Tuesday, March 18, 2008

Malicious subtitle file could trip up VLC media player

A flaw in the widely-used open-source VLC media player could allow an attacker to execute harmful code on a PC.
The problem stems from a buffer overflow that can occur when the player processes subtitle files used for movies, according to a security advisory.

The vulnerability existed before VLC was upgraded to version 0.8.6e in late February, but the bug appears to have escaped the last round of patches, wrote Luigi Auriemma in a note.

"The funny thing is that my old proof-of-concept was built just to test this specific buffer overflow, and in fact it works on the new VLC version too without modifications," Auriemma wrote.

Video files can contain a link to a separate subtitle file, which VLC automatically loads when it plays the video. An attacker could use the buffer overflow flaw in VLC to execute malicious code contained in a subtitle file, and thus tamper with a PC. The flaw affects VLC players running on Windows, Mac, BSD and possibly more operating systems, Auriemma wrote.

The VLC media player is part of the VideoLAN project. The player is free, and it is released under the GNU General Public License. VLC can also be used as a streaming media server for a variety of platforms.

Notes comes to the iPhone, via iAnywhere

IPhone customers who use Lotus Notes at work won't be left out anymore with a new offering from Sybase iAnywhere.
Sybase iAnywhere is set to announce on Tuesday that it is adding support for the iPhone in its Information Anywhere Suite, initially only for e-mail. That means that companies using Lotus Notes will be able to securely push e-mail messages to iPhone users.

Apple recently announced that it plans to support Microsoft's ActiveSync technology in its second-generation iPhone software so that iPhone users can receive Exchange e-mail. But the announcement did not include a way for Lotus Notes users to receive e-mail on iPhones, so Sybase hopes to fill that gap.

IAnywhere also thinks companies that use Exchange e-mail will be interested in using its software to push e-mail out to iPhones, even after Apple's new iPhone software comes out in June.

"ActiveSync has some limitations that enterprises find, in some cases, not suitable to their environment," said Senthil Krishnapillai, director of product management for Sybase iAnywhere's mobile collaborations group. For example, ActiveSync opens Active Directory in a way that creates a security issue for some companies, he said. "Those enterprises may want to use our technology because we have a better model to secure the communications between the device and a server without compromising the firewall or other security policies in place," he said.

Information Anywhere contains a component that sits inside the enterprise firewall. Mobile device connections end there, so that IT managers don't have to open inbound communications ports to their messaging infrastructure. IAnywhere has enabled that proxy to support the iPhone coming in from outside of the firewall, either from the mobile network or Wi-Fi.

Using Information Anywhere, IT managers can also set policies that restrict attachments from iPhones.

Initially, the Information Anywhere Suite will only support e-mail for the iPhone. It synchs mail to the iPhone's e-mail client. In addition, the software suite will allow users to look up co-workers in their corporate directory and their contacts via the browser on the phone.

IAnywhere did not need the iPhone SDK (software development kit) that Apple recently released in beta in order to develop the capability, although it did receive guidance from Apple that helped ensure it was working in the right direction, Krishnapillai said.

In the future, iAnywhere expects to be able to support additional services for iPhones within the suite. "Now that the SDK is open, we'll be able to provide more features in the future," he said. That means device management capabilities should become available for iPhone users in the future, as well as the ability to access data from other corporate applications on the phone.

Users of iPhones and Lotus Notes have a couple of other options for getting e-mail on their phones. MartinScott Consulting offers WirelessMail for Domino, which lets iPhone users send and receive Notes mail from the browser on the phone. Visto Mobile synchs Notes e-mail with the iPhone's e-mail client using IMAP (Internet Message Access Protocol) in a way that it says is secure for enterprises.

IAnywhere first announced in October that it planned to support the iPhone in the software suite. Support for the iPhone will become available at the end of March.

Information Anywhere supports Lotus Domino R6, 7 and 8 and Microsoft Exchange 2000, 2003 and 2007. Information Anywhere already can push data out to Windows Mobile, Symbian and Palm devices.

Toshiba, Samsung top latest Greenpeace electronics ranking

Toshiba and Samsung top the latest Greenpeace environmental ranking of consumer electronics companies.
The ranking, which was published on Tuesday, scores the world's largest consumer electronics companies based on their recycling policies and the toxic content of their products.

Toshiba climbed six ranks to tie at the top with previous leader Samsung, thanks to moves towards taking care of the electronic waste generated when its customers discard its products.

Toshiba had previously been a member of the Electronic Manufacturers' Coalition for Responsible Recycling, a U.S. group that favors making consumers contribute to the cost of recycling, but like some other manufacturers it has now left the group.

"This was a major step for Toshiba and follows LG, Samsung and Sony," said Zeina Al Hajj, a campaigner for the Amsterdam-based group.

Toshiba declined to comment on the ranking.

One-time leader Nokia was again penalized for its take-back recycling program. Greenpeace previously found that staff in the Philippines, Thailand, Argentina, Russia and India were not informed about the program or that details of the scheme were not available in a local language. This time around improvements were seen, but Russia and India remained problematic.

"They have to prove they are interested in recycling beyond the western world," said Al Hajj.

Had Nokia not been penalized it would have led the new ranking with a record-breaking score of 8.3.

One of the biggest jumps in the ranking since it was first published in August 2006 has been attained by Apple. The PC maker has risen from 2.7 points to 6.7 points in the new edition thanks to new products like the MacBook Air that use less toxic chemicals, said Greenpeace.

However Japan's Nintendo, manufacturer of the hugely popular Wii console and DS handheld gaming device, remains stuck near the bottom. It was introduced in the last survey and immediately became the only company to have ever scored zero. In the new ranking it has risen slightly to 0.3 points.

The low ranking reflects a failure on Nintendo's part to provide detailed information about its environmental policies.

"Nintendo has been sending out a pretty lame response to e-mails on the subject, which tells you mainly about office recycling," wrote the environmental group in a blog posting on its Web site.

Nintendo said it couldn't provide detailed comment on the report because it hadn't seen it.

A spokesman for the Kyoto, Japan, company, Yasuhiro Minagawa, said criticism of recycling information supplied with its products was "based on the assumption that recycling is good for the environment."

The next edition of the ranking is due out in June this year. The new ranking will be based on tighter criteria and be expanded to include measurements on energy consumption -- not just of the products but also their production -- and whether the company has eliminated the use of PVC and bromine flame retardants in products.

"It's not enough to tackle energy consumption of the products alone but also the production process and the amount of greenhouse gas emitted," said Al Hajj.

Earlier this month at the Cebit electronics show in Germany the environmental group called for consumer electronics companies to provide more information on the amount of energy used in the production and distribution stages of a product's life.

JasperSoft claims to be most widely deployed BI tool

JasperSoft, the open-source business intelligence vendor, is claiming that it is now the world's most widely deployed BI product.
"That will probably come as a surprise to a lot of people," said CEO Brian Gentile.

The San Francisco company claims its core product has been downloaded more than 3 million times, and that it has 65,000 registered developers, greater than 80,000 "production deployments," 300-plus projects ongoing at JasperForge.org, and more than 8,000 commercial customers in 96 countries.

Observers of the BI space said the company's popularity claims should be viewed in the proper light.

"The key here is open source (free) vs. commercial license implementations," said Forrester Research analyst Boris Evelson via e-mail. "I don't really track open source BI that closely, since it's usually used by developers to embed some portion of the code in other applications. The commercial version of JasperSoft (that comes with support, upgrades, documentation and a few features not available under open source license) is far from being the most widely deployed in the world."

David O'Connell, an analyst with Nucleus Research, also said reality may differ from what the company's numbers suggest. "They're open source and have tons of downloads from developers, but I wonder how many BI end-users are out there," he said Friday. "Nucleus interviews lots of companies that have deployed BI. We always ask who they considered when they bought, and JasperSoft has never come up."

By "production deployments," JasperSoft means instances where an organization has taken one or more of its products and put it into some type of production use, Gentile said.

Nick Halsey, vice president of marketing at JasperSoft, said 30 percent of the company's 8,000 commercial customers are in the Fortune 500/Global 2000 category, while the remaining 70 percent lie in the midmarket. "With larger companies you can guarantee they have more than one BI tool," he acknowledged, but added, "in the midmarket there's a significantly higher chance we're the first BI tool they've used."

The company said it also has integrations or OEM (original equipment manufacturer) relationships with a number of open-source relational database management systems (RDBMS), including Ingres, EnterpriseDB, MySQL and Greenplum Bizgres.

Gentile repeatedly cited the scope and strength of JasperSoft's developer base. To that end, the company is set to release a tool for tracking the health of an open-source community, under the Creative Commons license.

The Community Vibrancy Index derives a health score by weighing a broad series of metrics, including an open-source project's ranking on Sourceforge, the number of related forum posts and the number of downloads. "We tried to get more scientific about how we measured the health of the community," Gentile said.

In addition, the company is set to release a number of upgrades to the community edition of its BI suite. The features include a Flash exporter for working with Adobe's Flex development environment and support for the JSR-168 portal integration standard. The company also said its software now has support for more than 20 languages.

HP to sell Linux laptops and PCs

HP is planning to introduce desktop and laptop computers that come with Novell's Suse Linux Enterprise Desktop operating system preinstalled.
Systems are scheduled to start shipping worldwide in select geographies in the second quarter of this year, according to a source familiar with the matter. The two vendors will jointly develop software drivers and provide support to end-users.

HP didn't respond to several requests for comment.

In an interview at the Novell Brainshare conference in Salt Lake City, Roger Levy, vice president for open platform solutions with Novell, characterized the HP deal as significant. "Having any additional distributor that has worldwide reach and has a large market share who will bring enterprise grade Linux in as an option, is very significant to us," Levy said.

Levy declined to provide further details on the deal that will make HP the latest vendor to start shipping pre-installed Linux systems. Dell currently sells Ubuntu computers to consumers worldwide and offers Suse in Asia. Lenovo has been shipping computers running Suse Linux worldwide. HP's Linux offerings so far have been limited to the workstation segment.

Novell primarily markets its desktop Linux software to businesses. Its Linux bundles come with an annual support contract that is uncommon in the consumer market. For now the company has no interest in offering consumer desktops with Suse preinstalled, said Levy.
"We do look at the consumer side from the nature of increasing our [developer] community," said Levy. "But from a business point of view, our focus is on the enterprise."

Linux is becoming an increasingly viable alternative to Windows on the desktop, Levy argued. The operating system has all the features required by enterprises, including support for common business applications such as Active Directory and Exchange. Productivity software such as Open Office too has reached a maturity level that satisfies enterprise demands.

Lastly, Novell is banking on concerns about Windows Vista, said Levy. The operating system has high demands on hardware and is suffering from poor driver support. "Vista has left more questions in people's minds than past generations [of Windows] in terms of the value proposition."

Microsoft, Intel to fund multi-core research at UC Berkeley

Microsoft and Intel on Tuesday will unveil a plan to fund university research into new ways to program software for multi-core processors, Microsoft confirmed Monday.
The companies will unveil funding for research at the University of California at Berkeley to tackle the challenges of programming for processors that have more than one core and so can carry out more than one set of program instructions at a time, a scenario known as parallel computing.

UC Berkeley quietly opened a Parallel Computing Lab in January, according to a UC Berkeley Web site, and the companies are expected to reveal that they will be funding research there.

In 2006, researchers at Berkeley's Electrical Engineering and Computer Sciences department published a white paper sharing their views on parallel computing, which spurred the creation of the lab. In the paper, they said the current evolution of programming models from single-core to the dual-core and quad-core processors available today from Intel and AMD won't work for a future where processors could have as many as 16, 32 or hundreds of cores. They set out to find a better way to develop programming models to meet the challenges of multi-core chips.

Intel plans to release a six-core processor, code-named Dunnington, in the second half of this year, and an eight-core processor, called Nehalem, at some point in the future. AMD has not publicly discussed its plans for chips beyond its current quad-core offerings.

Microsoft and Intel plan to hold a press conference on Tuesday at 10:00 a.m. PST to discuss the news, which was revealed in The Wall Street Journal and other published reports on Monday. A spokeswoman from Microsoft's public relations firm confirmed the WSJ report but said it was only part of what will be revealed Tuesday.

Those expected to unveil the research on the conference call Tuesday are Andrew Chien, director and vice president at Intel Research, and Tony Hey, a corporate vice president at Microsoft Research.

Agam Shah in San Francisco contributed to this story.

Intel to shrink upcoming Nehalem chips for laptops

Intel said Monday that its upcoming chip microarchitecture, Nehalem, will first be targeted at servers and high-end desktops but later will be scaled down for laptops.
The Nehalem architecture, a substantial upgrade to Intel's current Core 2 microarchitecture, will pack between two and eight cores, said Pat Gelsinger, senior vice president and general manager of the digital enterprise group at Intel, during a press briefing on Monday. He did not talk about plans for Nehalem laptops. Intel plans to touch on the subject at the Intel Developer Forum in Shanghai in early April, a company spokesman said.

Each core in Nehalem chips will be able to execute two software threads simultaneously, so a server could potentially run 16 threads at the same time. Each core will have 256K bytes of L2 cache and a shared 8M-byte L3 cache, so local cores can better execute threads, Gelsinger said. The QuickPath Interconnect will provide improved communication between system components.

The Nehalem architecture will include an integrated DDR3 memory controller that delivers three times the memory performance of today's highest-performance Xeon processor, Gelsinger said. Nehalem chips will come with an optional integrated graphics controller, Gelsinger said.

Overall, Nehalem chips are designed to deliver better performance-per-watt and improved system performance, Gelsinger said. The chips are due for release in late 2008 and will be made with a 45-nanometer manufacturing process.

The company will follow up Nehalem with the Westmere microarchitecture in 2009 and Sandy Bridge in 2010. Work has begun on microarchitectures to succeed Sandy Bridge, but code-names have not been assigned to those. Intel has said chips will be manufactured using a 22-nm manufacturing process by 2011.

Intel is also working on the Larrabee platform, which will combine lots of cores, lots of threads and graphics capabilities to deliver high speed for the high-performance computing segment, Intel CEO Paul Otellini said at an investor conference in early March. It may bundle a graphics processing unit with the CPU on a single chip, Gelsinger said. Intel rival Advanced Micro Devices plans to launch the Fusion chip, which will combine a graphics processing unit and CPU on one chip, in the second half of 2009.

Intel also said it would ship its first six-core Xeon processor, code-named Dunnington, in the second half of this year. The Dunnington chip will be part of Intel's Xeon MP 7300 series of processors and will allow a four-processor server to have as many as 24 cores. The chip will have 1.9 billion transistors and include a 16M-byte L3 cache. It will be part of the Caneland server platform, which also includes the Clarksboro chipset.

Hannaford supermarket chain reports data theft

Data thieves broke into computers at supermarket chains Hannaford Brothers and Sweetbay, stealing an estimated 4.2 million credit and debit card numbers, Hannaford said Monday.
"The stolen data was limited to credit and debit card numbers and expiration dates, and was illegally accessed from our computer systems during transmission of card authorization," said Hannaford CEO Ron Hodge, in a statement posted to the company's Web site.

Hannaford became aware of the theft on Feb. 27, following reports of suspicious credit card activity. The crime, which occurred some time between December and March, is one of the largest reported data thefts from a retailer in U.S. history.

"Somebody hacked into their system," said Mark Walker, vice president and counsel with the Maine Bankers Association, which started informing its 15 member banks of the breach last Friday.

Although only credit and debit card numbers were stolen -- not names or addresses -- Walker said that some cases of identity theft had been associated with the incident.

The Associated Press reported Monday that more than 1,800 cases of fraud had been linked to the theft, which affects 4.2 million credit and debit card numbers.

That's far fewer account numbers than in the nation's largest retail data theft. In 2005, hackers gained access to computer systems at Massachusetts-based TJX Companies, owners of T.J.Maxx, Marshalls and Bob's Stores. That breach affected more than 94 million credit and debit card accounts.

Hannaford is owned by Belgian supermarket giant Delhaize Group, which operates about 1,500 stores in the eastern U.S. In addition to Hannaford Brothers, it owns Food Lion, Bloom, Bottom Dollar, Harveys, Kash n' Karry and Sweetbay grocery stores.

Hannaford stores in New England and New York state were hit with the theft, as were the company's Sweetbay stores in Florida, according to the Hannaford Web site. The company warned that some independent retail locations in the Northeast that carry Hannaford products were also affected.

Close to 70 Massachusetts banks have been contacted by Visa and MasterCard about the incident, which occurred between December and March, the Massachusetts Bankers Association (MBA) said Monday in a statement.

"The MBA estimates that hundreds of thousands of credit and debit cards owned by consumers in Massachusetts and northern New England states could be affected, and is urging consumers to monitor their accounts," the bankers association said.

MasterCard characterized the incident as a "potential security breach" and issued a statement saying that the matter is being investigated by law enforcement. Because of the ongoing investigation, however, the credit card company declined to provide additional details.

A Secret Service spokesman confirmed Monday that his agency, which pursues financial crimes, is investigating.

Delhaize and Hannaford representatives did not return telephone calls and e-mails seeking comment on Monday. On its Web site, Hannaford is advising customers looking for help with the matter to call its support line at 1-866-591-4580.

Because Hannaford does not associate addresses or names with its credit card numbers, it is unable to notify those who have had their credit card numbers compromised, the company said.

RFID-hack hits 1B digital access cards worldwide

The Dutch government has issued a warning about the security of access keys that are based on the widely used Mifare Classic RFID chip.
Government institutions plan to take "additional security measures to safeguard security," Guusje ter Horst, minister of interior affairs, wrote in a letter to parliament on Wednesday.

NXP developed the Mifare Classic RFID (radio frequency identification) chip, which is used in 2 million Dutch building access passes, said ter Horst. One billion passes with the technology have been distributed worldwide, making the security risk a global problem. A spokesperson for the ministry told Webwereld, an IDG affiliate, that it had not yet notified other countries.

The warning comes in a week when two research teams independently demonstrated hacks of the chip's security algorithm.

On Monday, German researchers Karsten Nohl and Henryk Plötz, who first hacked parts of the chip last December, published a paper demonstrating a way to crack the chip's encryption technology. The duo declined to publicly demonstrate their hack. "We want to start a discussion first, allowing people to adjust or abandon their systems," Nohl told Webwereld last week. He added that he would provide a demonstration before June.

On Wednesday, Bart Jacobs, an information security professor at the Radboud University in Nijmegen, demonstrated a hack of the chip's security encryption. Jacobs had notified the security service before going public, and the service has since confirmed the hack. A video demonstration of the hack is scheduled for publication on Wednesday.

Criminals can use the hack to clone cards that use the Mifare Classic chip, allowing them to create copies of building access keys or commit identity theft.

The chip is used in payment systems worldwide, such as the Oyster Card in the U.K. and the CharlieCard that is used in Boston. Both offer payment systems that allow for wireless transactions.

In the Netherlands, the Mifare Classic chip has been at the center of a national controversy since Nohl and Plötz first published their findings at the Chaos Computer Camp in Berlin last December.

The chip is the basis of a national proof-of-payment system for public transport. A recently published government-issued study by the Netherlands Organization for Applied Scientific Research dismissed the potential security threat, claiming that hackers would take at least two years to crack the security codes.

Supreme Court: Novell's antitrust suit against Microsoft can go forward

The U.S. Supreme Court on Monday denied a request by Microsoft to halt an antitrust suit that Novell filed against the company for anticompetitive behavior it said harmed its WordPerfect and Quattro Pro business in the 1990s.
The Supreme Court denied a writ of certiorari request by Microsoft for a case Novell filed in a U.S. District Court in Maryland nearly 10 years after the Waltham, Massachusetts, company sold the programs in question to Corel. A writ of certiorari asks the Supreme Court to review and rule on a decision by a lower court and is typically filed by a losing party in a case.

In the ruling that denied the writ, posted on the Supreme Court Web site as part of the order list for Monday, Chief Justice John Roberts "took no part in the consideration or decision of this petition." According to published reports, Roberts abstained from ruling because he is a Microsoft shareholder.

In its original suit, Novell accused Microsoft of withholding technical information about Windows that would help its WordPerfect and Quattro Pro programs work with the OS and, as a result, the programs lost critical market share. Novell filed the suit shortly after Microsoft paid the company US$536 million to settle antitrust claims over Novell's NetWare OS.

Microsoft said Novell's claims in the case were not valid because its productivity software did not compete with Windows. However, in June 2005, Maryland Judge J. Frederick Motz ruled that Novell's antitrust claims could go forward based on the 2002 federal antitrust case brought against Microsoft by the U.S. Department of Justice. Both a federal district court and the 4th Circuit Court of Appeals upheld the Maryland court's decision.

Appeals court gives Qwest's Nacchio a new trial

A U.S. appeals court has granted Joseph Nacchio, the former CEO of Qwest Communications International, a new trial, reversing his April 2007 conviction on 19 counts of insider trading.
A three-judge panel of the U.S. Court of Appeals for the 10th Circuit, based in Denver, Colorado, ruled that the district court judge who tried Nacchio's case erred by barring Professor Daniel Fischel, a University of Chicago law professor, from testifying. Nacchio's lawyers wanted Fischel to testify about the ex-CEO's stock trading patterns.

Nacchio was sentenced in July to six years in prison and ordered to pay US$19 million in fines, as well as repay $52 million from past stock trades. He was indicted in December 2005 on 42 counts of insider trading.

Nacchio, CEO at Qwest from January 1997 to June 2002, was accused of using insider information to sell US$100.8 million worth of stock between January and May 2001. Nacchio was tried in U.S. District Court for the District of Colorado.

Nacchio resigned in 2002 from Qwest, a telecommunications provider that serves several states in the West and Midwest, amid concerns from shareholders about his $27 million annual compensation package.

In 2005, the U.S. Securities and Exchange Commission charged him and other Qwest executives with fraud, saying they misrepresented one-time sales of network capacity as recurring revenue in order to boost the company's stock price. Nacchio unloaded his own stock while predicting strong growth, all the while knowing about problems with Qwest's performance, the U.S. government charged.

Nacchio's lawyer wasn't immediately available for comment.

Iomega likes new EMC bid

The second time may prove to be the charm in EMC's attempt to acquire Iomega, as the consumer and small-business storage maker said Monday that EMC's latest offer is superior to other potential deals.
In an unsolicited, nonbinding "indication of interest," EMC is now offering as much as US$3.75 per share, according to an Iomega statement, up from about $3.25 per share in an offer earlier this month. With about 54.8 million Iomega shares outstanding, the new offer values the company at approximately $205.5 million.

Iomega agreed in December to acquire a Chinese partner, ExcelStor Great Wall Technology, and an affiliated company in a deal that would create a dramatically bigger vendor that could offer a broader product line. When EMC made its first offer, for about $178.1 million, Iomega rejected it as not being superior to the ExcelStor deal. Iomega said it remains committed to the ExcelStor transaction, which is pending regulatory approval, but its board has authorized the company to talk with EMC and give it information in pursuit of the proposed buyout.

Iomega made its name with its popular Zip drives and removable disks for consumer data storage and today sells external hard drives, networked storage, online storage and other products in addition to Zip and the newer Rev removable disks. The San Diego company was a pioneer in consumer storage and a hot stock in the 1990s, but as the market has grown and technology has changed, it has faced a growing number of competitors. Even big players such as EMC have tried to move into Iomega's territory.

When Iomega announced the ExcelStor deal in December, President and CEO Thomas Kampfer said his company just wasn't big enough to develop and market products beyond external storage. That combination would increase its workforce by ten times, to about 3,000, and boost its revenue from $300 million to about $1.1 billion per year. Being acquired by EMC, which reported more than $13 billion in revenue last year, would also boost Iomega's scale and resources.

"We're encouraged by Iomega's decision to move ahead with EMC discussions, and look forward to next steps," EMC said in a statement Monday.

In midday trading on the New York Stock Exchange, Iomega shares (IOM) were up $0.27 at $3.53 and EMC's stock (EMC) was down $0.44 at $14.35.

The top 10 security land mines

Many companies spend a small fortune and deploy a small army to secure themselves from the many security threats lurking these days. But all those efforts can come to naught when making any of these common mistakes. The results can range from embarrassing to devastating, but security experts say that all are easily avoidable.
And almost all can be done without spending one more dime.

Here are the 10 most common security land mines that experts say you need to avoid.

1. A slip of the finger reveals the company secret
Many of the most prevalent security issues are the result of small technological habits that can easily be avoided.

For instance, imagine how many inadvertent data loss events could be eliminated if more users were instructed to turn off the e-mail address "autofill" feature in Microsoft Outlook and other messaging systems, said Steve Roop, senior director of marketing and products at Symantec.

"When employees are quickly addressing their e-mails, they inadvertently tab and select the wrong name in haste. The employee thinks he is sending an e-mail internally to Eric Friendly, but autofill instead sent it to Eric Foe," Roop said. "We've all done this. [But] if the e-mail contained sensitive data about a proposed merger or acquisition, then the secret is out."

As much as 90 percent of all information leakage events are tied to inadvertent e-mail foibles, including the autofill accidents and mistakes in handling encryption or misinterpreting usage policies, Roop said. Just the simple act of turning off something like autofill could save businesses a lot of headaches at no extra cost, he said.

2. People give away passwords and other secrets without thinking
More often than not, users -- not outside intruders -- are responsible for coughing up the passwords and personal data that allow attackers to break into their computers and their employer's networks to wreak havoc and tarnish their names.

Despite all the education people have been given about phishing, spyware programs, and hacked Web sites, many users are still willing to hand out their data whenever it is requested without checking to ensure that they aren't being duped or misled, said Dave Marcus, security research and communications manager at McAfee. "People assume the legitimacy of sites as presented; this is fundamentally incorrect in a Web world," Marcus said. "The easiest way to steal someone's identity online is simply to ask them for it."

3. A trusted partner ends up not being so trustworthy with your data
Another common security error is found among users who assume that it is fine to send sensitive information such as human resources data to business partners or outsourcing services providers, Roop said. This land mine is made worse when the messages are sent unencrypted.

"The land mine is making the assumption that the person at the HR outsourcer isn't going to send the spreadsheet anywhere else or store the data improperly on their unsecured laptop," he said. "This land mine is true whenever sensitive data is shared via e-mail as part of a business process with third parties."

4. Web-based apps can be portals to leaks and thieves
Common behaviors that lead to a lot of security problems include the use of Webmail and allowing workers to access music-downloading and file-sharing services from the company network, said Marcus.

Such Web-based apps bypass your security filters, as in the case of Webmail, or open a channel to the outside that may carry viruses or worse into your organization.

And if your employees take work home, these risks are magnified. If they use your computers and also do personal activities over the Web, those computers could be compromised, Marcus said. If they bring the data home -- via e-mail or a thumb drive -- they risk it getting lost or stolen.

All of these problems can be avoided fairly easily through enforcement of policies that require the use of secure mail clients over VPNs or encrypted channels (in the case of e-mail), or not allowing users to install apps on their work computer or copy data to removable media (in the case of taking work home). Much of this can be managed through security policies and systems management apps. One difficult channel to block is the use by employees of e-mail to send themselves data, though encryption can help.

5. Hoping the worst doesn't happen only makes it worse
Nobody wants to have a data breach, but you need to act as if one will, advised Kevin Mandia, chief executive of Mandiant, which specializes in post-breach analysis services and software tools. Every organization can take steps to lessen the impact of a breach once it happens. Unfortunately, most companies wait until it is too late to test or even create their response strategies, he said.

Every company should record the data flow, from who had access, and when, to what systems used the data. But few do, Mandia said. "There's no question, the most common error we see is failure to document what happened," he said. "People hire us and the first thing we ask for is any related documentation that people already have. Most often, people will hand over terabytes of data and no formal documentation. Technicians stink at it, and lawyers don't mandate it. So in almost every incident, we go in and ask them what happened and the response is the sound of crickets chirping."

6. Avoiding or diluting response leadership makes breaches worse
Companies also seriously inhibit their ability to respond to breaches by failing to appoint a single leader or small team to spearhead efforts to respond to incidents and chase down important details.

In many firms, the process devolves into a game of pass-the-buck, while others involve so many people in the breach response effort that they actually become a hindrance to the related investigation.

"We often respond and no one is in charge, no one wants to be, and as a result, no one knows what dedication of resources to give the incident in terms of money, tools, or technologies, and no one person individually can balance their day job with the amount of resources needed to handle a major incident," Mandia said.

"On the flip side, some companies now bring too many people to the decision-making table while still trying to respond. We show up and we're immediately briefing 12 people -- and 10 don't need to be there," he said.

7. Handling breach details sloppily tips off the perp
Another common problem is that companies typically fail to establish a "need to know" approach to breaches, which makes it harder to carry out baseline investigations as workers find out about an incident and immediately try to protect their own interests.

If insiders are involved in the problem, they also gain the advantage of knowing that the jig is up and may stop telltale behavior useful to investigators -- and often try to cover their tracks, Mandia said.

8. Trusting "silver bullet" technology hides real threats
As regulatory measures that involve IT and data security interests continue to multiply, businesses have invested a lot in technological solutions to plug the holes. But companies commonly believe that installing a specific technology or meeting some individual aspect of a regulation is a silver bullet or a quick fix. It's neither.

"The biggest problem I see is people thinking that simple things like deploying anti-virus [software], patching, and running vulnerability scans are actually what it means to be compliant. They're not approaching it from a risk management standpoint -- they're just checking the boxes," said Mike Rothman, an analyst with Security Incite.

Companies often compound this fools' paradise by auditing their limited security fixes and taking a passing grade as confirmation that no more work is needed. "People often think that once they have a positive audit, they're done," Rothman said. "Then the bad guys prove to them that they're not."

9. Spending unthinkingly wastes resources you might need for important threats
Another compliance-related security trap that companies frequently fall into is spending the same effort or expense to protect IT systems with wildly different levels of importance to their organization's security and success, Rothman said.

"Some people make the mistake of treating all security issues equally, and spend the same amount of time and money defending an old application that only five people use that they spend on an online application used by all of their customers," he said.

That approach not only wastes money, but it also can leave more important problems to later consideration -- or maybe none at all, once the budget has dried up. "Security people often don't know how to prioritize," Rothman said. "They should look at what happens if something specific breaks and look at how to drive spending from there."

10. Don't save the wrong data
In another common scenario that spells disaster for both security and compliance interests, many companies that process credit and debit cards inadvertently leave transaction logging systems on that store account information. This logging can lead to customer data breaches and PCI (Payment Card Industry) audit failures.

"Naturally, they don't realize they are storing the data a hacker or malicious employee would need to create fake plastic credit cards," said Symantec's Roop. "This is the cardinal sin of PCI compliance. We actually saw this example at a [recent] prospect. It is a big land mine that most likely will result in a failed PCI audit."

Even companies not collecting card data need to make sure that they only save the information they actively need to do business, Roop said. Keeping anything on hand that could be misused by attackers without a clear need to store that data is asking for trouble, he advised. And if it must be retained, then be sure to build a protection method for it as well.
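As an added example that is not part of the article, the following Python scanner shows the kind of check Roop's point calls for: it flags card numbers that a transaction log has retained and masks them to the last four digits, using a Luhn check so that other long numeric fields (order IDs, timestamps) are not false positives. All function names and the sample log lines are constructed for illustration; the card numbers are the well-known industry test numbers, not real accounts.

```python
"""Detect and redact primary account numbers (PANs) that leaked into log lines.

Added example, not the article's or any vendor's code. The log lines below
are constructed; the card numbers are standard test numbers.
"""
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalize(candidate: str) -> str:
    """Strip the separators the regex allowed so the Luhn check sees digits only."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(line: str) -> list:
    """Return the Luhn-valid PANs (digits only) found in one log line."""
    found = []
    for m in _PAN_CANDIDATE.finditer(line):
        digits = _normalize(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def redact_line(line: str) -> str:
    """Mask each Luhn-valid PAN in the line, keeping only its last four digits."""
    def mask(m):
        digits = _normalize(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group(0)       # not a card number: leave the field untouched
    return _PAN_CANDIDATE.sub(mask, line)


def scan_log(lines) -> dict:
    """Scan log lines; report how many carried a PAN and return redacted copies."""
    lines_with_pan, pans_found, redacted = 0, 0, []
    for line in lines:
        hits = find_pans(line)
        if hits:
            lines_with_pan += 1
            pans_found += len(hits)
            redacted.append(redact_line(line))
        else:
            redacted.append(line)
    return {"lines_with_pan": lines_with_pan, "pans_found": pans_found, "redacted": redacted}


# Constructed sample transaction log (dates, terminal names and amounts are made up).
SAMPLE_LOG = [
    "2008-03-18 10:02:11 POS-07 AUTH approved card=4111 1111 1111 1111 amount=42.10",
    "2008-03-18 10:02:13 POS-07 order=1234567890123 status=shipped",
    "2008-03-18 10:03:40 WEB capture pan=5500000000000004 exp=0310 cvv=***",
]
```

The 13-digit order number on the second line matches the digit pattern but fails the Luhn check, so it is reported as clean while both card numbers are masked.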

YouTube API strategy may have business appeal

YouTube's new application programming interface (API) enhancements and other tools, aimed at helping the online community better connect and engage in the video sharing site, could very well have applicability for the corporate sphere, the company said.
YouTube is providing wholesale access to its video library, worldwide audience, and underlying video hosting and streaming infrastructure behind the site. Enhanced APIs allow developers to build Web-based applications with functionality to upload videos to YouTube, as well as interact with the site by commenting, rating and picking favorite videos. The APIs also allow better capabilities around user-generated content such as uploading video created from mobile devices. Also, developers can customize and control the Flash player upon which video content is run.

YouTube product manager Jim Patterson said the company is looking forward to discovering how a variety of users, including businesses, will incorporate the APIs in creative new ways. "Using the YouTube APIs and Tools has the potential to bring consumer and enterprise sites, software, or devices into the network," he said.

YouTube is a "global network of interconnected users and partners and videos accessible through multiple end points, on and off the Web," said Patterson.

Google bought the San Bruno, Calif.-based video-sharing site in late 2006.

Google's announcement of enhanced YouTube APIs initially appears minor, but the reality is it's "hugely important and is the most significant thing that Google has done with YouTube since they acquired it," said Michael O'Connor Clarke, vice-president of Toronto-based public relations firm Thornley Fallis Communications Inc.

The news illustrates how YouTube has morphed from what was merely a destination for uploading and surfing video content to "a full service," he added.

YouTube's broadened scope presents some corporate use for those businesses with video-worthy content and the desire to share it internally or externally, he said. And Google's sturdy and free backbone infrastructure means businesses can "outsource the pain" of video hosting, sharing and limited bandwidth to a company that does it well, said O'Connor Clarke.

Furthermore, in the realm of corporate training, he said businesses can build their "own nicely branded intranet or other corporate training facility" using the APIs.

The fact that YouTube is a free platform with a massive audience reach makes it a ripe stage for businesses to realize a return on investment as part of their marketing strategy, said Warren Shiau, senior associate with Toronto-based consulting firm The Strategic Counsel. He said Google is "certainly trying" to extend the previously un-monetized YouTube platform to corporate users, besides its consumer audience, with the enhanced APIs.

Illustrating ease of access, Shiau said a company training video can be viewed at home on a 12-year-old computer without having to rely on a corporate virtual private network.

O'Connor Clarke agreed that extending the business to the YouTube platform would require minimal investment because while developer skills are required to take advantage of the APIs, those skills are reasonably readily available.

And corporations need not be deterred by YouTube's image as a consumer platform, he added, because although it has been driven by user-generated content till now, companies are increasingly repurposing corporate material for the site. "The perception that it's consumer dominated is starting to go away with more forward looking organizations," he said.

YouTube's enhanced APIs are also a great opportunity for digital marketing agencies to help their clients understand and integrate this Web 2.0 platform into the business, he said.

ValueClick to pay $2.9 million to settle spam complaint

Online advertiser ValueClick has agreed to pay a record $2.9 million to settle a U.S. Federal Trade Commission complaint that it sent deceptive advertising claims in spam e-mail and failed to secure consumers' sensitive financial information.
ValueClick subsidiary Hi-Speed Media used deceptive e-mails, banner ads and pop-ups to drive Internet users to its Web sites, the FTC said Monday. The e-mails and ads promised that consumers were eligible for free gifts, including laptops, iPods and gift cards. The ads included promises such as "Free PS3 for survey," and "CONGRATULATIONS! Select your FREE Plasma TV," the FTC said.

Consumers who went to ValueClick's Web sites because of these promises were led through a "maze of expensive and burdensome" third-party offers, including car loans and satellite television subscriptions, which they were required to "participate in" at their own expense in order to receive the promised merchandise, the FTC alleged.

ValueClick's use of deceptively labeled e-mail messages offering free gifts and its failure to disclose that consumers must spend substantial sums of money to obtain the promised merchandise violated the Can-Spam Act and the FTC Act, the FTC said.

The settlement with ValueClick and subsidiaries Hi-Speed Media and E-Babylon was filed with the U.S. District Court for the Central District of California last Thursday. In addition to the $2.9 million fine, the largest ever for violations of the Can-Spam Act, the 2003 antispam law, the settlement requires ValueClick to clearly disclose the costs and obligations consumers must incur to receive the products it touts as free. It also bars deceptive claims about the security of the consumer information collected at the company's Web sites.

ValueClick announced last month it had agreed to a settlement with the FTC. It recorded a $2.9 million charge on its financial results in the fourth quarter of 2007 in anticipation of the settlement, the company said in a February news release.

"We have worked with the FTC and have reached an agreement on the standards and practices that will govern our lead generation business going forward," David Yovanno, chief operating officer of ValueClick's U.S. media, said in a statement. "We believe this settlement will also help set the guidelines for the lead generation industry as a whole, and we will continue to participate in the Interactive Advertising Bureau to help establish best practices to that end."

In addition to the spam-related complaints, the FTC charged that ValueClick, Hi-Speed Media and E-Babylon misrepresented that they secured customers' sensitive financial information consistent with industry standards. The companies claimed in online privacy policies that they encrypted customer information, but either failed to encrypt the information or used a nonstandard and insecure form of encryption, the FTC said. Several of the companies' Web sites were vulnerable to SQL injection, a commonly known form of hacker attack, contrary to claims that the companies implemented reasonable security measures, the FTC said.

The settlement bars ValueClick, Hi-Speed Media and E-Babylon from making misrepresentations about the use of encryption or other electronic measures to protect consumers' information. The order also requires the companies to establish and maintain a comprehensive security program, and obtain independent third-party assessments of their security for 20 years.

This is the FTC's third case targeting the use of deceptive promises of free merchandise by Internet-based lead generation operations, and the commission's 18th case challenging data security practices by a company handling sensitive consumer information.

EBay to take over affiliate program's management

EBay will soon take over management of the affiliate programs for its core marketplace and for its Half.com site from ValueClick in the hopes that it can operate them more efficiently.
In early April, EBay will begin to migrate the roughly 100,000 affiliates away from ValueClick's Commission Junction to the new in-house platform, the company was due to announce Monday.

One affiliate looking forward to the change is GetItNext, a search engine for eBay listings that gets a commission every time its visitors click over to eBay and buy a product.

"ValueClick's Commission Junction does a fairly good job, but the product over the years has grown a bit stagnant and hasn't been keeping up with the demands affiliates have had," said Ron Stewart, GetItNext's CEO.

For example, GetItNext routinely has to manually "dig out" data it feels is essential about its referrals, sales and commissions from the ValueClick reports, Stewart said.

In addition, the company has encountered data integrity problems with the information it receives from ValueClick, forcing GetItNext to engage in very time-consuming data reconciliation efforts, Stewart said.

GetItNext has been beta testing the eBay system and is encouraged by its tests so far, and in particular by the development road map, which promises a significant improvement over the ValueClick tools, he said.

From eBay's perspective, a key goal is to establish a closer relationship with its affiliates, which are an important part of the company's marketing and sales operation, said Matt Ackley, eBay's vice president of Internet marketing.

By eliminating the inherent latency of having a third party involved in the process, eBay hopes to be able to more quickly analyze affiliate data and make more effective decisions about the program, Ackley said.

Migrating to the eBay affiliate platform will involve what Ackley described as a simple process of swapping listing tags, but how manual or automated the process is on the affiliates' end will depend on how they have set up their systems, he said.

GetItNext's Stewart expects the migration will be smooth for his company. "Because of the way we built the site, changing the parameters will be very simple, with a slight change of code," Stewart said.

Later this year, eBay might take over others of its affiliate programs that ValueClick manages, including the ones for StubHub, ProStores and eBay Stores, Ackley said.

Affiliates come in a variety of shapes and sizes, including Web publishers that carry sellers' listings, merchants that market their products on their own Web sites, Web sites that display eBay banner ads and firms that do e-mail marketing, he said.

ValueClick, which has managed the eBay and Half.com affiliate programs since 2001, didn't immediately reply to a request for comment.