Tag Archive for 2016

| May 8, 2016
Comments Off on Wearables – Growing Enterprise Risk

Wearables – Growing Enterprise Risk

Wearables - Growing Enterprise RiskMarket research firm Tractica predicts that the high levels of interest will drive worldwide shipments of wearable computing devices for enterprise and industrial from 2.3 million in 2015 to 66.4 million units by 2021 and could reach 75.4 billion by 2025. This means there will be a total of 171.9 million wearables in the wild by 2021.

The report at FierceMobileIT cites a large number of trials or deployments with a diverse set of wearables across a variety of industry sectors for the growth.  Tractica research director Aditya Kaul explained the prediction,

diverse set of wearablesIn the past year, the enterprise and industrial wearables market has moved into an implementation phase, with the focus shifting from public announcements to the hard work that needs to be done behind the scenes to get wearables rolled out at commercial scale.

Tractica noted a range of new IoT use cases are emerging for workplace wearables. The new uses are focused on application markets like; retail, manufacturing, healthcare, corporate wellness, warehousing and logistics, workplace authentication and security, and field services.Estiamted wearbable device shipments

The market research firm believes the primary wearable device categories will be; smartwatches, fitness trackers, body sensors, and smartglasses, There will also be other niche categories that will play a role for specialized use cases.

Internet of ThingsThe report does concede that in terms of unit volumes and revenue, enterprise and industrial wearables are still a very small part of the IoT overall market. Wearable’s share of the total market will grow over time, according to Tractica.

Wearables proliferation does not bode well for IoT or enterprise security. A recent survey of 440 IT pros by IT networking company Spiceworks found that enterprise wearables are most likely to be the cause of a data breach out of all Internet of Things devices connected to a workplace network.

IoT most likely to be source of a security threatAccording to FierceMobileIT, the survey found that 53% of IT pros believe wearables are the least secure of all IoT devices. Overall, 90% of those surveyed think IoT makes workplace security more difficult. Spiceworks also found that only one in three of those surveyed are preparing for the tidal wave of these devices.

IoT security threatThe number of companies allowing wearables on the network has jumped from 13% in 2014 to 24% in the current Spiceworks survey. That’s a significant jump, and especially worrisome for the two-thirds of organizations putting off a proper security protocol. 41% of those surveyed said that their organizations have a separate network for connected devices, 39% allow them on the corporate network and 11% don’t allow IoT in any capacity.

Enterprise IoT devices aren’t the only reason IT pros should worry, as Andrew Hay, CISO of DataGravity, told FierceMobileIT at the RSA conference this year. Workers are bringing consumer-grade IoT devices into enterprise environments, too. In other words, IT pros don’t have a choice at this point but to seriously consider security measures for IoT.

rb-

I first covered IoT security holes in 2011. In 2014, I wrote about HP research which found on average 25 security flaws per device tested. If these stats are right, there will be almost 4.3 billion security flaws in the wild.

Some of the security flaws HP pinpointed in wearables during 2015 included:

  • Mobile interfaces lack two-factor authentication or the ability to lock out accounts after login failed attempts.
  • Watch communications to be easily intercepted.
    • Firmware is transmitted without encryption.
    • Half of the tested devices lacked the ability to add a screen lock, which could hinder access if lost or stolen.
    •40% were still vulnerable to the POODLE attack, allow the use of weak ciphers, or still used SSL v2. Transport encryption is critical because personal information is being moved to multiple locations in the cloud.
Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , ,
| May 1, 2016
Comments Off on How Much Cash Do Tech Firms Stash Overseas

How Much Cash Do Tech Firms Stash Overseas

How Much Cash Do Tech Firms Stash OverseasA new report (PDF) from charity Oxfam says American companies stash a significant part of their cash overseas to take advantage of more favorable tax laws in other countries. They claim that tech companies take particular advantage of this practice, also known as “tax havens.” Oxfam which is crusading to get the U.S. government to crack down on this practice says tax havens costs the United States more than $100 billion a year in lost tax revenue.

