jump to navigation

“Cyber Espionage is Alive and Well”; Motorola Employee Sentenced in theft of IP August 30, 2012

Posted by Chris Mark in cyberespionage, cybersecurity.
Tags: , , , , , , , ,
add a comment

According to a story in CIO, a former Motorola employee was sentenced to 4 years in prison for theft of trade secrets. For more information on the cyber espionage threat, you can read my  article: “The Rise of CyberEspionage” published in The Counter Terrorist Magazine.

Below is an excerpt of the CIO article.

“Hanjuan Jin, 41, a nine-year Motorola software engineer, conducted a “purposeful raid to steal technology,” U.S. District Judge Ruben Castillo said while imposing the sentence, according to a statement by the department.

The Judge did not however find her guilty of three counts of economic espionage for the benefit of China and its military, although he found by a preponderance of the evidence, that Jin “was willing to betray her naturalized country,” according to the department. Jin had earlier been convicted by the court of three counts of theft of trade secrets.

Judge Castillo’s order was not immediately available on the website of the U.S. District Court for the Northern District of Illinois, Eastern Division where Jin was on trial.

Jin, who is a naturalized U.S. citizen born in China, was stopped from traveling on a one-way ticket to China on Feb. 28, 2007 at O’Hare International Airport by U.S. customs officials who are said to have seized from her possession more than 1,000 electronic and paper documents from Motorola.”

Companies need to be vigilant and understand that the same techniques used to steal national secrets are being employed in US businesses.  While not exclusive to China, they certainly represent the greatest threat today.

“Here I (we) go Again…”; GlobalCerts.net hacked August 27, 2012

Posted by Chris Mark in cybersecurity.
Tags: , , , , , , ,
add a comment

On this lovely Monday morning on the opening week of College Football (WAR EAGLE!)…I open with some classic Whitesnake and their awesome song from 1987: “Here I go Again”.  It seemed appropriate since here ‘we’ go again with another hack and data compromise.  According to Cyber War News,  GlobalCert.net was hacked and their data posted to Pastebin..according to the report, GlobalCert.net’s web database was hacked and over 1000 clients’ data posted online by Anonymous.  GlobalCert.net’s website says the following about their website:

“GlobalCerts provides a comprehensive solution that meets a full range of secure messaging needs—including an automatic, transparent, inter-organizational secure messaging product, the SecureMail Gateway. GlobalCerts also offers a trusted, scalable, user friendly solution to overcome the hurdle obstructing many organizations from deploying a standards-based, secure messaging solution. SecureTier is a hands-off global, certificate management solution for key creation, discovery, and revocation. No other key distribution and discovery system is as effortless and efficient as GlobalCerts’ solution.”

Seems that GlobalCert.net should practice what they preach 😉

“A Rose by Any Other Name…” – Selecting the Right InfoSec Professional August 22, 2012

Posted by Chris Mark in cybersecurity.
Tags: , , , , , , , ,
add a comment

Last week I had an experience that left me chuckling and shaking my head at the same time. I had been approached by a company that had some infosec needs.  According to the person with whom I spoke, they had found me on LinkedIn and wanted to talk.   This company had recently settled with some regulators over some privacy and other regulatory practices and were looking to beef up their security and compliance.   I spoke to one person for about an hour and a half and was asked to send more info.  Later that week I received a call from the person with whom I had spoken an was informed that the company was looking for someone with INFORMATION SECURITY experience.  I (likely not so politely) asked what they thought I did for a living?  His response was that the company was looking for someone with a computer science degree.  It was curious that they did not say an information assurance degree, or cybersecurity degree…or…list an certifications or skills…simply computer science.  Well then…there you have it.  Apparently, this company feels the only real qualification for ‘infosec’ is a computer science degree.   Considering their previous issues, you would think they would have a better handle on info sec and their needs.

