Tag Archives: Infosec

Top Cybersecurity Threats in Sport (2025)

On October 10th, 2017 at a panel discussion about “Cybersecurity of the Olympic Games” at the University Club, California Memorial Stadium – Missy Franklin, (five-time Olympic medalist) said “We constantly get new technology thrown at us. It’s crazy, but that’s where sports are going.”

Extract:Digital technologies pose an increasingly diverse set of threats to Olympic events, and the newer forms of threat are likely to have more serious consequences. While most hacks today focus on sports stadium IT systems and ticket operations, future risks will include hacks that cut to the integrity of the sporting event results, as well as to core stadiums operations.”

The study The Cybersecurity of Olympic Sports: New Opportunities, New Risks identifies eight key areas of risk for future sporting events:

  1. Stadium system hacks
  2. Scoring system hacks
  3. Photo and video replay hacks
  4. Athlete care hacks
  5. Entry manipulation
  6. Transportation hacks
  7. Hacks to facilitate terrorism or kidnapping
  8. Panic-inducing hacks

Key Olympic sports technology trends that represent several vectors of additional risk:

  1. Gymnastics
    1. Artificial intelligence in scoring
    2. Possible Surprises: Embedded tracking in gymnastics equipment
  2. Swimming
    1. Automated start/finish technology
    2. Possible Surprises: Biometrics in swimsuits
  3. Rowing
    1. Drones above race
    2. GPS tracking of boats
    3. Possible Surprises: Virtual reality real-time viewing
  4. Track & Field
    1. Automatic field event measurement
    2. Possible Surprises: 3D images for track finishes

Selected known cybersecurity incidents from the last three summer Olympic Games include:

BEIJING:

  1. Ticket scamming
  2. DDoS and related attacks against IT infrastructure

LONDON OLYMPICS:

  1. Ticket scamming
  2. DDoS and related attacks against IT infrastructure
  3. False alarm threat to the electrical grid

RIO OLYMPICS:

  1. Ticket scamming
  2. DDoS and related attacks against IT infrastructure
  3. Athlete data hack

END

The Holistic Z: Selective Encryption gives way to “At-Rest” & “In-Flight” Data Protection with Pervasive Encryption

IBM Z encryption moves the market from a selective encryption model to one that is pervasive. This represents a significant modification in the basic structure of computing and its effect on security will, in my opinion, have a major disruptive effect.

The overall concept is to not introduce a decision layer that says what will or will not be encrypted. Instead, it will be possible to have encryption be part of normal processing. The removal of the decision for selective encryption is a further saving in the overall cost and a reduction in the difficulty in using encryption in the current market.

The Holistic Z

The new IBM Z provides a bullet-proof platform for digital transformation, a base for strong cloud infrastructure (fortified clouds, which can be open, private, public, and hybrid), and allows back-end services to be securely exposed through secure APIs.

IBM have put security at the core of the new platform with “Pervasive Encryption as the new standardAnalytics & Machine Learning for Continuous Intelligence Across the Enterprise, and Open Enterprise Cloud to Extend, Connect and Innovate”.

The Z is arguably more powerful, more open, and more secure than any other commercial offering and makes serious moves in the rapidly evolving domains of Machine Learning, Cloud and Blockchain.

Positive Disruption with Pervasive Encryption 

But for me the focus of my interest comes back to Pervasive Encryption. The Z (“Zero Downtime“) appeals to many, on many different levels but for me it is Pervasive Encryption that piques my interest.

It is a seismic shift and legitimately makes the z14 the go-to platform for organisations who can afford their own and the Cloud platform of choice for those who cannot. The z14 mainframe has a tried-and-true architecture and excels with security features that are built into the hardware, firmware, and operating systems.

PervasiveEncryption3

True Cost & Performance Mitigation 

The largest barrier to doing full-scale encryption has been the cost of the encryption and the performance load that such activity puts on the computing platform.

Bolted-on solutions that are being deployed have caused system capacity to grow such that there are loads of up to 61% of the system load that is being consumed by security processes. This translates into significant infrastructure costs and performance drags.

Even without the newest advances the Z architecture delivered encryption (selective encryption) more efficiently and with a lower resource expenditure than other platforms.

