Archive for the ‘Security and Compliance’ category

AI: why will it make any difference?

October 1st, 2018

For all the talk around the rise of AI, or Artificial Intelligence, the technology isn’t new. We use AI in our daily lives.

Predictive text is the most visible example; Google searches and Word spellcheck are others. You frequently text a friend to meet at the mall. You type: “Meet me at the …” Your phone suggests “park” or another common place to meet. Over time, your phone learns, and the suggestions start to prioritize “mall” over other words.

A basic case is that AI:
• takes data,
• analyzes it,
• implements a solution (suggesting the next word),
• evaluates the results (recognizing that you almost always type “bar” with that friend),
• and then repeats the process with improved recommendations based on data.
Over time, the system grows smarter.

Typically, ‘triggers’ that execute a ‘script’ were the way to automate processes: a log file is monitored and a keyword triggers a support ticket or runs a script. Over time the system learns, and can predict and run checks before the error happens.
Other examples of AI in everyday life include pricing on ridesharing apps, facial recognition in social media and even non-player characters in video games.

Until recently, the technology was available to a few companies with deep pockets. To take advantage of AI, you had to have a big data center, specialized software and data scientists in house. We’ve reached a tipping point. With cloud-based technology, companies of all sizes can more easily plug into AI-infused applications at a much lower entry cost.
AI is the next big disruptor in many industries.

Let’s look at the wholesale trading industry. Here are two ways you can leverage AI to benefit a business:
Optimize where a team spends their time.
- Imagine the ability to direct your Accounts Receivable team to the late-paying customers that are most likely to respond.
- AI can help distributors differentiate between those who aren’t going to pay and need to be turned over to collections, and those who are more likely to pay with just one phone call.
- AI could also direct a call centre team to focus on certain times of day to increase the likelihood someone picks up the phone. Given the importance of cashflow to distributors, this is a powerful application of the technology.
- The same idea goes for a sales team. With which customers should they be spending more time? AI can identify the data points that influence purchasing, such as whether a prospect downloaded a whitepaper, has an account exec assigned to them, or has previously purchased related products.

It could even be something you can’t control, like the weather forecast. If it’s going to be 110 degrees, you can expect an uptick in sales of air conditioning units or parts to fix them in certain geographies. AI can identify these opportunities for salespeople. AI then adjusts those recommendations based on how customers respond, and the cycle continues.

Grow sales and margin with existing customers.
When a customer is checking out on a website, via your call center, at the counter or through another channel, how can you engage them more? Enter AI. For example, let’s say that data show that electrical contractor customers of a particular size regularly buy red, green, white and black 10-gauge copper wire at the same time. So when an electrical contractor of that size selects just red, green and white, a salesperson should be prompted to ask: “Are you forgetting black?” Chances are, the customer will add black wire to the basket.

To identify those relationships, however, and to code them into your system is a lot of work. We can do much of this already with BI analysis and on-screen prompts. Add to that the evaluation of whether the offers were effective – how often they were accepted, how often they weren’t (and why) – and adjusting for that on the next sale, or updating sales scripts and offers. It becomes increasingly difficult, if not impossible, to do that manually across thousands of products.
AI can do this far more quickly and effectively than a human can, and can have a big impact on the top line. A foodservice distributor grew sales volume by 5% nearly overnight after turning on an AI-powered cross-sell and upsell recommendation engine on their website.

This is not just about selling online. Sure, distributors use cross-sell/upsell technology to grow share across their channels. However, they can also provide more meaningful, targeted content to make the customer’s selection process smoother and better informed, to draw their attention to designs or offers that are likely to be of interest, and so on. The ROI can be huge, and it requires very little upfront work by humans.

Pricing software is a more mature application of AI-based technology, determining the optimal price for a particular item based on lost sales, historical sales volume, competitor pricing, potential for upsell, cross-sell or repeat sell, and other data points. Hotels and airlines use revenue yield management. If it’s a business trip they may feel you will spend more in their restaurant on an expense account. I may only book when rates are cheap, but I might always eat in house, use pay TV, and order wine with my meal, and so be a more profitable customer. If my rooms for tonight or my airline seats are less than 50% sold then I might discount heavily to ensure I sell enough to cover costs, but once past 80% I may charge a premium price because you may be desperate with little choice, and a few high-value sales will make up for the one or two I lose.

If a product has excess stock and is nearing the end of its shelf life, or a cinema is going to be half empty, then AI can auto-trigger instant SMS sales promotions or happy hours. But can it learn, predict and better tune the films shown in a given cinema, whether average clothes sizes are trending bigger, or whether some colours and sizes will sell better in one branch than another, and how that correlates with other data? How much is spent on marketing, what other sales are happening nearby, are temperatures going to rise, what is the expected change in the exchange rate, inflation rate or oil price and will that affect the number of tourists, and will revised parking fees affect who shows up where and when?

Is this a Big Brother nightmare, or does it mean that we are going to get better service because what we need to buy is going to be in stock even before we realise we need it?

As new younger generation z employees are hired into purchasing roles, they expect the kind of customer experience that AI-powered technology can deliver. This technology is here now. It’s not just a technical decision. There are real business benefits to using AI, including growing average order size, boosting margins and tightening customer relationships.

California Privacy Act, EU eprivacy, GDPR….

September 17th, 2018

The California Consumer Privacy Act of 2018 has neither the public awareness nor the multi-year preparation time that the EU’s GDPR had.
Nonetheless, it will have a similarly significant impact on organizations that do business in the state of California.

Why should you care? Well, California is the world’s fifth-largest economy, so it affects pretty much everyone.
Businesses – including yours – have less than two years until the January 2020 compliance deadline.

Organizations are constantly at risk of paying a hefty penalty for not complying with rules and regulations that dictate how they should operate and do business.
Recent research by the Ponemon Institute and GlobalScape entitled “The True Cost of Compliance with Data Protection Regulations” concluded that the average cost of non-compliance is now $14.82 million annually (a 45 percent increase from 2011) and is 2.71 times higher than the cost of compliance.

This means organizations are better off making the necessary investments on people, process and technology to comply with Data Protection regulations than incurring the cost of non-compliance. It’s clear that the topic of compliance is broader than just Data Protection regulations and covers other global and regional regulations, industry-specific mandates and trading partner specific contracts.

The worry is conflicting standards and how to stay abreast of everything. Colorado is also bringing out similar legislation. The UAE has also signalled that it may follow GDPR. This has major implications for companies in areas of contract, insurance of liability, training, master data management, software security, encryption, back-up, policies, administration …… and a lot more cost. This is not going away and it is easier to start now – a plan to shut the stable door only after the horse has bolted is not a strategy.

An even stricter privacy law, known as the ePrivacy Regulation, is currently pending abroad. The law was approved in the last quarter of 2017 by the European Parliament and is currently under review by the Council of the European Union. While the policymakers had hoped that the ePrivacy Regulation would enter into force on GDPR Day, this obviously didn’t happen. In a nutshell, the ePrivacy Regulation is lex specialis to the General Data Protection Regulation (“GDPR”). While the GDPR applies to all categories of personal data—hard copy and electronic—the ePrivacy Regulation will typically only apply to electronic communications data, a subset. The Regulation, if adopted, would cover not only traditional telecommunications operators and providers of electronic communication services but also “over-the-top” communications services.

It requires explicit consent from users for all messaging services—things like Apple’s iMessage, Facebook’s WhatsApp, and Microsoft’s Skype—before companies can place tracking codes on their devices or collect data about their electronic communications. In other words, a company could only collect data or metadata about users’ communications online when they get their explicit consent to use it for a specific purpose. When someone declines to share their data, companies will be required to provide them with the same service as someone who consents. The law was scheduled to go into effect this year, but has been held up by negotiations. https://iapp.org/resources/article/eprivacy-regulation-may-2018-draft/

The ePrivacy regulation is an update to the standing ePrivacy Directive, which was originally put into place to guarantee “right to privacy in the electronic communication sector,” according to the directive. The directive originally focused mainly on email and SMS messages, but the proposed regulation would also address data privacy in services like WhatsApp, Facebook Messenger, and Skype, along with Internet of Things (IoT) devices.
Additionally, the ePrivacy regulation will also protect metadata associated with electronic communications.

ePrivacy includes non-personal data. GDPR is laser-focused on the protection of personal data, but the ePrivacy regulation is focused more broadly on the confidentiality of communications, “which may also contain non-personal data and data related to a legal person,” the proposal states. The original ePrivacy Directive is often referred to as the “cookie law” because it imposed the need for informed consent before a firm could track an internet user with cookies. The regulation will add new clarifications and simplifications for the consent rule, along with other new tools for protecting against unwanted communication tracking and more.

Both GDPR and the proposed ePrivacy regulation reflect similar aspects of privacy, but they do so from the perspective of different legal charters. The basis for the ePrivacy regulation is Articles 16 and 114 of the Treaty on the Functioning of the European Union. However, it also reflects part of Article 7 of the Charter of Fundamental Rights: “Everyone has the right to respect for his or her private and family life, home and communications.” GDPR, on the other hand, is based on Article 8 of the European Charter of Human Rights, which states: “Everyone has the right to respect for his private and family life, his home and his correspondence.” However, for ePrivacy, the proposal notes that the meaning and scope of Article 7 of the Charter of Fundamental Rights shall be regarded in the same way as Article 8 of the European Charter of Human Rights.

Consent is just one of six lawful grounds for processing data under GDPR. If one of the other five grounds applies, consent might not be required.

The other five legal grounds are:
• Processing being required to fulfil a contract with a data subject.
• Having a legal obligation, the fulfilment of which requires you to process user data.
• Needing to process data to protect someone’s life.
• Processing being required to carry out a task in the public interest.
• Requiring data processing in order to protect your legitimate interests, or those of a third party (unless those interests clash with a good reason to protect user data).

If none of these other grounds applies, then clear consent must be given to process personal data for each specific purpose.

How you ask for consent forms a big part of the regulation. It must be presented with these features:
• Unbundled: No lumping consent for one usage of data in with another. This is particularly relevant to collecting data for marketing.
• Active opt-in: No pre-ticked boxes, with binary in/out options given the same prominence.
• Granular: Each type of data usage needs to be consented to separately.
• Named: All organisations involved in handling the data being collected must be listed by name, especially third-parties.
• Easy to withdraw: Withdrawing consent needs to be at least as easy as giving it.

Security, GDPR and BA

September 16th, 2018

British Airways disclosed on Sept. 7 that it was the victim of a data breach that exposed details on 380,000 customers. The breach involved data from British Airways’ mobile application and website at ba.com. The airline noted in its advisory that stolen data did not include customers’ passport information or travel details. However, hackers stole names, addresses and payment card details of customers who used the British Airways website or mobile app between Aug. 21 and Sept. 5. To its credit, BA responded promptly and apologized.

“We are investigating, as a matter of urgency, the theft of customer data from our website and our mobile app,” British Airways wrote in an advisory post. The airline has guaranteed that financial losses suffered by customers directly because of the theft of this data from British Airways will be reimbursed, and is recommending that customers contact their bank or card provider if they made a booking or change to their booking between 22:58 BST August 21 2018 and 21:45 BST September 5 2018.

The British Airways breach is the second in as many weeks that has involved a major international airline. On Aug. 29, Air Canada reported that its mobile app was breached, potentially exposing 1.7 million accounts to risk. Air Canada, however, estimated that information on only 20,000 customers accounts was stolen in the breach, which is thought to have taken place between Aug. 22-24.

The British Airways breach is potentially the first major test for the European Union’s General Data Protection Regulation (GDPR), which has strict requirements on disclosure of breaches, and non-compliance could result in costly financial penalties.

RiskIQ detected the use of a script associated with a “threat group” RiskIQ calls Magecart, the same set of actors believed to be behind a recent credit card breach at Ticketmaster UK. The Ticketmaster UK breach was the result of JavaScript injected through a third-party service used by the Ticketmaster website, but the British Airways breach was actually the result of a compromise of BA’s own Web server, according to the RiskIQ analysis.
This skimmer is attuned to how British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site in particular.
The suspect scripts were detected based on a daily crawl of websites conducted by RiskIQ, which gathers data on more than two billion pages a day. Focusing on how the scripts on the BA site changed over time, the RiskIQ researchers found a modified script within the BA site. Code added to a JavaScript library utilized by the BA site called an API on a malicious Web server at baways.com—a virtual private server hosted by a provider in Lithuania, using a TLS certificate registered through Comodo (apparently to raise its appearance of legitimacy) on August 15.

The 22 lines of code are targeted to export the data entered in the BA website’s payment form to the malicious server when the “submit” button was clicked by a customer, with the data being sent as a JSON object. As a result, the transaction would go through for the customer without any errors, while the attackers received a full copy of the customer’s payment information despite the payment apparently being over a secure session. The attackers also added a “touchend” callback to the script, which made the attack functional for users of BA’s mobile app—which called the same, modified script.

While the modified script file’s timestamp matches the beginning of the attack reported by British Airways, the registration date for the malicious site’s certificate indicates that the attacker likely had access to the British Airways site before the reported start date of the attack on August 21st—possibly long before. Without visibility into its Internet-facing web assets, British Airways was not able to detect this compromise before it was too late.
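The crawl-and-compare approach described above, written out as an added example (this is not RiskIQ’s tooling or BA’s code). The host names, script contents and first-party allowlist are constructed, and the “tampered” copy is a stand-in with no working payload: the point is to show what a daily snapshot diff surfaces, and how an SRI hash pins the known-good copy.

```python
"""Added example: compare a baseline snapshot of a site's first-party scripts
with a fresh crawl, list the lines a change introduced, flag any hosts those
lines reference that the site does not own, and emit an SRI hash for the
known-good copy.  All URLs and script contents below are constructed."""
import base64
import difflib
import hashlib
import re
from dataclasses import dataclass

# Matches the host part of any http(s) URL embedded in script text.
HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


def sri_hash(content: str) -> str:
    """Value for <script integrity="..."> so a browser refuses a modified copy."""
    digest = hashlib.sha384(content.encode()).digest()
    return "sha384-" + base64.b64encode(digest).decode()


@dataclass
class Finding:
    url: str
    added_lines: list
    new_hosts: list

    def suspicious(self) -> bool:
        # A change that only touches first-party hosts may be a routine deploy;
        # a new third-party host appearing in a payment-page library needs review.
        return bool(self.new_hosts)


def compare_crawl(baseline: dict, current: dict, first_party: set) -> list:
    """Return one Finding per script whose content differs from the baseline."""
    findings = []
    for url, old in baseline.items():
        new = current.get(url)
        if new is None or new == old:
            continue  # unchanged (a vanished script would be a separate alert)
        added = [line[2:]
                 for line in difflib.ndiff(old.splitlines(), new.splitlines())
                 if line.startswith("+ ")]
        hosts = {h.lower() for line in added for h in HOST_RE.findall(line)}
        findings.append(Finding(url, added, sorted(hosts - first_party)))
    return findings


# Constructed data: the site's own hosts and one first-party library.
FIRST_PARTY = {"www.example-airline.test", "static.example-airline.test"}
LIB_URL = "https://static.example-airline.test/js/vendor-lib.js"
BASELINE = {LIB_URL: (
    "window.Vendor = {};\n"
    "Vendor.assets = 'https://static.example-airline.test/img/';\n"
)}
# Constructed tampered copy: a few appended lines that name a host the site
# never used and hook a touch event (a stand-in, not a functioning skimmer).
CURRENT = {LIB_URL: BASELINE[LIB_URL] + (
    "/* appended lines: would serialise the payment form and post it as JSON */\n"
    "var endpoint = 'https://attacker.example/api/collect';\n"
    "document.addEventListener('touchend', function () { /* ... */ });\n"
)}

if __name__ == "__main__":
    for f in compare_crawl(BASELINE, CURRENT, FIRST_PARTY):
        print(f.url, "changed; new third-party hosts:", f.new_hosts)
        for line in f.added_lines:
            print("  +", line)
    print("pin the known-good copy with:", sri_hash(BASELINE[LIB_URL]))
```

An SRI pin only helps when the HTML page that carries the integrity attribute is itself trustworthy; in a compromise of the origin web server, as described above, the attacker can rewrite the attribute too, so the external crawl comparison is the control that still works.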

British Airways did not comment on the RiskIQ report, as a criminal investigation is still underway.

GDPR misses the mark

August 16th, 2018

GDPR took effect in May of this year, at least with regards to enforcement. A few days after the May 25 date, a German court ruled against ICANN, the company that registers domain names on the Internet and manages the global WHOIS database. The case revolves around the information collected when you register a domain. ICANN wants multiple contacts, which they’ve required for decades. However, EPAG, a German registrar and ICANN partner, argued that the additional technical and administrative contacts were not required for fulfilling the business that both ICANN and EPAG are engaged in.
ICANN is appealing the ruling, citing the need for clarification of what this means with regard to the law.

There is an interesting argument here to be made about what data is needed for a business purpose. I could see this being argued successfully either way, and not just in court. As a domain holder, does the registrar really need multiple different sets of personal information from me? Arguably, this is a convenience for them, that is based on tradition. However, one could argue the other way. It is a little scary that a court, with no expertise in some industry (Internet domain registration, in this case), will decide whether there is an actual business need. Can a lawyer or judge really understand what data a business needs in their daily activities?

Is it unreasonable to find technical people collecting data, not maliciously, but to anticipate what might be asked of a system, or to avoid rework? Is it wrong to collect everything that might be relevant or useful to save time on future queries?

So now we have the ridiculous situation where more and more transactions can only sensibly be done online, but only if you agree to provide personal data as part of the terms and conditions. How does that protect anyone? I can understand that large IT companies with heavy investment in cloud data centres are happy to see legislation that makes it impossible for small companies to compete – encryption, additional training and audit costs, huge infrastructure and software protection costs to deal with hypothetical risks to data that is largely in the public domain on Facebook, LinkedIn and telephone directories. Governments have new reasons to fine companies. Auditors and lawyers have another source of income. This all drives up costs, so how does that benefit the individual?

Why there is not more loud protest and outright rejection of this ridiculous legislation I don’t understand. I doubt even 20% of companies affected comply.

That does not mean that you should not take data protection seriously. The problem with GDPR is that it is being applied as a sledgehammer. Companies are trying to enforce complex systems for protection of data to which there is no identified risk, or indeed where there may not even be any data stored.

If an organisation has no central documented overview of the data it holds and processes, it is highly vulnerable to failing in its stewardship of data. This will result in severe damage to that organisation. To protect anything, you have to know where it is, and who needs to use it. With data, you have to know at least its relative importance in terms of its confidentiality, integrity and accessibility. You also need to know why it is retained and how it is used within the organisation and by which role. With this information, you will then have a much clearer idea of the requirements for that data, sufficient to appropriately strengthen the organizational workflows and applications to minimize the risks to that data.

If your organisation is ever caught up in a data breach or other incident that might affect its reputation or even result in legal action, then the exercise of at least having taken information security seriously will provide mitigation for the organisation. Any organisation that takes its stewardship of data seriously and responsibly will take the next step and ensure that all data is held in an appropriate regime that will protect it from malice, disaster, conflict and human failings. They might even save on resources by reorganizing organizational data according to risk rather than by department or activity.

In a recent case, not considered under GDPR, the potential problems surfaced. In Claimants v WM Morrisons Supermarket the High Court found that Morrisons was vicariously liable for deliberate and criminal disclosure by a rogue employee of personal data belonging to his co-workers.

The employee was an internal auditor for Morrisons. In that role he had access to personal data about other employees. However, he felt he had been unfairly disciplined over a conduct issue and as a result became disaffected. A couple of months later Morrisons’ external auditor asked for payroll data for audit purposes and the employee was asked to handle the request. The data, at Morrisons’ request, was downloaded onto the employee’s work computer. He passed the data to the external auditor but he didn’t delete it from his computer. Some weeks later he uploaded the data onto the internet, under the name of another employee. The individuals whose personal data was wrongly disclosed then sued Morrisons, arguing that Morrisons was the data controller and so was responsible for the breach. Alternatively, that if it was not the data controller, it was vicariously liable for the wrongful actions of the rogue employee.

The High Court accepted that Morrisons was not the data controller at the point at which the individual was loading the data onto the website. Similarly, although the Court accepted that Morrisons should have been more proactive in ensuring that the data on the employee’s computer was deleted as soon as it was no longer needed, this did not actually cause the damage. The Court’s view was that the employee would have sought to circumvent any precaution put in place, given that this was a deliberate breach designed to cause problems for Morrisons.

That left the claim for vicarious liability. Whether an employer is vicariously liable depends on there being a sufficiently close connection between what the employee was employed to do and their wrongful actions. Here, the Court accepted there was a sufficient connection and so Morrisons was vicariously liable. The employee was given access to the data through his work and was deliberately entrusted with the confidential information. Even though he had acted improperly and also used another employee’s name to post the information on the Web, his motive was irrelevant in deciding whether there was vicarious liability.

Given that around 100,000 employees were affected by this data breach, compensation could be significant. Importantly, it is not necessary for the affected employees to show that they have suffered financial loss. Individuals can claim for distress merely from the disclosure of their data. This case has worrying implications for employers. Here the employee’s actions were entirely deliberate, and even though none of the employer’s actions led to the data breach it was still held liable.

Given the employee’s actions were designed to cause problems for Morrisons, by passing liability to the supermarket, the Court’s ruling has in many ways furthered the employee’s wrongful aims.

Unsurprisingly, Morrisons intends to appeal so all employers will be watching carefully to see what happens next.

While not decided under the principles of the GDPR, this case is representative of a new data privacy environment in the workplace, with greater accountability for employers and increased employee rights. More data breach claims may follow, particularly given that it is not necessary for an individual to show loss to claim compensation.

What is clear from the case is that employers will be responsible for the employee data they hold and must apply the strictest possible controls to try to mitigate the risks presented by rogue individuals. Such controls could include: limiting the number of people who have access to personal data for work purposes, ensuring individuals who have such access only have it for a limited period, and that data security measures are in place to flag misuse of the data. Further, the personal consequences of data breaches should be outlined to those who need to have access to colleagues’ personal data for their job.

This is becoming farcical – how should a company reply to, for example, a request for a reference, or a credit check?
If one employee volunteers another’s phone number, is that really something for which an employer should have liability to pay compensation?
As with other misguided legislation, this will accelerate adoption of AI and elimination of human workers.

If ever you want proof of the law of unintended consequences this legislation is going to be high on the list.

Microsoft Ignite agenda: insights into the future roadmap

August 14th, 2018

Microsoft recently published the session list for its annual Ignite IT Pro conference happening at the end of September. A look at the topics gives a clue to its roadmap. There are sessions on the next version of SQL Server, Surface Hub 2 and Surface Go with LTE, Intune and Windows Autopilot, Windows Server 2019, and new Remote Desktop services.

Last year, Microsoft used Ignite to highlight AI, intelligent edge and its futuristic quantum-computing technologies, but overall the listed sessions look more down to earth. There are two mixed-reality sessions — including “Visio Immersive”. Almost 100 listed sessions touch on AI. At Inspire, Microsoft told partners the “AI Accelerate Kit” would be coming in October and include AI use cases, best practices and “Ethical AI” guidance, so that seems likely to be included.

At Ignite Microsoft will again focus on Microsoft 365 – the bundle of Windows 10, Office 365 and Intune security/management technologies.

Expect a lot of Dynamics 365 CRM and ERP content — because October is when the next feature update will arrive for the suite of Dynamics products.

There seems to be more developer content: ASP.NET, Visual Studio Code and Visual Studio 2017, Node.js, sessions on Linux and Docker containers, Progressive Web Apps, and MSIX, the new Windows 10 application-packaging technology Microsoft is rolling out.

There are 115 sessions listed for SQL Server/Azure SQL. Maybe we will get an insight into the successor to SQL Server 2017 — codenamed “Aris,” which is currently in private Community Technology Preview testing.

Microsoft will also show the new Surface Hub 2 and Surface Go.

Expect Windows Server 2019, Microsoft’s next major release of Windows Server, to be a hot topic – it’s due to start rolling out before year end.

https://www.microsoft.com/en-us/ignite

https://www.microsoft.com/en-us/ignite/faq

September 24–28, 2018 | Orlando, Florida

End of life for SQL 2008 and 2008 R2 is only a year away

July 14th, 2018

On July 9, 2019, Microsoft will end Extended Support for SQL Server 2008 and 2008 R2, which means no more updates or support of any kind, potentially leaving you vulnerable to security and compliance issues.
Some considerations:
• That is only a year away, so it is time to start planning and to get it into your 2019 budget.
• What applications are affected? With what new SQL version are they compatible?
• Will you need to rebuy licenses? SQL licensing is now core based and might prove a lot higher than last time, so take the time to consider all options.
• Should any of your applications move to the cloud?
• Should you also look at upgrades to hardware, Windows, Office, Exchange, or business finance/ERP systems in conjunction with SQL?
• Is now the time to review your security solutions?
• Are you going to expand, or implement heavy new processes like consolidation, budgeting or BI in the next 2-3 years?
• Is your mobile network growing?

There are major enhancements in SQL 2016 SP1, so we recommend you should not consider any version lower than that. By next year SQL 2017 will also have settled down.

To discuss options, call us on 0097143365589.

Is your RDP access secure?

July 14th, 2018

A recently released report sponsored by IBM Security and conducted by Ponemon Institute estimated that a data breach costs companies an average of $148 per lost or stolen record. This was based on interviews regarding mega breaches, i.e. more than 1 million records.

According to the McAfee Advanced Threat Research team, cybercriminals are compromising and selling remote desktop protocol (RDP) access on the dark web for as little as $10. Cybercriminals will try to use RDP access to create false flags, send spam, abuse accounts, harvest credentials, extort, deploy ransomware, and cryptomine.

If you use RDP network access then you are vulnerable to such attacks, which should concern everyone from government to healthcare institutions.

Remote access systems are needed by many organizations to conduct their business. McAfee’s research team recommends:
• Use complicated passwords and two-factor authentication on your RDP, as this will make brute-force attacks more difficult to complete
• Do not conduct or allow RDP connections across open internet
• Lock out or timeout users with too many failed login attempts
• Check event logs regularly for strange login attempts
• Use an account-naming convention that doesn’t give away details about your organization
• Make a list of all systems using the network and what protocols they are connected through, including POS systems and Internet of Things (IoT)

The good news is that the research found that security automation tools are doing their job. Machine learning, artificial intelligence, analytics, and orchestration to identify and contain breaches are new tools in the fight back against malware. Companies that extensively use automated security technology saved over $1.5 million on the total cost of a breach, said the release.

Meanwhile

‘Hello’ – no passwords!

July 3rd, 2018

Microsoft plans to replace passwords with Windows Hello and other tools, starting from the Windows 10 April 2018 Update in S mode, which allows cloud users an end-to-end experience that does not require any passwords.

Microsoft promises to rid the world of passwords and to replace them with more convenient and secure options, the company announced in a Tuesday blog post. “Nobody likes passwords. They are inconvenient, insecure, and expensive,” ………. End users “should never have to deal with passwords in their day-to-day lives,” and Microsoft wants to replace passwords with “user credentials [that] cannot be cracked, breached, or phished.”

Windows Hello, which was introduced in Windows 10, uses biometric sensors such as a fingerprint reader or a face scan to verify a user’s identity. Microsoft has since introduced the Authenticator app, which lets users log into their Microsoft account on their desktop using their phone.

HeroRat is targeting your Android devices

July 3rd, 2018

HeroRat, a nasty new Android remote access Trojan (RAT), is capable of giving an attacker GUI-based control over an infected device.

It is spreading via third-party app stores and messaging services and can take complete control of infected devices. Currently the main target region seems to be Iran. It uses offers, like free Bitcoin, to trick users into downloading it; once installed it claims it will not work on the device and appears to “uninstall” itself. Instead it deletes its icon and registers itself with the attacker as a newly accessible device.

HeroRat relies on traditional methods to infect Android devices. Users are advised to install apps only from official sources, to keep anti-malware software up to date, and to always check app permissions.

Password ‘Spray attacks’ target ADFS

July 1st, 2018

Be aware of ‘Password Spray’ style attacks which target ADFS. Attackers no longer simply launch a ‘Brute Force Attack’ to guess someone’s password and gain access – they are adopting a stealthier approach, automating the process over a longer time frame so they don’t trigger any alerts.

The FBI released this Alert in late March 2018: Brute Force Attacks Conducted by Cyber Actors. This “Low and Slow” method is ever more commonplace, and one area in particular that has been targeted is externally facing ADFS. Malicious traffic can be hidden amongst genuine traffic, and when successful this yields very valuable credentials, possibly even across more than one organisation.

ADFS must be connected to the public internet to work, so it offers an attack vector. Review the informative article from Beau Bullock at Black Hills InfoSec. Once valid accounts have been determined, the attacker simply tries every account with one password at a time; cycling through the whole list leaves enough time between attempts on any one account for the “lockout threshold” timeout to expire.

If ADFS itself could be compromised to gain entry, then how can we improve the security around this authentication mechanism?

On 5 March 2018, Microsoft released an article on Azure AD and ADFS best practices, ‘Defending against password spray attacks’, which covers how multi-factor authentication (MFA) and a number of other measures can be applied to improve security. Subsequently Microsoft released an updated and improved article, ‘Monitor your ADFS sign-in activity using Azure AD Connect Health’s risky IP reports’.

With Azure AD Connect Health, Microsoft’s “Risky IP Reports” let you:
- Easily detect risky external IP addresses that are generating large numbers of failed logins
- Get instant email notifications when risky IP addresses are detected
- Download detailed reports to perform offline analysis or share within your organisation
- Customise your threshold settings to match the security policy of your organisation

One simple indicator of malicious activity is “Unique Users Attempted”: a count of the unique user accounts attempted from the IP address during the detection time window. This provides a mechanism to differentiate a single-user attack pattern from a multi-user attack pattern.
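To make this concrete, here is an added Python example that is not code from the original post, from Microsoft or from Azure AD Connect Health. It runs over a few constructed sign-in log lines (made-up data, RFC 5737 documentation addresses) and applies two views: the classic per-account lockout rule from the RDP advice above (“lock out users with too many failed login attempts”), and a per-source-IP count modelled on the “Unique Users Attempted” indicator. The log format, the thresholds and the 30-minute window are assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (not real data). Assumed line format:
# <ISO timestamp> <FAIL|OK> <username> <source IP>
# 192.0.2.5    : a genuine user who mistypes once, then signs in
# 198.51.100.7 : brute force, one account hammered in a few minutes
# 203.0.113.10 : password spray, eight accounts tried once each, 5 min apart
SAMPLE_LOG = """\
2018-06-30T08:00:00 FAIL alice 192.0.2.5
2018-06-30T08:00:20 OK alice 192.0.2.5
2018-06-30T08:01:00 FAIL bob 198.51.100.7
2018-06-30T08:01:30 FAIL bob 198.51.100.7
2018-06-30T08:02:00 FAIL bob 198.51.100.7
2018-06-30T08:02:30 FAIL bob 198.51.100.7
2018-06-30T08:03:00 FAIL bob 198.51.100.7
2018-06-30T08:03:30 FAIL bob 198.51.100.7
2018-06-30T09:00:00 FAIL alice 203.0.113.10
2018-06-30T09:05:00 FAIL bob 203.0.113.10
2018-06-30T09:10:00 FAIL carol 203.0.113.10
2018-06-30T09:15:00 FAIL dave 203.0.113.10
2018-06-30T09:20:00 FAIL erin 203.0.113.10
2018-06-30T09:25:00 FAIL frank 203.0.113.10
2018-06-30T09:30:00 FAIL grace 203.0.113.10
2018-06-30T09:35:00 FAIL heidi 203.0.113.10
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, ok, user, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, ip = line.split()
        events.append((datetime.fromisoformat(ts), result == "OK", user, ip))
    return events


def account_lockouts(events, threshold=5, window=timedelta(minutes=30)):
    """Per-account lockout: an account is locked once it accumulates
    `threshold` failures inside any sliding `window`. Returns the locked set."""
    failures = defaultdict(list)
    locked = set()
    for ts, ok, user, ip in sorted(events):
        if ok:
            continue
        recent = [t for t in failures[user] if ts - t <= window]
        recent.append(ts)
        failures[user] = recent
        if len(recent) >= threshold:
            locked.add(user)
    return locked


def risky_ip_report(events, fail_threshold=5, unique_users_threshold=5):
    """Per-source-IP view modelled on the 'Unique Users Attempted' indicator:
    count failures and distinct usernames per IP, then label the pattern.
    Thresholds are assumed values; a real deployment tunes them to policy."""
    stats = defaultdict(lambda: {"failures": 0, "users": set()})
    for ts, ok, user, ip in events:
        if ok:
            continue
        stats[ip]["failures"] += 1
        stats[ip]["users"].add(user)
    report = {}
    for ip, s in stats.items():
        users = len(s["users"])
        if s["failures"] >= fail_threshold and users >= unique_users_threshold:
            label = "password spray"      # many accounts, few tries each
        elif s["failures"] >= fail_threshold:
            label = "brute force"         # one account, many tries
        else:
            label = "normal"
        report[ip] = {"failures": s["failures"],
                      "unique_users_attempted": users,
                      "label": label}
    return report


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("locked accounts:", account_lockouts(ev))
    for ip, r in risky_ip_report(ev).items():
        print(ip, r)
```

Run stand-alone, the lockout rule only ever locks “bob” (the brute-forced account), while the spray source 203.0.113.10 never trips it because no single account sees more than two failures in the window. The per-IP report catches it anyway through the unique-user count, which is the point of the indicator.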

TSB upgrade – what lessons are there to learn?

May 5th, 2018

By now most of us have heard about the catastrophic attempt by the Spanish-owned TSB to introduce a new IT platform for their UK customers.
As my first mortgage was with the TSB many years ago, and I was also in the U.K. when the story broke, I took a little more interest.

TSB (Trustee Savings Bank) merged with, and was later spun out of, Lloyds Bank after the EU ruled that it was a monopoly because of the state aid it had received at the time of the banking crisis. TSB used Lloyds’ IT at a cost of about £220 million a year, but later moved to the Proteo platform, also used by its new owner, Sabadell. The Proteo system’s design goes back to 2000; it was built specifically for mergers and was used for the successful integration of four Spanish banks.

Proteo is based on Accenture’s Cobol-based Alnova system; it is customized, installed and managed by TSB’s staff and runs on Amazon Cloud.

At the launch of Proteo4UK, Paul Pester, CEO of TSB, boasted that they had “created a more digital, agile and flexible TSB”. Carlos Abarca, the CIO, agreed, “It’s the technology journey that we are on together with our customers!” Similar ‘digital transformation’ good news messages from cloud providers are all too familiar.

This was to be a “customer-centric by design” platform to “enable the open banking revolution”.

Well, there was a revolution alright – it locked nearly two million banking customers out of their accounts for up to ten days.

This was over a month-end, when businesses rely more heavily on access to their accounts.

TSB turned to IBM to help get the system under control and “to help identify and resolve performance issues in the platform”. The problems included customers experiencing zero balances, incorrect currencies, massively inflated mortgage amounts, and e-mails saying that there were no records of recent direct debits. Internet banking customers puzzled over on-screen messages such as: ‘BeanCreationNotAllowedException exception: Error creating bean with name ‘contextManagerPostController’: Singleton bean creation not allowed while the singletons of this factory are in destruction (Do not request a bean from a BeanFactory in a destroy method implementation!)’

Customers who tried to make transfers got errors like ‘ArrayIndexOutofBounds’ and ‘java.lang.NullPointer’, and some branches reported the systems spewing out error messages in Spanish. When I travelled back from the U.K. in early May, problems with internet banking were still being reported by customers.

Instead of saving TSB over £100 million a year, this has greatly reduced public confidence not only in the bank but also in other banks and in cloud-hosted financial services generally. TSB is likely to be fined by the Financial Conduct Authority (FCA) and the Information Commissioner’s Office (ICO), which is the last thing it needs while trying to get things sorted – the loss in reputation alone is huge.

Supporters of Paul Pester believe he is being scapegoated for the tech disaster:
• Allies said he has been ‘betrayed’ by a ‘bunch of Spanish numpties’
• Software that caused the problems was installed by Sabadell’s technology offshoot, Sabis
• Regulators could put TSB under a Section 166 probe – a formal investigation by an independent expert

What are the lessons?
Well, the first is not to claim success until the job is done. (A damning report on the Guardian website suggests there were plenty of warning signs up to a year before this all happened. Quoting an anonymous insider, the report explains how a mixture of poor technical and business decisions led to the eventual crisis TSB finds itself in today.)

Which leads to the second lesson: bearers of bad news may have a point worth considering, and bad news is at least a hint that the challenge needs more attention.

It seems Sabadell, the company that bought TSB, was warned about the high risk of its migration plans, which were seen by some as having too short a deadline and not big enough a budget. But Sabadell was not to be discouraged, and it pressed ahead with its plans, confident that it could successfully transfer TSB customers to its own Proteo software, as it had done with other customers in the past.

If you are doing something big and complicated, consider the worst case and what that means for insurance, contingency plans, contractual and legal protection (so far none of the original contractors on the TSB redesign and upgrade have acknowledged any culpability) and PR mitigation:

PR Week called it the flop of the month …….. and a recipe for reputational disaster. Pester is well respected in the industry, but took too long to accept responsibility, was too quick to assume the problem was over, and too slow to appease customers. It is easy to say from an armchair in Dubai, but why do corporate leaders fail to heed the lessons of the past, to recognise the potential for disaster, and to accept that when disaster arrives the only way to limit reputational damage is to offer maximum compensation and care and to call in reinforcements asap?
Sabis is understood to have given TSB a written assurance that the parts of the system for which it was responsible had been comprehensively tested – maybe TSB needed to be more involved in those tests.

How good is your password? Can it withstand an attack every 39 seconds?

April 27th, 2018

A Clark School study at the University of Maryland found a near-constant rate of hacker attacks on computers with Internet access—every 39 seconds on average—and non-secure usernames and passwords give attackers more chance of success.

“Brute force” hackers use simple software-aided techniques to attack large numbers of computers at random. The vast majority of attacks came from relatively unsophisticated hackers using “dictionary scripts,” software that runs through lists of common usernames and passwords attempting to break into a computer.

Top usernames in the hackers’ scripts were “test,” “guest,” “info,” “adm,” “mysql,” “user,” “administrator” and “oracle,” so avoid using these. The most common password-guessing ploy is to re-enter the username or to try variations of it. Some 43 percent of all password-guessing attempts simply re-entered the username. The username followed by “123” was the second most-tried choice.

A password should never be identical or even related to its associated username.

The hackers’ most common sequence of actions is to check the accessed computer’s software configuration, change the password, check the hardware and/or software configuration again, download a file, install the downloaded program, and then run it.
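As an added example, not code from the study or from the original post, the following Python check encodes the rule above on the defending side: it rejects a password that is identical to the username, the username reversed, the username plus a short suffix such as “123”, or one that simply contains the username, after a small leet-speak normalisation, and it also flags the usernames the study found in attackers’ scripts. The specific patterns, the leet mapping and the sample credentials are assumptions chosen for the illustration.

```python
import re

# Usernames the study found most often in attackers' dictionary scripts (from the post).
COMMON_SCRIPT_USERNAMES = {"test", "guest", "info", "adm", "mysql",
                           "user", "administrator", "oracle"}

# Assumed leet-speak substitutions so "4dm1n" is recognised as "admin".
LEET = str.maketrans("013457@$", "oieastas")

# Assumed "short suffix" shape: 1-4 digits or punctuation appended to the username.
SUFFIX = r"[0-9!@#$%^&*._-]{1,4}"


def password_related_to_username(username, password):
    """Return a short reason if the password is the username or a trivial
    variation of it (the ploys the UMD study describes), else None."""
    u = username.lower()
    if not u:
        return None
    p_raw = password.lower()          # as typed, for the suffix test
    p_leet = p_raw.translate(LEET)    # normalised, for identity/containment
    if p_raw == u or p_leet == u:
        return "identical to username"
    if p_raw == u[::-1]:
        return "username reversed"
    if re.fullmatch(re.escape(u) + SUFFIX, p_raw):
        return "username plus short suffix"
    if len(u) >= 3 and u in p_leet:
        return "contains username"
    return None


def check_credentials(username, password):
    """Combine the two recommendations: avoid usernames that appear in attack
    scripts, and never derive the password from the username.
    Returns a list of findings; an empty list means no objection."""
    findings = []
    if username.lower() in COMMON_SCRIPT_USERNAMES:
        findings.append(f"username '{username}' is in common attack scripts")
    reason = password_related_to_username(username, password)
    if reason:
        findings.append(f"password {reason}")
    return findings


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    for user, pw in [("test", "test"), ("oracle", "oracle123"),
                     ("alice", "ecila"), ("jsmith", "Tr0ub4dor&3")]:
        print(user, "->", check_credentials(user, pw) or "ok")
```

A check like this belongs at account-creation and password-change time, where it costs nothing; it is a complement to, not a substitute for, the lockout and monitoring measures discussed in the earlier posts.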

http://www.eng.umd.edu/html/news/news_story.php?id=1881

Total Meltdown – patch now and revisit patches, many are bugged

April 27th, 2018

A person known as XPN, whose blog identifies them as a hacker and infosec researcher, posted details on Monday of a working exploit that takes advantage of Total Meltdown. The source code for the exploit of Total Meltdown, a vulnerability created when Microsoft tried to patch the initial Meltdown flaw, is available on GitHub.

XPN describes Total Meltdown as a “pretty awesome” vulnerability in that it allows “any process to access and modify page table entries.”

XPN also noted that the goal was to create an exploit that could “elevate privileges during an assessment,” but that it was only meant to help other people understand the exploitation technique, not to be a ready-to-use attack.

Total Meltdown was created by a botched patch Microsoft issued for the original Meltdown flaw, one of the Spectre/Meltdown vulnerabilities reported earlier.

Whereas the original Meltdown flaw was read-only, Total Meltdown also provides write access. This only affects 64-bit versions of Win7 and Server 2008 R2.

See the Woody on Windows column in Computerworld, https://www.computerworld.com/article/3269003/microsoft-windows/heads-up-total-meltdown-exploit-code-now-available-on-github.
There has been a series of flawed patches and it’s not pretty reading, so take time to check out the article in full.

To tell if you’re protected from Total Meltdown, you’ll have to check your patch history. If you have no patches from 2018, you should be good, according to Woody on Windows. If you do have patches, and KB 4100480, 4093108 or 4093118 is installed, you should also be protected. Without those, Woody on Windows noted, you’ll need to roll back your machine, manually install KB 4093108, or use “Windows Update to install all of the checked April Windows patches.”

However, there is a lot more cautionary advice to read.

Drupal CMS critical bug

April 2nd, 2018

The team behind the popular open-source CMS Drupal is urging admins to update their sites to ward off a nasty bug that could leave their sites “highly compromised” to attackers, according to the organization.

The affected versions of the CMS (Drupal 6, 7 and 8) power over one million websites on the internet.

Drupal has marked the security risk as “highly critical” and warns that any visitor to a site could theoretically hack it through remote code execution, due to missing input validation.

“This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.”

“Meltdown”, “Spectre” and Azure

February 10th, 2018

Last month, as reported on this blog, Intel revealed two critical vulnerabilities found in Intel chips. These vulnerabilities allow cyber-attackers to steal data from the memory of running apps. This data can include passwords, emails, photos or documents. Intel dubbed these “Meltdown” and “Spectre.”

Microsoft released a patch for Azure the very next day. Just as well, because Microsoft Azure is a shared-computing environment by default. One server hosts applications and application development, and various virtual machines tap into that server to let employees and others access those applications. As such, the Meltdown vulnerability would allow an attacker to compromise the host and read all the data from every operating system tapping into it. Around 3-10 million physical servers host Azure, and those servers in turn host tens of millions of virtual machines. So, impressively, Microsoft developed and deployed a patch for these vulnerabilities in less than a week. Azure is a cloud platform, so Microsoft could focus its security team on the cloud servers and only the cloud servers. This way, those millions of servers and users had a patch, and all applications hosted on the Azure cloud platform were immediately protected.

A good business case example for businesses to move to Azure cloud services.

Malware developers are still out there: German antivirus testing firm AV-Test reported 139 malware samples in January trying to attack the Meltdown vulnerability, to exploit those who have not patched.

Microsoft patched its cloud servers, but non-Azure users (as well as all Windows users, period) still need to apply their operating system patches to ensure complete protection. This is one vulnerability you definitely don’t want cyber-attackers to exploit, whether it’s your personal computer or your business’s server.