Tag Archives: Encryption

The My Face Value “Tout Free” Guarantee

My Face Value is preparing for launch on 31st December 2017. To keep up to date with the latest news follow us on Facebook and Twitter

The My Face Value ability to tackle the problem of touts using our community is key to  earning and retaining the trust of the My Face Value community. The algorithms that My Face Value have developed to solve this problem are only one of many unique selling points in the My Face Value promise to genuine fans.

Using Innovative Technology To Beat The Touts

Similar to the auditable Random Number Generator algorithms that our Random Picking Software utilises to ensure fairness & transparency when selecting winners of our competitions & promotions, our approach to Phishing Prevention, Intercept “Man in the Middle” Attacks and our proprietary Automated Tout Detection systems use our own set of proprietary processes and algorithms to keep My Face Value secure and “tout free”.

My Face Value have developed sophisticated mechanisms that protect the data that the My Face Value community entrust us with and prevent the My Face Value community unwittingly assisting touts in their efforts to buy tickets at face value.

Protection from Trolls and Hackers 

My Face Value expects to be the target of concerted campaigns by trolls (on a simplistic level) and hackers (in a sophisticated manner) because My Face Value are dislodging and disrupting a lucrative “street level” business as well as a “respectable” corporate sector who make large amounts of money from ticket touting and price gouging tickets to events.

The first target of these hacks as we see it would be to undermine the trust in the My Face Value community by targeting our community members’ data, in all its forms. But in particular our community members credit card details. Aside from the myriad white-hat hacker tests that we have conducted, our operating systems, applications and network configurations have been comprehensively penetration tested by leaders in the field.

The Safety of Your Data – Security & Encryption 

My Face Value uses security protocols that protect the My Face Value community member from malicious interception attacks. My Face Value use a secure and encrypted connection (HTTPS/SSL) when handling My Face Value community members’ data.

The My Face Value EV SSL certificate offers the highest available levels of trust and authentication to our website. When performing transactions, the green address bar prominently displays our company name and provides highly visual assurance to customers that our site is secure – immediately giving the My Face Value community member the confidence to complete their transaction.

Sensitive Data Storage

For a further level of comfort My Face Value use an external provider with PCI Service Provider Level 1 Certification (the most stringent level of certification) to manage the process of no-hassle security and compliance that meets all PCI-DSS requirements for desktop and mobile transactions [PCI-DSS: The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organisations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB.]

No sensitive data hits the My Face Value servers. To bolster this counter measure My Face Value have added an extra layer of security in the form of Two-Factor Authentication.

Phantom Community Members / Spam Accounts

But how do My Face Value detect touts posing as allegedly legitimate community members and avoid the scenario where the tout uses the My Face Value community as a source of leads to purchase tickets at face value and then tout.

The My Face Value community, without the measures that we have taken, would be a readily available environment with millions of community members which touts could “raid” for tickets.

The Value of Anonymity

This process is outlined in great detail on our website and on our social media pages. But in short, the answer to preventing the use of My Face Value as a ticket sourcing platform for touts is “anonymity”.

The information posted by My Face Value community members in relation to BUY/SELL/SWAP requests is not visible to the My Face Value community. Rather My Face Value store the data and identify matching BUY requests with SELL offers and SWAP requests with SWAP matches.

The relevant My Face Value Community members are then notified simultaneously by email. The email contains a link and when clicked this link will allocate the ticket on a First-Come-First-Served basis to the first My Face Value community member who secures the ticket by making the required payment.

The SELLER / SWAPPERS are then requested to send the ticket(s) to My Face Value for a counterfeit check and thereafter – assuming no issues relating to payment fraud or counterfeiting arise – My Face Value will post the ticket to the BUYER and pay the SELLER or in the case of SWAPS post the tickets to the respective My Face Value community members.

The process is managed from end-to-end by My Face Value to ensure compliance.

Detecting “Organised Touting” in the My Face Value Community

My Face Value will keep the community tout free. The BUY/SELL/SWAP Process is conducted thru a series of simple menu selections. This process is outlined in detail on our website and on our social media pages. Once completed and in order to SUBMIT the information to the My Face Value databases – the My Face Value community member is requested to LOGIN, if they have not already done so, or REGISTER – if they are not an existing My Face Value community member.

Now the science bit – the steps in the REGISTRATION process provide one level of protection against touting – but not enough. Sweat shops exist and the industry (organised crime element) are well capable of setting up hundreds of identities and email addresses using pre-paid cards in an attempt to circumvent this LOGIN or REGISTER Wall counter measure.

