Tag Archives: Security

Setting Up A PHP Development Environment for Dreamweaver- Part 2

In part one of this article, I explained what to do before installing a PHP development environment for Dreamweaver. After you install and launch XAMPP, you will see a screen with a short menu. To start the XAMPP Control Panel, type '1' and press Enter. Then type X and press Enter to close the command prompt window.

Starting the servers

Go to the Windows Start menu and launch the XAMPP Control Panel to start the Apache and MySQL servers. Then click the Start button alongside Apache and MySQL. You will get a confirmation that they have started successfully, and the label on each Start button changes to Stop.

If you get a Windows Security alert asking whether to keep blocking MySQL or Apache, choose Unblock for both programs.

In case of errors, note the following points:

If you are unable to start Apache, first ensure that you are logged into your computer with an Administrator account. Just selecting the Run As Administrator option may not give enough privileges to start the web server.

If you get an error while starting up, double-click the file C:\xampp\apache\logs\error.log in Windows Explorer and scroll to the end of the file. That is where you can read any error messages.

The error log for MySQL is located in the C:\xampp\mysql\data folder. It is usually a file with the same name as your computer followed by an .err file name extension. To open it, double-click its icon. When you are prompted to select a program to use, choose Notepad.

To enable Apache or MySQL as Windows services so that they start automatically, select the Svc check box alongside each one.

FileZilla and Mercury are an FTP server and a mail server, which are usually not needed for PHP programming in Dreamweaver, so I will not describe them in detail.

To secure the database please note the following points.

If the installation process is error free and all files have been installed properly, you will see a web page that asks you to select the language you are comfortable with.

The menu on the left side of the home screen allows you to access different parts of XAMPP and also other security configuration options.

From the left menu click Security. This takes you to a new browser window or tab which gives a report on the present security status. Click on the link below the report.

You can now see the security console (see Figure 4), which prompts you to create a password for the MySQL superuser, root.

Source: http://www.spyghana.com/setting-up-a-php-development-environment-for-dreamweaver-part-2/


9 top threats to cloud computing security


Cloud computing has grabbed the spotlight at this year’s RSA Conference 2013 in San Francisco, with vendors aplenty hawking products and services that equip IT with controls to bring order to cloud chaos. But the first step is for organizations to identify precisely where the greatest cloud-related threats lie.

To that end, the CSA (Cloud Security Alliance) has identified "The Notorious Nine," the top nine cloud computing threats for 2013. The report reflects the current consensus among industry experts surveyed by CSA, focusing on threats specifically related to the shared, on-demand nature of cloud computing.

First on the list is data breaches. To illustrate the potential magnitude of this threat, CSA pointed to a research paper from last November describing how a virtual machine could use side-channel timing information to extract private cryptographic keys in use by other VMs on the same server. A malicious hacker wouldn’t necessarily need to go to such lengths to pull off that sort of feat, though. If a multitenant cloud service database isn’t designed properly, a single flaw in one client’s application could allow an attacker to get at not just that client’s data, but every other client’s data as well.

The challenge in addressing these threats of data loss and data leakage is that "the measures you put in place to mitigate one can exacerbate the other," according to the report. You could encrypt your data to reduce the impact of a breach, but if you lose your encryption key, you’ll lose your data. However, if you opt to keep offline backups of your data to reduce data loss, you increase your exposure to data breaches.

The second-greatest threat in a cloud computing environment, according to CSA, is data loss: the prospect of seeing your valuable data disappear into the ether without a trace. A malicious hacker might delete a target’s data out of spite — but then, you could lose your data to a careless cloud service provider or a disaster, such as a fire, flood, or earthquake. Compounding the challenge, encrypting your data to ward off theft can backfire if you lose your encryption key.

Data loss isn’t only problematic in terms of impacting relationships with customers, the report notes. You could also get into hot water with the feds if you’re legally required to store particular data to remain in compliance with certain laws, such as HIPAA.