Tech firms are hoarding nearly $500 Billion overseasThe Business Insider brought us this Statista chart, based on the Oxfam report. Tech firms are hoarding nearly $500 Billion in cash overseas. The chart shows how much money major US tech companies have stashed overseas, and how many subsidiaries they have set up in countries that Oxfam defines as tax havens, “which can be characterized by secrecy, low- or zero-tax rates, and the almost complete lack of disclosure of any relevant business information.

U.S. tech firms with most cash held overseas

While tech is the most prominent sector on Oxfam’s list, the article claims tech is not alone — large companies in other sectors like General Electric ($119 billion), Pfizer ($74 billion), Merck ($60 billion), and Exxon Mobile ($51 billion) also have lots of cash stashed overseas.

There’s nothing illegal about this practice. But Oxfam believes it contributes to income inequality. They are urging U.S. lawmakers to make it harder for companies to use international tax laws to their advantage in this way.

money stashed overseasOverseas tax havens have been the focus of recent revelations about tax scams by wealthy people, based on the leak of the “Panama Papers,” documents from a single Panama-based law firm, Mossack Fonseca, involving 214,000 offshore shell companies. The firm’s clients included 29 billionaires and 140 top politicians worldwide, among them a dozen heads of government.

rb-

This list looks a lot like the one for the top lobbying spender firms. I wrote about the tech titans lobbying efforts just a couple of weeks ago here.

RankFirmCash $ held off shoreLobbying rankLobbying $ spending
1Apple181.1B104.5M
2Microsoft108.3B78.5M
3IBM61.4B114.6M
4Cisco52.7B142.7M
5Alphabet/Google47.4B116.6M
6HP42.9B
7Oracle38.0B134.5M
Related articles
  • Obama urges Congress to take action on corporate tax reform (bnn.ca)

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , , , ,
| April 18, 2016
Comments Off on Schools Face RansomWare Risk

Schools Face RansomWare Risk

More than 2,000 machines at K12 schools are infected with a backdoor in unpatched versions of JBoss that could be used at any moment to install ransomware such as Samsam. TargetTech defines ransomware as malware designed for data kidnapping, an exploit in which the attacker encrypts the victim’s data and demands payment in Bitcoins for the decryption key.

JBossRansomware has typically been spread through drive-by downloads or spam emails with malicious attachments. One of the latest victims of Samsam was MedStar Health, a not-for-profit organization that runs 10 hospitals in the Washington, D.C., area.

PCWorld reports that the Cisco (CSCO) Talos threat-intelligence organization, announced that roughly 3.2 million machines worldwide are at risk. The article says that many of those already infected run Follett’s Destiny library-management software, used by K12 schools worldwide. According to Cisco, Follett responded quickly to the vulnerability,” Follett identified the issue and immediately took actions to address and close the vulnerability”.

BitcoinIn a presser, Follett offers patches for systems running version 9.0 to 13.5 of its software and says it will help remove any backdoors. The author states that Follett technical support staff will reach out to customers found to have suspicious files on their systems. Follett even offers SNORT detection rules on the presser page.

Snort is a highly regarded open-source, freeware network monitoring tool that detects attack methods, including denial of service, buffer overflow, CGI attacks, stealth port scans, and SMB probes. When suspicious behavior is detected, Snort sends a real-time alert to Syslog, a separate ‘alerts’ file, or to a pop-up window.

JBoss the vulnerable underlying system is described as an open-source Red Hat product that serves as an application server written in Java that can host business components developed in Java. Essentially, JBOSS is an open source implementation of J2EE that relies on the Enterprise JavaBeans specification for functionality.

PCWorld reports that compromised JBoss servers typically contain more than one Web shell. Talos advises that it is important to check the contents of a server’s jobs status page. “This implies that many of these systems have been compromised several times by different actors,” the company said.

BackupWeb shells are scripts that indicate an attacker has already compromised a server and can remotely control it. The list of those associated with this exploit is listed in Talos’s blog post.

Companies that find a Web shell installed should begin by removing external access to the server, Talos said in the article. The security firm recommends quick action.

