Archive for October, 2014

IBM’s chip business sale gets national security scrutiny

GlobalFoundries is already talking over security issues with the U.S. government

IBM’s plan to transfer its semiconductor manufacturing business to GlobalFoundries faces a government review over national security implications. It has the potential of being complicated because of IBM’s role as a defense supplier.

GlobalFoundries is based in the U.S., but is owned by investors in Abu Dhabi, which is part of the United Arab Emirates (U.A.E.). IBM is paying the firm $1.5 billion to take over its semiconductor manufacturing operations. IBM says it isn’t cutting back on R&D or its design of semiconductors, but will rely on GlobalFoundries for manufacturing.
MORE ON NETWORK WORLD: 25 crazy and scary things the TSA has found on travelers

IBM’s semiconductor manufacturing unit work includes production of components used in defense systems and intelligence.

“We are in discussions with the U.S. government on the security-related issues, and we believe there are solutions that can address national security interests,” Jason Gorss, GlobalFoundries spokesman, said in an email.

Gorss points to the fact that GlobalFoundries successfully completed a national security review by the government when it purchased AMD assets in 2008, “so we are familiar with the process.” GlobalFoundries was created out that divestiture.

Because of the foreign ownership issue, the sale will be reviewed by the Committee on Foreign Investment (CFIUS), said Gorss.

Retired U.S. Army Brig. Gen. John Adams, who authored a report last year for an industry group about U.S. supply chain vulnerabilities and national security, said the sale “needs to be closely studied and scrutinized.”

Adams said CFIUS will have to look at where the investors are. Some countries are more closely aligned with the U.S. than others, “and I don’t want cast aspersions unnecessarily on Abu Dubai — but they’re not Canada,” he said. “I think that the news that we may be selling part of our supply chain for semiconductors to a foreign investor is actually bad news.”

Gorss points out that the U.A.E. has purchased some of the U.S.’s most sophisticated defense equipment, including F-16s and missile defense systems. The Congressional Research Service, in a report last month to lawmakers, said about 5,000 U.S. military personnel are stationed in U.A.E. and noted its role in extending the U.S.-led efforts against the Islamic State organization, or ISIS.

GlobalFoundries has manufacturing operations in New York, Germany, and Singapore and it would keep operating IBM’s chip making operations in New York and Vermont once the sale is completed next year. It also plans to hire nearly all the workers. GlobalFoundries also has R&D, design, and customer support operations in the U.S., Singapore, China, Taiwan, Japan, Germany and the Netherlands.

Apart from the U.A.E.’s investment in the firm, U.S. officials have had long-standing concerns about foreign ownership of critical technology, including semiconductors.

In 2003, the U.S. Department of Defense called for a “Defense Trusted Integrated Circuit Strategy” that provides access “to trusted suppliers of critical microcircuits used in sensitive defense weapons, intelligence, and communications systems.”

That led to a pilot program with the NSA and formation of the “Trusted Access Program Office” and then to “a contractual arrangement with the IBM Corp., for the manufacture of leading-edge microelectronic parts in a trusted environment,” according to a Defense Department report released in July.

If the U.S. loses more of its industrial capacity, “we mortgage our ability to make national security decisions to investors who come from countries who have interests opposed to ours,” said Adams.

To give an example of how extreme foreign dependences can go, one problem cited in Adam’s report was the U.S. reliance on a Chinese firm as the sole source for a chemical needed to propel Hellfire air-to-surface missiles. Since that report, the U.S. has identified an American company that is scheduled now to begin production of this propellant component in the next few months. The U.S. is giving some tax incentives and other assistance to make that happen, said Adams.

The U.A.E., has seen its trade suffer because of the embargo with Iran. But the U.A.E is also viewed as a conduit for technology shipments to Iran that bypass the embargo.

In late 2007, Iran claimed to have built a small Linux supercomputer using 216 AMD Opteron chips. Imports of microprocessors and other technologies to Iran isn’t allowed under the U.S. embargo.

The Iranian High Performance Computing Research Center (IHPCRC) research center included a series of photographs on its Web site showing workers assembling the supercomputer. The chips could not be identified in the photos, but the shipping boxes and the name of company and the initials U.A.E. on the boxes were visibile.

AMD said it has never authorized any shipment of its products to the U.A.E., and said so again in a response to an SEC query2009.

