Successful Tips for Blogging

Want to have a successful blog?  Check out these tips and start following them.

There are at least ten characteristics off the top of my head that make blogs and bloggers successful. These characteristics give the blogs mentioned below fame, fortune, and loyal followings.

Want to build your blog and following? Here are some key ideas and takeways — as well as inspirational bloggers you might want to follow — who can help you realize that dream.

Read more: http://www.techipedia.com/2010/influential-bloggers-traits/?#ixzz0joGOOFQe

These are solid tips that I will be trying to follow in the coming weeks with this blog.

Related articles by Zemanta

• Want to be a successful blogger? (e1evation.com)
• Weekly Blogging Challenge #4 (internetmarketingformommies.com)
• Bloggers, I Hear You (davidrisley.com)

11 hidden security threats and how to stop

This is a must read.

Do you know how to guard against scareware? How about Trojan horse text messages? Or social network data harvesting? Malicious hackers are a resourceful bunch, and their methods continually evolve to target the ways we use our computers now. New attack techniques allow bad guys to stay one step ahead of security software and to get the better of even cautious and well-informed PC users.

Don’t let that happen to you. Read on for descriptions of 11 of the most recent and most malignant security threats, as well as our complete advice on how to halt them in their tracks. (Source: Infoworld)

Here are the threats:

1. Shortened URLs

2. Data Harvesting

3. Social Network Impostors

4. Web Snooping

5. Scareware

6. Trojan horse texts

7. Lost laptops, exposed data

8. Rogue Wi-Fi hotspots

9. Weak Wi-Fi security

10. Endangered data backups

11. Unpatched software

Go here to learn about the threats and how to protect against them.  And learn about 5 security myths as well.

Related articles by Zemanta

• 5 Top Tips on How to Stay Safe While Using WiFi Abroad (travelblissful.com)
• Fake Spyware Blockers Are the New Internet Threat In 2010 (prweb.com)
• Pop-Up Security Warnings Pose Threats (deurainfosec.com)

Widespread attacks against IE flaw

Image via Wikipedia

If you haven’t applied the patch yet beware.  If your still using IE 6, upgrade.

The first widespread attack to leverage a recently patched flaw in Microsoft‘s Internet Explorer browser has surfaced.

Starting late Wednesday, researchers at antivirus vendor Symantec‘s Security Response group began spotting dozens of Web sites that contain the Internet Explorer attack, which works reliably on the IE 6 browser, running on Windows XP. The attack installs a Trojan horse program that is able to bypass some security products and then give hackers access to the system, said Joshua Talbot, a security intelligence manager with Symantec.

Once it has infected a PC, the Trojan sends a notification e-mail to the attackers, using a U.S.-based, free e-mail service that Symantec declined to name.

As of midday Thursday, Symantec had spotted hundreds of Web sites that hosted the attack code, typically on free Web-hosting services or domains that the attackers had registered themselves.

The IE flaw being leveraged in these attacks was also used to hack into Google‘s corporate network last December. It has been linked to similar incidents at Adobe Systems and 33 other companies. Microsoft patched the vulnerability in an emergency security update Thursday morning.

The Google attack hit IE 6 on Windows XP, but over the past week hackers have found ways to exploit the flaw on more recent versions of the browser as well. These latest techniques do not appear to be used on the Web sites Symantec has uncovered. They use the IE 6 exploit code, Talbot said.

Still, with IE 6 still being widely used, the move to more widespread attacks is worrying. “It may be an indication that attackers have finally ramped up their attack toolkits and are now ready to launch widespread attacks,” Talbot said.

Phishing is being used to gain victims.

He believes that the criminals are tricking victims into visiting their Web sites by sending spam e-mail or instant messages with links to sites.

On Thursday, Websense published some sample e-mails used in targeted attacks that exploit the IE bug. A typical subject line is “Helping You Serve Your Customers.” The e-mail reads, “I just heard the news: Helping you serve your customers” and includes a link to the malicious Web site.

