Hong Kong’s online TV shambles
Posted: August 15, 2014 Filed under: Uncategorized | Tags: 4G, broadband, HKTV, hong kong, internet TV, IT Pro Hong Kong, net TV, online TV, ricky wong, smart TV
I’ve just finished a feature slightly out of my comfort zone – Hong Kong’s online TV market, or lack thereof.
The Chinese SAR has a huge appetite for net TV – you just have to get onto an MTR, visit a dim sum restaurant or try and get past a local ambling on the pavement whilst staring at their phablet, to realise that.
The former colony also has an ideal set-up – 4G is commonplace; the locals are pretty tech-savvy early adopter types relative to the rest of Asia; and broadband penetration is amongst the highest in the world.
Yet thus far it still doesn’t have its own online TV service. Hongkongers have to get their content from mainland China or further afield to satisfy their lust for internet telly.
Local entrepreneur Ricky Wong tried his best with HKTV but hit a brick wall in the form of a government shamelessly protecting the vested interests of the region’s incumbent broadcasters.
It’s a shame because this model of broadcasting, whilst probably never fully replacing traditional modes, will definitely come to play a major part in our content consuming lives over the next decade.
Gartner’s Terick Chiu explained to me that it’s not just the online TV players and content producers who stand to benefit.
“In their efforts to drive engagement with consumers, both incumbents and new entrants are likely to invest in the technology of second-screen applications. These applications are built on top of automatic content recognition (ACR) technologies, which enable an application to detect content metadata — usually contained in a digital watermark — and synchronise the application with the on-screen programming,” he said.
“For service providers and advertisers, these second-screen apps will become an important element of the future of TV, given their ability to provide an ongoing stream of information about consumer preferences and interests. These apps also enable a form of e-commerce or ‘embedded merchandising’, which links a viewer to products/services that are featured in video programming”.
IDC’s Greg Ireland, meanwhile, argued that internet TV would “usher in a new wave of competition” in the broadcast industry – which should spell good news for viewers.
“One item to watch is how these services, or other new services, emerge as ‘true’ competitors to traditional pay TV,” he told me. “That is, will any begin to license linear content and offer a pay TV service of live and on-demand content entirely over the internet?”
It’s going to happen sooner or later in Hong Kong, as around the world, so the government might as well get out of the way and let it happen now.
Russian mega-hack: time to get serious about alternatives to passwords?
Posted: August 8, 2014 Filed under: Uncategorized | Tags: data breach, hold security, infosecurity magazine, KPMG, new york times, passwords, russian hack, Thales UK, two factor authentication, user credentials
All the talk this week has been of the Russian mega-hack: a data breach, revealed first in the New York Times by a security firm called Hold Security, of an estimated 1.2 billion username and password combinations and 500 million email addresses.
So what can we say about it?
Well, according to the security experts I spoke to we can summarise as follows:
- It won’t be enough to push website owners into adopting more secure authentication mechanisms like two-factor authentication; passwords are just too user friendly and the alternatives would be too expensive.
- The best we can hope for is it will encourage people to use password managers, or at least stop sharing passwords across sites, and improve the strength of those passwords.
- It’s still not clear if this was as big a breach as claimed. We don’t know whether the details are current passwords, where they were obtained and exactly how. Fixating on the size is also missing the point a bit, as there are huge breaches every year.
- Online firms should see this as a wake-up call. Patch those SQL flaws and keep passwords more secure – by doing this you’ll remove the “lower hanging fruit” these Russian attackers clearly went for.
Beyond that, Thales UK head of cyber security, Peter Armstrong, told me he was disheartened to see Hold Security already trying to monetise its findings by charging for breach notification services.
“One of the key building blocks that underpins the improvement in the global cyber defence posture is the preparedness of organisations to share threat intelligence. The creed and ethos here is we are only strong if we are strong together,” he added.
“Threat Information Exchange must remain a philosophy of openness and community benefit not individual benefit. This organisation [Hold Security] has derived benefit historically from this free information exchange helping them to amass the capability and intelligence to make this discovery in the first place. This kind of behaviour is likely to trigger blacklisting of organisations for bad behaviours from a community perspective and under those circumstances it is only the cyber criminals who benefit.”
