Economic Downturn Not Time to Reduce Focus on Disaster Preparedness

Spurred by a worsening outlook for the economy, many companies are taking a hard look at information technology (IT) expenditures to identify projects that can be cut or deferred. However, the business needs for available data and regulatory compliance requirements do not slow down, even in the face of an economic downturn.

“Focused on short-term pressures to make budget cuts, it often escapes companies that disaster preparedness needs may actually be greater during economic slowdowns,” said William P. DiMartini, senior vice president of consulting services at SunGard Availability Services. “For instance, many organizations are reducing costs by consolidating equipment. But because of e-discovery and compliance requirements, data must still be retained even with a cap on spending.”

Companies need to plan for a range of scenarios from short-term outages to full-blown disasters. Risk assessments provide a comprehensive review of a company’s current information availability strategies – and analyze the business impact of potential disruptions. When conducting assessments, it is essential to measure and assess three major areas:

- Information security, covering policy, procedure and regulatory response.
- Information management, examining program controls, the organization and flow of information, and continuity of services.
- Information architecture, looking at network design, facility and environmental infrastructure and system design.

“Risk assessments provide an objective evaluation to senior executives, describing how a firm’s information availability strategy compares to similar organizations – outlining strengths and weaknesses. They also contribute a valuable guide in determining where to spend money to address vulnerabilities,” said DiMartini.

Keep Essential Programs Going. Typically, during an economic downturn, internal IT resources become stretched. This leads to companies looking for outside support to fill gaps to get essential work done and still save money. One area third-party experts can provide assistance is maintaining and testing disaster recovery plans. Disaster recovery plans need to be viewed as ongoing programs – not projects that can be put on the shelf for a year.

Another area that often faces cutbacks in tight budgetary times is recovery environments. Companies are pressured to scale back an IT recovery site. This often leads to the recovery installation not matching a current production environment. Critical applications can then no longer be supported at recovery sites. To address this issue, companies can leverage third party managed services that host secondary applications at a third-party site and protect data with disaster recovery solutions.

Have Disaster Plans that Keep Pace with Technology Changes. Many organizations are moving today to virtualization technologies to generate IT cost savings by consolidating servers and storage. But moving to these environments with untested plans to recover data should an unplanned outage occur can turn a problem into a disaster that impacts an entire company.

“Data managed by virtualized systems still needs to be accessible. Business continuity plans need to be updated to account for virtual environments to assure information availability,” said DiMartini.
During economic downturns, remember to (1) assess the risks to the organization; (2) pinpoint which programs must be maintained – and the best approach for them to continue; and (3) consider the impact of technology changes to disaster plans.

Study Shows Cell Phones And Driving Are A Dangerous Mix

Carnegie Mellon University scientists have shown that just listening to a cell phone while driving is a significant distraction, and it causes drivers to commit some of the same types of driving errors that can occur under the influence of alcohol.

The use of cell phones, including dialing and texting, has long been a safety concern for drivers. But the Carnegie Mellon study, for the first time, used brain imaging to document that listening alone reduces by 37 percent the amount of brain activity associated with driving. This can cause drivers to weave out of their lane, based on the performance of subjects using a driving simulator.

The findings shows that making cell phones hands-free or voice-activated is not sufficient in eliminating distractions to drivers. “Drivers need to keep not only their hands on the wheel; they also have to keep their brains on the road,” said neuroscientist Marcel Just, director of the Center for Cognitive Brain Imaging.

Other distractions, such as eating, listening to the radio or talking with a passenger, also can divert a driver. Though it is not known how these activities compare to cell phone use, Just said there are reasons to believe cell phones may be especially distracting. “Talking on a cell phone has a special social demand, such that not attending to the cell conversation can be interpreted as rude, insulting behavior,” he noted. A passenger, by contrast, is likely to recognize increased demands on the driver’s attention and stop talking.

