequences, including physical damage to equipment, disruption of critical processes, and even health, safety, and environmental impacts.  

To address these challenges, organizations must consider adopting a risk-based approach to OT cybersecurity. This involves following industry standards for OT risk assessment and management, such as ISA/IEC 62443-3-2, which provides guidance on partitioning OT systems into security zones and developing credible risk scenarios.  

By developing and analyzing risk scenarios, organizations can identify and prioritize the most serious threats to their OT environments. These scenarios can be ranked based on their likelihood and potential impact, using the same scale the company uses for ranking other risks, ensuring consistency and allowing the board to understand the relative importance of different risks in a broader organizational context. 

**How to Achieve Strategic Cyber-Risk Management Across the Organization**

Boards of directors that recognize the need for separate but aligned programs for IT and OT cybersecurity, each led by their respective experts, will be able to address the specific characteristics and risks associated with each domain. IT security focuses on protecting data confidentiality, integrity, and availability, while OT security prioritizes safety, availability, and process integrity. 

To confirm effective oversight and governance, boards can establish an OT Cybersecurity Governance Committee. This committee may include key executives from operations, engineering, IT, and finance, fostering cross-functional collaboration to make sure that OT cybersecurity is integrated into the organization's overall risk management framework. 

**The Board's Role in OT Security**

Boards and senior management must proactively address the growing cyber-risks in OT environments. This requires a multifaceted approach beginning with appreciating the unique challenges and risks associated with OT cybersecurity, including understanding the potential consequences of OT breaches and the importance of dedicated OT security leadership. Organizations will need to invest in building internal OT cybersecurity expertise and/or partnering with specialized external providers. This includes hiring skilled professionals, providing ongoing training, and leveraging external resources when needed.  

The next step is to develop a comprehensive OT cybersecurity program that includes elements such as risk assessments, vulnerability management, incident response planning, security awareness training, and continuous monitoring. The program will foster collaboration between IT and OT by sharing information, aligning security policies, and coordinating incident response efforts. With an evolving threat landscape, it's important to regularly review and update the OT cybersecurity strategy to confirm it remains effective, focusing on emerging threats, vulnerabilities, and best practices.   

By taking these proactive steps, boards can improve their organization's resilience against cyberattacks and protect their critical OT assets. Specialized firms can provide valuable guidance and support in navigating the complexities of OT cybersecurity, helping organizations align their security processes with business goals and achieve their desired security outcomes.  

Boards of directors have an important role in overseeing and managing cyber-risks in OT environments. By understanding the challenges of OT security, investing in dedicated expertise, and adopting a strategic and proactive approach, organizations can strengthen their defenses and safeguard their critical operations from the growing threat of cyberattacks. 

**About the Author**

Vice President, OT Security, Armexa

John Cusimano is the vice president, OT Security for Armexaan. He is accomplished business and thought leader with more than 30 years of experience in process control, functional safety, operational technology (OT) and industrial control systems (ICS) cybersecurity. John has performed and led hundreds of OT cybersecurity vulnerability and risk assessments and helped dozens of companies establish OT cybersecurity programs. He is a voting member of the ISA 99 cybersecurity standards committee. As part of that committee, he chaired the subcommittee that authored the ISA/IEC 62443-3-2:2020 standard IACS Security Risk Assessment & Design. He is the developer and primary instructor of multiple training courses on OT cybersecurity.

What Is the Board's Role in Cyber-Risk Management in OT Environments?

Google is allowing its advertizing customers to fingerprint website visitors. Can you stop it?

In the ongoing saga that is Google’s struggle to replace tracking cookies, we have entered a new phase. But whether that’s good news is another matter.

For years, Google has been saying it will phase out the third-party tracking cookies that power much of its advertising business online, proposing new ideas that would allegedly preserve user privacy while still providing businesses with steady revenue streams.

But it’s not been straight forward for Google. As we reported in July, 2024, the tech giant said that due to feedback from authorities and other stakeholders in advertising, Google was looking at a new path forward in finding the balance between privacy and an ad-supported internet.

The announcement read:

> “Instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing.”

It’s not hard to see why this is scary. Apple’s App Tracking Transparency (ATT) feature caused a significant upset in the mobile advertising industry. When introduced in April 2021, it allowed users to opt out of being tracked across apps and websites. This led to an estimated 96% of US users choosing to opt out of tracking. With three billion Chrome users around the world, that might easily be an advertiser’s worst nightmare.

Google promised to kill tracking cookies by introducing a one-time global prompt upgrade that would present users with the choice of being tracked or not. By third-party cookies that is.

But ahead of fulfilling that promise, Google has introduced digital fingerprinting. Digital fingerprinting is like creating a unique digital ID for you or your device based on various pieces of information collected when you browse the internet, like:

*   Operating System (OS): Windows, Android, iOS, etc.
*   Browser type and version
*   IP address
*   Installed browser plugins
*   Time zone
*   Language settings
*   …and so on.

With all these pieces of information, it’s possible to create a unique fingerprint by which websites can recognize you, even if you clear your cookies. They will even be able to make an informed guess if you visit the same site with a different browser.

Google itself, at one point, said that fingerprinting was undesirable:

> “Unlike cookies, users cannot clear their fingerprint and therefore cannot control how their information is collected. We think this subverts user choice and is wrong.”

But, per Google’s announcement on December 19, 2024, organizations that use its advertising products can use fingerprinting techniques from last Sunday, February 16, 2025. Well, as far as Google is concerned that is.

The UK information commissioner’s office (ICO) reminded businesses they do not have free rein to use fingerprinting as they please. Like all advertising technology, it must be lawfully and transparently deployed – and if it is not, the ICO will act.

