Wednesday, November 13, 2013

Cryptolocker Virus Can Decimate a Business

In recent weeks, a new breed of virus has emerged: truly effective “Ransomware.” Past iterations of Ransomware, most notably the “FBI Virus,” have touted an urgent call to action involving a transfer of funds to the group that has infected your computer. The FBI Virus is removable; with the right geek involved, your data is not in jeopardy, the virus can be removed, and your computer can be returned to a functioning state. The current version of Ransomware, known as “Cryptolocker,” is no joke. Your files are truly gone. The only path to restoration involves paying the ransom, via Bitcoin.


So far, the standard rate for retrieval of your information is two bitcoins. Standard bitcoin exchange rates, averaging about $300 USD per bitcoin, have applied. In the majority of the cases reported, the paying of the ransom actually works. About a thousand PCs a day are infected, though this rate may vary in the future, as known successes are reported in the viral community.

Paul Ducklin, head of technology for the Asia-Pacific region at SOPHOS, described the impact of the virus: “It's kind of like losing your computer or smashing your hard disk or dropping your computer in the harbor. You are never going to get your data back.”

Let me be clear: removing the virus does NOT restore access to your data. The information is locked, not accessible, coded to a specific and complicated key. Cracking the key is a job for geeks armed with supercomputers and dual MBAs and is well beyond the scope of the average SysAdmin or corner computer geek. It is no joke, no post-Halloween spoof. Infected file types run the gamut of often-used and critical files, and include documents, databases, spreadsheets, photos, videos, and music collections.

The virus is also written to lock “backed up” versions of the files. The operative function of cross-platform infection pivots on real-time links between data structures. If you are using a common and widely adopted platform such as Dropbox, iCloud, Google Drive, or SurDoc, then your file storage may also be locked. During the past decade, users have moved away from a truly “cold storage” approach to file protection, but that old-school approach is the best way to combat the current malware attack.

PCs and laptops that are attached via VPN or other linked mechanisms are also prime candidates for this viral attack. The virus authors are looking for files that are easy buy decisions for the unlocking keysets: a database of client information, current AR, banking info, ERP and CRM tables, etc. The data types targeted are obvious. This corporate infection strategy is reinforced by a development (in the past week) of a “buy more time” option in the ransom scheme. Initially, a 72-hour window was given, demanding two bitcoins for the unlock key. Now, a “buy more time” option has been given. The upcharge can range into the thousands of dollars (USD), allowing for more time to gather funds to purchase unfettered access to your files.

For personal computer users, an image backup of cold file storage of the to-be-protected data is recommended. USB-capable storage is cheap. 32GB flash drives, in the $30 range, are prolific. I would recommend backing up crucial data as often as needed. The question is, how many days can you afford to lose? Backing up your primary information monthly, at a minimum, is recommended. In the past, corporations and enterprises have used tape backup, some form of shelved cold storage, ensuring information integrity.

Returning to the trends of old, keeping a “cold copy” of primary data is critical. Even when the ransom is paid, there have been cases where the key is not provided. Ironically, the absence of a key, despite ransom payment, is laid at the feet of law enforcement. Should the authorities track the key-generating server and shut it down before your key can be generated, your data is still locked.

Monday, November 11, 2013

Sticker Shock: ICANN's New Rules for TLDs

Creating a website -- currently a fairly inexpensive proposition -- is about to become a lot more costly and complicated.

Nowadays, domain names, starting as low as $3, are readily available and traded openly. Typically, staking a claim to a specific URL or domain name does not present a financial barrier to entry. In fact, even the least technical businessperson can tackle website creation, although hiring a professional will doubtless deliver higher quality results and should take less time.

Regardless of size, financial status, marketshare, or talent, the web offers an inexpensive and readily available platform for users of all types. But volcanic change threatens the equality Tim Berners-Lee envisioned when he crafted the Internet.

Most domain names end in .COM and .ORG; in a “top 100 sites” listing by Ted.com, .COM accounted for half of the primary list. Another 39 used .ORG, while a mix of other top-level domains (TLDs) rounded out the ranking. Under ICANN's new rules, new and distinctive domain names will be released, after review by ICANN. These names will begin to become visible in the greater web in the fourth quarter of 2013.

