Digital technology, media and intellectual property

Weekend tech diversions: The Target data breach, 451 Security, Georgetown Law, my return to Davos, CES, and net neutrality. Oh, and Alan Alda.

January 18th, 2014 |  Published in Weekend tech diversions


Gregory P. Bufithis, Esq.  Founder/CEO


18 January 2014 – The tsunami of reporting and comment on the Target data breach keeps cresting, and cresting, and cresting. In Brian Krebs’ latest article on the Target breach (he was the chap who got the ball rolling on this data breach disclosure) we learn a few things about the nature of the attack. Krebs reports, citing unnamed sources, that the entry point was a web server, from which the attackers eventually set up shop on an internal server used to stage the exfiltration, and installed malware on an undisclosed number of store POS machines.

And in a brilliant piece by 451 Security (part of 451 Research) we learned about “segregated networks”, the basic goal of which is “to limit the ability of a threat to progress into or out of a network segment containing systems with some common role”. In short: if a web server in one segment gets hacked, segmentation limits how far the attacker can move from it into the internal networks, and what can move back out. Something Target’s IT team was seriously in need of. For the full piece by 451 Security click here.
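To make the 451 Security point concrete, here is an added example (mine, not code from 451 Security or from the post) of what segmentation means in practice: a small allow-list policy between segments and a checker that evaluates observed flows against it. The segment layout, the host addresses, the permitted ports and the sample flow records are all constructed for illustration; they are not Target’s network. The sample flows mirror the chain described above (web server into the internal network, internal host to the POS terminals, POS to a staging host, staging host out to the internet) so you can see which hops a real policy would have refused.

```python
"""
Added example: a minimal model of a segmented retail network and a checker
that evaluates observed flows against an allow-list policy. Everything
below (segments, addresses, ports, flows) is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed segment layout: each segment is a CIDR block with one role.
SEGMENTS = {
    "dmz-web":  ipaddress.ip_network("10.10.0.0/24"),   # internet-facing web servers
    "corp":     ipaddress.ip_network("10.20.0.0/16"),   # back-office servers and staff
    "pos":      ipaddress.ip_network("10.30.0.0/16"),   # store POS terminals
    "payments": ipaddress.ip_network("10.40.0.0/24"),   # payment switch to the processor
}
INTERNET = "internet"   # anything outside the segments above

# Allow-list: (source segment, destination segment) -> permitted destination ports.
# Any pair not listed is denied. Note the deliberate absence of any path from
# dmz-web into pos, and that pos may only speak to the payment switch.
POLICY = {
    (INTERNET, "dmz-web"):  {80, 443},
    ("dmz-web", "corp"):    {5432},     # web application -> database tier
    ("corp", "pos"):        {8443},     # store management -> terminals
    ("pos", "payments"):    {443},      # authorization traffic only
    ("payments", INTERNET): {443},      # switch -> payment processor
}


def segment_of(ip: str) -> str:
    """Map an address to its segment name, or 'internet' if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return INTERNET


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def is_allowed(flow: Flow) -> bool:
    """True if the policy permits this cross-segment flow (intra-segment is out of scope)."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg == dst_seg:
        return True
    return flow.dport in POLICY.get((src_seg, dst_seg), set())


def violations(flows):
    """Return (flow, source segment, destination segment) for every flow the policy blocks."""
    return [(f, segment_of(f.src), segment_of(f.dst)) for f in flows if not is_allowed(f)]


# Constructed flow records mirroring the chain described in the post.
SAMPLE_FLOWS = [
    Flow("203.0.113.7", "10.10.0.5", 443),     # internet -> web server: allowed
    Flow("10.10.0.5", "10.20.1.10", 5432),     # web server -> database tier: allowed
    Flow("10.10.0.5", "10.20.7.22", 445),      # web server -> corp file share: blocked
    Flow("10.20.7.22", "10.30.12.41", 445),    # corp host -> POS terminal: blocked
    Flow("10.30.12.41", "10.20.7.22", 139),    # POS -> internal staging host: blocked
    Flow("10.20.7.22", "198.51.100.9", 21),    # staging host -> internet: blocked
    Flow("10.30.12.41", "10.40.0.2", 443),     # POS -> payment switch: allowed
]

if __name__ == "__main__":
    for f, s, d in violations(SAMPLE_FLOWS):
        print(f"DENY {s:>8} -> {d:<8} {f.src} -> {f.dst}:{f.dport}")
```

The design point is that the policy is written per segment pair and per port, not per host: a compromised web server gains nothing from discovering a POS address, because the dmz-web to pos pair simply does not exist in the table. Four of the seven sample flows are refused, and they are exactly the four hops the attacker needed.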

To understand the Target data breach issues … in fact any/all data breach issues (a general overview, the technical specifics, etc., etc.) … I rely on the Krebs site and the 451 Security site. Both sites provide analysis of the latest developments in enterprise IT security and of the up-and-coming technology in the security sector. 451 Security does one better by analyzing the activities of security vendors bringing products to market, as well as factors influencing funding and M&A in the security marketplace … a hot, hot, hot area if you have been following the Mandiant/FireEye merger.


[ A DIGRESSION: readers have noted I tend to wax lyrical about the 451 Research. With good reason. Please see my personal note at the end of this post. * ]


Meanwhile a report by iSIGHT Partners on the Target breach (which was commissioned by the Department of Homeland Security) calls this a “brand new ecrime”. I have summarized below a few points from the report (a report not publicly available, but numerous media have obtained copies and commentary is appearing in The New York Times, The Wall Street Journal, NBC News, and elsewhere, so I have read through them and collected a few of the highlights):

1. The report details the type of software used in the massive hack, how it was effective and mentions regions known to have the software coding prowess to pull off this kind of digital heist. This comment will be familiar to anyone who attended the inaugural Georgetown Law Cybersecurity Law Institute last year: “Memory scraping capabilities has been available in the Russian-language underground for some time. While Eastern Europe has been the focal point for POS malware development and use, cyber criminals in Brazil have used the technique since at least 2009. Globally, this trend will probably continue because malware offers important cost and risk advantages over hardware skimming techniques.” But the report does not draw conclusions on who is ultimately responsible for the attack.

2. The data breach was caused by a type of malware, similar to a computer virus, placed in a store’s point-of-sale systems. While some components of the breach operation were technically sophisticated, the operational sophistication of the compromise activity makes this case stand out: “the intrusion operators displayed innovation and a high degree of skill in orchestrating the various components of the activity.”

3. This stuff is very complicated. I spent some time this weekend with folks from Intercede (great contacts I met at MWC last year who will be back this year) who walked me through the revelations to date. Here’s how the malware works: once installed, the scraper reads the memory of the cash register system, or of the server that controls it, looking for card transaction data. Card data is encrypted when it is stored or sent over the wire, but during the authorization step it sits briefly in the POS process’s memory in the clear, and that is the moment the scraper copies it. The tactic used by the Target holiday hackers is “new to eCrime,” the report says, and “covertly subverts network controls and common forensic tactics to conceal all data transfers.”

4. The report concludes that since this style of POS hacking can net big rewards for the cyber crooks with little risk, cardholders can expect more of this type of breach.
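Point 3 above is easier to believe once you see what “in the clear in memory” looks like. The following is an added example (mine, not from the post, Intercede or the iSIGHT report) of the check a responder runs over a POS memory image: search for magnetic-stripe track data in the Track 1 and Track 2 layouts and keep only hits whose account number passes the Luhn check, which is exactly what a memory scraper would find. The memory buffer is constructed; the card numbers in it are the standard industry test numbers, not real cards.

```python
"""
Added example: scan a (constructed) memory buffer for cleartext magnetic-stripe
track data, the way a forensic tool or a RAM scraper would. The buffer and the
test PANs are constructed for illustration.
"""
import re

# Track 2 (ISO/IEC 7813): ';' PAN(13-19 digits) '=' YYMM service-code ... '?'
TRACK2 = re.compile(rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?")
# Track 1: '%B' PAN '^' cardholder name '^' YYMM ... '?'
TRACK1 = re.compile(rb"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})[^?]*\?")


def luhn_ok(pan: bytes) -> bool:
    """Luhn mod-10 check, to discard digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 48                      # ASCII digit -> int
        if i % 2 == 1:                   # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: bytes) -> str:
    """Keep only BIN and last four, so findings can be reported safely."""
    return pan[:6].decode() + "*" * (len(pan) - 10) + pan[-4:].decode()


def scan_buffer(buf: bytes):
    """Return (offset, track, masked PAN, expiry) for every Luhn-valid hit, by offset."""
    hits = []
    for track, rx in (("T1", TRACK1), ("T2", TRACK2)):
        for m in rx.finditer(buf):
            pan = m.group("pan")
            if luhn_ok(pan):
                hits.append((m.start(), track, mask(pan), m.group("exp").decode()))
    return sorted(hits)


# Constructed memory image: unrelated process data around two cleartext tracks
# and one decoy whose digit string fails the Luhn check.
SAMPLE_MEMORY = (
    b"\x00" * 16 + b"POSAUTH v2.1 \x00\x00"
    + b"%B4111111111111111^DOE/JANE^25121010000000000?"   # Track 1, test PAN, valid
    + b"\x00" * 8
    + b";5555555555554444=25121010000012300000?"          # Track 2, test PAN, valid
    + b"\x00" * 8
    + b";1234567890123456=25121010000000000?"             # decoy: fails Luhn
    + b"\x00" * 16
)

if __name__ == "__main__":
    for offset, track, pan, exp in scan_buffer(SAMPLE_MEMORY):
        print(f"offset {offset:6d}  {track}  PAN {pan}  exp {exp}")
```

Run against a real memory image the same scan reports where in the process’s address space card data was resident and for how long, which is the question an incident responder has to answer and the reason encrypting card data only at rest and on the wire is not enough for a POS.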

Sharon Nelson of Sensei Enterprises nailed that point when she wrote on her blog Ride the Lightning that there certainly are breaches yet to be revealed: “After Target revealed that its breach may have impacted as many as 110 million customers and Neiman Marcus reported that an unknown (as yet) number of customers had been affected by its data breach, it appears that at least three more retailers have breaches yet to be publicly disclosed. The techniques used were similar to those used at Target.”

Meanwhile … over on The Dark Side … what are the odds of all this data actually being used by the cyber crooks behind the heist? Yes, we know a large number of the stolen cards have been for sale on the underground market. But the PIN data is another matter: PIN blocks are encrypted with Triple DES inside the PIN pad before they ever reach the POS software, so what a memory scraper picks up there is ciphertext, not PINs. The track data itself, including the card verification value encoded on the magnetic stripe, is not protected that way, which is precisely why scraping it from memory works.

According to IntelCrawler “there is an active group of Eastern European cybercriminals who specialize in attacks on merchants and Point-of-Sale terminals by using sophisticated malware and targeted perimeter attacks. Their goal is the interception of payment and PIN blocks data, which many systems have sniffed and grabbed in the past. Just recently, several criminals in the underground expressed interest in decrypting of 3DES blocks and information intercepted from serial COM-port connected to POS (9600 7E1) and Man-in-the-Middle attack.” Over the weekend they even made a guess as to who was behind the Target attacks.

As I have noted in numerous posts before, this is not a new issue/problem. For years hackers have managed to intercept packets carrying this type of data, but were unable to decrypt it (sometimes even if they had the key). Their pleas for help are often answered by other hackers who apparently know how to decrypt them, but whether their claims are true or not can’t always be determined.

But IntelCrawler is not the only site buzzing about this. I have seen it on others. It is the reason every year I send a staffer to attend Black Hat and DEFCON: to obtain as many sources as possible … the hacker folks who really know how this tech works … on internet infrastructure, data security and emerging technology.

By the way, an event not to be missed: the Georgetown Law Cybersecurity Law Institute. Last year was the inaugural event and it was brilliant: chat about cyber criminals and terrorists, how governments ply their intelligence trade, the marketplace for credit card details and “how to attack  critical infrastructure” learning tools, industrial-scale theft of intellectual property … the whole world of cyber security. It will be repeated this May. Try to attend.


▪ The NSA, net neutrality and oh, the webs we weave

On Friday I watched Obama’s first comprehensive response to criticism of America’s electronic surveillance regime. As expected, he promised new checks to reduce the chance that innocent people around the world — oh, and their leaders, too — are swept into nets meant for terrorists and criminals. But those nets will still sweep. Obama endorsed the collection of information about most electronic communications, if not their actual content. Most of the big questions about the Snowden revelations remained unanswered. Well, at least until “Snowden II” emerges … a very real fear among members of the intelligence community, I am told.

But what the week really showed was the strange, contradictory approach the U.S. takes to regulating the internet. The U.S. is very happy to flex its muscles in the name of national security. But when it comes to the interests of internet users, it is a major head fake. Obama entered office endorsing “net neutrality,” the idea that broadband providers must treat all data on their networks equally. But regulators, rather than directly enforcing that rule by declaring the broadband companies “common carriers”, like phone companies, tried to implement it via a circuitous route. This week, as I … and many others … had predicted, the legal challenge mounted by Verizon overturned that approach.

These broadband firms … unlike the newer data companies like Amazon, Facebook and Google … made barely a peep of complaint about the intrusive surveillance that Snowden revealed. Mere coincidence the regulators were so reluctant to impose their will on a sector so complicit in that surveillance? Too cynical on my part? No.

Granted, nobody is pure in this business, as I well know. Apple, Microsoft, and the others, who treat you as a product to be bought and sold … and who have engineered laws like the DMCA to make it illegal to convert your files for use with rival products … will always protect themselves. Anybody remember the old Amazon MP3 store? Until recently, it worked beautifully. Pay a reasonable price for your music, and Amazon would let you download it to your computer with as little fuss as possible. Recently, that changed. Amazon wants to promote its cloud drive services, so now it requires that you lock yourself into an Amazon-proprietary downloader to get your MP3s. The Amazon MP3 store started life with a lot of rhetoric about liberation (remember the t-shirts that trumpeted “DRM: Don’t Restrict Me!”?) that contrasted their offering with the locked-in world of the iTunes Store. Now that Amazon has won enough market share in the MP3 world, it is using that position to try and gain ground in the world of cloud computing, at the expense of its customers. Ah, the walled garden.


▪ A return to Davos

This week I head for Davos. Every few years, courtesy of an IP client, I receive a pass to attend Davos.   Not the entire event, just 1-2 days. I pay my own travel/lodging and for my security pass but entrance fees and “imbibements” are covered by my client.  I do not go every year it is offered to me (it usually hits right before an annual FutureMed/Singularity event I usually attend). In 2011 I hit the jackpot because the theme at Davos was “Data: the new asset class”. But this year I am attending because the agenda includes two areas I have been following very closely: (1)  neuroscience and (2) machine learning.

These subjects fit in well because the theme at Davos this year is the technological forces that are transforming our lives, communities and institutions, crossing geographic, gender and generational boundaries.

Note: here is one of the more amusing comments. A side theme this year is “income inequality”. Attendees are paying around $40,000 to attend (it is a sliding scale and can run well beyond that, with some attendees paying $1 million to attend) so my legal assistant asked: “will there be a breakout session on irony?”

The draw for such difficult technological subjects as neuroscience and machine learning is simple. Davos is primarily a huge, high-level business conference, in which senior executives from the world’s largest companies take advantage of their physical proximity to meet in person with partners and clients and would-be clients. But it also exposes these attendees to subjects and areas they have heard about and need to know … they aren’t going to attend normal conferences to learn because of their time constraints … so what better venue than Davos.

Neuroscience: There will be a detailed series of sessions on neuroscience with a focus on “The Neuroscience of Leadership” (what can brain science teach us about becoming better leaders), plus sessions on performance-enhancing technologies, the “precision patient” (from genomics into the metabonome), robotics and integrated care, assisted living through digital platforms, etc.

What we have learned over the last few years in neuroscience and neurobiology is staggering. But the “brain porn” saturating our media often prevents a serious discussion of what neuroscience can (and cannot) do. It is great that neuroscience is enjoying unprecedented levels of funding and cultural influence, but there are limits to neuroscience. The speakers are top-notch, so hopefully the benefits … and limits … will be made clear.

Machine learning: Cisco has put together the briefing notes and their thrust is clear, and pretty basic: traditional analytics have become obsolete. The future of technology is being shaped by machine learning algorithms: algorithms that learn from the data they process and can be trained to improve as they process more of it. Senior executives need to learn/know this. With the exponential growth of data, simple data analysis will no longer provide value. Real value comes with the application of machine learning algorithms that not only analyse but also predict and suggest. The material will show how personalized e-commerce and mobile shopping, personalized information and business-to-business intranet portals have made information easily accessible. Machine learning technologies provide the information you need when it is needed.

To those of us who parse data on a regular basis, this is no great shakes. But the sessions will bring together researchers, practitioners, and industry experts in the fields of machine learning, data mining, and related areas to present recent advances, to discuss open research questions, and to bridge the gap between data analytics research and industry needs based on concrete, real world problems. There will be discussion/demos of how to channel torrents of data into actionable information.


▪ CES: an evolution

Eric De Grasse, my CTO, made a 2 day visit to the Consumer Electronics Show (CES) a few weeks ago. Typically, CES is a place for announcements with more light than heat. But amidst the bizarre and unnecessary gadgets that will soon be forgotten, big companies rolled out a handful of technologies that could be truly transformative. What’s noticeable about these “game-changers” (I actually hate the phrase but I am a bit lazy today so I’ll just use it) is that, despite CES’s doggedly gadgety nature, most of them weren’t gadgets. It was applications, it was use: how best to use and manipulate the gadgets you already have. For example: while flat screen TVs may have reached the zenith of their development, the services piping content to them, mainly Netflix, are for the first time innovating in ways that are impossible for cable operators and with physical media like discs. Similarly, with “connected cars” (a big part of the buzz at CES, but a much bigger part of MWC next month, of which I will have more), the software for them is likely to be the much bigger industry. Meanwhile, Nuance showed its future (our future?) in which all of our devices accept voice commands.

But the “Comment of the Show” goes to a sales chap from “A Very Large Internet/Media Company” who said to Eric:

“Privacy? Hell, no! Our job is to abolish that. Our goal is to identify shoppers by their smartphones or with cameras and facial-recognition software. Then, we data mine the customer’s online history, so … as an example … we find out that last night she was looking for tennis shoes so that … WHAM! … she sees a sales pitch for sneakers flash up on her phone next morning. Or if she is in a store, it pops up on the in-store digital screens. That’s the goal, that’s the dream”.

[ No comment ]


▪ Alan Alda

For most of us Alan Alda is the American actor who played Hawkeye Pierce in the TV series M*A*S*H and Arnold Vinick in The West Wing. But he is also a director, screenwriter, and author, and a six-time Emmy Award and Golden Globe Award winner. He is currently a Visiting Professor at the State University of New York at Stony Brook School of Journalism and a member of the advisory board of The Center for Communicating Science. He serves on the board of the World Science Festival and is a judge for Math-O-Vision.

And that has become his passion: turning the communication of science to the public into something of an art form in and of itself. He thus inspired Stony Brook University to create a Center for Communicating Science, which has the unique mission of doing that communication with and through scientists themselves. He was host of Scientific American Frontiers on PBS from 1993 to 2005, and interviewed hundreds of scientists, drawing out of them their wonderful research in a plain, understandable manner. I had the opportunity to hear him speak last year at a Scientific American event.

In 2011 he initiated “The Flame Challenge” : challenging scientists to explain … to 11 year old minds … how a flame actually works. And then had hundreds of 11-year-olds do the judging. More than 800 scientists participated in that challenge.

I try to promote Alan’s work every chance I get. And since I have a lot of scientists/techies who subscribe to this listserv I want to take the opportunity again. The challenge for 2014? How do you explain color to an 11-year-old? First, here is the challenge:


And here is Alan explaining it:


Flame scientists from Alan Alda Center on Vimeo.


▪ And lastly, my weekend book note:

Last week I received a copy of Sandy Pentland’s new book Social Physics. Pentland is a pioneer in big data, computational social science, mobile and health systems. He is one of the most-cited computer scientists in the world and was named by Forbes as one of the world’s seven most powerful data scientists. He currently directs computational social science research at the MIT Media Lab.

He pretty much pioneered the experiments of fitting employees with biometric devices to track all their movements, physical conversations and email interactions in order to analyse, and help improve, performance. His experiments yield gigabytes of behavior data.

We have known for centuries that cultural and social dynamics influence how we behave but until now academics could usually only measure this by looking at micro-level data, which were often subjective. Pentland and others like him are now convinced that the great academic divide between “hard” and “soft” sciences is set to disappear, since researchers these days can gather massive volumes of data about human behavior with precision.

His discussions in Social Physics raise a plethora of privacy issues, especially if you tag people. And while Pentland insists that these can be managed with sensible co-operation and laws, others such as Edward Snowden and Glenn Greenwald disagree. And there is another, more subtle problem with this idea of people-watching. Although computer scientists tend to think that digital breadcrumbs are as neutral as atoms, and can be analysed using the tools of physics, in reality they can be culturally influenced too. And the issue will always be whether these powerful new tools will be mostly used for good or for more malevolent ends.

Below is a short video that Pentland did for Edge.org and which is a nice overview of his work: reinventing society in the wake of big data. And I have two extra copies of his book, sent to me via my publishers cooperative (I receive 10 books a month and cannot possibly review/read them all, and often get duplicates). The first two listserv members who send me a DM on Twitter get them):

Reinventing Society in the Wake of Big Data from Edge Foundation on Vimeo.


Follow me on Twitter by clicking here

For our comments/posts on AI, Big Data, analytics, data visualization, and other cool stuff click here)

And to get off … or onto … this distribution list just email me here: gbufithis@gbmediastudios.com


* POSTSCRIPT: 451 Research: readers have noted I tend to wax lyrical about 451 Research. With good reason. They have a brilliant team of researchers and analysts who totally understand the competitive dynamics of innovation in scores of technology segments: Matt Aslett, Michelle Bailey, Rory Duncan, David Horrigan, Andy Lawrence, Javvad Malik, Matt Mullen, Wendy Nather, Katy Ring, Owen Rodgers, Simon Robinson, William Fellows. To name but a few.

They are a company you simply need to know. But my link is quite personal. I had met one of the founders, Nick Patience, some years ago at an e-discovery conference. We stayed in touch, met often, and he invited me to several 451 events where the knowledge I gained has continued to inform my work and my blog posts.

But the real kicker for me was a few years ago at the annual Hosting & Cloud Transformation Summit Europe (by the way, it’s coming up shortly). Nick introduced me to Brian Cox, who was the keynote speaker. Brian, as most of you know, is Professor of Particle Physics and one of the leaders on the ATLAS experiment at the Large Hadron Collider (LHC) at CERN in Geneva. He is a physics star turned pin-up professor whose several series on the solar system and science have sent his career into orbit. Universities that have seen a surge in applications for physics programs over the last 2 years call it the “Brian Cox effect”. (Physics was my minor in college).

At the conference … populated by folks who certainly work with large amounts of data … Brian dazzled the crowd with real data loads: how about 40 terabytes created per second. That’s how much data is thrown off by the LHC, the world’s largest and highest-energy particle accelerator.

That introduction led to an email exchange, and an invitation to CERN. It rekindled my interest in physics and led to a whole string of further introductions at the Swiss Federal Institute of Technology, the Swiss AI Lab, the Delft University of Technology, the Grenoble Institute of Technology, etc., etc.  And it led to my current studies in neuroscience, plus the restart of my informatics program.

So for all that, a big thanks to 451 Research.
