Tag Archives: OSI

An almost funny thing

I saw an article at the BBC and I will get to that in a moment, but it reminded me of a situation that happened in 2010. I needed a new laptop and I was looking at the collection of laptops in a shop. A man came to me and was trying to convince me just how amazing this laptop was. My inner demon was grinning; I get it, the man was enthusiastic, he was giving the numbers, but in all this, did he realise what he was saying? I am not doubting the man’s skills, he was doing a good job, but I was in IT and had been there for 30 years, so I have pretty much seen it all, and there it was, my little demon on my right shoulder, calling me ‘pussy’. So as the man stated ‘this laptop has a one terabyte hard-drive, can you even imagine how much that is?’, I could not resist and my response was ‘Yup, that would fit roughly 10% of my porn collection’. His jaw dropped to the ground, his eyes almost popped, and the demon inside me stated ‘Nice!’ Actually, it was not quite true, it would only fit a rough 0.32114%. It was the impact of the shock factor. You see, there is a hidden agenda there: when you (appropriately) use the technique, you get to see the real salesperson, and that was what I needed. He was thrown, but he recomposed himself and continued giving me the goods on the laptop; I bought that laptop roughly 132 seconds later.

So today I saw ‘The Rise of extortionware’ (at https://www.bbc.com/news/technology-56570862), where I notice “where hackers embarrass victims into paying a ransom”; it is not new, it is not even novel. I will also give you the second game: after the people involved get arrested, they will demand anonymity and any bleeding-heart judge will comply. I state that these people should be handed the limelight so that the people who faced ransomware attacks can take their frustration out on them. But that remains wishful thinking. So next we get “Experts say the trend towards ransoming sensitive private information could affect companies not just operationally but through reputation damage. It comes as hackers bragged after discovering an IT Director’s secret porn collection.” I have the question: was it a private or a company computer? You see, some focus on the boobies, just what the advertisers on Twitter hope for, they want the click bitches, it makes them money. It is time that we set the larger stage; you see, the entire mess would be smaller if Cisco and Microsoft had done a proper job. OK, I apologise, Cisco does a proper job, but some things slip through, and in combination with Microsoft Exchange servers it is not slipping through, it is a cyber hole the size of the one an iceberg created in the Titanic, and we need to set a much larger stage. So when we see “Thanks God for [named IT Director]. While he was [masturbating] we downloaded several hundred gigabytes of private information about his company’s customers. God bless his hairy palms, Amen!”, it seemingly answers that he might keep it on a corporate computer, or he uses his private computer for company stuff. Yet in that same light the hacker should not be allowed any anonymity; we all get to see who the hacker is. If there is something to be learned, it is seen in “Hackers are now actually searching the data for information that can be weaponised. If they find anything that is incriminating or embarrassing, they’ll use it to leverage a larger pay-out. These incidents are no longer simply cyber-attacks about data, they are full-out extortion attempts”. There are two sides:

  1. The station of ALWAYS ONLINE needs to change; there needs to be an evolving gateway of anti-hack procedures and a stage of evolving anti-hack routers and monitoring software. You think that Zoom is an option?
    Tom’s Guide gave us less than 2 weeks ago “More than a dozen security and privacy problems have been found in Zoom”, as well as “Zoom’s ease of use has made it easy for troublemakers to “bomb” open Zoom meetings. Information-security professionals say Zoom’s security has had a lot of holes, although most have been fixed over the past few years”, so whilst you contemplate ‘most have been fixed’, consider that not all are fixed, and that is where the problem goes from somewhat to enormous. Well over 20% of the workforce works at home and has Zoom meetings, and that is how cyber criminals get the upper hand (as well as through disgruntled employees); a change in mindset is only a first station.
  2. Remember that Australian? (Julian Assange) We were told that soon there would be some leaks on issues at banks (Wall Street), then it suddenly became silent. Now some will say that it is a bluff, but in light of the meltdown in 2008 I am not so certain; I reckon that some have ways to show who the hackers are and they profit by not doing that. Can I prove this? Absolutely not. It is speculation, but when you look at the timeline, my speculation makes sense.
  3. The third side is optionally the second side, as the second side might not be a real side. When we see “Hackers are now actually searching the data for information that can be weaponised. If they find anything that is incriminating or embarrassing, they’ll use it to leverage a larger pay-out. These incidents are no longer simply cyber-attacks about data, they are full-out extortion attempts”, the underlying station is ‘information that can be weaponised’ and the IT sector is helping them.

