Monday, January 19, 2015

A very interesting version of the Sony hack. Consider: It is much harder to hide your penetration activity in a low volume of target data. Most of your “penetration” has to be via devices (and their logs) that the target does not have access to. Still, I find it difficult to believe the North Koreans are both “incredibly careful” and “sloppy” at the same time.
N.S.A. Breached North Korean Networks Before Sony Attack, Officials Say
The trail that led American officials to blame North Korea for the destructive cyberattack on Sony Pictures Entertainment in November winds back to 2010, when the National Security Agency scrambled to break into the computer systems of a country considered one of the most impenetrable targets on earth.
Spurred by growing concern about North Korea’s maturing capabilities, the American spy agency drilled into the Chinese networks that connect North Korea to the outside world, picked through connections in Malaysia favored by North Korean hackers and penetrated directly into the North with the help of South Korea and other American allies, according to former United States and foreign officials, computer experts later briefed on the operations and a newly disclosed N.S.A. document.
… The extensive American penetration of the North Korean system also raises questions about why the United States was not able to alert Sony as the attacks took shape last fall, even though the North had warned, as early as June, that the release of the movie “The Interview,” a crude comedy about a C.I.A. plot to assassinate the North’s leader, would be “an act of war.”
… Only in retrospect did investigators determine that the North had stolen the “credentials” of a Sony systems administrator, which allowed the hackers to roam freely inside Sony’s systems.
In recent weeks, investigators have concluded that the hackers spent more than two months, from mid-September to mid-November, mapping Sony’s computer systems, identifying critical files and planning how to destroy computers and servers.
“They were incredibly careful, and patient,” said one person briefed on the investigation.
… Mr. Comey told the same Fordham conference that the North Koreans got “sloppy” in hiding their tracks, and that hackers periodically “connected directly and we could see them.”
… The skeptics say, however, that it would not be that difficult for hackers who wanted to appear to be North Korean to fake their whereabouts. Mr. Comey said there was other evidence he could not discuss.

(Related) This isn't (or at least should not be) news, but I'll toss it in as a reminder.
The Digital Arms Race: NSA Preps America for Future Battle
Spiegel Online – The NSA’s mass surveillance is just the beginning. Documents from Edward Snowden show that the intelligence agency is arming America for future digital wars — a struggle for control of the Internet that is already well underway, by Jacob Appelbaum, Aaron Gibson, Claudio Guarnieri, Andy Müller-Maguhn, Laura Poitras, Marcel Rosenbach, Leif Ryge, Hilmar Schmundt and Michael Sontheimer, January 17, 2015.
“According to top secret documents from the archive of NSA whistleblower Edward Snowden seen exclusively by SPIEGEL, they are planning for wars of the future in which the Internet will play a critical role, with the aim of being able to use the net to paralyze computer networks and, by doing so, potentially all the infrastructure they control, including power and water supplies, factories, airports or the flow of money… The US Army, Navy, Marines and Air Force have already established their own cyber forces, but it is the NSA, also officially a military agency, that is taking the lead. It’s no coincidence that the director of the NSA also serves as the head of the US Cyber Command. The country’s leading data spy, Admiral Michael Rogers, is also its chief cyber warrior and his close to 40,000 employees are responsible for both digital spying and destructive network attack. One NSA presentation proclaims that “the next major conflict will start in cyberspace.” To that end, the US government is currently undertaking a massive effort to digitally arm itself for network warfare. For the 2013 secret intelligence budget, the NSA projected it would need around $1 billion in order to increase the strength of its computer network attack operations. The budget included an increase of some $32 million for “unconventional solutions” alone.”

I have my own “war stories” along this line. My solution was to call internal audit departments rather than the top brass. These are the guys who will have to investigate the claim in any case, so we might as well start them off with all the data.
I haven’t kept strict statistics, but in general, most entities that I try to notify of a breach fail to respond at all. Others may respond that they’re looking into claimed hacks, but then fail to get back to me with a definitive answer or statement.
Here’s another case in point:
On January 10, I emailed the Commissioner of Insurance for Kansas, as well as the contact, webmaster for their site, and one other.
In my email, I pointed them to a claimed hack that had been posted on #TeamCarbonic’s web site at
The data that had been dumped included residents complaining about auto insurance rate hikes due to credit score rating and how unfair that seemed. Some of the residents complaining included personal information as well as their contact details, such as the individual who noted his wife had been in a coma for two years.
As breaches go, this was not a huge one. There were no SSNs in the data dump and no financial account information. But there was personal information such as names, postal and email addresses, phone numbers, and their experience with insurance rate hikes. There were also other kinds of financial information in another database.
Did the Commissioner of Insurance’s office respond to the notification from this site? Did any of those cc’d on the notification respond to the notification?
No, they did not.
Did they investigate and do anything?
We have no clue.
This does not inspire confidence, does it?

Perspective. How will this change the world?
Janjuah on 2015: Oil at $30; bonds to go crazy
If you thought 2014 was volatile, hold on to your hats this year as the price of oil could hit $30 a barrel and the bond markets will outperform, according to Bob Janjuah, a closely-watched strategist from Nomura Securities.
… On Monday morning, benchmark Brent crude futures were trading at $50.06 per barrel and U.S. crude was trading at $48.47 a barrel. Last week, oil prices dropped to around $45 a barrel – near six-year lows – but prices rebounded Friday after the International Energy Agency said that there were signs "the tide will turn" in the oil market.
… Janjuah believed that Saudi Arabia – the leading member of OPEC -- would be content to maintain that pressure on the U.S. along with other major oil producers such as Russia.

For my Students. Both the Data Management and the Business Intelligence classes should find a way to use this infographic in their projects. (Very strong hint here, students)
Will This New Internet of Things Platform Justify Intel Corporation's $8.6 Billion Security Tech Buyout Binge?
Intel spent $880 million on embedded systems specialist Wind River in 2009. Two years later, the chip giant picked up security software veteran McAfee for another $7.7 billion.
This multibillion-dollar buyout binge didn't make much sense at the time. But behind the scenes, Intel had a plan. The company recently presented a brand-new Internet of Things platform that might justify those princely buyout sums -- and then some.
As Intel's handy infographic above shows, the Internet of Things consists of several connected parts. There are devices collecting data in the field, systems that store and manage the information flow, and number-crunching servers or workstations where you extract business decisions or personal benefits from the whole process. In many cases, the information flows both ways, and everything is networked together into a larger system.
At least two of these process blocks -- data collection and management/storage -- are often exposed to the wide-open Internet. That crucial ability to gather data from anywhere and analyze it with tools that would never fit in a wristwatch is what gives the Internet of Things much of its power.

Perspective. Sears is using tablets to scan bar codes and allow customers to sign with a finger. This is the same idea, but it uses smartphones, which every small business should have.
PayPal Here EMV Reader Coming to Small Business
PayPal announced this week that its mobile credit card processing system, PayPal Here, will soon include support for EMV (chip-and-pin) credit and debit cards. PayPal also announced that it will make the PayPal Here SDK available on Windows mobile devices.
Here's what we know so far about PayPal Here's upcoming changes and how they will affect your business. [27 Ways to Accept Mobile Payments]

For my Math students.
Top >10 Mathematics Websites
An updated version – always a work in progress – but these are sites I use for my teaching to help my students learn. A new format, so the presentation is more complete in itself. If you would like a copy of the presentation: Top 10 Mathematics Websites 2015

Dilbert perfectly illustrates our perception of managers.
