Insight Into the Zero-Day Vulnerability Business
August 14, 2015
An ironic security breach grants a rare glimpse into the workings of an outfit that sells information on security vulnerabilities, we learn from “Hacking Team: a Zero-Day Market Case Study” at Vlad Tsyrklevich’s blog. Software weak spots have become big business. From accessing sensitive data to installing secret surveillance software, hackers hunt for chinks in the armor and sell that information to the highest (acceptable) bidder. It seems to be governments, mostly, that purchase this information, but corporations and other organizations can be in the market, as well. The practice is, so far, perfectly legal, and vendors swear they only sell to the good guys. One of these vulnerability vendors is Italian firm Hacking Team, known for its spying tools. Hacking Team itself was recently hacked, its email archives exposed.
Blogger Vlad Tsyrklevich combs the revealed emails for information on the market for zero-day (or 0day) vulnerabilities. These security gaps are so named because once the secret is out, the exposed party has “zero days” to fix the vulnerability before damage is done. Some may find it odd just how prosaic the procedure for selling zero-days appears. The article reveals:
“Buyers follow standard technology purchasing practices around testing, delivery, and acceptance. Warranty and requirements negotiations become necessary in purchasing a product intrinsically predicated on the existence of information asymmetry between the buyer and the seller. Requirements—like targeted software configurations—are important to negotiate ahead of time because adding support for new targets might be impossible or not worth the effort. Likewise warranty provisions for buyers are common so they can minimize risk by parceling out payments over a set timeframe and terminating payments early if the vulnerability is patched before that timeframe is complete. Payments are typically made after a 0day exploit has been delivered and tested against requirements, necessitating sellers to trust buyers to act in good faith. Similarly, buyers purchasing exploits must trust the sellers not to expose the vulnerability or share it with others if it’s sold on an exclusive basis.”
The post goes on to discuss pricing, product reliability, and the sources of Hacking Team’s offerings. Tsyrklevich compiles specifics on dealings between Hacking Team and several of its suppliers, including the companies Netragard, Qavar, VUPEN, Vulnerabilities Brokerage International, and COSEINC, as well as a couple of freelancing individuals. See the article for more on each of these (and a few more under “miscellaneous”). Tsyrklevich notes that, though the exposure of Hacking Team’s emails has prompted changes to the international export-control agreement known as the Wassenaar Arrangement, the company itself seems to be weathering the exposure just fine. In fact, their sales are reportedly climbing.
Cynthia Murrell, August 14, 2015
Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph
Chrome Restricts Extensions amid Security Threats
June 22, 2015
Despite efforts to maintain an open Internet, malware seems to be pushing online explorers into walled gardens, akin to the old AOL setup. The trend is illustrated by a story at PandoDaily, “Security Trumps Ideology as Google Closes Off its Chrome Platform.” Beginning this July, Chrome users will only be able to download extensions for that browser from the official Chrome Web Store. This change is on the heels of one made in March—apps submitted to Google’s Play Store must now pass a review. Extreme measures to combat an extreme problem with malicious software.
The company tried a middle-ground approach last year, when it imposed the our-store-only policy on all users except those using Chrome’s development build. The makers of malware, though, are adaptable creatures; they found a way to force users into the development channel, then slip in their pernicious extensions. Writer Nathaniel Mott welcomes the changes, given the realities:
“It’s hard to convince people that they should use open platforms that leave them vulnerable to attack. There are good reasons to support those platforms—like limiting the influence tech companies have on the world’s information and avoiding government backdoors—but those pale in comparison to everyday security concerns. Google seems to have realized this. The chaos of openness has been replaced by the order of closed-off systems, not because the company has abandoned its ideals, but because protecting consumers is more important than ideology.”
Better safe than sorry? Perhaps.
Cynthia Murrell, June 22, 2015
Amazon, Pages, and Research
June 21, 2015
I read “What If Authors Were Paid Every Time Someone Turned a Page.” As you may know, I have complained directly and through my attorney because IDC and its wizard Dave Schubmehl sold a report containing my information on Amazon. The mid tier consulting firm pegged a $3,500 price tag on an eight page report based on my work. Well, as Jack Benny used to say. Well.
