Friday, January 24, 2014

Cut the lines! Flood the moat! Pull up the drawbridge – we are under attack!

In the days of the cold war, we were all spectators to an arms race, but since the cold war ended we have rarely used the expression. However, events of the last couple of months have made us realize that indeed, the race is on, yet again …

This week I participated in the half-yearly sales meeting of Integrated Research, the company that brings you the much-deployed Prognosis monitoring solution. When it came time to sit down with the account teams responsible for NonStop systems and Payments platforms, the topic of fraud (and its detection and neutralization) wasn’t far from their minds – routinely through the day we made references to the most recent attack on Target, which affected almost one in five Americans.

In the introduction to the post Cruising to EMV eventuality? to ATMmarketplace on May 17, 2013, I wrote of a trip, only a few years earlier, to St Petersburg, Russia. Back then, the topic of the day was the ATM attack that pilfered some US $40 million from unsuspecting banks, the majority of which were in New York. In that post I quoted a story that appeared in the Wall Street Journal that told of one of the biggest ever bank heists, when a global cybercrime ring stole $45 million from two Middle Eastern banks by hacking into credit card processing firms and withdrawing money from ATMs in 27 countries.

I also wrote about the surprise I had when I read of how "investigators said they found an email exchange with an account associated with a criminal money laundering operation in St. Petersburg, Russia, describing wire transfers." Only a couple of years earlier Margo and I had paid a visit to St Petersburg when our cruise ship pulled into the port for an extended stay. We took the opportunity to take in the sights, and among the most stunning we have seen anywhere in Europe was the restored palace of Catherine the Great. The photo at the top of the post is of Margo in one of the restored gilded rooms, with myself as photographer visible in the mirror.

On shore, I couldn’t help noticing just how many cafes lined the canal and how full they were of people, oblivious to the tourists that passed by, hunched over their laptop computers. I recall being told at the time, as I noted in my ATMmarketplace post, how sad it was to see so many unemployed PhDs simply filling in time before playing chess in the afternoon. However, it was left to others to suggest that their pastime included activities far removed from playing chess.

It would now appear that the attack on Target and other department stores had a connection with St Petersburg as well. According to the article Target Malware Written By 17 Year-Old Russian Teen From St Petersburg, Firm Claims, “the card-skimming malware used to steal the credit card data of up to 110 million Target customers was ‘off-the-shelf’ malware created by a 17 year-old Russian programmer from St Petersburg,” the US security analyst IntelCrawler has claimed. IntelCrawler “names (the teenager) as 'ree[4]', a multi-talented Russian cybercriminal and author of a range of hacking tools, including BlackPOS itself. The firm even tracked down his real name, complete with photographs of the alleged culprit.”

Furthermore, while “It is not clear that this individual has any direct connection to the actual Target attack,” IntelCrawler’s president, Dan Clements, acknowledged, “He is still visible for us, but the real bad actors responsible for the past attacks on retailers such as Target and Neiman Marcus were just his customers.” So what is it with St Petersburg? If other visitors make the same observations as I did, why can’t we just cut all the phone lines into this city? With each attack I have to believe this café society will only get bolder, and the sheer brazenness of their pursuits will escalate further.

It’s tantamount to a declaration of war by the intellectuals of St Petersburg! Perhaps this is, indeed, what is taking place. For participants in the January 8, 2014, webinar Meg Whitman & George Kadifa: Transforming your IT Organization and Creating Business Value, HP CEO Meg Whitman declared it an arms race when the subject of security was raised. I cannot imagine a better description of what’s taking place than what HP’s CEO has observed; you can raise the bar, but it simply creates a new objective for the bad guys, and they will eventually find a way over.

And, if it is war – what tools do we have to repel such attacks? Clearly, coming away from the IR sales meeting, monitoring represents a great starting point. As one recent IR hire with deep industry knowledge reflected, “surely someone should have noticed that along a string of ATMs there were withdrawals (all at the maximum allowed) from a rarely-used loyalty card connected with a bank almost nobody accessed!” You would have thought alarms would have sounded pretty quickly, but now, in hindsight, we aren’t so sure. When you have displays showing groups of cards in buckets, according to type and issuer, then surely this had to have stood out for all and sundry to see!
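One way to turn that observation into a check, as an added example that is not from the post, from IR or from the Prognosis product: it buckets withdrawals by card type and issuer, as the displays described above do, and alerts only when max-limit withdrawals inside a short window are numerous, spread across distinct ATMs, and far above that bucket's historical rate, so a burst on a rarely-used issuer stands out while the same count at a busy issuer does not. The log records, ATM and issuer names, and baseline rates are constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ATM withdrawal records (not real data):
# timestamp, atm_id, card_type, issuer, amount, per-transaction limit.
SAMPLE_LOG = """\
2013-02-19T23:00:05 ATM-101 debit BANK-A 200 500
2013-02-19T23:03:00 ATM-201 loyalty BANK-X 500 500
2013-02-19T23:03:40 ATM-202 loyalty BANK-X 500 500
2013-02-19T23:04:15 ATM-203 loyalty BANK-X 500 500
2013-02-19T23:04:50 ATM-204 loyalty BANK-X 500 500
2013-02-19T23:05:30 ATM-205 loyalty BANK-X 500 500
2013-02-19T23:06:00 ATM-103 credit BANK-B 500 500
"""
# Assumed historical volume per (card_type, issuer) bucket, withdrawals per hour.
BASELINE_PER_HOUR = {("debit", "BANK-A"): 400.0, ("credit", "BANK-B"): 250.0,
                     ("loyalty", "BANK-X"): 2.0}

def parse_log(text):
    """Parse the whitespace-separated records into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        ts, atm, ctype, issuer, amount, limit = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "atm": atm,
                       "bucket": (ctype, issuer), "amount": int(amount),
                       "limit": int(limit)})
    return sorted(events, key=lambda e: e["ts"])

def detect_cashout(events, baseline, window=timedelta(minutes=10),
                   min_hits=4, min_atms=3, surge_factor=5.0):
    """Flag buckets whose max-limit withdrawals in one window are numerous,
    spread over distinct ATMs, and far above the bucket's baseline."""
    by_bucket = defaultdict(list)
    for e in events:
        if e["amount"] >= e["limit"]:  # only withdrawals at the cap count
            by_bucket[e["bucket"]].append(e)
    alerts = {}
    for bucket, hits in by_bucket.items():
        expected = baseline.get(bucket, 0.0) * window.total_seconds() / 3600
        start = 0
        for end in range(len(hits)):
            while hits[end]["ts"] - hits[start]["ts"] > window:
                start += 1  # slide the window forward
            span = hits[start:end + 1]
            atms = {h["atm"] for h in span}
            if (len(span) >= min_hits and len(atms) >= min_atms
                    and len(span) >= surge_factor * expected):
                alerts[bucket] = {"hits": len(span), "atms": len(atms)}
    return alerts
```

On the sample data only the loyalty/BANK-X bucket is flagged; five max-limit withdrawals at a busy issuer like BANK-B would sit well inside its expected volume and stay silent.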

Perhaps we shouldn’t be too hard on the operators. Perhaps the real answer lies elsewhere, and could lead us into discussions about one of the true value prospects from integration with Big Data. Central to much of what IR has begun deploying with its latest release of Prognosis are new capabilities providing Business Insight, and it’s not hard to see some of the properties of Business Insight being utilized to predict escalating hostilities from the bad guys. Indeed, predictive analytics is at the fore of many discussions involving financial institutions following the most recent attacks.

According to Itamar Ankorion, Attunity’s Vice President, Business Development and Corporate Strategy, these financial institutions don’t want to see a message informing them that they have lost $40 million, preferring to be informed ahead of time that they are likely to lose $40 million. “Such analytics can be done in an analytic platform like HP Vertica, in Hadoop, or a combination of both,” acknowledged Ankorion. “Financial institutions should look at these new technologies as ways to enable this capability; and in doing so, look for ways to leverage the data from the NonStop to support this analytics.”

HP CEO Meg Whitman’s remark that, when it came to security, businesses everywhere were in an arms race was made during a webinar on HAVEn. An integral part of HAVEn revolves around Enterprise Security, and its presence in HP’s Big Data Platform is not an accident. Clearly, securing Big Data frameworks themselves is an obvious need, but for me turning HAVEn around and applying it to help become more proactive with respect to predicting potential attacks is perhaps an even more important outcome of the HAVEn program. Could Big Data used in defense of our switches and networks, and ultimately, our money, become the commercial equivalent of the 1980s “Star Wars” that ended the last arms race?

The potential outcome of such a focus on Big Data, and the impact it could have, hasn’t escaped the attention of WebAction co-founder Sami Akbay. “Now that the attention of the world is turning to events in the US, as hackers penetrate the security systems at retailers like Target,” said Akbay, “it’s more than likely that the work being done with Big Data (and the analytics relying on Big Data) may be re-prioritized to better detect the sophisticated security attacks we are all witnessing.”

Akbay then explained that even as “Credit card issuers like Visa and MasterCard have done a good job to date in identifying fraudulent transactions as they happen, and their cardholders are well protected against fraudulent transactions, there’s real money being lost and these card issuers would like to stem the flow. With Big Data and the inclusion of real time transactional data, as we are providing today with WebAction, we expect much better awareness of potential fraudulent transactions – not as they are taking place but in the minutes and seconds leading up to them taking place!”

Cutting all the phone lines connecting St Petersburg to the rest of the world is not an answer. Perpetrators in other countries are every bit as active as those in St Petersburg, of course, as we are just finding out. South Korea, for instance, woke to news just a few days ago that a rogue “Worker at the Korea Credit Bureau, a company that offers risk management and fraud detection services,” took off with the personal information of 40% of the population. In this just-breaking story, Massive data theft hits 40% of South Koreans, CNN disclosed that “Crucial personal data like identification numbers, addresses and credit card numbers were all stolen.” Clearly, what needs to be pursued has to be a lot better than what we have been relying on to date.

According to IR, what needs to be pursued more aggressively is greater Business Insight, including greater focus on predictive analytics – alerting business to potential trends when they first develop. Big Data certainly holds the potential to be extremely helpful in this respect and vendors specializing in Big Data are well aware of the potential upside from greater integration with daily operations.

If there truly is an arms race under way, as is being suggested, NonStop is right in the middle of it, and remaining ambivalent even as the bad guys probe our defenses is not an option. Equipping our operations personnel, standing as they do on the edge of imminent danger, with tools to stem the tide is of paramount importance for every business – the headlines are bound to continue, but there’s no reason why anyone in the NonStop community should suffer. It’s time to roll out Star Wars and turn the tide on these bad guys!

1 comment:

Gerhard Schwartz said...

"Flooding the moat, pulling up the drawbridge ..." - that's a pretty excited headline. But it looks like there is no moat to flood and no drawbridge to pull up that would enable us to keep the evil out. IT experts keep telling us that perimeter defense does not work anymore. And a blockade of St. Petersburg will most certainly not help.

We are told that we now have to look out for and chase the bad guys everywhere, just like cowboys in the Wild West had to protect their cattle against thieves all the time. But there is a significant difference: The thieves are not only always at least one step ahead, in addition they do outnumber the cowboys dramatically. These bad guys are cloned robot thieves originating from giant botnets and are coming in millions, and are easily replaced when they get killed.

How did we get into this miserable situation?

Actually - for anyone watching IT and the Internet for a couple of years, all this bad news on IT security can't really come as a surprise.

Today's prevailing mainstream infrastructures are just too vulnerable and brittle, and the Internet architecture was designed as if there were only good and honest people on this planet. The architects never thought about such a hostile environment as we find today. IT-wise, we really do live in the Wild West with no Sheriff in sight. And interestingly, not even the boldest marketeers dare to promise us that using their wonderful products or services would bring that fundamental change towards better security that is needed so badly.

Fundamentally poor design from a security point of view within the basic architectures of both the end user devices and the Internet leave no hope whatsoever for solving the fundamental security shortcomings, unless we push the big RESET button.

We need completely new and security-focused architectures for the Internet, for end user devices and for the server infrastructure too. This is certainly achievable, but we would have to do away with a few holy relics of the past, e.g. with most of the PC technology.

And of course, getting there will take time and will cost money. So there are not many people daring to speak up demanding those radical measures. Collectively, we keep trotting down that wrong trail which is leading us only further into the swamp.

How can the IT Security dilemma be solved?

A separate and much more secure worldwide network is needed. This will be expensive, and people can't expect that this premium network can be used for free just like our current Internet (which will certainly continue to exist, but critical applications will migrate to the new premium network providing much more security and better service levels).

Those who need it will pay for it. Frequent performance bottlenecks, along with outages and major security breaches are definitely more costly.