Kmart Australia Faces Security Breach
November 30, 2015
Oracle’s Endeca and IBM’s Coremetrics were both caught up in a customer-data hack at Kmart Australia, we learn from “Customer Data Stolen in Kmart Australia Hack” at iTnews. Fortunately, it appears credit card numbers and other payment information were not compromised; just names, contact information, and purchase histories were snagged. It seems Kmart Australia’s choice to use a third party to process payments was a wise decision. The article states:
“The retailer uses ANZ Bank’s CyberSource payments gateway for credit card processing, and does not store the details internally. iTnews understands Kmart’s online ecommerce platform is built on IBM’s WebSphere Commerce software. The ecommerce solution also includes the Oracle Endeca enterprise data discovery platform and Coremetrics (also owned by IBM) digital marketing platform, iTnews understands.”
The article goes on to report that Kmart Australia has created a new executive position, “head of online trading and customer experience.” Perhaps that choice will help the company avoid such problems in the future. It also notes that the retailer reported the breach voluntarily. Though such reporting is not yet mandatory in Australia, legislation to make it so is expected to be introduced before the end of the year.
Cynthia Murrell, November 30, 2015
Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph
IBM and Digital Piracy: Just Three Ways?
November 27, 2015
I read “Preventing Digital Piracy: 3 Ways to Use Big Data to Protect Content.” I love making complicated issues really easy. Remember the first version of the spreadsheet? Easy. Just get a terminal, wrangle the team to install LANPAR, and have at it. Easy as 1-2-3, which came after VisiCalc.
Ah, LANPAR. You remember that, right? I have fond memories of Language for Programming Arrays at Random, don’t you? I still think the approach embodied in that software was a heck of a lot more user friendly than filling in tiny rectangular areas with a No. 4 pencil and adding and subtracting columns using an adding machine.
IBM has cracked digital piracy by preventing it. Now I find that notion fascinating. On a recent trip, I noted that stolen software and movies were more difficult to find. However, a question or two of the helpful folks at a computer store in Cape Town revealed a number of tips for snagging digital content. One involved a visit to a storefront in a township. Magic. Downloaded stuff on a USB stick. Cheap, fast, unmonitored.
IBM’s solution involves streaming data. Okay, but maybe streaming for some content is not available; for example, a list of firms identified by an intelligence agency as “up and comers.”
IBM also wants me to build a real time feedback loop. That sounds great, but the angle is not rules. The IBM approach is social media. This fix also involves live streaming. Not too useful when the content is not designed to entertain.
The third step wants me to perform due diligence. I am okay with this, but then what? When I worked at a blue chip consulting firm, the teams provided specific recommendations. The due diligence is useless without informed, affordable options and the resources to implement, maintain, and tune the monitoring activity.
I am not sure what IBM expects me to do with these three steps. My initial reaction is that I would do what charm school at Booz, Allen taught decades ago; that is, figure out the problem, identify the options, and implement the approach that had the highest probability of resolving the issue. The job is not to generalize. Proper scope helps ensure success.
If I wanted to prevent digital piracy, I would look to companies which have sophisticated, automatable methods to identify and remediate issues.
IBM, for example, does not possess the functionality of a company like Terbium Labs. There are other innovators dealing with leaking data. I could use LANPAR to do certain types of spreadsheet work. But why? Forward looking solutions do more than offer trivial 1-2-3.
Stephen E Arnold, November 27, 2015
Interview with Informatica CEO
November 26, 2015
Blogger and Datameer CEO Stefan Groschupf interviews Anil Chakravarthy, acting CEO of Informatica, in a series of posts on his blog, Big Data & Brews. The two executives discuss security in the cloud, data infrastructure, schemas, and the future of data. There are four installments as of this writing, but it was an exchange in the second iteration, “Big Data Brews: Part II on Data Security with Informatica,” that captured our attention. Here’s Chakravarthy’s summary of the challenge now facing his company:
Stefan: From your perspective, where’s the biggest growth opportunity for your company?
Anil: We look at it as the intersection of what’s happening with the cloud and big data. Not only the movement of data between our premise and cloud and within cloud to cloud but also just the sheer growth of data in the cloud. This is a big opportunity. And if you look at the big data world, I think a lot of what happens in the big data world from our perspective, the value, especially for enterprise customers, the value of big data comes from when they can derive insights by combining data that they have from their own systems, etc., with either third-party data, customer-generated data, machine data that they can put together. So, that intersection is good for, and we are a data infrastructure provider, so those are the two big areas where we see opportunity.
It looks like Informatica is poised to make the most of the changes prompted by cloud technology. To check out the interview from the beginning, navigate to the first installment, “Big Data & Brews: Informatica Talks Security.”
Informatica offers a range of data-management and integration tools. Though the company has offices around the world, they maintain their headquarters in Redwood City, California. They are also hiring as of this writing.
Cynthia Murrell, November 26, 2015
Do Not Go Gently into That Dark Web
November 26, 2015
The article titled Don’t Toy With The Dark Web, Harness It on Infoworld’s DarkReading delves into some of the misconceptions about the Dark Web. The first point the article makes is that a great many threats to security occur on the surface web, on such well-known sites as Reddit and social media platforms like Instagram. Not only are these areas of the web easier to search without Tor or I2P, but they are often more relevant, particularly for certain industries and organizations. The article also points out the harm in even “poking around” the Dark Web:
“It can take considerable time, expertise and manual effort to glean useful information. More importantly, impromptu Dark Web reconnaissance can inadvertently expose an organization to greater security risks because of unknown malicious files that can infiltrate the corporate network. Additionally, several criminal forums on the Dark Web utilize a “vouching” system, similar to a private members club, that might require an investigator to commit a crime or at least stray into significantly unethical territory to gain access to the content.”
A novice could easily get into more trouble than they bargained for, especially when taking receipt of stolen goods is considered a felony. Leave the security work to professionals, and make sure the professionals you employ have checked out this Dark Web reading series.
Chelsea Kerwin, November 26, 2015
Profile of the Equation Group
November 25, 2015
Short honk: I overlooked a link from one of the goslings from early 2015. The Kaspersky report about the Equation Group triggered some media commentary. The report, quite to my surprise, is still available online (or it was when I verified the link on November 23, 2015). If you are interested in information access using unconventional or at least not Emily Post approved methods, you can download “Equation Group: Questions and Answers”, Version 1.5 from Secure List.
Stephen E Arnold, November 25, 2015
Improper Information Access: A Way to Make Some Money
November 24, 2015
I read “Zerodium Revealed Prices” (original is in Russian). The main point of the write up is that exploits or hacks are available for a price. Some of these are attacks which may not be documented by the white hat folks who monitor the exploit and malware suburbs connected to the information highway.
The paragraph I noted explained what Zerodium will pay for a fresh, juicy exploit.
Here’s the explanation. Please, recognize that Russian, unlike one of my relative’s language skills, is not my go to language:
For a remote control access exploit which intercepts the victim’s computer through Safari or Microsoft’s browser, the company is willing to pay $50,000. A more sophisticated “entry point” is considered Chrome: for an attack through it, Zerodium pays $80,000. Zerodium will pay $5,000 for a vulnerability in WordPress, Joomla and Drupal. Breaking the TorBrowser can earn the programmer about $30,000… A remote exploit bypassing the protection of Android or Windows Phone will bring its author $100,000. A working exploit of iOS will earn the developer $500,000.
Zerodium explains itself this way:
“Zerodium is a privately held and venture backed startup, founded by cybersecurity veterans with unparalleled experience in advanced vulnerability research and exploitation. We’ve created Zerodium to build a global community of talented and independent security researchers working together to provide the most up-to-date source of cybersecurity research and capabilities.”
The company’s logo is nifty too:
The purple OD emphasizes the zero day angle. Are exploits search and information access? Yep, they can be. Not advocating, just stating a fact.
Stephen E Arnold, November 24, 2015
No Mole, Just Data
November 23, 2015
It all comes down to putting together the pieces, we learn from Salon’s article, “How to Explain the KGB’s Amazing Success Identifying CIA Agents in the Field?” For years, the CIA was convinced there was a Soviet mole in their midst; how else to explain the uncanny knack of the 20th Century’s KGB for identifying CIA agents? Now we know it was due to the brilliance of one data-savvy KGB agent, Yuri Totrov, who analyzed the U.S. government’s personnel data to separate the spies from the rest of our workers overseas. The technique was very effective, and all without the benefit of today’s analytics engines.
Totrov began by searching the KGB’s own data, and that of allies like Cuba, for patterns in known CIA agent postings. He also gleaned a lot of info from publicly available U.S. literature and from local police. Totrov was able to derive 26 “unchanging indicators” that would pinpoint a CIA agent, as well as many other markers less universal but still useful: things like CIA agents driving the same car and renting the same apartment as their immediate predecessors. Apparently, logistics agents back at Langley did not foresee that such consistency, though cost-effective, could be used against us.
Reporter Jonathan Haslam elaborates:
“Thus one productive line of inquiry quickly yielded evidence: the differences in the way agency officers undercover as diplomats were treated from genuine foreign service officers (FSOs). The pay scale at entry was much higher for a CIA officer; after three to four years abroad a genuine FSO could return home, whereas an agency employee could not; real FSOs had to be recruited between the ages of 21 and 31, whereas this did not apply to an agency officer; only real FSOs had to attend the Institute of Foreign Service for three months before entering the service; naturalized Americans could not become FSOs for at least nine years but they could become agency employees; when agency officers returned home, they did not normally appear in State Department listings; should they appear they were classified as research and planning, research and intelligence, consular or chancery for security affairs; unlike FSOs, agency officers could change their place of work for no apparent reason; their published biographies contained obvious gaps; agency officers could be relocated within the country to which they were posted, FSOs were not; agency officers usually had more than one working foreign language; their cover was usually as a ‘political’ or ‘consular’ official (often vice-consul); internal embassy reorganizations usually left agency personnel untouched, whether their rank, their office space or their telephones; their offices were located in restricted zones within the embassy; they would appear on the streets during the working day using public telephone boxes; they would arrange meetings for the evening, out of town, usually around 7.30 p.m. or 8.00 p.m.; and whereas FSOs had to observe strict rules about attending dinner, agency officers could come and go as they pleased.”
In the era of Big Data, it seems like common sense to expect such deviations to be noticed and correlated, but it was not always so obvious. Nevertheless, Totrov’s methods did cause embarrassment for the agency when they were revealed. Surely, the CIA has changed its logistical ways dramatically since then to avoid such discernible patterns. Right?
Cynthia Murrell, November 23, 2015
ACA Application Process Still Vulnerable to Fraudulent Documents
November 20, 2015
The post on Slashdot titled Affordable Care Act Exchanges Fail to Detect Counterfeit Documentation relates the ongoing issue of document verification within the Affordable Care Act (ACA) process. The Government Accountability Office (GAO) submitted fake applications to test the controls at the state and federal level for application and enrollment in the ACA. The article states,
“Ten fictitious applicants were created to test whether verification steps including validating an applicant’s Social Security number, verifying citizenship, and verifying household income were completed properly. In order to test these controls, GAO’s test applications provided fraudulent documentation: ‘For each of the 10 undercover applications where we obtained qualified health-plan coverage, the respective marketplace directed that our applicants submit supplementary documentation; we provided counterfeit follow-up documentation, such as fictitious Social Security cards with impossible Social Security numbers, for all 10…’”
The GAO report itself mentions that eight of the ten fakes were rejected at first, but later accepted. It shows that the ways in which the fake applications were fraudulent included not only “impossible” Social Security Numbers, but also duplicate enrollments and lack of employer-sponsored coverage. Ultimately, the report concludes that the ACA is still “vulnerable.” Granted, catching such issues is exactly why the GAO audited the system. The article provides no details on what new controls and fixes are being implemented.
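As an added illustration (this is not code from the Slashdot post or the GAO report), here is the kind of structural screen that would have rejected the “impossible” Social Security numbers and duplicate enrollments the audit describes. It assumes the Social Security Administration’s published structural rules for nine-digit SSNs; the applications are constructed sample data.

```python
import re

# Structural rules the Social Security Administration publishes for SSNs:
# the area (first three digits) is never 000, 666, or 900-999; the group
# (middle two) is never 00; the serial (last four) is never 0000. A few
# numbers are also known to be invalid because they were printed on
# sample cards or used in advertising.
KNOWN_INVALID = {"078-05-1120", "219-09-9999"}
SSN_RE = re.compile(r"^(\d{3})-(\d{2})-(\d{4})$")


def ssn_is_possible(ssn: str) -> bool:
    """True if the SSN is structurally possible (not proof it was ever issued)."""
    m = SSN_RE.match(ssn)
    if not m:
        return False
    area, group, serial = m.groups()
    if area in ("000", "666") or area >= "900":
        return False
    if group == "00" or serial == "0000":
        return False
    return ssn not in KNOWN_INVALID


def screen_applications(apps):
    """Flag applications whose SSN is impossible or that repeat an SSN already
    enrolled earlier in the batch. Returns {applicant_id: [reasons]} for flagged
    applications only; clean applications are absent from the result."""
    seen = set()
    flagged = {}
    for app in apps:
        reasons = []
        ssn = app["ssn"]
        if not ssn_is_possible(ssn):
            reasons.append("impossible SSN")
        if ssn in seen:
            reasons.append("duplicate of earlier enrollment")
        seen.add(ssn)
        if reasons:
            flagged[app["id"]] = reasons
    return flagged


# Constructed sample applications (hypothetical, not GAO's test cases).
SAMPLE_APPS = [
    {"id": "A1", "ssn": "123-45-6789"},  # structurally possible
    {"id": "A2", "ssn": "000-12-3456"},  # impossible area 000
    {"id": "A3", "ssn": "123-45-6789"},  # duplicates A1's enrollment
    {"id": "A4", "ssn": "219-09-9999"},  # known advertising number
    {"id": "A5", "ssn": "456-78-0000"},  # impossible serial 0000
]

if __name__ == "__main__":
    for applicant, why in screen_applications(SAMPLE_APPS).items():
        print(applicant, "->", ", ".join(why))
```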
Chelsea Kerwin, November 20, 2015
Facebook Acts in Its Own Best Interest
November 19, 2015
The article titled Petition: Facebook Betrayed Us By Secretly Lobbying for Surveillance Bill on BoingBoing complains that Facebook has been somewhat two-faced regarding privacy laws and cyber surveillance. The article claims that Facebook publicly opposed the Cybersecurity Information Sharing Act (CISA) while secretly lobbying to push it through. The article explains,
“Facebook has come under public fire for its permissive use of user data and pioneering privacy-invasive experiments in the past. They have also supported previous versions of the cybersecurity info-sharing bills, and their chief Senate lobbyist, Myriah Jordan, worked as General Counsel for CISA’s sponsor, Senator Richard Burr, immediately before moving to Facebook. Facebook has declined to take a public position on CISA, but in recent days sources have confirmed that in fact Facebook is quietly lobbying the Senate to pass it.”
This quotation does raise the question of why anyone would believe that Facebook opposes CISA, given its history. It is, after all, a public company that will earn money in any acceptable way it can. The petition to make Facebook be more transparent about its position on CISA seems more like a request for an apology from a company for being a company than anything else.
Chelsea Kerwin, November 19, 2015
Career Advice from Successful Googlers
November 18, 2015
A few words of wisdom from a Google veteran went from Quora query to Huffington Post article in “What It Takes to Rise the Ranks at Google: Advice from a Senior Staff Engineer.” The original question was, “How hard is it to make Senior Engineer at Google?” HuffPo senior editor Nico Pitney reproduces the most popular response, that of senior engineer Carlos Pizano. Pizano lists some of his education and pre-Google experience, and gives some credit to plain luck, but here’s the part that makes this good guidance for approaching many jobs:
“I happen to be a believer of specialization, so becoming ‘the person’ on a given subject helped me a lot. Huge swaths of core technology key to Google’s success I know nothing about, of some things I know all there is to know … or at least my answers on the particular subject were the best to be found at Google. Finally, I never focused on my career. I tried to help everybody that needed advice, even fixing their code when they let me and was always ready to spread the knowledge. Coming up with projects but giving them to eager, younger people. Shine the light on other’s accomplishments. All that comes back to you when performance review season comes.”
Knowing your stuff and helping others—yes, that will go a long way indeed. For more engineers’ advice, some of which is more Google-specific, navigate to the list of responses here.
Cynthia Murrell, November 18, 2015