When looking for an infosec professional understand that there are technical skills which are certainly important (encryption, configuring firewalls, devices, systems, app layer security etc., etc., etc.)  There are other aspects which are important, as well.  Understanding the compliance mandates as well as the various regulatory requirements and regimes is critical in today’s world.  While not specifically defined as ‘infosec’, an understanding of privacy issues (how data is used) is also important.  While understanding technology is critical, being a skilled infosec professional is about more than simply understanding technology and about more than computer science.  While I may not have been right for that particular engagement for other reasons, the company’s laser focus on a ‘computer science’ degree at the exclusion of the other aspects suggests this company may be focused on the wrong areas.  Maybe they should question why they had issues to begin with.

“You Can’t Unring That Bell!” – What is a”Data Breach” and When Should I Notify? August 21, 2012

Posted by Chris Mark in cybersecurity, Data Breach.
Tags: , , , , , , , , , , , ,
add a comment

There are currently over 45 state breach notification laws, several data protection laws, and numerous regulations including PCI DSS, HIPAA/HITECH, FISMA, and more.  I frequently find myself working with companies on data breach notification plans.  One of the more interesting (and heated) discussions comes when I ask them to define a “data breach” or “data compromise”.  More interesting is when I ask them to define a “suspected data breach”.  Visa’ rules state that “suspected” breaches must be reported within 24 hours of identification or there could be penalties. Consider the following example.  You, as CSO, are informed of a malicious software outbreak in the customer service department. Does this require notification under the state breach notification laws, or relevant regulatory regimes?  Maybe, maybe not.  It is dependent upon a number of factors including access to data, data protections (ie. encryption), segmentation, the various laws etc.  In short, it is not easy to decipher yet it is critical to be as accurate as possible.

Understanding what is, and what is NOT, a data breach or data compromise is the first step in defining your company’s data breach notification plan.  The reason it is so critical is in the titled of this article.  Once you notify that your company has been ‘breached’ you cannot ‘unring that bell’.  The genie is out of the proverbial bottle and things start moving quickly.  Most company’s would absolutely hate to make an announcement only to find that, while they may have experienced a security incident, it did not impact sensitive data (PII, CHD, NPI, PHI, etc.).   It is important that you work with your compliance group, legal (don’t forget legal!), and the infosec & risk department to ensure you have a solid understanding of when, and under what conditions your company is required to notify of a breach or suspected breach.  Here are some basic definitions to use as a starting point.  (check with your legal council and don’t simply use these…there..that should protect me!;)

Security Incident/Event – Any event that compromises the availability, accessibility, or integrity of any asset.  This includes systems, personnel, applications, services, etc.

Data Breach – Any exposure of or unauthorized access of sensitive and/or protected data to include PHI, PII, CHD, and NPI.

Suspected Data Breach– In the absence of  direct evidence (identified fraud, or misuse of data, for example), any Security Incident in which it can be reasonable assumed that sensitive and/or protected data was exposed or accessed without authorization.

Remember, some state breach notification laws do not consider a breach of encrypted data as a trigger for notification…others do 😉  If you need help unraveling these issues (insert shameless marketing plug)…contact Mark Consulting Group…www.MarkConsultingGroup.com

graphic by Hippacartoons.com

“Bow-Chicka-Bow-Wow!” – Privacy Failure of Photobucket Can Make You a Porn Star! August 13, 2012

Posted by Chris Mark in cybersecurity, Data Breach.
Tags: , , , , , , ,
add a comment

For those who like to use the popular photo sharing site Photobucket to share (ahem)..”private” pictures may want to take action immediately.  According to an article on CNN, a privacy flaw in the way Photobucket allows users to share photos resulted in hackers gaining access to numerous R rated and even explicit photos of users.  Photobucket allows users to share photos using direct links.  This means that even if the user does not intend to share a photo, if a person can deduce the URL then the unencrypted file can be directly accessed.   This is a hack known as “Fuscking” and it has been used to access numerous files.  (more…)