It’s unclear how capable Iran’s supercomputing capabilities are at this point; Iran’s Amirkabir University of Technology, the home of the IHPCRC, had in 2010 a system with 4,600 CPUs, but it did not identify the processor maker.

After Computerworld published the initial story, Iran removed the photographs. The website of IHPCRC appears to have disappeared as well, replaced by a web page about acne medication.


MCTS Training, MCITP Trainnig

Best Microsoft MCTS Certification, Microsoft MCITP Training at certkingdom.com

 

 

Yahoo squeezes out growth in Q3

The company’s mobile revenue was material enough to report for the first time

Yahoo reported a 1 percent sales increase on Tuesday, a marked shift after multiple quarters of decline, though results in its critical ad business were mixed.

The company also said its mobile revenue had become significant enough to report for the first time, passing $200 million. That was a minor victory for CEO Marissa Mayer, who’s been trying hard to get more traction for Yahoo on smartphones and tablets.

“We had a good, solid third quarter,” Mayer said in the company’s announcement Tuesday.

Total sales for the quarter, ended Sept. 30, were $1.15 billion, up from $1.14 billion last year, the company reported. Excluding traffic acquisition costs, revenue was $1.09 billion and slightly ahead of analyst expectations, as polled by Thomson Reuters.

Net income was $6.77 billion, or $6.70 a share, driven largely by an after-tax profit of $6.3 billion from the sale of Yahoo’s stake in e-commerce giant Alibaba in the Chinese company’s IPO last month.

Yahoo’s adjusted earnings per share was $0.52, clobbering analyst estimates of $0.30.

Much of the success in mobile came from so-called native ads, which are designed to look like the editorial content that appears around them.

“We are moving from a company that makes web pages and money through banner ads to a company that makes mobile apps and monetizes them through native ads,” Mayer said in a conference call to discuss the results.

Since she took over as CEO in 2012, the company has made numerous mobile acquisitions and revamped mobile offerings in the areas of news, email, weather, and photos with Flickr.

But declines in traditional desktop display ads persisted, Mayer said.

Display ad revenue rose by 5 percent to $447 million, and the number of display ads sold increased by 24 percent. But the amount paid for those ads dropped by 24 percent.

In search advertising, revenue rose by 4 percent. The number of paid clicks was flat, and the price-per-click paid rose by about 17 percent, Yahoo said.

In the after-hours market, Yahoo’s stock was trading at $41.33 at the time of this report, up 2.3 percent from the close of regular trading.


 

MCTS Training, MCITP Trainnig

Best Microsoft MCTS Certification, Microsoft MCITP Training at certkingdom.com

Gartner: IT careers – what’s hot?

Do you know smart machines, robotics and risk analysis? Gartner says you should

ORLANDO— If you are to believe the experts here a the Gartner IT Symposium IT workers and managers will need to undergo wide-spread change if they are to effectively compete for jobs in the next few years.

How much change? Well Gartner says by 2018, digital business requires 50% less business process workers and 500% more key digital business jobs, compared to traditional models. IT leaders will need to develop new hiring practices to recruit for the new nontraditional IT roles.

“Our recommendation is that IT leaders have to develop new practices to recruit for non-traditional IT roles…otherwise we are going to keep designing things that will offend people,” said Daryl Plummer, managing vice president, chief of Research and chief Gartner Fellow. “We need more skills on how to relate to humans – the people who think people first are rare.”

Gartner intimated within large companies there are smaller ones, like startups that need new skills.

“The new digital startups in your business units are thirsting for data analysts, software developers and cloud vendor management staff, and they are often hiring them fast than IT,” said Peter Sondergaard, senior vice president and global head of Research. “They may be experimenting with smart machines, seeking technology expertise IT often doesn’t have.”

So what are the hottest skills? Gartner says right now, the hottest skills CIOs must hire or outsource for are:
Mobile
User Experience
Data sciences

Three years from now, the hottest skills will be:
Smart Machines (including the Internet of Things)
Robotics
Automated Judgment
Ethics

Over the next seven years, there will be a surge in new specialized jobs. The top jobs for digital will be:
Integration Specialists
Digital Business Architects
Regulatory Analysts
Risk Professionals


 

MCTS Training, MCITP Trainnig

Best Microsoft MCTS Certification, Microsoft MCITP Training at certkingdom.com

Biggest, baddest, boldest software backdoors of all time

These 12 historically insidious backdoors will have you wondering what’s in your software — and who can control it

The boldest software backdoors of all time

It’s always tough to ensure the software you’re using is secure, but it’s doubly difficult if the creators of the software — or some malicious unknown third party — has surreptitiously planted a back way in.

