News

The recent signal Houthi PC small group chat scandal raises some fundamental issues that all organizations are also challenged with.

If you are not aware, Michael Waltz (Secretary of Defense) created a chat group in Signal that included Marco Antonio Rubio (secretary of state), JD Vance (VP), Tulsi Gabbard (the Director of Mational Intelligence), Scott Bessent (Treasury Secretary), Pete Hegseth, Brian Hughes (National Security Council), John Ratcliffe (Directory of CIA), plus the journalist Jeffrey Goldberg. The group included 18 people in total. The group then went on to discuss who should be point of contacts and then discussed timing, phases, and equipment to be used in a military strike.

Tuli Gabbard, John Ratcliffe, Kash Patel, and others also testified at the Senate hearing on global threats https://www.youtube.com/watch?v=OBbR9utZLLM

The Atlantic has now published the full text of the chat on Wednesday

What lessons can we learn from this incident?

The first is a challenge that we see popping up all the time. How do you know who you are talking to? Phishers frequently send out emails, text messages, and voice or video calls pretending to be the CEO or a vendor and asking for things like gift cards, or ETF payments, or update bank account numbers.

In the case of signal chat, we have a group of high-level officials who may or may not know each other, who trusted on spec that the group was real and all the participants were authorized to be part of the discussion. No one questioned who the other people were on the chat, or if they were authorized to be on the chat.

Validating the identity of an employee starts even before they are hired. There are have been a number of instances where individuals have been hired who have have either fraudulent or malicious intents, including taking on multiple jobs at the same time, farming out work to 3rd parties in cheaper countries or to gain access to sensitive systems or information. If remotely hiring, the video should be turned on during the interviews. The identity of the interviewee should be confirmed is the same as the person showing up for work. Background checks should be performed by a qualified organization to confirm identity and education. References should be checked and validated are real. Policies around work locations should be clearly defined so alerts can be set up to notify if an employee is connecting to corporate resources from an unusual location such as a different country or state.

To help employees understand where and when information should be shared a company should have an authorized communications policy that states how employees talk to each other and to people outside the company. Defining allowed technologies such as email, telephone, messaging platforms like slack. It should answer questions like “Who is authorized to send mass emails to all of the company?”, “Who is allowed to talk to the media on behalf of the company”, “When do you need to have an NDA in place before talking with customers about non public information”.

Companies should have an information classification policy. I like Salesforce’s breakdown of Public, Confidential, Restricted, and Mission Critical. Once those are defined, you can start answering questions about what the classification of data you are trying to protect is and how it should be handled.

If you have an IT or HR help desk, an employee’s identity must be validated. This could be done using an identifier in the HRIS system and asking additional questions like who the employee’s manager is. For sensitive discussions, it may require the representative to ‘call back’ the employee using a trusted number and communications tool.

Another area that is interesting about the Signal chat is that high-level officials are using Signal to communicate. From listening to the Senate Hearing, it sounds like it is a standard sanctioned tool at the CIA, but where is it allowed to be used? personal devices? Company issued devices? In Foreign Countries? What classification of information is allowed to be discussed using that tool? But most importantly how do you validate a person’s identity so you know you are talking to the right JD Vance or Tulsi Gabbard?

Within the corporate world, shadow IT can be addressed using tools that can scan for unsanctioned tools, If you use Office 365 and haven’t done so already, you should require admin consent for enterprise applications so users can not authorize an unsactioned tool to be connected to your Office 365 tenant. If possible claim your domains in tools like zoom and apple business manager so additional instances can’t be accidentally setup.

Anytime there is an incident either inside your organization or outside, it is useful to run a quick risk assessment to see if there are any lessons learned that could be applied inside your company.

With the new year it is time to start thinking about taxes in the US. This is the perfect time to send out a reminder to anyone with access to employee or corporate tax information to be on the lookout for Tax Scams. A common scam that comes up every year is a Threat Actor sends an email pretending to be from the IRS asking for Tax information for employees. Other scams include phishing emails pretending to be from the IRS that lead to malware or fake websites that try to trick users into entering their credentials.

