2014 Cyber Threats

Where the Internet is stored (Photo credit: debs)

Georgia Tech just released its annual Emerging Cyber Threats Report for 2014. They have been publishing reports for several years that look ahead to security issues with data and devices connected to the Internet. As usual, they have summarized a number of threats that companies should be aware of.

Companies Assume the Cloud is Safer than it is. Most companies store their data in the cloud in exactly the same format as it would be stored on a local LAN. This means there is no additional security other than whatever is provided by the cloud provider.

While companies can add additional encryption to cloud-stored data, there is a trade-off between encryption and the accessibility of data by employees, so few firms add the additional encryption.

Unencrypted data can be compromised, as has been seen in some of the attacks by the Chinese on companies like Google. But aside from national cyberwar threats, data in the cloud can be hacked in much easier ways, including the next threat:

Employees are Accessing Corporate Data with Bring-Your-Own Devices. Many companies are allowing BYOD since it saves them a lot of money from buying every employee smart phones and tablets, and it also lets each employee use devices they are comfortable with, meaning a lot less training.

BYO Devices create an easy path to hacking into corporate data. For example, somebody hacking, or just coming into possession of, an employee's phone might have wide-open access to corporate data.

Very Little Security for the Internet of Things. Today we are already starting to see the proliferation of devices that connect wirelessly to networks. This first generation of devices has not paid a lot of attention to security. I am not sure that I care that much if my coffee maker or smoke alarm or sprinkler system are not encrypted. It’s unlikely that anybody would take the time to hack them, and if they did all I might get are some really wet fruit trees.

But the Internet of Things is advancing faster in areas of business automation than it is in the home. The Internet of Things in an industrial setting already includes things like security cameras, devices that sense the presence of various chemicals, thermostats and the equivalent timing devices used during the manufacturing process. And soon the Internet of Things is going to include medical devices and other things that none of us want to see hacked.

And I certainly care if somebody hacks into a heat sensor or water control valve at a nuclear reactor site or hacks into the manufacturing process at an oil refinery.

Mobile Devices Will Become the Focus of Hackers. Until now there has not been a lot of successful malware used against smart phones and other mobile-connected devices. However, these devices are no less susceptible to hacking than are PCs and network servers.

Georgia Tech sees an uptick in attempts to hack into cell phones in various ways. Obviously there will be malware that will be distributed in the same manner as with computer spam. But more insidious is the idea of hacking directly into apps so that millions of users download malware with a normal update of a popular application.

And of course, as mentioned above, hacking into cell phones is a lot scarier when those phones have access to work and government networks.

Expect Cyber Attacks Meant to Ruin Corporate Reputations. One thing that has been seen with attacks by foreign governments is that these attacks aren’t always aimed at government sites, but instead at the biggest and most popular companies in the country. The goal is to breach the data and security at big US companies in order to make the general population lose trust in using them. So we have seen attacks leveled at US banks and big companies like Google and Facebook.

Old is Not Necessarily Dead

Microsoft Windows XP wordmark official. (Photo credit: Wikipedia)

For some reason, last month was a time when I kept running into legacy systems over and over. And by legacy systems I am talking about older technology platforms that everybody assumes are little used or dead and gone.

First, I ran into two separate CPA firms that are still using PCs with Windows XP. They said they are using it because the programs they use don’t require a higher version of Windows, and the XP platform is stable and trouble-free. As it turns out this is a fairly common opinion in the corporate world. It is estimated that one-third of worldwide computers, or 500 million computers, still run XP. And this is a 13-year-old operating system.

It turns out that Microsoft is going to officially stop supporting XP in April 2014, and that will drive a lot of corporations to upgrade to something newer. But many smaller firms (like these CPA firms) will choose to not upgrade and they will continue to run it without the Microsoft backstop. Their reasoning is that hackers are no longer concentrating on the older operating systems and the platforms will actually get safer over time as fewer and fewer people use them. And let’s face it, upgrading a Windows platform at a company is a lot more of a pain in the butt than doing it at home. I know I have spent a whole day before making my machine work right after an upgrade, and figure that same effort times many machines in an office.