Tout Prevention & Community Compliance 

My Face Value have developed systems to encode expertise for detecting touts, in the form of rules. Employing Big Data Analysis / Data Mining to develop community member behaviour patterns and profiles for matching against a baseline to detect deviations and automatic responses / actions or in certain cases issue automated real time notifications to the  My Face Value Tout Prevention & Community Compliance Team for examination (See Level 1-4 below for details on this process).

The My Face Value Pattern Recognition techniques to detect clusters or patterns of suspicious behaviour are automated to ensure scaleability. Machine learning techniques automatically identify the characteristics of touting. The My Face Value algorithms learn suspicious patterns from samples which are then used later to detect breaches.

My Face Value deploy these detection algorithms on a number of levels using statistical techniques and artificial intelligence:

Level 1: Email addresses used by a community member, contact telephone number provided by a community member, frequency and time of day of logins by a community member, number and type of payment instruments used by a community member, transactions levels (numbers of transactions) by a community member, types of transactions conducted by a community member – BUY/SELL/SWAP;

Level 2: Combining source metadata, platform and device usage, IP address, browser type, geo-location (clustering), proxy spoofing and VPN detection to augment the Level 1 data My Face Value hold on behaviour patterns;

Level 3: Cross referencing My Face Value community member profiles with publicly available information on social media accounts for pattern matching and augmenting the community member risk profiling data to augment the Level 1 and Level 2 data;

Level 4: In the event that all the information points to a positive breach of the My Face Value Community Guidelines then the community member will be blocked. In circumstances where the information points to a possible breach of the My Face Value Community Guidelines then the My Face Value Tout Prevention & Community Compliance Team will request identification and documents to prove that the “member” is not a phantom account AND that the documents supplied to vouch for that assertion are genuine.

The My Face Value “Tout Free” Guarantee

By implementing Behaviour Analytics & Profiling with Context Data the My Face Value Machine-Learning Algorithms ensure a tout free environment. These processes reduce to almost zero the ability for touts to engage in the volume transactions that would make the effort commercially viable or feasible.

Whether dealing with touts as individuals or organised gangs their inability to fool the profiling algorithms and/or comply with the My Face Value escalating requests for proof of identity to determine if a suspicious account is in fact a genuine fan will keep our community tout free.

The My Face Value Tout Prevention & Community Compliance Team

 

Does anyone have experience of “KAYMERA MOBILE THREAT DEFENSE SUITE”

We are looking at this platform in parallel with the SaltDNA app which I previously posted about.

Kaymera has a pre-installed secured Android OS with integrated high-end security components to detect, prevent and protect against all mobile security threats without compromising on functionality or usability. A contextual, risk-based app uses a range of indicators to identify a risk in real-time and apply the right security measure so mitigation is performed only when needed and appropriate. Their Cyber Command Centre framework manages and enforces organization-specific permissions, security protocols and device policies. Monitors risk level, threat activities and security posture per device and deploys countermeasures.

Any thoughts welcome.

ENDS.

Using Stylometry DHS have id’d Bitcoin creator Nakamoto with help from NSA PRISM & MUSCULAR programs

Allegedly using word surveillance and stylometry the effort took less than a month. Apparently using encryption and complex obfuscation methods is not a defence when the “seeker” has access to trillions of writing samples from a billion or so people across the globe.

By taking Satoshi’s texts and finding the 50 most common words, the NSA was able to break down his text into 5,000 word chunks and analyse each to find the frequency of those 50 words. This would result in a unique 50-number identifier for each chunk. The NSA then placed each of these numbers into a 50-dimensional space and flatten them into a plane using principal components analysis. The result is a ‘fingerprint’ for anything written by Satoshi that could easily be compared to any other writing.

It is worth noting that the original post is littered with comments that request more details on the source of the information that informed the post or some other such proof of the veracity of the claims being made but the author declared in response:

Many readers have asked that I provide third party citations to ‘prove’ the NSA identified Satoshi using stylometry. Unfortunately, I cannot as I haven’t read this anywhere else — hence the reason I wrote this post. I’m not trying to convince the reader of anything, instead my goal is to share the information I received and make the reader aware of the possibility that the NSA can easily determine the authorship of any email through the use of their various sources, methods, and resources.

Many readers have asked who Satoshi is and I’ve made it clear that information wasn’t shared with me. Based on my conversation I got the impression (never confirmed) that he might have been more than one person. This made me think that perhaps the Obama administration was right that Bitcoin was created by a state actor. One person commented on this post that Satoshi was actually four people. Again, I have no idea.