Here’s a look at 12 of the trickiest, subtlest, and nastiest software backdoors found in the wild yet.

Back Orifice
Far from being the first backdoor, Back Orifice brought backdoor awareness to a wider audience. Created in 1998 by folks from the Cult of the Dead Cow hacker collective, Back Orifice allowed computers running Microsoft Windows to be controlled remotely over a network (and cleverly played off the name of Microsoft BackOffice Server, a precursor to Windows Small Business Server).

Back Orifice was devised to demonstrate deep-seated security issues in Microsoft Windows 98, and so it sported such features as being able to hide itself from the user — something that endeared it to a generation of black hat hackers because it could be used as a malicious payload.

The DSL backdoor that wouldn’t die
Having a backdoor in your hardware product is bad enough; promising to fix it and then only covering up its existence is even worse. But that’s what happened at the end of 2013 with a number of DSL gateways that used hardware made by Sercomm, all of which sported a manufacturer-added backdoor on port 32764. A patch was later released in April 2014 to fix the problem, but the “fix” only concealed access to the port until a specially crafted packet (a “port knock”) was sent to reveal it. We’re still waiting for a real fix.

The PGP full-disk encryption backdoor
Here’s one for the “not a backdoor, but a feature” department: PGP Whole Disk Encryption, now marketed by Symantec, allows an arbitrary static password to be added to the boot process for an encrypted volume. (By default the password expires the first time it’s used.) When first unearthed in 2007, PGP replied that other disk-encryption products had similar functionality, although the lack of public documentation for the feature was unnerving. At least now we know it’s in there, but the jury’s still out on whether it should be there to begin with.

Backdoors in pirated copies of commercial WordPress plug-ins
WordPress may be one of the most popular and powerful blogging and content management systems out there, but its track record on security leaves a lot to be desired. Some of the sneakiest breaches have come by way of pirated copies of premium plug-ins surreptitiously patched to include backdoors, at least one of which was obfuscated so well that expert WordPress users might have trouble detecting it.

Yet another reason to avoid pirated software (as if you needed any more).

The Joomla plug-in backdoor
WordPress isn’t the only major CMS that’s experienced backdoor issues with plugins. Joomla installations have been victimized in a similar way — for instance, via a free plug-in, the code of which was apparently modified after the fact.

Such sneak attacks are generally performed as a means for getting back into a website that’s been hacked because few think twice about checking whether a CMS plug-in was the point of entry of an attack.

The ProFTPD backdoor
ProFTPD, a widely used open source FTP server, nearly had a backdoor planted in it as well. Back in 2010, attackers gained access to the source code hosting server and added code which allowed an attacker to spawn a root shell by sending the command “HELP ACIDBITCHEZ.” Irony abounded in this case: The attackers used a zero-day exploit in ProFTPD itself to break into the site and plant the malicious code!

The Borland Interbase backdoor
This one’s guaranteed to raise hairs. From 1994 through 2001, Borland (later Inprise) Interbase Versions 4.0 through 6.0 had a hard-coded backdoor — one put there by Borland’s own engineers. The backdoor could be accessed over a network connection (port 3050), and once a user logged in with it, he could take full control over all Interbase databases. The kicker, and a sign of some strange programmer humor at work, was the credentials that were used to open the backdoor. Username: politically. Password: correct.

The Linux backdoor that wasn’t
Back in 2003, someone attempted to insert a subtle backdoor into the source code for the Linux kernel. The code was written to give no outward sign of a backdoor and was added to the Linux source by someone who broke into the server where the code was hosted.

Two lines of code were changed — something that might have breezed past most eyes. Theoretically, the change could have allowed an attacker to give a specific, flagged process root privileges on a machine. Fortunately, the backdoor was found and yanked when an automatic code audit detected the change. Speculation still abounds about who might have been responsible; perhaps a certain three-letter agency that asked Linus Torvalds to add backdoors to Linux might know.

