2015: the Year of the Mobile Messaging Wars

I’ve just finished another piece for IT Pro in Hong Kong covering the intensifying battle between WhatsApp and the slew of Asian mobile messaging firms in the chasing pack.

It’s shaping up to be an exciting 2015 for those in the space as these platform players look to differentiate in an increasingly crowded market, while the telecoms operators struggle to recoup the cash they’re losing from decreased SMS and voice call revenue.

Canalys analyst Jessica Kwee was quick to point out the pressure these traditional telecoms players are under.

“SMS/texting in the traditional sense has been impacted greatly, especially as people see more value in messaging apps – as in many cases they are considered ‘free’ as they are part of the data plans,” she told me via email.

“Plus, messaging apps are also more flexible and can handle more than traditional texting – no character limits, and on opposite spectrum, you don’t feel obliged to try to use up the character limit either, so it’s easier to text something very short and quick. Also, there’s the ability to communicate in groups, send pictures, videos, voice notes, emoticons, etc.”

However, there are some opportunities for operators.

“People will increasingly rely on an always-on connection and not be able to just rely on wi-fi at home or at work, as they will want to be connected all the time,” Kwee explained. “So even though it is much more difficult to get people to spend a lot of money on expensive data plans, especially in price-conscious markets, it could be a compelling alternative where telecoms provide cheaper data plans to exclusively use such apps.”

Frost & Sullivan principal analyst Naveen Mishra added that adoption of mobile messaging apps has soared over the past 12-18 months thanks to their added functionality and free price tag.

“Increasing smartphone penetration and growing internet adoption is driving this usage. Emerging markets like India, are growing extremely fast, both in terms of adoption and usage,” he told me.

“Between May 2014 and Oct 2014, WhatsApp’s monthly active users grew from 50 million to 70 million, which is 10% of the total user base. The next 3-5 years are also looking very promising, as key emerging markets have large opportunities of growth. In India alone, there are over 930 million mobile subscriptions out of which only 70 million are current WhatsApp users.”

As for the various market players, success will come down largely to innovating with new features.

“All the OTT application companies are constantly trying to innovate, however the success of the application largely depends on the value a new feature brings in,” he said.

“Line has tied up with LG Electronics, where through its chat session, LG appliances can be activated and controlled. On the other hand, WhatsApp is working on a voice calling service, which is expected to be launched in early 2015.”


Censor much? What to expect from the Great Firewall in 2015

I’ve been speaking to anti-censorship organisation Greatfire.org about online freedoms in China and what we’re likely to see in 2015. It makes for pretty depressing reading.

First of all, the app market will see an ever-tightening regulatory regime following new regulations passed in October, according to co-founder Percy Alpha.

“I fear that in the future, apps will be like websites, i.e. you have to get a license before publishing any,” he told me by email.

Then there’s the current trend for Man in the Middle attacks as a way to monitor and block access to various online services and sites.

The Great Firewall has already tried this tactic on Google, Yahoo and iCloud to name but three. It’s the only way the authorities can see what people are up to once a site switches to HTTPS.

The smart money is apparently on more of these attacks in 2015, but increasingly focused on smaller sites so as to not arouse much media attention.

The Chinese authorities have also been going after Greatfire itself of late, proof the anti-censorship group must be doing something right.

Their mirrored sites, which allow users behind the Great Firewall to view blocked content, had been only a minor irritant to the authorities until now. But last week Beijing upped the ante in two astonishing moves against the content delivery networks (CDNs) Greatfire uses.

The first resulted in EdgeCast losing all service in China – which could mean tens of thousands of sites affected. Then another swipe took out an Akamai subdomain also used by HSBC. The result? Its corporate banking services became unavailable. It just shows the lengths the Party is prepared to go to control the flow of information.

The last word goes to co-founder Charlie Smith:

“I think we will continue to see the kinds of crackdown we have seen this past year. I think that for a long time, many optimists have said, give the authorities some time, restrictions will loosen up and information will flow more freely. If anything, the exact opposite is happening – I’m not sure why people seem to make comments otherwise.

 If anything, I think the authorities will take censorship too far in 2015. They will push the Chinese over the limit of what they are willing to tolerate.”


China’s state-backed hacking plans for 2015

I’ve just been putting together a piece for IDG Connect on tech predictions for China and Hong Kong in 2015. It’s always difficult to fit in all the comment I manage to get on these pieces, so here’s a bit more on the cyber security side of things, from FireEye threat intelligence manager Jen Weedon.

The long and the short of it is “expect more of the same” from China. The US strategy of naming and shaming PLA operatives ain’t really doing much at all.

“In the next six to twelve months, targeted data theft by China-based actors is likely to remain consistent with patterns we have observed in the past,” Weedon told me by email.

“We expect Chinese threat groups to conduct espionage campaigns that are in line with the Chinese central government’s political and development goals.”

So what exactly will these goals be in 2015? Well, according to Weedon we can expect data theft to focus on climate change and the tech sector.

“China’s ongoing pollution challenges provide strong incentive for threat actors to steal data related to technologies that can help China stem the environmental impact of its heavy reliance on coal,” she said. “We also expect cyber espionage activity against governments and policy influencers in the run-up to the 2015 UN Climate Summit as China seeks intelligence to enhance its negotiating position on global climate policy issues.”

As for the tech sector, China is stepping up its efforts to develop homegrown computing and semiconductor policies – ostensibly for reasons of national security, ie to close down the risk of NSA backdoors in US kit.

“As the country pursues these goals, we anticipate Chinese actors will leverage data theft to supplement knowledge acquired through legitimate channels such as joint ventures with experienced foreign partners,” Weedon told me.

“We regularly observe China-based threat actors target firms engaged in joint ventures with Chinese enterprises.”

Territorial disputes in the South and East China Seas will also continue to drive cyber espionage activity, she said.

As for beyond that, we’ll just have to wait until after the National Development and Reform Commission (NDRC) outlines development priorities for the 13th Five Year Plan.

“As the central government solidifies its goals for the 2016 to 2020 timeframe, we expect further clues to emerge about which topics are likely to enter threat groups’ cross hairs in 2015 and beyond,” said Weedon.

It’s very much a question, therefore, not of whether China will continue its blatant state-backed cyber espionage campaigns, but where it will focus its considerable resources.


AWS an increasingly important tool for web app attackers

It should come as no surprise that the web application layer is one of the most vulnerable and highly targeted in any IT organisation. The latest report from Imperva, which I’ve just covered for Infosecurity Magazine, bears that out and adds some interesting new insights.

Did you know, for example, that public cloud platforms like Amazon Web Services are increasingly being used by cyber criminals to launch such attacks?

According to Imperva, 20% of all known vulnerability exploitation attempts aimed at its customers came from AWS servers – that’s a pretty sizeable chunk.

Director of security research at the Israeli firm, Itsik Mantin, told me part of the reason:

“The ability of the attackers to utilize cloud services to mount their attack, makes it easier for them to carry out longer campaigns, and thus they can scan for more vulnerabilities in more pages in the target application,” he said.

Another point of note from the report is the continued growth in SQL injection attacks – up 10% since the last report – and the less well known Remote File Inclusion (RFI) attacks, which have increased 24%.

So what’s to blame? Well not necessarily bad coding, according to Mantin.

“Applications have become more complicated, with more pages and more functions, relying on more third-party modules that are hard to control, and thus the size of the attack ‘domain’ grows over time,” he explained.

Mantin also pointed out that the attack incidents analysed in the report included attacks that were detected and prevented.

“Thus the numbers in the research indicate more the attacker’s intention and less the vulnerability of the applications,” he said.


It’s finally time for governments to get all cloudy eyed.

I’ve just finished a piece for a client charting the progress of cloud computing projects in the public sector around the world and I’ve got to say, it makes pretty miserable reading for the UK.

Despite the launch, to great fanfare, of the G-Cloud project a couple of years ago, awareness among public servants seems pretty low still and sales not exactly setting the world alight – G-Cloud vendors brought in £217m in July, rising to just under £250m the month after.

That said, we’re a small country, and things are looking up. The technology is mature enough and use cases are starting to spring up all over the place, which will speed adoption. However, long term outsourcing contracts are still impeding the development of cloud projects, according to Nigel Beighton, international VP of technology at Rackspace – a G-Cloud vendor.

“The public sector’s move to the cloud is still in its infancy, and I applaud what Liam Maxwell and the whole G-Cloud team are trying to do. But it will take time,” he told me via email.

“Over the past few years the cloud has matured and grown, and is now able to do just about everything you need it to do. For public sector agencies that are yet to make the move to the cloud, one of the main benefits is that it offers great flexibility and that they won’t be locked into one provider. There are also many parts of the sector that are hit with large peaks in their service at certain times of the year, and they could really benefit from a pay as you go, or utility, cloud-model.”

Over in China there is no such reticence, mainly because many public sector bodies have no existing legacy contracts/infrastructure to encumber them. I remember EMC’s Greater China boss saying as much a couple of years ago in Hong Kong and it’s still true, according to Frost & Sullivan’s Danni Xu.

She said the central government threw RMB 1.5bn (£150m) at public sector cloud development in the five major Chinese cities in 2011. Then local governments – many with more money than some countries – followed suit: witness Guangzhou Sky Cloud Project, Chongqing Cloud Project, Harbin Cloud Valley Project and Xian Twin Cloud Strategic Cloud Town Project. An ecosystem similar to that which has grown up in the UK, US and elsewhere, has developed around this new investment, she told me.

“The formation of a more complete cloud ecosystem has benefited local enterprises and local government in many ways. With plenty of cloud offerings available in the market, the public sector itself has also emerged as an important spender for cloud services, among the various vertical sectors,” Xu said.

“For instance, the Ningxia municipal government works with AWS on building a large-scale data center in the region. Meanwhile, it will also leverage Amazon’s platform to deliver e-government services in the future.”

Forrester analyst Charlie Dai counselled that most public sector projects in China are still private cloud based, at least when it comes to SoEs.

“The government is also trying to strengthen the control and regulate the market,” he added.

“The China Academy of Telecommunications Research of the Ministry of Industry and Information Technology (MIIT) launched official authorisation on trusted cloud services (TRUCS) for public cloud early this year.”

Quelle Surprise.

What is obvious, in China as in the UK and elsewhere, however, is that we’re only at the beginning of a very long journey. Whether it takes 10 or 50 years, the cloud is ultimately where governments around the world will look to in order to work more productively and deliver public services more efficiently.


Is NATO about to make cyber war a reality?

This week I’ve been looking at the news that NATO’s set to ratify a new cyber policy which was first made public back in June. So far, so boring you might think.

Well, actually this one is pretty significant in that it seeks to extend Article 5 – the collective defence clause under which an attack on one NATO member is treated as an attack on them all – to the cyber world.

In doing so NATO is going further than individual governments in trying to establish international principles that a cyber attack can be considered the same as a traditional military strike.

However, the chances of the alliance actually invoking Article 5 are pretty slim – as KPMG cyber security partner Stephen Bonner told me it has only happened once before, after 9/11.

“The reality is that few cyber attacks are likely to be of sufficient scale and impact to justify invoking Article 5 – and they would not happen in isolation from a broader deterioration in international security. In other words, if there was a state attack then it would have a broader context,” he added.

“This announcement is primarily a rhetorical point which is possibly aimed at having a deterrent effect.”

That said, I think it’s still an important step.

Some might argue that the lack of clarity around what would be considered an act of cyber war kind of diminishes its value, but as McAfee director of cybersecurity, Jarno Limnéll, told me, this is the right thing to do tactically.

“I think this is wise policy, spelling out a clear threshold would encourage adversaries to calibrate their attacks to inflict just enough damage to avoid retaliation,” he argued.

Elsewhere, consultancy BAE Systems Applied Intelligence also welcomed the news.

“Cyber criminals do not respect national boundaries so protecting national interests will require increasing international cooperation,” a spokesperson told me by email.

“It is therefore encouraging to see the increasing priority which cyber is being given in NATO’s agenda. This complements multiple other initiatives nationally and internationally to address a growing security risk and help secure the systems we are increasingly reliant on.”

The new policy will not just concentrate on the collective defence clause, of course, and BAE also welcomed the increasing focus on intelligence sharing between member countries and with the private sector.

Whatever the efficacy of NATO’s move, it once again underscores the increasing importance being attached to cyber channels by politicians and military leaders.

As Limnéll said, these are necessary steps given the relative immaturity of the industry.

“We have to remember that we are just living the dawn of the cyber warfare era and the ‘cyber warfare playbook’ is pretty empty,” he told me.

“Most of the destructive cyber tools being developed haven’t been actively deployed. Capabilities to do real damage via cyber attacks are a reality but fortunately there has not been the will to use these yet. However, that is one option, as a continuation of politics, for countries nowadays.”


Hong Kong’s online TV shambles

I’ve just finished a feature slightly out of my comfort zone – Hong Kong’s online TV market, or lack thereof.

The Chinese SAR has a huge appetite for net TV – you just have to get onto an MTR, visit a dim sum restaurant or try and get past a local ambling on the pavement whilst staring at their phablet, to realise that.

The former colony also has an ideal set-up – 4G is commonplace; the locals are pretty tech-savvy early adopter types relative to the rest of Asia; and broadband penetration is amongst the highest in the world.

Yet thus far it still doesn’t have its own online TV service. Hongkongers have to get their content from mainland China or further afield to satisfy their lust for internet telly.

Local entrepreneur Ricky Wong tried his best with HKTV but hit a brick wall in the form of a government shamelessly protecting the vested interests of the region’s incumbent broadcasters.

It’s a shame because this model of broadcasting, whilst probably never fully replacing traditional modes, will definitely come to play a major part in our content consuming lives over the next decade.

Gartner’s Terick Chiu explained to me that it’s not just the online TV players and content producers who stand to benefit.

“In their efforts to drive engagement with consumers, both incumbents and new entrants are likely to invest in the technology of second-screen applications. These applications are built on top of automatic content recognition (ACR) technologies, which enable an application to detect content metadata — usually contained in a digital watermark — and synchronise the application with the on-screen programming,” he said.

“For service providers and advertisers, these second-screen apps will become an important element of the future of TV, given their ability to provide an ongoing stream of information about consumer preferences and interests. These apps also enable a form of e-commerce or ‘embedded merchandising’, which links a viewer to products/services that are featured in video programming”.

IDC’s Greg Ireland, meanwhile, argued that internet TV would “usher in a new wave of competition” in the broadcast industry – which should spell good news for viewers.

“One item to watch is how these services, or other new services, emerge as ‘true’ competitors to traditional pay TV,” he told me. “That is, will any begin to license linear content and offer a pay TV service of live and on-demand content entirely over the internet?”

It’s going to happen sooner or later in Hong Kong, as around the world, so the government might as well get out of the way and let it happen now.


Russian mega-hack: time to get serious about alternatives to passwords?

All the talk this week has been of the Russian mega-hack: a data breach, revealed first in the New York Times by a security firm called Hold Security, of an estimated 1.2 billion username and password combinations and 500 million email addresses.

So what can we say about it?

Well, according to the security experts I spoke to we can summarise as follows:

  • It won’t be enough to push website owners into adopting more secure authentication mechanisms like two-factor authentication; passwords are just too user friendly and the alternatives would be too expensive.
  • The best we can hope for is it will encourage people to use password managers, or at least stop sharing passwords across sites, and improve the strength of those passwords.
  • It’s still not clear if this was as big a breach as claimed. We don’t know whether the details are current passwords, where they were obtained and exactly how. Fixating on the size is also missing the point a bit, as there are huge breaches every year.
  • Online firms should see this as a wake-up call. Patch those SQL flaws and keep passwords more secure – by doing this you’ll remove the “lower hanging fruit” these Russian attackers clearly went for.

Beyond that, Thales UK head of cyber security, Peter Armstrong told me he was disheartened to see Hold Security already trying to monetise its findings by charging for breach notification services.

“One of the key building blocks that underpins the improvement in the global cyber defence posture is the preparedness of organisations to share threat intelligence. The creed and ethos here is we are only strong if we are strong together,” he added.

“Threat Information Exchange must remain a philosophy of openness and community benefit not individual benefit. This organisation [Hold Security] has derived benefit historically from this free information exchange helping them to amass the capability and intelligence to make this discovery in the first place. This kind of behaviour is likely to trigger black listing of organisations for bad behaviours from a community perspective and under those circumstances it is only the cyber criminals who benefit.”

For KPMG cyber security director, Tom Burton, the main issue here is whether passwords are still fit for purpose. He thinks not.

“The pervasive nature of the internet means mere mortals cannot possibly remember a different password for each and every website they have registered with, let alone passwords with strength,” he told me by email.

“In the short term, individuals must take a more risk based approach, maintaining strong and unique credentials for those sites that would create the greatest impact if breached (bank accounts and email accounts are two such examples) while being pragmatic and using common passwords for sites that really would be little more than an irritation if breached.”

For CISOs it comes down to risk management, and in many cases fortifying the organisation against such breaches may come higher on the agenda than dealing with advanced targeted attacks, he argued.

“It is too easy with modern processing to crack a large file of password hashes, and there will always be vulnerabilities that enable criminals to gain access to those hash files,” concluded Burton.

“If there is one thing that I feel is certain it is that this is unlikely to be the last announced breach of this kind, and is probably not going to be the largest. If it doesn’t prompt businesses and individuals to rethink how they are protecting themselves then the criminals will have a bright future ahead of them.”
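An added example, not from the post or from the firms quoted, illustrating Burton’s point about leaked hash files and the “keep passwords more secure” advice: the same constructed user table stored with an unsalted single-round hash versus a per-user salt and a slow PBKDF2 work factor. The user records, the iteration count and the storage format are my own assumptions.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Assumed work factor: each guess against a stored hash costs this many HMAC rounds
# instead of one, which is what slows down cracking of a leaked hash file.
PBKDF2_ITERATIONS = 200_000


def legacy_hash(password: str) -> str:
    """Unsalted, single-round SHA-1: the kind of hash file that is cheap to crack
    and that leaks which users share a password (identical hashes)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'pbkdf2_sha256$iterations$salt$hash'
    (an assumed format) so the parameters travel with the record."""
    if salt is None:
        salt = os.urandom(16)  # fresh 128-bit random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # legacy or malformed record: refuse rather than guess
    _, iters, salt_hex, hash_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def shared_password_groups(records: List[Tuple[str, str]]) -> List[List[str]]:
    """Users whose stored hash is identical. Under an unsalted scheme this exposes
    password reuse: cracking one value unlocks every account in the group."""
    groups = {}
    for user, stored in records:
        groups.setdefault(stored, []).append(user)
    return [users for users in groups.values() if len(users) > 1]


# Constructed sample accounts (not real data); two users share a password.
CONSTRUCTED_USERS = [
    ("alice", "Summer2014"),
    ("bob", "Summer2014"),
    ("carol", "correct horse battery"),
]
LEGACY_TABLE = [(u, legacy_hash(p)) for u, p in CONSTRUCTED_USERS]
HARDENED_TABLE = [(u, hash_password(p)) for u, p in CONSTRUCTED_USERS]

if __name__ == "__main__":
    print("reuse visible in legacy table:", shared_password_groups(LEGACY_TABLE))
    print("reuse visible in hardened table:", shared_password_groups(HARDENED_TABLE))
    print("alice login ok:", verify_password("Summer2014", dict(HARDENED_TABLE)["alice"]))
```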


Malaysia: another contender for Asia’s ICT crown?

IDG Connect has just published another of my forays into Asia’s ICT markets, this time focusing on Malaysia and whether it can possibly sneak in to take the crown of regional digital hub from its rivals in Hong Kong, Singapore and elsewhere.

The truth is that the country has flown under the radar for much of the past 20-odd years, although in reality the government had been pushing for foreign investment there since the early 1970s, when Intel and six other firms set up facilities in what was once nothing more than mud and rice fields.

Fast forward to today and Malaysia has something of an image problem, according to Ng Wan Peng, COO of Malaysia’s Multimedia Development Corporation (MDeC), the government agency leading the charge.

“While the country is fast-becoming viewed as a top Asian holiday destination, with beautiful beaches and luxury hotels, it doesn’t immediately spring to mind as a place for foreign firms to invest or in which to establish their Asian hub,” she told me.

Its efforts to change this and help the country move up the ICT value chain were spearheaded by the founding of the Multimedia Super Corridor (MSC) – a hi-tech investment zone running from Kuala Lumpur airport into the city centre. It’s designed to spur foreign investment (33% of which comes from the UK) and encourage that transformation into a “digital economy” by 2020.

The Malaysian government has put together a very generous set of inducements to invest here, including a “Bill of Guarantees” which promises MSC-status companies: a 10-year income tax “holiday” or investment tax allowance for up to 5 years; freedom of ownership; strong cybersecurity laws; and no internet censorship, according to Peng. The government also offers unrestricted employment of foreign knowledge workers, cutting visa-related red-tape.

So what else? This is what Peng had to say:

The answers range from the economical, to the cultural, to the financial. For one, we are politically and socially stable. We also believe our multi-cultural society holds a business advantage – we Malaysians are used to sitting across the table from someone of a different ethnicity to us from an early age, so we’re used to conducting business with people from all geographies and walks of life. Being a largely English-speaking population is also attractive to Western investors, while our world-class infrastructure helps to facilitate global commerce without fear of being disrupted by natural disasters.

So far so good. But there are challenges, as Frost & Sullivan APAC associate director Pranabesh Nath explained to me.

“Areas that stand out as challenges include inadequate technology infrastructure, lack of sufficient talent, small domestic market, and not enough ‘knowledge jobs’,” he argued. “Adoption of technology for consumers in terms of usage, and lower e-commerce penetration provides additional growth challenges. The government, though, recognises these shortcomings and is expected to be implementing policy to overcome them.”

Indeed, Peng explained separately without prompting that these areas of concern are being addressed by the government.

There’s certainly a will from the top to make this work which is heartening to see and some impressive growth stats already. Yet I wonder whether the problem Malaysia might face is in that delicate balance between encouraging foreign investment via tax breaks and other inducements and nurturing its home-grown companies.

“There are frameworks and policies since the ’90s on encouraging home grown companies, however these don’t seem to have worked very well,” Nath argued. “Technology and markets have also changed rapidly in the last 20 years and it is always hard to keep up to date with the latest development and growth areas.”

However, he was optimistic of a way to surmount this problem and accelerate Malaysia’s ICT growth without this coming at the expense of home-grown companies.

“The internet of things and its applications in industry sectors such as automobiles, healthcare and consumer are enabling new business models and use-cases such as wearable technology. These highly integrated solutions use all key tech areas such as cloud, big-data and high speed connectivity,” he explained.

“A strong emphasis being a leader in this area, coupled with a focus on generating a knowledge intensive economy can propel Malaysian ICT to much greater growth in the next five years. Both foreign investment and local companies’ incubation can be simultaneously pursued in these cases. Now we just need strong policies that can implement the above.”



Keeping an eye on the coders: a new idea to eliminate flawed programs

Here’s an interesting new idea from Microsoft – a radical solution to the problem of buggy code.

The new paper, from Redmondian Andrew Begel and a group of Zurich university boffins, suggests managers monitor programmers via EEG, EDA and eye-tracking sensors. These would alert them when an individual is struggling and therefore likely to introduce flawed code.

Now, it sounds like a pretty good idea in theory, and in practice has apparently performed pretty well. But one security expert I spoke to had some major misgivings.

Imperva co-founder and CTO Amichai Shulman argued that it might stray outside the boundaries of what could be construed “reasonable”.

“I think constantly monitoring the psychological status and the physical conditions of programmers, seems tremendously intrusive and probably strays way off from what I consider to be ‘reasonable means’,” he told me.

“However, I think that even if we review this in the cold eyes of a software professional there are some doubts about the usefulness of this method in general and its application to security vulnerabilities in particular.”

The first doubt he had relates to the tremendous commercial pressure coders are under to release “more functionality in less time”.

“On their way to achieving higher rates of LOC/sec, programmers as well as their employers are willing to sacrifice other attributes of the code such as efficiency, readability and also correctness – assuming that some of these will be corrected later during testing cycles and some will not be critical enough to be ever fixed,” he explained.

“If we introduce a system that constantly holds back on programmers because they are stressed for some reason we will effectively introduce unbearable delays into the project which will of course put more pressure on those who perform the job when schedule becomes tight.”

This is not to mention the fact that programmers should, at times, be “over” challenged to keep them sharp and happy with their roles.

“Additionally, there’s a big question of whether we can have a system like that which can make a distinction between making a critical mistake or a minor one, which again impacts its ability to have a positive effect on the software development process in general,” said Shulman.

Then, of course, there’s the issue of what kinds of flaws the system will root out.

“I think that most security related mistakes are introduced inadvertently as a consequence of the programmer not having the faintest idea regarding the potential implication of some implementation decision,” he argued. “This is the case with SQL injection, XSS, RFI and many more vulnerability types.”

So, bottom line: nice idea Microsoft, but it’s probably not going to solve the problem of poor coding anytime soon. Until something genuinely revolutionary comes along we’ll probably have to stick to the usual suspects to reduce risk: security tools, patching, better QA and testing.