<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Software Associates. &#187; mobile phone security</title>
	<atom:link href="http://www.software.co.il/tag/mobile-phone-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.software.co.il</link>
	<description>Security and compliance specialists for medical device and healthcare companies</description>
	<lastBuildDate>Wed, 08 Feb 2012 06:36:35 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Homeland security or security at home</title>
		<link>http://www.software.co.il/2011/12/homeland-security-or-security-at-home/</link>
		<comments>http://www.software.co.il/2011/12/homeland-security-or-security-at-home/#comments</comments>
		<pubDate>Wed, 21 Dec 2011 07:07:42 +0000</pubDate>
		<dc:creator>Danny Lieberman</dc:creator>
				<category><![CDATA[Internal security]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[ethics]]></category>
		<category><![CDATA[Homeland Security]]></category>
		<category><![CDATA[mobile phone security]]></category>

		<guid isPermaLink="false">http://www.software.co.il/?p=4195</guid>
		<description><![CDATA[Are technical privacy controls a substitute for responsible human behavior? In the business environment,  management leadership from the front on data security and privacy is a more effective (as in cheaper and stronger) countermeasure than technology when it comes to mitigating trusted insider threats. In the family environment, we traditionally see parents as responsible for ...]]></description>
			<content:encoded><![CDATA[<p>Are technical privacy controls a substitute for responsible human behavior?</p>
<p>In the business environment,  management leadership from the front on data security and privacy is a more effective (as in cheaper and stronger) countermeasure than technology when it comes to mitigating trusted insider threats.</p>
<p>In the family environment, we traditionally see parents as responsible for taking a leadership position on issues of ethics and responsible behavior.</p>
<p>Has mobile changed this?</p>
<p>Sprint recently <a title="Sprint and Safely Help Families Manage Wireless Phone Usage with Innovative Mobile Controls" href="http://newsroom.sprint.com/article_display.cfm?article_id=2123" target="_blank">announced new services</a> that <em>will allow parents to set phone use limits by time of day or week, see daily calls, text messaging and application activity of their children.</em> Sprint Mobile Controls, powered by Safely, a division of Location Labs, allows parents to see rich graphical representations of how their family calls, texts and uses applications and to lock phones remotely at specific times.</p>
<p>For example:</p>
<ul>
<li>Seeing who your son or daughter has been calling or texting recently – and how often.</li>
<li>Establishing an allowed list of phone numbers from which your child can receive a call or text.</li>
<li>Seeing a list of your child’s contacts with an associated picture ranked by overall texting and calling activity.</li>
<li>Viewing what apps your child is downloading to their phone.</li>
<li>Choosing up to three anytime apps that your child can use when their device is locked.</li>
<li>Allowing your child to override phone restrictions in case of an emergency.</li>
<li>Setting alert notifications for new contacts, or School Hours and Late Night time periods.</li>
<li>Setting Watchlist contacts: Receive alert notifications when your child communicates with a Watchlist contact.</li>
</ul>
<p>This seems like a similar play to product and marketing initiatives by credit card companies to control usage of credit cards by children using prepaid cards like the <a title="Visa Buxx" href="http://usa.visa.com/personal/cards/prepaid/visa_buxx.html" target="_blank">Visa Buxx</a> - except in the case of Visa the marketing message is education in addition to parental control: <strong>Visa Buxx benefits for parents and teens include:</strong></p>
<div>
<ul>
<li><em><strong>Powerful tool to encourage financial responsibility</strong></em></li>
<li>Convenient and flexible way to pay</li>
<li>Safer than cash</li>
<li><em><strong>Parental control and peace of mind</strong></em></li>
<li>Wide acceptance—everywhere Visa debit cards are welcome</li>
</ul>
</div>
<p>Visa Buxx was introduced almost 10 years ago. I don&#8217;t have any data on how much business the product generates for card issuers, but fast forward to December 2011: the message of responsibility has given way to parental control in the mobile market.</p>