But the OK from Google is likely the start of an intermediate period where we will be bothered with both fingerprinting and third-party cookies until the advertising industry has had the time to transition.

**What can I do?**

Countering fingerprinting is a lot harder than keeping cookies at a minimum. But there are some things you can do to make it harder to get your fingerprint taken.

*   However hard it may be, the time may have come to consider switching to a browser that provides built-in features to resist fingerprinting
*   Or look for anti-fingerprinting tools in the form of browser extensions
*   Use a VPN that can mask your IP address and location, which are very significant pieces of information for fingerprinting
*   Keep your browser updated, so your old version will not give away your data
*   Disabling JavaScript can break a website’s functionality, but it also significantly reduces the data websites can gather about you.

We don’t just write about privacy, we can help you improve yours. Try Malwarebytes Privacy VPN.

 Google now allows digital fingerprinting of its users 

Google warns that hackers tied to Russia are tricking Ukrainian soldiers with fake QR codes for Signal group invites that let spies steal their messages. Signal has pushed out new safeguards.

For more than a decade now, Russian cyberwarfare has used Ukraine as a test lab for its latest hacking techniques, methods that often target Ukrainians first before they're deployed more broadly. Now Google is warning of a Russian espionage trick that's been used to obtain Ukrainians' messages on the encrypted platform Signal—and one that both Ukrainians and other Signal users worldwide should protect themselves against with a new update to the app.

Google's threat intelligence team on Wednesday released a report revealing how multiple hacker groups that serve Russian state interests are targeting Signal, the end-to-end encrypted messaging tool that has become widely accepted as a standard for private communications and is now often used by Ukrainians, including in the Ukrainian military's battlefield communications. Those Russia-linked groups, which Google has given the working names UNC5792 and UNC4221, are taking advantage of a Signal feature that allows users to join a Signal group by scanning a QR code from their phone. By sending phishing messages to victims, often over Signal itself, both hacker groups have spoofed those group invites in the form of QR codes that instead hide javascript commands that link the victim's phone to a new device—in this case, one in the hands of an eavesdropper who can then read every message the target sends or receives.

“It looks exactly like a group invite, and everything would function exactly like that, except when you scan it, it links the device out,” says Dan Black, a Google cyberespionage researcher and former NATO analyst. “It instantly pairs your device with theirs. And all your messages are now, in real time, being delivered over to the threat actor while you're receiving them.”

Two months ago, Google began warning the Signal Foundation that maintains the private communications platform about Russia's use of the QR code phishing technique, and Signal last week finished rolling out an update for iOS and Android designed to counter the trick. The new safeguard warns users when they link a new device and checks with them again at a randomized interval a few hours after that device is added to confirm that they still want to share all messages with it. Signal now also requires a form of authentication such as entering a passcode or using FaceID or TouchID on iOS to add a new linked device.

In fact, Signal had already been working to update those forms of phishing protections aimed specifically at exploitation of its linked device feature prior to Google's warning, says Signal's senior technologist, Josh Lund. But Google's report about Russia's spying in Ukraine provided an “acute” example of the problem that pushed them to move quickly to protect users, he says.

“We're really grateful to the Google team for their help in making Signal more resilient to this type of social engineering,” says Lund, using the cybersecurity term for tricks that deceive victims into giving hackers sensitive information or access to their systems.

Both Google and Signal emphasized that the phishing technique Google has seen in use in Ukraine doesn't suggest that Signal's encryption is broken or that the app's messages can otherwise be eavesdropped in transit. Instead, the trick essentially combines two legitimate features—QR-code group invites and QR-code device linking that pairs a smartphone with a laptop—invisibly swapping one with the other to deceive users. “Phishing is a big problem on the internet, and it's never nice to hear that someone has fallen victim to one of these attacks,” Lund says. “But we're trying to do our best to keep users safe, and we think these recent improvements will really help.”

Google notes that it's seen Russia use similar techniques to target other communications platforms like WhatsApp and Telegram, too. But the hackers tied to Russia's military have focused on Signal because of its widespread tactical use in the Ukrainian military. One of the two hacker groups that has exploited the QR code phishing technique, for instance, has disguised the codes as invites to groups associated with an artillery guidance app used by the Ukrainian military called Kropyva. In other instances, the spoofed QR codes have impersonated invites to other groups from a trusted contact, or security alerts from Signal itself.

Russia's hackers have targeted Signal as part of the country's war efforts in Ukraine since as early as 2023, a year into its full-scale invasion, says Google's Black. That's when the Russian hacker group known as Sandworm, a notorious unit of Russia's GRU military intelligence agency, began pivoting from disruptive cyberattacks to tactical espionage that included penetrating tablet computers used by the Ukrainian military. In some cases, Sandworm's hackers have also aided front-line Russian troops in off-loading Signal messages from captured devices, including by using the linked-device feature to pair compromised phones with their own PCs. Google says that Turla, a hacker group linked to Russia's FSB security agency, has also targeted Signal messages on PCs that it's infected with malware.

Google's Black says that the company's analysts nonetheless waited to highlight Russia's use of the QR-code phishing technique to target Signal until the Signal Foundation could push out new protections, in part to prevent other hackers from copying the technique. Black warns, in fact, that Russia's targeting of Signal in Ukraine shouldn't be seen as a problem limited to Ukraine nor to military conflicts in general. The trick is just as likely to be used for targeting dissidents and activists who use Signal worldwide, or even a broader set of targets. In December, for instance, US officials recommended Americans use end-to-end encrypted apps in response to the Chinese hacker group Salt Typhoon's widespread penetrations of US telecom networks.

“The use case for these techniques is just so wide," says Black. “We've seen history tell us a very particular story in terms of tradecraft, that the things that happen in Ukraine don't seem to stay confined there.”

