Category Archives: Technology

Hacking Alive and Well When It Comes To iOS

 

The dark art of iOS app hacking presented at Black Hat.

There are three ways to hack an iOS app. One involves a zero-day exploit, a previously-unknown security hole. These are rare but not unheard of for iOS apps. The other two involve getting physical access to the phone, Zdziarski said.

“You can infect the phone without a passphrase. The virus or bit of code sits on the phone, waiting for the user to unlock it.” Or, he explained, “Give me two minutes with somebody’s phone and I can dump the entire file system from it.” From there, he said he could look at apps for an exploit to take advantage of remotely.

He argued that this could become a serious problem as iPhones and iPads continue to increase in popularity. Enterprise use of iOS is growing, he said, as is government use.


All due to a double-edged sword.


The problem, Zdziarski explained, comes from the double-edged sword that is the iOS monoculture. It has benefits, he said, including a reduced attack surface, rapid prototyping, and fewer holes to blame on the developer. But, he added, its homogeneous attack surface means that if you can hack one iOS device, you can hack nearly all. (While it’s true that there are different versions of iOS in use, there are significantly fewer than the different flavors of Android.)

Zdziarski noted that security has become an afterthought for iOS app developers, since they’re trusting Apple’s iOS Keychain and runtime to be secure. Keychain is the iOS feature that stores passwords, certificates, and other security-related items under encryption. “Anybody with freely available open source tools can get around that encryption now,” said Zdziarski, who said the encryption has been busted for two years. Zdziarski also showed how he didn’t even have to have the passcode to an iPhone to break its encryption. With a phone in his possession, he was able to drop a small piece of code from his computer onto the otherwise-locked phone. The code sits on the iPhone idle until the owner enters in the passcode, decrypting the file system and giving the malicious code access to the entire file system. “Developers are not turning on the encryption for most of their apps, and most users defer to a four-digit PIN, or a simple keyboard friendly passphrase.” So, although the phone’s operating system may be protected, the level of data security on the phone presumes that iOS won’t be hacked.

Source: iOS app hacking alive and well | The Download Blog – CNET Download.com.


A great illustration of why developers need to understand that security trumps all.


“4 Simple Growth Strategies Any Breakthrough Blog Can Learn From Pinterest”

Bet you didn’t think that you could get growth strategies from Pinterest.


You don’t need me to tell you about Pinterest do you? I’m pretty sure you’ve heard all the media outlets singing its praise:

  • the fastest growing site
  • its user base is mostly female
  • its breakthrough rise from obscurity
  • how marketers are using it
  • how marketers CAN use it
  • how it’s a step forward in the evolution of social media
  • …etc.

I mean we’ve talked about it over here too, haven’t we?

But what else can we as bloggers and businesspeople learn from this recent phenom?

Read the strategies: 4 Simple Growth Strategies Any Breakthrough Blog Can Learn From Pinterest : @ProBlogger.

Windows Server GUI on way out

The GUI for Windows Server will eventually be no more. Here’s what Don Jones, over at RedmondMag.com, had to say about this eventuality.


  • The full GUI experience on the Windows Server OS is now optional. Software meant to run on a server should not assume a GUI will be there, nor should it take for granted any of the many other dependencies that the full server OS has traditionally included. My analysis on this: It’s Microsoft’s shot across the bow. You’ll see a stronger position on this sometime in the future — maybe a few years off, but sometime. They want server apps to assume they’re running on what we used to call “Server Core.”
  • The recommended way to run the Server OS is without the GUI. Didja see that? No, you don’t have to think it’s a good idea — I’m not pushing acceptance. I’m pointing out what’s happening. These are the facts on the ground.
  • Microsoft has taken a (what I think is a very good) middle-ground step by introducing a “minimal GUI” mode in the server OS. That means you can have your GUI tools on the Server OS, as well as on your client computer, provided those GUI tools play by a few basic rules and don’t assume too many dependencies (like the presence of IE). They’ll have the full .NET Framework at their disposal, for example, which should help — especially if they’re tools based on the MMC architecture. So this gets you a “lighter” version of the Windows Server OS, but still lets you manage right on the console. My opinion, for what it’s worth: Anyone who thinks “minimal GUI” mode is anything more than a holding measure is crazy. To me, this clearly says Microsoft is trying to get us off the console for good. They know we’re not ready to give it up completely, so this is them trying to wean us off. Maybe I’m wrong on this — it’s happened before — but it sure seems that way when I look at the big picture.
  • Notwithstanding the “minimal GUI” mode, Microsoft is recommending to software developers to not assume a GUI will be present. The full, rich GUI experience happens on the client. Not allowed connect to your servers from your client computer? The suggestion appears to be “rethink your architecture.”

