Cyber Security Headlines: Week in Review Summary
Episode Title: Week in Review: ClickFake Deepfake Scam, Krispy Kreme Breach, NIST ZTA Guidance
Host: CISO Series
Guest: Howard Holton, COO and Industry Analyst at Giga
Release Date: June 20, 2025
1. Beware the SMS2FA Middleman
Overview:
The episode kicks off with a critical examination of SMS-based Two-Factor Authentication (2FA). An anonymous whistleblower revealed that approximately one million SMS messages containing 2FA codes were intercepted by Fink Telecom Services, a Swiss company previously linked to government and private surveillance activities.
Key Discussions:
- Supply Chain Vulnerabilities: Howard Holton emphasizes the inherent risks in the SMS supply chain, stating, “Security needs to be about are my services being leveraged in the way that I intend my services to be leveraged?” (00:54). He underscores the importance of ethical service provision and the necessity for service providers to implement robust security controls to prevent misuse.
- Accountability and Ethical Use: Holton further elaborates on the responsibility of service providers: “You probably need some more security controls in there. At least enable them for your users so you and turn them on by default” (04:36). He advocates for proactive measures rather than relying solely on law enforcement to address malicious use.
Conclusion:
The discussion highlights the critical need for comprehensive security measures within the SMS supply chain to safeguard against unauthorized interceptions and misuse of 2FA codes.
2. NIST Publishes New Zero Trust Architecture (ZTA) Guidance
Overview:
The episode delves into the latest Zero Trust Architecture (ZTA) guidance released by the National Institute of Standards and Technology (NIST). This guidance serves as a foundational framework for organizations aiming to build their own zero trust environments.
Key Discussions:
- Critique of NIST’s Approach: Holton expresses reservations about NIST’s technology-centric approach, stating, “Policy is the most important part philosophy and policy. You have to change the minds of everyone associated with security in the org” (06:35). He argues that without a strong emphasis on policy and human factors, the implementation of zero trust will falter.
- Challenges in Implementation: The conversation touches upon the practical difficulties CISOs face when adopting complex frameworks: “It's not a tools problem. You cannot solve it with tools” (07:59). Holton emphasizes the necessity of organizational buy-in and policy enforcement to ensure the effectiveness of zero trust strategies.
Conclusion:
While NIST’s ZTA guidance provides valuable insights, the discussion underscores the importance of balancing technology with robust policies and cultural shifts within organizations to achieve true zero trust security.
3. Washington Post Journalists Targeted in Hacking Incident
Overview:
The Washington Post is under scrutiny following a hacking incident that compromised the emails of several journalists, including those focused on national security and economic policy.
Key Discussions:
- Enhancing Cybersecurity for Journalists: Holton advocates for a collective effort to bolster journalists' cybersecurity: “Freedom of speech is paramount to any free society globally” (10:42). He suggests developing a framework tailored to journalists to improve their security posture without overburdening them with technical responsibilities.
- Collaborative Solutions: The conversation highlights the need for industry-wide initiatives and potential governmental support to provide journalists with the necessary tools and training to safeguard their communications effectively.
Conclusion:
Protecting journalists from cyber threats is essential for maintaining a free and informed society. The discussion calls for collaborative efforts to create practical and sustainable security measures tailored to the unique needs of media professionals.
4. State Healthcare Exchanges Sharing Data with Big Tech
Overview:
An investigation by The Markup and CalMatters revealed that four state-run insurance marketplaces are sharing sensitive data with major social platforms such as LinkedIn, Snapchat, and Google through embedded advertising trackers.
Key Discussions:
- Privacy Violations and HIPAA Compliance: Holton asserts, “It absolutely violates HIPAA” (18:09), emphasizing the gravity of sharing personal health information without proper safeguards. He criticizes the lack of stringent audits and the over-reliance on market-driven solutions to enforce privacy standards.
- Accountability and Legal Reforms: The discussion explores the need for significant regulatory changes to hold third-party processors accountable. Holton advocates for personal liability for corporate directors to ensure stricter adherence to privacy laws and prevent unauthorized data sharing.
Conclusion:
The unauthorized sharing of sensitive healthcare data with big tech companies underscores the urgent need for robust regulatory frameworks and accountability measures to protect individuals' privacy and ensure compliance with laws like HIPAA.
5. North Korea's ClickFake Deepfake Scam
Overview:
A sophisticated deepfake and social engineering scam targeting cryptocurrency foundation employees was reported. The scam involved impersonating executives through Zoom calls, leading to the installation of malicious software.
Key Discussions:
- The Growing Threat of Deepfakes: Holton remarks, “You cannot trust anything online and must verify” (23:44), highlighting the escalating threat posed by deepfakes in eroding trust in digital communications.
- Preventative Measures and Awareness: The conversation emphasizes the importance of verification and skepticism in digital interactions. Holton advises, “Stop blindly trusting because it is blind trust that makes this happen” (22:31), advocating for rigorous verification processes to mitigate the risks of deepfake scams.
Conclusion:
Deepfake technology is revolutionizing social engineering attacks, necessitating enhanced verification protocols and heightened awareness to protect against increasingly deceptive scams.
6. Krispy Kreme’s November Data Breach Impact
Overview:
Krispy Kreme suffered a significant data breach in November, compromising over 160,000 victims' Personally Identifiable Information (PII), including sensitive data such as credit card information, email passwords, and biometric data.
Key Discussions:
- Data Collection Practices and Legal Implications: Holton condemns the extensive and seemingly indiscriminate data collection, asserting, “They should go to jail” (26:09). He emphasizes the lack of justification for retaining such sensitive information and the urgent need for legal accountability.
- Market Response and Corporate Responsibility: The discussion touches on the role of the market in penalizing unethical data practices. Holton states, “Truth in data collection should be a thing” (28:19), advocating for consumer and market-driven consequences for companies that mishandle sensitive data.
Conclusion:
The Krispy Kreme breach highlights severe lapses in data protection and ethical handling of customer information. The episode underscores the necessity for stringent data management practices and robust legal frameworks to prevent such breaches and hold responsible parties accountable.
Closing Remarks
The episode concludes with acknowledgments to participants and a preview of upcoming content, emphasizing the importance of continuous vigilance and adaptation in the ever-evolving landscape of cybersecurity.
Notable Quotes:
- “Security needs to be about are my services being leveraged in the way that I intend my services to be leveraged?” – Howard Holton (00:54)
- “Policy is the most important part philosophy and policy. You have to change the minds of everyone associated with security in the org” – Howard Holton (06:35)
- “It absolutely violates HIPAA” – Howard Holton (18:09)
- “You cannot trust anything online and must verify” – Howard Holton (23:44)
- “They should go to jail” – Howard Holton (26:09)
Timestamps Reference:
- 00:54: Discussion on SMS2FA middleman risks.
- 04:36: Importance of security controls in service provision.
- 06:35: Critique of NIST’s ZTA guidance focus.
- 07:59: Emphasis on policy over tools in zero trust.
- 10:42: Enhancing cybersecurity for journalists.
- 15:06: State healthcare exchanges sharing data concerns.
- 18:09: HIPAA violations in data sharing.
- 22:31: Importance of verification in preventing deepfake scams.
- 23:44: Trust erosion due to deepfakes.
- 26:09: Krispy Kreme data breach and legal accountability.
- 28:19: Market's role in enforcing data privacy.
This detailed summary encapsulates the pivotal discussions and insights shared during the "Cyber Security Headlines" podcast episode, providing a comprehensive overview for those who missed the live session.
