Archive for March, 2011

Today, if you read half of the articles on the web or have a conversation with an IT guy, sooner or later the article or the conversation will touch on the topic of cloud computing. In recent years the term cloud computing has become an industry buzzword. Whatever you look at has a cloud portion in it. Everyone talks about cloud computing. But what exactly is this so-called cloud computing? Where did the term “cloud” come from for this technology?

For me, cloud computing is simply “hosted services” over the internet or a dedicated private network. In today's world, IT has become one of the key requirements for running a business. A successful business needs hardware, software, IT experts, design, implementation, maintenance, support, upgrades, etc. Cloud computing lets an organization forget all those components and focus only on its core business. That is, an organization can host its application somewhere in a datacenter and access it through the internet. By doing this, the employees of that organization need only a PC and an internet connection to access the application, and the management does not have to worry about hardware, backups, upgrades, etc., as all of those will be taken care of by the hosting company. How did this become so feasible now? Recent improvements in virtualization and in internet connection speeds have made it possible. An example of a cloud service is a total mail solution offered through the internet, where the users require only a PC and internet connectivity to retrieve their emails (no servers, backups, downtime, etc.).

How did we end up with the term “CLOUD”? If you look at the network diagram charts (Microsoft Office Visio is a tool which generates such diagrams), the cloud symbol depicts the internet, so the name CLOUD was derived from that.

A Public Cloud delivers services to anyone on the internet, either free or for a fee. Some examples of this would be email services provided by Hotmail, Gmail and Yahoo, or Google Apps, Microsoft Office 365, etc.

A Private Cloud delivers services to a target audience or a target group from a private datacenter over a private network. Sometimes, to create a Private Cloud, we might use the resources of a Public Cloud, and this creates a Hybrid.

There are 3 major offerings through Cloud Computing:

1) IaaS – Infrastructure As A Service

2) PaaS – Platform As A Service

3) SaaS – Software As A Service

I will write about these later; meanwhile, I hope the above is informative.


EC-Council Launches Center for Advanced Security Training (CAST) to Address the Growing Need for Advanced Information Security Knowledge

Mar 9, 2011, Albuquerque, NM – According to the report of the Commission on Cybersecurity for the 44th President, released in November 2010 by the Center for Strategic and International Studies (CSIS), technical proficiency is critical to the defense of IT networks and infrastructures, and there is evidently a shortage of such personnel in the current cyber defense workforce.

The United States alone needs between 10,000 and 30,000 well-trained personnel who have the specialized skills required to effectively guard its national assets. In essence, there is a huge shortage of highly technically skilled information security professionals. The problem is one of both quantity and quality, and it is not a problem just for the government space. Public and private companies are also in dire straits trying to fill such staffing needs.

The information security workforce requires not just technically proficient people to operate and support existing systems that are already deployed. There is a great demand for highly skilled professionals who can design security systems, application engineers who can write secure code, as well as forensics experts who are well trained with highly advanced computer examination skills. Threats to SCADA and critical infrastructures are mounting, and nations cannot ignore that these threats need effective methods and manpower to be mitigated, should they ever occur. With the exponential growth of mobile device adoption and higher dependency on wireless communications, hackers are finding more ways and means to exploit these technologies, crippling organizations and agencies alike.

One of the keys to addressing these issues will be to adequately train and equip cyber defenders with the cutting-edge technological skills that are required to prevent such attacks and build a sound perimeter defense to deter these threats. A company needs to ensure that its current cyber workforce is well-trained, and as an individual, one needs to maintain technical proficiencies that are up-to-date in order to stay employable. Without a doubt, training is essential.

Recognizing this gap, EC-Council has launched the Center for Advanced Security Training (CAST) to address the lack of highly technically skilled information security professionals. CAST will provide advanced and specialized information security training for specific domains such as application security, penetration testing, computer forensics, social engineering, malware and botnet analysis, among others. These highly technical training programs are designed with industry practitioners to ensure that content is current and relevant, and the focus of CAST training will be its thorough, extensive hands-on approach, to enable participants to combat real-life scenarios.

