Wednesday, December 30, 2009

Motivational Moment

Thought for the Day

December 30, 2009

HAPPINESS IS FOUND IN DOING, NOT MERELY IN POSSESSING.

It's true. Money can't buy happiness. Most of us are motivated by aspirations for the lifestyle we desire for ourselves and our families, not by the physical possessions themselves: homes, vacations, automobiles, etc. When you recognize this fact, you will know that you must constantly "raise the bar" to encourage yourself to reach higher goals. Your goals should include the possessions that you desire, but as former Apple Computer chairman and CEO John Sculley said, "Success is a journey, not a destination. Make sure you enjoy the trip."

This positive message is brought to you by the Napoleon Hill Foundation. Visit us at http://www.naphill.org.

Monday, December 28, 2009

A Positive Moment with Jon Gordon

Motivational Monday

FRIENDS MUST BE GROWN TO ORDER, NOT TAKEN FOR GRANTED.

Your friends will be what you make them. If you are the kind of friend who freely gives of your time and always shows consideration for others, your friends will be generous and kind. If you are the kind of person who takes your friends for granted, neither giving nor expecting much in return, you will attract friends who exhibit the same qualities. In friendship, like attracts like. Assess your behavior occasionally to determine what kind of friend you are. Are you the kind of person you would like to have as a friend? Do you freely give more than you expect in return, or are you always asking and never giving? Do you take the time to stay in touch, to remember friends’ special occasions? When you become so consumed with your own interests that you forget about your friends, you are well on your way to becoming friendless.

This positive message is brought to you by the Napoleon Hill Foundation. Visit us at http://www.naphill.org.

Wednesday, December 23, 2009

Obama selects tech veteran for top cybersecurity post

Howard Schmidt is respected by many but will have his work cut out for him
By Jeremy Kirk

Howard Schmidt was named as the White House's cybersecurity coordinator on Tuesday, a job that was reportedly difficult to fill as the U.S. strengthens its computer security defense.

The appointment marks a return to government for Schmidt, who left his job as vice chairman of former President George W. Bush's Critical Infrastructure Protection Board in April 2003, saying he was retiring from government service to join the private sector.

"As President Obama has said, this cyber threat represents one of the most serious economic and national security challenges we face as a nation," Schmidt said in a video statement on the White House's Web site.

Schmidt will be responsible for creating a U.S. network security strategy that encompasses protocols for ensuring a unified response to cybersecurity incidents. He also will be in charge of strengthening partnerships between government and business, the research and development of next-generation technology, and a national campaign for cybersecurity awareness.

Schmidt has a depth of experience in cybersecurity, most recently working in the U.K. for the Information Security Forum, a nonprofit that focuses on researching and evaluating cybersecurity risks. His private industry experience includes a stint as chief information security officer for auction giant eBay and chief security officer for Microsoft, where he worked on the company's Trustworthy Computing initiative, a massive revamp of Microsoft's security practices.

On the government side, Schmidt served in the U.S. Air Force in both active duty and civilian positions. He established the first dedicated computer forensic lab when he was a supervisory special agent and director of the Air Force's Office of Special Investigations (AFOSI) Computer Forensic Lab and Computer Crime and Information Warfare Division. Before that position, he headed the Computer Exploitation Team with the FBI at the National Drug Intelligence Center.

President Obama announced the cybersecurity coordinator position in May, but as months dragged on it became apparent that candidates were concerned over what sort of power the role would have. Possible candidates included Scott Charney, a Microsoft vice president for its Trustworthy Computing program.

Schmidt's experience across the public and private sectors -- and technical acumen -- will serve him well, said Alan Paller, director of research at the SANS Institute. "He was the only one being considered who knew what it was like to secure a system. That set him apart from everybody," Paller said.

But that doesn't mean the job will be easy, as Schmidt will have to propel a delicate and very broad agenda across many government agencies in order to deliver better computer security.

"The main fight in any cybersecurity initiative is between the people who want to put some more resources into protection against the people who want to get on with the job of business and not be delayed in any way," Paller said. "People who work with IT companies come to Washington with mandates to stop government from doing anything that will cost them money."

Schmidt will have to avoid getting bogged down in endless meetings and speeches about cybersecurity. "There really aren't that many hours in a day," Paller said.

Schmidt's office will be in the old executive office building next to the White House, a location that puts him in a better location for influence, Paller said. Schmidt will report to John Brennan, assistant to the president for homeland security and counterterrorism.

Pulling together the cybersecurity efforts across the U.S. government will be challenging, said Roger Thornton, CTO and founder of security vendor Fortify Software. "I think it will be a very tough job. He's going to have to herd some cats," Thornton said.

Monday, December 21, 2009

IronMAN 2

Motivational Monday

Thought for the Day

December 21, 2009

COOPERATION MUST START AT THE HEAD OF A DEPARTMENT IF IT IS EXPECTED AT THE OTHER END. THE SAME IS TRUE FOR EFFICIENCY.

In most large organizations, the amount of time and energy that is squandered in interdepartmental rivalry is enormous. Managers who compete with others inside the company waste valuable resources that should be directed at fulfilling the company’s mission to serve its customers better. Worse, a negative, internal focus can cause the company to miss opportunities, the full effect of which may not be realized for months or even years. Whether you are the head of the department or the newest worker on the staff, you can help your company immeasurably by refusing to become embroiled in internal strife. Compete with yourself to do the best job you can do instead of competing with others.

This positive message is brought to you by the Napoleon Hill Foundation. Visit us at http://www.naphill.org.

Thursday, December 17, 2009

Motivational Moment

Persistence

"Remember... You can do wonders if you keep trying. You can cope with anything; you really can. In-depth faith always wins over difficulties. Keep going strong with the excitement principle."


-Dr. Norman Vincent Peale

Wednesday, December 16, 2009

McDonald's to offer free, unlimited Wi-Fi

Fast-food chain wants customers to stay longer
By Matt Hamblen

McDonald's restaurants may soon be the easiest spot to find free Wi-Fi and browse the Web as long as you like.

The restaurant chain is lifting a $2.95 fee for two hours of wireless Internet access starting in mid-January, according to the Wall Street Journal and other reports.

McDonald's officials could not be reached immediately for comment.

The free Wi-Fi will reportedly be available at about 11,000 of 14,000 U.S. locations. McDonald's has used Wi-Fi provided by AT&T Inc. for several years, after first launching the service at 75 locations in San Francisco in 2003.

The free Wi-Fi will come with no time limits, all the better to encourage visitors to stay longer and buy McDonald's coffee drinks and hamburgers.

Obama Dedicates $88M More for Health IT

As part of the new Recovery Act funding, President Obama pushes health information technology systems for community health care centers.

Monday, December 14, 2009

Rather than patch, Microsoft blocks buggy code

By Gregg Keizer

Microsoft has decided to disable a 17-year-old video codec in older versions of Windows rather than patch multiple vulnerabilities, according to the company's security team.

Last Tuesday, the same day it issued six updates that patched 12 bugs, Microsoft released a security advisory that outlined the unusual move, which blocks the Indeo codec -- software that compresses and decompresses video data -- from being used by either Internet Explorer (IE) or Windows Media Player. The update also prevents other applications that access the Internet from loading the codec.

It's unclear exactly how many unpatched vulnerabilities the Indeo codec contains, but at least two security companies -- VeriSign iDefense and Fortinet -- issued their own Indeo bug alerts Tuesday. The vulnerability uncovered by iDefense was reported to Microsoft more than a year ago.

The update targets only the oldest editions of Microsoft's operating system: Windows 2000, Windows XP and Windows Server 2003. Windows Vista, Windows 7 and Windows Server 2008 already bar the Indeo codec from loading. Intel introduced the codec in 1992.

By blocking the codec from being used in IE and Windows Media Player, Microsoft said, it is protecting users against the known attack vectors, which would rely on duping people into visiting a malicious site.

It's unusual for Microsoft to skip patching known vulnerabilities and instead disable -- "deprecate" in programming terminology -- bits of code. "This is a rare occurrence, as it is usually challenging to remove functionality from products that customers are currently using without affecting existing applications," a Microsoft spokesman acknowledged via e-mail Thursday.

Patching the codec wouldn't make much sense, said Richie Lai, director of vulnerability research at security company Qualys. "Microsoft already made these changes for Vista and Windows 7, and Indeo is rarely used anymore," Lai said. "I see this more of an attack surface reduction move."

Microsoft saw it that way, too. "In this case, we created defense-in-depth changes that reduce the attack surface and removed the functionality of this codec rather than addressing individual vulnerabilities because it provided more comprehensive protection for an older, less used codec," said the company's spokesman.

On-disk applications, such as games that still rely on the Indeo codec, will function normally, Microsoft added.

This isn't the first time that Microsoft has declined to patch valid vulnerabilities. Last September, Microsoft announced that fixing a flaw in Windows 2000 Server SP4's implementation of TCP/IP was not feasible because that would "require re-architecting a very significant amount of the Windows 2000 SP4 operating system," and doing so meant "that there would be no assurance that applications designed to run on Windows 2000 SP4 would continue to operate on the updated system."

"Maybe this is a new trend," said Jason Miller, the security and data team manager of patch management vendor Shavlik Technologies.

"We believe this approach should provide more security for customers than addressing single instances of vulnerabilities," the Microsoft spokesman said.

The codec-blocking update has been pushed to Windows 2000, XP and Server 2003 users via Windows Update's automatic update mechanism.

Wednesday, December 09, 2009

Nanotech used to build batteries out of paper

Stanford researchers build bendable batteries that can be soaked in acid and still hold charge
By Sharon Gaudin


Researchers at Stanford University have used nanotechnology to create lightweight and even bendable batteries out of paper.

The paper batteries are designed to be folded, crumpled or even soaked in an acidic solution and still work, according to Yi Cui, assistant professor of materials science and engineering at Stanford. The team created the batteries by coating a sheet of paper with ink made of carbon nanotubes and silver nanowires.

Stanford offered no indication of when the batteries would be ready for commercial use.

"The most important part of this ... is how a simple thing in daily life -- paper -- can be used as a substrate to make functional conductive electrodes by a simple process," said Peidong Yang, professor of chemistry at the University of California-Berkeley, in a statement. "It's nanotechnology related to daily life, essentially."

The nanotubes used in the paper batteries and supercapacitors are one-dimensional structures with a small diameter, which enables the ink made from them to stick tightly to the paper. The university noted that the paper supercapacitors may be able to handle 40,000 charge-discharge cycles, which is an order of magnitude more than lithium batteries can take.

Cui pointed out that the nanomaterials make better conductors than traditional materials because they can move electricity more efficiently.

This is just the latest incidence of scientists using nanotechnology to further battery research.

Last summer, IBM launched a multi-year battery research project using nanotechnology, materials science and supercomputing.

In April, researchers at MIT reported that they are combining nanotechnology with genetically engineered viruses to build batteries that could power hybrid cars and cell phones.

And before that, another team of researchers at Stanford used silicon nanowires to enable lithium-ion batteries to hold 10 times the charge they could before. That means a laptop could last for some 40 hours using the new battery, according to Cui.

Monday, December 07, 2009

Motivational Monday

PHISHING SCAM - CDC Sponsored State Vaccination Program for H1N1

CDC has received reports of fraudulent emails (phishing) referencing a CDC sponsored State Vaccination Program for H1N1. The messages request that users create a personal H1N1 (swine flu) Vaccination Profile on the CDC.gov web site.

An example of the phishing email is below:

[Image: Sample H1N1 phishing email which states that the recipient needs to create a personal H1N1 (Swine Flu) Vaccination Profile on the CDC.gov site]

Users that click on the embedded link in the email are at risk of having malicious code installed on their system. CDC reminds users to take the following steps to reduce the risk of being a victim of a phishing attack:

  • Do not open or respond to unsolicited email messages.
  • Do not click links embedded in emails from unknown senders.
  • Use caution when entering personal information online.
  • Update anti-virus, spyware, firewall, and anti-spam software regularly.



Fake Microsoft security e-mail spreads malicious code

Spammers are cashing in on a recent stir over allegedly problematic Windows security patches

By Microsoft Subnet

It didn't take long for the bad guys to cash in on the confusion surrounding so-called faulty Windows patches. Cisco Security Intelligence Operations is reporting significant activity of spam e-mail messages that claim to offer a fix for security flaws in various Microsoft products.

This spam comes in a week where flaws in security updates affecting Windows were reported by security company Prevx, then denied by Microsoft and finally retracted by Prevx, leading to the security company issuing a public apology. Users, however, remain unconvinced that the November Patch Tuesday security patches were not to blame for an increase in occurrences of the black screen of death. Many readers have posted personal accounts of their own black screens of death which they attribute to the patches.

The situation is ripe for the plucking for spammers using that fear to tempt users into downloading malicious software. Cisco reports that text in the e-mail message instructs the recipient to click on a link to download updates that will fix security issues in Microsoft Internet Explorer, Windows XP, Windows Vista, or Windows 7. However, the link downloads an .exe file that attempts to install malicious software on the user's system.

Cisco reports that the following text is a sample of the e-mail message that is associated with this threat outbreak:

Subject: URGENT!!Microsoft Updates!

Message Body:

MIME-Version: 1.0

Content-type: text/html; charset=iso-8859- 1

From: supportmicrosoft.com

Message-Id: <20091203080449.1 995838E2920teks aid.joinvps.c om
Date: Thu, 3 Dec 2009 08:04:49 +0000 (IJTj

H ello,A few microsoft products have been found to have ome holes in them allowing hackers to take over and control users PC. f you are running: Microsoft Internet Explorer, Windows XP, Windows =ista, or Windows 7 then you are at risk of losing your computer and all f your datakbr bIf you have not already got the pdate goto this link: httplfmssupport.sytes.et/lipdater.exe or this link: http :/ftinyur1.com/microsof-up dater and get the Updater to fix the holes to protect yourself team. Thanks, Microsoft Support Team.

Cisco is reporting the outbreak because it owns the IronPort spam and anti-malware product. IronPort's security operations center analysts examine real-world e-mail traffic from over 100,000 contributing organizations worldwide. Cisco says the spam attack is a "hot" one in the wild and that potential damage from it is moderate. The attack is being kept in check because the spam should be fairly easy to spot with enterprise-class malware detection products like IronPort.

On the other hand, attacks against Windows are so popular because many of the naive masses have made Windows their operating system of choice. (Per comment below: By the term "naive masses" I mean that those who are least computer literate are most likely to use Windows and it would only be someone naive that would fall for such a scam as this one.) Even with such a poorly crafted e-mail attack as the one above, how many moms, pops and grandparents could fall prey?
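The lure above combines several tells that a mail gateway can score mechanically: a sender domain that is not the vendor's, a link to a downloadable executable, a URL shortener, and an urgent subject line. The following is an added example of such indicator scoring, written for this page; it is not Cisco's or IronPort's code. Both sample messages are constructed with reserved example domains, and the shortener list and the indicator names are my own choices.

```python
"""Score an e-mail against simple indicators of a fake vendor "security update" lure.
Added example; the two sample messages below are constructed and use reserved example domains."""
import re
from email import message_from_string
from email.utils import parseaddr

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
EXEC_EXT = (".exe", ".scr", ".msi", ".bat", ".pif")
SHORTENERS = {"tinyurl.com", "bit.ly", "short.example"}   # illustrative, not exhaustive


def host_of(url):
    """Lower-cased host part of a URL, without scheme, port or path."""
    return re.sub(r"^https?://", "", url, flags=re.IGNORECASE).split("/")[0].split(":")[0].lower()


def under_domain(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def indicators(raw_message, claimed_domain):
    """Return the sorted list of indicator names that fire for a message that claims to
    come from `claimed_domain` (the vendor named in its subject or signature)."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    payload = msg.get_payload(decode=True)
    body = payload.decode(msg.get_content_charset() or "ascii", "replace") if payload else ""
    subject = msg.get("Subject", "")
    urls = URL_RE.findall(subject + "\n" + body)
    hits = []
    if not under_domain(sender_host, claimed_domain):
        hits.append("sender-domain-mismatch")
    if any(url.split("?")[0].lower().endswith(EXEC_EXT) for url in urls):
        hits.append("executable-download-link")
    if any(host_of(url) in SHORTENERS for url in urls):
        hits.append("url-shortener")
    if any(not under_domain(host_of(url), claimed_domain) for url in urls):
        hits.append("off-brand-link")
    if "urgent" in subject.lower() or "!!" in subject:
        hits.append("urgency-subject")
    return sorted(hits)


def is_suspicious(raw_message, claimed_domain, threshold=2):
    """Simple verdict: two or more indicators is enough to quarantine for review."""
    return len(indicators(raw_message, claimed_domain)) >= threshold


# Constructed samples (example domains only; not the message quoted in the article)
SAMPLE_LURE = """From: "Microsoft Support" <support@vendor-updates.example>
Subject: URGENT!! Security update required
Content-Type: text/plain; charset=us-ascii

Hello, a few products have been found to have holes in them.
Download the updater from http://updates.example.net/updater.exe
or http://short.example/abc123 and run it today.
"""

SAMPLE_LEGIT = """From: "Security Notifications" <notify@example.com>
Subject: Monthly security bulletin
Content-Type: text/plain; charset=us-ascii

Details are at https://www.example.com/security/bulletin
"""

if __name__ == "__main__":
    print("lure:", indicators(SAMPLE_LURE, "microsoft.com"))
    print("legit:", indicators(SAMPLE_LEGIT, "example.com"))
```

The threshold of two indicators is deliberate: a single tell such as an off-brand link is common in legitimate mail that uses a marketing or ticketing provider, whereas a mismatched sender plus a direct executable download is what the Cisco-reported message relies on.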

SETI@home in spotlight following IT chief's job loss

Serves as reminder of how to properly partake in volunteer computing projects
By Alpha Doggs


UPDATE: On Dec. 3, Niesluchowski issued a statement denying misuse of or theft of school computers.

Reports this week out of Arizona about how a public school district IT chief lost his job have put the use of volunteer grid computing efforts in the spotlight.

According to the Arizona Republic and other news reports, Brad Niesluchowski lost his job earlier this fall as network systems administrator at Arizona's Higley Unified School District following an investigation into suspicious activity that included running the SETI@home distributed computing program across 5,000-plus school computers. The school district alleges that running the program on computers around the clock for nearly 10 years has cost it more than $1 million in energy and other costs, and interfered with teaching by messing up other programs, such as SMART board systems. In fact, Niesluchowski (or "NEZ") had gained a reputation as a sort of god among SETI@home users for his status as its most active user as documented via a public credit system.

The situation has generated strong opinions from many corners, with some upset by comments by school superintendent Denise Birdwell ("We support educational research and we would have supported cancer research but we however as an educational institutional do not support the search of ET.") that are seen as flip and showing a lack of understanding of how SETI@home really works. A Fox News report out of Las Vegas includes an interview with Niesluchowski's wife, who says use of the software was authorized by a previous administration. Others pointed out that Niesluchowski losing his job stemmed from much more than just his use of SETI@home.

On top of all this, a police investigation is ongoing and involves allegations of possible stolen computers and gear, according to the Republic.

One issue the Niesluchowski affair immediately brought to my mind has to do with the proper use of volunteer computing programs, which allow end users to donate the spare processing power on their computers via one of the dozens of ongoing volunteer computing projects, many based on open source software called BOINC.

In compiling a package of stories on volunteer computing this past summer, I asked David Anderson, a research scientist at UC Berkeley Space Sciences Laboratory who founded the BOINC project in 2002, about guidelines for using such software. His response: "The BOINC project's advice is to get permission from whoever owns the machine."

I circled back with Anderson today in light of the Niesluchowski situation, asking about whether it might harm SETI@home. His response: "I don't think S@h gets a black eye. Our policies explicitly forbid this."

He said it looks like "NEZ" got obsessed with SETI@home credit and made "some major errors in judgment."

On the plus side, Anderson said that SETI@home being in the news reminds the world that the project, which celebrated its 10th anniversary this year, is still going.

Wednesday, December 02, 2009

MDCH Warns Residents to Avoid Fraudulent E-Mails

Referencing CDC-sponsored State Vaccination Program

Phishing emails are a scam, attempts to obtain personal information

LANSING - The Centers for Disease Control and Prevention (CDC) and the Office of the Chief Information Security Officer (OCISO) Cyber Security Incident Response Team (CSIRT) have received reports of fraudulent emails referencing a CDC-sponsored State Vaccination Program for the H1N1 virus. The messages request that users create a personal H1N1 "Vaccination Profile" on the cdc.gov Web site. The messages then state that anyone who has reached the age of 18 has to have his/her personal "Vaccination Profile" on the cdc.gov site.

The CDC has NOT implemented a state vaccination program requiring registration on www.cdc.gov. These emails are a scam and residents are asked to ignore and delete them.

Users that click on the embedded link in the email are at risk of having malicious code installed on their system. The OCISO reminds users to take the following steps to reduce the risk of being a victim of a phishing attack:

  • Do not follow unsolicited links and do not open or respond to unsolicited email messages.

  • Use caution when visiting un-trusted Web sites.

  • Use caution when entering personal information online.

For more information, please visit www.cdc.gov/hoaxes_rumors.html

Tuesday, December 01, 2009

Dell Customizes Chrome OS for the Dell Mini 10v

A Dell employee has gotten Chromium OS, the code behind Chrome OS that Google released to open source, to run on a Dell Mini 10v netbook. The fact that a Dell programmer tinkered with the code and passed on his findings to others is a sign of how liberating and rich open source can be, as well as how Chrome OS is piquing curiosity. Still, some experts see Chrome OS as being five to 10 years away from mass adoption with consumers and enterprises, respectively. The world is, after all, still propelled by Windows. Read how to get Chrome OS running on a Dell Mini below ...

BackTrack4 Uses IPv6 to Cover Tracks

This past week I was working on performing a security assessment and I was using the latest version of BackTrack 4 [1]. I noticed that it has Miredo support to help auditors establish a secret IPv6 back-channel to their exploited systems. This shows that the security community is recognizing how IPv6 can be used as a backdoor to owned systems.

Let's face it: IPv6 deployments haven't been as numerous as many of us would have hoped. Several years ago we expected that by the end of 2009 the migration to IPv6 would be in full motion. The fact that IPv6 is still fairly obscure to most security administrators means it can fly under the radar of most organizations, and at the same time IPv6 is starting to gain the attention of hackers as a means of creating a covert channel to compromised systems.

It is a fact that many organizations have a default outbound policy on their firewalls that allows virtually all outgoing connections. This means that the dynamic tunneling technique Teredo [2], which places IPv6 packets inside UDP packets to port 3544, would be allowed outbound by most companies. If a similar technique used TCP port 80 to create encapsulated IPv6 tunnels outbound, those would also be permitted to leave an organization. The organization's stateful firewalls would then allow the return traffic back to that internal host, and thus any protocol could be carried through the encapsulated IPv6 packets.

Let's imagine a malicious piece of software that finds vulnerable systems using IPv4. Unlike IPv6's sparse population of nodes, the dense population of IPv4 hosts makes them easy to find. Once those systems are exploited, the malicious code would leverage the fact that the host operating system was already running IPv6. Mac, Windows, Linux, BSD, Solaris, HP-UX, AIX, and many other operating systems have IPv6 enabled by default. Even if the organization hadn't enabled IPv6 on its access routers, the host would still be able to create an IPv6-within-IPv4 tunnel to somewhere on the Internet. That infected host could create a 6in4 tunnel to a command and control server on the Internet. This traffic wouldn't be picked up by most IPSs because most of them lack the ability to peer deeper into the packet contents, and fewer still know how to correctly decode an IPv6 header [3].
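The two encapsulations named above are not hard to recognise once a sensor actually looks inside the IPv4 payload: Teredo is an IPv6 header carried in UDP with port 3544 at either end, and 6in4 is an IPv6 header carried directly as IPv4 protocol 41. The following added example (mine, not code from the BackTrack or Miredo projects) shows a minimal decoder that does exactly that over raw IPv4 packets without a link-layer header. The packet builders, the documentation-range addresses and the sample packets are all constructed for the demo; it is the detection hook an IPS or a firewall log parser would need, not a tunnel client.

```python
"""Flag IPv6-in-IPv4 tunnel traffic (Teredo over UDP/3544 and 6in4 over IPv4 protocol 41)
in raw IPv4 packets. Added example; the sample packets below are constructed."""
import ipaddress
import struct

TEREDO_PORT = 3544        # UDP port used by Teredo (RFC 4380)
IPPROTO_UDP = 17
IPPROTO_IPV6 = 41         # IPv4 protocol number for 6in4 encapsulation (RFC 4213)
TEREDO_ORIGIN_IND = b"\x00\x01"   # 8-byte Teredo origin indication may precede the IPv6 header


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left zero) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_udp(sport, dport, payload):
    """UDP header (checksum left zero) followed by payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_ipv6(src, dst, next_header, payload):
    """Minimal IPv6 header: version 6, zero traffic class and flow label, hop limit 64."""
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def inner_ipv6(blob):
    """Return (src, dst, next_header) if blob starts with an IPv6 header, else None."""
    if len(blob) < 40 or blob[0] >> 4 != 6:
        return None
    return (str(ipaddress.IPv6Address(blob[8:24])),
            str(ipaddress.IPv6Address(blob[24:40])),
            blob[6])


def classify_tunnel(pkt):
    """Describe the encapsulated IPv6 traffic in a raw IPv4 packet, or return None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    outer_src = str(ipaddress.IPv4Address(pkt[12:16]))
    outer_dst = str(ipaddress.IPv4Address(pkt[16:20]))
    payload = pkt[ihl:]
    kind, inner = None, None
    if proto == IPPROTO_IPV6:
        # 6in4: the IPv4 payload is the IPv6 packet itself
        kind, inner = "6in4", inner_ipv6(payload)
    elif proto == IPPROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT in (sport, dport):
            udp_payload = payload[8:]
            # Teredo relays may prepend an origin indication before the IPv6 header
            if udp_payload.startswith(TEREDO_ORIGIN_IND) and len(udp_payload) >= 8:
                udp_payload = udp_payload[8:]
            kind, inner = "teredo", inner_ipv6(udp_payload)
    if inner is None:
        return None
    return {"tunnel": kind, "outer_src": outer_src, "outer_dst": outer_dst,
            "inner_src": inner[0], "inner_dst": inner[1], "inner_next_header": inner[2]}


# Constructed sample traffic (documentation address ranges, not real hosts)
INNER = build_ipv6("2001:0:a:b::1", "2001:db8::53", 6, b"\x00" * 20)   # TCP carried in IPv6
SAMPLES = {
    "teredo": build_ipv4("10.0.0.5", "203.0.113.1", IPPROTO_UDP, build_udp(54321, TEREDO_PORT, INNER)),
    "6in4": build_ipv4("10.0.0.5", "198.51.100.7", IPPROTO_IPV6, INNER),
    "dns": build_ipv4("10.0.0.5", "10.0.0.53", IPPROTO_UDP, build_udp(40000, 53, b"\x12\x34" + b"\x00" * 10)),
}


def scan(samples=SAMPLES):
    """Map each sample name to its tunnel type ('teredo', '6in4') or None."""
    return {name: (classify_tunnel(p) or {}).get("tunnel") for name, p in samples.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify_tunnel(pkt))
```

The same two checks give the egress policy its missing rule: a firewall that denies UDP/3544 and IPv4 protocol 41 outbound, except from a deliberately provisioned tunnel endpoint, closes both paths the post describes, and the inner source and destination addresses this decoder extracts are what should go into the alert so an analyst can see which internal host set up the tunnel.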

BackTrack is a Linux Live CD operating system that has many pre-compiled/pre-installed utilities for performing security assessments. The most current version, BackTrack 4, was recently released to help penetration testers get up and going quickly. BackTrack 4 now contains the Miredo [4] client/server software to maintain access to a system that was successfully compromised by other tools in the BackTrack toolkit. Miredo is an open-source implementation of the Microsoft Teredo [2] IPv6 tunneling system. Following is a screen shot of BackTrack 4 and the Miredo client.

[Screenshot: BackTrack 4 running the Miredo client]

IPv6 will continue to grow in popularity and it will increasingly be used as a method to obscure connections until there are a greater number of tools to observe encapsulated packets. Hopefully the security defenders will start to take notice of IPv6 and the risks associated with having a default outbound policy.