
Prevendra Blog
Topics: national security, information security, counterintelligence and intelligence, competitive intelligence, insider threat, data loss, data breach, healthcare, social media, compliance


Murder in Pyongyang

The world collectively learned of the passing of Otto Warmbier, the U.S. student who was held in North Korea.

Let me correct that: Otto Warmbier, who was murdered by the Kim Jong-un regime.

Warmbier had the audacity to lift a poster off a wall (think souvenir) and was arrested for taking the wall poster. Warmbier was then tried by the regime and sentenced to 15 years of hard labor.

He never got the chance to serve his sentence as he suffered a traumatic event which caused neurologic failure and placed him in a coma.

The North Korean regime not only caused the death of Warmbier, they demonstrated their full measure of callousness by keeping his medical condition a secret from Warmbier’s parents and the United States government, who had repeatedly inquired and requested access to Warmbier through the Swedish diplomats who handle US interests in North Korea.

Warmbier’s family released the following statement the afternoon of 19 January.

“It is our sad duty to report that our son, Otto Warmbier, has completed his journey home.  Surrounded by his loving family, Otto died today at 2:20 p.m.

It would be easy at a moment like this to focus on all that we lost – future time that won’t be spent with a warm, engaging, brilliant young man whose curiosity and enthusiasm for life knew no bounds. But we choose to focus on the time we were given to be with this remarkable person.

You can tell from the outpouring of emotion from the communities that he touched – Wyoming, Ohio and the University of Virginia to name just two – that the love for Otto went well beyond his immediate family.

We would like to thank the wonderful professionals at the University of Cincinnati Medical Center who did everything they could for Otto. Unfortunately, the awful torturous mistreatment our son received at the hands of the North Koreans ensured that no other outcome was possible beyond the sad one we experienced today.

When Otto returned to Cincinnati late on June 13th he was unable to speak, unable to see and unable to react to verbal commands. He looked very uncomfortable – almost anguished.  Although we would never hear his voice again, within a day the countenance of his face changed – he was at peace.  He was home and we believe he could sense that.

We thank everyone around the world who has kept him and our family in their thoughts and prayers. We are at peace and at home too.”


A tragedy by any measure.

Senator John McCain (R-AZ) issued a statement today, which I stand behind 100%,  “Let us state the facts plainly: Otto Warmbier, an American citizen, was murdered by the Kim Jong-un regime. In the final year of his life, he lived the nightmare in which the North Korean people have been trapped for 70 years: forced labor, mass starvation, systematic cruelty, torture, and murder.”

Secretary of State Rex Tillerson commented, “Today we received with deep sadness the news that Otto Warmbier has passed away.” Tillerson continued, “On behalf of the entire State Department and the United States government, I extend my condolences to the Warmbier family, and offer my prayers as they enter a time of grief no parent should ever know.” He concluded, “We hold North Korea accountable for Otto Warmbier’s unjust imprisonment, and demand the release of three other Americans who have been illegally detained.”

Separately, Tillerson commented that a ban on US citizens travelling to North Korea may be in order. Again, I agree 100%: with the continued illegal detention of US citizens, it is entirely appropriate to put in place a travel ban to North Korea.

Our thoughts and prayers go out to the Warmbier family at this time of sorrow.


Dmitry Dokuchaev – Playing Both Sides?

Dmitry Dokuchaev, a Major in the Federal Security Service of the Russian Federation (FSB; Russian: Федеральная служба безопасности Российской Федерации (ФСБ)), was arrested by the FSB and charged with treason in December 2016 (see: Russian FSB cybersecurity implosion continues with more arrests). On 28 February 2017, Dokuchaev was indicted by the United States on charges of espionage, computer fraud and a host of other charges for activities during the period 2014 through December 2016. Note the dates. He was arrested by the FSB in December 2016, and the activities identified within the indictment ended in December 2016. Dokuchaev is both a busy and popular gent.

Who is Dmitry Dokuchaev?

Dmitry Dokuchaev’s (Дмитрий Докучаев) relationship with the FSB began when he was given the choice between jail or cooperation, as Dokuchaev is the Russian hacker known by his street name “FORB.” In a 2004 interview with Vedomosti, the then 20-year-old Dokuchaev claimed to have successfully penetrated the US government (not further identified) while a university student in Yekaterinburg (his home town). Dokuchaev went on to describe how he met his expenses by “stealing money from credit cards,” earning for himself $5-30,000 per month. This latter activity came to the attention of the FSB, and they made him an offer he could not refuse.

Dokuchaev, by then a Major within the FSB’s cybersecurity CDC and deputy to Mikhailov, was identified by the FSB as passing both personal data and FSB data to companies and to government representatives of the United States.

The DOJ indictment identifies Dokuchaev as follows: “Dmitry Alexsandrovich Dokuchaev, also known as ‘Patrick Nagel,’ was a Russian national and resident. Dokuchaev was an FSB officer assigned to the Second Division of the FSB Center 18, also known as the FSB Center for Information Security.”

Now Dokuchaev is charged with directing the effort to compromise the Yahoo email system and systematically obtain email information on targets of interest to the FSB. The indictment, 39 pages in length, goes into great detail on the depth of Dokuchaev’s and the FSB’s interest in monitoring the private email of Russian nationals, as well as international personas. Dokuchaev and his co-conspirators harvested the content of individuals’ private email accounts, and made every effort to monetize this unique and illegal access.

The Russians are charging him with similar activity. There is little likelihood that Dokuchaev will be extradited to the US, though he no doubt would prefer that to his current residence, Lefortovo prison.

Is Dmitry Dokuchaev a pawn in the grand game of realpolitik chess, or was he simply too greedy, played all the angles at once, and was discovered by both the United States Federal Bureau of Investigation (FBI) and the Russian FSB?

We’ll keep our eye on this, as the Russian FSB cybersecurity team implosion continues.

Additional reading:

Dmitry Dokuchaev Indictment
Russia’s FSB Cybersecurity Team Implodes
Russian FSB cybersecurity implosion continues with more arrests


Social Engineering: From Qatar With Love – Cyber espionage

Is the Government of Qatar perfecting its social engineering, or is this a case of Qatari vigilantism? A recent write-up by Claudio Guarnieri, a security researcher working for Amnesty International, leans toward nation-state sponsorship, exercising what he describes as “Operation King Phish.”


Robin Sage – 2009

Reading Guarnieri’s report sets off a flurry of memory triggers, bringing to mind the highly successful social engineering exercise of 2009, Robin Sage. Like Robin Sage, there is a femme fatale with a multitude of social network profiles … Google+, LinkedIn, Twitter and Facebook (as of 03 March 2017 they have all been removed).


Safeena Malik – 2017

Meet Safeena Malik. She claims to be a human rights activist, a director at Amnet. At the height of her activity she had connected to more than 500 individuals on the professional network LinkedIn alone.

Her modus operandi … old-fashioned clickbait social engineering. She would send emails, direct-message tweets, or open Google Hangouts or Facebook Messenger conversations. Each time she would provide a presentation or document for the recipient’s review.


Those who opened the file attachment or clicked on the link were either gifted with a malware payload or sent to a look-alike login page for their Google accounts. In either scenario, the entity (or entities) behind Malik were attempting to compromise the recipient’s device and Google ecosystem (Google Drive, Photos, email, etc.).

The target?  The report indicates: “… (King Phish) was a well-engineered campaign of phishing attacks designed to steal credentials and spy on the activity of dozens of journalists, human rights defenders, trade unions and labour rights activists, many of whom are seemingly involved in the issue of migrants’ rights in Qatar and Nepal.”

The migrant worker issue has been a political hot potato in Qatar for quite some time, especially regarding those who migrate from Nepal specifically to help build the infrastructure required for the FIFA World Cup of 2022. In 2014, The Guardian reported, “Nepalese migrants building the infrastructure to host the 2022 World Cup have died at a rate of one every two days in 2014 – despite Qatar’s promises to improve their working conditions.” According to the BBC, more than 1400 had died as of 2015; no doubt the number is higher.

The BBC has been covering the issue for some time, and in 2015 found that their reporter’s investigative skills were not appreciated by the Government of Qatar.  The video from the BBC reporter highlights the sensitivity in Doha.

How many migrant workers are there in Qatar? According to the Guardian, there are about 400,000 Nepalese workers in Qatar among the 1.4 million migrants.  

What say the Government of Qatar? Not only no, but emphatically no. They claim no interest in Amnesty International or any other organization, and they too wish to know the identity of the culprits behind this activity. They would never engage in cyber espionage.

What say Amnesty International on Qatar? “The authorities unduly restricted the rights to freedom of expression, association and peaceful assembly. One prisoner of conscience was pardoned and released. Migrant workers faced exploitation and abuse.”

Will this be the last case of social engineering used in a political fracas? Those with opinions, remember the adage: don’t click. Nation states and unscrupulous competitors will use all the tools available to them to engage their target.



Departing Zynga Employees Heist Intellectual Property?

Easiest way to lose your intellectual property?  When your departing employee walks your intellectual property right out the door. It happens far too often and the insider threat you thought of as a hypothetical?  Well, it is now a reality.

This is what apparently happened to Zynga.

Zynga (yes the game company is still alive and kicking) alleges in their complaint (United States District Court Northern District of California), that a number of employees have left their employ and went to a competitor, Scopely, with Zynga’s intellectual property in hand.

Nothing wrong with jumping ship to a greener pasture. Non-competes do not exist in California, so the move itself is all good. However, it’s not ok to take the intellectual property of your employer (even if you had a hand in creating it) out the door with you for use at your next employer.

Let’s look at the ‘alleged’ smoking guns.



Zynga filed suit against a direct competitor, Scopely. The claim: former employees departed Zynga and took (stole) the intellectual property of Zynga on their way out the door and directly to Scopely.

How much of Zynga’s intellectual property did the departing employee(s) take? What other agreements did the employees violate?

The complaint alleges:

Massimo Maietti (Maietti worked for Zynga as a senior-level game designer and is now employed by Scopely as Vice President and General Manager of Product Development). Forensic examination of Maietti’s laptop two days after his departure from Zynga showed that one day before he tendered his resignation he downloaded Zynga Google Drive folders to his laptop. Maietti then inserted a USB drive into the laptop and copied all the folders to the USB drive. The laptop drive’s “trash” folder contained 20,000 files. An analysis of the corresponding Google Drive folders revealed that Maietti took over 14,000 files and approximately 26 GB from the folders. Within this treasure trove of documents was Zynga’s new Project Mars. (NOTE: Maietti’s access to these files was within his Zynga-approved access, i.e. he had natural access to these folders on the Zynga Google Drive.)

Ehud Barlach (Barlach worked for Zynga as General Manager of Hit It Rich! Slots (“Hit It Rich!”)). Forensic examination of Barlach’s Zynga-issued computer revealed that when Barlach accepted Scopely’s offer of employment, he also offered to help Scopely raid Zynga’s workforce; Scopely’s HR representative noted that had he not offered, they would have asked on his first day.

It’s a dog-eat-dog world in the trenches of employee retention, and Zynga details the wholesale raid by Scopely on its talent pool as a result of their contact with Maietti and Barlach. Three of those recruited were Derek Heck, a Product Manager; Evan Hou, a Manager, Data Analytics; and Zynga Lead Product Manager Joshua Park.

The complaint indicates Zynga’s forensic analysis reveals: “Barlach, Heck, and Hou all attached external USB devices to their Zynga-issued laptop computers in the weeks before resigning to go to work for Scopely. Heck also deleted more than 24,000 files and folders in the last month of his employment with Zynga, and referenced articles entitled, ‘How to erase my hard drive and start over’ and ‘How to Erase a Computer Hard Drive…’.”


What did Zynga do right?

They had their departing employees attest they had returned all Zynga’s intellectual property prior to their departure.

They also had the departing employee agree and sign that they would not solicit employees from Zynga for a period of one year.

“Maietti reaffirmed in writing that he had returned all of Zynga’s trade secrets and would not solicit its employees.”

They also preserved the laptop hard drives of employees who departed to competitors. The complaint explains: “Zynga realized that its key talent was being solicited and hired by Scopely with increasing frequency, Zynga commissioned a forensic examination of the departed employees’ computers, going back to Maietti’s resignation months earlier.”

Demonstrated forensic support capability should be in every company’s arsenal (in-house or outsourced). Because Zynga had it, they were able to include in their complaint the timeline of Maietti’s removal of their intellectual property from the Google Drive to the laptop and then to the USB drive:

• 9:01 a.m. – External USB device connected to laptop

• 9:04 a.m. – Google search for “download a google drive folder”

• 9:06 a.m. – Zip files downloaded to laptop

• 9:20 a.m. – Zip files copied onto external USB device

• 10:18 a.m. – Original Zip files placed in Trash (but not the copies Maietti created on his USB device)
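The correlation that produces a timeline like the one above, as an added example that is not from the complaint, from Zynga’s examiners or from Prevendra: a small Python script that orders constructed host artifacts (a USB connect, browser history, file creations, a Trash move and an HR resignation record) chronologically and flags the copy-to-removable-media-then-delete pattern and the drive-wiping research the complaint describes. The event sources, paths, mount prefixes and dates are assumptions made for the sample.

```python
"""Correlate host artifacts into an insider-exfiltration timeline.

Added illustration, not code from the Zynga complaint. In a real case the
records would come from USB/registry logs, browser history, a file-system
journal, the Trash folder and HR; here they are constructed inline.
"""
from datetime import datetime, timedelta

# Constructed sample artifacts: every path, serial number and date is invented.
SAMPLE_EVENTS = [
    {"ts": "2016-06-01 09:01", "source": "usb",
     "detail": "USB mass storage connected serial=CONSTRUCTED-1234"},
    {"ts": "2016-06-01 09:04", "source": "browser",
     "detail": "search: download a google drive folder"},
    {"ts": "2016-06-01 09:06", "source": "fs",
     "detail": "created /Users/sample/Downloads/ProjectMars.zip"},
    {"ts": "2016-06-01 09:20", "source": "fs",
     "detail": "created /Volumes/USBDISK/ProjectMars.zip"},
    {"ts": "2016-06-01 10:18", "source": "trash",
     "detail": "moved /Users/sample/Downloads/ProjectMars.zip to Trash"},
    {"ts": "2016-06-02 14:30", "source": "browser",
     "detail": "visit: How to erase my hard drive and start over"},
    {"ts": "2016-06-03 09:00", "source": "hr", "detail": "resignation tendered"},
]

# Assumptions: where removable media mounts, and which search terms matter.
REMOVABLE_PREFIXES = ("/Volumes/", "E:\\", "F:\\")
WIPE_TERMS = ("erase my hard drive", "erase a computer hard drive", "start over")


def parse_events(raw):
    """Parse timestamps and return the artifacts in chronological order."""
    parsed = [dict(e, ts=datetime.strptime(e["ts"], "%Y-%m-%d %H:%M")) for e in raw]
    return sorted(parsed, key=lambda e: e["ts"])


def copies_to_removable_after_usb(events, window=timedelta(hours=2)):
    """Pair each USB-connect artifact with file creations on removable media
    that follow it within `window`. Returns a list of (usb_event, fs_event)."""
    pairs = []
    for usb in (e for e in events if e["source"] == "usb"):
        for fs in events:
            if fs["source"] != "fs" or not (usb["ts"] <= fs["ts"] <= usb["ts"] + window):
                continue
            path = fs["detail"].split(" ", 1)[1]
            if path.startswith(REMOVABLE_PREFIXES):
                pairs.append((usb, fs))
    return pairs


def originals_trashed(events, copies):
    """For each copy to removable media, find a later Trash move of a file with
    the same name: the copy-then-delete pattern in the complaint's timeline."""
    trashed = []
    for _, fs in copies:
        name = fs["detail"].rsplit("/", 1)[-1]
        for t in events:
            if t["source"] == "trash" and t["ts"] > fs["ts"] and name in t["detail"]:
                trashed.append((fs, t))
    return trashed


def wipe_research(events):
    """Browser artifacts matching drive-wiping research terms."""
    return [e for e in events if e["source"] == "browser"
            and any(term in e["detail"].lower() for term in WIPE_TERMS)]


def within_days_before_resignation(events, days=7):
    """Artifacts from the `days` immediately before the resignation record."""
    resign = next((e for e in events
                   if e["source"] == "hr" and "resignation" in e["detail"]), None)
    if resign is None:
        return []
    start = resign["ts"] - timedelta(days=days)
    return [e for e in events if start <= e["ts"] < resign["ts"]]


def analyze(raw_events):
    """Run every check and return counts plus the ordered timeline lines."""
    events = parse_events(raw_events)
    copies = copies_to_removable_after_usb(events)
    return {
        "timeline": [f"{e['ts']:%Y-%m-%d %H:%M} [{e['source']}] {e['detail']}"
                     for e in events],
        "removable_copies": len(copies),
        "originals_trashed": len(originals_trashed(events, copies)),
        "wipe_research_hits": len(wipe_research(events)),
        "events_week_before_resignation": len(within_days_before_resignation(events)),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for line in result["timeline"]:
        print(line)
    print({k: v for k, v in result.items() if k != "timeline"})
```

The point of the script is that none of the individual artifacts is suspicious on its own; it is the ordering (USB connect, then bulk copy to that media, then the originals to Trash, all in the days before resignation) that turns them into evidence.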

Raw Material

Want to learn more and draw your own conclusions? Here are the Zynga complaint and the Scopely response: good reading.

Zynga-Scopely-Complaint – 29 November 2016

Scopely – Zynga – Response 08 December 2016

How this plays out will be one worth watching.



Russian FSB cybersecurity implosion continues with more arrests

As we discussed in our recent piece, “Russia’s FSB Cybersecurity Team Implodes,” the number of individuals from within the FSB cybersecurity entities who are in shackles continues to increase, and the timeline of the investigation by the Russian security service, the Federal Security Service of the Russian Federation (FSB; Russian: Федеральная служба безопасности Российской Федерации (ФСБ)), continues to expand.

Over the course of the past two days, we have seen Russian media digging deep into their sources within the FSB on the power play going on between two FSB elements, and on the arrest of four individuals associated with Humpty Dumpty (hacker group) who are alleged to have shared information with US entities.

US Election – Russian shenanigans

What is clear now is the existence of a United States angle in the longer tale, which is tied to the FBI’s August 2016 alert to Russian activity targeting individuals associated with the Arizona and Illinois voting systems. See the Washington Post, “Russian hackers targeted Arizona election system,” for how the activity was described in 2016, and the New York Times September 2016 report that the King Servers company’s servers were also used for the attack on the Democratic National Committee (DNC).

The CEO of King Servers, when interviewed in September 2016, noted that when he learned his company’s servers were showing up in FBI reports, he immediately blocked those servers. The worldwide media carried Vladimir Fomenko’s comments expressing shock and outrage that a criminal might have leased his servers for such nefarious activity.

Additionally, the previously mentioned Wroblewski and his Chronopay investigation and conviction is connected to King Servers — yes, Chronopay was hosted by King Servers.

January 2017 – FSB cybersecurity investigation



Fast forward to 26 January 2017, and we learned of the December 2016 arrest of yet another member of the FSB cybersecurity Information Security Centre (CDC), Dmitry Dokuchaev. Dokuchaev, a Major within the FSB, served as deputy to Sergei Mikhailov. Dokuchaev is also being charged with treason (Article 275 of the Russian Criminal Code).


Dmitry Dokuchaev’s (Дмитрий Докучаев) relationship with the FSB began when he was given the choice between jail or cooperation, as Dokuchaev is the Russian hacker known by his street name “FORB.” In a 2004 interview with Vedomosti, the then 20-year-old Dokuchaev claimed to have successfully penetrated the US government (not further identified) while a university student in Yekaterinburg (his home town). Dokuchaev went on to describe how he met his expenses by “stealing money from credit cards,” earning for himself $5-30,000 per month. This latter activity came to the attention of the FSB, and they made him an offer he could not refuse.

Dokuchaev, by then a Major within the FSB’s cybersecurity CDC and deputy to Mikhailov, was identified by the FSB as passing both personal data and FSB data to companies and to government representatives of the United States. (Perhaps they are among the many sources used in the creation of the DNI’s “Assessing Russian Activities in Recent US Elections.”)

Uncovering Mikhailov, Dokuchaev and Stoyanov

No one will ever claim the FSB counterintelligence – counterespionage teams are not thorough, patient and persuasive.


The uncovering of the activities by personnel within the FSB CDC and the greater Russian cybersecurity community came as a result of the apprehension and subsequent interview and confession of Vladimir Anikeeva (Владимир Аникеева), a journalist who is also believed to be the head of Humpty Dumpty (see our prior piece). Anikeeva’s online handle is “Alice.” Anikeeva was lured from Ukraine to St. Petersburg, where he was arrested and charged with “illegal access to computer information” (Article 272 of the Russian criminal code).

The arrest of Anikeeva (October 2016) had to do with the emails of Vladislav Surkov (aka the Kremlin’s puppet master), which the group had published on the site “Kiberhunta” (Cyber Hunter). It was during the interview/interrogation of Anikeeva that he identified the activities of Mikhailov. Indeed, the media report how Anikeeva volunteered the information on the complicity of Mikhailov, Dokuchaev and Stoyanov.

So, while the initial investigation was focused on who dox’d Surkov and his emails; and the take down of Humpty Dumpty, the resultant multi-month investigation uncovered elements within the FSB CDC, engaging in a bit of moonlight shenanigans.

Russian media has reported a fourth individual has been arrested, with much of the media speculating it is Anikeeva.

FSB cybersecurity cat-fight

Once the FSB compartmented the counterintelligence investigation, the table was set for the imploding of the FSB CDC.

The cat fight between the two elements within the FSB began. These elements are the FSB CDC and the FSB Special Communications Group (FSB SCG), previously known to western intelligence services as FAPSI. The latter group is responsible for all Russian cryptographic standards, securing the Russian elections, and a multitude of other activities, including signals intelligence (SIGINT).

The FSB SCG wasted no time in positioning itself to catch the pieces as the FSB CDC was systematically dismantled with the forced retirement of the head of the CDC, Andrei Gerasimov; the arrest of his deputy Sergei Mikhailov and Dmitry Dokuchaev and their good friend and the member of the troika with industry and international government contacts, Stoyanov.

Putin gets to look good to Trump

While the internal gyrations are taking place, we can expect Putin to play the internal housecleaning to his advantage when engaging with the new administration in the US. He is now able to say, “we did not interfere or try to influence the US election; but some rogue members of the FSB were associated with a criminal element and we have brought them to justice.” He is also able to commiserate with the new US president, Trump: “we too have our issues with the security services.”



January 28, 2017 – International Data Privacy Day

I am pleased to be recognized as a Data Privacy Day Champion, as is Prevendra. Every day, efforts are expended to assist companies and individuals in protecting their collective privacy. In 2016 we witnessed millions of individuals having their private information compromised. A healthy percentage of those compromised found their information was being exploited and used.

This year’s theme for Data Privacy Day 2017 is privacy aware (#PrivacyAware). The intent is to empower every individual and business to respect privacy, safeguard data and enable trust.

For the past seven years, I’ve been generating an annual missive on this topic.  This year, we’ll share the official infographic and a few of our privacy tips which have been shared over the years and remain accurate today.

So what can we do? Here are two steps that we can take to understand how your data (and privacy) is being used, without appreciably diminishing your online experience.

Privacy Tip #1

Privacy Statements

Read every site’s “Privacy” statements. Why? So you will know what information will be collected, how it will be used and with whom it will be “shared.”  Every time you open a privacy statement – search for the word “SHARE” and understand how your information will be shared.  Search for the word “USED” and understand how your information will be used.  Search for the word “COLLECT” and understand what is being collected.

Here is the Prevendra privacy statement: Prevendra, Inc. Privacy statement.


Privacy Tip #2

Privacy Settings

Set your privacy settings to your individual comfort level. Whether you are using Facebook, Twitter, LinkedIn or any other social network, they have controls on how, and with whom, your information is available within the application.

Take the time necessary to set those settings. Take a moment to read how the different settings affect who has access to what you are sharing. For example, on Facebook you can share with a micro-group of your “friends,” with the public, or somewhere in between.

On your devices, under privacy or security settings, you can adjust how you share your location, what information is accessible to each application, and what information on your device the application has access to.


In 2010, I admonished that each individual should take steps to protect their own privacy. No surprise: the two pieces of advice above were the same advice provided in 2010. An excerpt from my advice on Privacy Day 2010: “To accomplish this goal [privacy], it’s important to know how you are sharing your information, how others are sharing your information and, ultimately, how your information is being utilized. Some would say that it’s difficult to know in this digital age; others would say it has always been. It is difficult – but not insurmountable. With a bit of awareness and education it’s within our collective capacity to develop a better understanding so that we reduce the frequency with which we effectively shoot ourselves in the foot, both accidentally and seemingly on purpose.”

I advocated the following (and continue to do so):
  • Ask how your data will be used, under what circumstances, and by whom.
  • For those who use peer-to-peer software in your home: review the settings in detail, as an incorrect setting can open your system to an outside entity.
  • Do you have a wireless network? Suppress the Service Set Identifier (SSID), limit access to specific MAC addresses, and use WPA2 encryption with strong passwords. A strong password consists of more than eight, preferably 14, characters consisting of symbols, numbers, and letters (and isn’t a word from a dictionary of any language). This will greatly reduce the likelihood of unauthorized access by criminals.
  • Data destruction: shred your paper copy data; degauss or destroy your magnetic media prior to recycling. Don’t allow a physical harvest of your data.
  • Do others use your computer? If you allow visitors to use your computer or wireless network and you share the primary passwords, change them following each use.
  • Encryption: I advocate encryption, with a robust, strong key phrase, for your important data. Data or full-disk encryption, the choice is yours.

A year later, in 2011, I continued to cajole all to think about privacy. I asked a question at an event in 2010: “How many of you check Twitter or your social networks before your feet hit the floor in the morning?” About one-quarter of the 300 people present raised their hand. Quite a telling answer, and one that solidified in my mind that checking in is right up there with reaching for your morning coffee.

I then discussed the influence of social networks on our everyday life. The unintended growth of personal data that each of us creates as we move through our daily lives. A professional colleague of mine coined this “our digital exhaust.”  We should continue to review our exhaust. Review how many different online profiles you’ve created. Consider how many photos, videos, emails, comments, and tweets you’ve posted in public or quasi-public locales. These are the nuclei of your biographic mass, which can and will be compiled about you by any number of interested entities, whether they are marketers or hiring managers. I assure you, this information will not match your well-framed and articulated persona or the resume that you so painstakingly created. The good news is that if you know what others know, then you are prepared for the question that may arise about a given incident or piece of publicly available data.

Then in 2012, privacy became more important to all, and we began to see different rules and regulations come to the forefront. I used the 2012 anniversary of Data Privacy Day to delve into the privacy statements of different conglomerates. See above for the strong suggestion to search through the privacy statements of anyone holding or using your data; searching for “share” was, and is, essential.

In 2013, I declared the prior year of 2012 as the year our “privacy was collectively hosed.” We saw the influx of medical privacy breaches, and the overreach of US government entities in requesting data from corporate entities was at an all-time high. I shouted that every consumer should measure their sharing of their information with two phrases: “need to know” or “do not track.” We all must pay attention to the minutiae and details.

Again, here we are in 2017, and we are facing many of the same issues. I implore each of you: protect your own data. For those who collect data, do not collect what you cannot protect. It is your privacy; you are the one to ultimately decide what you will share and what you will hold dear. I urge you to know what you share.

Thank you for your time.

Christopher Burgess
CEO Prevendra.

[Infographic: Data Privacy Day 2017]

Russia’s FSB Cybersecurity Team Implodes

While the world was watching the United States election and the debate over whether or not the Russians hacked the DNC and influenced the election, the Russian Federation was engaged in some housecleaning of its own.

A followup report to this post has been filed 28 January 2017:   Russian FSB Cybersecurity Implosion Continues With More Arrests

The Federal Security Service of the Russian Federation (FSB; Russian: Федеральная служба безопасности Российской Федерации (ФСБ)) was cleaning house within their Information Security Centre (CDC), their cybersecurity team. Western media, drawing predominantly from a Kommersant article of 25 January, “Lubyanka Consultant floating in Lefortovo,” learned that two individuals, one the deputy director of the FSB cybersecurity team and the other a senior manager within Kaspersky Labs, had been arrested. While the FSB has not released the charge sheet, they have noted that the two are being held on “suspicion of violation of Art. 275 of the Criminal Code (‘treason’),” and unidentified non-official sources of Kommersant framed the investigation as looking into the allegation that the individuals received money from foreign companies. There is more to the story.

It is alleged that the deputy director of the FSB CDC, Sergey Yuryevich Mikhailov, is associated with the Russian hacking group Humpty Dumpty (Шалтай-Болтай), which over the course of the past few years has been doxing (sharing personal data of) members of the Putin administration, including Prime Minister Medvedev and Deputy Prime Minister Dvorkovich. It is further alleged that Mikhailov and a professional colleague of his, Ruslan Stoyanov, a senior Kaspersky Labs employee with whom Mikhailov regularly collaborated, feathered their nest by sharing data they harvested with western companies.

The FSB CDC’s director, Andrei Gerasimov, who was eligible to retire, is believed to have done so in mid-January 2017. The assumption within Russian media being, the accelerated retirement was directly related to his deputy, Mikhailov having been arrested.

Always one for drama, the FSB did not disappoint. Multiple media outlets are reporting that the arrest of Mikhailov was taken straight out of the pages of the USSR era. Mikhailov was in a staff meeting, when he was bagged (bag over his head) and dragged unceremoniously from the building.

So what’s really going on? Whether or not the relationship to Humpty Dumpty is confirmed, Russian media is associating Humpty Dumpty with the CIA (Central Intelligence Agency), based on nothing more than, “because, who else?”


The FSB’s Paul Wroblewski Investigation

What is clear is that the linchpin between Stoyanov and Mikhailov is the on-again, off-again investigation into ChronoPay owner Paul Wroblewski, and the turf war that played out during this investigation between the FSB CDC and the special communications group within the FSB (aka Military unit No. 43753). The latter group’s remit covers use of cryptographic equipment and securing Russia’s electronic voting (the irony for a reader in the US is off-the-charts).

Mikhailov is quoted as saying turf wars are handled surgically – he might be right.

“The FSB has never had internal squabbles that would lead to criminal prosecution. There is always the possibility of resolving these conflicts simply by changing leaders, layoffs, or changes in structure. I do not see any intrigue. When two units are unable to find a common language, it is resolved surgically and without the use of procedural measures. The FSB is a powerful power structure, with a precise vertical. Inclusion of third-party tools is stupid.” – Sergei Mikhailov

Sberbank’s desire to build an all-inclusive national database of personal data, and its having interviewed Mikhailov for this role, may have been a red herring designed to elicit information from Mikhailov on the means to acquire data which may not be readily available within the already impressive Russian government databases. One can only speculate, until the charge sheets are released, on whether or not the Sberbank discussions provided grist for this mill.

We’ll keep an eye out for the FSB updates. We expect to see the musical chairs within the FSB’s Information Security Center to continue and additional information which may confirm or refute the existence of a “very special relationship” with Kaspersky Labs to be leaked, as the Russian media is spinning up like sharks who taste blood in the water.

Let’s meet the individuals:

Sergei Mikhailov


Sergey Yuryevich Mikhailov (Сергей Юрьевич Михайлов) is the deputy head of the FSB’s CDC. The CDC oversees all of the official Russian efforts against cybercrime in Russia. This includes theft of credit and financial information, personal data leakage, and monitoring of social networks.

It is reported (Constantinople Network) that Mikhailov had been meeting with the leadership of Sberbank, to take a role reporting to Sberbank’s Herman Gref. The role at Sberbank was to create a new online service, and to build the national database of personal data. It should be noted, that Gref is considered to be a moderate within Putin’s circle.

Ruslan Stoyanov


Ruslan Stoyanov (Руслан Стоянов), a senior manager within Russian-based “Kaspersky Lab”, leads one of the departments within Kaspersky. Prior to joining Kaspersky, Stoyanov worked as a manager within the Moscow police’s cybersecurity “K-control” team, in the management of the special technical activities of the Moscow police. In that role, he worked closely with the FSB and other Russian security elements.

Kaspersky Labs has emphatically distanced themselves from Ruslan Stoyanov and his arrest. Kaspersky’s PR representative, Maria Shirokov, notes that the activities with which he is charged pre-date his being hired by Kaspersky Labs, and that Stoyanov is not part of the company’s leadership team but is a department head. Russian media notes that Stoyanov worked closely with the FSB’s CDC and enjoyed the trust of the Russian Federation, having been made privy to a great many state secrets.

Stoyanov held the rank of Major within the special technical activities group of the Moscow police ( “K” control) prior to joining Kaspersky.

Andrei Gerasimov

Andrei Gerasimov, director of the FSB CDC is believed to have submitted a mid-January resignation/retirement (some call ejection) as a result of his deputy, Mikhailov’s early-December arrest.

Lubyanka and Lefortovo Prison


For now, the two are being shuttled between FSB headquarters at Lubyanka and Lefortovo Prison.

Lefortovo Prison is etched in the minds of every Russian as perhaps the most frightening locale in Russia, given its association with Stalin’s NKVD and the FSB’s predecessor, the KGB. Lefortovo Prison was built in 1881 and is best known as the place of bloody and brutal interrogations and executions during Stalin’s Great Purge. During the final years of the Soviet Union, the KGB used Lefortovo as an investigative isolator where they detained political prisoners. The bottom line: there is no worse place to sit in Russia than an interrogation room within Lefortovo Prison.

A follow-up report to this post was filed 28 January 2017: Russian FSB Cybersecurity Implosion Continues With More Arrests


Customer Loyalty Sweepstakes: The winner engages the customer securely

The 2016 Nielsen report addressing customer loyalty, “Allegiant Alignment: What Faithful Followers of Retail Loyalty Programs Want”, based on the 2016 Nielsen Global Survey of Loyalty Sentiment, polled more than 30,000 online consumers in 63 countries throughout Asia-Pacific, Europe, Latin America, the Middle East/Africa and North America. They found loyalty programs continue to hook, and keep hooked, individual consumers. Nielsen noted, “more than seven in 10 loyalty-program participants in the survey somewhat or strongly agree that all other factors equal, they will buy from a retailer with a loyalty program over one without,” which continues the trend identified in the 2013 and 2015 surveys.

Jeff Bezos may have said it best, “We see customers as invited guests to a party, and we are the hosts. It’s our job every day to make every important aspect of the customer experience a little better.” Amazon Prime is an excellent example of a loyalty program adding value to the membership: Amazon’s most loyal customers pay a fee and in exchange receive a host of benefits.


Then in 2015, Nielsen again looked at customer loyalty and found, “Consumer Loyalty is Not Much Deeper Than Our Pockets.” The 2015 global survey of 30,000 online respondents in 60 countries shows that price is the top driver of store switching behavior—and by a wide margin. Nielsen advises, “Approximately 84 percent of survey respondents indicated a strong preference to choose a retailer with a loyalty program over a competitor without one. The data points toward the efficacy of having a customer loyalty program over not having one. The vagaries of how customer relationship management (CRM) solutions are implemented is where the differentiation between brands takes place. Membership in the loyalty program does not guarantee loyalty, of course, but it does open the door for companies to earn the customer’s loyalty at every encounter.”


In its November 2013 report, “How Loyal Are Your Customers?”, derived from the Nielsen Global Survey of Loyalty Sentiment in which 29,000 Internet respondents from 58 countries participated, Nielsen found that customer loyalty is driven by product quality coupled with how successfully the engagement with the customer is executed. Nielsen’s global survey noted loyalty to be fickle, especially when competitors appear with product, promotions and technological infrastructure that not only catch the customer’s eye but also engage the customer with the least amount of technological friction.

This does beg the questions, “How are you going to engage with the customer when they are not standing in front of you?” and “How are you going to use the customer data derived from the engagement?” These two questions are not as simple as they may appear.

Use of Data

Information technology infrastructure capable of handling a robust influx of data is paramount. Data may come via a myriad of sources, including marketing, manufacturing, fulfillment, sales and support. Customers are likely to be well versed in digital engagement and will be in search of a frictionless experience. The challenge for the IT decision makers at midsize firms is to ensure that infrastructure is interconnecting all internal entities. Most importantly, it enables the company to avoid fragmentation of effort and to speak with one voice. Furthermore, it means having in place the technology to support personalized engagement oriented to the touch points between the customer and the company.


The customer may engage via social networks, a help line or loyalty program portals. In each case, the customer is choosing the manner in which it is most convenient to engage. IT leadership, especially in midsize businesses, is accountable for ensuring infrastructure is adequate to the task. If the infrastructure is not sufficiently integrated to allow the instant engagement to roll up to a customer service screen, then the customer experience will be fraught with potential disconnects. This is especially important for those small and medium businesses (SMBs) that may have a local physical presence as well as a far-reaching virtual presence. Capturing the interaction on both planes, the physical and virtual, allows SMBs a level of dexterity to make real-time adjustments to their customer interaction based on engagement data.

The loyalty program’s connectivity with the company’s social networks permits direct marketing and early warning to support staff in the event of a product failure. Moreover, there is no better way to engender word-of-mouth activity than personalization of the customer engagement via the social networks. The integration of social network engagement with the other areas of the company requires infrastructure concordance. The Nielsen reports indicated large swaths of respondents expected loyalty programs to provide perks, such as free products, with the North American market expecting discounts or other money-saving offers from the loyalty program. SMBs have the ability to engage their customers on the fly, making adjustments as necessary based on sales, social media network sentiment, volume and engagement, thus keeping their loyal customers loyal.

Privacy and Security

Loyalty programs require an investment in maintaining the privacy of the participant. If the loyalty program for a drug store chain is compromised, will the prescriptions be at risk? (Walgreens, CVS and others have experienced breaches which affected customers in recent years.)

If the airline loyalty program database is compromised, will the travel patterns of the participant and the personal identifying information be at risk?

In late 2016 the KFC UK loyalty program found itself picking up the crumbs following the compromise of 1.2 million customers’ data. In 2015, the Toys R Us loyalty program was compromised, and users were advised.

Are Customer Loyalty Programs for You?

More than 3.3 billion consumers participate in loyalty programs, so they are clearly here to stay, yet not all loyalty programs prove successful, and customer engagement comes in many flavors. Companies that make the investment in customer engagement that provides customers with useful information and that enhances their experience will be best positioned to win the customer loyalty sweepstakes.


A more condensed version of this article, by Christopher Burgess, previously appeared on an IBM blog.



Financial Advisor at Ameriprise exposes millions in assets via NAS

Do you use a financial advisor? I do, and I recommend mine to others without reservation. Part of that recommendation comes from the manner in which the account data is secured, which provides me more than a modicum of assurance that the folks managing my money are not asleep at the switch when it comes to protecting my identity (and thus my assets).

Most financial firms of note have in place good to adequate security. And yes, like every industry, convenience is sometimes sacrificed (a little) to provide the level of security necessary to ensure your data is protected. The convenience factor is a two-way street.

You the consumer need to have access to your own information and accounts; your financial advisor also needs access to your information and accounts. If either of you get lazy and bypass the established security and privacy implementations, then your data is being placed at risk.

And this is exactly what happened in the case reported as “Financial Data Worth Millions Unwittingly Exposed In Ameriprise Accounts”, though it appears that Ameriprise and the advisor are at odds on what constitutes security. From our optic, both failed! The NAS (Network Attached Storage) device which housed the backup data of the financial advisor had no security implementation in place.

The financial advisor apparently backed up his clients’ data to an unsecured NAS. The advisor’s clients’ data were included in the repository: not just their client accounts with Ameriprise, but all their accounts and their passwords, thus exposed for anyone who knows how to scan the internet (Shodan was used in this instance) to see. What exactly was available for harvesting? Here are two screenshots.

The first screenshot details the internal account details of the clients. Those portions which would expose the individual accounts of the clients and their access credentials have been redacted in the screenshot, and the password column omitted. In a few words, a total compromise of the clients’ financial accounts occurred.

[Screenshot: Ameriprise compromise – client account details (redacted)]

The second screenshot provided by the security researcher Chris Vickery is the questionnaire the financial advisor provides to Ameriprise in which data handling is discussed. 
[Screenshot: Ameriprise compromise – data-handling questionnaire]

What to ask your financial advisor?

The financial industry is high on the threat list for lucrative harvesting by cyber criminals; we don’t need to entrust our fiscal assets to those who aren’t interested in protecting those assets.

Use the considerable assets of FINRA to fact check and augment your knowledge of the financial advisory industry and best practices. FINRA is there to protect you the investor and their tip-sheet (2 page pdf: Keeping Your Account Secure) is a good primer.

When engaging with your financial advisor ask some pointed questions on how your data is protected and secured!

  • Do you transmit my account data via unencrypted email? (Are they attaching a .pdf and winging it to you?)
  • Where are personal information forms and medical data for annuities, life insurance, etc. physically stored?
  • How are they protected?
  • How is the data for my external accounts (bank, brokerage, etc.) protected?
  • Who has access to my online account? Financial advisor? Supervisors? Analysts? (The more who have access, the more opportunities to lose or misuse your data.)

If you don’t like the answers, or if there are no answers, find a new advisor.


BYOD: Users are a nightmare without policies

Over the course of the past several years business leaders have evaluated and implemented the bring-your-own-device (BYOD) movement as a cost-effective methodology to preserve or reduce information technology (IT) operating expenses. In the quest to reduce these operational expenses, one might overlook the need to have a robust BYOD policy. A policy of this order addresses not only the technological issues associated with individual use of a personally owned device but also any procedural and data ownership issues. In essence, a policy document levels the expectations between company and employee.

The prevalence of BYOD is growing exponentially. In 2013, Juniper Research predicted more than one billion BYOD users by 2018, a number expected to equal approximately 35 percent of all consumer mobile devices. It is unlikely that every one of these devices will be used in accordance with the company’s expectations, but small to medium businesses (SMBs) should integrate their technological solutions and policies and ensure that they are commensurate with their available resources, thus making their BYOD policy a foundational item by coupling it with existing information security policies and other regulatory requirements.

Everyone has policies?


A recent study by Help Net Security indicates, “the majority of C-suite executives (92%) and just over half of small business owners (SBOs) (58%) have at least some employees using a flexible/off site working model. Yet, only 31% of C-suite executives and 32% of SBOs said they have an information security policy for both off-site work environments and flexible working areas in place.”

Dell UK Security is spot-on, as detailed in the above video: the use of BYOD is a mainstay. Rare will be the company that does not want their workers to use their own devices.

There is a great deal of work to be accomplished by many companies, who are allowing convenience to trump their security.

Policies Are Married to Technology

In creating the BYOD policy, no assumption should be made by IT professionals or systems administrators regarding the technical acumen of their colleagues who are participating in a company’s offering. The aforementioned Juniper survey noted that 80 percent of smart phones would remain unprotected throughout 2013. In the face of so sobering a data point, midsize businesses must implement a technical engagement protocol. The goal is to provide the best possible solution to protect company data today via a secure technological implementation and a road map to a better solution.

Technological solutions cannot stand alone; they must be coupled with appropriate BYOD policies, policies that protect the company’s intellectual property, trade secrets and customer data. At the same time, the policies should not be overly restrictive of how employees may use their device nor overly broad with granting the company access to the employee’s personal data. It may appear to be paradoxical, but an excessively strict policy implementation could in fact put the company at risk of accusation of unfair labor practices, according to a recent piece in CIO; not only that, but many employees faced with highly restrictive policies will seek unsafe workarounds. This is clearly not the purpose of a  policy, which is to improve BYOD risk management, not add to the risk.

BYOD Implementation

An effective BYOD policy engagement will begin with who owns what on the device, under what circumstances the company may access the employee’s device and how that access may occur. Any specialized applications or capabilities that will be placed on the employee’s device as part of the IT BYOD management suite will be identified. These applications may provide the company with an assurance of security through mandatory encryption or remote destruction capabilities. Regardless, it is incumbent upon the implementation team to tender an explanation of what data on the employee’s device the company’s required applications are accessing and how. Similarly, IT’s obligation to declare to the employee, with specificity, any prohibitions on placing third-party applications that access company data on the device should be spelled out with crystal clarity.

As nice as it would be to open BYOD implementation to any and all devices, it is reasonable for the SMB to restrict BYOD to those devices that their IT department is able to support. The last step is to have the policy presented to the employee, signed by both the employee and the company’s representative and periodically revisited with each individual user on a semiannual basis. This will not only keep the company’s expectations top of mind, but IT leadership will also have a window into any hiccups in the technological or policy implementation; the latter is information that could go a long way toward achieving the principal objective of BYOD: To enable business to be conducted in an efficient and secure manner.


A desired outcome of any BYOD implementation is to conserve operating expenses, and cost of implementation is therefore a consideration. The SANS Institute white paper, “Managing the Implementation of a BYOD Policy,” provides an effective road map for a pilot BYOD project which can be implemented with little to no additional resources.

There are a plethora of mobile device management suites available from a variety of security vendors. Use one.

All the same, those who rush to embrace BYOD in order to save expense but who fail to ensure that implementation is accompanied by appropriate IT policies and infrastructure that pass legal muster may prove themselves to be penny wise and pound foolish.

A prior version of the above piece, authored by Christopher Burgess, originally appeared on IBM’s MidsizeInsider blog.


Ransomware: Attack and Resolution

Companies continue to fall victim to ransomware* on a regular basis. According to an IBM X-Force® Research report, “Ransomware: How consumers and businesses value their data”, 70 percent of companies who have fallen victim to ransomware have paid the ransom. The FBI tells us the typical ransom paid is in the range of $200 to $10,000, with some notable cases of ransoms moving well into the five, six and seven digit ranges. With a 70 percent success rate, one understands why the cyber criminal community is doubling down on ransomware as the malware of choice.

FBI Alert Number I-091516-PSA – What to Report to Law Enforcement

The FBI requests victims reach out to their local FBI office and/or file a complaint with the Internet Crime Complaint Center.

  • Date of Infection
  • Ransomware Variant (identified on the ransom page or by the encrypted file extension)
  • Victim Company Information (industry type, business size, etc.)
  • How the Infection Occurred (link in e-mail, browsing the Internet, etc.)
  • Requested Ransom Amount
  • Actor’s Bitcoin Wallet Address (may be listed on the ransom page)
  • Ransom Amount Paid (if any)
  • Overall Losses Associated with a Ransomware Infection (including the ransom amount)
  • Victim Impact Statement

Don’t Pay a Ransom


IT departments are charged with ensuring that their entity’s infrastructure is accessible by those who use the systems; that data is secure and protected, with access limited to those who have a need to know; and that the information within the system is trustworthy and accurate. Planning for a ransomware attack is a must.

Don’t Pay Ransomware

But what of the companies/entities who decline to pay a ransom; how do they fare?

The ransomware event certainly creates havoc and expense. In some cases, the cost of preparedness and remediation exceeds the cost of the ransom. If you do not have cold-storage (offline) copies of your backups, you may lose your data permanently.

The San Francisco Municipal Transit Agency (SFMTA) recently fell victim to ransomware which impacted over 900 office computers. Once discovered, the SFMTA put into action their crisis management plan, and according to the SFMTA, they turned off the ticket machines (as a precaution), and opened up fare-gates. The SFMTA service was not disrupted, though riders rode for free as the IT team assessed the situation. Once the scope and nature of the event was determined, the SFMTA began restoring the affected devices. The SFMTA did not pay the ransom of $73,000 in bitcoins which was demanded, they had a plan and they executed the plan. (Source: Update on SFMTA Ransomware Attack | SFMTA )

Prepare for ransomware

Put in place a disciplined regime with respect to your data and infrastructure. Both the FBI and IBM links provided are full of useful tips on putting one’s house in order. As the Cisco video above details, ransomware is a criminal enterprise and you and your business must be prepared.

In addition, every entity (and individual) should be familiar with “No More Ransom”, a public-private resource which was initially created by Interpol, Kaspersky and Intel Security, now includes a number of national Cyber Emergency Response Teams and multiple information security companies, and has blossomed into a multi-lingual global resource. Their mission is to disarm the cyber criminals. They provide free software to remove ransomware from devices, servers, etc.


Here are the recommendations from No More Ransom:

  1. Back-up! Back-up! Back-up! Have a recovery system in place so a ransomware infection can’t destroy your personal data forever. It’s best to create two back-up copies: one to be stored in the cloud (remember to use a service that makes an automatic backup of your files) and one to store physically (portable hard drive, thumb drive, extra laptop, etc.). Disconnect these from your computer when you are done. Your back up copies will also come in handy should you accidentally delete a critical file or experience a hard drive failure.
  2. Use robust antivirus software to protect your system from ransomware. Do not switch off the ‘heuristic functions’ as these help the solution to catch samples of ransomware that have not yet been formally detected.
  3. Keep all the software on your computer up to date. When your operating system (OS) or applications release a new version, install it. And if the software offers the option of automatic updating, take it.
  4. Trust no one. Literally. Any account can be compromised and malicious links can be sent from the accounts of friends on social media, colleagues or an online gaming partner. Never open attachments in emails from someone you don’t know. Cybercriminals often distribute fake email messages that look very much like email notifications from an online store, a bank, the police, a court or a tax collection agency, luring recipients into clicking on a malicious link and releasing the malware into their system.
  5. Enable the ‘Show file extensions’ option in the Windows settings on your computer. This will make it much easier to spot potentially malicious files. Stay away from file extensions like ‘.exe’, ‘.vbs’ and ‘.scr’. Scammers can use several extensions to disguise a malicious file as a video, photo, or document (like hot-chics.avi.exe or doc.scr).
  6. If you discover a rogue or unknown process on your machine, disconnect it immediately from the internet or other network connections (such as home Wi-Fi) — this will prevent the infection from spreading.
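As an added example (not code from No More Ransom or from this site) of the check behind recommendation 5, the Python below flags filenames whose real, last extension is executable and marks those whose basename or earlier extension mimics a document or media file as disguised; the extension sets beyond .exe, .vbs and .scr, and the sample filenames, are my own assumptions.

```python
"""Flag filenames that disguise an executable as a document or media file.

Added example for the 'Show file extensions' recommendation above. The
extension sets are an assumption: the three from the recommendation
(.exe, .vbs, .scr) plus other Windows script/executable types.
"""
import re

# Extensions Windows will run directly or as a script (assumed set).
EXECUTABLE_EXTS = {
    "exe", "vbs", "scr", "bat", "cmd", "com", "pif", "js", "jse", "wsf", "ps1",
}

# Extensions (or basenames) typically used as bait in front of the real one.
BENIGN_LOOKING_EXTS = {
    "avi", "mp4", "jpg", "jpeg", "png", "gif",
    "doc", "docx", "pdf", "xls", "xlsx", "txt",
}


def classify_filename(name: str) -> str:
    """Return 'ok', 'executable' or 'disguised_executable' for one filename."""
    # Lowercase and collapse runs of whitespace: padding such as
    # "Invoice.pdf          .exe" is meant to push the real extension out of view.
    cleaned = re.sub(r"\s+", " ", name.strip().lower())
    parts = [p.strip() for p in cleaned.split(".")]
    if len(parts) < 2:
        return "ok"  # no extension at all, Windows will not run it by name
    if parts[-1] not in EXECUTABLE_EXTS:
        return "ok"  # the real (last) extension is not executable
    # The file will run. If anything before the last dot looks like a
    # document or media type (hot-chics.avi.exe, doc.scr), it is a disguise.
    if any(p in BENIGN_LOOKING_EXTS for p in parts[:-1]):
        return "disguised_executable"
    return "executable"


def scan_filenames(names):
    """Return (name, verdict) for every filename that is not 'ok'."""
    return [(n, classify_filename(n)) for n in names
            if classify_filename(n) != "ok"]


# Constructed sample attachment names, including the two from the list above.
SAMPLE_NAMES = [
    "quarterly-report.pdf",
    "hot-chics.avi.exe",
    "doc.scr",
    "Invoice.pdf          .exe",
    "setup.exe",
    "README",
]

if __name__ == "__main__":
    for name, verdict in scan_filenames(SAMPLE_NAMES):
        print(f"{verdict:22s} {name!r}")
```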


Additional Reading:

IBM X-Force® Research report, “Ransomware: How consumers and businesses value their data”

*Ransomware: Ransomware is a type of malware installed on a computer or server that encrypts the files, making them inaccessible until a specified ransom is paid. Ransomware is typically installed when a user clicks on a malicious link, opens a file in an e-mail that installs the malware, or through drive-by downloads (which does not require user-initiation) from a compromised Web site. (Source FBI)

Disclosure:  Christopher Burgess is a paid content contributor to IBM’s Security Intelligence Blog


Ethics in sports? Insider threat in ACC football evidenced

Nothing is sacred, as the hosts of ESPN’s Pardon the Interruption Tony Kornheiser and Michael Wilbon, discuss. Trade secrets and intellectual property (the playbook contents) in collegiate football have value, and apparently some schools within the Atlantic Coast Conference (ACC) were willing recipients of plays purloined from the Wake Forest program by a Wake Forest insider.  

“It’s incomprehensible that a former Wake Forest student-athlete, graduate-assistant, full-time football coach, and current radio analyst for the school, would betray his alma mater. We allowed him to have full access to our players, team functions, film room, and practices. He violated our trust which negatively impacted our entire program.” – Wake Forest Football Coach Dave Clawson

Insider theft from Wake Forest University

Wake Forest announcer Tommy Elrod (now former, as he was terminated shortly after his misdeed was discovered) shared with opposing teams various specialty plays the Wake Forest Demon Deacons football team devised for that particular Saturday encounter. Elrod, apparently miffed that he had been passed over as an assistant coach by his alma mater, conjured up the internal fortitude to break trust and inflict pain (perception is reality) on Wake Forest.

According to the ESPN report, Elrod’s misdeeds would have gone unnoticed save for the fact that a copy of the plays specifically created for the Wake Forest vs. Louisville match was discovered. According to ESPN, “Wake Forest launched an investigation into its football program last month, after a sheet featuring its own plays was discovered inside Papa John’s Cardinal Stadium the day before its Nov. 12 game against Louisville.” Shortly after the investigation was launched, coach Bobby Petrino (Louisville) said in a statement he had “no knowledge of the situation.” Subsequently, according to ESPN, Louisville AD Tom Jurich contradicted his coach and noted that Louisville had received “a few” plays from Wake Forest announcer Tommy Elrod before the game.

Ethics in sports?

Do ethics exist in the ACC? One can perhaps understand the vengeance and revenge motivation of Elrod. That is not to condone the behavior, but it is within the scope of behavior one expects of an individual who has broken trust and is hell-bent on extracting an ounce or two of blood. When caught, they reap the consequences of their illegal action. What boggles the mind is the lack of ethics within the various football programs which received the weekly data dump from Elrod. Apparently not a single one picked up the phone and gave Wake Forest coach Dave Clawson, Athletic Director Ron Wellman or ACC Commissioner John Swofford a call to give them a heads up that something smelly existed in the hen-house.

Any company knows that when a competitor’s information walks through the door there is only one thing to do, call the owner and advise, cooperate as requested with law enforcement and when the dust settles clean out the bad egg from within your own house.  Ethics matter.

Protecting your intellectual property and trade secrets also matters, and all entities, regardless of size or sector, have something of value which an unscrupulous insider can take and share to the detriment of the information’s owner.


ESPN Article: Louisville Cardinals admit to receiving leaked plays prior to game vs. Wake Forest Demon Deacons

Blueridge Now:  Wake fires radio announcer for leaking game plans



Madison Square Garden customer payment cards harvested

On 22 November, Madison Square Garden Company (The Garden) began notifying their customers that a breach of the point of sale (POS) system had occurred, and that it may have affected those customers who purchased goods at merchandise and food concessions at The Garden’s various properties during the period 09 November 2015 – 24 October 2016.

Properties affected

  • Madison Square Garden,
  • The Theater at Madison Square Garden,
  • Radio City Music Hall,
  • Beacon Theatre, and
  • The Chicago Theatre

Data exposed

The data contained in the magnetic stripe on the back of payment cards swiped in person:

  • credit card numbers,
  • card holder names,
  • expiration dates,
  • and internal verification codes


I visited The Garden, what now?

If you visited any of the above venues during the window of criminal exposure and purchased something from one of the concessions (merchandise or food) and paid for it with a payment card (credit or debit), then The Garden recommends the following:  Potentially affected customers are advised to remain vigilant by regularly reviewing their payment card statements for any unauthorized activity. Customers should immediately report any unauthorized charges to their card issuer because payment card rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner. The phone number to call is usually on the back of the payment card. 

The Garden continues in a separate piece, solidifying the sense that you, the consumer, together with your credit/debit card issuer, are on your own, with a multi-page document repeating the data surrounding their year-long breach and then walking you through basic steps of monitoring one’s credit cards, putting freezes on credit reports, etc.

This breach appears to have little effect on the company’s valuation, as the market price of  The Garden stock went up, even though the last newsworthy item was about this very incident. What is missing from The Garden’s statements? How many consumers are affected?

But is this unique to The Garden? No. Consumers will remember and may have been affected by the POS breaches of Target, Home Depot, Wendy’s, Dairy Queen, Neiman Marcus, Eddie Bauer, HIE Hotels, and every entity using Oracle’s Micros POS system. From 2013, through 2014, 2015 and now 2016, POS systems are being compromised at a regular cadence.

I’m a retailer, what now?

Every retailer who has a POS system, be it controlled by their own IT team or via a third-party vendor, should hold those responsible for assuring the security and privacy of the consumer’s information accountable. The POS is where the consumer exchanges their credit/debit card for the retailer’s goods, and the consumer should not have to worry whether the retailer is information security savvy or not, yet in practice they must. If your business doesn’t understand the technology or the systems being discussed, then take a moment and educate yourself, either via the plethora of materials available on POS systems or by engaging any number of reputable security and privacy consultants to do a data flow audit, to ensure the portion of the financial transaction occurring on your premises is secure.



Prevendra - MSU data breach

MSU data breach: Database with 400,000 records accessed

Michigan State University (MSU) has confirmed that on Nov. 13 an unauthorized party gained access to an MSU server containing certain sensitive data which included the personal identifying information of 400,000 individuals. MSU President Lou Anna K. Simon characterized the MSU data breach as a “criminal act in which unauthorized users gained access to our computer and data systems”.

Simon continued, “Only 449 records were confirmed to be accessed within the larger database to which unauthorized individuals gained access. However, as a precaution, we will provide credit monitoring and ID theft services for any member of our community who may have been impacted by this criminal act.”

MSU data breach

According to MSU, the database which was accessed contained the 400,000 records, each containing PII of faculty, staff and students who were employed by MSU between 1970 and Nov. 13, 2016, or were students between 1991 and 2016:

  • Names
  • Social Security Numbers
  • MSU identification numbers
  • Birth Dates

MSU noted that the compromised records did not contain: passwords, financial, academic, contact, gift or health information. Apparently the information technology (IT) and information security (INFOSEC) teams had in place the ability to determine which records were opened during the period of “unauthorized access” and confirmed that 449 of the 400,000 were accessed by the unauthorized party.

Furthermore, unlike many instances where a data breach causes paralysis within the entity, the MSU data breach shows us the presence of an INFOSEC team, having a plan, and executing on that plan.
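What made MSU’s “449 of 400,000” statement possible is a per-record access trail that can be queried after the fact. The following is an added example, not MSU’s code, of how such a trail is used to scope a breach: find the principal/source pair that does not match its documented origin, then enumerate the distinct records that pair read inside the incident window. The JSON-lines format, the service account name `hr-batch`, the addresses and the record ids are all constructed for the example.

```python
"""Scoping a breach from a per-record access audit trail.

Added example; this is not MSU's code and the log lines are constructed.
It assumes the application that fronts the database writes one JSON line
per record operation with the fields used below.
"""
import json
from datetime import datetime, timezone

# Constructed audit lines: a service account that normally reads from
# 10.20.0.5 is suddenly used from an outside address (203.0.113.77).
SAMPLE_AUDIT_LOG = """\
{"ts": "2016-11-13T02:14:07Z", "principal": "hr-batch", "src_ip": "10.20.0.5", "action": "read", "record_id": "A000123"}
{"ts": "2016-11-13T02:14:09Z", "principal": "hr-batch", "src_ip": "10.20.0.5", "action": "read", "record_id": "A000124"}
{"ts": "2016-11-13T03:02:41Z", "principal": "hr-batch", "src_ip": "203.0.113.77", "action": "read", "record_id": "A004711"}
{"ts": "2016-11-13T03:02:42Z", "principal": "hr-batch", "src_ip": "203.0.113.77", "action": "read", "record_id": "A004712"}
{"ts": "2016-11-13T03:02:42Z", "principal": "hr-batch", "src_ip": "203.0.113.77", "action": "read", "record_id": "A004711"}
{"ts": "2016-11-13T03:05:10Z", "principal": "hr-batch", "src_ip": "203.0.113.77", "action": "list", "record_id": null}
{"ts": "2016-11-13T03:09:58Z", "principal": "hr-batch", "src_ip": "203.0.113.77", "action": "read", "record_id": "A009000"}
{"ts": "2016-11-13T09:30:00Z", "principal": "hr-batch", "src_ip": "10.20.0.5", "action": "read", "record_id": "A004711"}
"""

# Documented origin of each service account (constructed for the example).
EXPECTED_SOURCES = {"hr-batch": {"10.20.0.5"}}


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_audit_log(text):
    """Turn JSON lines into event dicts with a real datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = _parse_ts(ev["ts"])
        events.append(ev)
    return events


def unexpected_sources(events, expected):
    """(principal, src_ip) pairs that do not match the documented sources."""
    found = set()
    for ev in events:
        if ev["src_ip"] not in expected.get(ev["principal"], set()):
            found.add((ev["principal"], ev["src_ip"]))
    return sorted(found)


def records_touched(events, principal, src_ips, start, end):
    """Distinct record ids read by principal from src_ips within [start, end)."""
    start_ts, end_ts = _parse_ts(start), _parse_ts(end)
    touched = set()
    for ev in events:
        if ev["principal"] != principal or ev["src_ip"] not in src_ips:
            continue
        if not (start_ts <= ev["ts"] < end_ts):
            continue
        # A listing or a write is not a confirmed read of a record's contents.
        if ev["action"] != "read" or not ev.get("record_id"):
            continue
        touched.add(ev["record_id"])
    return sorted(touched)


def scope_breach(log_text, principal, src_ips, start, end, total_records):
    """Summarise confirmed reads versus records with no evidence of access."""
    events = parse_audit_log(log_text)
    ids = records_touched(events, principal, src_ips, start, end)
    return {
        "confirmed_accessed": len(ids),
        "record_ids": ids,
        "no_evidence_of_access": total_records - len(ids),
    }


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_AUDIT_LOG)
    print("unexpected sources:", unexpected_sources(evs, EXPECTED_SOURCES))
    print(scope_breach(SAMPLE_AUDIT_LOG, "hr-batch", {"203.0.113.77"},
                       "2016-11-13T00:00:00Z", "2016-11-14T00:00:00Z", 400000))
```

Note that the same record read twice from the outside address counts once, a read of that record from the legitimate address later in the day is excluded, and a directory listing with no record id is not treated as a confirmed read. Without a trail at this granularity, the only honest statement is that the whole database was exposed.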

Education as a target

The education sector is and always will be a lucrative target for both unscrupulous entities and nation states. The information desired ranges from the PII targeted and captured in this instance, for current or future use in making an approach to an individual, to the advanced transformative research being conducted at the college or university. The need to lock down the infrastructure across academia remains challenging. According to the 2016 Vormetric Data Threat Report, the number one shortcoming to implementation of cybersecurity infrastructure within the educational sector is the lack of skilled IT/INFOSEC staff.

In 2015, NBC News produced a short piece on the targeting of the online infrastructure of the educational sector. The salient data points within the video remain as true today (2016) as they did when the piece was pulled together.

China - Shanghai

JPMorgan runs afoul of the FCPA: $264 million settlement

This past week we learned that the Foreign Corrupt Practices Act (FCPA) has teeth. JP Morgan Chase (JPMorgan) essentially used the hiring of the children of Chinese leaders as a bribe in exchange for US$100,000,000 in deals in China, a violation of the FCPA. In addition, the bank violated the anti-bribery, books and records, and internal controls provisions of the Securities Exchange Act of 1934. JPMorgan has agreed to pay a US$264 million settlement with the Securities and Exchange Commission over charges that it violated the FCPA and the Securities Exchange Act of 1934.

The Fine

The SEC notes in its announcement of 17 November 2016 that the bank has agreed to pay:

  • more than $130 million to settle SEC charges that it won business from clients and corruptly influenced government officials in the Asia-Pacific region by giving jobs and internships to their relatives and friends in violation of the Foreign Corrupt Practices Act (FCPA)
  • $72 million to the Justice Department
  • $61.9 million to the Federal Reserve Board of Governors
  • $105,507,668 in disgorgement plus $25,083,737 in interest to settle the SEC’s case.


The FCPA Crime

The statement continues, “… investment bankers at JPMorgan’s subsidiary in Asia created a client referral hiring program that bypassed the firm’s normal hiring process and rewarded job candidates referred by client executives and influential government officials with well-paying, career-building JPMorgan employment. During a seven-year period, JPMorgan hired approximately 100 interns and full-time employees at the request of foreign government officials, enabling the firm to win or retain business resulting in more than $100 million in revenues to JPMorgan.”

The 17 November New York Times reports, “JPMorgan … formalized the hiring into what it called the Sons and Daughters program. The bank even went so far as to create spreadsheets that tracked its hires to specific clients — and the bank’s ability to convert these hires into business deals.”

Interestingly, a former JPMorgan executive who apparently spearheaded the Sons and Daughters program, banker Fang Fang, was arrested in 2014 in Hong Kong by the territory’s anti-corruption agency. The arrest may have been a direct result of this multiyear SEC/DOJ investigation into JPMorgan’s violation of the FCPA. It is believed that one of Fang’s emails contained the necessary confirmation that a violation of the FCPA had occurred which directly related to the capture of business. The New York Times provides a Fang quote, “You all know I have always been a big believer of the Sons and Daughters program — it almost has a linear relationship.”

CNBC on Fang Fang’s 2014 arrest

Separately, the Department of Justice announced that the JPMorgan Hong Kong subsidiary has agreed to pay a fine of US$72 million. The DOJ announcement stated, “JPMorgan Securities (Asia Pacific) Limited (JPMorgan APAC), a Hong Kong-based subsidiary of multinational bank JPMorgan Chase & Co. (JPMC), agreed to pay a $72 million penalty for its role in a scheme to corruptly gain advantages in winning banking deals by awarding prestigious jobs to relatives and friends of Chinese government officials.”


The takeaway for US businesses

The business customs and practices in a given country may not be in accordance with the laws and regulations which encumber US businesses in the United States. The FCPA exists to prevent US businesses from engaging in corrupt business practice when engaged in international commerce, and to send a clear message that bribery is an unacceptable practice, regardless of its acceptability in a given country or culture.

Prevendra -SEC List of FCPA 2016 settlements

Click to read: 23 FCPA 2016 Settlements

In 2016 the SEC has reached settlement in 23 separate cases of FCPA violation (including the JPMorgan violation). The SEC’s description of these settlements includes: Brazilian aircraft manufacturer Embraer, which agreed to pay $205 million to settle charges that it violated the FCPA to win business in the Dominican Republic, Saudi Arabia, Mozambique, and India; U.K. biopharmaceutical AstraZeneca, which agreed to pay more than $5 million to settle FCPA violations resulting from improper payments made by subsidiaries in China and Russia to foreign officials; and, in a very similar case, US Qualcomm, which agreed to pay $7.5 million to settle charges that it violated the FCPA when it hired relatives of Chinese officials deciding whether to select the company’s products.

What is clear: having internal controls, discovering violations of the FCPA and self-reporting is what the SEC expects, and, as a review of the 2016 settlements demonstrates, the settlement addresses the ill-gotten gains and normally does not include a criminal aspect.

Bottom line

All businesses which are engaged in or contemplating international business should arrange for their executives and business development staff to be well schooled in the nuances of the FCPA before they embark on business abroad.

Updated 11/21/2016 12:50 for DOJ fine of JPMorgan Hong Kong subsidiary

Prevendra Privacy

Data Breaches again at Horizon Blue Cross Blue Shield New Jersey (Horizon BCBSNJ)

It seems health insurer Horizon Blue Cross Blue Shield New Jersey (Horizon BCBSNJ) can’t catch a break. During the course of 2015 (1100) and 2016 (170,000), they have had two more incidents which compromised or placed at risk the protected health information or the personal identifying information of their insured. In December 2013, we commented on how Horizon had suffered two separate data breaches in the course of five years (2013 and 2008), with the 2013 breach ending up affecting 839,711 individuals.

Privacy breach incident in 2016

In late-October/early-November, Horizon BCBSNJ informed approximately 170,000 of their insured that they may have received the “explanation of benefits” (EOB) for someone else within the Horizon BCBSNJ system, and that their own EOB may have also been mishandled. Reportedly, a vendor of Horizon BCBSNJ made a clerical or program error which caused a mix up that sent the individual EOB statements on their errant way to the wrong Horizon BCBSNJ members. A statement attributed to the insurer is quoted as saying, “names, policy numbers and the physician information of other policy holders … and … no social security numbers, financial information, addresses or dates of birth were included on the statements, (the letters) may include member name, member ID number, claim number, date of service, limited description of services, service codes or provider/facility name.”

For those familiar with reading EOBs, the description of service and service codes can be cross referenced to determine what ailment you were being treated for by the medical professional. Back in the day of ICD-9, the codes were very broad, but now that ICD-10 is in use, the descriptions and codes are much more granular. While this compromise, caused by a vendor error, may in the end not cause incidents of identity theft or fraud, what it did do is put very sensitive and personal PHI and PII in the hands of one’s neighbors (given all recipients were within the same geographic area served by Horizon BCBSNJ).

Imagine showing up at a PTA meeting and introducing yourself, only to have an individual approach you afterwards and identify themselves as having received your EOB and then making an inquiry about your health, with the specificity provided within the EOB.


Fraud incident in 2015

In a poorly formatted and densely worded statement, Horizon BCBSNJ said: “On July 30, 2015, we learned that some of our members’ personal information may have been accessed due to fraudulent activity. Horizon BCBSNJ’s Special Investigations Unit discovered that several perpetrators falsely established themselves as doctors or other healthcare professionals and obtained Horizon BCBSNJ member identification numbers, and potentially other personal information, through methods typically only available to legitimate doctors and healthcare professionals.” The perpetrators went on to make false claims against Horizon BCBSNJ for goods and services purportedly provided to members of Horizon BCBSNJ’s insured population. This fraudulent activity reportedly affected approximately 1100 of Horizon BCBSNJ’s insured.

The compromised Horizon BCBSNJ data included the following data points:

  • name
  • date of birth
  • gender
  • member ID number
  • mailing address.

They close out their statement with the admonishment that the insured are a line of defense in protecting Horizon BCBSNJ against fraud: “As always, you should review your Explanation of Benefits (EOB) statements and medical bills, and report any suspicious activity to Horizon BCBSNJ.”

While Horizon BCBSNJ has had a non-stop string of privacy and information security incidents, they are not alone. All in the healthcare industry must lean in and ensure they have in place processes and procedures which adhere to the HIPAA physical and technical safeguards.

“HIPAA – Physical and Technical Safeguards”

Following is a direct extract from the Department of Health and Human Services HIPAA guidance:

  • Physical Safeguards
    Facility Access and Control. A covered entity must limit physical access to its facilities while ensuring that authorized access is allowed.
    Workstation and Device Security. A covered entity must implement policies and procedures to specify proper use of and access to workstations and electronic media. A covered entity also must have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information (e-PHI).
  • Technical Safeguards
    Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
    Audit Controls. A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
    Integrity Controls. A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
    Transmission Security. A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.

Prevendra - Putin's gambit fails

Kremlin’s Clinton Gambit Fails With Trump’s Election

A little over a month ago I wrote of the Russian gambit to influence the US national elections by seemingly backing the Republican party candidate Donald J. Trump in hopes that the US electorate would swing en masse to back Democratic party candidate Hillary R. Clinton. In my piece, US Presidential Election 2016: The Kremlin Prefers??? I made the argument that the Kremlin’s book on Clinton far exceeded the quality of the information on Trump, and how they very much looked forward to another four years of being able to act with a great deal of prescience, given the treasure trove of materials in their possession. Like any chess match, sometimes the gambit ensnares the opponent and sometimes the opponent doesn’t rise to the bait and the gambit fails. Putin’s gambit, his big gamble, failed.

“Mr Putin said he hopes to work together to lift Russian-US relations out of the current crisis, resolve issues on the international agenda, look for effective responses to global security challenges. The President said he is confident that Moscow and Washington can establish a constructive dialogue based on the principles of equality, mutual respect, and genuine consideration for each other’s positions. This would be in the interests of both peoples and of the entire international community. Mr Putin wished Mr Trump success in his important work as head of state.” (Office of the President of the Russian Republic, Vladimir Putin)

This outreach was viewed with much speculation and ridicule by the media, the same media that grabbed hold of the Kremlin’s gambit.

With the failure of the Kremlin’s Clinton gambit, the Kremlin’s Foreign Ministry, Intelligence and Security Services are scrambling. For them, as for much of the world, 09 November was an eye-opening “OMG” moment. No doubt new directives and requirements were being created. The Trump transition team, squirreled away in Washington DC, was and is a primary target.

We see Vladimir Putin, President of Russia, among the first to offer his congratulations, reaching out and playing to Trump’s significant ego, buying time.

This was quickly followed, five days later, by a one-on-one Putin-Trump phone conversation, which the Kremlin described as follows: “During the conversation Mr Putin and Mr Trump not only agreed on the absolutely unsatisfactory state of bilateral relations but also expressed support for active joint efforts to normalise relations and pursue constructive cooperation on the broadest possible range of issues. They emphasised the importance of establishing a reliable foundation for bilateral ties by developing the trade and economic component.” The Kremlin went on to say the two agreed to stay in touch and to arrange a face-to-face meeting to be arranged by their staffs (that’s diplomatic speak for: let’s see how this dance goes before we commit).

The New York Times reports how Dmitry Kiselyov, anchor on Russia’s state run television said, “the American government would finally drop what the Russian anchor called its annoying slogans about human rights and democracy.”

Prevendra - Is Trump the Mule from Asimov's Foundation and the Empire?

Is Trump the Mule?

The Kremlin must be channeling Asimov right now, and opening the dog-eared copies to soak up all they can about the “Mule.”

The Mule has been described as, “one of the greatest conquerors the galaxy has ever seen, he is a mentalic who has the ability to reach into the minds of others and “adjust” their emotions, individually or en masse, using this capability to conscript individuals to his cause. Not direct mind-control per se, it is a subtle influence of the subconscious; individuals under the Mule’s influence behave otherwise normally – logic, memories, and personality intact.” (Source: Wikipedia)

Trump is a wildcard. The Trump transition team may have been fully engaged and targeted, but that target just blew up, as the new leader of the team, Vice President-elect Pence, took over the transition, threw out the lobbyists and reshuffled the deck. The RNC, just like the DNC, was warned back in January 2016 that it was being targeted, so it had ample time to harden its infrastructure. Just imagine the shredding of the files going on in the Kremlin as they, like all of us, try to keep up with the Trump transition team’s movements.

Let there be no doubt, there are going to be interesting times ahead. What we can be guaranteed of is that the Kremlin may have lost this chess match, but they are back at the board immediately.

Their choice, Clinton, did not win the general election of the United States. They are now in double-down mode, working overtime to try and replace the treasure trove of materials they had acquired in anticipation of a Clinton transition. Trump’s son-in-law, Jared Kushner, currently occupies the position at the tip of the needle, and thus all who surround him have moved into the targeteers’ sights. A request to provide Kushner with a security clearance has been made, and as an integral part of Trump’s transition team, one should expect it to be granted, albeit in an interim clearance status.

Meanwhile, the Kremlin may wish to start their efforts to understand the United States’ wildcard President-Elect Trump by reviewing the piece they stole back in June 2016 and already have in their possession: the dossier on Donald J. Trump prepared by the Democratic National Committee. You can read it here: Trump DNC Dossier (200+ pages pdf)

Additional reading:

President Putin’s congratulatory telegram to President-elect Trump

President Putin’s version of the telephone conversation with President-elect Trump



Prevendra - Canada - Privacy breaches in Canadian health services

Insider Threat – Canadian privacy breached as PHI/PII goes missing in Manitoba

Patients in Manitoba are receiving notification from their healthcare providers that their personal and sensitive information has been lost or inappropriately accessed. As all who have responsibility for the security of information know, the insider threat is very real. Often we associate the insider threat with the actions of a nefarious individual. As you’ll read below, the breaches involved an employee wanting to update their contact list and a hard-copy file walking out of a locked and access controlled office.

In both instances, the health authorities have an excellent opportunity to heighten the awareness of all employees as to the sensitivity of individual patient records. The security and privacy awareness training should include special admonishment on the requirement to follow the principle of least-privilege access. That is to say, only access that which you must in order to do your assigned duties, and then return the information to its secure, at-rest location. Carelessness and curiosity are two very real insider threats which all entities need to address to ensure the protection of the sensitive and private information of the individual.


Inappropriate Access

In mid-November 2016, the Winnipeg Free Press reported that a former worker of the Manitoba Health, Seniors and Active Living (MHSAL) broke the trust between the MHSAL and their constituency when the individual took a peek into the confidential protected health information (PHI) records of approximately 197 individuals. The reason? The employee wanted to update her address book. The Manitoba Health Minister, Kelvin Goertzen, said Monday his department has wrapped up an internal investigation and the employee has moved on to other opportunities outside of the MHSAL.

Read the full article:  Private data breach ‘not nefarious’; former Health worker wanted to update contacts

A file goes for a walk

Separately, the CBC reports that the Winnipeg Regional Health Authority (WRHA) is dealing with a data breach involving the PHI and personal identifying information (PII) of over 1,000 people, after an administrative file was taken from a “locked” office inside Winnipeg Health Sciences Centre on Oct. 7. Réal Cloutier, the WRHA’s vice-president and chief operating officer, said, “We take our responsibility as a trustee of health information seriously and we expect that we protect that information, and unfortunately in this case we have a situation where information was taken.” (See video below).

Read the full article: File with 1,000 patients’ personal details taken from Winnipeg hospital

Prevendra - blu phone's phone home

Chinese Cyber Espionage: What’s leaving your smartphone?

This week we saw possible evidence of yet another form of Chinese cyber espionage: smartphones calling “home” to China with user data. This is every government’s worst counterintelligence and cyber security nightmare. We are warned repeatedly about the threat of Chinese cyber espionage, especially those in the national security arena. For those in the private sector, having the data from a smartphone surreptitiously sent to servers in China should make every company’s information security team’s skin crawl as they watch their intellectual property fly out the window.

What’s a backdoor?

A backdoor is a means by which user information is provided to a third party, without the user’s knowledge, via device, software or other technical capabilities.

Smartphones forwarding user information to China?

Users of Android smartphones from BLU Products may be surprised to learn that security firm Kryptowire uncovered a backdoor in the firmware installed on their phones by their “firmware over the air” service provider. A quick online check shows their phones available via Google, Best Buy, and other retailers.  A deeper review shows that the company which handled the firmware updating, Shanghai ADUPS Technology Co., Ltd, has both ZTE and Huawei smartphones in their client list. Furthermore, ADUPS claims their service counts over 700 million active users.


What was compromised?

In this instance, per Kryptowire, the firmware sent the following to identified servers located in Shanghai, China:

  • Actively transmitted user and device information:
  • The full body of text messages
  • Contact lists
  • Call history with full telephone numbers
  • Unique device identifiers, including the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI)
  • The firmware could target specific users and text messages matching remotely defined keywords
  • The firmware also collected and transmitted information about the use of applications installed on the monitored device
  • Firmware bypassed the Android permission model
  • Executed remote commands with escalated (system) privileges
  • Remotely reprogrammed the devices

The real kicker is that, because the backdoor is located within the firmware, the activity bypasses the anti-virus security protocols of the device, as it is considered safe and white-listed. Users didn’t stand a chance; their only defense was to upgrade the firmware to a “clean” version or junk the phone.
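Because a firmware-resident backdoor sits below anything the device’s own security software can inspect, the one place a defender can still observe it is the network: the data has to leave the handset. The following is an added example, not Kryptowire’s, Adups’s or BLU’s code, of the kind of egress review a corporate Wi-Fi or MDM team can run over per-connection flow records. It groups uploads by (device, destination), ignores destinations on an allowlist of expected update hosts, and flags pairs that both upload a meaningful volume and connect at regular intervals, which is the shape that scheduled collection tends to have. The CSV layout, the device names, the hosts `update-cdn.example` and `collector.example`, and the byte counts are all constructed for the example; the page gives no real indicators, and none are implied here.

```python
"""Spotting firmware-level data exfiltration from the network side.

Added example; not Kryptowire's, Adups's or BLU's code. It assumes the
organisation exports per-connection flow records from its Wi-Fi gateway
in the constructed CSV layout below (timestamp, device, destination host,
port, bytes sent).
"""
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed flow records. phone-17 talks to an unlisted host exactly once
# an hour with ~128 KB each time; phone-03 makes a single small connection.
SAMPLE_FLOWS = """\
ts,device,dst_host,dst_port,bytes_out
2016-11-15T00:00:05Z,phone-17,update-cdn.example,443,1820
2016-11-15T00:10:00Z,phone-17,collector.example,443,131072
2016-11-15T00:20:12Z,phone-03,update-cdn.example,443,2048
2016-11-15T01:10:00Z,phone-17,collector.example,443,129536
2016-11-15T01:45:30Z,phone-17,photos.example,443,5242880
2016-11-15T02:10:00Z,phone-17,collector.example,443,132096
2016-11-15T02:30:00Z,phone-03,collector.example,443,4096
"""

# Destinations the fleet is expected to upload to (constructed allowlist).
EXPECTED_HOSTS = {"update-cdn.example"}


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_flows(text):
    """Parse the CSV export into dicts, sorted by timestamp."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": _parse_ts(row["ts"]),
            "device": row["device"],
            "dst_host": row["dst_host"],
            "dst_port": int(row["dst_port"]),
            "bytes_out": int(row["bytes_out"]),
        })
    rows.sort(key=lambda r: r["ts"])
    return rows


def periodicity(timestamps, max_cv=0.2):
    """Return (is_periodic, mean_interval_seconds).

    Regular check-ins have gaps with a low coefficient of variation
    (standard deviation / mean). Fewer than three connections gives only
    one gap, which is not enough to call a rhythm.
    """
    if len(timestamps) < 3:
        return False, None
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return False, mean
    return statistics.pstdev(gaps) / mean <= max_cv, mean


def analyze_egress(flows, expected_hosts, min_bytes=65536):
    """One finding per (device, unlisted destination); 'flag' marks the
    pairs that are both periodic and above the upload-volume threshold."""
    groups = defaultdict(list)
    for f in flows:
        if f["dst_host"] in expected_hosts:
            continue
        groups[(f["device"], f["dst_host"])].append(f)
    findings = []
    for (device, host), conns in sorted(groups.items()):
        total = sum(c["bytes_out"] for c in conns)
        periodic, mean_gap = periodicity([c["ts"] for c in conns])
        findings.append({
            "device": device,
            "dst_host": host,
            "connections": len(conns),
            "bytes_out": total,
            "periodic": periodic,
            "mean_interval_s": mean_gap,
            "flag": periodic and total >= min_bytes,
        })
    return findings


if __name__ == "__main__":
    for finding in analyze_egress(parse_flows(SAMPLE_FLOWS), EXPECTED_HOSTS):
        print(finding)
```

On the sample, only the hourly phone-17 to `collector.example` pair is flagged; the single 5 MB upload to `photos.example` is not, because one large transfer looks like a photo backup, not a schedule. The thresholds (`max_cv`, `min_bytes`) are starting points to tune against a baseline of the fleet’s normal traffic, and a device that is flagged here still needs firmware-level confirmation, which is exactly what the post says most users cannot do themselves.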

What does Adups Technologies have to say about their firmware?

Adups Technology has issued a statement, explaining, without explicitly using the words, “China cyber espionage,” that this version of firmware was designed for use in the local, China only market, and was mistakenly placed on smart devices in other markets. The statement continues that the data collected was deleted and the firmware updated on all devices to have this feature removed. In other words, a private company, providing services to their client company made a mistake.

Something to keep in mind should you be traveling to China or Hong Kong and wish to use a burner phone for your local telephone calls: this capability is likely to exist on any device you may purchase in China, and therefore your device may be easily compromised in a difficult to detect manner.


What should you do?

You have two options.

Carry-on: If you are using a BLU phone and take Adups Technology at their word, make sure your firmware has indeed been updated. The Adups Technology link above provides an email address for contacting the company, who no doubt can identify which firmware version does not send your data to China.

Junk the device:  If you are using a BLU phone, and don’t believe Adups Technology, short of taking your devices to a lab for confirmation (not something many would have the ability to do) there is little you as an individual user can do to confirm the backdoor in their provided firmware isn’t still there.  Therefore, you may wish to junk the BLU phone or the phone from any other manufacturer which uses the Adups Technology services to update the smart devices.

Additional reading:

Chinese company installed secret backdoor on hundreds of thousands of phones (ARS Technica, 15 November 2016)

Firmware Secretly Sent Text, Call Data On Android Users To China (Dark Reading, 15 November 2016)

Prevendra - China Agro Espionage

Agro Espionage – China’s corn espionage lead, MO Hailong, sentenced to prison

One chapter of the saga of China’s agro espionage targeting US research and development of corn has come to a close with the sentencing of Mo Hailong, a/k/a Robert Mo, 46, a Chinese national. According to the Department of Justice, Mo was sentenced to 36 months in prison for conspiracy to steal trade secrets. His prison time will be followed by three years of supervised release. A fine, restitution if you will, has not yet been determined. In addition to the prison term and the to-be-determined fine, Mo was forced to forfeit the two farms he had purchased, one in Iowa and another in Illinois. Mo emigrated to the US for educational purposes and then stayed, converting his status to that of a lawful permanent resident of the US.

Let there be no doubt, this was and is nation state agro espionage. Mo Hailong was employed as the Director of International Business of the Beijing Dabeinong Technology Group Company, commonly referred to as DBN. DBN is a Chinese conglomerate with a corn seed subsidiary company, Kings Nower Seed. During the multiple years of his operation, Mo worked from his Boca Raton home and traveled throughout the heartland purloining contract and proprietary seed corn on behalf of China. His use of alias documentation, allowing him to pose as a Chinese executive so as to be included in agricultural meetings in Iowa during a Chinese presidential visit, speaks to the presence of PRC national intelligence capabilities.

“According to the plea agreement entered on January 27, Mo Hailong admitted to participating in a long-term conspiracy to steal trade secrets from DuPont Pioneer and Monsanto. Mo Hailong participated in the theft of inbred corn seeds from fields in the Southern District of Iowa and elsewhere for the purpose of transporting the seeds to DBN in China. The stolen inbred, or parent, seeds were the valuable trade secrets of DuPont Pioneer and Monsanto.”

“The theft of agricultural trade secrets, and other intellectual property, poses a grave threat to our national economic security.” (U.S. Attorney Kevin E. VanderSchel)

Agro Espionage Questions Remain

  • What is the role of the US persons who assisted with the real estate and logistics.
  • Who are the insiders in Pioneer and Monsanto who are providing the identities of the test fields to Mo and the Kings Nower Seed crew.
  • What part, if any, did Pioneer and Monsanto’s foot print in China make them a target for espionage in the United States.
  • What role did Pioneer or Monsanto’s Chinese employees in China or the US play?
  • Who are the insiders within Pioneer or Monsanto who provided the geocoordinates of the unmarked contract grow fields
  • Was either/both Pioneer or Monsanto targeted by the Chinese offensive cyber capabilities?
  • Have Pioneer, Monsanto and every other research and development entity tightened up their cyber security?
  • How did this affect the seed dealers who violated their sales contract with Pioneer/Monsanto by selling proprietary seed to Mo?

[/x_columnize][cs_text][x_gap size=”2.313em”][x_feature_headline type=”center” level=”h3″ looks_like=”h3″ icon=”500px”]The co-conspirators, where are they?[/x_feature_headline]

Wang Hongwei –  A dual Chinese/Canadian citizen – On 28 September 2012, Wang HONGWEI entered the US via land-border between the US/Canada in Vermont. Drove to Burlington and then flew to Chicago, obtained a rental car and traveled to the farm in Monee, IL.  On 30 September 2013, gave FBI Surveillance in Burlington, Vermont the slip using aggressive counter-surveillance driving methods. At the US/Canada border crossing he was identified and subjected to a USCBP border inspection. He lied to officers and then recanted when evidence was shown that his story of visiting Burlington was compromised by his United Airline ticket in his possession. 44 bags of corn were found hidden in his luggage and in the vehicle. each of the bags was identical as those which were earlier confiscated at O’hare Airport. In addition, he had a notebook with GPS coordinates of farm plots and pictures of Monsanto and Pioneer fields and facilities. He claimed to have purchased the corn from Mo Hailong.[/cs_text][cs_text]WANG Lei – Vice Chairman of Kings Nower Seed – accompanied MO on his visit to the fields in Iowa, and was part of the VP of China delegation in Des Moines 15/16 February 2012
[/cs_text][cs_text][x_gap size=”1.313em”]

LIN Yong – PRC National and employee of Kings Nower Seed (per visa application) – involved over the course of the summer of 2012 in the collection of seed from farms located in the Northern Indiana, Illinois, Iowa farmland – in a conversation which the FBI surveillance obtained (pages 13-15 of the complaint) it is clear YE and LIN are knowledgeable as to the illegality of their efforts.

[/cs_text][cs_text][x_gap size=”1.313em”]
YE Jian – PRC National and employee of Kings Nower Seed (per visa application) – involved over the course of the summer of 2012 in the collection of seed from farms located in the Northern Indiana, Illinois, Iowa farmland – In a conversation which the FBI surveillance obtained (pages 13-15 of the complaint) it is clear YE and LIN are knowledgeable as to the illegality of their efforts.[/cs_text][cs_text]Prevendra - FBI - Jian YE

Prevendra - Lei Wang

Prevendra - FBI - Hongwei WANG

-FBI - Yong LIN








[x_gap size=”5.313em”][x_feature_headline type=”left” level=”h2″ looks_like=”h2″ icon=”500px”]The takeaway[/x_feature_headline]
The takeaway for all companies – have a security plan, educate your employees and contractors. Operate from a position of trust, have in place the capabilities to verify the trust if suspicion arises. Conduct strategic competitive analysis so you may be aware of what areas of research your competition is engaged?  Reward employees for reporting anomalies. When implementing protections, explain to your employees, contractors and vendors the why behind your intellectual property protection regimes, and never allow convenience to trump security.[/cs_text][/cs_column][/cs_row][/cs_section][/cs_content]

Prevendra - China Agro Espionage

Agro Espionage – Rice to China – Wengui Yan’s guilty plea

Prevendra - Wengui Yan guilty plea

Click to view Plea Agreement

On 24 October 2016, Wengui Yan, an Arkansas resident, an employee of the USDA Dale Bumpers National Rice Research Center since 1996 and a naturalized US citizen originally from the PRC, negotiated a plea bargain with the Kansas US Attorney in his agro espionage case. Yan and his co-defendant, Weiqiang Zhang, a PRC citizen, facilitated the theft of proprietary rice seed from the United States on behalf of the PRC. The plea bargain saw all espionage counts against Yan dropped in exchange for his guilty plea to making a false statement to the US Government concerning the theft. Yan will serve a maximum of 20 months in prison and be fined $100. The case against Yan’s co-defendant Zhang continues to move forward (interestingly, Zhang dismissed his court-appointed attorney on 28 October).

Espionage in the Heartland: Rice to China

We discussed this case of agro espionage, in which an insider made economic espionage against a US entity possible, the US Department of Agriculture and its private sector partner Ventria Bioscience (Ventria), in our piece Espionage in the Heartland: Rice to China. We outlined how approximately $75 million worth of Ventria research and development went out the door with the successful theft by visiting Chinese scientists from the Crop Research Institute in China, part of the Chinese Academy of Agricultural Science, which also has State Key Laboratory affiliation. The visiting scientists were assisted by both Yan and Zhang. Whether the USDA or Ventria is happy to know that Yan pleaded guilty and received a modest penalty for his criminal activity is unknown. From this seat, the sentence and fine levied upon Yan are light and will hardly deter others. It is therefore safe to assume the lenient sentence was designed to garner the cooperation of Yan, the US citizen, in securing the conviction of Zhang or forcing his acceptance of a plea deal. Perhaps Zhang read his tea leaves, and this is why he is awaiting new counsel.

China’s Agro Espionage

What is known is that the United States agricultural sector sits in the bullseye of the global agro espionage milieu. The PRC government is laser-focused on increasing and sustaining its agricultural sector as its cities and population continue to grow. China always plays the long game, eschewing quarterly forecasts and the like. Its entities, supported by PRC government resources, will work assiduously to bypass the trials and tribulations of complex research and simply steal their way to productivity and profitability. This puts companies like Ventria, which may never have had to think about putting together an insider threat program, squarely in the crosshairs. The reality is that they need an insider threat program in place, or they will find themselves competing against their own creations in a marketplace where price and access are such important differentiators.

With respect to China’s long-term view of the agriculture sector, one need only read what China is saying and how it backs those words with action. The IP Commission Report of May 2013, on the theft of intellectual property from the United States, values the theft of US intellectual property at “hundreds of billions of dollars per year. The annual losses are likely to be comparable to the current annual level of U.S. exports to Asia—over $300 billion.”

In January 2016, the Chinese Ministry of Agriculture announced that for the 13th consecutive year, “Agriculture, rural community and farmer related issues are once again the topic of China’s ‘No. 1 Central Document’.” The goal is “marked progress” in agriculture by 2020, to ensure society becomes moderately prosperous. We can read this directly: for the past 13 years agricultural advancement has been, and continues to be, paramount. The cases of Yan and Zhang demonstrate the manner in which China is willing to acquire R&D to achieve its national goals.


What’s next?

The final acts germane to this case of agro espionage are:

  • The conviction of Zhang.
  • Investment by the US agricultural sector in security infrastructure and awareness, given the reality that it is firmly in the Chinese bullseye. The Chinese are both willing and able to use agro espionage as a tool to obtain expensive R&D in the most economical manner possible: steal it.
IP Theft - Counterfeit Goods - Prevendra

IP Theft: Crowdfunding sites harvested by Chinese counterfeiters

It should surprise no one to learn that the Chinese factories engaged in the production of counterfeit goods produce goods which are identical to, or indistinguishable from, the originals. These factories are engaged in intellectual property theft (IP theft), building their products either by reverse engineering a product and then creating the counterfeit version, or by stealing the design plans outright. Now a seemingly new wrinkle in the acquisition of product specifications has evolved.

But is it really new? Chinese counterfeiters have been harvesting ideas from crowdfunding sites for quite some time, and warnings aplenty have been given to entrepreneurs and inventors to protect their intellectual property from IP theft. For example, in January 2013 The Guardian reported on how “Using crowdfunding sites could destroy your nascent business idea.” So let’s back up a bit before we go forward, and share some cases of IP theft from crowdfunding sites that date back more than half a decade.

What is crowdfunding?

To take a paragraph from The Guardian,

Crowdfunding sites such as KickStarter, have grown in popularity. The concept is simple – you have an idea, formulate the logistics of the plan, and then upload the idea to a crowdfunding website, where millions of potential investors can scrutinise it, and if they like it, pledge to invest in the project. If the project raises the target capital, the funds are automatically transferred, and the idea becomes a reality. If the target is not met, no money is transferred, so no investors lose out. Essentially it’s Dragon’s Den (UK TV’s equivalent to Shark Tank) for the internet generation, leveraging the almost perfect liquidity of the online marketplace.


Do I really need to protect my idea from IP theft?

The Guardian goes on to provide some excellent advice to individuals or startups creating hardware: protect your intellectual property from IP theft by using the tools available to you before taking your idea public. Patent it! Remember, patents are granted to novel inventions, and trade secret protection attaches only to concepts which have not been publicly disclosed. Absent a patent, litigating against another’s similar or identical product after having presented your idea on a publicly available crowdfunding site may be an uphill battle (consult your legal counsel on this topic).

Protect Your Idea: Always take steps to protect your creative idea prior to sharing it in a public manner. Use of non-disclosure agreements prior to private sharing goes a long way toward demonstrating that appropriate steps have been taken to protect your trade secret. IP theft is real. Use the tools available to you to protect your intellectual property, including filing for a patent prior to seeking crowdfunding.

What if your idea infringes on the intellectual property of another? There is a difference between infringement and IP theft. The example from The Guardian discusses Formlabs, a team of PhD students who managed to raise just under $3m (£2m) to commercialise an accessible 3D printer. The virtual high fives soon turned sour as an established company, 3D Systems, sued them for patent infringement. The suit was ultimately thrown out, but not before a significant amount of legal entanglement. This is not to say don’t pursue the idea and the dream, but be aware of the need to defend your creativity in the courts. (NOTE: This case is included in the Netflix documentary, Print the Legend.)

Then there is that which is at the root of this posting: stealing the idea and taking it to market. As discussed in the co-authored book Secrets Stolen, Fortunes Lost: Preventing Intellectual Property Theft and Economic Espionage in the 21st Century, counterfeit goods accounted for more than $250 billion per annum, a figure which has since risen to more than $450 billion (using 2013 figures). My co-author and I specifically call out the motivation of those who harvest ideas.

The Greed Factor: “In most instances, the motive to pirate or counterfeit is simple: ‘economic greed’—to manufacture and sell goods without the overhead and costs incurred by the rightful owner of the IP. Thus, they are able to bring a product to market that is manufactured, marketed, and sold at a fraction of the cost borne by the original manufacturer. Innumerable examples exist; we offer a selection, across many industrial sectors. Additionally, given the infrastructure necessary, it is not surprising the most robust enterprises have ties to organized criminal networks.”

The Guardian shares the 2010 story of Scott Wilson, who was congratulated for successfully raising $942,578 on Kickstarter to launch the TikTok Lunatik watch kit, a sleek new aluminium watch strap which converted an iPod Nano into a touchscreen watch. The design and trade mark had not been protected. It proved immensely popular, and copycat imitations began to spring up around the web; the market is now flooded with fake Lunatik watches. In 2016, Lunatik’s innovation continues to be targeted by counterfeiters knocking off its products, most recently the Lunatik Taktik Extreme cell phone cases.

A dive into the archives of IP theft shows that Lunatik was not the last entity to lose its idea off Kickstarter. Take the case of the Pressy Button. In August 2013 it raised seven times its goal from more than 28 thousand contributors. By October 2013 its creators were competing against themselves, as the Pressy Button was being counterfeited and marketed by a Chinese entity. Read the January 2014 TechNode piece, Crowdfunding sites makes copied-in-China even easier: All is needed is a Photoshopped image, which details in depth the means by which the Pressy Button became a victim of IP theft.

Then in 2015 a Canadian inventor had their tale of woe detailed in WifiHifi, Crowd Funding Cloning: their newfangled Anton strainer bowl, which they had placed on Kickstarter, was purloined by a Chinese counterfeiter and then showed up on Alibaba’s Taobao shopping site.


Which brings us to the 2016 case of Yekutiel Sherman, an Israeli entrepreneur who designed and created a smartphone case which unfolds into a selfie stick. Clever indeed. As detailed in multiple media outlets (see the links below), Shenzhen, China counterfeit manufacturers lifted his idea directly out of Kickstarter (as they did to Lunatik in 2010) and not only beat Sherman to market, they undersold him by a factor of five. The counterfeiters had no R&D costs to recoup, so their pricing was cost of production plus margin. It remains to be seen whether Sherman has the ability to dive into Shenzhen’s Huaqiangbei (HQB) electronics market and have the Chinese intellectual property authorities pull the knock-off from the shelves of the HQB wholesalers.


Sadly, until retail outlets like Alibaba work with manufacturers to keep counterfeit goods out of their portals, we will see this continue. Indeed, the Chairman of Alibaba Group, Jack Ma, was quoted in the Wall Street Journal as saying fakes are of “better quality and better price than the real names.” Ma is clearly signalling that he isn’t going to upset his rice bowl to protect manufacturers’ intellectual property from IP theft.

As noted in Secrets Stolen, this vector is on a near-vertical growth path, and until governments and industries unite in both reactive and proactive steps, the criminal elements will always have the upper hand and the loss of intellectual property will continue. In sum, the case of Sherman is catching the attention of the media, but the sad truth is that this has been a reality for quite some time. Companies large and small must protect their infrastructure, control what they share in public, and preserve their competitive advantage and revenue through the implementation of security programs.

 Additional Reading 

China’s factories in Shenzhen can copy products at breakneck speed—and it’s time for the rest of the world to get over it  (October 2016)

Chinese Companies Are Stealing Kickstarter Product Ideas and Launching Them Faster and Cheaper (October 2016)

Using crowdfunding sites could destroy your nascent business idea. (2013)

Jack Ma says: Fakes better quality and better price than the real names (June 2015)

Buy Secrets Stolen, Fortunes Lost 

Secrets Stolen, Fortunes Lost


Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century (Syngress 2008 –  by Christopher Burgess and Richard Power)


Prevendra - Reliability

Reliability disrupted when your data isn’t stolen, it’s changed

Competitors and nation states have long known that disrupting the competition is often all that is necessary to gain a competitive advantage. It is for this reason that information security (infosec) practitioners have long understood the importance of the three status indicators of the network infrastructure and the data and services within it: Reliability, Availability and Serviceability (RAS).

We see “availability” challenged on a regular basis, with the plethora of distributed denial of service (DDoS) attacks conducted against companies, services and individuals. The adversary peppers the targeted entity with massive numbers of queries (see How Will the Internet of Things Be Leveraged to Ruin Your Company’s Day? Understanding IoT Security), overloading the servers and effectively blocking legitimate queries.

Then we have “serviceability”: if part of the infrastructure fails, does the architecture include a hot backup for automatic failover, or is your company off the air? Many of us overlook the fact that manufacturers publish an important data point for mechanical devices, MTBF (mean time between failures). MTBF should be a consideration in all infrastructure, as equipment does fail, and not on a predictable schedule. This happened to me when my computer failed; see Where’s Your Data and Can You Actually Get To It?

And finally we see “reliability”, the trust factor (what most infosec frameworks call integrity). If I can’t trust the data coming from this engagement, how can I trust this relationship? In late 2015, Greensboro, NC television station WFMY ran a piece, New Hacker Plan: Don’t Steal Data, Change It, which I recently re-reviewed. The content of the piece is absolutely on point and accurate. The influx of ransomware is absolutely changing the landscape. In the healthcare arena, if your servers have been compromised, you will be hard pressed to argue that patient data has not been compromised. Indeed, a recent piece, Healthcare Ransomware Increasing, Education Sector Top Target, aptly points out the risk.

It goes one step further. There will be those who, as discussed in the WFMY piece, simply want to get into and out of your infrastructure undetected, so that while inside your protected and secured environment they can adjust and change your data. In doing so they disrupt you, creating mistrust internally and possibly with external-facing customers. Indeed, there have been instances where the intruder went on to launch denial of service attacks against the internal network from inside it.

In sum: security includes addressing and mitigating all threats, not just those which result in your data being stolen. As noted supra, there are many other ways to effectively disrupt the operational cadence of a company.

Video: WFMY, New Hacker Plan: Don’t Steal Data, Change It.
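As an added illustration of the “changed, not stolen” scenario discussed above, here is one way an operator can detect that records were silently altered: a keyed manifest of record hashes. This is example code written for this edit, not code from the original post or from the WFMY piece. The record names, record contents and the integrity key are all constructed for the example; in practice the key lives somewhere the intruder cannot reach (a KMS or HSM), separate from the data store it protects.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample "data store": record name -> serialized record bytes.
# Illustrative records only, not data from any real system.
RECORDS = {
    "patient_0001": b'{"name":"A. Example","allergy":"penicillin","dose_mg":50}',
    "patient_0002": b'{"name":"B. Example","allergy":"none","dose_mg":10}',
    "invoice_2016_10": b'{"customer":"ACME","amount_usd":12500}',
}

# Hypothetical integrity key. It must be held apart from the data store
# (KMS, HSM, offline); here it is generated in-process for the example.
INTEGRITY_KEY = secrets.token_bytes(32)


def digest(blob: bytes) -> str:
    """SHA-256 of one record, hex-encoded."""
    return hashlib.sha256(blob).hexdigest()


def _canonical(entries: dict) -> bytes:
    """Deterministic serialization so the MAC always covers the same bytes."""
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(records: dict, key: bytes) -> dict:
    """Hash every record and bind the full set of hashes with an HMAC-SHA256 tag."""
    entries = {name: digest(blob) for name, blob in records.items()}
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "mac": tag}


def verify(records: dict, manifest: dict, key: bytes) -> dict:
    """Compare the live records against the manifest.

    Returns which records were modified, removed or added. If the manifest's
    own MAC does not check out, nothing in it can be trusted, so the result
    says so instead of reporting per-record differences.
    """
    expected = hmac.new(key, _canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return {"manifest_tampered": True, "modified": [], "missing": [], "added": []}
    known = manifest["entries"]
    modified = sorted(n for n, blob in records.items() if n in known and digest(blob) != known[n])
    missing = sorted(n for n in known if n not in records)
    added = sorted(n for n in records if n not in known)
    return {"manifest_tampered": False, "modified": modified, "missing": missing, "added": added}


if __name__ == "__main__":
    manifest = build_manifest(RECORDS, INTEGRITY_KEY)
    print("clean:", verify(RECORDS, manifest, INTEGRITY_KEY))

    # An intruder quietly changes one dose; nothing is stolen, nothing is missing.
    altered = dict(RECORDS)
    altered["patient_0001"] = b'{"name":"A. Example","allergy":"penicillin","dose_mg":500}'
    print("altered record:", verify(altered, manifest, INTEGRITY_KEY))

    # The intruder also rewrites the stored hash to match, but lacks the key.
    forged = {"entries": dict(manifest["entries"]), "mac": manifest["mac"]}
    forged["entries"]["patient_0001"] = digest(altered["patient_0001"])
    print("forged manifest:", verify(altered, forged, INTEGRITY_KEY))
```

Plain hashes alone would not be enough: an intruder with write access to the data store can usually rewrite the stored hashes too. The HMAC over the whole manifest means that without the key the best they can do is produce a manifest that fails verification, which is itself the alarm.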

Prevendra - Data backup

Where’s Your data and Can You Actually Get To It?

You arrive at work or home. You unload your laptop or go to your desktop and power up the system by pressing the “ON/OFF” button. Lights flicker; nothing happens. If you’re like me your mind races; you sigh and think, “I don’t need this today.” You repeat. You inspect. You scratch your head. This was my situation a few weeks ago. I had been away on a business trip, came home and powered up my desktop. The lights flickered, glowed and then nothing happened. I was stymied. I repeated the sequence; still nothing. I grabbed a screwdriver and dug into the system. It didn’t take long for my inspection to reveal that the motherboard was toast (literally).

My initial reaction was one of relief that it wasn’t the hard drive, and I glowed knowing that I had followed my own advice and had a multi-drive data backup regime. But then I quickly realized that while I had thought through the protection of the data, I couldn’t get to it. I was offline. This was a scenario I had neglected to anticipate: the death of the primary machine, with the data itself intact but unreachable. I needed a new computer and a means to access the data from the now-deceased desktop. I removed the hard drive and secured it, along with the multiple external data-backup drives. I took the remnants of the computer to the local technology recycle center. I began researching the type of computer I was going to purchase, and what my options were to access the data housed on the multiple devices in my possession.

Along with the new computer, I purchased an external-drive chassis that was compatible with the hard drive I had rescued from the defunct desktop. This allowed me to place the drive into the chassis and have the new computer recognize it as an external drive through a USB connection. I was able to transfer the data to the new computer as well as keep it on the old drive. The entire process took me three days to complete, three full days during which I didn’t have access to my data, my email, and my life online.

My lesson learned: I need to establish a methodology to access my data in the event the primary routes have been corrupted or are unavailable. In my case, I acquired a used laptop with basic capabilities to serve as a backup device to access my data in the event my primary device fails. I was fortunate. My event happened on a Friday and by Monday I was back in business. Can you or your business afford to be without your data for three days?

I strongly advocate backing up data both at home and at the office, as you just never know when the media holding your data will receive a coffee bath, run afoul of a magnet or simply go missing. I also recommend having a backup device to access your data in the event your primary device fails. This will spare you from having to ask yourself, “Why can’t I get to my data?”


The above was originally published in the Huffington Post in March 2010, authored by Christopher Burgess.


Prevendra - Insider Theft

Insider Threat Becomes Insider Theft: What’s your plan?

In a prime example of insider threat becoming insider theft, we saw the FBI arrest, and the Department of Justice file a criminal complaint against, Ralph Mandil, an employee of an unidentified distributor of “As Seen on TV” products (which we believe to be Corvex Cookware). Mandil faces two federal charges: theft of trade secrets and wire fraud.


Ralph Mandil – LinkedIn photo

Ralph Mandil’s LinkedIn profile identifies him as the President of Corvex Cookware since May 2011. Corvex’s “As Seen on TV” cookware fits the description found in the criminal complaint. Mandil’s LinkedIn bio can be viewed (here).

The crime

Mandil contacted an individual in early August 2016 (soon thereafter to become a confidential source (CS) of the FBI) and offered to sell his employer’s confidential trade secrets. At the direction and under the supervision of law enforcement, the CS corresponded with Mandil. Mandil offered the CS the login credentials for his employer’s Dropbox account, in which the CS would find confidential market information on future products. This material included sales sheets, product sheets, videos, inventory lists, account lists, etc. In exchange for providing the CS with covert access to the employer’s Dropbox account, Mandil asked to be paid $197,500.

For complete details on how the CS introduced Mandil to the FBI undercover special agent, and the mechanics of the exchange of money for stolen information, please refer to the criminal complaint, which can be downloaded below.


NOTE: The criminal complaint explains that Mandil’s employer’s Dropbox account was accessible by a limited number of employees, who used user ID and password authentication to access it. It is unclear whether the employer had enabled the two-factor authentication which Dropbox offers, though it is possible that this was the case and that Mandil was prepared to offer the CS ten offline backup codes which he had purloined and preserved. Backup codes exist precisely to bypass the second factor when the enrolled device is unavailable, so a copied set of codes turns a two-factor login back into a password-only login for whoever holds them.

According to Mandil’s employer, the proprietary information Mandil was offering to sell to the CS represented between $30 and $125 million in revenue to the employer and its competitors (the market opportunity).

Insider Threat

Insider threat programs are a necessary evil for every company; the larger the entity, the more robust the need. At a minimum, we recommend all companies take a moment and ensure that they know the state of their data. What does that mean? If you cannot answer each of the following questions with confidence, you don’t know the state of your data, and should put it on your to-do list. Once you can, you will be in a far better position to address unauthorized access, and you will be able to explain with precision to your customers how their data is protected within your infrastructure.

  1. Can you trace the flow of your data from its arrival to storage?
  2. Do you know when your data is encrypted and when it is not?
  3. If your data is encrypted, how is the key protected?
  4. Do you know, precisely, who has access to your data?
  5. Are you logging each access to your data, with IP address, device, OS, etc.?
  6. What are the various means of accessing your data?
  7. What credentials are required to access your data? Are the credentials shared?
  8. When employees depart, can you confirm their access to your data has been revoked?
  9. Do you have a process to train your employees on protecting trade secrets and intellectual property?
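An added example of what questions 5 and 7 look like in practice: detection logic run over a few access-log lines. This is code written for this edit, not from the complaint, from Dropbox, or from the original post; the key=value log format, the field names, the user names and the RFC 5737 test addresses are all constructed for the example. It flags the three things a sold credential tends to produce: one account authenticating from two different IP addresses within a short window, first use of a device never before seen for that account, and any successful login made with a one-time backup code, the kind of code Mandil is said to have been holding.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access log in an assumed key=value format. Not from the
# complaint or from any real service; IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2016-08-03T09:12:44Z user=alice ip=203.0.113.7 dev=win10-chrome method=totp result=ok
2016-08-03T09:40:02Z user=alice ip=203.0.113.7 dev=win10-chrome method=totp result=ok
2016-08-03T21:05:19Z user=bob ip=203.0.113.21 dev=macos-safari method=password result=fail
2016-08-03T21:05:41Z user=bob ip=203.0.113.21 dev=macos-safari method=totp result=ok
2016-08-04T02:17:03Z user=alice ip=198.51.100.9 dev=linux-firefox method=backup_code result=ok
2016-08-04T02:22:30Z user=alice ip=203.0.113.7 dev=win10-chrome method=totp result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) dev=(?P<dev>\S+) "
    r"method=(?P<method>\S+) result=(?P<result>\S+)$"
)


def parse_log(text: str) -> list:
    """Parse the assumed log format into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def _successful_by_time(events: list) -> list:
    return sorted((e for e in events if e["result"] == "ok"), key=lambda e: e["ts"])


def find_concurrent_logins(events: list, window_minutes: int = 30) -> list:
    """One account authenticating from two different IPs inside the window.

    A single employee is rarely in two places at once; a credential that has
    been handed to an outsider frequently is.
    """
    by_user = {}
    for e in _successful_by_time(events):
        by_user.setdefault(e["user"], []).append(e)
    window = timedelta(minutes=window_minutes)
    findings = []
    for user, evs in by_user.items():
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b["ts"] - a["ts"] > window:
                    break  # list is time-ordered, nothing later can qualify
                if a["ip"] != b["ip"]:
                    findings.append({
                        "user": user,
                        "ips": sorted({a["ip"], b["ip"]}),
                        "first": a["ts"].isoformat(),
                        "second": b["ts"].isoformat(),
                    })
    return findings


def find_new_devices(events: list) -> list:
    """First successful login from a device not previously seen for that account."""
    seen = {}
    findings = []
    for e in _successful_by_time(events):
        devices = seen.setdefault(e["user"], set())
        if devices and e["dev"] not in devices:
            findings.append((e["user"], e["dev"], e["ts"].isoformat()))
        devices.add(e["dev"])
    return findings


def find_backup_code_logins(events: list) -> list:
    """Every successful login made with a one-time backup code.

    Backup codes bypass the second factor by design, so each use should be
    confirmed with the account owner rather than treated as routine.
    """
    return [
        (e["user"], e["ts"].isoformat(), e["ip"])
        for e in events
        if e["result"] == "ok" and e["method"] == "backup_code"
    ]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("concurrent logins:", find_concurrent_logins(evs))
    print("new devices:", find_new_devices(evs))
    print("backup-code logins:", find_backup_code_logins(evs))
```

None of these checks is conclusive on its own (travel, VPNs and a lost phone all produce the same signals), which is why the value of question 5 lies in recording IP, device and authentication method together: the combination of a backup-code login from a new device followed minutes later by the usual device is what should trigger a conversation with the account owner.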

Additional Reading

Prevendra - US v. Ralph Mandil - Insider Threat becomes Insider Theft

US v. Ralph Mandil (Click to download)

Department of Justice’s Press Release: New Jersey Man Charged With Stealing Employer’s ‘As Seen On TV’ Trade Secrets And Attempting To Sell Them To Competition | USAO-NJ | Department of Justice

Department of Justice’s Criminal Complaint  US v. Ralph Mandil (October 12, 2016)




NOTE: This post was updated on 19 October 2016 to include information identifying Ralph Mandil, his LinkedIn profile, photo and employer.

Prevendra: Prevent data breaches

Data breach – Are you prepared? Most are not.

According to a new survey conducted by the Ponemon Institute on behalf of Experian, companies are complacent and lack confidence when it comes to data breach preparedness, a result I found astounding given that every day we read of yet another company, institute, organization or governmental entity experiencing a data breach. The study, “Is Your Company Ready for a Big Data Breach?” (registration wall), highlights the good and the bad which the surveyed companies declared. Pulling from the Experian press release:

The Bad

  • Among those organizations surveyed that do not practice their plan (26%), a majority (64%) don’t practice because it is not a priority.
  • Only 38% of companies surveyed have a data breach or cyber insurance policy. Of those that do not have such a policy, 40% have no plans to purchase one.
  • Less than half (46%) of survey respondents have integrated response plans into their business continuity plans, and only 12% meet with law enforcement or state regulators in advance of an incident.
  • Only 39% of organizations surveyed practice their plan at least twice a year.

The Good

  • 58% of surveyed organizations (compared with 48% in 2014) have increased their investment in security technologies in the past 12 months in order to be able to detect and respond quickly to a data breach.
  • 61% of surveyed organizations (compared with 44% in 2013) have a privacy/data protection awareness and training program for employees and other stakeholders who have access to sensitive or confidential personal information.
  • Companies understand that they need to take action after a breach occurs to keep customers and maintain their reputation. To do so, those surveyed believe the best approaches are providing free identity theft protection and credit monitoring services (71%), gift cards (45%), and discounts on products or services (40%).

But there’s more

Data breach preparedness is severely hampered when IT teams have little or no visibility. A full 73 percent of respondents lamented that their IT teams lacked visibility into end-user access to sensitive and confidential information (Experian data breach report, figure 13). Really? If the IT team does not have visibility into how end users are accessing the company’s sensitive and confidential data, who does? In these entities, does the leadership ordain that it is every man or woman for themselves? Where is the security architecture that shows the data custodians the state of their data with respect to security and privacy at all times? As we come to the end of 2016, this has long been table stakes for any entity involved in retaining or processing personally identifiable information (PII).

The survey went on to show that the financial services industry was the most egregious, experiencing 19 percent of the breaches within the survey population, with the public sector following.

We can do better

What I found most disturbing, though, was the lack of C-suite support, coupled with the lack of expertise in protecting sensitive and confidential data. Thus the C-suites choose to lead with their chins as they embrace the age-old infosec technique called luck.

Therefore, we are forced to admonish any and all entities: do not collect what you can’t protect. Do not rely on obscurity as a viable defense. Do not assume that because your company is small, the PII in your possession for employees, partners or customers has no value. And finally, do not allow any third party access to your data until you understand how they are accessing it and how they are protecting it. Do be part of the 40 percent of respondents who want to know when a material breach occurs, and if you are the CISO, head of IT or CSO, please do ensure your board is aware of the security threats facing the company.

To do nothing is not an option. If you need help, reach out to the security, privacy and intelligence professional of your choice.


Selling secrets to Russia? It’s a bad idea

The headline read: "Selling Secrets to the Russians? Jason Bourne Fan arrested in spy drama of his own." The implication was that Gregory Allen Justice's motivation was his sick wife, a job at which he felt unappreciated and a fascination with cinematic secret operatives such as Jason Bourne and James Bond. There is more to the story.

When he was arrested for what the Federal Bureau of Investigation described in its criminal complaint as probable cause of economic espionage, violation of the Arms Export Control Act and violation of the International Traffic in Arms Regulations (ITAR), Justice found out just how adroit the FBI, working with the Air Force Office of Special Investigations (AFOSI), can be when working an espionage case.


Justice allegedly broke trust with his employer, a cleared defense contractor (which, according to his father, is Boeing Satellite Systems). He is alleged to have reached out to the Russian Embassy in Washington, DC in late 2015 to volunteer his services.

His first attempt at contact involved sending a letter, followed by a brief phone call to the Russian Naval Attaché at the Russian Embassy (military attachés in embassies are, on occasion, associated with military intelligence). According to the criminal complaint filed in the United States District Court, Central District of California, this letter contained a "technical schematic."

On February 10, 2016, Justice again called the Russian Naval Attaché's office at the Russian Embassy and asked whether there was interest in maintaining contact and obtaining similar material. At that point the FBI did what the FBI does: it stepped in and provided Justice with all the rope he needed to hang himself.


Two days later Justice was contacted by an undercover FBI special agent (S/A) posing as a member of the Russian external intelligence service, the SVR. The S/A picked up the conversation and arranged to meet with Justice. Over the next few months (February to May 2016), Justice met the S/A face-to-face on five occasions. On each of the last four, Justice brought information that was either proprietary or subject to US export regulations, signed a receipt for cash received from the S/A and volunteered to expand his collection efforts in support of what he believed to be the Russian SVR. (NB: It is not revealed whether the Russian intelligence apparatus acted on Justice's attempt to volunteer, or took a pass.)

Justice explained that all of the information he was providing was "ITAR," and went on to compare his collaboration with the S/A to the "spy movies" of Jason Bourne and James Bond and to "The Americans." Justice claimed to need money to fund his wife's medical bills. Readers of the entire criminal complaint will see that while his motivation was financial, the money was to fund his relationship with a woman other than his wife, and narcotics distribution. He delivered the information to the S/A on 16-gigabyte USB thumb drives.


The cleared defense contractor had a robust insider threat program in place. In November 2015 the program detected Justice copying a number of files to an external device, and it later provided the FBI/AFOSI with confirmation of what Justice had purloined prior to each meeting with the S/A.


While Justice did not have access to classified programs, he did have access to the following satellite system programs:

  • Wideband Global Satellite Communication (WGS)
  • Global Positioning System (GPS)
  • Geostationary Operational Environmental Satellites (GOES)
  • Tracking and Data Relay Satellite (TDRS)
  • Milstar Communications Satellite (MILSTAR)
  • Tangential access to additional programs
    • MEXSAT
    • GPS IIF


Furthermore, as a cleared defense contractor, one would expect there to be a comprehensive cyber and counterintelligence briefing and training program, and there was.  Justice’s training folio showed he had taken a variety of courses.

  • Information Security 2015 (July 10, 2015)
  • Intellectual Property for Engineers and Technologists (July 10, 2015)
  • Threat Management Training for Employees (July 9, 2015)
  • Trade Secrets and Proprietary Information (July 9, 2015)
  • Enterprise US Export Awareness Overview (July 9, 2015)
  • Information Security 2014 (June 25, 2014)
  • 2014 Ethics Recommitment Training (May 6, 2014)
  • Enterprise US Export Awareness Overview (November 27, 2013)


The cleared defense contractor had a data loss prevention (DLP) monitoring program in place and, as noted above, it found Justice downloading data to a USB device. The resident DLP monitoring program also captured screenshots of Justice's computer at a cadence of approximately every six seconds. And when external media such as a USB drive were inserted into a laptop or desktop, the system prompted the user to encrypt the data. Note the limit of that last control: a prompt only protects data if the user honors it, and in this case the material still walked out the door on thumb drives.

Physical access procedures were also in place at the cleared defense contractor's facility. To enter the building, Justice was required to display a badge to a guard or enter through a badge-controlled gate. Additional access controls existed at Justice's specific work area, via a badge swipe. To access his workstation, Justice was required to insert his badge and enter a PIN (a description consistent with Common Access Card style smart-card authentication). Access controls on specific data sets required Justice to re-authenticate in order to gain access. Furthermore, within the contractor's IT system, all data in the collaborative data set environment was clearly marked and delineated as proprietary and/or subject to export controls.


Justice broke trust. The contractor's DLP system identified him accessing files and copying them to external devices. It is unclear from the criminal complaint whether this actionable information was of sufficient caliber to warrant action on its own, or whether action came only after the FBI/AFOSI arrived on the scene following Justice's offer of his services to Russian intelligence.

Entities with insider threat programs are challenged both by the potential for a mountain of false positives and by the determination of what level of activity warrants action. Each program will be different, but retaining the data for archival review should be mandatory. The rationale: today's actions may appear mundane and low-risk, but when added to other pieces of data, each of which may also appear innocuous and low-risk, they create a more complete picture, a mosaic, of the risk presented by the employee who is breaking trust.
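To make the mosaic argument concrete, here is an added example (my code, not part of the original post and not the contractor's DLP system): a small Python scorer that reads constructed endpoint/DLP event lines, weights each event below a single-event alert threshold, and then sums a user's events over a rolling window drawn from the archive. The log lines, user names, field names, weights, window and thresholds are all assumptions chosen for illustration.

```python
"""Mosaic scoring of low-signal insider-threat telemetry.

Constructed example: the event lines, field names, weights, window and
thresholds are assumptions for illustration, not the contractor's DLP schema.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed endpoint/DLP telemetry (not real data).
# Format: timestamp | user | event | key=value details
SAMPLE_LOG = """\
2015-11-03T19:42:10 | gjustice | usb_insert | vendor=generic size_gb=16
2015-11-03T19:44:51 | gjustice | copy_to_removable | files=37 label=PROPRIETARY
2015-11-03T19:45:02 | gjustice | encrypt_prompt | response=declined
2015-12-14T07:55:33 | gjustice | dataset_reauth | dataset=WGS label=ITAR
2016-02-16T21:10:05 | gjustice | copy_to_removable | files=12 label=ITAR
2016-02-16T21:10:06 | gjustice | encrypt_prompt | response=declined
2016-03-22T20:58:41 | gjustice | copy_to_removable | files=9 label=PROPRIETARY
2016-02-16T10:02:00 | asmith | usb_insert | vendor=corp size_gb=8
2016-02-16T10:03:10 | asmith | copy_to_removable | files=2 label=INTERNAL
2016-02-16T10:03:11 | asmith | encrypt_prompt | response=accepted
"""

# Every weight is kept below SINGLE_EVENT_ALERT so that one event alone looks
# mundane; only the accumulated picture is meant to trip MOSAIC_REVIEW.
WEIGHTS = {"usb_insert": 1, "copy_to_removable": 3, "dataset_reauth": 1, "encrypt_prompt": 0}
LABEL_MULTIPLIER = {"INTERNAL": 1, "PROPRIETARY": 2, "ITAR": 3}
DECLINED_ENCRYPTION_BONUS = 2   # user refused the encrypt-on-USB prompt
AFTER_HOURS_BONUS = 1           # activity between 19:00 and 07:00
SINGLE_EVENT_ALERT = 10
MOSAIC_REVIEW = 15
WINDOW = timedelta(days=180)    # how far back the archive is consulted


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str
    detail: dict


def parse_log(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, kind, detail = (part.strip() for part in line.split("|", 3))
        kv = dict(item.split("=", 1) for item in detail.split())
        events.append(Event(datetime.fromisoformat(ts), user, kind, kv))
    return events


def is_after_hours(ts: datetime) -> bool:
    return ts.hour >= 19 or ts.hour < 7


def score_event(ev: Event) -> int:
    score = WEIGHTS.get(ev.kind, 0) * LABEL_MULTIPLIER.get(ev.detail.get("label", ""), 1)
    if ev.kind == "encrypt_prompt" and ev.detail.get("response") == "declined":
        score += DECLINED_ENCRYPTION_BONUS
    if is_after_hours(ev.ts):
        score += AFTER_HOURS_BONUS
    return score


def mosaic(events: list[Event]) -> dict:
    """Per user: peak rolling score, when it first crossed MOSAIC_REVIEW,
    and which single events would have fired an alert on their own."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev.user].append(ev)
    report = {}
    for user, evs in by_user.items():
        scored = sorted(((ev, score_event(ev)) for ev in evs), key=lambda p: p[0].ts)
        single_alerts = [ev.ts for ev, s in scored if s >= SINGLE_EVENT_ALERT]
        peak, first_review = 0, None
        for i, (ev, _) in enumerate(scored):
            # Sum everything this user did inside the window ending at this event.
            rolling = sum(s for past, s in scored[: i + 1] if past.ts > ev.ts - WINDOW)
            peak = max(peak, rolling)
            if first_review is None and rolling >= MOSAIC_REVIEW:
                first_review = ev.ts
        report[user] = {"mosaic_score": peak, "first_review_at": first_review,
                        "single_event_alerts": single_alerts}
    return report


def analyze(text: str = SAMPLE_LOG) -> dict:
    return mosaic(parse_log(text))


if __name__ == "__main__":
    for user, result in analyze().items():
        print(user, result)
```

On the constructed data, none of the first user's 2015 events crosses the per-event alert, yet the rolling sum crosses the review threshold at the December export-controlled dataset access, two months before the first delivery to the undercover agent; that is the case archival retention exists to catch. The second user's business-hours, encrypted, INTERNAL-labelled copy stays well below both thresholds, which is the false-positive side of the same design.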



A version of the above, written by Christopher Burgess, was originally posted in ClearanceJobs in July 2016: Profile in Espionage – Curtailing a Satellite Spy with an Insider Threat Program


US Presidential Election 2016: The Kremlin Prefers???

The US presidential election of 2016 is entertaining the world and Russia's Kremlin. The sad reality is that one of the two major party candidates, Donald Trump (R) or Hillary Clinton (D), will be the next president of the United States come Friday, January 20, 2017.

The US electorate dislikes them both.

Global leaders and their intelligence and foreign policy apparatus are burning the midnight oil as they try to get their arms around what is coming to the global stage in 2017. If it wasn't scaring the shit out of me, and so many others, it would actually be humorous.

While the decision day of November 8, 2016 is fast approaching the US electorate, it is regrettable many will find themselves voting for the presidential candidate they think sucks less.

The Kremlin, led by Vladimir Putin, made its choice early on.

A powerful statement. One may argue that countries don't attempt to influence the affairs or elections of another country? To that I say, open your history books. The Russian Federation uses its intelligence community to achieve its goals; its "active measures" (активные мероприятия) capabilities are fully operational. They are not alone: the United States has used its intelligence community and covert action capability in a similar manner (Iran, Chile, Cuba), often directed by presidential findings and directives and subject to congressional oversight. Every country takes steps to protect its national interests, including influencing actions within another country. Scan the headlines and you will see examples such as the one in the Indian Express, "Everywhere the foreign hand."

Those familiar with the ways of the former Soviet Union will recognize that the Soviet realpolitik toy box was never thrown out; it was simply repainted and refreshed by the Russian Federation, more so under Putin than others. Their adroitness at chess (шахматы), a national pastime in Russia, is demonstrated as they move their pieces across the global landscape, reflecting their mastery of the gambit.

The US government is not naive as to the role of Russian active measures, and in fact, Section 501 of the Intelligence Authorization Act for Fiscal Year 2017 (which started 01 October) includes specific verbiage directing the President to  “establish an interagency committee to counter active measures by the Russian Federation that constitute Russian actions to exert covert influence over peoples and governments.”

Clinton
The Kremlin knows Clinton, they have danced with Clinton for more than 16 years, most intensively and directly during her term as Secretary of State. They respect her for her connectedness, both domestically and abroad, and marvel at 112 countries visited and the 956,733 miles she traveled as Secretary of State.


Trump
The Kremlin knows Trump, and the Russian oligarchs know him better than the politicos do. They know his money, and he knows theirs. They respect the bazaari manner he displays: negotiate, agree and negotiate some more. It is not alien to the Russian markets.


Russian active measures

The Democratic National Committee (DNC) hack has been well documented and discussed ad nauseam. I crafted a piece in June, Hacking Politics – Political Security in an Election Year, which discussed why Russia would be interested in the content of the DNC servers. I said then, "political parties plan to win, so lists and analysis on best candidates for key administration posts (cabinet and select appointees) will always be of interest to an adversary, as will the national security transition. Once the national primaries are concluded and the candidates for president solidified, these individuals will begin receiving national security briefings." Then on 09 October, President Obama pointed the finger at Russia and accused them of meddling in the US election … about time.

With the DNC hack, the Russians have Clinton's transition game plan.

Are we tired of hearing about Hillary's email server? Absolutely. Let's step over the discussion of whether or not classified correspondence was kept on these servers in her personal residence. Indeed, let's assume all the content was merely sensitive, intra-office discussion.

From a foreign intelligence perspective, the content may not be platinum, due to lack of classified information, but it sure as hell is a treasure trove of gold. Containing the thoughts, methodologies, connections, interconnections and other jewels to assist an adversary in determining the plans and intentions of a leader.

FBI Director James Comey concluded that it is possible hostile actors gained access to the email servers. From his July 2016 statement on the topic: "With respect to potential computer intrusion by hostile actors, we did not find direct evidence that Secretary Clinton's personal e-mail domain, in its various configurations since 2009, was successfully hacked. But, given the nature of the system and of the actors potentially involved, we assess that we would be unlikely to see such direct evidence. We do assess that hostile actors gained access to the private commercial e-mail accounts of people with whom Secretary Clinton was in regular contact from her personal account. We also assess that Secretary Clinton's use of a personal e-mail domain was both known by a large number of people and readily apparent. She also used her personal e-mail extensively while outside the United States, including sending and receiving work-related e-mails in the territory of sophisticated adversaries. Given that combination of factors, we assess it is possible that hostile actors gained access to Secretary Clinton's personal e-mail account."

In summary, Russian active measures produced reams of information from the DNC, including folios on every individual being considered for any of the hundreds of political appointee positions (intimate personal details included), coupled with correspondence on how Clinton engages her internal team, including providing direction, redirection and decision making. Who would not want this level of detail going into a negotiation with an adversary?

The NSA tools go missing
In August 2016 the world realized that the National Security Agency’s offensive operations group lost their tool box. Indeed, the toolbox was splayed out for all to see by Shadow Brokers. In my piece, NSA’s Tools Go Missing to Shadow Brokers, I commented how this theft and subsequent exposure, was “a signal to the United States from Russia, let the cyber-espionage games begin, we have your toys.”  The aforementioned reaction of President Obama re Russia’s technological shenanigans within the US electoral process provides credence – let the cyber-espionage games begin.

The Kremlin's Preference: A Russian Gambit

The Russian playbook when it comes to Hillary Clinton is robust, complex and complete. Trump is a wildcard. They know him only in the context of his business acumen. The current residents in the Kremlin view Trump in the same way they viewed Ronald Reagan, an unpredictable gadfly. But Trump isn’t Reagan. Say what you will about Reagan and his Hollywood roots, he surrounded himself with subject matter experts who were on point. Trump has no plan, they know he will wing-it, and that is not in their interests.

Thus Putin continues to snub and embarrass the US in the diplomatic scrums at the G20, Syria, Ukraine, Crimea, NATO, etc. They feed their propaganda machines, RT, Pravda and others with global opinion on how Trump’s isolationist policy is in their interests. They create opportunity for the US media to grab soundbites and relish when Trump provides his own, leaving the public without comment on the “bromance” between Trump and Putin.

They smiled when Clinton said, on many occasions during the second debate (09 October) how the Russians don’t want her in the White House.

Others agree with Clinton’s observation that the Russian activity is in support of Donald Trump, and there can be a cogent argument made which arrives at this conclusion.

I submit, this is a Russian gambit, a beautifully mastered piece of reverse psychology which is being consumed by the US media, like a child consumes cotton candy. Indeed, the US media is not only buying it, they are serving it up to the US electorate in an unending narrative, that a vote for Trump is a vote for Russia.

But the reality is, they prefer the devil they know. The Kremlin prefers Hillary Clinton.


Note: A version of this article was published by Huffington Post on 12 October 2016


Vote

I am apolitical, revolted by both candidates, Clinton and Trump. But I will vote, and I encourage every eligible US citizen both at home and abroad to exercise their vote in this election. And whether or not the Kremlin gets who they wish in the White House, we the electorate aren't embracing the behavior of the emu. We will be able to marshal our national resources and be both "stronger together" and "a greater America" at the same time, regardless of who is President of the United States on January 21, 2017.
Thank you for your time,
Christopher Burgess

Fake LinkedIn profiles engaged in global espionage targeting

Example of a fake LinkedIn profile (via Symantec)

The BBC reports that hackers are using fake LinkedIn profiles to befriend professionals and use their information in future attacks.

Source: Fake LinkedIn profiles used by hackers – BBC News

The BBC article pulls from a Symantec threat report, "Fake LinkedIn accounts want to add you to their professional network." This report comes on the heels of a piece on this very topic by Prevendra's CEO, Christopher Burgess, in August 2015. At that time he wrote that for years the counterintelligence efforts of the Federal Bureau of Investigation (FBI), Defense Security Service (DSS) and other U.S. Government entities have been sharing "stranger danger" type briefings for travel, conferences and elicitation over telephone calls. Every individual with a government security clearance has received their annual counterintelligence training, with emphasis on reporting contact with foreign nationals. Most of these briefings and instructions focus on in-person solicitation or the email query.

Now with the ubiquitous nature of social networks, it should come as no surprise that foreign intelligence services hostile to the interests of the U.S. have put another collection of arrows into their operational quiver so as to achieve their goals, collecting U.S. secrets (and those of the allies of the U.S.).

Governments warn us of fake LinkedIn Profiles

In fact the United Kingdom's MI5 (the internal security service) sent a memo to government departments warning, according to the UK's Daily Mail, of "Foreign spies on LinkedIn trying to recruit civil servants by 'befriending' them before stealing British secrets." The Daily Mail notes that the memo (not provided) warns government workers that Russia and China are both utilizing the LinkedIn social network to target government employees, are creating fake profiles within the site, and are trying to "find-connect-cultivate" government employees. Those of us who do not suffer from event amnesia will remember the well-orchestrated "Robin Sage" sting of 2010, in which Thomas Ryan of Provide Security created a complete persona and, over the course of several months, engaged, befriended and elicited information from cleared government employees. The results of the sting were shared at the 2010 Black Hat conference in a talk, "Getting in bed with Robin Sage."

The DSS and FBI have also issued their own counterintelligence brochures dealing with the broader cyber threat.  The rather robust FBI brochure on elicitation is especially apropos when it comes to social networks, as the techniques used in face-to-face personal engagement are applicable to social network engagement. Elicitation is an art form, and when exercised by the intelligence professional, it is difficult not to engage. The FBI suggests:

Deflecting Elicitation Attempts

Know what information should not be shared, and be suspicious of people who seek such information. Do not tell people any information they are not authorized to know, to include personal information about you, your family, or your colleagues.

You can politely discourage conversation topics and deflect possible elicitations by:

  • Referring them to public sources (websites, press releases)
  • Ignoring any question or statement you think is improper and changing the topic
  • Deflecting a question with one of your own
  • Responding with “Why do you ask?”
  • Giving a nondescript answer
  • Stating that you do not know
  • Stating that you would have to clear such discussions with your security office
  • Stating that you cannot discuss the matter

The DSS notes in their cyber threats brochure the myriad of reasons and methods used to target cleared personnel.  The DSS suggests:

Why Do They Target

  • Company unclassified networks (internal and extranets), partner and community portals, and commonly accessed website
  • Proprietary information (business strategy, financial, human resource, email, and product data)
  • Export controlled technology
  • Administrative and user credentials (usernames, passwords, tokens, etc.)
  • Foreign intelligence entities seek the aggregate of unclassified or proprietary documents that could paint a classified picture

Why should I care?

OPM breach + Health Care breach + IRS breach + Ashley Madison breach = Targeting bonanza 

While we have in the past admonished readers to be judicious about what they post, since it can be culled, with the OPM data breach many who hold security clearances have had their information compromised. Knowing that the contents of their SF-86 are probably in the hands of hostile intelligence services can be disquieting. Couple this with the recent compromise of various medical provider data sets and the salacious Ashley Madison breach, and it becomes clear there is no shortage of our information available to the targeteers of foreign intelligence services. You do NOT get to decide whether you will be targeted; you do, however, have control over how you react to an approach.

Your responsibilities include understanding how individuals may use the various pieces of data public and private (compromised data sets) to approach you. Fictional LinkedIn profiles can be used to appeal to your professional interests. Facebook and Google+ groups and communities can be stepping stones to personal virtual relationships. As President Reagan is often quoted, “Trust, but verify.”

How can I spot a fake LinkedIn profile?

Back to the Symantec report, they advise there are a couple of easy ways to identify a “fake profile” (we don’t know why LinkedIn doesn’t self-police, but you can highlight and report a LinkedIn profile as bogus and they will take action).


Symantec says most of these fake accounts follow a specific pattern:

  1. They bill themselves as recruiters for fake firms or are supposedly self employed
  2. They primarily use photos of women pulled from stock image sites or of real professionals
  3. They copy text from profiles of real professionals and paste it into their own
  4. They keyword-stuff their profile for visibility in search results

There are a few ways users can identify these types of accounts:

  1. Do a reverse-image search (several reverse-image search services offer a browser plugin)
  2. Copy and paste profile information into a search engine to locate real profiles
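As an added example (my code, not Symantec's, LinkedIn's or the original article's), the Python below turns the four-point pattern and the two checks above into a local screening function. A reverse-image search and a web search for the profile text both need network services, so the example stands in for them with constructed local data: a hash list of known stock photos and a small corpus of real profile summaries. The candidate profiles, names, field names and thresholds are likewise assumptions for illustration.

```python
"""Screen LinkedIn-style profiles against the fake-profile pattern.

Constructed example: the reference corpus, stock-photo hash list, candidate
profiles, field names and thresholds are assumptions for illustration. The
reverse-image search and the copy-text-into-a-search-engine check are stood
in for by local comparisons against that constructed data.
"""
import hashlib
import re
from collections import Counter

STOPWORDS = {"a", "an", "and", "at", "for", "i", "in", "my", "of", "on",
             "or", "the", "to", "with"}
COPIED_TEXT_THRESHOLD = 0.5   # Jaccard similarity of 3-word shingles
STUFFING_THRESHOLD = 0.3      # share of skill tokens taken by one term
HEADLINE_PATTERN = re.compile(r"\b(recruiter|talent|self[- ]?employed|freelance)\b", re.I)

# Constructed reference data standing in for "search for the real profile"
# and "reverse-image search" (not real people, photos or Symantec data).
REAL_PROFILES = [
    {"name": "Jane Doe",
     "summary": ("Senior systems engineer at Acme Aerospace. I lead the "
                 "ground-segment software team for a commercial imaging "
                 "constellation and mentor new engineers on secure coding "
                 "and export compliance.")},
]
STOCK_PHOTO_HASHES = {hashlib.sha256(b"constructed-stock-photo-0001").hexdigest()}

# Constructed candidate profiles: the first follows the pattern, the second does not.
CANDIDATES = [
    {"name": "Sarah Mitchell",
     "headline": "Recruiter at Global Talent Partners",
     "summary": REAL_PROFILES[0]["summary"],            # lifted verbatim
     "skills": ("security security clearance security recruiter security "
                "jobs cleared security defense security engineering "
                "security analyst"),
     "photo": b"constructed-stock-photo-0001"},          # matches a stock image
    {"name": "Tom Nakamura",
     "headline": "Staff engineer at Acme Aerospace",
     "summary": ("I write flight software for small satellites and spend "
                 "my weekends restoring an old sailboat."),
     "skills": "embedded c rust fault tolerance",
     "photo": b"constructed-personal-photo-tom"},
]


def tokens(text):
    return re.findall(r"[a-z0-9+#]+", text.lower())


def shingles(text, k=3):
    """Set of k-word shingles; near-duplicate text shares most of them."""
    words = tokens(text)
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a, b):
    return len(a & b) / len(a | b) if a and b else 0.0


def top_term_share(text):
    """Fraction of content words taken by the single most repeated term."""
    words = [w for w in tokens(text) if w not in STOPWORDS]
    if not words:
        return 0.0
    return Counter(words).most_common(1)[0][1] / len(words)


def screen_profile(profile, reference=REAL_PROFILES, stock_hashes=STOCK_PHOTO_HASHES):
    reasons = []
    if HEADLINE_PATTERN.search(profile["headline"]):
        reasons.append("recruiter_or_self_employed")
    if hashlib.sha256(profile["photo"]).hexdigest() in stock_hashes:
        reasons.append("stock_photo")
    mine = shingles(profile["summary"])
    best = max((jaccard(mine, shingles(r["summary"])) for r in reference), default=0.0)
    if best >= COPIED_TEXT_THRESHOLD:
        reasons.append("copied_text")
    if top_term_share(profile["skills"]) >= STUFFING_THRESHOLD:
        reasons.append("keyword_stuffing")
    verdict = "likely fake" if len(reasons) >= 2 else "no pattern match"
    return {"name": profile["name"], "reasons": reasons, "verdict": verdict}


def screen_all(candidates=CANDIDATES):
    return [screen_profile(p) for p in candidates]


if __name__ == "__main__":
    for result in screen_all():
        print(result)
```

The verdict requires two independent signals on purpose: a genuine recruiter will trip the headline check, and a real engineer whose summary was copied by someone else will show up as a near-duplicate of the copy, so no single indicator should be treated as proof. The shingle comparison is the offline equivalent of pasting profile text into a search engine, and the hash lookup is the offline equivalent of a reverse-image search; in practice both are replaced by the live services.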



Portions of the above article were originally written by Christopher Burgess and published within DICE’s ClearanceJobs: 

Beware Where You Share: British Intelligence Cautions Employees Against LinkedIn


Rest easy: China says U.S. OPM data breach was criminal



Reuters recently reported that the Chinese are claiming to have concluded their official investigation into the allegation that the Chinese government was responsible for the Office of Personnel Management data breach, which compromised the identities and government clearance portfolios of roughly 20 million individuals.

It is interesting to note that the Chinese government spokesperson did not indicate the US Government's response to this revelation. Few, if any, in the international security industry are taking China's investigatory claims seriously. No doubt this face-saving step is a necessary political prerequisite to moving to deeper bilateral cyber security talks.

China’s official Xinhua news agency said on Wednesday an investigation into a massive U.S. computer breach last year that compromised data on more than 22 million federal workers found that the hacking attack was criminal, not state-sponsored.
Source: China’s Xinhua says U.S. OPM hack was not state-sponsored | Reuters


Update 04 December 2015 – 1200 hrs


The Chinese government says it has arrested several people allegedly connected to the massive Office of Personnel Management (OPM) data breach. The arrests reportedly occurred just prior to President Xi Jinping’s visit to the US in September.

Washington Post: The arrests took place shortly before Chinese President Xi Jinping's state visit in September.

SC Magazine: China has arrested the individuals it says are responsible for the OPM megabreach, according to The Washington Post.

The Hill: The arrests took place prior to Chinese President Xi Jinping's state visit in September.