The Tesla Insider
Elon Musk sent out an email stating an employee had stabbed the company in the back like Brutus, changing production code, and leaking inside information. I'll admit that like many people who have talked about or written about insider threats in the past, I instinctively punched the air and yelled, "YES! I warned you but you didn't listen."
The incident is also notable for the impact it had on the company's share price which dropped more than 6% in trading.
"I was dismayed to learn this weekend about a Tesla employee who had conducted quite extensive and damaging sabotage to our operations, this included making direct code changes to the Tesla Manufacturing Operating System under false usernames and exporting large amounts of highly sensitive Tesla data to unknown third parties."
- Insider threats defined | AlienVault
- Tesla hit by insider saboteur who changed code, exfiltrated data | SC Magazine
Can't Fix Won't Fix, Don't Fix
Organisations cannot afford to view penetration testing as a tick box exercise. How should they mitigate the fact some vulnerabilities can’t be fixed, won’t be fixed, and in some instances, actually shouldn’t be fixed?
- Can’t fix, won’t fix, don’t fix: Is it time for businesses to rethink how they action pen test results? | IT Pro Portal
On the topic of pen tests, check out Adrian Sanabria's presentation slides from RSA earlier this year on killing the pen test.
- It's time to kill the pen test (PDF) | RSAconference
To add balance, and to convince you pen testers out there that I'm not a bad person who hates all pen testers, here's an awesome collection of penetration testing resources that include tools, online resources, books, courses, conferences, magazine...
- Awesome Penetration Testing | Kinimiwar, GitHub
A Case Study In Bad Disclosure
Imagine you're a researcher who has found a vulnerability. You disclose it responsibly to a vendor, and the vendor fixes the issue - but instead of sending the chopper over to you with a care package, they pretend you didn't exist. Akin to Tom Cruise getting disavowed in every single Mission Impossible movie.
Then imagine that vendor submitted the vulnerability details to Google and received a bug bounty award to the tune of $5,000.
Then to top it off, they sat back in a massive reclining chair, threw their head back and laughed as they donated the full $5,000 to a good cause.
It would make anyone want to go all Liam Neeson on wanting to hunt, find, and make them pay... or alternatively, write a blog post detailing the whole saga.
- Vendors, Disclosure, and a bit of WebUSB Madness | pwnaccelerator
Not So Anonymous Dark Web
This is a heart-warming tale of how a drug vendor pled guilty after feds traced his bitcoin transactions.
Seriously though, the best part of the story has to be, "US authorities arrested Vallerius in September last year, at the Atlanta airport after he arrived in the US to attend and participate in the World Beard and Mustache Championships that was being held in Austin, Texas."
I can imagine him paraphrasing Al Capone, "I got taken down for my magnificent beard and moustache, the least of my crimes."
- Dark Web Drug Vendor Pleads Guilty After Feds Traced His Bitcoin Transactions | Bleeping Computer
IBM Report On TSB's IT Problems
For what seems like far too long now, TSB has been unable to fully service its banking customers after a complete botch job left systems unavailable.
An initial report by IBM has been published that outlines some of the preliminary findings. If you read between the lines, it doesn't bode well for whoever was in charge of the programme. Moving to new infrastructure, divesting, or even migrating core apps to the cloud is always great in theory, but it still needs a lot of hard work to make sure things go smoothly. It's unfortunate to see what appears to be many captains asleep at the wheel, not asking the right questions at the right time.
- IBM report on TSB's IT problems published | Parliament UK
The Architecture Of GitHub
Not strictly security news, but a really thorough and comprehensive writeup of GitHub's database architecture.
- MySQL High Availability at GitHub | GitHub Engineering
$31M Cryptocurrency Hack In S. Korea
Bithumb, South Korea’s second-largest exchange, said cyberattacks from late Tuesday night to Wednesday morning led to the loss of 35 billion won worth of cryptocurrencies.
- South Korean cryptocurrency exchange Bithumb says it was hacked and $30 million in coins was stolen | Time
Randomness
A few other stories I enjoyed reading recently.
- How to find time in your busy schedule to learn | freeCodeCamp, Medium
- Bias detectives: the researchers striving to make algorithms fair | Nature
- How Magento changed its open source approach to get 50% community contributions | TechRepublic