<p>In the case of mobile phones, I can see the advantage of a home privacy and security product. From Sprint&#8217;s perspective, controlling teens is a big untapped market. Trefis (the online site that analyzes stock behavior by product lines) has aptly called it &#8220;<em><a title="Sprint targets teen market" href="http://www.trefis.com/stock/s/articles/90768/sprint-targets-burgeoning-teen-market-with-parents-playing-big-brother/2011-12-20?from=email%3Anotd" target="_blank">Sprint Targets Burgeoning Teen Market with Parents Playing Big Brother</a></em>&#8221;</p>
<blockquote><p>The teen market, consisting of those in the 12 to 17 year age group, is plugged into cellular devices and plans to a much greater extent than you might imagine. According to a Pew Internet Research study, more than 75% of this group owns a wireless phone. This isn’t news to <a href="http://www.trefis.com/company#/S?from=search">Sprint Nextel</a> (NYSE: S) or mobile phone competitors such as <a href="http://www.trefis.com/company?hm=NOK.trefis">Nokia</a> (NYSE:NOK), <a href="http://www.trefis.com/company#/T?from=search">AT&amp;T</a> (NYSE:T) and <a href="http://www.trefis.com/company#/VZ?from=search">Verizon</a> (NYSE:VZ).</p></blockquote>
<p>I do not believe that technology is a replacement for education.</p>
<p>It will be interesting to track how well Sprint does with their teen privacy and security product and if parents buy the marketing concept of privacy controls as a proxy for responsible behavior.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.software.co.il/2011/12/homeland-security-or-security-at-home/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Android 2.2 supports mobile cloud security</title>
		<link>http://www.software.co.il/2011/01/android-2-2-supports-mobile-cloud-security/</link>
		<comments>http://www.software.co.il/2011/01/android-2-2-supports-mobile-cloud-security/#comments</comments>
		<pubDate>Mon, 10 Jan 2011 20:53:19 +0000</pubDate>
		<dc:creator>Danny Lieberman</dc:creator>
				<category><![CDATA[Data leakage]]></category>
		<category><![CDATA[Information security]]></category>
		<category><![CDATA[android]]></category>
		<category><![CDATA[mobile phone security]]></category>

		<guid isPermaLink="false">http://www.software.co.il/wordpress/?p=3040</guid>
		<description><![CDATA[Courtesy of Cloud Computing Topics - Olafur Ingthorsson Android 2.2 is now fulfilling the minimum enterprise security requirements, i.e. device locking and remote wiping &#8211; amidst a long list of other enterprise cloud computing must-haves. It seems that with the latest Android release, v. 2.2, Google is stepping into the enterprise mobile cloud computing realm with ...]]></description>
			<content:encoded><![CDATA[<p>Courtesy of <a title="Cloud computing topics" href="http://cloudcomputingtopics.com/" target="_blank">Cloud Computing Topics</a> - <a title="consulting assignments" href="http://cloudcomputingtopics.com/consultancy/" target="_blank">Olafur Ingthorsson</a></p>
<p>Android 2.2 is now fulfilling the minimum enterprise security requirements, i.e. device locking and remote wiping &#8211; amidst a long list of other enterprise cloud computing must-haves.</p>
<p>It seems that with the latest Android release, v. 2.2, Google is stepping into the enterprise mobile cloud computing realm with its mobile platform. Android 2.2 is supposed to support many of the required security policies enforced in enterprises, especially concerning enterprise email. These include automatic handset lock due to inactivity and administrator remote wiping in the case of a lost or stolen handset. More information is given on <a href="http://googleenterprise.blogspot.com/" target="_blank">Google’s Enterprise blog</a>.<a href="http://cloudcomputingtopics.com/wp-content/uploads/2010/11/Google-App-Device-Policy.jpg"><img class="alignleft" title="Google App Device Policy - mobile cloud security" src="http://cloudcomputingtopics.com/wp-content/uploads/2010/11/Google-App-Device-Policy-168x300.jpg" alt="mobile cloud security" width="168" height="300" /></a></p>
<p>Another very interesting feature is the latest support for Android, and many other <a href="http://www.google.com/apps/intl/en/business/mobile.html#utm_source=en-na-us-entblog-AndroidDeviceManagement_10202010&amp;utm_medium=blog" target="_blank">major platforms</a>, through Google Apps, enabling users to administer security features on their handsets from a browser and by installing the Google Apps Device Policy, that will soon be available from the Android Market. Google is clearly taking a big step in providing multi-platform support for its Google App suite on mobile phones for enterprises. This service is free of charge for customers that have the Google App Premier Edition subscription ($50 per user/year). The Google Apps Device Policy can be used to synchronize data (email, contacts, calendar, and Picasa photos) between the supported device and a Google Apps domain.</p>