The e-mails contain spoofed e-mail addresses, designed to fool victims into thinking that they were sent by a colleague. The malicious Trojan used in the attack is not the same one that was used in the Google attack, however.

Websense has seen these e-mails sent to targeted companies in the U.S. and the U.K., said Patrik Runald, a security research manager with Websense. “These attacks are actually continuing; they happened today; they happened yesterday and they happened the day before.”

However, Websense believes that the e-mails it has tracked are part of a small-scale targeted attack, similar to those used on Google and Adobe in attacks that are ongoing. Websense has counted only about 25 malicious Web sites to date, but the number is rising fast, Runald said. (Source: InfoWorld)

Related articles by Zemanta

• Widespread attacks exploit newly patched IE bug (computerworld.com)
• Microsoft Plugs Security Hole Used in December Attacks (bits.blogs.nytimes.com)
• 5 More Reasons Why IE6 Must Die (mashable.com)

May be easier than you think …

to steal a virtual machine and its data.

Remember the email server or payroll system that you virtualized? Someone with administrator access to your virtual environment could easily swipe it and all the data without anybody knowing. Stealing a physical server out of a data center is very difficult and is sure to be noticed, stealing a virtual machine (VM), however, can be done from anywhere on your network, and someone could easily walk out with it on a flash drive in their pocket.

Virtualization offers many benefits over physical servers, but there are some pitfalls you should be aware of and protect against to avoid losing sensitive data. Because a virtual machine is encapsulated into a single virtual disk file that resides on a virtual host server it is not all that difficult for someone with the appropriate access to make a copy of that disk file and access any of the data on it. This is a fairly simple thing to do, and we will show you how to do it here so you can protect your environment against it.

There are basically two ways one could access the virtual disk (.vmdk) file of a virtual machine. The first would be using the ESX Service Console. If someone knew the root password or had a user account on the host, they could gain access to the VMFS volumes that contain the virtual machine files and use copy tools like Secure Copy, or SCP, to copy files from it. The second is using the vSphere/VMware Infrastructure Client which contains a built-in datastore browser; this is the method we will cover here.

The security key: Understand the unique challenges presented by a virtual environment.

The bottom line is there are multiple layers you need to protect to ensure your data is safe. Protect the data, the application, the operating system and the physical server, and make sure you also protect the virtualization layer. Don’t focus your security efforts in all those other areas and forget one that can compromise them all. Not understanding and addressing the security challenges that are unique to virtual environments can be a costly mistake that you don’t want to make. (Source: SearchVMWare.com)

Go to the source and read the rest of this interesting article.

Related articles by Zemanta

• A Fluid Network is the Result of Collaboration Not Virtualization (devcentral.f5.com)
• LiveCycle ES Virtual Appliance available (blogs.adobe.com)
• Is Your Secure Thumbdrive Really Secure? Don’t Bet On It (lockergnome.com)
• Tor Users Urged To Update After Security Breach (yro.slashdot.org)
• Vmware ESX3.5 Templates (invurted.com)

IPv6 and DNSSEC security concerns

Security administrators are anxious, perhaps with good reason.

Security architects who monitor and manage many of the underlying systems that ensure smooth data flow across the Internet are growing anxious over the deployments of some of the latest technologies designed to improve Internet security and reliability.

While domain name system security extension (DNSSEC) deployments and IPv6 offer a number of benefits, a lack of support and expertise could prompt an emerging wave of new botnet attacks, according to several security architects responding to a new survey from Arbor Networks Inc., a vendor that sells appliances that defend against botnet attacks.

The survey, in its fifth year, posed questions to 132 security professionals, many of them lead security architects at ISPs and large telecommunications firms. It is designed to highlight the security threats facing service providers.

Nearly 35% of those surveyed said sophisticated service and application-layer attacks represent the largest operational threat over the next 12 months, displacing large scale botnet-enabled attacks, which came in second this year at 21%.

