Tagged: data

23 Aug 2020

Blockchain: Still Vaporware for Most

Jesse Frederik wrote a nice article over at The Correspondent which sums up what most of us in the technology space have been thinking for a long time: that blockchain technology is one of the most over-hyped technologies of the past decade or so. While the article is a little light on the technical details of blockchain concepts, its point is valid. Try to point to a situation outside of a cryptocurrency where blockchain technology is being used that could not have been handled just as easily by an existing technology. Not only that, but the existing technology is likely higher performing and easier to maintain. Ultimately I think Ehud Gavron over on Slashdot sums up the challenge of blockchain not fitting most applications well with his comment written in the style of a press release:

Available immediately:
– new database
– stores records forever
– no purging of old records, obsolete records
– guaranteed to grow in size forever
– can’t edit records
– sequential processing with complex calculations so it’s not Order(1) or O(n) or even O(n^x) but a complex polynomial that grows by yet another O(n^y) each time another entry is added
– guaranteed to always get slower over time — it’s the nature of cumulative calculations to verify the data each and every time it’s accessed

Ehud Gavron via Slashdot

Some of the facets of blockchain are quite handy, such as not being able to modify a record once it has been written. Immutable records are very handy when it comes to transactional ledgers or document custody chains. The issues really start to come in when you can’t prune records off the end of the chain, when you need to find more and more systems to be peers to verify the chain, and when the number of transactions being processed hits the millions or billions per day. At that point it no longer makes sense to bother with blockchain; you may as well go back to a tried and true data storage methodology where you can set field-level permissions on data, prune data when needed, and not require substantial processing power to verify every transaction.

Don’t get me wrong, I think blockchain has a role to play in the future of data transmission and the management of the chain of custody for electronic records. Being able to track a contract document from creation to full execution, where all parties agree it is in the correct state, is very valuable. However, many people think that something with “blockchain inside” must be better than something without it baked in. Others, like the town mentioned in Jesse’s article, go so far as to ignore it when the developers of an app try to tell them they are not using blockchain. After all, how could they tout how advanced they are if it is just some old-fashioned database application?

In the end, the moral of the story is to use the right technology for the problem, not to try to make the problem fit the technology. Blockchain isn’t magic, it won’t solve all your problems, and when your technology staff tell you it isn’t needed to solve a business problem, listen to them. When blockchain is the right answer, they will let you know.

03 Aug 2020

Credit Card Fraud: It’s a Thing

Brian Krebs has a great piece over at his Krebs on Security blog about “…Why Credit Card Fraud is Still a Thing.” The answer can be summed up in just a few words: the United States lags behind in adopting security standards the rest of the world has long since adopted.

The article is an analysis of the recent paper issued by Maxwell Aliapoulios, Cameron Ballard, Rasika Bhalerao, Tobias Lauinger, and Damon McCoy over at New York University that delves into the seedy underground of dark web data markets. Based on the data analyzed, the researchers found that

Around 97% of the inventory was stolen magnetic stripe data, commonly used to produce counterfeit cards for in-person payments.

Source: NYU

The authors then go further to state

Even multiple years into the U.S. EMV chip deployment, the supply of stolen magnetic stripe data continued to increase sharply.

Source: NYU

This suggests that in the US there are still far too many merchants that either do not require the use of chip and PIN or simply have not bothered to implement the capability to use it at all.

As the paper goes on, it is clear that the buyers value magnetic stripe data significantly more so long as the data is fresh. However, after the first six weeks of the data being available, its value drops well below that of chip and PIN card data. In contrast, the chip and PIN card data does not fetch a premium early on as magnetic stripe data does, but retains a more consistent value for the long term. International account data, especially from Spain, Germany, and France, are also valued more highly than US account data. This suggests that the illicit data buyers see issuing financial institutions (FIs) in these countries as less likely to disable the cards in the short term than FIs in other countries.

Further on in the analysis, the authors reach the crucial conclusion about US card issuers:

From 2016 to 2018, however, the median remaining lifespan of non-EMV accounts increased by about 100 days; the non-EMV population was getting younger, whereas EMV accounts aged by the same amount. This suggests that new non-EMV cards continued to be issued after the liability shift.

Source: NYU

This leads me to believe that there is a major issue with how the card networks, like VISA, MasterCard, and others, have structured their penalties for non-compliance. There have been too many exemptions and extensions for merchants that don’t need to comply with the EMV mandates. This in turn disincentivizes financial institutions from disallowing fallback to mag stripe for transactions, which makes more mag stripe data available via skimmers; if people were using chip and PIN, their data would not have been compromised.

It’s a vicious cycle and we need to put an end to it. The industry needs to enforce compliance across all merchant categories, and financial institutions need to disable fallback to mag stripe. If this doesn’t happen soon, there is no end in sight for these types of data black markets.

If you want to read the article you can download a copy here.

02 Jul 2020

123456 – I bet I Just Guessed Someone’s Password

A GitHub user going by the name FlameOfIgnis has published a very interesting repository that holds a lot of statistical data for more than 1 billion passwords. These passwords were found in data dumps from any number of the hundreds of data breaches over the past several years and analyzed for a number of different patterns. The most striking results to me are the following:

  • 1 in 142 passwords is 123456
  • 763,000 of the passwords match a pattern that suggests a random password generator is creating passwords with high complexity but low entropy, meaning duplicates occur far more often than they should.
  • 34.4% of passwords end with digits but only 4.5% start with a digit.

The rest of the statistics are interesting, but I see the above statistics as particularly impactful. If I were a bad actor looking to write a password cracking script using either dictionary attacks or brute force attacks, I would always start with 123456, then I would move on to dictionary attacks with a digit at the end, and then I would start generating passwords with the pattern found in the 763,000. Essentially, statistical analyses like these create a cookbook for designing attack patterns against web applications protected by a login.
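As an added example (not from the post or from the FlameOfIgnis repository), the following Python recomputes the headline statistics quoted above over a constructed sample corpus, so a defender can run the same analysis on an audit of their own cracked or leaked passwords, and turns the same patterns into a screening check for proposed passwords. The sample list, the blocklist and the 12-character floor are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample corpus, NOT data from the FlameOfIgnis repository; stands in
# for a list of cracked or leaked passwords a defender is auditing.
SAMPLE_PASSWORDS = [
    "123456", "password1", "qwerty", "letmein2019", "123456",
    "Summer2020", "dragon", "1password", "monkey99", "Zx9$kQ2m",
    "Zx9$kQ2m", "admin123", "3Kt!vP8w", "iloveyou", "123456",
]

# Anything ending in a non-digit, followed by a short run of digits at the end.
TRAILING_DIGITS = re.compile(r"^(.*?[^0-9])(\d{1,4})$")
CHAR_CLASSES = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())


def looks_generated(password):
    """Heuristic for generator-style passwords: 8+ chars using all four classes.
    Duplicates among these are the 'high complexity, low entropy' signal."""
    return len(password) >= 8 and all(
        any(test(c) for c in password) for test in CHAR_CLASSES)


def corpus_stats(passwords):
    """Recompute the headline statistics from the post for any password list."""
    n = len(passwords)
    counts = Counter(passwords)
    generated = Counter(p for p in passwords if looks_generated(p))
    gen_total = sum(generated.values())
    return {
        "total": n,
        "rate_123456": counts["123456"] / n,                                   # post: 1 in 142
        "frac_end_digit": sum(1 for p in passwords if p and p[-1].isdigit()) / n,    # post: 34.4%
        "frac_start_digit": sum(1 for p in passwords if p and p[0].isdigit()) / n,   # post: 4.5%
        # share of generator-style passwords that are repeats of an earlier one
        "generated_dup_rate": (sum(c - 1 for c in generated.values()) / gen_total
                               if gen_total else 0.0),
        "most_common": counts.most_common(3),
    }


def weak_reasons(password, blocklist=frozenset({"123456", "password", "qwerty"})):
    """Screen one proposed password against the patterns the post says are tried
    first. Returns a list of reasons; an empty list means it passed."""
    reasons = []
    if password.lower() in blocklist:
        reasons.append("on blocklist")
    if TRAILING_DIGITS.match(password):
        reasons.append("word plus trailing digits")
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    return reasons


if __name__ == "__main__":
    print(corpus_stats(SAMPLE_PASSWORDS))
    print({p: weak_reasons(p) for p in ("123456", "monkey99", "correct-horse-battery-staple")})
```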

What does this all mean? It means that despite years of being told to do things differently to secure our digital lives, people haven’t taken the guidance to heart. We are still stuck in our old insecure ways, allowing criminals to easily steal our credentials and hijack our digital lives. It amazes me that we have yet to collectively realize just how vulnerable our inability to adapt and change our ways has made us. The threat is obvious and has been exposed for all to see, yet we put our blinders on. Those that are very unlucky only realize the error of their ways when they find their bank accounts drained because someone took over their accounts online.

Take Action

If this scares you like it scares me, take action to secure your information now. Here are some very easy suggestions that will make a large positive difference in your online security if you start following them today:

  1. Use a well-regarded password manager – I would suggest 1Password, LastPass, or Dashlane if you need a place to start looking.
  2. Never reuse passwords. This is why you have a password manager.
  3. Always generate random passwords that are long and complex. Again, you have a password manager now. Go crazy with that 20 character password containing lowercase letters, uppercase letters, numbers, and special characters.
  4. Always use two-factor authentication when available.
  5. If time-based one-time passcode support is available for two-factor authentication with a specific application, use it. Normally for this type of authentication you would use an app like Authy or Google Authenticator.
  6. Check if your user names and/or email addresses have been found in any data breach data dumps. I highly suggest using Have I Been Pwned for this.
  7. If you know one of your logins is compromised, change your password immediately. If you reused this password in other locations, change all of those too and use unique passwords everywhere.

Stay safe, protect yourself, and make sure your friends and family do the same.

08 Jun 2020

Cox Communications is Looking for a Lawsuit

For the love of data caps Batman! Cox Communications is taking its ability to be a very bad corporate citizen to the next level this week. Not only are they throttling users with “unlimited” data, but they are punishing the whole network segment these users are on as well. Ars Technica reports, and Cox confirms, that they are doing this to keep their network experience consistent for all users… And by consistent they mean consistently bad.

Not only are their “gigabit” plans not actually gigabit (you only get “gigabit” download speeds; Cox caps you at 35 Mbps upload all the time), their “unlimited” data appears not to be unlimited either. When I hear of “unlimited” data, that means you can use all the data you want at the speed of the service tier you pay for. Apparently for Cox this means that you can do that until they decide you have used too much data on your “unlimited” data plan, and then they throttle you to 10 Mbps maximum for uploads. Then they start to threaten to terminate your account because you have used too much “unlimited” data on their network. So rather than getting what you paid extra for, you now get 72% less upload bandwidth and threatening phone calls.

The kicker is that not only does Cox take out its corporate wrath on the customer using more than their allotted “unlimited” amount of data, they also take it out on everyone attached to that segment of the cable modem network. This is why I think the class action lawsuit is going to start really soon, likely for the following reasons:

  1. Cox is punishing others for a situation they didn’t cause nor can control.
  2. Cox is punishing people for using the service in a way that they reasonably should expect to be able to do given the plans they paid for.
  3. The “unlimited” data add-on is clearly false advertising if they are throttling connections based on using too much data.
  4. Cox is threatening the termination of contracts based on usage patterns that a reasonable person would expect to be allowed given the plans they are paying for.

I’m waiting to see the pandemonium that ensues when the attorneys start trying to pile on to this one. While Mike, who spoke to Ars, may only get a few bucks, the attorney fees will certainly be very enticing.

Aside from the class action lawsuit though, this is yet another example of cable companies abusing their customers because they can’t actually provide the service levels they promise. Or at the very least, this is a greed-ridden money grab targeted at the customers that are already paying more for services to supposedly guarantee a positive experience. Instead of improving their networks, or better yet, just running fiber, carriers choose to act as parasites. They get away with this because in many areas there is only one broadband provider available, so consumers have no choice. This is the perfect example of why monopolies are not supposed to be allowed under US laws and regulations.

What can you do to try and avoid Mike’s fate, or if you can’t avoid it, at least try and improve your situation? Start with these:

  1. Avoid cable companies whenever possible, or if you can’t, try to sign up for fiber service if they offer it. Always choose fiber over a cable modem.
  2. Complain loudly and frequently to the carrier. The squeaky wheel gets the grease.
  3. Push for net neutrality regulation. Don’t let the FCC off the hook for pandering to big carriers and not the consumers that have to put up with this type of abuse.
  4. Report deceptive or unethical business practices to federal, state, and local regulators.
  5. Talk to news outlets about what you are experiencing. Nothing is better than shining the light on these situations. If the negative PR gets bad enough, these carriers will backpedal.
  6. And if you really feel like the case warrants it, talk to an attorney.

I am curious to see what happens to Cox over the coming weeks as this story gains traction. Will they backpedal? Will we see a class action lawsuit? Will Cox realize the error of their ways and become a beacon of corporate benevolence in a corrupt world?

Who knows, but it will certainly be interesting to watch.

23 Jan 2020

Microsoft Exposes Elasticsearch Database to the World

Security Week reports that Microsoft has suffered a mishap with a handful of its Elasticsearch databases causing approximately 250 million customer support records to be exposed. While financial information for these clients was not exposed, it does appear that the data could be used for phishing attacks and tech support scams.

Of course the kicker is that Microsoft runs one of the largest cloud services on earth, where users must take great pains to secure the systems they set up. Now it turns out the company running these types of services can’t secure its own systems. While I know that these Elasticsearch databases were not really part of the Azure cloud service, it does beg the question: if Microsoft can’t secure its own systems, how can its clients ever hope to completely secure their own systems in the Azure cloud? If nothing else, this should serve as a reminder that no company, person, organization, etc. is immune to security lapses, and great care should always be taken to secure both internal and cloud systems.

11 Nov 2019

Your People Are Your Biggest Threat

The Hacker News has an article posted on November 7th about a rogue TrendMicro employee stealing customer data and selling it to a tech support scammer. This goes to show, once again, that your people are always your biggest threat. Whether they are clicking on malicious links in an email from that prince who wrote to them or actively stealing data to sell on the black market, they are likely going to do something to cause you serious pain. Many companies don’t know how to combat these threats or are completely oblivious to what their people may be doing. Here are some ideas to help protect your organization:

  1. Invest in training – Train, train, train, and then train your staff again to be vigilant and know how to recognize a malicious email, phone call, or text message before they divulge any information. If they fall for one, deliver on-the-spot training to help them learn from their mistake.
  2. Invest in more than your average anti-virus software – Advanced Persistent Threats (APTs) are the buzzword of the decade. While you don’t need to listen to all the marketing hype, you should have a host based security solution on your PCs and servers that does more than just look for known signatures. It needs to identify unknown threats as well as known threats, block ransomware, stop data being transferred to removable storage, and more.
  3. Adopt a policy of least privilege – Does that receptionist really need local administrative privileges on their PC? Does that staff trainer really need access to the marketing database? I don’t think so. If people don’t need access to data, make sure they can’t get to it.
  4. Classify your data – What is in that random Word document on the accounting shared drive? Is it something that shouldn’t leave the building? If it is, make sure you are tagging the document and putting restrictions in place on your firewalls to stop it from leaving. Do this for all of your data and put rules in place to protect it where it is stored.
  5. Invest in Data Loss Prevention (DLP) tools – Make sure data isn’t leaving your organization. Have tools that can observe data movement, alert, and stop it from happening if needed.
  6. Protect your data from and in the Cloud – Invest in Cloud Access Security Brokers (CASBs) if you allow your staff to store data and work in the cloud. You don’t want data stored improperly in services like Slack, Office 365, Dropbox, Gmail, or somewhere else.

There are many other things you could do as well, but I would argue if you have these tools in place and configured properly, you just might avoid ending up like TrendMicro.

03 Apr 2019

Facebook is at It Again

Our friends over at ZDNet just released another report on Facebook and its ongoing security woes. This time, Facebook has been caught asking users to confirm their identity by entering their email address and their password for their email service provider, so that the platform can log in to handle this confirmation. It goes without saying that anyone asking you for the user name and password you use at another service provider is not looking out for your best interests. With Facebook asking for these credentials on top of its recent issues, you know they are definitely not looking out for your best interests.

TL;DR – Don’t give Facebook your credentials to other services. It’s bad.