ZeroFOX under fire for social media 'Threat Actors' report during Baltimore riots - Technical.ly Baltimore

Civic

Aug. 4, 2015 1:17 pm

ZeroFOX under fire for social media ‘Threat Actors’ report during Baltimore riots

We speak with the founders of the cybersecurity company about why they sent the controversial report. Here's a glimpse, from city officials and others, about its impact.

The cover of ZeroFOX's report.

(Screenshot)

On the afternoon of April 27, James Foster, CEO of Federal Hill-based cybersecurity company ZeroFOX, sent an email to a group of city leaders. The subject was marked “IMMEDIATE CALL TO ACTION.”

“We are trying to get in touch with the Mayor or Police Chief in Baltimore City asap as we turned on our system for Baltimore City and have some immediate intelligence for them,” Foster wrote, adding that the company recently provided similar services during protests in New York City.

Within the hour, he was connected with city and state officials, emails from city officials show.

An emailed report dated April 28 at 2:32 p.m. shows the information Foster discussed. It appears in a “Crisis Management” report that Foster said the company performed entirely for free in an effort to help the city amid the riots that followed Freddie Gray’s funeral.

“We worked around the clock,” he said, adding that employees, many of whom are Baltimore City residents, volunteered to work long hours to help.

ZeroFOX, which makes software that monitors social media accounts and other internet channels for potential cybersecurity threats, provided the 22-page report that looks at Twitter accounts, potential cyberattacks and makes recommendations for securing information.

On the fourth page, the report says ZeroFOX recorded 19 “threats mitigated,” and tallies up 340 real and fake social media accounts monitored.

But since the report was released via crowdfunded public records request, most of the focus has been on a few of those accounts.

Screen Shot 2015-08-04 at 12.10.07 AM

From the ZeroFOX report. (Screenshot)

A section identifying “Threat Actors” includes information about national #BlackLivesMatter protest leaders DeRay McKesson (who is originally from Baltimore) and Johnetta Elzie, who have been called leaders of a 21st century civil rights movement.

Advertisement

Local grassroots collective Baltimore Bloc, which participates in events like the weekly West Wednesday that peacefully calls for justice in the case of Tyrone West, was also flagged. All three, who use Twitter as a means of organizing and advocating against police brutality, are labelled “Threat Type: Physical.”

The report, which wasn’t flagged in initial media reports about the emails, touched off a lengthy thread full of criticism on the Baltimore Tech Facebook page that currently has 256 comments (and counting). Stories followed Monday in national news outlets, including The Independent and Mother Jones.

Responding to a request for comment from the Baltimore Sun, McKesson tweeted:

In an interview with Technical.ly Baltimore, Foster and ZeroFOX cofounder Evan Blair said that despite the labels, the report wasn’t designed to be taken to mean that the protest leaders were out to do harm. ZeroFOX’s system likely identified the protest leaders due to the amount of followers they have on Twitter.

In part, the system identifies, “who are the biggest influencers out there, who are the people that have the biggest voices, the most reach,” and flags them for monitoring to keep track of the activities, Foster said.

“In any intelligence report, you would have to include two of the most well-known folks that are organizing activities,” Blair said. “If we didn’t include those two people, they would say didn’t understand two well-known people in the whole Baltimore protest.”

The ZeroFOX cofounders pointed out that the organizers were described as “main coordinators of the protests” in the report, without any specific malicious activity listed. Being labeled “physical,” they said, means the person is acting in real life rather than via cyber, Foster said.

The report advised that the city monitor the protest leaders. There was no indication that the company performed monitoring beyond the report. Foster said the information was passed to the city, and decisions on what to do with the info was up to officials.

City spokesman Howard Libit declined to comment on how the city used the information in the report, or even say if it was used. A separate email released by the city showed a spreadsheet of activities that were apparently being monitored by city officials. Two @deray tweets are listed, but it’s not clear how or why they were flagged.

At this point in time, it’s common for police to monitor social media during such events, said UMBC cybersecurity professor Richard Forno.

