Wednesday, 27 February 2008

Innovation and security

Microsoft's fine from the EU got me thinking. It says a lot that it is a software company that has been on the receiving end of a fine that is record-breaking in size. It says a lot about the importance of IT capability today and how much we rely upon the availability of the infrastructure and the accuracy and availability of the applications and information. But what really got me thinking was the reason for the fine: repeatedly exhibiting behavior designed to stifle innovation. Houston... we have a problem. Daily, attacks with an assortment of motivations from the curious to the criminal to the military take place at a much higher rate than reported publicly. That most people only hear of massive problems and breaches occurring and not about the rest is perhaps testament to the fact that on the whole a lot of people work very hard to keep everything secure and operating. We certainly do not want to hamper any of those efforts such that they are anything less than "as absolutely best they can be in every way".

History has shown that the attacks not only multiply, they also adapt - there is innovation there too. So does anyone really think that those developing and designing on the attack side are deliberately holding their innovation back? This is a fundamental problem. Stifling innovations that evolve IT, or even overly delaying releases of new features to suit sales over secureness and resilience, is making us all less secure. This is the big picture, I think, and we must not accept it as industry behavior.

Tuesday, 26 February 2008

Physical security

I was away last week visiting the Outer Hebrides. It is a long drive, but we chose to self-drive the small hatchback instead of generating a flight's worth of CO2. Hence we crossed the Minch via car ferry. Cold, blowing a gale, and with waves literally crashing over the bow on the return trip. Spectacular. The handy passenger information told me that you would last 2 minutes if you found yourself in the water, and advised me to keep my woolen jumper on to extend my life by that crucial 10 seconds. But as I watched the salt water torrent heavily off the outer surface of the observation deck window I again wondered about the logic of having every passenger strip to their socks for every flight, while major car ferry crossings to and from the British Isles are essentially never, ever checked. Meanwhile every vehicle can hold a lot more explosive punch than 20 pounds of check-in airline luggage. Silly.

Thursday, 14 February 2008

HYPE POP - PHONE VIRUSES

With reference to this AFP reported story:
-snip-

Conditions ripe for phone viruses to spread

Viruses and hacking on mobile phones are still rare but attacks are a looming danger as more people access the internet and download files with their handsets, experts say.

A survey released this week at the industry's Mobile World Congress showed that only 2.1 per cent of users had been hit by a virus themselves and only 11.6 per cent knew someone who had been affected by one.

The poll by IT security specialist McAfee, based on 2,000 people in Britain, the United States and Japan, showed that 86.3 per cent had had no experience of mobile phone viruses.

The survey did suggest, however, that the more developed the mobile market is, with high use of the internet and downloads, the more likely people were to be hit by bugs.

Virus attacks in Japan, the most developed mobile phone market in the world, were far more commonplace than elsewhere.

"We should look at places like Japan which is where the future of mobile technology is," said Graham Cluley, a consultant at Sophos, another IT security firm.

"I wouldn't be surprised if we saw this problem growing because the phone is going to grow into a sort of mobile computer."

The website http://www.mobilephoneviruses.com, which tracks incidents of mobile virus infections, lists a handful of examples such as Skulls, Velasco and Commwarrior.

The latter infected about 110,000 phones in Spain last year, attacking phones running Nokia's Symbian operating system. It spread via MMS messages, text messages containing an audio, video or picture file.

"Viruses aren't a huge issue now, but they have the potential to be so in the future when internet use is more widespread," said a telecom analyst at the Forrester market research company, Pete Nuthall.

The industry is keen for phone owners to use their handsets for more than just calls and texting - for which profits are declining in developed countries - with internet and video, games and mapping the basis of new product offerings.

"It's a risk that we should be aware of but one shouldn't make it dramatic and worry people," said Emmanuel Forgues from Russian IT security group Kaspersky. "But it's a risk that exists and is certainly going to develop."

"There are few viruses that attack the operating system now. What people are looking at is how to propagate viruses," Forgues added.

One use of a virus would be to implant something in a user's address book for publicity or fraudulent purposes, for example.

Cluley said there were about 350,000 viruses written to attack computers running Microsoft Windows and about 200 known ones for mobile phone operating systems.

Computer viruses were now being written by organised crime gangs to steal money and personal information, while mobile phone viruses "have tended to be written by kids to show off", he said.

A 12-year-old boy wrote a virus for the new Apple iPhone which disables it, "turning it into a brick", said Cluley, and a user had to go to the boy's Internet site and download some software.

This crude bit of malware, which could not spread from phone to phone, was said to be an upgrade for the iPhone's operating system.

At French network operator Orange, a spokesperson explained that "with the convergence of the worlds of IT and telecoms the threat is going to get more and more serious".

"What interests developers is that their viruses spread as much as possible," the company said, adding that telephones used a number of different operating systems at present, making this difficult.

Nuthall predicts that "it'll take one big public mobile phone virus attack to create alarm".

In the future, he expects the network operators like Orange to provide protection for their clients.

"You'll end up seeing operators selling bundled services which include a McAfee solution, for example," he said.

-snip-

No

No

No

Word that rhymes with 'full'

Mobile platforms based on current phone paradigms WON'T be at large risk of malcode. Bring it on if we want to have an open debate on that subject.