“When Web services were located in single data centers in some aspects they were easier to defend, but now we’re dealing with more distributed environments,” said Craig Labovitz, chief scientist at Lexington Mass.-based Arbor Networks. “There are many more components today, and as Web services are evolving, so are the attacks.”

The big concern DDoS attacks which are becoming difficult to detect.

Distributed denial-of-service (DDoS) attacks, driven by botnets, have doubled in bandwidth since the attack was first identified in 2001. But according to the survey, botnet operators appear to be changing their tactics to make some DDoS attacks more difficult to detect and more focused on specific systems running a network.

DDoS attacks have risen from 400 Mbps in 2001 to more than 40 Gbps, but the survey found the attack scale growth slowing in 2009. Botnet operators also may be reaching the threshold for sustained malicious DDoS traffic, Labovitz said. In 2009, the highest sustained attack peaked at 49 Gbps.

“The lower bandwidth attacks are focused not so much on flooding the pipes and routers, but disabling and disrupting certain aspects of the distributed Web service,” Labovitz said.

And while high-profile volume attacks such as the DDoS attacks that brought down some South Korean and U.S. government websites are not sophisticated, the attacks are designed to remain undetected, which is what worries security architects the most, Labovitz said.

Another major concern: the lack of IPv6 security features.

Arbor said missing IPv6 security features in routers, firewalls and critical network infrastructure lacking support for IPv6 are a cause for concern. A lack of skilled professionals to test and deploy IPv6 supporting equipment may also result in more Internet-wide security vulnerabilities. Labovitz said most providers don’t believe all their routers can support IPv6 and provide the level of security necessary to sustain network up-time.

“The concern is that we’ve had issues with a string of availabilities of vanilla IPv4 and now we’re going to be introducing more things into the network,” Labovitz said. “They’re concerned it could tax technology operations and support, and cause significant challenges.”

Similar concerns exit for DNSSEC.

The survey found network operators concerned about an increase in attacks targeting DNS infrastructure, load balancers and large-scale SQL server back-end infrastructures.

The same concerns ring true for infrastructures that support DNSSEC. While the technology upgrade to DNS is expected to result in improved authentication and data integrity, deployments have been slow, but network security experts expect most top-level domains to be fully supporting DNSSEC by 2011.

Labovitz said the technology resolves many types of DNS injection attacks, but other underlying threats exist.

“There are many more moving parts,” he said. “It makes DNS messages bigger and more complicated.” (Source: SearchSecurity.com)

Related articles by Zemanta

• Targeted attacks replace botnet floods in telco nightmares (go.theregister.com)
• DNS Security Extensions are about to make the Internet a lot safer (downloadsquad.com)
• Internet Security Changes Coming Soon (lockergnome.com)
• DDoS attack hobbles major sites, including Amazon (news.cnet.com)
• What Researchers Are Learning About DDoS Tactics (computerworld.com)

In case you weren’t aware …

Mac’s are vulnerable to exploits too.

Proof of concept exploit code was posted today by a security researcher at SecurityReason to demonstrate a vulnerability in versions 10.5 and 10.6 of Apple‘s Mac OS X operating system.

The vulnerability is a potential buffer overflow error arising from the use of the strtod function Mac OS X’s underlying Unix code. It was first reported by researcher Maksymilian Arciemowicz last June.

SecurityReason’s advisory describes a flaw in the libc/gdtoa code in OpenBSD, NetBSD, FreeBSD, and MacOS X, as well as Google Chrome, Mozilla Firefox and other Mozilla software, Opera, KDE, and K-Meleon.

SecurityReason’s advisory rates the vulnerability’s risk as “high” and claims that the flaw can be exploited by a remote attacker.

A spokesperson for SecurityReason wasn’t immediately available to characterize the likelihood that this vulnerability could be exploited.

The vulnerability was addressed in FreeBSD and NetBSD last last summer.

And shortly thereafter Google and Mozilla, among other vendors, did the same.

But Apple apparently has not yet updated its software to incorporate the fix.

Apple did not immediately respond to a request for comment.

