
Tuesday, November 20, 2012

Software-defined datacentres demystified

The term software-defined datacentre (SDDC) rose to prominence this year during annual virtualisation conference VMworld 2012 with VMware touting it as the next best thing in IT.

A software-defined datacentre is an IT facility where the elements of the infrastructure – networking, storage, CPU and security – are virtualised and delivered as a service. The provisioning and operation of the entire infrastructure is entirely automated by software.

“It can bring a high degree of agility and flexibility to the infrastructure,” says Tony Lock, analyst at Freeform Dynamics. “But businesses may not be ready for such a transformation.”

In his keynote at VMworld Europe 2012, VMware chief executive Pat Gelsinger described today’s approach to the datacentre as “a museum of IT”, comprising legacy hardware and mainframes. “We need to make all aspects of infrastructure flexible,” said Gelsinger.

The software-defined datacentre was among the hot topics at Storage and Networking World (SNW) Europe 2012 in October. According to Hitachi Data Systems (HDS), the future needs more automation. “To put it frankly, you can’t make money with hardware,” a spokesman for HDS added.

Rob Jenkins, European director for VMware advisory services, claims that building large-scale datacentres from standard high-volume servers was inefficient and complex, both for cloud service providers and large enterprises.

“Besides, it is not very reliable, which is why SDDC is the future,” Jenkins says.

The software-defined approach has driven people to think differently about how we build networks (wide-area networks and network fabrics in the datacentre), bind them with applications and manage them, says Nicolas Fischbach, director of network and IT platform strategy and architecture at Colt.

A big part of VMware’s SDDC strategy is its revised vCloud Suite – unveiled at VMworld – which includes technologies to provide datacentre managers with software-defined computing capabilities, software-defined storage and networking elements as well as management and cloud components.

VMware’s strategy for a fully automated datacentre can be traced back to July when it bought networking company Nicira for more than $1bn. Nicira was a software-defined networking supplier offering multi-hypervisor network infrastructure, enabling users to run the network from a software perspective and remove the control from the hardware elements.

“SDDCs establish a single toolkit encompassing hybrid clouds” – Naser Ali, Eaton Electrical Group

Software-defined networking (SDN) is an approach to networking in which control is decoupled from hardware and given to a software application called a controller.

Adding Nicira is complementary to VMware’s SDDC strategy, says independent IT consultant Enrico Signoretti.

VMware is not alone in cashing in on software-defined network and software-defined storage to power an SDDC. Citrix acquired NetScaler with similar intentions and suppliers such as Xsigo and Oracle are developing automation capabilities in their services to power an SDDC, Signoretti says.

“I feel Microsoft will announce something very soon around SDDC,” Signoretti adds.

Software-defined datacentres and cloud computing

As software becomes sophisticated, building in more management capabilities, the role of hardware in a cloud-like datacentre is shrinking. Storage products are already software-backed.

The same is true of networking. Many networking products have a software layer, says Andrew Mauro, a virtualisation expert and VMware User Group (VMUG) Italy’s co-founder and board member.

“But what’s interesting about VMware’s SDDC proposition is that it will bring all the software pieces together into your infrastructure,” Mauro says. “Two years ago, integrating storage, network and security products was very difficult, but today, a software-defined datacentre could make that a reality,” he says. VMware’s vCloud Suite brings together what customers need to build, operate and manage a cloud infrastructure – virtualisation, automation, policy-based provisioning, disaster recovery, and applications and operations management – says Mauro.

“SDDCs go beyond traditional abstraction above core hardware assets and establish a single toolkit that also encompasses hybrid clouds,” says Naser Ali, segment manager of datacentres at Eaton Electrical Group.

Potentially, an SDDC implementation could allow servers and other hardware to be shut down or run at lower power levels, which has implications for energy use, according to Ali.

Some experts see SDDC as a more secure alternative to cloud. “SDDCs provide organisations with their own private cloud, allowing them to have far more control over hosted data,” says Tim Chambers, chief technology officer and co-founder of Data City Exchange. When data is stored in an SDDC, organisations can have on-demand access, rather than having to ask the cloud provider for permission.

“This is far more flexible and it means enterprises have the power to access their data when they need it,” adds Chambers. It also means an organisation can decide the level of security rather than relying on the security put in place by a cloud hosting provider.

“More often than not, CIOs are looking for an efficient, robust business function to be delivered. However, far too often, they move first, and think later, to the detriment of process delivery and more critically, the user experience,” says Ali.

Architecting software-defined environments implies rethinking IT processes such as automation, orchestration, metering and billing, and executing on operating model step changes (such as service delivery, service activation and service assurance).

Upskilling for SDDC is only one aspect of the evolution needed to deliver on the promise of applying flexibility to networks and datacentres, says Colt’s Fischbach. It starts with the understanding of customer requirements and how to translate them into a system and a commercial and technical service wrap. Executives need experience across networks, systems and applications to operate SDDC and there cannot be single skills/operations teams silos, says Fischbach.

But some see SDDC as beyond the usual “service” or “dynamic” level of the datacentre maturity models, at a “visionary level”. This puts SDDC on the post-cloud leading edge for many CIOs and could take up to 10 years before we see it hit the mainstream, says Ali.

And as enterprises continue using legacy products such as mainframes, SDDC will co-exist with old datacentres for a very long time, adds Signoretti.

But even for CIOs who want to adopt newer IT models such as SDDC, the road is not easy. “Licensing is one of the biggest challenges of moving to an infrastructure heavily driven by software,” says Signoretti. “Even in today’s highly virtualised world, we follow an archaic software licensing model. If we are talking about a software-defined facility, we need better, efficient and user-friendly licensing models,” he says.

In addition, there are challenges around storage and networking components – two of the biggest elements of SDDC. Storage and networking virtualisation are not at the same maturity level as server virtualisation.

“There are standards on top of OpenFlow for SDN, but nothing SDDC-centric is fully mature, meaning you cannot move an SDDC to a different toolkit,” says Ali, warning users of supplier lock-in.

Enterprises must be mindful of other challenges too. Legacy applications could fail if they are simply dropped in without taking into account latency, suitability to distributed architecture and fault tolerance at application level.

Besides, none of the basics of physics or economics will ever go away. “Energy will still be finite, marginally discontinuous in supply and increasingly expensive, and you do not want to launch a new SDDC and trip a circuit breaker,” says Ali.

The less standardised (and hence less private cloud-friendly) the customer’s requirement and the faster the change, the more adoptive the customer will be. “In simple terms, if distributed, varied technology and rapid change are a big part of generating revenue, you’ll be ready sooner,” says Ali.


This was first published in November 2012

Most UK citizens do not support draft Data Communications Bill, survey shows

Only 6% of UK citizens think the government has made a clear and compelling argument for the Draft Data Communications Bill, a survey has revealed.

In contrast, 71% of more than 1,800 adults polled said they do not trust that the data will be kept secure, according to the survey commissioned by privacy and civil liberties campaign group Big Brother Watch.

The draft legislation, aimed at making it easier for authorities to spy on electronic communications, requires internet and other service providers to retain records of all communications for 12 months, including emails, web phone calls and use of social media.

The government claims the proposals will cost £1.8bn over 10 years from 2012, a figure questioned by experts and those familiar with government IT projects.

Half of those polled online by YouGov said the proposed legislation is bad value for money, with just 12% saying it represents good value.

With online services critical to economic growth and public service reform, the research also found that the bill could undermine internet use, with 41% of online respondents saying they would be less likely to use websites and online services if the proposed legislation is passed.

“The public have seen through the scaremongering rhetoric and see the snoopers’ charter for the waste of money that it is,” said Nick Pickles, director of Big Brother Watch.

Instead of spending £2bn on another dodgy IT project, the Home Office should be making sure there are enough police officers with the right skills and equipment to investigate online crime, he said.

“While the real criminals take simple steps to hide their activity, the law would require every single person’s emails and messages to be monitored, and the public are right to be concerned that the data won’t be kept secure,” said Pickles.

Big Brother Watch believes the draft Communications Data Bill will hurt growth in the digital economy, undermine British foreign policy, create huge security risks and treat all citizens as suspects.

“The message from the public, technical experts and communications companies is clear: the only place this bill belongs is the bin,” said Pickles.

The survey comes as home secretary Theresa May is scheduled to give evidence to a special select committee of MPs and peers hearing pre-legislative evidence on the proposed bill.

Since the draft bill was published in May, the home secretary has insisted that the changes are needed to protect citizens from terrorists and paedophiles.