For KPMG cyber security director, Tom Burton, the main issue here is whether passwords are still fit for purpose. He thinks not.
“The pervasive nature of the internet means mere mortals cannot possibly remember a different password for each and every website they have registered with, let alone passwords with strength,” he told me by email.
“In the short term, individuals must take a more risk based approach, maintaining strong and unique credentials for those sites that would create the greatest impact if breached (bank accounts and email accounts are two such examples) while being pragmatic and using common passwords for sites that really would be little more than an irritation if breached.”
For CISOs it comes down to risk management, and in many cases fortifying the organisation against such breaches may come higher on the agenda than dealing with advanced targeted attacks, he argued.
“It is too easy with modern processing to crack a large file of password hashes, and there will always be vulnerabilities that enable criminals to gain access to those hash files,” concluded Burton.
“If there is one thing that I feel is certain it is that this is unlikely to be the last announced breach of this kind, and is probably not going to be the largest. If it doesn’t prompt businesses and individuals to rethink how they are protecting themselves then the criminals will have a bright future ahead of them.”
Malaysia: another contender for Asia’s ICT crown?
Posted: August 5, 2014 Filed under: Uncategorized | Tags: bill of guarantees, ict, idg connect, intel, investment malaysia, malaysia, MDeC, MSC, Multimedia Development Corporation, multimedia super corridor, penang, seven samurai
IDG Connect has just published another of my forays into Asia’s ICT markets, this time focusing on Malaysia and whether it can possibly sneak in to take the crown of regional digital hub from its rivals in Hong Kong, Singapore and elsewhere.
The truth is that the country has flown under the radar for much of the past 20-odd years, although in reality the government had been pushing for foreign investment there since the early 1970s, when Intel and six other firms set up facilities in what was once nothing more than mud and rice fields.
Fast forward to today and Malaysia has something of an image problem, according to Ng Wan Peng, COO of Malaysia’s Multimedia Development Corporation (MDeC), the government agency leading the charge.
“While the country is fast becoming viewed as a top Asian holiday destination, with beautiful beaches and luxury hotels, it doesn’t immediately spring to mind as a place for foreign firms to invest or in which to establish their Asian hub,” she told me.
Its efforts to change this and help the country move up the ICT value chain were spearheaded by the founding of the Multimedia Super Corridor (MSC) – a hi-tech investment zone running from Kuala Lumpur airport into the city centre. It’s designed to spur foreign investment (33% of which comes from the UK) and encourage that transformation into a “digital economy” by 2020.
The Malaysian government has put together a very generous set of inducements to invest here, including a “Bill of Guarantees” which promises MSC-status companies: a 10-year income tax “holiday” or investment tax allowance for up to 5 years; freedom of ownership; strong cybersecurity laws; and no internet censorship, according to Peng. The government also offers unrestricted employment of foreign knowledge workers, cutting visa-related red-tape.
So what else? This is what Peng had to say:
The answers range from the economical, to the cultural, to the financial. For one, we are politically and socially stable. We also believe our multi-cultural society holds a business advantage – we Malaysians are used to sitting across the table from someone of a different ethnicity to us from an early age, so we’re used to conducting business with people from all geographies and walks of life. Being a largely English-speaking population is also attractive to Western investors, while our world-class infrastructure helps to facilitate global commerce without fear of being disrupted by natural disasters.
So far so good. But there are challenges, as Frost & Sullivan APAC associate director Pranabesh Nath explained to me.
“Areas that stand out as challenges include inadequate technology infrastructure, lack of sufficient talent, small domestic market, and not enough ‘knowledge jobs’,” he argued. “Adoption of technology for consumers in terms of usage, and lower e-commerce penetration provides additional growth challenges. The government, though, recognises these shortcomings and is expected to be implementing policy to overcome them.”
Indeed, Peng explained separately without prompting that these areas of concern are being addressed by the government.
There’s certainly a will from the top to make this work, which is heartening to see, and some impressive growth stats already. Yet I wonder whether the problem Malaysia might face is in that delicate balance between encouraging foreign investment via tax breaks and other inducements and nurturing its home-grown companies.