I also ran into XP when we started doing number portability and the NPAC system that everybody uses for number porting is also still on Windows XP.

But then I ran into something even older. One of my clients has recently started using MS-DOS as the software to control external access to his server. He has it set up so that somebody gets only three tries to log in and then the operating system shuts down. He thinks this is hacker-free since most LANs are hacked by programs that try millions of password combinations to get into a system. Many of you reading this are not going to remember the pleasure of turning on your computer and being greeted by a C prompt.

There are other legacy applications that are more telephone related. For example, I know a company that offers a very vanilla voice service where every customer gets a basic line and all of the features in the feature set. The cheapest way they could figure out to do this was to buy an old legacy TDM switch. They picked it up used for almost nothing, including a big pile of spares. Since they aren’t trying to do anything unusual it’s easy to provision and it just hums along.

I have a lot of clients who just ditched legacy systems over the last decade. But the reason they ditched these switches was not because they didn’t work, but rather because the maintenance fees charged by the switch vendors were too high. But if you buy these same switches on the gray market you have zero vendor maintenance costs and operating the switch becomes a very different economic proposition.

As someone who is getting a little gray around my own edges I take an odd pleasure in knowing that people are finding uses for things that were used decades ago. I know I am nowhere near to obsolete and it makes me smile to see the value in older but still great technology.

Grasping the Internet of Things

Internet of Things IoT13 Forum June 2013 040 (Photo credit: marklittlewood1)

I have written several blog entries about the Internet of Things. But I have not really defined it very well. I read as many articles about the topic as I can find since I find it personally fascinating. To me this is mankind finally using computer technology to affect everyday life and goes far beyond things you can do with a PC or tablet.

I recently saw an article that summarized the direction of the Internet of Things into three categories – and this is a good description of where this is all headed. These categories are:

Knowledge of Self. This part of the Internet of Things is in its infancy. But the future holds the promise that the Internet can be used to help people with self-control, mindfulness, behavior modification and training.

Today there are gimmicky things people are doing with sensors, such as counting the number of times you have opened the refrigerator as a way to remind you to lose weight. But this can be taken much further. We are not far from a time when people can use computers to help them change their behavior effectively, be that in losing weight or in getting your work done on time. Personal sensors will get to know you intimately and will be able to tell when you are daydreaming or straying from your tasks and can bring you back to what you want to accomplish. Computers can become the good angel on your shoulder should you choose that.

Probably the biggest promise in this area is that computers can be used to train anybody in almost anything they want to know. The problem with the Internet today is that it is nearly impossible in a lot of cases to distinguish between facts and fiction. But it ought to be possible to have the needed facts at your fingertips in real-time. If you have never changed a tire your own personal computer assistant will lead you through the steps and even show you videos of what to do as you do it for the first time. But such training could bring universal education to everybody in the world, which would be a gigantic transformation of mankind – and would obviate the widespread ignorance and superstitions that still come today from lack of education.

Knowledge of Others. Perhaps the two most important applications in this area will be virtual presence and remote health care.

With virtual presence you will be able to participate almost anywhere as if you were there. This takes the idea of video conferencing and makes it 3D and real-time. This is going to transform the way we do business, hire employees and seek help from others.

But perhaps the biggest change is going to come in health care. Personal medical sensors are going to be able to monitor your body continuously and will alert you to any negative change. For instance, you will know when you are getting the flu at the earliest possible time so that you can take medicine to mitigate the symptoms.

There is also great promise that medical sensors will make it possible for people to live in their own homes for longer as we all age, something just about everybody wants. Sensors might even change the way we die. Over 80% of people say they want to die at home, but in 2009 only 33% did so. Medical monitoring and treatment tied to sensors ought to let a lot more of us die in the peace of our own beds.