It looks like Apple devices could be targeted more frequently, so Mac users may want to start taking security seriously.

In their respective predictions for 2010, computer security companies Symantec, Websense, and Zscaler all said that they foresaw more attacks being directed at Macs and other Apple devices this year.

To some extent, such predictions represent wishful thinking. But Mac users should give some thought to security, if only in terms of using the built-in Mac OS X firewall and exercising caution in the Web sites they visit and the e-mail messages they open. (Source: Information Week)

Related articles by Zemanta

• Apple sits on critical Mac bug for 7 months (and counting) (theregister.co.uk)
• Open-source communities fight Apple Mail alone (news.cnet.com)
• BumpTop hits the Mac, covers your OS X desktop with piles just like your real desktop (video) (engadget.com)
• Apple Patches Massive Holes In OS X (apple.slashdot.org)

Gain more clout with these security certifications

Want a premium salary as an ISS professional?  Make sure to obtain certifications in addition to the degree.

Security service providers and other channel partners who have invested in Global Information Assurance Certification (GIAC) training for their employees or who have hired employees who already have GIAC certifications will have a little more to advertise in 2010 with the announcement last week that three of the major GIAC tracks were accredited under the ANSI/ISO/IEC 17024 Personnel Certification program.

…

The most recent GIAC tracks to get the check-mark from ANSI were the GIAC Certified Incident Handler (GCIH), GIAC Certified Intrusion Analyst (GCIA) and GIAC Certified Forensics Analyst (GCFA) programs.
One of the most well-known incident-handling certifications in the security world, GCIH was recently ranked as the No. 1 security certification that organizations pay a salary premium for according to the IT employment analysts with Foote Partners. Those certified with GCIH have proven they know about common attack techniques and tools used to penetrate enterprises and small businesses alike. The certification attests to their knowledge about how to defend against and respond to these attacks, as well as incidents caused by both innocently inept and malicious insiders.

Unique within the security industry, GCIA is designed to show that recipients understand how to manage any Intrusion Detection System, regardless of vendor. Those who hold this certification have shown they understand the fundamentals of network protection and are able to analyze traffic patterns well enough to spot and analyze anomalies.

The third program ANSI accredited last week, GCFA, is one of the most recognized digital forensic certifications. Those bestowed with this vendor-neutral certification have proven that they understand a panoply of computer forensics tools and know the most common criminal forensic analysis techniques to complete Windows- and Linux-based investigations.

It seems security skills are not only in demand but result in greater pay.

Though the premium for most IT industry certifications generally went down over the past year, security certifications such as those offered by GIAC, (ISC)2 and ISACA all managed to buck the trend.

“Unlike other technology job segments, pay and demand for security skills have risen steadily since 2007 and neither budget nor headcount has diminished in economic hard times,” wrote Foote Partners principal, David Foote. “Driving continued momentum for steady jobs investment and career safety is the ‘perfect storm’ of more regulation; constant fear of increasing threats; greater customer expectations and demands aimed at vendors; and the splitting of business/strategic risk and operational security activities, which has been accelerated by market forces.”

This demand for such skills could prove profitable for channel partners who are able to hire and retain personnel on their consulting staff in order to market to those customers who don’t have the wherewithal or resources to maintain their own cadre of full-time security experts. (Source: Channel Insider)

Will be pursuing certifications following graduation in June.

Related articles by Zemanta

• Security through diversity (cdixon.org)
• Upcoming webinar: “Cloud Security for Dummies” hosted by SIIA (aws.typepad.com)
• BBB’s Data Security – Made Simpler Initiative (pindebit.blogspot.com)

FireFox 3.6 with Personas

Mozilla released it today.  You can now personalize your FireFox.

Related articles by Zemanta

• Firefox 3.6 Released! (siok.wordpress.com)
• Firefox 3.6 Portable Available for Your Thumb Drive Needs [Downloads] (lifehacker.com)
• Mozilla Delivers Firefox 3.6 to Millions of Users (Melissa Shapiro/The Mozilla Blog) (techmeme.com)
• Personas: At last, I get my way! (chickswhoclick.wordpress.com)

U.S. Army website hacked

Have to worry about the Romanian hackers too.

