,

Things you must understand for technical and business due diligence

Technical diligence starts when a startup or company has been approved for outside capital, but needs to be inspected to insure the value of the technology is “good enough” to accept investment. The average startup has something like 1/100 odds of receiving funding once they pitch a VC firm, which is why if investment is offered the ball shouldn’t be dropped during technical diligence. Most issues in technical diligence can be prevented. Since technical diligence is part of the investigation process to receiving venture capital, any business in theory could proactively prepare for technical diligence.

So advises my friend Ellie Cachette, General Partner at CCM Capital Management, a fund-of-funds specializing in venture capital investments. In her two-part series for Inc. Magazine, Ellie shares insights — real insights — in the following areas:

  • Intellectual property and awareness
  • Scaling
  • Security
  • Documentation
  • Risk management
  • Development budget
  • Development meeting and reporting
  • Development ROI
  • Having the right development talent in place

Here are the links:

Five “Business Things” to Understand for Technical Diligence: Part One

Five “Tech Things” to Understand for Technical Diligence: Part Two

While we’re at it, here’s another great article by Ellie in Inc.:

When Your Customers Want One Thing — And Your Investors Want Another

Got a business? Want to do better? Learn from Ellie Cachette. Follow her @ecachette.

/by
, ,

The art and science of endpoint security

The endpoint is vulnerable. That’s where many enterprise cyber breaches begin: An employee clicks on a phishing link and installs malware, such a ransomware, or is tricked into providing login credentials. A browser can open a webpage which installs malware. An infected USB flash drive is another source of attacks. Servers can be subverted with SQL Injection or other attacks; even cloud-based servers are not immune from being probed and subverted by hackers. As the number of endpoints proliferate — think Internet of Things — the odds of an endpoint being compromised and then used to gain access to the enterprise network and its assets only increases.

Which are the most vulnerable endpoints? Which need extra protection? All of them, especially devices running some flavor of Windows, according to Mike Spanbauer, Vice President of Security at testing firm NSS Labs. “All of them. So the reality is that Windows is where most targets attack, where the majority of malware and exploits ultimately target. So protecting your Windows environment, your Windows users, both inside your businesses as well as when they’re remote is the core feature, the core component.”

Roy Abutbul, Co-Founder and CEO of security firm Javelin Networks, agreed. “The main endpoints that need the extra protection are those endpoints that are connected to the [Windows] domain environment, as literally they are the gateway for attackers to get the most sensitive information about the entire organization.” He continued, “From one compromised machine, attackers can get 100 per cent visibility of the entire corporate, just from one single endpoint. Therefore, a machine that’s connected to the domain must get extra protection.”

Scott Scheferman, Director of Consulting at endpoint security company Cylance, is concerned about non-PC devices, as well as traditional computers. That might include the Internet of Things, or unprotected routers, switches, or even air-conditioning controllers. “In any organization, every endpoint is really important, now more than ever with the internet of Things. There are a lot of devices on the network that are open holes for an attacker to gain a foothold. The problem is, once a foothold is gained, it’s very easy to move laterally and also elevate your privileges to carry out further attacks into the network.”

At the other end of the spectrum is cloud computing. Think about enterprise-controlled virtual servers, containers, and other resources configured as Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS). Anything connected to the corporate network is an attack vector, explained Roark Pollock, Vice President at security firm Ziften.

Microsoft, too, takes a broad view of endpoint security. “I think every endpoint can be a target of an attack. So usually companies start first with high privilege boxes, like administrator consoles onboard to service, but everybody can be a victim,” said Heike Ritter, a Product Manager for Security and Networking at Microsoft.

I’ve written a long, detailed article on this subject for NetEvents, “From Raw Data to Actionable Intelligence: The Art and Science of Endpoint Security.”

You can also watch my 10-minute video interview with these people here.

/by
, ,

What the WannaCry ransomworm means for you

Many IT professionals were caught by surprise by last week’s huge cyberattack. Why? They didn’t expect ransomware to spread across their networks on its own.

The reports came swiftly on Friday morning, May 12. The first I saw were that dozens of hospitals in England were affected by ransomware, denying physicians access to patient medical records and causing surgery and other treatments to be delayed.

The infections spread quickly, reportedly hitting as many as 100 countries, with Russian systems affected apparently more than others. What was going on? The details came out quickly: This was a relatively unknown ransomware variant, dubbed WannaCry or WCry. WannaCry had been “discovered” by hackers who stole information from the U.S. National Security Agency (NSA); affected machines were Windows desktops, notebooks and servers that were not up to date on security patches.

Most alarming, WannaCry did not spread across networks in the usual way, through people clicking on email attachments. Rather, once one Windows system was affected on a Windows network, WannaCry managed to propagate itself and infect other unpatched machines without any human interaction. The industry term for this type of super-vigorous ransomware: Ransomworm.

Iturned to one of the experts on malware that can spread across Windows networks, Roi Abutbul. A former cybersecurity researcher with the Israeli Air Force’s famous OFEK Unit, he is founder and CEO of Javelin Networks, a security company that uses artificial intelligence to fight against malware.

Abutbul told me, “The WannaCry/Wcry ransomware—the largest ransomware infection in history—is a next-gen ransomware. Opposed to the regular ransomware that encrypts just the local machine it lands on, this type spreads throughout the organization’s network from within, without having users open an email or malicious attachment. This is why they call it ransomworm.”

He continued, “This ransomworm moves laterally inside the network and encrypts every PC and server, including the organization’s backup.” Read more about this, and my suggestions for copying with the situation, in my story for Network World, “Self-propagating ransomware: What the WannaCry ransomworm means for you.”

/by
, ,

Almost on my way to London for NetEvents to talk about endpoint security

If you’re in London in a couple weeks, look for me. I’ll be at the NetEvents European Media Spotlight on Innovators in Cloud, IoT, AI and Security, on June 5.

At NetEvents, I’ll be doing lots of things:

  • Acting as the Master of Ceremonies for the day-long conference.
  • Introducing the keynote speaker, Brian Lord, OBE, who is former GCHQ Deputy Director for Intelligence and Cyber Operations
  • Conducting an on-stage interview with Mr. Lord, Arthur Snell, formerly of the British Foreign and Commonwealth Office, and Guy Franco, formerly with the Israeli Defense Forces.
  • Giving a brief talk on the state of endpoint cybersecurity risks and technologies.
  • Moderating a panel discussion about endpoint security.

The one-day conference will be at the Chelsea Harbour Hotel. Looking forward to it, and maybe will see you there?

/by
,

Ransomworm golpea a más de 150 Países

Los informes llegaron rápidamente el viernes por la mañana, 12 de mayo – la primera vez que leí una alerta, referenciaba a docenas de hospitales en Inglaterra que fueron afectados por ransomware (sin darse cuenta que era ransomworm), negando a los médicos el acceso a los registros médicos de sus pacientes, causando demoras en cirujías y tratamientos en curso dijo la BBC,

El malware se propagó rápidamente el viernes, con el personal médico en el Reino Unido, según se informa, las computadoras “una por una” quebadan fuera de uso.

El personal del NHS compartió capturas de pantalla del programa WannaCry, que exigió un pago de $ 300 (£ 230) en moneda virtual Bitcoin para desbloquear los archivos de cada computadora.

A lo largo del día, otros países, principalmente europeos, reportaron infecciones.

Algunos informes dijeron que Rusia había visto el mayor número de infecciones del planeta. Los bancos nacionales, los ministerios del interior y de la salud, la empresa estatal de ferrocarriles rusa y la segunda mayor red de telefonía móvil, fueron reportados como afectados.

Las infecciones se diseminaron rápidamente, según se informa golpearon hasta 150 países, con los sistemas rusos afectados aparentemente más que otros.

Read the rest of my article, “Ransomworm golpea a más de 150 Países,” in IT Connect Latam.

/by
, ,

The ongoing challenge for women in high-tech companies

In the United States, Sunday, May 14, is Mother’s Day. (Mothering Sunday was March 27 this year in the United Kingdom.) This is a good time to reflect on the status of women of all marital status and family situations in information technology. The results continue to disappoint.

According to the Unites States Department of Labor, 57.2% of all women participate in the labor force in the United States. 46.9% of the people employed in all occupations are women. So far, so good. Yet when it comes to information technology, women lag far, far behind. Based on 2014 stats:

  • Web developers – 35.2% women
  • Computer systems analysts – 34.2% women
  • Database administrators – 28.0%
  • Computer and information systems managers – 26.7%
  • Computer support specialists – 26.6%
  • Computer programmers – 21.4%
  • Software developers, applications and systems software – 19.8%
  • Network and computer systems administrators – 19.1%
  • Information security analysts – 18.1%
  • Computer network architects – 12.4%

The job area with the highest projected growth rate over the next few years will be information security analysts, says Labor. A question is, will women continue to be underrepresented in this high-paying, fast-growing field? Or will the demand for analysts provide new opportunities for women to enter into the security profession? Impossible to say, really.

The U.S. Equal Employment Opportunity Commission (EEOC) shows that the biggest high tech companies lag behind in diversity. That’s something that anyone working in Silicon Valley can sense intuitively, in large part due to the bro culture (and brogrammer culture) there. Says the EEOC’s extensive report, “Diversity in High Tech,”

Modern manufacturing requires a computer literate worker capable of dealing with highly specialized machines and tools that require advanced skills (STEM Education Coalition).

However, other sources note that stereotyping and bias, often implicit and unconscious, has led to underutilization of the available workforce. The result is an overwhelming dominance of white men and scant participation of African Americans and other racial minorities, Hispanics, and women in STEM and high tech related occupations. The Athena Factor: Reversing the Brain Drain in Science, Engineering, and Technology, published data in 2008 showing that while the female talent pipeline in STEM was surprisingly robust, women were dropping out of the field large numbers. Other accounts emphasize the importance of stereotypes and implicit bias in limiting the perceived labor pool (see discussion below).

Moughari et al., 2012 noted that men comprise at least 70 percent of graduates in engineering, mathematics, and computer science, while women dominate in the lower paying fields. Others point out that in this is not uniformly the case in all science and math occupations and that, while underrepresented among those educated for the industry, women and minorities are more underrepresented among those actually employed in the industry. It has been shown, for example, that men are twice as likely as women to be hired for a job in mathematics when the only difference between candidates is gender.

and

Women account for relatively small percentages of degree recipients in certain STEM fields: only 18.5 percent of bachelor’s degrees in engineering went to women in 2008.