The third-greatest cloud computing security risk is account or service traffic hijacking. Cloud computing adds a new threat to this landscape, according to CSA. If an attacker gains access to your credentials, he or she can eavesdrop on your activities and transactions, manipulate data, return falsified information, and redirect your clients to illegitimate sites. "Your account or services instances may become a new base for the attacker. From here, they may leverage the power of your reputation to launch subsequent attacks," according to the report. As an example, CSA pointed to an XSS attack on Amazon in 2010 that let attackers hijack credentials to the site.

Source: http://www.infoworld.com/t/cloud-security/9-top-threats-cloud-computing-security-213428


Software engineer ‘outsourced’ his entire job to China for a fifth of his salary


Outsourcing has been a reality in the American workplace for years now, but we haven’t heard of an employee outsourcing his entire job — until now. According to the BBC, a software engineer was apparently outsourcing his entire job to China by paying a fifth of his six-figure salary to a local firm in Shenyang who handled his job for him. The employee reportedly did this through a "fairly standard" VPN connection that was set up to allow employees to work from home. The man actually mailed his RSA security token to China so that workers there could log in to his account, and on the surface it seemed as if he was performing a normal day’s work. However, further scrutiny revealed the connection to China, which at first was believed to be malware. Furthermore, a Verizon investigator told the BBC that evidence "suggested he had the same scam going across multiple companies in the area." It seems this was less a case of sheer laziness and more a case of someone using cheap foreign labor to pull off a fairly involved scam.

Source: http://www.theverge.com/2013/1/16/3882900/verizon-software-engineer-outsourced-his-entire-job-to-china


US Software Developer Caught Outsourcing His Job to China


A software developer was busted for outsourcing his job to a programmer in China while he surfed the Web at work.

The case was described by Andrew Valentine, a principal with Verizon Enterprise Solutions, who published a blog post about the incident.

"We’ve seen plenty of employee misconduct cases, but not typically like this," Valentine told ABC News of his consulting caseload, which includes large scale data breach events.

Valentine’s team was contacted by another company based in the U.S. for assistance over "anomalous activity" it noticed in records of employees logging remotely into the company’s IT system.

Verizon Enterprise Solutions is not releasing the name of the company or the employee.

The company’s security team eventually found that someone was logging in from Shenyang, China with the American employee’s credentials — while that employee was staring at a computer monitor in his U.S. office.

In his blog, Valentine described the employee as being in his mid-40s with a "relatively long tenure with the company, family man, inoffensive and quiet. Someone you wouldn’t look at twice in an elevator."

A search of the employee’s computer found hundreds of PDF invoices from a third party contractor/developer from Shenyang.

Eventually, it was discovered that the employee had outsourced his own job to a Chinese consulting firm, paying about $50,000 to the firm out of his salary of several hundred thousand dollars.

Once on-site, Valentine said it took about two days for investigators to collect relevant evidence and put all the pieces together.

In the blog, Valentine wrote that according to his Web browsing history, "a typical ‘work day’" for the employee looked like the following:

9:00 a.m. – Arrive and surf Reddit for a couple of hours. Watch cat videos

11:30 a.m. – Take lunch

1:00 p.m. – EBay time.

2:00 – ish p.m. – Facebook updates – LinkedIn

4:30 p.m. – End of day update e-mail to management.

5:00 p.m. – Go home

The employee had sent his company log-in key through FedEx to China so that the third-party contractor could log in under his credentials during his workday.

The "best part" of the story is that "for the last several years in a row he received excellent remarks" in his performance review, Valentine wrote in the blog.

"His code was clean, well written, and submitted in a timely fashion. Quarter after quarter, his performance review noted him as the best developer in the building."

Valentine said the employee was terminated for violating internal company policy.

"The employee denied everything at first, but then changed his story once we produced the invoices that were recovered from deleted disk space," Valentine told ABC News.

"Honestly? I thought it was pretty clever. I think he took a calculated risk by knowingly violating company policy, for sure — but it was clever."

Valentine said that if he was even cleverer, he would have set up a server at home, or somewhere else off-site, for the Chinese consulting firm to access. Then he could proxy their traffic, making it appear that the traffic was coming from his home.

