Tandemworld eNewsletter for Jan 2014

My Jeep automobile can’t be hacked...so far. Unfortunately, others can. Recently, a pair of security researchers (aka legal hackers) demonstrated their abilities to remotely control a Jeep Grand Cherokee from a laptop located even thousands of miles away. For starters, Chris Valasek and Charlie Miller can turn on a Jeep’s air conditioner remotely, can change radio stations, can activate the windshield wipers, and can put the car in neutral while it’s driving on the highway. Worse yet, they can disable the brakes and even control steering and acceleration – all performed thanks to a zero-day vulnerability in the Jeep’s entertainment system.

In a recent Availability Digest article, “Can an Airliner be Hacked” (http://bit.ly/1GdgA7q), we introduced a security researcher who was able to access a plane’s flight controls via the cabin’s in-flight entertainment system. It turns out that the cabin intranet network and the flight-control intranet network were linked by a firewall that the researcher was able to breach. Now this same malicious technology has been extended to automobiles.

Valasek and Miller focused their hacking skills on the Uconnect entertainment system used by Fiat Chrysler, the parent company of Jeep. Uconnect controls a vehicle’s entertainment and GPS navigation systems. It enables phone calls and even offers a Wi-Fi hot spot. All services are voice command-enabled. Uconnect receives information over Sprint’s 3G network, and it was this cellular network that Valasek and Miller were able to access, exploit a vulnerability, and use a cell phone to place their code into the entertainment system’s firmware.

Scary stuff. In response, Fiat Chrysler has issued a safety recall of 1.4 million vehicles in the U.S. alone. The recall includes Fiat Chrysler cars – not just Jeeps – that are two to three years old. My Jeep is a 2010. Whew! How about yours?

- Bill Highleyman

The August Availability Digest will be published within a week. Take a moment to check out our other articles. In the meantime, enjoy “My Jeep Wasn’t Hacked” at http://bit.ly/1NrufJz.

The Availability Digest offers one-day and multi-day seminars on High Availability: Concepts and Practices. Seminars are given both onsite and online and are tailored to an organization’s specific needs. We also offer technical and marketing writing services as well as consulting services.

Digest Managing Editor Dr. Bill Highleyman will speak at the Mid Atlantic (MATUG) Chapter meeting on September 17th in Herndon, Virginia USA. Contact Susan Loeliger (sloeliger@gravic.com) for more information on the meeting agenda.

Published monthly, the Digest is free and lives at www.availabilitydigest.com. Please visit our Continuous Availability Forum on LinkedIn for our latest discussion thread: “Can humans be a single point of failure?” We’re at 708 members and counting. Follow us as well on Twitter @availabilitydig.

NuWave Technologies Welcomes New Team Member

NuWave Technologies is happy to announce and welcome their new marketing coordinator, Mandi Nulph, to the team. Mandi brings with her over a decade of experience in marketing and new media.

Mandi comes to NuWave from St. Petersburg, Florida. She attended the University of South Florida in Tampa where she earned her bachelor’s degree in mass communication, and since then she has worked as an editor and marketing specialist in multiple industries and across a variety of mediums, including print, search engine optimization (SEO), social media, and much more. This experience has provided her with a wealth of knowledge in a wide array of marketing techniques and best practices that she looks forward to using in the advancement of NuWave in the NonStop space.

Now that Mandi is trained and has met the team, she’ll be jumping right into NuWave’s social media marketing, so be sure to follow NuWave on Twitter, LinkedIn, and Facebook.

XYPRO - Protecting Healthcare Data: An Ounce of Prevention

2014 was a landmark year for the Healthcare Industry when it came to data breaches. 2015 is continuing that trend. According to the Identity Theft Resource Center, the Healthcare Industry accounted for 42 percent of all major data breaches reported in 2014.

Thieves have begun turning their attention to the 3 trillion dollar a year Healthcare Industry, whose data is turning out to be worth more than credit card numbers. The Healthcare Industry has not only seen a sharp uptick in the amount of large, widely publicized data breaches, but also in the value of the data stolen.

The average price of a single stolen credit card has dropped from $35 to under $1 because of flooded supply, causing thieves to look elsewhere for other more profitable sources of revenue. The Healthcare Industry, with its aging infrastructure, slow adoption of security and hasty need to move to electronic medical records, has turned out to be a treasure trove for cyber criminals. Medical data breaches are now rivaling those of the largest retail breaches. We no longer live in an era where the only threat to our privacy is credit card theft. Today’s cyber-attacks make payment data leaks look like petty theft. Our transition to this new era has been sudden; our medical records, social security information and personal data are all at risk. Because medical records are worth ten times more than credit card, they have become a high value target. With so many players in the Healthcare Industry as well as government agencies being compromised, it is difficult to trust anybody with your information.

When I discuss these facts with others, they tend to ask me “How do you even monetize medical data?”. Two words. Medical Fraud. Once medical data is compromised, thieves can submit fraudulent claims to an insurer for payment, costing you, me, healthcare providers, insurers and everyone in between billions of dollars a year. According to the 2015 Experian Data Breach Industry Forecast report, the cost of healthcare breaches are nearing the $6 billion a year mark. That number doesn’t take into consideration fines, fees, unreported fraud, as well as the side effect on other industries.

