November 12, 2013
Those of us with experience in IT may not be surprised by the revelations InfoWorld shares in “6 Dirty Secrets of the IT Industry.” This magazine of IT gospel asked its readers to share their observations of shady IT matters, then fact-checked the results. See the article for the whole roster, but I’ll share a few bits here.
Secret number one is the broadest; Writer Dan Tynan colorfully titles this one, “Sys admins have your company by the short hairs.” He quotes Pierluigi Stella, CTO of security firm Network Box USA, who gives each of us good reason to send our IT departments the random gift basket:
“There are no secrets for IT. I can run a sniffer on my firewall and see every single packet that comes in and out of a specific computer. I can see what people write in their messages, where they go to on the Internet, what they post on Facebook. In fact, only ethics keep IT people from misusing and abusing this power. Think of it as having a mini-NSA in your office.”
Speaking of the NSA, Tynan calls those government snoopers “punks compared to consumer marketing companies and data brokers.” He cites the practices in casinos as the epitome of this very individualized marketing tactic, and provides examples. He goes on to quote former casino executive and Louisiana State University professor Michael Simon, who emphasizes that the practice is far from limited to casinos:
“I teach an MBA class on database analysis and mining, and all the companies we study collect customer information and target offers specific to customer habits. It’s routine business practice today, and it’s no secret. For example, I bring my dog to PetSmart for specific services and products, and the offers they send me are specific to my spending habits. . . instead of wasting time sending me stuff I won’t use like discounts on cat food or tropical fish.”
Whether you, like Simon, appreciate targeted marketing or you find it creepy, it is worth remembering how much data these entities are collecting on each of us.
It is also good to keep in mind some pitfalls of another practice that has become commonplace—storing data in the cloud. In fact, this could be the most disconcerting item on this list. Though we tend to think of the cloud in nebulous terms, that data is actually stored on real servers somewhere. When our data shares rack space with that of other entities, we run the risk of intrusion and confiscation through no fault of our own. The article emphasizes:
“Your cloud data could be swept up in an investigation of an entirely unrelated matter — simply because it was unlucky enough to be kept on the same servers as the persons being investigated. . . . Users who want to protect themselves against this worst-case scenario need to know where their data is actually being kept and which laws may pertain to it, says David Campbell, CEO of cloud security firm JumpCloud. ‘Our recommendation is to find cloud providers that guarantee physical location of servers and data, such as Amazon, so that you can limit your risk proactively,’ he says.”
Another suggestion is to encrypt your data, of course. Keeping a local backup is another good idea, since law enforcement seems to be under no obligation to grant access to your own confiscated data. For some of us, this is just more evidence that sensitive information does not belong in the cloud. Caveat Emptor.
Cynthia Murrell, November 12, 2013
November 3, 2013
If you are tracking the evolution of open source enterprise search vendors, you may want to read “Enterprise Search Technology: Leading the Battle against Internal Threats without Sacrificing Employee Privacy.” In my years of covering the intersection of enterprise search, I marvel at a fresh conflation. In my talk next week at the search conference in Washington, DC, I may ask the audience about this issue. Until then, consider the LucidWorks’ viewpoint. Fascinating. Fascinating indeed. search continues to move in new and surprising directions. For case studies of vendors who have pioneered new directions in search, check out the case studies at www.xenky.com/vendlor-profiles.
Stephen E Arnold, November 3, 2013
October 10, 2013
As more and more information moves to the Cloud, questions arise about how to secure that data. CipherPoint has announced a new Cloud data security solution that hopes to help solve the problem. Read more in the EON article, “CipherPoint Announces Cloud Data Security Solution for SharePoint Online and Office365.”
The article begins:
“With CipherPoint Eclipse™ for SharePoint Online and Office365, organizations can now identify, secure and audit access to sensitive and regulated data stored in cloud collaboration platforms. This new solution provides customers with robust encryption, using industry standard encryption algorithms, access control, audit reporting and customer-controlled encryption keys to address real concerns that large enterprises have about cloud security.”
