More stories


    SolarWinds: The more we learn, the worse it looks

    In March of 2020, Americans began to realize that the coronavirus was deadly and going to be a real problem. What no Americans knew then was that at about the same time, the Russian government’s hack of SolarWinds’ proprietary Orion network monitoring software was destroying the security of top American government agencies and tech companies. There were no explosions, no deaths, but it was the Pearl Harbor of American IT.


    Russia, we now know, used SolarWinds’ hacked program to infiltrate at least 18,000 government and private networks. The data within these networks, user IDs, passwords, financial records, source code, you name it, can be presumed now to be in the hands of Russian intelligence agents.
    The Russians may even have the crown jewels of Microsoft’s software stack: Windows and Office. In a twist that would be hilarious if it weren’t so serious, Microsoft claims it’s no big deal.
    That’s because Microsoft has “an inner-source approach – the use of open-source software development best practices and an open-source-like culture – to make source code viewable within Microsoft.” It’s nice that Microsoft is admitting that the open-source approach is the right one for security — something I and other open-source advocates have been saying for decades. But inner source isn’t the same thing as open source.
    When hackers, not Microsoft developers, have access to proprietary code, the door’s open for attacks. True, Microsoft’s “threat models assume that attackers have knowledge of source code. So viewing source code isn’t tied to elevation of risk.” But, making that assumption is one thing. Dealing with reality is something else. 
    For decades, one of proprietary software’s stupid assumptions has been that “security by obscurity” works. While it can help — no, really, it can if used intelligently — that’s not the case with proprietary code. Even with the best will in the world, I doubt that Microsoft has really undertaken the hard security code review needed to lock down its proprietary code. The almost weekly revelations of new Microsoft security holes and mishaps don’t make me feel warm and fuzzy about the security of its software.
    While President Donald Trump has completely ignored the actions of Russian President Vladimir Putin’s government, America’s Cybersecurity and Infrastructure Security Agency (CISA) said the hacks posed a “grave risk” to US governments at all levels.

    Worse was revealed. Over the Christmas season holidays, CISA said that all US government agencies must update to Orion’s 2020.2.1HF2 version by the end of the year. If they can’t, they must take these systems offline.
    Why? Because yet another SolarWinds Orion vulnerability was being used to install the Supernova and CosmicGale malware. This security hole, CVE-2020-10148, is an authentication bypass in the Orion API that allows attackers to execute remote code on Orion installations. I have an even better idea than updating Orion. Dump Orion. Dump it now. And start an investigation of SolarWinds’ mediocre security record.
    As time goes by more and more government agencies and companies have been shown to have been hacked. This includes the Department of State; Department of Homeland Security; National Institutes of Health; the Pentagon; Department of the Treasury; Department of Commerce; and the Department of Energy, including the National Nuclear Security Administration. 
    Everyone claims that nothing too important has been revealed, but then, they would say that, wouldn’t they? 
    Sen. Mark Warner (D-Virginia), ranking member on the Senate Intelligence Committee, told the New York Times the hack looked “much, much worse” than first feared. “The size of it keeps expanding.” 
    How much bigger will it get? We don’t know. Personally, I’d assume that if my company had been using SolarWinds Orion software during 2020, I’ve been hacked.
    It didn’t come with bombs like the attack on Pearl Harbor, but this attack on our national agencies and American Fortune 500 companies may prove to be even more damaging to our national security and our business prosperity. Now, we’ll see if American developers, system administrators, and managers can rise to the occasion to rebuild their systems the way their grandparents did in the 1940s. 


    Malware uses WiFi BSSID for victim identification

    Malware operators who want to know the location of the victims they infect usually rely on a simple technique where they grab the victim’s IP address and check it against an IP-to-geo database like MaxMind’s GeoIP to get a victim’s approximate geographical location.

    While the technique isn’t very accurate, it is still the most reliable method of determining a user’s actual physical location based on data found on their computer.
    However, in a blog post last month, Xavier Mertens, a security researcher with the SANS Internet Storm Center, said he discovered a new malware strain that is using a second technique on top of the first.
    This second technique relies on grabbing the infected user’s BSSID.
    Known as a “Basic Service Set Identifier,” the BSSID is basically the MAC physical address of the wireless router or access point the user is using to connect via WiFi.
    You can see the BSSID on Windows systems by running the command:
    netsh wlan show interfaces | find “BSSID”

    Mertens said the malware he discovered was collecting the BSSID and then checking it against a free BSSID-to-geo database maintained by Alexander Mylnikov.
    This database is a collection of known BSSIDs and the last geographical location they’ve been spotted at.
    These types of databases are quite common these days and are usually used by mobile app operators as alternative ways to track users when they can’t get access to a phone’s location data directly (i.e., see WiGLE, one of the most popular services used for these types of BSSID-to-geo conversions).
    Checking the BSSID against Mylnikov’s database would allow the malware to determine the physical location of the WiFi access point the victim was using to access the internet, which is a far more accurate way of discovering a victim’s geographical position.
    Using both methods together allows malware operators to confirm, with the second BSSID-based method, that the initial IP-based geolocation result is correct.
    Malware operators usually check a victim’s location because some groups want to target victims only inside specific countries (such as state-sponsored operations) or they don’t want to infect victims in their native country (in order to avoid drawing the attention of local law enforcement and avoiding prosecution).
    However, IP-to-geo databases are known for their wildly inaccurate results, as telcos and data centers tend to acquire or rent IP address blocks on the free market. This results in some IP blocks being assigned to organizations in regions of the globe different from their initial/actual owner.
    Using a second method to double-check a victim’s geographical location isn’t widely adopted today, but the technique has clear benefits that other malware operations will surely appreciate and decide to use in the future as well.
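    From a defender’s side, the observable artefact of this technique is an outbound web request that carries the local access point’s MAC address as a query parameter. The following is an added example, not code from the article or from the malware it describes: it scans constructed proxy log lines (client, process, method, URL; the format and the lookup hostname are assumptions) for lookup-style requests whose query string contains a BSSID/MAC-shaped value. Hits still need triage, since legitimate apps query BSSID-to-geo services too.

```python
import re
from typing import Dict, List, Optional

# Constructed sample proxy log (not from the article). Columns:
# client IP, originating process, HTTP method, URL.
SAMPLE_PROXY_LOG = """\
10.0.0.12 chrome.exe GET https://news.example.com/latest
10.0.0.12 updater.exe GET https://geo-lookup.invalid/api?bssid=00:11:22:33:44:55
10.0.0.40 svchost.exe GET https://geo-lookup.invalid/api?mac=0011.2233.4455&v=1
10.0.0.40 chrome.exe GET https://maps.example.com/?q=cafe
"""

# MAC address in colon/hyphen form (00:11:22:33:44:55) or Cisco dotted form (0011.2233.4455).
MAC_RE = re.compile(
    r"(?i)(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}|(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}"
)
# Query parameter names commonly used to carry an access point identifier.
PARAM_RE = re.compile(r"(?i)[?&](bssid|mac)=")


def extract_bssid(url: str) -> Optional[str]:
    """Return the MAC-shaped value from a URL's query string, if one is present."""
    query = url.partition("?")[2]
    m = MAC_RE.search(query)
    return m.group(0) if m else None


def find_bssid_lookups(log_text: str) -> List[Dict[str, str]]:
    """Flag log lines where a process sent a request carrying a BSSID/MAC
    in a bssid= or mac= parameter. Returns one dict per suspicious line."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crashing the scan
        client, process, _method, url = parts
        if not PARAM_RE.search(url):
            continue
        bssid = extract_bssid(url)
        if bssid is None:
            continue
        hits.append({"client": client, "process": process, "bssid": bssid, "url": url})
    return hits


if __name__ == "__main__":
    for hit in find_bssid_lookups(SAMPLE_PROXY_LOG):
        print(f"{hit['client']} {hit['process']} sent BSSID {hit['bssid']} to {hit['url']}")
```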


    Singapore police can access COVID-19 contact tracing data for criminal investigations

    Singapore has confirmed its law enforcers will be able to access the country’s COVID-19 contact tracing data to aid in their criminal investigations. To date, more than 4.2 million residents or 78% of the local population have adopted the TraceTogether contact tracing app and wearable token, which is one of the world’s highest penetration rates.
    This figure is double that of the adoption rate just three months ago in September, when TraceTogether had clocked 2.4 million downloads or about 40% of the population. A recent spike likely was fuelled by the government’s announcement that use of the app or token would be mandatory for entry into public venues in early-2021, when it was able to distribute the token to anyone who wanted one. 
    Introduced last March, TraceTogether taps Bluetooth signals to detect other participating mobile devices — within 2 metres of each other for more than 30 minutes — to allow them to identify those who have been in close contact when needed.

    In its efforts to ease privacy concerns, the Singapore government had stressed repeatedly that COVID-19 data would “never be accessed unless the user tests positive” for the virus and was contacted by the contact tracing team. Personal data such as unique identification number and mobile number also would be substituted by a random permanent ID and stored on a secured server. 
    Minister-in-Charge of the Smart Nation Initiative and Minister for Foreign Affairs, Vivian Balakrishnan, also had insisted the TraceTogether token was not a tracking device since it did not contain a GPS chip and could not connect to the internet. 
    He further noted that all TraceTogether data would be encrypted and stored for up to 25 days, after which it would be automatically deleted, adding that the information would be uploaded to the Health Ministry only when an individual tested positive for COVID-19, and that this could be carried out only by physically handing over the wearable device to the ministry.
    In addition, “only a very limited, restricted team of contact tracers” would have access to the data, the minister had said, noting that this was necessary to reconstruct the activity map of the COVID-19 patient. All public sector data protection rules would apply to the data held by the Health Ministry, he added, including abiding by the recommendations of the Public Sector Data Security Review Committee.

    However, the Singapore government now has confirmed local law enforcement will be able to access the data for criminal investigations. Under the Criminal Procedure Code, the Singapore Police Force can obtain any data and this includes TraceTogether data, according to Minister of State for Home Affairs, Desmond Tan. He was responding to a question posed during parliament Monday on whether the TraceTogether data would be used for criminal probes and the safeguards governing the use of such data.
    Tan said the Singapore government was the “custodian” of the contact tracing data and “stringent measures” had been established to safeguard the personal data. “Examples of these measures include only allowing authorised officers to access the data, using such data only for authorised purposes, and storing the data on a secured data platform,” he said.
    He added that public officers who knowingly disclose the data without authorisation or misuse the data may be fined up to SG$5,000 or jailed up to two years, or both. 
    Asked if police use of the data violated the TraceTogether privacy pledge, Tan said: “We do not preclude the use of TraceTogether data in circumstances where citizens’ safety and security is or has been affected, and this applies to all other data as well.”
    He noted that “authorised police officers” may invoke the Criminal Procedure Code to access TraceTogether data for such purposes as well as for criminal investigation, but this data would, otherwise, be used only for contact tracing and to combat the spread of COVID-19.
    The Singapore police, in fact, had played a key role since February in assisting the Health Ministry in identifying and locating individuals who had been in close contact with COVID-19 patients. Law officers would conduct ground enquiries and review CCTV footage to establish the location and movement of these individuals. 
    Strong demand for TraceTogether token a surprise
    During parliament Monday, Education Minister Lawrence Wong said the TraceTogether platform would continue to play an integral role in Singapore’s efforts to contain the spread of COVID-19, slashing what used to take two days down to hours in contact tracing.

    The minister, who co-chairs the multi-ministry COVID-19 task force, said some SG$10 million had been spent on developing TraceTogether and SafeEntry, with costs optimised by the use of off-the-shelf components to minimise manufacturing complexities. This, however, had led to tokens that were not rechargeable. The wearables currently had a battery lifespan of between six and nine months.
    Amongst the 4.2 million participants of TraceTogether, some 2 million use the app on their smartphones. According to Tan, the government had not expected the strong demand for the token, given the accessibility of the mobile app. This had resulted in delays in the manufacturing and distribution of the wearable device. 
    Such issues would be addressed soon as the government looked to build up inventory and resume distribution of the token at community centres where it was currently halted, he added.
    The mandatory use of TraceTogether would be rolled out once everyone who wanted a token had a chance to connect one, Wong said.
    According to ProPrivacy’s digital privacy and VPN expert Ray Walsh, however, the fact that the police could access the data should serve as a reminder of why centralised systems are harmful to personal privacy.
    In a statement released in response to the news, Walsh said: “As suspected, location information collected in the centralised database for the purposes of preventing the spread of the virus can also be leveraged by Singaporean police — thanks to existing legislation. This means citizens’ location data is being stored in such a way that is extremely damaging to their privacy, their freedom of movement, and their right to free association.
    “This is extremely concerning considering that the government is planning to make the use of the TraceTogether app mandatory for all citizens,” he said. “Test and trace systems forced on the general public for the purposes of preventing the spread of the pandemic have no right being used to create an extensive surveillance network, and it is extremely unnerving to see a soon-to-be mandatory app being exploited in this way.”
    Balakrishnan, though, previously noted that TraceTogether data was not stored on a centralised database, but was “decentralised and encrypted on phones and devices”. This data would only be uploaded when the individual tested positive for COVID-19, the Singapore minister had said.
    Similar concerns about police access to contact tracing data in the UK had prompted the country’s Department for Health and Social Care to say neither the police nor the government would receive any data from its contact tracing app.
    In a tweet last October, the UK National Health Service said user data of its COVID-19 app was anonymous and the app could not be used to track users’ location, for law enforcement, or to monitor self-isolation and social distancing. The contact tracing app then had clocked more than 18 million downloads since its launch in September.
    Singapore’s TraceTogether app was updated last June to include the registration of passport numbers of foreign visitors, as it reopened its borders. 
    During parliament, Wong had encouraged residents to download the TraceTogether app — rather than use the token — since the former would be updated with new features.


    Be warned: COVID-19 vaccine scams are now appearing online, over text, and by email

    2020 was a year many of us would like to forget, and as 2021 entered with little of the fanfare usually associated with New Year’s Eve celebrations, the challenge of the COVID-19 pandemic, still, is far from over. 


    Despite surging infection rates worldwide and fresh outbreaks, however, there is hope that vaccines recently approved in some countries, such as the Oxford/AstraZeneca and Pfizer-BioNTech variants, will begin to turn the tide. 
    While we wait with impatience to have our pre-COVID-19 lives and ‘normality’ restored, our place in the vaccine queue depends on a number of factors that vary from country to country: for example, the UK has chosen to vaccinate the highest-risk groups, first, such as the elderly, alongside frontline healthcare workers. 
    In Britain, the situation could be best described as confused; letters have been sent to some individuals — but not all in each “group” — informing them that they will be told when their place in the queue comes up, and some appointments for second doses have been canceled in order to provide first-dose protection to as many individuals as possible. 
    There is now a rising sense of urgency due to the new COVID-19 variant that appears to be more easily transmitted. Mass vaccination is no easy task, especially when two separate doses are required — and when you combine millions of people desperately waiting for news and confusion in how vaccine programs are being operated, this becomes a situation that cybercriminals can exploit. 
    Over the past few weeks, scammers and other threat actors have launched their own programs: not for public health, but to steal personal information, conduct identity theft, scam victims, and all with the potential for criminal financial gain. 
    In December, Interpol warned that law enforcement should be prepared to deal with COVID-19-related scams and cybercrime over the coming months. 

    “Criminal networks will also be targeting unsuspecting members of the public via fake websites and false cures, which could pose a significant risk to their health, even their lives,” commented Jürgen Stock, Interpol Secretary-General. “It is essential that law enforcement is as prepared as possible for what will be an onslaught of all types of criminal activity linked to the COVID-19 vaccine, which is why Interpol has issued this global warning.”
    Only four weeks after this alert was issued, Interpol’s scenarios have already come to pass, with both the general public and vaccine supply chains as top targets. 
    What scams are out there?
    Fake products
    The worst is fake vaccines being offered for sale online, which could have a severe detrimental impact on buyer health. Check Point researchers found “coronavirus vaccines” and “coronavirus remedies” for sale through forum posts connected to the Dark Web. Vendors claiming to have access to unspecified COVID-19 vaccines are requesting up to $300 in cryptocurrency. 
    Check Point has also recorded thousands of new website domains recently registered with phrases including “vaccine” and “corona”. In a related study, Interpol found that out of a sample of 3,000 websites appearing to be selling dubious medicines and medical devices, roughly 1,700 contained threats including phishing code and malware.
    Phishing emails
    Sending out fraudulent emails can be performed automatically and with very little effort on the part of cyberattackers and fraudsters. Coronavirus-related phishing emails were in high circulation over 2020 and show no signs of stopping — except, now, some campaigns have pivoted to vaccines as their subject. 
    In some cases, fraudsters will ask recipients to go to a website and fill out a form to secure their place in a ‘vaccine queue.’ Information including names, addresses, Social Security numbers, dates of birth, and potentially medical data may be requested — all of which is Personally Identifiable Information (PII) that could be used to further more elaborate scams and social engineering attacks. 
    It is also possible that cybercriminals will ask for payment to ‘register’ with fake vaccine programs.
    The Centers for Disease Control and Prevention (CDC) and the World Health Organization (WHO) are now commonly impersonated in phishing emails. You may expect fraudsters to now also impersonate local medical providers and government entities.
    Malvertising 
    If you see any advertisements online related to the COVID-19 outbreak or vaccine that do not come from official sources — such as healthcare providers, government domains, or hubs such as Facebook’s COVID-19 Help Center, which only provides data from official sources — you should ignore them outright.
    Adverts like this may lead you to fraudulent websites in order to steal PII, financial data, or deploy malware on your PC. 

    At present, vaccines are not being offered privately. Simply put, you cannot purchase a COVID-19 vaccine online in the same way that you can book a flu jab, and any advert or message telling you otherwise is fraudulent. 
    Text messages
    COVID-19-related fraudulent texts have begun making the rounds, with messages claiming that government officials require you to take an “online coronavirus test,” as reported by the Better Business Bureau. Government officials are also being impersonated, and in some samples, criminals are also trying to hook victims by sending SMS messages related to stimulus checks and IRS/tax payments. 
    In the UK, the National Cyber Security Centre (NCSC) has warned (.PDF) of four main SMS scams: 
    Fake government URLs that must be visited to claim coronavirus-related payments
    Lockdown fine notices for breaching stay-at-home rules
    Offers of health supplements to protect you against COVID-19
    Financial support offers that appear to be from your bank
    An SMS-based scam is also in circulation in which messages claim to be from the UK National Health Service (NHS). Recipients are told they have been identified as “eligible to apply for [a] vaccine,” and a link then leads victims to a convincing, but fake, NHS website requesting sensitive personal information.
    Over the phone
    While, perhaps, not as common, some scam artists are cold calling victims directly. In recent cases, the COVID-19 vaccine has been offered by fraudsters over the phone, in which victims are asked to press a number on their keypad to confirm that they wish to have a vaccine — or bank details are asked for directly. 
    Information such as telephone numbers, names, dates of birth, and home addresses that has already leaked online may be used by criminals to appear more authentic when they call. 
    How do I stay safe from COVID-19 scams?
    The first and most important point is to never purchase medical equipment or treatments from unofficial, untrusted sources. Cybercriminals don’t care what sales vector has to be used to make a dollar or two — including exploiting demand for potentially life-saving vaccines — and there is no proof or guarantee chemical products bought online from third-parties are genuine or safe. 
    You should also treat any request for PII, whether made over the phone, via text, or email, very carefully. If there is a shred of doubt that this is genuine — and it is likely to be a scam when communicated in these ways — you should give nothing over. Instead, directly email or phone your local provider, or check official websites for the latest information. 
    Lastly, be wary of clicking links or downloading attachments in unsolicited messages, and remember to take a breath before responding to any form of message that tries to elicit panic — such as a claimed vaccine shortage or time-based offer. Grammatical errors, too, are often a red flag for scams.


    iPhone privacy checklist (2021 edition)

    I’m sure that you carry a lot of data around with you on your iPhone, personal data that you wouldn’t want others to gain access to. While iOS is great at keeping your data secure, it’s a good idea every so often to take the time to check that everything is good and secure.
    There’s no better time to do this than now!
    Strong passcode
    Biometric access using your face or fingerprint is both secure and convenient, but only a strong passcode can keep your data secure.

    No matter whether you use Touch ID or Face ID, you still need a passcode, and the stronger the passcode you can use — and remember! — the better. It really is the cornerstone of your security. If this falls into someone’s hands, they own your iPhone and its data.
    Remember, even if you use biometrics to access your iPhone, the passcode is still there as a backup, so make it a strong one. I also recommend changing it every few months for additional security against shoulder-surfers.
    Go to Settings > Face ID & Passcode (or Touch ID & Passcode on older iPhones with the Touch ID button), enter your existing passcode, and then tap on Passcode Options (or Change Passcode if you have this set already) to get a set of options.

    Choose between Custom Alphanumeric Code (the most secure) or Custom Numeric Code (second-best option). I don’t recommend 4-Digit Numeric Code because it’s easy for shoulder-surfers to see what your PIN code is (it’s also sometimes obvious which four numbers are in use because of the position of the greasy fingerprints on the display).
    While you’re here, scroll down to Erase Data and make sure that’s on.
    After 10 attempts (toward the end there will be a timer-based lockout to slow down the entry process, preventing pranksters from nuking your data), the encryption key will be deleted and your data permanently and securely wiped.
    Use a password manager
    The cornerstone to all good security is having good passwords.
    iOS has a password autofill feature that works with either the built-in iCloud Keychain or third-party password managers such as LastPass, Dashlane, and 1Password.
    You can find this feature in Settings > Passwords > AutoFill Passwords.
    Enable two-factor authentication for your iCloud account
    One of the best ways to protect your data is to set up and use two-factor authentication. This means that, even if an attacker has your iCloud username and password, Apple will send an authentication code to a device you’ve chosen, which should block most attacks.
    Go to Settings, tap your name at the top of the screen, then go to Password & Security and choose Two-Factor Authentication.

    Make sure your iPhone is locking itself quickly
    The shorter you set the lock screen timeout setting (there are options ranging from 30 seconds to never), the sooner your iPhone will require authentication to access it. Sure, it can be a bit of a speedbump, but Face ID and Touch ID are pretty fast and smooth.
    This is also a good way to save battery power.
    You can change the auto-lock time by going to Settings > Display & Brightness > Auto-Lock.
    I have mine set to 30 seconds.
    Use Find My
    This is a handy feature to have on if you worry about your device being stolen, or if you are the sort of person who loses things. In these situations, every second counts.
    To activate it go to Settings and then tap your name at the top of the screen, and go to Find My > Find My iPhone.
    From here, you can also check the Send Last Location feature, which sends the location of your device to Apple when the battery is low, allowing you to find it even when the battery is flat, and Find My network, which helps you locate your iPhone even if it is offline.
    Don’t give apps your precise location
    Now you have the option to allow apps access to your general location, but not your precise location. It’s nice to have the choice to use location data without giving a pinpoint location.
    It makes sense for some apps to have your precise location — mapping and navigation, for example, and the Tile app that tracks my stuff — but, for other apps, it might not make sense, and for those, you can tell iOS to give them location data that’s a bit vaguer.
    To access this setting go to Settings > Privacy > Location Services and then check the permissions for the apps that have access to your location.
    Control how much data your locked iPhone can leak
    Control how much — or how little — you want to be accessible on a locked device. 
    iOS gives control over the following:
    Today View
    Notification Center
    Control Center
    Siri
    Reply with Message
    Home Control
    Wallet
    Return Missed Call
    USB Accessories
    The bottom line is that the more you lock down, the more secure your device and data will be. The flip side is that the more you lock it down, the more often you have to unlock your device to see what’s going on.
    The USB Accessories feature is especially useful because it will prevent the Lightning port from being used to connect to any accessory if your iPhone or iPad has been locked for more than an hour.
    Go to Settings > Face ID & Passcode (or Touch ID & Passcode on iPhones with Touch ID), enter your existing passcode, and then scroll to the bottom of the page to control this.
    It’s also a good idea to secure notifications. While it’s super convenient to have information displayed on the lock screen, remember that this is visible to anyone holding the phone, so you might want to lock down what’s displayed.
    To do this go to Settings > Notifications > Show Previews and change the setting to When Unlocked or Never.

    Don’t give apps access to all your photos
    Photos can be incredibly personal, and now you can choose not to give apps access to all — or for that matter, any — of your photos.
    When an app first requests access to your photos, you get the option to block access, give full access, or access to selected photos.
    And if you change your mind, you can head over to Settings > Privacy > Photos and make changes there. It might be a good idea to go check what permissions you’ve given existing apps and whether you want to make any tweaks.
    Stop your iPhone from being tracked on Wi-Fi networks
    Your iPhone can now dish out a fake MAC address to Wi-Fi routers, which prevents your device from being tracked when using network connections.
    This feature is on by default, and you can find it by going to Settings > Wi-Fi and then tapping the “i” in a circle next to the network.
    Note that while this works fine on most networks, it can cause issues. For example, some smart networks are designed to send out a notification when a new device connects. It can also mess with parental controls or corporate/enterprise networks where permissions are assigned based on MAC address (it’s not recommended to use MAC address for authentication, but it happens).
    If you have problems with certain Wi-Fi networks, you may have to turn this feature off.
    Use hardware authentication
    I’m a big believer in using hardware authentication, which is why I recommend using something like the Yubico Yubikey. 
    Get one and use it. 
    Install a security app
    I’ve been using iVerify for a few months, and it offers intelligent suggestions for securing iOS.
    What’s that green/orange dot at the top of your screen?
    A green dot appears when the camera is accessed (similar to the green LED that lights up on Macs when the camera is on), and an orange dot for microphone access. It’s a handy indicator for misbehaving apps.
    Not sure which app is switching on the camera or microphone? Head over to Control Center, and you’ll see a notice at the top showing you the most recent app that has accessed the camera or microphone.
    Use a VPN, especially if you use free Wi-Fi
    Do you spend a lot of time using free Wi-Fi when out and about? If you do then you really need a VPN.
    A VPN (virtual private network) allows you to create a secure connection between your device and the VPN service provider’s server, allowing you to browse the web securely and without others being able to snoop on what you are doing.
    There are a lot of VPN providers out there to choose from, but if you are looking for a recommendation, my choice is F-Secure’s Freedome VPN.


    The IT skills gap is a giant problem. Help fix it with these smart management moves

    Skills shortages are at an all-time high, with 67% of digital leaders struggling to get hold of the right talent, especially in key areas such as big data, cybersecurity and artificial intelligence.
    With talent tough to find and IT budgets constrained, a focus on development and mentorship programmes could be the smartest way for CIOs to fill their digital skills gaps. Three tech leaders share their best-practice tips for honing internal talent.
    1. Help good people become great

    Danny Attias, chief digital and information officer at British charity Anthony Nolan, says mentorship and development is hugely important to his organisation. The charity runs apprenticeships to help talented staff flourish.
    “Starting with people who have an appetite for growth, and who are ambitious, makes mentoring a lot easier – they want to succeed,” he says. “We start with that as a baseline, and then it’s about giving them the tools and the training they need, and providing them with every possible opportunity.”
    Attias says the aim of the charity’s mentorship and development programmes is to help talented people get even better. He gives the example of someone who started in an entry-level IT job with the charity eight years ago and was recently promoted to director of product.

    “There’s been some big steps on the way,” he says. “I’ve secured her external mentorship from a digital design agency, so that she can learn, and the deal is that she learns from the outside and then she teaches me about digital.”
    Attias says the charity is always looking for new ways to inspire its talent. For example, three developers at the organisation recently completed 18-month software engineering apprenticeships and are now running key IT and data projects at the charity.
    Education is also baked into the charity’s day-to-day engineering work. Each two-week sprint at Anthony Nolan includes half a day of personal development, which Attias says adds up to a significant amount of time on an annual basis.
    The tech team self-organises this development process – they decide who learns what, how knowledge is imparted and exchanged, and how this learning process contributes to continuous personal growth.
    “So we’re all teaching each other all the time and we’re all learning. None of us pretends to be experts in what we do or that we’ve ever reached a limit,” says Attias.
    2. Make sure people’s objectives are met
    Joe Soule, CTO at Capital One Europe, says he feels lucky that people took the time and effort to mentor him at particular points in his career. He now mentors people in his own organisation and, unlike coaching, which he sees as more generalised, he says effective mentorship centres on career development.
    “There is always the great debate between coaching and mentoring. If it’s mentoring, then it’s likely that I’ve personally been through the problem, and have an idea of how to solve it, and I’m prepared to share with others how I went about solving that issue – and then they can choose to take that into how they plan to go through their career,” he says.
    When he provides coaching, Soule says it’s likely he doesn’t know the specifics of the problem but does know the person involved. While coaching is often provided to companies via external experts, Soule says the coaching he provides internally tends to centre on his relationship with the individual.
    “I tend to coach them on things like objectives and performance. And for me, that coaching conversation has to satisfy three things: are they interested, does it leverage their ability, and is there an organisational need,” he says.
    Soule splits coaching needs into three areas: chores, prayers and hobbies. If they’re interested and they have an ability, but there’s no organisational need, then that’s a hobby. If there’s an organisational need and they’re interested, but they have no ability, then that’s a prayer. And if there’s no interest, but there is an ability and a need, that’s a chore.
    “Most people’s lives are made up of a collection of chores, prayers and hobbies, rather than a solid objective that meets all three of those things. So I look from a coaching perspective to make sure that people’s objectives, particularly their performance objectives, meet those three criteria and are written in their own voice,” he says.
    3. Share your knowledge across communities
    Shane Read, CISO at commodities trading firm Noble Group, says mentoring is a crucial element in the creation of rounded, next-generation IT professionals – and he likes to share his best-practice cybersecurity knowledge whenever he can.
    “I’ve always been a mentor – I love mentoring. My take on the cybersecurity industry is that we have to share: mentoring is knowledge transfer 101. I have mentored since my first job and it helps me get so much out of this industry,” he says.
    Read says good mentoring sometimes involves recognising that people can learn from people in other businesses, too, even when they are among your best workers.
    One of his staff left recently after working with Noble for two and a half years. Read describes the worker, who was a good fit for the IT department, as “skilled and talented”. However, after helping the professional develop, Read knew it was time for him to move on.
    “I knew he’d be better off outside of this company because we don’t provide the right challenges for his skillset. I’ve just recently helped him find the next big role, and that’s from my industry contacts. It’s all about finding the right place for the right people – we can all do the job, but you want to be able to grow and expand,” he says.
    Read says it’s worth remembering that cybersecurity is quite a small industry. Individuals are likely to cross paths again, whether it’s at an industry event or in another workplace. Mentoring people and then staying in touch helps managers and their staff.
    “I still talk to people I first met in the industry 20 years ago. Some of them I deeply respect and will continue to do so because they’re furthering the industry. I try to emulate that, too. Cybersecurity is such a collaborative industry,” he says.


    Ticketmaster fined $10 million after staff hacked competitor to ‘choke off’ presale ticket business

    Ticketmaster has been fined $10 million after staff admitted to hacking into a rival firm’s systems in order to “choke off” their presale ticket business.

    Last week, the US Department of Justice (DoJ) said employees of Ticketmaster, a subsidiary of Live Nation Entertainment, “repeatedly” infiltrated the computers of a rival presale ticket seller. 
    Ticketmaster offers a platform for purchasing tickets for events including concerts, attractions, and sports.
    According to court documents filed in the US District Court for the Eastern District of New York, a former employee of the victim firm, believed to be Songkick, which had a presence in both the UK and New York, left that job in 2012 to join Live Nation. 
    Despite having signed a confidentiality agreement before starting the new job, the individual instead became central to a scheme designed to disrupt the competitor’s business operations. 
    The DoJ says that after joining Live Nation in 2013, the co-conspirator shared confidential information with Ticketmaster employees including the former head of the Artist Services division, Zeeshan Zaidi. 
    Ticketmaster’s rival offered presale tickets before they were made available to the general public and created a password-protected app for artists to track their ticket sales, known as Toolboxes. 

    The co-conspirator shared draft web pages built for artists, confidential URLs, financial documents, and credentials for existing Toolbox accounts. In 2014, they warned Zaidi to be careful about snooping around in these systems, but also urged him to “screengrab the hell out of [it].”
    By logging in to Toolboxes and pulling ticket sales data, Ticketmaster could benchmark its own presale performance against the rival’s and use the figures in sales pitches. 
    One of the overall goals was to “steal back one of [the victim company]’s signature clients,” US prosecutors said, and if successful, this would “choke off” the Ticketmaster rival, “cut[ting] them off at the knees.” 
    In a move the DoJ called “brazen”, Live Nation and Ticketmaster held an employee summit in San Francisco that same year. A senior Live Nation executive asked Zaidi and others to prepare a presentation comparing Ticketmaster presales with the rival’s Toolboxes, and the team obliged, once again logging in with the stolen passwords, this time in front of the assembled employees. 
    The unnamed co-conspirator was promoted and given a raise the following year. Ticketmaster employees continued to access Toolboxes, and maintained a spreadsheet of the account URLs, until the end of 2015.
    The rival company ceased operating in 2017. Prosecutors learned of the scheme after Songkick filed an antitrust lawsuit against Live Nation in 2015; Live Nation settled that suit and eventually acquired Songkick’s technology assets.  
    Employees involved in the scheme were fired. US prosecutors filed five criminal counts against Ticketmaster, including wire fraud and conspiring to commit computer intrusion. In a separate but related case, Zaidi pled guilty to conspiring to commit computer intrusions and wire fraud. 
    To resolve the case, Ticketmaster will pay a criminal penalty of $10 million and has entered a three-year deferred prosecution agreement that requires it to create a new compliance and ethics program and to report to the United States Attorney’s Office annually until the agreement expires. 
    Ticketmaster said, “we are pleased that this matter is now resolved.”
    “Ticketmaster employees repeatedly — and illegally — accessed a competitor’s computers without authorization using stolen passwords to unlawfully collect business intelligence,” commented Acting US Attorney Seth DuCharme. “Today’s resolution demonstrates that any company that obtains a competitor’s confidential information for commercial advantage, without authority or permission, should expect to be held accountable in federal court.”


    T-Mobile discloses its fourth data breach in three years

    US telecommunications provider T-Mobile disclosed a security breach last week, its fourth data breach in the past three years, after incidents in August 2018, November 2019, and March 2020.
    “Our Cybersecurity team recently discovered and shut down malicious, unauthorized access to some information related to your T-Mobile account,” the company said in letters sent to customers, obtained by ZDNet, and on a page on its official website.
    T-Mobile said it investigated the incident with the help of cybersecurity experts.
    The investigation found that hackers accessed customer details such as phone numbers, the number of lines subscribed to an account, and, in some cases, call-related information, which T-Mobile said it collected as part of the normal operation of its wireless service.
    “The data accessed did not include names on the account, physical or email addresses, financial data, credit card information, social security numbers, tax ID, passwords, or PINs,” the company said.
    Because the exposed data did not include names, addresses, financial details or government identifiers, T-Mobile is not offering free credit monitoring; it is only notifying affected customers, as US state breach-notification laws require.

    A T-Mobile spokesperson said the breach only impacted 0.2% of the company’s total userbase, which puts the number at around 200,000.

    The security breach does not look as bad as the company’s previous security breaches, primarily due to the smaller number of affected customers and the less sensitive nature of the exposed data.
    Those earlier breaches were a March 2020 incident (in which T-Mobile said hackers gained access to employee and customer data, including employee email accounts), a November 2019 incident (in which T-Mobile said it “discovered and shut down” unauthorized access to customers’ personal data), and an August 2018 incident (in which T-Mobile said hackers accessed the personal details of 2 million of its customers).
    Before its 2020 merger with T-Mobile, Sprint also disclosed two security breaches in 2019, one in May and a second in July.