Archive for the ‘Information Technology Security’ Category
Tuesday, November 15th, 2011
Developers around the world believe IBM Watson’s sophisticated analytics capabilities will transform industries that are managing massive amounts of data, according to the 2011 IBM Tech Trends Report released today. Survey respondents selected education and healthcare as the areas that could benefit the most, with financial services, life sciences and government also ranking near the top.
The 2011 Tech Trends Report surveyed more than 4,000 Information Technology (IT) professionals from 93 countries and 25 industries who provided their views on future IT trends. The results also show a growing need for technical skills in the areas of business analytics, social business, mobile computing, open source technologies and cloud computing. Read the report at: http://www.ibm.com/developerworks/techtrendsreport, share your opinions at #TechTrends and see what IBM experts are saying about the findings at: www.youtube.com/IBMEcosystem
According to the report, business analytics software is the most widely used technology of those surveyed. In fact, business analytics software is being incorporated in almost every business process within organizations. Forty-two percent of respondents believe that business analytics will continue to be in demand for software development. The report also outlines the growing importance of open source platforms such as Apache Hadoop and Linux for business analytics software developers.
The report provides IT and business professionals a roadmap of the technologies and skills that will be in greatest demand in the coming years. Key findings in the 2011 IBM Tech Trends Report include:
- Eighty-seven percent of respondents believe open source and open standard technologies will play a key role in the future of application development.
- During the next two years more than 75 percent of organizations will engage in cloud computing.
- Fifty-one percent of respondents cited the adoption of cloud technologies as part of their mobile strategy.
- Regional cultural differences impact social business adoption. India is strongly embracing social business with a 57 percent adoption rate, followed by the US with a 45 percent adoption rate and China with a 44 percent adoption rate. Russia shows the strongest resistance with a 19 percent adoption rate.
“The results are clear. Mobile computing, cloud computing, social business and business analytics have gone beyond niche status and are now part of any modern organization’s core IT focus,” said Jim Corgel, general manager ISV and Developer Relations, IBM. “IT professionals who can develop the skills needed to work across these technologies will be ready to meet growing business demand in the coming years.”
IBM developerWorks, the company’s online community for IT professionals, is the industry’s largest and most visited global site for IT professionals to gain technology skills. More than eight million IT professionals have visited the community for no-cost access to software tools and code, IT standards and best practices across various industries. Visitors also tap skills training in open technologies, business analytics, cloud computing and mobile computing, among others. In addition, IBM Business Partners and entrepreneurs can access advanced training and resources at IBM’s network of 40 Innovation Centers around the world to further build their skills.
Source
Tags: Information Technology, it outsourcing, it professionals Posted in Industry Stories, Information Technology Consulting, Information Technology Security, IT Consulting Services, IT Outsourcing Services | 1 Comment »
Monday, July 18th, 2011
British tabloid News of the World said today it is closing down over a phone hacking scandal in which workers for the Rupert Murdoch-owned newspaper allegedly snooped on voice mail messages left on the mobile phones of murder victims, as well as celebrities, politicians, and the British royal family.
If unethical journalists can do it chances are anyone can, right?
To test my theory I called up Kevin Mitnick, who wrote about the hacking and social engineering that landed him in jail in a fascinating book coming out this summer, “Ghost in the Wires,” and who serves as a security consultant, helping clients protect against privacy breaches such as this.
Phone hacking, also known as “phreaking,” is easy to do, Mitnick said, adding that he could demonstrate it on my phone if I wanted proof. So I gave him permission to access my voice mail and told him my mobile phone number.
He called me right back on a conference call so I could hear what was going on. First he dialed a number to a system he uses for such demonstration purposes and entered a PIN. Then he was prompted to enter the area code and phone number that he wanted to call (mine) and the number he wanted to be identified as calling from (again mine). Next thing I know I’m listening to a voice message a friend of mine left me last night that I hadn’t erased.
“See how easy it is?!” Mitnick says as my jaw drops.
He was able to get into my voice mail by tricking my mobile operator’s equipment into registering the call as coming from the handset–basically pretending to be me. To do this, he wrote a script using open-source telecom software and used a voice-over-IP provider that allows him to set caller ID, but there also are online services that provide similar capability that non-hackers could subscribe to. It might be easier or harder to accomplish depending on the mobile operator, he said. (I’m keeping some of the details sketchy to avoid providing a how-to for phreaking.)
“Any 15-year-old that knows how to write a simple script can find a VoIP provider that spoofs caller ID and set this up in about 30 minutes,” Mitnick said. “If you’re not adept at programming, you could use a spoofing service and pay for it.”
This technique, called Caller ID Spoofing, has been used and abused for years. In 2006, a caller ID spoofing account in the name of Paris Hilton was suspended for voicemail hacking, with other celebrities, including Lindsay Lohan, allegedly being victims, according to IDG News Service.
The method is more sophisticated than that allegedly used by the British journalists who are accused of using default PINs to access victims’ voicemail accounts, assuming correctly that many people wouldn’t bother to change the PINs. Since the phone hacking scandal first erupted about five years ago, mobile operators in the U.K. have changed their practices and most now require people to set their own PINs for remotely checking voice mail.
If I want to avoid having anyone use Caller ID Spoofing to access my voice mail again, I need to change my phone settings to require a PIN even when checking voice mail from my mobile device. But that doesn’t address the fact that mobile operators don’t authenticate caller ID. “The magic is that my VoIP provider allows me to set any caller ID and the other operators trust it,” Mitnick said. “Caller ID is automatically trusted.”
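The trust failure described above, and the fix of requiring a PIN on every remote login, can be modelled without touching a real network. The following is an added illustration, not code from the article, from Mitnick or from any operator: it simulates a voicemail platform's login decision under the historical policy (presented caller ID equal to the mailbox number is treated as the handset and skips the PIN) and under a hardened policy (caller ID is never an authenticator, and a mailbox still on a missing or factory-default PIN is locked for remote access). The mailbox numbers, PINs and "default PIN" list are all constructed for the example.

```python
"""Model of a carrier voicemail platform's remote-login decision.

Added illustration only: this is not code from the article, from Mitnick,
or from any real operator. Mailbox data, PIN values and the call records
below are all constructed for the example.
"""
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed factory-default PINs; real defaults vary by operator.
DEFAULT_PINS = {"0000", "1234", "1111"}


@dataclass
class Mailbox:
    number: str              # subscriber's mobile number
    pin: Optional[str]       # None means the subscriber never set one


@dataclass
class Call:
    presented_cli: str       # caller ID as delivered by the originating network: NOT authenticated
    pin_entered: Optional[str] = None


def _pin_matches(box: Mailbox, entered: Optional[str]) -> bool:
    """Constant-time PIN comparison; a mailbox with no PIN can never match."""
    if box.pin is None or entered is None:
        return False
    return hmac.compare_digest(box.pin.encode(), entered.encode())


def trust_cli_policy(box: Mailbox, call: Call) -> bool:
    """The behaviour the article describes: a call whose presented caller ID
    equals the mailbox number is treated as the handset itself and skips the
    PIN. Any VoIP origin can set that field, so this is not authentication."""
    if call.presented_cli == box.number:
        return True
    return _pin_matches(box, call.pin_entered)


def pin_always_policy(box: Mailbox, call: Call) -> bool:
    """Hardened policy: presented caller ID is never an authenticator, and a
    mailbox still on a missing or default PIN is locked for remote access
    until the subscriber sets a real one (closes the default-PIN route too)."""
    if box.pin is None or box.pin in DEFAULT_PINS:
        return False
    return _pin_matches(box, call.pin_entered)


def run_scenarios() -> Dict[str, Dict[str, bool]]:
    """Evaluate both policies against constructed calls. Returns
    {scenario: {"trust_cli": granted?, "pin_always": granted?}}."""
    victim = Mailbox(number="+15550100", pin="4729")      # constructed subscriber with a real PIN
    untouched = Mailbox(number="+15550101", pin="1234")   # constructed subscriber still on a default PIN

    scenarios = {
        # Attacker spoofs the victim's own number as caller ID and never enters a PIN.
        "spoofed_cli_no_pin": (victim, Call(presented_cli=victim.number)),
        # Attacker from an arbitrary number guesses the factory default (the tabloid technique).
        "default_pin_guess": (untouched, Call(presented_cli="+15550199", pin_entered="1234")),
        # Legitimate owner calling from the handset: the platform cannot tell this
        # call from the spoofed one above, which is exactly the problem.
        "owner_handset_no_pin": (victim, Call(presented_cli=victim.number)),
        # Owner from anywhere with the correct PIN.
        "owner_correct_pin": (victim, Call(presented_cli="+15550177", pin_entered="4729")),
    }
    return {
        name: {"trust_cli": trust_cli_policy(box, call), "pin_always": pin_always_policy(box, call)}
        for name, (box, call) in scenarios.items()
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:22s} trust_cli={verdict['trust_cli']!s:5s} pin_always={verdict['pin_always']}")
```

Note that the spoofed call and the owner's genuine handset call are byte-for-byte identical to the platform; the only field that differs between attacker and owner is the one the originating network never authenticates. The hardened policy therefore accepts nothing but a subscriber-chosen PIN, and also refuses mailboxes that still carry a default PIN, which is the separate weakness the British journalists are accused of exploiting.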
Mobile phone industry specialist David Rogers suggests on his blog that operators should consider preventing people from accessing mobile voicemails remotely at all.
Meanwhile, the Truth in Caller ID Act of 2010, which was signed into law late last year, prohibits anyone intending to defraud, cause harm, or wrongfully obtain anything of value from knowingly causing any caller ID service to transmit or display misleading or inaccurate caller ID information. This could send the caller spoofing services off shore but likely won’t put an end to the practice.
Posted in Industry Stories, Information Technology Security | No Comments »
Tuesday, July 12th, 2011
Little is known for certain about the federal grand jury investigation of Infosys and its sponsorship of B-1 business visas.
In May, the Indian IT outsourcing company revealed that it had received a subpoena from a U.S. grand jury to provide records in connection with its use of B-1 business visas. A current American employee of Infosys (INFY) alleged that the company was using the easier to obtain B-1 visa—intended to be used for travel to attend a specific event, receive short-term training, or conduct contract negotiations—in a fraudulent manner to import foreign workers to fill company roles stateside that actually required H-1B visas.
“It’s hard to say what the State Department and U.S. Customs and Immigration Service (USCIS) are doing with respect to the investigation,” says Ron Hira, associate professor of public policy at the Rochester Institute of Technology and co-author of Outsourcing America. “Neither agency has been forthcoming.”
Some industry watchers predict that the probe could hamper the IT outsourcing industry’s ability to use a variety of guest worker and business travel visas, which in turn could lead these companies to hire more American IT workers.
“This could have some serious ramifications with the issuances of temporary work visas for employees of Indian-based service providers and non-Indian service providers seeking to bring Indian staff into the U.S.,” says Phil Fersht, founder of outsourcing analyst firm HfS Research. “While valid H-1Bs and L-1s should still go through, the USCIS has the ability to probe visa applications hard when under scrutiny, and slow down the whole process for all providers, not only for Infosys.”
Any media attention the Infosys case garners, particularly with the 2012 elections approaching and continued high unemployment rates, could drive further visa restrictions. “The publicity surrounding the investigation likely will generate continued Congressional interest and calls for further changes to the H-1B and L-1 programs to limit their perceived adverse effects on U.S. workers,” says Carl W. Hampe, a partner in the immigration law group at Baker & McKenzie. “Companies sponsoring H-1B employees and those seeking the temporary transfer of their key personnel to the U.S. could face more obstacles.”
Recent Visa Reform Initiatives
IT service providers have been facing increased scrutiny of their use of visas to bring foreign workers to the U.S. in recent years. In 2004, Congress passed the L-1 Visa Reform Act, which increased limitations on the visas IT service providers use to bring specialized knowledge workers to client sites.
In recent years, USCIS has been more stringent in its assessment of H-1B visa petitions, reportedly beefing up its anti-fraud auditing efforts. Guidance issued by USCIS associate director Don Neufeld in 2010 required evidence of an actual employee-employer relationship between the visa petitioner and the H-1B employee. The so-called Neufeld memo “represented a significant change in policy and imposed substantial limitations on third party placement of H-1B visa holders. [It] was an example of efforts by USCIS to eliminate so-called [body shops],” says Paul W. Virtue, a partner in the immigration law group at Baker & McKenzie. Now, Virtue says, the U.S. government is turning its attention to B-1 business visitor visa abuse.
“The companies and stock market analysts have said that the effect will be that the firms will hire more American workers in lieu of bringing in foreign guest-workers,” says Hira.
Donna Conroy, executive director of Bright Future Jobs, a grassroots lobbying group for IT professionals, thinks the Infosys investigation will be a tipping point in favor of American IT workers. “We are entering a period where foreign workers will be training their replacements. It’s happening in one of our member’s offices right now,” she says. “It’s curtains for the corporate culture that has avoided hiring experienced, highly-skilled Americans and new science and technology grads whom we’ve paid dearly to educate.”
Others say the consequences of the Infosys investigation may be more limited. “I think that the opponents of skilled immigration are getting unduly excited again,” says Vivek Wadhwa, visiting scholar at the University of California-Berkeley School of Information and senior research associate in Harvard Law School’s labor and worklife program. “Infosys may have abused these visas and will likely get slapped on the wrist if it did. [But] we’re talking about a very small proportion of its workforce being on these visas.”
Dr. Lindsay Lowell, director of policy studies at Georgetown University’s Institute for the Study of International Migration, says any fallout will depend on how widespread the alleged visa abuse is. “Will other companies be investigated? The blogosphere suggests the complaints may be there. But the investigation arm tends not to seek out problems,” Lowell says. “Policymakers and companies that play by the rules need to decide if they’ll police the system so that it serves U.S. employers as intended, or let regulations and enforcement slip, which is not in the best long-term interest of the United States.”
Norm Matloff, professor of computer science at the University of California-Davis, says the Infosys investigation is a distraction from the real problem with America’s skilled worker visa program. “The major problem is the legal underpayment of the foreign workers, due to loopholes,” Matloff says. “Investigations of possible violations of the rules distract attention from that loopholes issue.”
Increased scrutiny of visa petitions will be a headache for IT service providers reliant on foreign employees working at U.S. sites, but “it’s not a game changer,” says Fersht of HfS Research. “The leading service providers are quite adept these days at deploying onshore staff—local Americans or Indians already living in the US with valid visas—to facilitate offshore work transition over to locations like India. [They] can work around issues created by prolonged visa applications and tougher guidelines.”
Virtue of Baker & McKenzie is counseling clients to ensure that any employees visiting the U.S. on B-1 visas do not engage in any activities that could be construed as employment and that the employee-employer relationship for any sponsored H-1B and L-1 visa holder is clearly documented. Virtue is also advising outsourcing customers to make sure their contracts are for specific deliverables and not for the assignment of specific personnel, in order to avoid liability in any visa audit or investigation.
Source
Percento Technologies
Posted in Industry Stories, Information Technology Consulting, Information Technology Security, IT Consulting Services, IT Outsourcing Services | No Comments »
Thursday, June 30th, 2011
Gartner on Thursday upgraded its forecast for worldwide IT spending, saying it will grow 7.1 percent this year to US$3.7 trillion as companies migrate to the cloud and spend more on software and IT services.
The research firm previously forecast a growth of 5.6 percent in worldwide IT spending compared to last year, in which spending totaled $3.4 trillion and increased 5.9 percent from 2009. Growth in IT spending will continue through 2012, said Richard Gordon, research vice president at Gartner, in a statement.
The revised projections reflect the minimal impact on tech spending of the Japan earthquake and tsunami on March 11, which affected supply chains and caused extensive damage to buildings and factories along the country’s eastern coast. The earthquake may have caused problems in supply of components, but it hasn’t affected overall IT spending, Gordon said.
The hardware segment is poised for the fastest growth, but the greatest amount of spending will take place on telecom, according to Gartner’s forecast. Spending on telecommunications will increase to $2.1 trillion, growing year-over-year by 6.9 percent, slower than the 7.3 percent growth last year. Hardware spending is expected to grow faster than other sectors, at a rate of 11.7 percent to $419 billion, albeit slower than last year’s growth rate of 12.1 percent.
Spending will grow in the software and IT services segments, partly driven by the growing adoption of public cloud services and software-as-a-service. The growth rate for IT services will more than double, from 3.1 percent last year (when spending totaled $793 billion) to 6.6 percent, taking the segment to $846 billion. Software spending is expected to grow by 9.5 percent year-over-year to $268 billion, Gartner said.
Though still a marginal part of overall IT spending, cloud computing services are emerging as a driver of IT spending in some markets, growing more than four times as fast as IT spending overall, Gordon said. Migration to public cloud services will likely spill over into the software segment as companies spend more on software-as-a-service.
“At about $10 billion, software as a service … already accounts for 10 percent of enterprise applications software spending, and by 2015 this share is expected to increase to close to 15 percent and to exceed $20 billion in annual spending,” Gordon said.
But overall cloud spending is still nominal, Gartner said. Spending on public cloud services will be roughly $89 billion this year, up from $74 billion last year. The market will continue to grow and reach $177 billion by 2015, but even then it will account for only about 5 percent of total IT spending.
Source
Managed IT Support Services – Percento Technologies
Tags: it outsourcing, it spending, Managed IT Services Posted in Industry Stories, Information Technology Consulting, Information Technology Security, IT Consulting Services, IT Outsourcing Services | No Comments »
Friday, March 18th, 2011
Information about RSA’s SecurID authentication tokens used by millions of people, including government and bank employees, was stolen during an “extremely sophisticated cyberattack,” putting customers relying on them to secure their networks at risk, the company said today.
“Recently, our security systems identified an extremely sophisticated cyberattack in progress being mounted against RSA,” Executive Chairman Art Coviello, wrote in an open letter to customers, which was posted on the company’s Web site.
“Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat. Our investigation also revealed that the attack resulted in certain information being extracted from RSA’s systems. Some of that information is specifically related to RSA’s SecurID two-factor authentication products,” the letter said.
“While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack,” Coviello wrote. “We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.”
The company said it has no evidence that other products are affected or that personally identifiable data on customers or employees was compromised. RSA, the security division of technology giant EMC, did not elaborate and a spokesman said he could not provide additional information at this time.
Some 40 million hardware tokens and 250 million mobile software versions have been deployed, making SecurID the market leader in two-factor authentication. A token is used in addition to a password: it displays a number that changes on a fixed schedule and cannot be predicted without the device’s secret, and the user enters the current number to gain access to a network.
The tokens are commonly used in financial transactions and government agencies; one source who asked to remain anonymous said SecurID users in those sensitive areas were scrambling to figure out what to do in light of the breach.
What exactly did the bad guys get?
Because it’s unclear exactly what type of information was stolen, sources told CNET they could only speculate as to what the potential outcome could be for companies using the devices.
“It’s hard to say [how serious the breach is] until we know the extent of what the bad guys got a hold of,” said Charlie Miller, a principal analyst at consultancy Independent Security Evaluators. “Any time a security company gets broken into, it reminds you that it could happen to anybody.”
He used to work for a financial services firm that “basically ran everything on” SecurID, he said. “They would be very unhappy if they found out” it could be compromised somehow.
“The real story here is what was stolen. It definitely seems mysterious,” said Ravi Ganesan, an operating partner at The Comvest Group and former founder and CEO of single sign-on provider TriCipher. “SecurID is a token authenticator device that flashes a new number every 60 seconds. The number is calculated from two things, a ‘secret seed’ unique to that device and the time of day. So your one-time password is output of [that] algorithm.”
RSA has historically kept their algorithm secret, but that is not a good defense against a sophisticated attacker who could get a software version of the token or the back-end server and reverse engineer the code, Ganesan said. “So what on earth could have been stolen? I certainly hope RSA did not put some back door into the software and that was what got stolen.”
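Ganesan’s description of the token (a code computed from a per-device secret seed and the time of day) is enough to show why the seed records, not the algorithm, are what matter. The block below is an added illustration, not code from the article or from RSA: since RSA has not published SecurID’s algorithm, standard TOTP (RFC 6238, HMAC-SHA1) stands in for it with SecurID’s 60-second rotation. It shows that anyone holding a copy of the seed produces exactly the codes the server expects, and that re-seeding the token is what cuts that off. Seeds, the token serial and the timestamp are constructed; the serial-to-seed table is a stand-in for whatever record a vendor keeps.

```python
"""Seed-plus-time one-time passwords, and what a stolen seed buys an attacker.

Added illustration only: RSA has never published SecurID's algorithm, so
standard TOTP (RFC 6238, HMAC-SHA1) stands in for it here with SecurID's
60-second rotation. Seeds, serial numbers and timestamps are constructed.
"""
import hashlib
import hmac
import struct
from typing import Dict

STEP_SECONDS = 60   # SecurID tokens rotate every 60 s; RFC 6238 defaults to 30


def otp(seed: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """Code for the time window containing unix_time. Only the seed is secret;
    the time is public, so whoever holds the seed can produce the same code."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation (RFC 4226 section 5.3)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(seed: bytes, unix_time: int, submitted: str, window: int = 1) -> bool:
    """Server-side check allowing +/- `window` steps of clock drift."""
    return any(
        hmac.compare_digest(otp(seed, unix_time + d * STEP_SECONDS), submitted)
        for d in range(-window, window + 1)
    )


def breach_scenarios() -> Dict[str, bool]:
    """Who can produce an accepted code, before and after the token is re-seeded."""
    now = 1_300_000_000                                      # constructed: a March 2011 timestamp
    serial = "000123456789"                                  # constructed token serial
    # The server's seed record, keyed by serial. This is the kind of data that,
    # if exfiltrated, lets an attacker clone every listed token.
    server_seeds = {serial: bytes.fromhex("1f2e3d4c5b6a79880716253443526170")}

    token_seed = server_seeds[serial]                        # burned into the legitimate token
    stolen_copy = token_seed                                 # what a seed-record theft yields

    results = {
        "owner_with_token": verify(server_seeds[serial], now, otp(token_seed, now)),
        "attacker_with_seed_copy": verify(server_seeds[serial], now, otp(stolen_copy, now)),
    }

    # Remediation: issue a new seed (i.e. a replacement token) and forget the old one.
    server_seeds[serial] = bytes.fromhex("a0b1c2d3e4f5061728394a5b6c7d8e9f")
    results["attacker_after_reseed"] = verify(server_seeds[serial], now, otp(stolen_copy, now))
    return results


if __name__ == "__main__":
    for name, accepted in breach_scenarios().items():
        print(f"{name:26s} accepted={accepted}")
```

Two caveats follow from the model. First, the algorithm contributes no secrecy: `otp` is public here and the server still works, which is Ganesan’s point that reverse-engineering the code gains an attacker nothing the seed does not. Second, a leaked seed table only yields the token half of the passcode; in practice the user’s PIN is entered with the token code, which is why the RSA guidance quoted later in this post leans on strong PIN policies and on resisting the social engineering that would harvest PINs and user-to-serial mappings.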
While details were scarce, hints about the breach could be gleaned from a message to customers filed with the SEC. It recommended that customers increase focus on security for social-media applications and Web sites accessed by anyone with access to their critical networks; enforce strong password and PIN policies; as well as remind employees to avoid opening suspicious e-mails and providing usernames or other credentials to people without verifying the person’s identity as well as avoid complying with e-mail or phone-based requests for such information.
Additionally, the message said customers should pay special attention to securing their Active Directory deployments and use two-factor authentication to control access to them; watch closely for changes in user privilege levels and access rights; harden, monitor and limit remote and physical access to infrastructure that hosts critical security software; shore up practices against social-engineering attacks; and update security products and patch operating system software.
Advanced persistent threats often target source code and other information useful in espionage, and the attackers typically already know the company’s network, key employees, and workings. They use social engineering and exploits hidden in e-mail and other messages to sneak keyloggers and other snooping tools onto employees’ computers. Google announced last year that it and other companies had been targeted in such an attack; it later emerged that the attackers used an unpatched hole in Internet Explorer to get into company computers. Google said at the time that intellectual property was stolen and that the attacks appeared to originate in China.
Tags: it secur, it security consulting Posted in Industry Stories, Information Technology Security | No Comments »
Tuesday, December 28th, 2010
DUBAI, UAE — Senior business and technology leaders will convene at InterContinental Dubai Festival City from 21-22 February 2011 for CACS in Dubai, an internationally respected event that features governance, security, assurance and risk management experts from around the world.
Hosted by ISACA, a global information technology (IT) association of 95,000 IT professionals, CACS (Computer Audit, Control and Security) will include a keynote presentation by Neeraj Kumar, Senior Vice President of Internal Audit and Chief Audit Executive of Emirates Group. Neeraj Kumar will explain how to use technology to improve proactive risk-focused auditing and continuous monitoring.
CACS in Dubai will also offer educational sessions on key IT security and governance issues facing enterprises today, including:
- Implementing COBIT: A Public-sector Case Study, presented by Naveed Ahmed, CISA, CISM, CGEIT, Dubai Customs, UAE
- IT Governance to Support Corporate Governance: A Case Study, presented by Avinash Totade, CISA, CGEIT, Dubai Aluminium Company, UAE
- E-government Security: Threats and Challenges, presented by Abbas S Kudrati, CISA, CISM, CGEIT, eGovernment Authority, Kingdom of Bahrain
- Metrics and Indicators for a Changing Security Landscape, presented by Ramsés Gallego, CISM, CGEIT, Entel IT Consulting, Spain
- Social Media: Business Security, Governance and Assurance Perspectives, presented by Urs Fischer, CISA, CRISC, IT GRC Consultancy, Switzerland
- Designing Next Generation Security and Audit for Cloud Computing Environments, presented by Eddie Schwartz, CISA, CISM, NetWitness Corp., USA
- The Future of Information: Real Challenges and Opportunities, presented by Norman Marks, SAP, USA
- Automating IT Risk and Compliance to Reduce Costs: A Series of Case Studies, presented by Anil Jogani, CISA, CGEIT, Milan Solutions Limited, UK
ISACA chose Dubai as the location for the conference because it is an important city in the global economy as well as the region’s crossroads, serving as a center of business and technology. ISACA’s United Arab Emirates Chapter was established in 1997 to bring together business and information technology leaders in the region. The ISACA UAE Chapter is a strong network of professionals from all the emirates of the UAE: Abu Dhabi, Dubai, Sharjah, Ajman, Umm Al Quwain, Ras Al Khaimah and Fujairah.
“CACS in Dubai will help attendees add value to their enterprise by providing them with practical guidance on critical IT-related issues facing organizations worldwide,” said Vatsaraman Venkatakrishnan, CISA, CISM, CGEIT, CRISC, Vice President of IS audit at Emirates Airlines and Chair of ISACA’s Conference Development Task Force.
Attendees who register by 12 January 2011 will receive an early-bird discount. Registration forms for the conference and two pre-conference workshops–Using COBIT for Effective IT Assurance and the Risk Management Workshop: Featuring ISACA’s Risk IT Framework and Guidance–are available at www.isaca.org/cacsindubai.
About ISACA
With 95,000 constituents in 160 countries, ISACA® is a leading global provider of knowledge, certifications, community, advocacy and education on information systems assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit ISACA develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) designations.
ISACA continually updates COBIT®, which helps IT professionals and enterprise leaders fulfill their IT governance responsibilities and deliver value to the business.
Source
Information Technology Professionals: Percento Technologies International
Tags: information technology leaders, it assurance, it compliance, it consulting, it enterprise, it governance, it management, it professionals, it risk and compliance, it risk management, IT Security, Managed IT Services Posted in Business Network Support, Industry Stories, Information Technology Consulting, Information Technology Security, Percento, Public Service Announcement | No Comments »
Monday, December 20th, 2010
The United States government is falling behind in making critical and productive investments in research related to networking and information technology (NIT), a government panel reported Thursday.
Federal agencies have used funds designated for direct pioneering research and development in NIT for alternative purposes, such as the creation of information technology products and infrastructure expansion in support of research in other fields, the President’s Council of Advisors on Science and Technology (PCAST) noted.
This failure to properly prioritize NIT research and development “could seriously jeopardize America’s national security and economic competitiveness,” the Council cautioned.
“We’re investing less than we think and less than we need,” said PCAST member David Shaw, chief scientist at D.E. Shaw Research. “If America is to retain its historical position of international leadership, its funding priorities must include high risk, high reward research with the potential for producing unanticipated, truly transformative advances.”
More Transparency
The report was based on the performance of a coalition of 14 agencies participating in the federal Networking and Information Technology Research and Development program (NITRD). These agencies target US$4 billion annually for NIT research and development. However, much of that spending goes to NIT-related projects that support research and development in other fields.
One example cited by PCAST is the National Institutes of Health (NIH): Less than 12 percent of its top 100 funding awards totaling $600 million was spent directly on NIT research and development. The remainder went to NIT components of biomedical research projects.
The panel concluded that the absolute level of federal NIT research should be boosted by at least $1 billion per year over the current level on a variety of initiatives that would benefit such sectors as energy, healthcare, transportation and national security. Some of that funding could come from redirecting the current pattern of investment to more cutting-edge purposes, both in hardware and software, according to the report.
One reason for the imbalance in research funding is that the agencies themselves have flawed systems for properly tracking expenditures. However, a program is under way to monitor funds better.
“We committed in February of this year to improving the transparency of these programs, and we will have that up and running by next February,” Aneesh Chopra, the federal government’s chief technology officer, told TechNewsWorld at a briefing on the report.
The improved transparency will lead to better analysis and better investment decisions, he said.
Public and Private Sector Roles
The report triggered a discussion about the role of the public and private sectors in IT research. Several panelists at the briefing stressed that federal-level spending for NIT research is essential for the future development of appropriate technologies. While private sector firms can contribute somewhat in the research effort, they are not geared to investing in pioneering research and are interested in more practical research investment in NIT, they contended.
The crossover between public and private sector investments in IT research actually involves more of a balance between the two, according to one business observer.
“There is a constant challenge in finding the synergies between government and private sector research. Private companies invest a lot in IT research and most of it is related to applications whereas government has the ability to go beyond that,” Mark White, chief technology officer at Deloitte Services, told TechNewsWorld.
“But there is a connection between the two in that the private sector can utilize the results of government research, which enhances the return on investment,” he said. “The value of the NITRD program and the report is that it helps to create an awareness of the roles of each sector for the greatest benefit.”
Another close observer of the federal IT research program agreed that government investments have an impact far beyond the government agencies that direct those investments.
“The private sector benefits from these investments,” Peter Harsha, director of government affairs for the Computing Research Association, told TechNewsWorld. “First, the research helps to advance technology generally — and the support to academia helps to develop the workforce needed by the IT businesses.”
Whatever the direct role is for the private sector in funding IT research, the government values the contributions that business can make in shaping the direction of research, Chopra said.
“There is a significant role for the private sector here, just as there is for the reforms the administration is initiating in information technology and procurement across the federal government,” he said. “We will be conducting outreach and seeking feedback from the private sector on the future direction of NIT research.”
Source
Tags: Information Technology, information technology company Posted in Industry Stories, Information Technology Consulting, Information Technology Security | No Comments »
Friday, December 17th, 2010
The United Nations is considering whether to set up an inter-governmental working group to harmonise global efforts by policy makers to regulate the internet.
Establishment of such a group has the backing of several countries, spearheaded by Brazil.
At a meeting in New York on Wednesday, representatives from Brazil called for an international body made up of Government representatives that would attempt to create global standards for policing the internet – specifically in reaction to challenges such as WikiLeaks.
The Brazilian delegate stressed, however, that this should not be seen as a call for a “takeover” of the internet.
India, South Africa, China and Saudi Arabia appeared to favour a possible new over-arching inter-governmental body.
However, Australia, the US, the UK, Belgium and Canada, along with attending business and community representatives, argued there were risks in forming yet another working group that might isolate itself from the industry, community users and the general public.
“My concern is that if we were to make a move to form a governmental-only body then that would send a very strong signal to civil society that their valuable contribution was not required or was not being looked for,” an un-named Australian representative told the meeting.
Debate on the creation of a new inter-governmental body stemmed from a UN Economic and Social Council resolution 2010/2 of 19 July.
The resolution invited the UN Secretary-General “to convene open and inclusive consultations involving all Member States and all other stakeholders with a view to assisting the process towards enhanced cooperation in order to enable Governments on an equal footing to carry out their roles and responsibilities in respect of international public policy issues pertaining to the Internet but not of the day-to-day technical and operational matters that do not impact upon those issues.”
Much debate concerned the meaning of “enhanced cooperation” and whether a new inter-governmental body was required. Participants also debated the roles of existing organisations – such as the Internet Governance Forum, ICANN and the ITU.
The IGF – an organisation that informs the UN but makes no decisions – is running close to the end of a five-year mandate, due to expire at the end of the year.
The likes of ISOC, ICANN and more recently the World Information Technology and Services Alliance (WITSA) have expressed concerns that a working panel to decide on the future of the IGF has been limited to representatives from member-states.
“Australia is a very strong supporter of the Internet Governance Forum,” the unidentified Australian UN representative said at the New York meeting this week. “That is very much due to the multi-stake-holder approach of the IGF. It is an inclusive process.”
Australia’s Department of Broadband, Communications and the Digital Economy said that the Australian Government welcomed the resolution of the Second Committee of the United Nations General Assembly (UNGA) to extend the Internet Governance Forum (IGF) for a further five years.
The DBCDE said it would like to see the organisation retain an open and participatory membership.
“Australia has always supported the participation of civil society and the private sector in the IGF and regards their participation as being integral to the IGF’s success,” a spokesman told iTnews.
Source
Tags: Information Technology Consulting, internet regulations Posted in Industry Stories, Information Technology Security | No Comments »
Monday, July 26th, 2010
Perhaps it was only a matter of time. But wireless security researchers say they have uncovered a vulnerability in the WPA2 security protocol, which is the strongest form of Wi-Fi encryption and authentication currently standardized and available.
Malicious insiders can exploit the vulnerability, named “Hole 196” by the researcher who discovered it at wireless security company AirTight Networks. The moniker refers to the page of the IEEE 802.11 Standard (Revision, 2007) on which the vulnerability is buried.
Hole 196 lends itself to man-in-the-middle-style exploits, whereby an internal, authorized Wi-Fi user can decrypt, over the air, the private data of others, inject malicious traffic into the network and compromise other authorized devices using open source software, according to AirTight.
The researcher who discovered Hole 196, Md Sohail Ahmad, AirTight technology manager, intends to demonstrate it at two conferences taking place in Las Vegas next week: Black Hat Arsenal and DEF CON 18.
The Advanced Encryption Standard (AES) derivative on which WPA2 is based has not been cracked and no brute force is required to exploit the vulnerability, Ahmad says. Rather, a stipulation in the standard that allows all clients to receive broadcast traffic from an access point (AP) using a common shared key creates the vulnerability when an authorized user uses the common key in reverse and sends spoofed packets encrypted using the shared group key.
Ahmad explains it this way:
WPA2 uses two types of keys: 1) Pairwise Transient Key (PTK), which is unique to each client, for protecting unicast traffic; and 2) Group Temporal Key (GTK) to protect broadcast data sent to multiple clients in a network. PTKs can detect address spoofing and data forgery. “GTKs do not have this property,” according to page 196 of the IEEE 802.11 standard.
These six words comprise the loophole, Ahmad says.
Because every client holds the GTK in order to receive broadcast traffic, the user of a client device can turn the GTK around and use it to forge a broadcast packet of its own. Other clients cannot tell the forgery from a genuine broadcast, so they treat the spoofed sender as their gateway and direct their traffic to it.
Ahmad says it took about 10 lines of code in open source MadWiFi driver software, freely available on the Internet, and an off-the-shelf client card for him to spoof the MAC address of the AP, pretending to be the gateway for sending out traffic. Clients who receive the message see the client as the gateway and “respond with PTKs”, which are private and which the insider can decrypt, Ahmad explains.
From there, “the malicious insider could drop traffic, drop a [denial-of-service] attack, or snoop,” Ahmad says.
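The key-handling point behind Hole 196 can be seen in a few dozen lines. The following is an added illustration, not code from AirTight, Ahmad or the article: it models an AP, three associated clients and the two key types, and shows that an integrity tag computed under the shared GTK proves only that the sender holds the GTK, which every client does, so a broadcast with the AP's address in the source field is accepted by everyone, while the same forgery against unicast fails because the PTK is known only to one client and the AP. CCMP's AES-CCM MIC is replaced by HMAC-SHA256 so the example runs with the standard library alone; the MAC addresses and payloads are constructed for the demo.

```python
"""Toy model of the Hole 196 key-handling point (added example, not
AirTight's or the article's code). CCMP's AES-CCM MIC is stood in for by
HMAC-SHA256; the pairwise-versus-group key argument is unchanged."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed sample addresses for the demo (not from the article).
AP_MAC = "00:11:22:33:44:55"
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str        # transmitter address as it appears in the header
    dst: str        # receiver address; BROADCAST selects the group key
    payload: bytes
    mic: bytes      # integrity tag over (src, dst, payload)


def _aad(src: str, dst: str, payload: bytes) -> bytes:
    # The addresses are covered by the tag, as CCMP's AAD covers them.
    return f"{src}|{dst}|".encode() + payload


def protect(key: bytes, src: str, dst: str, payload: bytes) -> Frame:
    """Build a frame whose MIC is keyed with `key` (stand-in for CCMP)."""
    mic = hmac.new(key, _aad(src, dst, payload), hashlib.sha256).digest()
    return Frame(src, dst, payload, mic)


def verify(key: bytes, frame: Frame) -> bool:
    expected = hmac.new(key, _aad(frame.src, frame.dst, frame.payload),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, frame.mic)


class Client:
    """An associated station: one private PTK, one GTK shared by all."""

    def __init__(self, mac: str, gtk: bytes) -> None:
        self.mac = mac
        self.ptk = os.urandom(16)   # per-client key from the 4-way handshake
        self.gtk = gtk              # handed to every client by the AP

    def accept(self, frame: Frame) -> bool:
        """Accept only if the frame verifies under the key its addressing requires."""
        if frame.dst == BROADCAST and frame.src == AP_MAC:
            return verify(self.gtk, frame)      # group traffic: shared key
        if frame.dst == self.mac and frame.src == AP_MAC:
            return verify(self.ptk, frame)      # unicast from the AP: my PTK
        return False


def run_demo() -> dict:
    gtk = os.urandom(16)
    alice = Client("aa:aa:aa:aa:aa:01", gtk)
    bob = Client("bb:bb:bb:bb:bb:02", gtk)
    mallory = Client("cc:cc:cc:cc:cc:03", gtk)  # authorized, but malicious

    # The AP's genuine broadcast verifies for everyone, as intended.
    legit = protect(gtk, AP_MAC, BROADCAST, b"AP announcement")

    # Mallory reuses the GTK she legitimately holds and writes the AP's MAC
    # into the source field; the tag verifies, so the forgery is accepted.
    lie = b"gateway MAC is now cc:cc:cc:cc:cc:03"
    forged_bcast = protect(mallory.gtk, AP_MAC, BROADCAST, lie)

    # The same trick against unicast fails: Alice checks her own PTK,
    # which Mallory does not have.
    forged_ucast = protect(mallory.ptk, AP_MAC, alice.mac, lie)

    return {
        "legit_broadcast_accepted": alice.accept(legit) and bob.accept(legit),
        "forged_broadcast_accepted": alice.accept(forged_bcast) and bob.accept(forged_bcast),
        "forged_unicast_accepted": alice.accept(forged_ucast),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The model makes the "nothing to patch" remark concrete: the receivers do everything the standard asks of them, including checking that the broadcast carries the AP's address, and the forgery still passes because the only key available for group traffic is one the attacker was legitimately given.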
The ability to exploit the vulnerability is limited to authorized users, AirTight says. Still, year-after-year security studies show that insider security breaches continue to be the biggest source of loss to businesses, whether from disgruntled employees or spies who steal and sell confidential data.
What can we do about Hole 196?
“There’s nothing in the standard to upgrade to in order to patch or fix the hole,” says Kaustubh Phanse, AirTight’s wireless architect who describes Hole 196 as a “zero-day vulnerability that creates a window of opportunity” for exploitation.
Source
Posted in Information Technology Security | No Comments »
Thursday, July 22nd, 2010

Microsoft released a beta of the new version of its Security Essentials antimalware software on Tuesday, sporting a few changes and enhancements.
Following version 1.0 of the free Security Essentials released in September, the folks in Redmond outfitted the 2.0 beta with an updated antimalware engine. The new engine is smarter at detecting and removing security threats and offers better performance, according to a Microsoft blog. The software also now integrates directly with Windows Firewall and gives users the option to turn the firewall on or off.
By integrating with Internet Explorer, the Security Essentials beta provides greater protection against Web-based threats, Microsoft said. It can also watch for attacks that come via a network, though this option is only available in Windows Vista and Windows 7. Users of Windows XP can’t take advantage of this particular feature because XP lacks the necessary Windows Filtering Platform.
You can find and download the new beta at Microsoft’s Connect page where you’ll need to log in with a Windows Live account. You’ll then be directed to the download page where you choose whether to grab the 32-bit or 64-bit version.
Microsoft has promised to keep the beta current with the latest virus and spyware definitions and also provide ongoing updates to the software itself. To receive the software updates, you’ll need to subscribe to Microsoft Update and set your preferences to automatically download and install new updates, according to the company.
The beta is only for people in the U.S., Israel (English only), China (Simplified Chinese only) and Brazil (Brazilian Portuguese only). And it’s available on a first-come, first-served basis, apparently just until a certain quota has been reached.
Source
Posted in Industry Stories, Information Technology Security | No Comments »