But in testimony to the Parliamentary committee hearing evidence on the bill in mid-October, information commissioner Christopher Graham said the proposed legislation would catch only incompetent criminals and accidental anarchists, but would have little effect on terrorism and serious organised crime.

A week earlier, Wikipedia founder Jimmy Wales said the Draft Data Communications Bill would constitute a security risk. Wales told the RSA Conference Europe 2012 the proposed bill would be useless and quite dangerous if enacted.

“It will force many relatively small companies to hang on to data that they would not otherwise retain, which puts the data at risk,” he said. 

In September, Wales raised these and other concerns before the parliamentary select committee.



Monday, November 19, 2012

Stuxnet hit Chevron’s systems, the energy giant admits

US multinational energy firm Chevron has revealed that it was hit by the Stuxnet virus, widely believed to have been launched by the US and Israel to spy on and disrupt Iran's nuclear facilities.

Stuxnet was designed to target only the specific Siemens Programmable Logic Controllers (PLCs) of centrifuges and network cards, used by Iran’s nuclear enrichment facilities in Natanz.

But now Mark Koelmel, general manager of earth sciences at Chevron, has told the Wall Street Journal that its network was infected shortly after Stuxnet's discovery in July 2010.

The news confirms speculation that Stuxnet could affect other organisations that use the same equipment as the nuclear facility in Natanz, suspected of being part of a secret weapons programme.

"I don't think the US government even realised how far [Stuxnet] had spread," said Koelmel. 

"I think the downside of what they did is going to be far worse than what they actually accomplished," he added.

Chevron, however, claims that it was not adversely affected by Stuxnet because the company makes “every effort” to protect its data systems from that type of cyber threat.

Chevron is the first US company to acknowledge that its systems were infected by Stuxnet, although most security experts believe the vast majority of hacking incidents go unreported.

The fact that Chevron’s systems were infected means that every industrial company around the world that uses similar equipment is at risk of being infected.

In October 2010, Stuxnet was reported to have infected millions of computers in China, but authorities downplayed the threat, saying it had not caused any severe damage.

According to Koelmel, companies are left to clean up the mess associated with viruses such as Stuxnet. 

“We’re finding it in our systems and so are other companies,” he said.

In July 2012, Siemens finally issued a fix for the software vulnerabilities in its PLCs that were exploited by Stuxnet.



Twitter apologises for unnecessary hacking warnings

Twitter has apologised after telling members their accounts had been hacked and forcing them to reset their passwords.

Twitter sent out a “large number” of emails telling members to change their log-in details, but gave no indication of the cause or source of the compromise, and would not share details of the size of the issue, according to the BBC.

“Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We've reset your password to prevent others from accessing your account,” the emails said.

Some users who received the warning noticed that some of their tweets had been deleted, while others said spam links had been posted without their knowledge, the report said.

However, in a subsequent blog post, Twitter apologised for sending out too many warning notices.

The microblogging site said password resets were a routine part of processes to protect users, but added: “In this case, we unintentionally reset passwords of a larger number of accounts, beyond those that we believed to have been compromised.”

Attempts to hack Twitter accounts are common, and are most frequently carried out by spammers, scammers and hackers to spread links to their malicious campaigns.

"In instances when we believe an account may have been compromised, we reset the password and send an email letting the account owner know this has happened along with information about creating a new password," Twitter said.

But the apparent problems with this process are a setback for Twitter and a blow to its reputation for technical competence built up over the past two years, according to the Telegraph.

Twitter initially struggled to cope with its rapid growth and regularly suffered embarrassing outages, but remained online throughout last week’s US election despite the heavy load, the paper said.

In the email warnings, Twitter urged members to choose a strong password such as one with a combination of letters, numbers, and symbols, and to:

Always check that your browser's address bar is on a https://twitter.com/ website before entering your password. Phishing sites often look just like Twitter, so check the URL before entering your log-in information!

Avoid using websites or services that promise to get you lots of followers. These sites have been known to send spam updates and damage user accounts.

Review your approved connections on your Applications page at https://twitter.com/settings/applications. If you see any applications that you don't recognise, click the Revoke Access button.

VMware seeks to increase support for Amazon Web Services

Virtualisation and cloud provider VMware is looking to increase support for Amazon Web Services (AWS), the frontrunner in the cloud computing services space.

VMware is conducting a survey urging its users to share their AWS usage details. 

“VMware is improving integration with Amazon Web Services and would like your input,” said Duncan Epping, principal architect in the Technical Marketing group at VMware, on the company blog.

“We are interested in increasing support for AWS through enhancements to vCloud Automation Center (vCAC), in particular.”

The company’s tools – such as vCloud Automation Center (based on its DynamicOps acquisition), Cloud Foundry and vFabric Application Director – already support provisioning on AWS.

VMware acquired DynamicOps in July this year to support heterogeneous virtualisation and cloud environments. In August, at VMworld 2012 San Francisco, the company further emphasised its multi-cloud vision by demonstrating how its new tools help users manage VMware-, Amazon- and Microsoft-based cloud infrastructures.

VMware will use its customers’ survey feedback to guide its initiatives around AWS support, its multi-cloud strategy and to help improve the vCAC tool. Multi-cloud strategy involves the use of two or more cloud services to cut the risk of data loss or downtime occurring out of reliance on a single platform.

Experts welcomed this move as the extension of support to other platforms that could free CIOs from fears of supplier lock-ins. IT executives will be able to easily move from one hypervisor to another as their business needs change.

"One of the great potential benefits achievable from virtualisation is the flexibility it can provide to move workloads around the available physical resources,” said Tony Lock, programme director at analyst firm Freeform Dynamics.

“The wider the span of platforms that can be used, the greater the options available to IT managers. If platform options can be expanded without adding complexity or risk, organisations will see benefits from the openness," Lock said.

Experts have said that even today, around 85% of public cloud-based workloads still run on Amazon’s cloud computing platforms.

But the increased integration is aimed at helping VMware retain users who are increasingly looking at heterogeneous suppliers for flexibility.

“VMware has realised that it cannot ignore other hypervisors and cloud providers any more,” said Jens Söldner, a German-based virtualisation consultant.

“Especially after the DynamicOps acquisition, they are trying to position themselves as the main management provider and now accept other hypervisors (Microsoft Hyper-V, Citrix XenServer and open source Kernel-based Virtual Machine - KVM) as possible counterparts to their own ESXi platform,” Söldner added.

But official support from VMware's help desk will probably require an agreement of some kind with AWS, said William Fellows, vice-president for research at 451 Research Group.

“But I'm sure they're working on it. Buying DynamicOps was a bust if they can't use it to claim true multi cloud support!” Fellows said.



Sunday, November 18, 2012

Skype in the workspace made public

Skype today launched a new platform to enable small businesses to connect with one another and potential customers.

Named Skype in the workspace, the website enables businesses to set themselves up with an online presence and begin connecting with a variety of other businesses that may be interested in establishing partnerships.

New users can sign up with their LinkedIn accounts and from there share any activity that takes place on the hub through their established social networks on the likes of Twitter or Facebook. 

They can organise Skype calls with other companies, be it to get advice about building on their ideas to turn it into a business or for potential partnering. Special advice blogs are offered up for free.

Skype in the workspace also hopes to become a central database for customers looking for services from small businesses.

This means they will be able to contact the firms directly through the website and use Skype calling to make the interaction more personal.   

The platform has been in beta since May and Skype boasts that 500 small businesses, start-ups and entrepreneurs have signed up, in areas ranging from photography to marketing.

Ural Cebeci, product marketing manager for Skype, wrote on his blog: “At Skype, we believe there's an opportunity for small business owners to share experiences with and learn from each other. This is why today we are opening the Skype in the workspace platform to the public.”

“Skype in the workspace brings you closer than ever before to the customers, partners, suppliers and prospects that you need in order to be successful. 

"No matter what your business or where you're based, joining the Skype community allows you to make valuable personal connections in real-time, face-to-face.”  

The site is free for all users but businesses will need to register for a Skype account to join.

Microsoft bought Skype for $8.5bn in October 2011.



UBM CIO leaves to move into consulting

The chief information officer (CIO) of media giant UBM (formerly United Business Media), Rorie Devine, has left the company to pursue other opportunities as a consultant.

UBM confirmed that the IT chief has left the post but the firm said that a replacement has not yet been appointed, and declined to make any comments about the reasons for Devine's departure. Devine did not respond to requests for comment either.

The IT executive will now be focusing on short-term interim management.