“It would surprise me if the Baltimore Police were not already monitoring social media as a part of law enforcement duties,” Forno said. Since they are in charge of public safety, police “can and should” use tools at their disposal to keep rights of way, and check for violence, Forno said.

ACLU attorney Nusrat Jahan Choudhury pointed out that government monitoring of protesters is not new. She recalled how civil rights leaders like Martin Luther King, Jr. and others were later found to be monitored by the FBI. But the information gathered has the potential to be kept beyond the march, she said.

“Government surveillance can lead to activity reports. Reports can be shared with law enforcement. The connection is that the surveillance can lead police to track or look further into people” just because they attended a protest, Choudhury said.

ZeroFOX’s Foster and Blair said that some of the Twitter accounts the company’s software identified were found to be malicious, whether fraud accounts posing as the Baltimore Police Department or officials like Mayor Stephanie Rawlings-Blake.

“We saw attacks from Russia pretending to be protesters inciting violence,” Foster said. “There are foreign governments that just want to see chaos.” (For more on that, check out this great Adrian Chen piece.)

Other accounts spread malware through pictures that purported to be from the riots, Foster said.

The report also warned that there was evidence of cyberattacks on four different city servers, and projected that another wave would hit around 3-5 p.m. on April 28. Libit, the city spokesman, confirmed the city faced “a number of different cyber attacks — and threats of cyber attacks.”

“There was also a period of time when portions of the city’s website were offline due to what is commonly referred to as denial of service attacks — something that was reported by other media outlets at the time,” Libit said in an email. “This was for a period of roughly 16 to 20 hours.”

He declined to comment on whether ZeroFOX’s report was a factor in the city’s recognition of the cyberattacks.

Forno, the UMBC professor, said such attacks are often a part of civil unrest. He said cities should be prepared, as legitimate forms of communication could be at risk.

“Fortunately, we believe that the city’s email system and internal core functions were unaffected throughout,” Libit said.

ZeroFOX’s report makes a number of recommendations. At one point, it advises officials to tell Gov. Larry Hogan that his social and email addresses may have been compromised.

Another advises the city to migrate services to the cloud, or get programs like CloudFlare or Akamai that “mitigate” denial of service attacks. When asked about accusations that the company was seeking business from the government during a crisis, Foster said ZeroFOX doesn’t sell those kinds of services.

“We recommended five other security products in the report that they should buy,” he said. “That to me is the worst sales pitch I’ve ever heard of.”

Baltimore City is not a client of ZeroFOX, Foster said.

You must appreciate accurate, relevant and productive community journalism.  Support this sort of work from professional reporters with seasoned editors.  Become a Technical.ly member for $12 per month
Organizations: ZeroFOX, City of Baltimore
-30-
JOIN THE COMMUNITY, BECOME A MEMBER
Already a member? Sign in here

Advertisement

Hanover, Md.–based cybersecurity company Dragos raises $37M Series B

Bandura Cyber integrates with Gigamon to block threats ahead of firewalls

How Facebook Community Boost is looking to help small businesses in Baltimore

SPONSORED

Baltimore

Join our Technical.ly Match beta, an opt-in alternative to recruiting

Baltimore, MD 21201

14 West

eCommerce Production Manager

Apply Now
Baltimore, MD

SmartLogic

Content and Digital Marketing Manager

Apply Now
Baltimore, MD 21201

14 West

Curriculum and Training Specialist

Apply Now

Baltimore startup TrackOFF finds uptick in candidates tracking digital fingerprints

Attila Security raises $2.5M, moves into Fulton-based DataTribe

At CyberMaryland, Baltimore startup Point3 Security organized a capture the flag tournament

SPONSORED

Baltimore

3 reasons to foster student entrepreneurship in Maryland

Canton

TrackOFF

Junior Marketer

Apply Now
Canton

TrackOFF

IOS/Swift Developer

Apply Now
Canton

TrackOFF

Chief Engineer

Apply Now

Sign-up for daily news updates from Technical.ly Baltimore

Do NOT follow this link or you will be banned from the site!