Women Heading for the Exit

The EEOC report is very discouraging in its section on Existing Tech & Related Fields:

Over time, over half of highly qualified women working in science, engineering and technology companies quit their jobs. In 2013, just 26 percent of computing jobs in the U.S. were held by women, down from 35 percent in 1990, according to a study by the American Association of University Women. Although 80 percent of U.S. women working in STEM fields say they love their work, 32 percent also say they feel stalled and are likely to quit within a year. Research by The Center for Work-Life Policy shows that 41 percent of qualified scientists, engineers and technologists are women at the lower rungs of corporate ladders but more than half quit their jobs.

This loss appears attributable to the following: 1) inhospitable work cultures; 2) isolation; 3) conflict between women’s preferred work rhythms and the “firefighting” work style generally rewarded; 4) long hours and travel schedules conflict with women’s heavy household management workload; and 5) women’s lack of advancement in the professions and corporate ladders. If corporate initiatives to stem the brain drain reduced attrition by just 25 percent, there would be 220,000 additional highly qualified female STEM workers.

Based on a survey and in-depth interviews of female scientists, the report observes:

  • Two-thirds of women report having to prove themselves over and over; their success discounted and their expertise questioned.
  • Three-fourths of Black women reported this phenomenon.
  • Thirty-four percent reported pressure to play a traditionally feminine role, including 41 percent of Asian women.
  • Fifty-three percent reported backlash from speaking their minds directly or being outspoken or decisive.
  • Women, particularly Black and Latina women, are seen as angry when they fail to conform to female stereotypes
  • Almost two thirds of women with children say their commitment and competence were questioned and opportunities decreased after having children.

The EEOC report adds that in tech, only 20.44% of executives, senior officials and managers are women – compared to 28.81% in all private industries in the U.S. Women certainly are succeeding in tech, and there are some high-profile women executives in the field —think Meg Whitman at HP, Marissa Mayer at Yahoo (now heading for the exit herself with a huge payout), Sheryl Sandberg at Facebook, Susan Wojcicki at YouTube, Virginia Rometty at IBM, Safra Catz at Oracle, and Ursula Burns at Xerox. That’s still a very short list. The opportunities for and presence of women in tech remain sadly underwhelming.

/by
, ,

Open up the network, that’s how you enable innovation

I have a new research paper in Elsevier’s technical journal, Network Security. Here’s the abstract:

Lock it down! Button it up tight! That’s the default reaction of many computer security professionals to anything and everything that’s perceived as introducing risk. Given the rapid growth of cybercrime such as ransomware and the non-stop media coverage of data theft of everything from customer payment card information through pre-release movies to sensitive political email databases, this is hardly surprising.

The default reaction of many computer security professionals to anything that’s perceived as introducing risk is to lock down the system.

In attempting to lower risk, however, they also exclude technologies and approaches that could contribute significantly to the profitability and agility of the organisation. Alan Zeichick of Camden Associates explains how to make the most of technology by opening up networks and embracing innovation – but safely.

You can read the whole article, “Enabling innovation by opening up the network,” here.

/by
,

H-1B visa abuse: Blame it on the lottery

In 2016, Carnival Cruises was alleged to have laid off its entire 200-person IT department – and forced its workers to train foreign replacements. The same year, about 80 IT workers at the University of California San Francisco were laid off, and forced to trained replacements, lower-paid tech workers from an Indian outsourcing firm. And according to the Daily Mail:

Walt Disney Parks and Resorts is being sued by 30 former IT staff from its Florida offices who claim they were unfairly replaced by foreign workers— but only after being forced to train them up.

The suit, filed Monday in an Orlando court, alleges that Disney laid off 250 of its US IT staff because it wanted to replace them with staff from India, who were hired in on H-1B foreign employee visas.

On one hand, these organizations were presumably quite successful with hiring American tech workers… but such workers are expensive. Thanks to a type of U.S. visa, called the H-1B, outsource contractors can bring in foreign workers, place them with those same corporations, and pay them a lot less than American workers. The U.S. organization, like Carnival Cruises, saves money. The outsource contractor, which might be a high-profile organization like the Indian firm Infosys, makes money. The low-cost offshore talent gets decent jobs and a chance to live in the U.S. Everyone wins, right? Except the laid-off American tech workers.

This type of bargain outsourcing is not what the H-1B was designed for. It wasn’t for laying off expensive U.S. workers and hiring or contracting with lower-paid foreign workers. It was intended to help companies bring in overseas experts when they can’t fill the job with qualified local applicants. Clearly that’s not what’s happening here.

It’s Not Supposed to Be About Cheap Labor

Also, the goal was definitely not to let companies reduce their payroll costs. To quote from the U.S. Citizenship & Immigration Services website about H-1B requirements:

Requirement 4— You must be paid at least the actual or prevailing wage for your occupation, whichever is higher.

The prevailing wage is determined based on the position in which you will be employed and the geographic location where you will be working (among other factors).

The challenge is the way that H-1B visas are allocated – which is in a lottery system, based on the number of applications. There’s a cap of only 65,000 visas each year. Outsourcing companies flood the system with hundreds of thousands of applications, whereas the companies that truly need a few specialized tech experts ask for a relative handful. (There are separate rules for educational institutions, like universities, and for those hiring workers with advanced post-graduate degrees.)

H-1B visas have been in the news for decades, as tech companies lobby to increase the quota. Everyone, remember, likes the H-1B visa, except for American tech workers whose jobs are displaced.

Most recently, the U.S. government has warned about a crackdown on H-1B abuses. According to CNN,

While H-1B visas are used to fill the U.S. skills gap, the Trump administration has voiced concerns about abuse of the program. In some cases, outsourcing firms flood the system with applicants, obtaining visas for foreign workers and then contracting them out to tech companies. American jobs are sometimes replaced in the process, critics say.

In response, Infosys, the Indian outsourcing giant, has revealed plans to hire U.S. workers. Says Computerworld,

IT offshore outsourcing giant Infosys — a firm in the Trump administration’s H-1B reform bulls eye — said Tuesday it plans to hire 10,000 “American workers” over the next two years.

The India-based Infosys will hire those employees in four separate locations in the U.S., first in Indiana, which offered the company more than $30 million in tax credits. The other locations weren’t announced.

Look for the H-1B visa issue to remain in the U.S. news spotlight all year during the battle over immigration, employment, and the power of Silicon Valley.

/by
, ,

Last year’s top hacker tactics may surprise you, says Verizon

Did you know that last year, 75% of data breaches were perpetrated by outsiders, and fully 25% involved internal actors? Did you know that 18% were conducted by state-affiliated actors, and 51% involved organized criminal groups?

That’s according to the newly release 2017 Data Breach Investigations Report from Verizon. It’s the 10th edition of the DBIR, and as always, it’s fascinating – and frightening at the same time.

The most successful tactic, if you want to call it that, used by hackers: stolen or weak (i.e., easily guessed) passwords. They were were used by 81% of breaches. The report says that 62% of breaches featured hacking of some sort, and 51% involved malware.

More disturbing is that fully 66% of malware was installed by malicious email attachments. This means we’re doing a poor job of training our employees not to click links and open documents. We teach, we train, we test, we yell, we scream, and workers open documents anyway. Sigh. According to the report,

People are still falling for phishing—yes still. This year’s DBIR found that around 1 in 14 users were tricked into following a link or opening an attachment — and a quarter of those went on to be duped more than once. Where phishing successfully opened the door, malware was then typically put to work to capture and export data—or take control of systems.

Ransomware is big

We should not be surprised that the DBIR fingers ransomware as a major tool in the hacker’s toolbox:

Ransomware is the latest scourge of the internet, extorting millions of dollars from people and organizations after infecting and encrypting their systems. It has moved from the 22nd most common variety of malware in the 2014 DBIR to the fifth most common in this year’s data.

The Verizon report spends a lot of time on ransomware, saying,

Encouraged by the profitability of ransomware, criminals began offering ransomware-as-a-service, enabling anyone to extort their favorite targets, while taking a cut of the action. This approach was followed by a variety of experiments in ransom demands. Criminals introduced time limits after which files would be deleted, ransoms that increased over time, ransoms calculated based on the estimated sensitivity of filenames, and even options to decrypt files for free if the victims became attackers themselves and infected two or more other people. Multi-level marketing at its finest!

And this, showing another alarming year-on-year increase:

Perhaps the most significant change to ransomware in 2016 was the swing away from infecting individual consumer systems toward targeting vulnerable organizations. Overall, ransomware is still very opportunistic, relying on infected websites and traditional malware delivery for most attacks. Looking again through the lens of DBIR data, web drive-by downloads were the number one malware vector in the 2016 report, but were supplanted by email this year. Social actions, notably phishing, were found in 21% of incidents, up from just 8% in the 2016 DBIR. These emails are often targeted at specific job functions, such as HR and accounting—whose employees are most likely to open attachments or click on links—or even specific individuals.

Read the report

The DBIR covers everything from cyber-espionage to the dangers caused by failing to keep up with patches, fixes, and updates. There are also industry-specific breakouts, covering healthcare, finance, and so-on. It’s a big report, but worth reading. And sharing.

/by
, ,

No security plan? It’s like riding a bicycle in traffic in the rain without a helmet

Every company should have formal processes for implementing cybersecurity. That includes evaluating systems, describing activities, testing those policies, and authorizing action. After all, in this area, businesses can’t afford to wing it, thinking, “if something happens, we’ll figure out what to do.” In many cases, without the proper technology, a breach may not be discovered for months or years – or ever. At least not until the lawsuits begin.

Indeed, running without cybersecurity accreditations is like riding a bicycle in a rainstorm. Without a helmet. In heavy traffic. At night. A disaster is bound to happen sooner or later: That’s especially true when businesses are facing off against professional hackers. And when they are stumbled across as juicy victims by script-kiddies who can launch a thousand variations of Ransomware-as-a-Service with a single keystroke.

Yet, according to the British Chambers of Commerce (BCC), small and very small businesses are extremely deficient in terms of having cybersecurity plans. According to the BCC, in the U.K. only 10% of one-person businesses and 15% of those with 1-4 employees have any formal cybersecurity accreditations. Contrast that with businesses with more than 100 employees: 47% with more than 100 employees) have formal plans.

The BCC surveyed 1,285 business people in the U.K. in January 2017. Of the businesses surveyed, 96% were small or mid-sized businesses. About 22% operate in the manufacturing sector, and 78% operate in the services sector.

And all are woefully unprepared to defend themselves against direct target attacks – and against those which are totally generic. It’s like a car thief walking through a parking lot looking to see which vehicles are unlocked: There’s nothing personal, but if your door is open, your car belongs to the crook. Similarly, if some small business’s employees are click on a phishing email and end up victims of ransomware, well, their Bitcoins are as good as gold.

