Welcome back to the TCE Strategy monthly technology and cybersecurity newsletter! The mission of this publication is to cut through the clutter of cybersecurity news stories and provide you with the most important, relevant and actionable cybersecurity information.
If this newsletter adds value, fantastic! That is the goal. Please forward it on to friends/colleagues. If not, no hard feelings. Please look to the bottom for an easy-to-click "unsubscribe" button.
Mergers / Acquisitions and cybersecurity sometimes don’t mix well.
Greetings, and welcome back to another month in the wild world of cybersecurity. This morning I decided to focus on a topic that gets most people’s attention: money. More specifically, when companies buy or merge with other companies, there may be a lot of money involved. Say, for example, $44 billion. That’s a lot of money by almost anyone’s standards.
Elon Musk made a bid to buy Twitter for $44 billion, and now he doesn’t want to buy Twitter anymore. In order to not buy Twitter, he needs a good reason that may hold up in court, which he has been having a hard time finding by most people’s accounts. Peiter "Mudge" Zatko, Twitter’s former head of cybersecurity (or CISO, which stands for Chief Information Security Officer), may have just given Elon a helping hand in finding a reason to not have to go through with it.
The breach underscored two gigantic issues at Twitter: First, people with global administrator rights at Twitter can be conned out of their credentials by 3 teenagers. This shows a serious lack of cybersecurity awareness training, policies and procedures, checks and balances, etc. Second, someone thought it was a good idea to SET UP TWITTER ADMIN ACCOUNTS TO BE ALLOWED TO SEND REAL TWEETS TO THE REAL INTERNET USING ANY ACCOUNT THEY WANT TO. In hindsight, this was the greater failure on Twitter’s part than the admin account compromise. Setting up a system that allowed Twitter admins to send real tweets as any account they chose was lunacy, but in Twitter’s infancy, it really didn’t matter much, because in the early days of Twitter, Twitter itself didn’t matter much in the grand scheme of things. Fast forward to 2016, and Twitter mattered a whole heck of a lot. However, it wasn’t in their financial best interest to fix this problem even though Twitter became hugely popular, so they didn’t. After the breach, they hired Mudge to help them clean up the mess.
Mudge has been in cybersecurity since long before it was considered cool. He was one of the people in the 1990s who started disclosing vulnerabilities in commercial software packages to the developers of those packages, literally decades before there were bug bounties offered to do so. He testified in front of Congress in 1998 to bring their attention to Internet critical infrastructure vulnerabilities. He was an advisor to Bill Clinton’s administration. He worked for DARPA back in 2010 (DARPA literally invented many fundamentals of the Internet), for Google in 2013, and then went back to help the White House in 2015. This guy has a background in the world of cybersecurity that extremely few people have.
Mudge has alleged that Twitter has a long list of cybersecurity issues, including Twitter execs deliberately misleading regulators and their own board of directors, not properly preventing foreign intelligence services from planting people in Twitter as employees, not deleting data after they agree to do so, and so on. Serious stuff. On the other side of the argument, Twitter fired Mudge in January 2022 for “ineffective leadership and poor performance”, but I should note that there was a change in CEOs of Twitter between 2020 (Jack Dorsey) and 2022 (Parag Agrawal, Twitter’s former CTO).
This is why Twitter is in such a predicament at the moment. Elon wants out of the Twitter acquisition, but he needs to prove that Twitter falsely represented the company in such a way that it has a “material adverse effect” on Twitter. This has not gone well for Elon so far. Mudge may have just changed that, and Elon’s lawyers just subpoenaed him. So, we may find that not taking cybersecurity seriously could have a dramatic impact on a 44-billion-dollar acquisition. Wow.
There was a dramatically different acquisition a few years ago that came to light a few months ago that also involved cybersecurity. This was more of the “smash and grab” type of crime. A company called Tassel Parent, Inc. decided to buy a company called Graduation Alliance, Inc., for $130 million. An email breach allowed hackers to intercept emails from the law firm helping to do this deal, and somehow the hackers got the $130 million wired to them instead of Graduation Alliance, Inc.
Now the question: who is responsible? Who owns Graduation Alliance, Inc.? Tassel Parent paid for it, but Graduation Alliance never got the money. Who is at fault? As so often occurs in cases where technology allows a type of crime to take place that wasn’t reasonable to do before that technology existed, there aren’t many legal precedents or existing laws to lean on. There was something called a “medallion guarantee” that the law firm was supposed to require from anyone requesting payment, and they failed to require it, but apparently that doesn’t necessarily pin the blame on the law firm. It’s fascinating reading.
The takeaways from this month’s rollercoaster are simple: Protect your email accounts with strong passwords and multi-factor authentication. Protect the devices that you read/write emails on with strong passwords, patched software and a good antivirus package. Take cybersecurity seriously as a company, and don’t mislead others about the real cybersecurity posture of your organization. Your company’s definition of what is Secure Enough may not match someone else’s, but don’t lie about it.
Until next month, stay safe!
Upcoming Speaking Events
Live events are back in action! Here is a list of the cities that I will be in for 2022. Please feel free to reach out if you have an event in mind.
September 14th-16th, San Diego, CA
September 19th-21st, Chicago, IL
October 19th-21st, Durham, NC
November 7th-10th, Atlanta, GA
November 28th-December 2nd, Key West, FL
Third-party risk management is critically important in the world of cybersecurity. Here are some examples of why.
With the recent list of data breaches potentially exposing your personal data, now might be the time for a refresher on freezing your credit. Concerned about someone taking out a credit card or loan in your name? It’s a very reasonable concern, and since the Equifax breach in 2017, it’s one that you can largely avoid by placing a credit freeze on your information with the companies that handle this data. The three largest are Experian, TransUnion and Equifax. It is now free to freeze and unfreeze your credit (they used to charge for this “privilege” of keeping yourself safe, similar to how phone companies used to charge for not publishing your name in the phone book. Pure robbery).
There are a few reasons to not freeze your credit. It’s inconvenient to unfreeze it when you really do need a new loan or credit card. Credit checks also occur in unusual places, such as changing cell phone providers or moving utilities (water, power, natural gas, etc.) into your name. That being said, I think it’s the right thing to do for most people, especially now that it’s free to freeze and unfreeze it.
To freeze your credit, you must contact each of the three major consumer credit bureaus (Equifax, Experian and TransUnion) and request a credit freeze. You will need to provide your name, address, birth date, and Social Security number. After answering a few identity verification questions, you will receive a PIN that can be used to unfreeze and refreeze your credit report. Credit freezes are required by federal law to be offered for free by all three credit bureaus.