Is it easier and better sometimes to pay a ransom on demand?

Following TalkTalk’s ‘hackus horribilis’ moment on 21st October 2015, details are emerging that point not to foreign extremists being behind the attack, but rather to a growing cabal of youngsters aged 14-16, who have been arrested and released on bail by the British police after questioning over the incident. The latest advisory from TalkTalk is that only 4% of their customer base (157,000 customers and around 15,600 accounts) were actually affected by the breach of security (though obviously if you were one of that number, you wouldn’t care about the low percentages).

TalkTalk are not on their own though: M&S had some of its users’ details accidentally shared with other customers online last week. This followed what was described as an internal error. The website was pulled down for 2 hours whilst the problem was fixed. Nonetheless, personal data including names, dates of birth, contacts and previous orders could be seen. Meanwhile, Barclays suffered problems with customers complaining of difficulties with ATM transactions during the weekend of 21st October. This incident was put down to a “network problem” resulting in a “tech outage” by Barclays.

And in an interesting discussion at the 2015 Cyber Security Summit in Boston, the FBI’s Assistant Special Agent in Charge of CYBER and Counterintelligence Programmes, Joseph Bonavolonta, advocated that sometimes it really might pay to pay off the criminals in ransomware attacks where a CryptoWall infection has breached a company’s IT systems. Often this advice is given because the infected organisation has no way of recovering the files: it lacks recovery options, and has either no backup or one that is too old to be commercially useful. Ransomware has been gathering traction since 2013, and much of the difficulty for government security agencies is that no two ransomware attacks are the same.

Meanwhile, the Deputy Director of the US National Security Agency (NSA), Richard Ledgett, commented last week in an interview with the BBC that, as the world becomes more connected and more vulnerable, nation states have to identify their red lines which cannot be crossed by other nations’ sabotage (e.g. the Sony attack), and that where this happens it should lead to consequences. There should be a three-pronged plan: build our defences, build offences against threats in others’ networks and “have a build up of international diplomatic regimes” through which the threat of sanctions could be levied.

Following the Edward Snowden leaks, he said, real damage had been done, as the disclosures had led to changed behaviours in cyber attackers targeting many organisations. He added: “Several terrorist organisations and one in particular had a mature operational plot directed against western Europe and the US”. This, he said, had hampered the NSA’s ability to do its job. Arguing the rights and wrongs of surveillance in a data-filled world, Ledgett said: “I think that the way the discussion (the Snowden leaks) came about was wrong. You hear claims that he was a whistle-blower and that he tried to raise things. Those are just not true…He didn’t try.” On the subject of transparency, Ledgett advised that it was good to have a public discussion about what the authorities are and what they can do, but it got harder if it involved specific operations and specific targets.

With Theresa May updating the UK Government’s powers on mass surveillance, there is a difficult path to tread between those who keep us safe and those who would have liberty at the forefront of the argument.

(Picture: Richard Ledgett, Deputy Director of the NSA.)


Legal sector encryption failure gifts large payout to cyber criminals

A recent account published in the Telegraph newspaper reported the alarming story of a London couple who inadvertently became the victims of a cruel cyber attack. Completion funds on the sale of their property were intercepted by cyber criminals and the couple lost all proceeds, totalling £333,000.

The law firm handling the conveyancing, Perry Hay & Co in Surrey, had emailed owner Paul Lupton, requesting the details of the bank account into which the proceeds of sale should be paid upon completion. Mr Lupton duly replied, giving both account number and sort code. The fraudsters, using ‘xray’ technology which identifies data patterns with financial information, intercepted this email and replied to the law firm, requesting that the previous email be ignored and that the funds be transferred to a different account: theirs.

On discovery that the monies had not transferred, the owner alerted the bank (Barclays) and the police. The account was frozen and £271,000 was returned.

With conveyancing a lucrative target for cyber criminals, law firms have to take responsibility for their clients’ money and use encrypted emails, requiring passwords, for confidential or financially sensitive information.

For email users, account numbers, sort codes, passwords and PINs should never be transmitted by email or be written down. Online passwords should be strong (involving numbers and characters) and changed regularly. Devices should also be protected with security software, including regularly updated installations, to help defend accounts.

