Author: Paul Bergman

  • Would You Ignore a 1-in-3 Chance of a $250,000 Loss?

    If someone told you that you had a one in three chance of an accident this year that could cost your business $250,000, what would you do?

    Would you roll the dice and hope it doesn’t happen?
    Or would you buy an insurance policy that dramatically reduces your risk?

    That’s the same calculation every small and mid-sized business faces when it comes to cybersecurity.

    According to Microsoft’s 2024 SMB Cybersecurity Report, 31% of small and mid-sized businesses experienced a cyberattack in the past year, and the average cost of an incident exceeded $250,000. For many organizations, that’s not just a setback: I’ve seen businesses go under from a loss of this size. It’s an existential threat!


    The ROI of Prevention

    Now imagine you could reduce that $150,000–$250,000 loss risk for about $3,500 a month by investing in security tools, monitoring, and staff training. That’s $42,000 per year to safeguard the entire business, far less than the cost of a full-time employee in much of the US.

    The return on investment is clear:

    • Losses avoided: $150,000
    • Annual cost: $42,000
    • ROI: 257%

    That’s not an expense — that’s a high-performing investment.

    Every dollar spent on proactive cybersecurity yields more than $2.50 in protected value, not counting the reputational damage, lost clients, and downtime avoided.


    Cybersecurity Is Business Insurance

    Cybersecurity isn’t just about technology; it’s about risk management. It functions like an insurance policy you can actively control.

    Unlike traditional insurance, cybersecurity investments don’t just pay off when something goes wrong. They improve efficiency, reduce downtime, and build client trust every day. And unlike insurance premiums, your controls (such as employee training, managed detection and response, and strong identity protection) actually reduce the odds of an incident.

    Would you refuse to insure your business vehicles with a 1-in-3 chance of a crash this year?
    Probably not.
    Yet that’s effectively what many SMBs do when they delay or minimize cybersecurity investment.


    The True Cost of “Doing Nothing”

    The average cyberattack costs more than money. It brings:

    • Weeks of downtime
    • Lost customer confidence
    • Regulatory fines (especially if personal data is exposed)
    • Employee stress and turnover

    Recovery costs often exceed the original damage. Even a small ransomware attack can consume weeks of effort! That’s time that should have been spent serving customers and growing the business.


    The Smarter Investment

    When you frame cybersecurity as an investment, not an expense, the logic becomes simple:

    Investment                               | Annual Cost | Potential Loss Avoided | ROI
    Cyber controls, monitoring, and training | $42,000     | $150,000               | 257%

    It’s like paying $1 for every $2.50 you keep safe.
    No CFO would ignore that kind of return.


    In Summary

    If there’s a 1-in-3 chance of losing $250,000, and a $3,500 monthly cybersecurity plan can prevent it, the question isn’t “Can we afford it?” but “Can we afford not to?”

  • The cybersecurity reality for SMBs

    In today’s digital environment, SMBs can no longer assume “we’re too small to matter” when it comes to cyber-threats. Microsoft’s report underscores how the risk has become pervasive and how the stakes are significant for organizations with limited resources yet major responsibilities. The findings reveal both awareness and a gap between knowing the risk and acting fully on it.

    Here is a summary of the Microsoft report from a survey of SMBs.
    Read the Full Report Here

    5 Key Statistics

    Here are five standout figures from the report:

    1. 94% of SMBs say cybersecurity is critical to their success.
      According to Microsoft, 94% of SMB respondents recognize that cybersecurity is fundamentally important to business success.
    2. About 1 in 3 SMBs suffered a cyberattack in the past year.
      The report notes roughly 31% of SMBs reported being victims of a cyberattack (including ransomware, phishing or data breach).
    3. The average cost of a cyberattack for an SMB is over US$250,000, and some incidents exceeded US$7 million.
      Microsoft reports that the cost to an SMB can easily top the quarter-million mark and in some cases go much higher.
    4. 81% of SMBs believe AI increases the need for additional security controls.
      As artificial intelligence becomes more widespread, 81% of SMBs view it as elevating their security requirements.
    5. Less than 30% of SMBs manage their security in-house.
      The report indicates that due to limited resources and expertise, fewer than 30% of SMBs handle security internally; the rest rely on external providers or outsourcing.

    What this means for SMBs

    Given those statistics, here are some reflections and take-aways that SMBs (including you, if this applies) should consider:

    Awareness is high, but action must catch up

    Yes — 94% of SMBs know cybersecurity is critical. But the fact that ~1 in 3 have still been attacked suggests awareness alone isn’t sufficient. Investment in the right controls, training, governance and incident-response capability is essential.

    The financial risk is real

    With costs often exceeding US$250k (and in some cases many millions), cyberattacks can be existential for smaller companies. For SMBs with tighter margins, fewer resources, and less time to recover, the pressure is intense. Having a plan ahead of time can reduce both impact and downtime.

    New threats are emerging (AI, hybrid work, remote access)

    The finding that 81% of SMBs believe AI raises security demands signals that it’s not just “business as usual”. Threats are evolving, the attack surface is shifting (remote/hybrid work, cloud adoption, AI) and SMBs need to adapt accordingly.

    Outsourcing security is common but presents its own challenges

    Less than 30% of SMBs manage security internally. That means many of them depend on MSPs (managed service providers), consultants, SaaS tools, etc. While that’s often necessary, it creates dependencies: choose your providers carefully, establish clear SLAs, maintain visibility into what they do, and ensure you retain control over your security posture.

    Prioritisation and investment matter

    If 80%+ of SMBs intend to increase their security spending (as the report indicates), then the next question is where to invest. Data protection, identity management (MFA, least-privilege access), endpoint detection, and incident response planning should all be high on the list. Preventing an attack is far cheaper than recovering from one.


    Practical steps for SMBs today

    Here’s a brief “checklist” of actionable items based on these insights:

    • Conduct a cyber risk assessment: identify your assets (data, systems, identity), map your threat vectors (phishing, ransomware, remote access), and determine potential impact.
    • Ensure multi-factor authentication (MFA) is enabled for all privileged or remote access accounts.
    • Invest in employee training — phishing awareness, suspicious link detection, secure remote-work practices.
    • Implement an incident response plan: define roles, notification paths, backup/recovery procedures, and test it periodically.
    • Consider partnering with a trusted MSP or security consultant — but keep reporting, visibility and oversight top-of-mind.
    • Monitor emerging risks: AI/ML-driven threats, supply-chain vulnerabilities, cloud misconfigurations, hybrid work models.
    • Measure and track your security posture over time: number of access incidents, malware alerts, patching status, compliance with policies, etc.

    Final thoughts

    The Microsoft SMB Cybersecurity Report paints a clear message: SMBs cannot afford to be passive. The combination of widespread awareness (94%), meaningful attack rates (~31%) and potentially crippling costs (US$250k+) indicates urgency. At the same time, emerging threat vectors like AI and remote access complicate the picture.

    Yet it’s not too late — careful planning, targeted investment, smart outsourcing, and ongoing monitoring can shift a business from vulnerable to resilient. SMBs may not have the large budgets of enterprise giants, but they often have agility on their side: the ability to implement security controls, train staff, and build culture more quickly. With the right mindset and focus, smaller size can become an advantage rather than a disadvantage.

  • Protecting Yourself from FinTech Fraud: Five Common Scams and How to Stay Safe

    Financial technology, or FinTech, has made managing money faster and easier than ever. Apps can send money, invest, or pay bills in seconds. That same convenience can also make you a target for fraud.

    According to Stripe’s Guide to FinTech Fraud Detection, criminals use many different tricks to steal money or personal data. Understanding how these scams work is the best way to protect yourself.

    Below are five of the most common FinTech fraud attacks and what you can do to stop them before they happen.

    You will notice that I use “IMMEDIATELY” a lot. I don’t want you to misunderstand and think that I use it for impact. I use it because while transactions seem to happen in the blink of an eye, there is actually a window of time in which they can be reversed. It’s NOT a very long window, so reacting “IMMEDIATELY” is important.


    1. Account Takeover

    What happens: A criminal gets access to your account by stealing or guessing your password and then uses it to move money, make purchases, or change your settings.

    How to protect yourself:

    • Turn on multi-factor authentication (MFA) in every app that offers it, especially your bank and payment apps.
    • Never reuse passwords across multiple sites. Consider using a password manager to generate and store strong, unique passwords.
    • Watch for unusual login alerts or changes to your account and report them immediately.

    2. Payment Fraud and Card Testing

    What happens: Thieves use stolen card numbers to make fake purchases or to test which cards still work. Even a few small transactions can quickly add up.

    How to protect yourself:

    • Check your bank and card statements regularly. Set up transaction alerts so you are notified of any activity right away.
    • Use virtual card numbers for online shopping when possible since many banks and payment platforms now offer this feature.
    • Report any unauthorized charges immediately. Your bank can usually stop additional fraudulent activity.

    3. Identity Theft and Fake Accounts

    What happens: Fraudsters use your personal information, such as your Social Security number or driver’s license, to open new accounts or apply for loans in your name.

    How to protect yourself:

    • Never share your personal information unless you initiated the contact and are sure of the company’s legitimacy.
    • Use an identity monitoring or credit report service to track any new accounts opened in your name.
    • Shred old financial documents and store sensitive information securely.

    4. SIM Swaps and Phone Hijacking

    What happens: A scammer convinces your phone carrier to move your number to a SIM card they control. Once they have it, they can intercept text messages, including security codes, and access your accounts.

    How to protect yourself:

    • Avoid using text messages as your only form of authentication. Use an authenticator app or security key instead.
    • Add a PIN or password to your mobile carrier account to prevent unauthorized changes.
    • Be cautious of sudden loss of cell service because it can be a sign of a SIM swap attack.

    5. Insider and Fake Business Scams

    What happens: Sometimes fraud comes from within an organization or from fake businesses pretending to be legitimate merchants or investment firms. These scammers process fake payments or trick victims into transferring funds.

    How to protect yourself:

    • Before sending money or investing, verify the business. Check their website, contact details, and online reviews.
    • Be skeptical of any company that pressures you to act fast or promises guaranteed returns.
    • Use well-known payment apps and platforms that have fraud protection policies.

    Stay Alert, Stay Secure

    Fraud is constantly evolving, but awareness is your best defense. Use strong authentication, monitor your accounts regularly, and think carefully before sharing personal or financial details.

    As Stripe points out, fintech companies are working hard to detect and prevent fraud, but users play an equally important role in staying safe.

    In Summary:
    Fraudsters are always looking for weak spots, but with a few smart habits, you can make their job much harder. Protect your passwords, verify who you are dealing with, and act quickly if something does not look right.

  • Ransomware: What Small Businesses Need to Know

    When ransomware first hit headlines, attackers often lingered in networks for weeks or even months before making demands. That window has shrunk dramatically.

    Today, the average time from initial compromise to ransom is just 17 hours, with reports showing some attacks happening in as little as 6 hours. In other words, by the time many businesses realize something’s wrong, it’s already too late.

    The Paradox: Payments Down, Attacks Up

    Interestingly, ransom payments have declined in recent years. Organizations are more reluctant to pay, and law enforcement agencies strongly discourage it. But this hasn’t slowed attackers. In fact, the number of ransomware attacks continues to rise.

    Why? Cybercriminals understand that they can still disrupt operations, steal sensitive data, and pressure victims with threats of exposure. Even if fewer organizations pay, the volume of attacks ensures that enough victims will give in to make it worthwhile.

    Why Small and Mid-Sized Businesses Are at Risk

    Large enterprises often dominate the headlines, but small and mid-sized businesses (SMBs) are increasingly being targeted. The reason is simple: many SMBs have limited security resources and little awareness of just how quickly ransomware can spread.

    Attackers know this. They automate scanning for weaknesses and exploit them rapidly, banking on the fact that smaller companies won’t notice until it’s too late.

    The Key Defense: Continuous Network Monitoring

    Given how quickly ransomware can move, continuous network monitoring is no longer optional. Tools and practices like Endpoint Detection & Response (EDR), Managed Detection & Response (MDR), and Security Information & Event Management (SIEM) give you real-time visibility into what’s happening inside your systems.

    This isn’t about paranoia; it’s about reducing the time to detection. If criminals can move from access to ransom in 6 hours, your team needs the ability to detect and contain the breach in minutes, not days.

    Practical Steps You Can Take Now:

    • Assess your visibility: Do you know what’s happening in your network right now?
    • Deploy monitoring tools: Even small businesses can afford lightweight MDR or SOC-as-a-service options.
    • Plan for incidents: Have a clear ransomware response plan — who to call, what systems to isolate, and how to restore from backups.

    In Summary

    Ransomware isn’t slowing down; it’s speeding up. While ransom payments may be declining, the sheer number of attacks is climbing, and SMBs are firmly in the crosshairs. The best defense is awareness and action, starting with continuous network monitoring.

    I know you’re not watching your network…but chances are someone else is.

  • Why Passkeys Beat Passwords (and Why Windows Hello Makes Them Even Better)

    Google recently encouraged everyone to start using passkeys instead of traditional passwords. Microsoft has been making the same push with Windows Hello and its Authenticator app. This isn’t just tech companies trying to make life complicated — it’s a real upgrade in how we protect our digital lives.

    Let’s walk through what makes a passkey different from a password, why Windows Hello is stronger than typing in a string of characters, and how password keepers like 1Password still play an important role in keeping you safe.

    The Bottom Line First

    Ok, if you just want the highlights, here is the wrap-up.

    • Passwords can be guessed, stolen, or phished.
    • MFA is safer, but it still starts with a password.
    • Passkeys use cryptography and your device to make hijacking nearly impossible.
    • Windows Hello adds the power of biometrics and secure hardware.
    • Password managers are a smart way to manage things during the transition — and passphrases make your accounts much safer today.

    If you are interested in reading more, see below.


    Passwords vs. Passkeys: What’s the Difference?

    • Passwords
      A password is just a secret you type in. It might be something you made up, or something you reuse across multiple accounts. The problem? Passwords can be guessed, stolen in a data breach, or tricked out of you by a phishing email.
    • Passkeys
      A passkey works in a completely different way. Instead of being “something you know,” it’s built on cryptographic keys:
      • A private key that lives only on your device and never leaves it.
      • A public key that gets stored with the service you log into.

    When you sign in, the service sends your device a challenge, and your private key signs it. The private key never travels across the internet — so unlike a password, it can’t be copied, stolen, or reused somewhere else.

    Think of it this way: Passwords are like spare keys you hide under a doormat. Passkeys are like a digital lock that only your device can open — no key to steal, no doormat to check.


    Why Private Keys Are So Hard to Steal

    Here’s why a private key is safer than a password:

    1. It never leaves your device. You can’t be tricked into typing it into a fake website.
    2. It’s hardware-protected. Keys are stored in a secure chip, not in a file that hackers can copy.
    3. It only responds to a challenge. Your device proves it has the key without ever handing it over.

    This is why passkeys close the door on phishing and credential theft — two of the most common ways accounts get hijacked.


    Why Windows Hello Is Stronger Than a Password

    Windows Hello makes logging in safer and easier by using your fingerprint, your face, or a PIN that’s tied to your device.

    Here’s why that beats typing in a password:

    • Your biometric data never leaves your computer.
    • The keys are stored in a secure chip (TPM) that attackers can’t just copy.
    • You can’t “type” a fingerprint into a phishing site.
    • It’s faster and more convenient than remembering another string of characters.

    When you pair Windows Hello with passkeys, you get security that’s both strong and easy to use.


    MFA vs. Passkeys

    You might already be using multi-factor authentication (MFA) with Microsoft Authenticator or Google’s prompts. That’s great — MFA is much safer than a password alone.

    But here’s the catch: MFA still relies on your password as the first step. And if a hacker tricks you into giving that up, MFA can sometimes be bypassed with social engineering or man-in-the-middle attacks.

    Passkeys are stronger. They don’t rely on a password at all, and they’re phishing-resistant by design.


    What About Password Managers?

    If you’re not ready to switch fully to passkeys, tools like 1Password or Keeper are still excellent for managing your digital life.

    Password managers:

    • Store all your passwords in an encrypted vault.
    • Let you use long passphrases instead of short, hard-to-remember passwords. (Example: yellow-bicycle-ocean-sunset is much stronger — and easier to remember — than P@ssw0rd!)
    • Help you generate unique credentials for each site so one breach doesn’t compromise everything.

    Some password managers also support storing and syncing passkeys, so they’ll continue to be useful as the world shifts away from passwords.


  • Devices That Support Passkeys

    If your device is relatively new (last 4–5 years), it almost certainly supports passkeys. Apple, Google, and Microsoft are all committed to making passkeys the default sign-in option, and most major browsers already support them.

    Smartphones & Tablets

    • Apple (iOS & iPadOS 16 and later)
      • iPhone and iPad support passkeys through Face ID, Touch ID, or device PIN.
      • Passkeys sync across devices via iCloud Keychain.
    • Android (Android 9 and later, with Google Play Services)
      • Supports passkeys using your fingerprint, face, or device PIN.
      • Passkeys sync via Google Password Manager.

    Computers

    • Windows 10/11
      • Supports passkeys through Windows Hello (fingerprint, face, or PIN).
      • Passkeys can sync with Microsoft accounts.
    • macOS (Ventura and later)
      • Supports passkeys using Touch ID or Apple Watch.
      • Syncs via iCloud Keychain.
    • Chromebooks
      • Supports passkeys with Google accounts, using built-in fingerprint sensors or PIN.

    Browsers (on compatible devices)

    • Google Chrome (desktop & mobile)
    • Microsoft Edge
    • Safari (on iOS, iPadOS, macOS)
    • Firefox (rolling out full support)

    Hardware Security Keys

    • Devices like YubiKey 5 series and Feitian keys support passkeys via FIDO2.
    • Useful if you prefer a physical key you plug in or tap instead of using biometrics.

  • When AI Bots Break the Rules: Lessons from Perplexity’s Stealth Crawling

    Artificial intelligence is reshaping how we access and use information, but with that power comes responsibility. Recent findings by Cloudflare and investigative reporting from CyberScoop have revealed troubling behavior by Perplexity, an AI-powered answer engine, that challenges the ethical foundation of AI data practices.

    The Incident: Crawling Behind Closed Doors

    Cloudflare discovered that Perplexity’s crawlers were accessing content even when websites explicitly blocked them via robots.txt and firewall rules. To verify, Cloudflare created private “honeytrap” domains, completely undiscoverable and locked down from bots. When Perplexity returned answers sourced directly from these restricted sites, the evidence was clear—these crawlers were bypassing protections.

    Cloaked Crawls and Evasion Tactics

    Rather than respecting access rules, Perplexity reportedly:

    • Impersonated regular browsers like Chrome to avoid detection
    • Rotated IP addresses and hosting networks to slip past filters
    • Ignored robots.txt and other site owner directives

    These tactics suggest deliberate avoidance of web standards designed to foster trust between site owners and automated crawlers.

    ⚠️ Why This Matters: Trust Is Fragile

    The web relies on a shared understanding: crawlers identify themselves, respect boundaries, and play by the rules. When an AI company violates these norms, it doesn’t just break trust with site owners—it undermines the integrity of the entire ecosystem. Cloudflare’s response was decisive, blocking the offending bots and stripping Perplexity of its “verified” crawler status.

    ✅ A Contrast in Behavior: OpenAI’s Approach

    Interestingly, Cloudflare highlighted that OpenAI’s bots adhered to site instructions, backing off when told not to crawl. This difference underscores an important point: compliance is not optional—it’s a baseline expectation.


    My Take: Innovation Needs Boundaries

    AI tools like Perplexity hold incredible potential to enhance our access to knowledge, but cutting-edge technology is not a license to bypass rules. Web standards exist to protect the rights of content creators, maintain trust, and ensure that innovation benefits everyone—not just the companies pushing boundaries.

    Breaking these rules in the name of progress is shortsighted. True innovation respects the ecosystem it operates in. Ethical AI providers must prioritize transparency, consent, and respect for established norms. Anything less risks eroding the trust they depend on to thrive.


    Lessons for Website Owners and AI Companies

    1. Website Owners:
      • Monitor crawler activity closely and use tools like Cloudflare’s WAF to enforce boundaries.
      • Consider new “pay-per-crawl” models that allow compensation when AI systems use your data.
    2. AI Companies:
      • Respect robots.txt and other site policies—these are not suggestions.
      • Be transparent about data collection practices to build long-term trust.
      • Remember: being on the cutting edge does not grant carte blanche to break the rules.
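    For the “monitor crawler activity closely” advice above, here is an added example (not code from Cloudflare, Perplexity or the author) that parses a site’s robots.txt and reports, per client IP, the requests that violate it; the bot name ExampleAIBot, the IP addresses and the log lines are constructed.

```javascript
// Added example, not code from Cloudflare, Perplexity or the author:
// parse robots.txt and flag log entries whose path the file disallows for
// the client's declared user agent. A browser UA hitting disallowed paths
// is the "cloaked crawl" pattern the post describes. All data constructed.
const ROBOTS_TXT = `
# ExampleAIBot is a placeholder crawler name, not a real bot token
User-agent: ExampleAIBot
Disallow: /

User-agent: *
Disallow: /private/
Disallow: /drafts/
`;

// Constructed lines in Apache "combined" log format
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Aug/2025:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "ExampleAIBot/1.0"',
  '203.0.113.5 - - [10/Aug/2025:10:00:02 +0000] "GET /blog/post-1 HTTP/1.1" 200 5120 "-" "ExampleAIBot/1.0"',
  '198.51.100.7 - - [10/Aug/2025:10:00:03 +0000] "GET /private/report.html HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/126.0"',
  '198.51.100.7 - - [10/Aug/2025:10:00:04 +0000] "GET /drafts/next-post HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/126.0"',
  '192.0.2.9 - - [10/Aug/2025:10:00:05 +0000] "GET /blog/post-1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"',
];

// Minimal robots.txt parser: User-agent groups with Disallow prefixes.
// Allow:, wildcard patterns and Crawl-delay are ignored for brevity.
function parseRobots(text) {
  const groups = [];
  let current = null;
  let lastLineWasAgent = false;
  for (const rawLine of text.split('\n')) {
    const line = rawLine.replace(/#.*$/, '').trim();
    if (!line) continue;
    const idx = line.indexOf(':');
    if (idx === -1) continue;
    const field = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    if (field === 'user-agent') {
      if (!lastLineWasAgent) { // consecutive User-agent lines share one group
        current = { agents: [], disallow: [] };
        groups.push(current);
      }
      current.agents.push(value.toLowerCase());
      lastLineWasAgent = true;
    } else {
      if (field === 'disallow' && current && value) current.disallow.push(value);
      lastLineWasAgent = false;
    }
  }
  return groups;
}

// A group whose token appears in the UA string wins over the "*" group.
function groupFor(groups, userAgent) {
  const ua = userAgent.toLowerCase();
  let wildcard = null;
  for (const g of groups) {
    for (const token of g.agents) {
      if (token === '*') wildcard = wildcard || g;
      else if (ua.includes(token)) return g;
    }
  }
  return wildcard;
}

function isDisallowed(groups, userAgent, path) {
  const g = groupFor(groups, userAgent);
  return !!g && g.disallow.some((prefix) => path.startsWith(prefix));
}

// ip ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/;

function parseLogLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]), userAgent: m[6] };
}

// Map of client IP -> disallowed paths it fetched. The robots.txt fetch
// itself is never a violation, so it is skipped.
function findViolations(robotsText, logLines) {
  const groups = parseRobots(robotsText);
  const byIp = new Map();
  for (const line of logLines) {
    const req = parseLogLine(line);
    if (!req || req.path === '/robots.txt') continue;
    if (!isDisallowed(groups, req.userAgent, req.path)) continue;
    if (!byIp.has(req.ip)) byIp.set(req.ip, []);
    byIp.get(req.ip).push(req.path);
  }
  return byIp;
}
```

    Because the post notes that the crawler rotated IP addresses, keying results by IP alone is the simplest case; in practice, grouping by network block or request fingerprint gives a clearer picture.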

    Moving Forward

    The Perplexity case is a wake-up call. The future of AI must be built not only on technological advances but also on ethical conduct. The companies that will ultimately lead this space will be those that respect the boundaries of others while pushing the limits of what’s possible.



  • Why don’t the carriers that got hacked in Salt Typhoon care?

    If you don’t know what the Salt Typhoon hack was, read a brief on it here: What is Salt Typhoon and why should I care? – Paul Bergman

    The perception that U.S. telecom carriers “don’t care” about the Salt Typhoon hack is understandable—but the full answer is more complex. Here are the key reasons why their response has seemed indifferent or inadequate:

    1. Lack of Regulation

    • Telecoms are not held to the same cybersecurity standards as financial institutions or utilities.
    • The FCC has historically been slow to impose mandatory controls—many best practices are voluntary.
    • Without strong oversight, carriers are more likely to underinvest in security, especially in areas that don’t directly impact customers’ bills or service quality.

    2. Profit over protection

    • Carrier executives are incentivized to cut costs, and security infrastructure is expensive and hard to monetize.
    • One telecom insider put it bluntly: “No one gets promoted for preventing a breach that no one knows about.”

    3. Outdated infrastructure

    • Much of the core telecom infrastructure (routers, edge devices, CALEA intercept systems) is decades old, unpatched, or built without modern security in mind.
    • Some systems can’t be updated without full replacement, and that comes with service risks and massive costs.
    • Carriers may choose to tolerate known compromises rather than risk downtime.

    4. Stealth of the breach

    • Salt Typhoon was exceptionally quiet. They used valid credentials, erased logs, and didn’t disrupt operations—so detection was difficult.
    • Some carriers may not have known they were compromised for years—or chose not to acknowledge the full scope.

    5. Reputation management

    • Admitting that state-sponsored actors accessed wiretap systems and call metadata is a PR disaster.
    • Many telecoms have chosen to downplay the breach, hoping regulators don’t dig deeper.
    • AT&T, for example, was publicly silent for months while investigators privately confirmed the scope.

    6. No clear consequences (yet)

    • Until the FCC, DOJ, or Congress imposes financial or legal penalties, there’s little incentive to change.
    • So far, the consequences have been mostly reputational and not enforced through regulation or fines.

    In Summary:

    Telecom carriers aren’t entirely indifferent—they’re operating in a system that:

    • Doesn’t require strong cybersecurity,
    • Doesn’t reward proactive investment,
    • And doesn’t penalize major breaches unless customers or lawmakers force change.

  • What is Salt Typhoon and why should I care?

    What is Salt Typhoon?

    Salt Typhoon is a state-sponsored Chinese Advanced Persistent Threat (APT) believed to operate under China’s Ministry of State Security. Its espionage operations began around 2020 and have heavily targeted U.S. critical infrastructure (CyberScoop).


    How did they infiltrate U.S. telecom networks?

    • Initial access via unpatched vulnerabilities in critical network gear—especially Cisco routers, Fortinet, and Versa Director systems—often exploiting default or weak admin credentials.
    • Once inside, they leveraged existing tools (“living-off-the-land” such as PsExec, WMIC) to avoid detection and maintain stealthy network access.
    • They carefully erased logs and stayed embedded for months—or longer. Cisco Talos notes one case with persistent presence for over three years.

    Scope of the breach: What was affected?

    • At least eight U.S. telecom firms were breached (Verizon, AT&T, T-Mobile, Spectrum, Lumen, Windstream, Consolidated, and another unnamed firm); a ninth was confirmed later by the White House.
    • Access extended to infrastructure handling lawful intercepts (CALEA systems), exposing text and call metadata—and in some cases, even call audio—of over a million individuals, including senior political figures (Trump, Vance, Harris campaign).
    • Metadata included timestamps, phone numbers, IP addresses, and live intercepts.

    Broader implications

    • Senate Intelligence Chair Sen. Mark Warner described it as “the worst telecom hack in our nation’s history”—worse even than SolarWinds or Colonial Pipeline.
    • The intrusion extended beyond espionage: it potentially granted visibility and control over communications infrastructure—vital in crisis or conflict scenarios.
    • U.S. authorities fear this is a strategic campaign to enable future disruption, pre-positioning within critical inter-state communication networks.

    Government response & policy shifts

    • U.S. agencies (FBI, CISA, NSA, FCC) issued hardening guidance—patching, monitoring, stronger authentication, log retention.
    • Calls emerged for mandatory cybersecurity regulations for telecoms, culminating in new FCC rules championed by Chair Rosenworcel.
    • The Treasury .
    • However, full eviction of the hackers is still a challenge—remediation may require replacing thousands of devices.

    Summary: Key facts at a glance

    Category               | Details
    Actor                  | Salt Typhoon (MSS-affiliated)
    Breach timeline        | From at least mid-2023 through late 2024, possibly earlier
    Firms affected         | 8–9 major U.S. telecoms
    Data compromised       | Call metadata, wiretap systems, live audio
    Depth of access        | Router-level access via Cisco exploits
    Strategic threat level | Espionage w/ potential for disruption

    What this means for you

    While the average consumer’s daily service hasn’t been significantly disrupted, this breach compromises the integrity and privacy of communications infrastructure. As a result, safer communication practices like using end-to-end encrypted apps (Signal, WhatsApp) are now recommended (WIRED).

    Why do the carriers not care?

    The fact of the matter is that this had no impact on the carriers financially. Yes, they have failed to secure our data and communications but there is no real downside to them.

  • How US companies could be funding North Korean Missiles

    How US companies could be funding North Korean Missiles

    North Korean IT Workers in US Companies: A Hidden Threat to National Security

    The infiltration of North Korean IT workers into US companies is no longer a theoretical risk—it is a widespread, persistent, and evolving threat. Recent reports and warnings from government agencies and cybersecurity experts reveal that thousands of North Korean nationals have secured remote IT positions in US firms, including Fortune 500 companies, using stolen or fake identities and advanced AI tools. The consequences are severe: an estimated 90% of the revenue from these workers is funneled directly into North Korea’s nuclear weapons and ballistic missile programs, fueling one of the world’s most dangerous regimes.

    The Scale of the Problem

    • Widespread Infiltration: Nearly every Fortune 500 company has received applications from North Korean IT workers, and many have unwittingly hired them.
    • Massive Revenue Generation: The scheme has generated between $250 million and $600 million annually for North Korea since 2018, with the vast majority of these funds supporting the regime’s prohibited weapons programs.
    • Sophisticated Tactics: North Korean operatives use a combination of AI, deepfakes, and face-swapping technology to create convincing fake profiles, alter their appearance and voice during interviews, and even hold multiple jobs simultaneously.

    How North Korean IT Workers Operate

    • Identity Obfuscation: They use stolen or fabricated identities, often posing as American or other non-North Korean nationals.
    • AI-Powered Deception: Advanced AI tools help them generate fake resumes, profile photos, and even real-time video interview deepfakes.
    • Remote Work Loopholes: The shift to remote work has made it easier for these operatives to bypass traditional in-person verification and background checks.
    • Insider Threats: Once inside, these workers may steal sensitive data, plant malware, or extort companies by threatening to leak proprietary information.

    Red Flags and Warning Signs

    Technical Indicators:

    • Use of public VPNs, remote management tools, or unauthorized software on corporate devices.
    • Accessing company systems from unusual or inconsistent geographic locations.

    Behavioral Indicators:

    • Frequent excuses for missing video calls or last-minute cancellations.
    • Inconsistencies between interview performance and on-the-job capabilities—such as excellent code submitted but poor explanation of the work, suggesting multiple people may be sharing the role.
    • Different individuals appearing on camera during interviews versus regular meetings.
    • Reuse of phone numbers or email addresses across multiple job applications.

    Recruitment Process Red Flags:

    • Candidates claim to have attended non-US educational institutions with unverifiable credentials.
    • Applications coming through third-party staffing firms with opaque vetting processes.
    • Overly polished LinkedIn or freelance profiles that seem too good to be true.

    How Companies Can Protect Themselves

    1. Strengthen Identity Verification

    • Implement rigorous background checks, including verifying educational and employment history through trusted sources.
    • Use video interviews with real-time verification and cross-check against submitted identification.

    2. Monitor Technical and Behavioral Indicators

    • Track device usage, login locations, and unusual access patterns on corporate networks.
    • Educate frontline managers and HR teams to recognize the behavioral red flags described above.

    3. Scrutinize Third-Party Staffing Firms

    • Demand transparency from staffing partners about their vetting processes.
    • Connect staffing firms with law enforcement briefings on this threat.

    4. Foster a Culture of Vigilance

    • Encourage managers to have open conversations about performance and behavioral anomalies, even if uncomfortable.
    • Regularly update staff on the latest tactics used by North Korean threat actors.

    5. Collaborate with Authorities

    • Report suspicious cases to the FBI or relevant law enforcement agencies for investigation and support.
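    The technical red flags above (inconsistent sign-in geography, unauthorized remote-access or public VPN software on corporate devices, contact details reused across applications) and step 2 of the protection list are the parts of this post a security team can automate. The script below is an added example, not code from the original post or from any agency advisory; the log formats, hostnames, package names, applicant records and the IP-to-country values are all constructed for illustration, and the approved-software list stands in for whatever your own device policy permits.

```python
"""Screen constructed sign-in, device-inventory and applicant records for the
red flags described in the post: inconsistent geography, unapproved software,
and contact details shared across applications. Editor-added example; every
record below is constructed, not taken from a real environment."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events: ISO timestamp, account, source IP, GeoIP country.
SIGNIN_LOG = """\
2024-05-01T09:02:11Z alice 203.0.113.10 US
2024-05-01T14:30:00Z alice 198.51.100.7 US
2024-05-01T09:15:42Z bob 203.0.113.55 US
2024-05-01T10:05:03Z bob 192.0.2.77 RU
2024-05-02T08:00:00Z carol 203.0.113.88 US
2024-05-03T10:00:00Z carol 192.0.2.90 DE
"""

# Constructed device inventory: hostname, assigned account, installed package.
INVENTORY = """\
LT-0141 alice corp-vpn-client
LT-0142 bob corp-vpn-client
LT-0142 bob thirdparty-rmm-agent
LT-0142 bob public-vpn-client
LT-0143 carol corp-vpn-client
"""

# Hypothetical corporate policy: packages permitted on managed laptops.
APPROVED_SOFTWARE = {"corp-vpn-client", "corp-edr-agent"}

# Constructed applicant records: name, e-mail, phone, role applied for.
APPLICATIONS = [
    ("J. Smith", "jsmith.dev@example.com", "+1 555 010 0101", "Backend Engineer"),
    ("Alex Lee", "alex.lee@example.com", "+1 (555) 010-0101", "DevOps Engineer"),
    ("Alex Lee", "alex.lee@example.com", "+1 555 010 0102", "SRE"),
    ("Dana Cruz", "dana.cruz@example.com", "+1 555 010 0200", "Frontend Engineer"),
]


def parse_signins(text):
    """Turn the constructed log into (timestamp, user, ip, country) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, ip, country = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, country))
    return events


def inconsistent_geography(text, window_hours=24):
    """Accounts seen from two different countries within the window.

    A country change over several days is ordinary travel; inside one day it is
    the 'inconsistent location' indicator that deserves a human look. Returns
    {user: (country_before, country_after, minutes_between)}."""
    by_user = defaultdict(list)
    for ts, user, ip, country in parse_signins(text):
        by_user[user].append((ts, country, ip))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for (t1, c1, _), (t2, c2, _) in zip(events, events[1:]):
            if c1 != c2 and t2 - t1 <= timedelta(hours=window_hours):
                flagged[user] = (c1, c2, int((t2 - t1).total_seconds() // 60))
    return flagged


def unapproved_software(text, approved=APPROVED_SOFTWARE):
    """Packages on managed devices that policy does not permit, per account.

    An allowlist catches public VPN clients and third-party remote-management
    agents without having to enumerate every product name in advance."""
    findings = defaultdict(list)
    for line in text.splitlines():
        host, user, package = line.split()
        if package not in approved:
            findings[user].append((host, package))
    return dict(findings)


def normalize_phone(phone):
    """Keep digits only so '+1 (555) 010-0101' and '+1 555 010 0101' compare equal."""
    return re.sub(r"\D", "", phone)


def reused_contact_details(applications):
    """Contact details used by more than one applicant name.

    The same person applying for two roles is normal; one phone number or
    mailbox behind two different names is the red flag from the post."""
    by_contact = defaultdict(set)
    for name, email, phone, _role in applications:
        by_contact[("email", email.lower())].add(name)
        by_contact[("phone", normalize_phone(phone))].add(name)
    return {k: sorted(v) for k, v in by_contact.items() if len(v) > 1}


if __name__ == "__main__":
    print("Inconsistent geography:", inconsistent_geography(SIGNIN_LOG))
    print("Unapproved software:", unapproved_software(INVENTORY))
    print("Reused contact details:", reused_contact_details(APPLICATIONS))
```

    Each check returns structured findings rather than a verdict: a country change within a day, an unapproved remote-management agent, or a shared phone number is a reason for HR and security to talk to the hiring manager, not proof of anything on its own. Widening `window_hours` shows the trade-off directly; at 48 hours the script also flags carol's two-day move between countries, which most teams would treat as ordinary travel.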

    Conclusion

    The infiltration of North Korean IT workers into US companies is a national security issue, not just a business risk. With the vast majority of their earnings funding North Korea’s nuclear weapons program, every compromised hire directly contributes to a global threat. By understanding the red flags and implementing robust hiring and monitoring practices, companies can play a crucial role in shutting down this dangerous revenue stream.

    “This threat is very adaptable; they have an exit strategy and a plan to have some monetary gain… We have to be adaptable as defenders and responders to be prepared to detect and respond to these changes.”
    — Bryan Vorndran, FBI Cyber Division

    Vigilance, education, and collaboration are essential to keeping North Korean operatives out of your workforce—and out of your networks.

    Read more:
    Recruitment Red Flags: Spotting DPRK IT Remote Workers

    North Korea Cyber Threat Overview and Advisories

    DPRK IT WORKERS