Perhaps the biggest promise of personal monitors is the ability to detect and treat big problems before they get started. Doctors are saying that it ought to be possible to monitor for pre-cancerous cells and kill them when they first get started. If so, cancer could become a disease of the past.

Knowledge of the World. The Internet of Things promises to eventually have sensors throughout the environment. More detailed knowledge of our surroundings will let us micromanage our environment. Those who want a different amount of humidity in the air will be able to have this done automatically in rooms where they are alone.

But remote sensors hold the most promise in areas of things like manufacturing and food production. For instance, sensors can monitor a crop closely and can make sure that each part of a field gets the right amount of water and nutrition and that pests are controlled before they get out of hand. Such techniques could greatly increase the production of food per acre.

And we can monitor anything. People living near to a volcano, for example, will know far ahead of time when there has been an increase in activity.

Monitoring the wide world is going to be the last part of the Internet of Things to be implemented because it is going to require drastic new technologies in terms of small sensors and the ability to interpret what they are telling us. But a monitored world is going to be a very different world – probably one that is far safer, but also one where there is far less personal freedom – at least the freedom to publicly misbehave.

Time for a New Spectrum Plan

The spectrum in this country is a mess. And this is not necessarily a complaint against the FCC because much of the mess was not foreseeable. But the FCC has contributed at least some to the mess and if we are going to be able to march into the future we need to start from scratch and come up with a new plan.

Why is this needed? It’s from the sheer volume of devices and uses that we see coming for wireless spectrum. The spectrum that the wireless carriers are using today is already inadequate for the data that they are selling to customers. The cellular companies are only making it because a large percentage of the wireless data is being handed off to WiFi today. But what happens when WiFi gets too busy or if there are just too many devices?

As of early 2013 there were over half a billion internet connected devices in the US. This is something that ISPs can count, so we know that is fairly accurate. And the number of devices being connected is growing really quickly. We are not device nuts in my house and our usage is pretty normal. And we have a PC, a laptop, a tablet, a reader and two cell phones connected to wireless. And I am contemplating adding the TV and putting in a new burglar alarm system which would easily double our devices overnight.

A huge number of devices are counting on WiFi to work adequately to handle everything that is needed. But we are headed for a time when WiFi is going to be higher power and capable of carrying a lot more data, and with that comes the risk that the WiFi waves will get saturated in urban and suburban environments. If every home has a gigabit router running full blast a lot of the bandwidth is going to get cancelled out by interference.

What everybody seems to forget, and which has already been seen in the past with other public spectrum, is that every frequency has physical limits. And our giant conversion to the Internet of Things will come to a screeching halt if we ask more of the existing spectrum than it can physically handle.

So let’s jump back to the FCC and the way it has handled spectrum. Nobody saw the upcoming boom in wireless data two decades ago. Three decades ago the smartest experts in the country were still predicting that cell phones would be a market failure. But for the last decade we have known what was coming – and the use of wireless devices is coming faster than anybody expected, due in part to the success of smartphones. But we are on the edge of the Internet of Things needing gigantic bandwidth which will make cell phone data usage look tiny.

One thing the FCC has done that hurts the way we use the data is to chop almost every usable spectrum into a number of small channels. There are advantages to this in that different users can grab different discrete channels without interfering with other users, but the downside to small channels is that any given channel doesn’t carry much data. So one thing we need is some usable spectrum with broader channels.

The other way we can get out of the spectrum pinch is to reallocate more spectrum to wireless data and then let devices roam over a large range of spectrum. With software defined radios we now have chips that are capable of using a wide variety of spectrum and can change on the fly. So a smart way to move into the future is to widen the spectrum available to our wireless devices. If one spectrum is busy in a given local area the radios can find something else that will work.

Anybody who has ever visited a football stadium knows what it’s like when spectrum gets full. Practically nobody can get a connection and everybody is frustrated. If we are not careful, every downtown and suburban housing area is going to look like a stadium in terms of frequency usage, and nobody is going to be happy. We need to fix the spectrum mess and have a plan for a transition before we get to that condition. And it’s going to be here a lot sooner than anybody hopes.