A Signal Update Fends Off a Phishing Technique Used in Russian Espionage

At least eight ongoing lawsuits related to the so-called Department of Government Efficiency’s alleged access to sensitive data hinge on the Watergate-inspired Privacy Act of 1974. But it’s not airtight.

As Elon Musk’s so-called Department of Government Efficiency rampages through the US government, its access to sensitive data is alarming federal agencies and Americans who interact with them. In the month since the Trump administration began its purge of federal workers, opponents fighting DOGE in court have been pinning their hopes of stopping the world’s richest man on a 50-year-old law.

In just a few weeks, DOGE staffers have accessed federal employee records at the Office of Personnel Management, government payment data at the Department of the Treasury, data on student loan recipients at the Department of Education, information on disaster victims at the Federal Emergency Management Agency, and vast amounts of employment- and workplace-related data at the Department of Labor. White House staffers are even pressuring the Internal Revenue Service to grant DOGE access to US taxpayer records. The acting head of the Social Security Administration recently resigned rather than give DOGE access to her agency’s reams of sensitive personal data.

More than half a dozen lawsuits are seeking to block DOGE employees from rifling through these vast troves of data. One thing they all have in common: They allege that DOGE’s actions violate the Privacy Act of 1974.

Here’s how a law passed after Watergate could rein in another president whose self-professed zeal for retribution is unnerving constitutional experts.

The Privacy Act is a law that limits how the federal government can collect, use, and share information about US citizens and other people in the United States.

The law’s core features include letting people access government records about them; letting people correct those records if they contain mistakes; requiring agencies to limit information collection, publish lists of records databases, and protect data from hackers; and restricting how agency employees and third parties can access records.

Those restrictions on accessing data are at the heart of the ongoing DOGE saga.

The Privacy Act prohibits an agency from disclosing someone’s records—even within the agency—unless that person approves in writing or the agency meets one of the law’s 12 exceptions. Most of the exceptions deal with fairly specific circumstances, such as congressional oversight, law enforcement investigations, court orders, census work, statistical research, and National Archives preservation. But there are also two broad, vague exceptions: Agencies can share records with their own employees who “have a need for the record in the performance of their duties” or with third parties for “a routine use” (defined as one that is “compatible with the purpose for which \[the data\] was collected”).

**Why Did Congress Pass the Privacy Act?**

President Richard Nixon illegally used the powers of the government to investigate, intimidate, and punish his political enemies. He tried to use the IRS to target liberal political groups with audits and scrutiny of their tax exemptions, and he deployed the FBI to spy on and harass his political opponents. After Nixon’s resignation over the Watergate scandal, lawmakers sought to prevent future presidents from weaponizing government power.

“Congress must act before sophisticated new systems of information gathering and retention are developed, and before they produce widespread abuses,” North Carolina Democratic senator Sam Ervin said as he introduced one of the bills that inspired the Privacy Act. “The peculiarity of new complex technologies is that once they go into operation, it is too late to correct our mistakes or supply our oversight.”

After months of congressional wrangling that saw the elimination of Ervin’s proposed independent privacy oversight board, President Gerald Ford signed the Privacy Act into law on December 31, 1974. Ford, who had chaired the Domestic Council Committee on the Right of Privacy that Nixon created during his final months in office, highlighted “the vital need to provide adequate and uniform privacy safeguards for the vast amounts of personal information collected, recorded, and used in our complex society.”

**How Is This Relevant Today?**

DOGE’s critics—including Democratic lawmakers, federal employee unions, and government watchdog groups—argue that giving the office’s young, controversial, and seemingly largely unvetted staffers access to sensitive government data constitutes a major privacy breach. The incidents represent “the largest and most consequential breach of personal information in US history,” according to John Davisson, a lawyer for the Electronic Privacy Information Center, one of the groups suing to block DOGE’s access.

The Trump administration, meanwhile, says DOGE employees need this data access to accomplish their mission of eliminating wasteful spending and shuttering programs that conflict with President Donald Trump’s agenda. After one federal judge temporarily blocked DOGE’s access to government payment systems, a White House spokesperson called the ruling “absurd and judicial overreach.” Musk targeted the judge on X, saying, “He needs to be impeached NOW!”

**Can the Privacy Act Stop DOGE?**

It will depend on whether multiple judges agree with the Trump administration’s arguments claiming the law doesn’t prevent DOGE staffers from accessing agencies’ sensitive data.

The government contends that people can only sue agencies under the Privacy Act in one of four scenarios: when an agency refuses to grant someone access to a record about them; when an agency refuses to modify someone’s record as they requested; when an agency fails to keep someone’s record up to date and they experience concrete harm, such as a denial of benefits; or when an agency otherwise violates the law’s requirements in ways that adversely affect someone. It remains to be seen whether judges will determine that DOGE’s access to data adversely affects people.

Agencies have also argued that they aren’t violating the Privacy Act because DOGE’s activities fall under the law’s “routine use” and “need to know” exceptions. In a court filing responding to one legal challenge, the Treasury Department said that DOGE personnel were accessing the data to identify potentially improper payments “in furtherance of \[their\] duties” as directed by Trump (triggering the “need to know” exception) and that sharing this information with other agencies fell under one of the “routine uses” that the agency had previously disclosed as required by the Privacy Act.

The strength of that argument rests on how judges weigh two questions: whether the DOGE personnel accessing each agency’s data are employees of those agencies, and whether the two exceptions apply to the situations in which they accessed and shared the data.

**Who’s Using the Privacy Act to Sue DOGE?**

There are at least eight lawsuits against the Trump administration over DOGE’s access to federal data, and all of them rely at least in part on the Privacy Act.

