White House joins solar surge, installs panels

Pres. Carter had installed panels in 1979, Pres. Reagan removed them in 1986.    

Manning: “I understand that I must pay a price for my...

Convicted leaker Pvt. Bradley Manning speaks at sentencing hearing, apologizes.    

Quick thinking security consultant Secarma saves charity data loss

Hypoparathyroidism charity HPTH UK avoided a big fine from the Information Commissioner thanks to quick thinking from security consultant Secarma. The charity experienced a SQL injection attack on a Linux server, which resulted in the personal details of more than 1,000 sufferers of the life-threatening illness, stored by HPTH UK, being published on the infamous hacker website Pastebin. One of Secarma's experts saw the data dump on Pastebin, alerted the charity and worked with web developers to identify the vulnerability. Secarma also removed the data from Pastebin and all Google searches related to it, and contacted the police. Liz Glenister, CEO of HPTH UK, said: “We feel that the recent decision from the ICO not to take action is down to Secarma's early intervention and willingness to share their knowledge so freely, for which we shall be ever grateful.” Secarma found a vulnerability within the forum software that the charity was using.

The vulnerability was patched and the forum software was updated. Secarma also ran a penetration test to ensure the security holes were fixed. Lawrence Jones, CEO of Secarma’s parent company UKFast, said: “Hackers are unscrupulous and if they can steal your data, they will. It doesn’t have to cost a lot of money or take a lot of time; simple measures like strong passwords and regular testing can ensure that you won’t be easy pickings for hackers, nor fall foul of the ICO and the Data Protection Act.”


Public cloud limitations drive enterprises to hybrid cloud, shows study

The limitations of using public cloud as a one-size-fits-all service are becoming more apparent, causing a growing number of UK and US enterprises to adopt a hybrid cloud infrastructure instead, according to research.

The study, commissioned by managed hosting services and cloud provider Rackspace and conducted by market research firm Vanson Bourne, found that 60% of respondents have moved or are considering moving certain applications or workloads, either partially (41%) or completely (19%), off the public cloud because of its limitations or the potential benefits of other platforms, such as a hybrid cloud. The respondents defined hybrid cloud infrastructure as a public cloud, private cloud and dedicated servers working together in any combination.

The research also showed that 60% of IT decision-makers view hybrid cloud as the culmination of their cloud journey, rather than a stepping stone to using the public cloud alone for all their cloud needs. Some 72% of US respondents agreed that hybrid was their final destination, while 49% of UK respondents said the same.

Action for Children made switch from public to hybrid cloud

For instance, UK charity Action for Children had previously used public cloud services for many of its applications and workloads, but found it couldn't cope with growth. “As we grew it became clear that some of these applications were becoming too complex for a public cloud-only deployment,” said Darren Robertson, digital communications data scientist at Action for Children. Today, its infrastructure comprises Rackspace cloud services to host its website, the charity’s internal datacentre to host sensitive data about the children it deals with, and a Rackspace hosting service to run some of its other applications. “We chose a hybrid cloud solution, which includes public cloud, to ensure adequate control over our infrastructure, and have also enjoyed performance, reliability, security and cost benefits,” Robertson said.

Action for Children uses the hybrid cloud platform to ensure the privacy, security and control of dedicated servers, with the ability to burst into a public cloud when necessary. The charity uses the cloud for big data analytics, placing on it a Hadoop cluster of customer, donor and fundraiser data, so that it can provide its diverse user groups with customised online experiences and improve engagement.

Study reveals hybrid cloud migration

“The findings indicate that hybrid cloud is the next step for many organisations. They may have started with a public cloud-only architecture, but have come to realise the limitations of this approach as they’ve continued on their cloud journey,” said John Engates, CTO of Rackspace.

The research also found that hybrid cloud is now used by nearly three-quarters (72%) of respondents for at least a portion of their application portfolio, with more US organisations (80%) likely to use it than UK ones (64%). Respondents cited better security (52%), greater control (42%), and better performance or reliability (37%) as top reasons for moving away from a public cloud-only approach to a hybrid one.

The study also questioned existing users of hybrid cloud platforms to assess the benefits of the infrastructure. Users reported more control, better security, better reliability, reduced costs and better performance as its top advantages. The average reduction in overall cloud costs from using hybrid cloud, for those who have seen a reduction, was 17%.

Hybrid cloud gives Bunches.co.uk best of both worlds

One UK business that moved from in-house IT to hybrid cloud IT is online florist Bunches.co.uk. “In the past we used dedicated servers for almost all of our applications and workloads, but as we grew it became clear that some of these applications were better suited to a public cloud deployment,” said Barry Parkin, IT manager at Bunches.co.uk. The company’s hybrid infrastructure includes the use of public cloud to handle seasonal peaks in online demand and dedicated servers to ensure adequate control over other parts of its IT infrastructure. “Having these two platforms working together in combination means we enjoy performance, reliability, security and cost benefits. The flexibility of the hybrid infrastructure has also improved our testing and development capability and allows us to support BYOD [bring your own device],” Parkin said.

IT architecture tailored to fit

Businesses turn to the hybrid cloud because it can combine the best of public cloud, private cloud and dedicated servers, delivering a common architecture that can be tailored to create the best fit for their specific needs, according to Rackspace's Engates. “For example, instead of trying to run a big database in the public cloud on its own, which can be very problematic, businesses can use the hybrid cloud to run that database more efficiently on a dedicated server that can burst into the public cloud when needed,” he said.

But public cloud remains important to IT decision-makers at UK and US enterprises involved in research, media or multiple geographical locations. Organisations such as News International, Netflix and Domino’s Pizza use elements of public cloud infrastructure.


US, Germany agree not to spy on industry or government

In the wake of the Snowden leaks, the US has been trying to patch up its relationship with its long-running ally Germany. The German government said it was furious when it discovered US spooks were spying on its government. Now it seems that the US has verbally committed to enter into a no-spying agreement with Germany. But this will just block government and industrial espionage, so presumably citizens are fair game. According to IT World, the verbal commitment was given in talks with the German Federal Intelligence Service (Bundesnachrichtendienst, BND). According to the German government, this means that there must be no governmental or industrial espionage between the two countries. Standards for the cooperation of EU intelligence services are being hammered out.

While the US has no problems trusting Germany, there are others in the EU it wants to keep an eye on. The no-spying agreement talks were part of an eight-point programme proposed by German Chancellor Angela Merkel. Germany found that US intelligence services comply with German law.

The operators of large German Internet exchanges and the federal government did not find any evidence that the US spies on Germans, the government said. We would have thought that meant that the US was pretty good at it. The NSA spying revelations should lead to an acceleration of data protection agreement negotiations between the EU and the US, Merkel said in an interview on German radio. 

Internet of Things lighting systems hacked

While Intel and its ilk talk up the Internet of Things idea, it turns out that some of the early moves into the field are completely insecure. Philips created a Hue LED lighting system, a smart lightbulb which uses wi-fi to connect to the net. Users can use their smartphones or computers connected to the web or local networks to turn lights on and off and control the colour of ambient lighting.

Unfortunately it is so insecure a hacker can get in and turn your lights off. Nitesh Dhanjani, the researcher who discovered the weaknesses and developed proof-of-concept attacks that exploit them, wrote in his blog that smart lightbulb systems are likely to be deployed in current and new residential and corporate constructions. The flaw means an intruder can remotely shut off lighting in locations such as hospitals and other public venues. The Philips wireless controller has an authentication controller which consists of a security token containing the device's unique media access control identifier, that has been cryptographically hashed using a known algorithm. These hardware addresses are trivial to detect by anyone on the same network or often by people within radio range of a device, making them unsuitable for authentication. Dhanjani's hack uses Java which is delivered when browsing compromised websites or websites dedicated to serving attack pages. It combs through the address resolution protocol cache of a local network to find all connected devices. The hack runs the MAC address of each discovered device through the MD5 hash algorithm and includes the output in a security token used to send commands to the light controller. If a command is successfully executed, the hack will repeat it.

If a command doesn't succeed, the malware will register a new token every second or so using a different MAC address until a valid one is found. It is just as well the lighting system is not that popular yet. Dhanjani said that a remote botnet system could cause a perpetual blackout of millions of consumer lightbulbs. The other problem is that Philips has not really worked out how to deal with security problems yet. Dhanjani found it impossible to notify the company of its problems. 
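The weakness described above comes down to one design choice: the controller's "secret" is derived from a value (the MAC address) that anyone on the network can observe, and the controller accepts an unlimited stream of guesses. The following Python is an added illustration written for this page; it is not code from the article, from Dhanjani's research or from Philips. It places the MAC-derived token pattern next to a hypothetical controller that issues random pairing tokens, stores only their digests, compares them in constant time and locks after repeated failures. The `PairingController` class, its method names and the sample MAC address are all constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed sample value for the demo; not a real device address.
SAMPLE_MAC = "00:11:22:33:44:55"


def mac_derived_token(mac: str) -> str:
    """The pattern the article describes: the token is just a hash of the
    device's MAC address. It is deterministic and built from a value that
    anyone on the LAN (or within radio range) can observe, so it carries no
    secret at all. Kept here only as the 'before' half of the comparison."""
    return hashlib.md5(mac.lower().encode()).hexdigest()


class PairingController:
    """Hypothetical lighting controller that issues unguessable tokens.

    - pair() hands out a fresh 128-bit random token (a real device would only
      do this inside a physical pairing window, e.g. after a button press).
    - Only a SHA-256 digest of each token is stored, so a dump of the
      controller's storage does not yield usable credentials.
    - authorize() compares digests in constant time and locks the interface
      after a burst of failures, which blunts the once-a-second guessing loop
      the article describes (a production device would rate-limit per source
      rather than globally, so a guesser cannot lock out legitimate apps)."""

    def __init__(self, max_failures: int = 5):
        self._token_digests: dict[str, str] = {}  # sha256(token) -> app name
        self._max_failures = max_failures
        self.failed_attempts = 0

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def pair(self, app_name: str) -> str:
        token = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
        self._token_digests[self._digest(token)] = app_name
        return token

    @property
    def locked(self) -> bool:
        return self.failed_attempts >= self._max_failures

    def authorize(self, token: str) -> bool:
        if self.locked:
            return False
        candidate = self._digest(token)
        # compare_digest avoids leaking how much of a digest matched via timing
        ok = any(hmac.compare_digest(candidate, stored)
                 for stored in self._token_digests)
        if not ok:
            self.failed_attempts += 1
        return ok

    def reset_lockout(self) -> None:
        """Hypothetical: cleared by a physical action on the device."""
        self.failed_attempts = 0


def demo() -> dict:
    """Run both schemes against the same constructed MAC and report what an
    observer who knows only the MAC can achieve. Every value should be True."""
    controller = PairingController()
    real_token = controller.pair("living-room-app")
    results = {
        # Two parties who know only the MAC compute exactly the same token.
        "weak_token_recomputable": mac_derived_token(SAMPLE_MAC)
        == mac_derived_token(SAMPLE_MAC.upper()),
        "strong_accepts_paired_app": controller.authorize(real_token),
        # Knowing the MAC does not help against the random-token controller.
        "strong_rejects_mac_guess": not controller.authorize(
            mac_derived_token(SAMPLE_MAC)),
    }
    # Simulate the retry loop: keep guessing until the controller locks.
    for _ in range(10):
        controller.authorize(secrets.token_hex(16))
    results["locked_after_guessing"] = controller.locked
    # Even the legitimate app is refused while locked; a reset clears it.
    results["valid_token_refused_while_locked"] = not controller.authorize(real_token)
    controller.reset_lockout()
    results["valid_token_after_reset"] = controller.authorize(real_token)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the comparison is that the strength of the hash function is irrelevant in the weak scheme: MD5 of a public value is still a public value. Unpredictability has to come from a secret generated on the device and shared only during an authorised pairing step, and the controller should treat a stream of failed token checks as a signal rather than simply answering each one.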

IBM extends cloud business with Trusteer mobile security

IBM is to acquire financial fraud specialist Trusteer as part of a bid to boost its cloud software and services business. Through the acquisition, IBM said it will take on 200 Trusteer researchers to create a cyber security software lab in Israel. The lab will also house IBM researchers and developers focusing on mobile and application security, advanced threats, malware, counter-fraud and financial crime. Trusteer develops software to help secure customers in online banking environments.

The Trusteer software performs malware detection on smartphones. Nine of the top 10 UK banks use Trusteer’s software to help secure customer accounts against financial fraud and cyber attacks. Brendan Hannigan, general manager, security systems division, IBM, said: “Together with IBM’s capabilities in advanced threat detection, analysis and remediation, we will now be able to offer our clients several additional layers of defence against sophisticated attackers.” Earlier this year, IBM launched SmartCloud – its enterprise-class cloud computing services for building private, public and hybrid clouds. IBM plans to add Trusteer’s cloud-delivered security software to its portfolio of 100 SaaS (software as a service) products. It said it would also use Trusteer’s SaaS architecture to protect PCs, desktops, smartphones and tablets against emerging threats. “Because Trusteer software can be delivered through the cloud, organisations can receive accurate, real-time updates on malicious activities and the latest threats, better protecting data from fraud and compromise,” IBM said. As Computer Weekly has previously reported, the US regulatory watchdog the Securities and Exchange Commission (SEC) is investigating how IBM reports cloud revenue, as IBM disclosed in its quarterly filing to the SEC on Wednesday.


Security and accreditation obstacles act as G-Cloud barriers, claim SMEs

A group of SMEs called the 10% Group has claimed that security and accreditation are limiting small and medium-sized enterprises’ chances to win more G-Cloud contracts. The 10% Group – which includes IT suppliers Asidua, Automated Intelligence, Hao2, Digi2al, Magic Milestones and Shaping Cloud – claims that while the G-Cloud is starting to change the way the public sector buys commodity IT services, “it still has a long way to go”. The 10% Group said it was concerned that the G-Cloud accreditation process was a moving target and very labour-intensive.

The PSN accreditation process adds to this workload. New entrants are being stalled by the lack of IL3-accredited connection services on the Public Services Network (PSN). According to data from the Cabinet Office, 56.4% of total sales by value of government contracts procured through G-Cloud have been awarded to SMEs, and over 60% of contract wins on the G-Cloud go to SMEs. A Cabinet Office spokesperson told Computer Weekly: “G-Cloud allows the public sector to buy the IT services they need when they need them, rather than forcing them to design complex solutions from scratch.” There are currently 832 suppliers and over 7,000 services on the G-Cloud frameworks, with cumulative spend now crossing £31m. The Cabinet Office stated: “We anticipate that our cloud-first policy will result in 50% of new central government IT spend being procured through the CloudStore by 2015. SMEs are a key driver for the country’s economic growth, and G-Cloud is reducing red tape and making it simpler and cheaper for smaller companies to join the G-Cloud supplier framework and win business. Our latest G-Cloud sales information shows that this is working.” The 10% Group said it had been “impressed with the cultural and behavioural changes in getting the public sector behind the G-Cloud”. But it added that the number of G-Cloud contracts awarded to SMEs would increase significantly if SMEs received 25% rather than the current 10% of total public sector spending. A government report showed that direct spending in the public sector on SMEs increased from £3bn in 2009-2010 to £4.5bn in 2012-2013. However, this still represented just 10.5% of overall public sector spending.

The government aims to award 25% of central government business to SMEs by 2015, directly and through the supply chain. “G-Cloud is starting to change the way the public sector buys commodity IT services,” said Kate Craig-Wood, the convener of the 10% Group and founder of Memset. “With the help of my team I am collating the views, issues, troubles and successes of these SMEs and feeding them back into Intellect, the Cabinet Office and the G-Cloud programme,” she said. The Cabinet Office recently opened the fourth iteration of G-Cloud (G4) to accept tenders.

New cloud providers and existing G-Cloud suppliers can register their services in the next round of government IT procurement until 23 September.


Homeland Security Picks IBM Software, Services for Cybersecurity Program

The Department of Homeland Security has selected IBM software and services to be part of a cyber-security effort. IBM announced that its security software and services offerings will be part of the U.S. Department of Homeland Security’s (DHS) Continuous Diagnostics and Mitigation (CDM) program. The CDM Program will provide specialized IT tools and Continuous Monitoring as a Service (CMaaS) offerings to combat cyber-threats in the civilian and “.gov” networks including various network endpoints and mobile devices.

The CDM Program moves the nation’s networks from the current legacy model of historical compliance reporting to a more real-time approach for combating advanced threats, IBM said. DHS awarded the $6 billion contract to 17 companies, including IBM, Lockheed Martin, General Dynamics, CSC, Northrop Grumman and others. As part of the up to $6 billion CDM Program, government agencies can leverage IBM consulting services as well as security intelligence software including IBM Security Endpoint Manager, IBM Security AppScan and IBM Security QRadar. “This award from DHS demonstrates that IBM’s $4B annual investment in cyber-security and security analytics research puts IBM in a unique position to help government agencies meet evolving cyber-security threats,” said Anne Altman, general manager of IBM US Federal, in a statement. “IBM will draw from our decades of experience working with federal agencies and worldwide clients and our own internal experience in securing the worldwide networks used by our 400,000-plus employees.” Software technologies from IBM will help secure the thousands of endpoints on vulnerable networks as well as integrate “threat and event data” in real time. IBM Security Endpoint Manager offers a unified management platform that automates and streamlines systems and security management. IBM QRadar Security Intelligence Platform provides a dashboard and unified architecture for integrating Security Information and Event Management (SIEM), log management, anomaly detection, and configuration and vulnerability management. State and local agencies can also benefit from the CDM Program by leveraging the buying power and consistency offered by the program.

The CDM Program will help transform the way federal and other government entities manage their cyber-networks through strategically sourced tools and services and enhance the ability of government entities to strengthen the posture of their cyber-networks.

The CDM Program brings an enterprise approach to continuous diagnostics, and allows consistent application of best practices. IBM provides the security intelligence to help organizations protect their people, data, applications and infrastructure. IBM operates a broad security research and development organization.

For instance, Big Blue monitors 15 billion security events per day in more than 130 countries and holds more than 3,000 security patents, IBM officials said. In October 2011, IBM announced an agreement to acquire security intelligence software vendor Q1 Labs and finalized the deal later that year.

At the time, IBM also created a new security division, IBM Security Systems, in a move to accelerate Big Blue’s efforts to help clients more intelligently secure their enterprises by applying analytics to correlate information from key security domains and creating security dashboards for their organizations. The technology IBM acquired from Q1 Labs featured QRadar, which includes advanced analytics and correlation capabilities that automatically detect and flag actions across an enterprise that deviate from prescribed policies and typical behavior to help prevent breaches, such as an employee accessing unauthorized information. In a recent blog post, Brendan Hannigan, former CEO of Q1 Labs and current general manager of the IBM Security Systems Division, said, “IBM’s security intelligence mission is to harness all of the security-relevant information across your organization (people, data, applications, infrastructure) and then apply advanced intelligence and analytics to help organizations detect threats faster, prioritize risks more effectively and automate compliance activities.” IBM employs thousands of security experts globally such as security operations analysts, consultants, sales and technical specialists, and strategic outsourcing delivery professionals, the company said. A recent Forrester report on security consulting services indicates that IBM has some 6,000 security consultants. According to the research firm, IBM came out as the most improved vendor in the recent Forrester Wave, substantially improving its scores as compared with other leaders, thanks to solid global delivery capabilities supported by the more than 6,000 consultants with an average of 9.5 years of experience. “The purchase of Q1 Labs in late 2011 has added to IBM’s technical capabilities and provided it with additional insight and expertise to feed into a growing consulting and solution delivery organization,” Forrester said in a report.
“IBM has an understandable focus on managed security services and is so confident in its delivery capability that it chooses to share client risk, often in the form of fixed-price engagements. IBM has the largest client base of the participants in this Forrester Wave.” However, Forrester also cited some areas for improvement, including price, back-office formality and an overly heavy focus on technologies and processes rather than people.

Google confirms Android flaw that led to Bitcoin theft

While the tech giant explains the cause of the vulnerability that left Bitcoin digital wallets susceptible, Symantec researchers warn that hundreds of thousands of apps are at risk of similar attacks. August 14, 2013 7:26 PM PDT Google has conf...

Bill Gates still helping known patent trolls obtain more patents

New Gates patent continues his partnership with Intellectual Ventures.    

Google says no “legitimate privacy” for Gmail users

Gmail users should not expect "legitimate privacy" when they send emails using the service, according to a legal brief representing Google. In a brief filed in federal court, Google lawyers said users "cannot be surprised if their emails are processed by the recipient's email provider in the course of delivery". "Indeed, a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties," the brief said. A highly redacted copy of the complaint is available at the Consumer Watchdog website here (PDF). It argues that, due to Google's silence, users do not consent to Google reading the content of email messages, and asserts that Google is violating state and federal wiretap laws because the company combs through emails to help it with its targeted advertising. Google's motion to dismiss is available here (PDF); it repeatedly references how the process is automated, and suggests users are aware of it. Google also says that if the way it accesses emails were changed, it could criminalise services like spam filtering and search. The motion reads: "Plaintiffs' claims should be rejected because they would lead to anomalous results with far-ranging consequences beyond the allegations in the Complaint. Plaintiffs' theory–that any scanning of email content by ECS providers is illegal–would effectively criminalize routine practices that are an everyday aspect of using email. Indeed, Plaintiffs' effort to carve out spam filtering and virus detection from their claims underscores the fact that their theory of liability would otherwise encompass these common services that email users depend on." District judge Lucy H Koh will hear the case on 5 September in a San Francisco District Court. Consumer Watchdog's privacy project director, John M Simpson, said users should take Google at its word. "If you care about your email correspondents' privacy, don't use Gmail," Simpson said. "Google's brief uses a wrong-headed analogy.
Sending an email is like giving a letter to the Post Office. I expect the Post Office to deliver the letter based on the address written on the envelope. I don't expect the mail carrier to open my letter and read it." TechEye has approached Google for a response.