It delivers over 8.5 times the security protection, at 93% less cost in overall expenditure, and with 81% less effort. The full impact of the faster encryption engine and the ability to encrypt information in bulk on the z14 creates a fully pervasive solution that runs more than 18.4 times faster and at only 5% of the cost of other solutions.

The Threat Landscape & GDPR Compliance 

IBM Z pervasive encryption provides the comprehensive data protection that organizations, customers, and the threat landscape demand.

Here are some stats on that threat landscape:

  1. Nearly 5.5 million records are stolen per day, 230,367 per hour and 3,839 per minute (Source:http://breachlevelindex.com/);
  2. Of the 9 Billion records breached since 2013 only 4% were encrypted (Source: http://breachlevelindex.com/);
  3. 26% is the likelihood of an organization having a data breach in the next 24 months(Source: https://www.ibm.com/security/infographics/data-breach/) ;
  4. The greatest security mistake organizations make is failing to protect their networks and data from internal threats. (Source:https://digitalguardian.com/blog/expert-guide-securing-sensitive-data-34-experts-reveal-biggest-mistakes-companies-make-data)

By placing the security controls on the data itself, the IBM solution creates an envelope of protection around the data on Z.

ENDS

Extracts, Source Material, References, & Acknowledgements to IBM Z Systems, IBM Security, IBM Systems, IBM Systems Social Program, and Solitaire Interglobal Limited.  

Cynic Modelling for Legacy Energy Infrastructure

A brief synopsis of my findings in “Legacy Energy Infrastructure Attack Surface Assessment, Threat Count, & Risk Profile” using my “cynic modeller”:

  1. Adversaries who are attracted to the contained assets: Everyone (hobbyists, criminals, state actors, your gran)
  2. Attack surface: As far as the eye can see
  3. Attackers who are capable of acquiring the assets starting from the attack surface: Lots
  4. Therefore the attacker population size is: Computer literate population of earth
  5. Threat count: Np-Complete;
  6. Emerging threats: IIoT and non-cybersec savvy devops rushing intodigital transformation projects
  7. Risk level: Orbital
  8. Impact of realized threat: Expansive (yes, expansive not expensive, but that too)

Assessment: Buy gas lamps, work on your natural night vision, learn to skin rabbits, move far far away from nuclear reactors, buy shares in candle companies.

ENDS

Boiling Privacy Frogs

I really wish that I understood more about psychology and the human condition. The behaviour that puzzles me over and over again and for which I have no explanation is our ability to observe something happening that is detrimental to us in every way and yet do nothing.

It is the “Boiling Frog Phenomenon” which was allegedly a 19th century science experiment where a frog was placed in a pan of boiling water, the frog quickly jumped out. However, when the frog was put in cold water and the water slowly boiled over time, the frog did not perceive the danger and just boiled to death. The hypothesis being that the change in temperature was so gradual that the frog did not realize it was boiling to death.

To demonstrate the same effect in terms of the privacy, surveillance, unwarranted government intrusion debate just trace the evolving public attitude to the J. Edgar Hoover’s Subversive Files, COINTELPRO, The Iraq WMD Lie, Snowden & PRISM, and WikiLeaks Vault 7.

I have come to the conclusion that in relation to our right to privacy that we are all frogs in tepid water, the temperature of which is starting to rise rapidly, and we have no intention of jumping out.

ENDS

People That Like To Throw Grenades Into Your Privacy

For good or for bad I have a tattoo that reads “Fidarsi è bene non fidarsi è meglio” which literally translated is “To trust is good but to not trust is better.” or colloquially “Better safe than sorry”. At least that’s what Google translate told me. I have to trust it. But Veritas Language Solutions have previously reported on the perils of foreign language tats. Like the man who wanted the Chinese symbols for “Live and let live” on his arm but ended up with the Mandarin for “Sweet and Sour Chicken”. I like sweet and sour chicken.

Your “Mass Surveillance” Reality 

In case you have forgotten the reality of the world that you live in right now (in terms of your Privacy), here is a reminder, before it gets exponentially worse:

“The attitude of these politicians (Trump, May, Valls & Co.) and their intelligence organisations and the new “laws” – in the form of the revised Patriot Act and the Investigatory Powers Act – means that’s the vast majority of the worlds English speaking population now live under governments who can – legally – invade their privacy at will – whether at home, at work or at leisure – store the information and use it for any purpose, at any time, at any point in the future – for any reason.”