<p>Furthermore, with Android 2.2 handsets:</p>
<blockquote><p>Google Apps Premier and Education Edition administrators can manage their users’ Android devices with a set of mobile device management policies designed to let users access their data while keeping organizational information secure. These policies include the ability to remotely wipe data from lost or stolen devices, require a device password, set password complexity, and more.</p></blockquote>
<p>With this development, Google is strengthening its position in enterprise class mobile cloud computing. Previously, Android users could of course access their Gmail and Google Apps remotely on their handsets, but enterprises generally haven’t been willing to accept the platform due to its lack of control and security mechanisms. Now, Android 2.2 is fulfilling the minimum security demands required by enterprises, i.e. device locking and remote wiping. Then there are additional features, similar to what the MS Exchange Server Active Sync can enforce, like:</p>
<ul>
<li>Require a device password on each phone</li>
<li>Set minimum lengths for more secure passwords</li>
<li>Require passwords to include letters and numbers</li>
</ul>
<p>These policies can be enforced on devices that have installed the Google Apps Device Policy application. So far, enterprise mobile cloud computing has been somewhat exclusive to Blackberry and platforms that support MS Exchange Active Sync policies, like Nokia E-series. However, it now seems that Google is entering this domain as well with its latest Android version and the Google Apps Device Policy application. It certainly will be exciting to continue to follow this progress and monitor Google’s success in the mobile cloud computing domain.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.software.co.il/2011/01/android-2-2-supports-mobile-cloud-security/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Data availability and integrity &#8211; the Apple/Microsoft version</title>
		<link>http://www.software.co.il/2010/12/data-availability-and-integrity-the-applemicrosoft-version/</link>
		<comments>http://www.software.co.il/2010/12/data-availability-and-integrity-the-applemicrosoft-version/#comments</comments>
		<pubDate>Wed, 08 Dec 2010 21:42:58 +0000</pubDate>
		<dc:creator>Danny Lieberman</dc:creator>
				<category><![CDATA[Data leakage]]></category>
		<category><![CDATA[Information security]]></category>
		<category><![CDATA[Apple]]></category>
		<category><![CDATA[Cloud computing]]></category>
		<category><![CDATA[Data retention]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[mobile phone security]]></category>
		<category><![CDATA[social media]]></category>

		<guid isPermaLink="false">http://www.software.co.il/wordpress/?p=2878</guid>
		<description><![CDATA[I have over 2,300 contacts on my iPhone and like any reasonable person, I wanted to back up my contacts. I figure my iPhone won&#8217;t last forever. Like a fool, I thought it might be a good idea to test the restore process also. The Ubuntu One service based on Funambol doesn&#8217;t really work so that ...]]></description>
			<content:encoded><![CDATA[<p><a href="http://v20/wp-content/uploads/2010/12/images.jpg"><img class="size-full wp-image-2886 alignleft" title="Why the iPhone is great, Why Apple stock is at 321" src="http://v20/wp-content/uploads/2010/12/images.jpg" alt="" width="380" height="133" /></a></p>
<p>I have over 2,300 contacts on my iPhone and like any reasonable person, I wanted to back up my contacts. I figure my iPhone won&#8217;t last forever. Like a fool, I thought it might be a good idea to test the restore process also.</p>
<p>The Ubuntu One service based on Funambol doesn&#8217;t really work so that pretty much left me with the iTunes and Windows option.</p>
<p>It seems that the combination of two closed-source software companies intent on preventing users from seeing what&#8217;s going on and convinced that users are incompetent and low double digit IQ is a killer combination. As you will see from the events described below &#8211; it appears that both Microsoft and Apple believe firmly that users <strong>should</strong> <strong>backup</strong> their iPhone contacts<strong> but they will never really want to restore the data.</strong></p>
<p>At 14:00 this afternoon &#8211; I started my exercise in backing up my iPhone contacts.</p>