If it is true then “The moral of the story? You can’t hide on the internet anymore. Your sentence structure and word use is MORE unique than your own fingerprint. If an organization, like the NSA, wants to find you [sic] they will.

Full story by Alexander Muse is on Medium.

ENDS

The Holistic Z: Selective Encryption gives way to “At-Rest” & “In-Flight” Data Protection with Pervasive Encryption

IBM Z encryption moves the market from a selective encryption model to one that is pervasive. This represents a significant modification in the basic structure of computing and its effect on security will, in my opinion, have a major disruptive effect.

The overall concept is to not introduce a decision layer that says what will or will not be encrypted. Instead, it will be possible to have encryption be part of normal processing. The removal of the decision for selective encryption is a further saving in the overall cost and a reduction in the difficulty in using encryption in the current market.

The Holistic Z

The new IBM Z provides a bullet-proof platform for digital transformation, a base for strong cloud infrastructure (fortified clouds, which can be open, private, public, and hybrid), and allows back-end services to be securely exposed through secure APIs.

IBM have put security at the core of the new platform with “Pervasive Encryption as the new standardAnalytics & Machine Learning for Continuous Intelligence Across the Enterprise, and Open Enterprise Cloud to Extend, Connect and Innovate”.

The Z is arguably more powerful, more open, and more secure than any other commercial offering and makes serious moves in the rapidly evolving domains of Machine Learning, Cloud and Blockchain.

Positive Disruption with Pervasive Encryption 

But for me the focus of my interest comes back to Pervasive Encryption. The Z (“Zero Downtime“) appeals to many, on many different levels but for me it is Pervasive Encryption that piques my interest.

It is a seismic shift and legitimately makes the z14 the go-to platform for organisations who can afford their own and the Cloud platform of choice for those who cannot. The z14 mainframe has a tried-and-true architecture and excels with security features that are built into the hardware, firmware, and operating systems.

PervasiveEncryption3

True Cost & Performance Mitigation 

The largest barrier to doing full-scale encryption has been the cost of the encryption and the performance load that such activity puts on the computing platform.

Bolted-on solutions that are being deployed have caused system capacity to grow such that there are loads of up to 61% of the system load that is being consumed by security processes. This translates into significant infrastructure costs and performance drags.

Even without the newest advances the Z architecture delivered encryption (selective encryption) more efficiently and with a lower resource expenditure than other platforms.

It delivers over 8.5 times the security protection, at 93% less cost in overall expenditure, and with 81% less effort. The full impact of the faster encryption engine and the ability to encrypt information in bulk on the z14 creates a fully pervasive solution that runs more than 18.4 times faster and at only 5% of the cost of other solutions.

The Threat Landscape & GDPR Compliance 

IBM Z pervasive encryption provides the comprehensive data protection that organizations, customers, and the threat landscape demand.

Here are some stats on that threat landscape:

  1. Nearly 5.5 million records are stolen per day, 230,367 per hour and 3,839 per minute (Source:http://breachlevelindex.com/);
  2. Of the 9 Billion records breached since 2013 only 4% were encrypted (Source: http://breachlevelindex.com/);
  3. 26% is the likelihood of an organization having a data breach in the next 24 months(Source: https://www.ibm.com/security/infographics/data-breach/) ;
  4. The greatest security mistake organizations make is failing to protect their networks and data from internal threats. (Source:https://digitalguardian.com/blog/expert-guide-securing-sensitive-data-34-experts-reveal-biggest-mistakes-companies-make-data)

By placing the security controls on the data itself, the IBM solution creates an envelope of protection around the data on Z.

ENDS

Extracts, Source Material, References, & Acknowledgements to IBM Z Systems, IBM Security, IBM Systems, IBM Systems Social Program, and Solitaire Interglobal Limited.  

The Laurel & Hardy of Cybersecurity

When Turnbull and Brandis shuffle off to some home for the bewildered in a few years it is all of us that will be left with the legacy of their carry-on.

Here are some of the victories that these two beauties have presided over, and they don’t even know how it works, not even a little bit:

In an effort to drag the continent out from under the “stupid boy” stereotype, the Lowy Institute for International Policy, has just attempted to polish a turd by proposing that despite everything “Australia might be on the right encryption-cracking track” after all.

“From a cyber security perspective, as Patrick Gray has pointed out, sufficient safeguards could be placed around these ‘updates’ to ensure that they couldn’t be reverse engineered – they wouldn’t need to be a ‘backdoor,’ open to abuse. And by focusing on a device rather than a specific app, the displacement effect, so obvious in focusing government efforts on just What’s App or Telegram, would not apply.