In other words, make sure you know the command-line interface and how to remote into a server, because before long that will be your only way to access Windows Server.

My opinion is that Microsoft is pointed toward a world of “headless servers:” Minimal functionality from the console, rich management from a client computer. This is a step in that direction, and it’s intended to put us, and software vendors, on notice. Me, I’m going to take the hint. I hope y’all do as well. Windows Server “8” is a chance to start getting on board with what Windows will become — it’s not throwing us directly into the fire, but I think we have to take the opportunity to start adapting to this new direction.

Enhanced by Zemanta

New Network+ Exam Strengthens Objectives

It’s that time again, when CompTIA updates its Network+ exam.

CompTIA released its updated CompTIA Network+ exam (English only, initially) on Dec. 1. The revised Network+ objectives address virtual networking and give increased attention to network security and coverage of the seven-layer OSI (Open System Interconnection) model. Click here to download a breakdown of exactly what is covered on the new exam.

Here’s what CompTIA’s research showed:

CompTIA research on US Small and Medium Businesses (SMBs) found that network efficiency and robustness were among the top items SMBs plan to address immediately, paving the way for other strategies such as cloud computing or unified communications.

Forty-eight percent of server technicians surveyed by CompTIA say that deeper networking knowledge is required when supporting servers in a cloud environment.

Among server technicians and managers of server technicians, 28% say that virtualization is a current focus, but 60% say that it is becoming a larger focus.


Tips to a successful IT job interview

So you’ve applied for that IT job and you’ve made it to the interview stage. Here are some tips from Venture Loop CEO Jeremy McCarthy on how to make it a successful interview.

Regardless of how you view this prospective opportunity, always do your best in the interview for you never know where it may lead you. Some of his other suggested tips:

1) Research: With everything literally at our fingertips today, it’s close to blasphemy to enter an interview without having searched and studied as much about the history, facts and figures of the company with whom you are interviewing as possible. Savvy online searching can turn up valuable information to prove to an employer they’d be hiring an expert in their industry.

2) Review your triumphs and faults: You can almost guarantee that typical questions such as your vision for five years down the road, strengths, weaknesses, tough work situations and best type of person to work for will be asked, so why not write down your answers ahead of time to review rather than spin your wheels while sitting in the ‘hot seat.’

3) Behavioral question awareness: More firms rely on behavioral interviewing techniques to see how candidates answer when asked for specific examples of past professional situations. McCarthy presents some typical queries to prepare for ahead of time:

  • How you handled not meeting a deadline
  • How you dealt with conflict with a co-worker or boss
  • What you did when someone else’s actions caused failure
  • When did you show initiative
  • What did you do when a customer was upset with you
  • What did you do when a co-worker blamed you unfairly for something

For the rest of Mr. McCarthy’s tips check out the source.


Winter Wake-up app

This could be handy in snow areas like Wisconsin.

A new alarm clock application for the iPhone and Android wakes you earlier if it snowed last night. Called simply, “Winter Wake-Up,” the app lets you configure its settings to wake you up earlier than your scheduled alarm depending on weather conditions, with separate settings for both “Frost” and “Snow.”

There’s also an optional setting – a checkbox – which you can select that says “don’t bother to wake me if the weather’s too bad. I’ll work on Saturday.” (Or, as is more likely in today’s world, you’ll work from home that same day…just maybe a little later).

Is it something you would use?


Social Networking the most important technology of 2011

That would be social networking in general, not any one platform, that is the most important technology of the past year.

From the “Arab Spring” to BYOD, social networking was clearly the most important “technology” of 2011. I’m not talking specifically about any one platform. Sure, Twitter is important if you want to keep tabs on the latest movements of people important in your life. Facebook is perfect for lurking around and leering at people’s (more or less) personal lives. LinkedIn has become the de facto standard for business-based networking. We’ve all heard the stories about Wikileaks, Anonymous, and how technology seems to play a role in building up and breaking down political figures of the day.

