Throwback Attack: Chinese hackers steal plans for the F-35 fighter in a supply chain heist

As cyberattacks on national critical infrastructure and private industry increase, the U.S. Department of Defense (DoD) introduced the Cybersecurity Maturity Model Certification (CMMC) to standardize cybersecurity practices for defense contractors. This process is critical, as demonstrated by China’s 2007 theft of sensitive F-35 Lightning II documents, which was confirmed by Edward Snowden’s 2015 leak. Snowden’s documents revealed that a Lockheed Martin subcontractor data breach allowed China to access F-35 designs, contributing to the development of their J-31 stealth fighter.

Supply chain attacks like this are becoming more frequent and damaging, as seen in high-profile cases such as the SolarWinds and Kaseya attacks. According to Ryan Heidorn, co-founder of Steel Root, adversaries are stealing intellectual property at an alarming rate, targeting large primes like Lockheed Martin and smaller suppliers that may lack sophisticated cybersecurity.

The CMMC aims to curb this issue by ensuring DoD contractors implement strict cybersecurity practices. While many companies already face these requirements, CMMC enforces compliance through assessments and certification, making it a critical mechanism to prevent the loss of sensitive information. The goal is to protect valuable defense technology, like the F-35, from further theft as adversaries like China continue to target critical U.S. systems.

In the context of the 2007 theft of sensitive F-35 Lightning II technical documents and other similar supply chain attacks, how could the PASTA (Process for Attack Simulation and Threat Analysis) methodology enhance defense contractors’ and DoD vendors’ overall security process to prevent future data breaches?
In the context of privacy as the default setting for data protection, which principle aligns with the concept of Privacy by Default as outlined in privacy regulations such as GDPR (General Data Protection Regulation)?
Hunter Biden Laptop Controversy

In October 2020, a controversy arose involving data from a laptop that belonged to Hunter Biden. The owner of a Delaware computer shop, John Paul Mac Isaac, said the laptop had been left by a man who identified himself as Hunter Biden. Mac Isaac also stated that he is legally blind and could not be sure whether the man was Hunter Biden. Three weeks before the 2020 United States presidential election, the New York Post published a front-page story that presented emails from the laptop, alleging they showed corruption by Joe Biden, the Democratic presidential nominee and Hunter Biden’s father. According to the Post, the story was based on information provided to Rudy Giuliani, the personal attorney of incumbent president and candidate Donald Trump, by Mac Isaac. Forensic analysis later authenticated some of the emails from the laptop, including one of the two emails used by the Post in their initial reporting.

Shortly after the Post story broke, social media companies blocked its links. At the same time, other news outlets declined to publish the story due to concerns about provenance and suspicions of Russian disinformation. By May 2023, no evidence had publicly surfaced to support suspicions that the laptop was part of a Russian disinformation scheme.

The Hunter Biden laptop controversy involved allegations of unauthorized access to personal data and the subsequent public disclosure of potentially sensitive information. Examining whether this constitutes a false allegation of privacy violation requires addressing the elements of privacy violations and the case’s specifics.

Using the assumption that the previous information is entirely TRUE, why could this case not be considered a privacy violation? Justify your answer. Can it be considered a security case if it is not a violation? If yes, define in the MITRE ATT&CK which goal(s) the malicious agent seeks to achieve. Justify your answer.
Rubric

Understanding of Privacy Violation (10 points)
10 points: Clearly explains why the case does not meet the legal or ethical criteria for a privacy violation, referencing definitions of privacy.
3-9 points: Partially explains the criteria or reasoning behind why the case may or may not be a privacy violation.
0-2 points: Minimal or no explanation of privacy violation criteria or relevance to the case.

Security Classification Justification (10 points)
10 points: Provides a clear argument for why the case could or could not be classified as security, with strong evidence and reasoning.
3-9 points: Offers some reasoning for classifying the case as a security case but lacks depth or clear justification.
0-2 points: Fails to address whether the case can be considered a security case or provides weak reasoning.

Application of MITRE ATT&CK Goals (10 points)
10 points: Identifies specific MITRE ATT&CK goals (e.g., Credential Access, Collection, Exfiltration) and justifies them with strong connections to the scenario.
3-9 points: Mentions applicable ATT&CK goals but with limited connection to the scenario details.
0-2 points: Fails to identify relevant ATT&CK goals or justify their relevance.
Stadiums Are Embracing Face Recognition. Privacy Advocates Say They Should Stick to Sports[1]

Facial recognition technology is being increasingly adopted by major sports leagues like the MLB and NFL to streamline fan entry and enhance security. However, this trend has sparked concerns among privacy advocates who argue that the technology poses significant risks to individual privacy.

Supporters of facial recognition argue that it offers several benefits, such as reducing wait times at stadium entrances and improving security measures. Facial recognition allows fans to opt for express entry lanes, often bypassing longer queues. Additionally, the technology can aid in identifying potential security threats and facilitating faster entry for authorized personnel.

On the other hand, critics raise concerns about law enforcement agencies’ potential misuse of facial recognition data. They argue that the technology could track individuals’ movements, monitor their activities, and even identify protesters or dissidents. Furthermore, there are concerns about the accuracy of facial recognition systems, which can lead to false positives and wrongful identifications.

While some teams and leagues have implemented strict privacy measures and obtained explicit consent from fans, others have been criticized for their lack of transparency and potential overreach. Facial recognition in sports raises broader questions about the balance between security, convenience, and individual privacy rights. As this technology continues to evolve, it is crucial to have open discussions and establish robust regulations to safeguard against potential abuses.

Using LINDDUN, find why we can consider that the current procedure could threaten the users, considering Identifiability, Detectability, and Unawareness. Explain where the threat is found in the previous article, and justify why it could be regarded as a threat.
[1] Based on the WIRED article: https://www.wired.com/story/face-recognition-stadiums-protest/

Rubric

2. Justification of Threats (12 points)
Provides clear and logical justifications for why the selected privacy threats apply to the described facial recognition system. Justifications should reference key aspects of the event (e.g., surveillance use, data collection, and third-party involvement).
12 points: Thorough and well-reasoned justification for both threats, referencing event specifics.
3-11 points: Adequate justification, but may lack depth or specificity in some areas.
0-3 points: Weak or missing justification, or the justification does not clearly relate to the event context.

3. Understanding of LINDDUN Categories (11 points)
Demonstrates a clear understanding of the LINDDUN framework by correctly applying the privacy threats to the relevant categories.
11 points: All threats are accurately classified within the LINDDUN framework.
4-10 points: Most threats are correctly classified but with minor errors.
0-3 points: Significant errors in classification or misunderstanding of the framework.

4. Clarity and Organization of Response (2 points)
The answer is clearly written, well-organized, and easy to follow. The students present their ideas using proper language and logical flow.
2 points: The answer is clear, well-structured, and free of ambiguity.
1 point: The answer is mostly clear, with some minor issues in organization or clarity.
0 points: The answer is unclear, disorganized, or hard to follow.
What is the energy of a photon with a wavelength of 245 nm? h = 6.626×10⁻³⁴ J·s and c = 3.00×10⁸ m·s⁻¹
Please briefly explain some considerations for the immersion technique for premature infants.
Age is the most important consideration in determining solution strength and volume.
Give four (4) Taiwan tidbits.