Skip to main content

Cyber Saturday—MongoDB Bolsters Security, ASUS Hacked, NSO Group on ’60 Minutes’

MongoDB, a database software provider whose stock has been on a tear recently, just hired its first-ever chief information security officer. The appointment, which came Friday, signals that the company plans to take security more seriously even as it faces stiffened competition from the likes of Amazon and other tech giants.

The new boss is Lena Smart, a Glaswegian cybersecurity professional. Smart formerly held the same title at IPO-bound Tradeweb, a financial services firm that supplies the technology behind certain electronic trading markets. Prior to Tradeweb, she headed security at the New York Power Authority, where she worked for more than a decade. A cellist in her spare time, Smart told me in her Scottish brogue that her priority in the new job will be “knowing what the crown jewels are--that’s our customer data--and making sure that’s always protected.”

People leaving MongoDB and other databases unsecured on the web has been a persistent source of data-leaks over the years. Just this month, a security researcher discovered one such sieve that exposed to public view a trove of sensitive information, including location data, on millions of people in China. The misconfigured repository appears to have originated from SenseNets, a Shenzhen-based company that is likely providing the Chinese government with crowd-surveilling, facial recognition technology to track the country’s muslim Uyghur population. This is just the latest leak example; there are innumerable others.

Despite the frequency of these leaks, the situation seems to be improving. Most of these inadvertent leaks have sprung, in fairness, from people using outdated instances of the company’s so-called community edition software, a free, barer-bones version of the database product. Mark Wheeler, a MongoDB spokesperson, conceded that the 12-year-old company “struggled in its early years to find the right balance with security.” But he avers that updates to the default settings of MongoDB’s software over the past few years, plus key security team hires--including guardians Davi Ottenheimer, Kenn White, and now Smart--are changing the equation.

As Smart’s scope involves securing the totality of MongoDB’s business, the data-spillage issue ultimately falls to her. She says she’ll continue educating customers in best practices when it comes to security. She says she will also aim to imbue the company’s product development process with security, quality assurance, and testing from the earliest stages. If we can get in at the very start” of the software development lifecycle, Smart says, it will “save us time and money and make our products more reliable and secure.”

The leaky database issue is one that extends well beyond MongoDB. It’s also a problem for rivals such as Amazon, particularly its S3 buckets, Elastic, and others. Like so many companies, these database-makers are looking now to shore up their software in the hopes of turning a historical weakness--cybersecurity--into a competitive strength. As Dev Ittycheria, MongoDB’s president and CEO, tells Fortune: making the company’s products as secure as possible “is critical to our business.”

Indeed, it’s critical to MongoDB and, increasingly, every business.

Robert Hackett

@rhhackett

robert.hackett@fortune.com

Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my about.me), PGP encrypted email (see public key on my Keybase.io), Wickr, Signal, or however you (securely) prefer. Feedback welcome.

THREATS

Step into the light. NSO Group, a controversial Israeli spyware outfit whose software has been implicated in the murder of Washington Post columnist Jamal Khashoggi, has been trying to clean up its image in the eyes of the public. Shalev Hulio, CEO of the notoriously secretive smartphone-cracking company, interviewed with CBS's 60 Minutes and permitted a tour of the offices. He denied any culpability in Khashoggi's assassination, despite having sold the firm's technology to the Saudi Arabian monarchy.

Order in the court. Hal Martin III, a contractor with the U.S. National Security Agency, pleaded guilty in federal court on Thursday for stealing state secrets in what may be the largest breach of classified information in U.S. history. The lawyer for the defense said Martin's "actions were the product of mental illness." Meanwhile, a New York Times dispatch from Guant?namo Bay alleges that the U.S. government has recordings of the mastermind behind the September 11th terrorist attacks hatching the heinous plot with co-conspirators.

Sipping the poisoned chalice. Nation state-linked hackers last year compromised roughly half a million Windows-running computers produced by ASUS, the Taiwanese tech giant, according to Kasperky Lab, the Russian cybersecurity firm. ASUS downplayed the software supply chain attack in a statement, saying "a small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers." We echo the advice of Matt Blaze, a cybersecurity expert and Georgetown University professor, who says people should still regularly update their software.