Ideally, you would also re-image the system and install updated versions of the software … If for some reason you are unable to rebuild completely, the next best option would be to restore from a backup prior to the compromise and then upgrade the server to a non-vulnerable version before returning it to production.

rb-

I have worked with a number of customers on their library automation projects. The cost of these systems is as usual in the data. There is a great deal of time and effort that goes into creating the proper MARC records, especially for books that are out of print and kiddie books. If these files get locked up by ransomware, the system is useless and expensive to replace.

K12 schools are notoriously cheap, but the advice is the same as always,

  1. Keep your software UP TO DATE
  2. Use a real virus scanner on your servers and administrative stations
  3. Back-Up – Back-Up – Back-Up – With a good backup, you can just blow the machine away, re-install and restore the data. and be back in business.
Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , ,
| April 16, 2016
Comments Off on Hey Lobbying Tech Spender

Hey Lobbying Tech Spender

-Update 04-26-2016- As if to prove my point, Democratic Presidential candidate Bernie Sanders just named Verizon one of America’s Top Ten Tax Avoiders. VZ has a corporate tax rate of -2% for the last 6 years according to the post. Verizon has the #4 lobbying spender.

Hey Lobbying Tech SpenderJust in time for the U.S. tax deadline, the Business Insider has a report which details the amount of money the tech titans spent on bribing lobbying the politicians in DC. Thanks to one of the small bits of transparency in the gooberment, the U.S. House of Representatives requires companies to file government lobbying records. You can search their disclosures here at the Office of the Clerk of the House. (rb- Use this while you can, it’s likely to be shut down at any time by politicians with things to hide.)

Amazon was the most aggressive tech lobbyist in 2015The most aggressive tech spender on lobbying in 2015 was Amazon (AMZN) according to research by Consumer Watchdog. The company spent $9.07 million (a company record) on lobbying in 2015, an incredible 91.4% surge from its 2014 spend dedicated to influencing federal regulations last year according to BI.

Amazon lobbied Washington about

tech firms spent over $122M lobbying Washington politiciansDespite Amazon’s aggressive lobbying, Google (GOOG) topped the list of tech companies for the second year in a row. Google spent $16.6 million in 2015 vs $16.83 million in 2014. The biggest spending tech firms spent over $122M lobbying Washington politicians.

How the tech titans spent their money

  1. Google: $16.6 million in 2015 vs $16.83M in 2014.
  2. Comcast (CMCSA): $15.63 million vs $16.8M in 2014
  3. AT&T (T): $14.86 million, up from $14.56M in 2014
  4. Verizon (VZ): $11.43 million, up 1.9% from $11.22M in 2014.
  5. Facebook (FB): $9.85 million from $9.34M in 2014, a company record.
  6. Amazon (AMZB): $9.07 million up 91.4% from 2014 .
  7. Microsoft (MSFT): $8.49 million vs $8.33M in 2014.
  8. Time Warner Cable (TWC): $6.8 million in 2015, down 13.2% from 2014.
  9. T-Mobile (TMUS) $6.14 million, up 1.7% from 2014.
  10. Apple (AAPL): $4.48 million in 2015 compared to $4.11M in 2014.
  11. IBM (IBM): $4.63 million, a 6.5% decrease from $4.9M in 2014.
  12. Intel (INTC): $4.55 million in 2015, up 19.7% from $3.80M in 2014.
  13. Oracle (ORCL): $4.46 million in 2015, down 23.5% from $5.83M in 2014.
  14. Cisco (CSCO): $2.69 million compared to $2.35M in 2014.
  15. Yahoo (YHOO): $2.84 million in 2015 vs $2.94M in 2014.

Tech titans with boxes of meney for politicansBI reminds us that these may seem like big numbers, they’re a tiny part of these companies’ overall expenditures — in the third quarter of 2015, Google spent $3.47 billion on traffic acquisition costs (such as the price of its deal to stay the default search on Apple’s iPhone), and another $6.93 billion on other operating expenses.

rb-

I haven’t written about the tech’s industry lobbying efforts since 2010. Many of the names have remained the same, ATT, Verizon, Google, IBM, Yahoo, and Intel have been bribing lobbying the gooberment for a very long time.

However, just 5 years ago, Apple and Facebook were barely in the lobbying racket.  In 2015, they both ranked at the top in lobbying spending.