Stephen E. Arnold, a longtime expert in search and founder of Arnold IT, has frequently noted that while SharePoint is the most widely used enterprise solution, it is not necessarily the highest functioning. Key features are still lacking and it might not be much longer before even the biggest enterprises go looking for other solutions, including open source. Enterprises still using SharePoint often have to supplement with additional add-ons, such as the security solution that CipherPoint now offers.
Emily Rae Aldridge, October 10, 2013
September 27, 2013
Microsoft’s recent SharePoint security bulletin left a few developers shaking in their the code. According to Threat Post’s article, “SharePoint Fixes Priority For September 2013 Patch Tuesday,” online SharePoint installations are vulnerable to thirteen critical threats and Microsoft only patched ten of them. The threats lead to remote code execution on the collaboration server. Nearly all versions of SharePoint are affected and any installation that has disabled the user highest risk.
The CVE-2013-1330 bug is the worst threat. It is a remote code execution that gives the attacker privileges in the context of W3WP service account, but it requires authentication to gain access. If that feature is turned off, your SharePoint installation is a delightful smorgasbord of hacked information.
Some are surprised about Microsoft’s alarm and user ignorance:
“ ‘It’s interesting that Microsoft prioritized the SharePoint bulletin as highly as they did. In theory, the vulnerability requires authentication. Given the frequency with which people disable SharePoint authentication and the ease of access to documentation on that process, the priority needs to be that high,’ said Tyler Reguly, technical manager of security research and development at Tripwire. ‘People know their computers and email need good passwords. It boggles my mind that we see so many SharePoint deployments in anonymous mode. ‘”
I have been told multiple times by online expert Stephen E Arnold of Arnold IT to always take security risks seriously and find a solution quickly or private information will be stolen faster than a Google search.
Whitney Grace, September 27, 2013
September 25, 2013
Search can be a lot of things, but “terrifying”? Yes, I’m afraid so. Forbes describes a thoroughly modern, search-related threat in, “The Terrifying Search Engine that Finds Internet-Connected Cameras, Traffic Lights, Medical Devices, Baby Monitors, and Power Plants.”
You may have heard the story about the hacked baby monitor, through which one truly deplorable individual viewed and harassed a sleeping two-year-old who was tucked into her own bed. In this piece, journalist Kashmir Hill examines the search engine Shodan, which she says probably facilitated that digital predator. Such a trespass is just the tip of the chill-inducing iceberg. She writes:
“Shodan crawls the Internet looking for devices, many of which are programmed to answer. It has found cars, fetal heart monitors, office building heating-control systems, water treatment facilities, power plant controls, traffic lights and glucose meters. A search for the type of baby monitor used by the Gilberts reveals that more than 40,000 other people are using the IP cam–and may be sitting ducks for creepy hackers. . . .
“Shodan’s been used to find webcams with security so low that you only needed to type an IP address into your browser to peer into people’s homes, security offices, hospital operating rooms, child care centers and drug dealer operations. Dan Tentler, a security researcher who has consulted for Twitter, built a program called Eagleeye that finds webcams via Shodan, accesses them and takes screenshots. He has documented almost a million exposed webcams.”
Scary stuff, but that is not all. The article notes that many modern buildings that house everything from apartments to businesses to government facilities have security, lighting, and HVAC systems connected to the Internet, where they could be hijacked. Even entire power grids could be usurped. The unnerving possibilities seem endless.
Like many scary things, Shodan can also be used for good. Folks working in security, academia, law enforcement, and white-hat hacking have used the tool to find susceptible devices and see that they are secured. It is also at least a bit comforting that the FTC is aware of Shodan’s capabilities and the vulnerabilities it reveals. The takeaway for consumers, of course, is to pay close attention to locking down devices from our end, with things like obscure user names (not “admin”!) and hard-to-guess passwords. Better yet, at least for now, we may wish to tune out the growing siren song that promises convenience through universal connectivity. The cost could be too high until security is significantly improved.