Should you Build a WiFi Network?

Free Wireless (WiFi) Minneapolis Hotspot in Sumner Field (Photo credit: Wikipedia)

For years I have had clients who have been building WiFi networks and then trying to figure out ways to make money with them. For the first time I think there is now enough opportunity to sufficiently monetize a WiFi network to make it look like a good investment. The following are some of the ways that other carriers are making money from WiFi. A good business plan will probably need to combine several of these together to make a viable business.

Cellular Data Upload. The biggest use of WiFi is becoming the uploading of cellular data to the network. Most cellular carriers sell data plans with low caps and they want and expect their customers to use WiFi to keep data traffic off the cellular networks. In most places the cellular networks are not nearly robust enough to handle all of the data they would need to carry if it wasn’t for WiFi. There are two different possible ways to monetize this.

If your service area has enough customers of one or more of the major cellular companies, the carriers might be interested in buying wholesale access into your WiFi network. This is something that is happening in big cities, and in many places the cellular carriers are deploying the WiFi directly. But there are now a number of markets where cellular carriers are buying bulk WiFi access from other carriers.

However, deals with cellular carriers are not yet something that has been commoditized, and the alternate plan is to sell data plans directly to cellular customers in your town for their smart phones. Many cellular customers already have WiFi in their homes, but with a city-wide WiFi network they could then get the WiFi benefits anywhere in town. Statistics say that 85% of cellular data is used in the home territory and you can sell data for less than the cellular carriers and make good money at it.

MVNO Wireless. Even better than selling cellular data to others is to consider offering your own wireless plans using an MVNO. In this scenario you buy bulk cellular minutes, text messaging and cellular data and then package them into your own cellular plans. If you have a city-wide WiFi network you have a big advantage because you can make sure that your cellular customers use your network for both voice and data when that is possible. This means that you can charge them cellular-level pricing for traffic that you are delivering at landline costs. The margins on MVNO wireless are already decent, but combining it with a robust WiFi network really enhances the bottom line.

Broadband Alternative. There are now a significant number of customers who don’t want traditional broadband delivered by wireline. In addition to smartphone users, there are many customers who now use pads and laptops instead of traditional PCs. So you can sell WiFi business plans as an alternative or as an adjunct to your existing data plans. WiFi-only plans can be priced similarly to traditional low-level landline plans and you might sell a ‘portability’ additive plan to your normal landline data customers. Finally, you can sell hourly, daily and weekly WiFi to visitors or occasional users.

VoIP / Local Only Phone. In every market there are customers who almost never leave town and with a WiFi network you can give them a much lower cost portable phone alternative than using a traditional cellphone carrier. This essentially is a cordless phone that will go anywhere in the town. You also can use WiFi to give local phones to kids and others for low prices, saving parents the cost of pricey cellular family plans.

Public Safety. Most towns and cities would be interested in using your network for public safety and public works. With a citywide WiFi network you can give all city employees access to data anywhere in town, making it easier for police and fire to operate using pads but also improving the productivity for inspectors and other city workers who are mobile in the town. You should be able to sell bulk access to the city and local utilities, particularly if you will arrange a QOS arrangement to give public safety a priority for the network when they need it.

Workforce Needs. And of course, a city-wide WiFi network will also increase your own productivity since your own installers and salespeople can always be connected to the network with a pad or smartphone. This is not a revenue opportunity but rather can save you money.

There are certainly some issues to consider and it would make sense to pre-sell to the larger WiFi users before you build the network. But if you can sign up a cellular carrier or the City government as anchor tenants then you can build knowing that these other revenues will materialize if the network is built with good coverage.

Like any business there are operational issues to consider. For instance, you will want to ensure that only people who are paying for your service use the network, so you will want a secure system to validate users and be prepared to boot off customers who give away passwords to others.

From a technical and cost perspective it has never been easier to get into the WiFi business. The price of equipment has dropped and it has become more science and less art to keep the network functioning well.