This time last year, Devine moved on from his previous role of UK chief technology officer at directory firm Yell, where he worked for a couple of years, to take on the group CIO job at UBM.

Prior to that, Devine was engaged with a number of consulting assignments off the back of his experience in online gambling - he led the IT team at betting exchange Betfair for four years - one of which being a seven-month assignment supporting the CIO at gambling firm Bwin.



Parliament reviews Microsoft Silverlight for Open Hansard platform

Parliament's ICT office is concluding a two-year review of whether its democratic responsibilities and technical ambitions will force it to purge Microsoft's Silverlight multimedia technology from its computer systems.

As part of a root and branch overhaul of parliamentary computing, the use of Silverlight will be an early test of the government's new open standards policy. The issue is to be settled in a matter of weeks.

Foremost in the systems overhaul is "Open Hansard", a platform that will publish official records of parliamentary proceedings as data feeds. The Parliamentary ICT office (Pict) is building this on a redevelopment of its seven-year-old Parliamentary Information System (Pims), which includes an open-source project that is being treated as a possible model for future work.

Parliament has employed both open standards and Open Hansard in pursuit of a long-standing aim to encourage democratic participation by giving people live, indexed data feeds derived from parliamentary proceedings.

John Angeli, director of parliamentary broadcasting, said he was looking at video formats as part of a relaunch of Parliament.tv, due in the New Year.

"We are absolutely in the thick of that right now," he said. "Our approach is always to maximise our reach and if it's possible to provide that in open standards then that is the road we would want to go down."

Parliament's choice of video format will have implications for other major technology initiatives it is pursuing, including the release of video streams under a revamped broadcast licence with an accompanying device that will allow anyone to embed footage of parliamentary proceedings in their websites or applications.

The Broadcast Unit is also working with the British Film Institute to digitise its archive of 85,000 video and audio tapes, an effort for which the choice of format will be crucial.

Parliament adopted Microsoft Silverlight, an alternative to Adobe's dominant Flash technology, to deliver its broadcasts on the Parliament.tv website, after its internet contractor Two Four became a Silverlight developer in 2007. It went with Microsoft's platform because its Broadcast Unit had already been digitising its recordings in Microsoft's proprietary Windows Media Video format.

The Broadcast Unit's choice tied Pict into using Microsoft software to deliver the recordings online in a Microsoft format. Pict had been pushing the broadcast team to adopt open standards and open source software formats since at least 2009, to remove any technological barriers between parliament and citizens.

The government's open standards policy, published earlier this month, decreed that government bodies must not allow their choice of computing standards to impose undue costs on citizens or businesses - for example, by making their digital interactions contingent on a particular brand of technology. It strove for the widest possible public participation, as well as preventing proprietary software standards tying public bodies into a particular supplier's application software.

The Broadcast Unit had been immovable because its broadcast licence - through which it sold retransmission rights of parliamentary recordings - strictly forbade redistribution of its media. Microsoft's Windows format was designed in a way that helped it impose licence controls.

But Angeli's office broke up Parliamentary Broadcasting Unit Ltd (Parbu), its 23-year-old cost-sharing venture with TV broadcasters BBC, ITV, Channel 4 and 5 last summer. It had been in operation since 21 November 1989, the date Parliament first allowed television cameras to record its proceedings.

Parbu was finally dissolved in May this year, just as Angeli went to the House of Lords Information Committee with his case for turning parliamentary broadcasts into a democratic, internet asset.

Angeli tore up the old broadcast licence and fee structure, arranged for Parliament to shoulder its broadcast costs - £1m annually, according to Parbu's last accounts - and is now arranging to make it possible for anyone to embed parliamentary broadcasts in their web pages.

Pict has meanwhile been drawing up a list of open data standards to turn Hansard, Parliament's official written record, into a public asset.

"It will enable us to integrate our data into the emerging semantic web, so that others can interrogate and reuse it more effectively," said Tim Youngs, business manager for information and online services at Pict.

"It has also enabled us to reuse the work of others and thereby avoid reinventing wheels."

Pict spent three years rebuilding Pims as what Youngs described as a modular framework. It developed all but one of eight modules in-house. It has to date settled on seven open standards: http, Atom, RDF, SPARQL, Opensearch, XML and Dublin Core Metadata.

"We have plans now to build on the new framework over the next two to three years, making more material available for tagging and searching and using the enriched data produced to enhance the material we make available on the Parliament website," said Youngs.

Microsoft declined to comment.



Saturday, November 17, 2012

Apple and HTC bury the hatchet

Rival smartphone makers Apple and HTC have settled all outstanding disputes over patents.

The agreement comes after HTC both lost and won court battles against Apple in just over two-and-a-half years of legal wrangling.

In addition to the global settlement to end more than 20 legal cases, the two firms have signed a 10-year licence agreement that extends to current and future patents held by both parties.

“HTC is pleased to have resolved its dispute with Apple, so HTC can focus on innovation instead of litigation,” said Peter Chou, CEO of HTC.

Apple CEO Tim Cook said: “We are glad to have reached a settlement with HTC. We will continue to stay laser-focused on product innovation.”

“Now HTC can focus on innovation instead of litigation” – Peter Chou, CEO, HTC

The terms of the settlement were confidential, the two companies said in a statement, but industry sources suggested that HTC may have agreed to pay Apple between $5 and $20 per handset it produces with Google's Android operating system, according to the Guardian.

Some analysts have suggested that the deal between Apple and HTC could signal the closing stages of the patent wars in the smartphone market, the paper said.

The deal comes after Apple secured $1bn in damages in its patent battle with Samsung, and amid speculation of a profit warning at HTC.

HTC’s profits have plummeted since September 2011, with quarterly profits for July to September 2012 down 79% compared with the same period a year ago.

Analysts said that unlike Samsung, HTC was not making a handset that looked like Apple’s iPhone, which meant a licensing deal was always a possibility.



BYOD devices to double by 2014

The number of consumer smartphones and tablets brought into workplaces will more than double by 2014, according to a recent study, but security on the endpoints is lacking.

Juniper Research claims the number of devices being used in the corporate environment will reach 350 million globally, compared with 150 million already used in 2012. This figure accounts for 23% of all consumer mobile devices on the market.

The study from Juniper Research predicts most of the bring-your-own-device (BYOD) activity will happen in western Europe. The region will account for 140 million devices in 2014. This is followed by North America and the Asia/Pacific area.

Yet only 5% of smartphones and tablets currently have security software installed, despite a steadily increasing threat from malware, fraud and theft.

“As smartphones are increasingly used for accessing remote data and carrying sensitive business and personal data, security apps are becoming an essential and integral part of the smartphone to make it less vulnerable to the different types of threats,” said the report, written by Nitin Bhas, senior analyst at Juniper Research.  

“As both consumer and enterprise adoption of tablets has risen – following the success of Apple’s iPad – there is a pressing need to provide security solutions for these devices.”

As well as the increased use of both smartphones and tablets, it is the way they are used that is causing the security issues, claimed Bhas. 

Both free and paid-for apps are posing more of a risk as they are easy to download and, if anything untoward is stored inside the programmes, it is hard to detect until they are on the device.

Also, with such a range of mobile operating systems on offer, maintaining security across devices is increasingly difficult. The research claims the increase of open operating systems, such as Android, makes the development of targeted attacks easier, but when any third party developer gets involved with apps, it increases risk.

Mobile commerce apps are also of particular danger as, without the right security measures in place, a lot of sensitive information could get into the wrong hands.

“While the mobile environment has been largely successful thus far in eluding the wide spread threats and attacks faced by the PC world, it is becoming both more appealing to cyber criminals and is inherently vulnerable to other security issues,” Bhas wrote.

“A combination of safe practice and modern software to counter these threats is becoming more important by the day.”

The report claims businesses should install the standard list of security software expected to be present on other endpoints onto mobile devices, including a firewall, antivirus, spam, malware and phishing protection.

This way both the consumer’s personal information is kept safe and the corporate network is protected.

The biggest threat, however, is if a phone is lost or stolen, and the fear of this occurrence will drive companies to think about the security of devices.

“As smartphone users increasingly store personal and business data, then the risk of crimes such as identity theft, made possible by phone theft, will be a strong motivator in using mobile security suites.”

BYOD schemes are often called “a security nightmare” by industry experts but, again, with the right software protections on the phone, this becomes less of an issue.

“BYOD is actually blurring the line separating business devices from consumer devices,” wrote Bhas. “This consumerisation of business devices reflects the change in consumer attitudes towards bringing in their own devices to the workplace.”   