What can be done? Training, of course, to help ensure that employees (including executives) don’t welcome cybercriminals in by responding to phishing emails, malicious website ads, and social-media scams. Technology, which could be products like anti-malware software installed on endpoints, as well as services offered by internet service providers and security specialty firms. Indeed, the BCC survey indicated that 63% of businesses are reliant on IT providers to resolve issues after an attack,

Needed: A formal process for cybersecurity

Every company should have formal processes for implementing cybersecurity, including evaluating systems, describing activities, testing those policies, and authorizing action. After all, in this area, businesses can’t afford to wing it, thinking, “if something happens, we’ll figure out what to do.” In many cases, without the proper technology, a breach may not be discovered for months or years – or ever. At least not until the lawsuits begin.

As one would expect, small and very small businesses are extremely deficient in terms of having cybersecurity plans. According to the BCC, in the U.K. only 10% of one-person businesses and 15% of those with 1-4 employees have any formal cybersecurity accreditations. Contrast that with businesses with more than 100 employees: 47% with more than 100 employees) have formal plans.

While a CEO may want to focus on his/her primary business, in reality, it’s irresponsible to neglect cybersecurity planning. Indeed, it’s also not good for long-term business success. According to the BCC study, 21% of businesses believe the threat of cyber-crime is preventing their company from growing. And of the businesses that do have cybersecurity accreditations, half (49%) believe it gives their business a competitive advantage over rival companies, and a third (33%) consider it important in creating a more secure environment when trading with other businesses.

Again, one in five businesses in the United Kingdom have fallen victim to cyber-attacks in the past year. That number is probably comparable around the world. There are leading-edge service providers and software companies ready to help reduce that terrible statistic. With more and more hackers, including state-sponsored agents, becoming involved, the stakes are high. Fortunately, the tech industry is up to the challenge.

/by
, ,

Self-inflicted public relations disasters: United Airlines, Pepsi, Tanium, Uber

There are public-relations disasters… and there are self-inflicted public-relations disasters. Those are arguably the worst, and it’s been a meaningful couple of weeks for them, both in the general world and in the technology industry. In some cases, the self-inflicted crises exploded because of stupid or ham-handed initial responses.

In PR crisis management, it’s important to get the initial response right. That means:

  1. Acknowledging that something unfortunate happened
  2. Owning responsibility (in a way that doesn’t expose you to lawsuits, of course)
  3. Apologizing humbly, profusely and sincerely
  4. Promising to make amends to everyone affected by what happened
  5. Vowing to fix processes to avoid similar problems in the future

Here are some recent public relations disasters that I’d label as self-inflicted. Ouch!

United Airlines beats passengers

Two recent episodes. First, a young girl flying on an employee-travel pass wasn’t allowed to board wearing leggings. Second, a doctor was dragged out of a plane, and seriously injured, for refusing to give up his seat to make room for a United employee. Those incidents showed that gate agents were unaware of the optics of situations like this, and didn’t have the training and/or flexibility to adapt rules to avoid a public snafu.

However, the real disaster came from the poor handling of both situations by executives and their PR advisors. With the leggings situation, United’s hiding behind obscure rules and the employee-ticket status of the young passenger, didn’t help a situation where all the sympathy was with the girl. With the ejected and beaten passenger, where to begin? The CEO, Oscar Munoz, should have known that his first response was terrible, and his “confidential” email to employees, which blamed the passenger for being unruly, would be immediately leaked to the public. What a freakin’ idiot. It’s going to take some time for United to recover from these disasters.

Pepsi Cola misses the point

A commercial for a soft drink tried to reinterpret a famous Black Lives Matter protest moment in Baton Rouge. That’s where a young African-American woman, Ieshia Evans, faced off against heavily armored police officers. In Pepsi’s version of the event, a white celebrity, Kendall Jenner, faced off against attractive fake police officers, and defused a tense situation by handing a handsome young cop a can of soda. Dancing ensues. World peace is achieved. The Internet explodes with outrage.

Pepsi’s initial response is to defend the video by saying “We think that’s an important message to convey.” Oops. Later on, the company pulled the ad and apologized to everyone (including Ms. Jenner), but the damage was done, so much so that a fun meme was of White House spokesman Sean Spicer dressed up as an United Airlines pilot offering a can of Pepsi.

Tanium’s bad-boy CEO sends the wrong message

Tanium, a maker of endpoint security and management software, has fallen into the trap of owner hubris. As this story in Bloomberg explains, the top executives, including CEO Orion Hindawi, run the company more for their own benefit than for the benefit of their customers or other shareholders. For example, says Bloomberg, “One of the most unnerving aspects of life at Tanium is what’s known internally as Orion’s List. The CEO allegedly kept a close eye on which employees would soon be eligible to take sizable chunks of stock. For those he could stand to do without, Hindawi ordered the workers to be fired before they were able to acquire the shares, according to current and former employees.” As Business Insider reported, nine executives have left recently, including the president and top marketing and finance officers.

And then there’s the power-trip aspect, says Bloomberg. “The company’s successes didn’t do much to lift morale. Orion berated workers in front of colleagues until they broke into tears and used all-hands meetings as a venue to taunt low-level staff, current and former employees said.” Bloomberg reports that a major VC firm, Andreessen Horowitz, made note of Orion’s managerial flaws and presented them to partners at the firm early last year, saying that Orion’s behavior risked interfering with the company’s operations if it hadn’t already. This sort of nonsense is not good for a company with a decent reputation for intellectual property. The company’s response? Crickets.

Uber drives off the clue train

I’m a happy Uber customer. When traveling, I’m quite disappointed when the service is not available, as was the case on a recent trip to Austin, where Uber and Lyft aren’t offered. However, I’m not a fan of the company’s treatment of women and of the misdeeds of its CEO. Those PR disasters have become the public face of the story, not its innovations in urban transportation and self-driving cars. When a female engineer went public with how she was mistreated and how the company’s HR department ignored the issue, the Internet went nuts — and the company responded by doing a mea culpa. Still, the message was clear: Uber is misogynistic.

And then there were several reports of public naughtiness by CEO Travis Kalanick. The best was a video of him berating an Uber driver. Yes, Kalanick apologized and said that he needs help with leadership… but more crickets in terms of real change. As Engadget wrote in mid-April, the time for Uber leadership to step down is long overdue for the good of its employees, drivers, customers and shareholders. It’s unlikely the company can withstand another self-inflicted PR disaster.

It doesn’t have to be this way

When a PR disaster happens — especially a self-inflicted one — it’s vital to get on top of the story. See the five tips at the top of this blog, and check out this story, “When It Hits the Fan,” on tips for crisis management. You can recover, but you have to do it right, and do it quickly.

/by
, ,

Manage the network, Hal

Some large percentage of IT and security tasks and alerts require simple responses. On a small network, there aren’t many alerts, and so administrators can easily accommodate them: Fixing a connection here, approving external VPN access there, updating router firmware on that side, giving users the latest patches to Microsoft Office on that side, evaluating a security warning, dismissing a security warning, making sure that a newly spun-up virtual machine has the proper agents and firewall settings, reviewing log activity. That sort of thing.

On a large network, those tasks become tedious… and on a very large network, they can escalate unmanageably. As networks scale to hundreds, thousands, and hundreds of thousands of devices, thanks to mobility and the Internet of Things, the load expands exponentially – and so do routine IT tasks and alerts, especially when the network, its devices, users and applications are in constant flux.

Most tasks can be automated, yes, but it’s not easy to spell out in a standard policy-based system exactly what to do. Similarly, the proper way of handling alerts can be automated, but given the tremendous variety of situations, variables, combinations and permutations, that too can be challenging. Merely programming a large number of possible situations, and their responses, would be a tremendous task — and not even worth the effort, since the scripts would be brittle and would themselves require constant review and maintenance.

That’s why in many organizations, only responses to the very simplest of tasks and alert responses are programmed in rule-based systems. The rest are shunted over to IT and security professionals, whose highly trained brains can rapidly decide what to do and execute the proper response.

At the same time, those highly trained brains turn into mush because handling routine, easy-to-solve problems is mind-numbing and not intellectually challenging. Solving a problem once is exciting. Solving nearly the same problem a hundred times every day, five days a week, 52 weeks a year (not counting holidays) is inspiration for updating the C.V… and finding a more interesting job.

Enter Artificial Intelligence

AI has already proven itself in computer management and security. Consider the high-profile role that AI patter recognition plays in Cylance’s endpoint security software. The Cylance solution trains itself to recognize good files (like executables, images and documents) and malicious ones – and can spot the bad ones without using signatures. It can even spot those which have never been seen before, because it’s not training on specific viruses or trojans, but rather, on “good” vs. “bad.”

Torsten George is a believer, as he writes in “The Role of Artificial Intelligence in Cyber Security,”

Last year, the IT security community started to buzz about AI and machine learning as the Holy Grail for improving an organization’s detection and response capabilities. Leveraging algorithms that iteratively learn from data, promises to uncover threats without requiring headcounts or the need to know “what to look for”.

He continues,

Enlisting machine learning to do the heavy lifting in first line security data assessment enables analysts to focus on more advanced investigations of threats rather than performing tactical data crunching. This meeting of the minds, whereby AI is applied using a human-interactive approach holds a lot of promise for fighting, detecting, and responding to cyber risks.

Menlo Security is one of many network-protection companies that uses artificial intelligence. The Menlo Security Isolation Platform uses AI to prevent Internet-based malware from ever reaching an endpoint, such as a desktop or mobile device, because email and websites are accessed inside the cloud – not on the client’s computer. Only safe, malware-free rendering information is sent to the user’s endpoint, eliminating the possibility of malware reaching the user’s device. An artificial intelligence engine constantly scans the Internet session to provide protection against spear-phishing and other email attacks.

What if a machine does become compromised? It’s unlikely, but it can happen – and the price of a single breech can be incredible, especially if a hacker can take full control of the compromised device and use it to attack other assets within the enterprise, such as servers, routers or executives’ computers.

If a breach does occur, that’s when the AI technology like that of Javelin Networks leaps into action. The AI detects that the attack is in progress, alerts security teams, and isolates the device from the network. Simultaneously, the AI tricks the attackers into believing they’ve succeeded in their attack, therefore keeping them “on the line” while real-time forensics tools gather information needed to identify the attacker and help shut them down for good.

Manage the Network, Hal

Of course, AI can serve a vital purpose in managing a key element of modern networks beyond security. As Ajay Malik recently wrote in “Artificial intelligence will revolutionize Wi-Fi,”

The problem is that the data source in a wireless network is huge. The data varies at every transmission level. There is a “data rate” of each message transmitted. There are “retries” for each message transmitted.