The 29 study volunteers used a driving simulator while inside an MRI brain scanner. They steered a car along a virtual winding road at a fixed, challenging speed, either while they were undisturbed, or while they were deciding whether a sentence they heard was true or false. Just’s team used state-of-the-art functional magnetic resonance imaging (fMRI) methods to measure activity in 20,000 brain locations, each about the size of a peppercorn. Measurements were made every second.

The driving-while-listening condition produced a 37 percent decrease in activity of the brain’s parietal lobe, which is associated with driving. This portion of the brain integrates sensory information and is critical for spatial sense and navigation. Activity was also reduced in the occipital lobe, which processes visual information.

The other impact of driving-while-listening was a significant deterioration in the quality of driving. Subjects who were listening committed more lane maintenance errors, such as hitting a simulated guardrail, and deviating from the middle of the lane. Both kinds of influences decrease the brain’s capacity to drive well, and that decrease can be costly when the margin for error is small.

“The clear implication is that engaging in a demanding conversation could jeopardize judgment and reaction time if an atypical or unusual driving situation arose,” Just said. “Heavy traffic is no place for an involved personal or business discussion, let alone texting.”

Because driving and listening draw on two different brain networks, scientists had previously suspected that the networks could work independently on each task. But Just said this study demonstrates that there is only so much that the brain can do at one time, no matter how different the two tasks are.

The study emerges from the new field of neuroergonomics, which combines brain science with human-computer interaction studies that measure how well a technology matches human capabilities. Neuroergonomics is beginning to be applied to the operation of vehicles like aircraft, ships and cars in which drivers now have navigation systems, iPods and even DVD players at their disposal. Every additional input to a driver consumes some of his or her brain capacity, taking away some of the resources that monitor for other vehicles, lane markers, obstacles, and sudden changes in conditions.

“Drivers’ seats in many vehicles are becoming highly instrumented cockpits,” Just said, “and during difficult driving situations, they require the undivided attention of the driver’s brain.”

Attack on computer memory reveals vulnerability of widely used security systems

A team of academic, industry and independent researchers has demonstrated a new class of computer attacks that compromise the contents of “secure” memory systems, particularly in laptops.

The attacks overcome a broad set of security measures called “disk encryption,” which are meant to secure information stored in a computer’s permanent memory. The researchers cracked several widely used technologies, including Microsoft’s BitLocker, Apple’s FileVault and Linux’s dm-crypt, and described the attacks in a paper and video published on the Web Feb. 21.

The team reports that these attacks are likely to be effective at cracking many other disk encryption systems because these technologies have architectural features in common.

“We’ve broken disk encryption products in exactly the case when they seem to be most important these days: laptops that contain sensitive corporate data or personal information about business customers,” said Alex Halderman, a Ph.D. candidate in Princeton’s computer science department. “Unlike many security problems, this isn’t a minor flaw; it is a fundamental limitation in the way these systems were designed.”

The attack is particularly effective against computers that are turned on but are locked, such as laptops that are in a “sleep” or hibernation mode. One effective countermeasure is to turn a computer off entirely, though in some cases even this does not provide protection.

Halderman’s Princeton collaborators included graduate students Nadia Heninger, William Clarkson, Joseph Calandrino, Ariel Feldman and Professor Edward Felten, the director of the Center for Information Technology Policy. The team also included Seth Schoen of the Electronic Frontier Foundation, William Paul of Wind River Systems and independent computer security researcher Jacob Appelbaum.

Felten said the findings demonstrate the risks associated with recent high-profile laptop thefts, including a Veterans Administration computer containing information on 26 million veterans and a University of California-Berkeley laptop that contained information on more than 98,000 graduate students and others. While it is widely believed that disk encryption would protect sensitive information in instances like these, the new research demonstrates that the information could easily be read even when data is encrypted.

“Disk encryption is often recommended as a magic bullet against the loss of private data on laptops,” Felten said. “Our results show that disk encryption provides less protection than previously thought. Even encrypted data can be vulnerable if an intruder gets access to the laptop.”