“There is a need to consider mobile devices as just another endpoint. They should be integrated with existing management platforms and there is a need to educate or inform enterprises of what solutions they should adopt.”

Despite all this information, Juniper Research figures still only expect one in five devices to have third party security software installed in the next five years. But Bhas believes high-profile cases where mobiles are attacked will publicise the risk and raise awareness of both businesses and end users, seeing the revenue generated by mobile security vendors passing $1bn in 2013.

“Just as consumers are currently purchasing and installing internet security products on their PCs and laptops, mobile device users will also add their mobile devices to the list of electronic devices they must secure,” the report concludes.

“The number of protected consumer devices will overtake protected enterprise devices by 2015, driven by BYOD trends.”



Irish construction company reduces SQL Server storage with AvePoint

Walls Construction, an Irish construction services company, has saved upwards of €31,000 by moving stale content from a SQL Server to less expensive storage, using software from AvePoint – a SharePoint governance and infrastructure management provider.

Robbie Armstrong, IT Manager at Walls Construction, founded in 1949 by PJ Walls, describes the business problem he and his small IT team of three people set out to solve three years ago, first with Microsoft SharePoint, then with AvePoint’s management software.

“The quantity and diversity of data on our servers was the issue. We had so much data, and people were storing project information on their own user folders," he said. "There was too much data in too many locations, and massive duplication. We needed to get the material into a central location and make it accessible to everyone."

Walls's content files are often large in size, since they feature photographs, blueprints, and other related data. There are 125 staff and 50 heavy users of the SharePoint environment.

“As a construction and development company, we deal with everything from tenders to final construction. There is a mass of data associated with that," said Robbie Armstrong.

“In the construction stage, we deal with a range of subcontractors – so there is a massive amount of email correspondence. 

"There was a litigation with a sub-contractor, in which we had agreed on a certain figure that was subsequently revised. We were able to prove our case, thanks to SharePoint. 

"It saved Walls a considerable amount of money," said Armstrong.

“But the big factor was to make ourselves more efficient with regards to project work. And drawings are a big demand on our storage”.

Walls has been using AvePoint for “close on two years. We had half a terabyte of storage in our head office and that was growing rapidly. SharePoint SQL Server couldn’t handle such a big database so we had to get data out of the live database in such a way as to be completely transparent to the end-users”, he said.

The construction services company is using DocAve Archiver to reduce the size of its SQL Server content database, DocAve Backup and Restore, and DocAve Content Manager, which enables it to copy, move, and reorganise SharePoint content from a browser while maintaining all the content, configuration, security settings, and metadata.

The company is also subject to a 12-year Irish construction industry data-retention policy. All documents related to each build have to be retained and DocAve Archiver helps with storage.

“We were blown away by the product suite’s ease of use, and by the rapidity and simplicity of support”, said Armstrong.



Friday, November 16, 2012

Security Think Tank: Infosec needs to be part of all M&A processes

Businesses evolve, grow and shrink as market opportunities present themselves. Security professionals need to be ready for this change and it is important to understand the role of information security in mergers and acquisitions (M&As).

The primary rationale is that the information security function should form a vital part of the business process: to be included in the planning process of all M&A activities, thereby ensuring that the current posture is not undermined.

It is advisable to review the security architecture, especially the network topography and identity and access management (IAM), for its readiness for M&A, both in the role of acquiree and acquirer. 

For example, the network and security control points can be designed so that the network/ICT infrastructure can be segregated appropriately or accept new connections while preserving the security layers.

The IAM preparedness is even more important. By having a well-designed and documented centralised directory, single sign-on and identity federation capability, an organisation is better prepared for changes ahead.

Depending on the organisation’s size, there may be several security suppliers supporting your ICT activities. It is therefore fundamental to have contracts formulated so they can be expanded or shortened in volume of services being delivered. 

For example, managed service provider (MSP) contracts are typically two to three years in duration. 

Discussion with executives is key to understanding the likelihood of M&A during that period, so that the contract can be correctly and appropriately formulated. 

In some cases, the information gleaned from that discussion may indicate the unsuitability of continuing with that particular MSP partner and lead to selection of a more suitable partner.

In summary, whether the organisation is the acquirer or the one being acquired, bringing the Information Security team on side will ensure that appropriate due-diligence forms part of a successful M&A.  

They will be able to identify any issues early on and avoid any areas where regulatory or legislative obligations, especially regarding data, may be in jeopardy.

Vladimir Jirasek, director of research, UK chapter Cloud Security Alliance


This was first published in November 2012

Ofcom sets date for £1.3bn 4G frequency spectrum auction

Ofcom today told mobile operators that applications for the 4G spectrum auction must be submitted by 11 December 2012.

The telecoms regulator announced the date as part of a statement finalising the rules for the process, including the reserve prices of all the frequencies, totaling £1.3bn.

“Today marks an important shift from preparation to the delivery of the auction, which will see widespread 4G mobile services from a range of providers,” said Ed Richards, CEO of Ofcom. 

“The entire industry is now focused on the auction itself, with a shared goal of delivering new and improved mobile services for consumers.”

The spectrum auction will see the 800MHz and 2.6GHz spectrum – freed up after the digital television switchover – split into seven separate lots, with reserve prices ranging from £100,000 for 5MHz of the unpaired 2.6GHz spectrum through to £250m for 2x10MHz of the 800MHz spectrum, although this latter one includes a service obligation to extend 4G coverage across some areas.

EE – formerly Everything Everywhere – is currently the only operator in the UK to offer 4G services after Ofcom agreed to the operator repurposing its existing 1800MHz allocation for 4G services.

During the consultation process, the operator complained to Ofcom that its methodology for working out the reserve prices put the starting bids for the 800MHz spectrum too high, but the regulator dismissed the claims, saying its rules were unlikely to deter bids.

Once the applications have been submitted, Ofcom will use December to decide who can go forward to the auction. January will then see the bidding begin, although Ofcom has warned the process could take several weeks.

In February and March, mobile operators will be told who has won which allocations and the licence fees will be taken by the regulator. Ofcom then expects 4G services to launch in May or June.

Ofcom has submitted a statutory instrument to pass this through as legislation and, if all goes to plan, the rules should come into force on 23 November 2012.  



Thursday, November 15, 2012

Trusted computing for industrial control systems and infrastructure

Beyond the Stuxnet worm that targeted industrial software and equipment, supervisory control and data acquisition (SCADA) attacks are becoming increasingly common.

In an article for the Wall Street Journal on taking the cyber attack threat seriously, Barack Obama noted: “Last year, a water plant in Texas disconnected its control system from the internet after a hacker posted pictures of the facility's internal controls. 

"More recently, hackers penetrated the networks of companies that operate our natural gas pipelines. Computer systems in critical sectors of our economy – including the nuclear and chemical industries – are being increasingly targeted.”

In October, US Secretary of Defense Leon Panetta warned about the growing threat of attacks against the country’s critical infrastructure. 

"We know of specific instances where intruders have successfully gained access to these control systems," Panetta said. 

"We also know they are seeking to create advanced tools to attack those systems and cause panic, destruction and even loss of life."

Industrial control systems (ICS) play a critical role in any nation’s infrastructure. Specific ICS areas include:

Resource extraction and transportation;
Power generation, distribution and delivery;
Healthcare equipment and data exchange;
Process control;
Transportation;
Building automation;
Manufacturing.

Communications in all these areas suffer from proprietary protocols in legacy and current hardware. In addition, security in these systems has historically not been a major consideration.

In the US, the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) is concerned with the disruption that can be caused by attacks on ICS and other enterprise equipment.

ICS-CERT has advised that the Shamoon virus, first detected by Symantec in August, could harm control systems even though it does not specifically target them. Vulnerabilities in ICS products are being disclosed at alarming rates, and new mysterious vulnerability markets present new dynamics for assessing risk and crafting strategy. In general, ICS attack targets can include power plants, chemical plants, water delivery systems, and many other facilities with control networks.

Adding trust to ICS

Companies and IT managers who want to avoid finding out how extensive the damage and disruption might be to their systems have a solution available that has been developed over several years as part of overall enterprise computer and network security protection. Developed by technical expert members who represent the leading companies that supply computing and network technology – as well as high-tech users including The Boeing Company, BAE Systems, and many others – the Trusted Computing Group’s (TCG’s) open standards now include specifications that address the connectivity management and network security of ICS environments.