This is little comfort for the Luptons, who are currently still out of pocket to the tune of £62,000 after Perry Hay & Co (and Barclays) rejected responsibility, despite the legal watchdog, the Solicitors Regulation Authority (SRA), asserting that member firms were responsible for safeguarding client funds and must replace any monies “improperly withheld or withdrawn from a client account”.


The Week’s Technology News – 5th December 2014

Outsourcing priorities changing
The latest Forrester Research report, covering 435 Europe-based IT decision makers, has found that whilst 60% of European businesses are satisfied with IT infrastructure service providers, there is a subtle shift in focus from a simple desire for cost reduction (66%) to businesses offering services to help increase sales and improve customer experience (71%).

The overall feedback stats should give serious food for thought to MSPs when marketing and servicing their offerings:
• 34% said cost savings were lower than expected
• 29% said service quality or delivery was inconsistent or poor
• 26% said there is a lack of innovation and/or continuous service-level improvements
• 23% said there is a lack of flexibility in changing volume, scope, business needs or pricing models
• 22% said service providers lacked a fully developed and functioning global delivery model.

“Faced with this customer demand for better, faster and more cost-effective infrastructure services, and increased competition from emerging and India-centric suppliers, Europe’s leading providers are forced to bring new offerings and delivery models to the market,” said Forrester analyst Wolfgang Benkel. “The good news is some of them are finally listening to their customers.”

Businesses which have moved to cloud services are benefiting from accessing more flexible services and MSPs need to ensure that to deliver the most for their clients they have a) the right technical skill set b) the business skills to think strategically around the business objectives of their clients and c) the experience, diligence and ability to adapt to create a more innovative approach with their offerings, in order to stand out from the crowd.

The Euro responses indicate that just meeting an SLA is no longer what is needed in the MSP marketplace, and that evidencing and thinking about all one’s added value will be the key to retaining customers and winning new business in 2015.

Modular mobile phone developments and corporate tailored opportunities
Google was first out of the gate with a modular mobile phone announcement with Project Ara, planned for release in 2015, but not without competition. Finland-based Circular Devices has announced its own plans to create and sell a modular smartphone called Puzzlephone next year.

The Puzzlephone approach is a simpler one, with the smartphone being detachable into 3 parts: the Spine (the main structure, including the screen), the Heart (a large piece that slots into the bottom half of the back and includes the battery and secondary electronics) and finally the Brain (which slots into the top half of the back and includes the processor and camera). Google’s Project Ara approach is a lot more customisable, with prototypes having 8 smaller, changeable parts compared to Circular Devices’ larger 3. However, it is possible that the simpler solution could win out, with users finding Project Ara a bit too complex to get their heads around.

With two companies now in preparations for a modular phone launch next year, making the concept a reality is a significant step closer. These devices should appeal to tech enthusiasts and organisations. The potential for modular phones in the workplace is huge. Organisations would be able to create their own tailored smartphone using selected, prioritised modules according to their business need and deploy it to employees. This would have the benefit both of cutting costs on unneeded or unused features and of being able to add in requested features such as larger capacity batteries or fingerprint scanners. Another advantage of the modular approach is when things go wrong. Currently, if a particular part of a phone fails, the whole unit has to be replaced or sent off to be repaired. With a standard modular build, fixing future issues could be as simple as swapping the faulty part with stock. Modular phones will be arriving next year, but their success will be dependent not only on the cost of the phone and its modules, but also on how well the platform is supported by manufacturers providing unique hardware. Over then to the Android market and the likes of Samsung, HTC and Sony for part two of this evolving story…


Sony hacked again – leaking unreleased films and 47,000 personal records
Sony is no stranger to data breaches, infamously having to pull down its PlayStation network in 2011 for 3 weeks after 77 million customers were potentially compromised, later to be fined by the ICO.

Now Sony Pictures Entertainment is the next division to fall under cyber-attack. The attack itself appears to be malware and has been used not only to steal data, but also to wipe machines at Sony. With hugely damaging commercial potential, four unreleased films have been leaked online pre-launch, and the personal details of 47,000 people, including Hollywood stars such as Sylvester Stallone, have been exposed.