But that is not good enough. Now they want all of your encrypted data too. Just in case.

Pop Quiz

With that as a backdrop here is a pop quiz and my answers to same (Note: I am a paranoid git, and grumpy):

  1. Do I trust Theresa May? – No;
  2. Do I trust Malcolm Turnbull – No;
  3. Do I trust Donald Trump – F**k No;
  4. Do I trust the Five Eyes Intelligence Alliance – No;
  5. Do I trust the Nine Eyes, the Fourteen Eyes, NSA, GCHQ, MI6, ASD, GCSB, CIA, or CSEC – No;
  6. Do I trust the government of the country of my birth or their national security credentials – No;
  7. Do I think that politicians are concerned with striking an appropriate balance between the right to privacy, freedom of speech, and the preservation of civil liberties with the need to maintain the rule of law – No;
  8. Do I trust any bugger who asks me to trust them with the infinite power to snoop on my personal, professional, online, offline, awake, asleep life – Eh, No.

Do you?

ENDS

Data Is The New Perimeter in Emerging Age of Corporate-Espionage-as-a-Service

Last Tuesday, July 11 2017 I was pleased to listen to Mike Desens, Vice President, IBM Z and LinuxONE Offering Management, IBM Systems as he took myself and some colleagues through a preview and introduction of the z14 prior to the July 17 announcements *.

The overriding theme of the briefing was that IBM view the z14 as “Designed for Trusted Digital Experiences”. The last twenty four months in particular have seen data breaches that have seriously eroded public confidence in erstwhile trusted institutions and organizations.

There have been hacks that have embarrassed nations, and led to real fears about the risk that insecure data poses to our energy and commercial infrastructures not to mention the veracity of election results but I am not going there.

Shadow Brokers dumps and WikiLeaks releases of alphabet agency backdoors and toolkits have given cyber criminals (even the opportunists), and terrorist outfits almost nuclear-grade hacking capability when compared to 2014.

IBM are hoping that these real fears, but more particularly their real solution, will be the key driver in convincing customers to adopt the new platform.

Been There, Done That

I have seen this before (IBM pinning their hopes of making the mainframe cool by leveraging an unexpected turn of events). I worked on the deep end of the ADSTAR Distributed Storage Manager (ADSM) ESP’s in the early 90’s (renamed Tivoli Storage Manager in 1999).

Back then entire banks ran on less DASD than your kid’s pot burner phone does right now (and that included all the IMS, CICS, and DB2 data). IBM pinned some of their hopes on maintaining their lucrative storage market share on ADSM in the face of EMC inroads. “Disk mirroring” however by EMC was the final blow when EMC turned an engineering weakness into a strength. It cost outsider Ed Zschau, ADSTAR Chairman and CEO, his job in 1995.

IBM had made a very valid argument for ADSM adoption. All that data on the newly acquired (mostly by accident and without permission by rogue business units – especially the capital markets mavericks), rapidly expanding, and poorly managed (in terms of Disaster Recover and Business Continuity at the very least) AS/400, Tandem, and NT infrastructure was best managed on the mainframe storage farm.

This also included using those new-fangled robotic tape libraries on Level 2 (which even appeared in a few movies with perspex exterior, the StorageTek one though, not the IBM Magstar 3494 Tape Library).

It didn’t work though. Mainly because the network couldn’t handle the volumes, and record level backup was never going to work to help reduce the bandwidth requirements to fit the overnight backup windows what with the quagmire of proprietary databases that had sprung up.

GDPR Unwittingly Making the Market for “Corporate-Espionage-As-A-Service”

But I digress so I will briefly digress again to another but equally valid potential driver for z adoption. And that is GDPR. Soon GDPR regulators will be gleefully fining corporates who fail to adequately protect their data the higher of EUR€20M or 4% of annual turnover, for each breach. That’s an instant laxative right there for the entire C-Suite.

But what the proposed GDPR penalty system also makes me wonder is how much of a market maker it is (unwittingly) for Corporate-Espionage-As-A-Service (CEAAS) and Industrial-Espionage-As-A-Service (IEAAS).

Back On Message – Pervasive Encryption

Consequently, IBM have put security at the core of the new platform with “Pervasive Encryption as the new standardAnalytics & Machine Learning for Continuous Intelligence Across the Enterprise, and Open Enterprise Cloud to Extend, Connect and Innovate”.