“Certification has grown to become a necessity. It is critical for information security professionals to be equipped with the baseline knowledge and skills that any certification provides,” said Jay Bavisi, president of EC-Council. He adds, “However, it is the advanced skills and technical proficiency that will make one stand out from its peers. Such skills can only be acquired through specialized and highly technical training. And these are the components that CAST aims to provide to the infosec professional community.”

Some of the first CAST programs that will be rolled out are the Advanced Penetration Testing course by Joseph McCray, an air force veteran who has tested over 150,000 machines in his career alone, and the Digital Mobile Forensics Deep Dive by Wayne Burke, former cyber crime investigator with the South African police department. There is also the Advanced Application Security course by Tim Pierson, the well-traveled information security consultant and trainer, who co-authored a book on virtualization security.

10 predictions for Windows 8

Posted: March 6, 2011 in Analysis

1: ARM support

The one firm detail that Microsoft has released is that Windows 8 will support the ARM architecture. ARM processors are common in various consumer electronics devices, and it seems clear that Microsoft is positioning itself to allow Windows 8 to run on PCs, tablets, and cell phones.

2: Separation from the server

Before the days of Windows XP, Windows Server and the Windows desktop clients were two completely different operating systems. In recent years, Microsoft has tried to cut development costs by designing its desktop and server operating systems to use the same kernel. Even so, I think we may see Microsoft make a departure from the strategy. In my opinion, Windows client operating systems (especially with the newly announced ARM support) are simply becoming too different from Windows Server operating systems. I think Microsoft will eventually have no choice but to resume completely separate development cycles. Whether this happens in the Windows 8 timeframe remains to be seen, though.

3: OS on a diet

For as long as I can remember, people have complained that Windows is an overly bloated operating system. Since Microsoft is going to design Windows 8 to run equally well on PCs and devices with ARM processors, I think that it will have no choice but to trim down the operating system.

Consumers have been driven to adopt tablets and other mobile devices because of their speed, simplicity, and the fact that they boot instantly. Windows 7 is far too bloated to meet any of these expectations. Therefore, if Microsoft wants to use Windows 8 on mobile devices, it will have to get rid of many of the things that make Windows 7 so bloated and inefficient.

4: Goodbye to 32-bit support

Even though there are rumors to the contrary, I expect Microsoft to do away with 32-bit support in Windows 8. Every PC that has been manufactured in the last several years includes a 64-bit processor. There is absolutely no reason why a brand-new operating system needs to continue to support legacy 32-bit hardware.

Whether Windows 8 will support 32-bit applications remains to be seen. In the previous item, I mentioned that Microsoft needs to design Windows 8 to make it less bloated and more efficient. One of the easiest ways Microsoft could do this would be to design the kernel so that it runs only 64-bit applications. However, there are still so many 32-bit applications in use, I think Microsoft will continue to provide support for those applications, even if it’s not in a traditional way.

5: Virtual plug-ins

Believe it or not, I think that Windows 7 was actually a model for Windows 8 in some ways. As you will recall, Microsoft offers something called Windows XP mode in some editions of Windows 7. With Windows XP mode, Windows XP runs as a virtual machine, but in a rather unique way. Users can either use the Windows XP desktop or they can run applications transparently through the Windows 7 desktop, even though those applications are actually running on Windows XP.

I think that Microsoft may bring the same model to Windows 8. Rather than provide backward compatibility to legacy operating systems within the Windows kernel, Microsoft may create virtual instances of legacy operating systems (including 32-bit operating systems) that function as plug-ins to Windows 8. This would be an ideal solution because this approach would help keep the Windows 8 kernel small and efficient, while still providing a means of achieving backward compatibility for those who need it.

6: Heavy reliance on the cloud

This past summer at TechEd in New Orleans, Microsoft placed extremely heavy emphasis on cloud computing. I don’t expect Microsoft to completely abandon its cloud focus just because it has a new desktop operating system on the horizon. Instead, I look for Windows 8 to include heavy cloud integration. For example, I think that Windows 8 will probably provide the ability to make cloud applications appear to users as if they are installed and running locally.