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , ,
| April 7, 2016
Comments Off on 9 Emails You Should Never Open

9 Emails You Should Never Open

9 Emails You Should Never OpenThe increasing pace of life coupled with mobile computing which bombards us with emails and messages, from more sources, and across more devices than ever before has created what Proofpoint calls a generation of trigger-happy clickers.

fake emails from cyber criminals.Trigger-happy clickers are falling more and more for fake emails from cybercriminals. These fake emails are so convincing and compelling that they fool 10% of recipients into clicking on the malicious link according to the article. To put that into context a legitimate marketing department typically expects <2% click rate on their advertising campaigns.

So, despite the best efforts of security professionals, too many people are still falling prey to email scams at home and work. Whether it’s a get-rich-quick scheme or a sophisticated spearphishing attack, here are some emails to steer clear of:

1. The government scam

These emails look as if they come from government agencies, such as the IRS, FBI, or CIA. If these TLA’s want to get a hold of you, it won’t be through email.

2. The “long-lost friend”

tries to make you think you know themThis scammer tries to make you think you know them, but it might also be a contact of yours that was hacked.

3. The billing issue

These emails typically come in the form of legitimate-looking communications. If you catch one of these, log into your member account on the website or call the call center.

4. The expiration date

A company claims your account is about to expire, and you must sign in to keep your data. Again, sign in directly to the member website instead of clicking a link in the email.

5. You’re infected

you’re infected with a virusA message claims you’re infected with a virus. Simple fix: Just run your antivirus and check. In a recent twist, scammers claiming to be computer techs associated with well-known companies like Microsoft. They say that they’ve detected viruses or other malware on your computer to trick you into giving them remote access or paying for software you don’t need.

Scammers have been peddling bogus security software for years. They set up fake websites, offer free “security” scans, and send alarming messages to try to convince you that your computer is infected with malware. Then, they try to sell you software to fix the problem. At best, the software is worthless or available elsewhere for free. At worst, it could be malware — software designed to give criminals access to your computer and your personal information.

But wait it gets worse – If you paid for their “tech support” you could later get a call about a refund. The refund scam works like this: Several months after the purchase, someone might call to ask if you were happy with the service. When you say you weren’t, the scammer offers a refund.

Or the caller may say that the company is going out of business and providing refunds for “warranties” and other services.

The scammers eventually ask for a bank or credit card account number. Or they ask you to create a Western Union account. They might even ask for remote access to your computer to help you fill out the necessary forms. But instead of putting money in your account, the scammers withdraw money from your account.

6. You’ve won

you won a contest you never enteredClaims you won a contest you never entered. You’re not that lucky; delete it. It’s illegal to play a foreign lottery. Any letter or email from a lottery or sweepstakes that ask you to pay taxes, fees, shipping, or insurance to claim your prize is a scam.

Some scammers ask you to send the money through a wire transfer. That’s because wire transfers are efficient: your money is transferred and available for pick up very quickly. Once it’s transferred, it’s gone. Others ask you to send a check or pay for your supposed winnings with a credit card. The reason: they use your bank account numbers to withdraw funds without your approval, or your credit card numbers to run up charges.

7. The bank notification

An email claiming some type of deposit or withdrawal. Give the bank a call to be safe.

8. Playing the victim

emails make you out to be the bad guyThese emails make you out to be the bad guy and claim you hurt them in some way. Ignore.

9. The security check

A very common phishing scam where a company just wants you to “verify your account.” Companies almost never ask you to do this via email.

What To Do Instead of Clicking Links

In the case of your bank or other institution, just go to the website yourself and log in. Type in the address manually in the browser or click your bookmark. That way you can see if there’s something that needs taken care of without the risk of ending up on a phishing site.

In the case of your friend’s email, chances are that they copied/pasted the link into the message. That means you can see the full address. You can just copy/paste the address into the browser yourself without clicking anything. Of course, before doing that make sure you recognize the website and that it’s not misspelled.

Proofpoint’s bottom line is that unless you explicitly know and trust it, avoid it. That’s all there is to it. Make this a habit and you can avoid one of the biggest mistakes in internet safety.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , , , , , , , , ,
« Older Entries   Recent Entries »