These new specifications build on other TCG open standards for protecting enterprise information in hard drives, through TCG’s Trusted Storage, or the network, through TCG’s Trusted Network Connect (TNC) including entry points such as machine-to-machine (M2M) interfaces. The increased security provided by these systems can additionally be anchored in the Trusted Platform Module (TPM) hardware, an integrated circuit, hardware-based root of trust that delivers substantial endpoint protection.

The existing networks in enterprises, including the internal intranet and virtual LANs (VLANs), external connectivity to internet, cellular and WiMAX, present provisioning, operational management, health monitoring, system reliability, security and other scaling challenges. These challenges are exacerbated by ICS environments, where traditional IT management tools do not apply well. TCG’s Interface for Metadata Access Points (IF-MAP) provides a solution for publishing, searching and subscribing to metadata, the data about data. The open standard protocol was designed for security coordination use cases. It provides a highly scalable architecture optimised for loosely structured metadata.

Adding to the protection that IF-MAP enables, TCG recently announced a new standard that extends TNC IF-MAP for greater network security. IF-MAP Metadata for ICS Security specification addresses the deployment, management, and protection of large-scale industrial control systems by creating secure virtual overlay networks on top of the standard, shared IP network infrastructure typically used in ICS.

IF-MAP metadata and extended identifiers are defined in the specification along with a prescribed set of MAP client behaviours. Together, they provide the necessary coordination and configuration management functionality for creating secure logical overlay networks for communication between and with ICS devices.

To better understand the situation and available improvement, consider a typical industrial enterprise. There are distributed ICSs that are isolated from the corporate network through a variety of traditional mechanisms, each with varying tradeoffs between cost, management, security, and performance. Since many of the ICS environments represent the revenue-generating components of an enterprise, there are significant business drivers to add connectivity between corporate network services and these systems.

Adding increased connectivity into what has traditionally been isolated with an air gap presents significant people, process, and technical challenges. Naturally, the goal is to make an investment in an architecture that has a clear ROI, and to determine the level of defensive layers appropriate to the surety and risk required for a given enterprise. The TCG ICS Security specification bridges gaps between IT management tools and the operational requirements of ICSs, while simplifying the application of additional defensive layers of security.

Building on the soon-to-be-published ISA 100.15 architectural model for secure ICS communications over untrusted shared networks (TR100.15.1, “Wireless Backhaul”), the ICS domain-specific network architecture defined in the new specification:

Operates with legacy (existing) ICS devices and infrastructure
Enables isolation between ICS security domains and/or individual ICS components
Enables the use of cryptographically bound identities for ICS devices and Policy Enforcement Points (PEPs)
Enables the use of overlay networks for isolating and protecting key components
Enables the creation of extended metadata for defensive layers such as firewall and deep packet inspection (DPI)
Provides operational access control
Enables self-provisioning ICS Devices

Taking the first step

With enough effort, any physical or cyber security system can ultimately be breached, yet businesses interested in strengthening their defenses against attackers need to explore the protection that can be added to their network infrastructure, including the ICS elements. The Trusted Computing Group, with its established history of providing improved trust to enterprise computers, networks, and more, has the standards-based tools to implement this higher level of security. For ICS and SCADA equipment, the new ICS Security Metadata specification provides the means to add a layer of management and security into new and existing ICS environments. The alternative of doing nothing could provide first-hand experience of the destruction and disruption that increasingly dangerous malicious software can cause.

David Mattes is an invited expert to the Trusted Computing Group and founder of Asguard Networks


This was first published in November 2012

Video interview: Why develop for Windows 8?

In this interview, Anand Krishnan, director, developer & platform group, Microsoft UK, speaks about Windows 8 development.

He says: "We're making a big shift to becoming a devices and services company." He believes Microsoft is on the edge of a revolution to redefine the idea of a device.

"It used to stand for phones and tablets. But we are walking into a world where a device is just a computer."

As Computer Weekly has previously reported, Windows 8 represents a departure from how applications are currently developed. "To truly take advantage of the new UI, you will need to redevelop applications," he adds.

BT trials 10Gbps line in Cornwall

BT is trialling a 10Gbps broadband connection to a business in Cornwall in an attempt to future proof its network.

The line runs from the Truro exchange in the centre of the county to Arcol’s factory in Threemilestone, where the firm makes resistors for a number of customers, including Aston Martin, Siemens and British Airways.

The connection is based on equipment from Chinese technology firm ZTE and known as xGPON. GPON is what is currently used by BT to get superfast broadband connections of up to 330Mbps to homes and businesses, but using ZTE’s kit, this can be increased to 10Gbps.

A content server and xGPON box sit in the exchange, with a large router based at Arcol, meaning the company can achieve the high speeds with no change to the fibre network running the 5km between the two.

Director of the Superfast Cornwall Programme for the BT Group, Dr Ranulf Scarbrough, said nothing on the internet needed these speeds yet but testing the capabilities meant BT could look to the future.


“This technological proof of concept trial is not just about great broadband speeds now, but about future proofing our network and staying ahead,” he said.

“We have proved we can do it, we can get 10Gbps which is 10,000 times faster than what Arcol was getting just six months ago, and although we may be limited by electronics, it is not the fibre that will hold these networks up.”

Alun Morgan, technical director at Arcol, said the ability to connect at such fast speeds was “opening the door” for the company to achieve much more.

“The ability to communicate is imperative for us. Before, we couldn’t even listen to a radio stream from the internet without connection speeds of less than 2Mbps,” he said.

“Superfast broadband is making such a difference, allowing us to use services such as cloud back-up, that we couldn’t have dreamed of before.”

Scarbrough said there was “no plan for 10Gbps to become a product” at present, but concluded: “This type of connection exercises every other component that can’t handle it, but the fibre can.”



Wednesday, November 14, 2012

CW500: Alistair Maughan, Partner, Morrison & Foerster (UK) LLP

Cloud computing is a key consideration for any IT strategy but still poses many questions to IT leaders, whether in terms of data security, training or moving legacy applications to the new environment. In this CW500 Club video Alistair Maughan, Partner, Morrison & Foerster (UK) LLP, talks to Computer Weekly editor in chief Bryan Glick about best practice in moving to the cloud.

CIOs distrust public cloud for mission-critical work, says IDC

Enterprise mission-critical applications and workloads are rising, but IT executives are still not confident about running them on public cloud platforms, according to research firm IDC.

Mission-critical systems remain at the core of the datacentre. 

“For CIOs, mission-critical workloads are the life of business operations and they see it as critical to run business efficiently,” said Thomas Meyer, vice-president, EMEA systems and infrastructure solutions at IDC.

“But only a minority of CIOs are willing to deploy these crucial workloads on to the public cloud.”

Enterprises are more confident in deploying mission-critical apps on to their private cloud but remain wary about public cloud-based platforms, Meyer said.

While security, data protection, compliance and data location are the crucial factors holding CIOs back, there are other factors too.

Many enterprises do not have much experience of public cloud and are hesitant to transfer their mission-critical apps to it, Meyer said. This lack of experience also means they are not sure about the cost benefits of transferring all workloads to the cloud.

“Lastly, when it comes to public cloud, no one takes liability for service levels for critical apps and for an enterprise, mission-critical apps have to be up 24/7,” Meyer said.

According to IDC’s research, IT executives perceive business processing and database applications to increase significantly in their mission-critical status.

Most enterprises still run their business processing systems such as ERP and CRM on Unix servers, the IDC study found.

Meyer said that a third of CIOs are looking to adopt a cloud-first strategy by 2014. 

“But even then, they are aggressive about cloud use for non-critical workloads such as web service tools, and collaboration tools rather than for database apps or business processing systems,” Meyer said.

IDC’s comments came at an HP event where the supplier strengthened its mission-critical converged infrastructure portfolio with enhanced HP Integrity systems, HP-UX software and services.

The new tools aim to provide enterprises with three times faster performance, more resiliency and security for critical workloads deployed into the next decade, according to Mark Payne, European head of HP’s business-critical systems.



Tuesday, November 13, 2012

Millions worldwide use insecure browsers, says Kaspersky

Nearly a quarter of worldwide internet users are still running outdated browsers, creating huge gaps in online security, a study has revealed.

Out of a random sample of 10 million customers, security firm Kaspersky found 23% were using browsers that are not enabled with the latest security features.

Nearly two-thirds of these are using the previous version of a browser, while the rest are using obsolete versions.

Browsers are continually updated to defend against the latest security threats, but most internet users still take a month to upgrade and the rest take considerably longer, analysis of web usage patterns through the cloud-based Kaspersky Security Network revealed.

