BIG DATA: A REVOLUTION THAT WILL TRANSFORM HOW WE LIVE, WORK, AND THINK

June 12, 2013

POSTED ON APRIL 23, 2013 BY SANDER DUIVESTEIN

“BIG DATA: A Revolution That Will Transform How We Live, Work, and Think is a revelatory exploration of the hottest trend in technology and the dramatic impact it will have on the economy, science, and society at large. Which paint color is most likely to tell you that a used car is in good shape? How can Con Edison catch the most dangerous New York City manholes before they explode? And how did YOU (well, Google) predict the spread of the H1N1 flu outbreak? The key to answering these questions, and many more, is big data, our newfound ability to crunch vast collections of information, analyze it instantly, and draw sometimes profoundly surprising conclusions from it. This emerging science can translate myriad phenomena—from the price of airline tickets to the text of millions of books—into searchable form, and uses our newfound computing power to unearth revelations that we never could have seen before.

A revolution on par with the Internet or perhaps even the printing press, big data will change the way we think about business, health, politics, education, and innovation in the years to come. It also poses fresh threats, especially the prospect of being penalized for things we haven’t even done yet, based on big data’s ability to predict our future behavior.”

Fantastic presentation……

Thanks to 
http://vint.sogeti.com/?p=7165


The Dangers of Shared Links

June 12, 2013

Posted on June 11, 2013 by Rob Sobers


Many web applications give users the ability to share private information with unauthenticated users via obscure, publicly accessible URLs.  These URLs, often called “external links” or “shared links,” are a convenient way to collaborate with people without giving them a username and password.

But how in the world is it secure if the URLs are publicly accessible?

By generating a URL that isn’t hyperlinked, isn’t crawlable by search engines, and isn’t guessable by humans or computers (more on this later), you can be somewhat confident that only the people that have the shared link can access your data.  It’s a form of security through obscurity.

You’ve probably come across the option to create shared links in many of your favorite apps like Evernote, Dropbox, Trello, Github, etc.

I really like the way Google Docs describes its shared link feature:

Google Drive Sharing Settings Dialog

Many applications aren’t nearly as clear as Google is in explaining to the end-user what it is they’re doing by creating and distributing a shared link.

Sounds great!  What could possibly go wrong?

There are a few critical factors that are essential to the security of shared links and the data they point to.  The first is probably fairly obvious: we have to trust that the person we’re sharing with doesn’t expose the link to someone else, intentionally or otherwise.  The second, which I mentioned earlier, is that the URL is so obscure that it is not guessable by a human or machine.

What exactly do we mean by obscure and not guessable?  Much like we’re encouraged to have strong passwords, shared links need to be strong, too.  We have to prevent someone from writing a script that attempts to access random web application URLs, hoping to find something valuable.

Enter: the GUID.

GUID stands for globally unique identifier.  A GUID is a 128-bit value, usually generated randomly and written as a hexadecimal string that looks like this: 3F2504E0-4F89-11D3-9A0C-0305E82C3301.  The idea is that the space of possible GUIDs is so enormous that it is highly unlikely for two people to pick the same one.

How unlikely is it for someone to guess your shared link if it contains a random GUID?  Put it this way: if you generate 1 billion GUIDs per second it would take you 36 years to produce a collision.

If your favorite web app created shared links that look like this, you’re in pretty good hands:



So everyone uses GUIDs, right?

Eh, no such luck.  There are some web apps that by default generate shared links that are simple and easy to guess (e.g., http://company.example.com/person/1234).  I won’t name names.  Needless to say, this is an awful practice and should be avoided.

However, a much less awful, but still dangerous, practice is to let users customize shared links.  This is a feature that Box has and, recently, one of their users shot themselves in the foot by changing the default, unpredictable shared link for a sensitive document to something extremely easy to guess.

Box’s email response aimed at educating its customers was really well done:

The user was unaware of the implications of choosing the open access setting – meaning that anyone with the link was able to access it, anywhere on the internet. Custom links are easier for people to find than the random 20-character strings Box creates automatically for shared links, so it’s important to be aware of this potential risk and educate your users on when to keep access levels open or choose a different option like for collaborators only or for people within your company.

Amazon S3 also lets users name their own public buckets and, as Rapid7’s research has shown, not only will people use guessable names in their bucket URLs, they’ll also put loads of sensitive content there (hello, passwords.txt!) expecting it to be undiscoverable.

What are some other risks or concerns?

Robots.txt

Another misconfiguration that could expose shared links is on the application provider side.  If the provider misconfigures their robots.txt file, which instructs search engines which paths not to crawl, and one of its internal application pages is inadvertently crawled by Google, you could see private information show up in public search results.

SSL Encryption

If the web app you’re using doesn’t use HTTPS for all requests, someone could sniff shared links off public Wi-Fi connections at Starbucks using something like Firesheep.  Although, if the app doesn’t use HTTPS they could just steal your cookie and gain access to everything in the app, not just the stuff obtainable through shared links.


Access Auditing

Many cloud apps don’t give you an audit trail that shows you a history of who is accessing your shared links.  This means that someone could be accessing your shared links without you even knowing about it.  How do you know for certain that people haven’t discovered your shared URLs and are accessing your data regularly?  Worryingly, you don’t.

Content Classification

Where is my sensitive data anyway?  One of the things Box advised in its educational email was that users might want to disable public access for particularly sensitive data.  But the fact is, with gigabytes or terabytes of data, most organizations have no idea what’s sensitive.  Only if you know where your sensitive data is located can you take the extra steps to protect it.

Will cloud providers like Box and Amazon ever scan and classify content for you?  I’m not sure, but it might be difficult given that they probably shouldn’t be looking at the contents of data that doesn’t belong to them (and might not even belong to you).

Link Destruction

What happens when someone leaves your company?  Or maybe you just don’t want to share data with someone anymore.  If they had full access to your system, you’d probably disable their username and password, but what if they make off with a few dozen shared links?  Does your app have a way to expire or destroy these links so that they’re no longer valid?
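The controls this post asks for (unguessable tokens, an access trail, expiry and revocation, and spotting someone walking sequential IDs) fit in one small service. This is an added example, not the post's or any vendor's code; the 128-bit token size, the 1e9 guesses-per-second rate, the file name, the requester names and the scanning client are constructed assumptions.

```python
import secrets
import time
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed parameters (not from the post): 128-bit tokens, the same space as a GUID.
TOKEN_BYTES = 16
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def seconds_to_enumerate(space_size: int, guesses_per_second: float) -> float:
    """Worst-case time to walk an entire identifier space at a given guess rate."""
    return space_size / guesses_per_second


@dataclass
class SharedLink:
    resource: str
    token: str
    expires_at: Optional[float] = None          # None means the link never expires
    revoked: bool = False
    accesses: List[Tuple[float, str]] = field(default_factory=list)  # (time, requester)


class ShareStore:
    """Shared links with strong tokens, expiry, revocation and an access trail."""

    def __init__(self) -> None:
        self._links: Dict[str, SharedLink] = {}
        self._failed: Counter = Counter()  # requester -> lookups of unknown tokens

    def create(self, resource: str, ttl_seconds: Optional[float] = None,
               now: Optional[float] = None) -> SharedLink:
        now = time.time() if now is None else now
        # secrets is a CSPRNG; random.random() would let later tokens be
        # predicted from earlier ones.
        token = secrets.token_urlsafe(TOKEN_BYTES)
        expires_at = None if ttl_seconds is None else now + ttl_seconds
        link = SharedLink(resource, token, expires_at)
        self._links[token] = link
        return link

    def resolve(self, token: str, requester: str,
                now: Optional[float] = None) -> Optional[str]:
        """Return the resource behind a token, or None. Every attempt is
        recorded so the owner can answer "who has been opening my links?"."""
        now = time.time() if now is None else now
        link = self._links.get(token)
        if link is None:
            self._failed[requester] += 1  # unknown token: possible enumeration
            return None
        link.accesses.append((now, requester))
        if link.revoked or (link.expires_at is not None and now >= link.expires_at):
            return None
        return link.resource

    def revoke(self, token: str) -> bool:
        """Destroy a link that has leaked or belongs to someone who has left."""
        link = self._links.get(token)
        if link is None:
            return False
        link.revoked = True
        return True

    def suspected_scanners(self, threshold: int) -> List[str]:
        """Requesters whose unknown-token lookups reached the threshold."""
        return sorted(r for r, n in self._failed.items() if n >= threshold)


def demo() -> dict:
    """Run a constructed scenario and return the observations worth checking."""
    store = ShareStore()
    # A link to a constructed file, issued at t=1000 and valid for one hour.
    link = store.create("q2-payroll.xlsx", ttl_seconds=3600, now=1000)
    results = {
        "token_len": len(link.token),                             # 22 url-safe chars
        "ok": store.resolve(link.token, "alice", now=1500),      # inside the hour
        "expired": store.resolve(link.token, "alice", now=5000),  # past expiry
    }
    # A constructed client walking person/1 ... person/50 shows up as failures.
    for i in range(1, 51):
        store.resolve(f"person/{i}", "203.0.113.7", now=1600)
    results["scanners"] = store.suspected_scanners(threshold=20)
    results["access_log_entries"] = len(link.accesses)
    # Time to enumerate a 4-digit sequential id vs a 128-bit token at 1e9 guesses/s.
    results["sequential_seconds"] = seconds_to_enumerate(10**4, 1e9)
    results["guid_years"] = seconds_to_enumerate(2**128, 1e9) / SECONDS_PER_YEAR
    store.revoke(link.token)
    results["after_revoke"] = store.resolve(link.token, "alice", now=1700)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```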

Final Thoughts

Shared links are awesome.  I can quickly share data with only the people I want to share with and I don’t have to clutter my user directory.  But, while security through obscurity is better than nothing, it’s certainly not great protection.  Couple that with the likelihood of user or admin misconfiguration through lack of understanding and poor user interfaces and, as we’ve seen with Box and Amazon, risk is high, so proceed with caution.

(Note: In DatAnywhere admins can easily search, sort, and deactivate any shared link.  We also give the ability to have shared links automatically expire after a certain date.  Further, we provide one-time-use pin-coded links which can only be accessed by the owner of the email account you’ve sent the shared link to.)

Photo credits (cc): http://www.flickr.com/photos/gozalewis/ and http://www.flickr.com/photos/texese/


Quantifying Movie Magic with Google Search

June 7, 2013

Search has become a go-to source of information for moviegoers. Understand how Google search and paid click patterns can predict box office, and what digital engagement can tell us about the moviegoer decision-making process. By examining the timing and category of Google searches and paid clicks, we identify several factors that signal how a movie will perform at the box office.

Thanks to Google.


77% of Mobile Searches Happen at Home or Work [Study]

June 5, 2013

March 19, 2013

Google and Nielsen recently teamed to understand when and why people turn to mobile search, and the actions they take as a result.

For its “Mobile Search Moments” report, Google and Nielsen asked 426 consumers to log their mobile searches over two weeks in a diary smartphone app, followed up each mobile search with an email asking for the results of that search, and then conducted an exit survey at the end of the study.

77% of Mobile Searches Were Conducted From Home or Work

Mobile devices may be replacing desktops as the preferred search tool: 77 percent of mobile searches taking place during the study period took place at home or at work. Respondents seemed to find it easier to pick up the phone for a search than to sit down at a desktop or even fire up a tablet.

Nevertheless, 59 percent of mobile searches occurred after 3 p.m., with 22 percent taking place from 8 p.m. to midnight, when people are more likely to be at home or on the go.


55% of Mobile Search Conversions Happen Within 1 Hour

Searchers were 55 percent more likely to notice ads while in a store, and they found them useful. Anecdotally, people in the study noticed that ads loaded faster than search results and provided relevant information.

Although the context for mobile searches was not usually when people were out shopping or looking for businesses, three out of four mobile searches did trigger additional actions:

  • Additional research (36 percent).
  • A website visit (25 percent).
  • A store visit (17 percent).
  • A purchase (17 percent).
  • A phone call (7 percent).

Marketers have limited time to capitalize on mobile searches, according to Google and Nielsen: 55 percent of conversions, and 63 percent of all follow-up actions (including conducting more research or sharing information from a search), happen within one hour.

The next window of opportunity for marketers is within five hours, the study found. Within that period, 81 percent of conversions and 84 percent of all follow-up actions take place.

Forty-five percent of mobile searches were conducted to help make a decision, and that proportion rose to two-thirds when people were in a store. Not surprisingly, shopping searches were twice as likely to be done in-store, according to Google and Nielsen.

B2B Mobile Search Grows 143%

Meanwhile, mobile searches are rising in the B2B sector, according to a separate study from BizBuySell.com, an online business-for-sale marketplace. Prospective buyers are increasingly browsing for-sale opportunities via mobile devices, the report found.

Unique mobile visits to the site increased 143 percent year-over-year, now accounting for 28 percent of total unique visitors. While tablet traffic grew 155 percent in that time period, smartphone traffic still accounts for more than half of all mobile unique visitors.

This article was originally published on ClickZ.


5 Lessons on the Future of Video from Mary Meeker

June 3, 2013

This blog was originally published by ZoomTilt (www.zoomtilt.com)

Kleiner Perkins Caufield & Byers’ rockstar, internet-trend-watching analyst Mary Meeker has just released the 2013 edition of her annual internet trends report at the Wall Street Journal’s D11: All Things Digital Conference.

And while Meeker focuses the bulk of the report’s attention on sound, mobile and wearable tech, the 2013 Internet Trends Report also gives a big nod to the importance and evolving presence of video in the digital landscape. So without further ado, here are 5 key lessons on the future of video courtesy of Mary Meeker (with some analytical interpretation via ZoomTilt).

Lesson #1: Mobile isn’t just a “second screen”

We are moving beyond an era where your smart phone is just the thing you use to Tweet during TV commercial breaks. The majority of mobile device use occurs somewhat counter-intuitively within people’s homes, the average phone user checks social media on their phone nine times per day, and mobile as a share of total internet traffic is showing exponential (not linear) growth.

Mobile Internet Growth

Lesson for the video community: If you work with digital video content, expect your content to be consumed (and hopefully shared) via mobile. Whether it’s a Twitter Vine or longer-form content, mobile is not just a second screen – in many cases it is a primary screen, so make sure (1) your content is discoverable on mobile and (2) anticipate the viewing experience on a small screen (potentially with poor audio and a time-constrained viewer). See also ReelSEO’s great article on 5 ways to optimize your video for mobile viewing.

Lesson #2: YouTube is a social network (and a big one, at that)

In addition to being a subsegment of the world’s largest search engine, YouTube is also the world’s second largest social network. YouTube is also demonstrating user growth at rates much higher than Facebook, Twitter, LinkedIn or Google+.

YouTube is a social network

Lesson for the video community: try actually being social both within and outside of YouTube. On YouTube: be active in the comments feed, comment on other videos you like and respond to comments and messages about your own videos. Outside of YouTube: network and collaborate with other creators to formulate great original content, help get your work more exposure and get better economies of scale with audience-building.

Lesson #3: Short-form video is exploding in popularity

In large part thanks to the momentum of Twitter’s Vine, Meeker points out that short-form video creation and consumption is growing rapidly:

Twitter Vine

However, short-form video presents both a tremendous opportunity and a tremendous challenge. Because of the format, successful Vines must be immediately and impressively visual, and the medium makes telling a story, developing characters or provoking audience emotional engagement highly challenging. Unsurprisingly, the vast majority of Vines get very low engagement, with few views and even fewer retweets. By comparison, the Vines that break through and achieve a degree of viral lift typically showcase highly clever, thoughtful cinematography optimized for the animated GIF-like repetitive format.

Lesson for the video community: despite what your agent or agency might tell you, Vine isn’t the holy grail for your branding, social media or content creation needs: it is a tool, and one that must be used wisely. Think your audience really wants to watch your Vine? No, your audience would rather sit down and watch a full-length episode of Mad Men with riveting plot development, so if you’re going to start cranking out Vines do your best to get creative with it and experiment.

Lesson #4: America does not equal the internet

One of the most awesome lessons from Meeker’s presentation is just how international the internet has become. Compared to America’s 244 million internet users (at a population penetration of 78%), India already has 137 million internet users at a population penetration of only 11%. Meanwhile, China boasts 564 million internet subscribers, while Brazil is coming on strong with 88 million web-connected people. Also, interestingly according to Meeker, we don’t share as much content on the internet as other cultures:

US social media sharing

Lesson for the video community: Think about an international audience when you’re creating and distributing digital video and look into things like foreign language programming or captioning on your YouTube content, both areas where Machinima typically does a great job.

Lesson #5: Content is becoming more democratic (and, thereby, more competitive) than ever before

Wondering why nobody’s watching your videos? Well, it might be because of this, but it probably also has something to do with the fact that 100 hours per minute of video are uploaded to YouTube every single minute. Talk about a flood of content that’s showing no sign of slowing down.

Damn, That’s a Lot of Video

Lesson for the video community: be really deliberate about the content you create and give people a compelling reason to watch it. The best type of content to achieve this is video that creates value for the viewer – ideally a combination of emotional value (e.g., funny, exciting, shocking) and relevant information value.


Personally Identifiable Information Hides in Dark Data

May 3, 2013

To my mind, HIPAA has the most sophisticated view of PII of all the US laws on the books. Its working definition encompasses vanilla identifiers: social security and credit card numbers, and all the other usual suspects. With the additional words “reasonable basis to believe that the information can be used to identify the individual”, HIPAA’s definition takes in digital handles such as emails, IP addresses and even facial imagery. But there’s a little more to HIPAA’s PII definition, and it applies specifically to free-form text (commonly found in word processing documents, spreadsheets, presentations, etc.).

The complete list of HIPAA’s PIIs is enumerated in the law’s Safe Harbor guidelines. In plain-speak, these guidelines tell health IT administrators what information is considered private, requiring special authorization to view or process. It includes the aforementioned identifiers, as well as medical record numbers, health insurance IDs, and some others. By the way, we’ve conveniently put this PII list in our omnibus data protection compliance whitepaper.

An unstated assumption made by many is that PII only lives in structured formats—in other words, fields in a database. Readers of this blog of course know that PIIs are often likely to be harvested from the massive amounts of human-generated dark data found on corporate file servers.

The HIPAA regulators have understood this as well. In clarifying the rules for removing PII—“de-identifying”—data for publication and general usage, they explicitly cover the possibility that PII can also reside in free-form text. I’ve excerpted the key paragraph from their de-identification best practices below:

PHI [protected health information] may exist in different types of data in a multitude of forms and formats in a covered entity.  This data may reside in highly structured database tables, such as billing records. Yet, it may also be stored in a wide range of documents with less structure and written in natural language, such as discharge summaries, progress notes, and laboratory test interpretations … The de-identification standard makes no distinction between data entered into standardized fields and information entered as free text (i.e., structured and unstructured text)— an identifier listed in the Safe Harbor standard must be removed regardless of its location.

Got that? PHI, which is essentially PII along with other sensitive medical information, embedded in spreadsheets, docs, and presentations is just as worthy of HIPAA privacy protections as fields in databases.

So if we follow these ideas—PIIs can be anything that reasonably links to an individual, and this data can exist in text—to their logical conclusion, then we need to consider a new possibility. Suppose this sentence from a doctor’s notes were uploaded to a file server:

The patient, a technical content specialist at Varonis, a software company, has been complaining about tennis elbow.

The natural question to ask is whether “technical content specialist at Varonis” is a PII?

It’s not a PII in the sense of a uniquely coded key such as social security number or health insurance ID that links back to a person. But in another sense, it acts very much like PII. Don’t believe me? Try typing that phrase into Google and see what comes up.

We’re really talking more about the meaning of the text—or as experts would say, the semantic value—rather than actual letters, numbers, and other syntax. But HIPAA’s Safe Harbor rule even takes this into account: it specifically notes that the “knowledge” in free text can also be used to point back to a person.

As a practical matter, the HIPAA rules mean that any reference to a patient’s job title and company is a violation of the law’s privacy protections.

This leads to a broader discussion on what’s called the “semantic web”. In brief, Google and a few others are already doing leading edge work on extracting meaning and knowledge from web content. You can see for yourself how well Google does this by entering the keywords “height of the empire state building” in a search. You’ll get back an actual answer, 1454’, in addition to all the docs with that exact phrase.

The larger point is that along with stealing PIIs, hackers and cyber thieves are also getting better at mining and interpreting human generated text for personal details, and then building more convincing fake identities to be used in social attacks, such as phishing and pretexting.

Bottom line: these bits and pieces of personal information that are scattered across file servers in clear-text documents can be used to identify an individual with very high likelihood.

That’s important to keep in mind when someone in your company asks, “do we know what’s in our files and the risks involved if our servers are breached?”


Customer Decision & Big Data: A possible Journey

April 26, 2013

Customer is king. Always. Whether in B2B or B2C settings. Much has been written this week on the importance of a customer-centric approach, in which B2B organizations need to develop a much deeper understanding of the modern Customer Decision Journey.

Questions have been raised as to whether Multichannel Marketing Mix approaches have been based on the right models and research to measure results.

Adding to the debate is a report to be issued by the Council for Research, currently investigating measurement issues related to digital video advertising, a report that in turn will form the basis of an Advertising Research Foundation inquiry into the quality of the models.

“We believe it’s important to bring a combination of modeling, information and expertise to decisions,” a P&G spokesman said in a statement to AdAge. “We have clear evidence that marketing-mix modeling, combined with other information and expertise, has helped to improve return on investment of our marketing spending and media buying.”

Besides measurements, what remains key is to reach the customer with a message that will limit the risk of ad avoidance, a phenomenon which has been noticed to be on the increase lately.

Can big data really improve the customer experience with personalized ads, products and service offerings?

For certain, big data can say a lot about preferences and even location. But with constantly increasing terabytes of data in structured, semi-structured and unstructured formats, making sense of it all is, to say the least, challenging.

The more so for businesses, which do not have their own platform from which to gather this data, nor the technical tools or analyst expertise to navigate and make sense of data gathered from their websites, blogs and external social platforms.

Some even ask the question whether Big Data is in reality an opportunity only for big players of the likes of Google.

What do you think?

Thanks to 
http://moniagalardi.com/2013/04/25/customer-decision-big-data-a-possible-journey/



EU to Google: We Really Mean it About Data Retention Limits

April 22, 2013

“Are these data and privacy protection regulations serious or are they just for show?”  I’ve been hearing that question lately from the tech reporters and journalists who’ve been contacting me. Even after pointing out extensive case files and other documented incidents on government and legal sites, I’m still left with the feeling that it’s just not proof enough.

Fate has finally intervened.

With the EU Commission’s complaint against Google’s privacy policies reaching a conclusion, I now have a teachable moment to convince the naysayers that this stuff is serious business.

When Google changed its privacy terms in early 2012, the fine print was also being looked at by EU regulators. Google may have thought it was making it easier for consumers with a single policy covering all its web services, but others felt a bit differently. The Article 29 Working Party is in charge of advising the EU Commission on their data security and privacy rules, which are contained in the Data Protection Directive or DPD. In late 2012, they filed a complaint against Google, and addressed a letter to Mr. Page.

In so many words, the Article 29 folks said the search engine company had not done enough to follow DPD rules on consumer privacy.

Security experts, compliance gurus, CIOs, and other interested players would normally have to get the real story about this intersection of legal and tech in niche publications or in the back pages of certain business sections, or perhaps in a blog of a major data governance player. Since this is Google, and it appears that the EU is willing to go to the mat on this one—in other words, there will be fines—the story is now moving up in importance and appearing more prominently in business sections of main-stream publications.

You can read from the regulator’s report to learn about the long list of Google’s privacy shortcomings, which are conveniently bold-faced. I offer a few of their choice phrases: “no valid consent”, “incomplete or approximate information”, and “retention periods must be appropriate in regards to the purpose.”

Whoa! The EU—technically the individual national data protection authorities led by France’s CNIL—will fine a major American online service provider over their … data retention policy?

Of course, having data retention policies and procedures —what to keep, what to archive—in place is just IT common sense. But you’re probably thinking that just because an organization doesn’t have explicit data retention or migration plans doesn’t mean it has broken the law.

Actually, it’s not only the EU that takes this IT procedure seriously. Data retention limits also show up in the US’s HIPAA rules for personal health data and in some financial data security regulations. But usually the limits—measured in years—are the amount of time an electronic document must be kept.

The EU, though, views data collection and retention with a goal of “data minimization” in mind: companies should store the minimum amount of personal data and limit the duration to what “must be appropriate in regards to the purpose”. That’s essentially the language of the DPD law. In other words, you just can’t keep personal consumer data unless there’s a legitimate business reason, you have to say what that reason is, and you have to say how long you’re going to keep it.

According to France’s CNIL, Google has to this date refused to provide any information about its data retention policies after being requested to do so.

And the EU Commission has been very clear that there will be consequences for not following its rules. How bad could the fines be for violating, either willfully or negligently, the DPD? The head of the Commission is suggesting they could run as high as 2% of global sales.

Last year Google earned revenues of over $45 billion. You do the math on what it means for not taking data compliance regulations seriously.


Watch Google Show Off 4 Glass Apps

April 5, 2013


How the biggest DDOS attack in history could have been easily avoided, or not

April 5, 2013

The recent DDOS attacks aimed at Spamhaus hammer home three very important points that we must learn in our new digital society:  1.) How dependent we are on digital communication, 2.) How interdependent our networks have become, and 3.) How drastic the consequences are when basic “blocking and tackling” measures are not taken.

This particular attack has not only affected Spamhaus, it has also affected the internet speed and availability for millions of users and sites in the UK and in Europe.  According to an article by John Markoff and Nicole Perlroth in the New York Times, “a number of computer security specialists pointed out that the attacks would have been impossible if the world’s major Internet firms simply checked that outgoing data packets truly were being sent by their customers, rather than botnets.”

The article also discusses how the attack would have been much less successful (or not successful at all) if more internet providers followed the best practice guidance released 13 years ago (2000) by the IETF (Internet Engineering Task Force) in BCP38.

While the article does a good job explaining the high level concepts of the attack, here is a little more detail on how the attack works, and how these attacks can be stopped:

Imagine some “attacker” can “spoof” your phone number so that your number shows up on other people’s phones when they call. Now imagine the attacker calls a bunch of people and hangs up before they answer— you’ll probably get a bunch of calls back from those people, because it looks like you called and hung up when you didn’t. Now imagine thousands of attackers doing this—you’d certainly have to change your phone number. With enough calls, the entire phone system would be impaired.

That’s similar to what’s happening in this DDOS attack. Attackers are spoofing Spamhaus’s IP addresses (IP addresses are like a phone number on the internet), sending traffic (let’s call this “stimulus”) to servers that they know will respond to this traffic, and these servers dutifully send their responses back to Spamhaus’ servers. Armed with the power of thousands of computers in a botnet, the attackers are sending a lot of stimulus. To make matters worse, the responses are much larger, in terms of size, than the stimulus. This means that for every packet of stimuli, there are many more response packets. (In our example above, imagine that all those hang up calls were to phone numbers that would automatically leave 3 minute messages on your voicemail or keep calling back over and over).

So what servers are drowning Spamhaus (and the rest of us) in response packets?  These servers are called domain name servers, or DNS, and perform a critical function—they match a human friendly name (e.g. google.com) with a machine friendly number (i.e. an IP address). Computers need to know each other’s IP addresses in order to communicate (or the IP address of the firewall that is protecting the computers).

DNS in friendly terms? When you try to browse to google.com, your computer queries a DNS to learn its IP address. If your computer can’t connect to a DNS, or the DNS can’t resolve google.com to an IP address, you’re out of luck. You can see this in action by going to a command prompt or shell on your computer, and typing:

nslookup www.google.com

If successful, you’ll see one or more IP addresses for Google.

Without DNS, instead of typing http://www.google.com in our web browser, we’d be typing, “173.194.75.105” or something similar. I can’t even remember my own phone number anymore—imagine if we had to remember these?

Why is DNS so vulnerable? The primary protocol that DNS servers happen to use is called UDP (User Datagram Protocol). This is important because UDP is “connectionless,” meaning there is no “handshake” when the initial connection is set up. “Handshakes,” like those used in TCP communications, offer a reasonable amount of host authentication—in other words, with TCP connections, you can be reasonably certain that both computers are who they say they are. With UDP, you cannot be sure, especially with short bursts of communications like DNS queries.

So, using a botnet, the attackers are sending millions of DNS queries that appear to be from the victim’s computer (“spoofing” the victim’s IP addresses), and the much larger responses from the DNS servers actually go to the victim’s computers. It’s kind of the ultimate “crank call.”

How can these attacks be stopped? Follow the guidance in BCP38, which explains how internet providers can filter out spoofed traffic. The idea is simple— every router (the devices that connect the internet) understands which addresses should be coming from which direction (interface, in router terms). If a packet arrives that says it’s coming from an IP address that shouldn’t be arriving from that interface, the packet should be dropped.
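The mechanics described above can be put side by side in a small model: an edge router that knows which prefix belongs to which customer interface, an open resolver that answers every query it receives, and the same spoofed queries run once without and once with BCP38 ingress filtering. This is an added example, not the post's or the IETF's code; the topology, the RFC 5737/5735 documentation addresses, the 1000-query burst and the 50x amplification figure are all constructed assumptions.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed topology (not from the post): one provider edge router with two
# customer-facing interfaces, each owning one prefix. Packets from the uplink
# are not listed and therefore not filtered: the provider only knows its own
# customers' address space, which is exactly what BCP38 asks it to enforce.
INTERFACE_PREFIXES = {
    "cust0": [ipaddress.ip_network("198.51.100.0/24")],
    "cust1": [ipaddress.ip_network("192.0.2.0/25")],
}

# Constructed addresses: the victim (stand-in for the target of the attack),
# an open resolver used as the reflector, and a botnet host at a customer site.
VICTIM = "203.0.113.10"
OPEN_RESOLVER = "198.18.0.53"
BOT = "198.51.100.23"


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    src: str     # claimed source address (the bot writes the victim's here)
    dst: str
    size: int    # bytes on the wire


def bcp38_permits(pkt: Packet, table: Dict[str, list] = INTERFACE_PREFIXES) -> bool:
    """Ingress filter: on a customer interface, the source address must fall in
    a prefix assigned to that interface; anything else is a spoofed packet."""
    prefixes = table.get(pkt.iface)
    if prefixes is None:          # uplink or unknown interface: not filtered here
        return True
    src = ipaddress.ip_address(pkt.src)
    return any(src in prefix for prefix in prefixes)


def reflect(queries: List[Packet], amplification: float,
            filtering: bool) -> Tuple[int, Counter]:
    """Model the reflector's side: every query that reaches the resolver is
    answered to its claimed source with a response `amplification` times larger.
    Returns bytes landing on the victim and a per-interface count of drops,
    which tells the operator which customer port is sourcing spoofed traffic."""
    victim_bytes = 0
    drops: Counter = Counter()
    for q in queries:
        if filtering and not bcp38_permits(q):
            drops[q.iface] += 1
            continue
        if q.dst == OPEN_RESOLVER and q.src == VICTIM:
            victim_bytes += int(q.size * amplification)
    return victim_bytes, drops


def demo() -> dict:
    # Constructed traffic: 1000 spoofed 64-byte queries from the bot plus one
    # legitimate query from the bot's real address. The 50x amplification is a
    # constructed figure; real ratios depend on the query type and the zone.
    spoofed = [Packet("cust0", VICTIM, OPEN_RESOLVER, 64) for _ in range(1000)]
    legit = [Packet("cust0", BOT, OPEN_RESOLVER, 64)]
    queries = spoofed + legit
    without_bytes, without_drops = reflect(queries, 50, filtering=False)
    with_bytes, with_drops = reflect(queries, 50, filtering=True)
    return {
        "unfiltered_victim_bytes": without_bytes,   # 64 * 50 * 1000
        "filtered_victim_bytes": with_bytes,        # spoofed queries never leave
        "unfiltered_drops": dict(without_drops),
        "filtered_drops": dict(with_drops),         # points at the infected port
        "legit_permitted": bcp38_permits(legit[0]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The per-interface drop counter is the operational payoff for the provider: it shows which customer port is emitting spoofed packets, so the compromised hosts can be found rather than just silenced.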

Why is this hard? It’s not. So why haven’t internet providers taken these simple steps?

Actually, most of them have—according to research by the MIT ANA Spoofer Project, cited in an article on Senki written in June of 2012, 80% of internet providers had already implemented the recommendations in BCP38, and were already blocking spoofed traffic. It’s the remaining 20% that remain responsible for allowing “spoofed” traffic.

We’re seeing more and more that when fundamental blocking and tackling is missing, our interdependence shows – when a few parties don’t take basic security measures, other parties suffer. Just like on the road, where a few (or many) distracted or careless drivers can cause harm to countless others, a group of sloppily configured routers can allow attackers to disrupt critical infrastructure that we’ve come to depend on.  80% just isn’t good enough.

We can’t turn off DNS. Though it’s theoretically possible to make everyone use TCP instead of UDP for DNS queries (which would make these queries much more difficult to spoof), so many people would be adversely affected during the transition that this might make things worse than just living with the DDOS attacks.

Our best choice is to create a culture of security and responsible computing, where it becomes unacceptable to be in the remaining 20%. Imagine if 20% of the drivers on the road didn’t obey traffic signals—it would no longer be safe to drive. It should be equally unacceptable that so many computers are now in botnet armies that can do such tremendous damage—80% isn’t really good enough there, either. If 20% of the computers in the world are allowed to become part of a botnet, we’re going to have much bigger problems. The culture of security and responsible computing needs to extend to internet providers, and internet users.