The reason for not being able to “construct” the received message is specific for each message. The manual classification and analysis of this data is infeasible and uneconomic. Hence, all data available by different vendors is plagued by averages. This is where I believe artificial intelligence has a role to play.

Deep neural nets can automate the analysis and make it possible to analyze every trend of wireless. Machine learning and algorithms can ensure the end user experience. Only the use of AI can change the center of focus from the evolution of wireless or adding value to wireless networks to automatically ensuring the experience.

We will see AI at every level of the network operations center. There are too many devices, too many users, and too many rapid changes, for human and normal rule-based automation systems to keep up. Self-learning systems that adapt and solve real problems quickly and correctly will be essential in every IT organization.

/by
, ,

Look who’s talking – and controlling your home speech-enabled technology

“Alexa! Unlock the front door!” No, that won’t work, even if you have an intelligent lock designed to work with the Amazon Echo. That’s because Amazon is smart enough to know that someone could shout those five words into an open window, and gain entry to your house.

Presumably Amazon doesn’t allow voice control of “Alexa! Turn off the security system!” but that’s purely conjecture. It’s not something I’ve tried. And certainly it’s possible go use programming or clever work-around to enable voice-activated door unlocking or force-field deactivation. That’s why while our home contains a fair amount of cutting-edge AI-based automation, perimeter security is not hooked up to any of it. We’ll rely upon old-fashioned locks and keys and alarm keypads, thank you very much.

And sorry, no voice-enabled safes for me either. It didn’t work so well to protect the CIA against Jason Bourne, did it?

Unlike the fictional CIA safe and the equally fictional computer on the Starship Enterprise, Echo, Google Home, Siri, Android, and their friends can’t identify specific voices with any degree of accuracy. In most cases, they can’t do so at all. So, don’t look to be able to train Alexa to set up access control lists (ACLs) based on voiceprints. That’ll have to wait for the 23rd century, or at least for another couple of years.

The inability of today’s AI-based assistants to discriminate allows for some foolishness – and some shenanigans. We have an Echo in our family room, and every so often, while watching a movie, Alexa will suddenly proclaim, “Sorry, I didn’t understand that command,” or some such. What set the system off? No idea. But it’s amusing.

Less amusing was Burger King’s advertising prank which intentionally tried to get Google Home to help sell more hamburgers. As Fast Company explains:

A new Whopper ad from Burger King turns Google’s voice-activated speaker into an unwitting shill. In the 15-second spot, a store employee utters the words “OK Google, what is the Whopper burger?” This should wake up any Google Home speakers present, and trigger a partial readout of the Whopper’s Wikipedia page. (Android phones also support “OK Google” commands, but use voice training to block out unauthorized speakers.)

Fortunately, Google was as annoyed as everyone else, and took swift action, said the story:

Update: Google has stopped the commercial from working – presumably by blacklisting the specific audio clip from the ad – though Google Home users can still inquire about the Whopper in their own words.

Burger King wasn’t the first to try this stunt. Other similar tricks have succeeded against Home and Echo, and sometimes, the devices are activated accidentally by TV shows and news reports. Look forward to more of this.

It reminds me of the very first time I saw a prototype Echo. What did I say? “Alexa, Format See Colon.” Darn. It didn’t erase anything. But at least it’s better than a cat running around on your laptop keyboard, erasing your term paper. Or a TV show unlocking your doors. Right?

/1 Comment/by
, ,

Email clients and 3D paint applications do not belong in operating system releases

No, no, no, no, no!

The email client updates in the 10.12.4 update to macOS Sierra is everything that’s wrong with operating systems today. And so is the planned inclusion of an innovative, fun-sounding 3D painter as part of next week’s Windows 10 Creators Update.

Repeat after me: Applications do not belong in operating systems. Diagnostics, yes. Shared libraries, yes. Essential device drivers, yes. Hardware abstraction layers, yes. File systems, yes. Program loads and tools, yes. A network stack, yes. A graphical user interface, yes. A scripting/job control language, yes. A basic web browser, yes.

Applications? No, no, no!

Why not?

Applications bloat up the operating system release. What if you don’t need a 3D paint program? What if you don’t want to use the built-in mail client? The binaries are there anyway taking up storage. Whenever the operating system is updated, the binaries are updated, eating up bandwidth and CPU time.

If you do want those applications, bug fixes are tied to OS updates. The Sierra 10.12.4 update fixes a bug in Mail. Why must that be tied to an OS update? The update supports more digital camera RAW formats. Why are they tied to the operating system, and not released as they become available? The 10.12.4 update also fixes a Siri issue regarding cricket scores in the IPL. Why, for heaven’s sake, is that functionality tied to an operating system update?? That’s simply insane.

An operating system is easier for the developer test and verify if it’s smaller. The more things in your OS update release train, the more things can go wrong, whether it’s in the installation process or in the code itself. A smaller OS means less regression testing and fewer bugs.

An operating system is easier for the client to test and verify if it’s smaller. Take your corporate clients — if they are evaluating macOS Sierra 10/12/4 or Windows 10 Creators Update prior to roll-out, if there’s less stuff there, the validation process is easier.

Performance and memory utilization are better if it’s smaller. The microkernel concept says that the OS should be as small as possible – if something doesn’t have to be in the OS, leave it out. Well, that’s not the case any more, at least in terms of the software release trains.

This isn’t new

No, Alan isn’t off his rocker, at least not more than usual. Operating system releases, especially those for consumers, have been bloated up with applications and junk for decades. I know that. Nothing will change.

Yes, it would be better if productivity applications and games were distributed and installed separately. Maybe as free downloads, as optional components on the release CD/DVD, or even as a separate SKU. Remember Microsoft Plus and Windows Ultimate Extras? Yeah, those were mainly games and garbage. Never mind.

Still, seeing the macOS Sierra Update release notes today inspired this missive. I hope you enjoyed it. </rant>

/by
, ,

Windows 10 Creators Update will take forever to download, install, and update

Prepare to wait. And wait. Many Windows 10 users are getting ready for the Creators Update, due April 11. We know lots of things about it: There will be new tools for 3D designing, playing 4K-resolution games, improvements to the Edge browser, and claimed improvements to security and privacy protections.

We also know that it will take forever to install. Not literally forever. Still, a long time.

This came to mind when my friend Steven J. Vaughan-Nichols shared this amusing image:

Who could be surprised, when the installation estimation times for software are always ludicrously inaccurate? That’s especially true with Windows, which routinely requires multiple waves of download – update – reboot– download – update – reboot– download – update – reboot – rinse and repeat. That’s especially true if you haven’t updated for a while. It goes on and on and on.

This came to the fore about three weeks ago, when I decided to wipe a Windows 10 laptop in preparation for donating it to a nonprofit. It’s a beautiful machine — a Dell Inspiron 17 — which we purchased for a specific client project. The machine was not needed afterwards, and well, it was time to move it along. (My personal Windows 10 machine is a Microsoft Surface Pro.)

The first task was to restore the laptop to its factory installation. This was accomplished using the disk image stored on a hidden partition, which was pretty easy; Dell has good tools. It didn’t take long for Windows 10 to boot up, nice and pristine.

That’s when the fun began: Installing Windows updates. Download – update – reboot– download – update – rinse – repeat. For two days. TWO DAYS. And that’s for a bare machine without any applications or other software.

Thus, my belief in two things: First, Windows saying 256% done is entirely plausible. Second, it’s going to take forever to install Windows 10 Creators Update on my Surface Pro.

Good luck, and let me know how it goes for you.

/4 Comments/by
, ,

Listen to Tim Berners-Lee: Don’t weaken encryption!

It’s a bad idea to intentionally weaken the security that protects hardware, software, and data. Why? Many reasons, including the basic right (in many societies) of individuals to engage in legal activities anonymously. An additional reason: Because knowledge about weakened encryption, back doors and secret keys could be leaked or stolen, leading to unintended consequences and breaches by bad actors.

Sir Tim Berners-Lee, the inventor of the World Wide Web, is worried. Some officials in the United States and the United Kingdom want to force technology companies to weaken encryption and/or provide back doors to government investigators.

In comments to the BBC, Sir Tim said that there could be serious consequences to giving keys to unlock coded messages and forcing carriers to help with espionage. The BBC story said:

“Now I know that if you’re trying to catch terrorists it’s really tempting to demand to be able to break all that encryption but if you break that encryption then guess what – so could other people and guess what – they may end up getting better at it than you are,” he said.

Sir Tim also criticized moves by legislators on both sides of the Atlantic, which he sees as an assault on the privacy of web users. He attacked the UK’s recent Investigatory Powers Act, which he had criticised when it went through Parliament: “The idea that all ISPs should be required to spy on citizens and hold the data for six months is appalling.”

The Investigatory Powers Act 2016, which became U.K. law last November, gives broad powers to the government to intercept communications. It requires telecommunications providers to cooperate with government requests for assistance with such interception.

Started with Government

Sir Tim’s comments appear to be motivated by his government’s comments. U.K. Home Secretary Amber Rudd said it is “unacceptable” that terrorists were using apps like WhatsApp to conceal their communications, and that there “should be no place for terrorists to hide.

In the United States, there have been many calls for U.S. officials to own back doors into secure hardware, software or data repositories. One that received widespread attention was in 2016, when the FBI tried to compel Apple to unlock the San Bernardino attack’s iPhone. Apple refused, and this sparked a widespread public debate about the powers of the government to go after terrorists or suspected criminals – and whether companies need to break into their own products, or create intentional weaknesses in encryption.

Ultimately, of course, the FBI received their data through the use of third-party tools to break into the iPhone. That didn’t end the question, and indeed, the debate continues to rage. So why not provide a back door? Why not use crippled encryption algorithms that can be easily broken by those who know the flaw? Why not give law-enforcement officials a “master key” to encryption algorithms?

Aside from legal and moral issues, weakening encryption puts everyone at risk. Someone like Edward Snowden, or a spy, might steal information about the weakness, and offer it to criminals, a state-sponsored organization, or the dark web. And now, everyone – not just the FBI, not only MI5 – can break into systems, potentially without even leaving a fingerprint or a log entry.

Stolen Keys

Consider the widely distributed Content Scramble System used to secure commercial movies on DVD discs. In theory, the DVDs were encoded so that they could only be used on authorized devices (like DVD players) that had paid to license the code. The 40-bit code, introduced around 1996, was compromised in 1999. It’s essentially worthless.