The tcpdump backdoor
One year before someone tried to backdoor the Linux kernel, someone tried to sneak a backdoor into a common Linux (and Unix) utility, tcpdump. A less stealthy hack than the Linux one — the changes were fairly obvious — it added a command-and-control mechanism to the program that could be activated by traffic over port 1963. As with the Linux backdoor, it was added directly to the source code by an attacker who broke into the server where the code was hosted. As with the Linux backdoor attempt, it was quickly found and rooted out (no pun intended).

The tcpdump backdoor
One year before someone tried to backdoor the Linux kernel, someone tried to sneak a backdoor into a common Linux (and Unix) utility, tcpdump. A less stealthy hack than the Linux one — the changes were fairly obvious — it added a command-and-control mechanism to the program that could be activated by traffic over port 1963. As with the Linux backdoor, it was added directly to the source code by an attacker who broke into the server where the code was hosted. As with the Linux backdoor attempt, it was quickly found and rooted out (no pun intended).

The NSA’s TAO hardware backdoors
Never let it be said that the NSA doesn’t have some clever tricks up its sleeve. Recent revelations about its TAO (Tailored Access Operations) program show that one of the NSA’s tricks involves intercepting hardware slated for delivery overseas, adding backdoors to the device’s firmware, and then sending the bugged hardware on its merry way. Aside from network gear, the NSA also apparently planted surveillance software in the firmware for various PCs, and even in PC peripherals like hard drives.

The Windows _NSAKEY backdoor that might have been
Speaking of the NSA, in 1999 researchers peered into Windows NT 4 Service Pack 5 and found a variable named _NSAKEY with a 1024-bit public key attached to it. Speculation ran wild that Microsoft was secretly providing the NSA with some kind of backdoor into encrypted data on Windows or into Windows itself. Microsoft denied any such activity, and security expert Bruce Schneier also doubted anything nefarious was going on. But rumors have swirled ever since concerning unpluggable backdoors into Windows.

The dual elliptic curve backdoor
Yet another from the NSA, and perhaps the sneakiest yet: a deliberate, stealthy weakening of a random number generator commonly used in cryptography. Theoretically, messages encrypted with the Dual_EC_DRBG (Dual Elliptic Curve Deterministic Random Bit Generator) standard, ratified by NIST, had a subtle weakness that could allow them to be decrypted by an attacker. Only after Edward Snowden leaked internal NSA memos did it come to light that said agency had manipulated the approval process for the standard to allow the backdoor to remain in the algorithm. Fortunately, plenty of other random number generators exist, and NIST has since withdrawn its recommendations for Dual_EC_DRBG. Small wonder people speculate what else the NSA may have hidden up its (and other peoples’) sleeves.


MCTS Training, MCITP Trainnig

Best Microsoft MCTS Certification, Microsoft MCITP Training at certkingdom.com

 

 

Gartner: Top 10 strategic predictions for businesses to watch out for

For a session that is high-tech oriented, this year’s Gartner strategic predictions were decidedly human.

That is to say many were related to increasing the customer’s experience with technology and systems rather than the usual techno-calculations.
Gartner 2014

“Machines are taking an active role in enhancing human endeavors,” said Daryl Plummer is a managing vice president, chief of Research and chief Gartner Fellow. “Our predictions this year maybe not be directly tied to the IT or CIO function but they will affect what you do.”

Plummer outlined the following predictions and a small recommendation as to what IT can do to prepare for the item. Read on:

1. By 2018, digital business requires 50% less business process workers and 500% more key digital business jobs, compared to traditional models. IT leaders — need to develop new hiring practices to recruit for the new nontraditional IT roles.

2. By 2017, a significant disruptive digital business will be launched that was conceived by a computer algorithm. CIOs must begin to simulate technology-driven transformation options for business.

3. By 2018, the total cost of ownership for business operations will be reduced by 30% through smart machines and industrialized services. CIOs must experiment with precursor “almost smart machine” technologies and phantom robotic business process automation. Business leaders must examine the impact of increased wellness on insurance and employee healthcare costs as a competitive factor.

4. By 2020, developed world life expectancy will increase by 0.5 years due to widespread adoption of wireless health monitoring technology. Business leaders must examine the impact of increased wellness on insurance and employee healthcare costs as a competitive factor

5. By year-end 2016, $2.5 billion in online shopping will be performed exclusively by mobile digital assistants. Apple’s Siri is a type of assistant, but many online vendors offer some sort of software-assist that you may or may not be aware of. Marketing executives must develop marketing techniques that capture the attention of digital assistants as well as people. By the end of 2016, $2.5 billion in online shopping will be performed exclusively by mobile digital assistants.