Microsoft misadventures. Microsoft won a restraining order in U.S. court enabling the company to take control of 99 web domains used by a nation state threat actor. The domains were involved in alleged Iranian hacking campaigns tied to the defection of a U.S. Air Force counter-intelligence, Monica Witt, who is wanted by the FBI. Meanwhile, a 24-year-old, autistic security researcher pleaded guilty in a London court to hacking the computer networks of Microsoft and Nintendo. The judge issued short, suspended sentence, saying: "I am trusting this will be a lesson from which you will all learn."

Were you born yesterday?

Share today's Cyber Saturday with a friend:

http://fortune.com/newsletter/cybersaturday/

Looking for previous Data Sheets? Click here

ACCESS GRANTED

Alms qualms. Fast Company pries open the socioeconomics of privacy in this intriguing article. Ciara Byrne, the author, explains how many of the poorest Americans are forced to live under constant surveillance, a situation that exposes them to marketing for predatory financial services. Another set of the nation's poorest, including undocumented immigrants, day laborers, and homeless people, are often forced to live off the grid in what Byrne describes as a "surveillance gap," which prevents them from getting access to resources that might help them.

"Middle-class and wealthy Americans need to realize that novel surveillance techniques are typically used first on the poor," [law professor Michele E.] Gilman wrote in a 2012 article. "By the time these strategies spread beyond controlling the poor, any 'reasonable expectations' against their use have dissolved."

Low-income communities have historically been monitored by government and their privacy has been routinely invaded. In Colonial America, most towns had an "overseer of the poor" who tracked poor people and either chased them out of town or auctioned off their labor. Current public benefits programs ask applicants extremely detailed and personal questions and sometimes mandate home visits, drug tests, fingerprinting, and collection of biometric information.

ONE MORE THING

Dynamic Duo. A question for the entrepreneurs in the room: How did you meet your cofounder? If you said you bumped into each other in a stairwell while attempting to hack into the IT network of that other person's company, then you share something in common with the folks at Duo, a cybersecurity startup snatched up by Cisco for more than $2 billion last year.

I think they call that love at first cyber.



from Fortune https://ift.tt/2FLy3YQ

Comments

Popular posts from this blog

Photo finish: Crashing sales force Olympus to sell iconic camera business

Sometimes, the vicissitudes of capitalism force companies to exit the businesses for which they’re best known. Olympus, once a leading light in the photography industry, is now joining that list. On Wednesday, the company said it planned to quit its 84-year-old camera business. The imaging giant, known for its once-pervasive digital cameras, agreed to sell off the declining unit by year’s end. Japan Industrial Partners, a private equity firm best known for buying Sony’s struggling Vaio computer line in 2014, agreed to purchase the business. Terms of the deal were not disclosed. A glance at Olympus’s financial statements provides all the rationale for the divestiture; as at rival manufacturers, camera sales have plummeted over the past decade. For the fiscal year ended March 31, Olympus’s camera unit declined 10% versus the year prior to  ¥43.6 billion, or $407 million. The unit’s sales have collapsed by three-quarters from a decade ago, when the company brought in ¥175 billion, or $

WHO says common steroids can slash death risk for the sickest coronavirus patients

Our mission to help you navigate the new normal is fueled by subscribers. To enjoy unlimited access to our journalism,  subscribe today . An old drug can learn new tricks during the coronavirus pandemic. That’s the main takeaway from the World Health Organization (WHO) in a new analysis of corticosteroids—a class of drugs which have existed for dozens of years and are far cheaper than new, experimental COVID treatments in development—suggesting that drugs like dexamethasone can slash the chances of COVID-19 related deaths by as much as 35% in the sickest patients. The WHO analysis of coronavirus drugs encompassed seven separate studies. And while an analysis of this sort—what’s called a “meta-analysis”—isn’t as rigorous as other types of trials like a randomized controlled study, the data are compelling. Corticosteroids have a very different action mechanism from many of the other coronavirus drugs in development. COVID-19 is a peculiar disease. Some who have been infected may be