Tuesday, 26 January 2016

Lawsuit Could Impact Third-Party Cybersecurity Providers

A recently announced lawsuit in the US could affect how third-party cyber security providers go about their business. The lawsuit, filed by a Nevada-based gaming company, seeks damages against a cyber security firm whose work was found to be “woefully inadequate” by a secondary investigation months after the original work was done.

Various media reports say that Trustwave was hired by Affinity Gaming to investigate and mitigate a known data breach that the company believed could have exposed as many as 300,000 customers. Trustwave was enlisted to take care of things as quickly as possible in order to protect customer data. The original problem Trustwave was hired to deal with dates back to 2013; the secondary investigation did not take place until 2014.

New Regulations Force Secondary Investigation

The Affinity Gaming lawsuit alleges that, at the time of the original 2013 problem, Trustwave asserted that its management of the security breach resulted in complete containment. Affinity Gaming took them at their word and went on their way. However, they were forced to hire Ernst & Young in 2014 to conduct penetration testing in response to new regulations enacted by the Missouri Gaming Commission. That testing showed that the security problems Trustwave said had been mitigated were still active.

Affinity Gaming then hired Mandiant to audit the previous Trustwave work. That is from where the accusations of inadequacy arose. Mandiant investigators insist that Trustwave did not mitigate the issue they were contracted to handle and that the work they did provide was insufficient to the requirement at hand. Officials from Trustwave vehemently deny the allegations.

What It Could Mean

There is no way to say who is right and wrong without more detailed knowledge of the situation but it is noteworthy to take a look at the potential effects of this lawsuit. To begin with, let us assume that Trustwave did do everything within its power to contain the data breach at Affinity Gaming. Let's also assume they followed all the proper procedures and protocols, and then let us assume that they sincerely believed they had met their obligations when they reported the security issues closed.

In the era of virtualisation and ever-more complex data centre and collocation facilities, the instances of security breaches are growing exponentially. This is neither random nor unexpected. The more complex you make a system, the more vulnerable that system is to breach. We cannot expect to expand the capabilities of the digital age without also expecting increased security threats.

A successful lawsuit might be just what the industry needs in this case. But it may not be if it is determined that Trustwave did everything right. In such a case, the lawsuit could serve as motivation for third-party cybersecurity providers to be overly cautious and conservative in their approach so as to not face litigation from an unhappy customer.

Again, there is no way for us to know what the outcome of this case should be. We will have to leave it to the courts.

Wednesday, 20 January 2016

Yandex to Turn Waste Heat into Space Heat

Yandex, the Russian-language search engine that dominates the sector in Eastern Europe, is working hard to become as dominant in its market as Google is just about everywhere else. Now it turns out they are not competing just in the arena of organic searches and mobile computing; Yandex is also going after green technology. The company recently announced an agreement with a city in southern Finland that will turn waste heat from its data centres into space heat.

Yandex operates multiple data centres near the city of Mäntsälä, a rather small city just 40 miles north of Helsinki. The city's relatively modest size makes it an ideal candidate for tapping the waste heat produced by the two data centres as a means of providing municipal space heat for local residents. Yandex has struck a deal with Finnish energy company Mäntsälän Sähkö OY to harness the waste heat.

Turning the waste heat into municipal space heat is expected to reduce heating costs for local residents by as much as 5% over the next year. It should also significantly reduce natural gas consumption by the local utility provider. Both benefits will combine to help the EU get one step closer to reaching its CO2 emissions targets that need to be achieved by 2030. The city itself hopes the deal will cut its emissions by as much as 40%.

How It Will Work

Turning the heat produced by cooling data servers into usable space heat will require the city to move water from its municipal system to the two data centres. That water will pass through heat exchangers capable of transferring heat collected through ventilators in server areas. The water will then be returned through the system and back into the city network. It is a relatively straightforward principle that has proved successful in numerous other projects of a similar nature.

Yandex Data Factory CEO Jane Zavalashina spoke in her official remarks of her company's commitment to environmental responsibility. She noted that it was part of the Yandex ethos to use data centres efficiently and, where possible, to use that increased efficiency to reduce environmental impacts.

The news of the Finnish project is not all that unusual in terms of the technology being harnessed. What makes it unusual is Yandex' emergence as a green technology partner along the same lines as Google, Microsoft, Facebook, and others. The fact that the Russian company has decided to go this route shows the rest of the world that they have no intention of sitting idly by while other big names lead the way environmentally.

In a day and age where virtualisation and cloud computing is requiring ever-more powerful servers, the average data centre will be producing significantly more heat in the coming years. Harnessing that heat through efficient cooling technologies that also allow the exploitation of that heat for other purposes only makes sense. The citizens of Mäntsälä are on the verge of finding that out first hand.

