Archive for August, 2013
How does ESX Server 3.x differ from VMware Server 2?
A. ESX Server 3.x supports multiple processors in a virtual machine and VMware Server 2 does
B. ESX Server 3.x supports Intranet and application servers in a production environment and VMware Server 2 does not.
C. ESX Server 3.x manages the virtualization server application remotely through a web-based interface and VMware Server 2 does not.
D. ESX Server 3.x supports virtual switches with VLAN capabilities and VMware Server 2 does not.
E. ESX Server 3.x runs on top of Linux and VMware Server 2 does not.
VMware Server does not support VLAN
What are two reasons why IT department .com would choose to use VMware Server 2.x instead of using ESX Server 3.x? Select two.
A. ESX Server 3.x does not support the storage hardware the company wants to use.
B. The company wants to utilize NIC teaming for network path failover and load balancing.
C. The company wants to virtualize a large number of physical machines running legacy operating systems in their datacenter.
D. VMware Server 2.x is a lower-cost solution for departmental virtualization projects.
E. VMware Server 2.x allows users to run the same number of virtual machines per CPU core as ESX Server 3.x does at the same performance levels at a lower cost.
Which of the following most closely describes the purpose of ACE (the Assured Computing
A. ACE helps desktop managers provision secure, standardized PC environments throughout the enterprise.
B. ACE enhances system security for ESX Server by providing firewall protection for both virtual machines and the Service Console.
C. ACE enhances virtual infrastructure manageability by acting as a proxy between VirtualCenter and the ESX and VMware Server systems under management.
D. ACE enhances reliability of the virtual infrastructure by providing hardware redundancy for ESX Server.
All VMware virtualization products are based on the same underlying virtualization technology, but there are some differences among these products. Which one of the following statements is true?
A. VMware Server and VMware Workstation both provide tools for remote management of virtual machines.
B. Because it runs on the bare metal, ESX Server supports a narrower range of physical hardware than either Workstation or VMware Server.
C. ESX Server supports more types of guest operating system than Workstation or VMware Server.
D. Only ESX Server allows virtual machines to be configured with multiple virtual CPUs.
64-bit CPUs are supported for VMotion in VirtualCenter 2.5
A. only when migrating 32-bit Guest OSes.
B. when migrating either 32-bit or 64-bit Guest OSes, so long as the NX flag is hidden.
C. when migrating either 32-bit or 64-bit Guest OSes, regardless of CPU compatibility.
D. when migrating either 32-bit or 64-bit Guest OSes, so long as the VMware CPU Compatibility Tool detects two compatible CPUs.
Which of the following statements does not make sense?
A. Intrinsic interoperability is important because it helps increase the quantity of integration projects that may be required to accommodate new business requirements, thereby fostering agility.
B. Intrinsic interoperability is important because it enables services to exchange data without having to resort to transformation technologies.
C. Intrinsic interoperability is important because it is fundamental to enabling services to be repeatedly composed.
D. Intrinsic interoperability is important because one of the goals of service-oriented computing is to increase intrinsic interoperability.
Which of the following statements is true?
A. To apply service-orientation requires the use of Web services.
B. Web services are required in order to build service-oriented solutions.
C. When discussing SOA and service-oriented computing, the term “Web service” must always be synonymous with (have the same meaning as) the term “service”.
D. None of these statements are true.
Which of the following statements is true?
A. “Contract first” design is important to SOA because it makes you think about service contract design options at the same time that you are building the underlying service logic.
B. “Contract first” design is important to SOA because it forces you to establish standardized service contracts prior to the development of the underlying service logic.
C. “Contract first” design is important to SOA because without a contract, services cannot be invoked. However, there is no preference as to when, during the service delivery lifecycle, the contract should be designed or established.
D. “Contract first” design is an unproven design technique that is not commonly employed when delivering service-oriented solutions and is therefore not considered important to SOA.
Which of the following statements is false?
A. A service is a unit of logic to which service-orientation has been applied to a meaningful extent.
B. Services are designed to increase the need for integration.
C. Services are the fundamental building blocks of service-oriented solutions.
D. A service composition is comprised of services.
Which of the following statements accurately describes the strategic benefit of Increased
A. A target state whereby all services are always consistently delivered as Web services.
B. A target state in which the entire enterprise has been successfully service-oriented.
C. A target state whereby the enterprise has adopted SOA by replacing all legacy environments with custom-developed services.