In theory then, this model appears promising. How closely it aligns with the legislation promised by Turnbull and George Brandis last week remains to be seen. But whichever legislative model Australia pursues, its progress will be watched closely by governments across the world. And of course, by a whole host of technology and communications companies.

Recent developments suggest that underneath the techno-babble, political point scoring and counter-terrorism blame game, governments the world over are faced by a very real policy problem. Australia may prove to be the test case for a policy solution that has far reaching consequences for privacy, technological development and the future of law enforcement operations.”

Try again gents.

ENDS

Australia Is A Proxy War for the Five Eyes & Also Hogwarts

The Aussie government is pushing a Five Eyes agenda. Australia seems to have become a proxy war in the ongoing assault on privacy. They are to the Surveillance Wars what Yemen is to the Saudi-Iran ideological conflict. It is always a good idea to vary the cast but in reality they are May acolytes. A testing ground.

The amount of nonsense emanating from the encryption debate Down Under though is astonishing. If you have not been keeping up to speed with some of the recent comments down under then here is a quick recap for you:

  1. The George Brandis metadata interview;
  2. George again (36th Attorney-General for Australia) and the summary of his “over a cuppa” conversation with the GCHQ chappie on the feasibility of reading messages sent by platforms implementing end to end encryption such as WhatsApp and Signal – “Last Wednesday I met with the chief cryptographer at GCHQ … And he assured me that this was feasible.”;
  3. Malcolm Turnbull (the Prime Minister) and his alternative theory on the exceptional laws that govern Australian reality “Well, the laws of Australia prevail in Australia, I can assure you of that. The laws of mathematics are very commendable but the only laws that applies in Australia is the law of Australia”;
  4. And a much more eloquent articulation by Troy Hunt of the whole phenomenon “Firstly, a quick apology from Australia: we’re sorry. Look, our Prime Minister and Attorney General didn’t try to launch us onto the World Encryption Comedy Stage but unfortunately, here we are.

In an effort to find something of the same equivalence on the stupidity index as 1-3 above I chose to google “Harry Potter and places where the laws of mathematics do not apply, excluding Australia and Hogwarts”.

One of the things that I found in the search results was the perfectly reasonably comment by a HP fan on a Reddit forum that “Gamp’s Laws of Transfiguration and the Fundamental Laws of Magic spring to mind, they’re pretty much what you can and can’t do with magic. They’re a lot like Newton’s Laws in that they both deal with nature.

This guy really meant it and so did the other guys he was chatting with. They all really, really believed or rather really, really wanted to believe that it was all real and true and factual.

Just like Brandis and Turnbull believe.

Totally lost in a universe of their own creation where mathematics and people work differently.

And then I found a scholarly dissertation by Shevaun Donelli O’Connell of Indiana University of Pennsylvania titled “Harry Potter and the Order of the Metatext: A Study of Nonfiction Fan Compositions and Disciplinary Writing

” which said on P.24 that “I already knew that Harry Potter was an important part of my relationships with my family and friends, but increasingly I realized that Harry Potter metaphors and analogies were working their way into my thinking and teaching about writing.“.

And there it was. The struggle is real. It seems many, many people are having trouble distinguishing fantasy from reality.

Christ help us when VRSNs arrive on the scene.

ENDS

Data Is The New Perimeter in Emerging Age of Corporate-Espionage-as-a-Service

Last Tuesday, July 11 2017 I was pleased to listen to Mike Desens, Vice President, IBM Z and LinuxONE Offering Management, IBM Systems as he took myself and some colleagues through a preview and introduction of the z14 prior to the July 17 announcements *.

The overriding theme of the briefing was that IBM view the z14 as “Designed for Trusted Digital Experiences”. The last twenty four months in particular have seen data breaches that have seriously eroded public confidence in erstwhile trusted institutions and organizations.

There have been hacks that have embarrassed nations, and led to real fears about the risk that insecure data poses to our energy and commercial infrastructures not to mention the veracity of election results but I am not going there.

Shadow Brokers dumps and WikiLeaks releases of alphabet agency backdoors and toolkits have given cyber criminals (even the opportunists), and terrorist outfits almost nuclear-grade hacking capability when compared to 2014.

IBM are hoping that these real fears, but more particularly their real solution, will be the key driver in convincing customers to adopt the new platform.

Been There, Done That

I have seen this before (IBM pinning their hopes of making the mainframe cool by leveraging an unexpected turn of events). I worked on the deep end of the ADSTAR Distributed Storage Manager (ADSM) ESP’s in the early 90’s (renamed Tivoli Storage Manager in 1999).