Internet-based mobile (PC alternative) platforms might be subject to some of the same risks, but it doesn't mean we should replicate the protection model we are suffering under today on PC platforms.

POP

Hype bust moment.

Wednesday, 13 February 2008

Hacked by Cupid's arrow

Nearly eight years after the ILOVEYOU virus left us remorseful the morning after, apparently the FBI is warning of another lovestruck-themed attack. As various news reports from the last 24 hours document, according to the FBI we should expect another blow from the Storm Worm on Valentine's Day.

Come the 14th, we might expect that the only hearts are broken ones as we are tempted into opening scam love letters in the way of online greeting cards. Be careful who you accept love from, or you'll catch a nasty infection.

But nearly a decade after 'the love bug' took a real toll on our inboxes and hopeful sensitivities, we might reasonably ask whether this warning has been a bit hyped. In fact what the FBI reminds us is that the Storm Worm has "capitalized on various holidays in the last year by sending millions of e-mails advertising an e-card link within the text of the spam e-mail".

Not that we WILL be attacked, just a good old warning that we MIGHT be attacked.

Indeed, what the FBI points out is that, given the pattern of behaviour of the Storm Worm, and given that Valentine's Day is the next major event likely to have people hoping for an online greeting card, we should merely "be on the lookout for spam e-mails spreading the Storm Worm malicious software (malware)".

What they're NOT saying is that they KNOW we're going to be the recipient of a large scale attack. They're NOT saying they have evidence; they are profiling past behavior and projecting forward.

This is valuable advice; however, we should keep in mind that the best tricks are the unexpected ones. We fall more wholeheartedly for what we aren't expecting. Expect the twist - that is the lesson in security. It is a harder one to explain and a harder one to teach, but it is nevertheless the one that will serve us all better in the long term.

Meanwhile, do be careful online or offline on Valentine's Day. It is a jungle for the heart out there, but perhaps not a day you need the FBI to warn you of.

Monday, 4 February 2008

What does the evidence tell us?

Let me start this post with a bit of ICT humour that I was just sent:

After having dug to a depth of 10 meters last year, Scottish scientists found traces of copper wire dating back 1000 years and came to the conclusion that their ancestors already had a telephone network more than 1000 years ago.

Not to be outdone by the Scots, in the weeks that followed, English scientists dug to a depth of 20 meters, and shortly after, headlines in the English newspapers read: 'English archaeologists have found traces of 2000 year old copper wire and have concluded that their ancestors already had an advanced high-tech communications network a thousand years earlier than the Scots.'

One week later, 'The Kerryman', a southwest Irish newsletter, reported the following: 'After digging as deep as 30 meters in peat bog near Tralee, Paddy O'Driscoll, a self taught archaeologist, reported that he found absolutely nothing. Paddy has therefore concluded that 3000 years ago Ireland had already gone wireless.'

So what does the evidence really tell us? One of the emerging areas in information governance and information security is that of forensics. Back in 2000 (and beyond) most companies wanted to pretend that a security breach had never occurred. If the attack was conducted by an insider, it was more common for the individual (if they were caught) to be quietly asked to leave than it was for them to be taken to court. Of course, that just meant the problem moved elsewhere. Due to both the regulatory pressures of SB1386 and the like, and the maturing of the security industry, we are now far more likely to see companies making efforts to investigate not only how an attack occurred and by whom, but also to gather data that might eventually be submitted as forensic evidence in a subsequent legal proceeding.

There are a lot of catalysts for companies to search for evidence of the existence of information, and not just in the case of a cyber attack. Companies are now having to go to great lengths to retain and search their online (and offline) record stores. For example, in the case of a patent dispute or due diligence related to M&A activity and associated reviews by government competition watchdogs, companies may need to demonstrate that they have deeply examined their own records to prove whether they knew something, and if so when. Sometimes not finding something is as important as finding something.

I think we're just at the beginning of the maturity curve around information handling, governance, and information forensics. As an industry we have a lot to learn. Forensics is an area to watch in the coming years and one that we need to look at with a bigger picture in mind than simply that of investigating a cyber-attack after the fact.

PS. Thanks Panay for the joke

AutAvatar - MyCyberTwin

Today I spoke with the real Liesl Capper, CEO of MyCyberTwin.com. In an earlier post I mentioned MyCyberTwin and also posted a conversation I had with Liesl's own cyber twin - or AutAvatar as I am going to call these twins. The real Liesl is a lot smarter and a lot more interesting than her AutAvatar. AutAvatars are avatars that are able to function and interact with (real) people without having to be driven by their owners in real time. They are 'programmed' to respond by their owners, and can engage in detailed Q&A sessions via an IM dialogue. While the AutAvatars that are available to be set up free on the MyCyberTwin site are perhaps more suited to casual and 'fun' use (think social networks, dating sites and so on), the core technology has, in my view, solid value for corporate use. I have written up my thinking around this and the full paper can be downloaded here: www.thinkingstring.com/stringthink.html. I'll also be talking about this topic in my keynote presentation at the ISGIG conference.

Saturday, 2 February 2008

New off-the-shelf services packages

There's a whole new range of off-the-shelf services offerings available from ThinkingString, to help both technology vendors and technology buyers navigate the marketplace maze. All these are in addition to any ad-hoc consulting services engagements.


For details see
http://thinkingstring.com/services