
International conflicts such as the current tensions over Ukraine could stand in the way of global cooperation on cybersecurity, according to the founder of Kaspersky Lab.

“Governments must cooperate, and I’m afraid that what’s going on … well, it doesn’t help,” said Eugene Kaspersky, chairman and CEO of the security research and technology company that bears his name. He spoke on Tuesday at a Kaspersky conference in San Francisco that highlighted the importance of cooperation and information-sharing to combat cyber threats.

Anything that decreases trust among governments can hurt such efforts, Kaspersky added. Last year’s Edward Snowden affair, in which the former National Security Agency contractor revealed evidence that the U.S. spied on foreign leaders, also hurt international trust, Kaspersky said.

“It will damage global Internet projects,” he said. “Nations will be more focused on the national projects. That’s good news for the local IT companies, but … the evolution of cyberspace will slow down.”

On Tuesday, Ukrainian troops clashed with pro-Russian insurgents in eastern Ukraine. The fighting came just weeks after the conflict in Crimea, which led to Crimea seceding from Ukraine. In response, the U.S. government imposed sanctions against Russia and cut back on some joint efforts with the country, including space programs.

Kaspersky Lab, founded and based in Russia, still does most of its research in Moscow but is an international company, Kaspersky said. As a cybersecurity company, it remains neutral in all political issues, other than abiding by international sanctions against pariah states such as Iran and North Korea, he said.

The company has a regional headquarters in Ukraine, but the conflict there has not hurt its business in any part of the world, Kaspersky said.

“We keep our distance and we are hoping that this situation will be fixed soon and in a peaceful way,” he said.

Stephen Lawson covers mobile, storage and networking technologies for The IDG News Service.



In the race to protect themselves from the Heartbleed vulnerability, enterprises could be opening themselves up to new attacks if they aren’t careful.

Perpetrators of some of the most virulent cyberattacks on the Internet will try to take advantage of the chaos that’s bound to occur in some IT shops as administrators and developers hurriedly respond to Heartbleed, the widespread OpenSSL flaw that was discovered last week, a top researcher at Kaspersky Lab said.

Heartbleed could allow attackers to capture critical data such as passwords and encryption keys from servers and networking devices. It existed in the OpenSSL (Secure Sockets Layer) tool for encrypted communications for about two years before being disclosed on April 7. Since then, organizations have been scrambling to update their OpenSSL software, revoke old digital certificates, reissue private encryption keys and restart services.

That’s an attractive environment for groups pushing out APTs (advanced persistent threats), which can cause widespread damage and data theft, said Kurt Baumgartner, principal security researcher on Kaspersky’s Global Research & Analysis Team.

“This was all urgent, this is all unexpected, and what happens when people are in a situation where things are unexpected and urgent? Well, they break rules,” Baumgartner said.

As the repairs take place, administrators must pay attention to details such as where their certificates are being stored, he said.

“This is the sort of time when groups like these … can start pulling more of these assets out of the organization without it being noticed,” Baumgartner said. Misplaced certificates that get stolen could allow attackers to infiltrate systems later. That’s exactly what will happen in some cases, he said.

“I would expect to see the results of some of this theft in the next six months to a year,” Baumgartner said.

APTs are the most serious security threats on the Internet, typically developed and spread by expert hackers who in some cases may actually work for national governments, according to Baumgartner. At a Kaspersky conference in San Francisco on Tuesday, he listed the five most dangerous APTs as Red October, NetTraveler, Icefog and Careto, and a group called Winnti that primarily targets the game industry.

Stephen Lawson covers mobile, storage and networking technologies for The IDG News Service.



Typo halted the sale of its add-on keyboard for the iPhone on Tuesday after an injunction took effect that bans it from being imported to the U.S.

The injunction is part of a patent lawsuit brought against it by BlackBerry and was triggered when BlackBerry put up a US$500,000 bond with the court. The money will be used to compensate Typo for its lost profits if it ends up winning the case.

Typo launched to considerable attention earlier this year, in large part because it was co-funded by TV and radio personality Ryan Seacrest.