Back then entire banks ran on less DASD than your kid’s pot burner phone does right now (and that included all the IMS, CICS, and DB2 data). IBM pinned some of their hopes on maintaining their lucrative storage market share on ADSM in the face of EMC inroads. “Disk mirroring” however by EMC was the final blow when EMC turned an engineering weakness into a strength. It cost outsider Ed Zschau, ADSTAR Chairman and CEO, his job in 1995.

IBM had made a very valid argument for ADSM adoption. All that data on the newly acquired (mostly by accident and without permission by rogue business units – especially the capital markets mavericks), rapidly expanding, and poorly managed (in terms of Disaster Recover and Business Continuity at the very least) AS/400, Tandem, and NT infrastructure was best managed on the mainframe storage farm.

This also included using those new-fangled robotic tape libraries on Level 2 (which even appeared in a few movies with perspex exterior, the StorageTek one though, not the IBM Magstar 3494 Tape Library).

It didn’t work though. Mainly because the network couldn’t handle the volumes, and record level backup was never going to work to help reduce the bandwidth requirements to fit the overnight backup windows what with the quagmire of proprietary databases that had sprung up.

GDPR Unwittingly Making the Market for “Corporate-Espionage-As-A-Service”

But I digress so I will briefly digress again to another but equally valid potential driver for z adoption. And that is GDPR. Soon GDPR regulators will be gleefully fining corporates who fail to adequately protect their data the higher of EUR€20M or 4% of annual turnover, for each breach. That’s an instant laxative right there for the entire C-Suite.

But what the proposed GDPR penalty system also makes me wonder is how much of a market maker it is (unwittingly) for Corporate-Espionage-As-A-Service (CEAAS) and Industrial-Espionage-As-A-Service (IEAAS).

Back On Message – Pervasive Encryption

Consequently, IBM have put security at the core of the new platform with “Pervasive Encryption as the new standardAnalytics & Machine Learning for Continuous Intelligence Across the Enterprise, and Open Enterprise Cloud to Extend, Connect and Innovate”.

Here are some stats to keep your CISO awake:

  1. Nearly 5.5 million records are stolen per day, 230,367 per hour and 3,839 per minute (Source:http://breachlevelindex.com/);
  2. Of the 9 Billion records breached since 2013 only 4% were encrypted (Source: http://breachlevelindex.com/);
  3. 26% is the likelihood of an organization having a data breach in the next 24 months(Source: https://www.ibm.com/security/infographics/data-breach/) ;
  4. The greatest security mistake organizations make is failing to protect their networks and data from internal threats. (Source: https://digitalguardian.com/blog/expert-guide-securing-sensitive-data-34-experts-reveal-biggest-mistakes-companies-make-data)

The Z is arguably more powerful, more open and more secure than any commercial system on the planet and the box makes serious moves in the rapidly evolving domains of Machine Learning, Cloud and Blockchain. But again and again the focus comes back to Pervasive Encryption and that is the potential seismic shift that just might make the Z the go-to platform for organisations who can afford their own and the Cloud platform of choice for those who cannot.

Pervasive Encryption Is The New Standard

Back in the day as an MVS370 systems programmer I stressed about downtimes, availability stats, and the SLAs with business units. If I am being honest though I mostly stressed about the long holiday weekends spent in subterranean data centers upgrading ESP code or patching or migrating new releases from TEST to PROD LPARS or doing S390 disk mirrors.

Therefore when I first heard of the this bold new “encrypt it all” call to arms I wondered what the price for this would be in terms of the social lives and general marital stability of SPs globally.

However I am assured that the encryption “migration” involves no application changes, no impact to SLA’s, and that all of this application and database data can be encrypted without interrupting business applications and operations.

What’s Under the Hood

This section of the briefing was prefaced with the statement that the Z will deliver “unrivalled performance for secure workloads.” I have another post in the works with the tech spec dets on the encryption under the hood but for now here’s the 60k foot view:

“Industry exclusive protected key encryption, enabled through integration with a tamper- responding cryptographic HSM. All in-flight network data and API’s, true end-to-end data protection. 4x increase in silicon area allocated to cryptographic operations. 4 – 7x faster encryption of data with enhanced cryptographic performance. 18x fasterencryption than competition at 1/20th the cost to implement. 2x performance boost on Crypto Express6S. Securing the cloud by encrypting APIs 2-3x faster than x86 systems. Linux exploits Protected Key encryption for data at-rest.”

More later.

* From an article originally published on July 18 2017 on my Peerlyst blog

ENDS