"That would have been a smarter way to go about it. But yes, either way, pretty clever," Valentine said.

Source: http://abcnews.go.com/Business/us-software-developer-busted-employer-outsourcing-job-china/story?id=18230346


iPhone lock screen hack prompts another Apple patch


Apple is once again promising to patch iOS 6.1 – this time to address a serious security flaw that allows thieves to bypass the iPhone’s lock screen.

Earlier this week Apple released iOS 6.1.1 to address a flaw that left iPhone 4S users struggling to connect to 3G networks after the upgrade to iOS 6.1. Apple has also promised a further iOS 6.1 patch to fix a problem that sees the phone repeatedly pinging Exchange servers, draining the device’s battery.

Now another more serious bug has emerged, which allows phone thieves to bypass the lock screen on the iPhone 5 without entering the correct PIN code. The rather convoluted method involves making, and then quickly terminating, an emergency phone call, before holding down the power button twice. The hack could give thieves access to a user’s contacts, voicemail and phone call history.


An Apple spokesperson told All Things Digital that the company "takes user security very seriously" and that it "will deliver a fix in a future software update".

Source: http://www.pcpro.co.uk/news/security/379981/iphone-lock-screen-hack-prompts-another-apple-patch


Cloud Computing Still in Its Infancy, Study Says

We all know how important and ubiquitous email has become, not just in business but in our lives. Can you remember when you learned about email (i.e., electronic mail, e-mail) for the first time and didn’t yet know how fundamentally this technology would change the way we communicate and do business? Now think for a minute about cloud computing as being in that same sort of unpredictable infancy.

That’s one of the findings of a study released last month by the Cloud Security Alliance (CSA) and ISACA. The two organizations surveyed more than 250 participants ranging from end users to C-level executives and from organizations of all sizes. Using factors such as market size and diversity, levels of acceptance and integration, and amount of innovation, the survey determined that cloud computing is still in its infancy.

CSA and ISACA have defined four stages of development for cloud technology:

+ Infancy: "potential for growth and innovation . . . has not been realized"
+ Growth: widespread adoption and innovation takes place and the technology is well understood
+ Maturity: the main players are well-established, and the technology is "business as usual"
+ Decline: the market becomes saturated, and there’s little room for new entrants or products

Within the study results, respondents rated Software as a Service (SaaS) as barely into the Growth phase and ahead of both Infrastructure as a Service (IaaS) and Platform as a Service (PaaS), with the overall result putting cloud computing squarely in its squalling infancy. One of the characteristics of this stage is that it’s the era of early adopters, according to the study — and most businesses don’t want to be stuck changing the diapers for an untested technology.

Obviously, the cloud isn’t really untested if you consider that it’s just another way of thinking about the Internet, which has been around for — how long, now? Yeah, quite a few years. Nonetheless, for most businesses, this is a new way of thinking about getting important IT services, which takes some adjustment. Maybe the cloud just has a PR problem.

Another part of the Cloud Maturity study ranked the factors causing lack of confidence in the cloud. High among them are the sort of things we’ve come to expect: regulatory and compliance fears; data privacy and security concerns; contract lock in and exit strategies. The full survey results have a lot more information about these factors, but it essentially all comes back to a lack of trust in the cloud service providers to offer the same level of security or service that companies feel they can provide themselves on premises.

According to the study, "cloud computing can provide significant opportunities for enterprises to innovate in ways that could disrupt established ways of providing and using information technology. However, according to the participants in the CSA/ISACA survey, the cloud market has not yet reached a level of maturity that will support this scenario." However, it seems inevitable that such a maturity level will be reached, and the study predicts another two to three years before cloud computing will be firmly in the Growth stage of development overall.

Source: http://www.windowsitpro.com/blog/cloud-computing-7/cloud-computing2/cloud-computing-infancy-study-144514


Why You Should Consider Outsourcing Computer Security


Cybercriminals are relentlessly hacking websites to attack unsuspecting visitors, breaking into databases to steal customer information and trade secrets, and infiltrating executives’ PCs to filch financial-account information.