Since the Sony attack, the FBI has sent an alert out to US businesses warning them of malicious software that matches up with reports from the Sony Pictures attack. The report warns of malware that overwrites all data on a computer’s hard drive, including the master boot record, preventing the machine from booting up successfully afterwards. The geographical origin of the attack remains unknown, but a group calling itself Guardians of Peace is claiming responsibility. With the risk of both data leaks and data deletion, a truly secure infrastructure and multiple data stores are more important than ever. For Sony this is another huge wake-up call for a household name that is swiftly becoming synonymous with susceptibility to cyber-attacks.


Radio heads up some surgical changes for 5G
The race is on to deliver the fifth generation of our mobile network. The build-up of excitement around 5G may in fact be wholly worthy of the buzz, if the latest news on this joined-up superfast technology pans out, as vaunted by Professor Rahim Tafazolli of Surrey University’s 5G Innovation Centre. This means the opportunity for properly connected smart cities, remote medical surgery, driverless cars and the “internet of things”. The thought of stalling videos and apps and load delays becoming a mere footnote in tech history would be thrilling news. Prof Rahim Tafazolli says, “5G will be a dramatic overhaul and harmonisation of the radio spectrum”.

The difference comes from the 5G networks transmitting data via uninterrupted radio waves bouncing off small masts with improved antenna technology. The waves split into bands (frequencies), with each band reserved for different communications, i.e. one for TV broadcast, one for mobile data, one for aeronautical signals etc. The system has got messy with new technologies squeezed into the gaps. Now the regulator, the International Telecommunication Union (ITU), is restructuring parts of the radio network used to transmit data to make more space whilst simultaneously creating efficiencies in the traffic flow, all while 3G and 4G use carries on. The network, which scientists hope will kick in by 2020, will need to cope with vastly increased levels of communication. Through the Internet of Things (IoT), devices will ‘smarten’ and dynamically switch between three TBC ‘lanes’ (bandwidths) in order to avoid frequency overload, and will rely on lower latencies (the time lag between action initiation and response). Ericsson predicts that 5G’s latency will be around one millisecond – imperceptible to a human and about 50 times faster than 4G.

So what? Well, 5G is anticipated to run faster, much faster. In 2013, when Samsung announced it was testing 5G at 1Gbps, journalists reported that a high-definition movie could be downloaded in less than half a minute. A speed of 800Gbps would equate to downloading 33 HD films – in a single second. This is 100 times faster. To do this, it will need capacity – and lots of it. By 2020 it is thought that 50 billion to 100 billion devices will be connected to the internet.

Whilst there is great competition between the giants Ericsson and Huawei, both are investing hugely in this research phase and, despite the obvious rivalry and associated costs, each is co-operating with the other to bring on the technology and enable product development to advance. Samsung hopes to launch a temporary trial 5G network in time for 2018’s Winter Olympic Games, whilst Huawei is racing to implement a version for the 2018 World Cup in Moscow. For Managed Service Providers and businesses alike, the vast potential of 5G is a major game changer, but harnessing and directing opportunity to create an ‘intelligent’ and more intuitive commercial response for customers will be the real game changer for business.

Barclays seeks (again) to improve customer experience
Barclays is leading the way again in banking technology by seeking to deliver a more personal form of assistance to its customers. Barclays’ beacon service, called ‘Barclays Access’, is being trialled in Sheffield and will work through an iPhone app. iBeacon, which uses Bluetooth to detect when a person using the app enters the branch, will capture personal details and information on their requirements, plus the option of a photo, to assist with speedy ID on arrival. An iPad at the front desk picks up the alert. All of these touch points can then alert bank staff to react promptly, discreetly and courteously when a customer with an assistance need arrives at the branch, to improve the overall customer experience.

Previously, Barclays pioneered customer banking transfers using only a mobile number, and enabled some businesses to swap PINs, passwords and authentication codes for fingerprint scanners. Technological advances have not by themselves caused massive behavioural changes to get customers to switch or stay loyal, but a combination of technology and personal intervention with insight creates a whole new level of customer care.