It doesn’t stop at medical fraud. Having a patient’s medical history gives a criminal access to sensitive information about that patient, which leads to medical identity theft. Medical identity theft allows a fraudulent person to receive healthcare benefits they’re not entitled to, as well as access to prescription history. This enables thieves to purchase prescription drugs on a patient’s behalf, which are then resold online on black market websites, such as the former Silk Road.

The HP NonStop, with its unique fault tolerant features, high availability and mission critical capabilities, is often in a pivotal position in the healthcare industry and is therefore a prime consumer of medical data. With so much at stake and the ramifications of a healthcare breach so damaging, what can be done and why isn’t more being done about it?

We all understand the quicker you detect a breach, the sooner you minimize the amount of damage an attacker can cause, but the current mean time to detection of a breach is over 200 days. That means an attacker is in your network, on your systems for over 6 months on average, wreaking havoc and most organizations don’t even have a clue.

XYPRO’s XYGATE Data Protection (XDP) powered by HP Security Voltage has the ability to neutralize the damage caused by a breach by rendering useless that valuable medical and personal data stored on your mission critical systems. A proper implementation of XDP will encrypt or tokenize medical and personal data to ensure continuous interoperability with your applications, while rendering the data useless to a thief. This requires no modifications to your applications. XDP retains the data formats that your applications currently use.

The challenge of protecting sensitive data is no longer a concern only for those organizations who process card payments. The extremely valuable and sensitive nature of Personal Identifiable Information (PII), Personal Healthcare Information (PHI) and medical records have thrust the Healthcare Industry right into the cyber-security spotlight. Implementing the proper security infrastructure to make the ongoing protection of this data is no longer a nice to have, but a critical requirement.

Visit the XYPRO Blog

Stay Connected with XYPRO

Facebook
Twitter
LinkedIn Group
BlogSpot
YouTube

The cutoff date for our special room rate is Friday, October 23, 2015. Please reserve your room before 10/23/15 to secure the special room rate.

Please register via EventBrite for the Mid-Atlantic Tandem User Group (MATUG) meeting scheduled for 8am-5pm on Thursday, September 17, 2015 at the HP Federal Systems Headquarters, Herndon, VA USA. (Click https://eventbrite.com/event/16902004350/ for more information.) Expect several informative HP and vendor presentations, as well as a special presentation by Dr. Bill Highleyman.

Calling all VENDORS, ISV’s, and SOFTWARE PROVIDERS: There are only three 25-minute vendor presentation slots still available, for a small sponsorship fee (TBD based on overall meeting expenses, including meals). These slots will be filled on a “first-come first-serve” basis, based on the time of your email response to Susan Loeliger, MATUG Secretary/Treasurer. (User presentations take preference and are free.)

"Our intention in providing a deep port of Node.js to NonStop was to tap into the growing pool of expertise engaged in developing applications using Server Side JavaScript (SSJS)," said Infrasoft Managing Director Peter Shell. "We are anticipating considerable interest among solutions and middleware vendors as well as end users – any company today running NonStop and looking to port a modern application to NonStop no longer faces hurdles in the way of them exploiting the fault tolerant attributes that differentiate today’s NonStop X systems from any other system. Likewise, any company today running, or considering running Node.js applications, can now use HP NonStop systems so as to improve the reliability and scalability of their applications".

popular press that appeared in the April 29, 2015, article in InfoWorld, JavaScript and Node.js will change corporate technology like Java did, according to a Forrester report acknowledging that, "JavaScript in general and the server-side Node.js runtime environment in particular are setting the stage for ‘the biggest shift in enterprise development in more than a decade,’ contends a report by Forrester Research." Furthermore, reports InfoWorld, "JavaScript is addressing the scalability challenge, changing enterprise architectures and programming models, and Forrester advises becoming familiar with Node.js."

Infrasoft Pty Limited specialises in the creation of middleware software focused on communications, networking and development productivity. bomBora is the third product to leverage the internal framework developed by Infrasoft and joins the widely-deployed uLinga and maRunga products. By taking advantage of a well-proven framework not only was the time to port significantly reduced but bomBora was able to capitalize on numerous features all NonStop X users are familiar with and that are pre-requisite to support mission-critical applications.

Excerpts from the video:
“Our relationship with Lusis has been a tremendous asset to us…” - Randy Meyer, Vice President & GM, Mission Critical Systems, Hewlett-Packard Company

“The quality of people we dealt with at Lusis were Excellent!” - Chris Nolte, Chief Technology Officer, Bankserv Africa

Then register for a concise webex presentation on Lusis TANGO at www.lusisblog.com/tango_webex.html. TANGO is a recognized, mission-critical transaction processing software technology for acquiring, routing, switching, authenticating and authorizing payments across multiple channels including ATM, POS, eCommerce, Prepaid and Mobile.