Or consider the “TSA-approved” luggage locks, where the locks were nominally secured by a key or combination. However, there are master keys that allowed airport security staff to open the baggage without cutting off the lock. There were seven master keys, which can open any “TSA-approved” lock – and all seven have been compromised. One famous breach of that system: The Washington Post published a photograph of all the master keys, and based on that photo, hackers could easily reproduce the keys. Whoops!

Speaking of WhatsApp, the software had a flaw in its end-to-end encryption. as was revealed this January. The flaw could let others listen in. The story was first revealed by the Guardian, which wrote

WhatsApp’s end-to-end encryption relies on the generation of unique security keys, using the acclaimed Signal protocol, developed by Open Whisper Systems, that are traded and verified between users to guarantee communications are secure and cannot be intercepted by a middleman.

However, WhatsApp has the ability to force the generation of new encryption keys for offline users, unbeknown to the sender and recipient of the messages, and to make the sender re-encrypt messages with new keys and send them again for any messages that have not been marked as delivered.

The recipient is not made aware of this change in encryption, while the sender is only notified if they have opted-in to encryption warnings in settings, and only after the messages have been re-sent. This re-encryption and rebroadcasting of previously undelivered messages effectively allows WhatsApp to intercept and read some users’ messages.

Just Say No

Most (or all) secure systems have their flaws. Yes, they can be broken, but the goal is that if a defect or vulnerability is found, the system will be patched and upgraded. In other words, we expect those secure systems to be indeed secure. Therefore, let’s say “no” to intentional loopholes, back doors, master keys and encryption compromises. We’ve all seen that government secrets don’t stay secret — and even if we believe that government spy agencies should have the right to unlock devices or decrypt communications, none of us want those abilities to fall into the wrong hands.

/by
, , ,

Congress votes against Internet customer privacy; nothing changes

It’s official: Internet service providers in the United States can continue to sell information about their customers’ Internet usage to marketers — and to anyone else who wants to use it. In 2016, during the Obama administration, the Federal Communications Commission (FCC) tried to require ISPs to get customer permission before using or sharing information about their web browsing. According to the FCC, the rule change, entitled, “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services,” meant:

The rules implement the privacy requirements of Section 222 of the Communications Act for broadband ISPs, giving broadband customers the tools they need to make informed decisions about how their information is used and shared by their ISPs. To provide consumers more control over the use of their personal information, the rules establish a framework of customer consent required for ISPs to use and share their customers’ personal information that is calibrated to the sensitivity of the information. This approach is consistent with other privacy frameworks, including the Federal Trade Commission’s and the Administration’s Consumer Privacy Bill of Rights.

More specifically, the rules required that customers had to positively agree to have their information used in that fashion. Previously, customers had to opt-out. Again, according to the FCC,

Opt-in: ISPs are required to obtain affirmative “opt-in” consent from consumers to use and share sensitive information. The rules specify categories of information that are considered sensitive, which include precise geo-location, financial information, health information, children’s information, social security numbers, web browsing history, app usage history and the content of communications.

Opt-out: ISPs would be allowed to use and share non-sensitive information unless a customer “opts-out.” All other individually identifiable customer information – for example, email address or service tier information – would be considered non-sensitive and the use and sharing of that information would be subject to opt-out consent, consistent with consumer expectations.

Consumer Privacy Never Happened

That rule change, however, ended up being stuck with legal challenges and never took effect. In March 2017, both chambers of Congress voted to reverse that change. The resolution, passed by both the House and Senate, was simple:

Resolved by the Senate and House of Representatives of the United States of America in Congress assembled, That Congress disapproves the rule submitted by the Federal Communications Commission relating to “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services,” and such rule shall have no force or effect.

What’s the net effect? In some ways, not much, despite all the hyperbole. The rule only applied to broadband providers. It didn’t apply to others who could tell what consumers were doing on the Internet, such as social media (think Facebook) or search engines (think Google) or e-commerce (think Amazon) or streaming media (think Netflix). Those other organizations could use or market their knowledge about consumers, bound only by the terms of their own privacy policy. Similarly, advertising networks and others who tracked browser activity via cookies could also use the information however they wanted.

What’s different about the FCC rule on broadband carriers, however, is that ISPs can see just about everything that a customer does. Every website visited, every DNS address lookup, and every Internet query sent via other applications like email or messaging apps. Even if that traffic is end-to-end encrypted, the broadband carrier knows where the traffic is going or coming from – because, after all, it is delivering the packets. That makes the carriers’ metadata information about customer traffic unique, and invaluable, to marketers, government agencies, and to others who might wish to leverage it.

Customers Can Shield — To Some Extent

Customers can attempt to shield their privacy. For example, many use end-to-end VPN services to route their Internet traffic to a single relay point, and then use that relay to anonymously surf the web. However, a privacy VPN is technically difficult for many consumers to set up. Plus, the service costs money. Also, for true privacy fanatics, that VPN service could also be a source of danger, since it could be compromised by an intelligence agency, or used for a man-in-the-middle attack.

So in the United States, the demise of the FCC ruling is bad news. Customers’ Internet usage data — including websites visited, phrases searched for, products purchased and movies watched — remains available for marketers and others who use to study it and exploit it. However, in reality, such was always the case.

/by
, ,

Three years of the 2013 OWASP Top 10 — and it’s the same vulnerabilities over and over

Can’t we fix injection already? It’s been nearly four years since the most recent iteration of the OWASP Top 10 came out — that’s June 12, 2013. The OWASP Top 10 are the most critical web application security flaws, as determined by a large group of experts. The list doesn’t change much, or change often, because the fundamentals of web application security are consistent.

The 2013 OWASP Top 10 were

  1. Injection
  2. Broken Authentication and Session Management
  3. Cross-Site Scripting (XSS)
  4. Insecure Direct Object References
  5. Security Misconfiguration
  6. Sensitive Data Exposure
  7. Missing Function Level Access Control
  8. Cross-Site Request Forgery (CSRF)
  9. Using Components with Known Vulnerabilities
  10. Unvalidated Redirects and Forwards

The preceding list came out on April 19. 2010:

  1. Injection
  2. Cross-Site Scripting (XSS)
  3. Broken Authentication and Session Management
  4. Insecure Direct Object References
  5. Cross-Site Request Forgery (CSRF)
  6. Security Misconfiguration
  7. Insecure Cryptographic Storage
  8. Failure to Restrict URL Access
  9. Insufficient Transport Layer Protection
  10. Unvalidated Redirects and Forwards

Looks pretty familiar. If you go back further to the inaugural Open Web Application Security Project 2004 and then the 2007 lists, the pattern of flaws stays the same. That’s because programmers, testers, and code-design tools keep making the same mistakes, over and over again.

Take the #1, Injection (often written as SQL Injection, but it’s broader than simply SQL). It’s described as:

Injection flaws occur when an application sends untrusted data to an interpreter. Injection flaws are very prevalent, particularly in legacy code. They are often found in SQL, LDAP, Xpath, or NoSQL queries; OS commands; XML parsers, SMTP Headers, program arguments, etc. Injection flaws are easy to discover when examining code, but frequently hard to discover via testing. Scanners and fuzzers can help attackers find injection flaws.

The technical impact?

Injection can result in data loss or corruption, lack of accountability, or denial of access. Injection can sometimes lead to complete host takeover.

And the business impact?

Consider the business value of the affected data and the platform running the interpreter. All data could be stolen, modified, or deleted. Could your reputation be harmed?

Eliminating the vulnerability to injection attacks is not rocket science. OWASP summaries three approaches:

Preventing injection requires keeping untrusted data separate from commands and queries.

The preferred option is to use a safe API which avoids the use of the interpreter entirely or provides a parameterized interface. Be careful with APIs, such as stored procedures, that are parameterized, but can still introduce injection under the hood.

If a parameterized API is not available, you should carefully escape special characters using the specific escape syntax for that interpreter. OWASP’s ESAPI provides many of these escaping routines.

Positive or “white list” input validation is also recommended, but is not a complete defense as many applications require special characters in their input. If special characters are required, only approaches 1. and 2. above will make their use safe. OWASP’s ESAPI has an extensible library of white list input validation routines.

Not rocket science, not brain surgery — and the same is true of the other vulnerabilities. There’s no excuse for still getting these wrong, folks. Cut down on these top 10, and our web applications will be much safer, and our organizational risk much reduced.

Do you know how often your web developers make the OWASP Top 10 mistakes? The answer should be “never.” They’ve had plenty of time to figure this out.

/by
, ,

Top Do’s and Don’ts for creating friendly calendar invites

“Call with Alan.” That’s what the calendar event says, with a bridge line as the meeting location. That’s it. For the individual who sent me that invitation, that’s a meaningful description, I guess. For me… worthless! This meeting was apparently sent out (and I agreed to attend) at least three weeks ago. I have no recollection about what this meeting is about. Well, it’ll be an adventure! (Also: If I had to cancel or reschedule, I wouldn’t even know who to contact.)

When I send out calendar invites, I try hard to make the event name descriptive to everyone, not just me. Like “ClientCorp and Camden call re keynote topics” or “Suzie Q and Alan Z — XYZ donations.” Something! Give a hint, at least! After all, people who receive invitations can’t edit the names to make them more meaningful.

And then there’s time-zone ambiguity. Some calendar programs (like Google Calendar) do a good job of tracking the event’s time zone, and mapping it to mine. Others, and I’m thinking of Outlook 365, do a terrible job there, and make it difficult to specify the event in a different time zone.

For example, I’m in Phoenix, and often set up calls with clients on the East Coast or in the U.K. As a courtesy, I like to set up meetings using the client’s time zone. Easy when I use Google Calendar to set up the event. Not easy in Outlook 365, which I must use for some projects.

Similarly, some calendar programs do a good job mapping the event to each recipient’s time zone. Others don’t. The standards are crappy, and the implementations of the standards are worse.)

There’s more than the bad time-zone mappings. Each Web-based, mobile, and desktop calendar app, even those that claim to conform to standards, has its own quirks, proprietary features, and incompatibilities. For example, repeating events aren’t handled consistently from calendar program to calendar program. It’s a real mess.

Here are a few simple do’s and don’ts for event creators. Or rather, don’ts and do’s.