“There are frameworks and policies since the ’90s on encouraging home grown companies, however these don’t seem to have worked very well,” Nath argued. “Technology and markets have also changed rapidly in the last 20 years and it is always hard to keep up to date with the latest development and growth areas.”
However, he was optimistic of a way to surmount this problem and accelerate Malaysia’s ICT growth without this coming at the expense of home-grown companies.
“The internet of things and its applications in industry sectors such as automobiles, healthcare and consumer are enabling new business models and use-cases such as wearable technology. These highly integrated solutions use all key tech areas such as cloud, big-data and high speed connectivity,” he explained.
“A strong emphasis being a leader in this area, coupled with a focus on generating a knowledge intensive economy can propel Malaysian ICT to much greater growth in the next five years. Both foreign investment and local companies’ incubation can be simultaneously pursued in these cases. Now we just need strong policies that can implement the above.”
Keeping an eye on the coders: a new idea to eliminate flawed programs
Posted: July 21, 2014 Filed under: Uncategorized | Tags: andrew begel, EDA, EEG, eye-tracking, imperva, infosecurity, microsoft, programming, redmond, secure code, shulman, software flaws, SQL injection, vulnerabilities, XSS, zurich university
Here’s an interesting new idea from Microsoft – a radical solution to the problem of buggy code.
The new paper, authored by Redmondian Andrew Begel and a group of Zurich university boffins, suggests managers monitor programmers via EEG, EDA and eye-tracking sensors. These will alert them when the individual is struggling and therefore likely to introduce flawed code.
Now, it sounds like a pretty good idea in theory, and in practice has apparently performed pretty well. But one security expert I spoke to had some major misgivings.
Imperva co-founder and CTO Amichai Shulman argued that it might stray outside the boundaries of what could be construed as “reasonable”.
“I think constantly monitoring the psychological status and the physical conditions of programmers seems tremendously intrusive and probably strays way off from what I consider to be ‘reasonable means’,” he told me.
“However, I think that even if we review this in the cold eyes of a software professional there are some doubts about the usefulness of this method in general and its application to security vulnerabilities in particular.”
The first doubt he had relates to the tremendous commercial pressure coders are under to release “more functionality in less time”.
“On their way to achieving higher rates of LOC/sec, programmers as well as their employers are willing to sacrifice other attributes of the code such as efficiency, readability and also correctness – assuming that some of these will be corrected later during testing cycles and some will not be critical enough to be ever fixed,” he explained.
“If we introduce a system that constantly holds back on programmers because they are stressed for some reason we will effectively introduce unbearable delays into the project which will of course put more pressure on those who perform the job when schedule becomes tight.”
This is not to mention the fact that programmers should, at times, be “over” challenged to keep them sharp and happy with their roles.
“Additionally, there’s a big question of whether we can have a system like that which can make a distinction between making a critical mistake or a minor one, which again impacts its ability to have a positive effect on the software development process in general,” said Shulman.
Then, of course, there’s the issue of what kinds of flaws the system will root out.
“I think that most security related mistakes are introduced inadvertently as a consequence of the programmer not having the faintest idea regarding the potential implication of some implementation decision,” he argued. “This is the case with SQL injection, XSS, RFI and many more vulnerability types.”
So, bottom line: nice idea Microsoft, but it’s probably not going to solve the problem of poor coding anytime soon. Until something genuinely revolutionary comes along we’ll probably have to stick to the usual suspects to reduce risk: security tools, patching, better QA and testing.
No-IP? No idea. Why Microsoft faces an uphill battle to restore trust
Posted: July 4, 2014 Filed under: Uncategorized | Tags: anti-spam, bh consulting, botnet, botnet takedown, brian honan, canada, digital crimes unit, DNS, europol, microsoft, no-ip, outage, patch tuesday
To say this week was a bad news week for Microsoft would be putting it mildly.
First, its heavy-handed decision to stop emailing security updates to users (in response to new Canadian anti-spam laws) was u-turned in a rather embarrassing manner.
Then came something much worse as Redmond’s Digital Crimes Unit (DCU) unilaterally sought a court injunction to seize control of 22 domains belonging to DNS firm No-IP.