Or just give us a call at (415) 829 – 4577 to learn how TANGO can save your organization costly transaction fees while providing a PROVEN (HP Benchmark tested) agile solution.

Meet Steve Anderson. Like most of us, he uses credit cards. As he went to pay for gasoline (petrol) one day, he realized that his credit card was missing. To his dismay, Steve learned from his credit card company that the card had been stolen and had been used for fraudulent transactions. Fortunately, Steve was not responsible for the unauthorized purchases. Unfortunately for the impacted merchants and or Steve’s credit-card company, the theft was a hit to their bottom lines. No wonder everyone is interested in fraud detection and in the OmniPayments Preauthorization Engine.

“The Fraud Blocker – Catching the Wrongdoers” is the lead story in the July/August issue of The Connection. http://bit.ly/1HUjGHE The article introduces Steve’s plight and the massive costs that fraudulence incurs on banks and retailers. The article identifies, details, compares, and evaluates fraud blockers and fraud monitors as two primary methods for fraud detection. Fraud blockers are proactive. Via a complex set of rules, they preauthorize transactions by identifying potentially deceptive transactions in real time and rejecting them without having to send the transactions to issuing banks for authorization. Fraud monitors are reactive. They also assess transactions via a rules set, but they have no “reject” capability. Instead, fraud monitors report suspicious activities as the card issuers are making authorization decisions. Often, a report may arrive only after the fraudulent transaction has been approved. In the aftermath, all that a card issuer can accomplish is to apply more stringent checks against a questionable card or for the card to be blocked for future transactions.

The OmniPayments Preauthorization Engine is a fraud blocker. It can be used by financial institutions either in conjunction with the OmniPayments Financial Transaction Switch or as a seamless interface to other providers’ switches via a custom support module (CSM). Modern and easy to manage, it preauthorizes millions of transactions far more effectively than its complex, compute-intensive competitors.

Each issuing bank’s preauthorization parameters initially can be set up via bulk file transfer, maintained via an OmniPayments-provided browser interface and accumulated in an Operational Data Store (ODS) for use by the OmniPayments Preauthorization Engine. Rules change and require continual maintenance. OmniPayments offloads from the banks this time-consuming responsibility via its Transaction Screening Module. The OmniPayments Financial Transaction Switch or that of another provider will route all transactions to the Preauthorization Engine for review. Only then will validated transactions be submitted to issuing banks.

OmniPayments is a comprehensive architecture by which financial institutions acquire, authenticate, route, switch and authorize transactions across multiple input channels. It supplies a full set of functionalities to support payment transactions and is guaranteed to save a company at least 50% of its current transaction processing costs. Based on a modern Service Oriented Architecture (SOA), OmniPayments consists of several service components, all built for the HP NonStop platform. One of those components is the OmniPayments Preauthorization Engine.

OmniPayments and the new OmniCloudX on NonStop X supply complete security functions for every financial transaction handled, including encryption-at-rest and encryption-in-flight. Available around the clock, OmniPayments and OmniCloudX will survive any single fault, require no downtime for maintenance or upgrades, and support a range of disaster-recovery solutions. Both expand easily to provide additional functionality when needed. Additionally, OmniPayments and OmniCloudX can manage multiple devices, can host application interfaces, and can interoperate with third-party products or other systems if required. Like OmniPayments, OmniCloudX supports EMV smart-card technology.

The OmniPayments pricing model is based not on transaction volume but instead on a one-time software license. This results in huge savings. OmniCloudX hosts numerous instances of OmniPayments on an attractive, pay-for-use basis.

OmniPayments, Inc. (www.omnipayments.com) is the product arm of Opsol Integrators Inc., a leading HP NonStop system integrator. For further information, contact Yash Kapadia at +1 408-446-9274 or at yash@omnipayments.com.

When scanning COBOL Code, ITP-PANORAMA checks all programs as the NonStop compiler does. While the compiler can only state that a program is calling other programs and using files, tables, records, data-fields a.s.o., ITP-PANORAMA is performing cross-reference checks over all scanned applications and programs. This finds all open links, missing and dead code. Entries on the error list are related to the relevant location in the HyperCube Repository and the program listing. Clicking on TAB “Scores” users find twenty-one graphics that show e.g. unclosed files and cursors, unused programs, sections, paragraphs, records, lines of code a.s.o.. Users can see statistics for all or selected parts of the meta-data in the repository.

ITP is now adding 57 additional quality checks and 44 statistics. They vary from severe errors that have to be corrected immediately to can be cleaned up later. It is easy to adjust the quality checks. The statistics will answer all questions about the scanned applications.

The best way to re-document your COBOL applications and to improve the quality is the Software Check with a 30 day trial. It only takes two days to install ITP-PANORAMA, scan your sources and train the first group of users. If you see your applications in the HyperCube repository of ITP-PANORAMA and perform analyses, searches and selections in less than a second, it will be the first time you really know your software.

You will only believe how transparent and easy to understand you software can be after you have seen a demonstration of ITP-PANORAMA in a free Webinar.