researcher

Top CIO concerns

Judi Hasson — Fri, 05 Sep 2008 17:00:30 -0400

A report by the Society for Information Management has found that IT and business alignment remain the top concerns for CIOs.

"One would think that over 30 years, with all the smart people, CIOs, academia, IT and business alignment would move further down the list, but it hasn't," said the study's lead researcher, Jerry Luftman.

The other top issues on the list: building business skills in IT; IT strategic planning; attracting new IT professionals; making better use of information; managing change; reducing the cost of doing business; improving IT quality; retaining IT professionals; and security and privacy.

The report found that IT strategic planning moved up the ranks of top worries because of fears about the economic downturn. IT alignment remains elusive because it is difficult and requires organizations to address numerous issues including communication and partnerships between the business and IT people, metrics, governance, human resources and technology.

For more on the CIO's top issues:
- check out this InformationWeek.com article

Passport RFID chips easily duplicated

Paul Mah — Fri, 08 Aug 2008 08:42:02 -0400

To get around the fact that passports could be forged, many nations are incorporating an additional layer of security in the form of an embedded RFID chip into the humble paper-based booklet. An RFID enhanced passport works by storing a duplicate copy of the information that is physically printed onto the passport into the electronic chip. The theory is that syndicates churning out fake passports will be unable to clone the RFID-stored data. Hence a simple comparison between the electronic data and printed versions would quickly reveal a forgery for what it is. However, it's not so hard to forge an RFID chip either, as demonstrated by a security researcher at the behest of The Times with just an $80 card reader, two $20 RFID chips and some programming.

For more about the report:
- check out this Times Online article

DNS flaws opens the door to an array of attacks

Paul Mah — Fri, 08 Aug 2008 08:41:12 -0400

Security researcher Kaminsky, who first discovered the DNS exploit that had organizations around the world scrambling to patch their Domain Name Servers (DNS), spoke to a packed session at the Black Hat conference this week. He took the opportunity to describe a dizzying array of attacks that can result from an exploited DNS. Two attack vectors caught my attention: one is the fact that even SSL connections are not impervious to a DNS-based attack. Kaminsky noted that "[c]ompanies that issue SSL certificates use Internet services like e-mail and the Web to validate their certificates."

The second vulnerability is described as a "forgot my password" style attack. Criminals could claim to have forgotten a user's password to get a site to send out a user's password. DNS hacking techniques could then be exploited to trick the targeted site into sending the secret password to the hacker's computer.

To learn more about DNS-based attack vectors:
- check out this NetworkWorld article

Exploit code for DNS flaw released

Paul Mah — Fri, 25 Jul 2008 06:23:25 -0400

Exploit code for a much touted flaw in the Domain Name System (DNS) has been released. This comes just days after details that the serious vulnerability was inadvertently disclosed by a reverse engineering specialist who independently worked out the weakness. A hacker could leverage upon this vulnerability to poison a DNS's cache and redirect a user's traffic without their knowledge.

Dan Kaminsky, the researcher who originally found the flaw, had known about the vulnerability for months. However, Kaminsky planned to publicly release further details only at the upcoming Black Hat conference in next month. This was to allow both hardware and software vendors to rectify the problem. Amidst reports of major ISP yet to apply this critical DNS patch, Kaminsky summed it up in a few words. "Patch. Today. Now. Yes, stay late."

For more on this serious DNS vulnerability:
- check out this vnunet.com article

Source code for 'cold boot' attack released

Paul Mah — Tue, 22 Jul 2008 09:03:00 -0400

The security researcher, who in February this year demonstrated a 'cold boot' attack, has released the utilities used at the Hackers on Planet Earth (HOPE) conference last weekend. You can read more about 'cold boot' attacks here, though the entire principle revolves around the reality that data stored in volatile RAM is, contrary to popular belief, not immediately lost upon powering down a system. Rather, it fades slowly over seconds or even minutes. The team has successfully demonstrated how a DIMM containing 128-bit AES encryption keys could be copied, reconstructing any decayed bits along the way.

