The Amazon A-Z guarantee. Not what it seems..

This post is a slight departure from my usual content, but I am a long-term Amazon customer who has recently lost a reasonable sum of money due to an unscrupulous marketplace seller and Amazon’s misleading A-Z guarantee.  Given what we have lost, and the fact that many people likely use the Amazon marketplace believing they have protection from Amazon, it is worth noting that, based on this experience, when things go wrong that ‘guaranteed’ protection may turn out to be worthless.

I’ll start with a quote from the A-Z ‘safe buying guarantee’ on the Amazon UK site;

What is covered under the A-to-z Guarantee?

  1. The buyer didn’t receive the item they ordered.

The very first item on the list states you are covered if you do not receive the item you ordered.

So now we are clear on the Guarantee, onto the tale of woe..

We ordered some furniture from a company called Decorious based out of this address;

Decorious Ltd
Unit 24
Business Innovation Centre
Sunderland
SR52TA

After a period of a couple of weeks when we had not received anything we contacted the seller, and were told the item had been delivered.  We obviously challenged this and received a response that the courier had said it was delivered, on a Monday at about 3.30pm.  We explained that it could not have been delivered to us as there were only two people living at our property both of whom were out at work at this time.

The courier then confirmed that the goods were indeed delivered to someone other than us and a different address, but that they didn’t seem to know where this was!

At this point we thought that would be fine, as UK trading standards clearly states that the seller of a posted item is responsible for ensuring it is delivered to the purchaser.  So we asked Decorious to resolve the issue and resend or locate our goods.  They stated they would investigate with the courier and come back to us.  Several chasing emails later they then changed their tune and started sending generic ‘please use this tracking number, apologies for any inconvenience caused’ emails.  No matter what we sent or what we asked we just got the same response from a lovely lady called ‘Kelly’.

At this point, while somewhat annoyed at realising Decorious and their employee Kelly were a less than honest company relying on the fact that we wouldn’t take further legal action as it would be so time consuming, we were not too worried.  Assuming from past experience that Amazon were generally decent and resolved delivery issues, we contacted them to ask for the A-Z Delivery Guarantee to be invoked.  We explained the situation to them: how we were not in at the time of delivery, Decorious’ admission that we didn’t have the goods, then their change of mind etc., all of which is on record in the Amazon email system.

Amazon customer service duly went and ‘investigated’, then came back and said there was nothing they could do, so we asked why, and how the guarantee was satisfied when the goods were not received.  Further unhelpful standard responses followed.

Amazon doesn’t make it easy to escalate issues so I searched online and discovered some options;

buyer-guarantee@amazon.co.uk

Managingdirector@amazon.co.uk

cnorth@amazon.co.uk

Now I’m under no illusion that Mr North, the current MD of Amazon UK would actually respond to these emails, but we did get Anthony Bennis from ‘executive customer relations’ responding on his behalf.  Anthony said he would investigate, and surprisingly came back with the same helpful advice – there was nothing they could do and perhaps we could try trading standards.

So I asked him to explain what investigations they had carried out; this was not answered.  I then asked him to explain how the A-Z Guarantee of delivery had been fulfilled; this was also not answered.  I then asked him to state clearly that the guarantee had been fulfilled despite us having been out at the time of delivery and the courier admitting they didn’t know where the goods went – again, not answered.

All we got was generic responses then ‘sorry we won’t talk to you about this issue any further’.

So the moral of the story is that the Amazon A-Z guarantee is frankly not worth the HTML it’s written in, and buyer beware.  The marketplace is no worse than buying from anywhere else, but don’t be fooled that Amazon provides you any real protection should you face issues.

As for Amazon, Anthony Bennis, or Christopher North (as you allow people to speak for you), I ask you publicly to explain how your supposed guarantee was satisfied in this situation.

Finally as for Decorious just don’t use them, there are many furniture sellers, most of whom are decent and honest, Decorious are not.

Normal service will be resumed with my next post.

K

Computing Summit – Enterprise Security and Risk Management 2014 part 2

Protecting against phishing and social engineering techniques – Neil Thacker – Websense

90% of all attacks begin with email – phishing / spear phishing.  Spear phishing is the most common vector into companies.

Success = Talent + Luck.

In spear phishing – Talent = making the email seem as real as possible.  Luck = someone clicking on it and the malware or similar running / user clicks link.

Take away points;

People and Process;

–          Limit the information you share about yourself online

–          Verify all messages with links and attachments

–          “Catch of the day” gamification program

Technology;

–          Link email and web events in real-time

–          Real-time user education at point-of-click

–          Measure and phish at risk employees… with permission
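As an added example (my own code, not anything Websense showed in the talk), here is what “link email and web events in real time” and “measure at-risk employees” look like when reduced to a few dozen lines.  It correlates a mail-gateway log (who was sent which link) with a web-proxy log (who then fetched that site) so that each fetch can be attributed to the message that delivered the link, and then ranks users by how many emailed links to untrusted sites they followed.  The log formats, hostnames, users and `trusted_domains` list are all constructed for the example:

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample logs in a hypothetical "timestamp key=value ..." format.
# They are not the output of any real mail gateway or proxy.
EMAIL_LOG = """\
2014-03-10T09:01:12 recipient=alice@example.com msgid=m1 url=http://invoice-update.example.net/login
2014-03-10T09:02:40 recipient=bob@example.com msgid=m2 url=http://invoice-update.example.net/login
2014-03-10T09:05:03 recipient=carol@example.com msgid=m3 url=http://intranet.example.com/news
"""

PROXY_LOG = """\
2014-03-10T09:03:55 user=alice@example.com url=http://invoice-update.example.net/login status=200
2014-03-10T09:04:10 user=alice@example.com url=http://invoice-update.example.net/static/app.js status=200
2014-03-10T09:06:00 user=carol@example.com url=http://intranet.example.com/news status=200
2014-03-10T11:30:00 user=bob@example.com url=http://invoice-update.example.net/login status=200
2014-03-10T11:31:00 user=dave@example.com url=http://invoice-update.example.net/login status=200
"""


def parse_log(text):
    """Parse lines of 'timestamp key=value ...' into dicts; 'ts' becomes a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")}
        for pair in pairs:
            key, _, value = pair.partition("=")
            rec[key] = value
        events.append(rec)
    return events


def site(url):
    """Scheme and host of a URL; path differences (login page vs. its assets) are ignored."""
    parts = urlsplit(url)
    return parts.scheme.lower(), parts.netloc.lower()


def correlate(email_events, proxy_events, window=timedelta(hours=24)):
    """Pair each proxy fetch with the most recent message that delivered a link to the
    same site to the same user within `window`. Each pair is one 'click' on an emailed link."""
    by_user = defaultdict(list)
    for e in email_events:
        by_user[e["recipient"]].append(e)

    clicks = []
    for p in proxy_events:
        candidates = [
            e for e in by_user.get(p["user"], [])
            if site(e["url"]) == site(p["url"]) and e["ts"] <= p["ts"] <= e["ts"] + window
        ]
        if not candidates:
            continue  # fetch not preceded by an email carrying that site: not an email click
        e = max(candidates, key=lambda ev: ev["ts"])
        clicks.append({
            "user": p["user"],
            "msgid": e["msgid"],
            "url": p["url"],
            "delay_s": int((p["ts"] - e["ts"]).total_seconds()),
        })
    return clicks


def at_risk_users(clicks, trusted_domains):
    """Count clicks on emailed links to hosts outside the trusted domains, most clicks first.
    These are the users to prioritise for training and (with permission) simulated phishing."""
    counts = defaultdict(int)
    for c in clicks:
        host = site(c["url"])[1]
        if not any(host == d or host.endswith("." + d) for d in trusted_domains):
            counts[c["user"]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    clicks = correlate(parse_log(EMAIL_LOG), parse_log(PROXY_LOG))
    for c in clicks:
        print(f"{c['user']} opened link from {c['msgid']} after {c['delay_s']}s: {c['url']}")
    print("at risk:", at_risk_users(clicks, ["example.com"]))
```

Two design points worth noting: dave’s fetch of the phishing site is ignored because no message delivered that link to him (the correlation is what turns a proxy hit into a “user clicked a phishing link” event), and the `window` parameter is what makes this “real time” rather than batch – a one-hour window drops bob’s click two and a half hours after the message arrived, which is exactly the kind of trade-off to decide before deploying it.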

 

Useful link for people to see if a link they have been sent may be malicious; http://csi.websense.com

 

Securing Mobile – The new enterprise desktop

Presentation by Entrust

Mobile and traditional ‘desktop’ worlds are colliding.

People have multiple identities across devices and systems, both personal and work.

Huge numbers of people using personal, BYOD, devices to access corporate systems.

Growing mobile and ‘always on’ workforce.

–          Sensitive information now travels outside of the office to the home, car, gym, anywhere

One breach leads to..

–          A successful attack on one identity has the potential to open the door to all other identities; social engineering, same or similar passwords used etc.

Mobile – A unique blend of security and usability;

–          Mobile devices have powerful features built in that organisations can leverage

o   Application sandbox

o   Crypto

o   Biometrics

o   Secure elements

–          Users want to carry them – always in hand, always connected, convenient, support work / personal balance

–          The good – Applications signed and vetted, applications sandboxed, GPS, Bluetooth, biometrics and cryptography

–          The bad – Malware in apps, apps can view other data such as SMS etc, jailbroken devices, insecure logons (e.g. simple pins, finger print smudges, weak biometrics etc.)

 

Mobile Smart Credential Concept (Entrust product) – phone used for physical and logical access – Physical access to building, logical access to systems, digital signatures, encryption, cloud, vpn, out of band alerts to confirm transactions.

Mobile – a catalyst for change.

Talk was pretty much a product sales pitch, but a few interesting points.

 

Redefining Network Security: Detecting and preventing Advanced Persistent Threats

Presentation by Palo Alto

Another one starting with the attack kill chain;

–          Breach perimeter

o   Initial compromise

–          Deliver Malware

o   Deliver malware and communicate with attacker

–          Endpoint operations

o   Move laterally and infect additional hosts

–          Exfiltrate data

o   Steal intellectual property

Prevent attacks by stopping one step in the kill-chain.

Attackers disguise attacks in other traffic – specially crafted UDP packets, DNS, HTTPS, Skype traffic (e.g. customised encryption, port hopping etc.).  There are many ways to hide and exfiltrate data; it’s not always obvious, or obviously malicious, traffic.  We focus heavily on web / email / known bad traffic, but are we looking in the right places? Are we missing data leaving via less obvious or assumed-OK channels?
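To make the “assumed-OK channel” point concrete, here is an added example of my own (not from the Palo Alto talk) showing both sides of DNS exfiltration: the attacker side hex-encodes a file into query names under a domain they control, and the defender side scores a resolver log for clients sending many unique, long, high-entropy subdomains to one domain.  The domain `t.exfil-demo.invalid`, the log format (`ts client qname qtype`), the payload and the thresholds are all constructed for the example; real detection would also use the Public Suffix List rather than “last two labels” to find the registered domain:

```python
import binascii
import math
from collections import defaultdict

# Hypothetical attacker-controlled domain; .invalid is reserved and never resolves.
EXFIL_DOMAIN = "t.exfil-demo.invalid"

# Constructed payload standing in for a stolen file.
SECRET = b"customer_db_dump:" + bytes(range(256))


def encode_as_queries(data, domain=EXFIL_DOMAIN, chunk=30):
    """Attacker side: hex-encode data and split it into DNS query names.
    Each name is <chunk index>.<up to 60 hex chars>.<domain>; 60 stays under the 63-octet label limit."""
    hexed = binascii.hexlify(data).decode()
    width = chunk * 2
    return [f"{i:04x}.{hexed[j:j + width]}.{domain}"
            for i, j in enumerate(range(0, len(hexed), width))]


def decode_queries(qnames, domain=EXFIL_DOMAIN):
    """Attacker side: reassemble the data from names seen at the authoritative server."""
    parts = {}
    for q in qnames:
        if not q.endswith("." + domain):
            continue
        idx, payload = q[: -len(domain) - 1].split(".")
        parts[int(idx, 16)] = payload
    return binascii.unhexlify("".join(parts[i] for i in sorted(parts)))


def shannon_entropy(s):
    """Bits of entropy per character of s (max 4.0 for hex, 6.0 for base64)."""
    n = len(s)
    if n == 0:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_dns_exfil(log_lines, min_queries=8, min_label_len=20, min_entropy=3.0):
    """Defender side: flag (client, domain) pairs that send many unique, long, high-entropy
    subdomains. Log lines are 'ts client qname qtype' (constructed format)."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "long": 0, "entropy": 0.0})
    for line in log_lines:
        _ts, client, qname, _qtype = line.split()
        labels = qname.rstrip(".").split(".")
        domain = ".".join(labels[-2:])  # simplistic; real code would consult the Public Suffix List
        sub_labels = labels[:-2]
        st = stats[(client, domain)]
        st["queries"] += 1
        st["subdomains"].add(".".join(sub_labels))
        longest = max(sub_labels, key=len, default="")
        if len(longest) >= min_label_len:  # only long labels can carry meaningful payload
            st["long"] += 1
            st["entropy"] += shannon_entropy(longest)

    findings = []
    for (client, domain), st in sorted(stats.items()):
        if st["long"] < min_queries:
            continue
        avg_entropy = st["entropy"] / st["long"]
        unique_ratio = len(st["subdomains"]) / st["queries"]
        if avg_entropy >= min_entropy and unique_ratio > 0.9:
            findings.append({"client": client, "domain": domain, "queries": st["queries"],
                             "long_label_queries": st["long"], "avg_label_entropy": round(avg_entropy, 2)})
    return findings


def build_sample_log():
    """Constructed resolver log: 20 benign lookups from one host, then one host exfiltrating SECRET."""
    lines = []
    t = 1394441400
    benign = ["www.example.com", "mail.example.com", "cdn-a1.example.com",
              "cdn-b2.example.com", "login.example.com"]
    for i in range(20):
        lines.append(f"{t + i} 10.0.0.5 {benign[i % len(benign)]} A")
    lines.append(f"{t + 25} 10.0.0.7 www.example.com A")
    for i, q in enumerate(encode_as_queries(SECRET)):
        lines.append(f"{t + 30 + i} 10.0.0.7 {q} TXT")
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    for finding in find_dns_exfil(log):
        print(finding)
```

The three features together matter: CDN-style hostnames give a high unique-subdomain ratio but short labels, and long-but-readable labels give low entropy, so neither alone is a good signal.  The remaining blind spot is an attacker who lowers the rate below `min_queries` per window, which is why this belongs alongside volume-over-time baselining rather than replacing it.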

Requirements – Detect and Prevent

Detect unknown threats, prevent all known

–          Automatically detect unknown threats and make them known.  Prevent all known threats – they are known after all, so there should be little excuse for missing these!

Prevent across all networks – provide consistent security across the environment

–          Prevents threats at; internet edge, data centre edge, between VMs in the DC, between mobile devices and core systems etc.

Closed-loop protections

–          Closed feedback loop creates shared protections for all systems in your environment, and ideally all customers via sharing in the cloud.

Talk became a product overview of the Palo Alto solution, but the above points are I think relevant generally.

 

ISF Congress Post 5: Expect the worst; Operational risk quantification process

Expect the worst case;

Approach for quantifying operational risks – special focus on cyber security risks

Presentation by Hanno Lenz for the ERGO Insurance group

ERGO splits risk management into three categories / lines of defence;

  • Risk Taker (Owner) – Business line
  • Risk Controller – Risk Management
  • Independent Assurance – Internal Audit

 

This is then further split into lines of business and risk categories (strategic risks, market and credit risks, operational risks, liquidity risks, reputational risks).

This presentation had some excellent graphics highlighting their risk process: how they move from threats to risks, how to assess the probability and impacts, and then the actual risk.  This process is outlined below.

 

They created this Security and Continuity Risk management model;

[Image: Security and Continuity Risk management model]

This model for working through from threats to the actual risks;

[Image: model for working through from threats to risks]

The process they follow from threat to actual business risk and impact is outlined in the diagrams below.

Assessing the Probability of the threat occurring;

[Image: assessing the probability of the threat occurring]

Assessing the Impact should the risk occur;

[Image: assessing the impact should the risk occur]

And finally, working out the actual risk by combining the probability with the impact;

[Image: combining probability and impact to obtain the actual risk]

 

I think this provides a very good, easy to understand overview of a relatively simple and workable risk assessment process.

Remember, in order to make any risk assessment process a success, and for the results to be worthwhile, you need to ensure the input data is as accurate as possible, and also that the analysis is performed by people with the relevant expertise.

For the inputs, ensure you consult with the business streams and have an in-depth understanding of the organisation, its IT structure, where the data and applications are, the number of employees, office locations etc.  Also ensure you have engaged with the BCM teams to understand recovery requirements and plans, recovery costs, degree of outsourcing etc.

For the outputs, as well as the IT security and BCM teams, ensure you have the right experts for creating realistic examples, creating actual security situations, estimating the costs of the risk should it occur, and also experts in mathematical modelling so that the results are modelled correctly and not just estimates.

K

ISF congress post 3: The state of Quantum computing…

The state of Quantum computing…

… And the future of InfoSec

Presentation by Konstantinos Karagiannis from NT and Juniper Networks

 

Enough Quantum Mechanics to get by;

  • Richard Feynman “I think I can safely say that no one understands quantum physics”
  • Unlike macro objects, quantum ones exhibit weird behaviours that make amazing things possible
  • Max Planck proposed electromagnetic energy only emitted in discrete bundles or “quanta”: E=hf
  • Planck’s constant (h) and derivatives (Planck units) may prove important in future information theory (one ‘bit’ of information = one Planck unit)
  • Light – made of waves (Thomas Young) made of photons, not waves (Einstein), Geoffrey Ingram Taylor – wave interference patterns even with one photon at a time – Particle wave duality!
  • Superposition – if you observe the light, the superposition is destroyed and it appears to work as you would expect.
  • This concept of decoherence is key to QC.
  • Entanglement – the key “mystery” of QM, and important for QC.
    • Created by a quantum event, entangled particles share a quality in superposition such as spin up or down.
    • If you observe the spin of one particle, the spin of the other is immediately known even if it is the other side of the galaxy.
    • No this doesn’t break the cosmic speed of light as it is effectively just random information.
    • This does have real applications in QC and quantum cryptography
  • QCs must maintain coherence / superposition in hundreds of particles e.g. via
    • Quantum optics
    • single atom silicon
    • Large artificial qubits
    • NMR

 

Qubits and how a quantum computer (QC) will impact some areas;

  • Qubit
    • can be zero, one, or a superposition of both (with probabilities of each)
    • To over simplify: Qubits can perform certain functions with a percentage of effort of a classical computer
  • Public Key crypto, e.g. RSA;
    • Relies on classical computer’s difficulty in cracking certain mathematical functions
    • QC – Shor’s Algorithm – a QC can easily reveal the prime factors of large numbers (e.g. an RSA modulus).
      • Shor’s algorithm puts qubits through mathematical paces where likely answers interfere constructively, unlikely ones destructively.
      • Classical computers can’t do this in a timely manner.
    • Imagine the impact of being the first country with PKI-slicing capabilities!!
  • Grover’s Algorithm;
    • For searching databases / data;
    • Traditional DB – N/2 searches for N entries
    • QC Root of N searches for N entries..

Scanning with Quantum AI

  • Vulnerability scanners need to run and compare results quickly – Grover’s algorithm
  • Quantum algorithms may advance artificial intelligence – more useful for scanning web apps than networks
  • Traditional top-down AI approach fails – bottom-up may be easier to do with Quantum parallelism

Quantum networking

  • Routing quantum data is tricky – when you observe the qubit, you destroy the data
    • create photon pair – one to observe, one to route

Quantum Teleportation

  • Entanglement allow for teleportation of quantum state – look up ‘Alice and Bob’ quantum entanglement example.
  • Teleport state of algorithms for distributed computing

 

Where are we now?

D-Wave claim to have a 512-qubit QC (with 439 operational qubits); there is currently some scepticism around this.

  • Google and NASA have teamed up on acquiring a D-Wave second generation machine (512-qubit)
  • Created the Quantum Artificial Intelligence Lab
  • University of Waterloo has an advanced QC department
  • Lockheed Martin also using and developing a D-Wave QC

 

Moore’s Law;

  • QCs are not better than classical computers at everything
  • QCs still inevitable – we are getting to the single-particle level on transistors
  • No more miniaturisation possible to keep Moore’s Law going

 

Staying relevant – Encryption;

  • Shor’s algorithm only proven to work on PK, Grover’s may help with
  • Toshiba developing quantum network with polarised photons, these provide encrypted, tamper evident networks.
  • We must stay relevant, new world of research and development coming – everything from the basics to security tool programming
  • Threat modelling
    • If AI improves scanning, hackers will have much better ways of finding application flaws

Closing thought;

  • Feynman’s first proposed QC was a universal quantum simulator
  • Seth Lloyd showed a QC can perfectly simulate any quantum system in the universe
  • Turns out the universe is a giant, 13.7-billion-year-old quantum computer
  • What will we be hacking one day?

This was a very thought-provoking and fast-paced talk.  The above notes are very high level, but cover the main points of the talk and can be used to aid searches for more in-depth reading.  This presentation really highlighted to me that I need to read up more on this stuff.

We are not there yet, but Quantum Computers are coming and they will have huge ramifications for pretty much all areas of computing.  From a security standpoint, we will likely need a full overhaul of cryptography and threat modelling, along with application and system vulnerability scanning.  Of course not forgetting a whole new class of computers and networks to understand and secure!

Interesting times ahead, and I highly recommend further reading on this topic.

K

 

ISF congress post 2: Communicating information security value to the business

Communicating information security value to the business using words and pictures.

Presentation by Steve Jump from Telkom SA SOC ltd.

I have high hopes for the usefulness of this talk as we all seem great at explaining and discussing security issues with other security and technical people, but fairly terrible at getting the board and other business people to understand the issues and importance of remediating them!

 

Highlighted at the start that this is a work in progress, but already proving useful.

If you are trying to obtain budget for upcoming initiatives  you need to get the board on board and ensure they understand the risks from a business standpoint.

  • Why business gets turned off by security
    • Too much shouting about risks, creating policies and standards, more talking about risks – who is looking at your data (criminals, governments, hacktivists), where is your data, more standards and policies
  • What the business actually wants (and needs) to talk about
    • What do these threats mean to my business?
    • Why should I worry?
    • How does this affect the bottom line?
    • What happens if I ignore you? (e.g. is the cost of doing nothing lower than the cost of fixing the issue?)
    • Can you put a value on that?
    • If I do ignore you, will anyone notice?
  • It’s all in the words we use;
    • Business Impact Taxonomy!

 

Regulatory

  • Non compliance to legislation, risk of fines, prosecution etc.

Fraud

  • Illegal access to information leading to fraud, Identity theft, mis-representation, corrupt practices, banking and card fraud etc.

Theft

  • Theft of information or revenue, direct theft of assets

Service Availability

  • Service denial or interference

Business Agility

  • Prevention of business growth and reduced opportunity for profit due to reduced agility of systems and increased need to deliver custom protection of solutions.

Reputation

  • Loss of business reputation resulting from information loss or service interruption, resulting in loss of credibility with customers and investors.

 

So that’s all the jargon sorted out?

Think of creating threat cubes – they have a LOT more words than this and are technical.

So how do we bridge the gap between the jargon and output from threat analysis etc. and a simple taxonomy the business can understand, relate to and use in budget and planning discussions?

 

Add pictures!

One for each of the six words in the simple taxonomy;

 

Warning triangle – Regulatory

Credit card – Fraud (may need to be different for you if you work in a PCI environment as this may get confused with the regulatory one)

Money Bag – Theft

Road block sign – Service availability (things with this could impact our ability to do business)

Rocket ship – Business agility – faster, innovative

Happy / sad masks – Reputation

 

So the taxonomy now has words and images for each item.

So when you create a threat cube or other form of threat analysis you can then relate each item on the list back to one or more of the taxonomy words and images – images can be added to aid understanding.  For reporting, each should be mapped to the main area it impacts.

 

How this works in practice;

  • Formal Information Security Risk assessment process
    • Assess solution, change, product or service against technical business threat models
    • Identify key threats, recommend mitigations and evaluate impact of residual threats
  • Summarise business impact in business terms
    • Use six key business impact areas to describe and prioritise impact areas
    • Use business impact icons in formal / technical risk assessment (in body text and headings) to ensure continuity
  • Technical risk assessment and Business risk owners still work in different areas
    • Icons bridge experience and jargon barriers
    • Technical designers and security specialists understand business drivers
    • Business owners understand where technical short cuts will affect overall risk model

 

 

The chosen icons work on Mac and Windows as standard keyboard shortcuts, so should work across most businesses using Word / PDFs / spreadsheets etc.

For larger threats, use more icons – so one, two, or three icons depending on low, medium or high issues size.

For reference, the Unicode code points (and characters) used to represent the 6 areas;

Fraud – U+1F4B3 💳 (credit card)

Regulatory – U+26A0 ⚠ (warning sign)

Theft – U+1F4B0 💰 (money bag)

Service Availability – U+1F6A7 🚧 (construction / road block sign)

Business Agility – U+1F680 🚀 (rocket)

Business Reputation – U+1F3AD 🎭 (performing arts masks)

To enter a character on Windows 7/8 (Word/Excel/PowerPoint/Outlook), type the hex code and press Alt-X; it will display automatically if the font is Segoe UI Symbol.  On OS X, iOS and Android the same code points render via the system emoji font.

 

It will be interesting to test this method out at work to see if it helps get engagement from the board and wider business.  This definitely seems like a good idea, and anything that will help engage and lead to greater understanding of security issues has to be worth a try!

It would be great to hear from anyone who is trying this method, or a similar one, in their business.

K

Training update 1..

Well I’ll obviously have to think of some more catchy titles for training related posts than 1..2..3.. but that will do for now. (ideas welcome!)

So I said I’d be posting these under the training page, however it seems WordPress doesn’t really like that idea and wants to just dump everything on the home page, so we’ll just use category tags for now. There do appear to be some ways to change this by adding code to the pages / posts, so I will probably look into this at some point, although it’s not exactly high on my agenda of interesting things to be getting on with!

Recent progress includes completing the foundation course at Crossfit Antaeus (http://crossfitantaeus.com/) and beginning to work more on cleans and false grip. False grip is a gymnastics inspired way of holding rings / the bar that makes the transition from chin up to dip more feasible in order to do muscle ups – they will be next on the list once I have mastered the grip.

Double unders continue to elude me in any real form – I can do one, then a few singles, then one and so on. I’ll no doubt get there soon.

Motivation is currently very high, and progress is in reality good although it is easy to get frustrated as I know where I want to get to and want to get there now. I have to keep reminding myself I have an 18 month to 2 year plan, not a 3 month plan!

In terms of gym, I can’t speak highly enough of Antaeus and Matt the head coach – he is an excellent coach and annoyingly good at all the technical movements.

This week has included, power and squat cleans, thrusters, skipping, rowing, kettle bells, push press, false grip chins, ring dips and squats amongst other things. In terms of strength I have dropped in a lot more low rep work so much of my squatting is 5 rep sets, and we also tend to do one or two 1 rep max sessions a week as well. This is great and a real departure from the approximately 10 reps per set for everything rut I was in before.

Tonight’s WOD was Elizabeth, first time I have done that one, and second set of cleans this week.. Took 11.32 which is pretty poor, but lots of room to improve once I get my clean act together. Luckily dips are easy so provided some respite! (Elizabeth = 21, 15, 9 reps of 60kg squat clean and ring dips. Shredded hands are an added bonus!)

I want to cover of diet in some detail as well, but I’m at the gym again in the morning so it’s time for bed!

Read this today which amused me;
On Being An Asshole
Basically work hard and don’t be lazy 🙂

K