D. A target state whereby standardized service contracts have been established to express a consistent and unified service endpoint layer.
In order to achieve __________ we have traditionally required __________ projects. With service-orientation, we aim to establish an intrinsic level of __________ within each service so as to reduce the need for __________ effort.
A. vendor diversity, integration, vendor diversity, design
B. agility, development, scalability, development
C. interoperability, integration, interoperability, integration
D. autonomy, integration, statelessness, integration
GIAC IT security certifications, among others, show strong gains in demand
A number of IT security skills certifications requiring candidates to pass exams have sharply gained in terms of demand and pay value, according to a new Foote Partners report.
The “2013 IT Skills Demand and Pay Trends Report” is based on the tracking of the demand for a wide range of IT skills at 2,496 private and public-sector U.S. and Canadian employers for a total of 151,864 IT professionals.
For the second quarter, seven IT security certifications gained 10% or more in market value in terms of demand from the previous quarter, according to Foote Partners. David Foote, chief analyst and research officer, says obtaining certifications in IT skills typically means the worker’s pay gets a boost, often as a bonus for having been certified for certain skills through training and passing an exam of some type.
Foote Partners tracks 61 separate IT security certifications overall, and over the past three months five of the seven hottest are produced by the Global Information Assurance Certification (GIAC) organization, which is affiliated with SANS Institute for training.
The five GIAC certifications singled out are:
Certified Incident Handler, which spiked 22.2% in demand according to the companies reporting to Foote Partners. Foote says this typically translates into a 1% to 2% pay bonus for the employee holding the security certification.
Certified Firewall Analyst, rising 20%.
Certified Forensics Examiner, up 16.7%.
Certified Intrusion Analyst, up 10%.
Certified Forensics Analyst, up 10%.
Two other IT security certifications were also considered valuable in terms of boosting pay during the past three months.
One of them is the CWNP Certified Wireless Security Professional certification, up 16%, from the Certified Wireless Network Professional organization.
The other is the Infosys Security Engineering Professional certification, known as the ISSEP/CISSP certification, which is up 10%. It recognizes advanced security engineering and was designed by the International Information Systems Security Certification Consortium (ISC2) in coordination with the U.S. National Security Agency.
Foote notes that while trends can show upward spikes in demand, they can also drop in a three- and six-month timeframe. He adds that security spending tends to be driven by corporate need to achieve regulatory compliance.
The GIAC IT security certifications cited in the Foote Partners report were among those considered to provide “the highest pay premiums” along with non-security specific ones, such as the Open Group Master Architect and the EMC Cloud Architect Expert (IT-as-a-Service). “Cloud certifications haven’t been around for a long time, so we’re just starting to put in this data during the past year,” Foote points out.
Other IT security certifications are also ranked among those earning the highest pay premiums, though they didn’t necessarily show the three-month market-value jump. These include the IT security certifications known as the GIAC Security Leadership; Certified Information Systems Security Professional; Certified Information Security Manager; CyberSecurity Forensic Analyst; and the Information Systems Security Architecture Professional (ISSAP-CISSP).
The Foote Partners quarterly report also cited a significant rise in market value in a number of non-security-specific certifications, including the CWNP/Certified Wireless Network Expert and CWNP/Certified Wireless Network Administrator certifications. Some HP systems administration certifications rose sharply in value, as did some project management certifications. Three Oracle database administrator certifications jumped 10% or more in pay value. However, a number of Oracle certifications also declined 10% over the previous quarter. These decliners were: Oracle SOA Infrastructure Implementation Certified Expert; Oracle Certified Professional Java EE Web Services Developer; and Oracle Certified Master, Java EE Enterprise Architect.
The only IT security certification seen as falling 10% or more in pay value in comparison to the previous quarter was the GIAC Certified Penetration Tester certification, which dropped by 33.3%.
The Foote Partners report points out that overall, IT certifications in general have actually been falling in value since 2007, so it’s notable that 289 IT certifications increased last quarter, up 0.84% in value overall. Foote Partners also continuously tracks the demand for IT roles and responsibilities not based on IT certifications.