With cyber criminals increasingly exploiting vulnerabilities in web browser applications or outdated plug-ins, not updating browsers can have serious security implications for users, security researchers warn.

According to the findings, the most popular browser was Internet Explorer (IE), used by 37.8% of users, followed by Google Chrome (36.5%) and Firefox (19.5%). 

While 80.2% of IE users were using the most recent browser in August 2012, followed by 79.2% of Chrome users, 66.1% of Firefox users and 78.1% of Opera users, 3.9% were using obsolete browsers IE 6 and 7, representing hundreds of thousands of users worldwide.

“Our new research paints an alarming picture. While most users make a switch to the most recent browser within a month of the update, there will still be around a quarter of users who have not made the transition,” said Andrey Efremov, director of whitelisting and cloud infrastructure research at Kaspersky.

“That means millions of potentially vulnerable machines, constantly attacked using new and well-known web threats. This is strong evidence of the urgent need for proper security software which is able to react to new threats in a matter of minutes, not days or even weeks,” Efremov said.

Researchers said that, although the study is mainly made up of consumer user data, corporations should pay particular attention to the results: because employees’ abilities to install updates are limited, using obsolete software is a common and potentially dangerous practice in business environments.

According to the study report, if users are unable to update software by themselves, it has to be done in a centralised way. Alternatively, businesses could allow employees to install and update certain programs, while maintaining restrictions for unwanted software.



BT trials 10Gbps line in Cornwall

BT is trialling a 10Gbps broadband connection to a business in Cornwall in an attempt to future proof its network.

The line runs from the Truro exchange in the centre of the county to Arcol’s factory in Threemilestone, where the firm makes resistors for a number of customers, including Aston Martin, Siemens and British Airways.

The connection is based on equipment from Chinese technology firm ZTE and known as xGPON. GPON is what is currently used by BT to get superfast broadband connections of up to 330Mbps to homes and businesses, but using ZTE’s kit, this can be increased to 10Gbps.

A content server and xGPON box sit in the exchange, with a large router based at Arcol, meaning the company can achieve the high speeds with no change to the fibre network running the 5km between the two.

Director of the Superfast Cornwall Programme for the BT Group, Dr Ranulf Scarbrough, said nothing on the internet needed these speeds yet but testing the capabilities meant BT could look to the future.

“This technological proof of concept trial is not just about great broadband speeds now, but about future proofing our network and staying ahead,” he said.

“We have proved we can do it, we can get 10Gbps which is 10,000 times faster than what Arcol was getting just six months ago, and although we may be limited by electronics, it is not the fibre that will hold these networks up.”

Alun Morgan, technical director at Arcol, said the ability to connect at such fast speeds was “opening the door” for the company to achieve much more.

“The ability to communicate is imperative for us. Before, we couldn’t even listen to a radio stream from the internet without connection speeds of less than 2Mbps,” he said.

“Superfast broadband is making such a difference, allowing us to use services such as cloud back-up, that we couldn’t have dreamed of before.”

Scarbrough said there was “no plan for 10Gbps to become a product” at present, but concluded: “This type of connection exercises every other component that can’t handle it, but the fibre can.”



BlackBerry 10 approved for US government

BlackBerry maker Research In Motion (RIM) has announced that its yet-to-be-launched BlackBerry 10 platform has been awarded the US government’s FIPS 140-2 security certification.

The Federal Information Processing Standard certification could open the way for the use of BlackBerry smartphones in US government agencies concerned about data breaches, according to US reports.

"Achieving FIPS 140-2 certification means BlackBerry 10 is ready to meet the strict security requirements of government agencies and enterprises at launch," said Michael Brown, vice-president, security product management and research at RIM.

"What differentiates BlackBerry is that it integrates end-to-end security, and includes certified encryption algorithms for data at rest and data in transit. No other mobile solution has achieved the level of security accreditation that the BlackBerry solution has,” he said.

FIPS 140 is issued by the National Institute of Standards and Technology (NIST), which helps to rate and certify devices for use by federal government agencies and regulated industries.

This is the first time a BlackBerry product has been FIPS certified ahead of launch, and may give embattled RIM a boost as it fights to claw back market share lost to rivals.

BlackBerry’s share of the government market dropped from 77% in 2009 to less than half by late 2011 as Apple’s iPhone and Google’s Android platform gained popularity.

In October, the US Immigration and Customs Enforcement agency announced plans to switch from BlackBerrys to iPhones, and more recently UK government departments were given the go-ahead to use iPhones to send and receive sensitive emails as part of moves to broaden the number of approved public sector mobile devices beyond BlackBerrys.

A review by CESG, the UK equivalent of NIST in the US, concluded that iOS6, the latest operating system (OS) for iPhones and iPads, is now secure enough to handle restricted government information, providing departments build in additional security controls.

CESG has warned that security on iOS6 requires organisations to extend their network monitoring and security systems and relies on users correctly using the iPhone security features. Failure to follow any of these controls could compromise information security, the guidelines said.

"IDC expects the mobile enterprise security market to experience a high rate of growth from 2012 to 2016," said Stacy Crook, programme manager for mobile enterprise research at IDC.

"Maintaining the BlackBerry solution's reputation for security while introducing an enhanced user experience gives BlackBerry 10 the opportunity to be a highly competitive platform in the government, enterprise and consumer sectors,” he said.



Monday, November 12, 2012

CW 500: Spencer Izard, research manager, IDC, on cloud computing

Cloud computing is a key consideration for any IT strategy but still poses many questions to IT leaders, whether in terms of data security, training or moving legacy applications to the new environment. In this CW500 Club video Spencer Izard, research manager, IDC talks to Computer Weekly editor in chief Bryan Glick about best practice in moving to the cloud.

Gartner: BYOD will encourage self-support

During the Gartner Symposium earlier in November, the analyst firm predicted that IT departments will be expanding their budget to support bring-your-own-device (BYOD).

As Computer Weekly previously reported, Gartner expects IT budgets will grow 1.4% driven by the take-up of mobile technology like smartphones and tablet computers.

There are likely to be increased helpdesk costs if IT expands desktop PC support to other devices. However, Gartner thinks many users of smartphones and tablets will develop their own support communities.

Self-support communities will offset the cost and manpower of providing a helpdesk for staff who use their own devices, Gartner has predicted.

This means IT departments will not need to replicate desktop support efforts on personal mobile devices that may be running operating systems (OS) such as variations of Android, iOS and Windows Phone.

Instead, users will likely share their expertise in configuring these devices with other users, which will ease the burden on the helpdesk. However, IT departments will need to ensure their security systems and policies do not prevent these devices from connecting to the company system – unless there is a legal or commercial requirement for the company to control data leakage.

Rather than continue with a lock-down IT strategy, Gartner has recommended that CIOs embrace BYOD by opening up corporate networks and supporting non-Windows devices like tablets and smartphones.

Gartner vice-president, Monica Basso, said: “It is not new for enterprise to push back on BYOD. We are in the phase of post-consumerisation. CIOs must begin to support devices from the consumer space.” 

She said businesses will need to look at how they share the cost of device ownership with employees who bring in their own devices.

Basso warned that IT departments will need to shift from standardisation and control to better ways to enable people to use their own devices at work.

Since there is no alternative to the BlackBerry Enterprise Server for Android or iOS, IT will have to rethink security and invest, instead, in mobile device management (MDM), Basso added.

According to Gartner, the increasing penetration of Android in the enterprise will continue to pose challenges for the IT department and the CIO to ensure that security and manageability remain a priority. 

However, Android and iOS-based devices will continue to increase their presence in the enterprise side-by-side and, in most cases, instead of RIM. 

“As businesses are looking for a multi-device strategy and a rich application portfolio, it is clear that RIM has a huge challenge ahead in regaining its key presence in the enterprise,” said Gartner.



Wednesday, November 7, 2012

Parliamentary committee joins criticism of draft communications data bill

Home secretary Theresa May faced stern criticism when appearing before a special select committee of MPs and peers hearing pre-legislative evidence on the Draft Communications Data Bill.

The committee said her £1.8bn internet monitoring proposals will be a "honeypot for hackers and criminals around the world", according to the Guardian.

But the home secretary revealed that she plans for the legislation to reach the statute book by 2014 before the next general election and be in effect within a few years.

The draft legislation, which is aimed at making it easier for authorities to spy on electronic communications, requires internet and other service providers to retain records of all communications for 12 months, including emails, web phone calls and use of social media.