BlackBerry quickly filed suit, alleging that Typo’s keyboard is an “obvious knock-off” of the keyboards on its BlackBerry phones. The $99 product slips onto an iPhone 5 or 5s.

BlackBerry noted in its suit that Seacrest was a longtime BlackBerry user and had said in interviews that he wanted to bring together the best of the BlackBerry typing experience with the iPhone.

In issuing the temporary injunction in late March, Judge William Orrick of the U.S. District Court for the Northern District of California said, “BlackBerry has established a likelihood of proving that Typo infringes the patents at issue and Typo has not presented a substantial question of the validity of those patents.”

A link to order devices on Typo’s website directed to an error page on Tuesday.

Martyn Williams covers mobile telecoms, Silicon Valley and general technology breaking news for The IDG News Service.



The Heartbleed Bug disclosed by the OpenSSL group on April 7 has sent many vendors scurrying to patch their products and that includes security firms Symantec, Intel Security’s McAfee division, and Kaspersky Lab.

Heartbleed is basically a buffer-overflow vulnerability in the flawed versions of OpenSSL that would allow savvy attackers to steal data such as passwords or digital certificates. A German software engineer has admitted to unwittingly inserting the Heartbleed Bug vulnerability two years ago in OpenSSL, and it now has a significant portion of the high-tech industry patching servers, client software, network gear and security products. In investigating their own product lines in recent days, Symantec, McAfee and Kaspersky Lab, among others, have been busy de-bugging the Heartbleed Bug out of their products.

The process of investigating the impact of Heartbleed is still ongoing and in some cases, patches for products seen as vulnerable are still to be released.

Symantec’s long Heartbleed list of products considered vulnerable is being updated on a rolling basis. NetBackup Appliance, are impacted by Heartbleed and require a patch, but Backup Exec, is not impacted. Vulnerable products have gotten or will get patches.

Agent software for EPM and Symantec Risk Automation Suite is impacted. So are some versions of Norton Security and Norton Identity Safe. But many Symantec products are not, including Symantec Web Gateway, Symantec Endpoint Encryption, the PGP products line, and Symantec Endpoint Encryption Manager. Symantec digital certificates are not vulnerable to Heartbleed but since swapping out certificates on servers patched for the Heartbleed Bug is recommended, Symantec is issuing new certificates at no cost for replacement.

But Symantec’s list also indicates it hasn’t yet determined for certain the status of Norton Mobile Security and Symantec Endpoint Protection Small Business Edition 2013, Symantec Security Information Manager, and Application High Availability, saying this is still “under investigation” in terms of Heartbleed vulnerability. Symantec was not immediately available to comment further on this.

According to its advisory, Symantec maintains that while the Heartbleed Bug does pose a serious threat to unpatched servers especially, it does not see evidence of widespread attacks based on the Heartbleed Bug flaw.

At rival security vendor McAfee, there was also considerable effort underway in the past few days to sort out what products and services were vulnerable to Heartbleed or not.

As of today, McAfee’s list of products vulnerable to Heartbleed includes ePolicy Orchestrator, Next Generation Firewall (Stonesoft), McAfee Firewall Enterprise, McAfee Security Information and Event Management (Nitro), McAfee Email Gateway, McAfee Web Gateway, McAfee Security for Microsoft Exchange, McAfee Security for Microsoft Sharepoint, and McAfee Security for Lotus Domino on Windows. McAfee is providing updates for these products.

McAfee also notes it may have more announcements to make about vulnerable products in the future. But for now, it’s not naming them because of concerns about possible attacks.

“The safety of our customers is always our first priority,” McAfee said in a prepared statement. “McAfee is following a set methodology that evaluates vulnerabilities and potential vulnerabilities, and then helps impacted customers fix those vulnerabilities before making the details public. Going public with details without protecting our customers would make them vulnerable to attacks.”

