September 2022 Cybersecurity News & Tips | Twitter Cybersecurity Follow-Up

*|MC:SUBJECT|*

View this email in your browser

Welcome back to the TCE Strategy monthly technology and cybersecurity newsletter! The mission of this publication is to cut through the clutter of cybersecurity news stories and provide you with the most important, relevant and actionable cybersecurity information.

If this newsletter adds value, fantastic! That is the goal. Please forward it on to friends/colleagues. If not, no hard feelings. Please look to the bottom for an easy to click "unsubscribe" button.

In this issue:
Month's News in Review
Upcoming Speaking Events
TCE Strategy in the News
Must Read Articles This Month
Cybersecurity Tip of the Month

Enjoy this month's newsletter? You can use this link to post on social media or send to friends! Thanks for sharing!

https://bryceaustin.com/newsletter/september-2022-cybersecurity-news-tips-twitter-cybersecurity-follow-up/

This Month's News in Review

Follow-up to last month’s story on the Twitter CISO whistle-blower case.

I received a number of questions and comments regarding last month’s newsletter where I outlined the whistle-blower complaint that the former CISO of Twitter, Peiter “Mudge” Zatko has leveled against the company. Since then, Mudge has testified in front of Congress about some pretty serious security issues, such as Twitter not having separate environments for production vs development vs testing. Elon Musk is trying to use the $7.75 million severance agreement between Twitter and Mudge as yet another angle to get out of the Twitter purchase deal he signed. Most of the questions centered around why it was such a bad thing that Twitter admin accounts were set up to allow them to send real time tweets as any user on Twitter to the real Twitterverse. Let’s discuss.

As part of any reasonable cybersecurity exercise, it is important to develop a reasonable “worst case scenario” on what a cybercriminal could do if he/she had control of a given system. For example, if a cybercriminal hacks the water supply of a given town, the water of that town could be made unsafe or even deadly. So, what is a reasonable worst-case scenario for Twitter in 2022? Here are a couple of ideas:

Idea 1: Profit

Cybercriminals gain control of an admin account at Twitter.
Cybercriminals fly out of the USA to a non-extradition country. This is a country that has not agreed to cooperate with USA law enforcement.
Cybercriminals bet very heavily against the stock market.
Cybercriminals send tweets from Jeff Bezos and Bill Gates and Warren Buffet and Obama and Biden and others saying things that are certain to tank the stock market. Remember from last month’s newsletter, these are accounts where phony send-me-bitcoin-and-I’ll-send-you-back-more-bitcoin tweets were really sent from.
Cybercriminals make millions and are never seen from again.

Idea 2: Politics

Cybercriminals gain control of an admin account at Twitter.
Cybercriminals want to influence an election.
Cybercriminals make damaging claims against the politician they want to lose, and they use extremely popular Twitter accounts to do it.
Cybercriminals alter the outcome of a close election.

Idea 3: Violence

Cybercriminals gain control of an admin account at Twitter.
Cybercriminals want to incite violence, or even start a war.
Cybercriminals send Tweets designed to incite violence or start a war from the Twitter accounts of people in a position to actually start a war.
Violence and/or war erupts.

The last scenario feels a little far-fetched in 2022, but remember that in 2016-2020, Twitter was a very large source of news from the White House, so it isn’t such an unreasonable scenario given the timeline that the Twitter breach took place.

These are things that could have happened, but thankfully they didn’t. The takeaway from this line of thinking is as follows: for your company or for you personally, what is the reasonable “worst case scenario” that could occur if a cybercriminal gets hooks into your network? What can you do to mitigate that risk using a minimum of resources? Until you identify the cybersecurity problems you need to solve, making the best moves to solve them is much more difficult.

Until next month, stay safe!

Upcoming Speaking Events

Live events are back in action! Here is a list of the cities that I will be in for 2022. Please feel free to reach out if you have an event in mind.

September 14th-16th, San Diego, CA
September 19th-21st, Chicago, IL
October 19th-21st, Durham, NC
October 31st-November 2nd, Stevenson, WA
November 7th-10th, Atlanta, GA
November 28th-December 2nd, Key West, FL

TCE Strategy in the News

Thank you to Jennifer Hoff and the Kare11 NBC team for the opportunity to speak with them about new cybersecurity scams targeting teenagers.

Interesting Articles

Interesting research here, but to be honest I haven't found public VPN offerings to be overly useful. Mobile hotspots solve most (but not all) of the problems that public VPNs solve with a lot less hassle.

Based on what I'm reading, is this just a hack or is it a case of responsible disclosure in the hopes of implementing positive change?

Cybersecurity Tip of the Month

Password Protecting Files

Do you want to keep a file safe from your IT team? Co-workers? Hackers? Here is a terrific article on how to password protect files. CAREFUL -- If you forget the password, no one can help you get your data back.

https://www.wired.com/story/how-to-password-protect-any-file/

This article covers several popular Microsoft, Google, and Apple office applications, as well as guidance for encrypting hard drives. Even if a program or app is not covered in this article, it is possible that they offer password protection. Any time you are sharing sensitive information, do a quick Google search to see if your program offers this feature. It is another great step to take in your line of cybersecurity defenses.