The new attacks exploit the fact that information stored in a computer’s temporary working memory, or RAM, does not disappear immediately when a computer is shut off or when the memory chip is taken from the machine, as is commonly thought. Under normal circumstances, the data gradually decays over a period of several seconds to a minute. The process can be slowed considerably using simple techniques to cool the chips to low temperatures.

Disk encryption technologies rely on the use of secret keys — essentially large random numbers — to encode and protect information. Computers need these keys to access files stored on their own hard disks or other storage systems. Once an authorized user has typed in a password, computers typically store the keys in the temporary RAM so that protected information can be accessed regularly. The keys are meant to disappear as soon as the RAM chips lose power.

The team wrote programs that gained access to essential encryption information automatically after cutting power to machines and rebooting them. The method worked when the attackers had physical access to the computer and when they accessed it remotely over a computer network. The attack even worked when the encryption key had already started to decay, because the researchers were able to reconstruct it from multiple derivative keys that were also stored in memory.

In one extremely powerful version of the attack, they were able to obtain the correct encryption data even when the memory chip was physically removed from one computer and placed in another machine. After obtaining the encryption key, they could then easily access all information on the original machine.

“This method is extremely resistant to countermeasures that defensive programs on the original computer might try to take,” Halderman said.

The attacks demonstrate the vulnerability of machines when they are in an active state, including “sleep mode” or the “screen lock” mode that laptops enter when their covers are shut. Even though the machines require a password to unlock the screen, the encryption keys are already located in the RAM, which provides an opportunity for attackers with malicious intent.

None of the attacks required specialized equipment. “I think we’re going to see attackers doing things that people have previously though impractical or impossible,” Appelbaum said.

The researchers were able to extend the life of the information in RAM by cooling it using readily available “canned air” keyboard dusting products. When turned upside down, these canisters spray very cold liquid. Discharging the cold liquid onto a memory chip, the researchers were able to lower the temperature of the memory to -50 degrees Celsius. This slowed the decay rates enough that an attacker who cut power for 10 minutes would still be able to recover 99.9 percent of the information in the RAM correctly.

“Hints of problems associated with computers retaining their temporary memory have appeared in the scientific literature, but this is the first systematic examination of the security implications,” said Schoen.

The researchers posted the paper describing their findings on the website of Princeton’s Center for Information Technology Policy. They submitted the paper for publication and it is currently undergoing review.

In the meantime, the researchers have contacted several manufacturers to make them aware of the vulnerability: Microsoft, which includes BitLocker in some versions of Windows Vista; Apple, which created FileVault; and the makers of dm-crypt and TrueCrypt, which are open-source products for Windows and Linux platforms.

“There’s not much they can do at this point,” Halderman said. “In the short term, they can warn their customers about the vulnerability and tell them to shut their computers down completely when traveling.”

In the longer term, Halderman said new technologies may need to be designed that do not require the storing of encryption keys in the RAM, given its inherent vulnerability. The researchers plan to continue investigating this and other defenses against this new security threat.

Digital Music To Surpass CD Sales By 2012

Half of all music sold in the US will be digital in 2011 and sales of digitally downloaded music will surpass physical CD sales in 2012, according to a new report by Forrester Research, Inc. Digital music sales will grow at a compound annual growth rate of 23 percent over the next five years, reaching $4.8 billion in revenue by 2012, but will fail to make up for the continuing steady decline in CD sales. In 2012, CD sales will be reduced to just $3.8 billion.

“This is the end of the music industry as we know it,” said Forrester Research Vice President and Principal Analyst James L. McQuivey. “Media executives eager to stay afloat in this receding tide must clear the path of discovery and purchase, but only hardware and software providers can ultimately make listening to music as easy as turning on the radio.”

The Forrester report is based in part on a survey of more than 5,000 consumers in the US and Canada. Among the drivers of Forrester’s five-year forecast for music sales:

- MP3 player adoption. The average MP3 player is only 57 percent full, suggesting that the devices are underutilized, while more of the devices are being bought by households with more than one MP3 player. Moving forward, a majority of MP3 players will be sold to households that already have one.

