More stories

  •

    The IT skills gap is a giant problem. Help fix it with these smart management moves

    Skills shortages are at an all-time high, with 67% of digital leaders struggling to get hold of the right talent, especially in key areas such as big data, cybersecurity and artificial intelligence.
    With talent tough to find and IT budgets constrained, a focus on development and mentorship programmes could be the smartest way for CIOs to fill their digital skills gaps. Three tech leaders share their best-practice tips for honing internal talent.
    1. Help good people become great

    Danny Attias, chief digital and information officer at British charity Anthony Nolan, says mentorship and development is hugely important to his organisation. The charity runs apprenticeships to help talented staff flourish.
    “Starting with people who have an appetite for growth, and who are ambitious, makes mentoring a lot easier – they want to succeed,” he says. “We start with that as a baseline, and then it’s about giving them the tools and the training they need, and providing them with every possible opportunity.”
    Attias says the aim of the charity’s mentorship and development programmes is to help talented people get even better. He gives the example of someone who started in an entry-level IT job with the charity eight years ago and was recently promoted to director of product.

    “There’s been some big steps on the way,” he says. “I’ve secured her external mentorship from a digital design agency, so that she can learn, and the deal is that she learns from the outside and then she teaches me about digital.”
    Attias says the charity is always looking for new ways to inspire its talent. For example, three developers at the organisation who recently completed 18-month software engineering apprenticeships are now running key IT and data projects at the charity.
    Education is also baked into the charity’s day-to-day engineering work. Each two-week sprint at Anthony Nolan includes half a day of personal development, which Attias says adds up to a significant amount of time on an annual basis.
    The tech team self-organises this development process – they decide who learns what, how knowledge is imparted and exchanged, and how this learning process contributes to continuous personal growth.
    “So we’re all teaching each other all the time and we’re all learning. None of us pretends to be experts in what we do or that we’ve ever reached a limit,” says Attias.
    2. Make sure people’s objectives are met
    Joe Soule, CTO at Capital One Europe, says he feels lucky that people have taken the time and effort to mentor him at particular points during his career. He currently mentors people in his own organisation and unlike coaching, which he feels is more generalised, Soule says effective mentorship centres on career development.
    “There is always the great debate between coaching and mentoring. If it’s mentoring, then it’s likely that I’ve personally been through the problem, and have an idea of how to solve it, and I’m prepared to share with others how I went about solving that issue – and then they can choose to take that into how they plan to go through their career,” he says.
    When he provides coaching, Soule says it’s likely he doesn’t know the specifics of the problem but does know the person involved. While coaching is often provided to companies via external experts, Soule says the coaching he provides internally tends to centre on his relationship with the individual.
    “I tend to coach them on things like objectives and performance. And for me, that coaching conversation has to satisfy three things: are they interested, does it leverage their ability, and is there an organisational need,” he says.
    Soule splits coaching needs into three areas: chores, prayers and hobbies. If they’re interested and they have an ability, but there’s no organisational need, then that’s a hobby. If there’s an organisational need and they’re interested, but they have no ability, then that’s a prayer. And if there’s no interest, but there is an ability and a need, that’s a chore.
    “Most people’s lives are made up of a collection of chores, prayers and hobbies, rather than a solid objective that meets all three of those things. So I look from a coaching perspective to make sure that people’s objectives, particularly their performance objectives, meet those three criteria and are written in their own voice,” he says.
    3. Share your knowledge across communities
    Shane Read, CISO at commodities trading firm Noble Group, says mentoring is a crucial element in the creation of rounded, next-generation IT professionals – and he likes to share his best-practice cybersecurity knowledge whenever he can.
    “I’ve always been a mentor – I love mentoring. My take on the cybersecurity industry is that we have to share: mentoring is knowledge transfer 101. I have mentored since my first job and it helps me get so much out of this industry,” he says.
    Read says good mentoring sometimes involves recognising that people can learn from other people in other businesses, too – even when they’re one of your best workers.
    One of his staff left recently after working with Noble for two and a half years. Read describes the worker, who was a good fit for the IT department, as “skilled and talented”. However, after helping the professional develop, Read knew it was time for him to move on.
    “I knew he’d be better off outside of this company because we don’t provide the right challenges for his skillset. I’ve just recently helped him find the next big role, and that’s from my industry contacts. It’s all about finding the right place for the right people – we can all do the job, but you want to be able to grow and expand,” he says.
    Read says it’s worth remembering that cybersecurity is quite a small industry. Individuals are likely to cross paths again, whether it’s at an industry event or in another workplace. Mentoring people and then staying in touch helps managers and their staff.
    “I still talk to people I first met in the industry 20 years ago. Some of them I deeply respect and will continue to do so because they’re furthering the industry. I try to emulate that, too. Cybersecurity is such a collaborative industry,” he says.

  •

    Ticketmaster fined $10 million after staff hacked competitor to ‘choke off’ presale ticket business

    Ticketmaster has been fined $10 million after staff admitted to hacking into a rival firm’s systems in order to “choke off” their presale ticket business.

    Last week, the US Department of Justice (DoJ) said employees of Ticketmaster, a subsidiary of Live Nation Entertainment, “repeatedly” infiltrated the computers of a rival presale tickets seller. 
    Ticketmaster offers a platform for purchasing tickets for events including concerts, attractions, and sports.
    According to court documents (.PDF) filed in the US Eastern District Court of New York, a former employee of the victim firm — believed to be Songkick, which maintained a presence in both the UK and New York — left their post in 2012 to join Live Nation. 
    Despite signing a confidentiality agreement before starting the new job, this individual became central to a scheme designed to disrupt the competitor’s business operations. 
    The DoJ says that after joining Live Nation in 2013, the co-conspirator shared confidential information with Ticketmaster employees including the former head of the Artist Services division, Zeeshan Zaidi. 
    Ticketmaster’s rival offered presale tickets before they were made available to the general public and created a password-protected app for artists to track their ticket sales, known as Toolboxes. 

    The co-conspirator shared draft web pages built for artists, confidential URLs, financial documents, and sets of credentials for existing Toolbox accounts. In 2014, they warned Zaidi to be careful about snooping around in these systems, but also urged them to “screengrab the hell out of [it].”
    By accessing Toolboxes and grabbing ticket sales data, Ticketmaster would then be able to benchmark its own performance against the rival and use this information in sales pitches. 
    One of the overall goals was to “steal back one of [the victim company]’s signature clients,” US prosecutors said, and if successful, this would “choke off” the Ticketmaster rival, “cut[ting] them off at the knees.” 
    In a move deemed “brazen” by the DoJ, a summit for Live Nation and Ticketmaster employees was held in San Francisco in the same year. A senior executive of Live Nation asked Zaidi and others to prepare a presentation comparing Ticketmaster presales to the rival’s Toolboxes, and the team obliged — by once again using the stolen passwords, in public. 
    The unnamed conspirator was promoted and given a raise the following year. Ticketmaster employees continued to lurk in Toolboxes and maintained a spreadsheet of all account URLs until the end of 2015.
    While the rival company became defunct in 2017, prosecutors were made aware of the scheme after Songkick launched an antitrust lawsuit against Live Nation in 2015. Live Nation settled the lawsuit and eventually acquired Songkick’s technological assets.  
    Employees involved in the scheme were fired. US prosecutors filed five criminal counts against Ticketmaster, including wire fraud and conspiring to commit computer intrusion. In a separate but related case, Zaidi pled guilty to conspiring to commit computer intrusions and wire fraud. 
    In order to resolve the case, Ticketmaster will pay a criminal penalty of $10 million and has agreed to submit to a three-year deferred prosecution agreement including the creation of a new compliance and ethics program. The ticket seller must also report to the United States Attorney’s Office annually until the agreement expires. 
    Ticketmaster said, “we are pleased that this matter is now resolved.”
    “Ticketmaster employees repeatedly — and illegally — accessed a competitor’s computers without authorization using stolen passwords to unlawfully collect business intelligence,” commented Acting US Attorney Seth DuCharme. “Today’s resolution demonstrates that any company that obtains a competitor’s confidential information for commercial advantage, without authority or permission, should expect to be held accountable in federal court.”

  •

    T-Mobile discloses its fourth data breach in three years

    US telecommunications provider T-Mobile disclosed a security breach last week, its fourth data breach in the past three years, after incidents in August 2018, November 2019, and March 2020.
    “Our Cybersecurity team recently discovered and shut down malicious, unauthorized access to some information related to your T-Mobile account,” the company said in letters sent to customers, obtained by ZDNet, and on a page on its official website.
    T-Mobile said it investigated the incident with the help of cybersecurity experts.
    The investigation found that hackers accessed customer details such as phone numbers, the number of lines subscribed to an account, and, in some cases, call-related information, which T-Mobile said it collected as part of the normal operation of its wireless service.
    “The data accessed did not include names on the account, physical or email addresses, financial data, credit card information, social security numbers, tax ID, passwords, or PINs,” the company said.
    Since no personal or financial information was exposed, T-Mobile is not providing free credit monitoring services, but only notifying customers, per US state laws.

    A T-Mobile spokesperson said the breach only impacted 0.2% of the company’s total userbase, which puts the number at around 200,000.

    The security breach does not look as bad as the company’s previous security breaches, primarily due to the smaller number of affected customers and the less sensitive nature of the exposed data.
    These previous breaches included a March 2020 incident (when T-Mobile said hackers gained access to both its employees and customers data, including employee email accounts), a November 2019 incident (when T-Mobile said it “discovered and shut down” unauthorized access to the personal data of its customers), and an August 2018 incident (when T-Mobile said hackers gained access to the personal details of 2 million of its customers).
    Before it merged with T-Mobile in 2020, Sprint also disclosed two security breaches in 2019, one in May and a second in July.

  •

    China accuses US of breaching market rules in NYSE delisting

    China has described the US government’s order to delist three Chinese telcos from the New York Stock Exchange (NYSE) as politically motivated and in breach of market rules. It urged the US to respect the rule of law and safeguard the “order of global financial market”. 
    Outgoing US President Donald Trump had issued an executive order last November prohibiting any trading and investment activities involving companies previously deemed to be Communist Chinese military companies by the US Department of Defense. Trump’s order would ban trading in any new companies 60 days after the US placed such a label on them.
    Slated to begin on January 11, the ban would impact three NYSE-listed companies, namely, China Telecom, China Mobile, and China Unicom Hong Kong. 


    In response, the China Securities Regulatory Commission said Sunday the delisting of the Chinese telcos “disregarded” the “legitimate rights” of global investors and “severely disrupted” market order. 
    Citing a spokesperson from the commission, state-run media agency China Daily reported that the three Chinese companies had secured American Depositary Receipts and had been listed on the NYSE for almost or more than 20 years. The telcos also had complied with the rules and regulations in accordance with the US securities market. 
    The China Securities Regulatory Commission spokesperson added that the delisting was politically charged and in serious breach of market rules and order. He said some US politicians had made attempts to suppress US-listed foreign companies at the “cost of damaging” the global standing of the US capital market, describing these moves as random, arbitrary, and “unwise”.
    The spokesperson noted, however, that the delisting would have “very limited impact” on the operations and development of the three Chinese telcos, given the companies’ large user base, established operations, influence on the global telecommunications industry, and small volume of American Depositary Receipts in their total shares. 

    He added that the commission would support the three companies in safeguarding their rights and interests. “We hope the US sides will respect the market and the rule of law and do more to protect the order of the global financial market, safeguard investors’ lawful rights and interests, and promote the steady development of the world economy,” the spokesperson said.
    An official of the China Banking and Insurance Regulatory Commission also urged a stabilising of relations between China and the US, which would serve the “fundamental interests” of both parties as well as meet the expectations of the international community.
    It said: “We hope the US government will meet China halfway, uphold the spirit of non-conflict, non-confrontation, mutual respect, and win-win cooperation, promote the healthy development of the China-US relationship, and maintain international financial market stability together with us.”

  •

    NYSE to remove trio of Chinese telcos as Trump order enters into force

    The New York Stock Exchange will delist a trio of Chinese telcos as a November executive order from US President Donald Trump enters force on January 11.
    The three listed companies hit by the change are China Telecom, China Mobile, and China Unicom Hong Kong.
    “The order prohibits, beginning 9:30 am eastern standard time on January 11, 2021, any transaction in publicly traded securities, or any securities that are derivative of, or are designed to provide investment exposure to such securities, of any Communist Chinese military company, by any United States person,” the NYSE said in a statement.
    Signed on 12 November 2020, the executive order forbids trading and investing in any of the companies previously deemed to be Communist Chinese military companies by the US Department of Defense, and bans trading in any new companies 60 days after the US places such a label on them.
    Besides the three telcos, other large Chinese companies on the list include Huawei, Hikvision, Inspur, Panda Electronics, and Semiconductor Manufacturing International Corporation.
    In the executive order, Trump said the People’s Republic of China (PRC) was “exploiting United States capital” to boost and update its military, which allows Beijing to threaten the US and its overseas forces, as well as develop “advanced conventional weapons, and malicious cyber-enabled actions against the United States and its people”.
    “Through the national strategy of Military-Civil Fusion, the PRC increases the size of the country’s military-industrial complex by compelling civilian Chinese companies to support its military and intelligence activities,” Trump said.

    “Those companies, though remaining ostensibly private and civilian, directly support the PRC’s military, intelligence, and security apparatuses and aid in their development and modernisation.”
    Trump also said the PRC “exploits United States investors” to finance its military.
    “At the same time, those companies raise capital by selling securities to United States investors that trade on public exchanges both here and abroad, lobbying United States index providers and funds to include these securities in market offerings, and engaging in other acts to ensure access to United States capital,” he said.
    “To protect the United States homeland and the American people, I hereby declare a national emergency with respect to this threat.”
    The winner of the 2020 US presidential election, Joe Biden, is due to be sworn in on January 20.

  •

    Backdoor account discovered in more than 100,000 Zyxel firewalls, VPN gateways

    More than 100,000 Zyxel firewalls, VPN gateways, and access point controllers contain a hardcoded admin-level backdoor account that can grant attackers root access to devices via either the SSH interface or the web administration panel.

    The backdoor account, discovered by a team of Dutch security researchers from Eye Control, is considered as bad as it gets in terms of vulnerabilities.
    Device owners are advised to update systems as soon as time permits.
    Security experts warn that anyone ranging from DDoS botnet operators to state-sponsored hacking groups and ransomware gangs could abuse this backdoor account to access vulnerable devices and pivot to internal networks for additional attacks.
    Affected models include many enterprise-grade devices
    Affected models include many of Zyxel’s top products from its line of business-grade devices, usually deployed across private enterprise and government networks.
    This includes Zyxel product lines such as:
    the Advanced Threat Protection (ATP) series – used primarily as a firewall
    the Unified Security Gateway (USG) series – used as a hybrid firewall and VPN gateway
    the USG FLEX series – used as a hybrid firewall and VPN gateway
    the VPN series – used as a VPN gateway
    the NXC series – used as a WLAN access point controller
    Many of these devices are used at the edge of a company’s network and, once compromised, allow attackers to pivot and launch further attacks against internal hosts.

    Patches are currently available only for the ATP, USG, USG Flex, and VPN series. Patches for the NXC series are expected in April 2021, according to a Zyxel security advisory.

    Backdoor account was easy to discover
    Installing patches removes the backdoor account, which, according to Eye Control researchers, uses the “zyfwp” username and the “PrOw!aN_fXp” password.
    “The plaintext password was visible in one of the binaries on the system,” the Dutch researchers said in a report published before the Christmas 2020 holiday.
    Researchers said the account had root access to the device because it was being used to install firmware updates to other interconnected Zyxel devices via FTP.
    Zyxel should have learned from the 2016 backdoor incident
    In an interview with ZDNet this week, IoT security researcher Ankit Anubhav said that Zyxel should have learned its lesson from a previous incident that took place in 2016.
    Under CVE-2016-10401, Zyxel devices released at the time were found to contain a secret backdoor mechanism that allowed anyone to elevate any account on a Zyxel device to root level using the “zyad5001” SU (super-user) password.
    “It was surprising to see yet another hardcoded credential specially since Zyxel is well aware that the last time this happened, it was abused by several botnets,” Anubhav told ZDNet.
    “CVE-2016-10401 is still in the arsenal of most password attack based IoT botnets,” the researcher said.
    But this time around, things are worse with CVE-2020-29583, the CVE identifier for the 2020 backdoor account.
    Anubhav told ZDNet that while the 2016 backdoor mechanism required that attackers first have access to a low-privileged account on a Zyxel device — so they can elevate it to root —, the 2020 backdoor is worse as it can grant attackers direct access to the device without any special conditions.
    “In addition, unlike the previous exploit, which was used in Telnet only, this needs even lesser expertise as one can directly try the credentials on the panel hosted on port 443,” Anubhav said.
    Furthermore, Anubhav points out that the affected systems are far more varied this time, compared to the 2016 backdoor issue, which only impacted home routers.
    Attackers now have access to a wider spectrum of victims, most of which are corporate targets, as the vulnerable devices are primarily marketed to companies as a way to control who can access intranets and internal networks from remote locations.
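The defensive counterpart to the account described above is to watch for it in authentication logs: the backdoor username is public, so any login attempt with it, over SSH or the web panel, is worth an alert whether it succeeded or not. The following is an added example written for this page, not code from Eye Control, Zyxel or ZDNet. The key=value log format, the hostname and the addresses are constructed for the example and do not represent Zyxel’s real syslog layout; only the username comes from the report. Detection needs no knowledge of the password.

```python
import re
from dataclasses import dataclass

# Username of the hardcoded account reported by Eye Control (CVE-2020-29583).
BACKDOOR_USER = "zyfwp"

# Constructed, simplified authentication-log lines. This key=value format is an
# assumption made for the example and is not Zyxel's real syslog layout.
SAMPLE_LOG = """\
2020-12-29T08:02:11Z usg1 auth: user=admin src=10.0.5.20 service=https result=success
2020-12-29T08:05:43Z usg1 auth: user=zyfwp src=203.0.113.77 service=ssh result=success
2020-12-29T08:06:02Z usg1 auth: user=zyfwp src=203.0.113.77 service=https result=success
2020-12-29T09:14:27Z usg1 auth: user=jsmith src=10.0.5.31 service=https result=failed
2020-12-29T09:40:10Z usg1 auth: user=zyfwp src=198.51.100.9 service=https result=failed
this line is malformed and must be skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) src=(?P<src>\S+) "
    r"service=(?P<service>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: str
    host: str
    user: str
    src: str
    service: str
    result: str


def parse_log(text):
    """Parse the constructed log format; lines that do not match are dropped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            events.append(AuthEvent(**match.groupdict()))
    return events


def find_backdoor_use(events, user=BACKDOOR_USER):
    """Every authentication attempt against the backdoor account, successful or not.
    Failed attempts matter too: they show the public credential being tried."""
    return [e for e in events if e.user == user]


def summarize(hits):
    """Condense the hits into what an analyst needs for triage."""
    return {
        "attempts": len(hits),
        "successes": sum(1 for e in hits if e.result == "success"),
        "sources": sorted({e.src for e in hits}),
        "services": sorted({e.service for e in hits}),
        "hosts": sorted({e.host for e in hits}),
    }


def triage(text):
    """Parse a log, pull out backdoor-account activity and summarize it."""
    return summarize(find_backdoor_use(parse_log(text)))


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    if report["attempts"]:
        print(f"ALERT: {report['attempts']} login attempt(s) by '{BACKDOOR_USER}' "
              f"({report['successes']} successful) from {report['sources']} "
              f"over {report['services']} on {report['hosts']}")
    else:
        print("no use of the backdoor account found")
```

On the constructed sample this reports three attempts by the backdoor account, two of them successful, from two external addresses over both SSH and HTTPS. The same structure applies to the 2016 account if its username is added to the watch list; a successful hit is the signal to treat the device as compromised and patch, not merely to block the source address.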
    A new wave of ransomware and espionage?
    This is a big deal in the bigger picture because vulnerabilities in firewalls and VPN gateways have been one of the primary sources of ransomware attacks and cyber-espionage operations in 2019 and 2020.
    Security flaws in Pulse Secure, Fortinet, Citrix, MobileIron, and Cisco devices have often been exploited to attack companies and government networks.
    The new Zyxel backdoor could expose a whole new set of companies and government agencies to the same type of attacks that we’ve seen over the past two years.

  •

    How to not lose your cables, chargers, and other gadgets when working out and about

    This time last year, I spent a lot of time working on the move, and that’s meant that sometimes I had to set up a temporary “office” at a café or restaurant. But the more gear you have out, the greater the chances of losing something (or, as I think of it, “donating” it). 
    Here’s how I managed to keep the gear I started out with.
    Have a place for everything, and keep everything in its place
    I owe this one to my grandfather. “Have a place for everything, and keep everything in its place,” he used to say (he said it in Welsh, but the sentiment was the same).
    Having a good method of carrying my stuff works for me. Pockets are always a compromise.
    I tend to pack my gear into a Maxpedition sling pack, which holds my MacBook Pro, charger, and other bits. I also have a Maxpedition Wolfspur bag for shorter trips, which easily consumes an iPad Pro, charger and cables, with plenty of room for sandwiches, a water bottle, and other bits and pieces.

    My hard working, hard wearing Maxpedition Kodiak Gearslinger sling pack
    Make it a habit to check pockets and pouches

    I have a habit of unconsciously patting down my pockets every so often, checking to see that I still have everything I expect to have — smartphone, wallet, pen, multitool. It’s a good habit to get into, not in an obsessive way, but occasionally, when getting up from a seat or moving on public transport or about a busy place.
    Keep zips and clasps on bags shut
    It’s incredible the number of people I see walking along with their backpack or messenger bag half-open (I saw it just a few moments ago — a guy’s backpack was open, and his iPad was hanging out, ready to fall out, or be stolen). Again, make it a habit to check zips and clasps on your bags.
    Use tech to keep your tech safe
    Have “Find my” active on your iOS and Android devices. It’s one of those things that you’ll thank yourself for if you lose something. 
    I’ve also been using Tile tags a lot lately, and they’ve been constant companions around Europe, keeping an eye on my wallet, backpack, and luggage. The hardware and software have performed flawlessly, and I highly recommend the gear.

    A Tile Slim tirelessly keeping an eye on my wallet as I travel

    Make your gear distinctive!
    I’ve found that one of the best ways to not lose stuff is to make it distinctive. Not only is it harder to inadvertently leave something behind that stands out, but it also makes it less likely that someone else will take a fancy to it. I find that distinctive Velcro patches on bags (glue them on if you don’t want someone ripping them off), and reflective tape on bags, chargers and even cables (the marine-grade SOLAS tape will survive years of hard use, and clings to most surfaces), pay for themselves.
    For night time, I’ve found the TEC Accessories Embrite Velcro patch to be very useful for keeping track of my bag (also a handy visual so I don’t trip over it or tread on it!).
    My charging cables are also pretty distinctive — I like bright red Amazon Basics cables!
    My stuff might look goofy, but it’s my stuff, I am out of hoots to give about what other people think, and this seems like an effective way to keep my stuff as mine.

  •

    SolarWinds hackers accessed Microsoft source code

    The hackers behind the SolarWinds supply chain attack managed to escalate access inside Microsoft’s internal network and gain access to a small number of internal accounts, which they used to access Microsoft source code repositories, the company said on Thursday.

    The OS maker said the hackers did not make any changes to the repositories they accessed because the compromised accounts only had permission to view the code but not alter it.
    The news comes as an update to the company’s internal investigation into the SolarWinds incident, posted today on its blog.
    Microsoft emphasized that despite viewing some source code, the threat actors did not escalate the attack to reach production systems, customer data, or use Microsoft products to attack Microsoft customers.
    The Redmond-based company said its investigation is still ongoing.
    Microsoft previously admitted on December 17 that it had used SolarWinds Orion, an IT monitoring platform, inside its internal network.
    Days earlier, news broke that hackers breached IT software maker SolarWinds and inserted malware inside updates for the Orion platform. The malware was then used to gain an initial foothold on the internal networks of private companies and government agencies across the world.

    Microsoft was one of the thousands of companies [1, 2, 3] that discovered evidence of malware on their networks, planted via tainted Orion updates.
    Microsoft downplays incident
    The OS maker downplayed today the fact that hackers viewed its internal source code repositories, claiming this was no big deal.
    “At Microsoft, we have an inner source approach – the use of open source software development best practices and an open source-like culture – to making source code viewable within Microsoft,” the company said.
    “This means we do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code. So viewing source code isn’t tied to elevation of risk,” it added.
    Microsoft made this approach to source code secrecy clear in previous years after the source code of several Microsoft products leaked online — such as Windows 10, Windows XP, Windows 2000, Windows Server 2013, Windows NT, and Xbox.