Tuesday, 12 January 2016

Information Commissioner: Stronger Sentencing for Cyber Crooks

Sindy Nagra is a 42-year-old former administrative assistant for Enterprise Rent-A-Car. She is also a thief. Nagra was prosecuted for stealing sensitive customer information and selling it to cyber criminals for £5,000. In early January (2016), after being convicted of her crimes, the court ordered her to pay a £1,000 fine along with a £100 victim surcharge and £864.40 in prosecution charges. Her total bill: £1964.40. Her crime netted her a profit of just under £3,046.

This miscarriage of justice led the Information Commissioner to speak out. In an official statement from the Commissioner's office, Christopher Graham made it clear that sentencing options need to be stronger for these kinds of cases. He said he understands that courts might be limited by a defendant's ability to pay fines and charges, but courts still do not go far enough. In this case, the penalty did not even come close to matching the crime. There is no incentive for this woman to not repeat her crime in the future.

“Sindy Nagra got £5,000 in cash in return for stealing thousands of people’s information,” Graham said. “She lost her job when she was caught, and has no money to pay a fine, and the courts have to reflect that. But we’d like to see the courts given more options: suspended sentences, community service, and even prison in the most serious cases.”

Ironically, Nagra was not alone in her crime. She sold the information to another person who was found guilty by the same court of 55 offences. His fines and charges were even less than Nagra's. It is apparent from the two sentences that criminal networking can be rather profitable with favourable courts on one's side.

Enforcement Key to Fighting Crime

There is plenty to be disturbed about in this story. For a start, enforcement is always the key to successfully fighting crime. In this case, enforcement was mostly non-existent. It failed the victims harmed by Nagra. But taking things one step further, cybercrime requires a stronger action by enforcement authorities because of its potential to affect so many more people on such a large scale.

For example, consider a third-party vendor who might offer managed services to a large corporation with hundreds of thousands of customers. It only takes one or two employees willing to steal information to ruin the lives of thousands of individuals and permanently damage the reputation of the company. Prior to the digital age, crooks had to steal one person at a time. Now they can steal thousands or event millions in one, giant, electronic swoop.

The global proliferation of IT services and online data sharing have raised the stakes considerably. All of us face the very real threat of becoming victims of cybercrime in a world in which so much information seems to flow so freely. Furthermore, no amount of preventative measures will stop cyber criminals from doing what they do.  Essentially, we need stronger enforcement that includes sentences severe enough to dissuade criminals in the future.

Wednesday, 6 January 2016

Christmas Flooding a Reminder of Technology's Limits

The Christmas holiday season is usually one of general good cheer. For those living in the northernmost portions of England however, the 2015 holiday season brought with it severe rain and floods. The flooding was so bad in Leeds that the water knocked out data and voice services for customers of Vodafone. BT customers in York were also affected by flood waters in the north of England.

Yorkshire, Cumbria and local communities all over the North East and North West spent Christmas weekend trying to recover from heavy rains. In Leeds, the River Aire overflowed its banks to flood a good portion of the city, including a primary Vodafone data centre. The data centre lost power in addition to suffering water damage to both the premises and on-site hardware.

Vodafone officials said that their Kirkstall Road data centre was inundated with flood waters, causing intermittent service issues for customers in the North East. The company was not given access to the data centre until Boxing Day, slowing down repair efforts. Vodafone has since restored power with backup generators and is now in the process of repairing and replacing hardware.

Building and Infrastructure Limits

If nothing else, the Christmas floods in the north of England are a reminder that buildings and data communications infrastructure have their limits. We design data centre buildings and on-site hardware to be as robust as possible in the event of natural disasters and other emergencies, but there is nothing we can do to address every possible contingency. Flooding is but one example.

When rivers overwhelm their banks to inundate towns and villages, there's not much that can be done to stop the water. It goes where it wants, despite our best efforts to the contrary. We can design and build to minimise damage, but we can never stop Mother Nature from doing what she wants to do.

The good news is that the flooding was not nearly as bad as it could have been. Vodafone and other affected businesses, along with local homeowners, will recover in a relatively quick manner. Vodafone customers, despite having experienced intermittent service issues during the flooding event, have now been restored to full service thanks to the efforts of Vodafone staff. And so life goes on.

A Lesson in Redundancy
How did Vodafone recover so quickly after losing access to an entire data centre for an extended amount of time? Through built-in redundancy. That is the key to maintaining service in the modern era of technology. Redundancy is what has kept aeroplanes flying, hospitals operating, and military systems up and running in the face of all kinds of disasters. It is what keeps data communications going all over the world.

In the aftermath of the Christmas flooding in the north, Vodafone and other telecommunications companies will be taking another look at redundancy. Improvements will be made and new designs will be adopted. Then they will sit back and wait for the next emergency…  which will hopefully not be upon us too soon!