It did this to arrest the spread of malicious activity on some of the domains, but with good reason commentators are already calling its strategy misjudged this time around:
- No-IP was not informed of the take-down, nor was it working in collusion with the cyber criminals. It also pleaded that it has always co-operated with the authorities when asked on such matters previously.
- Microsoft was unable to filter good traffic from bad, leading to millions of legitimate No-IP customers left without a service earlier this week.
Europol special advisor on internet security, Brian Honan, told me that the incident will further undermine the credibility of tech giants like Microsoft, which has already taken a pasting thanks to the NSA spying revelations from whistleblower Edward Snowden.
He raised a number of valid concerns with me by email:
- If No-IP were not contacted by Microsoft DCU regarding the abuse of their services what right have Microsoft DCU got to determine how good or bad the No-IP abuse mechanisms were? Indeed, what are the criteria and standards that Microsoft used to determine how responsive the No-IP abuse desk is? Are all service providers, including Microsoft, now expected to meet the requirements and expectations of Microsoft DCU? And if not can they expect similar interruptions to their business?
- Microsoft DCU also showed they do not have the technical capabilities in managing Dynamic DNS services and subsequently have impacted many innocent users and businesses; how will Microsoft DCU ensure
- There are also concerns over Microsoft infringing on the privacy of No-IP’s legitimate customers. In effect Microsoft diverted all of these customers’ internet traffic via Microsoft’s systems. An action that could place No-IP and Microsoft in breach of their own privacy policies and indeed various privacy laws and regulations.
This is probably the first major mis-step by the Digital Crimes Unit, and it will need to re-examine its procedures and processes very carefully to avoid a repeat. Its loss of face in this incident will only benefit the cybercriminals if it makes Redmond and others more hesitant to take action in future cases.
News of the World hackers, hacked ATMs and celeb snooping
Posted: July 3, 2014 Filed under: Uncategorized | Tags: ATM hacking, glenn mulcaire, infosecurity magazine, murdoch, news of the world, phone hacking, sophos, surveillance
News of the World private investigator Glenn Mulcaire was this week revealed to have gone to extraordinary lengths to hide his illegal tapping of celebrities’ voicemails: hacking an ATM to use its phone line.
I covered the story here for Infosecurity Magazine but thought it was worth including some extra comments.
Mulcaire’s cover was finally blown when BT sent a bill for the landline to the ATM owner, who forwarded it to the convenience store in which it was located, in a scruffy part of south London.
Sophos senior security advisor, Paul Ducklin, explained to me that Mulcaire probably chose an ATM line rather than tapping a copper phone line via other means for several reasons.
“1. Unlike a fax machine the line never plays through a speaker for feedback purposes. Fax machines usually play their modem noises for a few seconds as part of the ‘user interface’.
2. If you interrupt a data transmission, the system will probably sort itself out automatically later on and no-one will realise that it was deliberate, rather than just a glitch. And you’ll hear the modem trying to come on-line, so you can hang up temporarily to get out of the way.
3. It’s likely to be a rented service that bundles in the phone line, so the bills probably go through a convoluted route to the person where the line is actually installed, making detection more complex – as happened here.”
He stressed the importance of business owners checking their phone statements, just as one should bank statements or those belonging to online accounts, for any signs of suspicious activity.
“Cybercriminality usually leaves traces, and the one thing you can be sure of if you don’t make a habit of looking for those traces is that you won’t find them,” Ducklin told me.
“In various recent high-profile credit card breach cases, the afflicted retailer found out because someone outside the organisation noticed suspicious patterns of fraud. Best not to wait until someone else finds out before you do.”
Is Taiwan’s last chance at tech survival the connected home?
Posted: June 25, 2014 Filed under: Uncategorized | Tags: acer, Asus, compal, computex, foxconn, idg connect, ODM, OEM, PC manufacturing, quanta, Taiwan, taiwan technology, wistron
I’ve just finished another piece for IDG Connect taking apart the Taiwanese technology industry – it seemed like as good a time as any on the back of Computex 2014.
If you haven’t heard of the show it’s the second largest IT event in the world and is held every year in Taipei as it has been for 34 years.
Well, the island formerly known as Formosa has been punching well above its weight on the tech scene for decades now, thanks to lots of government investment, a booming chip industry and a steady stream of bright young engineers and designers pouring from its universities.