The programmer that developed and now runs the search engine, John Matherly, originally envisioned it being used by corporations for, let’s call it, competitor research. The sharp turn into creepy territory, though, does not seem to bother him. In fact, he seems to see this development as a good thing, shining light on inadequate security practices at companies that sell internet-connected devices. See the article for more about the man behind Shodan and the hornets’ nest that he has soundly thwacked.
Cynthia Murrell, September 25, 2013
September 21, 2013
HP Autonomy aims to bring stronger security to the cloud with Autonomy LinkSite, a solution that integrates WorkSite, the division’s on-site data management solution, with HP’s public cloud-based sharing and collaboration service Flo CM. Market Wired shares the details in, “HP Autonomy Delivers Proven and Secure Enterprise-Grade Alternative to Consumer File Sharing Services.”
It has not taken long for many of us to get used to today’s cloud-based, consumer file-sharing technology. We want to be able to share anything of any size with anyone from any device, synchronizing instantly. Such expectations brought into the workplace from our personal habits can mean real security headaches for businesses. At the same time, continuing to rely on the very limiting method of sharing files through email is becoming less and less tenable. The press release tells us:
“Autonomy LinkSite combines an enterprise-grade document and email management system with the ease of use and simplicity of a consumer solution. It provides the enterprise with a single, integrated, user-friendly tool for external file sharing and collaboration. Autonomy LinkSite enables a single file or an entire project folder to be shared in the cloud with internal and external collaborators, directly from the Autonomy WorkSite application. . . .
“‘For the first time, organizations no longer have to turn a blind eye to continued use of undocumented consumer file sharing services,’ said Neil Araujo, general manager, Enterprise Content Management, HP Autonomy. “Businesses now have a very attractive alternative that satisfies the needs of the users as well as the IT and compliance teams.’”
The write-up lists the following benefits of this new tool: collaboration across firewalls; the convenience of a single point of access for each user; synchronization across all employee devices; an ease of use that they say surpasses that of the consumer-grade file-sharing options; and, perhaps most importantly, the “seamless” extension of security, authorization, and audit properties from WorkSite into the cloud.
Tech giant HP purchased Autonomy in what was, let’s just say, a much-discussed deal back in 2011. Founded in 1996, Autonomy grew from research originally performed at Cambridge University. Their solutions help prominent organizations around the world manage large amounts of data.
Cynthia Murrell, September 21, 2013
September 17, 2013
Big Data comes with its own slew of security problems, but could it actually be used to keep track of them? The idea of using big data to catch security threats is a novel idea and a big one to stand behind. PR Newswire lets is know that, “AnubisBetworks’s Big Data Intelligence Platform Analyses Millions Of Cyber Security Threat Events.” AnubisNetworks is a well-known name in the IT security risk management software and cloud solutions field and its newest product to combat cyber threats is StreamForce. StreamForce is a real-time intelligence platform that detects and analyzes millions of cyber security threats per second.
StreamForce de-duplicates events to help speed up big data storage burden, which is one of the biggest challenges big data security faces.
“Within the new “big-data” paradigm – the exponential growth, availability and use of information, both structured and unstructured – is presenting major challenges for organizations to understand both risks as well as seizing opportunities to optimize revenue. StreamForce goes to the core of dealing with the increasingly complex world of events, across a landscape of distinct and disperse networks, cloud based applications, social media, mobile devices and applications. StreamForce goes a step further than traditional “after-the event” analysis, offering real-time actionable intelligence for risk analysts and decision makers, enabling quick reaction, and even prediction of threats and opportunities.”