Microsoft has a threat intelligence report with examples they saw in 2024. (https://www.microsoft.com/en-us/security/security-insider/intelligence-reports/tax-season-cybersecurity-what-cybercriminals-want-and-who-they-target-most-is-it-you/)

The IRS also has a helpful website that lists all things the IRS will never do (https://www.irs.gov/newsroom/taxpayers-beware-tax-season-is-prime-time-for-phone-scams)

The IRS will never:
Call to demand immediate payment using a specific payment method such as a prepaid debit card, gift card or wire transfer. Generally, the IRS will first mail a bill to any taxpayer who owes taxes.

Threaten to immediately bring in local police or other law enforcement groups to have the taxpayer arrested for not paying.

Demand that taxes be paid without giving taxpayers the opportunity to question or appeal the amount owed.
Call unexpectedly about a tax refund.

With an eye on the recent events, it may be time to add new risks to your risk registers. One that should already be on your risk register is currency fluctuation. There are well-known ways to mitigate currency risks. Another more recent risk is the new tariffs imposed on China, Canada, and Mexico by the US Government. There is a risk from both the original US tariffs and the retaliatory tariffs that could be imposed. These can affect the cost of delivering a product while only being paid the contracted rate. Think about what could happen if your bill for AWS US regions or Canadian regions suddenly goes up by 25%. The final risk to consider is the ability to do business in certain regions. Ontario’s Doug Ford has said that US companies will be banned from provincial government contracts. It is not clear if these are for new contracts or if it will affect existing contracts as well. This could also spread to other regions or the Canadian Federal government. (https://www.bbc.com/news/articles/c5y7626l610o)

The EU has released Guidance on prohibited artificial intelligence (AI). They have listed out more exceptions than I was expecting. If you deploy AI as part of your infrastructure or product, this is well worth reviewing to see where AI may be prohibited.

https://digital-strategy.ec.europa.eu/en/library/commission-publishes-guidelines-prohibited-artificial-intelligence-ai-practices-defined-ai-act

For example, when discussing the workplace, it gives the following examples.

“Using webcams and voice recognition systems by a call centre to track their employee’s emotions, such as anger, is prohibited.162 If only deployed for personal training purposes, emotion recognition systems are allowed if the results are not shared with HR responsible persons and cannot impact the assessment, promotion etc. of the person trained, provided that the prohibition is not circumvented and the use of the emotion recognition system does not have any impact on the work relationship.”

“Using voice recognition systems by a call centre to track their customers emotions, such as anger or impatience, is not prohibited by Article 5(1)(f) AI Act (for example to help the employees cope with certain angry customers).”

“AI systems monitoring the emotional tone in hybrid work teams by identifying and inferring emotions from voice and imagery of hybrid video calls, which would typically serve the purpose of fostering social awareness, emotional dynamics management, and conflict prevention, are prohibited.”

“Using emotion recognition AI systems during the recruitment process is prohibited.”

“Using emotion recognition AI systems during the probationary period is prohibited.”

“Using cameras by a supermarket to track its employees’ emotions, such as happiness, is prohibited.”

“Using cameras by a supermarket or a bank to detect suspicious customers, for example to conclude that somebody is about to commit a robbery, is not prohibited under Article 5(1)(f) AI Act, when it is ensured that no employees are being tracked and there are sufficient safeguards.”

You should also consider that you have completed a sufficient risk assessment and data protection impact assessment (DPIA) for GDPR.

I was testing out the new free ASM offering from Sprocket Security and noticed it was picking up internal sites where I have the free Let’s Encrypt Certs. I had also noticed that Bitsight was seeing them as well. I originally thought I must have included the internal site names as alt names in a cert that is exposed to the internet, like the one for the mail server, but then I did a quick search and came up with https://crt.sh/?q=strategy.com and was reminded about https://letsencrypt.org/docs/ct-logs/

You may want to check what certs are associated with your domains and make sure only authorized certs exist and wild card certs are limited.

If you are interested in trying out ASM from Sprocket Security you can find out more at https://www.sprocketsecurity.com/solutions/attack-surface-management. For a free option, it does appear to give a nice interface to give you a quick overview of your exposed infrastructure.

If you are curious, I use the rfc2136 dynamic DNS update module for certbot to auth the internal servers without having to expose the sites to the internet, but having these certs publicly listed makes me reconsider my naming convention since it may give away what services I have running on my internal network.