Get Organized: How to Change Your Mobile Email Signature
Does your phone always add some obnoxious sendoff line to all your emails? If you’ve procrastinated fixing it, take two minutes now to learn how to change that auto-signature on iPhones, iPads, and Android devices.
Do you hate reading “sent from my iPad” at the end of an email? I sure do. But what if you’re the culprit, the lazy person who has procrastinated getting rid of that automatic piece of advertising? It doesn’t take much time at all to update or turn off your automated email signature on an iPhone, iPad, or Android device. Here’s how to do it.
How to Change the Email Signature on iPhone and iPad
Go to Settings > Mail, Contacts, Calendar.
Scroll down to Signature.
On the next page, you’ll have the option to write whatever you want in your sendoff line, as well as apply it “per account” or all accounts.
If you choose per account, you can customize the signature line for each email account connected to the Mail app.
Bonus: Update Your “From” Name
While you’re in those settings, you might as well check that the “from” name is what you want it to be. We at PCMag always chuckle when we get an email indicating someone named “Work” or “PCMag account” is running late to a meeting.
So back up a page (i.e., go to Settings > Mail, Contacts, Calendar).
At the top, under Accounts, you’ll see all the accounts you have connected. Pick one by tapping it, and on the next page, pick Account. The page that pops up has a Name field. That’s your “from” name. Note that not all accounts contain the same fields (Gmail and Yahoo! Mail are the same, but Hotmail doesn’t have all the fields, for example).
I like to make mine just my name, except for the purpose of this image.
Tip: For the description, use the email address name. That way, you’ll never be confused about which account you’re accessing.
How to Change the Email Signature on Android
As with most instructions for Android phones, the details can vary slightly depending on the phone, service carrier, and email provider. The instructions here were validated using a Samsung Galaxy S III with MetroPCS.
Go into your Email app and select the account you want.
Tap the menu button and pick Settings.
You’ll see a Signature section, most likely turned on by default. On my phone, there’s a slider bar to turn the signature on and off. Tap it, and you can customize the sign off.
While you’re there, you might want to check and update the Account name and Your name fields. I like the Account name to be the exact email address name so that I never get confused about which account I’m using.
Prompted by blow-up over Chrome’s apathy about password security, expert urges Google to lock passwords with a master key
Google should lock up Chrome passwords with a master key to make casual thieves work harder, a security expert said Thursday.
“Google ought to at least be protecting the storage of [Chrome’s password] data with a master password,” said Andrew Storms, senior director of DevOps at CloudPassage, in an IM interview.
Storms was reacting to the blow-up this week after software developer Elliott Kember noticed that Chrome lets anyone with physical access to a computer easily spy and snoop on saved passwords.
Kember called Chrome’s practice an “insane password security strategy.”
Chrome stores passwords at the user’s request, then recalls them automatically for site and service log-ins. A quick trip to the browser’s address bar — type “chrome://settings/passwords” there — displays accounts, usernames and passwords.
Although the passwords are disguised with asterisks, one click on the “Show” button and the password appears in plain text.
Kember objected to Chrome’s system. “There’s no master password, no security, not even a prompt that ‘these passwords are visible,’” he wrote. Anyone with access to the computer — a co-worker, say, or a child or spouse on a shared system — could easily pilfer passwords from the browser. “Today, go up to somebody non-technical. Ask to borrow their computer. Visit chrome://settings/passwords and click ‘Show’ on a few. See what they have to say,” Kember said.
Chrome has always handled passwords this way, but the quick explosion of commentary on the Web signaled that few knew as much.
Google didn’t help its case, or Chrome’s long-touted reputation as a secure browser, when Justin Schuh, the browser’s security tech lead, dismissed the complaints in a message on Hacker News, where he said the password access wasn’t an oversight, but by design.
“We don’t want to provide users with a false sense of security, and encourage risky behavior,” Schuh said to the critics who wondered why Chrome did not, at least, require a second-level password — a “master key” in the parlance — to access the in-clear passwords. “We want to be very clear that when you grant someone access to your OS user account, that they can get at everything,” Schuh added. “Because in effect, that’s really what they get.”
Storms didn’t see it that way. And from the digital fisticuffs triggered by Schuh’s comments, nor did most users.