  • DON’T just put the name of the person you are meeting with in the event name.
  • DO put your name and organization too, and include your contact information (phone, email, whatever) in the calendar invite itself. Having just a conference bridge or location of the coffee shop won’t do someone any good if they need to reach you before the meeting.
  • DON’T assume that everyone will remember what the meeting is about.
  • DO put the purpose of the meeting into the event title.
  • DON’T think that everyone’s calendar software works like yours or has the same features, vis-à-vis time zones, attachments, comments, and so-on.
  • DO consider putting the meeting time and time zone into the event name. It’s something I don’t do, but I have friends who do, like “ClientCorp and Camden call re keynote topics — 3pm Pacific.” Hmm, maybe I should do that?
  • DON’T expect that if you change the event time on your end, that change will percolate to all recipients. Again, this can be software-specific.
  • DO cancel the event if it’s necessary to reschedule, and set up a new one. Also send an email to all participants explaining what happened. I dislike getting calendar emails saying the meeting date/time has been changed — with no explanation.
  • DON’T assume that people will be able to process your software’s calendar invitations. Different calendar program don’t play well with each other.
  • DO send a separate email with all the details, including the event name, start time, time zone, and list of participants, in addition to the calendar invite. Include the meeting location, or conference-call dial-in codes, in that email.
  • DON’T trust that everyone will use the “accept” button to indicate that they are attending. Most will not.
  • DO follow up with people who don’t “accept” to ask if they are coming.
  • DON’T assume that just because it’s on their calendar, people will remember to show up. I had one guy miss an early-morning call he “accepted” because it was early and he hadn’t checked his calendar yet. D’oh!
  • DO send a meeting confirmation email, one day before, if the event was scheduled more than a week in advance.

Have more do’s and don’ts? Please add them using the comments.

/by
, , ,

What’s the deal with Apple iCloud accounts being hacked?

The word went out Wednesday, March 22, spreading from techie to techie. “Better change your iCloud password, and change it fast.” What’s going on? According to ZDNet, “Hackers are demanding Apple pay a ransom in bitcoin or they’ll blow the lid off millions of iCloud account credentials.”

A hacker group claims to have access to 250 million iCloud and other Apple accounts. They are threatening to reset all the passwords on those accounts – and then remotely wipe those phones using lost-phone capabilities — unless Apple pays up with untraceable bitcoins or Apple gift cards. The ransom is a laughably small $75,000.

What’s Happening at Apple?

According to various sources, at least some of the stolen account credentials appear to be legitimate. Whether that means all 250 million accounts are in peril, of course, is unknowable.

Apple seems to have acknowledged that there is a genuine problem. The company told CNET, “The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services.” We obviously don’t know what Apple is going to do, or what Apple can do. It hasn’t put out a general call, at least as of Thursday, for users to change their passwords, which would seem to be prudent. It also hasn’t encouraged users to enable two-factor authentication, which should make it much more difficult for hackers to reset iCloud passwords without physical access to a user’s iPhone, iPad, or Mac.

Unless the hackers alter the demands, Apple has a two-week window to respond. From its end, it could temporarily disable password reset capabilities for iCloud accounts, or at least make the process difficult to automate, access programmatically, or even access more than once from a given IP address. So, it’s not “game over” for iCloud users and iPhone owners by any means.

It could be that the hackers are asking for such a low ransom because they know their attack is unlikely to succeed. They’re possibly hoping that Apple will figure it’s easier to pay a small amount than to take any real action. My guess is they are wrong, and Apple will lock them out before the April 7 deadline.

Where Did This Come From

Too many criminal networks have access to too much data. Where are they getting it? Everywhere. The problem multiplies because people reuse usernames and passwords. For nearly every site nowadays, the username is the email address. That means if you know my email address (and it’s not hard to find), you know my username for Facebook, for iCloud, for Dropbox, for Salesforce.com, for Windows Live, for Yelp. Using the email address for the login is superficially good for consumers: They are unlikely to forget their login.

The bad news is that account access now depends on a single piece of hidden information: the password. And people reuse passwords and choose weak passwords. So if someone steals a database from a major retailer with a million account usernames (which are email addresses) and passwords, many of those will also be Facebook logins. And Twitter. And iCloud.

That’s how hackers can quietly accumulate what they claim are 250 million iCloud passwords. They probably have 250 million email address / password pairs amalgamated from various sources: A million from this retailer, ten million from that social network. It adds up. How many of those will work in iTunes? Unknown. Not 250 million. But maybe 10 million? Or 20 million? Either way, it’s a nightmare for customers and a disaster for Apple, if those accounts are locked, or if phones are bricked.

What’s the Answer?

As long as we use passwords, and users have the ability to reuse passwords, this problem will exist. Hackers are excellent at stealing data. Companies are bad at detecting breaches, and even worse about disclosing them unless legally obligated to do so.

Can Apple present those 250 million accounts from being seized? Probably. Will problems like this happen again and again and again? For sure, until we move away from any possibility of shared credentials. And that’s not happening any time soon.

/by
,

The cybersecurity benefits of artificial intelligence and machine learning

Let’s talk about the practical application of artificial intelligence to cybersecurity. Or rather, let’s read about it. My friend Sean Martin has written a three-part series on the topic for ITSP Magazine, exploring AI, machine learning, and other related topics. I provided review and commentary into the series.

The first part, “It’s a Marketing Mess! Artificial Intelligence vs Machine Learning,” explores probably the biggest challenge about AI: Hyperbole. That, and inconsistency. Every lab, every vendor, every conference, every analyst, defines even the most basic terminology — when they bother to define it at all. Vagueness begets vagueness, and so the terms “artificial intelligence” and “machine learning” are thrown around with wanton abandon. As Sean writes,

The latest marketing discovery of AI as a cybersecurity product term only exacerbates an already complex landscape of jingoisms with like muddled understanding. A raft of these associated terms, such as big data, smart data, heuristics (which can be a branch of AI), behavioral analytics, statistics, data science, machine learning and deep learning. Few experts agree on exactly what those terms mean, so how can consumers of the solutions that sport these fancy features properly understand what those things are?

Machine Learning: The More Intelligent Artificial Intelligence,” the second installment, picks up by digging into pattern recognition. Specifically, the story is about when AI software can discern patterns based on its own examination of raw data. Sean also digs into deep learning:

Deep Learning (also known as deep structured learning, hierarchical learning or deep machine learning) is a branch of machine learning based on a set of algorithms that attempt to model high level abstractions in data by using a deep graph with multiple processing layers, composed of multiple linear and non-linear transformations.

In the conclusion, “The Actual Benefits of Artificial Intelligence and Machine Learning,” Sean brings it home to your business. How you can tell if an AI solution is real? How can you tell what it really does? That means going beyond the marketing material’s attempts to obfuscate:

The bottom line on AI-based technologies in the security world: Whether it’s called machine learning or some flavor of analytics, look beyond the terminology – and the oooh, ahhh hype of artificial intelligence – to see what the technology does. As the saying goes, pay for the steak – not the artificial intelligent marketing sizzle.

It was a pleasure working on this series with Sean, and we hope you enjoy reading it.

/by
, ,

The Russians are hacking! One if by phishing, two if by Twitter

Was the Russian government behind the 2004 theft of data on about 500 million Yahoo subscribers? The U.S. Justice Department thinks so: It accused two Russian intelligence officers of directing the hacking efforts, and also named two hackers as being part of the conspiracy to steal the data.

According to Mary B. McCord, Acting Assistant Attorney General,

The defendants include two officers of the Russian Federal Security Service (FSB), an intelligence and law enforcement agency of the Russian Federation and two criminal hackers with whom they conspired to accomplish these intrusions. Dmitry Dokuchaev and Igor Sushchin, both FSB officers, protected, directed, facilitated and paid criminal hackers to collect information through computer intrusions in the United States and elsewhere.

Ms. McCord added that scheme targeted Yahoo accounts of Russian and U.S. government officials, including security staff, diplomats and military personnel. “They also targeted Russian journalists; numerous employees of other providers whose networks the conspirators sought to exploit; and employees of financial services and other commercial entities,” she said.

From a technological perspective, the hackers first broke into computers of American companies providing email and internet-related services. From there, they harvested information, including information about individual users and the private contents of their accounts. The hackers, explained Ms. McCord, were hired to gather information for the FSB officers — classic espionage. However, they quietly went farther to steal financial information, such as gift card and credit card numbers, from users’ email accounts — and also use millions of stolen Yahoo accounts to set up an email spam scheme.

Was this state-sponsored cybertheft? Probably, but it’s not certain. What we have are serious allegations, but we don’t know if the FSB agents were working on orders from the Kremlin, or if they were running their own operation for their own private benefit. It’s simply too soon to tell.

The Turkish/Dutch Hacking Connection

Similarly, it’s too soon to know who is behind this week’s use of hijacked Twitter accounts to fling some nasty rhetoric against the Netherlands. This comes on the heels of the Dutch government’s efforts to block Turkish government ministers from traveling to the Netherlands to encourage Turkish ex-pats to vote in a Turkish referendum. At the same time, the Netherlands themselves were having an important election, with one of the leading candidates offering an isolationist, anti-Muslim platform. According to Reuters,

A diplomatic spat between Turkey, the Netherlands and Germany spread online on Wednesday when a large number of Twitter accounts were hijacked and replaced with anti-Nazi messages in Turkish.

The attacks, using the hashtags #Nazialmanya (NaziGermany) or #Nazihollanda (NaziHolland), took over accounts of high-profile CEOs, publishers, government agencies, politicians and also some ordinary Twitter users.

The account hijackings took place as the Dutch began voting on Wednesday in a parliamentary election that is seen as a test of anti-establishment and anti-immigrant sentiment.

The hackers did a good job getting access to Twitter accounts. Reuters continued,

The hacked accounts featured tweets with Nazi symbols, a variety of hashtags and the phrase “See you on April 16”, the date of a planned referendum in Turkey on extending Erdogan’s presidential powers.

Among them were the accounts of the European Parliament and the personal profile of French conservative politician Alain Juppe.

They also included the UK Department of Health and BBC North America, along with the profile of Marcelo Claure, the chief executive of U.S. telecoms operator Sprint Corp.

Other accounts included publishing sites for Die Welt, Forbes and Reuters Japan and several non-profit agencies including Amnesty International and UNICEF USA, as well as Duke University in the United States.

How did the hackers get access to Twitter? In part by breaking into a Dutch audience analytics company, which would have had access to some or all of those accounts. As Reuters reported,

At least some of the hijacked tweets appear to have been delivered via Twitter Counter, a Netherlands-based Twitter audience analytics company. Twitter Counter Chief Executive Omer Ginor acknowledged via email that the service had been hacked.

Meanwhile in a separate action, Reuters said,

Last Saturday, denial of service attacks staged by a Turkish hacking group hit the websites of Rotterdam airport and anti-Islam firebrand Geert Wilders, whose Freedom Party is vying to form to form the biggest party in the Dutch parliament.