Here are some stats to keep your CISO awake:

  1. Nearly 5.5 million records are stolen per day, 230,367 per hour and 3,839 per minute (Source:http://breachlevelindex.com/);
  2. Of the 9 Billion records breached since 2013 only 4% were encrypted (Source: http://breachlevelindex.com/);
  3. 26% is the likelihood of an organization having a data breach in the next 24 months(Source: https://www.ibm.com/security/infographics/data-breach/) ;
  4. The greatest security mistake organizations make is failing to protect their networks and data from internal threats. (Source: https://digitalguardian.com/blog/expert-guide-securing-sensitive-data-34-experts-reveal-biggest-mistakes-companies-make-data)

The Z is arguably more powerful, more open and more secure than any commercial system on the planet and the box makes serious moves in the rapidly evolving domains of Machine Learning, Cloud and Blockchain. But again and again the focus comes back to Pervasive Encryption and that is the potential seismic shift that just might make the Z the go-to platform for organisations who can afford their own and the Cloud platform of choice for those who cannot.

Pervasive Encryption Is The New Standard

Back in the day as an MVS370 systems programmer I stressed about downtimes, availability stats, and the SLAs with business units. If I am being honest though I mostly stressed about the long holiday weekends spent in subterranean data centers upgrading ESP code or patching or migrating new releases from TEST to PROD LPARS or doing S390 disk mirrors.

Therefore when I first heard of the this bold new “encrypt it all” call to arms I wondered what the price for this would be in terms of the social lives and general marital stability of SPs globally.

However I am assured that the encryption “migration” involves no application changes, no impact to SLA’s, and that all of this application and database data can be encrypted without interrupting business applications and operations.

What’s Under the Hood

This section of the briefing was prefaced with the statement that the Z will deliver “unrivalled performance for secure workloads.” I have another post in the works with the tech spec dets on the encryption under the hood but for now here’s the 60k foot view:

“Industry exclusive protected key encryption, enabled through integration with a tamper- responding cryptographic HSM. All in-flight network data and API’s, true end-to-end data protection. 4x increase in silicon area allocated to cryptographic operations. 4 – 7x faster encryption of data with enhanced cryptographic performance. 18x fasterencryption than competition at 1/20th the cost to implement. 2x performance boost on Crypto Express6S. Securing the cloud by encrypting APIs 2-3x faster than x86 systems. Linux exploits Protected Key encryption for data at-rest.”

More later.

* From an article originally published on July 18 2017 on my Peerlyst blog

ENDS

IBM Mainframe Ushers in New Era of Data Protection with Pervasive Encryption

Main take-outs in IBM Z Systems announcement:

  1. Pervasively encrypts data, all the time at any scale;
  2. Addresses global data breach epidemic;
  3. Helps automate compliance for EU General Data Protection Regulation, Federal Reserve and other emerging regulations;
  4. Encrypts data 18x faster than compared x86 platforms, at 5 percent of the cost (Source: “Pervasive Encryption: A New Paradigm for Protection,” K. R. E. Lind, Chief Systems Engineer, Solitaire Interglobal Ltd., June 30, 2017);
  5. Announces six IBM Cloud Blockchain data centers with IBM Z as encryption engine;
  6. Delivers groundbreaking Container Pricing for new solutions, such as instant payments.

The new data encryption capabilities are designed to address the global epidemic of data breaches, a major factor in the $8 trillion cybercrime impact on the global economy by 2022. Of the more than nine billion data records lost or stolen since 2013, only four percent were encrypted, making the vast majority of such data vulnerable to organized cybercrime rings, state actors and employees misusing access to sensitive information.

In the most significant re-positioning of mainframe technology in more than a decade, when the platform embraced Linux and open source software, IBM Z now dramatically expands the protective cryptographic umbrella of the world’s most advanced encryption technology and key protection. The system’s advanced cryptographic capability now extends across any data, networks, external devices or entire applications – such as the IBM Cloud Blockchain service – with no application changes and no impact on business service level agreements.

“The vast majority of stolen or leaked data today is in the open and easy to use because encryption has been very difficult and expensive to do at scale,” said Ross Mauri, General Manager, IBM Z. “We created a data protection engine for the cloud era to have a significant and immediate impact on global data security.”

ENDS

* From an article originally published on July 17 2017 on my Peerlyst blog