/2020chronicle

Archive for the 'Technology' Category

Home Depot B2B EDI “support” is a model of Asian outsourcing failure.

Home Depot outsourced its B2B and EDI (Electronic Document Interchange) support to India, Pakistan or somewhere in Asia long ago.  It’s a model demonstration of the failures that can come from outsourcing.  The long-running jokes about Indian call center support embraced by US technology and telecommunications companies have spread across almost all areas of I.T.  This failure on Home Depot’s part is especially important because it causes disruption in their vendor supply chain.

Honorable mention goes to Home Depot for their selection of unqualified candidates to work in their B2B support center.  Not only are they generally unhelpful and unknowledgeable regarding things like their own EDI mapping specifications, but Home Depot has found it acceptable to hire people who ONLY speak Farsi or Urdu, with almost zero ability to speak English.  This is no exaggeration or matter of interpretation.  My guess is the top of the totem pole in Atlanta probably isn’t even aware how bad the situation is with this language barrier.  I challenge anyone in their stateside senior management to call their own B2B support department and hold a conversation.  Our organization has been required to call in our Indian and Pakistani product managers to sit on calls and speak with the HD B2B support staff in their native language because they genuinely did not know the words in the English language to communicate high-level technical information to our internal EDI staff or our application vendors.  This is when you know they’ve gone too far in their quest to offset costs.

Predictably, Home Depot could play the “we can’t find U.S., Canadian or European workers with the skill set to fill these roles” card.  Well, you didn’t find them in India or Pakistan either.  Furthermore, the document specifications and translation sets are written in English-based code, specifically XML.  If they can’t speak it, my guess is they couldn’t read a map or the specification sets during training either.

We are at an impasse in our organization right now when it comes to turning up a new trading partnership for Home Depot Canadian distribution centers, even though we have a signed supplier agreement, because we literally can’t find anyone in Home Depot B2B who can communicate with us in English.  Furthermore, when we engage our language translators, they still can’t grasp technical concepts well enough to even provide us proper document specifications for their domestic and international programs.  This is why Home Depot’s long-running B2B outsourcing initiative deserves a resounding FAIL.

Home Depot has millions of dollars to fix this problem and ensure faster supply chain integration.  Apparently the decision not to fix the problem is based entirely on trying not to pay U.S., Canadian or European technical specialists the wages such B2B and EDI expertise demands, opting instead for cheap, unqualified, outsourced Asian call center operatives who are at best ineffective in their roles and in many cases detrimental to vendor supply chain integration.


Google Translate poses a security risk.

There are plenty of articles detailing why it’s not safe to translate sensitive internal business documents using Google Translate.  Most of them discuss accuracy and confidentiality.  But Google Translate is also dangerous because it acts as a proxy by design, which creates a security issue: you can plug in a URL in any language, including English, and Google will fetch and display the contents of the site.  This undermines any corporate security measures put in place to keep employees away from blocked or compromised sites.  The answer is a translation service from Google or a competitor built for business.  It would allow administrative and user authentication, logging of which sites are translated, and monitoring of documents uploaded for translation.  It’s also a revenue generator for the first service to come up with such administrative translation controls.
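One way a web filter can close this gap is to unwrap the proxied URL before applying policy, so a block list written for the real site still matches. The following is an added example written for this post, not Google’s code or anything the post supplies. It assumes the two URL layouts Google Translate uses for proxied pages (translate.google.com/translate?u=<url> and <host>.translate.goog, where dots in the original host become hyphens and original hyphens become double hyphens), and the block list is a constructed sample.

```python
"""Recognise web requests that reach a site through Google Translate's proxy and
recover the real destination, so an existing URL block list still applies.
Added example (not from the post). Assumptions: the two proxy URL layouts
handled are translate.google.com/translate?u=<url> and the <host>.translate.goog
form, where dots in the original host become hyphens and original hyphens
become double hyphens; the block list is a constructed sample."""
from urllib.parse import urlsplit, urlunsplit, parse_qs, parse_qsl, urlencode

# Constructed block list for the demonstration (not a real policy).
BLOCKED_DOMAINS = {"malware.example", "gambling.example"}


def translated_target(url):
    """Return the underlying URL if `url` is a Google Translate proxy request,
    otherwise None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host == "translate.google.com" and parts.path.startswith("/translate"):
        target = parse_qs(parts.query).get("u")
        return target[0] if target else None
    suffix = ".translate.goog"
    if host.endswith(suffix):
        label = host[: -len(suffix)]
        # "www-malware-example" -> "www.malware.example"; "--" stands for a literal "-"
        original = label.replace("--", "\0").replace("-", ".").replace("\0", "-")
        # drop the proxy's own _x_tr_* parameters, keep the site's query string
        query = [(k, v) for k, v in parse_qsl(parts.query) if not k.startswith("_x_tr_")]
        return urlunsplit((parts.scheme, original, parts.path or "/", urlencode(query), ""))
    return None


def effective_domain(url):
    """Domain the policy should be applied to: the proxied target's if any."""
    target = translated_target(url) or url
    return (urlsplit(target).hostname or "").lower()


def is_blocked(url):
    """True when the request, directly or via the translate proxy, lands on a
    blocked domain or one of its subdomains."""
    host = effective_domain(url)
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


if __name__ == "__main__":
    for u in ("https://translate.google.com/translate?sl=auto&tl=en&u=https://malware.example/",
              "https://www-malware-example.translate.goog/login?_x_tr_sl=auto",
              "https://docs.example.org/"):
        print(f"{'BLOCK' if is_blocked(u) else 'allow'}  {u}  ->  {effective_domain(u)}")
```

Applied in a proxy or DNS-layer filter, the same unwrapping also gives you the real destination to log, which is the visibility the post says the current service lacks.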


Can I decrypt files encrypted by RYUK? Is it possible to decrypt .ryk files?

No.  There is no decryptor for RYUK at the time of this post.  If you need the file(s) and don’t have a backup you will need to reach out and pay the ransom for a decryption key.


Details of a ransomware attack and a way to thwart the ransom. Don’t plan to pay. Plan to recover.

Here are the basic steps in a ransomware attack and how vulnerable people and ports are used to accommodate the attacker.  Several conditions must be met.

  1. The attacker relies on stolen credentials.  The credentials are harvested by viruses delivering malware; specifically, in recent attacks, Emotet has been the delivery agent for the Trickbot trojan.  All too easy with users susceptible to social engineering.
  2. Trickbot moves laterally across systems, relying on SMB to navigate the network as it steals passwords, mail files, registry keys and more.  It communicates the stolen material back to the bad actor, the black hat.
  3. Next, Trickbot might launch the Empire PowerShell backdoor and download the Ryuk virus on the black hat’s command.  Armed with harvested credentials, the black hat is now ready to execute Ryuk and encrypt files at will.
  4. The black hat scans for any vulnerable port of entry on an external interface.

┌─[blackhat@parrot]─[~]
└──╼ $ nmap -Pn -p 8443 xxx.123.xxx.456
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-09 16:47 EDT
Nmap scan report for system.contoso.com (xxx.123.xxx.456)
Host is up (0.029s latency).
PORT     STATE SERVICE
8443/tcp open  https-alt

Once a port of entry is found, in this case a very common and vulnerable port used as a remote access interface, the black hat can use the stolen credentials to log in to the network and rely on protocols such as SMB and RDP to access and exploit systems on the network, launching Ryuk to encrypt files on select systems, typically all of them.  Azure?  Too bad, encrypted.  Active Directory-authenticated AWS?  Ouch.ryk, every file owned.  Once the damage is found you’ll need to recover.

So how can you protect systems and most importantly backups so that rapid recovery, the best response to a live attack, remains possible?

  • The obvious first step in recovery is to neutralize all exploits.  It can also be the most time consuming.  Use Windows firewalls to block all SMB traffic and stop lateral movement across systems; deploy the rules through domain-level group policy.  Open only the ports necessary to deliver anti-malware utilities to clean all machines of any sign of exploits.  Windows 7 systems remain highly vulnerable to SMB attacks without proper patching and configuration.  Update 02/07/20: Windows 7 is deprecated, insecure and should not be used.  Best to get those machines off your network regardless of how annoyed some end users are by the thought of Windows 10.
  • Always be certain backup files and database backups reside on systems that are not authenticated to the network using domain-level authentication.  Make sure they cannot be accessed using SMB or RDP at all.
  • Of extreme importance is to make sure EVERYONE, especially your domain administrators, is forced to change their login credentials routinely.  IT staff have a bad habit of being the prime offenders in exempting themselves from password changes.  Take a stand.  Everyone changes their passwords, and password complexity rules must be adhered to by every single account on the network.  Use two-factor authentication (2FA) wherever possible, especially for mailboxes and cloud accounts.
  • Make sure you have machine images that are not accessible using domain-level authentication or credentials.  If you run a VMware environment, make sure you administer vCenter only through local vSphere credential logins, not AD authentication.  This serves not only to protect your production images; more importantly, it protects your snapshots.  Hyper-V environments, God help you.  When you are solely reliant on Windows authentication to manage your virtual servers, you’re vulnerable.  I’d have to do more research on exactly how to stop propagation to all systems in a Hyper-V environment.  My first inclination would be to spend some money on VMware or a Citrix Xen hypervisor, Nutanix if you must.
  • Have snapshots.  Have recent snapshots.  If you don’t run virtual servers, at least have Windows bare metal restore backups for physical machines.  Again, these are to be written to appliances that are not connected to the network with domain-level authentication.  Snapshot and bare metal backup files should remain recent enough to take into account all hardware and operating system changes that have been implemented.
  • Close vulnerable ports on your public interfaces or at minimum move them to random port numbers.  Obvious ports like 8443 are going to get hit.
  • If you are a heavy transaction environment, you will also want to incorporate more redundancy at the database server and application server level, such as SQL database replication with incremental transaction log offloads to drive space that is, again, not domain authenticated.
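The SMB lateral movement described in step 2, and targeted by the first bullet above, leaves a simple trace in host firewall or flow logs: one source opening SMB sessions to many distinct peers in a short window, which an ordinary workstation never does. The detector below is an added example written for this post, not code from it. The log lines are constructed in the field layout of the Windows Firewall log (date, time, action, protocol, source IP, destination IP, source port, destination port) and do not come from any real system; the threshold and window are assumptions to tune for your own network.

```python
"""Flag hosts that open SMB sessions to many peers in a short window, the
lateral-movement pattern the post attributes to Trickbot. Added example, not
code from the post. The log lines are constructed in the field layout of the
Windows Firewall log (pfirewall.log): date time action protocol src-ip dst-ip
src-port dst-port; they do not come from any real system."""
from collections import defaultdict
from datetime import datetime

SMB_PORTS = {445, 139}

# Constructed sample: 10.0.1.5 touches six peers on SMB within seconds,
# 10.0.1.8 is an ordinary client talking to a file server, 10.0.1.9 is HTTPS.
SAMPLE_LOG = """\
2019-07-09 16:47:01 ALLOW TCP 10.0.1.5 10.0.1.20 49712 445
2019-07-09 16:47:02 ALLOW TCP 10.0.1.5 10.0.1.21 49713 445
2019-07-09 16:47:02 ALLOW TCP 10.0.1.5 10.0.1.22 49714 445
2019-07-09 16:47:03 ALLOW TCP 10.0.1.5 10.0.1.23 49715 445
2019-07-09 16:47:04 ALLOW TCP 10.0.1.5 10.0.1.24 49716 139
2019-07-09 16:47:05 ALLOW TCP 10.0.1.5 10.0.1.25 49717 445
2019-07-09 16:47:10 ALLOW TCP 10.0.1.8 10.0.1.2 50001 445
2019-07-09 16:47:11 ALLOW TCP 10.0.1.8 10.0.1.2 50002 445
2019-07-09 16:55:00 ALLOW TCP 10.0.1.8 10.0.1.3 50010 445
2019-07-09 16:47:12 ALLOW TCP 10.0.1.9 10.0.1.40 50100 443
"""


def parse_line(line):
    """Return (timestamp, proto, src, dst, dst_port) or None for lines we skip."""
    parts = line.split()
    if len(parts) < 8 or parts[2] != "ALLOW":
        return None
    ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    return ts, parts[3], parts[4], parts[5], int(parts[7])


def smb_fanout(log_text, threshold=5, window_seconds=60):
    """Map each source that reaches at least `threshold` distinct hosts on an
    SMB port within `window_seconds` to the sorted list of those hosts."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[1] == "TCP" and rec[4] in SMB_PORTS:
            by_src[rec[2]].append((rec[0], rec[3]))
    hits = {}
    for src, events in by_src.items():
        events.sort()  # by timestamp; lines may arrive out of order
        for i, (start, _) in enumerate(events):
            peers = {dst for ts, dst in events[i:]
                     if (ts - start).total_seconds() <= window_seconds}
            if len(peers) >= threshold:
                hits[src] = sorted(peers)
                break
    return hits


if __name__ == "__main__":
    for src, peers in smb_fanout(SAMPLE_LOG).items():
        print(f"{src} reached {len(peers)} SMB peers: {', '.join(peers)}")
```

Run against the sample, only 10.0.1.5 is reported; the file-server client 10.0.1.8 is not, unless the window is widened to ten minutes and the threshold lowered to two, which is the kind of tuning that decides how noisy the alert is. Once the firewall block in the first bullet is in place, the same logic applied to the DROP lines tells you which machines are still trying.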

Note: I did not specify anything related to archiving and compliance backups because while essential for certain industries and disaster situations they are not specific to rapid recovery in the event of any malicious disaster in which physical hardware assets are not compromised.  

Once you are able to quickly restore a virtual machine or physical system from a recent snapshot or bare metal recovery file, copies of data files and database backups can be moved into place to restore to the most current backup set.  Daily is usually the best most small to medium “enterprises” can achieve.  With added expense in resources and configuration, backups can be run more frequently.  Unfortunately even hourly database log shipping won’t save a database from an encryption attack.  As my last point emphasized, unless log files are being offloaded in hourly increments to storage appliances that are not connected with domain-level authentication, they aren’t safe.  As always, the question of investment becomes: how much can you afford to lose?

The best defense against ransomware is a good offense in the form of rapid recovery.  Since these exploits rely on social engineering (gullible people), you can never pretend your network is free of any vulnerability.  Don’t just design your backup and recovery environment in case something happens.  Make sure it’s tested for when it happens.



Classless networks are in style. It’s just basic subnetting.

In binary net masking, each octet’s bits are powers of two, from right to left:

    1    1    1    1    1    1    1    1
  128   64   32   16    8    4    2    1   (128+64+32+16+8+4+2+1 = 255)

So..

255.255.248.0 in binary is
11111111.11111111.11111000.00000000 = /21 (we’ll get to the identifier in a minute)

255-248 = 7
Therefore 255.255.248.0 – supports 7 networks per subnet
255 – 248 = 7 networks

Or

192.168.1.0/21 supports
192.168.1.0-255
through
192.168.7.0-255

The next subnet supports another 7 networks.

192.168.8.0/21
192.168.8.0-255
through
192.168.15.0-255

So where does the /21 identifier come from?

All net mask identifiers start at /32 and count down.
32 - 21 = 11 zero bits (the host portion)
Count the zeroes in the binary mask!

11111111.11111111.11111000.00000000 = /21
11111111.11111111.11110000.00000000 = /20 (32 - 20 = 12 zero bits)

What’s the full net mask for the /20 identifier above?

    1    1    1    1    1    1    1    1
  128   64   32   16    8    4    2    1   (8+4+2+1 = 15)

/20 = 255.255.240.0 because 255 - 15 = 240

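The same mask arithmetic carried out from the bit pattern, as an added example that is not the post’s own code and uses only Python’s standard-library ipaddress module: it converts between dotted masks, binary masks and the /N identifier, and reports the boundaries of the block an address falls in. Note that 192.168.1.0/21 sits inside the block 192.168.0.0/21 (the host bits of the address are cleared), so the code reports that block: 2048 addresses, or eight /24 networks from 192.168.0.0 through 192.168.7.255, with the count coming from 2 to the power of the host bits rather than from subtracting octets.

```python
"""Subnet arithmetic for the masks used above, done from the bit pattern rather
than by subtracting octets. Added example (not the post's own code); uses only
Python's standard-library ipaddress module."""
import ipaddress


def mask_to_binary(mask):
    """'255.255.248.0' -> '11111111.11111111.11111000.00000000'"""
    return ".".join(f"{int(octet):08b}" for octet in mask.split("."))


def mask_to_prefix(mask):
    """The /N identifier is the number of one bits: '255.255.248.0' -> 21."""
    return mask_to_binary(mask).count("1")


def prefix_to_mask(prefix):
    """21 -> '255.255.248.0'; the top `prefix` bits of the 32-bit mask are set."""
    value = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def describe(cidr):
    """Boundaries of the block a CIDR belongs to. strict=False clears the host
    bits, so 192.168.1.0/21 is reported as its containing block 192.168.0.0/21."""
    net = ipaddress.ip_network(cidr, strict=False)
    host_bits = net.max_prefixlen - net.prefixlen
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "netmask": str(net.netmask),
        "host_bits": host_bits,
        "addresses": 2 ** host_bits,
        "class_c_blocks": 2 ** host_bits // 256,   # how many /24s the block spans
        "next_block": str(net.broadcast_address + 1),
    }


if __name__ == "__main__":
    for mask in ("255.255.248.0", "255.255.240.0"):
        print(f"{mask} = {mask_to_binary(mask)} = /{mask_to_prefix(mask)}")
    for cidr in ("192.168.1.0/21", "192.168.8.0/21"):
        print(cidr, describe(cidr))
```

The `next_block` field is the address right after the broadcast, which is where the following /21 starts (192.168.8.0 after the first block), matching the sequence the post lays out.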


Billing customers for internal project management is a bad idea.

There’s a new phenomenon in the service invoice category. Imagine this: your company scores an account set for major growth. It could go from being a $10k account to $150k within a year. When scheduling your internal resources to work on this account and scheduling meetings or conference calls with the client, you employ a “Project Manager”. Then you bill the customer for this “Project Manager’s” time.

Sounds fantastic until the customer gets the invoice. Four hours @ $120+ per hour for “Project Management”??? Okay, where’s the project control document, the Gantt chart? Where is any deliverable at all? Where is there any value added to the customer whatsoever for the hours you billed them to cover the cost of an internal resource scheduler? This is exactly what NWN Corporation tried to pass off to me over the last couple of weeks as billable work. I told them I would not pay another dime towards the salary of their internal project or resource planners. In fact there seems to be some confusion within some service providers these days as to what the title Project Manager means.

Yep, part of project management is resource scheduling. But unless you are scheduling THE CUSTOMER’S RESOURCES you are providing precisely ZERO billable services to the customer. You are doing nothing but charging your Project Manager’s salary back to the customer. Put it in a scenario: I own a security component installation company. Imagine I win a contract to install 100 security cameras. Then imagine that I employ a Project Manager to come up with an INTERNAL project plan and schedule techs for the field. Now imagine I present that person’s work as a line item on a bill to the client. WHAT? Why should any customer be forced to pay for someone to create our internal project control documentation and schedule when our techs will be on the job? Absurd. Next up, we will bill by the hour for the work our HR reps do in hiring the staff to do the work. Why not just go all the way and put in a line item for the Receivables Manager’s time to prepare the invoice? How about the janitor? I mean, technicians have to pee, right? Might as well bill back for toilet cleaning as a line item.

How about learning the difference between internal project management and genuine project management services for the customer? Nobody owes you a dime for the cost you incur scheduling your staff or for a non-technical person to listen in on conference calls.


LinkedIn is a security threat.

Scammers, spammers and phishers all have a solid source of information they can call upon to find out who holds what position in a company. LinkedIn provides a reliable, updated corporate hierarchy from which they can find the names of principals and management, so they can forge emails in their names for delivery to accounting and payables staff, whose names and contacts they find where else? LinkedIn.

How do they know the email address to send the message to, even if they know the accounting representative’s name? There’s a good chance your corporate email address is firstname.lastname@company.com or tsingleton@company.com. It’s not hard to guess the syntax in companies that don’t use obscurity for security in their email address format. So the information on LinkedIn is almost like free LexisNexis for those with ill intent.


Google doesn’t convert Digital Storage correctly.

I clicked on “More info”… “Aaron is a Search expert and author of this help page”.

Well, Aaron might want to let someone in a nearby nap pod know that there are 1024 bits in a Megabyte.  For about a year, when I go to do a quick digital conversion using a standard Google search, the answer comes back wrong.

The correct answer is of course 102400 MB in 100 GB.  I’m a little embarrassed for them.  Wait, should I be double-checking how much Gmail storage I have left?

Here’s the more in-depth explanation: https://www.convertunits.com/from/100+GB/to/MB

“1 byte is equal to 9.3132257461548E-10 GB, or 9.5367431640625E-7 MB”.



More evidence of costly, ineffective EDI Document testing by SPS Commerce

Here’s another email between an EDI analyst and a map developer regarding an SPS customer’s documents, after that customer chose to let SPS hijack their customer base for an ineffective testing ransom.  Will it ever stop?  Will the incompetence and gouging ever be outed?

Hi Margarita,

We’re still trying to sort out the issues we’re having with these ALL*** invoices since switching to their new connection.

We received the below communication from them advising that the required freight charges are not showing on the 810 and that these should come through the SAC loop. The specs for this are attached for your reference.

I’m not sure why this is happening, as I copied the tested TP kit when switching to their new EDI connection. So everything that was tested and confirmed as passed should match. I’m beginning to think SPSCommerce did a poor job with handling ALL***’s document testing because when I look back to TEST invoices, none of them included this SAC segment. Therefore it should have failed during the testing period.

Reminder: We do not receive POs via EDI for this TP.

TDOC Name: ALL_810_4010X_TRIM2

Example of 810 (All Pro New)

ISA*00*          *00*          *01*044381234      *ZZ*ALLPROCORP     *180105*1008*U*00401*000000036*0*P*>
GS*IN*044381234*ALLPROCORP*20180105*1008*70*X*004010
ST*810*000000005
BIG*20171229*INV0670665*20171228*366884***DI
REF*SW*SOD0141885
N1*SE*Trimaco, LLC*92*7950
N1*BY*Miller Paint Co. – AllPro*92*5240
N4*Puyallup*WA*98373-2414**SN*0195
N1*ST*Miller Paint Co. – AllPro
N3*14207 Meridian E*Bldg C
N4*Puyallup*WA*98373-2414
ITD*01**2*20180128***0*****2% EOM/Net 15th
DTM*011*20171231
IT1**64*EA*8.85**MG*84075*BP*84075
CTP***8.85
PID*F****One Tuff Wiping Cloth  75/box 8bx/cs
TDS*69647
CTT*1
SE*17*000000005

Thank you,

Desireé ******* | Systems Analyst – EDI | *******, LLC
D: ***.***.***
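The defect the analyst describes, freight charges that never reach the 810 because no SAC loop is produced, is something a map developer can catch mechanically before a trading partner does. The following is an added example written for this post, not the analyst’s, SPS’s or any vendor’s code: a minimal X12 segment parser and a check that reports a missing SAC charge segment, an SE01 count that disagrees with the segments present, and a TDS total that the line items and charges do not explain. SAMPLE_810 is the invoice quoted in the email, with segments separated by newlines as they appear on the page; FIXED_810 is a constructed variant with a freight SAC added (D240 is the X12 code for Freight) in an amount chosen so that the totals reconcile.

```python
"""Minimal X12 segment parser plus the check the email says testing should have
caught: an 810 that carries no SAC charge segment while its TDS total exceeds
the sum of its line items. Added example, not the analyst's, SPS's or any
vendor's code. SAMPLE_810 is the invoice quoted above with newline-separated
segments as it appears on the page; FIXED_810 is a constructed variant with
the freight charge added (SAC02 D240 = Freight in the X12 code list; the amount
13007, i.e. 130.07, is chosen to make the totals balance)."""
from decimal import Decimal

SAMPLE_810 = """\
ISA*00*          *00*          *01*044381234      *ZZ*ALLPROCORP     *180105*1008*U*00401*000000036*0*P*>
GS*IN*044381234*ALLPROCORP*20180105*1008*70*X*004010
ST*810*000000005
BIG*20171229*INV0670665*20171228*366884***DI
REF*SW*SOD0141885
N1*SE*Trimaco, LLC*92*7950
N1*BY*Miller Paint Co. – AllPro*92*5240
N4*Puyallup*WA*98373-2414**SN*0195
N1*ST*Miller Paint Co. – AllPro
N3*14207 Meridian E*Bldg C
N4*Puyallup*WA*98373-2414
ITD*01**2*20180128***0*****2% EOM/Net 15th
DTM*011*20171231
IT1**64*EA*8.85**MG*84075*BP*84075
CTP***8.85
PID*F****One Tuff Wiping Cloth  75/box 8bx/cs
TDS*69647
CTT*1
SE*17*000000005
"""

# Constructed: the same invoice with the freight charge present and SE01 bumped.
FIXED_810 = SAMPLE_810.replace("TDS*69647", "SAC*C*D240***13007\nTDS*69647").replace("SE*17*", "SE*18*")


def parse_x12(text, element_sep="*", segment_term="\n"):
    """Split an interchange into (tag, [elements]) pairs. Elements are 1-based
    in the X12 specs, so SAC05 is elements[4]."""
    segments = []
    for raw in text.split(segment_term):
        raw = raw.rstrip("\r")
        if raw:
            tag, *elements = raw.split(element_sep)
            segments.append((tag, elements))
    return segments


def transaction_sets(segments):
    """Yield (control number, [segments from ST through SE]) for each set."""
    current = None
    for tag, elements in segments:
        if tag == "ST":
            current = [(tag, elements)]
        elif current is not None:
            current.append((tag, elements))
            if tag == "SE":
                yield elements[1], current
                current = None


def invoice_totals(ts):
    """(sum of IT1 qty*price, sum of SAC charges, TDS total). SAC05 and TDS01
    carry two implied decimals."""
    lines = sum((Decimal(e[1]) * Decimal(e[3]) for t, e in ts if t == "IT1"), Decimal(0))
    charges = sum((Decimal(e[4]) / 100 for t, e in ts if t == "SAC" and e and e[0] == "C"), Decimal(0))
    total = next(Decimal(e[0]) / 100 for t, e in ts if t == "TDS")
    return lines, charges, total


def check_810(segments):
    """Findings per 810 transaction set: segment-count mismatch, missing SAC
    charge, and totals that do not reconcile. Empty list means clean."""
    findings = []
    for ctrl, ts in transaction_sets(segments):
        if ts[0][1][0] != "810":
            continue
        declared = int(ts[-1][1][0])
        if declared != len(ts):
            findings.append(f"{ctrl}: SE01 declares {declared} segments, found {len(ts)}")
        if not any(t == "SAC" and e and e[0] == "C" for t, e in ts):
            findings.append(f"{ctrl}: no SAC charge segment, so freight cannot appear on this 810")
        lines, charges, total = invoice_totals(ts)
        if total != lines + charges:
            findings.append(f"{ctrl}: TDS {total} != line items {lines} + charges {charges} (gap {total - lines - charges})")
    return findings


if __name__ == "__main__":
    for name, doc in (("as sent", SAMPLE_810), ("with freight SAC", FIXED_810)):
        print(name, "->", check_810(parse_x12(doc)) or ["clean"])
```

On the invoice as sent the check reports both the absent SAC and a 130.07 gap between the TDS total and the single line item, which is exactly the sort of discrepancy a test cycle is supposed to surface; on the constructed variant with the freight SAC present it reports nothing. Real interchanges usually use `~` as the segment terminator, which is why the parser takes it as a parameter.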


Why “Geo-targeted” social media advertising will not work for most small firms.

Has your business been offered the opportunity to run “geo-targeted” social media ads by a small, local digital marketing firm?  This is a simple enough concept in printed media: run an ad in a publication exclusive to Atlanta, GA and an audience in that area sees it.  It is quite a bit different when it comes to social media, and its track record for small businesses is abysmal.  It’s a matter of those pushing the product, smaller social media digital marketing firms, not understanding the underlying technology and its limitations.

Digital geo-marketing relies primarily on data collected by a couple of firms in an attempt to obtain legitimacy.  MaxMind and Digital Envoy TRY to collect geo-location data using ping responses.  Ya, if you’re a network admin go ahead and laugh.  Ping data.  “Pinging” IP addresses is a technology older than the World Wide Web.  It’s a command used to identify latency times between computers and network appliances.  On wired and private networks these ping response times measuring latency are pretty reliable.  On public networks, and more specifically mobile networks, ping latency is far less reliable when it comes to pinpointing IP address locations.  It’s literally a guessing game, full of too many assumptions to list.  Even the geo-location companies admit it’s “a bit like solving a mystery”.

Geo-location companies do not know with any precision where an ISP is delivering an address, certainly not with any accuracy down to 30km or less, just over 20 miles.  Most often that level of accuracy cannot be achieved.  So the smaller the area you want to target your advertising to, the less likely it is that any marketing will reach that designated audience.  If you want to advertise in the entire state of GA exclusively, you might get the results you’re looking for.  Maybe.  Assuming none of the internet service providers re-address or redesign their network in a broad area.

There are other limiting factors in using IPv4 internet addresses to try to identify audience locations.  Many ISPs, especially those in Asia and Europe, are switching to IPv6 public network addresses, abandoning IPv4 entirely, the address model used by these geo-data aggregation firms.  Spectrum Communications is doing this in the US now.  This is not information digital media marketing firms want you to know.  The geo-targeted marketing they are trying to sell is an inaccurate science, relying on assumed information and technology that is becoming more irrelevant every day.

All that said, geo-targeted marketing is possible and is currently working for several large enterprise organizations.  I say “enterprise” because I am referring to Google, Yahoo, Facebook and other organizations which have millions to spend on entire departments to make sense out of network addresses and their delivered locations using ping triangulation, a sophisticated and manual process.  For example, Google uses cars in every major metropolitan city in the world to triangulate and confirm IP addresses and subnets delivered by local ISPs to subscribers.  They do not provide this collected information to third parties, not even for a price.  Google will target your ad geographically for you at their rates.

So unless your local digital media marketing firm has a few cars checking IP addresses on a daily basis in every market you may wish to advertise in, it’s likely they are working off bad and inaccurate data.  Of course they won’t tell you this, which is why my opinion is that most, but not all, digital marketing firms should be relegated to the same receptacle as the stale and now irrelevant firms still pushing search optimization, SEO: the trash bin.