<p>14:00 &#8211; Plugged in my iPhone to a new Windows 7 Pro PC.  Took iTunes forever to initialize and then I had to wait another 2 minutes for the iTunes software to discover the iPhone on a USB 2.0 connection.  In the meantime &#8211; Windows 7 was complaining that I should use a faster USB port &#8211; and offered a list of ports, none of which work. <a title="Zusu On Alient shore" href="http://books.google.com/books?id=EjVsZ8eomJsC&amp;lpg=PT192&amp;ots=KW_X7tJdEY&amp;dq=zusu%20alien&amp;pg=PT192#v=onepage&amp;q=zusu%20alien&amp;f=false" target="_blank">Go away. Zusu</a>!</p>
<p>14:15 &#8211; Finally the iPhone and iTunes talk. I elected to sync the contacts to Google Contacts as I use Google Apps.   Interestingly enough &#8211; the task of transferring 2350 contacts to Google took about 30s on my 10MB/512k ADSL line. The only catch was &#8211; that no phone numbers were transferred &#8211; only email addresses.  Seems there is a bug. I don&#8217;t have time for this.</p>
<p>14:30 &#8211; Back into iTunes. This time, I choose to sync my iPhone contacts with the Windows Contacts &#8211; since I don&#8217;t use Outlook.  No dialogs about replacing or merging &#8211; and it worked.  Minor problem &#8211; the Windows Contacts sync with iPhone contacts wipes out the entire iPhone contacts since the Windows Contacts was empty (I imagine hardly anyone actually uses Windows contacts &#8211; a kludgy, slow and incredibly stupid way of storing one contact per file).  Well Dorothy, we are not in Kansas anymore, your iPhone Contacts is now empty.</p>
<p>15:00 &#8211; After a bit of thinking about where my contacts might have gone, I realize that I have 3 alternatives: (1) restore my contacts from our CRM system (which runs in the cloud and doesn&#8217;t have an iPhone Contacts sync option) and a bunch of other places I&#8217;ve cunningly stored contacts, (2) try and figure out where Apple has hidden their backup files or (3) ssh into the iPhone and try and restore manually with sqlite.  I choose option 2.</p>
<p>15:30 &#8211; After some googling, I discover that the iTunes backup files are hidden in a %AppData% something path &#8211; which is impossible to find in Windows 7 using Windows Explorer.   But &#8211; if you type %AppData% in the run program line you get access to the file path. Google is your best friend.</p>
<p>15:45 &#8211; iTunes backs up into a file format that looks like an import to sqlite (the open source database that iOS uses to store the Contacts records &#8211; that is at least a step ahead of Windows Contacts, storing 1 contact per file&#8230;perhaps Microsoft Windows 7 team has not heard of SQL yet).  I pull up the data into a text/hex editor and of course, the phone numbers are encoded in some proprietary Apple format &#8211; so forget about pulling out the data and massaging it into a format suitable for another circuitous import into iPhone contacts.  More googling &#8211; if you have a Mac there is a command line utility or you can pay $25 and get a <a title="iphone backup extractor" href="http://www.iphonebackupextractor.com" target="_blank">Windows application that decodes the proprietary Apple backup file</a> format into a CSV file or series of VCF files.</p>
<p>16:00 &#8211; My PayPal account is not up to date since the card linked to the account expired end of November and I haven&#8217;t reverified yet.   Got the software with my Visa and jumped through a few hoops to give a couple of identifiers and finally get a registration number, activate the application and I finally have my original iPhone contacts file, but we&#8217;re not out of the woods yet &#8211; we still have to restore.</p>
<p>16:05 &#8211; Uploaded the csv file to Google contacts. But &#8211; for some bizarre and inconceivably cruel reason &#8211; iTunes sync refuses to actually load data into the iPhone.</p>
<p>16:15 &#8211; After several more attempts, including rebooting Windows 7, restarting iTunes and rebooting the iPhone, I give up &#8211; iTunes refuses to sync from Google contacts.</p>
<p>16:30 &#8211; Plan B &#8211; use Windows Contacts &#8211; I attempt to import, but after 10&#8242; and 1200 records, the import process fails on an error with no indication of what caused the error.  Must be a data problem, so I try and improve the quality of data by reducing the number of fields I import and making the phone numbers look more uniform. I make 7 more (abortive) attempts at importing to Windows Contacts, and every time, it imports fewer records. When it stops on the anonymous error message at 150 contacts, I break for supper.</p>
<p>17:30 &#8211; Plan C &#8211; use Outlook.  Here&#8217;s a gotcha, Outlook won&#8217;t import from the CSV file, claims it&#8217;s open by another application or insufficient permissions.  Too bad the programmers didn&#8217;t look at open file hooks and tell the user the name of the Windows application that is holding the file handle open.  Of course &#8211; it must be the Windows Contacts Import process, (which is not running if you look at the task manager) but after a few minutes I identify a hidden process related to Windows Contact import and I kill it.</p>
