Cloudflare percolated back into the news cycle last week when the company, which provides security services to websites, blocked Kiwi Farms as a client. Kiwi Farms has a reputation as being the worst trolling site on the internet, where individuals meet to collate and create action plans targeting individuals for both online and physical harassment including doxing and swatting (taking action that results in a police SWAT team arriving at a given address to neutralize the reported threat to life).

Social networks were aflame with calls for Cloudflare to cease providing its services to Kiwi Farms. Indeed, a recent Vice article, which highlighted the case of Clara Sorrenti, also known as Keffals, an online streamer who has been doxed multiple times and was arrested on August 5 during a swatting raid on her home, noted that there have been at least three cases of individuals dying by suicide as a result of the targeted harassment organized on Kiwi Farms.

We have discussed election security for many years, perhaps more so within the last ten years with the documented confirmation of interference by nation states (Russia, China and Iran). Until recently, however, domestic election interference that leverages the power of social networks wasn’t recognized and, frankly, didn’t exist. The power of social media to influence elections has now been thrust into the spotlight again with the whistleblower allegations of Twitter’s former CISO.

History of social media influence on U.S. elections

The 2008 and 2012 election campaigns of President Barack Obama displayed the power of social networks in delivering platform points and energizing the electorate. Pundits and technical analysts at that time (including me) characterized the effort as Obama’s campaign smoking their opponents on the social network landscape. This success was achieved through a better understanding of the social network medium and the amplification provided through viral messaging.

The Federal Trade Commission (FTC) flexed its muscle on August 29, 2022, when it filed a lawsuit against Kochava, Inc., for harvesting, aggregating, collating, and then selling the “precise geolocation data” of millions of individuals in violation of the FTC Act.

FTC complaint: Data allows tracing individuals to and from sensitive locations

The FTC explains that Kochava acquires the location data, which originated from individuals’ mobile devices, from an array of data brokers. Kochava then creates customized data feeds and markets these feeds to commercial clients. Their clients’ rationale for paying up to $25,000 per feed, according to the FTC, is to “know where consumers are and what they are doing.” Kochava is “then selling of geolocation data from hundreds of millions of mobile devices that can be used to trace the movements of individuals to and from sensitive locations.” The FTC identified “reproductive health clinics, places of worship, homeless and domestic violence shelters, and addiction recovery facilities” as the type of locations that could be identified as having been visited by individuals.

It seems as if everyone is playing “buzzword bingo” when it comes to zero trust and its implementation, and it starts with government guidance. The White House’s comments in January on the Office of Management and Budget’s (OMB’s) Federal Zero Trust Strategy for all federal agencies and departments were both pragmatic and aspirational. Their observation, citing the Log4j vulnerability as an example, sums it up nicely: “The zero-trust strategy will enable agencies to more rapidly detect, isolate, and respond to these types of threats.”

It seems like just yesterday that the mad scramble following the SolarWinds compromise elevated supply chain security to the forefront for every entity, regardless of sector. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) formed the Information and Communications Technology (ICT) Supply Chain Risk Management Task Force in an effort to unite public and private entities with the goal of developing an actionable strategy to enhance supply chain security.

From the CISO perspective, a recent industry report from Coalfire on Software Supply Chain Risk hit the nail on the head: “Managing risk within software supply chains and product development lifecycles has become as important as protecting traditional, physical inventories and equipment supply lines.” Their survey, conducted with CyberRisk Alliance, highlighted how 52% of managers are concerned about software exposed to attack.

In late July 2022, Politico ran a story detailing how the U.S. Department of Justice was investigating a recent data breach of the federal court system, which dated back to early 2020. The chair of the House Judiciary Committee, Jerrold Nadler (D-NY), described the breach as a “system security failure of the U.S. Courts’ document management system.”

On the same day, July 28, 2022, the U.S. Government Accountability Office (GAO) published the report GAO-22-105068, “U.S. Courts: Action Needed to Improve IT Management and Establish a Chief Information Officer.” The GAO report described systemic shortcomings in the administration of the U.S. court system, including the lack of a CIO to oversee the substantive infrastructure.

In the world of espionage and intrigue, China has always played the long game, planning far beyond the next quarter, looking over the horizon at the next generation. For this reason, it should come as no surprise that China and Chinese government-supported companies like Huawei will look at every avenue to advance the long-term goals of the Chinese Communist Party (CCP).

With this in mind, CNN’s exclusive report on the FBI’s investigation into how Huawei’s equipment could be used to disrupt and listen to U.S. nuclear arsenal communications should not have come as a surprise.

Every time a user opens an app on their device, it seems they are being asked to provide both information necessary to engage with the app and far too often additional information that falls into the nice-to-have or marketing niche. Having CISOs participating in the discussions on what data is necessary for an app to function is table stakes. They should have a say in how that data is parsed to determine how it must be protected to remain in compliance with privacy laws. In addition, CISOs have a role to play in assisting the workforce in remaining safe online as well as protecting their (and the company’s) privacy.

The risks of data over-collection

During a recent conversation with Rob Shavell, founder of DeleteMe, he commented that data over-collection by companies is a rampant problem. The data brokers take what you give them and what they scrape, then package and sell it. He notes, “Employers are now helping employees protect their PII [personally identifiable information] as it is in the company’s interest to do so.”

The headline read, “How an unqualified sex worker allegedly infiltrated a top Air Force lab,” and our eyes immediately rolled as we read the bizarre case of Dr. James Gord. He maneuvered a 32-year-old sex worker into a position of trust within Spectral Energies, a government contractor associated with the U.S. Air Force Research Laboratory located at Wright-Patterson Air Force Base. His motivation? He wished to keep his sexual liaison sub rosa.

It is stuff right out of Ripley’s Believe It or Not. While we sit and smirk at the ridiculousness of the situation, a deeper dive gives CISOs and their organizations food for thought as we dissect how Gord was able to manipulate his business partner and others to successfully place an individual within his company who had no business being there. Specifically, it underscores the value of background checks on individuals being placed into sensitive roles.

Much has been written about NSO Group’s collision with government reality when the Israeli firm found itself on the wrong side of a business decision to sell its technologies to entities that used them to target human rights activists, political leaders, journalists, and a bevy of U.S. persons. The collision came in the form of the U.S. government blacklisting the company, effectively drying up a great percentage of its clients to the point where bankruptcy was seen on the horizon.

White House nixes L3Harris interest in NSO

Then, according to a recent New York Times exposé, U.S. defense contractor/supplier L3Harris allegedly attempted a Phoenix-like save to raise the charred NSO from the ashes, with the sub rosa assistance of the U.S. intelligence community. Apparently, L3Harris had its eye on the “zero-click” exploit provided by NSO’s Pegasus for resale or exploitation by the U.S. For those not well versed in the government supply and contract world, L3Harris has expertise in the exploitation of cellphones.