1.  The American Federation of Government Employees, the Association of Administrative Law Judges, and more than 100 current and former federal workers are suing DOGE, Musk, and the Office of Personnel Management over what they claim is OPM’s illegal decision to give DOGE staffers access to a federal employee database, alleging that DOGE staffers “lack a lawful and legitimate need for such access.”
2.  The Electronic Privacy Information Center, on behalf of an unnamed federal worker, is suing OPM, DOGE, and the Department of the Treasury for allegedly giving DOGE access to OPM’s personal database and Treasury’s payment system “for purposes impermissible under the Privacy Act.”
3.  The University of California Student Association is suing the Department of Education for allegedly turning over student data to DOGE staffers who are not, in the language of the Privacy Act, “employees who have a need for the records in the performance of their duties.”
4.  Six government labor unions, two nonprofit groups, and the think tank Economic Policy Institute are suing the departments of Labor and Health and Human Services, the Consumer Financial Protection Bureau, and DOGE to prevent the office from accessing a wide range of data, including federal workers’ wage-theft complaints and injury reports, for purposes allegedly “inconsistent with the Privacy Act.”
5.  Two government labor unions and the advocacy group Alliance for Retired Americans are suing Treasury for allegedly giving DOGE access to Americans’ tax returns in alleged violation of both the Privacy Act and the Internal Revenue Service’s own special rules.
6.  The National Treasury Employees Union is suing Acting CFPB director Russell Vought for giving information about CFPB employees to DOGE staffers, alleging their status as “special government employees” places them outside the CFPB and thus outside the Privacy Act’s need-to-know exception.
7.  Nineteen state attorneys general are suing Trump and Treasury over DOGE’s access to federal payment systems, arguing that because “many of the DOGE members given access to \[the system\] were not employees of Treasury,” that constitutes “a violation of the Privacy Act.”
8.  Six Americans are suing the Treasury and DOGE over what they describe as breaches of the sensitive personal data they gave the government while filing tax returns, applying for student loans, requesting disability payments, and receiving retirement benefits.

**Where Do These Cases Stand?**

In the state AGs case, a judge quickly issued a temporary restraining order restricting access to all Treasury systems storing sensitive personal and financial data. The case has since been assigned on a permanent basis to a different judge, who adjusted the order slightly after the Trump administration objected to its restrictions on political appointees. A status hearing took place on February 14.

In the EPIC case, the organization has asked the judge for a temporary restraining order blocking further DOGE access to certain Treasury and OPM systems. A status hearing will be held on February 21.

In the UC students case, the Department of Education is arguing, among other things, that the students haven’t shown any harm; that the Privacy Act only allows courts to pause agency actions in two situations not applicable here; and that the DOGE staffers are Education Department employees allowed to access the data. On February 17, a judge denied the students’ motion for a temporary restraining order, saying they had not suffered “irreparable injury.”

In the Labor, HHS, and CFPB case, the judge rejected the plaintiffs’ request for a temporary restraining order, saying they failed to demonstrate the likely success of their arguments about the Privacy Act and other laws. But he also questioned whether DOGE staffers were employees of the agencies whose data they were accessing—a crucial question for a Privacy Act case.

In the Treasury case, the unions and ARA have asked for a temporary restraining order, but Treasury is making many of the same arguments as the Education Department, including that the Privacy Act can’t be used to pause DOGE staffers’ access to data and invoking the need-to-know and routine-use exception. The judge in the case has temporarily limited access to Treasury’s payment system while weighing the plaintiffs’ request for a restraining order. A hearing is scheduled for February 24.

The AFGE, NTEU, and class-action lawsuits haven’t proceeded beyond the filing of initial complaints.

Elon Musk’s DOGE Is Being Sued Under the Privacy Act: What to Know

A flea market buyer found medical information about hundreds of patients on second hand decommissioned hard drives.

Somebody bought a batch of 15 GB hard drives from a flea market, and during a routine check of the contents they found medical data about hundreds of patients.

After some more investigation in the Netherlands, it turned out the data came from a software provider in the medical industry which had gone bankrupt.

Under Dutch law, storage media with medical data must be professionally erased with certification. The normal procedure is to have them destroyed by a professional company, but that costs money and by selling the hard drives off the company would have brought in a small amount of cash.

This incident reminded me of two important security measures that we sometimes overlook.

The first is obvious. Computers are very bad at “forgetting” things. When you delete a file, the system doesn’t actually remove the file from your hard drive. Only the location of the file is set to “unused” so it may be overwritten at some point, but it often can be recovered. So you need to be careful how you decommission your old hard drives or any devices that have data on them.

One method is to overwrite the present data with zeroes or random numbers. There are several levels of overwriting hard drives:

*   **Single-pass overwrite**: Writing zeros or random data once across the entire disk is often sufficient for traditional hard drives.
*   **Multi-pass overwriting**: More secure methods involve multiple passes (e.g., 3-pass or 7-pass), which can further reduce the chance of data recovery.
*   **NIST 800-88 method**: A recognized standard that includes overwriting with random data followed by zeros and verification. This is the type of method we would like to see when it comes to sensitive data like medical information.

Some modern drives come with a **secure erase** command embedded in the firmware, but you need special software to execute the command, and it may require several rounds of overwrite.

Users that have a Windows computer with UEFI can use the secure erase option in their computer’s BIOS or UEFI settings. The exact steps depend on your computer’s manufacturer and model. Unless you’re afraid of law enforcement or a very skilled attacker that should be enough. For computers pre-dating UEFI you will need specialized software. To find out whether your computer has UEFI:

*   Right-click the Start button
*   Select Run
*   Type msinfo32 and press OK
*   Click System Summary
*   Scroll down to the BIOS Mode value to check whether it says UEFI  
      
    

Non-SSD drives can be degaussed, a method which uses a strong magnetic field to disrupt the magnetic storage on traditional hard drives. However, it is ineffective for SSDs and flash storage.