How did I get there? The cloud is not as secure as some state, and the salespeople need to take notice. Business Insider gave us about 6 months ago “70% of Companies Storing Data With Cloud Companies Hacked or Breached”; do you see the link that is now slowly being presented to us?

In the OSI model, we see layers 3-7 (layer 8 is the user). So as some have seen the issues from Cisco, Microsoft and optionally Zoom, we see a chain of issues from layer 3 through to layer 7, ALL setting a dangerous stage. Individually there is no real blame and their lawyers will happily confirm that, but when we see security flaw upon security flaw, there is a larger stage of dangers and we need to take notice. And here the dangers become a lot more interesting when we consider the Guardian yesterday, where we saw “Intelligence value of SolarWinds hacking of then acting secretary Chad Wolf is not publicly known”; what else is not publicly known? How many media outlets ignored the Cisco matter? How come ZDNet is one of the few giving us “it’s not releasing patches for some of the affected devices that reached end of life” less than 8 weeks ago? Again I say Cisco did the right thing by informing its customers close to immediately, yet when we see “More than 247,000 Microsoft Exchange servers are yet to be patched against the CVE-2020-0688 post-auth remote code execution (RCE) vulnerability impacting all Exchange Server versions under support” (source: bleepingcomputers.com), as far as I can see a lot of the media ignored it, but they will shout and repeat the dangers of Huawei without being shown actual evidence. And I state here that unless we make larger changes, the extortion path will evolve and become a lot larger. With 70% of cloud systems getting hacked or breached, a large chunk of the Fortune 500 will pay too much to keep quiet, and who gets to pay for that? There is a rough 99.867765% chance that its board members will not; it might be speculative, so please prove me wrong.

A stage where the needs of the consumers change, in a stage where the corporations are not ready to adjust, and all whilst the IT salespeople have that golden calf that does everything and makes you coffee as well. Adjustments are needed, massive adjustments are needed, and we need to make them now, before the cybercriminals are in control of our IT needs. That is not mere speculation: when you see flaw after flaw and too little is done, as too many are the victim of its impact, that is a serious breach, and it has been going on for some time. Now it is seemingly out in the light and too many are doing too little, and as we laugh at “God bless his hairy palms, Amen!”, consider that stage. Now consider that they invade a financial institution. These are clever criminals, they do not empty your account, they merely take $1, perhaps $1 every other month; this implies that they are looking at $16,000,000 every two months. And this is merely one bank, one in a thousand banks, some a lot bigger than the Australian Commonwealth Bank. Let’s face it, given the fact that layer 3 to layer 7 is leaky for hundreds of thousands of customers, do you really think that banks are off-limits? Do you really think that this is a simple hiccup, or that the scenery is changing this quickly because people claim that it will be fixed in no time?

We need massive changes and we need them a lot sooner than we think.


Filed under IT, Law, Media, Science

As we grow expertise

An interesting story broke in the Guardian this morning; the title ‘Senior NSA official moonlighting for private cybersecurity firm’ should catch our eyes in many ways, but for most of you it will seem wrong. The story is about an official named Patrick Dowd and how he, as an NSA official, also worked in the late hours for IronNet Cybersecurity, yet never crossed the ethical boundaries.

You see, many will shout, scream and make all other kinds of noises, but the plain and simple truth is that this happens ALL THE TIME. If you think that this is not true, then look at accountancy firms, look at Google and look at a host of other corporations. In this day and age, to get ahead you need to double dip your brain power.

Of course when doing this, knowledge, more precisely data, cannot go from one to the other, yet the knowledge and the know-how are there, which is the IP of the person holding the brain (aka the man with the thought-out plan). Former General Alexander is heading a firm making well over 10 million a year (I will send him my resume shortly).

The article written by Spencer Ackerman in Washington (at http://www.theguardian.com/us-news/2014/oct/17/senior-nsa-official-moonlighting-private-cybersecurity-firm) gives the right nuance and is a good read. More importantly, between the lines he seems to be implying the question that follows from “‘I just felt that his leaving the government was the wrong thing for NSA and our nation,’ Alexander told Reuters”; he is of course correct: can we allow certain areas to suffer a brain drain? Keith Alexander’s pragmatic approach, if properly used earlier, could have saved the intelligence community hundreds of millions in the timespan 2003-2007; no one seems to be looking at that part. We seem to allow ‘dodgy’ accountants to sign off on unchecked quarters of billions, but when a soldier finds alternative usage of his skills in non-criminal ways, we tend to shine the limelight on them. For this I only need to show the Reuters quote “(Reuters) – The new boss of Tesco (TSCO.L) has told staff he expects to be able to give a “clear and accurate indication” of the impact of a 250 million pound accounting mistake when the grocer reports delayed first-half results next week”, whilst Googling PricewaterhouseCoopers reveals not one, I say again not one, link showing that the press has taken one look at that part of the Tesco equation. So we can conclude at present (from the evidence as seen published) that for now, the backbone of the press is nothing more than a shoddy paperback!

