June 16, 2023

Leaked Videos of Tucker Carlson Demonstrate the Importance of Cyber Security

By: Caleb Larson

Keeping hackers and malicious insiders away from sensitive data is crucially important for organizations. The release of behind-the-scenes footage of Tucker Carlson demonstrates how impactful data leaks can be for a media organization and its personalities. Details are still coming out on how exactly the footage was obtained, but the lesson is abundantly clear. Preventing unauthorized access to critical assets is so important that robust cyber security programs are non-negotiable for any organization of any size that wishes to prevent intrusions.

The Fox News leaks have prompted the Department of Justice to open a hacking investigation into how the footage was acquired without consent. US attorneys notified Fox in a letter dated May 25th claiming that they are looking into “allegations of criminal wrongdoing involving intentional unauthorized access of a computer” and “intentional interception and disclosure of wire, oral, or electronic communication.”

Fox has confirmed the authenticity of the leaks through a cease-and-desist letter sent to Media Matters, the original publisher of the footage. In it, Fox identifies the data as “misappropriated proprietary footage” and “confidential intellectual property.” It also makes clear that this data was “unlawfully obtained.” Media Matters justifies its reporting by saying the leaked material is newsworthy and therefore warrants coverage.

Interestingly, on May 8th the FBI searched the house of media consultant Tim Burke in relation to the hacking investigation. Like Media Matters, he has not yet been formally accused of wrongdoing. Unsealed documents disclose that his home was to be searched for evidence relating to alleged crimes committed after August 1st of 2022. Burke’s wife, Tampa City Council member Lynn Hurtak, states the search seems to be connected to Burke’s previous journalism.

A lawyer for Burke says the videos were publicly available and Burke did not hack Fox News. He did not say where the data was found specifically but says that Burke is a “master at finding links to stuff publicly posted on the internet” and that there is nothing criminal about finding videos that are “posted, public, unencrypted, and unprotected.”

It will be hard to judge how true these statements are without knowing specifics on how Burke went about getting these videos. Was he perusing a hack-and-leak site on the dark web, or did he find that Fox had an unprotected cloud repository publicly exposed? Did he have a connection within Fox who alerted him to the videos' existence or provided him with credentials to an internal system?

Whatever the details are, Fox obviously did not want this information getting out. The full story would best inform organizations on how to defend against this specific case of information leakage, but there are general principles and practices that can be followed that will help to reduce the probability of similar cyber security incidents.

When it comes to data management, a key area of control revolves around authorization and authentication. Only those with a valid reason should be able to access data and that access should involve granting the user the least amount of privilege necessary to achieve their goal. Along with this, each time the data is accessed there should be a validation of that user’s identity involving multiple forms of authentication. Microsoft claims that multi-factor authentication reduces account compromises by 99.9 percent.

It is also critical that controls are in place to prevent malicious insiders from compromising and releasing information. It can be hard to correctly identify internal actions as malicious, but there are certain factors that can contribute to a higher risk, such as poor employee performance reviews or a sudden end of employment. Proper assignment and monitoring of permissions is also crucial in this area as permission creep, wherein users amass permissions over time and never have them revoked, can often enable data loss.

Finally, a cloud services governance program should be in place to ensure that assets deployed in the cloud are properly managed and secured. With the recent rush to the cloud, organizations often neglect these steps, allowing employees to mishandle simple configuration settings that must be enabled to prevent unauthorized access to stored data.

We may never know if Fox was following these cyber security principles or if something was specifically at fault for the leak. However, organizations should still pay attention and, if possible, find specific takeaways for their own IT environment. Without retrospectives such as these, it is easy to fall asleep at the wheel and assume that your organization is not vulnerable. It is only a matter of when you will be hacked, not if you will be. Cyber security is vitally important and those pretending otherwise will end up paying the price.