News & Information
________________________________________________________________________

FLEXcompute
March 9, 2010

We recently started a new blog site at FLEXcompute.com.  Feel free to click over and get some of our thoughts around the Data Center, cloud computing, and flexible computing space.  We have been heavily engaged in that space for the past few years and decided to share some of our thoughts with a broader audience. 

______________________________________________________________________

Key Applications -> Cloud Computing
March 7, 2010

More and more companies are moving their customer-facing Apps to the cloud.  This is simply the reality of the industry.  Doing a quick Google search you find a lot of news and information (some useful) about cloud computing.  Currently it is still mainly talk in technology circles, though the term may soon find its way into non-tech conversations as well.  Listen and look for the words "cloud" and "cloud computing" outside of the tech world to know when things have shifted.  When university professors and politicians say a tech term, it's moved from niche to mainstream.

There are a few key players benefiting greatly from the cloud transition.  These include the large incumbent providers you think of when you consider who provides the critical computing components of any virtualized network (Cisco, HP, VMware, NetApp, etc).  They should continue to get a nice resurgence in tech spending as companies will need to utilize faster and more virtualized systems to make this all work.

There is also a group of smaller companies who could benefit as well.  This includes those which help move data faster across the networks - from the Data Center to Data Center, and of course, Data Center to the customer.  These are important because customers want their data fast.  They don't care that the applications are getting richer, or provide more services.  They simply want to know the app works as quickly as their brain processes info.  Barring that, they like seeing a little note assuring them their data is on the way (a flash sign saying, "Loading" usually seems to help keep customers from clicking away).  These companies include WAN optimization providers, and software companies that synchronize your data - particularly large databases. It also includes some who actually can master the art of data compression (thereby making data transfer faster). 

Another beneficiary is the group of companies which monitor the network and tell you when and where issues arise.  In the cloud, issues are going to happen, either on your own systems, or somewhere on the path from point A to B.  Every system of logistics faces breakdowns.  The trucks that used to carry your shrink wrapped boxes of software used to get flat tires.  And yes, even the most redundant systems have chinks in the armor.  Some of these points of failure are unknown until they happen, or someone has decided fixing them isn't worth the cost for the extra 2 hours of reassurance the fix would provide.  With the case of the cloud though, you need to be able to pinpoint the issue immediately so you can deal with it (if it's within your control - which 98% of the cloud isn't).  That leads me to a discussion about telco providers and SLAs, though I will defer that point to another posting.

The greatest long-term beneficiary may be the Applications that figure out their place in the cloud.  As with any disruptive technology, there is a window where anyone can step in and provide something customers really want.  It will be interesting to see which incumbent App providers are caught off guard by a competitor they've never even heard of.  Someone out there is figuring out what data your customers want to access from anywhere.  That is, unless you are asking yourself the same thing, and doing something about it.

So is the cloud here to stay...?  Based on the way customers want their data, the answer appears to be Yes.  People seem to value convenience more than security.  In the non-tech world things have already gone this way.  Being able to access your money at an ATM is less secure than going to a bank, but it is so much easier and faster. 

Or maybe people have simply become more trusting.  They trust the companies holding their data to keep it in a secure place where only they can access it.  This is of course naive, but until they get an SB1386 notice, they will sleep well at night knowing they can access their information from anywhere - yes, even public libraries.  And if customers want it, someone will provide it to them.  Companies are simply going to keep moving their Apps to the cloud, unless there is a large catastrophic failure perhaps having to do with a large security breach.  Even then, people may still feel the convenience is too valuable to take away. 

The REAL question is what's next after the cloud?  In 5-10 or so years the cloud may be nothing more than business as usual.  By then everyone may be versed in cloud-speak, and come to expect it, rather than anticipate it.  What Google and Amazon are doing today, may simply be what everyone does (and expects your company to do) tomorrow.  10 years ago digital media was trying to figure out its place in the world.  There were tech conferences, large digital media speaking events, companies raising millions of dollars trying to buy their piece of the market.  Nowadays digital media is nothing more than what we expect every web-site to have.  It won't be long till cloud computing faces the same fate.  It will go from priority bleeding-edge technology your company needs to focus on, to another checkmark on a long list of "must haves" your customers will ask of you.

For the next 5-10 years though, keep an eye on which companies will benefit from the transition to the cloud.

 ______________________________________________________________________

Fly Clear Program - Update
Jan 27, 2009

New reports are saying the company which managed the Clear program has shut down. This was the service that, for an annual fee, would help frequent travellers pass through security gates faster.  I was on a flight to San Jose once when the friend I was travelling with was able to bypass normal security and whisk right through the Clear security check-point.  Unfortunately for him it looks like that convenience is gone, as is any chance of a refund.  Fortunately for the rest of us this is one more security issue we don't have to worry about (until someone else raises enough funds to try the exact same idea).  Bruce Schneier was against this program from the beginning which should tell you something about how secure it really was.

________________________________________________________________________

Law Firms - Social Engineering Hack
September 8, 2008

We were recently hired by a law firm that was facing a potential social engineering hack.  A social engineering hack is one where a "hacker" attempts to manipulate a person into doing something they shouldn't do.  In this case a person acting as a potential client was trying to get the firm to transfer money to a 3rd party.  It sounds ludicrous, but the plan was actually well conceived, and could easily have worked.  Our goal in relating this story is to alert people to the fact that everyone, including law firms, is subject to scam artists. 

Here is what happened: 
      A potential client contacted the law firm one day via email asking for legal services.  The lawyer who received the email assumed the request was legitimate and started an email dialogue with the prospective client.  Over the course of a few weeks they discussed the nature of the case and outlined the terms of an agreement.  The lawyer said in an email that the law firm had a policy of accepting clients only after at least one face-to-face meeting.  The potential client agreed to this initially, however they continuously made excuses on why they couldn't meet with the attorney in person.  They said they were on vacation overseas and were not sure when they would be back.  As the conversation dragged on into weeks the potential client kept saying that their vacation was being extended which delayed their meeting. 
      The lawyer decided they would at least start the process and only begin the actual work once the face-to-face meeting was done and the contract was signed.  The lawyer sent the potential client a contract via email and asked for the client to review it.  The lawyer also sent them an email discussing a retainer fee.  The client immediately sent the lawyer a check to cover the retainer fee, though it was above the amount the lawyer had noted.  The client then emailed the lawyer asking them to send money via a wire transfer to a 3rd party who was also supposedly involved in the legal dispute.  Fortunately the lawyer was smart enough at this point to have seen enough red flags to ask us to step in.
      We met with the firm and discussed the potential client and everything that had transpired.  After reviewing the information we told the firm that this may or may not be a real client.  However, based on all of the information we believed there was a better than average chance this was someone perpetrating a fraud.  The first thing we did was limit the law firm's legal liability in the event this was a fraud.  We instructed the firm to email the prospective client letting them know that no contract was in effect between them since both parties had not yet signed the contract.  The email went on to say that the contract would only be valid once it was signed by BOTH parties, which would need to occur at the law office.  This email limited their liability, yet kept the door open in case this was a real client who was simply on vacation and acting suspiciously.  We also instructed the firm to not deposit the check.  If they had deposited the check they may have inadvertently agreed to the contract through this action.  We asked them to email the client mentioning that the money would not be deposited until the contract was signed and agreed to.
      After a more thorough investigation of the information we determined that this was in fact a potential fraud case.  We instructed the law firm to have no further contact with the potential client until a meeting was done in person at the law firm.  We also instructed them to take necessary precautions if the meeting was to take place.  If this was someone perpetrating a fraud they would probably never show up.  However, you can never assume that someone won't be desperate enough to include physical harm as part of their fraud. 
We then submitted the information to the IC3 (FBI) so they could be on the lookout for scams of this nature and alert other law firms of this potential fraud.

Here is a list of the Red Flags that other law firms (and businesses) should be aware of:
1. The potential client would not meet with the law firm in person.
2. They sent a check though it did not have a person's name on it (just the name of the bank it was from).
3. They asked the lawyer to send money to a 3rd party before the lawyer had a chance to ensure the check cleared.
4. They instructed the lawyer to wire transfer money to the 3rd party.  Scam artists typically request wire transfers as they are extremely fast, and can be done before a check bounces.
5. The numerous emails from the potential client changed in tone and grammar.  This was a very bright red flag.
6. The potential client told the law firm which country they were emailing them from.  However, in reviewing log data we determined that their emails were not coming from that country.  This could have been caused by numerous factors such as a proxy server, though added together it all pointed towards a scam.

It should be noted that none of these red flags offers any assurance that someone is in fact perpetrating a fraud.  However, these are things that you should be aware of and on the lookout for. The Internet makes fraud extremely easy as it allows a very far arms-reach divide between parties.  As an afterword, the potential client has yet to respond to the last email from the firm.

________________________________________________________________________

Vantage Marketplace
August 27, 2008

One of our team members is now a "Thought Leader" in the Technology and Digital Media verticals for the Vantage Marketplace.  Vantage is a service that connects clients with thought leaders in specific verticals.  The Vantage Marketplace is a subsidiary of Goldman Sachs.

________________________________________________________________________

Security - Government or Companies...  or You?
August 26, 2008

As with many large scale issues there seems to be the never-ending question...  Whose job is it?  The Los Angeles Times today wrote an article asking if national cyber security was the task of the public, or the private sectors.  While it is fun to ask and squabble over the pros and cons to each side, the solution may not be quite so simple as one or the other.

The issue seems to be that neither group is currently well equipped to handle national cyber security.  Look at how well our Congress is run to see the potential pitfalls with handing things over to the Government.  And see how well our banking institutions are financially doing to know that the public sector is not exactly in-tune with self policing.  Even working together the private and public sectors are not exactly a dynamic duo of calmness and serenity.  One look at the current state of our financial markets and you will see them failing under the strain of a fundamental lack of regulation from both sides.  Does this mean we should lock down the Internet?  Hardly.  What we need to do is ask a few simple questions...

If the government stepped in, would anything change?  The answer is probably no.  It would seemingly take a blue-ribbon panel 2 years to come up-to-speed on what a web-browser is.  By the time they institute any security policies for Firefox 3, we will be on Firefox version 159.  They could staff the panel with "security experts" though it is hard to believe much will be achieved by a group of 10 people meeting once a quarter to debate Vista vs. XP (my money is on Linux).  Undoubtedly these folks will come from companies like Microsoft and Oracle with vested interests in the outcomes of any such debate.

With the private sector at least there is accountability.  If your web-browser is insecure you are opening the door to someone else building a more secure one - and adding nice additions like Tabs.  Companies know that in the world of technology they are only as good as their last product.  And they know that any day now their "app killer" can be taken out by someone else's.  One look at the iPod tells every other MP3 player that they moved too slowly and are now doomed to failure (unless of course they build a better iTunes).  If you are a software developer you should stop focusing on the next best thing.  Instead think about how you could make a current product just a little bit better.  Odds are people will find you out and download whatever it is you are offering.

In the end it should be up to the private sector to come up with products and services that offer at least a minimum level of security.  People should feel relatively secure knowing if they go to your web-site, their credit-card won't show up the next day on a Russian hacker site.  At the same time, the government should focus on offering customers easy ways of learning about, and dealing with credit-card theft, identity theft, and phishing scams.  They should have user-friendly web-sites offering information on protection and response. 

For now this debate seems to be a lot of talk with no one listening.  Politicians are too busy wondering if Obama or McCain will ask them to have a post in their administration.  Overall though what I noted above is an easy solution that does quite a bit.  It allows the market to have its say, and allows the government to continue in its role of educator and enforcer.  In the end though it will of course be up to end-users to take security into their own hands.  No amount of government or company protection can stop someone from opening an email that says, "Naked Pictures of Paris Hilton!!!"  Who can resist that?

________________________________________________________________________

Countrywide - Do they have a case?    
August 25, 2008

One of the men who allegedly stole customer information while working at Countrywide has pleaded not guilty to the charges.  As with any case it will be up to the prosecution to present their evidence to support the claim that he did in fact steal personal info.  Also, they probably have to prove that this was not a part of his responsibility at the company.  How well the prosecution is able to prove these two factors depends on the security protocols in place at the time, and the record keeping of the Human Resources department.  Hopefully they took security seriously enough to at least perform the minimum recommended security steps.

1. Countrywide should be able to produce and secure the evidence, assuming they had the proper security protocols in place.  This would require that they were logging access to the systems, as well as logging date and time stamps.  If this is the case they should be able to place the alleged perpetrator at the scene of the crime.

2. The FBI will need to produce a "paper trail" showing how any personal information they were able to purchase can be tracked back to the computer the perpetrator was accessing at Countrywide.  This should just be a matter of checking to see if the exact same information resides in both places (and is not readily available elsewhere). This requires that Countrywide still have access to these systems and the data that were on them at the time of the breach.  If the administrators were performing tape backups then this seems highly likely.

3. The alleged criminal may say that he was simply performing his duties for the company.  It will be up to the H.R. department to come forward with a "Roles and Responsibilities" document showing the exact work the person was responsible for while employed at Countrywide.  This may also require going back through emails between the alleged criminal and his managers.  His defense team will look for any "proof" that this was part of his job.  This would not excuse the act from being criminal, but could shift the liability to Countrywide.  It is highly unlikely this is the case, though it is something Countrywide needs to consider.

Overall Countrywide, the FBI, and prosecutors need to mount a very strong case in order to put this alleged criminal in jail.  If Countrywide had the bare minimum of security steps in place they should be successful in doing so.  What is more likely is he pleads to a short sentence and probation.  This will hardly be justice to those who had their personal information stolen.

This case more than anything shows that companies need to carefully think through security before something like this happens.  Once someone steals your data it might be too late to put the pieces back into place.

source: Contra Costa Times

________________________________________________________________________

FLY CLEAR Program (Update)
August 7, 2008

Verified Identity Pass, the company behind the airport Clear program, sent out an email today letting Clear members know their data may have been on the laptop that was recently "missing" from the San Francisco International Airport.  The email campaign was probably done per the requirement in California Bill SB1386*.  What's interesting is that the email went out the day AFTER the "missing" laptop was found.

*SB1386 Section 2 (b).  Any agency that maintains computerized data that includes personal information that the agency does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

________________________________________________________________________

FLY CLEAR Program
August 6, 2008

Today investigators found the "missing" Clear laptop containing the personal information of 33,000 people who had signed up for the Clear program.  This is the program that allows flyers to bypass the typical security screening line handled by TSA.  Fortunately the laptop was found in the office it was supposedly taken from.  For that reason it is doubtful any of the information was stolen or used improperly.  It was noted in the report that the data was NOT encrypted on the laptop.  What was not mentioned was the fact that encrypting the data would have cost almost nothing, and would have taken around 10 minutes (including the time necessary to install the software).

What information does Clear have on its members?  Here are some of the key data points when enrolling in the program:   Social Security Number, Birthdate, Retina Scan, Fingerprints (all 10), name of your first pet (probably a security question).  Clear has said in a Press Release that most of this personal information was not on the "missing" laptop.  That does not mean however that your data is safe anywhere else they may be storing it.  In a search of their site we could not find any information about data storage, encryption or security measures. 

As an aside: On the Flyclear.com web-site it says the following pertaining to the privacy policy, "We never sell or give visitor personal information to any third party for marketing uses."  What it fails to mention is if they allow hackers to gain your personal information. Let the record show that the people who I know use Clear love the program.  Hopefully this is the last time we hear about a security issue from the company.

________________________________________________________________________

Identity Theft Ring
August 6, 2008


"Wardriving" once again made a big splash in the news this week when it was uncovered that it was the technique that allowed hackers to infiltrate a number of retail chains including TJ Maxx and Barnes & Noble over a year ago.  When TJ Maxx reported the intrusion in January 2007 they stated that over 40 Million credit-card numbers may have been stolen.
      Wardriving is when people drive around an office building, house, etc. looking for vulnerabilities in people's wireless networks.  It is an inexpensive and fairly easy way to search for security weaknesses.  Typically all one needs (presumably a hacker or security expert) is a laptop, a wireless NIC, and software which scans for wireless networks.  
      Please note that it does not take much time or money to properly secure a wireless network.  There are numerous hardware and software solutions on the market today that will greatly reduce the effectiveness of wardriving.  In addition, companies should hire security consultants (small plug here for MBridge) to provide "safe" wardriving in order to properly test out their wireless systems.  This is one way a company can gain some level of assurance of the efficacy of their security program.

________________________________________________________________________


Countrywide - Internal Security Breach
August 5, 2008

News reports state that an analyst at Countrywide Home Financial was arrested for allegedly stealing 20,000 customer profiles each week for 2 years.  Assuming he took a 2 week vacation every year, this would mean he stole around 2,000,000 profiles including people's social security numbers.  He would download the files to a personal thumb drive plugged into the computer accessing the data.
     After downloading the profiles he would sell them from a Kinko's for around $500 a week.  In all he claimed to have made around $50,000 to $70,000 over the two year period.  Supposedly while out on bail he offered to sell someone more of the customer profiles.  Perhaps he is attempting to raise money to cover his legal fees.
     Even with software supposedly limiting access to the USB ports he was able to find a computer which did not have the software installed.  Perhaps companies should purchase computers without USB ports on them.  Or destroy the ports physically on existing machines.  If someone really needs to back-up their data they can use an IT managed back-up server.
     However, even disabling the USB ports is not a panacea.  He could have simply downloaded the data and then emailed it to a personal email account.  Countrywide would have needed to have a secure gateway programmed to look for specific data strings (such as XXX-XX-XXXX) in order to catch him doing so.
     On a side note, this is not the first time someone has used Kinko's as a means of dealing in illicit and illegal material.  In 2003 a 25 year old woman in New York City installed keylogger software on computers at numerous Kinko's in the area.  The software would keep track of what people were doing on the computers including passwords to banking web-sites.  She would go back to the Kinko's and download the information the software had obtained.  The only reason she was caught was because she had gotten information about a person who was accessing their home PC using a web-site called GoToMyPC.  She later accessed his computer using GoToMyPC while he was at home on his computer.  He saw her going through his computer and called the authorities.  The Secret Service got involved and was able to apprehend her.
     While out on bail she attempted to install the software at another Kinko's.

Sources: SecurityFocus.com; WashingtonPost.com
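
The outbound gateway check described in the Countrywide post above, sketched as an added example (not part of the original post and not any system Countrywide ran): it scans every MIME part of a message, including base64-encoded attachments, for values shaped like XXX-XX-XXXX and blocks mail to outside recipients that carries several of them. The domain names, threshold and sample data are constructed assumptions.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAINS = {"corp.example"}  # assumption: the company's own mail domain
BLOCK_THRESHOLD = 3                  # assumption: distinct SSN-shaped values tolerated

# NNN-NN-NNNN that is not part of a longer run of digits or hyphens.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")


def plausible_ssn(area, group, serial):
    """Reject values that are never issued, to cut false positives."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def find_ssns(text):
    """Return the set of distinct, plausible SSN-shaped strings in text."""
    return {m.group(0) for m in SSN_RE.finditer(text)
            if plausible_ssn(*m.groups())}


def message_text_parts(msg):
    """Yield (part name, decoded text) for each leaf MIME part."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        if payload is None:
            continue
        charset = part.get_content_charset() or "utf-8"
        yield (part.get_filename() or "body",
               payload.decode(charset, errors="replace"))


def external_recipients(msg):
    """Addresses in To/Cc/Bcc whose domain is not one of ours."""
    headers = []
    for name in ("To", "Cc", "Bcc"):
        headers += msg.get_all(name, [])
    return sorted(addr for _, addr in getaddresses(headers)
                  if addr and addr.rpartition("@")[2].lower() not in INTERNAL_DOMAINS)


def inspect_outbound(raw_message):
    """Decide what the gateway does with one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    external = external_recipients(msg)
    hits, all_found = {}, set()
    for name, text in message_text_parts(msg):
        found = find_ssns(text)
        if found:
            hits[name] = len(found)
            all_found |= found
    blocked = bool(external) and len(all_found) >= BLOCK_THRESHOLD
    return {"action": "block" if blocked else "allow",
            "external": external, "hits": hits, "distinct": len(all_found)}


def build_sample(to_addr):
    """Constructed test message: harmless body, CSV of made-up profiles attached."""
    m = EmailMessage()
    m["From"] = "analyst@corp.example"
    m["To"] = to_addr
    m["Subject"] = "weekly report"
    m.set_content("Report attached. Ticket ref 555-12-345678 is an order number.")
    csv = ("name,ssn\nA,123-45-6789\nB,234-56-7890\n"
           "C,345-67-8901\nD,000-12-3456\n")  # last row has a never-issued area
    m.add_attachment(csv.encode(), maintype="application",
                     subtype="octet-stream", filename="profiles.csv")
    return m.as_string()  # attachment is base64 on the wire


if __name__ == "__main__":
    for rcpt in ("me@webmail.example", "boss@corp.example"):
        print(rcpt, inspect_outbound(build_sample(rcpt)))
```

A plain string search of the raw message would miss the attachment, since the numbers only appear after the base64 layer is decoded.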

________________________________________________________________________

San Francisco - Disgruntled Computer Engineer
July 15, 2008 

A city employee held San Francisco's FiberWAN computer systems hostage this week.  He created a password that gave him exclusive access to the computer systems which contained city payroll information, officials' emails, and law enforcement documents. 
       The news reported that supervisors "had tried to fire him" in the past unsuccessfully.  They say he even went so far as to install a monitoring system on computers that would let him know what administrators were doing and saying about his case.  The computer systems in question were left up-and-running though it seems no one else was able to manage or administer them as he had the only password.  The city was unsure how much it would take to undo the damage though according to the San Francisco Chronicle "authorities say undoing his denial of access to other system administrators could cost millions of dollars."
       The reports also said that he worked for the city for 5 years.  This was probably not some new employee who took the job to hijack the computer systems.  He may have gained control of the systems over time and used his power to blackmail the city into not firing him.  This plan seems to have backfired as he was arrested and taken to jail.
       
Unfortunately, this type of incident happens more often than people realize.  Companies seem to hand off full control to system and network administrators, and only think about the systems when there is an outage.  Obviously companies need to be more thorough in their hiring practices (reports state he had numerous prior arrests), and diligent in ensuring their systems are safe from their own employees.  While this is not what companies want to do, it is a reality they must face.
       
We recently helped a public Fortune 500 company successfully fire two high-level I.T. employees without any incident or unforeseen situation.  The reason we were able to do so was because they handled the situation proactively.  We were asked to come in well before the employees were aware of their possible firings.  We held strategic planning sessions with the company off-site at a hotel conference room.  Plus we only communicated with them using non-corporate email.  In this way the two employees about to be fired would have little to no chance of knowing our plan.
       We worked with Human Resources to draft the exit interview questionnaire in order to capture all of the information we would need once the employees had left.  And we did not let the employee leave until we verified all of the information was correct.  This was done by offering them a severance package dependent on them fully cooperating with our work.  Even during the exit interview we monitored the critical systems to ensure they were acting appropriately.  After the two employees left the office we caught one of them trying to access the VPN.  We captured the information and provided it to H.R. for them to act upon.  By thinking through the process and putting together a plan, the company was able to circumvent a situation like the one in San Francisco.
        In the end the FBI and ATF were both called in based on forensics evidence found on one of the computers managed by one of the fired employees.  Fortunately they were able to properly gather the evidence before the Director could erase his hard drive.  Again, this was only the case because the company was proactive and handled things the right way.
         The good news is most I.T. engineers are working for your company, and not against you.  At the same time, it makes sense to ensure your company is protected.  This involves making backup configuration files, knowing the usernames / passwords to your critical systems, and doing periodic background checks.  Most importantly you should have a plan in place just in case you need to deal with a situation that you'd rather not face. 

Side note: Some news reports have questioned the San Francisco employee's I.T. certification.  We were able to determine through Cisco that he, or someone with his same name, did receive a Cisco certification (CCIE) in 2004 for "switching and routing."  

Source: San Francisco Chronicle, PC World


________________________________________________________________________

Activision - MBridge
July 2008 

This month MBridge signed on Activision Blizzard as a client.   Activision is one of the world's largest video game publishers.

 

________________________________________________________________________

CampusBooks.com
May 2008

CampusBooks.com, an online retailer targeting college students, has signed on with MBridge, LLC for I.T. services.  The relationship covers numerous aspects of CampusBooks's I.T. systems.  You can learn more about CampusBooks at their web-site, CampusBooks.com.

________________________________________________________________________

Fortune 500 Client
May 2008 

A Fortune 500 company in Southern California has hired MBridge to help deal with a major security issue they are facing.  The name of the company is being withheld for security purposes.  The relationship will also encompass Network support services.



________________________________________________________________________

Effects of Online Fraud on Your Business
May 2008

According to a research report by Javelin Strategy & Research, data breaches do have a very negative effect on consumers' purchase behaviors.  These were some of the more interesting results from the 441 person survey:

Relationship-Changing Reactions of US Data Security Breach Victims to Breached Company or Institution:
33% said they "Closed company accounts"
30% said they "Would never purchase company products or services again."
23% said they "Switched providers (eg medical, insurance or banking)"
Source: eMarketer


What this tells you is you need to take online fraud seriously.  In the event of a hack / breach / intrusion a lot of your customers won't care what happened, how it happened, or what you are going to do to fix it.  They will simply find another company claiming to offer the same products and services you do - only more securely.  Using tools like the lifetime value of a customer may help you determine how much you should budget and spend in order to shore up any security deficiencies.  Of course, you should also take into account any non-financial obligations as well.  If people trust your company, you don't want to throw that away to save a few dollars.

________________________________________________________________________

Top 10 US Online Fraud Categories
January, 2008

The IC3 (Internet Crime Complaint Center) released its survey results regarding offenses reported to the IC3 in 2007.  Over the year over 90,000 complaints were filed.  As you can see Auction Fraud and Non-Delivery of goods lead the list this year.  Credit/Debit Card Fraud represented 6.3% of all complaints.  The top States in terms of number of Perpetrators were California, Florida, New York, and Texas.  It should be noted that this is only for complaints registered with the IC3, and not necessarily with law enforcement.

Source: http://www.ic3.gov/media/annualreport/2007-IC3Report.pdf

________________________________________________________________________

DISCLAIMER: The information on this site does not necessarily represent the views of MBridge, LLC.  The information may be satirical in nature. If you have an issue with any of the information here contact us at info@mbridge.com

Copyright MBridge, LLC (c) 2008, All rights Reserved.