<p>18:00 &#8211; Outlook is slow as molasses on import but the same CSV file that was poison to Windows Contacts gets imported with flying colors to Outlook.  I try to run quick search to find the last contact I entered this morning (my 10am meeting in Tel Aviv), but the Outlook 2003 application claims that the indexing process is running and it cannot find the records (the indexing process never actually ran&#8230;.) Forget it, I don&#8217;t have time to sing and play games with Outlook 2003.</p>
<p>18:05 &#8211; Back to iTunes.  And this time, ladies and gentlemen, adults and adulteresses, we are going to sync from Outlook to the iPhone contacts.  It works. But verrryyy verrryyyyy slowwwwwllyyyyyy. I have time. I have to babysit Carmel (who is fast asleep down the hall after a tough day in pre-school) as the wife and daughter are out shopping. Do what any man would do on a baby-sitting gig - fall asleep on the sofa.</p>
<p>20:00 &#8211; Wife and daughter back from shopping and the iTunes sync from Outlook process has finished in the meantime, in between dreams about user-unfriendly software.</p>
<p><strong>23:55 &#8211; Conclusions</strong></p>
<p>1. The iPhone backup process is slow and buggy on all versions of iOS. Just google for &#8220;iphone contacts backup problems&#8221; and you will get over 3 million hits.</p>
<p>2. Apple does not have a data restore from backup strategy.  Otherwise, iTunes would have a &#8220;Backup iPhone Contacts&#8221; and &#8220;Restore iPhone Contacts&#8221; menu.  Entertainment is more important than data.  This is why Apple stock is at 321.</p>
<p>3. The usability and reliability of Windows 7 Contacts is beyond contempt.  No entertainment either. This is why Microsoft stock is at 23.</p>
<p>4. My next smart phone will be an Android.</p>
<p>Enjoy.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.software.co.il/2010/12/data-availability-and-integrity-the-applemicrosoft-version/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Will smart phones replace credit cards?</title>
		<link>http://www.software.co.il/2010/09/will-smart-phones-replace-credit-cards/</link>
		<comments>http://www.software.co.il/2010/09/will-smart-phones-replace-credit-cards/#comments</comments>
		<pubDate>Wed, 08 Sep 2010 09:08:26 +0000</pubDate>
		<dc:creator>Danny Lieberman</dc:creator>
				<category><![CDATA[Anti-Fraud]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[credit cards]]></category>
		<category><![CDATA[mobile phone security]]></category>
		<category><![CDATA[payment cards]]></category>
		<category><![CDATA[PCI DSS]]></category>
		<category><![CDATA[Smart phones]]></category>

		<guid isPermaLink="false">http://www.software.co.il/wordpress/?p=2592</guid>
		<description><![CDATA[A recent post &#8220;Can smartphones replace credit cards&#8221; wonders whether or not consumers are ready to  trade in their plastic for their cell-phone. Mobile payment technology has been around for about 10 years and it has not really taken off in a big way &#8211; although there are niche applications.  In Tel Aviv for example, ...]]></description>
			<content:encoded><![CDATA[<p><a href="http://v20/wp-content/uploads/2010/09/android-payments.jpg"><img class="aligncenter size-full wp-image-2594" title="android-payments" src="http://v20/wp-content/uploads/2010/09/android-payments.jpg" alt="" width="600" height="327" /></a></p>
<p>A recent post &#8220;<a title="Can smart phones replace credit cards" href="http://www.readwriteweb.com/archives/can_smartphones_replace_credit_cards.php" target="_blank">Can smartphones replace credit cards</a>&#8221; wonders whether or not consumers are ready to  trade in their plastic for their cell-phone.</p>
<p>Mobile payment technology has been around for about 10 years and it has not really taken off in a big way &#8211; although there are niche applications.  In Tel Aviv for example, you can buy drinks in vending machines with your cell phone and pay for parking.</p>
<p>Clearly it&#8217;s not a technology barrier to entry but a cultural barrier to entry.</p>
<p><span id="more-2592"></span></p>
<p>I had the privilege and then the scars to pay for that privilege, to be the chief technology officer for a startup called One Credit in 2001-2.  The idea was based on the fact that Americans carry around an average of 5 credit cards with a bewildering array of payment terms and conditions, APR, special deals, coupons, travel points, insurance and extended warranties etc. With multiple cards and difficult-to-grok terms and conditions, there is an opportunity to arbitrage between the cards and get the card holder the best deal on every transaction.   The startup tanked together with the rest of the dot.com boom but the idea had some merit apparently, as less than 3 years later, First USA launched a payment card with most of the features of the One Credit card we had designed (and also pitched to First USA among others&#8230;.).</p>