But as I found out, many of its major firms are facing an unprecedented set of challenges which could threaten its long term future.
Firstly, the PC market is in decline – which is bad news for 4th and 5th placed global brands Acer and Asus. Whether it is a terminal decline we still don’t know, but it has certainly meant Taiwan’s major ODM/OEM firms have had to adapt to a new mobile-centric output.
The two big brands mentioned above, however, haven’t done a very convincing job so far.
“The whole shift to mobility including smartphones and tablets is the new growth curve for the whole industry,” Forrester analyst Bryan Wang told me from Computex. “What I have seen is that Taiwanese companies are losing in this space.”
Gartner’s Amy Teng was not much more optimistic.
“These manufacturers have to rely on brand vendors to consume their production outcome. This business relationship is weak because today’s PC supply chain is advanced and standardised enough to transplant from vendor to vendor easily,” she argued.
Teng added that the move from high volume, low customisation products to low volume, highly customised products is a big challenge – especially when these manufacturers are being asked to be more cost effective and quicker to market.
All is not lost, though. The country’s semiconductor firms are still well placed and there are opportunities in other areas for those ODM/OEM giants like Wistron, Foxconn, Quanta and Pegatron.
“Regarding how to overcome, or thrive in the coming decade, I do not see any opportunity in the smartphone/tablet space now. However, Taiwanese companies still stand a chance in the connected home space, which is set to evolve in the next couple of years,” said Wang.
“Home/smart gateways, set-top-boxes and smart routers – these could be the angles. At Computex here, I do see home grid, smart plugs, smart home solutions are evolving as an interesting area.”
Can Hong Kong build a ‘Silicon Harbour’? Nah, probably not
Posted: June 10, 2014 Filed under: Uncategorized | Tags: china, datacentre, datacentre hong kong, google hong kong, hong kong, hong kong start up, idg connect, shanghai, shenzhen, silicon harbour, singapore, start-ups, tokyo
I might be back in London now but I’m still keeping one eye on the East. My latest for IDG Connect is a piece on whether Hong Kong can really lay claim to the title “Silicon Harbour”, given its dubious track record of under-investment and the increasing strength of rival Asian cities including Tokyo, Shenzhen, Shanghai and Singapore.
Well, as always, the jury’s still out. There are a lot of good things going on in Hong Kong, as this upbeat infographic shows. It’s politically stable, safe from most natural disasters and you can use the internet freely (unlike in mainland China). It’s also well connected internet-wise and relatively cheap, as Frost & Sullivan analyst Danni Xu told me: “enterprises in Hong Kong using 100 Mbps Ethernet Point-to-Point (P2P) per month are paying only one third the price of a similar set up in Singapore”.
“However, despite these advantages/benefits, Singapore remains popular in certain cases over Hong Kong when it comes to selecting a destination to set up a data centre,” she added. “Google was a prime example of this when its plan to establish a data centre in Hong Kong did not materialise. The cost and difficulty of acquiring suitable land were cited as the key reasons for this.”
It also seems like HK’s key strengths, its value as a financial centre and proximity to China, are also its biggest drawbacks. This means Singapore and other cities are usually preferred as regional hubs while HK is the choice as a base for firms looking to expand into China. It also means investors can be reluctant to plough their money into untried and untested tech start-ups, as the culture is mainly about finance and property.
Forrester analyst Clement Teo had this:
“There are some structural factors that may constrain ICT development in HK e.g. its relatively small domestic market and shrinking manufacturing and industrial sector do not provide sufficient incentives to spur technological developments. Moreover, HK needs to divvy up scarce resources – like land, office space and investment funding and talent – among established economic pillars such as financial services, real estate and retail.”
The HK government this year released an ambitious Digital 21 Strategy – the latest in a long line of such policy documents from the SAR – and certainly talks a good game. But I’m still hugely sceptical whether the political will is there to help smaller tech firms – the start-ups and similar which could genuinely turn the city state into a ‘Silicon Harbour’.
South China Sea: another cyber skirmish to worry about
Posted: May 29, 2014 Filed under: Uncategorized | Tags: china, china cyber espionage, cold war, cyber squared, hacking, information security magazine, philippines, PLA, South china sea, threatconnect, vietnam, washington
I seem to have chosen the wrong time to come back from Hong Kong. Just a fortnight after landing back in Blighty, the US raised the stakes between the two superpowers, and mortally offended China’s honour, by indicting five PLA soldiers on charges of hacking US firms for economic gain.