Schuh was missing the point, said Storms. “Let’s agree that one needs access to the computer where the passwords are stored,” said Storms. “But they ought to be offering an additional layer of security, a master password, like Firefox does.” Otherwise, he continued, there was no barrier to even spontaneous spying.
Google declined to comment on the brouhaha or whether it will react to the online beat down by changing Chrome’s password handling.
Click on the ‘Show’ button in Chrome’s saved-password UI and anyone with access to the machine sees the goods.
Chrome isn’t the only browser that lets anyone with access to the machine see passwords: Mozilla’s Firefox does too, although as Storms noted, it does offer an option of locking access with a second, or master, password.
Apple’s Safari and Microsoft’s Internet Explorer (IE) are more secure from ad hoc password theft. Both require users to again enter their user account password — the operating system’s overarching log-in password — to view saved passwords, in effect treating the user account password as a master key.
All four browsers encrypt the password file, some using stronger encryption than others. But Chrome and Firefox automatically call on the existing user account password to decrypt the file without asking the person in front of the key to lift a finger.
Put plainly, the casual thief who steps up to the keyboard of a running PC or Mac has to also know the user account password to view Safari’s and IE’s password file. But they can immediately see its contents on Chrome, as well as on Firefox if no master key has been set earlier.
Thus, Storms’ call for Google to add an optional master password to Chrome so that it’s at least on par with Firefox. Requiring people to type in the user account password once again would be even better.
This week’s Chrome password crisis was not news: The issue has come up before, although the blow-back this time has been staggering in comparison. “That was my first reaction, actually,” said Storms when asked whether the new brouhaha is a tempest in a teacup, or is legitimate. “It’s been like that for a long time … [so] why now and doesn’t everyone already know this?”
But Storms wasn’t downplaying the concern of critics. “It is a rather strange situation, since Chrome drove to the top of the list [based on it being] the most secure browser from online malware,” he said.
Inserting a master key requirement into Chrome should not be a big deal, code-wise, Storms said. “I wouldn’t think it would be that difficult for them,” he said.
Users reluctant to let Chrome or any other browser save passwords have options, Storms said, notably password managers that are specifically designed to secure passwords while still making them readily available for site log-ins.
Storms suggested 1Password (Windows, OS X; $49.99). But there are lots of other choices, including KeePass (Windows; free), LastPass (Windows, OS X; free or $12/year for premium version) and RoboForm (Windows, OS X; $29.95).
From anywhere on the planet, a hacker could open and close the lid to your smart toilet, turn your child’s smart toy into a covert surveillance device, or unlock the doors of your smart home.
Disregard for a moment why you would ever want to connect a toilet to the Internet to “record a toilet diary,” and instead ask why would a person hack a smart toilet? Because it’s there; it’s vulnerable and it helps to highlight new security risks associated with smart devices connected to the web, making up the Internet of Things.
LIXIL Satis Bluetooth smart toilet
Since the Japanese-manufactured LIXIL Satis smart toilet is extremely expensive, at about $6,000, and not readily available in the U.S., researchers at the security firm Trustwave reverse-engineered an Android app for the Bluetooth-controlled Satis. It has a hard-coded PIN of “0000,” according to the security advisory, and:
any person using the “My Satis” application can control any Satis toilet. An attacker could simply download the “My Satis” application and use it to cause the toilet to repeatedly flush, raising the water usage and therefore utility cost to its owner. Attackers could cause the unit to unexpectedly open/close the lid, activate bidet or air-dry functions, causing discomfort or distress to user.
Although that hack is more of a prank, you might take the security risk more seriously if an attacker could secretly access the webcam in your child’s toy, capture video and then upload it to a remote server.
Violet’s Karotz Smart Rabbit
The toy in question is a Karotz plastic bunny that “can connect to the Internet (to download weather forecasts, read its owner’s email, etc.),” stated the bunny security advisory. It “can be controlled from a smartphone app and is outfitted with a video camera, microphone, RFID chip and speakers.” In fact, an attacker could “take control of it from a computer and remotely watch live video, turning it into an unwitting surveillance camera.”