<p>One of the features in the One Credit card was payment confirmation using location services and a smart cell phone.  If you receive a payment confirmation request for your credit card on your smart phone, and you&#8217;re currently in a meeting with a client in Singapore, you can deny the request &#8211; or confirm it, perhaps you made a purchase online at Amazon.  <a title="Visa mobile" href="http://usa.visa.com/personal/using_visa/visa-mobile/index.html" target="_blank">Visa</a> launched a <a title="Android and VISA payment services" href="http://androidcommunity.com/android_gets_visa_mobile_payment-related_services-20080926/" target="_blank">payment confirmation service for the Android</a> in the US about 2 years ago &#8211; I&#8217;m curious how many card holders are actually using the service. As of now (September 2010) the Visa Web site only shows one issuer participating &#8211; USBank, which doesn&#8217;t suggest widespread adoption.</p>
<p>I would have to do a more detailed threat analysis and consider some of the software, people and networking vulnerabilities involved in using an iPhone or Android for mobile payments, but it seems almost a certainty that mobile payments or at the very least mobile payment confirmation could go a long way towards improving data security of payment cards and reducing (perhaps drastically) the quantity of identity theft due to stolen cards.</p>
<p>So once again &#8211; we have the technology to make mobile payments happen but my nose is telling me that the consumers are not ready  yet.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.software.co.il/2010/09/will-smart-phones-replace-credit-cards/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Worst executive behavior of the month award</title>
		<link>http://www.software.co.il/2009/11/worst-executive-behavior-of-the-month-award/</link>
		<comments>http://www.software.co.il/2009/11/worst-executive-behavior-of-the-month-award/#comments</comments>
		<pubDate>Tue, 24 Nov 2009 08:10:47 +0000</pubDate>
		<dc:creator>Danny Lieberman</dc:creator>
				<category><![CDATA[Risk management]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[mobile phone security]]></category>
		<category><![CDATA[Social Networking]]></category>

		<guid isPermaLink="false">http://www.software.co.il/wordpress/?p=2166</guid>
		<description><![CDATA[For my Israeli readers &#8211; the only thing worse than not being serious is ending up a sucker. I&#8217;m collecting data for a couple of articles on data security in social networks and ad-hoc mobile networks so I&#8217;ve been a little slow on blogging lately &#8211; so I&#8217;m down to general management and risk management stuff. I think ...]]></description>
			<content:encoded><![CDATA[<p>For my Israeli readers &#8211; the only thing worse than not being serious is ending up a sucker.</p>
<p>I&#8217;m collecting data for a couple of articles on data security in social networks and ad-hoc mobile networks so I&#8217;ve been a little slow on blogging lately &#8211; so I&#8217;m down to general management and risk management stuff.</p>
<p>I think that cutting and running as soon as possible from unreliable business partners is an exercise in sound risk management.  Let me know if you agree after reading the following story.</p>
<p>I have an acquaintance, Eran Lasser who is co-founder and joint GM of <a title="John Bryce Training" href="http://www.johnbryce.co.il/" target="_blank">John Bryce Training</a>.  Back when I ran Bynet Software (a Microsoft distributor and ACS &#8211; Authorized Support Center), we did some training projects with Eran as we were launching Windows NT and later Microsoft Backoffice.</p>
<p>I reached out to Eran last week with some ideas for management level training courses in areas where I have some personal expertise &#8211; data security and more recently using social software for B2B sales. He asked their VP Business development, Ori Lapid to meet with me &#8211; and within a day or two a secretary made an appointment.  The morning of the appointment &#8211; the secretary called to confirm &#8211; I came in a few minutes early and waited patiently for Ori to start the meeting.</p>