I’m talking about all of the related technologies that make social networking possible. Social networking as we currently know it wouldn’t exist without virtualization, HTML5, and all of those “as a service” offerings such as Amazon’s EC2. And don’t forget all of those mobile devices, including the shiny, new and ever-so compelling Android or iPad you just got for Christmas. All of these cloud-based technologies are behind social networking.

So, while I could have just written that one technology or device is the technology of 2011, that wouldn’t reflect the current zeitgeist. Right now, social networking is the technology of the year. It’s not any one implementation of virtualization (sorry VMWare). It’s not any one SaaS or PaaS implementation.

So how does that affect one’s career path in IT? As with any aspect of IT, you should have a focus.

For your career, focus on the individual pieces that make social networking possible. Are you interested in becoming a virtualization guru? Then learn about how virtualization makes social networking possible. Interested in what Cisco is developing to make voice, video and data more efficient? Then focus on how these things are implemented in the cloud and in regards to social networking.


Incredible Deal!

Today of course is “Black Friday” and like every retail outlet across America, Host Gator is offering INCREDIBLE savings today only.

If you are in need of hosting for your website(s), look no further than Host Gator. In case you aren’t aware, Host Gator is one of the top recommended hosting sites for WordPress. And the tech support is awesome, which contributes to its great reputation for hosting WordPress blogs and sites.

Here are the details:

Save 50% on ALL hosting services

Until 11:59 CST on Friday, November 25 you can get 50% OFF on ALL hosting services. This includes shared hosting, reseller hosting, VPS hosting, Dedicated servers and Windows hosting! However, this does not include domain names.

Here’s what that means:

Competitively priced web hosting at Host Gator gets even more competitive!

  • Shared hosting: as low as $4.95, now only $2.48/month (pre-paid)
  • Reseller hosting: as low as $24.95, now only $12.48/month (pre-paid)
  • VPS hosting: as low as $19.95, now only $9.98/month (first month)
  • Dedicated servers: as low as $174, now only $87/month (first month)

Note that the 50% discount applies only to the first month on the VPS and Dedicated Servers plans, as these are billed monthly. Also note that this is valid for new hosting plans only, so existing customers can’t use it on plan renewals (though you could add a plan to your account).

So head on over to Host Gator to get in on this GREAT hosting services deal.

“Private cloud” skills


Great piece over at the CompTia blog regarding the “private cloud”:

What is the “private cloud?” Well, it’s where the IT department, that is, the company itself, provides all of the cloud-based services, but from within its own firewall. Remember when the term “Intranet” was coined to describe how IT could provide the best Internet-based services behind the firewall? Private cloud computing is basically the same sort of approach. Again, some folks think that private cloud computing is an oxymoron. Like Eric Knorr over at InfoWorld, I think the definition of the “private cloud” is a bit fuzzy, but it’s worth talking about.

The private cloud involves virtualized services offered as a service independent of any single hardware platform, usually through a Web browser. When offered privately, cloud services remain behind the firewall, and they are offered on a metered basis. This means that the IT department becomes the “X as a service” provider.

As well as skills that one should have to be an expert in the “cloud”:

If you want to become a private cloud computing expert, check out the following skills you should learn:

  • Understand business issues, including the concepts of the Service Level Agreement (SLA), and chargeback. Yes, chargeback. Yeah, it’s kind of a weird word. The first time I heard it back in 1997, I thought someone was talking about some sort of new defensive lineman position for the NFL. Basically, chargeback means metering services and then charging departments, making your IT department a business within your business. This way, your IT department becomes less of a cost center and more of a revenue generator, in a sense. Pretty cool idea if you can get it to work.
  • Know how to read a bill from a cloud provider, no matter which side of the firewall it comes from. From the people I’ve talked to, the numbers change pretty radically.
  • Learn virtualization.
  • Get some consulting skills.


Metasploit 4.0 means…

more tools for IT security pros & penetration testers.

Security product provider Rapid7 has updated its widely used open-source Metasploit exploitation framework, expanding the software so it supports enterprise IT security staff as well as its core audience of penetration testers.

“Originally the framework was focused on just running exploits. Penetration testers were our core base,” said Rapid7 Metasploit chief architect H.D. Moore, referring to the security professionals who are paid by organizations to break into — and thereby document the weaknesses of — computer systems. “But now we are seeing a huge demand from organizations that just want to put all their existing vulnerability data in one spot and validate all those vulnerabilities.”

Not sure what Metasploit is? Go to the source to learn more.