Guest Blog Post

GUEST ESSAY: Theft of MQ-9 Reaper docs highlights need to better protect ‘high-value assets’

By Sherban Naum

The discovery of sensitive U.S. military information for sale on the Dark Web for a nominal sum, in and of itself, is unfortunate and unremarkable.

However, details of the underlying hack, ferreted out and shared by researchers of the Insikt Group, an arm of the security research firm Recorded Future, are most welcomed. They help frame wider questions, and pave the way for improved best practices.

Here is what is known thus far: Team members of the Insikt Group encountered an English-speaking hacker who jumped on a Dark Web forum to pitch the sale of MQ-9 Reaper UAV docs for $150 to $200. The hacker/salesman also had other unclassified military intelligence for sale: an M1 Abrams tank maintenance manual, a tank platoon training course, a crew survival course, documentation on improvised explosive device (IED) mitigation tactics; he even claimed to have access to footage from a MQ-1 Predator drone.

The Insikt Group determined that the hacker/seller must have accessed a Netgear router with misconfigured FTP login credentials. This raises wider questions about data security best practices, not to mention the wider contractor support community. …more

GUEST ESSAY: Here’s why Tesla has been sabotaged twice in two years — lax network security

By Igor Baikalov

The disclosure earlier this week that Tesla CEO Elon Musk reportedly informed all of his employees about a rogue worker conducting “extensive and damaging sabotage” to the company’s operations very much deserves the news coverage it has gotten.

Musk reportedly sent out an internal email describing how an unnamed insider allegedly made unspecified code changes to the company’s manufacturing systems. The news agency Reuters, which viewed a copy of Musk’s email, quotes it as saying: “The full extent of his actions are not yet clear, but what he has admitted to so far is pretty bad . . . His stated motivation is that he wanted a promotion that he did not receive.”

For now the company is investigating the matter, focused on determining if the employee acted alone, or with co-conspirators.

Baikalov

For a cutting-edge company like Tesla, its security practices seem to be pretty lax, especially in light of previous suspicions of sabotage two years hence. In 2016, the company sued a former oil-services executive for impersonating Musk while crafting an email message sent to former Tesla CFO Jason Wheeler. The lawsuit describes how that email was part of an oil-industry effort to undermine the company’s push for energy-efficient transportation.

Fast forward to this week. Based on the limited information available, the alleged saboteur was able to accomplish a series of pretty advanced steps to access and inflict damage on the company jewels. This included:

•Hijacking other employees’ accounts to gain access to sensitive systems and data.

•Modifying production code affecting manufacturing operations.

•Exfiltrating highly sensitive data to external third parties.

Each one of these steps should be sounding alarms in a well-protected environment, as these are the most watched insider activities, and their concentration around a single person would be a huge risk booster. …more

GUEST ESSAY: 3 key ingredients to stress-free compliance with data handling regulations

By Izak Bovee

The variety of laws and regulations governing how organizations manage and share sensitive information can look like a bowl of alphabet soup: HIPAA, GDPR, SOX, PCI and GLBA. A multinational conglomerate, government contractor, or public university must comply with ten or more, which makes demonstrating regulatory compliance seem like a daunting, even impossible, undertaking. But there are a manageable number of precautions you can take to secure customer data that will tick the boxes for many different regulations.

Organizations that have control of their information have an easier time demonstrating compliance with regulations. Passing a compliance audit boils down to proving to auditors that your organization has implemented three fundamental things: adequate data security, …more

Comment | Read | June 14th, 2018 | Guest Blog Post | Privacy

GUEST ESSAY: DHS tackles supply-chain issues over malware-laden smartphones

By Vincent Sritapan

At the Black Hat security conference last August, researchers from the security firm Kryptowire announced that they’d discovered Amazon’s #1-selling unlocked Android phone, the BLU R1 HD, was sending Personally Identifiable Information (PII) to servers in China. The culprit was a piece of firmware update software created by AdUps Technologies, a company based in Shanghai.

Related article: How enterprises address mobile security

For many members of the audience, it was a major episode of deja vu. Just eight months earlier, the same company, Kryptowire, had announced they had discovered the exact same backdoor in AdUps software running on the exact same BLU phone. BLU claimed then that the existence of the backdoor was a mistake, and that the problem …more

Comment | Read | May 23rd, 2018 | Guest Blog Post

GUEST ESSAY: The Facebook factor: Zuckerberg’s mea culpa reveals intolerable privacy practices

By Elizabeth A. Rogers, Adrienne S. Erhardt and Ryan T. Sulkin

In the words of the Nobel Prize writer Bob Dylan, “The times, they are a-changin.’” Revelations in the press about Facebook’s current privacy problems, and a new comprehensive European Union privacy framework that impacts American businesses, may be changing the climate towards more data privacy regulations by United States lawmakers.

As technology and uses for data surge ahead at breakneck speed, however, the testimony of Facebook CEO Mark Zuckerberg seemed to highlight both the public’s and lawmakers’ limited understanding of the impact that dizzying advancement has on individual privacy and on our society at-large.

Against these rapidly changing times, the challenge now is for …more

Comment | Read | May 21st, 2018 | Guest Blog Post | Top Stories

GUEST ESSAY: How data science and cybersecurity will secure ‘digital transformation’

By Roger Huang

In today’s environment of rapid-fire technical innovation, data science and cybersecurity not only share much in common, it can be argued that they have an important symbiotic relationship.

A fundamental understanding of the distinctions – and similarities – of these two fields is good to have. Both must flourish separately and together to fuel “digital transformation” in a way that makes our connected world as secure as it needs to be.

Related article: Machine-learning does heavy-lifting

Data science focuses more on data structures, algorithms and computability. Cybersecurity emphasizes knowledge of systems administration, architecture, operating systems and web applications. However, both data science and cybersecurity rely on proficiency across a shared base of technical knowledge.

Both …more

Comment | Read | May 21st, 2018 | Guest Blog Post | Top Stories

GUEST ESSAY: Rising workplace surveillance is here to stay; here’s how it can be done responsibly

By Elizabeth Rogers

People often recite the cynical phrase that ‘privacy is dead.’ I enthusiastically disagree and believe, instead, that anonymity is dead.

One area where this is being increasingly demonstrated is in the workplace. Employee surveillance has been rising steadily in the digital age. And because it’s difficult, if not impossible, to keep ones digital work life separate from ones digital private life, the potential for abuse to happen while carrying out an employee surveillance program is real.

However, I firmly believe that, together, we can preserve the employee privacy through clearly stated social ‘contracts’ and fair enforcement of same.

Let’s begin with the notion that employees, unless advised otherwise, have a right to privacy in the workplace. However, the scales also tip in favor of the employer to monitor threats to the company’s intellectual property.

Unique ties

Employers and employees share a unique relationship built on trust. When it comes to assets of the company, it is in the mutual interest of both that they stay protected. Generally, employees will sign a contract, in the form of a Non-disclosure Agreement that yields to the …more

Older Articles »

The Last Watchdog