Kaspersky Lab is also coping with Heartbleed. Kaspersky says the fixed web services it was using were vulnerable to Heartbleed, and Kaspersky also says it has already developed a “special fix which is already being delivered for technical support” for its enterprise products Kaspersky Security Center and Kaspersky Security Center MR1.

Consumer versions of the company’s anti-malware software also use OpenSSL but a Kaspersky spokesman says it did determine these “can’t be affected due to the Heartbleed vulnerability.” However, Kaspersky says it does intend to issue Heartbleed-related patches for Kaspersky Internet Security 2014, Kaspersky Internet Security 2013, Kaspersky Pure 3.0 and Kaspersky Internet Security for Mac as a precaution in the coming weeks.

Kaspersky downplayed the threat posed by the Heartbleed Bug, saying its specialists conducted tests to see whether exploitation of the Heartbleed vulnerability could lead to data being compromised and “no such scenarios were detected.” The security firm is “also not aware of any in-the-wild malware samples exploiting this vulnerability that could be used to target the company’s products or web services.”

Kaspersky offered assurances to its customers that it believes “no data has been compromised as a result of Heartbleed OpenSSL library vulnerability used by Kaspersky Lab products and services.”

Ellen Messmer is senior editor at Network World, an IDG website, where she covers news and technology trends related to information security. Twitter: MessmerE.



Big data analytics are driving rapid growth for public cloud computing vendors with revenues for the top 50 public cloud providers shooting up 47% in the fourth quarter last year to $6.2 billion, according to Technology Business Research Inc.

The New Hampshire-based financial and technical research firm says the broader public cloud market, beyond just the top 50 vendors, grew 25% from the fourth quarter of 2012 to the fourth quarter of 2013 to be a $15.1 billion market. Those figures are in line with estimates from firms such as IDC, which said the cloud was a $47 billion annual industry last year and will grow to be a $107 billion annual industry by 2017.

Perhaps the most surprising result in TBR’s latest figures is the extent to which public cloud providers are using big data to drive their own operations, get new customers and expand product portfolios.

TBR’s research encapsulates companies across the IaaS, SaaS and PaaS markets and vendors from each of these categories are using big data to drive their operations. On the SaaS side, companies like and Box – which is attempting to turn more into an enterprise collaboration tool than just simply a cloud storage feature – are using big data analytics tools to track how customers are using their products. “Public cloud vendors can leverage usage statistics such as seats deployed, data stored, modules used, how frequent usage is, and how people are accessing the tools, i.e mobile vs desktop,” wrote TBR senior cloud analyst Jillian Mirandi in an email. Doing so allows these providers to quickly resolve customer issues, mitigate potential renewal threats, and use the data to upsell to existing customers and cross-sell to new companies that are similar to their existing customers.

On the IaaS front, vendors such as Amazon Web Services, Microsoft, Rackspace and GoGrid are partnering or building out their big data platforms that customers can use on demand. These companies are offering Hadoop and other NoSQL databases as a service – meaning customers can spin them up, use them and pay based on the amount of usage. Meanwhile, PaaS companies like IBM for its Watson and BlueMix and HP for Vertica and Autonomy products are opening up their APIs to cater more to big data analytics tools.

Another trend TBR identified is something of a cooling of merger and acquisition activity in the market during the past few quarters. That could be changing, however, as companies like IBM build on their existing M&A strategy (IBM recently bought Cloudant, for example), and companies like HP and Cisco make major pushes in the public cloud market and may turn to acquisitions to fill out their portfolios.

Overall, public cloud vendors are expanding their relationships with consultants and system integrators to specify their platforms for specific vertical markets, Mirandi notes. Other public cloud vendors are expanding their channel market sales. These “ecosystem” approaches as TBR describes them are designed to cast the widest possible net for public cloud providers to reach customers across different industries and make customers they do bring on “sticky” to their platform.

These moves point to the continued maturity of the public cloud market from a business and sales perspective, and reflect the more complex strategies vendors are taking to increase their sales and continue driving growth. As that happens, technical challenges related to security, integration and a broader shift in how public cloud usage changes the IT department are still being worked on in the enterprise.