Which leaves physical destruction as the last option. The usual method to do this, called shredding, involves cutting up hard drives into small pieces and then burning them in an incinerator or shredding machine to destroy their magnetic properties.

The second security measure that is important is to have your data removed from publicly available records. In the Dutch case it’s remarkable and painful that such a company would have this type of information stored on their drives. First of all, the software provider had no right to store this information. Secondly, even with a legitimate reason to store them, the date should have been encrypted, and of course the hard drives should have been decommissioned responsibly.

Depending on the type of information and the origin it seems unlikely that someone would consider to ask for removal of the data. After all, often it’s important that medical information is shared among care providers.

On the other hand, there is a ton of information about everyone in publicly accessible places that we can keep under control by using data removal services. Using a data removal service increases online anonymity, which makes it harder for stalkers, phishers, other attackers, or advertisers to find personal details.

 Hard drives containing sensitive medical data found in flea market 

Plus: Researchers find RedNote lacks basic security measures, surveillance ramps up around the US-Mexico border, and the UK ordering Apple to create an encryption backdoor comes under fire.

As the United States reels from the upheaval caused by Elon Musk’s so-called Department of Government Efficiency (DOGE), hackers from countries the US considers hostile continue to wreak havoc from afar.

New research shows that China’s Salt Typhoon hacking group has expanded its targets list to include universities around the world and at least two more telecoms operating in the US. That brings the total number of US telecommunications networks breached by Salt Typhoon to at least 11.

Russia’s notorious Sandworm hacking unit may be best known for its attacks on Ukraine, including multiple blackouts caused by its cyberattacks and its release of the destructive NotPetya malware. However, a hacking group within Sandworm is now taking aim at targets in Western nations, including Australia, Canada, the UK, and the US, according to research released this week by Microsoft. The group, which Microsoft calls BadPilot, is known as an “initial access operation,” breaching targets for the purpose of handing over access to those systems to other Sandworm hackers.

Meanwhile, we dug into the slimy world of romance scammers who are making ill-gotten fortunes by capitalizing on the loneliness epidemic, and we dipped into the opaqueness of online advertising data that could pose a threat to US national security. Finally, we found that US funding cuts under the new Trump administration are hurting the organizations protecting children from exploitation, abuse, and human trafficking.

And there's more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**The Official DOGE Website Launch Was a Security Mess**

Elon Musk’s DOGE finally started publishing some information about its activities on its threadbare website this week. But it wasn’t the only entity publishing on the site.

Two web developers, working independently, found that it is possible to push updates to the DOGE.gov domain, which claims to be an official US government website. The website uses a database that can be edited by anyone online, the experts told 404Media. To demonstrate the insecurity, they left a couple of messages on the DOGE site: “This is a joke of a .gov site,” one read, while the other says: “THESE ‘EXPERTS’ LEFT THEIR DATABASE OPEN.”

The messages stayed on the website for at least 12 hours and remained visible for some time on Friday. The DOGE website was launched in January and until this week was a single landing page containing very little information. The web experts who discovered the vulnerabilities told 404Media that the website appeared to have been “slapped together.”

The website only started being populated this week—with some figures purporting to show the size of the US government—after Musk promised his organization would be “maximally transparent.” That transparency may have gone a step too far, however, with HuffPost reporting on Friday that the site included classified material.

As well as being insecure, the DOGE website heavily leans on X, the social media platform owned by Musk. DOGE’s homepage is a feed of its own X posts, but it also uses code that directs search engines to X.com instead of DOGE.gov, a WIRED review of the site found. “This isn't usually how things are handled, and it indicates that the X account is taking priority over the actual website itself,” one developer told WIRED.

**RedNote Security Flaws Come Into Focus**

Chinese TikTok alternative RedNote gained around 700,000 US users and courted American influencers when the ban on TikTok loomed in January. While many of those people may have only used RedNote for a few days, a new analysis from the University of Toronto’s Citizen Lab has highlighted how a lack of encryption could have opened up US users to “surveillance by any government or ISP \[Internet Service Provider\], and not just the Chinese government.”

The analysis of RedNote found a host of network security issues in both its Android and iOS apps. RedNote fetched images and videos using HTTP connections, not the industry standard and encrypted HTTPS; some versions of the app contained a vulnerability that allows an attacker to have “read” permissions on a phone; and it “transmitted insufficiently encrypted device metadata.” The flaws were contained in RedNote’s app and several third-party software libraries that it uses. Citizen Lab reported the issues to the companies starting in November 2024 but has not heard back from any of them.

The security researchers say that the vulnerabilities could risk surveillance for all users, including those in China. “As the Chinese government might already have mechanisms to lawfully obtain detailed data from RedNote about their users, the issues that we found also make Chinese users especially vulnerable to surveillance by non-Chinese governments,” the research says.

It underscores that within China even widely used apps may not meet the same security standards as those developed outside the country. “Applications that are popular in China often use no encryption, proprietary encryption protocols, or use TLS without certificate validation to encrypt sensitive data,” the analysis says.

**Military Spy Planes Increase Surveillance Flights at US-Mexico Border**

Over the last two weeks, US spy planes have flown at least 18 missions around the Mexico border, analysis from CNN has shown. The flights mark a “dramatic escalation in activity,” the publication reports, and come as the Trump administration has designated drug cartels as terrorist organizations and has turned the nation’s security apparatus toward deporting millions of migrants. According to CNN, various military planes, including Navy P-8s and a U-2 spy plane, were used in the operations and are capable of collecting both imagery and signals intelligence. Also this week, US Immigration and Customs Enforcement has advertised new contracts that would allow it to monitor “negative” social media posts that people make about it.