<p>After 5, 10 and 15 minutes went by with the secretary giving me the usual disclaimer of &#8220;he will be with you in a few minutes&#8221; &#8211; I told the secretary that Ori&#8217;s 15 minute academic grace period had expired and I left.  I thought it was significant and also a vindication of my decision to walk out that neither the secretary nor Ori Lapid bothered to contact me and apologize for wasting my time.</p>
<p>This is the epitome of what Israelis call &#8220;not being serious&#8221; or as they say in Israel:</p>
<p>The only thing worse than not being serious is ending up a sucker.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.software.co.il/2009/11/worst-executive-behavior-of-the-month-award/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Data loss by cellphone</title>
		<link>http://www.software.co.il/2008/10/data-loss-by-cellphone/</link>
		<comments>http://www.software.co.il/2008/10/data-loss-by-cellphone/#comments</comments>
		<pubDate>Fri, 24 Oct 2008 08:15:10 +0000</pubDate>
		<dc:creator>Danny Lieberman</dc:creator>
				<category><![CDATA[Physical security]]></category>
		<category><![CDATA[Risk mitigation]]></category>
		<category><![CDATA[Data loss]]></category>
		<category><![CDATA[Fidelis Security]]></category>
		<category><![CDATA[mobile phone security]]></category>
		<category><![CDATA[Smart phones]]></category>
		<category><![CDATA[Symantec]]></category>

		<guid isPermaLink="false">http://www.software.co.il/wordpress/?p=690</guid>
		<description><![CDATA[Is your 50-something IT manager the last one to know about the company getting acquired? An extremely obvious yet perhaps unpleasant observation for over-40 IT managers is that under-30 employees know a lot more about technology and ways to bypass the company security safeguards than they do. A young, hip, mobile and technology-facile workforce ...]]></description>
			<content:encoded><![CDATA[<p>Is your 50-something IT manager the last one to know about the company getting acquired?</p>
<p>An extremely obvious yet perhaps unpleasant observation for over-40 IT managers is that under-30 employees know a lot more about technology and ways to bypass the company security safeguards than they do.</p>
<p>A young, hip, mobile and technology-facile workforce may be a significant, yet unacknowledged vulnerability for companies. Your information security group is doing security awareness training and evaluating DLP solutions from companies like Symantec and Fidelis Security to block blogging and Facebook but the action has moved to Twitter.</p>
<p>Your physical security officer has installed security cameras to deter theft of equipment but how are they going to block smart cell phones with 16GB memory, cameras and modern Unix-based operating systems like OS/X (the OS on the Apple iPhone) that can run any *nix application? How about this exploit &#8211; download some data to your phone from the PC and then ssh to a private sshd server somewhere on a virtual host. Don&#8217;t want to be tracked down? No problem &#8211; just take down the virtual host after you&#8217;re finished &#8211; don&#8217;t need more than an hour or so.</p>
<p>What about data loss by text messaging?   True &#8211; it&#8217;s limited by the quantity &#8211; but not by the quality.</p>
<p>I&#8217;m waiting for commercial applications of cell-phone blocking technology to the workplace &#8211; in this down market &#8211; it might be critical for the guys and gals in the board room.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.software.co.il/2008/10/data-loss-by-cellphone/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Operational risk is not a bad business decision</title>
		<link>http://www.software.co.il/2008/09/operational-risk-is-not-a-bad-business-decision/</link>
		<comments>http://www.software.co.il/2008/09/operational-risk-is-not-a-bad-business-decision/#comments</comments>
		<pubDate>Sun, 07 Sep 2008 10:47:01 +0000</pubDate>
		<dc:creator>Danny Lieberman</dc:creator>
				<category><![CDATA[Information security]]></category>
		<category><![CDATA[Risk Assessment]]></category>
		<category><![CDATA[Risk management]]></category>
		<category><![CDATA[Basel II]]></category>
		<category><![CDATA[mobile phone security]]></category>

		<guid isPermaLink="false">http://www.software.co.il/wordpress/?p=527</guid>
		<description><![CDATA[I was looking at the CSI 2008 security survey recently and noticed that the top three loss categories are fraud (number 1), viruses (number 2) and data loss (number 3). I&#8217;m a little dubious about viruses landing up in the number 2 slot.  We haven&#8217;t even installed anti-virus software on our office workstations in the ...]]></description>