The publisher / consultant behavior annoyed me, but I do not sell my content via Amazon. I would prefer to give away a report than get tangled in the Bezos buzz saw. Sure, I buy talcum powder from the Zon, but that’s because the grocery in Harrod’s Creek does not sell any talcum powder. The Zon gets the product to me in a few days. Sometimes.
My thoughts about Amazon ramped up a notch when I read this passage in the article from The Atlantic:
Soon, the maker of the Kindle is going to flip the formula used for reimbursing some of the authors who depend on it for sales. Instead of paying these authors by the book, Amazon will soon start paying authors based on how many pages are read—not how many pages are downloaded, but how many pages are displayed on the screen long enough to be parsed. So much for the old publishing-industry cliché that it doesn’t matter how many people read your book, only how many buy it. For the many authors who publish directly through Amazon, the new model could warp the priorities of writing: A system with per-page payouts is a system that rewards cliffhangers and mysteries across all genres. It rewards anything that keeps people hooked, even if that means putting less of an emphasis on nuance and complexity.
Several observations:
- I often buy digital and hard copy books because I need access to a specific passage. I recently ordered a book about law enforcement and the Web. I was interested in two chapters and the bibliographies for those chapters. The notion of paying the author, a police professional, for only those pages I examined rubs me the wrong way. I have the book and I may need to access other chapters at a different point in time. But I want the author to be paid for this very good work. If I understand the write up, Amazon wants to move in a different direction.
- When I get a book via Amazon for my Kindle, I thought I could use the book as long as I had the device. Well. (There’s the Benny word again.) I have experienced disappearing content. My wife asked me where a title was, I said, “In the archive.” Nope. The title was disappeared. Nifty. I contacted Amazon via a form and heard nothing back. Who got paid? Amazon, but I no longer have the digital book. Nifty, but I probably made a mistake or at least that’s what outfits operating like Time Warner-type companies tell me. My fault.
- Amazon, like the Google, is faced with cost projections that are likely to give accountants headaches and sleepless nights. Amazon, a digital Wal-Mart type operation, is going to squeeze revenue any way possible. Someone has to pay for the Amazon phone and other Amazon adventures. Same day groceries, anyone?
Net net: No wonder the second hand book stores in Louisville, Kentucky are crowded. Physical books work the way they have for centuries, thank you. You will be able to buy my new study from the electronic store we have set up. The book will even be available in hard copy if a person wants a tangible instance. Maybe I will sell fewer copies. That’s okay. I prefer to avoid being clever and making my work available to anyone who wants to access it. None of that IDC-like behavior either. $3,500 for eight pages. Crazy, right?
I often purchase fiction books, read a few pages, and then decide the book is not in my wheelhouse. I want the author to get paid whether I read every page or not. I think the author wants to get paid as well. The only outfit that doesn’t want to pay may be the Zon.
Stephen E Arnold, June 21, 2015
Search Companies: Innovative or Not?
June 11, 2015
Forbes’ article “The 50 Most Innovative Companies Of 2014: Strong Innovators Are Three Times More Likely To Rely on Big Data Analytics” points out how innovation is strongly tied to big data analytics and data mining these days. The Boston Consulting Group (BCG) studies the methodology of innovation. The numbers are astounding when companies that use big data are placed against those who still have not figured out how to use their data: 57% vs. 19%.
Innovation, however, is not entirely defined by big data. Most of the companies that rely on big data as key to their innovation are software companies. Forbes’ study found that 53% see big data as having a huge impact in the future, while BCG found only 41% who saw big data as vital to their innovation.
Big data cannot be and should not be ignored. Forbes and BCG found that big data analytics are useful and can have huge payoffs:
“BCG also found that big-data leaders generate 12% higher revenues than those who do not experiment and attempt to gain value from big data analytics. Companies adopting big data analytics are twice as likely as their peers (81% versus 41%) to credit big data for making them more innovative.”
Measuring innovation proves to be subjective, but one cannot deny the positive effect big data analytics and data mining can have on a company. You have to realize, though, that big data results are useless without a plan to implement and use the data. Also take note that none of the major search vendors are considered “innovative,” even though a huge part of big data involves searching for results.
Whitney Grace, June 11, 2015
Online Shopping Is Too Hard
June 10, 2015
Online shopping is supposed to drive physical stores out of business, but that might not be the case if online shopping is too difficult. The Ragtrader article, “Why They Abandon” explains that 45 percent of Australian consumers will not make an online purchase if they experience Web site difficulties. The consumers, instead, are returning to physical stores to make the purchase. The article mentions that 44 percent believe that traditional shopping is quicker if they know what to look for and 43 percent prefer in-store service.