Back to the Age of Cyber Alexander the Great. As we see the Huffington Post (at http://www.huffingtonpost.com/bea-edwards/the-nsas-keith-alexander_b_5515718.html), we see the quote “The FSR itself is a veritable tilt-a-whirl of revolving doors, with a steadily increasing lobbying budget on behalf of its corporate bankers and insurers and a roster of high-placed former government officials. For example, the FSR employs the firm of Barnett, Sivon and Natter to advocate its causes”. The Financial Services Roundtable (FSR) seems to be dealing with its ‘own’ mess by getting the bigger boys on the block involved. Now, whether the use of ‘mess’ is qualified depends on the view of where the responsibility for pro-active protection and support should lie. But there is no doubt in my mind that those who would like to be (people like me), who have advanced data skills, will have to clear the field for those with catered skills from the NSA; that is just a plain and, at times, a little uncomfortable truth. If we look at the OSI layers (as taught in the CCNA) as a comparison, then I would cover layer two and higher, like most of us data boers (South African giggle), yet people like Patrick Dowd have layer one in addition. We all know layer one (the physical layer), yet we do not actively interact with it other than at a facilitation level. It is there that the difference of a million a month is easily spotted. We can all do it with time, but we were never able to work on that plane; that is where the NSA bang for the buck resides. And let us be clear, this is a massive bang for all of the monthly bucks, because, if you had not figured it out, RFID blockers are there for a reason; it is not a fad and it is not an overly worrying thing. The people (a very small group at the tip of the pyramid) would gain knowledge of a person beyond your imagination when they scan you as you pass by. The problem is not that you get scanned at times; it is where the flaws start, in how thousands lose small amounts every day and no one is ever the wiser. Bloomberg reported in 2011 that hackers took a billion a year; that leak must be dealt with, and this is just the small cash drains. When we consider other avenues, the loss of 1 billion might actually be the tip of another pyramid, and as such the FSR will need another game plan.

Keith Alexander saw this niche that was ignored for far too long, and with the help of Patrick Dowd and others like him they are looking at changing the game and drastically reducing the losses. In a game of billions, 20 million would be a steal at twice the price. In the age of cutting down, a market hole was found and IronNet Cybersecurity is filling that niche nicely. Consider that the Securities Industry and Financial Markets Association (SIFMA), the Consumer Bankers Association and the Financial Services Roundtable (FSR) are only the beginning. It’s such a nice view where we see a former General turned data visionary could become the founder of a billion dollar company. This is not a boast: outside of the US the digital theft age is a lot more than just a simple 9 figure number (the exact amount is not known; we know of the fact that it is, but not how much), and when it is hushed up to this extent, we can safely assume it is to some extent worryingly high. So as such IronNet Cybersecurity is not the first, but it is likely to grow faster and larger than all others for the simple reason of skills and access to knowledge, two elements the others do not tend to have to that degree in these fields.

What will be next? That is the question which is not answered with the final quote, but it shows a much larger field than many considered: “Compounding the potential financial conflicts at the NSA, Buzzfeed reported that the home of chief of its Signals Intelligence Directorate, Teresa Shea, has a signals-intelligence consulting firm operating out of it. The firm is run by her husband James, who also works for a signals-intelligence firm that Buzzfeed said appears to do business with the NSA; and Teresa Shea runs an “office and electronics” business that lists a Beechcraft plane among its assets”. If you think it has no bearing then think again. As the requirements for data retention grow, as stated in more than one nation, with the clear limits to skills and people, which have been noted by me and several others to some extent over several months, where do you think these telecom companies will get the consultants and knowledge from?

These places refused to grow expertise when they had the chance, pushing the need forward again and again; now these consultants are pretty much all that is left and training in-house staff will get a lot more expensive soon enough. Good business is where you find it, and it seems that Keith Alexander and Teresa Shea saw that companies were painting themselves into a corner; they only had to wait until the first one realised that they had no place left to go.

The consequence came to them as easy as eating pancakes, the cherry they got for free!


Filed under Finance, IT, Law, Media, Military, Science