			<content:encoded><![CDATA[<h3 class="western" style="padding: 0in 0in 0.01in; background: transparent none repeat scroll 0% 0%; margin-right: 0.01in; margin-top: 0in; margin-bottom: 0in; border: medium medium 1px none none solid -moz-use-text-color -moz-use-text-color #000000;"><span><span><span><span style="color: #0f543b;"><span style="font-family: Cortoba;"><span style="font-size: small;">I was looking at the CSI 2008 security survey recently and noticed that the top three loss categories are fraud (number 1), viruses (number 2) and data loss (number 3).<br />
</span></span></span></span></span></span></h3>
<p>I&#8217;m a little dubious about viruses landing up in the number 2 slot.  We haven&#8217;t even installed anti-virus software on our office workstations in the past 4 years and we haven&#8217;t had a single event.  It might be Symantec and McAfee gaming the numbers in order to prop up flagging anti-virus sales from people like me who use Google Applications and practice safe email and safe surfing.</p>
<p>However fraud and data loss are classic mainstream categories of operational risks.</p>
<p>I like the definitions in the Basel II regulation, which defines operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.</p>
<p>Although originally designed for banks and protection of the banking system and economy from large-scale failure, a systematic approach to operational risk management is important for <strong>any</strong> kind of organization.  Operational risk is not about damage to the business from a bad strategic decision (like getting into a new market segment and losing your pants).</p>
<p><span id="more-527"></span></p>
<p>Basel II defines 6 types of operational risk:</p>
<ol>
<li>Internal Fraud &#8211; misappropriation of assets, tax evasion, intentional mismarking of positions, corruption and bribery</li>
<li>External Fraud &#8211; theft of information, hacking damage, third-party theft (including data loss) and forgery</li>
<li>Employment Practices and Workplace Safety &#8211; discrimination, workers compensation, employee health and safety; Clients, Products, &amp; Business Practice &#8211; market manipulation, antitrust, improper trade, product defects, fiduciary breaches, account churning</li>
<li>Damage to Physical Assets &#8211; natural disasters, terrorism, vandalism</li>
<li>Business Disruption &amp; Systems Failures &#8211; utility disruptions, software failures, hardware failures</li>
<li>Execution, Delivery, &amp; Process Management &#8211; data entry errors, accounting errors, failed mandatory reporting, negligent loss of client assets</li>
</ol>
<h3 class="western" style="padding: 0in 0in 0.01in; background: transparent none repeat scroll 0% 0%; margin-right: 0.01in; margin-top: 0in; margin-bottom: 0in; border: medium medium 1px none none solid -moz-use-text-color -moz-use-text-color #000000;"><span><span><span><span><span><span><span style="color: #0f543b;"><span style="font-family: Cortoba;"><span style="font-size: small;">In our experience:<br />
</span></span></span></span></span></span></span></span></span></h3>
<ul>
<li>
<p style="background: transparent none repeat scroll 0% 0%; margin-bottom: 0in;" align="left"><span style="color: #000000;"><span style="font-family: Cortoba;"><span style="font-size: x-small;">The most damaging attacks on a company are launched from inside the offices. Competitors and criminals exploit systems and employees in order to access and manipulate customer data, financials, marketing plans and intellectual property.</span></span></span></p>
</li>
<li>
<p style="background: transparent none repeat scroll 0% 0%; margin-bottom: 0in;" align="justify"><span style="color: #000000;"><span style="font-family: Cortoba;"><span style="font-size: x-small;">Current security focus is on outside hackers, despite the fact that insider fraud and data theft are leading white-collar crimes worldwide. As a result, many companies cannot even detect,  let alone monitor, quantify and prevent fraudulent events inside their organization. </span></span></span></p>
</li>
<li>
<p style="background: transparent none repeat scroll 0% 0%; margin-bottom: 0in;" align="justify"><span style="color: #000000;"><span style="font-family: Cortoba;"><span style="font-size: x-small;">Fraud and data theft can be committed through many methods, including mobile phones and the Internet. The difficulty of validating online identity, the speed with which hackers can exploit IT vulnerabilities, the international dimensions of the Web and ease with which users can hide their identity, all contribute to making the Internet the fastest growing area of fraud and data theft.</span></span></span></p>
</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.software.co.il/2008/09/operational-risk-is-not-a-bad-business-decision/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>