**Backlash Mounts Against UK’s Secret Apple Encryption Order**

Last month, the UK government hit Apple with a secret order demanding the company create a way to access data stored in encrypted iCloud backups. The order, called a Technical Capability Notice and issued under the UK’s controversial 2016 surveillance law, was first reported by The Washington Post last week. Since then, there’s been a growing backlash against the demands from the UK government, with many highlighting how a change would impact the security of millions around the world.

US senator Ron Wyden and representative Andy Biggs have sent a letter to Tulsi Gabbard, the new director of national intelligence, saying the order undermines trust between the US and UK. “If the UK does not immediately reverse this dangerous effort, we urge you to reevaluate US-UK cybersecurity arrangements and programs as well as US intelligence sharing with the UK,” the pair said, drawing comparisons to the Chinese-linked Salt Typhoon hacks of US telecom firms that utilized a surveillance “backdoor.” Since details of the order emerged, Human Rights Watch has called it an “alarming overreach,” while 109 civil society organizations, companies, and other groups signed an open letter saying the “demand jeopardizes the security and privacy of millions.”

The Official DOGE Website Launch Was a Security Mess

Veriti Research reported a developing cyber threat campaign centred around the declassification and release of the RFK, MLK…

Veriti Research reported a developing cyber threat campaign centred around the declassification and release of the RFK, MLK and JFK files. Learn more about these attacks and how to stay safe online.

Cybersecurity researchers at Veriti have discovered a cyber threat campaign targeting the release of declassified JFK (John F. Kennedy), RFK (Robert F. Kennedy Jr.), and MLK (Martin Luther King Jr.) files. Cybercriminals are, reportedly, exploiting public fascination with these historical documents to conduct various malicious activities, including malware distribution, phishing schemes, and vulnerability exploits. As media attention on the files increased, Veriti Research noted the rapid creation of potentially malicious online infrastructure.

Shortly after the file release announcement, several suspicious domain names were registered, mimicking legitimate sources related to the JFK files. These included variations of “thejfkfiles” and “rfkfiles” with different domain extensions. Here are some of the suspicious domains identified by the Veriti Research team in its report:

*   **hejfkfilescom – Registered on January 23** 
*   **jfk-filescom – Registered on January 23** 
*   **rfkfilescom – Registered on January 24** 
*   **jfk-filesorg – Registered on January 25**

The timing and naming conventions of these domains suggest they could be used for phishing, malware delivery, or social engineering attacks aimed at stealing user credentials. Veriti Research outlined several likely attack vectors based on their findings. These include:

*   **Embedding malware** within files disguised as official JFK document releases, potentially infecting devices with various malicious software.

*   **Fake websites** mimicking official government or media sources are also anticipated, designed to trick users into downloading harmful files or revealing sensitive information.  

*   **Exploiting browser vulnerabilities** through malicious websites is another concern, potentially allowing attackers to compromise systems simply by users visiting compromised sites.  

*   **Email phishing campaigns**, with emails posing as reputable institutions or individuals offering exclusive access to the files, likely containing malicious attachments or links.

A timeline of Key Events and their Corresponding Hacking Campaigns (Source: Veriti Research)

This aligns with Hackread.com’s previous reports highlighting how cybercriminals quickly exploit major public events, such as COVID-19 scams, the Gaza crisis, the California wildfire and more.

Moreover, last year Check Point Research reported that cybercriminals were exploiting Deepfake technology to conduct electoral fraud such as manipulating voters and sabotaging the entire electoral process. The image demonstrates the rapid adaptability of cybercriminals to real-world events.

These incidents highlight the need for cyber resilience against social engineering, as attackers understand that heightened curiosity and urgency can lower people’s guard. Veriti Research stressed the importance of verifying information sources and only accessing the declassified files through official channels like the National Archives.

Scammers Exploit JFK Files Release with Malware and Phishing

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed two vulnerabilities in ClearML and four vulnerabilities in Nvidia. 
The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.   
For Snort

Friday, February 14, 2025 11:55

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed two vulnerabilities in ClearML and four vulnerabilities in Nvidia. 

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.   

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.    

**ClearML XSS and information disclosure vulnerabilities **

_Discovered by Edwin Molenaar of Cisco Meraki._  

ClearML contains two vulnerabilities. ClearML is an open-source AI platform that supports the entire AI development lifecycle from research to production. It is designed to integrate with existing tools and infrastructures, allowing developers and DevOps teams to build, train and deploy models at scale. 

TALOS-2024-2110 (CVE-2024-39272) is a cross-site scripting vulnerability. A specially crafted HTTP request can allow an attacker to upload HTML files to a dataset through an existing ClearML account. The files can later be rendered within the browser of an authenticated ClearML user and execute JavaScript.  

TALOS-2024-2112 (CVE-2024-43779) is an information disclosure vulnerability. A specially crafted HTTP request can lead to an attacker reading vaults that have been previously disabled, possibly leaking sensitive credentials. An attacker can send a series of HTTP requests to trigger this vulnerability. 

**Nvidia memory corruption and heap-based buffer overflow vulnerabilities **

_Discovered by Dimitrios Tatsis._ 

The nvJPEG2000 library is provided by NVIDIA as a high-performance JPEG2000 encoding and decoding library. The prerequisite is a CUDA enabled GPU in the system that allows faster processing than traditional CPU implementations. 

TALOS-2024-2080 (CVE-2024-0142) and  TALOS-2024-2095 (CVE-2024-0143) are memory corruption vulnerabilities. A specially crafted JPEG2000 file can lead to an out-of-bounds write with arbitrary data which can lead to further memory corruption and arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. 