The committee heard from senior police officers that the web monitoring plan was a vital operational tool in infiltrating criminal gangs and tackling security threats.

But the proposals have drawn widespread criticism from members of the technology industry, notably Wikipedia founder Jimmy Wales, and civil liberties groups such as Big Brother Watch.

The parliamentary committee has now also raised concerns that the increase in the storage of sensitive personal data required could lead to invasion of privacy on a new scale, and be open to criminal attack.

Liberal Democrat peer Lord Strasburger described the proposals as a "honeypot for casual hackers, blackmailers, criminals large and small from around the world, and foreign states".

A former Labour minister, Nicholas Brown, said the public were frightened they "were going to be spied on" and that "illegally obtained" information would find its way into the public domain.

Brown supported a call by information commissioner Christopher Graham for the enactment of powers already on the statute book to impose prison sentences of up to 12 months, and not just heavy fines, for those who unlawfully obtain personal data.

In testimony to the Parliamentary committee in mid-October, Graham said the proposed legislation would catch only incompetent criminals and accidental anarchists, but would have little effect on terrorism and serious organised crime.

A week earlier, Jimmy Wales said the proposed Bill would constitute a security risk because it would force many relatively small companies to hang on to data that they would not otherwise retain. 

In September, Wales raised these and other concerns before the parliamentary select committee.

According to reports, the home secretary has now agreed to look at the detail of the custodial powers specified in sections 77 and 78 of the 2008 Criminal Justice and Immigration Act, and to reconsider a clause that would give her very widely drawn powers to make orders requiring internet and phone companies to hand over an individual's communications records to "relevant public authorities".

Ducking questions about the UK becoming the first democracy to use web monitoring so far only used in China, Iran and Kazakhstan, the home secretary insisted it was a myth that the state was going to read everyone's emails.

"There is a limited scope for the data we want to have access to. We have been very clear about that at every stage. The police would have to make a clear case for requesting access to data when there was an investigation that required it.

"The aim of this is to ensure our law enforcement agencies can carry on having access to the data they find so necessary operationally in terms of investigation, catching criminals and saving lives,” she said.

Police made urgent requests for communications data in 30,000 cases in 2011, and between 25% and 40% of them had resulted in lives being saved, which matters to the public, May told the committee.

Big Brother Watch had earlier published the results of a survey which revealed that only 6% of UK citizens think the government has made a clear and compelling argument for the proposed bill.

In contrast, 71% of more than 1,800 adults polled said they do not trust that the data will be kept secure.

“The public have seen through the scaremongering rhetoric and see the snoopers’ charter for the waste of money that it is,” said Nick Pickles, director of Big Brother Watch.

Instead of spending £2bn on another dodgy IT project, the Home Office should be making sure there are enough police officers with the right skills and equipment to investigate online crime, he said.

“While the real criminals take simple steps to hide their activity, the law would require every single person’s emails and messages to be monitored, and the public are right to be concerned that the data won’t be kept secure,” said Pickles.



IT security budgets mismatched to hacker targets, study shows

IT security budgets are not being used to provide defence technology in some of the areas the enterprise is most likely to need it in, a study has revealed.

About 33% of hacker forum discussions are about training and tutorials for data theft techniques, such as SQL injection (SQLi), according to the latest hacker intelligence report by security firm Imperva.

However, analysts estimate that less than 5% of IT budgets include technologies designed to mitigate attacks on datacentres and defend against SQLi attacks.

“By examining what information hackers seek out or share in these forums, we can better understand where they are focusing their efforts,” said Amichai Shulman, chief technology officer (CTO) at Imperva.

“If organisations neglect SQLi security, we believe that hackers will place more focus on those attacks,” Amichai Shulman said.

The study also revealed that SQLi and distributed denial-of-service (DDoS) attacks are the most popular attack methods, each accounting for 19% of forum discussion topics.

Analysis of the hacker forum revealed a rise in a market for social network endorsements. In a keyword search relating to social networks, Imperva found that Facebook (39%) and Twitter (37%) were the most frequently discussed social networks.

In reviewing social network related posts, Imperva observed a black market for buying and selling illegitimate social network likes, followers and endorsements, with particular attention given to the origin of these likes and followers. 

According to the research report, hacker education comprises a third of all forum conversations. Roughly 28% were related to beginner hacking and hacker training, while another 5% related to hacking tutorials.

Both aspiring and veteran hackers visit forums to exchange techniques, build credibility and publish their hacking successes, Imperva said.

The report is based on the security firm’s second annual analysis of a hacker forum containing around 250,000 members.



Tuesday, November 6, 2012

Apple squashes BlackBerry as Brent Borough deploys iPads

London Borough of Brent is planning to provide staff with up to 3,000 iPads and iPhones as it phases out BlackBerry smartphones.

London Borough of Brent will use MobileIron’s mobile device management software to secure the devices.

Brent had previously deployed 490 BlackBerry smartphones for email. By February 2013, these will be phased out, and replaced by iPads and iPhones, which will give the borough greater flexibility in terms of access to mobile applications over the locked-down email system from Research in Motion (RIM).

Brent Borough Council wants to equip more of its employees, particularly its field workers who are constantly on the move, with iPads to improve productivity across all public service divisions including transport, education, housing and social care, leisure and waste management. It needed a way of effectively securing and managing these devices and the data on them.

The new building will mainly use thin clients running Quest thin client access software to provide a Windows 7 desktop. There will also be up to 150 task-specific PCs deployed. 

Stephan Conaway, CIO at London Borough of Brent, is hoping to move away from the idea of the Microsoft desktop, where IT departments generally deploy 50 to 60 Windows applications. “The desktop paradigm is not valid anymore,” he said.

Conaway believes the standard Microsoft desktop will not be around in 10 years’ time. “Microsoft has had a stranglehold over industry for 25 years. Suddenly there is a paradigm shift, so we don’t have to go back to paying £25 to upgrade each Windows PC and the tie in with Microsoft Enterprise licensing. This model is collapsing.”

He said Brent Borough Council has licensed Microsoft PowerPoint and Excel for every user, as part of an Enterprise Agreement, but only about 350 people use them, which is a significant waste in terms of licence fees.

However, Conaway believes Microsoft’s Surface tablet may be a winner, so long as the supplier does not tie it into any Microsoft volume licensing schemes. 

“The industry has just broken out of jail, and now it all depends on how Microsoft behaves next,” he said.

The borough runs several versions of the Windows operating system, which complicates rolling out applications compared to the way apps are deployed via the Apple AppStore.

“There is no image management on iOS. We haven’t needed to pay for iOS upgrades and they all install automatically across all iPad and iPhone devices," he said. "If I had to upgrade on Windows, I would shoot myself.”

But not all applications are suitable for the iPad. And even the ones that are browser-based may need to be re-developed. 

Conaway believes local authorities will struggle, as the line-of-business applications they tend to use are developed by smaller suppliers who may not have the resources to rework software for new devices like the iPad or Android tablets.

He said, “The industry is heading to HTML5. But, in local government we have small suppliers, who have no margin to redevelop software, and their skill set is tied up in the technology they already have. It will take years for an industry shift.”

The iPads are being used to run line-of-business applications including forms-based applications, presentations, Microsoft SharePoint, file sharing, document writing, and some lightweight spreadsheet work. The council is also looking at front-end applications for social services and new modules for highways, and schools, which will run via the iPad’s Safari web browser.

The MobileIron software is used to secure iOS, enabling the borough’s mobile staff to use the full functionality of their iPads and iPhones without restrictions. They will need to download MobileIron software before connecting with the borough’s network. MobileIron enforces the borough’s PIN policies on each device to prevent unauthorised access and allows IT staff to remotely wipe data from lost or stolen machines.

London Borough of Brent has been able to benefit from a contract with Vodafone, which will enable staff to use iPhones as an extension to the borough’s existing telephony system using call routing.

Stephan Conaway, CIO at London Borough of Brent, said the borough was able to lower device costs by opting for refurbished iPhones, rather than brand new ones, although 100 executives will be issued with the latest iPhone 5.

He said: “Other staff will get reconditioned 3Gs, which will allow us to standardise iOS 6.”

Conaway was able to source 2,700 iPhone 3Gs devices from a supplier specialising in shipping large numbers of refurbished iPhones. The savings through buying refurbished iPhones meant the cost to the borough of each device was about the same as the cost of a low-end Android smartphone, according to Conaway.