Romanian hackers continue to have a field day with SQL injection flaws in major Website applications: A vulnerability in a U.S. Army Website that leaves the database wide open to an attacker has now been exposed.

“TinKode,” a Romanian hacker who previously found holes in NASA‘s Website, has posted a proof-of-concept on his findings on a SQL injection vulnerability in an Army Website that handles military housing, Army Housing OneStop. TinKode found a hole that leaves the site, which has since been taken offline, vulnerable to a SQL injection attack. “With this vulnerability I can see/extract all things from databases,” he blogged.

What’s with the weak security?

TinKode was able to gain access to more than 75 databases on the server, according to his research, including potentially confidential Army data. He also discovered that the housing site was storing weak passwords in plain text. One password was AHOS, like the site’s name.

“Four-character passwords that are the same name as the database table names are inexcusable,” says Robert “RSnake” Hansen, founder of SecTheory.

Hansen says the ease with which TinKode discovered the SQL injection flaw highlights the state of Web security. “[This is] a good example of how terrible our security posture is, and he didn’t even have to do anything tricky to find the exploit,” he says.

Considering SQL injection is a common vulnerability exploit this re-enforces the need to test systems regularly.

TinKode is among a group of hackers out of Romania who have been disclosing SQL injection flaws in high-profile Websites during the past few months. Most recently hacker “unu” demonstrated a major SQL injection hole in an Intel channel partner events Website that exposed personal passport information. Unu was able to hack into the front-end Web app and, like TinKode, found that the server administrators had their passwords stored in clear text.

SQL injection is a common Website vulnerability that is increasingly being used as a foot in the door to the back-end database.

“Every organization has these problems,” Hansen says. “They may not realize it, but they’re just waiting for a smart kid to come along and copy off every critical piece of information they have.” (Source: Dark Reading)

Of course common sense needs to be used when it comes to passwords as well.  Storing in clear text??  Using four character passwords that are the name of the database??  Come on.

Related articles by Zemanta

• Web site scripting flaws are common and slow to be fixed (infoworld.com)
• Web application security is growing problem for enterprises (infoworld.com)
• RockYou Hack: From Bad To Worse (techcrunch.com)
• Useful SQL Injection Info (arnoldit.com)

Dump IT assets and move to cloud?

An interesting prediction by Gartner.

Cloud computing will become so pervasive that by 2012, one out of five businesses will own no IT assets at all, the analyst firm Gartner is predicting.

The shift toward cloud services hosted outside the enterprise’s firewall will necessitate a major shift in the IT hardware markets, and shrink IT staff, Gartner said.

“The need for computing hardware, either in a data center or on an employee‘s desk, will not go away,” Gartner said. “However, if the ownership of hardware shifts to third parties, then there will be major shifts throughout every facet of the IT hardware industry. For example, enterprise IT budgets will either be shrunk or reallocated to more-strategic projects; enterprise IT staff will either be reduced or reskilled to meet new requirements, and/or hardware distribution will have to change radically to meet the requirements of the new IT hardware buying points.”

If Gartner is correct, the shift will have serious implications for IT professionals, but presumably many new jobs would be created in order to build the next wave of cloud services.

But it’s not just cloud computing that is driving a movement toward “decreased IT hardware assets,” in Gartner’s words. Virtualization and employees running personal desktops and laptops on corporate networks are also reducing the need for company-owned hardware. (Source: InfoWorld)

Check the source link above to see other Gartner predictions.

Related articles by Zemanta

• Gartner issues its own 2012 prediction: end of IT as we know it (blogs.zdnet.com)
• 5 must-have IT management technologies for 2010 (computerworld.com)
• Microsoft, HP push businesses to clouds (news.cnet.com)
• Gartner predicts: Mobile Web overtakes PCs, Facebook wins, more outsourcing (seattletimes.nwsource.com)