7: Native support for virtualized apps

I think we can expect Windows 8 to offer native support for virtualized applications. Among these applications, I think Windows 8 will be designed to run Internet Explorer in a sandbox. This would help put an end to all the security issues that Microsoft has previously had with the browser, because virtualizing and sandboxing Internet Explorer would prevent malicious Web sites from infecting the core operating system. It may even be possible to reset Internet Explorer to a pristine state after each use.

8: A bigger distinction between consumer and enterprise versions

Ever since Windows XP, Microsoft has offered different editions of its desktop operating systems with at least one version geared toward consumers and another toward businesses. I think that in Windows 8, we will see a greater distinction between the consumer and enterprise editions than ever before.

If my prediction about the core operating system being small and efficient holds true, I think that Microsoft will market the lightweight OS to businesses as being more secure than previous versions of Windows because of its smaller footprint. At the same time, though, I doubt that Microsoft will be able to resist the temptation to load up the consumer version with unnecessary software, such as software to provide native support for Zune.

9: Using hardware to drive sales

One thing that was abundantly clear from the Consumer Electronics Show in Las Vegas this year is that the PC is in real trouble. Consumers have begun to shy away from purchasing desktops and laptops in favor of purchasing tablet devices. As a result, I look for Microsoft to use native operating system support for specialized hardware to try to woo customers back to the PC. For example, I think we will see an adaptation of Microsoft Kinect for the PC, which will allow interacting with the PC via hand gestures. Just how practical it will be to work with a PC in this manner remains to be seen, but I think it will make a great marketing gimmick.

10: Name change

Even though everyone has been using the name Windows 8, I don’t think that will be the official name of the new operating system. At the moment, Microsoft has a serious image problem. It’s perceived by many as being out of touch and late to the party. While other companies are focusing on tablets and mobile devices, Microsoft is still writing software for the PC. I think that in an effort to lose its dated image, Microsoft may rebrand Windows as something completely different. It might even lose the name Windows.

If you think this sounds farfetched, consider what recently happened with Microsoft Flight Simulator. Flight Simulator has been around for roughly 30 years, which puts its longevity more or less on par with Windows. Even so, Microsoft has announced that the next edition will be called Microsoft Flight. It is rebranding the product to try to change its image in order to attract gamers and not just pilots (or aspiring pilots).

Microsoft has patched a bug in its malware scanning engine that could be used as a stepping stone for an attacker looking to seize control of a Windows box.

The bug is fixed in an update to the Microsoft Malware Protection Engine that was pushed out to users of Microsoft’s security products on Wednesday. It’s what’s known as an elevation of privilege vulnerability — something that could be used by an attacker who already has access to the Windows system to gain complete administrative control.

Microsoft hasn’t seen anyone take advantage of the bug yet — the flaw was reported to the company by security researcher Cesar Cerrudo — but Microsoft thinks that hackers could develop code that reliably exploits the issue.

In an instant message interview, Cerrudo, the CEO of security research firm Argeniss, said he disclosed the bug publicly at the Black Hat security conference in July 2010. But because the hacker would already need to have access to the machine to pull off this attack, he doesn’t believe that it presents a major security risk to most users.

“This vulnerability could be exploited remotely, for instance on Internet Information Server, but the attacker will need to be able to upload and execute code on IIS,” he said. “Sites that allow users to upload Web pages, they are more at risk.”

Microsoft rates the issue as “important.”

An attacker could take advantage of the flaw by changing a Windows registry key to a special value, which would then be processed by the malware engine at its next scan.

This would be useful if the criminal was already on a machine that had locked-down user privileges. “An attacker who successfully exploited this vulnerability could execute arbitrary code… and take complete control of the system,” Microsoft said in a security advisory, released Wednesday. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

The issue is fixed in Version 1.1.6603.0 of the Malware Protection Engine, which is used in Windows Live OneCare, Microsoft Security Essentials, Windows Defender, Forefront Client Security, Forefront Endpoint Protection 2010, and the Microsoft Malicious Software Removal Tool.

Consumers should get the fix automatically as part of Microsoft’s monthly update to its malware scanner.

This isn’t the first time that Microsoft has found bugs in its security software. It reported bugs in the Malware Protection Engine back in 2007 and 2008.