Thursday, September 30, 2010

Many Android apps leak user privacy data

Researchers find permitted apps transmit phone numbers, location, and SIM card IDs

By John Cox
A recent test of prototype security code for Android phones found that 15 of 30 free Android Market applications sent users' private information to remote advertising servers, without the users being aware of what was being sent or to whom. In some cases, the user's location data was sent as often as every 30 seconds.
The software, called TaintDroid, was designed to uncover how user-permitted applications actually access and use private or sensitive data, including location, phone numbers and even SIM card identifiers, and to notify users within seconds. The findings suggest that Android, and other phone operating systems, need to do more to monitor what third-party applications are doing under the covers of smartphones.
TaintDroid is a joint effort by Peter Gilbert and Landon Cox, Duke University; Jaeyeon Jung, Byung-Gon Chun and Anmol Sheth, of Intel Labs; and William Enck and Patrick McDaniel, of Penn State University. The team's paper, "TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones" is online and is being presented next week at the USENIX Symposium on Operating Systems Design and Implementation (OSDI).
The team's resources on "Realtime Privacy Monitoring on Smartphones" can be found online. And an FAQ gives a quick summary of the TaintDroid project.
Smartphone apps can combine data from remote cloud services with data pulled from the phone and its sensors, such as GPS receiver, camera, accelerometer, and microphone. And there are legitimate reasons for applications to access a range of user privacy data.
But today, Android, and other mobile operating systems, offer only basic controls: users can allow or not allow an application to access such information. But they can't control how that data is subsequently used by the application. The online Android Market passed the 50,000 apps milestone last April.
"For example, if a user allows an application to access her location information, she has no way of knowing if the application will send her location to a location-based service, to advertisers, to the application developer, or to any other entity," the authors note. "As a result, users must blindly trust that applications will properly handle their private data. This lack of transparency forces users to blindly trust that applications will properly handle private data."
A controversial study released in June 2010 by smartphone security vendor SMobile (just acquired by Juniper) said that 20% of Android applications were seeking access to sensitive data. The report was trumpeted in a barrage of scare headlines implying that the applications were therefore unsafe. (Network World's own headline was more circumspect: "20 percent of Android apps can threaten privacy, says vendor".) Many Android developers noted that users explicitly grant permission to these applications, and that access to such data is often necessary.
But the TaintDroid project digs deeper: the question is, once access is granted, what actually does the application do with the data?
TaintDroid begins with the assumption that every one of those 50,000 applications can't be trusted. Technically, says Duke's Peter Gilbert, TaintDroid is an extension to Android's virtual machine, called Dalvik, on which Android apps actually run. "In order to use TaintDroid, one must install our custom-built firmware," he says.
The code uses a technique called dynamic taint analysis: specific sensitive data are labeled ("tainted") at the point where an app obtains them, and the labels are then propagated along with the data as it is copied, transformed, written to files and passed between apps in interprocess messages. The tracking follows the data itself rather than the permission that granted access to it.
When tainted data are sent over the network, or leave the system in any way, TaintDroid logs the labels, the application responsible for the transmission and the transmission's destination. It creates a simple text alert for the user, showing what information was sent, and to whom.
"The current notification UI is just a preliminary prototype that we built to demo the TaintDroid system," says Jaeyeon Jung, research scientist with Intel Labs Seattle. "The research is well underway to build a privacy interface through which users can configure privacy settings and control data exposure on smartphones."
The prototype code was tested against 30 randomly selected, popular Android apps that use location, camera, or microphone data. The software flagged 105 instances in which these applications transmitted tainted data. The researchers concluded that 37 of those instances (just over one-third) were legitimate. Fifteen of the apps reported users' locations to remote advertising servers. Seven collected the device ID and, sometimes, the phone number and the phone's SIM card serial number.
"In all, two thirds of the applications in our study used sensitive data suspiciously," the paper concludes.
TaintDroid's information flow tracking is not foolproof: it follows only explicit data flows, so an app can circumvent it by leaking data through what are called "implicit flows", in which the secret is reconstructed from control-flow decisions (for example, branching on each bit of a value and writing out fresh, unlabeled literals) rather than copied directly, according to the paper. The very use of implicit flows is an indicator of malicious intent, say the authors, who outline some countermeasures that can be applied.
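The following Python sketch is an added illustration of the mechanism described above; it is not TaintDroid's code (which instruments the Dalvik VM) and the app name, host and ad-library function are assumptions. Labels attached at a taint source ride along through string operations, a stand-in network layer reports what left and to whom, and the last function shows the implicit-flow gap: the output equals the secret but carries no label.

```python
"""Toy dynamic taint tracking in the style TaintDroid applies inside the Dalvik
VM, written for this page as an illustration (not the project's code)."""

from dataclasses import dataclass, field

# Labels, named after the kinds of taint source the paper tracks.
LOCATION = "Location"
IMEI = "IMEI"
PHONE_NUMBER = "Phone Number"


@dataclass(frozen=True, eq=False)
class Tainted:
    """A string value plus the set of privacy labels that flowed into it."""
    value: str
    labels: frozenset = field(default_factory=frozenset)

    # Explicit data flows: anything computed from tainted input inherits
    # the union of the input labels.
    def __add__(self, other):
        return Tainted(self.value + _val(other), self.labels | _labels(other))

    def __radd__(self, other):
        return Tainted(_val(other) + self.value, _labels(other) | self.labels)

    def upper(self):
        return Tainted(self.value.upper(), self.labels)

    def __iter__(self):  # each character keeps the labels of the whole
        return (Tainted(c, self.labels) for c in self.value)

    # A comparison yields a plain bool: the branch condition carries no
    # label, which is exactly what an implicit flow exploits.
    def __eq__(self, other):
        return self.value == _val(other)

    def __hash__(self):
        return hash((self.value, self.labels))


def _val(x):
    return x.value if isinstance(x, Tainted) else str(x)


def _labels(x):
    return x.labels if isinstance(x, Tainted) else frozenset()


def taint_source(label, raw):
    """Mimics a taint source (location or telephony API) returning labeled data."""
    return Tainted(raw, frozenset([label]))


class NetworkSink:
    """Stands in for the socket layer: logs labels, sending app and destination."""

    def __init__(self):
        self.alerts = []

    def send(self, app, host, payload):
        labels = _labels(payload)
        if labels:
            self.alerts.append({"app": app, "dest": host, "labels": sorted(labels)})
        return len(_val(payload))


def ad_library_request(sink):
    """Hypothetical ad SDK (names assumed) bundling location and device ID into a request."""
    loc = taint_source(LOCATION, "47.6,-122.3")
    imei = taint_source(IMEI, "356938035643809")
    query = "/ad?loc=" + loc + "&id=" + imei + "&v=1"
    sink.send("com.example.freegame", "ads.example.net", query)
    return sink.alerts


def implicit_flow_leak(secret):
    """Copies a secret through control flow only. The output equals the secret
    but carries no labels, so a tracker that follows explicit flows misses it."""
    out = ""
    for ch in secret:            # each ch is labeled ...
        if ch == "1":            # ... but the branch decision is not
            out += "1"           # literals written here are untainted
        else:
            out += "0"
    return Tainted(out)


if __name__ == "__main__":
    sink = NetworkSink()
    print(ad_library_request(sink))
    print(implicit_flow_leak(taint_source(PHONE_NUMBER, "1011")))
```

The alert record mirrors what the article says TaintDroid logs (labels, responsible app, destination). The implicit-flow function is the bypass the paper acknowledges; countering it needs control-flow tracking or treating such code patterns as suspicious in their own right.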
One challenge in taint tracking is making it efficient, and the TaintDroid team focused a lot of work on using as few CPU cycles as possible. The researchers tested TaintDroid's performance and found it created a runtime overhead of less than 14% in a CPU-bound benchmark.

Preserving Written Treasures for the Ages via Digital Makeover

When it comes to books, "the classics" are part of what makes Europe's history so rich in culture. Unfortunately, due to fire, water damage and/or simply the passage of time, many great works are in various states of decay. But IBM and the European Union are now deploying a series of innovative technology and collaboration efforts to ensure these treasures are digitally preserved forever.
    The book "Magic: Principles of Higher Knowledge" has maintained a following for centuries now because author Karl Von Eckartshausen conveyed such a profound sense of spiritual insight within the book's pages. His clarity helped demystify the issues of a chaotic world, according to one reviewer. "Great Secrets will reveal themselves to you. … All we have to do is ask!" Eckartshausen wrote when the book was published in 1788.

    The original copy was damaged by fire and water in 1943, and has remained that way for decades. But thanks to a partnership between IBM and the European Union (EU), Eckartshausen's "magical" book is getting a digital rebirth via a project called IMPACT (IMProving ACcess to Text). The goal of the project is to provide highly accurate digitization of rare and culturally significant historical texts on a massive scale—an effort that involves two dozen national libraries, research institutes, universities and companies throughout Europe.
    The new collaborative project seeks to digitally preserve rare and culturally significant texts.

    Unlike past digitization projects that have resulted in static, online libraries of texts, IMPACT will enable participants to efficiently and accurately produce quality digital replicas of historically significant texts and make them widely available, editable and searchable online. Funded by the EU, IMPACT's research combines the power of innovative, Web-enabled adaptive optical character recognition (OCR) software with "crowd computing" technology. Crowd computing will allow for groups of volunteers throughout the continent to verify the accuracy of processed texts and correct recognition mistakes using an online Web system.

    The IMPACT system is also capable of "learning" from its recognition errors and adapting automatically to the specific font's characters. The result is faster digital delivery: A small book's digitization would take 1 hour using standard OCR technology with manual correction. IMPACT can reduce that time to 15 minutes.
    The solution is also expected to decrease error rates by more than one-third. IMPACT improves review by avoiding the display of an entire scanned page, allowing reviewers to only see the actual letters or words in question in the IMPACT system. For example, the letter combination "r" and "n" ("rn") may appear indistinguishable from the letter "m." In these instances, the system collects many instances of the letter "m" and places the samples next to the letters in question, making it much easier to determine the letter's real identity.
    In cases where an entire word is suspect, it is added to a collection of other questionable terms, which are then arranged in alphabetical order. Volunteer reviewers need only accept or reject suggested substitutes with one keystroke.
    In addition, the system uses adaptive dictionary enrichment, a method by which new words are added to a central dictionary based on cross-identification and correction by other users.
    "The only way to make a large-scale digitization project work is to dramatically improve the quality of the initial OCR and cut down post-processing tasks as much as possible," says Hildelies Balk, head of European projects at Koninklijke Bibliotheek and the leader for the IMPACT consortium. "With this effort, we're expecting to see remarkable increases in productivity in the digitization process."

Tuesday, September 28, 2010

The 17 Most Dangerous Places on the Web

The scariest sites on the Net? They're not the ones you might suspect. Here's what to watch for and how to stay safe.

By Nick Mediati, PC World

Those photos of Jessica Alba may be murder on your PC. That Google search result that looks as if it answers all your questions may do nothing but create a serious tech headache. The fun you had watching that hilarious video you downloaded may not be worth the misery it can cause your system.
You've been warned that the Internet is something of a security minefield--that it's easy to get in trouble. You can do everything you can think of to protect yourself and still be taken by a malware infection, a phishing scam, or an invasion of online privacy. We'd like to provide a little help. Here are some of the hazards you may encounter, how dangerous they are, and what you can do to stay out of harm's way.
Not all Web dangers are created equal. Thankfully, our friends at the Department of Homeland Security have made our work of classifying Web threats a little easier. Will you get taken just by visiting that unfamiliar site? Or will you have to look for trouble? Let our threat level indicator be your guide.
Threat 1 >> Malicious Flash files that can infect your PC
The Place: Websites that use Flash
Adobe's Flash graphics software has become a big malware target in recent years, forcing the company to push out frequent security patches. But another danger you might not know about is associated with Flash cookies (Local Shared Objects), small bits of data that their creators can use to save Flash-related settings, among other things. Like regular cookies, Flash cookies can track the sites you visit, too. Worse still, they are stored by the Flash plug-in rather than by the browser, so when you delete your browser's cookies, Flash cookies get left behind.
If You Have to Go There: To help protect against Flash-based attacks, make sure you keep your Flash browser plug-ins up-to-date. And you can configure the Flash plug-in to ask you before it downloads any Flash cookies.
Threat 2 >> Shortened links that lead you to potentially harmful places

The Place: Twitter
Scammers love Twitter since it relies so much on URL shorteners, services that take long Internet addresses and replace them with something briefer.
And it's very simple to hide malware or scams behind shortened URLs. A shortened link that supposedly points to the latest Internet trend-du-jour may be a Trojan horse in disguise.
If You Have to Go There: Simply don't click links. Of course, that takes some of the fun out of Twitter. The other option is to use a Twitter client app. TweetDeck and Tweetie for Mac have preview features that let you see the full URL before you go to the site in question.
Some link-shortening services, such as Bit.ly, attempt to filter out malicious links, but it seems to be a manual process, not an automatic one. TinyURL has a preview service you can turn on.
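A way to get that preview without depending on a client app, added here as an example that is not part of the original article: walk the redirect chain yourself with HEAD requests, never following a redirect automatically and never fetching a page body. The fetch function is injectable, so the constructed FAKE_TABLE (hypothetical shortener and landing hosts) exercises the logic offline; http_head() does the real lookup.

```python
"""Expand a shortened URL by walking its redirect chain with HEAD requests.
Added example; the host names in FAKE_TABLE are constructed for the demo."""

import http.client
from urllib.parse import urlsplit, urljoin

MAX_HOPS = 5  # nested shorteners are common; endless chains are not


def http_head(url, timeout=5):
    """Real resolver: one HEAD request, redirects NOT followed. Returns (status, Location)."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path, headers={"User-Agent": "link-preview/1.0"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand(url, head=http_head, max_hops=MAX_HOPS):
    """Follow 3xx Location headers by hand and return the full hop list.
    The last entry is where you would actually land."""
    hops = [url]
    for _ in range(max_hops):
        status, location = head(hops[-1])
        if not (300 <= status < 400) or not location:
            return hops
        nxt = urljoin(hops[-1], location)  # Location may be relative
        if nxt in hops:
            raise ValueError("redirect loop: " + " -> ".join(hops + [nxt]))
        hops.append(nxt)
    raise ValueError("gave up after %d redirects" % max_hops)


def final_host(hops):
    """The host you should judge before clicking, not the shortener's."""
    return urlsplit(hops[-1]).hostname


# Constructed redirect table standing in for live shorteners (hypothetical names).
FAKE_TABLE = {
    "http://short.example/abc": (301, "http://another.example/r?x=1"),
    "http://another.example/r?x=1": (302, "/landing"),
    "http://another.example/landing": (200, None),
    "http://short.example/loop": (301, "http://short.example/loop2"),
    "http://short.example/loop2": (301, "http://short.example/loop"),
}


def fake_head(url):
    return FAKE_TABLE[url]


if __name__ == "__main__":
    chain = expand("http://short.example/abc", head=fake_head)
    print(" -> ".join(chain), "| final host:", final_host(chain))
```

Two caveats a preview tool cannot remove: a few servers answer HEAD differently from GET, and the landing page can still redirect with JavaScript or a meta refresh once rendered, so the final host is a strong hint rather than proof.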
Threat 3 >> E-mail scams or attachments that get you to install malware or give up personal info

The Place: Your e-mail inbox
Although phishing and infected e-mail attachments are nothing new, the lures that cybercrooks use are constantly evolving, and in some cases they're becoming more difficult to distinguish from legitimate messages. My junk mailbox has a phishing e-mail that looks like a legitimate order confirmation from Amazon. The only hint that something's amiss is the sender's e-mail address.
If You Have to Go There: Don't trust anything in your inbox. Instead of clicking on links in a retailer's e-mail, go directly to the retailer's site.
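Two checks that catch the kind of lure described above, as an added example (not the article's material): does the brand in the sender's display name match the domain of the actual address, and do the links in the body point where their text claims? Both sample messages and the EXPECTED domain table are constructed for the demo; the lookalike domain is hypothetical.

```python
"""Heuristic sender/link checks on a retailer-style e-mail (added example)."""

import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Brands and the domains you actually expect mail and links from (illustrative).
EXPECTED = {"amazon": {"amazon.com", "amazon.co.uk"}}


def registrable(host):
    """Crude eTLD+1: last two labels (fine for .com; real code uses the Public Suffix List)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse(raw):
    """Return a list of human-readable findings; empty means nothing suspicious."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable(addr.split("@")[-1]) if "@" in addr else ""
    findings = []

    brand = next((b for b in EXPECTED if b in display.lower()), None)
    if brand and sender_domain not in EXPECTED[brand]:
        findings.append("display name claims %s but address domain is %s" % (brand, sender_domain))

    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        host = urlsplit(href).hostname or ""
        shown = re.search(r"[a-z0-9.-]+\.[a-z]{2,}", text.lower())  # URL-looking link text
        if shown and registrable(shown.group(0)) != registrable(host):
            findings.append("link text %r points to %s" % (text, host))
        elif brand and registrable(host) not in EXPECTED[brand]:
            findings.append("link to %s outside %s domains" % (host, brand))
    return findings


# Constructed samples: a lure with a lookalike domain, and a clean confirmation.
PHISH = """From: "Amazon.com" <orders@amazon-order-status.example>
To: you@example.org
Subject: Your Amazon.com order #123-4567890
Content-Type: text/html; charset=utf-8

<html><body><p>Thanks for your order.</p>
<p><a href="http://amazon-order-status.example/track">http://www.amazon.com/your-orders</a></p>
</body></html>
"""

CLEAN = """From: "Amazon.com" <ship-confirm@amazon.com>
To: you@example.org
Subject: Your order has shipped
Content-Type: text/html; charset=utf-8

<html><body><p><a href="https://www.amazon.com/your-orders">View your order</a></p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH), ("clean", CLEAN)):
        print(name, analyse(sample))
```

The display-name check is the one the article's Amazon example hinges on; the link-text check catches the common trick of showing a real-looking URL as the anchor text while the href goes elsewhere. Neither replaces the advice to type the retailer's address yourself.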
Threat 4 >> Malware hiding in video, music, or software downloads

The Place: Torrent sites
Torrent sites (the index sites that point to files shared over BitTorrent) are often used for sharing pirated music, videos, or software, and are a trove of malware. No one vets the download files; they may be malware in disguise.
Ben Edelman, privacy researcher and assistant professor at Harvard Business School, thinks torrent sites are the most dangerous places to visit, since they don't have a business model or reputation to defend (by comparison, many porn sites rely on being deemed trustworthy). "The [torrent] customers, they really don't want to pay," he says.
If You Have to Go There: It's probably best to avoid torrent sites entirely, given their untrustworthy content, but if you must visit, use a secondary PC to protect your main system. Use antivirus software, and keep it updated. Scan downloaded files and wait a couple of days before opening them. Brand-new malware can be tricky to catch, but the delay in opening may allow your antivirus software to get the necessary signatures.
Threat 5 >> Malware in photos or videos of scantily clad women

The Place: ‘Legitimate' porn sites
Porn sites have a reputation of being less secure than mainstream sites, but that assumption doesn't tell the whole story. "There is no doubt that visiting Websites of ill-repute is deadly dangerous. If you make a habit of it, it's a given that you'll be attacked at some point," says Roger Thompson, chief research officer with security firm AVG. "Unfortunately, staying away from those sites won't keep you safe by itself, because innocent sites get hacked all the time, and are used as lures to draw victims to the attack servers."
And as mentioned earlier, many porn sites operate as actual, legitimate businesses that want to attract and retain customers. That said, it may be hard to tell the "legit" porn sites from malware-hosting sites that use porn as a lure.
If You Have to Go There: Be suspicious of video downloads, or sites that require you to install video codecs to view videos (see the next threat, below). Using tools like AVG's LinkScanner and McAfee's SiteAdvisor can help you weed out the malicious sites.
And, again, consider visiting such sites on a secondary machine. You don't want your browser history on the family PC.
Threat 6 >> Trojan horses disguised as video codecs, infecting your PC with malware

The Place: Video download sites, peer-to-peer networks
If you watch or download video online, you've likely been told to download a video codec--a small piece of software that provides support for a type of video file--at least once. Usually, these bits of software are perfectly legitimate (for example, the popular DivX codec), but some less-than-reputable download services or video sites may direct you to download a piece of malware disguised as a codec. Security software company Trend Micro provides a good example of what these attacks look like.
If You Have to Go There: Your safest option is to stick with well-known video sites such as YouTube and Vimeo. And for catching up on the latest episodes of your favorite TV shows, sites and services like Hulu, TV.com, ABC.com, and iTunes are safer than peer-to-peer networks.
Threat 7 >> Geolocation--your smartphone and perhaps other parties know where you are

The Place: Your smartphone
The smartphone market is still in its infancy, really, and so are the threats. One possible concern is the use--or abuse--of geolocation. Although plenty of legitimate uses for location data exist, the potential for inappropriate uses also exists. In one case, a game listed on the Android Market was in reality a client for a spy app. In a less sinister example, a site called pleaserobme.com showed that--for a time--a stream of FourSquare check-ins indicated that a person was away from their home (the site's goal, mind you, wasn't to condone theft, but to raise awareness of the issue).
Apple recently updated its privacy policy to reflect changes in how it handles location data in iOS 4. The policy now states that "to provide location-based services on Apple products, Apple and our partners and licensees may collect, use and share precise location data." You can read more on Apple's new privacy terms and what they mean for you.
If You Have to Go There: Be particular about the location-based sites, apps, and services that you use. Services such as Yelp provide good examples of useful location-aware apps. On the other hand, weigh the privacy implications of services like FourSquare or the new Facebook Places feature, and consider how much you feel comfortable divulging. (Read more on how to retain privacy on FourSquare and Facebook Places.)
Threat 8 >> 'Poisoned' search engine results that go to malware-carrying Websites

The Place: Search engines
Search engine poisoning is the practice of building tainted sites or pages that are designed to rank high in a search on a given topic. For example, according to a recent study by the security firm McAfee, 19 percent of search results for "Cameron Diaz and screensavers" had some sort of malicious payload. Breaking news topics and Facebook are also common search targets for attackers.
If You Have to Go There: Pick and choose which sites to go to. Don't just blindly click search results; check each URL first to make sure that it really leads to the site you want. Although any site can be hacked, visiting the Washington Post's story on a hot news topic, for example, is probably a wiser choice than following a link to a site you've never heard of before.
Threat 9 >> Malicious PDFs that try to fool you into installing malware

The Place: Hacked Websites, plus your inbox
As Microsoft has become more serious about Windows security over the past few years, would-be attackers have had to find new ways to infect PCs. Attacking flaws in Adobe Acrobat is one of these newer methods. So-called poisoned PDFs are PDF files that have been crafted in such a manner that they trigger bugs in Adobe Reader and Adobe Acrobat; posted on a hijacked Website, they may let an attacker commandeer your PC and access your files and personal info.
A newer variant takes an otherwise innocent-looking PDF document and embeds the malware in it as an attachment, using the PDF format's Launch action to ask Reader to run it. Adobe Reader pops up a dialog asking whether you want to open the file, but the attacker controls part of the text in that dialog and can word it to trick you into clicking through.
How serious is this problem? In 2009, attacks using malicious PDFs made up 49 percent of Web-based attacks, according to security firm Symantec.
If You Have to Go There: First, always make sure that you're running the latest version of Adobe Reader.
You can also use a different PDF reader, such as Foxit Reader. This can protect you from attacks on holes in Adobe Reader itself, but it won't make you immune to all PDF attacks, such as the newer ones that embed malware inside the PDFs. Make sure, also, that you update to Adobe Reader 9.3.3 or later (Reader 8 users should update to version 8.3.3 or later); these updates change the way Adobe Reader handles non-PDF attachments and reduce the risk from such attacks.
You can turn off Adobe Reader's ability to open non-PDF attachments by going to Preferences, clicking Trust Manager, and unchecking Allow opening of non-PDF file attachments with external applications.
The next major release of Acrobat and Reader will provide a new "protected mode" against these attacks.
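A quick triage that a practitioner can run on a suspect PDF before opening it, added here as an example and not part of the article: look for the PDF features the attacks above abuse (a Launch action, embedded JavaScript, an action that fires on open, a non-PDF attachment). PDF name tokens may be obfuscated with #xx hex escapes (/Laun#63h for /Launch), so names are decoded before matching. Both sample documents are constructed for the demo and contain no working payload.

```python
"""Flag PDF features abused by the attacks described above (added example,
in the spirit of tools such as pdfid; not the article's material)."""

import re

SUSPECT_NAMES = {
    b"/Launch": "launch action: can run an attachment or external program",
    b"/JavaScript": "embedded JavaScript",
    b"/JS": "embedded JavaScript (short form)",
    b"/OpenAction": "action triggered when the document opens",
    b"/AA": "additional actions (automatic triggers)",
    b"/EmbeddedFile": "non-PDF file attached to the document",
}

NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")  # one PDF name token


def decode_name(token):
    """Resolve #xx escapes: b'/Laun#63h' -> b'/Launch'."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), token)


def scan_pdf(data):
    """Return {name: count} for every suspect name found after de-obfuscation.
    Caveat: names inside compressed object streams are invisible to this raw
    scan; a fuller tool inflates FlateDecode streams first."""
    counts = {}
    for m in NAME_RE.finditer(data):
        name = decode_name(m.group(0))
        if name in SUSPECT_NAMES:
            counts[name] = counts.get(name, 0) + 1
    return counts


def verdict(data):
    found = scan_pdf(data)
    if not found:
        return "no risky features"
    has_js = b"/JavaScript" in found or b"/JS" in found
    if b"/Launch" in found or (b"/OpenAction" in found and has_js):
        return "high"
    return "review"


# Constructed samples: a bare one-page PDF, and the same skeleton with an
# obfuscated Launch action wired to OpenAction (hypothetical file name, no payload).
CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

LAUNCH_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /Laun#63h /F (attachment.exe) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_PDF), ("launch", LAUNCH_PDF)):
        found = scan_pdf(doc)
        print(label, verdict(doc), {k.decode(): SUSPECT_NAMES[k] for k in found})
```

A "review" or "high" verdict does not prove malice (forms legitimately use JavaScript, for instance), but a document from your inbox that carries a Launch action has no business being opened in Reader with attachments enabled.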
Threat 10 >> Malicious video files using flaws in player software to hijack PCs

The Place: Video download sites
Attackers have been known to exploit flaws in video players such as QuickTime Player and use them to attack PCs. The threats are often "malformed" video files that, like malicious PDFs, trigger bugs in the player software that let the attackers in to spy on you, plant other malware, and more.
If You Have to Go There: Keep your player software up-to-date. Apple and Microsoft periodically release patches for QuickTime and Windows Media Player, respectively. Avoid downloading videos at random. Stick to well-known video sites such as YouTube, or to download services like iTunes.
Threat 11 >> Drive-by downloads that install malware when you visit a site

The Place: Hacked legitimate sites
A drive-by download occurs when a file downloads and/or installs to your PC without you realizing it. Such downloads can happen just about anywhere. Some sites are built to lure people into a drive-by download; but in a common attack method, criminals will hack a Web page, often on an otherwise legitimate site, and insert code that will download malware to your computer.
If You Have to Go There: The first thing to do is to keep your security software up-to-date, and to run regular malware scans. Many security suites can flag suspicious downloads.
Threat 12 >> Fake antivirus software that extorts money--and your credit card information

The Place: Your inbox, hacked legitimate sites
Fake antivirus programs look and act like the real thing, complete with alert messages. It isn't until you realize that these alerts are often riddled with typos that you know you're in trouble.
Most fake antivirus software is best described as extortionware: The trial version will nag you until you purchase the fake antivirus software, which usually does nothing to protect your PC. Once you send the criminals your credit card information, they can reuse it for other purposes, such as buying a high-priced item under your name.
You can get infected with a fake antivirus app in any number of ways. For example, in drive-by downloads (see the previous item), a malicious payload downloads and installs without the user realizing it or having any time to react.
If You Have to Go There: If you get an alert saying you're infected with malware, but it didn't come from the antivirus software you knowingly installed, stop what you're doing. Try booting into Safe Mode and running a scan using your legitimate antivirus software.
However, such a scan may not clean up all of the malware; either the scanner doesn't have a signature for one fragment, or that piece doesn't act like traditional malware, which may render behavioral detection (which spots malware based on how it acts on your system) useless. If all else fails, you may need to call in a professional.
Threat 13 >> Fraudulent ads on sites that lead you to scams or malware

The Place: Just about any ad-supported Website
Hey--ads aren't all bad! They help sites pay the bills. But cybercriminals have taken out ads on popular sites to lure in victims. Last year, the New York Times site ran an ad from scammers, and earlier this year some less-than-scrupulous companies were gaming Google's Sponsored Links ad program and placing ads that looked like links to major companies' Websites.
"The bad guys have become very clever at exploiting online advertising networks, tricking them into distributing ads that effectively load malicious content--especially nasty, scaremongering pop-ups for rogue antispyware," says Eric Howes, director of research services for security firm GFI Software.
If You Have to Go There: Most large sites, such as PCWorld.com, have ad sales departments that work frequently with a core group of large advertisers, so it's probably safe to click a Microsoft ad on the New York Times site. But as the Google Sponsored Links incident shows, nothing is entirely fail-safe.
Threat 14 >> Questionable Facebook apps

The Place: Facebook
Facebook apps have long been an issue for security experts. You don't always know who's developing the apps, what they're doing with the data they may be collecting, or the developers' data security practices. Even though you have to approve apps before they can appear on your profile and access your personal information, from there the security of your data is in the developer's hands.
If You Have to Go There: Be selective about the apps you add to your profile--don't take every quiz, for example. Check your privacy settings for Facebook apps, as well: Click the Account drop-down menu in the upper-right corner of Facebook's site, select Privacy Settings, and then click Edit your settings under 'Applications and Websites'. There, you can control which apps have access to your data, and which of your friends can see what information from apps (such as quiz results); you can also turn off Facebook apps altogether.
Threat 15 >> Sites that lure you in, get you to sign up, then sell your e-mail address for spam

The Place: 'Free electronics' sites
You've no doubt seen sites around the Web blaring, Get a free iPad! Get a free notebook! A free iPod! It's easy! These sites aren't typically dangerous in the classical sense--you probably won't get infected with malware--but your personal information could be sold to other businesses, who can then use it to sell more stuff to you.
If You Have to Go There: Read the privacy policies. And then read them again. Also, beware of privacy policy loopholes--even though a site says that it won't sell your private data to third parties, depending on the language of the policy, they may still be able to give your information to "affiliates."
Threat 16 >> Phishing 2.0 on social networks that tricks you into downloading malware or giving your Facebook login information to a criminal

The Place: Social networks
Questionable Facebook apps and malicious shortened links aren't the only dangers lurking on social networks. Sites like Facebook have given rise to new forms of phishing. Scammers might hijack one person's Facebook account, then use it to lure that person's friend into clicking a malicious link, going to spam sites, or giving up their Facebook login information--thereby giving scammers one more Facebook account to hijack.
"One of the bigger dangers currently facing users is malware, adware, and spyware spread through social networks like Facebook and Twitter," says Eric Howes, director of malware research with Sunbelt Software. "Users may receive spam via these networks offering them free deals, links to interesting videos, or even widgets to enhance their Facebook profiles. In many cases what's really being pushed on users is adware, spyware, or even malicious software that can exploit users' PCs."
If You Have to Go There: Don't trust every link posted to Facebook, even if one of your friends posted it. Be especially suspicious if the post is out of the ordinary for that person. Check the person's wall or Twitter @-replies to see if anyone is concerned that the person's account has been compromised.
And if you suspect that your account has been hijacked, change your password immediately. Both Facebook and Twitter have resources to help you keep up-to-date on the latest threats on both sites. Facebook users should visit its security page; if you're on Twitter, be sure to follow @spam and @safety for Twitter security best practices.
Threat 17 >> Oversharing--exposing too much personal information on your social network profiles

The Place: Social networks
How many times have you seen friends on Facebook or Twitter publicly divulge a bit more information than is necessary? Oversharing isn't just a matter of getting a little too personal--it can leave your private information viewable to the general public. But it's avoidable.
"There is a subtle danger that few people understand with the social networking sites, and that is the idea of information leakage," says AVG's Roger Thompson. "People, particularly teens, put all sorts of information online, without realizing that many more people than just their friends can see that data."
Oversharing could very well lead to more serious privacy issues further down the road, Thompson adds. "As today's young teens reach an age to apply for a credit card, I fully expect an onslaught of fraudulent card applications on their behalf, because they unwittingly divulged so much information. Harvesting is going on now, and we have no idea who is doing the harvesting."
If You Have to Go There: This particular threat is relatively easy to avoid, in that a little common sense can go a long way: Just be mindful of what you post. Do you really need to publish your home address and phone number to your Facebook profile?
Finally, be certain to check your privacy settings to make sure that you're not divulging your deepest, darkest secrets to all 500 million Facebook users.

Hosed!
What Happens When You Surf Unprotected
11:45 a.m. I start the experiment with a pristine, clean PC running Windows Vista.
11:55 a.m. I need to check my e-mail. I download what appears to be a résumé file. Strange, I'm not hiring. I open it anyway. My screen flickers a little, but nothing starts. Hmm...
12:00 p.m. I start poking around on the Web, and start out easy. I run a Google search for free smilies, and sure enough, I find some. Who am I to refuse?
12:29 p.m. A couple smiley packs later, I am up to three browser toolbars. Junkware, but no malware...yet.
12:41 p.m. I download some random freebie antivirus software I've never heard of. Let's see what this does...
12:48 p.m. More random downloads, and my desktop is getting junked up. I now have icons for free games and 1000 free songs littered all over, plus more browser toolbars than I care to have.
12:55 p.m. IE is hating me right now. Still no signs of malware, but something's sure eating up system resources.
1:03 p.m. My PC locks up for a few moments.
1:25 p.m. After a restart, Windows throws up a warning about a program at C:\Users\PCW\AppData\Roaming\host32.exe. I have no idea what it is.
1:40 p.m. I think I killed IE. I can't launch it. Malware? But I uninstall a couple of toolbars, and it seems to work again.
3:00 p.m. It's unclear whether I've gotten infected by anything on the Web, but so far I haven't done anything too terribly risky. However, I've got to check my e-mail again; I'm expecting an important file from a friend.
3:05 p.m. Whoops. I think I clicked on the wrong file. I've got fake antivirus!
3:25 p.m. I now have three or four fake antivirus programs running. Malware has also planted three shortcut links to porn sites on my desktop. And whenever I open something in IE, a fake antivirus app kicks in with a fake warning.
4:13 p.m. Something just forced my PC to shut down and restart. I think I've successfully hosed this computer.

Tips from the Pros:
Top 5 Ways to Stay Safe Online
Stay up-to-date, stay paranoid, stay protected. That's the message from the security experts we spoke with while developing this story. Here are a few of their top tips and suggestions for protecting your computer against malware and hackers.
1) Keep up on patches.
Be sure to run Windows Update, as well as the software update features in the other programs that you use every day.
2) Be password smart.
As tempting as it is to use the same password in multiple places, don't. And use longer passwords, too; they're harder to crack. If you have lots of accounts to manage, use a password manager. (See "GPUs Power Games, Crack Passwords," for more on this issue.)
3) Use security software.
That may seem self-evident, but it can help block malware or software that is acting suspiciously, and security software companies are hard at work devising new ways to stop infections before they ever reach your PC. Check our antivirus and security software page regularly for the latest on security products.
4) If it sounds too good to be true... well, you know the rest.
No, someone in a faraway land isn't really offering you millions of dollars. No, attractive women from Russia probably aren't seeking you out specifically. No, those aren't magic cure-all pills.
5) Assume that everyone's out to get you.
PC security is one area where it pays to be paranoid. Just remember that no security software is fail-safe, and that you're still the one sitting at the keyboard. Assume that no site is safe. And don't automatically trust a link or file download, even if a friend sends it to you.
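The diary above opens with a "résumé" that was really a program, and tip 5 says not to trust a download on its name alone. The script below is an added example written for this page, not PC World's code: it checks a download the way a cautious user or a mail gateway would, comparing what the file name claims against the file's leading bytes, and flagging the two naming tricks that rely on Windows hiding the real extension (a double extension such as resume.pdf.exe, and a right-to-left override character that makes the name display backwards). The magic-byte table, the extension lists and the sample files are all constructed for the example.

```python
"""
Check a downloaded file's name and leading bytes for the common disguises
used to get a victim to open an executable. Added example for this page;
not PC World's code. The tables and samples below are constructed.
"""
from typing import Dict, List, Tuple

# Leading bytes ("magic") of common download types. Deliberately small;
# a real checker would use libmagic or equivalent.
MAGIC: Dict[bytes, str] = {
    b"MZ": "exe",                                  # Windows PE: .exe, .dll, .scr, .pif
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",                          # also .docx/.xlsx/.jar
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",    # legacy .doc/.xls/.ppt
    b"{\\rtf": "rtf",
}

# What each extension claims to be, in the same vocabulary as MAGIC.
EXT_KIND: Dict[str, str] = {
    ".exe": "exe", ".dll": "exe", ".scr": "exe", ".pif": "exe", ".com": "exe",
    ".pdf": "pdf",
    ".zip": "zip", ".docx": "zip", ".xlsx": "zip", ".jar": "zip",
    ".doc": "ole", ".xls": "ole", ".ppt": "ole",
    ".rtf": "rtf",
}

# Extensions Windows runs when double-clicked.
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".pif", ".com", ".bat", ".cmd",
                   ".vbs", ".js", ".hta", ".lnk"}

# Unicode right-to-left override: "resume\u202efdp.exe" is displayed as "resumeexe.pdf".
RTLO = "\u202e"


def sniff_kind(data: bytes) -> str:
    """Identify content by its leading bytes, independent of the file name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def assess_download(filename: str, data: bytes) -> List[str]:
    """Return warnings for a file name plus its first bytes; an empty list means nothing suspicious."""
    warnings: List[str] = []
    name = filename
    if RTLO in name:
        warnings.append("right-to-left override in file name: displayed name hides the true extension")
        name = name.replace(RTLO, "")
    exts = ["." + part for part in name.lower().split(".")[1:]]
    last = exts[-1] if exts else ""
    if len(exts) >= 2 and last in EXECUTABLE_EXTS:
        warnings.append("double extension: looks like %s but is %s" % (exts[-2], last))
    if last in EXECUTABLE_EXTS:
        warnings.append("executable file type %s" % last)
    claimed = EXT_KIND.get(last)
    actual = sniff_kind(data)
    if claimed is not None and actual != "unknown" and claimed != actual:
        warnings.append("content is %s but extension claims %s" % (actual, claimed))
    elif claimed is None and actual == "exe":
        warnings.append("content is a Windows executable despite a non-executable extension")
    return warnings


PE_STUB = b"MZ\x90\x00" + b"\x00" * 60        # constructed: just the DOS header signature
PDF_STUB = b"%PDF-1.4\n%constructed sample\n"  # constructed: start of a harmless PDF

# Constructed sample downloads: (file name as received, leading bytes)
SAMPLES: List[Tuple[str, bytes]] = [
    ("resume.pdf", PDF_STUB),                  # genuine document
    ("resume.pdf", PE_STUB),                   # executable renamed to look like a PDF
    ("resume.pdf.exe", PE_STUB),               # double extension; Windows hides ".exe" by default
    ("resume" + RTLO + "fdp.exe", PE_STUB),    # displays as "resumeexe.pdf"
    ("vacation-photo.jpg", PE_STUB),           # executable under an extension the table lacks
]

if __name__ == "__main__":
    for filename, data in SAMPLES:
        print(repr(filename), "->", assess_download(filename, data) or "ok")
```

Run as a script, the genuine PDF passes and the four disguised executables each produce at least one warning. A first-byte check is deliberately cheap: it catches a renamed .exe but not a macro inside a real document or an executable inside an archive, so it belongs in front of, not instead of, the security software that tip 3 recommends.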
And a few final thoughts:
From Eric Howes, director of research services for security firm GFI Software:
"The user is always the weak link. Even the best antimalware protection and security patches cannot protect a PC from malware if the user sitting at the keyboard is being irresponsible while surfing the Web."
From Roger Thompson, chief research officer, PC security firm AVG:
"Good software designed to detect this stuff (in our case, LinkScanner) helps, but unfortunately, these are areas where the problem is in relative infancy, and is going to get much worse."

The BDPA Insider

The BDPA Insider – September 26, 2010


What better way to start the day than with your weekly message from BDPA!


In this issue:



3 Social Networks for African American Engineers




by Kai Dupé
I am always amazed when people gleefully proclaim that they are computer illiterate. Some even wear it as a badge of honor. The minute you ask them if they know how to do something remotely related to technology they quickly announce: "Oh, you know I don't know anything about computers" or "When it comes to computers I am TOTALLY ILLITERATE!"

Usually they are wearing a big bright smile and giving no indication that they are ashamed or embarrassed by their lack of technical understanding. This needs to change, particularly in the African American community. This is not something to brag about. So let us stop it.


by Cliff Samuels Jr
I'm a huge advocate of Web 2.0 in general, and social networking in particular. Here are my favorite networks for education that target technology literacy.


by Cliff Samuels Jr
Thought for the Day
September 21, 2010

THOSE WHO WILL NOT TAKE A CHANCE SELDOM
HAVE ONE THRUST UPON THEM.

Success always involves risk. You must take a chance by investing your time, money, and effort. It pays to be thoughtful and deliberate in your analyses of opportunities, but don’t let timidity hold you back. Because you have worked hard to develop those things you must risk, it is natural for you to place a high value on them. But what use are they if you do not put them to use? You will recognize opportunity only to the extent that you are willing to consider risking your time, money, and effort. Being confident gives you the courage to face risk and act when opportunity arises. No one on earth is going to force success upon you; you will find it only to the degree that you actively seek it out.


by Kai Dupé
One of the findings of recent research into why African Americans are underrepresented in the science, technology, engineering, and math (STEM) fields is that African Americans are not the beneficiaries of support communities that help them deal with the challenges of pursuing careers in technology.

Recent research indicates that "social networks are ubiquitous among the middle classes, and provide vital paths to privilege and opportunity for them, students of color typically experience the opposite - that is, the ubiquity of network barriers and entrapments along with the resulting absence of an informed, active network is limiting, to say the least" (Margolis, 2008, p. 92).


BDPA has 45 chapters around the nation, so you can always find programs, services or networking activity at a chapter near you. BDPA supports your efforts for career advancement in the IT industry. Our hope is that you will continue to support Our Cause!


With today's economic uncertainty, relationships and the potential doors they open are more important than ever. So it's a wise investment to put time and energy into expanding their reach. And that means networking.

Contrary to a common perception, good networking isn't about who can help you and how. In fact, it's not about you at all. It's about the people you meet. The most amazing networkers I know constantly keep this one question in mind:

"How can I help you?"


Please accept our invitation to join us in the City of the Big Shoulders by registering for the 33rd Annual National BDPA Conference, August 3-6, 2011 at the Hilton Chicago.
Early bird registration for $350 now open!

Subscribe to the BDPA Foundation Blog via email: http://www.feedburner.com/fb/a/emailverifySubmit?feedId=649683

This message has been brought to you by the BDPA Social Networking Team. http://www.bdpa.org/socialnetworks.php

Contact the BDPA Social Networking Team: socialnetworking@bdpa.org
PS: Please share this information with your friends, co-workers, church members, etc so that they can help us pass the word. The key is that we must share what we know with others so we can all grow and prosper.

Meditation Proven to Boost Brain Efficiency

  • A team of researchers at the University of Oregon proves that meditation positively alters the structure of the brain.

Meditation was once the domain of fringe groups bent on instilling life-changing attitudes into their inductees by getting them to slow down, take deep breaths and let the stress melt away. Now Chinese and U.S. researchers claim to have scientific evidence that guided meditation introduces positive structural changes in the brain, which help people regulate goal-oriented behaviors without all the stress.
The research team led by professor Yi-Yuan Tang of Dalian University of Technology, working in collaboration with University of Oregon psychologist Michael I. Posner, found that just 11 hours of guided meditation is enough to make positive structural changes in the brain. Their technique, called integrative body-mind training (IBMT), has been developed in China over the last two decades, but only now have its benefits been measured with the help of brain-imaging technology at the University of Oregon.
The study, published in the Proceedings of the National Academy of Sciences, trained 45 University of Oregon students, half in IBMT and half in traditional stress-reducing "relaxation" training. Before and after the training period, the subjects' brains were scanned with a magnetic resonance imaging (MRI) technique called diffusion tensor imaging. By examining the fibers that connect neurons in the brain, the researchers were able to observe positive changes in the portion of the brain that regulates emotions and behaviors, the anterior cingulate cortex. Changes in connectivity were observed in the test group, but not in the control group, after 6 hours of IBMT and became statistically significant after 11 hours.
After 11 hours of guided meditation, increases in fiber strength can be measured in the anterior cingulate cortex.

The researchers have done no invasive experiments to actually inspect brain matter, but speculate that the observed MRI changes are the result of reorganization of the white matter that interconnects neurons in the brain. By increasing the myelin that surrounds those connections, the researchers claim, the changes make those pathways stronger and more efficient. According to Posner, last year's recipient of the National Medal of Science, strengthening these particular pathways has already been shown to help people handle stress better, but this is the first time that meditation has been verified as a cause.
Previously, Posner and Tang had published results linking IBMT to lower stress. In 2007, they found a correlation between IBMT and lower levels of the stress hormone cortisol.
University of Oregon professor Michael Posner receiving the National Medal of Science from President Obama last year.
Then, in 2009, with University of Oregon psychology professor Mary Rothbart, they showed that meditators had increased blood flow in the brain, lower heart rates, lower skin conductance and decreased respiration rates. However, the current study is the first to verify that enduring structural changes in the brain result from IBMT.
IBMT uses a coach to guide meditation by providing real-time breath-adjustment guidance, mental imagery and posture suggestions.

Friday, September 24, 2010

Top Ten Social Networks for Education

by David Kapuler


I'm a huge advocate of Web 2.0 in general, and social networking in particular. Here are my favorite networks for education that target technology literacy.

1.  Twitter - Far and away one of the most popular social networks around. This microblogging platform is used worldwide and especially in education (search the hashtags #edchat or #edtech).
2.  Classroom 2.0 - Created by Steve Hargadon and used by thousands of educators on a daily basis. This site alone changed the way I viewed education and ignited my passion for Web 2.0.
3.  Facebook - 'nuff said!
4.  Plurk - A social network similar to Twitter with a timeline view and a fun karma-based platform.
5.  Educator's PLN - Built by Thomas Whitby, this social network is one of the fastest growing around, and some of the top technology-based innovators can be found here.
6.  Learn Central - Sponsored by Elluminate, Learn Central is an ideal place for educators to host or learn through its virtual conferences.
7.  ISTE Community - The International Society for Technology in Education is a great place for educators to collaborate on technology issues.
8.  Edutopia - A very popular organization created by the George Lucas Educational Foundation.
9.  Collaborative Translation - Created by renowned educator James O'Reilly, CT is a great place to learn and share innovative ideas.
10.  IT4ALL - Integrating Technology 4 Active Life-Long Learners is a nice place for educators to share best practices for technology integration.

Thursday, September 23, 2010

100 year data preservation


By Robin Harris

Summary

A 350 year old copy of Shakespeare is about as readable as a new one. But a 35 year old floppy? Preserving data is essential to digital civilization, but how? Here’s a new approach.

I’m at the Storage Networking Industry Association’s Storage Developers Conference in Silicon Valley. Sam Fineberg, HP Distinguished Technologist, gave a talk on long-term digital data preservation. These are my notes.
The problem
SNIA surveyed businesses about their data retention requirements. 68% of organizations needed to preserve data for 100 years or longer.
Data is fragile. Threats include:
  • Media/hardware obsolescence: even if you have an 8 inch floppy drive, there may not be hardware capable of running the software required to read it, let alone the application to open the files on the floppy.
  • Software/format obsolescence. Remember WordStar?
  • Lost context/metadata. A document's contents may appear mundane, but if it is from the President to the Secretary of State, its context makes it important.
  • Disaster
  • Human error
  • Media fault
  • Attack
Preserving bits is hard
Saving 1 PB for 50 years with no more than a 50% chance of any damage requires a bit half-life of about 10^17 years. That isn't achievable for large data sets.
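The talk states that figure without the arithmetic. The derivation below is added here for this page rather than taken from the talk, and it uses the model the half-life metaphor implies: every bit fails independently at a constant rate. Let $N$ be the number of bits, $t$ the retention period, $T$ the bit half-life and $p$ the required probability that no bit is damaged. Then

$$P(\text{one bit survives } t) = 2^{-t/T}, \qquad P(\text{all } N \text{ bits survive}) = \left(2^{-t/T}\right)^{N} = 2^{-Nt/T}.$$

Setting this equal to $p$ and solving for the half-life,

$$T = \frac{N\,t}{\log_{2}(1/p)}.$$

For 1 PB, $N = 8 \times 10^{15}$ bits, with $t = 50$ years and $p = 0.5$ we have $\log_2(1/p) = 1$, so $T = 4 \times 10^{17}$ years, i.e. of the order of $10^{17}$ years. The requirement grows quickly with the confidence demanded: for $p = 0.99$, $\log_2(1/p) \approx 0.0145$ and $T \approx 3 \times 10^{19}$ years. Real media fail in correlated bursts (a bad head, a bad batch, a flood), which makes the independence assumption optimistic rather than pessimistic, and is the reason the talk puts its weight on processes, replication and migration rather than on any single medium.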
There is no simple technical fix: we can’t predict change but know it will occur. Processes are key. Processes for data preservation must evolve to get us to the next step. Standards make it easier, but aren’t the whole answer.
What to preserve?
Bits? Applications? Context?
Is it even possible to preserve everything? For example, with an old book: the content? Paper wear? Political context? Bookplate? Where it falls open?
We will lose information moving from physical to digital. And we can’t know what future generations will consider valuable. For example, scientists collect old hollow metal buttons because they contain air samples from when the buttons were made. Who dreamed 150 years ago that would be valuable?
Preservation must facilitate storage of objects. Map to a wide variety of devices and technologies. Resilient.
SIRF’s up
SIRF: Self-contained Information Retention Format. SIRF is the digital equivalent of a physical container that archivists already know how to manage. SIRF containers hold preservation objects, a catalog and an object that labels the SIRF container.
SIRF maintains referential integrity, links between objects and context. Any SIRF compliant app can read and interpret the objects. Objects are migrated easily.
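The container idea in the two paragraphs above is easier to see in code. What follows is an added illustration written for this page; it is not the SIRF specification and not SNIA's or HP's code. It builds a self-contained container whose catalog records a hash and size for every object plus the links between objects, and whose label carries a hash of the catalog, so a future reader can check both fixity (the bits are what they were) and referential integrity (every link still resolves) with nothing outside the container. The object ids, link names, label fields and sample records are all constructed.

```python
"""
Toy self-describing preservation container: objects + catalog + label,
verifiable with nothing but the container itself. Added example for this
page; it is not the SIRF specification or any vendor's code. All ids,
link names and sample records are constructed.
"""
import copy
import hashlib
import json
from typing import Dict, List

HASH_ALG = "sha256"


def digest(data: bytes) -> str:
    return hashlib.new(HASH_ALG, data).hexdigest()


def build_container(objects: Dict[str, bytes], links: Dict[str, List[str]],
                    label: Dict[str, str]) -> dict:
    """
    objects: object id -> content; links: object id -> ids it refers to (its context);
    label: human-readable description of the container as a whole.
    The catalog records size, hash and links per object, and the label records the
    hash of the catalog, so the catalog itself is covered by a fixity check.
    """
    catalog = {}
    for oid in sorted(objects):
        catalog[oid] = {"size": len(objects[oid]), "hash": digest(objects[oid]),
                        "links": sorted(links.get(oid, []))}
    catalog_hash = digest(json.dumps(catalog, sort_keys=True).encode())
    return {"label": dict(label, hash_alg=HASH_ALG, catalog_hash=catalog_hash),
            "catalog": catalog, "objects": dict(objects)}


def verify_container(container: dict) -> List[str]:
    """Return every problem found; an empty list means fixity and referential integrity hold."""
    problems: List[str] = []
    catalog, objects = container["catalog"], container["objects"]
    # 1. the catalog has not been altered since the label was written
    if digest(json.dumps(catalog, sort_keys=True).encode()) != container["label"]["catalog_hash"]:
        problems.append("catalog hash mismatch")
    for oid, entry in catalog.items():
        # 2. every catalogued object is present and matches its fixity record
        if oid not in objects:
            problems.append("missing object: " + oid)
            continue
        data = objects[oid]
        if len(data) != entry["size"] or digest(data) != entry["hash"]:
            problems.append("fixity failure: " + oid)
        # 3. every link points at an object the catalog knows about
        for target in entry["links"]:
            if target not in catalog:
                problems.append("dangling link: %s -> %s" % (oid, target))
    # 4. nothing has been slipped in that the catalog does not describe
    for oid in objects:
        if oid not in catalog:
            problems.append("uncatalogued object: " + oid)
    return problems


# Constructed sample: a memo, records of sender and recipient, and metadata tying them together.
SAMPLE_OBJECTS = {
    "memo-1": b"Please review the attached proposal before Friday.",
    "person-1": b"role=President",
    "person-2": b"role=Secretary of State",
    "memo-1.meta": b"from=person-1;to=person-2;date=2010-09-23",
}
SAMPLE_LINKS = {"memo-1.meta": ["memo-1", "person-1", "person-2"]}
SAMPLE_LABEL = {"title": "Executive correspondence, 2010", "created": "2010-09-23"}


def make_sample_container() -> dict:
    return build_container(SAMPLE_OBJECTS, SAMPLE_LINKS, SAMPLE_LABEL)


def simulate_media_fault(container: dict, oid: str) -> dict:
    """Copy of the container with one bit of the named object flipped (a media fault or silent tamper)."""
    damaged = copy.deepcopy(container)
    data = bytearray(damaged["objects"][oid])
    data[0] ^= 0x01
    damaged["objects"][oid] = bytes(data)
    return damaged


def simulate_lost_context(container: dict, oid: str) -> dict:
    """Copy with an object dropped from both catalog and storage, so links to it dangle."""
    stripped = copy.deepcopy(container)
    del stripped["objects"][oid]
    del stripped["catalog"][oid]
    return stripped


if __name__ == "__main__":
    good = make_sample_container()
    print("intact:", verify_container(good))
    print("media fault:", verify_container(simulate_media_fault(good, "memo-1")))
    print("lost context:", verify_container(simulate_lost_context(good, "person-1")))
```

Flipping one bit of the memo shows up as a fixity failure; dropping the sender record shows up twice, as a catalog hash mismatch and as a dangling link from the metadata record, which is the "lost context" threat from the list above made checkable. A hash only detects damage; against a deliberate attacker the label would need a signature, and the key and algorithm to verify it must then themselves survive the same century, which is part of the process problem the talk describes rather than something a format alone can solve.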
Use cases
A couple of use cases show some of the problems:
  • Legal holds and e-discovery. In civil suits the parties are required to preserve all requested documents - legal hold - under threat of severe penalties. But not all documents are included, such as client-attorney emails. How can all documents be preserved and the right ones selected for disclosure?
  • Biomedical info. Medical images are needed for patient history. But what if the patient was 12 years old and now is an adult? How do we protect their privacy and ensure that only the “right” adults now get access to it?
The Storage Bits take
Massive data loss can threaten civilization. The burning of the ancient Library of Alexandria, which destroyed hundreds of thousands of handwritten books, contributed to Europe's Dark Ages as knowledge of ancient art, science and math was lost. The little recovered through Muslim scholars helped create the Enlightenment, but how much more was lost?
But the threat of digital data loss is far larger. Cheap storage and sophisticated data mining allow us to derive value from datasets that we once couldn't even afford to collect, let alone analyze.
This is important work.

Tuesday, September 21, 2010

Real Life Decepticons

Deceptive Robot Avoids Being Caught

A team of researchers has created a robot that can successfully deceive both humans and other robots—demonstrated by its ability to complete hide-and-seek games.

A few weeks ago, we here at Smarter Technology wondered if robots are taking over the universe. Well, these intelligent machines might be one step closer to total domination thanks to a team of researchers at the Georgia Institute of Technology. The engineers designed what they are calling the world's first deceptive robot—one that can create a false trail and hide to avoid being caught.
"We have developed algorithms that allow a robot to determine whether it should deceive a human or other intelligent machine, and we have designed techniques that help the robot select the best deceptive strategy to reduce its chance of being discovered," said Ronald Arkin, a professor in the Georgia Tech School of Interactive Computing, according to the school's press release.
The research analyzed robot deception from a general perspective—robots deceiving people and robots deceiving other robots—in a step toward broad applications. For example, deceptive robots could be useful for search and rescue operations, in which a panicking victim might refuse to cooperate. A deceptive robot could also be invaluable for military purposes, such as hiding from soldiers, misleading the enemy and keeping intelligence information safe.
"Most social robots will probably rarely use deception, but it's still an important tool in the robot's interactive arsenal because robots that recognize the need for deception have advantages in terms of outcome, compared to robots that do not recognize the need for deception," said the study's co-author, Alan Wagner, a research engineer at the Georgia Tech Research Institute.
In their research, the engineers focused on robots' beliefs, actions and communications when trying to deceive another robot.
The robot successfully hides from its opponent (Georgia Tech/Gary Meek).
First, they taught the robot how to determine which situations warranted deception. The researchers created algorithms based on game and interdependence theory to test the value of deception. In order for deception to be initiated, the algorithm had to determine both a conflict and a potential benefit from deception. Next, the engineers programmed the robots how to deceive.

In their study, the researchers ran 20 hide-and-seek games with two autonomous robots. The hiding robot was able to successfully deceive (by hiding from) the seeker robot about 75 percent of the time.
"The experimental results weren't perfect, but they demonstrated the learning and use of deception signals by real robots in a noisy environment," said Wagner. "The results were also a preliminary indication that the techniques and algorithms described in the paper could be used to successfully produce deceptive behavior in a robot."
Although the benefits of deceptive robots will likely outweigh any negative consequences, the researchers do emphasize some ethical concerns.
"We have been concerned from the very beginning with the ethical implications related to the creation of robots capable of deception, and we understand that there are beneficial and deleterious aspects," explained Arkin. "We strongly encourage discussion about the appropriateness of deceptive robots to determine what, if any, regulations or guidelines should constrain the development of these systems."

Motivational Moment


 
Thought for the Day
September 21, 2010
THOSE WHO WILL NOT TAKE A CHANCE SELDOM 
HAVE ONE THRUST UPON THEM.
Success always involves risk. You must take a chance by investing your time, money, and effort. It pays to be thoughtful and deliberate in your analyses of opportunities, but don’t let timidity hold you back. Because you have worked hard to develop those things you must risk, it is natural for you to place a high value on them. But what use are they if you do not put them to use? You will recognize opportunity only to the extent that you are willing to consider risking your time, money, and effort. Being confident gives you the courage to face risk and act when opportunity arises. No one on earth is going to force success upon you; you will find it only to the degree that you actively seek it out. 

This positive message is brought to you by the Napoleon Hill Foundation. Visit us at http://www.naphill.org. We encourage you to forward this to friends and family. 

Friday, September 17, 2010

Three wicked cool car teams split $10M X Prize for advanced, fuel efficient vehicles

After a brutal 30-month competition [1] that initially pitted 136 car development teams [2] against each other, the X Prize Foundation today split the $10 million Progressive Insurance Automotive X Prize among three teams that developed super fuel-efficient vehicles [3] capable of achieving 100 miles per gallon or the energy equivalent (MPGe).
Seven advanced car technologies the government wants now [4]
While the competition may be over, the real fun begins now. That's because one of the driving principles behind the X Prize is not only to win the competition but to be able to take those winning designs and turn them into real products.  Under a US Department of Energy [5]-funded technical assistance program, qualified Progressive Insurance Automotive X Prize competitors will get funding for access to key automotive expertise and test facilities. So you could see one of these cars on a street near you in a couple years.
Specifically the prizes broke down like this, from the X Prize Foundation:
$5 million: Edison2 [6] "Very Light Car #98"
Economy: 102.5 MPGe on E85 ethanol
Boasting the lowest drag coefficient of any car with four wheels tested in the GM wind tunnel and at the Chrysler Proving Grounds, this vehicle demonstrated over 100 MPGe on the test track, and verified in the lab, under stringent testing conditions using a highly innovative small displacement engine. Its low weight of just 830 pounds is a tribute to its use of light weight materials, reduced engine displacement and a host of other weight-saving innovations.
$2.5 Million: Li-ion Motors Corp [7] "Wave II"
Economy: 187 MPGe on electric battery
This side-by-side two-seat battery electric car was built on a lightweight aluminum chassis and weighs in at only 2,176 pounds, despite the weight of its lithium ion batteries. The Wave II demonstrated outstanding low mechanical and aerodynamic drag that resulted in 187 MPGe in combined on-track and laboratory efficiency testing, a 14.7s zero-to-60 mph acceleration time, and over 100 miles range over a real-world driving cycle.
$2.5 Million: X-Tracer Team Switzerland [8] "E-Tracer #79"
Economy: 205.3 MPGe on electric battery
This tandem two-seat vehicle combines the best of motorcycles and automobiles. This clever design has two extra outrigger wheels that deploy at low speed to stabilize the vehicle. At 1436 pounds, the E-Tracer is able to deliver over 100 miles in range, led the competition with over 200 MPGe in combined on-track and laboratory fuel efficiency and achieved a zero-to-60 mph acceleration time of just 6.6 seconds.
From the X Prize competition's Web site, some of the chief goals of the program were:
  • Safety, Emissions: Vehicles must be designed so that a production vehicle would likely be able to meet US safety standards and US emissions standards
  • Manufacturability, Cost: Vehicles must be capable of being manufactured in quantities of 10,000 per year, with vehicle production costs within levels consistent with historical examples of comparable vehicles
  • Features: Vehicles must be desirable, addressing the most important features and factors consumers consider when purchasing an automobile
  • Business Plan: There must be a credible plan to manufacture, sell, and service 10,000 vehicles (or conversions) per year by 2014. The plan must show that the national fuel infrastructure will support the vehicles, especially if any non-standard fuels or fueling-methods are to be used.

R2 finally gets in Space

Thursday, September 16, 2010

Red Hat tops list of hottest IT security certifications

IT security represents three of the top 10 IT certifications

By Carolyn Duffy Marsan

Interest in IT security certifications is booming, as more U.S. companies tighten up the protection surrounding their critical network infrastructure and as a growing number of employees view security expertise as recession proof.


Three of the top 10 IT certifications in terms of demand among U.S. employers are security related, according to Foote Partners, a consultancy that tracks IT employment trends. These include the Red Hat Certified Security Specialist, which ranks as No. 2 on the Foote Partners list, as well as the CompTIA Security+ (No. 3) and the GIAC Security Essentials Certificate (No. 6).
"Throughout the whole recession, security [expertise] has done nothing but keep going up in value," says David Foote, CEO of Foote Partners. "Companies are realizing that there's no such thing as perimeter security. A lot of breaches are internal. It's a question of not just how do you prevent intrusions, but it's a question of how do you protect data."
Worries about security breaches are prompting companies to get more IT employees trained and certified in information security, Foote says. "Employees are looking at security certifications as career safety," he adds. "Security is a great long-term career move because there's a steady drumbeat of regulations and compliance."
Infosec certifications have been gaining popularity since 2005, when the Defense Department issued a directive known as 8570 that requires military employees, defense contractors and other federal employees involved with information assurance to have security credentials. As vendor-neutral certifications, both the CompTIA Security+ and the GIAC Security Essentials Certificate meet this mandate.
"We've had record months throughout the year, driven by the government sector. The Defense directive 8570 is having a significant impact," says Terry Erdle, senior vice president of skills certification at CompTIA. "We're seeing interest from federal government, state and local government, education, defense contracting and federal contracting."
The fastest-growing infosec certification is Red Hat's. Launched in 2006, this certification is aimed at senior network administrators and is designed to prove that a person has deep skills related to running Red Hat Enterprise Linux in a secure fashion.
"Between this time last year and today, the number of people who have passed [the Red Hat Certified Security Specialist] exam has grown by 70%," says Randy Russell, director of certification at Red Hat. "Clearly, something is happening with this particular credential."
To qualify for this certification, network engineers must first pass the Red Hat Certified Engineer test and then be trained as a Red Hat Certified Security Specialist. Engineers must pass three exams – in advanced networking security, Linux policy administration and directory services/authentication — in order to earn this credential.
Russell says more IT professionals and their employers are interested in this certification because they understand the security risks that exist today.
"Security has become something that is much more evident. Exploits have become well known. It has become more ingrained in the public mind, the corporate mind and the IT mind that security is not an add-on; security is something that is fundamental to your practices in your IT shop," Russell says.
Another driver is tighter federal regulations about data privacy and security dating back to the Health Insurance Portability and Accountability Act of 1996 for healthcare companies and the Sarbanes-Oxley Act of 2002 for public companies. Another compliance-oriented driver is the Payment Card Industry Data Security Standard, which launched in 2004.
"There is a growing regulatory environment that mandates certain kinds of security controls and oversight in an organization," Russell says. "A lot of organizations are really upping their game and looking for ways to meet those requirements through skills [acquisition.]"
Another fast-growing security certification is the CompTIA Security+, which is aimed at network administrators with at least two years of experience. The number of IT professionals taking this exam — which measures competency in system security, network infrastructure, access control and organizational security — is double what it was a year ago.
For employees, the impetus to pursue an infosec certification is not only job security but a pay increase. "We do see that there are some salary…advantages to getting certified," Erdle says, adding that IT professionals who have the CompTIA Security+ certification report pay raises as high as 5% to 7%.
Erdle says he expects CompTIA's Security+ to remain a hot certification because the industry-wide push toward healthcare IT, mobility and cloud computing will require security, too. "You're going to see us start to add modifiers around cloud, [software as a service], health IT and green IT," Erdle says.
Also popular are the suite of 20 Global Information Assurance Certifications, which have demonstrated about 25% growth during the last year, according to Jeff Frisk, director of the GIAC Certification Program.
"The Foote Partner reports have listed the GIAC family of certifications as maintaining and growing in value…not only the value in how people are being compensated and promoted but also the value that it brings to an organization," Frisk says.
Most popular is GIAC's general-purpose Security Essentials Certificate, but other job-specific GIAC credentials such as GIAC Certified Incident Handler, GIAC Certified Forensic Analyst and GIAC Certified Intrusion Analyst are also in demand. Overall, more than 32,500 GIAC certifications have been awarded in the 10 years since the program began.
"Our certifications mesh very well with specific real-world job duties and job tasks," Frisk says. "If you're a chief information security officer, you're going to need risk analysts, incident handlers, firewall experts, intrusion detection people, Unix people, Windows people and forensic specialists. A lot of the value of our certifications…is that they qualify or validate that specific skill set."
All of the popular infosec certifications claim to measure the real-world skills necessary to protect systems, software and information from attacks. That's why the organizations offering these certifications — and selling the training necessary to prepare for them — say they are growing.
"Our certifications are harder to obtain, more relevant and more prestigious," Frisk says of the GIAC program. "It's not the easy way out. We do not rubber stamp people. You have to demonstrate skills to hold a GIAC credential…That's part of the reason that demand is up."

Wednesday, September 15, 2010

11 hot skills for 2011


By Stacy Collett
 
Christmas came in midsummer for Nicole Thompson, IS director of applications at HealthAlliance of the Hudson Valley.
Thanks to a federal mandate to implement electronic health records (EHR) systems, she has the funds in her 2011 budget to hire 11 new employees for projects ranging from database analysis and design to wireless device implementation.
Pockets of Hiring
What changes do you expect in your IT employee head count in the next 12 months?
* Increase: 23%
* Decrease: 22%
* Remain the same: 55%
Source: Exclusive Computerworld survey of 209 IT professionals, June/July 2010
"I'm bringing people on staff now who have extreme database experience," says Thompson, who works at the health care network's Benedictine Hospital campus in New York. She also needs someone with systems analysis and design experience, as well as someone who can communicate with clinicians about their workflow and then adapt a vendor's software to fit the hospital's needs.
"It's a very exciting time," she adds. "This is the first time in my entire IT career where I have been able to hire people. I'm loving this!"
After months of staff cuts or hiring freezes, many U.S. companies are planning to hire IT employees with highly valued skills. The percentage of respondents to Computerworld's annual Forecast survey who said they plan to increase staff size in the next 12 months increased slightly, from 20% in last year's survey to 23% this year.
"We're talking about hiring. It's happening now," says Dave Willmer, executive director of IT staffing services firm Robert Half Technology and a Computerworld.com columnist. "Companies that cut staff or implemented hiring freezes are realizing they need employees now to help upgrade IT systems and prepare their firms for potential growth."
What's more, IT managers are taking the opportunity to mold their departments into profit-making business units.
Computerworld's survey uncovered these 11 must-have skills.
1. Programming and Application Development
About 47% of the survey respondents who said they plan to hire IT professionals in the next year will be looking for people with programming or application development skills. Moreover, Monster.com reports that three quarters of 245 HR managers and recruiters it surveyed in May plan to hire IT staffers with applications expertise by the end of this year.
"Those skills are separate from enterprise business applications," says David Foote, CEO and chief research officer at Foote Partners LLC in Vero Beach, Fla. In this volatile market, companies need to quickly reposition, as well as use IT to grow the business through new products and innovation. So "RAD, rapid programming and agile programming seem to be coming back. Companies are starting to increase some of their pay [in these areas], which means they're looking for more capabilities in their companies," he says.
2. Project Management
Kathleen Kay has put project managers at the top of her 2011 hiring list at Comerica Bank. With some 140 IT projects on the schedule, she will need people to oversee Web and mobile initiatives, a treasury management product rollout and a legacy applications refresh, among other efforts.
The Dearborn, Mich.-based bank will fill those needs by hiring new people and retraining existing employees. "We are very passionate about investing in our people and making sure they stay up to speed on skills with emerging technologies," says Kay, senior vice president of business technology services.
People with project management skills will be sought by 43% of Computerworld's survey respondents who plan to make new hires, and by more than half of those polled by Monster.com.
3. Help Desk/Technical Support
Only 20% of Microsoft customers had converted to Windows 7 as of July 2010, according to Microsoft. "That leaves 80%. They have to move over. It's not a matter of choice," Willmer says. That may be one reason why help desk and technical support skills will be high-priority in 2011 for 42% of survey-takers who are hiring.
What's more, major conversions like those in the health care arena, driven by the EHR mandate, require a lot of help desk support for users. "These aren't just people doing password resets. They're probably technically savvy as well as having that health care background," Willmer adds.
4. Networking
Networking skills are in demand among 38% of Computerworld survey respondents who said they're hiring. And those jobs were identified as the most challenging to fill in a Robert Half Technology survey of 1,400 CIOs.
"Networking is closely tied to virtualization," says Willmer. "Finding somebody with that virtualization experience and the ability to convert nonvirtual environments into virtual environments probably is the biggest reason" some networking skills are hard to find.
5. Security
"Security is the only area of certified IT skills that has never had a negative quarter throughout this entire recession," Foote says. "We've never had a three-month period with a loss or decline in premiums for these people." Demand is being driven by regulatory compliance needs and by customer demand for tools with built-in security features.
Valuable security skills include expertise in identity and access management, threat and vulnerability assessment, encryption, data loss prevention, incident analysis, governance, compliance and auditing, biometrics, Web content filtering, safeguards for voice-over-IP systems and e-discovery support for litigation.
6. Data Center
Of the Computerworld survey respondents who will be hiring in the next year, some 21% said that data center skills, including storage experience, will be in top demand.
"Storage is becoming more important as we go to network-attached storage [and storage-area networks]," says Suzanne Gordon, CIO at SAS Institute Inc. in Cary, N.C. Finding people with expertise in particular storage areas is important, she says, "but they should also be able to step back and look at it strategically: Are we putting the right things in the right places, and spending the right amount of money for safety and backup of the different types of data?"
7. Web 2.0
IT workers with next-generation Web skills will also be sought-after in 2011, according to 17% of Computerworld's respondents who plan to add new staffers in the next year. Hot Web 2.0 skills include expertise in Adobe Flex, JavaScript, Adobe Flash, AJAX and JavaScript Object Notation.
In the financial services industry, for example, "Web and mobile products are huge," says Comerica's Kay. "We have several projects ongoing that are geared around proving further Web and mobile functionality."
8. Telecommunications
At Palmetto Health in Columbia, S.C., Michelle Edwards wants to hire staff with skills in unified communications. The health care provider is seeking people who can design an infrastructure and integrate various communications tools, including instant messaging, IP phones and remote access.
"In a hospital, you have urgent needs for patient care, on-call needs and remote needs. We want to make sure we understand all those needs," as well as the security issues around those communications devices, says Edwards, senior vice president and CIO.
Some 16% of Computerworld's survey-takers who plan to hire will be looking for telecommunications skills into 2011.
9. Business Intelligence
As data proliferates and IT departments look for ways to contribute to the company's profitability, business intelligence skills will be highly sought-after in 2011, according to 13% of survey respondents.
Palmetto Health is using an EHR system and staffers have been "very good about putting information in, but we haven't done as well taking that data and making it usable," Edwards says. "We're being forced to do a better job with presenting the information that we're capturing" and sharing it through statewide health information exchange networks, she adds.
10. Collaboration Architecture
Collaboration architecture expertise is high on Campbell Soup Co.'s list of hot skills, says Donna Braunschweig, senior director of IT, enterprise portfolio and strategy. The company constantly looks at "how we can help the end-user experience be better by understanding how things like portals, Web and audio can integrate, and what does that need to look like to be able to have better collaboration across the company?" she says.
While most of Campbell's collaboration tools are hosted offerings from service providers, Braunschweig says she still needs employees who can manage those vendors and understand the technology.
11. Business Acumen and Communication Skills
You won't find this in any IT job titles, but most companies in 2011 will seek IT employees who understand the business and can communicate technical concepts to business units and customers.
Campbell requires IT employees to have four types of competencies: business and financial acumen, functional depth, leadership skills and a global mind-set. "Sometimes people think of IT as just technical skills, and it's not," Braunschweig says.
At HealthAlliance, Thompson recruits IT staffers who can communicate well both orally and in writing. "I also want to have a reference of someone who knows how you speak about IT issues to people who are not computer-savvy," she adds.
Overall, the outlook for 2011 remains volatile, and IT groups will need workers whose skills can help them adapt to rapidly changing market conditions. But as IT units move from a support role to a profitability model, "now they are able to move more quickly," Foote says. "I don't think the [IT] world is ever going to return to what it was in 2008, but it's a very positive thing."