A highly visible top-level domain, one of the first to gain approval and plan for market release, is .NYC. According to the City of New York’s information page about the .NYC TLD, pricing for these domain names will be based on estimates of related revenue, a model lending itself to more of an auction-based feel than the traditional domain pricing model.

Qualification for acquisition of a .NYC-related domain is also limited. According to City of New York officials, qualified applicants will have a “bona fide presence” in the City of New York, meaning regularly performing lawful activities within the city and maintaining an office or other facility in the city. This is a drastic departure from traditional domain acquisition practices, where anyone with a few dollars can start a named web entity, regardless of location or taxpayer status.

A TLD differs from a traditional domain in its length and its price. New generic top-level domains (GTLDs) change the playing field, allowing for different associations between companies or cities and their web presence. Essentially, the introduction of this new class of domains separates the big players from the little guys. I question not only this fundamental change in the way the web routes naming conventions, but the basic class-level distinction ICANN is allowing to emerge.

You can find the reasoning for this move by looking at ICANN’s bottom line revenue. According to its FY13 Operating Plan and Budget, ICANN's total operating income was $14.2 million in 2012. However, the organization predicts income of $85.9 million only 12 months later. Six times the operating income, year over year, is enough to entice any company into a new direction. But I question at what cost this increased revenue will come.

If a wave truly becomes a sound at first hearing, then a product becomes a reality at first adoption. Based on the thousands of initial registrants for GTLDs -- despite the massive cost per registrant -- the market apparently believes this new TLD strategy will succeed.

Esther Dyson, founding chairperson of ICANN, states GTLDs "will create jobs [for lawyers, marketers and others] but little extra value." In 2012, the most expensive GTLD, CDN.net, sold for $185,000, a clear separation from the traditional pricing model for domain names -- the cornerstone of commerce on the web.

The WWW has (for the most part) provided a level playing field for all entrants, regardless of size. True impact has been determined by the masses, nullifying the law of scarcity, and allowing for viral growth of brands and goods based on value -- not marketing might and size of company. How the new GTLD schema will affect search engines, ability to find products, and baseline competition on the web is still largely an unknown. Time will tell as the new web postfixes hit the digital street. Hopefully the final vote, rate of adoption by consumers, will hold the most weight.

Don’t Look Now... Google Glass Will Change Everything

Google Glass is coming, and it’s a large target for many points of controversy.

Given the open architecture Google traditionally uses, the applications for this product will continue to cause much debate while reaching for new heights of integration and digital layover into our daily lives. Competitive wearable-technology products by the likes of Leap Motion and SixthSense, and Kickstarter-based offerings entering into this 21st century gold rush will soon flood the marketplace.

The underlying issue for business of all sizes is how this new technology will impact revenue cycles and buying trends. It’s an issue that has been ignored, surprisingly. But I believe we will see a new trend across all markets and all products, based on this emerging technology.

Prepping your business for this new tech is crucial. The crux of the matter lies in availability, from a digital perspective, of the information that is crucial to buyers. Metrics like competitive analysis, up-to-the-minute availability statistics, and auction-based pricing (real-time supply and demand) must be available to the consumer or prospect in order to be accessible to the wearable tech public. The appetite for real-time info will be voracious. Consequently, relying on people, not systems, to update relevant information about products and services will be a fool’s errand.

Welcome to Tomorrowland

I live in a tourist destination, near a hub of international activity -- International Drive, in Orlando, Fla. It’s a mash-up of languages and product offerings ranging from the bizarre to the predictable. I can find them all just a few miles from my front door. I expect, in the near future, wearers of layover technology -- aka Google Glass -- will peruse products and services without ever entering the purveyor’s place of business. Attraction-queue wait times, table wait times, dinner specials, arrivals and departures of local transportation shuttles, room specials -- all types of goods and services being offered by business will be displayed digitally. From afar a prospect may be lured or qualified without ever entering the business in question.