 TALOS-2024-2108 (CVE-2024-0144) and TALOS-2024-2113 (CVE-2024-0145) are heap-based buffer overflow vulnerabilities in the Ndecomp field handling and parameter. A specially crafted JPEG2000 file can lead to memory corruption and arbitrary code execution. An attacker can provide a malicious file to trigger these vulnerabilities.

ClearML and Nvidia vulns

The China-sponsored state espionage group has exploited known, older bugs in Cisco gear for successful cyber intrusions on six continents in the past two months.

Source: Imagechina Limited via Alamy Stock Photo

The Chinese advanced persistent threat (APT) known as Salt Typhoon has targeted more than a thousand Cisco devices located within the infrastructures of telecommunications companies, internet service providers (ISPs), and universities.

Salt Typhoon (aka RedMike, Earth Estries, FamousSparrow, GhostEmperor, and UNC2286) first made its name last fall, with explosive reports about its targeting major US telecommunications providers like T-Mobile, AT&T, and Verizon. In the process, it managed to eavesdrop on US law enforcement wiretaps, and even the Democratic and Republican presidential campaigns.

Apparently, all that new media attention did little to slow it down. According to Recorded Future's Insikt Group, Salt Typhoon — which Insikt tracks as "RedMike" — attacked communications providers and research universities worldwide on six occasions in December and January. The group exploited old bugs in Cisco network devices to infiltrate its targets, and this may not actually be the first time it tried this tactic.

In a statement to Dark Reading, a Cisco spokesperson wrote that "We are aware of new reports that claim Salt Typhoon threat actors are exploiting two known vulnerabilities in Cisco devices relating to IOS XE. To date, we have not been able to validate these claims but continue to review available data." They added that "In 2023, we issued a security advisory disclosing these vulnerabilities along with guidance for customers to urgently apply the available software fix. We strongly advise customers to patch known vulnerabilities that have been disclosed and follow industry best practices for securing management protocols."

Related:Chinese APT 'Emperor Dragonfly' Moonlights With Ransomware

**Salt Typhoon's Latest Attacks on Elecom, Unis**

Back in October 2023, Cisco urged all of its customers to immediately pull all their routers, switches, etc., off the Web — at least those running the IOS XE operating system. An attacker had been actively exploiting a previously unknown vulnerability in the user interface (UI) which, without prior authorization, allowed them to create new local accounts with administrative privileges. The issue was assigned CVE-2023-20198, with the highest possible score of 10 out of 10 on the Common Vulnerability Scoring System (CVSS).

Just a few days later, Cisco revealed a second IOS XE web UI vulnerability that was being exploited in tandem with CVE-2023-20198. CVE-2023-20273 took the first vulnerability a step further, allowing attackers to run malicious commands on compromised devices using root privileges. It earned a "high" 7.2 CVSS score.

Related:Salt Typhoon's Impact on the US & Beyond

Evidently, Cisco's warnings were not heard loudly and widely enough, as Salt Typhoon followed this exact path to just recently compromise large organizations on six continents. With the complete power afforded by CVE-2023-20198 and CVE-2023-20273, the threat actor would then configure Generic Routing Encapsulation (GRE) tunnels connecting compromised devices with its own infrastructure. It used this otherwise legitimate feature to establish persistence and enable data exfiltration, with less risk of detection by firewalls or network monitoring software.

Though Insikt tracks this campaign only back through December, it's possible that this isn't the first time Salt Typhoon has used Cisco devices to target major telcos.

"Very little detail is currently publicly available about the Salt Typhoon-linked intrusions against US telecommunications providers uncovered in September 2024, including whether or not Cisco devices were involved," explains Jon Condra, senior director of strategic intelligence at Recorded Future. "Notably, CISA in December 2024 put out defensive guidance for communications providers that implies that Cisco devices have been exploited, linked to the Salt Typhoon intrusions, without providing specifics. We do know that Cisco devices have been targeted by Chinese APT groups on many occasions in the past, as with a variety of other edge devices."

Related:Magecart Attackers Abuse Google Ad Tool to Steal Data

**Salt Typhoon's Latest Cyberattack Victims**

Organizations affected by this campaign include a US affiliate of a UK telco, a US telco and ISP, an Italian ISP, a South African telco, a Thai telco, and Mytel, one of Myanmar's premier telcos.

"Salt Typhoon targets telecommunications systems which are some of the most complicated Frankenstein-esque examples of architectures that exist," explains Zach Edwards, senior threat researcher for Silent Push. That even old vulnerabilities might still be exploited against telcos, he suggests, isn't such a mystery: "They possess some technologies in certain systems dating back decades that, in many cases, cannot be replaced, and with other modernized aspects that remain vulnerable to sophisticated attacks."

And besides telcos and ISPs themselves, Salt Typhoon also attacked 13 universities, including the University of California, Los Angeles (UCLA) and three more US institutions, plus more in Argentina, Indonesia, the Netherlands, etc. As Insikt noted, many of these universities perform significant research in telecommunications, engineering, and other areas of technology.

Overall, while more than 100 countries have been touched by this campaign, more than half of the devices compromised have been in South America, India, and, most often, the US.

Recorded Future's Condra emphasizes that while prior Salt Typhoon coverage has been US-centric, he says, "The group’s targeting extends far beyond US borders and is truly global in scope. This speaks to strategic Chinese intelligence requirements to gain access to sensitive networks for the purposes of espionage, gaining the ability to disrupt or manipulate data flows, or pre-position themselves for disruptive or destructive action in the event of an escalation of geopolitical tensions or kinetic conflict."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Salt Typhoon Exploits Cisco Devices in Telco Infrastructure

Hazel discusses Interpol’s push to rename pig butchering scams as ‘romance baiting’. Plus, catch up on the latest vulnerability research from Talos, and why a recent discovery is a “rare industry win”.

Thursday, February 13, 2025 14:05

Welcome to this week’s edition of the Threat Source Newsletter.

