journal Archives - Cyber Protection Magazine

Security expert collapsed from exhastion

Breach fatigue or too big to fail?

Lou Covey September 19, 2024

As we prepare for the annual October holiday season with Cybersecurity Awareness Month there is an important question to ask. Are we as a society at the point of fatigue over every new security breach, or are the companies getting breached just too big to fail?

Security giant Fortinet announced a data breach this week that was remarkable in two ways. One was how small the breach was (less than 500GB) Two was how calm Fortinet seemed to be about. Security gadfly Dr. Chase Cunningham posted a flippant comment about the breach on Linkedin, encouraging his followers to “buy on the breach.” He pointed out that with big public companies, in security or not, generally take a hit on their stock for a day or two after a breach, but the stock rises to new highs as the dust clears. And no one seems to care about the downstream customers whose data might have been stolen.

A 2010 study published in the Journal of Cost Management concluded that a company could be more profitable if it annoyed unhappy customers more than they already were. The success of that strategy increased with the size of the company, according to the study, and when there were fewer competitors for a customer to turn to.

The reasons for the success were simple. If a pissed off customer decided to go a smaller provider, there were always new customers who signed up, simply because they were the biggest. If there were no smaller competitors, the customer never went away. In the process, the offending company rarely has to pay out to make the customer whole. The study pointed our that companies like United Airlines have notoriously bad customer service, but they rarely lose market share because of it.

Kevin Szczepanski, co-chair of Barclay Damon's Data Security, is much more forgiving

Membership Required

You must be a member to access this content.

View Membership Levels

Already a member? Log in here

In this screenshot, camera footage shows a group of alleged neo-Nazis outside the home of Raw Story investigative reporter Jordan Green.

Scam Bucket: Innocence is no replacement for digital vigilance

Lou Covey September 12, 2024

On Mastodon a poster asked last week, “Looking for an article or blog or text, that succinctly describes, at grade 1 level English, why ‘if you have nothing to hide, you have nothing to fear’ is a crazy and bad argument, and perhaps also includes what some good arguments are.” We thought that is an excellent idea for a Scam Bucket post. Let’s get to the biggest argument against that philosophy.

It may not be scandalous, like a drug addiction, pornography or drug dealing, but there is personal information that everyone wants to keep from someone like passwords, account number and routing number to your bank account, and social security numbers

People who ascribe to the philosophy will readily agree to those limitations of what should be available to public knowledge. What they may not be willing to admit that they have done something in their life that they are ashamed. As Jesus Christ once proclaimed, “No one is without sin. No, not one.”

Sometimes, the error is made in ignorance. Clicking on a link in an email that connects to a porn site. Being rude to a waiter or failing to give a tip. Road rage someone recorded without knowledge or consent. Sometimes it was a mistake they made when they were younger and didn’t know any better… or knew better and did it anyway.

Then there are things that people are totally innocent of but were accused of it anyway. An average of 200–300 people are arrested every year for felonies but are exonerated, according to the National Registry of Exonerations. If the arrest was reported in the news, it is likely the exoneration was not. So the news of the arrest still exists even though they did not commit the crime.

John Gilmore, director of research at the data-scrubbing service DeleteMe, related a story of Jordan Greene, a journalist who covered neo-Nazi rally in North Carolina. Members of the group picked out his face in a photo of the rally, ran it through facial recognition, found where he lived and showed up at his house holding burning flares.

A recent scam has arisen ...

Free Membership Required

You must be a Free member to access this content.

Join Now

Already a member? Log in here

Security concerns reach beyond CISOs

Lou Covey August 14, 2024

The English riots this past week provide a Dickensian “best of times…worst of times.” context to politics in the United Kingdom and possibly the United States later this year. The UK has had a significant political shift in leadership that brought relief to the majority of that countries citizens (the best) but also encouraged the minority opinion to lash out with provocation from domestic actors and foreign states (the worst). This highlight the fact that digital security concerns reaches far beyond the confines of corporate CISO offices.

The rioters are extreme anti-immigration nationalists whipped up by false information regarding the stabbing of several young children and adults at a dance recital in Southport, a town just north of Wales. The disinformation came from several sources but is primarily coming through a Russian-linked website posing as a legitimate American news organization. The claim was meanwhile amplified up by far-right figures Tommy Robinson and Andrew Tate. Robinson was arrested under anti-terrorism laws but is out on bail has been vacationing in Europe. He is still spreading disinformation. Tate is currently under “judicial supervision” for rape and human trafficking charges. X owner Elon Musk has also participated personally in sewing the discord.

