Friday, January 29, 2010

Benevolent Hackers Shoot Holes in Banking Card Systems

Weaknesses in the Classic card's security first became apparent when researchers partially reverse engineered the card's encryption system in 2007. Now a group from the Ruhr University in Bochum, Germany, has built on that work to develop a quick and straightforward method to alter the credit stored on some types of the card.

The Classic cards use 16 separate encryption keys to protect the information stored on the card. Timo Kaspar and colleagues studied the codes on one set of the cards currently in use, which are being used as a payment system by a million people in Germany. They found that each card used the same set of 16 codes and, once the team had identified them by building on the 2007 hack, Kaspar was able to alter the information stored on any card that used the system, if given access to the card.

Using a card reader built by the team, Kaspar was able to add credit to blank cards. To prove that the hack worked, he used the cards to purchase items such as coffee and ice cream. The cards only have to come near a reader to be activated, so a hacker with Robin Hood-style inclinations could hide a system in a public place so that anyone walking close enough would find that their card had magically filled up.
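The weakness described above is that every card in the scheme carried the same 16 sector keys, so recovering them once opened every card. The usual countermeasure on the issuer side is key diversification: each card's sector keys are derived from a master key and the card's own UID, so a key set pulled from one card opens only that card. The example below is added here to illustrate that difference; it is not code from the Bochum team or from the card scheme in the article. The master key, the UIDs and the HMAC-SHA256 derivation are all assumptions for illustration (a real issuer would more likely use AES-CMAC inside an HSM or SAM).

```python
import hashlib
import hmac

# Constructed 16-byte master key and card UIDs; illustration only, not values
# from any real deployment.
MASTER_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
SECTORS = 16          # Mifare Classic 1K has 16 sectors, each with its own key
KEY_LEN = 6           # Classic sector keys are 48 bits long


def shared_keyset(master_key: bytes) -> list[bytes]:
    """The weak deployment from the article: one fixed set of 16 keys on every card.

    The keys depend on the master key alone, so every card carries the same
    set and a single recovered set unlocks the whole population.
    """
    return [hmac.new(master_key, bytes([s]), hashlib.sha256).digest()[:KEY_LEN]
            for s in range(SECTORS)]


def diversified_sector_key(master_key: bytes, uid: bytes, sector: int) -> bytes:
    """Derive a per-card, per-sector key from the card UID (assumed scheme).

    HMAC-SHA256 truncated to 48 bits stands in for the CMAC-based
    diversification a real issuer would run inside an HSM or SAM.
    """
    return hmac.new(master_key, uid + bytes([sector]), hashlib.sha256).digest()[:KEY_LEN]


def diversified_keyset(master_key: bytes, uid: bytes) -> list[bytes]:
    return [diversified_sector_key(master_key, uid, s) for s in range(SECTORS)]


def cards_opened_by_leak(keysets: dict[bytes, list[bytes]], leaked_uid: bytes) -> int:
    """How many cards in the population share at least one key with the leaked card."""
    leaked = set(keysets[leaked_uid])
    return sum(1 for ks in keysets.values() if leaked & set(ks))


def blast_radius_comparison(num_cards: int = 5) -> tuple[int, int]:
    """Return (cards exposed under shared keys, cards exposed under diversified keys)."""
    uids = [bytes([0x04, 0xA1, 0xB2, i]) for i in range(num_cards)]  # constructed UIDs
    shared = {u: shared_keyset(MASTER_KEY) for u in uids}
    diversified = {u: diversified_keyset(MASTER_KEY, u) for u in uids}
    return cards_opened_by_leak(shared, uids[0]), cards_opened_by_leak(diversified, uids[0])


if __name__ == "__main__":
    print(blast_radius_comparison())  # (5, 1)
```

Diversification limits the blast radius of a single compromised card; it does not repair the card's cipher, which remains as weak as the article describes, so it is a stopgap on the way to a card platform with a sound cipher rather than a fix.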


Benevolent Hackers Shoot Holes in eBanking Systems

ONLINE banking fraud doesn't just affect the naive. Last year, Robert Mueller, a director at the US Federal Bureau of Investigation, admitted he'd come within a mouse-click of being a victim himself. Now the extent of the problem has been brought into sharp relief, with computer scientists warning that banking culture is increasing the likelihood that customers are using vulnerable systems.

The convenience of online banking and electronic money has led to a revolution in the way we save and spend our earnings. Banking websites and payment systems are relentlessly targeted by criminals, though, so continuous improvements in security are needed to prevent fraud. But as was revealed at this week's Financial Cryptography and Data Security conference in Tenerife in the Canary Islands, some of the best-known security systems can still be compromised relatively easily.

All too often, banks' security systems are developed in secret, so their flaws are only identified when they are deployed, says Steven Murdoch, a security researcher at the University of Cambridge. This opens a window of opportunity for criminals.

Weaknesses in three widely used financial security systems highlight the extent of the problem. These systems, used by millions of people every day, can in some cases be breached using off-the-shelf technology and a little persistence, say researchers at the cryptography conference.


Thursday, January 28, 2010

ESA Technology-testing Proba-2: A new eye on the Sun

Packed with novel devices and science instruments, Proba-2 is demonstrating technologies for future ESA missions while providing new views of our Sun. The team behind the small satellite has now declared itself extremely happy with its first three months in orbit and unveiled Proba-2’s first solar observations.

Gestalt Laws and Design: Slideshare

What is Gestalt?
When human beings look at a painting or a web page or any complex combination of elements, we see the whole before we see the individual parts that make up that whole. This idea of seeing the whole before the parts and even more the whole becoming more than the sum of its parts is Gestalt.

The German word gestalt can be translated as “shape” or “form” and the term refers to how visual input is perceived by human beings. Gestalt psychology was founded by Max Wertheimer and has been added to over the years by other authors.

Wertheimer’s original observation was that we perceive motion when there is nothing more than a rapid sequence of individual sensory events such as a series of lights flashing in sequence. Imagine a string of Christmas lights. Each light turns on and off in sequence along the string. We see the movement of light from one end of the string to the other, when in reality nothing has moved.

We see something that’s not really there and Wertheimer’s explanation is that we see the effect of the whole event that is not necessarily contained in the sum of the parts.

Wednesday, January 27, 2010

Poland Vindicated by not using H1N1 vaccine? - Washington Times

The decision seemed fraught with risk: a government refusing to import swine flu vaccines amid worldwide warnings of a spreading epidemic.

But Poland did just that, becoming the only country worldwide known to reject the vaccines over safety fears and distrust in the drug companies producing them — concerns international health experts reject as unfounded.

Now that the current outbreak appears to have peaked in much of Europe, many Poles say their government has been vindicated: Countries with large stockpiles often saw low public interest in the vaccines and face financial loss from unused doses set to expire. Poland's government didn't spend a cent fighting the epidemic.

All along, the decision by Prime Minister Donald Tusk and Health Minister Ewa Kopacz met with broad support. Even with 145 swine flu deaths in Poland to date, many Poles view the rejection of the vaccines as a laudable gesture of defiance against pharmaceutical companies, sentiment shaped by a strengthening anti-vaccine movement and conspiracy theories about the vaccines circulating on the Internet.

"I had the impression that the information about swine flu was manipulated in order to create a panic," said Barbara Lazniewska, a 38-year-old architect who was among the many Poles to applaud the government's stance.

Poles take pride in having a strong independent streak, and many respect the government for defying the European Union, the World Health Organization and other international groups that urged countries to implement vaccination programs — advice that smacked to some of meddling in internal affairs.

The prime minister described Poland as a country with the rare "courage" to refuse a vaccine that he said has not undergone sufficient testing.

"We are making this decision only in the interest of the Polish patient and the taxpayer," Mr. Tusk insisted in December. "We will not take part because it's not honest and it's not safe for the patient."

The anti-vaccine movement argues that the vaccine is untested or contains risky ingredients, such as the preservative thimerosal. However, there is little difference in the formulation for the swine flu vaccine and that of the regular flu vaccine, which is available in Poland, and all evidence so far suggests it is safe and effective. WHO says more than 150 million people have been vaccinated in more than 40 countries and no unusual or dangerous side effects have been seen.

"The saving grace for Poland is that this swine flu pandemic is so far very mild. It would be a big scandal if this were a virus that would cause many deaths," said Dr. Andrew McMichael, an immunologist and the director of the Weatherall Institute of Molecular Medicine at Oxford University.

Tuesday, January 26, 2010

Gartner Reports that User Authentication is not enough

Security measures such as the use of one-time passwords and phone-based user authentication -- considered among the most robust forms of IT defenses -- are no longer enough to protect online banking systems against fraud, a Gartner Inc. report warns.

Cybercriminals are using increasingly sophisticated tactics to outmaneuver security systems so they can steal customers' log-in credentials and pillage their bank accounts, according to Gartner analyst Avivah Litan, who wrote the report.

Trojan horse programs lurking inside a customer's Web browser can steal one-time passwords and immediately transfer funds, or intercept a transaction between a bank and a customer and make changes unbeknownst to the user or the bank, Litan said.

In cases where a bank uses a phone-based, "out of band" authentication system, criminals use call forwarding so that the fraudster, not the legitimate customer, gets the call from the financial institution, Litan said.

Banks need to quickly implement additional layers of security, she advised.

Because any authentication method that relies on a browser can be attacked and defeated, banks should start using server-based fraud detection to monitor transactions for suspicious patterns, Litan said. The goal is to monitor log-in, navigation and transaction activity to spot any abnormalities that suggest an automated program is accessing an application, she said.
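The server-side monitoring Litan recommends comes down to looking at the timing and sequence of what a session does, not just whether the login succeeded. The block below is an added example of that idea, not code from Gartner or from any bank: it parses a few constructed session-log lines and flags the pattern the article describes, a transfer fired immediately after login without the navigation a person would go through. The log format, the thresholds and the rule names are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines, not from any real bank. s1 is a human-paced session;
# s2 shows the pattern Litan describes: a transfer fired straight after login.
SAMPLE_LOG = """\
2010-01-26T09:00:00 sess=s1 user=alice event=login
2010-01-26T09:00:14 sess=s1 user=alice event=view page=/accounts
2010-01-26T09:00:45 sess=s1 user=alice event=view page=/transfer
2010-01-26T09:01:30 sess=s1 user=alice event=transfer payee=known amount=120
2010-01-26T09:05:00 sess=s2 user=bob event=login
2010-01-26T09:05:01 sess=s2 user=bob event=transfer payee=new amount=4900
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.+)$")
MIN_SECONDS_LOGIN_TO_TRANSFER = 10   # assumed threshold; tune per site
NEW_PAYEE_REVIEW_AMOUNT = 1000       # assumed threshold; tune per site


def parse_sessions(log_text: str) -> dict[str, list[tuple[datetime, dict[str, str]]]]:
    """Group key=value log lines by session id, preserving event order."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
        sessions[fields["sess"]].append((datetime.fromisoformat(m.group("ts")), fields))
    return dict(sessions)


def score_session(events: list[tuple[datetime, dict[str, str]]]) -> list[str]:
    """Return the reasons this session looks automated or risky (empty if none)."""
    reasons = []
    login_ts = None
    pages_seen = []  # pages viewed so far, in order
    for ts, f in events:
        kind = f["event"]
        if kind == "login":
            login_ts = ts
        elif kind == "view":
            pages_seen.append(f["page"])
        elif kind == "transfer":
            if login_ts is not None:
                gap = (ts - login_ts).total_seconds()
                if gap < MIN_SECONDS_LOGIN_TO_TRANSFER:
                    reasons.append(f"transfer {gap:.0f}s after login")
            if "/transfer" not in pages_seen:
                reasons.append("transfer submitted without viewing the transfer form")
            if f.get("payee") == "new" and int(f.get("amount", "0")) >= NEW_PAYEE_REVIEW_AMOUNT:
                reasons.append("large transfer to a new payee")
    return reasons


def flag_sessions(log_text: str) -> dict[str, list[str]]:
    """Sessions worth holding for review, keyed by session id."""
    flagged = {}
    for sid, events in parse_sessions(log_text).items():
        reasons = score_session(events)
        if reasons:
            flagged[sid] = reasons
    return flagged


if __name__ == "__main__":
    for sid, why in flag_sessions(SAMPLE_LOG).items():
        print(sid, why)
```

The rules live on the server and see only what the server recorded, which is the point of the recommendation: a trojan that owns the browser can forge any client-side check, but it cannot change the fact that the transfer arrived one second after login with no page views in between.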


Saturday, January 23, 2010

The Most Popular Password Remains '123456'

Despite all the reports of Internet security breaches over the years, including the recent attacks on Google’s e-mail service, many people have reacted to the break-ins with a shrug.

According to a new analysis, one out of five Web users still decides to leave the digital equivalent of a key under the doormat: they choose a simple, easily guessed password like “abc123,” “iloveyou” or even “password” to protect their data.

“I guess it’s just a genetic flaw in humans,” said Amichai Shulman, the chief technology officer at Imperva, which makes software for blocking hackers. “We’ve been following the same patterns since the 1990s.”

Mr. Shulman and his company examined a list of 32 million passwords that an unknown hacker stole last month from RockYou, a company that makes software for users of social networking sites like Facebook and MySpace. The list was briefly posted on the Web, and hackers and security researchers downloaded it.

RockYou, which had already been widely criticised for lax privacy practices, has advised its customers to change their passwords, as the hacker gained information about their e-mail accounts as well.

The trove provided an unusually detailed window into computer users’ password habits. Typically, only government agencies like the F.B.I. or the National Security Agency have had access to such a large password list.
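The analysis the article describes is a frequency count over a leaked list, and the defensive use of the same data is a blocklist that rejects the passwords that keep turning up. The block below is an added example of both steps; it is not Imperva's code and does not use the RockYou list. The 20 passwords are constructed, and the two-occurrence blocklist threshold is an assumption chosen for a sample this small.

```python
from collections import Counter

# Constructed sample of 20 leaked passwords; not the RockYou data.
SAMPLE_PASSWORDS = [
    "123456", "123456", "123456", "123456",
    "password", "Password",
    "iloveyou", "iloveyou",
    "abc123",
    "Tr0ub4dor&3", "correct horse battery staple", "9x!Qm#2pLz", "kittens2004",
    "w7$Ffa-22q", "bluewhale", "zxcv1234", "R3dL0bster!", "sunflower88",
    "mgh4-Pq9", "autumnleaf",
]


def top_passwords(passwords: list[str], n: int = 5) -> list[tuple[str, int]]:
    """Most common passwords after case-folding, as (password, count) pairs."""
    return Counter(p.lower() for p in passwords).most_common(n)


def share_covered_by_top(passwords: list[str], n: int) -> float:
    """Fraction of accounts whose password is among the n most common.

    This is the 'one in five' measure from the article, computed on a sample.
    """
    counts = Counter(p.lower() for p in passwords)
    covered = sum(c for _, c in counts.most_common(n))
    return covered / len(passwords)


def build_blocklist(passwords: list[str], min_count: int = 2) -> set[str]:
    """Passwords seen min_count or more times in a leak become a sign-up blocklist."""
    counts = Counter(p.lower() for p in passwords)
    return {p for p, c in counts.items() if c >= min_count}


def is_blocked(candidate: str, blocklist: set[str]) -> bool:
    """Case-insensitive check of a proposed password against the blocklist."""
    return candidate.lower() in blocklist


if __name__ == "__main__":
    print(top_passwords(SAMPLE_PASSWORDS, 3))
    print(f"{share_covered_by_top(SAMPLE_PASSWORDS, 3):.0%} of accounts use a top-3 password")
    print(is_blocked("PASSWORD", build_blocklist(SAMPLE_PASSWORDS)))
```

Case-folding before counting matters: "Password" and "password" are one guess to an attacker, so they should be one entry in the statistics and in the blocklist.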


Saturday, January 16, 2010

Security Manager's Journal: Conficker Worm Keeps on Coming

How did we get infected by Conficker? Computerworld has reported that this worm is infecting 50,000 computers every day and as of October had passed the 7 million-victim milestone. Some observers say that number will double by the end of this month. The worm takes advantage of a Microsoft security hole that, if not patched, leaves computers open to infection.

In my company, the use of USB thumb drives is prevalent, and the worm is infecting these portable storage devices and taking advantage of the autorun feature of Windows to spread. It then proceeds to take over the processor, shut down services and generally make the infected computer unusable. Of course, there's a patch for that (the worm has been around for over a year, and so has the patch), and Microsoft's (MSFT) removal tool for malicious software can clean it -- but as always, patching needs more attention in my company.

I still maintain that a good patching program would save us a lot of time and trouble, since we would have to expend only a little bit of effort upfront while avoiding a lot of work later in cleaning up problems. What's more, regular patching creates a generally more stable environment. But it will take time to get there. In the meantime, we have to deal with this outbreak.

The Conficker worm has gotten a lot of press, having infected some high-profile organizations such as military organizations and government agencies around the world. It uses some fairly sophisticated techniques to contact its controllers, avoid detection and spread itself, as well as random-seeming Web sites to update itself. It propagates via USB drives, networks and peer-to-peer software. It's easy to get, and hard to kill.

So, we've been chasing this annoying beastie, and cleaning it when we find it, but it keeps coming back. It's a persistent bug. Of course, when something like this happens, it helps my case by focusing attention on the importance of patching and proactive security measures, but that makes me feel slightly guilty, as if there should have been more I could have done to avoid the situation in the first place. I think it's unfortunate that it sometimes takes a security incident to get people to realize the risks the business is taking.

DDoS Attacks Are Back and Bigger Than Before

Distributed denial-of-service (DDoS) attacks are certainly nothing new. Companies have suffered the scourge since the beginning of the digital age. But DDoS seems to be finding its way back into headlines in the past six months, thanks to some high-profile targets and, experts say, two important changes in the nature of the attacks.

The targets are basically the same -- private companies and government websites. The motive is typically something like extortion or to disrupt the operations of a competing company or an unpopular government. But the ferocity and depth of the attacks have snowballed, thanks in large part to the proliferation of botnets and a shift from targeting ISP connections to aiming legitimate-looking requests at servers themselves.

In fact, said Andy Ellis, CSO of Cambridge, Mass.-based Akamai Technologies (AKAM), the botnets launching many of today's DDoS attacks are so vast that those controlling them probably lost track of how many hijacked machines they control a long time ago. (Listen to the full interview with Ellis in The Long, Strange Evolution of DDoS Attacks.)

Ellis has been watching the trend from a pretty good vantage point. Many people use Akamai services without even realizing it. The company runs a global platform with thousands of servers customers rely on to do business online. The company currently handles tens of billions of daily Web interactions for such companies as Audi, NBC, and Fujitsu, and organizations like the U.S. Department of Defense and NASDAQ. There's rarely a moment -- if at all -- when an Akamai customer IS NOT under the DDoS gun.

"We see a lot less of the fire-and-forget malware-based attacks designed to bog down the machines that were infected," Ellis said, referring to old-school worm attacks like Blaster, Mydoom and Code Red. "Now the malware is used to hijack machines for botnets and the botnets themselves are used as the weapon."

In the last year, Akamai has seen some of the largest DDoS attacks in recent memory, which Ellis described as "huge attacks of more than 120 gigabytes per second." If you are on the receiving end of that much punch, Ellis said, "It's not a pleasant place to be."

Friday, January 15, 2010

Conficker worm hasn't gone away, Akamai says - Network World

Variants of the Conficker worm were still active and spreading during the third quarter, accounting for much of attack traffic on the Internet, according to Akamai Technologies.

"Although mainstream and industry media coverage of the Conficker worm and its variants has dropped significantly since peaking in the second quarter, it is clear from this data that the worm (and its variants) is apparently still quite active, searching out new systems to infect," Akamai said in its State of the Internet report for the third quarter of 2009, released Thursday.

During the third quarter, 78 percent of Internet attacks observed by Akamai targeted port 445, up from 68 percent during the previous quarter. Port 445, which is used by Microsoft Directory Services, is the same port that Conficker targets, aiming to exploit a buffer overflow vulnerability in Windows and infect the targeted computer.

Most attacks originated from Russia and Brazil, which replaced China and the U.S., as the top two sources of attack traffic. Russia and Brazil accounted for 13 percent and 8.6 percent of attack traffic, respectively, Akamai said. The U.S., which came in at No. 3, accounted for 6.9 percent of attack traffic and No. 4 China accounted for 6.5 percent, it said.
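The figures above are simple proportions over observed attack records: the share of events by destination port and by source country. The block below is an added example of computing the same measures on your own perimeter logs, plus the one extra check a defender wants when port 445 dominates: which sources are sweeping many hosts on that port, the behaviour of a worm hunting for unpatched machines. It is not Akamai's code or data; the log lines are constructed and the field names and the three-target sweep threshold are assumptions.

```python
from collections import Counter, defaultdict

# Constructed firewall log lines (not Akamai data): timestamp, source country,
# source, destination and destination port of blocked inbound connections.
SAMPLE_LOG = """\
2009-09-01T10:00:00 cc=RU src=10.1.1.5 dst=192.0.2.10 dport=445
2009-09-01T10:00:01 cc=RU src=10.1.1.5 dst=192.0.2.11 dport=445
2009-09-01T10:00:02 cc=RU src=10.1.1.5 dst=192.0.2.12 dport=445
2009-09-01T10:00:03 cc=RU src=10.1.1.5 dst=192.0.2.13 dport=445
2009-09-01T10:00:10 cc=BR src=10.2.2.7 dst=192.0.2.20 dport=445
2009-09-01T10:00:11 cc=BR src=10.2.2.7 dst=192.0.2.20 dport=445
2009-09-01T10:00:20 cc=US src=10.3.3.9 dst=192.0.2.30 dport=22
2009-09-01T10:00:21 cc=CN src=10.4.4.2 dst=192.0.2.40 dport=80
2009-09-01T10:00:22 cc=CN src=10.4.4.2 dst=192.0.2.41 dport=445
2009-09-01T10:00:30 cc=US src=10.3.3.9 dst=192.0.2.31 dport=23
"""


def parse_log(log_text: str) -> list[dict[str, str]]:
    """Turn 'ts key=value ...' lines into dicts; the timestamp is kept under 'ts'."""
    records = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        fields = dict(kv.split("=", 1) for kv in parts[1:])
        fields["ts"] = parts[0]
        records.append(fields)
    return records


def _share(records: list[dict[str, str]], key: str) -> dict[str, float]:
    counts = Counter(r[key] for r in records)
    total = sum(counts.values())
    return {k: round(100.0 * c / total, 1) for k, c in counts.items()}


def port_share(records: list[dict[str, str]]) -> dict[str, float]:
    """Percentage of attack records per destination port (Akamai's port 445 figure)."""
    return _share(records, "dport")


def country_share(records: list[dict[str, str]]) -> dict[str, float]:
    """Percentage of attack records per source country."""
    return _share(records, "cc")


def smb_sweepers(records: list[dict[str, str]], min_targets: int = 3) -> list[str]:
    """Sources that probed at least min_targets distinct hosts on port 445.

    One source hitting many hosts on 445 is the footprint of a worm scanning
    for unpatched SMB, as opposed to a single misconfigured client.
    """
    targets = defaultdict(set)
    for r in records:
        if r["dport"] == "445":
            targets[r["src"]].add(r["dst"])
    return sorted(src for src, dsts in targets.items() if len(dsts) >= min_targets)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(port_share(recs))       # port 445 takes 70% of this sample
    print(country_share(recs))
    print(smb_sweepers(recs))     # ['10.1.1.5']
```

A sweep of port 445 seen at the perimeter is evidence of scanning, not of infection; confirming Conficker on a host still means checking the host itself, and the cure remains the patch the earlier post keeps coming back to.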

Thursday, January 14, 2010

What makes a good Leader?

What makes you a good leader? Click on this link.

Don't worry, you don't have to have your own horse but you will need to be sponsored!

Wednesday, January 13, 2010

Reward Real Success Immediately: Positive Re-enforcement

It’s a management maxim that managers should freely issue praise where praise is due. Unfortunately, most business environments seem more focused on punishing failure and attributing blame.

Do not stray from the path, just yet. There is solid neuroscience behind the idea of recognising and acknowledging success, according to research led by neuroscientist Earl Miller of MIT and published in Neuron.

Miller and his team have created a unique snapshot of the learning process that shows us how single cells change their responses, in real time, as a result of information about what is the right action and what is the wrong one.

“We have shown that brain cells keep track of whether recent behaviours were successful or not,” Miller said. Furthermore, when a behaviour was successful, cells became more finely tuned to what the animal was learning. After a failure, there was little or no change in the brain – nor was there any improvement in behaviour.

The study sheds light on the neural mechanisms linking environmental feedback to neural plasticity – the brain’s marvellous ability to change and adapt in response to experience.

The experiments used our nearest and most interesting relatives, monkeys. They were given a simple task: look at computer images and learn, by trial and error, which way they were supposed to look depending on the picture. Correct decisions were rewarded, so the correct behaviour produced an effect; wrong decisions were not rewarded, so that behaviour was 'ineffective' or 'unaffecting.'

“If the monkey just got a correct answer, a signal lingered in its brain that said, ‘You did the right thing.’ Right after a correct answer, neurons processed information more sharply and effectively, and the monkey was more likely to get the next answer correct as well,” Miller said, “But after an error there was no improvement. In other words, only after successes, not failures, did brain processing and the monkeys’ behaviour improve.”

There’s one catch – the time period for this enhanced feedback mechanism appears to be very short, mere seconds after the moment of success. So, praise or other rewards need to happen in real time to exploit this particular neural mechanism.

With much of today’s work occurring in front of a computer screen, technology can also be employed to recognise when a success event has occurred and providing immediate positive feedback.

Regardless, managers should ensure that they do provide both real-time and subsequent re-enforcement of successful actions. In addition to the recent MIT research, there’s plenty of literature that shows that appropriately recognising and rewarding employee success has a positive impact on the workplace.

Asking favours: One can lead to more

The nature of collaborative and cooperative behaviour in business is that we need to persuade or motivate other people to do things. These are generally people we do not know, thus, adding to the difficulty.

Imagine you are a salesperson who wants to close a big deal, but first needs to persuade computer support to make a small change to her computer.

Initially, our first instinct in difficult situations is avoidance. Rather than being direct, we avoid asking for too many favours. We don't want to turn them against us, do we?

After all, the only thing worse than being asked for a favour is being asked for multiple favours, right? Unfortunately, the obvious and logical conclusion is wrong.

Behavioural research now shows us that sometimes asking for one small favour first, can greatly increase the probability of success with subsequent favours. This may sound counterintuitive but it is true.

During a recent research activity, a researcher asked passers-by for complicated directions. Not surprisingly, not all subjects bothered to help. The second approach was different. Some subjects were asked first for an extremely small favour: the researcher inquired as to the time of day.

Virtually all of the passers-by checked their watch and provided the time. Subjects that complied with the small request were much more likely to respond positively to the request for complicated directions.

The psychology seemed to be a sort of subconscious feeling that having granted one request, it would be inconsistent not to grant a somewhat bigger one.

Only Hire People Who Learn from Mistakes

Harness the power of learning from mistakes. Some of the great high achievers in this world give credit to their relentless focus on small mistakes.

Recently, researchers at Columbia University divided student subjects into two groups, “grade hungry” and “knowledge hungry” and then tested them with general knowledge questions.

The researchers provided immediate feedback as to whether the subject was right or wrong, and showed them the correct answer. The brain activity of the subjects was monitored throughout, using EEG caps.

The differences in the way the subjects handled the feedback was striking:
  • The Knowledge-Hungry paid attention (but not quite as obsessively) to whether they were right or wrong, and they paid significantly more attention to the correct answers. They took advantage of the chance to learn. This contrast was most dramatic when each group got an answer wrong.
  • The Knowledge-Hungry activated deep memory regions, indicating they were storing these new facts away for later.
  • The Grade-Hungry did not activate the memory regions as deeply, suggesting a far more cursory interest; instead, their brains seemed to feel threatened by learning they’d gotten an answer wrong.
  • The Grade-Hungry brains showed a far more emotional, fearful response. They clearly did not like being wrong, and they didn’t care about the acquisition of knowledge along the way.

When both groups of students were later 'surprised' by a retest, using only the questions they’d gotten wrong the first time around, the Knowledge-Hungry group did far better than the Grade-Hungry group. Clearly, they had 'learned' the new knowledge and had not only retained it, but were also able to recall it at will.

So, from a neuromanagement viewpoint, it would make a lot of sense to hire people capable of learning from their mistakes. Hiring the equivalent of the “grade hungry” students will yield employees who are motivated but who, over time, may not improve their performance nearly as much as individuals who internalise lessons learned, when things don’t work perfectly.

The question now is how do you screen candidates for this trait; the ability to learn from their mistakes?

Tuesday, January 12, 2010

Bullying and Blaming is not Management - New Scientist

BULLYING and abusive managers take note: every time you put on a disgraceful show of verbally attacking staff in the office, you are demonstrating your inability to manage people.

Simply witnessing your behaviour, i.e. blaming others in a degrading and unconstructive manner, is enough to set up a 'blame culture' that will go through your team like a plague.

Communication and co-operation break down because no-one will tell the difficult truths. No-one wants to take responsibility for decision making, so decisions will be left unmade. Procrastination will be the new watchword, which in turn causes delays in projects and stifles achievement, innovation and initiative.

People will become defensive and barriers will be built between members who need to openly collaborate. People will favour avoidance and delay as a self preserving strategy over confrontation and fast resolution.

Nathanael Fast report
"We already know that people are more likely to blame others when they themselves have been blamed - a 'kick-the-dog' knock on effect," says Nathanael Fast of the University of Southern California in Los Angeles.

According to his latest results, a blame attitude spreads to people who have merely witnessed a public dressing-down, setting up a defensive avoidance mentality in the team.

True Leaders
Managers who want to be considered true leaders must strive to prevent such a culture from spreading. Pointing fingers and accusing other people is a primitive and uncivilised behaviour that cannot be tolerated.

Arnold Schwarzenegger
In one experiment, his team asked one group of volunteers to watch footage of California governor Arnold Schwarzenegger blaming others for a failed strategy and another to view him accepting personal responsibility for it.

When asked to write about a failure of their own afterwards, those in the first group were 30 per cent more likely to blame this failure on others than those in the second.

In a further, similar experiment, blame was less contagious if people wrote down values they held dear before they saw others blamed. Fast says this may have reminded them of why they made certain choices, reducing the need to defend themselves by blaming others.

Good People Management
Bullying and looking for someone to blame for every negative occurrence is just bad management, plain and simple. You, as a manager, are responsible for the actions of all the people who work for you, their results and their conduct.

If they're making mistakes, provide better training. If the quality of the work is questionable, check the requirements, the tools and the skills mix in your team. Give them the tools to succeed.

Coach and mentor them into performing better and stop passing the buck. Beat yourself up before you beat anyone else. After all, you are the one in charge, right?

For more information on the report check out the references: (Journal of Experimental Social Psychology, DOI: 10.1016/j.jesp.2009.10.007).

Saturday, January 9, 2010

Daytime Nap Can Benefit A Person's Memory Performance

A brief bout of non-REM sleep (45 minutes) obtained during a daytime nap clearly benefits a person's declarative memory performance, according to a new study.

Podcast: Richard Bradley on Understanding Decisions


Podcast by Richard Bradley on risk-based behaviour and decision-making theory. This discussion, hosted by Philosophy Bites, draws somewhat on the tragic figure of UK polymath Frank Ramsey.

Wednesday, January 6, 2010

The Future of IT Project Management Software - Business Technology Leadership

Today's information technology organisations are responding to the most treacherous recession in memory. Their actions range from classic belt-tightening to innovating and improving value-added services in their organisations. A primary value-adding strategy for the most effective organisations is to further improve project management.

In view of this strategy, the project management software industry's future looks especially promising. During the global recession, industrial countries around the world devoted billions in economic stimulus funds for infrastructure and other projects. This has created considerable demand for project management software.

China steals another Poland Infrastructure contract by underpricing strategy

Poland's motorway constructors have levelled claims that China is buying its way into the European infrastructure market by underpricing its bids.

Poland is claiming unfair competition against a Chinese group which has infiltrated their country's highways market.

"We note that the bid by the Chinese consortium is based on a price far below the value of the tender, which constitutes unfair competition," the constructors' lobby group, the OIGD, said in a letter to European Commission chief Jose Manuel Barroso.

The letter alleged that Beijing was helping Chinese firms skew foreign markets. It was sent to Barroso because the commission polices competition rules across the 27-nation European Union.

The OIGD urged the commission to take anti-dumping measures against the China Overseas Engineering Group Company (COVEC).

In September, COVEC beat several European competitors in the race to build 49 kilometres (30 miles) of the A2 highway linking the Polish and German capitals, Warsaw and Berlin.

The construction is part of Poland's ongoing issuing of tenders as it drives to upgrade its infrastructure in time to co-host the 2012 European football championships.

Cybersitter is suing the Chinese government for piracy and breach of copyright

A US software maker is suing the Chinese authorities and seven major computer makers, including Sony, Toshiba and Lenovo. Cybersitter accuses China of openly pirating its Cybersitter content-filtering software and using it for the government's own purposes.

The federal lawsuit has been filed in Los Angeles by Cybersitter and the compensation demanded is $2.2 billion (£1.37 billion).

The company alleges that the Chinese authorities have blatantly copied its codes and incorporated them into their 'citizen security' software. This software is used to monitor and block Chinese citizens' ability to access sites deemed politically undesirable by the government.

Cybersitter software was originally designed to help parents monitor and filter content seen by children.

The seven computer manufacturers, including Sony, Lenovo and Toshiba, that are also named in this lawsuit have been distributing the Chinese 'citizen security' software program with PCs sold in the country.

This was forced on PC manufacturers who wanted to distribute their products in China. It was done to comply with a mandate from the Chinese authorities to ensure that no computers were sold in China without the 'security' software bundle on it. This mandate was later amended.

Monday, January 4, 2010

GSM encryption key revealed | IT PRO

The encryption key used to protect the privacy of calls on 80 per cent of the world's mobile phones has been made freely available, in order to highlight its vulnerability.

Mobile phone security

A German security expert has published details of how to break the encryption algorithm used by GSM mobile phone technology, highlighting the ageing system's increasing vulnerability.

Karsten Nohl, 28, used a hacker conference in Berlin to publish the work of a collaborative research project to crack the 21-year-old GSM algorithm, a 64-bit encryption function known as A5/1, in a “code book” containing the encryption key used in a GSM call.

Global System for Mobile Communications (GSM) is the standard form of digital voice encryption that keeps conversations on more than three billion handsets private – more than 80 per cent of the world's mobile phones.

Nohl and research partner Chris Paget said their research proves that with relatively modest funds and some widely available open-source tools, GSM encryption can be cracked, allowing virtually anyone – in theory – to listen in on phone calls.

However, the GSM Association (GSMA) played down the demonstration. It pointed out that the practical complexity of the so-called hack made it highly difficult both to set up and to perform unnoticed, and in any case – it said – the newer, far stronger A5/3 algorithm was in the process of replacing A5/1.

“We consider this research, which appears to be motivated in part by commercial considerations, to be a long way from being a practical attack on GSM,” a spokeswoman said. “A5/1 has proven to be a very effective and resilient privacy mechanism.”