Typically, only the largest of companies can afford an in-house security team with the tools and expertise to defend them in this kind of cyber war. Other firms, experts say, are now largely outgunned.

That’s why a growing number of smaller companies are outsourcing the job to so-called managed security services providers. They offer state-of-the-art technologies and seasoned security pros at affordable prices because they spread the costs across many clients. Indeed, small- and medium-sized companies are expected to drive a near doubling in spending on managed-security services to $14.9 billion in 2015 from $8 billion in 2011, according to Stamford, Conn.-based research firm Gartner Inc.

Should you jump on the bandwagon?

Turning over computer security to an outside firm makes many managers nervous because they must give up direct control of critical systems. But doing so typically brings better security at a lower cost, industry watchers say.

Even if you can afford to hire your own security staff, it could be a challenge. "Security is so hot that good people are hard to find, and they’re expensive," says Edward S. Ferrara, a security and risk analyst at Forrester Research. "So even if you wanted to build an organization [to provide your security], it would be hard to do that."

Security-service firms, however, have office parks full of experts. They likely employ people who have worked with other companies in your industry facing similar risks and challenges.

With these outside experts, you pay for only as much service as you require rather than the ongoing costs of a full-time staff and equipment. The size of your bill is typically determined by the number of computers and other devices being monitored or some other measure of the volume of work involved. For a small business, such flexible pricing is often appealing because expenses can grow or shrink along with your business.

Beyond potential financial benefits, security-service firms also can help small businesses focus on running their companies, says Ferrara. "If you make lawn mowers, make lawn mowers. Don’t fiddle around with information security."

How to choose a provider

A dizzying number of companies provide managed security services, including such giants as IBM, Hewlett-Packard and Verizon. You’ll probably want to select a company with technology that can meet your specific security needs and provide a responsive support team. If you handle financial or medical data, the provider also should help you comply with data-security regulations.

If you’re planning to outsource all your basic security needs — including the defense of your network and the devices on it and the filtering of your email for spam, scams and malware — you’ll probably want to consider one of the soup-to-nuts services. Some of these companies offer cloud services that monitor your systems by running your traffic through their data centers before it comes to you. Some install equipment on your network that sends data to them for analysis and investigation. And others combine in-house and cloud technologies.

Among the companies serving small businesses are security-software giants such as Symantec Corp. and McAfee Inc. There are also a slew of specialized service providers to choose from, including Solutionary Inc., Perimeter E-Security and Dell’s SecureWorks Inc.

If you’re primarily concerned about securing your website, you might consider a new breed of startups offering specialized technology to sites of all sizes. CloudFlare Inc. and Incapsula Inc. can block security threats to sites while boosting site speed and performance.

Dasient Inc. can help keep malicious programs and ads off your site. And firms such as Prolexic Technologies defend sites from so-called denial of service attacks, or floods of bogus traffic that make a site unavailable to visitors.

You don’t have to fend off cybercriminals all by yourself. There are plenty of services that can give your company effective protection at a reasonable cost.

source: http://smallbusiness.foxbusiness.com/technology-web/2012/01/19/why-should-consider-outsourcing-computer-security/


Cloud computing raises security issues

The Internet “cloud” has become the hottest topic in computing, but the trend has created a new range of security issues that need to be addressed.

The cloud is associated with things like personal emails and music which can be accessed on computers and a range of mobile devices.

But the US military and government agencies from the CIA to the Federal Aviation Administration also use cloud systems to allow data to be accessed anywhere in the world and save money—and, ostensibly, to enhance security.

Microsoft, Google, Amazon and others are major players in the cloud, which seeks to transfer some of the data storage issues to more sophisticated data centres.

Strategy Analytics forecasts US spending on cloud services to grow from $31 billion (around Rs1.7 trillion) in 2011 to $82 billion by 2016.

But some experts say security implications of the cloud have not been fully analysed, and that the cloud may open up new vulnerabilities and problems.