What is the relevance of a 'cold boot' attack in the grand scheme of things? Consider just how this new attack vector renders current disk encryption schemes irrelevant. Indeed, the researchers were able to mount a BitLocker-encrypted volume put in an external USB drive in about 25 minutes. Anyway, you can find the research paper as well as explanatory video and the source code here.

For more on this chilling new attack vector:
- check out this Ars Technica article

Security researcher develops rootkit for Cisco routers

Dan Bowman — Fri, 16 May 2008 09:59:03 -0400

A security researcher claimed to have developed a rootkit for Cisco routers. The concern is that this could open the door for routers to be intercepted and tempered with at the supply-chain level. Article

SPOTLIGHT: Javascript attack gains control of routers

Mehan Jayasuriya — Tue, 08 Apr 2008 13:27:02 -0400

Running a D-Link or Linksys router with the default admin login and password? For shame. Need yet another reason to change it? Here you go: Researcher Dan Kaminsky has developed an attack that can gain control of your router, by simply directing the victim to a webpage containing a malicious Javascript app. Article

Linux survives "PWN 2 OWN"

Mehan Jayasuriya — Tue, 01 Apr 2008 11:27:01 -0400

As you might recall, the aptly-named "PWN 2 OWN" contest kicked off with a bang last week, when a MacBook Air was "PWNED" in 2 minutes flat by hacker Charlie Miller. While that might have been the beginning of the end, the contest was far from over: both Windows Vista SP1 and Ubuntu 7.10 remained in the last-man-standing contest. On Friday, however, Shane Macaulay finally cracked the Fujitsu laptop running Vista SP1; he claims that the extra security measures in SP1 made the machine harder to hack and forced him to seek out help from VMware researcher Alexander Sotirov. As for the Linux machine? While hackers tried throughout the contest to compromise the Sony Vaio laptop running Ubuntu, none had succeeded by the contest's end. "I was surprised that it didn't go," said Terri Forslof, manager of security response for TippingPoint.

For more on the conclusion of PWN 2 OWN:
- see this PC World article

Is your VoIP network secure?

Thu, 10 Jan 2008 06:59:58 -0500

Got VoIP security? Well if you don't, this may be the year that you see the first serious attacks on your VoIP networks. It may also be the year that the forthcoming presidential election and Olympic games face serious hacking attacks. The year 2008 is expected to be dominated by security issues, and that is no surprise. While you may not be anywhere near the Olympics, your systems may feel the impact of an attack. You may think you have the very best security, but you may not. Also on tap are Storm-like botnets with decentralized command-and-control structures that make them much tougher to stop, said Craig Schmugar, researcher at McAfee. "Storm is a trend setter," Schmugar said of the infamous botnet that traces back to a network attack launched one year ago. "A lot of the spam we see is coming across Storm-compromised machines." McAfee also predicts waves of malware looking for specific files and embedding themselves. It may not sound like the soap opera, "As the World Turns," but be prepared!

For more on this year's security threats:
- See Network World article

The CIO's job is about relationships

Thu, 15 Nov 2007 07:00:00 -0500

Nobody told you that to be a good CIO, you have to remember how people feel. And despite the sterile conditions that often exist in the IT department, letting people know how they are doing at work is just as important as getting the job done. "Building relationships is one of the strongest skills sets related to leadership effectiveness," Jean Leslie, a researcher at the Center for Creative Leadership,told CIO Magazine recently. "Managers with experience building relationships are seen as more effective." And that's why you can never let your department operate on auto-pilot. Speaker of the House Sam Rayburn once said, "If you want to get along, go along." I think it's important to modify this idea slightly. If you want to get along with everyone, you must listen. And when your staff raises the red flag about an issue, you better take it seriously. There are other skills that cannot be forgotten, and they have nothing to do with IT. In a recent CCL study, nearly every one of the 250 executives surveyed said that collaboration is critical to success. And that means not turning a deaf ear to an idea that may not be your own. It does not matter if you are the CIO or the CFO. There are management practices that cross lines and make a good workplace a better one. -Judi