StreamForce is the ideal tool for banks, financial institutions, telecommunication companies, government intelligence and defense agencies. Fast and powerful is what big data users need, but does StreamForce really stand behind its claims? Security threats are hard to detect for even the most tested security software. Can a data feather duster really do the trick to make the difference?
Whitney Grace, September 17, 2013
September 8, 2013
IBM is a respected technology company and it appears that hardly anything can bad can be said about them. There comes a time when every company must admit they have a fault in their product and IBM must step up to the plate this time. The news comes to us from Secunia, a Web site that monitors technology security, in the warning, “Security Advisory SA54460-IBM Content Analytics With Enterprise Search Multiple Vulnerabilities.” The warning is labeled as moderately critical and should worry organizations that use the software to manage their data. The bug messes with cross site scripting, manipulates data, exposes sensitive information, and a DoS.
Here is the official description:
“IBM has acknowledged a weakness and multiple vulnerabilities in IBM Content Analytics with Enterprise Search, which can be exploited by malicious people to disclose certain sensitive information, conduct cross-site scripting attacks, manipulate certain data, and cause a DoS (Denial of Service).”
Ouch! IBM must not be happy about this, but at least they discovered the problem and Content Analytics users can expect a patch at some point. Hate to bring up Microsoft at this venture, but whenever a big company has a problem I can’t help but think about how Microsoft never has a product launch without some issues. IBM is reliable and hopefully they will not go down the same path as Windows 8.
Whitney Grace, September 08, 2013
August 20, 2013
Calling all software developers, analysts and systems integrators. The leading semantic intelligence developer, Expert System is hosting a webinar entitled, “What’s Hiding In Your Data? Test Drive Our Semantic API.” The webinar is scheduled for August 28 at 12 pm ET/9 am PT and registration is now open.
We recommend that professionals who are interested in transforming content and data streams into actionable and strategic information should sign up. A unique offering of this webinar is the live product test drive so that those interested can see how their flagship Cogito Intelligence API works.
The webinar description summarizes Cogito Intelligence API:
Cogito Intelligence API is a unique API that uses the power of semantic processing—Text Mining, Categorization, Tagging—and deep domain vertical knowledge for Intelligence to help analysts access and exploit some of their most strategic sources of information. As the only semantics based system, Cogito Intelligence API provides complete understanding of meaning and context in the processing of data and resolves ambiguities in data more effectively than solutions based on keywords or statistics.
Another unique offering from the Cogito API revolves around corporate security. Their solution is already embedded with corporate security measures, which enables businesses to operate all applications with the same confidence that Cogito offers.
Megan Feil, August 20, 2013
August 6, 2013
The rise of metadata is here, but will companies be able to harness its value? Concept Searching points to the answer that ROI has not been successful with this across the board. A recent article, “Solving the Inadequacies and Failures in Enterprise Search,” admonishes the laissez-faire approach that some companies have towards enterprise search. The author advocates, instead, towards a hands-on information governance approach.
What the author calls a “metadata infrastructure framework” should be created and should be comprised of automated intelligent metadata generation, auto-classification, and the use of goal and mission aligned taxonomies.
According to the article:
The need for organizations to access and fully exploit the use of their unstructured content won’t happen overnight. Organizations must incorporate an approach that addresses the lack of an intelligent metadata infrastructure, which is the fundamental problem. Intelligent search, a by-product of the infrastructure, must encourage, not hamper, the use and reuse of information and be rapidly extendable to address text mining, sentiment analysis, eDiscovery and litigation support. The additional components of auto-classification and taxonomies complete the core infrastructure to deploy intelligent metadata enabled solutions, including records management, data privacy, and migration.
We wholeheartedly agree that investing in infrastructure is a necessity — across many areas, not just search. However, when it comes to a search infrastructure, we would be remiss not to mention the importance of security. Fortunately there are solutions like Cogito Intelligence API that offer businesses focused on avoiding risks the confidence in using a solution already embedded with corporate security measures.
Megan Feil, August 6, 2013