The research comes from a Rackspace survey to determine shopping habits in New Zealand and Australia. The survey also asked participants what other problems they experienced shopping online:
“42 percent said that there were too many pop-up advertisements, 34 percent said that online service is not the same as in-store and 28 percent said it was too time consuming to narrow down options available.”
These are understandable issues. People don’t want to be hounded to purchase other products when they have a specific item in mind, and thousands of options are overwhelming to search through. A digital storefront can also be daunting for people who prefer interpersonal relationships when they shop. The survey may pinpoint online shopping weaknesses, but it also helps online stores determine the best ways to improve.
“This survey shows that not enough retailers are leveraging powerful and available site search and navigation solutions that give consumers a rewarding shopping experience.”
People shop online for convenience, variety, lower prices, and deals. Search is vital for consumers to narrow down their needs, but if they can’t navigate a Web site then search proves as useless as an expired coupon.
Whitney Grace, June 10, 2015
SLI Systems Still Struggling
May 26, 2015
Early this year, we reported on the sudden personnel shift over at e-commerce search firm SLI Systems. Now, New Zealand’s National Business Review reports, “SLI Systems Says Second-Half Revenue Will Miss Expectations on Weaker American Sales.” It seems the staff shake-up led to disappointing sales, but the company is confident they will make up ground later this year, after the dust settles. They also cite a weak economy in Brazil as a limiting factor. Reporter Tina Morrison writes:
“Operating revenue will rise to $28 million in the year ending June 30, from $22 million a year earlier, the Christchurch-based company said in a statement. The forecast is lower than the $30.5 million expected by analysts in a Reuters poll. …
“The company is forgoing profits and dividends to fund growth in the expanding e-commerce market, particularly in the US, and says its software as a service is the second biggest after Oracle to provide online retailers with suggestive search engines. Analysts polled by Reuters before today’s announcement had expected the company’s annual loss to widen to $7 million this year, from $5.7 million last year. It expects to report its annual earnings in late August.”
Founded in 2001, SLI Systems now powers e-commerce on over 800 websites. The company is based in Christchurch, New Zealand, and maintains offices in San Jose, California; London; Melbourne; and Tokyo. Anyone who thinks they can help the company bounce back should note that (as of this writing) SLI is looking for new Sales Directors in Melbourne and San Jose.
Cynthia Murrell, May 26, 2015
Yahoo Considers Options for Japanese Division
May 25, 2015
Despite a series of changes since former Googler Marissa Mayer took over at Yahoo, the search-and-entertainment company still struggles to find its footing in a tech landscape that shifted around it long ago. Bloomberg Business wonders whether Yahoo’s next steps in Japan will set it on a sturdier path in “Yahoo Weighs Options for Japan Stake; Sales Miss Estimates.” Writer Brian Womack reports that Mayer plans to make the most of her company’s Japanese assets. He posits:
“By telling investors she’s looking at options for Yahoo Japan, Mayer may be seeking to buy herself more time to jump-start growth at the company she’s been working to turn around for almost three years. Unless she can expand sales, investors may eventually lose patience with the strategy and question her leadership. Some analysts speculated earlier this year that Yahoo could become a takeover target for a larger Internet company after it spins off the Alibaba stake.
“Yahoo’s share of the U.S. online display ad market may slide to 3.5 percent in 2017 from 5.5 percent last year, according to EMarketer Inc. Quarterly revenue growth has come in at less than 4 percent or negative since the end of 2012.”
The success of Alibaba, China’s largest e-commerce firm and a Yahoo asset, is responsible for much of the company’s recent growth, such as it is, but that boost will only last so long. Womack reports there has been investor pressure to spin off Yahoo’s Japanese division, but apparently Mayer prefers to consider a range of options. Will Yahoo find salvation in the land of the rising sun?
Cynthia Murrell, May 25, 2015
The Enterprise is a Jungle Search
April 16, 2015
The word collaboration has become one of those corporate power words like “synergy” and “KISS method.” Many people groan inwardly at new ways to “collaborate,” because it usually means another tool they have to learn, one that will fall out of use in under a year. With the myriad of ways to collaborate digitally, getting any actual collaborating done is difficult. The SAP News blog says enterprise collaboration might be getting a little easier in the article, “EnterpriseJungle Tames Enterprise Search.”