So – as with the Yahoo hack in 2014 – are these the work of state-sponsored hackers? Or of hackers who believe in a cause, and who are working on their own to support that cause? It’s too soon to tell, and in this case, we may never know; it’s unclear if any organizations as powerful as the U.S. Justice Department and FBI are investigating. What we do know, though, is that nearly everything is vulnerable. A reputable analytics service can be hacked in order to provide a backdoor means to take over Twitter accounts. Internet access companies can be subverted and used for espionage or for staging man-in-the-middle attacks.

How many more of these attacks will be unveiled in the weeks, months and years ahead? One safe prediction: There will be many more attacks — whether state sponsors are behind them or not.

/by
,

Repurposing, solution, robust, best of breed, mission-critical, next-generation, web-enabled, leading, value-added, leverage, seamless…

Let’s take a chainsaw to content-free buzzwords favored by technology marketers and public relations professionals. Or even better, let’s applaud one PR agency’s campaign to do just that. Houston PR, based in the UK, has a fun website called “Buzzsaw” which removes those empty phrases from text, such as press releases. Says the agency:

This free tool automatically hacks PR buzzwords out of press releases to make life more bearable for Britain’s hard-working journalists.

The Buzzsaw can also be used for speeches, strategy documents, advertising copy or any other collections of words that need to be as clear as possible.

You’ll find that toe-curling terms like repurposing, solution, robust, best of breed, mission-critical, next-generation, web-enabled, leading, value-added, leverage, seamless, etc, are struck out by the Buzzsaw.

It also takes a scythe to cutesy Hipster-style words and phrases like “totes amazeballs”, “awesome” and “super excited”.

To compile the Buzzsaw database we asked thousands of journalists to supply examples of the PR terms that irritate them the most.

Here are some of the words and phrases that Buzzsaw looks for. Note that it does tend to be British-centric in terms of spelling.

“win rates”, “business development lifecycle”, “market-leading”, “global provider”, “simple mission”, “optimal opportunities”, “unmatched capabilities”, “big data”, “pace of investment”, “priority needs”, “Blue Sky Thinking”, “Descriptor”, “Packages”, “Manage expectations”, “collegiate approach”, “oxygenate the process”, “low hanging fruit”, “Happy Bunny”, “Robust procedures”, “keep across”, “Stewardship”, “Solutioning”, “net net”, “sub-ideal”, “action that solve”, “expidite the deliverables”, “park this issue”, “suite of offerings”, “sunset”, “horizon scan”, “110%”, “Socialise”, “Humble”, “Special someone”, “Super”, “Shiny”, “Taxing times”, “Do the math”, “Sharing”, “Nailed it”, “Bail in”, “Revert”, “Sense check”, “Snackable content”, “higher order thinking”, “Coopetition”, “Fulfilment issues”, “Cascade”, “Demising”, “Horizon scanning”, “Do-able”, “Yardstick”, “Milestone”, “Landmark achievement”, “Negativity”, “True story”, “So True”, “Next-generation”, “Voice to voice”, “So to speak”, “Step change”, “Edgy”

Check it out — and if you are a tech PR professional or marketeer, maybe try it on your own collateral.

/by
, , ,

Exciting News: BZ Media sells InterDrone to Emerald Expositions

As many of you know, I am co-founder and part owner of BZ Media LLC. Yes, I’m the “Z” of BZ Media. Here is exciting news released today about one of our flagship events, InterDrone.

MELVILLE, N.Y., March 13, 2017 BZ Media LLC announced today that InterDrone™ The International Drone Conference & Exposition has been acquired by Emerald Expositions LLC, the largest producer of trade shows in North America. InterDrone 2016 drew 3,518 attendees from 54 different countries on 6 continents and the event featured 155 exhibitors and sponsors. The 2017 event will be managed and produced by BZ Media on behalf of Emerald.

Emerald Expositions is the largest operator of business-to-business trade shows in the United States, with their oldest trade shows dating back over 110 years. They currently operate more than 50 trade shows, including 31 of the top 250 trade shows in the country as ranked by TSNN, as well as numerous other events. Emerald events connect over 500,000 global attendees and exhibitors and occupy over 6.7 million NSF of exhibition space.

“We are very proud of InterDrone and how it has emerged so quickly to be the industry leading event for commercial UAV applications in North America,” said Ted Bahr, President of BZ Media. “We decided that to take the event to the next level required a company of scale and expertise like Emerald Expositions. We look forward to supporting Emerald through the 2017 and 2018 shows and working together to accelerate the show’s growth under their ownership over the coming years.”

InterDrone was just named to the Trade Show Executive magazine list of fastest growing shows in 2016 and was one of only 14 shows in the country that was named in each of the three categories; fastest growth in exhibit space, growth in number of exhibitors and in attendance. InterDrone was the only drone show named to the list.

InterDrone 2017 will take place September 6–8, 2017, at the Rio Hotel & Casino in Las Vegas, NV, and, in addition to a large exhibition floor, features three subconferences for attendees, making InterDrone the go-to destination for UAV educational content in North America. More than 120 classes, panels and keynotes are presented under Drone TechCon (for drone builders, engineers, OEMs and developers), Drone Enterprise (for enterprise UAV pilots, operators and drone service businesses) and Drone Cinema (for pilots engaged in aerial photography and videography).

“Congratulations to Ted Bahr and his team at BZ Media for successfully identifying this market opportunity and building a strong event that provides a platform for commercial interaction and education to this burgeoning industry”, said David Loechner, President and CEO of Emerald Expositions. “We have seen first-hand the emerging interest in drones in our two professional photography shows, and we are excited at the prospect of leveraging our scale, experience and expertise in trade shows and conferences to deliver even greater benefits to attendees, sponsors, exhibitors at InterDrone and to the entire UAV industry.”

/by
, ,

Look out iOS, Android and IoT, here comes the CIA, says WikiLeaks

To absolutely nobody’s surprise, the U.S. Central Intelligence Agency can spy on mobile phones. That includes Android and iPhone, and also monitor the microphones on smart home devices like televisions.

This week’s disclosure of CIA programs by WikiLeaks has been billed as the largest-ever publication of confidential documents from the American spy agency. The document dump will appear in pieces; the first installment has 8,761 documents and files from the CIA’s Center for Cyber Intelligence, says WikiLeaks.

According to WikiLeaks, the CIA malware and hacking tools are built by EDG (Engineering Development Group), a software development group within the CIA’s Directorate for Digital Innovation. WikiLeaks says the EDG is responsible for the development, testing and operational support of all backdoors, exploits, malicious payloads, trojans, viruses and any other kind of malware used by the CIA.

Smart TV = Spy TV?

Another part of the covert program, code-named “Weeping Angel,” turns smart TVs into secret microphones. After infestation, Weeping Angel places the target TV in a ‘Fake-Off’ mode. The owner falsely believes the TV is off when it is on. In ‘Fake-Off’ mode the TV operates as a bug, recording conversations in the room and sending them over the Internet to a covert CIA server.

The New York Times reports the CIA has refused to explicitly confirm the authenticity of the documents. however, the government strongly implied their authenticity when the agency put out a statement to defend its work and chastise WikiLeaks, saying the disclosures “equip our adversaries with tools and information to do us harm.”

The WikiLeaks data dump talked about efforts to infect and control non-mobile systems. That includes desktops, notebooks and servers running Windows, Linux, Mac OS and Unix. The malware is distributed in many ways, including website viruses, software on CDs or DVDs, and portable USB storage devices.

Going mobile with spyware

What about the iPhone? Again, according to WikiLeaks, the CIA produces malware to infest, control and exfiltrate data from Apple products running iOS, such as iPhones and iPads. Similarly, other programs target Android. Says WikiLeaks, “These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloackman by hacking the smart phones that they run on and collecting audio and message traffic before encryption is applied.”

The tech industry is scrambling to patch the vulnerabilities revealed by the WikiLeaks data dump. For example, Apple said,

Apple is deeply committed to safeguarding our customers’ privacy and security. The technology built into today’s iPhone represents the best data security available to consumers, and we’re constantly working to keep it that way. Our products and software are designed to quickly get security updates into the hands of our customers, with nearly 80 percent of users running the latest version of our operating system. While our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities. We always urge customers to download the latest iOS to make sure they have the most recent security updates.

Enterprises should expect patches to come from every major hardware or software vendors. IT must be vigilant about making those security updates. In addition, everyone should attempt to identify unpatched devices on the network, and deny those devices access to critical resources until they are properly patched and tested. We don’t want to help mobile devices to become spy devices.

/by
, , ,

Apple replaces Videos mobile app with TV — confuses iPad users

Apple isn’t as friendly or as as communicative as one would think. Earlier today, I received a panic call from someone trying to sync videos to her iPad from a Mac – and receiving a message that there was no suitable application on the iPad. Huh? That made no sense. The app for playing locally stored videos on an iPad is called Videos, and it’s a standard, built-in app. What’s the deal?

In short: With the iOS 10.2 operating system update, Apple renamed the Videos app to TV. And it has to be installed from the Apple App Store. It’s a free download, but who knew? Apparently not me. And not a lot of people who queried their favorite search engine with phrases like “ipad videos app missing.”

What’s worse, the change had the potential to delete locally stored video content. One dissatisfied user posted on an Apple discussion forum:

New TV App deleted home videos from iPad

I had a bunch of home videos on my iPad, and when I updated to iOS 10.2, the new TV App replaced videos. On my iPhone 6, this process went fine. I launched TV, and up popped the Library, and within it was a sub-menu for Home Videos. The one and only one I had on my iPhone is still there.

But I had dozens on my iPad and now they are all gone. Not only are they all gone, but there is no sub-menu for Home Videos AT ALL! I can probably replace them by synching to my laptop, but this is a time-consuming pain in the *$$, and why should I have to do this at all?

This change was unveiled in October 2016, with much fanfare, claiming:

Apple today introduced the new TV app, offering a unified experience for discovering and accessing TV shows and movies from multiple apps on Apple TV, iPhone and iPad. The TV app provides one place to access TV shows and movies, as well as a place to discover new content to watch. Apple also introduced a new Siri feature for Apple TV that lets viewers tune in directly to live news and sporting events across their apps. Watching TV shows and movies across Apple devices has never been easier.

The update appeared, for U.S. customers at least, on December 12, 2016. That’s when iOS 10.2 came out. Buh-bye, Videos app!

The change moved a piece of core functionality from iOS itself into an app. The benefits: The new TV app can be updated on its own schedule, not tied to iOS releases, and iOS releases themselves can be smaller. The drawback: Users must manually install the TV app.

Once the TV app is installed, the user can re-sync the videos from a Mac or Windows PC running iTunes. This should restore the missing content, assuming the content is on the desktop/notebook computer. How rude, Apple!

