Tag Archive for 2013

BYOD Love Affair Waning?

Tom Kaneshige at CIO.com warns that the “Bring Your Own Device” love affair is coming to an abrupt and bitter end, and the lawyers are circling. He argues that in the early days of BYOD, say, last year, employees, especially Millennials, fell madly in love with the idea of using their own Apple (AAPL) iPhones, Google (GOOG) Android smartphones, and newfangled tablets for work. Finally, they could ditch corporate-issued BlackBerrys (BBRY).

BYOD ushered in a new era of consumer tech in the enterprise, one that promised employees and employers would live happily ever after. But the BYOD romance has suddenly turned sour. Employees are questioning corporate intrusion on their personal devices. Did IT turn their beloved smartphone into a spy that tracks their whereabouts? The article says employees are beginning to sense companies taking advantage of BYOD by intruding on personal time to get free work time.

Now they’re thinking about suing. John Marshall, CEO at AirWatch, an enterprise mobile device management (MDM) vendor with 6,500 customers, told CIO, “I anticipate a bunch of little [lawsuits], then something big will happen that’ll be a class action and become headline news.”

CEO Marshall reports that the suits have already started. A federal case in Chicago is winding its way through the courts; it claims that the city owes some 200 police officers millions of dollars in overtime back pay. The case centers on allegations that the city pressured officers into answering work-related calls and emails over department-issued BlackBerrys during off-hours.

There’s no question BYOD blurs the line even more between work life and personal life. The Airwatch CEO not surprisingly recommends a Mobile Device Management (MDM) application to control email delivery to BYOD devices. This way an employer can set a business rule that won’t allow delivery of corporate email to a subset of users during off-hours. Or a CIO can address this issue in the BYOD terms-of-use agreement. (rb– Both would be best)

The CIO article offers up another legal nightmare scenario: Lacking MDM tools to block out what can and cannot be seen on a BYOD smartphone, a help desk technician notices that an employee’s device has a lot of personal apps about a health problem, and mentions his concern to the employee in the cafeteria.

“The employee can say, ‘How in the world did you know that?’” Mr. Marshall says. “All of a sudden, something that’s very benign and innocuous turns into something that’s blown out of proportion.” (rb- Help Net Security cites recent U.S. DHSS seven-figure settlements from healthcare institutions that failed to protect patients’ health information under HIPAA regs.)

Mr. Marshall recommends a comprehensive BYOD terms-of-use agreement, along with transparency about the capabilities and limitations of the technology, to help ward off such scenarios. The IT staff also needs to be educated about their role in a BYOD environment.

However, this doesn’t mean problems won’t crop up. Part of the problem, the article indicates, is that BYOD often puts business unit managers who aren’t well-versed in technical user agreements in a leadership position with mobile apps. They’re likely to give the green light to rogue mobile apps that violate such agreements.

For instance, employees are chiefly concerned about privacy, and especially about location-based services, with BYOD, and so many user agreements stipulate that apps will not collect location-based information. But someone who wants to be helpful builds a map app for the corporate campus that allows employees to schedule conference rooms and find safety information, such as where to go if there’s a tornado. Airwatch’s Marshall explains:

Maybe there’s also a button on there that says where you are in the campus … All of a sudden people wake up and realize that every single device using that app is collecting location-based information—that’s an issue. These are really plausible scenarios … There’s so much copy and paste and reuse of all these components that these things can happen very innocently.

Then there’s the dreaded remote wipe, which can land a company in some legal hot water according to the article. Help Net Security says there is little to no case law in this area. CIO.com reports that just last year, CIOs said they felt comfortable with BYOD because they held security’s holy grail: remote wipe, a scorched-earth capability for wiping all data on a mobile device.

But employees weren’t happy with the idea that the company can wipe personal data on their personal device. Some employees refused to take part in the BYOD program for this reason. Others waited days or weeks before reporting a lost or stolen device so that IT wouldn’t wipe it.

MDM software advanced quickly and seemed to come up with a fix. Now companies can wipe only corporate apps from a BYOD smartphone or tablet, leaving personal apps untouched. In fact, AirWatch won’t even allow a full device wipe anymore for legal reasons. While this helps tremendously, it doesn’t completely solve the problem.

Mr. Marshall proposed a scenario where a company buys the popular productivity app, Evernote, for employees to put on their BYOD smartphones. Since the company paid for the app, the company can remove it at any time. The note-taking app collects company data but also might store personal data, too. An employee can use Evernote to create a shopping list, recipes, vacation plans, or perhaps something more critical to their job.

Guess what happens to this personal data when the employee leaves the company? The app, along with all the data, is wiped from the device and account. If the BYOD terms-of-use agreement about Evernote wasn’t spelled out clearly, who is liable for the lost data?

The bloom is off the BYOD rose, and so companies had better add protections against employee lawsuits in the BYOD terms-of-use agreement and leverage MDM to make sure the agreement is followed.

Truth is, employees tend to get a bit emotional when their privacy is violated or their location is tracked via a mobile device that they personally own. They don’t like their personal data to be wiped, either. When these things happen, companies can expect the wrath of a scorned employee. “That’s where it gets tricky,” Mr. Marshall told CIO.com.

Tony Busseri, CEO of Canadian digital security firm Route1, told Help Net Security:

Along with security concerns, BYOD has brought the potential of major legal issues for the Enterprise … Many current BYOD corporate policies leave enterprise data unprotected in the event of a security breach and during an employee’s exit from the company. The policy of tracking and wiping an employee’s personal device opens the enterprise up to the potential for mass litigation.

rb-

Misco in the UK reported that the majority of employees will not cooperate with employers’ BYOD efforts. According to the data:

  • 82% of the survey participants viewed their employer’s ability to track their location as an invasion of privacy;
  • 82% are concerned or extremely concerned about having their browsing history monitored;
  • 76% stated that they would not allow their company to view the applications installed on their personal mobile devices;
  • 75% said they would not go along with an installation made by their employer;
  • Only 15% had no concerns about employers tracking activities.


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

2013 Most Dangerous Celebrities Online

Anti-malware firm McAfee has released its annual Most Dangerous Celebrities list, and actress Lily Collins, daughter of rock musician Phil Collins, is 2013’s most dangerous celeb to search for online. Ms. Collins, who has starred in such classic movies as “Mirror, Mirror” and “The Mortal Instruments: City of Bones,” unseated “Harry Potter” star Emma Watson, who topped the list in 2012.

Rank  Celebrity        Risk %
1     Lily Collins     14.5
2     Avril Lavigne    12.7
3     Sandra Bullock   10.8
4     Kathy Griffin    10.6
5     Zoe Saldana      10.5
6     Katy Perry       10.4
7     Britney Spears   10.1
8     Jon Hamm         10.0
9     Adriana Lima      9.9
10    Emma Roberts      9.8

Female celebrities were the overwhelming lure to malware; “Mad Men” star Jon Hamm was the only man in the top 10. A person could be led to malware after doing a general search and clicking on dubious links, but risks increased when searchers added phrases like “free apps” or “nude photos.”

To better protect yourself on the web McAfee suggests:

  • Be wary of links to free content or too-good-to-be-true offers
  • Be extra cautious when searching on hot topics, which often lead to fake and malicious sites created by cyber-criminals
  • Check the web address for misspellings or other clues that the link might lead to a phony website
  • Protect yourself with comprehensive security, including a tool that identifies risky websites in search results

rb-

This is an annual thing from McAfee, but nobody pays attention. I covered Heidi Klum in 2010, Cameron Diaz in 2011, and Emma Watson in 2012.


Did NSA Subvert IPv6 Security?

Cryptographer and Electronic Frontier Foundation (EFF) board member Bruce Schneier has given advice on how to be as secure as possible. “Trust the math,” he says. “Encryption is your friend. Use it well, and do your best to ensure that nothing can compromise it. That’s how you can remain secure even in the face of the NSA.”


Mr. Schneier confirms to Infosecurity that the growing consensus is that Bullrun‘s greatest success is in subverting the implementations of encryption and not in the ability to crack the encryption algorithms themselves. The general belief is that the NSA has persuaded, forced or possibly even tricked companies into building weaknesses or backdoors into their products that can be exploited later.

Infosecurity says the bottom line, however, is that the fabric of the internet can no longer be trusted. Meanwhile, John Gilmore, co-founder of EFF and a proponent of free open source software, has raised a tricky question: has NSA involvement in IPv6 and IPSEC discussions effectively downgraded its security? IPSEC is the technology that would make IP communications secure.

Mr. Gilmore told the author that he was involved in trying to make IPSEC “so usable that it would be used by default throughout the internet.” But “NSA employees participated throughout, and occupied leadership roles in the committee and among the editors of the documents.”

The result was “so complex that every real cryptographer who tried to analyze it threw up their hands and said, ‘We can’t even begin to evaluate its security unless you simplify it radically’” – something that never happened, EFF’s Gilmore observed.

Mr. Gilmore doesn’t explicitly say that the NSA sabotaged IPSEC, but the fact remains that in December 2011, IPSEC in IPv6 was downgraded from ‘must include’ to a ‘should include.’ He does, however, make very clear his belief in NSA involvement in other security standards.

Discussing cellphone encryption, the EFF co-founder says “NSA employees explicitly lied to standards committees,” leading to “encryption designed by a clueless Motorola employee.”

To this day, Mr. Gilmore notes, “no mobile telephone standards committee has considered or adopted any end-to-end (phone-to-phone) privacy protocols. This is because the big companies involved, huge telcos, are all in bed with NSA to make damn sure that working end-to-end encryption never becomes the default on mobile phones.”

rb-

Following the Snowden leaks revealing Bullrun – the NSA program to crack the world’s encryption – the article states that there is an emerging consensus that users can no longer automatically trust any security.

Other articles say that NSA has compromised SSL, so the NSA has access to credit cards and your 4G phones. This is another unnecessary attack on US e-commerce business: who is going to buy something online when their account numbers are in the hands of US government hackers?


PoE Overworked

Gary Audin at No Jitter warns that Power over Ethernet (PoE) is not always a plug-and-play environment and that PoE should be monitored, managed, and efficient. In this article, Mr. Audin observes that PoE has evolved into an electrical power utility platform. PoE started out as a centralized power source for IP phones, backed up with an Uninterruptible Power Supply (UPS). (rb- Click here and here for my overview of PoE) Since those early Cisco-dominated days, the article says, PoE has been called upon to support wireless access points; environmental controls; pan, tilt, and zoom cameras; lighting control; clocks; door controls; Bluetooth devices; RFID; now laptops; and still more to come.

The LAN switch is the PoE source, but the article warns it can be overwhelmed with the power drain, which produces headaches for IT. Unless properly managed, the PoE function can experience:

  • A blown-out power supply. Smoke is an indicator of this condition.
  • Reduced power to all devices with degraded service from all the attached devices.
  • An added PoE device does not work.
  • The more power is drawn by PoE, the shorter the UPS battery life. The original UPS design could last 20 minutes. Added PoE devices could shorten this to 3 minutes.

PoE IP phones and other devices can signal to the PoE network which class of device they belong to and how much power they may need. Class 0 devices, usually older devices, do not indicate their PoE power requirements. These devices may draw any power level from none to maximum. The other standard classes, 1-3, range from very low power to mid-level power consumption.

Class 4 is a newer class of device requiring PoE+ (802.3at) and needs to draw more than the 12.95 Watt maximum provided by the original standard PoE. Class 4 devices must be powered by PoE+ ports and may not function correctly on an 802.3af PoE port. Most IP phones are in class 2. IP phones with color screens and other advanced features may be categorized as class 3 devices.


Wireless LAN access points are also common PoE devices, many of which started out as class 2 and 3 devices. As the wireless speeds increased, so did the power requirements. The 802.11ac standard means that the access points (AP) will have a 1 Gbps connection back to the switches and routers.

At issue is the PoE required. It is likely that each AP could need 20 to 30 watts, the limit that the 802.3at PoE+ standard delivers. Many installed switches cannot support PoE+. So the enterprise has to buy new switches or power supplies or power injectors. (rb- add this to your site survey when you plan to implement 802.11ac)

Mr. Audin spoke to Tim Titus, CTO, and founder of PathSolutions, (they happen to sell a network management tool) about what he considers a good approach to monitoring and managing POE. He told No Jitter,

“Regardless of whether there are any PoE or PoE+ devices on a network, it can be very helpful to monitor the health of our network equipment’s power supplies. The best monitoring system watches the status and power consumption of each power supply, what percentage of utilization it is running, and which interfaces are drawing power, so power policing can be achieved.”

He provided this example of missing power management.

“Keeping an eye on power supplies avoids unpleasant discoveries. One unlucky network administrator had two power supplies installed in a network chassis (one primary and one backup). Unfortunately, when the primary power supply stopped working, nobody knew, since the backup power supply was doing its job of keeping everything running. The problem wasn’t noticed for over six months. Nobody was in the empty remote wiring closet to notice the lack of lights on the power supply. The users remained blissfully unaware of impending doom until the wee hours of a weekend when the second power supply was shut off by a circuit-breaker trip!” 

Mr. Titus pointed out to Mr. Audin that monitoring should happen at the port level:

“Not only will a monitoring system show you what mode a PoE port is operating in, but it should also provide a view of relevant error counters.

  • MPS Absent and Invalid Signature errors frequently point to broken or defective powered devices.
  • Overload conditions and short-circuits typically point to wiring problems (or somebody re-wiring devices in use).
  • Denied errors can point to devices asking for more power than the switch has available, and may indicate that it is time to consider adding another power supply to a large Ethernet chassis.”


Finally, many network engineers try to buy limited PoE due to the cost premium of PoE ports, only to find that half of their PoE ports are used by non-PoE devices such as PCs. With a monitoring tool, the engineers could have avoided buying expensive PoE ports or purchased less expensive “ordinary” Ethernet ports. The engineers should have an up-to-date PoE port inventory and use it to avoid over-buying PoE by playing safe in their design. (rb- Been there, done that; I’ve been in many customers’ closets and found PoE switches full of PC and printer access ports.)
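The port-level audit Mr. Titus and Mr. Audin describe, as an added example that is not from the No Jitter article or from PathSolutions: it reserves per-class power against the switch budget, flags class 4 devices on 802.3af ports and non-PoE devices wasting PoE ports, sorts the error counters into the three buckets above, and shows how added PoE load shortens UPS runtime. The port records and the budget are constructed sample data, not real SNMP output.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Power the switch (PSE) must reserve per signalled class, in watts
# (IEEE 802.3af classes 0-3, 802.3at class 4). Class 0 is "unclassified",
# so the switch has to reserve the full 802.3af maximum for it.
PSE_RESERVE_W = {0: 15.4, 1: 4.0, 2: 7.0, 3: 15.4, 4: 30.0}
PD_MAX_AF_W = 12.95  # most a powered device may draw under original 802.3af


@dataclass
class Port:
    name: str
    poe_plus: bool            # port is 802.3at (PoE+) capable
    pd_class: Optional[int]   # class the powered device signalled; None = non-PoE device
    draw_w: float             # measured draw on the port
    status: str               # "ok", "denied", "overload", "mps_absent", "invalid_signature"


def audit_poe(ports: List[Port], budget_w: float) -> Dict[str, object]:
    """Reserve per-class power, compare it to the supply budget, and sort port
    errors into the three buckets the article names: defective powered device,
    wiring problem, or a switch that has run out of power to hand out."""
    requested = sum(PSE_RESERVE_W[p.pd_class] for p in ports if p.pd_class is not None)
    return {
        "requested_w": round(requested, 2),
        "budget_pct": round(100 * requested / budget_w, 1),
        "over_budget": requested > budget_w,
        # PoE ports occupied by PCs, printers and other non-PoE gear (over-buying)
        "wasted_poe_ports": [p.name for p in ports if p.pd_class is None],
        # class 4 needs PoE+; on an af-only port it may be denied or misbehave
        "class4_on_af_port": [p.name for p in ports if p.pd_class == 4 and not p.poe_plus],
        # class 0 devices never said how much they need; budget them at the af max
        "unclassified": [p.name for p in ports if p.pd_class == 0],
        "suspect_devices": [p.name for p in ports if p.status in ("mps_absent", "invalid_signature")],
        "suspect_wiring": [p.name for p in ports if p.status == "overload"],
        "budget_denied": [p.name for p in ports if p.status == "denied"],
    }


def ups_runtime_min(capacity_wh: float, base_load_w: float, poe_load_w: float) -> float:
    """Crude runtime estimate: battery energy divided by total load, in minutes."""
    return 60 * capacity_wh / (base_load_w + poe_load_w)


# Constructed sample inventory for one 8-port PoE switch (not real SNMP data).
SAMPLE_PORTS = [
    Port("Gi1/0/1", False, 2, 5.1, "ok"),          # IP phone
    Port("Gi1/0/2", False, 3, 9.8, "ok"),          # colour-screen phone
    Port("Gi1/0/3", False, 4, 0.0, "denied"),      # 802.11ac AP on an af-only port
    Port("Gi1/0/4", True, 4, 22.4, "ok"),          # 802.11ac AP on a PoE+ port
    Port("Gi1/0/5", False, 0, 11.0, "ok"),         # legacy camera, unclassified
    Port("Gi1/0/6", False, None, 0.0, "ok"),       # PC on a PoE port
    Port("Gi1/0/7", False, None, 0.0, "ok"),       # printer on a PoE port
    Port("Gi1/0/8", False, 2, 0.0, "mps_absent"),  # phone that keeps dropping its load
]
SAMPLE_BUDGET_W = 65.0  # constructed: a small switch power supply

if __name__ == "__main__":
    for key, value in audit_poe(SAMPLE_PORTS, SAMPLE_BUDGET_W).items():
        print(f"{key:20} {value}")
    # the article's 20-minute UPS shrinking to 3 minutes once PoE load is added
    print("UPS runtime, phones only:", ups_runtime_min(100, 300, 0))
    print("UPS runtime, with PoE sprawl:", ups_runtime_min(100, 300, 1700))
```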

rb-

The author warns not to assume that PoE is always a plug-and-play environment. PoE should be handled like a utility–monitored, managed, and efficient.

I have tried to build custom fields for reports in SolarWinds’ Orion by working with MIBs; it’s not the most fun thing in the world. I wonder if this product does a better job.


Is Connected Car Data Worth $1,400 Annually?

Michael Strong at TheDetroitBureau.com reports that Continental AG and Cisco (CSCO) recently demoed a highly connected car using the internet to improve vehicle safety and infotainment options at the recent Center for Automotive Research Management Briefing Seminars in Traverse City, MI.

The firms believe they’ve produced a connected car that provides a balance between giving consumers a safe, connected driving experience while providing companies with a chance to offer services that enhance the driving experience: for a price.

According to the article, the companies involved in bringing the Internet to cars collect an enormous amount of information about drivers. This presents a variety of challenges when it comes to privacy: who owns the information, how can or should it be used, and what is it worth?

While privacy and data ownership issues are still up in the air thanks to the U.S. government, Andreas Mai, director of product management at Cisco, believes data generated by a connected car is worth about $1,400 a year. He breaks it down this way:

  • Drivers can save $550 through better fuel economy, less time stuck in traffic, lower insurance rates, etc.
  • Society can save $420 by employing car platoons to speed up traffic and increase a road’s capacity.
  • Service providers can earn $150 by providing traffic guidance, navigation, parking, emergency services, etc.
  • Automakers can save $300 in lower warranty costs, profitable apps, etc.

The key to maximizing the information that can be collected (and re-sold), according to the article, is convincing drivers that they get a tangible benefit from releasing the data, such as shorter commutes or lower insurance rates (thanks Flo). According to a survey by Cisco, 74% of drivers were willing to share vehicle information. However, who or what owns that information still needs to be sorted out, he said. They must balance all of those things against the driver’s wants and needs: connectivity, infotainment, and cutting-edge safety features.


Continental and Cisco teamed up to keep the bits flying. As a vehicle moves, it needs to prioritize the critical needs of drivers and passengers for network connectivity, according to the article. Digital Trends explains that Continental will supply the hardware and Cisco will provide the software. The car can switch between 3G, 4G, WiFi, and Dedicated Short Range Communication (DSRC) on the go, depending on service quality and cost to the customer. The DSRC system is part of the emerging vehicle-to-vehicle (V2V) technology system that allows cars to communicate with each other directly – and autonomously.

A Cisco software router loaded in Continental hardware performs the network switching. The router sends signals first to a Cisco-managed “Connected Car Cloud,” which then relays information to whatever network appears optimal at the moment.


The Cisco on-board software system can seamlessly switch between available 3G, 4G, and other wireless networks based on cost and quality of service preferences. “Connected vehicles are opening up a vast field of opportunities for services to make driving safer, more efficient, and more comfortable,” said Ralf Lenninger, head of innovation and strategy, Continental’s Interior Division. “This is why we are looking at ways to connect the moving vehicle in a highly secure, fast, and reliable way.”

The Cisco and Continental proof-of-concept connected car shows how auto manufacturers can provide the same amount of network security that is available at home (oh NO!) or in the office. Cisco provides one highly secure software gateway that delivers Cisco’s core networking capabilities and optimizes multiple communication links and mobility services to and from the vehicle. Security against cyber attacks will become more important as more vehicles include connected functions.

rb-

I recently covered Ford’s efforts to understand connected cars by studying the commlinks of space-based robots here.

The savings claims seem suspicious to me. The “lower insurance costs” are just cash savings. Oh, yeah, Walmart is still in business. What are the costs going to be to the drivers after the insurance companies get their Hadoop big data analytics on the data from the magic boxes they are installing? Will they use the data you provided them to change the rules on your policy to raise your rates? It only takes a small leap to think about what the NSA could do with the data.

Just in case someone at Cisco or Ford or anybody else is reading this, here are some suggestions from Veracode to secure connected cars.


Infographic by Veracode Application Security