6. By 2017, U.S. customers’ mobile engagement behavior will drive U.S. mobile commerce revenue to 50% of U.S. digital commerce revenue. Recommendation: Marketing executives must develop marketing techniques that capture the attention of digital assistants as well as people. Mobile marketing teams investigate mobile wallets such as Apple’s Passbook and Google Wallet as consumer interest in mobile commerce and payments grows.

7. By 2016, 70% of successful digital business models will rely on deliberately unstable processes designed to shift as customer needs shift. CIO need to create an agile, responsive workforce that is accountable, responsive, and supports your organizational liquidity.

8. By 2017, more than half of consumer product and service R&D investments will be redirected to customer experience innovations. Consumer companies must invest in customer insight through persona and ethnographic research.

9. By 2017, nearly 20% of durable goods e-tailers will use 3D printing to create personalized product offerings. CIOs, product development leaders, and business partners—evaluate gaps between the existing “as is” and future “to be” state (process, skills, and technology.)

10. By 2018, retail businesses that utilize targeted messaging in combination with internal positioning systems (systems that know you are in or near a store) will see a 20% increase in customer visits. CIOs must help expand good customer data to support real-time offers.


MCTS Training, MCITP Trainnig

Best Microsoft MCTS Certification, Microsoft MCITP Training at certkingdom.com

 

7 killer open source monitoring tools

Network and system monitoring is a broad category. There are solutions that monitor for the proper operation of servers, network gear, and applications, and there are solutions that track the performance of those systems and devices, providing trending and analysis. Some tools will sound alarms and notifications when problems are detected, while others will even trigger actions to run when alarms sound. Here is a collection of open source solutions that aim to provide some or all of these capabilities.

Cacti
Cacti is a very extensive performance graphing and trending tool that can be used to track just about any monitored metric that can be plotted on a graph. From disk utilization to fan speeds in a power supply, if it can be monitored, Cacti can track it — and make that data quickly available.

Nagios
Nagios is the old guard of system and network monitoring. It is fast, reliable, and extremely customizable. Nagios can be a challenge for newcomers, but the rather complex configuration is also its strength, as it can be adapted to just about any monitoring task. What it may lack in looks it makes up for in power and reliability.

Icinga
Icinga is an offshoot of Nagios that is currently being rebuilt anew. It offers a thorough monitoring and alerting framework that’s designed to be as open and extensible as Nagios is, but with several different Web UI options. Icinga 1 is closely related to Nagios, while Icinga 2 is the rewrite. Both versions are currently supported, and Nagios users can migrate to Icinga 1 very easily.

NeDi
NeDi may not be as well known as some of the others, but it’s a great solution for tracking devices across a network. It continuously walks through a network infrastructure and catalogs devices, keeping track of everything it discovers. It can provide the current location of any device, as well as a history.

NeDi can be used to locate stolen or lost devices by alerting you if they reappear on the network. It can even display all known and discovered connections on a map, showing how every network interconnect is laid out, down to the physical port level.

Observium
Observium combines system and network monitoring with performance trending. It uses both static and auto discovery to identify servers and network devices, leverages a variety of monitoring methods, and can be configured to track just about any available metric. The Web UI is very clean, well thought out, and easy to navigate.

As shown, Observium can also display the physical location of monitored devices on a geographical map. Note too the heads-up panels showing active alarms and device counts.

Zabbix
Zabbix monitors servers and networks with an extensive array of tools. There are Zabbix agents for most operating systems, or you can use passive or external checks, including SNMP to monitor hosts and network devices. You’ll also find extensive alerting and notification facilities, and a highly customizable Web UI that can be adapted to a variety of heads-up displays. In addition, Zabbix has specific tools that monitor Web application stacks and virtualization hypervisors.

Zabbix can also produce logical interconnection diagrams detailing how certain monitored objects are interconnected. These maps are customizable, and maps can be created for groups of monitored devices and hosts.

Ntop
Ntop is a packet sniffing tool with a slick Web UI that displays live data on network traffic passing by a monitoring interface. Instant data on network flows is available through an advanced live graphing function. Host data flows and host communication pair information is also available in real-time.


MCTS Training, MCITP Trainnig

Best Microsoft MCTS Certification, Microsoft MCITP Training at certkingdom.com

Go to Top