EnterpriseJungle created an application on the SAP Hana Cloud Platform to help companies quickly find and connect with experts within or outside their company. Sinclair, the Principal at EnterpriseJungle, states that a company’s people search is a vital tool for locating and harnessing information.
“‘Large companies are desperate to get a handle on understanding and accessing the expertise available to them at any given moment,’ said Sinclair. ‘Our solutions help companies solve fundamental questions like how do we find the people who are fantastic at what they do, but only known to their closest core group of co-workers? And, how do we easily bring their knowledge and expertise to the front line with minimal extra work? If we can help get information to employees that need it, we’re fundamentally making their lives easier, and making the company’s life easier.’”
After describing how EnterpriseJungle’s application works and its usefulness for companies, the article claims it offers Google-like search results. While it might be a people search tool, the application is capable of much more. It can help people locate experts, track down skill sets, and even improve IT relations.
EnterpriseJungle is hitting on a vital tool for companies. People search has a severe need for improvement and this might be the start of a new enterprise niche market.
Whitney Grace, April 16, 2015
Stephen E Arnold, Publisher of CyberOSINT at www.xenky.com
AI Technology Poised to Spread Far and Wide
April 3, 2015
Artificial intelligence is having a moment; the second half of last year saw about half a billion dollars invested in the AI industry. Wired asks and answers, “The AI Resurgence: Why Now?” Writer Babak Hodjat observes that advances in hardware and cloud services have allowed more contenders to afford to enter the arena. Open source tools like Hadoop also help. Then there’s public perception; with the proliferation of Siri and her ilk, people are more comfortable with the whole concept of AI (Steve Wozniak aside, apparently). It seems to help that these natural-language personal assistants have a sense of humor. Hodjat continues:
“But there’s more substance to this resurgence than the impression of intelligence that Siri’s jocularity gives its users. The recent advances in Machine Learning are truly groundbreaking. Artificial Neural Networks (deep learning computer systems that mimic the human brain) are now scaled to several tens of hidden layer nodes, increasing their abstraction power. They can be trained on tens of thousands of cores, speeding up the process of developing generalizing learning models. Other mainstream classification approaches, such as Random Forest classification, have been scaled to run on very large numbers of compute nodes, enabling the tackling of ever more ambitious problems on larger and larger data-sets (e.g., Wise.io).”
The investment boom has produced a surge of start-ups offering AI solutions to companies in a wide range of industries. Organizations in fields as diverse as medicine and oil production seem eager to incorporate these tools; it remains to be seen whether the tech is a good investment for every type of enterprise. For his part, Hodjat has high hopes for its use in fraud detection, medical diagnostics, and online commerce. And for ever-improving personal assistants, of course.
Cynthia Murrell, April 3, 2015
EBay Develops Open Source Pulsar for Real Time Data Analysis
April 2, 2015
A new large-scale, real-time analytics platform has been launched in response to one huge company’s huge data needs. VentureBeat reports, “EBay Launches Pulsar, an Open-Source Tool for Quickly Taming Big Data.” EBay has made the code available under an open-source license. It seems traditional batch processing systems, like that found in the widely used open-source Hadoop, just won’t cut it for eBay. That puts them in good company; Google, Microsoft, Twitter, and LinkedIn have each also created their own stream-processing systems.
Shortly before the launch, eBay released a whitepaper on the project, “Pulsar—Real-time Analytics at Scale.” It describes the what and why behind Pulsar’s design; check it out for the technical details. The whitepaper summarizes itself:
“In this paper we have described the data and processing model for a class of problems related to user behavior analytics in real time. We describe some of the design considerations for Pulsar. Pulsar has been in production in the eBay cloud for over a year. We process hundreds of thousands of events/sec with a steady state loss of less than 0.01%. Our pipeline end to end latency is less than a hundred milliseconds measured at the 95th percentile. We have successfully operated the pipeline over this time at 99.99% availability. Several teams within eBay have successfully built solutions leveraging our platform, solving problems like in-session personalization, advertising, internet marketing, billing, business monitoring and many more.”
For updated information on Pulsar, monitor their official website at gopulsar.io.
Cynthia Murrell, April 2, 2015