He was also able to negotiate a discount on licensing the MobileIron mobile device management software across the estate of iOS devices at Brent. Conaway said the overall cost of the licensing was comparable to the previous BlackBerry Enterprise Server, 

Brent Borough Council has experienced direct productivity benefits since the introduction of iPads at the borough. Conaway said: "Being able to deploy iPads securely has been a huge productivity boost for our staff. We had previously tried to have caseworkers carry laptops with them, but found that approach not right for many front line workers. Having MobileIron in place lets us provision the right device for the right person at the right time."

The roll-out fits with the borough’s move to a new office in December 2012, which will support hot-desking. 

The new premises will be a fully wireless building, which will support both public and private wireless access. 

Conaway said: “The security we have gone for is to trust no one. We don’t care what network you have, we will consider you hostile.” 

The iPads and iPhones will be checked before they can connect securely.

Brent Borough Council hired integrator Qolcom to configure the MobileIron system. 

Keith Reading, director of Qolcom, said MobileIron was being used at Brent Borough Council to manage the borough’s iPads and provide infrastructure and automation. 

He said: “The MobileIron software provides secure management of devices, using configuration files to setup iPads with privacy, security, calendar task settings.” 

MobileIron is also used to provision WiFi and VPN access. In addition, MobileIron Sentry software is used to control access to Microsoft Exchange for email. Reading said Sentry basically acts as a middle man to check that the iPhone or iPad has the correct security settings, before allowing access to the Exchange email server. 

Qolcom also mapped user credentials in Brent’s Windows Active Directory to user policies with MobileIron’s own database, which associates iPhone and iPad users with groups, each of which can be given differing levels of access to the borough’s IT systems. 

Delivery of the pre-configured MobileIron system took three days, which included a preconsultation. Qolcom provided Brent with software images to install on the borough’s VMware infrastructure.



Free mobile apps a threat to privacy, study finds

Free mobile apps pose a serious threat to privacy because of their ability to capture large amounts of user information, a study has revealed.

Free mobile applications are 401% more likely to track user location and 314% more likely to access user address books than paid-for apps, according to research from Juniper Networks.

Many apps analysed had permission to access the internet, which could provide a means for exposed data to be transmitted from the device.

Analysis of 1.7 million apps on the Android market by Juniper’s Mobile Threat Center also found that many apps solicit personal information or perform functions not required for the apps to work.

For example, the study found that 94% of free gambling apps that have permission to make outbound calls do not describe why the app would justifiably use this capability.

Similarly, 83.88% of free gambling apps have permission to use the camera and 84.51% have permission to send SMS messages.

There is an overall lack of transparency as to who is collecting information and how it is used, said Dan Hoffman, chief mobile security evangelist at Juniper Networks.

24.14% of free apps have permission to track location, compared with 6.01% of paid apps.

6.72% of free apps have permission to access your address book, compared with 2.14% of paid apps.

2.64% of free apps have permission to silently send text messages, compared with 1.45% of paid apps.

6.39% of free apps have permission to initiate background calls, compared with 1.88% of paid apps.

5.53% of free apps have permission to access the device camera, compared with 2.11% of paid apps.

The study found that other permissions being requested from applications include the ability to initiate outgoing calls, send SMS messages and use a device camera without the user's knowledge.

“An application that can clandestinely initiate a phone call could be used to silently listen to ambient conversations within hearing distance of a mobile device,” said Hoffman.

Similarly, access to the device camera could enable a third party to obtain video and pictures of the area where the device is present, he said.

Silently sending SMS messages can also be a means to create a covert channel for siphoning sensitive information from a device.

“Further, the potential for stealth SMS messages or calls can have monetary repercussions by communicating with services that will subsequently charge a fee, such as sending premium SMS messages,” said Hoffman.

Research firm Gartner predicts that the number of mobile applications downloaded this year will double to 45 billion.

In the light of this prediction, Hoffman said more needs to be done to inform people about the information being captured, particularly as an increasing number of people use personal devices in the workplace to access business-critical information.

The problem, he said, is that the companies, consumers and government employees who install these apps often do not understand with whom they are sharing personal information.

“Even though a list of permissions is presented when installing an app, most people do not understand what they are agreeing to or have the proper information needed to make educated decisions about which apps to trust,” said Hoffman.

While the European parliament is working to update its data privacy legislation to better reflect today’s connected world, it could be a couple of years for these changes to come into play, leaving businesses and consumers highly vulnerable in the meantime, he said.

Based on the research, Juniper Networks is calling on the mobile app industry to:

Correlate permissions to actual app functionality. 

Simply saying an app has the permission to track location, read contacts or silently perform an outgoing call does not provide the necessary context of why this functionality is necessary for a specific app. Developers should provide a means to communicate how permissions align with how the app works.

Better differentiate between permissions.

There is a big difference between a spyware app clandestinely placing an outgoing call to listen to ambient conversations within hearing distance of the device, and a financial app that provides the convenience of calling local branches from within an application. The manner in which permissions are currently presented does not provide a means for users to differentiate between the two. More needs to be done to provide developers with differentiated permissions and to perform the very different actions.

Accept some exposure with free apps.

It seems there is no such thing as a free lunch in mobile. If people choose to use free applications, they will likely need to provide information in exchange. Often, the value provided by the app is well worth the information given up by a user; however, many do not realise that this tracking is happening and may not be making informed choices. Communicating why information is needed in a concise and easy-to-understand manner could help people become more comfortable with sharing.

A smaller amount of actionable data is beneficial.

Helping people understand what is actually occurring on their device and with their data has considerably more value than a list of permissions. More educated users means they are more comfortable installing apps and less likely to uninstall once they see the number of permissions being requested without explanation.


Top cyber threats underline need for security awareness

Malicious key generation (keygen) software is one of the fastest-growing types of malware, according to the latest Microsoft Security Intelligence Report (SIR).

In the past year, malicious keygen software has increased from a million detected instances to five million, and is 26 times as frequent as in the first half of 2010, when this type of malware was first detected.

In the first half of 2012, malicious keygen software escalated rapidly above malware exploiting the Win32 Autorun vulnerability, to establish itself as the top malware family.

Some 76% of this malware is linked to other malware, Tim Rains, director of Microsoft Trustworthy Computing told Computer Weekly, underlining the need for user awareness as a first line of defence.

Keygen software typically generates a licensing key, serial number or some other registration information necessary to activate a software application.

Attackers are using this kind of software to lure people who are seeking to activate unlicensed copies of popular software, particularly Adobe Photoshop, AutoCAD and Nero Multimedia, said Rains.

Malicious keygen software, which relies heavily on social engineering, was among the top 10 threats of a handful of countries in 2010, but now features in the top 10 of 98% of regions featured in the SIR.

Researchers have even seen instances of malicious links for downloading free software such as Adobe Flash.

“It is always safer to go directly to software makers rather than through third parties,” said Rains.

Similarly, he said, web users should be wary of free music or video because these are popular ways used by cyber criminals to trick people into downloading malware or lure them onto compromised sites.

Ensuring that all software, including browsers, is up to date to include the latest security is an important basic step in protecting against drive-by infections from compromised websites, said Rains.

Another trend highlighted by SIR volume 13 is that vulnerability disclosures across the software industry in the first half of 2012 were up 11.3% from the second half of 2011.

Vulnerabilities are weaknesses in software that enable an attacker to compromise the integrity, availability or confidentiality of the software or the data it processes.

“We have seen a gradual decline since 2008, but now there is this sudden increase, mostly in web and line-of-business applications rather than operating systems and browsers,” said Rains.

Known exploits feature in the top 10 threats in many countries, including the UK, which means that it has never been more important to patch applications with security updates than now, he said.

The top 10 threats in the UK include three exploits, which is on the high side, said Rains. These are the Blacole or Blackhole exploit kit, Java exploits and .pdf exploits.

Exploits of old Java and JavaScript vulnerabilities have shown a marked increase in the past year, according to the SIR, despite the fact that Oracle has issued security updates.

“Attackers continue to take advantage of organisations that are failing to update all the software they are using,” said Rains.

Conficker also remains a top threat for both the consumer and enterprise markets, he said, despite the fact that there have been no new variants in over four years.

The main method of propagation is using common or default passwords like “password123” or abusing vulnerabilities in Win32 Autorun.

But simply by implementing complex passwords throughout and updating to the latest Windows operating system (OS), businesses can go a long way to blocking further Conficker infections, said Rains.

The best primary form of defence remains keeping software up to date, he said, although enterprises should ensure they are using Microsoft Update rather than Windows Update to ensure that all Microsoft products are updated automatically, and not just the OS.