“If past is prologue I don’t think any system is absolutely secure,” said Stelios Sidiroglou-Douskos, a research scientist at the Massachusetts Institute of Technology’s Computer Science and Artificial Intelligence Laboratory. “The analogy most people give is having a lock on your door. It’s not a guarantee no one will break in, but it’s a question of how much time it will take, and if your lock is better than your neighbour’s.”

In a cloud environment, “this makes the job of the attacker so much harder, which means the amateur hacker might be obsolete,” said Sidiroglou-Douskos, who is working on a US government-funded research project to develop “self-healing” clouds.

But if a system is breached, analysts say, the amount of information lost could be far greater than what is in a single computer or cluster. “You can have better defences” in the cloud, “but if an attack happens, it’s highly amplified,” says Sidiroglou-Douskos.

The four-year MIT project funded by the Defense Advanced Research Projects Agency seeks to develop systems that automatically fix data breaches in a manner similar to “human immunology”, says the researcher.

A number of cloud security breaches have raised concerns, including attacks on the Sony PlayStation Network, LinkedIn and Google’s Gmail service. One hacker recently claimed to have stolen credit card numbers from 79 major banks.

“Crimes target sources of value. Large company networks offer more targets to hackers,” says Nir Kshetri, a professor of economics who studies cybercrime at the University of North Carolina at Greensboro.

Source: http://www.livemint.com/2012/06/24215806/Cloud-computing-raises-securit.html


Android and Linux re-merge into one operating system


Android has always been Linux, but for years the Android project went its own way and its code wasn’t merged back into the main Linux tree. Now, much sooner than Linus Torvalds, Linux’s founder and lead developer, had expected, Android has officially merged back into Linux’s mainline.

The fork between Android and Linux began in the fall of 2010, when Google engineer Patrick Brady stated that Android is not Linux. That was never actually the case. Android has always been Linux at heart.

At the same time, though, Google did take Android in a direction that wasn’t compatible with the mainstream Linux kernel. As Greg Kroah-Hartman, the maintainer of the stable Linux kernel for the Linux Foundation and head of the Linux Driver Project, wrote in Android and the Linux kernel community, “The Android kernel code is more than just the few weird drivers that were in the drivers/staging/android subdirectory in the kernel. In order to get a working Android system, you need the new lock type they have created, as well as hooks in the core system for their security model. In order to write a driver for hardware to work on Android, you need to properly integrate into this new lock, as well as sometimes the bizarre security model. Oh, and then there’s the totally-different framebuffer driver infrastructure as well.” That flew like a lead balloon in Android circles.

This disagreement sprang from several sources. One was that Google’s Android developers had adopted their own way to address power issues with WakeLocks. The other cause, as Google open source engineering manager Chris DiBona pointed out, was that Android’s programmers were so busy working on Android device specifics that they had done a poor job of coordinating with the Linux kernel developers.

Source: http://www.zdnet.com/blog/open-source/android-and-linux-re-merge-into-one-operating-system/10625?tag=content;search-results-river


HP looks to ease cloud management with SIAM services

HP has released Service Integration and Management (SIAM), a management service which will help firms get a handle on the growing number of enterprise cloud platforms.

The company is hoping that its SIAM platform will allow enterprises to manage and enforce policies for cloud-based applications and external services.

The system will also allow administrators to ensure compliance on data being stored on cloud platforms.

The platform will combine HP’s IT management tools and services with consulting and training programmes for IT staff and administrators. Additionally, the SIAM platform will offer integration with the company’s IT Performance Suite.

Michael Garrett, vice president of professional services for HP software, told V3 that in addition to helping provide visibility into cloud services, the SIAM platform would reduce the complexity firms face from relying on a greater variety of service providers.

"You have different services that require different levels of sourcing, compliance and security," he explained.

"They have a very complex layer which was not the same when you have one supplier."

Source: http://www.v3.co.uk/v3-uk/news/2151783/hp-looks-wrangle-cloud-services-siam