I’ve written enough about it here and here already, so I won’t go into the pros and cons of this high-risk strategy again. Safe to say that Beijing already appears to be retaliating in the most effective way possible: by making things decidedly difficult for US tech firms in the Middle Kingdom. Already reports have emerged that Cisco and IBM could be in trouble.
Is a new Cold War about to begin?
Well, if it does, one company it might be worth keeping an eye on is threat intelligence firm Cyber Squared. The firm’s ThreatConnect Intelligence Research Team has an interesting and very thorough analysis of new APT-style cyber attack campaigns in the disputed South China Sea (SCS) region, as I wrote about here.
“What’s that got to do with us?” you might ask. Well, potentially quite a lot, according to Cyber Squared chief intelligence officer, Rich Barger.
“There is a risk of increased data loss for Western firms that routinely work with Vietnamese, Filipino, and other SCS region companies,” he told me. “Unit 61398/APT1 operates on the whim of the PRC, and cyber espionage has been adopted as the preeminent ‘low risk – high payoff’ medium for strategic intelligence collection.
“We typically see companies that are infrastructure related being targeted. Industries such as energy, oil & gas, mining, and transportation may find themselves directly or indirectly impacted.”
The message is loud and clear; if you have any military, economic or geopolitical stake in the SCS region, be aware that Chinese cyber operatives are increasing their activity.
“China has had a long standing national and regional interest within the South China Seas region,” explained Barger.
“It offers them a strategic economic advantage in terms of regional and global energy development and trade. From a military perspective, a strong Chinese presence within the SCS also counters the US pivot to South East Asia where China’s military modernisation, especially its navy, and regional assertiveness have come to an intersection.”
Barger argued that the various disparate groups at risk in the SCS need to start sharing information on attacks and “observing both the technical picture and the geo-political context”.
“It is important for those within these targeted industries to actively invest in threat intelligence processes as a standard business practice that supports internal information security operations,” he concluded.
“It is equally important that technical leaders effectively interpret and articulate regional threats and the context surrounding them to corporate business leaders.”
Cyber crime boss offers Ferrari to ’employee of the month’: truth or hoax?
Posted: May 13, 2014 Filed under: Uncategorized | Tags: amichai shulman, cyber crime, cyber crime boss ferrari, employee of the month, imperva, independent, infosecurity magazine, rapid7, trey ford, underground economy
I’m back in the UK for the time being and writing regular news for Infosecurity Magazine now, so expect a fair smattering of off-cuts from this side of the globe for the coming year.
One of the first stories of note I covered was news, broken first by The Indy, that a cyber crime boss had released a video to the darknet offering up a Porsche or Ferrari to the cyber goon-for-hire who could come up with the most lucrative scam.
Now, if it’s true, the story is an interesting one in what it tells us, or confirms to us, about the economics of cyber crime.
Namely, that if the bad guys have this kind of money knocking about – to blow on a kind of bizarre “employee of the month” competition – then how can the police, government and even security vendors hope to attract and retain the best talent?
If nothing else, Rapid7 global security strategist Trey Ford told me by email, it shows the sheer professionalism of cyber gangs today and the vast scale of the underground economy.
“With every part of our lives revolving around increasingly connected technologies, the line between physical and virtual is gone, and the opportunities for attackers are immense,” he added.
“The general public needs to understand this is no longer a world of script kiddies and evil foreign governments, where the average person is unlikely to be a victim. Cyber crime is big business, and everyone is a potential target.”
It sounds obvious but it’s worth saying again, and stories like this at least raise these problems in the public eye.
The other alternative, of course, is that it’s a hoax. Amichai Shulman, co-founder and CTO of Imperva, was not convinced by the story.
“I find it odd that criminal organisations resort to ‘advertising’ an ‘employee of the month’ program. I don’t think that we’ve seen this with recruiting skilled chemists for drug making and drug design or astute economists for money laundering schemes,” he argued. “This leads me to speculate that this is a hoax.”