Senior Writer Brandon Butler covers cloud computing for Network World. He can be found on Twitter at @BButlerNWW.



Wireless carriers in the U.S., handset makers and the industry’s lobbying group have made a significant concession on technology that could remotely disable stolen smartphones and tablets.

The companies say they will voluntarily offer software that can remotely disable and wipe phones, starting with new handsets sold in the second half of next year.

The mobile industry has faced mounting pressure from politicians and police to tackle an epidemic of smartphone and tablet thefts. But some critics Tuesday said the voluntary program does not go far enough.

“The wireless industry today has taken an incremental yet inadequate step to address the epidemic of smartphone theft,” said California State Senator Mark Leno.

Thefts of smartphones and tablets, often at gun- or knife-point, account for more than half of all street robberies in San Francisco and a fifth of those in New York. As a result, police officials in both cities have been asking the cellular industry for over a year to install a remote kill switch on devices.

The kill switch, which would be triggered by the user, would lock a phone so that it can’t be reused or reprogrammed. Advocates say that such a technology, if made standard on all phones, would dramatically reduce street crime.

The industry has so far rejected the idea, citing in part the inconvenience to consumers if a phone is accidentally disabled. But earlier this year, legislation was introduced in the U.S. Senate, the House of Representatives and California State Senate that would require the technology by law.

Tuesday’s announcement appears to be a move by the industry to avoid legislation by adopting a form of the technology voluntarily. But there are considerable gaps between what the carriers are offering to install and what the proposed laws would require.

“Today’s ‘opt-in’ proposal misses the mark if the ultimate goal is to combat street crime and violent thefts involving smartphones and tablets,” said Senator Leno, who is behind the California legislation.

The industry’s proposal covers only new handsets manufactured after June 2015, which means it will likely apply only to phones sold late next year. The proposed laws would apply to phones sold from the beginning of 2015.

And under the voluntary proposal, the technology would not be enabled or even installed by default. The agreement says it would be “preloaded or downloadable.”

“We strongly urge CTIA and its members to make their anti-theft features enabled by default on all devices, rather than relying on consumers to opt-in,” San Francisco District Attorney George Gascon and New York State Attorney General Eric Schneiderman said in a joint statement. The two have led the push for the wireless industry to do more.

“The industry also has a responsibility to protect its consumers now and not wait until next year,” they said.

The voluntary agreement has been signed by AT&T, Sprint, T-Mobile, U.S. Cellular and Verizon. Others who are on board include Apple, Google, HTC, Huawei, Motorola, Microsoft, Nokia, Samsung and Asurion, which sells smartphone insurance.

Apple is closest among those companies to already having a satisfactory technology in its products. Last year it introduced “Activation Lock” with iOS 7, which carries out most of the functions required. The only complaint levied at Apple is that the software is opt-in rather than being turned on by default.

Martyn Williams covers mobile telecoms, Silicon Valley and general technology breaking news for The IDG News Service.



Google Glass is getting a big software update to coincide with its one-day sale on Tuesday, but video calling is one feature that’s been put on hold.

The Internet-enabled headset will get KitKat, the newest version of the Android operating system for mobile devices, allowing longer battery life and easier updates, according to Google.

The new software features will include photo bundles, which are groups of daily photos, videos and other material. Users will also be able to reply with photos in Google Hangouts and have their voice commands organized by frequency.

But the update will leave out video calls, which have been available to early adopters using Glass.

“We hold ourselves to high standards for the features that we build, and video calls aren’t living up to these standards,” the Google Glass team wrote in a blog post.

The team said less than 10 percent of Glass users, which are known as Explorers, use the video calling feature.

Video calls will return to Glass when “the experience is better,” the team wrote without elaborating.

The post did not say whether privacy concerns were part of the decision to remove the function. Google did not immediately respond to a request for more information.

On its help page for Glass video calls, the search giant cautioned against improper use, writing, “Consider etiquette and common sense when taking video. For example, refrain from broadcasting events or content where such activity is prohibited (e.g. movie theater).”