Love is in the air this week. Wait, is that love? Or is it some tech bro with a housing development company (that would totally love to meet in person but can’t this week) emailing you about an investment opportunity in his cryptocurrency scheme?

You may be seeing a lot of ‘Beware of romance/ pig butchering scams’ articles around Valentines Day. This isn’t really one of those. Although, if said tech bro initiates a course of love bombing mixed in with wire transfer requests, report that dude quicker than the roadrunner declares “meep meep”. 

I recently came across an article on The Hacker News that talked about how Interpol is pushing for a “linguistic shift” when it comes to pig butchering scams. They’re advocating for the term to be replaced by ‘romance baiting’.

In a statement, Interpol explained their reasoning:

_"The term 'pig butchering' dehumanizes and shames victims of such frauds, deterring people from coming forward to seek help and provide information to the authorities,"_

Pig butchering originates from a Chinese phrase. Its meaning is derived from “fattening a pig before the slaughter”. When we put that in the context of online scams, the emphasis is on the victim, with some not so nice connotations (and a certain sense of inevitability attached to it). 

By flipping the script and renaming pig butchering as romance baiting, Interpol suggests this could have a positive effect on the psychological nature of being targeted:

_"Words matter. We've seen this in the areas of violent sexual offences, domestic abuse, and online child exploitation. We need to recognize that our words also matter to the victims of fraud," INTERPOL Acting Executive Director of Police Services Cyril Gout said._

_"It's time to change our language to prioritize respect and empathy for the victims, and to hold fraudsters accountable for their crimes."_

I wholeheartedly agree. Victim blaming only causes more harm. The more we can do to encourage people to report perpetrators, without feeling a sense of shame, the better. 

What do you think? Will you be changing the narrative the next time you talk about romance scams? Are there any other terms in our industry that potentially put more focus on the victim than the adversary?

**The one big thing**

In the latest Talos Vulnerability Deep Dive, the team picked out something that had caught their attention during an earlier investigation of the macOS printing subsystem: IPP over USB specification, which defines how printers that are available over USB can only still support network printing via Internet Printing Protocol (IPP). During this new investigation, Talos decided to look at how other operating systems handle the same functionality. 

The result? Some pretty good news actually. Although the potential vulnerability Talos discusses in this article is very real, mitigating circumstances make it less severe. The vulnerability is discovered and made unexploitable by modern compiler features, and we are highlighting this as a rare win.

**Why do I care?**

We often hear of all the failings of software and vulnerabilities and mitigation bypasses, and we felt we should take this opportunity to highlight the opposite. In this case, modern compiler features, static analysis via -Wstringop-overflow and strong mitigation via FORTIFY\_SOURCE, saved the day.

**So now what?**

The modern compiler features detailed above should always be enabled by default. Additionally, those compiler warnings are only useful if someone actually reads them. Check out this excellent write up of the vulnerability, and the proof of concept.

**Top security headlines of the week**

Lawmakers unite to push forward Cyber Force: “A group of House lawmakers are working to keep the idea of creating a Cyber Force at the Pentagon a top cyber policy topic on Capitol Hill this year.” (Politico).

Authorities Disrupt 8Base Ransomware: “The 8Base ransomware group’s infrastructure has been disrupted and leaders have been arrested in an international law enforcement operation, Europol announced.” (Security Week)

Magecart Attackers Abuse Google Ad Tool to Steal Data: “Attackers are smuggling payment card-skimming malicious code into checkout pages on Magento-based e-commerce sites by abusing the Google Tag Manager ad tool.” (Dark Reading).

Update to iOS 18.3.1 Right Now. There’s a ‘Sophisticated Attack’ Risk, Apple Says: “A physical attack may disable USB Restricted Mode on a locked device. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.” (Vice).

**Can't get enough Talos?**

Google Cloud Platform Data Destruction via Cloud Build

Web shell frenzies, the first appearance of Interlock, and why hackers have the worst cybersecurity: IR Trends Q4 2024 

Catch up on the latest Talos Takes podcast:

**Upcoming events where you can find Talos**

RSA (April 28-May 1, 2025) San Francisco, CA

TIPS 2025 (May 14-15, 2025) Arlington, VA

**Most prevalent malware files from Talos telemetry over the week**

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 

MD5: 2915b3f8b703eb744fc54c81f4a9c67f 

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 

Typical Filename: VID001.exe 

Claimed Product: N/A 

Detection Name: Win.Worm.Coinminer::1201 

SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91 MD5: 7bdbd180c081fa63ca94f9c22c457376 VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91 

Typical Filename: c0dwjdi6a.dll 

Claimed Product: N/A 

Detection Name: Trojan.GenericKD.33515991

SHA256:47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 

MD5: 71fea034b422e4a17ebb06022532fdde 

VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 

Typical Filename: VID001.exe 

Claimed Product: n/a  

Detection Name: Coinminer:MBT.26mw.in14.Talos 

SHA256:873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f  

MD5: d86808f6e519b5ce79b83b99dfb9294d   

VirusTotal: 

https://www.virustotal.com/gui/file/873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f 

Typical Filename: n/a  

Claimed Product: n/a   

Detection Name: Win32.Trojan-Stealer.Petef.FPSKK8   

SHA-256: 6adbdd262a335eb59c55ca1c8b21efc1cc5a8bf0f8f5662e78fd9f00141feed1

MD5: 35f8db3dde368c6d25239d27fd79a4a7

VirusTotal: https://www.virustotal.com/gui/file/6adbdd262a335eb59c55ca1c8b21efc1cc5a8bf0f8f5662e78fd9f00141feed1/details

Typical Filename: n/a  

Claimed Product: n/a   

Detection Name: easysmartpdf.msi

Tag

#ios