Let me add, snarkily, that the new name is stupid since there’s already a thing from Apple called TV – Apple TV.

/by
,

Snapchat IPO goes big — let’s hope it doesn’t go poof!

What’s the Snapchat appeal? For now, it’s a red-hot initial public offering and the promise of more public offerings to come, after a period of slow tech movement on Wall Street.

The Snapchat social-media service is perplexing to nearly anyone born before 1990, myself included. That didn’t stop its debut on the New York Stock Exchange from ringing everyone’s bell. According to Fox News, Snapchat’s (SNAP) wildly successful trading debut, which bested Facebook’s (FB), Alibaba’s (BABA) and Google’s (GOOGL). At the outset of trading Thursday, the stock jumped more than 40 percent to $24 a share, no thanks to Main Street investors who were largely left out of the action. Snapchat surged 44 percent Thursday, closing at $24.48, which valued the social media company’s market cap around $28.3 billion.

Not bad for a social media service whose appeal is that its messages, photos and videos only stick around for a little while, and then vanish forever. That places Snapchat in stark contract against services like Facebook and Twitter, which saves everything forever (unless the original poster goes back a deletes a specific post).

Snapchat’s hot IPO came on one of the biggest recent days on stock markets, with the FTSE 100 and Dow breaking records. As reported by the Telegraph:

“Animal spirits have taken over,” said Neil Wilson, of ETX Capital, as the FTSE 100 charged to a fresh intraday record high of 7,383.05. It closed at a new peak of 7,382.9, up 119.46 points, or 1.64pc, on the day, while the more domestically-focused FTSE 250 also hit an intraday high of 18,983.01.

and

On Wall Street, the Dow Jones crossed the 21,000 mark for the first time ever, as industrial and banking stocks rallied. Clocking in at 25 trading sessions, the rally from 20,000 to 21,000 is the Dow’s fastest move between thousand-point milestones since 1999.

Which 2017 IPOs will come next?

According to MarketWatch, possible hot IPOs to watch for in 2017 include:

  • Spotify: Spotify raised $1 billion in debt financing in March, according to The Wall Street Journal, with conditions that essentially force it to go public in 2017 or pay greater interest on its debt and increased discounts to its investors.
  • Palantir Technologies Inc.: Palantir sells its software to government agencies, including the Defense Intelligence Agency and other military branches, which could become more relevant under Trump’s administration.
  • Uber: In 2017, the ride-hailing startup is expected to face continuing battles over regulation as it fights with cities over self-driving cars as well as the operation of its driver-based business. Additionally, the company faces lawsuits over whether its drivers are employees or independent contractors, and a widespread ruling that finds the drivers are employees could have major implications for Uber’s business model.
  • Lyft Inc.: In 2016, Lyft was followed by rumors of a possible sale because it had hired investment bank Qatalyst Partners, which helps companies find a buyer. But John Green, Lyft’s co-founder, denied pursuing a sale in October and said the company could go public within a few years.
  • Airbnb Inc.: Like Uber and Lyft, Airbnb is also up against a bevy of regulations. But the company appears to be chipping away at short-term housing regulation city by city, with the most recent example coming in New York City. That will likely continue through 2017, Rao said, at least until the company can develop solid working relationships in major cities.
  • Dropbox Inc.: It feels like the file-storage company has been forever rumored to go public, but 2017 may finally be the year for Dropbox.

It will be a rollercoaster ride this year. Let’s hope the market exuberance doesn’t go the way of Snapchat’s messages: Poof!

/by
, ,

AWS, Azure, Google: The three big cloud providers keep getting bigger

You keep reading the same three names over and over again. Amazon Web Services. Google Cloud Platform. Microsoft Windows Azure. For the past several years, that’s been the top tier, with a wide gap between them and everyone else. Well, there’s a fourth player, the IBM cloud, with their SoftLayer acquisition. But still, it’s AWS in the lead when it comes to Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS), with many estimates showing about a 37-40% market share in early 2017. In second place, Azure, at around 28-31%. Third, place, Google at around 16-18%. Fourth place, IBM SoftLayer, at 3-5%.

Add that all up, and you get the big four (let’s count IBM) at between 84% and 94%. That doesn’t leave much room for everyone else, including companies like Rackspace, and all the cloud initiatives launched by major computer companies like Alibaba, Dell, HP Enterprise, Oracle, and all the telcos around the world.

Of course, IaaS and PaaS can’t account for all the cloud activity. In the Software-as-a-Service realm, companies like Salesforce.com and Oracle operate their own clouds, which are huge. And then there are the private clouds, operated by the likes of Apple and Facebook, which are immense, with data centers all around the world.

Still, it’s clear that when it comes to the public cloud, there are very few choices. That covers the clouds telcos want to monetize, and enterprises need for hybrid clouds or full migrations,  You can go with the big winner, which is Amazon. You can look to Azure (which is appealing, of course, to Microsoft shops) or Google. And then you can look at everyone else, including IBM SoftLayer, Rackspace, and, well, everyone else.

Amazon Web Services Inside?

Remember when computer makers were touting “Intel Inside”? In today’s world, many SaaS providers are basing their platforms on Amazon, Azure or Google. And many IaaS and PaaS players are doing the same —except in many cases, they’re not advertising it. Unlike many of the smaller PC companies, who wanted to hitch their star to Intel’s huge advertising budget, cloud software companies want to build out their own brands. In the international space, they also don’t want to be seen as fronting U.S.-based technology providers, but rather, want to appeal as a local option.

Speaking of international, the dominance of the IaaS/PaaS market by three U.S. companies can create a bit of a conundrum for global tech providers. Many governments and global businesses are leery of letting their data touch U.S. servers, and in some cases, even if the Amazon/Azure/Google data center is based in Europe or Asia, there are legal minefields regarding U.S. courts and surveillance. Not only that, but across the globe, privacy laws are increasingly strict about where consumer information may be stored.

What does this add up to? Probably not much in the long run. There’s no reason to expect that the lineup of Amazon, Azure and Google will change much over the next year or two, or that they will lose market share to smaller players. In fact, to the contrary: The big players are getting bigger at the expense of the niche offerings. According to a recent report from Synergy Research Group:

New Q4 data from Synergy Research Group shows that Amazon Web Services (AWS) is maintaining its dominant share of the burgeoning public cloud services market at over 40%, while the three main chasing cloud providers – Microsoft, Google and IBM – are gaining ground but at the expense of smaller players in the market. In aggregate the three have increased their worldwide market share by almost five percentage points over the last year and together now account for 23% of the total public IaaS and PaaS market, helped by particularly strong growth at Microsoft and Google.

The bigger are getting bigger. The smaller are getting smaller. That’s the cloud market story, in a nutshell.

/by
, ,

An intimate take on cybersecurity: Yes, medical devices can be hacked and compromised

Modern medical devices increasingly leverage microprocessors and embedded software, as well as sophisticated communications connections, for life-saving functionality. Insulin pumps, for example, rely on a battery, pump mechanism, microprocessor, sensors, and embedded software. Pacemakers and cardiac monitors also contain batteries, sensors, and software. Many devices also have WiFi- or Bluetooth-based communications capabilities. Even hospital rooms with intravenous drug delivery systems are controlled by embedded microprocessors and software, which are frequently connected to the institution’s network. But these innovations also mean that a software defect can cause a critical failure or security vulnerability.

In 2007, former vice president Dick Cheney famously had the wireless capabilities of his pacemaker disabled. Why? He was concerned “about reports that attackers could hack the devices and kill their owners.” Since then, the vulnerabilities caused by the larger attack surface area on modern medical devices have gone from hypothetical to demonstrable, in part due to the complexity of the software, and in part due to the failure to properly harden the code.

In October 2011, The Register reported that “a security researcher has devised an attack that hijacks nearby insulin pumps, enabling him to surreptitiously deliver fatal doses to diabetic patients who rely on them.” The insulin pump worked because the pump contained a short-range radio that allow patients and doctors to adjust its functions. The researcher showed that, by using a special antenna and custom-written software, he could locate and seize control of any such device within 300 feet.

report published by Independent Security Evaluators (ISE) shows the danger. This report examined 12 hospitals, the organization concluded “that remote adversaries can easily deploy attacks that manipulate records or devices in order to fully compromise patient health” (p. 25). Later in the report, the researchers show how they demonstrated the ability to manipulate the flow of medicine or blood samples within the hospital, resulting in the delivery of improper medicate types and dosages (p. 37)–and do all this from the hospital lobby. They were also able to hack into and remotely control patient monitors and breathing tubes – and trigger alarms that might cause doctors or nurses to administer unneeded medications.

Read more in my blog post for Parasoft, “What’s the Cure for Software Defects and Vulnerabilities in Medical Devices?

/by
, ,

Advocating for safer things: On the road, in the home, in business, everywhere

Think about alarm systems in cars. By default, many automobiles don’t come with an alarm system installed from the factory. That was for three main reasons: It lowered the base sticker price on the car; created a lucrative up-sell opportunity; and allowed for variations on alarms to suit local regulations.

My old 2004 BMW 3-series convertible (E46), for example, came pre-wired for an alarm. All the dealer had to do, upon request (and payment of $$$) was install a couple of sensors and activate the alarm in the car’s firmware. Voilà! Instant protection. Third-party auto supply houses and garages, too, were delighted that the car didn’t include the alarm, since that made it easier to sell one to worried customers, along with a great deal on a color-changing stereo head unit, megawatt amplifier and earth-shattering sub-woofer.

Let’s move from cars to cybersecurity. The dangers are real, and as an industry, it’s in our best interest to solve this problem, not by sticking our head in the sand, not by selling aftermarket products, but by a two-fold approach: 1) encouraging companies to make more secure products; and 2) encouraging customers to upgrade or replace vulnerable products — even if there’s not a dollar, pound, euro, yen or renminbi of profit in it for us:

  • If you’re a security hardware, software, or service company, the problem of malicious bits traveling over broadband, wireless and the Internet backbone is also not your problem. Rather, it’s an opportunity to sell products. Hurray for one-time sales, double hurray for recurring subscriptions.
  • If you’re a carrier, the argument goes, all you care about is the packets, and the reliability of your network. The service level agreement provided to consumers and enterprises talks about guaranteed bandwidth, up-time availability, and time to recover from failures; it certainly doesn’t promise that devices connected to your service will be free of malware or safe from hacking. Let customers buy firewalls and endpoint protection – and hey, if we offer that as a service, that’s a money-making opportunity.

Read more about this subject in my latest article for Pipeline Magazine, “An Advocate for Safer Things.”

/by