- DRM-free music. With the four big music labels now committed to eliminating digital rights management (DRM), DRM-free music will extend beyond pioneer Amazon.com to Apple iTunes and the other major online music sites.

- Social networks. DRM-free music enables every profile page on MySpace.com or Facebook to immediately become a music store where friends sell friends their favorite tracks.

Forrester believes digital downloads are the logistical mass market for the future, satisfying all the needs that people have when it comes to music — easy to find, easy to buy, and easy to listen to, regardless of the device. On the other hand, subscription music services will show modest growth, reaching just $459 million in revenue in 2012 according to Forrester’s projections, while experiments in ad-supported downloads will be silenced by the powerful combination of DRM-free music and on-demand music streaming on sites like imeem.com.

“The industry has to redefine what its product is,” said McQuivey. “Music executives have spent years tracking CD sales. But the artist is the product — not just the source of it. New forms of revenue will come from unexpected sources. For example, the industry has failed to capitalize on the growing popularity of video games such as Guitar Hero and Rock Band. In a market where musicians are happy to sell a million copies of a CD, a video game market where titles can sell five million copies is enough to motivate even the most depressed music executive.”

People Prefer Shopping To Buying With Mobile Phones – Gartner

Forthcoming improvements in mobile technology, such as better form factor and faster data speeds, are causing many retailers to think about adding a mobile commerce (m-commerce) channel in the next 12 to 24 months, according to Gartner Inc. However, in order to drive m-commerce revenues in the future, both retailers and m-commerce vendors must seriously consider how far consumers are willing to shop using their mobile phones.

“Focusing solely on driving m-commerce revenue will not deliver what customers are really looking for when using their mobile phones during the shopping process,” said Hung LeHong, research vice president at Gartner. “Retailers developing a B2C mobile phone strategy must enable a multichannel shopping process as well as driving m-commerce revenue.”

Mr. LeHong said that a few of the more-likely shopping activities that consumers will want to do on their mobile phones, such as finding stores and checking prices, will be provided by portals and price comparison engines. He advised retailers to ensure that they were aware of the options that exist in working with these portals, mobile map providers and comparison engines.

Gartner recently undertook a survey of more than 2,000 consumers in the U.S. and the U.K. to assess the likelihood that they would undertake a variety of mobile shopping activities, from price checking and product browsing to ordering and paying for a product from a mobile phone.

Key survey findings:
- Consumers are more likely to shop rather than to buy from a mobile phone. In the U.S., consumers were twice as likely to check for prices of items as to buy items from their mobile phone (24 percent were likely to check price, and 12 percent were likely to buy on a mobile phone). U.K. consumers posted similar responses (18 percent check price and 11 percent buy).

- Checking item prices and finding stores are two shopping activities particularly suited to consumers on the go. These two activities were in the top three activities to be done on a mobile phone in both the U.S. and U.K.

- Openness to receiving promotions on a mobile phone ranked third in the U.S. and fourth in the U.K. Twenty percent of U.S. and 16 percent of U.K. respondents stated that they would be likely to want to receive promotions on their mobile phones.

- The younger the consumer, the more likely he or she is to use the mobile phone to conduct retail activities. In the U.S., the “digital native” respondents (ages 18 to 27) were, on average, 1.98 times more likely to do mobile shopping activities than the “boomer” generation respondents (ages 43 to 61). In the U.K., the digital natives were on average 2.63 times more likely to do mobile shopping activities than their boomer counterparts. This is consistent with the assumption that mobile use in the U.K. is considered more advanced than in the U.S.

- U.K. consumers were slightly more conservative in stating their likelihood to use the mobile phone to shop, but the relative ranking of the preferred activities was very similar to U.S. consumers. However, digital natives in the U.K. were slightly more aggressive (7 percent more) in stating their likelihood to do mobile shopping activities than U.S. digital natives.

“M-commerce technology vendors should differentiate themselves by providing multichannel capabilities, such as enabling mobile-phone-generated orders to be picked up in a store or allowing consumers to save mobile-phone-created shopping sessions to be later continued on a Web browser,” Mr. LeHong said.