Some Glass users reacted negatively to the update, with one lamenting on the Glass blog post, “I used video call recently to include my cousins from various countries in on a family funeral they couldn’t attend in person. They were so grateful to be included and have that opportunity thanks to advancement in technology with Google Glass.”

Google announced last week that Glass will go on sale for one day only on Tuesday to all residents of the U.S. who are 18 or older.

The head-mounted display is priced at US$1,500 plus tax. It could be officially released later this year.



Many organizations today are looking for things that talk to the Internet. Sensors, cameras, medical equipment and even snowplows are on that wish list.

The “Internet of Things” is not.

The municipalities that come to systems integrator AGT International are already sold on so-called IoT technologies, such as wireless traffic sensors embedded in streets, said Gadi Lenz, a senior technical fellow at AGT.

But they aren’t interested in IoT, nor in “smart cities,” another term that’s been getting a lot of play lately. What they want, Lenz said, is a solution to their problems.

Even Cisco Systems, one of the biggest evangelists for IoT, thinks the concept still needs some explaining. Enterprises, cities and utilities all could stand to benefit from IoT, but first they need a better idea of how it can help them do their jobs.

“We definitely need to spend more time educating the market,” Inbar Lasser-Raab, vice president of Enterprise Network Solutions, said last week at a meeting at Cisco. Leaders from IT vendors, industrial companies and governments came together there to hash out issues for IoT.

Networked devices have been talking to each other for years. What’s new in so-called IoT is the scale of those networks and the way advanced data analysis can draw conclusions from them. But getting this broad vision off the ground, including getting enterprises to adopt the new technology, raises several challenges, according to participants at last week’s meeting.

AGT’s Lenz said his company has been implementing sensor networks in cities for years, but as those devices get smaller and cheaper, they also become more plentiful. That can change the scale of projects as well as how the devices are deployed, Lenz said. More devices means new possibilities and new problems.

For example, devices that can measure a wide variety of environmental conditions are now small enough to put in backpacks, so ordinary citizens may be able to carry them around, Lenz said. Such devices used to be so big there could only be a few, strategically placed around a city. An exponential growth in the number of sensors means much more data but also calls for new techniques to distribute and manage those sensors, he said.

IoT may also mean dealing with multiple kinds of data and figuring out the best approach for each. For example, 10 years ago, the only data that electric companies collected from their grids was critical, time-sensitive information needed to operate and protect the grid, said Dean Siegrist, who is director for Utility Telecom at Black & Veatch, an engineering company serving utilities. Now the power companies are also gathering data about the power use of individual households, which they serve back to the customers to help them monitor their usage, he said.

Those two types of data have different requirements in terms of urgency and security, so utilities have to decide where to draw the line between them and what infrastructure is best for each, Siegrist said.

IoT also brings new ways of processing data in order to run more efficiently or even generate more revenue. For example, Ford Motor plans to collect data about how consumers use new technologies, including electric cars and new dashboard designs, in order to fine-tune future vehicles, said Jim Buczkowski, a Henry Ford Technical Fellow and director at Ford.

The services business of Xerox, which has helped enterprises plan and set up IoT systems, is trying to help them boost revenue and improve products. For example, the company is helping transit providers redefine routes based on fare data, said Rebecca Scholl, a senior vice president at Xerox.

“Our customers are no longer content with just a cost savings,” Scholl said.

The city of Chicago uses GPS (Global Positioning System) to track the location of its more than 400 snowplows and put that data in a real-time smartphone app. The app has helped to dispel a myth that the mayor and other high-ranking officials get their streets plowed first, said Deputy Mayor Steve Koch.

“It’s weirdly popular. People are sort of obsessed with this kind of stuff,” Koch said.

However, most enterprises aren’t yet organized to take advantage of all the information they may have, she said.

“Especially in large corporations, getting to the right person who’s going to have the full visibility over the impact of IoT across multiple business processes … you don’t have that person,” Scholl said. “Right now, everybody has a clear mandate, and it’s not yet that one.”

