• Researcher says security defect puts Galaxy S III and other cell phones using Android at risk.


    Cellphones using Google's Android operating system are at risk of being disabled or wiped clean of their data, including contacts, music and photos because of a security flaw that was discovered several months ago but went unnoticed until now. 

    Opening a link to a website or a mobile application embedded with malicious code can trigger an attack capable of destroying the memory card in Android-equipped handsets made by Samsung, HTC, Motorola and Sony Ericsson, rendering the devices useless, computer security researcher Ravi Borgaonkar wrote in a blog post Friday. Another code that can erase a user's data by performing a factory reset of the device appears to target only the newly released and top selling Galaxy S III and other Samsung phones, he wrote.

    Borgaonkar informed Google of the vulnerability in June, he said. A fix was issued quickly, he said, but it wasn't publicized, leaving smartphone owners largely unaware that the problem existed or how they could fix it.

    Google declined to comment. Android debuted in 2008 and now dominates the smartphone market. Nearly 198 million smartphones using Android were sold in the first six months of 2012, according to the research firm IDC. About 243 million Android-equipped phones were sold in 2011, IDC said.

    Versions of Android that are vulnerable include Gingerbread, Ice Cream Sandwich and Jelly Bean, according to Borgaonkar. He said the Honeycomb version of Android, designed for tablets, needs to be tested to determine if it is at risk as well.

    Samsung, which makes most of the Android phones, said only early production models of the Galaxy S III were affected and a software update has been issued for that model. The company said it is conducting an internal review to determine if other devices are affected and what, if any, action is needed. Samsung said it is advising customers to check for software updates through the "Settings: About device: Software update" menu available on Samsung phones.

    Borgaonkar, a researcher at Germany's Technical University Berlin, said the bug works by taking advantage of functions in phones that allow them to dial a telephone number directly from a web browser. That convenience comes with risk, however. A hacker, or anyone with ill intent, can create a website or an app with codes that instruct the phones linking to those numbers to execute commands automatically, such as a full factory reset.

    The phone's memory card, known as a subscriber identity module, or SIM, can be destroyed remotely in the same way, Borgaonkar said. "Vulnerability in Android can be exploited to kill the SIM card permanently by clicking a single click," he wrote. "After the successful attack, the end user has to go to the mobile network operator and buy a new SIM card."
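    As an added illustration of the defensive side of the mechanism described above (example code written for this page, not from the article or from Borgaonkar's post), the following Python filter classifies the tel: links found in a page so that a content proxy or link checker can block the ones that would hand a dialer code, rather than a plain number, to the phone. The sample HTML and every name in it are constructed; the only assumption is that dialer codes use the '*' and '#' characters, which an ordinary phone number never needs.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# Characters that begin MMI/USSD dialer sequences; an ordinary phone
# number never contains them (assumption stated in the lead-in).
MMI_CHARS = frozenset("*#")

# A benign number after separators are removed: optional '+' and
# 3 to 15 digits (15 is the E.164 maximum length).
_PLAIN_NUMBER = re.compile(r"^\+?\d{3,15}$")

# Quoted URL-bearing attributes (href/src) in an HTML document. The
# scanner only has to spot tel: targets, so a regex is sufficient here.
_URL_ATTR = re.compile(r'\b(?:href|src)\s*=\s*["\']([^"\']*)["\']', re.I)


def _fully_decoded(value: str, rounds: int = 3) -> str:
    """Percent-decode until the string stops changing.

    Conservative assumption: the filter must not be fooled by '#' being
    written as %23 or even %2523, so decoding is repeated a few rounds.
    """
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def check_tel_link(uri: str) -> Tuple[bool, str]:
    """Decide whether a tel: URI is a plain dialable number.

    Returns (allowed, reason). Links that are not tel: links are out of
    scope for this check and are therefore allowed.
    """
    uri = uri.strip()
    if not uri.lower().startswith("tel:"):
        return True, "not a tel: link"
    target = _fully_decoded(uri[len("tel:"):])
    # Strip the visual separators people type into numbers.
    compact = re.sub(r"[\s\-().]", "", target)
    if MMI_CHARS & set(compact):
        return False, "contains MMI/USSD characters"
    if _PLAIN_NUMBER.match(compact):
        return True, "plain number"
    # Fail closed on anything else the dialer might interpret specially.
    return False, "not a plain number"


def find_risky_links(html: str) -> List[str]:
    """Return every href/src value in `html` that check_tel_link rejects."""
    return [u for u in _URL_ATTR.findall(html) if not check_tel_link(u)[0]]


# Constructed sample page for a stand-alone run (not from the article).
SAMPLE_HTML = """
<a href="tel:+49 30 1234567">call us</a>
<a href="http://example.invalid/help">help</a>
<a href="tel:%2A%23demo%23">dial</a>
<a href="TEL:(030)123-4567">office</a>
"""

if __name__ == "__main__":
    for link in find_risky_links(SAMPLE_HTML):
        print("blocked:", link, "->", check_tel_link(link)[1])
```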

    While Borgaonkar has drawn attention to the problem, it's unclear how useful the vulnerability would be to cybercriminals who are primarily interested in profits or gaining a competitive advantage, said Jimmy Shah, a mobile security researcher at McAfee. "There's no benefit to the attacker if they can't make money off it or they can't steal your data," Shah said. "It's really not that useful."

    But the technique could cause huge headaches if it were harnessed to issue outbound phone calls, said Mikko Hypponen, chief research officer at F-Secure, a digital security company in Helsinki, Finland. "If that would be doable, we would quickly see real world attacks causing phones to automatically dial out to premium-rate numbers," he said.


    Find Below the Link to the Researcher's Post.
    ___
    Online:
    Ravi Borgaonkar's blog post: http://www.isk.kth.se/~rbbo/ussdvul.html
  • Microsoft founder Bill Gates on Thursday finally gave the new Windows 8 his endorsement and public approval.

    Bill Gates, during an interview with the Associated Press to discuss the Bill and Melinda Gates Foundation's participation in a global mission to end polio, took some time out to comment on Microsoft's upcoming operating system.

    He called the new operating system scheduled for release next month "a very exciting new product" and "a very big deal" for the world's largest software maker.

    Windows 8 is Microsoft's biggest overhaul of Windows in more than a decade and the company's attempt to stay relevant and exciting in a world where mobile gadgets like the Apple iPad, Android tablets and smartphones have started to overshadow personal computers.

    He stated he is already using Windows 8 and is very pleased with it. Gates also believes Windows 8 will be a big deal partly because hardware partners are doing “great things” to take advantage of the OS' new features.

    The release of Windows 8 is scheduled for October 26, 2012, and a new version of Internet Explorer will be released alongside the new OS on that date.

    Of course, Microsoft is prepared should personal computers continue their downward spiral. Versions of the operating system will also ship on tablets and smartphones come October 26. It's an important step, as the Windows & Windows Live division represented 27 percent of the company's revenue in 2011. But as the numbers indicate, it's not all about the legendary operating system these days.

    Windows 8 will replace Windows 7 on practically all personal computers sold to consumers.

    It features major changes in the way consumers interact with their machines, and versions of it will also run on tablet computers and smartphones.

    Although Microsoft has grown into much more than a maker of computer operating systems — providing computer services to corporations and Xbox gaming machines to game enthusiasts — Windows still accounts for a significant chunk of the company's annual revenue.

    In 2011, Microsoft's "Windows & Windows Live" division generated 27 percent, or $19 billion, of the company's $69.9 billion in annual revenue.

    Either way, there's no denying that there will be a lot of pressure on Microsoft to deliver big in the next several months.

  • More Passwords, More Problems

    The more we depend on the Web, the more passwords we accumulate—and forget. Some startups think they have a solution.

    It's easy to remember one username and password. Keeping five or 10 straight is much harder. Password overload has long afflicted techies, but as we all spend more time doing everything from shopping to banking to playing games on the Web, it's become a more widespread problem.
    A number of companies are trying to combat the problem. Approaches range from password managers that secure your login details with one master password to methods that eliminate the need for multiple passwords in the first place.
    A 2007 study by Microsoft Research explored the strength, frequency, and usage of passwords belonging to 500,000 computer users. The study found that each person had an average of 6.5 passwords that they used for 25 different online accounts—meaning each password was being recycled about four times.
    Five years later, most of us have many more accounts that we access across desktop computers, smartphones, and tablet computers. But we're probably no better at coming up with secure passwords—ones that can't be easily guessed or cracked using a computer—and, as high-profile security breaches at websites like LinkedIn and eHarmony show, weak passwords put our online identities at risk.
    The most common tool for organizing a glut of passwords is the password manager, but few people use them, says Cormac Herley, an author of the 2007 Microsoft Research study. A startup called Dashlane is hoping to change this, with a simple password management and automated form-filling tool that it says can make it easier to shop online. Dashlane encrypts and stores passwords on a user's computer or smartphone. Then only the master password—which is not stored on Dashlane's servers—can be used to access the information.
    The company emerged from a private beta test in April, and Daniela Perdomo, Dashlane's director of user growth, says it currently has hundreds of thousands of users who have collectively stored 1.5 million passwords with its desktop and smartphone software (most are using a free version of the service). She claims Dashlane's auto-form-filling technology is accurate about 90 to 95 percent of the time.
    The weak spot here, of course, is forgetting your master password. But the approach also makes it more difficult for others to gain access to your data simply by stealing your device. And setting up a password manager could inspire you to make your individual passwords more secure, knowing that now you'll only need to remember that one master password to access all your accounts on your computer. Perdomo acknowledges that most people aren't ready to be proactive about weak or identical passwords. "The average person doesn't care until they get hacked," she says, echoing the opinion of several security experts.
    Another key drawback of password managers is that they often need to be installed and synched on each device you use to access your accounts. This might be convenient if you're on your home or work computer, but less so if you're at a friend's house.
    Chances are that you'll have your smartphone on you, though. It, too, is coming into play as a way to balance login security and convenience. That's the idea behind PhoneID, which software engineers Mike Thomas and Vahur Roosimaa created in early September at a hackathon—a marathon coding event where programmers come up with new ideas—hosted by tech blog TechCrunch. Currently a prototype, PhoneID lets you log in to websites with your desktop computer by using your smartphone to scan an on-screen QR code, Thomas says. This way, you would never have to type in a username and password.
    The first time you visit a participating website on your desktop computer, a QR code would pop up on the screen. Scanning it with your phone would prompt your computer to ask for your phone number, and PhoneID would send your cell phone an SMS that could be clicked to log you in to the site and authenticate you. On subsequent visits, scanning an on-screen QR code would immediately log you in.   
    PhoneID requires a website to add several lines of code. And while it could be set up to work with sites where you already have an account and password, it's currently geared toward setting up a new account on a site. Thomas says the approach could save websites from having to store and guard password information, and save consumers from remembering their login credentials. "Even for someone who's technically savvy, keeping track of all your passwords is difficult," he says.
    Gartner analyst Gregg Kreizman thinks solutions like PhoneID will become more common as companies take advantage of the cameras, sensors, and geolocation capabilities of smartphones. These features could help by providing other ways of authenticating users, he says.
    But what if we could just cut down on passwords altogether? The most popular existing examples of this approach are Facebook Connect and Sign in with Twitter, two services that let you log in to websites with your Facebook or Twitter credentials. This makes things convenient for users, while also granting sites access to some of your personal information. It's not all that secure, though. Another approach came recently from Intel, which, at the Intel Developer Forum, announced a futuristic-sounding plan to authenticate people by reading vein patterns.  
    A startup called OneID has a different idea. It requires websites to use its login method, which uses public key cryptography—security technology that encrypts and decrypts data using two kinds of "key" belonging to each party, one kept secret and the other published openly—and knowledge of the devices you use to securely sign you in with a single click.
    OneID founder Steve Kirsch, who also founded the search engine Infoseek, says that when a user hits a OneID button on a website, the site sends his or her public "key" to the user's computer. That key is then forwarded to a OneID server, which can make a swift determination based on the website's specifications and user's preferences about what needs to happen next—if additional authentication is required, or if the user can simply be allowed to enter the site.
    OneID users don't need to set a password. A smartphone app that approves higher-risk activities like making online purchases requires a PIN, though. While someone could still steal your computer and then gain access to some low-security websites that don't require two-factor authentication, you could disable that device's OneID access remotely to stop the breach.
    OneID is in the process of rolling out its technology, though the company could not name any sites that are using it. Kirsch says the company is going after sites, such as e-commerce businesses and banks, that require high security. "As they give it a shot and people see the results, then more and more people will give it a shot," Kirsch says.
    Moxie Marlinspike, a San Francisco-based computer security researcher, says single sign-ons that focus on security are a tough sell. "Most of those sites don't see the convenience of not having to manage a username and password as a real benefit," he says, and if they choose to enable one they'll typically go with the Facebook or Twitter options since that will give them access to some of a user's social information.
    Marlinspike thinks that in order to get users to change their behaviors, developers will need to keep working to make security as invisible as possible. But, he says, passwords will likely be with us for a while.

  • Google Glass and the Future of Technology

    New gadgets — I mean whole new gadget categories — don’t come along very often. The iPhone was one recent example. You could argue that the iPad was another. But if there’s anything at all as different and bold on the horizon, surely it’s Google Glass.

    That, of course, is Google’s prototype of a device you wear on your face. Google doesn’t like the term “glasses,” because there aren’t any lenses. (The Glass team, part of Google’s experimental labs, also doesn’t like terms like “augmented reality” or “wearable computer,” which both have certain baggage.)
    (Photo: David Pogue wearing Google Glass. Credit: Jason Longo)


    Instead, Glass looks like only the headband of a pair of glasses — the part that hooks on your ears and lies along your eyebrow line — with a small, transparent block positioned above and to the right of your right eye. That, of course, is a screen, and the Google Glass is actually a fairly full-blown computer. Or maybe like a smartphone that you never have to take out of your pocket.

    This idea got a lot of people excited when Nick Bilton wrote about the glasses in February in The New York Times. Google first demonstrated it in April in a video. In May, at Google’s I/O conference, Glass got some more play as attendees watched a live video feed from the Glass as a sky diver leapt from a plane and parachuted onto the roof of the conference building. But so far, very few non-Googlers have been allowed to try them on.

    Last week, I got a chance to try on a pair. I’m hosting a PBS series called “Nova ScienceNow” (it premieres Oct. 10), and one of the episodes is about the future of tech. Of course, projecting what’s yet to come in consumer tech is nearly impossible, but Google Glass seemed like a perfect example of a breakthrough on the verge. So last week the Nova crew and I met with Babak Parviz, head of the Glass project, to discuss and try out the prototypes.

    Now, Google emphasized that Google Glass is still at a very, very early stage. Lots of factors still haven’t been finalized, including what Glass will do, what the interface will look like, how it will work, and so on. Google doesn’t want to get the public excited about some feature that may not materialize in the final version. (At the moment, Google is planning to offer the prototypes to developers next year — for $1,500 — in anticipation of selling Glass to the public in, perhaps, 2014.)

    When you actually handle these things, you can’t believe how little they weigh. Less than a pair of sunglasses, in my estimation. Glass is an absolutely astonishing feat of miniaturization and integration.
    Inside the right earpiece — that is, the horizontal support that goes over your ear — Google has packed memory, a processor, a camera, speaker and microphone, Bluetooth and Wi-Fi antennas, accelerometer, gyroscope, compass and a battery. All inside the earpiece.

    Google has said that eventually, Glass will have a cellular radio, so it can get online; at this point, it hooks up wirelessly with your phone for an online connection.

    And the mind-blowing thing is, this slim thing is the prototype. It’s only going to get smaller in future generations. “This is the bulkiest version of Glass we’ll ever make,” Mr. Parviz of Google said.

    The biggest triumph — and to me, the biggest surprise — is that the tiny screen is completely invisible when you’re talking or driving or reading. You just forget about it completely. There’s nothing at all between your eyes and whatever, or whomever, you’re looking at.
    And yet when you do focus on the screen, shifting your gaze up and to the right, that tiny half-inch display is surprisingly immersive. It’s as though you’re looking at a big laptop screen or something.
    (Even though I usually need reading glasses for close-up material, this very close-up display seemed to float far enough away that I didn’t need them. Because, yeah — wearing glasses under Glass might look weird.)

    The hardware breakthrough, in other words, is there. Google is proceeding carefully to make sure it gets the rest of it as right as possible on the first try.

    But the potential is already amazing. Mr. Parviz stressed that Glass is designed for two primary purposes — sharing and instant access to information — hands-free, without having to pull anything out of your pocket.
    You can control the software by swiping a finger on that right earpiece in different directions; it’s a touchpad. Your swipes could guide you through simple menus. In various presentations, Google has proposed icons for things like taking a picture, recording video, making a phone call, navigating on Google Maps, checking your calendar and so on. A tap selects the option you want.
    In recent demonstrations, Google has also shown that you can use speech recognition to control Glass. You say “O.K., Glass” to call up the menu.

    To illustrate how Glass might change the game for sharing your life with others, I tried a demo in which a photo appeared — a jungly scene with a wooden footbridge just in front of me. The theme from “Jurassic Park” played crisply in my right ear. (Cute, real cute.)

    But as I looked left, right, up or down, my view changed accordingly, as though I were wearing one of those old virtual-reality headsets. The tracking of my head angle and the response to the immersive photo was incredibly crisp and accurate. By swiping my finger on the touchpad, I could change to other scenes.

    Now, there’s a lot of road between today’s prototype and the day when Google Glass will be on everyone’s faces. Google will have to nail down the design — and hammer down the price. Issues of privacy and distraction will have to be ironed out (although I’m not nearly as worried about distraction as I was before I tried them on). Glasses wearers may have to wait until Glass can be incorporated into actual glasses.

    We may be waiting, too, for that one overwhelmingly compelling feature, something that you can’t do with your phone (beyond making it hands-free). We’ve seen that the masses can’t even be bothered to put on special glasses to watch 3-D TV; it may take some unimagined killer app to convince them to wear Google Glass headsets all day.

    But already, a few things are clear. The speed and power, the tiny size and weight, the clarity and effectiveness of the audio and video, are beyond anything I could have imagined. The company is expending a lot of effort on design — hardware and software — which is absolutely the right approach for something as personal as a wearable gadget. And even in this early prototype, you already sense that Google is sweating over the clarity and simplicity of the experience — also a smart approach.
    In short, it’s much too soon to predict Google Glass’s success or failure. But it’s easy to see that it has potential no other machine has ever had before — and that Google is shepherding its development in exactly the right way.


    Article adapted from the New York Times Technology page.

  • Symantec Cyber-Crime Report

    2012 Norton Cyber-crime report; A worrying scenario.

    Here we are with the regular appointment with Symantec and its report on cybercrime, the yearly Norton Cybercrime Report, a document that analyzes the evolution of cyber criminal activities and their impact on society. The report covers different technologies, including social networking and mobile, and describes the impact on end users in economic terms.
    The report involved 13018 participants across 24 countries aged 18-64 and a pool of expert collaborators.
    The impact of cybercrime is worrying: 556 million victims per year, two in three adults have been victims of online crime in their lifetime, and the total economic loss is $110 billion, with an average cost per victim of $197.
    The Asian region is the most affected by cybercrime: the global price tag of consumer cybercrime for China amounts to $46 billion, followed by the US with $21 billion and Europe with $16 billion.
    The highest numbers of cybercrime victims were found in Russia (92 percent), China (84 percent) and South Africa (80 percent).
    The technologies that have suffered the major increase in cybercrime are social networking and mobile.
    An increase has been registered in cybercrime that takes advantage of social networks and mobile technology. Mobile users are very vulnerable to attacks: 2/2 adults use a mobile device to access the internet, and mobile vulnerabilities doubled in 2011 compared with the previous year.
    44% of users aren’t aware of the existence of security solutions for mobile environments, and 35 percent of adults have lost their mobile device or had it stolen.

    Of particular concern is the improper use of social networks: poor session management, failure to validate visited links and total ignorance of security settings expose users to fraudulent activities.
    15 percent of users have had their account infiltrated, and 1 in 10 have been victims of fake links or scams.

    Another extremely worrying behavior is the way people use public networks and what they do on them, for example accessing private services such as email.
    Email accounts are among the most attractive targets for cybercriminals because they represent a simple way to access sensitive information.
    “When using public connections, 67 percent access email, 63 percent use social networking and 24 percent access their bank account, according to the report.”

    I found it really interesting to read the reports of security firms, which give us a vision of the evolution of cyber threats and of course some practices to share with those users too “distracted” or unaware of the incoming risks.
    The report confirms that the cyber-crime industry is a factory that knows no crisis and that moves amounts of money comparable to the revenue of a State.
    What is worrying is the increasing trend, which demonstrates the need to put in place further countermeasures and of course a massive awareness campaign.


  • If you are anything like me, you get asked questions like what computer should I buy, what phone to buy, or what gadget to buy. More recently, a whole lot of people have been asking: “should I buy a notebook computer or should I just go for a tablet?” This question goes to show how much upside this tablet category has in the computing paradigm shift we are observing. However, with where we are in the early days of this category, does it really make sense to recommend a tablet over a notebook?


    When laptops/notebooks entered the technology market, everyone wanted one of those small devices for computing on the go. Laptops received a lot of hype because of their portability and their ease of use. This new technology took the computing world by storm and dominated the portable computer scene until a new device entered the market: the tablet. This device offers several of the same features as laptops but with added portability. Some individuals may feel this is the new way to compute and they can’t live without their tablet, whereas others say laptops can never be replaced.

    So, how do we now answer this question: a notebook or a tablet?
    We respond to their question with a question.
    Like any good or helpful IT person, the best way to answer any tech related question where multiple products, platforms and companies are being considered is always to ask “what do you plan to use it for?” This allows you to get to the heart of a person’s computing needs and then recommend a product based on their primary uses.

    However more often than not I am still recommending a notebook over a tablet, especially when they are looking at replacing their primary computer. I don’t currently believe a tablet is a notebook replacement at this point in time. We can actually say that touch computing represents the opportunity to bring us into a new age of computing where tablets and other touch computing devices can replace a notebook, but I don’t feel we are there yet.

    In some cases I have actually recommended the combination of an all-in-one desktop and a tablet over a notebook. I’ve found that the question of performance over portability comes up quite a bit in these conversations and the all-in-one desktop combined with a tablet hits both performance and portability in ways a notebook can not. There is decent sync software on the market from companies like DropBox or SugarSync which keeps content aligned across devices and is useful in the desktop / tablet combination.


    Let's take a look at the advantages and disadvantages of each device to help decide which will best fit us and our needs.


    Laptops
    One of the benefits of using a laptop is the hardware included on the product. Laptops come with full keyboards, large screens and much higher screen resolution than you would find on any tablet. A full, physical keyboard is a desired feature for many individuals who do not like to type on a touchscreen. You can type much faster and more accurately using a full keyboard. The screen is also much larger for viewing photos, browsing the web or even enjoying entertainment content. For a full laptop, not a netbook, your screen size will be 13 inches or larger, depending on the type of product you purchase. Laptops are also more durable than tablets, and you won’t have to worry about scratching or damaging the touchscreen display.
    However, bigger may not always be better. Originally, laptops were designed for portability. These devices accomplish work on the go but they can be a burden to carry with you. Most laptop computers weigh anywhere from 3 to 9 pounds. Not only can this heavy weight be an annoyance to carry in a backpack or briefcase, it can cause back pain if they are carried for extended periods of time.

    Tablets
    These highly portable computing devices give you full control of the screen, features and applications. By using your finger or a stylus, you can directly touch the screen to make gaming more interactive, and the hands-on approach provides a more tactile experience than a mouse for drawing and illustrating. Compared to laptop computers, these products are small. Most tablets offer anywhere from a 7-inch to a 10-inch display screen and weigh less than 1 pound. You can store all your music, capture photos or videos, video chat and even read books on their built-in eReaders.
    Aside from some hefty price tags, you must take special precautions in the care of these devices. They may have a durable body, but the touchscreen display is exposed. And if the touchscreen is damaged, your device could become useless. You can buy a case to protect the screen, but these are not included with the product and require a separate purchase.
    If you're trying to decide between a laptop and a tablet, it all depends upon you and your needs. If you are planning to carry your computer for extended periods of time, the lighter tablet may be ideal for you. Or maybe you want a physical keypad and don’t like the touchscreen display. If you are in the market, figure out what features you must have in your device. Compare and contrast different products to see which ones have the specifications you are looking for. Only by figuring out your needs will you discover which type of computing device you prefer.


    What you should buy depends on what you expect to do with the device. So let's break it down a bit to help you make a decision...

    Do you want to create stuff or consume it?
    The tablet is more of a consumption device, whereas a notebook is more of a creation device. Ask anyone who has ever tried typing a document using a tablet's touch keypad and he will tell you that it can be quite a tedious task.
    On the other hand, if your job requires you to mostly access your emails, browse the web, read reports (as opposed to creating them) and video conference, then the tablet is right for you. And whether it's watching a movie or reading a book, the slate is a far better option.
    Which software do you need?
    Software offerings for notebooks - especially office suites - are still superior to what's available for tablets. In terms of serious offerings, many mobile apps do not promise the same flexibility that the computer versions do.
    On the flip side, tablets have apps that are not only cheaper, but also a lot of fun. And there are lakhs of them, both paid and free, spanning genres such as productivity, photography, gaming, social networking, music, reading, etc.
    How much stuff do you have?
    If you're a media junkie with a huge collection of MP3s, photos and videos, or the type that deals with huge files and software, then the notebook remains the best option. Most laptops will give a minimum of 200 GB of space, going all the way up to 1 terabyte (1024 GB).
    Tablets, on the other hand, come with just 16, 32 or 64 GB of storage, which is insufficient for high-definition multimedia content. Still, if you don't need to store vast amounts of data, this is not a deal-breaker for a tablet.
    Will you carry it around a lot?
    There is no denying that a tablet is more portable than a notebook, offering better battery life in a significantly lighter package. Besides, if you're a frequent flyer, you will definitely appreciate the tablet when passing through the myriad airport security checks.
    How well does it play with other gadgets?
    In your professional life, you might need to hook up your gizmo to a projector, a broadband wire or a printer; and you might even need to connect other gadgets, like pen drives or a phone, to your device. A notebook is a clear winner here, since most come with at least three USB ports, one HDMI port, an Ethernet port for broadband as well as a card reader. These machines also support USB dongles or Wi-Fi for internet connectivity.
    With a tablet, you will have support for Wi-Fi, and 3G SIM cards work just as well. Most hotels provide wireless internet, so using your tablet when travelling should not be an issue. But unless you have the right cables handy, connecting your tablet to other gadgets is going to be a pain.




    If a Tablet is the best option which do I recommend?
    Oftentimes, however, the person asking the question is looking to add a device to their home, not necessarily replace a primary computer. When this is the case, a tablet is a great second, third or fourth screen in the home. It can do quite a bit of generic computing, but having a desktop or notebook as a primary computer is still recommended in some capacity.
    When recommending a tablet it’s important to understand the technical savvy of the person asking the question. For those who I know, or find out, are very technical and love to tinker, customize, tweak, etc. their technology, I know they will love Android. For those like my wife or her parents, or anyone who is not in the 12-15% of early adopters, I’m not as comfortable recommending the Android route yet.
    The middle part of the consumer market is called the early majority and the late majority. Most of that market is made up of people for whom technological understanding is not central. They are the consumers who just want their technology to work: they don’t want to have to think about it, they just want to use it.
    For those consumers I overwhelmingly recommend the iPad. First of all because I don’t want to be tech support, which is also why I recommend Macs in general for these folks; second because the things that Android fans love don’t even enter the minds of these non-tech-savvy consumers. It’s not because they are not enlightened, as some would claim, or indeed that they need to see the light, it’s simply because for them technology represents something very different. These consumers value something different and that is the point – value.


    Laptops and tablet PCs are both viable options. However, there are some key differences, and the notebook offers more benefits than the tablet



  • This article sparks the imagination and enlightens us about how our computers and devices connect to the internet. A brief overview of DHCP and the interaction processes that make our internet connection possible.

    Almost everybody uses the Internet, either at home or in the office, and we get connected via an Internet modem, DSL, LAN or wireless LAN connection.

    All you need to do is to open up your modem application interface and click on connect, and for cable users, you plug in your network cable to your computer. In a matter of seconds, you are connected to the Network and to the Internet.

    Have you ever wondered how that modem or cable connected to the service provider? Ever wondered about the series of processes that went on within that short time before you could gain access to the network?
    I think you do!

    Well, DHCP makes all that possible.


    What is DHCP?
    DHCP is a network protocol used to configure network devices so they can communicate on an IP network. A DHCP client uses the DHCP protocol to acquire configuration information, such as an IP address, a default route, DNS server addresses and other needed configuration settings, from the server.
    These IP addresses are released and renewed when a device leaves and rejoins the network.


    Your ISP has a DHCP server. It can assign IPs by modem or computer MAC address. When your modem comes online, it broadcasts on the network indicating it is looking for an IP address. The DHCP server listens for that communication and starts talking to the modem. At this point, the modem or computer transmits its MAC address to the DHCP server, and in return is assigned an IP address. With the IP address, a modem can now connect to the network and to the internet.

    ISPs usually use DHCP to allow customers to join the internet with minimum effort. Likewise, home network equipment like broadband routers (Wired/Wireless) offer DHCP support for added convenience in joining home computers/devices to the LAN.

    DHCP environments require a DHCP server set up with the appropriate configuration parameters for the given network. Devices running the DHCP client software can then automatically retrieve these settings from the server as required.
    Using DHCP on a network means System Administrators do not need to configure these parameters individually for each client device connecting to the network.

    The above explains how your modem, computer and devices connect to the network/internet.
    Now, let’s see the DHCP Client/server interaction when allocating a new network address.


    DHCP Client/Server Interaction
    DHCP configuration is accomplished through the following sequence of steps:

    1. The DHCP client broadcasts a DHCPDISCOVER message on the local subnet.

    2. All servers on the subnet receive the DHCPDISCOVER message. If the servers have any IP addresses available, they broadcast a DHCPOFFER message. The use of "serial numbers" in the packets lets the client know that a certain DHCPOFFER corresponds to a certain DHCPDISCOVER.

    3. The DHCP client receives all DHCPOFFER messages. Different servers may offer the client different network parameters. The client selects the best DHCPOFFER and throws away the rest. The client then broadcasts a DHCPREQUEST message, filling in the "server identifier" field of the DHCPREQUEST with the IP address of the server whose DHCPOFFER it has chosen.

    4. The servers all receive the DHCPREQUEST. They all look to see if their IP address is in the "server identifier" field of the message. If a server does not find its IP address there, it knows the client has rejected its DHCPOFFER. If the server does find its IP address there, it can proceed in one of two ways. If the IP address is still available, and everything is going well, the server broadcasts a DHCPACK to the client. If there is some sort of trouble, the server sends a DHCPNAK instead.

    5. The client receives either a DHCPACK or a DHCPNAK from the server it selected. If the client receives a DHCPACK, then all is well, and it has now obtained an IP address and network parameters. If the client receives a DHCPNAK, it can either give up or it can restart the process by sending another DHCPDISCOVER. If, for some reason, the client receives a DHCPACK but is still not satisfied, it can broadcast a DHCPDECLINE to the server.
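    The five steps above as a small simulation, added here and not part of the original article: two DHCP servers share one subnet, the client keeps only OFFERs that carry its own transaction id (the "serial number" the steps mention), the REQUEST names the chosen server in its server identifier, and a server answers DHCPNAK when the address it offered was leased to another client in between. Server addresses, pools and MACs are constructed values.

```python
from dataclasses import dataclass

@dataclass
class Msg:
    kind: str            # DHCPDISCOVER / DHCPOFFER / DHCPREQUEST / DHCPACK / DHCPNAK
    xid: int             # transaction id: the "serial number" the steps refer to
    mac: str             # client hardware address
    yiaddr: str = ""     # the IP address being offered or confirmed
    server_id: str = ""  # the "server identifier" field

class Server:
    """One DHCP server with its own address pool (constructed example values)."""
    def __init__(self, ip, pool):
        self.ip, self.free, self.leases = ip, list(pool), {}

    def handle(self, m):
        """Reply to one broadcast message; None means the server stays silent."""
        if m.kind == "DHCPDISCOVER" and self.free:
            # Step 2: offer the first free address without reserving it yet.
            return Msg("DHCPOFFER", m.xid, m.mac, self.free[0], self.ip)
        if m.kind == "DHCPREQUEST" and m.server_id == self.ip:
            # Step 4: the client picked us. ACK only if the address is still free.
            if m.yiaddr in self.free:
                self.free.remove(m.yiaddr)
                self.leases[m.mac] = m.yiaddr
                return Msg("DHCPACK", m.xid, m.mac, m.yiaddr, self.ip)
            return Msg("DHCPNAK", m.xid, m.mac, "", self.ip)
        return None  # DISCOVER with an empty pool, or REQUEST naming another server

def broadcast(servers, m):
    """Every server on the subnet sees the message; collect the non-silent replies."""
    return [r for r in (s.handle(m) for s in servers) if r is not None]

def discover(servers, mac, xid):
    # Step 1 and the receiving half of step 3: keep only OFFERs that carry our xid.
    return [o for o in broadcast(servers, Msg("DHCPDISCOVER", xid, mac))
            if o.kind == "DHCPOFFER" and o.xid == xid]

def request(servers, offer):
    # Step 3: REQUEST names the chosen server; step 5: read back its ACK or NAK.
    req = Msg("DHCPREQUEST", offer.xid, offer.mac, offer.yiaddr, offer.server_id)
    replies = [r for r in broadcast(servers, req) if r.xid == req.xid]
    return replies[0] if replies else None

def race_demo():
    """Two clients are offered the same address; the slower one gets a NAK and retries."""
    a = Server("192.0.2.1", ["192.0.2.10", "192.0.2.11"])  # constructed pools
    b = Server("192.0.2.2", ["192.0.2.100"])
    servers = [a, b]
    offers1 = discover(servers, "02:00:00:00:00:01", 0x1001)
    offers2 = discover(servers, "02:00:00:00:00:02", 0x1002)
    pick = lambda offers: next(o for o in offers if o.server_id == a.ip)
    ack1 = request(servers, pick(offers1))  # .10 is leased to client 1
    nak2 = request(servers, pick(offers2))  # .10 already gone, so DHCPNAK
    # Step 5: client 2 gives up on that exchange and starts over with a new xid.
    ack2 = request(servers, pick(discover(servers, "02:00:00:00:00:02", 0x1003)))
    return ack1, nak2, ack2, b
```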



    DHCP is very interesting; imagine the stress we would be going through to connect to a local or wireless network without the DHCP service.






    A Review of Honeypots: Tracking Hackers by Lance Spitzner

    The Bee in the Honeypot


    I read recently Honeypots: Tracking Hackers by Lance Spitzner because I wanted to learn more about the technology behind these "hackable" computers. Very little technical information has ever been written on the subject. In fact, Lance is the first to complete an in-depth study of honeypots since Clifford Stoll's The Cuckoo's Egg in 1990. Overall, I was impressed with the detail of the book. Lance went to great lengths to make his readers aware of just what honeypots are. But I simply do not agree with the implementation of honeypots within a secured network.
    The basic concept is simple. First, you build a computer with the purpose of allowing an attacker to compromise it. Then, you throw in a bunch of interesting files to lure him in. Finally, connect it to the internet with the least amount of security possible and wait. When an attacker connects to this computer, his attempts to compromise it are logged. The information collected during the session is then used to pinpoint the hacker's location and possibly serve as evidence in a criminal trial against him.

    From this perspective a honeypot would seem like a formidable weapon in the battle against the elusive Blackhat hacker. However, Lance suggests inserting these systems directly into your internal network, placing them right beside the computers that you work so hard to keep secured. This is supposed to give an attacker a more suitable target to compromise. The assumption is that the attacker will aim for the unsecured honeypot instead of the other, more sensitive computers within your network. The way I see it, assumptions are dangerous, and working to build a secure network that's full of holes just doesn't add up.

    Lance devotes a considerable amount of time in the book toward the proper placement of these systems. Basically, he suggests placing one honeypot per every zone of your internal network. This is not a logical security implementation. Opening a security hole in every zone of your network raises a number of issues. The first of which involves the chances of an attacker even compromising the honeypot once he has entered a particular zone.

    For example, let's say that the DMZ zone of my home network consists of a file server, a web server, and a honeypot. The chances that an attacker will try to compromise the honeypot once he enters that zone are three to one. Not bad odds. Until you consider the level of security on the other two computers within that zone. The file and web servers are going to have as much security placed on them as possible, while the honeypot is left wide open to whatever threat comes its way. This is bound to raise suspicion in the hacker's mind. Hackers are commonly perceived to be naïve script kiddies. In reality, they are meticulous in their art and are all too aware of the latest security defenses. The odds that a skilled hacker will just fall into any trap that has been placed in his path are slim to none. So, what's he going to do when he notices that unsecured honeypot sitting beside two highly secured servers? He's going to skip right over it and head straight for the goods.

    Of course the chances are still good that he will try to compromise the honeypot, even though he knows it's a trap. Why? Because he knows that if he gains the honeypot computer, then he can use it to reach every other computer within that zone, unrestricted. Think about it. For the honeypot to be active in a particular zone, it must be able to communicate with the other computers that reside within that zone. For example, computer B must be able to accept connection requests to and from computer A in order to provide computer C with a stable network connection. So, gaining access to computer C could serve as a bridge to computers B and A.

    What I found to be the most discouraging about the study was Lance's process for choosing a honeypot solution. He covers four of the most popular applications, including Back Officer Friendly, Specter, Honeyd, and Man Trap. There are many more available, but what they all seem to have in common is an overall lack of potential as a security solution. In fact, most of them offer services that only mimic those of other popular security applications. For example, let's take a look at Back Officer Friendly.

    Back Officer Friendly is a lightweight honeypot solution designed to run as a watcher application on the Windows operating system. Lance includes a copy of the software on the accompanying CD-ROM for evaluation. Once installed, it can be set up to emulate a variety of services on your computer, including telnet, http, or smtp. When an attacker tries to connect to one of these services, the honeypot recognizes the attempt and takes over instead. The attacker will be greeted with a fake reply appropriate to the particular service and begins to interact with the honeypot as if it were the real thing. The user is then notified of the attack. Back Officer Friendly logs the attacker's IP address, as well as any passwords he uses to try to log into the system.
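    A low-interaction service emulation of the kind the paragraph above describes, written here as an added example and not Back Officer Friendly's own code: a fake telnet login that greets the connection, records the peer IP and every username/password tried, and never lets the session go any further. The banner text, hostname and listening port are constructed.

```python
import asyncio
import datetime as dt

class FakeTelnet:
    """Low-interaction telnet emulation: prompt, record credentials, always refuse."""
    BANNER = "host01 login service\r\n"  # constructed banner; hostname is hypothetical

    def __init__(self, peer_ip, clock=None):
        self.peer_ip = peer_ip
        self.clock = clock or (lambda: dt.datetime.now(dt.timezone.utc))
        self.state, self.username = "user", None
        self.log = []  # one dict per login attempt: what the honeypot reports

    def greet(self):
        return self.BANNER + "login: "

    def handle_line(self, line):
        """Consume one line from the peer and return the text to send back."""
        line = line.rstrip("\r\n")
        if self.state == "user":
            self.username, self.state = line, "pass"
            return "Password: "
        # Password state: record the attempt with source IP and timestamp.
        self.log.append({"ts": self.clock().isoformat(), "ip": self.peer_ip,
                         "user": self.username, "password": line})
        self.state = "user"
        return "\r\nLogin incorrect\r\nlogin: "  # low interaction: nobody gets in

async def serve(host="127.0.0.1", port=2323):
    """Bind the emulation to a TCP port and print each session's log on disconnect."""
    async def on_conn(reader, writer):
        session = FakeTelnet(writer.get_extra_info("peername")[0])
        writer.write(session.greet().encode())
        while data := await reader.readline():  # b"" once the peer disconnects
            writer.write(session.handle_line(data.decode(errors="replace")).encode())
            await writer.drain()
        for entry in session.log:
            print(entry)
        writer.close()
    server = await asyncio.start_server(on_conn, host, port)
    async with server:
        await server.serve_forever()

if __name__ == "__main__":
    asyncio.run(serve())
```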

    The drawback to this software is that it will only monitor services on your computer that are not being monitored or used by any other program. This means two things: 1) If you're using one of these services for any other purpose (for example, http to run a web server), then Back Officer Friendly cannot be employed to help secure it. 2) If you're not using one of these services and wish to have Back Officer Friendly monitor it for malicious activity, then you have to allow that service complete access through your firewall!

    I don't know about you, but I'm not comfortable allowing a service as dangerous as telnet through my firewall. Furthermore, the thought of granting access to any service that allows an attacker to interact with it sends a shiver up my spine. A more logical solution would be to allow the firewall itself to monitor these services. Most good firewalls offer the same logging abilities as Back Officer Friendly and will monitor the same services whether they are being used or not. Furthermore, most of the software mentioned in the book is extremely expensive and each one is designed to run either on or for a particular operating system. If you're running a tight network with multiple operating systems, then you're going to be spending a considerable amount of money just to invite hackers to come and play on it.

    The broad range of honeypot classifications adds yet another level of confusion to the decision-making process. Lance classifies honeypots according to two main classifications, then three functionality classifications, and finally, two levels of interaction classifications. Lance defines the two main classifications like this, "...production honeypots provide value by protecting a specific resource or organization, such as acting like a burglar alarm and detecting attacks. Research honeypots are different; they add value by gaining information on a threat, such as capturing an attacker's keystrokes" (278). Fair enough. Let's move on to the three functionality classifications. They are prevention, detection and response.

    Prevention honeypots are designed to deter an attacker's attempts to compromise the system, for example by flashing a warning banner at him to let him know that you are aware of his presence and are monitoring his actions on the network. Detection honeypots are designed to detect attacks that have penetrated your firewall and identify the attacker who is responsible, for example by logging his IP addresses, keystrokes, and hop points. Response honeypots are designed to capture and reveal new techniques and exploits that are being used by the Blackhat community. This helps to improve the security community's incident response time by learning how hackers do what they do.

    This is where the confusion sets in. If the main goal of a production honeypot is prevention and detection, then what is the main goal of a production response honeypot? On the other hand, what would be the main goal of a research honeypot with the prevention and detection functions built into it? These three classifications seem absolutely redundant. In fact, they only exist to describe functions that are already present in the first two classifications. Let's look to the last two classifications for clarification.

    These have to do with the level of interaction that the attacker has with the honeypot itself. In a low level of interaction honeypot, the attacker will be shown a simple logon prompt or an http error page upon successfully connecting with a service. Neither will let him go any farther, and both log his attempts to do so. A high level of interaction honeypot will do the same with the exception of actually allowing the attacker to use the logon prompt. This will give him physical access to the system. Or if he connects through http, he will be presented with a real website designed just for him to vandalize. Again, these are functions that can be found in the first two classifications.

    This leads me to believe that there are only two classifications to choose from, production and research. A production honeypot is geared toward detecting and preventing attackers by limiting their level of interaction with the honeypot. A research honeypot is geared more toward understanding how attackers compromise computer systems by increasing their level of interaction with the honeypot. The other five classifications are simply functionalities that are contained within these two classifications. They are not separate entities that can be mixed and matched.

    In conclusion, I found the book to be very educational. It is easy to read and offers a pleasant change from the jargon-riddled prose found in most technical writing. Subjects such as networking fundamentals and hacking methods are all covered in detail using language that even the layman can understand. However, I simply do not agree with Lance's implementation and placement of these systems. The assertion that a honeypot can add an extra layer of security to complex network environments defies common security logic. In fact, they may actually hinder the ability of other security implementations and compromise the integrity of the entire network.
    Published by Matthew Austin

    (I read this article on the Yahoo Voices page and thought it would be great to share it with our honorable readers here.)