Foreign interference grows

Meanwhile, open source intelligence monitored by companies like Zero Fox and Fletch have identified efforts by North Korea and Russia to interfere in elections of Western countries including Germany and the United States. Zero Fox said, “The Telegram-based bot service IntelFetch had been aggregating compromised credentials linked to the Democratic National Committee (DNC) and their websites. This data, primarily sourced from botnet logs and third-party breaches, includes sensitive information such as login credentials for party members and delegates. This breach poses a significant risk of unauthorized access and potential disruptions to the convention.”

Zero Fox said the DNC had been alerted several weeks ago and that the weaknesses fixed. The DNC Convention is set to begin August 19 and Zero Fox was planning on announcing their findings that day to boost their profile.

Membership Required

You must be a member to access this content.

View Membership Levels

Already a member? Log in here

Media training offered for cyber industry

Editors Desk August 13, 2024

“Over the years, the content of news releases, websites and other marketing materials has become formulaic. We know what that formula is and it hurts company credibility,” said Covey.” The repetition in that content obscures the real story of these companies and the sheer volume of it overwhelms the few qualified journalists still working. The use of generative AI makes the problem worse. Generative AI uses the same, repetitive marketing language because that’s how it’s trained on. That results in homogenized messaging, destroying differentiation. This program will restore differentiation and, in the process, make it easier for us to accept and report on industry news. It’s a win-win.”

Cariacture of Google stomping in newspapers

Google at loggerheads over support for journalism

Lou Covey April 24, 2024

Google and the state of California have come to loggerheads over legislation designed to require Google to provide financial support for local journalism. Naturally, Google is fighting this with a PR and lobbying blitz. They and their allies may be missing the point. Whatever the outcome, it could have a profound impact on the democratic process.

The legislation, The California Journalism Preservation Act (CJPA) has been wending its way through the California legislation for about a year. The text of the law says, "This bill … would require … a covered platform (as in Google) to remit a … payment to each eligible digital journalism provider … The … payment would be a percentage, as determined by a certain arbitration process, of the covered platform's advertising revenue generated during that quarter."

History of dispute

A bit of history provides context. Google launched Google News in 2002

Membership Required

You must be a member to access this content.

View Membership Levels

Already a member? Log in here

Commentary: Getting the point of Google News v. the media

Lou Covey April 24, 2024

Cyber Protection Magazine posted a long article about Google’s decision to start de-listing California-based newspapers. We strove to be as objective as possible and present both sides of the argument, but we did say that the opponents were missing the point, hoping that the point would be obvious in the discussion. Here, however, we want to shed objectivity and make the point clear.

Google’s move, generously described, is a preemptive response to California’s Journalism Preservation Act (AB 886) that has yet to pass the Senate. The act will require Google to sit down and negotiate with California publishers over the fair price of publishing content from those media sites.

Note that the bill is not mandating a price. It is mandating a negotiation. That changes the nature of the discussion.

Membership Required

You must be a member to access this content.

View Membership Levels

Already a member? Log in here

Social media hangs itself in TikTok legislation

Lou Covey March 19, 2024

The debate over the appropriateness of the Congressional action against TikTok can be debated for a long time and probably will until the Senate takes action—which could be weeks. What is less debatable is TikTok’s, and pretty much all of the social media industry’s contribution to the situation. In essence, social media has hung itself with its own lifeline.

The industry has long embraced Section 230, a section of Title 47 of the United States Code that classifies them as part of the telecommunications industry. That particular law immunizes social media platforms and users from legal liability for online information provided by third parties. The section also protects web hosts from liability for voluntarily and in good faith editing or restricting access to objectionable material, even if the material is constitutionally protected. These protections do not apply to what is traditionally known as “the media.” That is an important distinction.

The FCC also regulates related to the foreign ownership of telecommunications companies, broadcast, and cable companies, in that it is not allowed. If TikTok expects protection under Section 230, it has to abide by all the FCC regulations, including ownership. In that case, the legislation is consistent with US law.

News media or Telecom?

However, the CEO of TikTok has made the case that the legislation infringes on the First Amendment rights of the company, creators, and users because… wait for it … TikTok is a major source of news for users. In other words, it is a news medium. According to TikTok, 43 percent of users rely on the app for daily news. But that sets up an entirely different problem.

Print, broadcast, and cable media are bound by ethics and laws to print truth. If they knowingly publish defamatory and untrue information, they can be sued by the injured party. That was most recently and famously demonstrated in the lawsuits against Fox News and Rudy Guiliani for intentionally spreading lies about election technology related to the 2020 US election.

Those same lies were and still are spread on social media platforms, including TikTok, with impunity under the protection of Section 230. But if they are a news medium, the protections of Section 230 go away and TikTok and creators who spread disinformation can now be held accountable for libel and slander.
Social media companies can adjust algorithms limiting what kind of information can be distributed on their networks and they reluctantly apply those restrictions when they are pushed to. But they can’t be sued for disseminating that information under Section 230. If they