She proposed companies establish a new role of chief digital officer, who would sit between the CIO, CFO and operations chief to coordinate efforts around IoT and data analysis.

Several speakers and participants also cited the overarching challenges of security and standardization.

The lack of standards can make IoT deployments far more expensive and time-consuming, according to Lenz from AGT. There are open standards for many types of IoT networks, but there seems to be resistance to using them, he said. For example, one city where AGT set up road sensors wanted to feed the sensor data wirelessly through Wi-Fi access points on light poles. But the sensors used a legacy protocol instead of Wi-Fi, so the access points had to be equipped with extra radios, Lenz said.

Stephen Lawson covers mobile, storage and networking technologies for The IDG News Service.



The spotlight will fall on Project Ara this week when Google holds a big event for developers, but it’s far from the first company to toy with modular smartphones.

Among the first was Japan’s NTT DoCoMo, which showed off a prototype modular smartphone at an exhibition in Japan in 2009. Users could attach modules to it to customize the phone to their needs. Ideas at the time included a blood tester, a rollable e-paper screen and an electronic flute.

The device never went on sale and appeared a good deal clunkier than Project Ara, which will allow users to snap components such as a processor, camera and extra memory into a fixed frame.

Israeli handset maker Modu had a similar idea around the same time, producing a concept phone that had a minimum of features but could be snapped into a larger case that performed other functions.

One version of the original Modu has made it to market in Tel Aviv. The case can serve three functions: a camera, a speaker or an exercise band.

More recently, in 2011, Microsoft applied for a patent for a smartphone in which components could be swapped in and out. Microsoft envisaged them including a keyboard, a gaming pad, a second battery pack or an additional screen.

Microsoft also proposed a different phone that would come in two parts: one holding the main display and a second, smaller unit with the microphone and earpiece. The idea was that the user could continue to use the touchscreen and apps while holding the other part to their ear.

More details on Ara are expected Tuesday, when Google begins a two-day developer event to stoke interest in an idea that was launched by Motorola engineers when that company was part of Google. Google is webcasting the event.

Martyn Williams covers mobile telecoms, Silicon Valley and general technology breaking news for The IDG News Service.



Google has confirmed its acquisition of drone maker Titan Aerospace and hinted that the technology could be used for a lot more than providing Internet access to remote parts of the world.

Titan makes unmanned, solar-powered aircraft that can fly at 65,000 feet and act as “atmospheric satellites,” beaming Internet access to parts of the world that are underserved today by wired and cellular networks.

That fits in with Google’s Project Loon, which is experimenting with high-altitude balloons as another way it can bring Internet access to remote areas.

But that’s not all Google has in mind. “It’s still early days,” a spokesman said via email Monday, but along with Internet access Titan’s drones could help in other areas, including disaster relief and combating environmental damage like deforestation.

He didn’t go into details, but it’s not hard to imagine how a fleet of camera-equipped drones could help build a more accurate picture of the destruction of rain forests, or feed information to rescuers on the ground after events like mudslides and earthquakes. They could also, potentially, greatly enhance Google Maps.

Google has already involved itself extensively with crisis relief efforts, including after last year’s Oklahoma tornadoes and the flooding in Uttrakhand, in Northern India. So far, the efforts have largely involved helping people to locate and communicate with each other, and building maps to aid relief and recovery efforts.

Using unmanned aircraft to provide Internet access isn’t a new concept — the U.S. Defense Advanced Research Projects Agency has been working on a similar technology since at least 2010.

And Facebook and Amazon are also looking at drones as a way to expand their businesses and push into new areas. Amazon has discussed using drones for package delivery, while Facebook is exploring them for Internet access.

Facebook was reportedly interested in acquiring Titan before Google, but the talks apparently broke down. Instead, the company brought on team members from Ascenta, another drone maker.

CEO Mark Zuckerberg has said Facebook expects to have a working version of its own drone in the near future. And Titan is expected to make its drones commercially available next year.

Zach Miners covers social networking, search and general technology news for IDG News Service.