Hacking smart houses
At the Black Hat Home Invasion v2.0 presentation, Trustwave researchers showed serious topics as well, such as how someone other than the home or business owner can unlock doors from anywhere in the world. As an example, Trustwave security researcher Dan Crowley took a random four-digit number from a hacking conference attendee and then changed the lock’s PIN. They also discussed poor security issues discovered when testing a Belkin WeMo Switch, Linksys Media Adapter, Radio Thermostat, and Sonos Bridge.
Although one of the benefits of having a smart home is that you remotely control it via a smartphone, tablet or PC, that convenience comes with a plethora of personal security and privacy risks. During the Black Hat session [pdf slides], the researchers showed how the home automation gateways Mi Casa Verde Veralite and Insteon Hub have “vulnerabilities that, if not fixed, could result in covert audio and video surveillance, physical access to buildings or even personal harm.”
“The big risk is that a compromise could give you access to hundreds of thousands of homes all at once,” Crowley stated. “I could see that as an attack someone could actually use to launch a crime spree.” He added that if someone broke into your house, but there was no sign of forced entry, then how would you get your insurance company to pay?
Granted the toilet hack is invasive but more like a prank, yet an attacker could also seriously mess with a person’s mind by simply running a web search for smart homes with Insteon and then remotely taking control of the lights as if the house were “haunted.”
The potential for hacking smart homes and the Internet of Things—from exploiting network connected toys, thermostats, wireless speakers, to automated door locks—will only continue to grow as more people adopt these technologies. There are plenty of privacy risks in addition to the security vulnerability issues as their white paper [pdf] states:
There are also privacy concerns in the compromise of these devices. Compromise of a device with a built-in microphone or camera comes with the ability to perform audio and video surveillance. Compromise of a motion sensor could be used to determine when there are people at a physical location. Reading the status of door locks and alarm systems as could be achieved by compromising the VeraLite could be used to determine when the building in which it resides is occupied.
Legally, devices that store data on third party servers also enjoy a lower level of privacy protections due to the 3rd Party Doctrine. Many of the devices in this paper fall into this category.
DroidWhisper: How to make an Android spy phone
If loaded on a BYOD device the spyware could spell trouble for businesses, Black Hat speaker says
Las Vegas — Injecting malicious code into legitimate Android mobile applications can turn smartphones into spyphones with little effort, which could pose a problem for businesses that support BYOD programs, a researcher told the Black Hat security conference.
Climbing a very low learning curve, researchers at Kindsight (part of Alcatel-Lucent) with no previous experience with the Android software developers’ kit were able to crank out a custom version of the game Angry Birds that ran on an Android phone, says Kevin McNamee, director of security architecture at Kindsight.
The altered app gave access to the device’s GPS, microphone, camera, Wi-Fi radio, email, text messages and contact lists, he says. Attackers can record conversations in the vicinity of the phone, record phone calls and take pictures without the user knowing about it and send them to a command and control server.
If such an altered application were loaded on a device that connected to a corporate network it would become a spy node that could scan the network and launch attacks. The malicious code could be updated after it is installed on a phone to customize it to attack specific vulnerabilities it finds in the network, he says.
“It’s a remote-access Trojan in the phone, and I think it’s pretty scary,” McNamee says. The bug that allows this is related to the Android master-key flaw that was discussed at a separate Black Hat briefing.
Called DroidWhisper, the code was dropped into a legitimate version of Angry Birds, taking advantage of characteristics of Android that aren’t very rigorous in checking the certificates used to sign applications, McNamee says.
Getting the app on a phone in the first place is a challenge but it could be met with clever spear phishing, he says. In the case of the Angry Birds app, an email advertising a free version of the game with a link to a site to download it could draw in the target.
The malicious piece of the application runs in the background and boots up when the device is rebooted so it is always available, even when the app itself is turned off. It is then signed with a digital certificate, but it could be self-signed. “Any certificate will do,” he says.
DroidWhisper uses standard Android APIs to gain access to services on the device. The original legitimate app is broken down into its components using the Android application package tool. Then the app is rebuilt, adding DroidWhisper, McNamee says.
Fighting such an espionage application could be done by anti-virus software seeking communications with the command and control server, he says.
A modified legitimate application would have to be downloaded from a phone application store, for example, because it could not be posted to Google Play where the actual legitimate app is available, he says.