Lenovo caught (again) installing SpyWare and Malware on Computers! September 27, 2015Posted by Chris Mark in Uncategorized.
Tags: china, Chinese, cybersecurity, data theft, hacking, lenovo, Man in the Middle, MitM, rootkit, spyware
add a comment
I just saw on TheHackerNews Security Blog on a link I picked up on LinkedIn. If true (no reason to think it is not), this is truly bad business and shameful practices by Lenovo..AGAIN. Keep in mind that two years ago Lenovo (a Chinese company, BTW) was banned (Again..) from providing computers to the US Intelligence and defense services of Australia, the United States, Britain, Canada and New Zealand over spying issues. They were first banned in 2006! Then, in January 2015, Lenovo was caught…ONCE AGAIN..installing SuperFish malware onto refurbished laptops. SuperFish has a serious vulnerability which makes it vulnerable to Man in The Middle Attacks (MitM). Now, according to TheHackerNews Lenovo was caught in August installing a rootkit into their computers. This rootkit, known as the Lenovo Sevice Engine (LSE) installs into the BIOS on the computer. According to TheHackerNews: “One of the most popular Chinese computer manufacturers ‘Lenovo’ has been caught once again using a hidden Windows feature to preinstall unwanted and unremovable rootkit software on certain Lenovo laptop and desktop systems it sells.”
So what does this really mean for you…the consumer? If you want to buy a Lenovo I would only ask that you email me as I have a great bridge for sale in Utah and would love to introduce you to some Ukrainian friends who love to give high interest loans. Honestly, if you are going to buy a Lenovo after reading this, you probably deserve what you get. I can tell you that I would never own a Lenovo again (had one in the 1990’s). Fool me once…shame on you…fool me twice shame on me…fool me a third time? Seriously?
Tags: Chris Mark, corporate espionage, cyberespionage, cybersecurity, Dupont, InfoSec, mark consulting group, San Francisco Chronicle, security
add a comment
Many mistakenly believe that only “high tech” secrets and intellectual property are targets for intellectual property theft. In a clear example of how any propriety secret can be considered a target, a scientist (Tse Chao) who worked for Dupont from 1966-2002 (36 years!) pleaded guilty in Federal court on Thursday to committing espionage for a company controlled by the Chinese government. Mr. Chao testified that he provided confidential information to Chines controlled Pangang Group. What did he steal? Among other things, the recipe for Dupont’s Titanium Dioxide. What is TD used in? Titanium Dioxide is the ingredient in many white products that makes the products white. Products such as paint, toothpaste, and Oreo cookie filling! Stealing the ingredients to Oreos shows just how low cyberthieves will go! According to court documents: “DuPont’s chlorine-based process was eagerly sought by China, which used a less efficient and more environmentally harmful production method”
I have worked with a number of large companies who, when asked why they did not protect trade secrets, replied that they did not believe their industry or type of product was of interest. Make no mistake. If your company has a unique process, technology, or product, it IS of interest to many companies. Unfortunately, the US Government has released reports that state that China is sponsoring much of the US and European cyber espionage.
photo from: http://www.titaniumexposed.com
Getting into Information Assurance Careers June 2, 2015Posted by Chris Mark in Uncategorized.
Tags: Chris Mark, CIPP, CISSP, Consulting, cybersecurity, InfoSec, privacy, SANS
add a comment
I have had a number of folks email me asking about becoming an InfoSec worker so I am writing this post to (hopefully) help those who are interested. In 2001, I landed in InfoSec by pure luck and I have never looked back. It is an amazing field and a great career path. First..for some marketing. According to the InfoSec Institute, the average CISSP Salary in 2014 is over $100,000 per year. In 2013 there were 209,000 job postings for CyberSecurity Jobs and it is estimated that in 2015, there are 40,000 more jobs than people to take them. In short, it is a very high demand field.
InfoSec? CyberSecurity? Information Assurance? WHAT?
It is even confusing to me sometimes. At a high level I use the term Information Assurance as it encompasses all of the elements of protecting data. This includes data security (protecting data), CyberSecurity (protecting the systems, and infrastructure), Privacy (appropriate use of information) and Compliance (ensuring your company complies with relevant regulations) and Risk Management (evaluating the security risk of your organization). While this short post does not allow for a more comprehensive overview, these are the generic ‘pillars’ that we consider.
What types of Jobs are Out There? (more…)
Tags: Chris Mark, security, InfoSec & Privacy, data security, PCI DSS, cybersecurity, cybercrime, data breach, deterrence, active, response, active response, fight
1 comment so far
“Everyone has a plan until the’ve been hit” – Joe Lewis
Having spent numerous years providing armed and unarmed physical security in combat zones, hospital emergency rooms, psychiatric wards, and anti-piracy operations off the coast of Somalia has given me a deep respect for force continuum and the dangers of unnecessarily provoking an escalation by a volatile and dangerous adversary.
As cyberattacks continue to plague American companies as well as the payment card industry, there is a growing voice within the cybersecurity industry to allow and empower companies to take offensive action against cyber attackers. This is frequently referred to as ‘hacking back’ or ‘offensive hacking’. Several prominent security experts as well as some companies who have fallen victim to cyber-attacks have begun advocating that ‘a good offense is the best defense’. On May 28th, 2013 there was an online discussion in which an author of the upcoming book: The Active Response Continuum: Ethical and Legal Issues of Aggressive Computer Network Defense posted the following excerpt:
“There are many challenges facing those who are victimized by computer crimes, who are frustrated with what they perceive to be a lack of effective law enforcement action to protect them, and who want to unilaterally take some aggressive action to directly counter the threats to their information and information systems.” (emphasis added) (more…)
Chris Mark in AT&T Network Exchange Blog February 20, 2014Posted by Chris Mark in Uncategorized.
Tags: AT&T, Chris Mark, cybersecurity, DSS, Exchange Blog, information, PCI, security
add a comment
As the AT&T PCI National Practice Director, I write and blog on numerous topics that I hope are of interest to those who have to protect data. Aside from the GlobalRiskInfo blog here I also publish some blog posts on the AT&T Network Exchange Blog. Please take a spin through. Also, there are a very large number of great writers on the AT&T Network Exchange Blog. Take some time and look through the other authors…