The delivery mechanism for this information will be web-based tech. Regardless of how you build your site (PHP/CSS, WordPress, Twitter Bootstrap, Dreamweaver, or Adobe Suite) all sites will end up with some sort of consumable HTML code structure. Making sure your info is consumable by a wearer-style interface will be crucial. Supplying information that is relevant and current to the user, even more so.

From movable to wearable

Currently this can be achieved by a “mobile capable” web extension -- capability that is already an issue in Google’s organic SEO ranking. But the missing link for many businesses lies in the capture of relevant sale information and the automatic updating of inventory/availability metrics to the mobile capable interface. This may entail tying in a node from a host- or hostess-stand POS (point of sale), enabling wait time information for a restaurant, actively pulling data from a booking engine for demand-rate structure (resort room pricing), demand-based pricing for retail outlets selling hard goods, or service wait times for hair and nail salons.

Traditionally a staff person provides this information to a prospect walking in the door. The prospect inquires about wait time, the hostess answers. This human-to-human interface is lost in the layover marketing world. The opportunity no longer exists. It’s replaced by a visual layover that is only visible with wearable tech.

The tourist market is a prime example of what is coming, but all markets will feel an impact. A layover tech user may get real-time competitive info by looking at a car in a showroom and seeing a list of all competitive offers within five miles. Patients may query information about drugs prescribed, related healthcare information, or wait times in a specific practice’s office. Concerned parents may "check in" on their children at daycare or find their child’s location at a family outing. The implementation of this new technology surpasses privacy concerns and digital tracking.
It will, in fact, change everything.

No Shortcuts Allowed in Website Design

There are some tried-and-true ways to help prevent disasters such as the one that has befallen healthcare.gov.

Yesterday, in Why HealthCare.Gov Crashed & Burned, & How You Can Avoid That Fate, I touched on the management perils involved with so many contractors as well as site availability concerns. Today, let's look at the difficulties involved in accurate forecasting and dealing with siloed information.

Predicting the number of users for your company's newly released tools should also be a simple calculation. How many potential users exist? Are you replacing an existing paper-based process? Delving into the existing number of steps and tasks completed daily, with reference to the process, should allow for a "best-case scenario" when launching a new interface or process online. A number of tools exist, allowing for "on demand" scaling of web and LAN/WAN based applications. Your "Go To" geek should be able to address scaling issues with ease, if expected adoption metrics can be estimated.


Dependencies between data silos, a key to failure for healthcare.gov, are a tough nut to crack. Traditionally, paper-based processes allow for data staging between steps, normally managed by a well-trained employee or team manager. Housing data in specifically crafted spreadsheets or disparate databases allows for a managed flow of information between process steps. Automating these steps well relies heavily on discovery and scope of work for the project. Rules, segmented into a number of "if-then-else" statements, must be carefully crafted. Allowing for the majority of contingencies and access to needed data in real time, taking into account the number of systems included in crafting health care coverage, indeed presents a challenge.

When planning a process for your company, such as price quoting or inventory availability, you must ensure the data needed to calculate the required information is available in real time. Depending on a person or department to respond to a needed variable breaks the system of real-time responses to live users.

The bottom line, when outlining a process to be automated, is discovery, scope, and testing:
  • Carefully document the existing process prior to project scope (discovery)
  • Review the process, with the algorithmic replacement of well-trained staff (scope)
  • Diligently run the new tool through end-to-end testing, with the existing process team (testing)

A server is the perfect employee. It does not need sleep or vacation days, does not get jealous when another (better) server sits next to it, and ironically does not need health insurance. Moving your traditionally departmental- or team-based processes to a highly available application or portal is a logical step for any size business.

Healthcare.gov, though imperfect, represents a positive step forward. Using current tools to solve historically tough problems is a tried-and-true method in the world of businesses of all sizes. Hopefully, Washington can continue to improve and modify healthcare.gov. Obviously it is a work in progress.

Why HealthCare.Gov Crashed & Burned, & How You Can Avoid That Fate