• A comprehensive article that touches on cyber-crime laws, the limits to overcoming cyber-crime and the opportunity in the collective security of the human race.

    With the advent of the computer age, legislatures have been struggling to redefine the law to fit crimes perpetrated by computer criminals. Computer crime is amongst the newest and most constantly evolving areas of the law in many jurisdictions. The rise of technology and online communication has not only produced a dramatic increase in the incidence of criminal activity, it has also resulted in the emergence of what appear to be some new varieties of criminal activity. Both the increase in the incidence of criminal activity and the possible emergence of new varieties of criminal activity pose challenges for legal systems, as well as for law enforcement.

    The news said that another person had their identity stolen. It happened again. You might even know of someone that had it happen to them. We often hear of percentages - and they are surprisingly high. Enforcement is taking place, but we have to wonder if computer crime laws are really having any effect against cyber crime.


    Defining Cyber Crime

    Computer crime refers to any crime that involves a computer and a network. The computer may have been used in the commission of a crime, or it may be the target. Net-crime refers to criminal exploitation of the Internet. Cyber-crimes are defined as: "Offenses that are committed against individuals or groups of individuals with a criminal motive to intentionally harm the reputation of the victim or cause physical or mental harm to the victim directly or indirectly, using modern telecommunication networks such as Internet (Chat rooms, emails, notice boards and groups) and mobile phones (SMS/MMS)".

    Hacking has a rather simple definition to it. Basically it is defined as the unauthorized use of a computer - especially when it involves attempting to circumvent the security measures of that computer, or of a network.

    Beyond this, there are two basic types of hacking. Some hack only because they want to see if they can do it; it is a challenge to them. For others, however, it becomes an attack, and they use their unauthorized access for destructive purposes. Hacking occurs at all levels and at all times, by someone, for some reason. It may be a teen doing it to gain peer recognition, a thief, a corporate spy, or one nation against another.


    Effectiveness of Computer Hacking Laws

    As with any other law, its effectiveness must be judged by its deterrent effect. While there will always be those who want to see if they can do it and get away with it (as with any crime), there are always many more who will not do something if they are aware that it is unlawful and may lead to imprisonment.

    In the early 1990s, when hacker efforts stopped AT&T communications altogether, the U.S. Government launched its program to go after the hackers. This was further stepped up when government reports (by the GAO) indicated that there had been more than 250,000 attempts to hack into Defense Department computers. First there were the laws; now came the bite behind them. One effect of computer hacking was to bring about focused efforts to catch the perpetrators and punish them by law.

    Then, more recently, the U.S. Justice Department revealed that the National Infrastructure Protection Center had been created in order to protect our major communications, transportation and technology from attack by hackers. Controlling teens and hackers has become the focus of many governmental groups seeking to stop this maliciousness against individuals, organizations, and nations.


    One of the most famous for his computer hacking crimes was Kevin Mitnick, who was tracked down by computer and caught in 1995. He served a prison sentence of about five years. Others have likewise been caught. Another case is that of Vasily Gorshkov from Russia, who was 26 years old when convicted in 2001. He was found guilty of conspiracy and computer crime.

    Other individuals have also been found guilty and sentenced, and many others remain on trial. If you pay much attention to the news, then you know that every now and then you will hear of another hacker that has been caught, or a group of hackers that have been arrested because of their criminal activities. The interesting thing is that it is often people who had themselves learned hacking techniques who are now using them to catch criminal hackers.

    Another criminal hacker, who called himself Tasmania, made big news when he fled Spain to Argentina on various charges of breaking into online bank accounts and stealing from banks. There he went into operation again. He was quickly tracked to Argentina, and the governments of Spain and Argentina went after him, first with surveillance. Before long, he was arrested, along with 15 other men, and was then extradited back to Spain (in 2006), where he could face up to 40 years in prison.

    The simple truth is that these criminal hackers and cyber attackers get smarter every day, and they do everything possible to cover their tracks, making it difficult to locate them. We cannot help but wonder whether these computer crime laws have any impact on the rate of computer crimes being committed day after day, whether the existing laws in place are adequate to combat cyber crime, and consequently whether amendments need to be put in place.

    Today, criminal organizations are very active in the development and diffusion of malware that can be used to execute complex fraud with minimal risks to the perpetrators. Criminal gangs, traditionally active in areas such as human or drug trafficking, have discovered that cyber-crime is a lucrative business with much lower risks of being legally pursued or put in prison. Unethical programmers are profitably servicing that growing market. Because today’s ICT ecosystem was not built for security, it is easy for attackers to take over third party computers, and extremely difficult to track attacks back to their source. Attacks can be mounted from any country and hop through an arbitrary number of compromised computers in different countries before the attack reaches its target a few milliseconds later. This complicates attribution and international prosecution.

    SO, WHAT LAWS DO WE HAVE IN PLACE TO COMBAT CYBER CRIMES?

    1. THE COMPUTER MISUSE ACT OF 1990: A law in the UK that makes illegal certain activities, such as hacking into other people’s systems, misusing software, or helping a person to gain access to protected files of someone else's computer.

    Sections 1-3 of the Act introduced three criminal offences:

    a) Unauthorised access to computer material, punishable by 6 months' imprisonment or a fine "not exceeding level 5 on the standard scale" (currently £5000);

    b) unauthorised access with intent to commit or facilitate commission of further offences, punishable by 6 months/maximum fine on summary conviction or 5 years/fine on indictment;

    c) unauthorised modification of computer material, subject to the same sentences as section 2 offences.


    2. COMPUTER FRAUD AND ABUSE ACT: A law passed by the United States Congress in 1986, intended to reduce cracking of computer systems and to address federal computer-related offenses. The Act (codified as 18 U.S.C. § 1030) governs cases with a compelling federal interest, where computers of the federal government or certain financial institutions are involved, where the crime itself is interstate in nature, or where computers are used in interstate and foreign commerce.
    It was amended in 1989, 1994, 1996, in 2001 by the USA PATRIOT Act, 2002, and in 2008 by the Identity Theft Enforcement and Restitution Act. Subsection (b) of the Act punishes anyone who not only commits or attempts to commit an offense under the Act, but also those who conspire to do so.


    3. ELECTRONIC COMMUNICATIONS PRIVACY ACT: Passed in 1986, the Electronic Communications Privacy Act (ECPA) was an amendment to the federal wiretap law; the Act made it illegal to intercept stored or transmitted electronic communication without authorization. ECPA set out the provisions for access, use, disclosure, interception and privacy protections of electronic communications, which are defined as “any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photo electronic or photo optical system that affects interstate or foreign commerce." The Act prohibits illegal access and certain disclosures of communication contents. In addition, ECPA prevents government entities from requiring disclosure of electronic communications by a provider such as an ISP without first going through a proper legal procedure.


    4. CYBER SECURITY ENHANCEMENT ACT: The Cyber Security Enhancement Act (CSEA) was passed together with the Homeland Security Act in 2002; it granted sweeping powers to law enforcement organizations and increased the penalties that were set out in the Computer Fraud and Abuse Act.

    The Act also authorizes harsher sentences for individuals who knowingly or recklessly commit a computer crime that results in death or serious bodily injury.
    The sentences can range from 20 years to life. In addition CSEA increases penalties for first time interceptors of cellular phone traffic, thus removing a safety measure enjoyed by radio enthusiasts.


    5. Other Laws Used to Prosecute Computer Crimes

    In addition to laws specifically tailored to deal with computer crimes, traditional laws can also be used to prosecute crimes involving computers. For example, the Economic Espionage Act (EEA) was passed in 1996 and was created in order to put a stop to trade secret misappropriation. The EEA makes it a crime to knowingly commit an offense that benefits a foreign government or a foreign agent. The Act also contains provisions that make it a crime to knowingly steal trade secrets or attempt to do so with the intent of benefiting someone other than the owner of the trade secrets. The EEA defines stealing of trade secrets as copying, duplicating, sketching, drawing, photographing, downloading, uploading, altering, destroying, photocopying, replicating, transmitting, delivering, sending, mailing, communicating, or conveying trade secrets without authorization. The Act, while not specifically.

    While we cannot survey all computer crime laws here, different countries have different laws laid down to fight cybercrime and to prosecute the guilty.


    BUT EVEN WITH THE PRESENCE OF THESE LAWS:

    We’ve discovered that internationally, both Governmental and non-state actors engage in cybercrimes, including espionage, financial theft, and other cross-border crimes. Activity crossing international borders and involving the interests of at least one nation-state is sometimes referred to as cyber warfare. The international legal system is attempting to hold actors accountable for their actions through the International Criminal Court.


    And this leads us to discussing invasive monitoring by governments. Wikileaks claims that mass interception of entire populations is not only a reality; it is a secret new industry spanning 25 countries. Wikileaks has published 287 files that describe commercial malware products from 160 companies (http://wikileaks.org/the-spyfiles.html). These files include confidential brochures and slide presentations these companies use to market intrusive surveillance tools to governments and law enforcement agencies. This industry is, in practice, unregulated. Intelligence agencies, military forces and police authorities are able to silently, and en masse, secretly intercept calls and take over computers without the help or knowledge of the telecommunication providers. Users’ physical location can be tracked if they are carrying a mobile phone, even if it is only on standby (think RFID).

    To get a glimpse of the potential market size, the U.S. government is required by law to reveal the total amount of money spent spying on other nations, terrorists and other groups. In 2010, the United States spent $80 billion on spying activities. According to the Office of the Director of National Intelligence, $53.1 billion of that was spent on non-military intelligence programmes. Approximately 100,000 people work on national intelligence. These figures do not include DARPA’s “Plan X”, which seeks to identify and track the vulnerabilities in tens of billions of computers connected to the Internet, so they can be exploited.

    It is increasingly common for governments to use monitoring tools, viruses and Trojans to infect computers and attack civilians, dissidents, opponents and the political opposition. The purpose is to track the victim’s activity on the web and gather information about their activities and the identity of collaborators. In some cases, this can lead to those targeted being neutralized and even ruthlessly suppressed.

    According to the F-Secure “News from the Lab” blog, during the Syrian repression the government discovered that dissidents were using programmes like Skype to communicate. After the arrest of a few dissidents, the government used their Skype accounts to spread a malware programme called “Xtreme RAT”, hidden in a file called “MACAddressChanger.exe”, to other activists, who downloaded and executed the malware. The dissidents trusted the MACAddressChanger programme because other files with that name had been successfully used in the past to elude the government’s monitoring system. The Xtreme RAT malware falls into the “Remote Access Tool” category; the full version can easily be bought online for €100. The IP address of the command and control server used in those attacks belonged to the Syrian Arab Republic, STE (Syrian Telecommunications Establishment).

    In the Trend Micro “Malware Blog”, experts at Trend Micro found that the Syrian government was also using the DarkComet malware to infect computers of the opposition movement. The malware steals documents from victims. It seems that it was also spread through Skype chat. Once executed, the malware tries to contact the command and control (C&C) server to transfer the stolen information and receive further instructions. In this example, the C&C server was located in Syria and its IP address range is under the control of the Government of Syria.

    What the above partially illustrates is the very real conflict of interest in organizations and governments responsible for securing our digital world.

    African countries have been criticized for dealing inadequately with cybercrime as their law enforcement agencies are inadequately equipped in terms of personnel, intelligence and infrastructure, and the private sector is also lagging behind in curbing cybercrime. African countries are pre-occupied with attending to pressing issues such as poverty, the AIDS crisis, the fuel crisis, political instability, ethnic instability and traditional crimes such as murder, rape and theft, with the result that the fight against cybercrime is lagging behind. It is submitted that international mutual legal and technical assistance should be rendered to African countries by corporate and individual entities to effectively combat cybercrime in Africa.


    CONCLUSION: 

    While there is no silver bullet for dealing with cyber crime, it doesn’t mean that we are completely helpless against it. The legal system is becoming more tech savvy and many law enforcement departments now have cyber crime units created specifically to deal with computer related crimes, and of course we now have laws that are specifically designed for computer related crime. While the existing laws are not perfect, and no law is, they are nonetheless a step in the right direction toward making the Internet a safer place for business, research and just casual use. As our reliance on computers and the Internet continues to grow, the importance of the laws that protect us from the cyber-criminals will continue to grow as well.

    Efforts at combating cyber-crimes will all continue to produce futile results as long as governments and the OPS (organized public sector) are insincere in their drive towards protecting the sanity of the internet.
    Whatever efforts we make, we shouldn't ignore the fact that an enlightened citizenry is the key to safety of the internet but then, the battle of sovereign supremacy will continue to undermine our collective safety online.
    It behooves every one of us on the globe to look inward and think ahead, recognizing that our collective safety is greater than the greed and ferocity of hegemonists in the private sector and supremacists in government.


  • BackTrack is a well-known specialized Linux distribution focusing on security tools for penetration testers and security professionals, but it now offers a lot in terms of forensics…

    Pros: BackTrack 5 has all the tools you need for testing network security and it's nicely presented.

    Cons: Documentation is scarce and often outdated, and upgrading from the previous release isn’t supported.

    The advantage of BackTrack 5 (BT5) is that it offers a slew of security and forensic tools on a live DVD, ready to use. It’s based on Ubuntu Lucid (10.04 LTS) with Linux kernel 2.6.38 and some patched WiFi drivers to allow injection attacks. You can download the distribution in a GNOME or a KDE version, for 32-bit or 64-bit x86 machines. It’s a live DVD ISO file, which you can burn to a DVD or write to a USB stick. On the desktop of the live session, there’s an installer icon if you want to install BackTrack permanently. For the first time, the project also has an image for ARM, which you can run on your smartphone or tablet to test the security of a wireless network.


    BackTrack 5 review - if you're serious about pentesting don't leave home without it!

    (Screenshot: BackTrack 5 allows you to boot into a stealth or a forensics mode)

    (Screenshot: BackTrack organizes all tools in various menus)

    BackTrack is filled with a collection of more than 300 open source security tools, which you can find organized in different submenus of the “Backtrack” menu: “Information Gathering”, “Vulnerability Assessment”, “Exploitation Tools”, “Privilege Escalation”, “Maintaining Access”, “Reverse Engineering”, “RFID Tools”, “Stress Testing”, “Forensics”, “Reporting Tools”, “Services”, and “Miscellaneous”. Each submenu is further subdivided into subcategories. The developers have added a nice touch to the menu items of command-line utilities: when you click on such a menu item, it opens a terminal window with the tool showing its usage, e.g. with the --help option.




    (Screenshot: Sniff a network with Wireshark)

    BT5's software collection is really a security professional’s dream. It has all you need to pentest a network, such as the exploit framework Metasploit, the network scanner Nmap, the network analyzer Wireshark, the browser exploitation framework BeEF, the information gathering tool Maltego, and so on. One disadvantage of BT5 is that you can’t upgrade to it from BT4, which is a pity if you have installed and configured a BT4 installation in the past. Moreover, some interesting tools like Pyrit, which uses your GPU’s processing power to accelerate WPA password cracking, and the vulnerability scanner OpenVAS have been dropped in BT5, although they can be installed manually.


    (Screenshot: Scan all hosts on a network with Zenmap)

    The bad thing about BackTrack is the documentation. It’s scarce, fragmentary, and often outdated. Many tips and tutorials we found on the BackTrack website and its wiki were for older versions and didn’t work on BT5, and other documents didn’t spell out which version they were talking about. However, there are also some extremely detailed and very good documents on the website, and obviously documentation is a work in progress, so depending on what you need your mileage may vary.


    (Screenshot: Find all information you can about a website with Maltego)

    Verdict: 4/5
    If you run BackTrack 5 on your laptop, you have all you need to test the security of a network. Of course you still have to know what you’re doing, but at least you have all the relevant tools at your fingertips. If you’re really serious about pentesting don’t leave home without it.
  • How secure is Windows Remote Desktop?

    Remote Desktop sessions operate over an encrypted channel, preventing anyone from viewing your session by listening on the network. However, there is a vulnerability in the method used to encrypt sessions in earlier versions of RDP. This vulnerability can allow unauthorized access to your session using a man-in-the-middle attack. Remote Desktop can be secured using SSL/TLS in Windows Vista, Windows 7, and Windows Server 2003/2008.
    While Remote Desktop is more secure than remote administration tools such as VNC that do not encrypt the entire session, any time Administrator access to a system is granted remotely there are risks. The following tips will help to secure Remote Desktop access to both the desktops and the servers that you support.

    Basic Security Tips for Remote Desktop

    Use strong passwords

    Use a strong password on any accounts with access to Remote Desktop. This should be considered a required step before enabling Remote Desktop.

     

    Update your software

    One advantage of using Remote Desktop rather than third-party remote admin tools is that its components are automatically updated to the latest security fixes in the standard Microsoft patch cycle. Make sure you are running the latest versions of both the client and server software by enabling and auditing automatic Microsoft Updates. If you are using Remote Desktop clients on other platforms, make sure they are still supported and that you have the latest versions. Older versions may not support high encryption and may have other security flaws.

     

    Restrict access using firewalls

    Use firewalls (both software and hardware where available) to restrict access to the Remote Desktop listening port (default is TCP 3389). Using an RDP Gateway is highly recommended for restricting RDP access to desktops and servers (see discussion below). As an alternative for off-campus connectivity, you can use VPN software to get a private IP address, and add the VPN network address pool to your RDP firewall exception rule.

     

    Enable Network Level Authentication

    Windows Vista, Windows 7, and Windows Server 2008 also provide Network Level Authentication (NLA) by default. It is best to leave this in place, as NLA provides an extra level of authentication before a connection is established. You should only configure Remote Desktop servers to allow connections without NLA if you use Remote Desktop clients on other platforms that don't support it. To enable NLA for Windows XP SP3 clients, see http://support.microsoft.com/kb/951608.

     

    Limit users who can log in using Remote Desktop

    By default, all Administrators can log in to Remote Desktop. If you have multiple Administrator accounts on your computer, you should limit remote access only to those accounts that need it. If Remote Desktop is not used for system administration, remove all administrative access via RDP and only allow user accounts requiring the RDP service. For departments that manage many machines remotely, remove the local Administrator account from RDP access and add a technical group instead.
    1. Click Start-->Programs-->Administrative Tools-->Local Security Policy
    2. Under Local Policies-->User Rights Assignment, go to "Allow logon through Terminal Services" (or "Allow logon through Remote Desktop Services" on newer versions).
    3. Remove the Administrators group and leave the Remote Desktop Users group.
    4. Use the System control panel to add users to the Remote Desktop Users group.
    A typical MS operating system will have the following setting by default as seen in the Local Security Policy:



    The problem is that “Administrators” is here by default, and your “Local Admin” account is in administrators.  Although a password convention to avoid identical local admin passwords on the local machine and tightly controlling access to these passwords or conventions is recommended, using a local admin account to work on a machine remotely does not properly log and identify the user using the system. It is best to override the local security policy with a Group Policy Setting.



    To control access to the systems even more, using “Restricted Groups” via Group Policy is also helpful.
    If you use a “Restricted Group” setting to place your group e.g. “TECH-GURUS” into “Administrators” and “Remote Desktop Users”, your techies will still have administrative access remotely, but using the steps above, you have removed the problematic “local administrator account” having RDP access. Going forward, whenever new machines are added in the OU under the GPO, your settings will be correct.



    Set an account lockout policy

    By setting your computer to lock an account for a period of time after a number of incorrect guesses, you will help prevent attackers using automated password-guessing tools from gaining access to your system (this is known as a "brute-force" attack). To set an account lockout policy:
    1. Go to Start-->Programs-->Administrative Tools-->Local Security Policy
    2. Under Account Policies-->Account Lockout Policies, set values for all three options; 3 invalid attempts with a 3-minute lockout duration are reasonable choices.
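The following PowerShell script is an added example and not part of the original article: it audits a host against the basic tips above (RDP enabled, NLA, the listening port, which groups hold the Remote Desktop logon right, the lockout threshold, and which remote addresses the firewall's Remote Desktop rules admit) and lists deviations. It assumes Windows PowerShell 5.1 on Windows 8/Server 2012 or later (for the Get-NetFirewall* and Get-LocalGroupMember cmdlets) and an elevated prompt; the registry paths and well-known SIDs are Microsoft's documented ones, and the local policy is read from a secedit export.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article: audit local RDP settings against the
# article's basic tips and report deviations. Assumes Windows PowerShell 5.1 on a
# Windows 8 / Server 2012+ host, run from an elevated prompt.

$findings = New-Object System.Collections.Generic.List[string]
function Add-Finding([string]$msg) { $findings.Add($msg) }

# --- Terminal Server registry: RDP enabled, NLA, listening port, security layer ---
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$rdpEnabled = (Get-ItemProperty $ts  -Name fDenyTSConnections).fDenyTSConnections -eq 0
$nla        = (Get-ItemProperty $tcp -Name UserAuthentication).UserAuthentication   -eq 1
$port       = (Get-ItemProperty $tcp -Name PortNumber).PortNumber
$secLayer   = (Get-ItemProperty $tcp -Name SecurityLayer).SecurityLayer   # 0=RDP, 1=negotiate, 2=TLS

if (-not $rdpEnabled) { Write-Host 'RDP is disabled; the remaining checks are informational.' }
if (-not $nla)        { Add-Finding 'Network Level Authentication is OFF (UserAuthentication != 1)' }
if ($secLayer -lt 1)  { Add-Finding "SecurityLayer=$secLayer: legacy RDP encryption, TLS is never negotiated" }
if ($port -eq 3389)   { Write-Host 'Listening on default port 3389 (fine if a firewall or RD Gateway restricts it).' }
else                  { Write-Host "Listening on non-default port $port; make sure firewall rules match." }

# --- Who may log on via RDP: export local policy with secedit and read the user right ---
$cfg = Join-Path $env:TEMP 'rdp-audit.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$policy = Get-Content $cfg
Remove-Item $cfg -Force
$right = ($policy | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' }) -replace '^[^=]*=\s*', ''
if ($right -match 'S-1-5-32-544') {            # *S-1-5-32-544 = BUILTIN\Administrators
    Add-Finding 'Administrators group still holds "Allow log on through Remote Desktop Services"'
}
$rdu = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue
Write-Host ('Remote Desktop Users members: ' + (($rdu | ForEach-Object Name) -join ', '))

# --- Account lockout policy: same secedit export, [System Access] section ---
function Get-PolicyInt([string]$key) {
    $line = $policy | Where-Object { $_ -match "^$key\s*=" } | Select-Object -First 1
    if ($line) { [int](($line -split '=')[1].Trim()) } else { -1 }   # -1 = not present
}
$threshold = Get-PolicyInt 'LockoutBadCount'
if ($threshold -le 0) { Add-Finding 'No account lockout threshold set (LockoutBadCount=0): password guessing is unthrottled' }
else { Write-Host "Lockout after $threshold bad attempts, duration $(Get-PolicyInt 'LockoutDuration') min" }

# --- Firewall: which remote addresses may reach the built-in Remote Desktop rules ---
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
foreach ($r in $rules) {
    $remote = ($r | Get-NetFirewallAddressFilter).RemoteAddress -join ','
    if ($remote -eq 'Any') { Add-Finding "Firewall rule '$($r.DisplayName)' allows RDP from Any remote address" }
    else { Write-Host "Rule '$($r.DisplayName)' limited to: $remote" }
}

# --- Report ---
if ($findings.Count -eq 0) { Write-Host 'No deviations from the recommended RDP settings found.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Run it again after applying the article's steps; the Administrators finding disappears once the group is removed from the logon right and the lockout finding once a threshold is set.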

    Best Practices for Additional Security

    Change the listening port for Remote Desktop

    Changing the listening port will help to "hide" Remote Desktop from attackers who are scanning the network for computers listening on the default Remote Desktop port (TCP 3389). This offers effective protection against the latest RDP worms such as Morto. To do this, edit the following registry key (WARNING: do not try this unless you are familiar with the Windows Registry and TCP/IP): HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp. Change the listening port from 3389 to something else and remember to update any firewall rules with the new port. Although this approach is helpful, it is security by obscurity, which is not the most reliable security approach. You should ensure that you are also using the other methods to tighten down access described in this article.

    Use RDP Gateways

    Using an RDP Gateway is strongly recommended. It provides a way to tightly restrict access to Remote Desktop ports while supporting remote connections through a single "Gateway" server. When using an RD Gateway server, all Remote Desktop services on your desktops and workstations should be restricted to allow access only from the RD Gateway. The RD Gateway server listens for Remote Desktop requests over HTTPS (port 443) and connects the client to the Remote Desktop service on the target machine.
    There are many online documents for configuring this embedded Windows 2008 component. The official documentation is here: http://technet.microsoft.com/en-us/library/dd983949(WS.10).aspx
    Installing and configuring the role service is mostly as described; however, using a Calnet issued trusted Comodo certificate is recommended. Using a self-signed cert is ok for testing, and using a CalnetPKI cert can work if all clients have trusted the UCB root. The Comodo cert is usually better accepted so that your end users do not receive certificate warnings.
    Configuring your client to use your RD Gateway is simple. The official documentation for the MS Client is here: http://technet.microsoft.com/en-us/library/cc770601.aspx
    In essence, a simple change on the Advanced tab of your RDP client is all that is necessary:


    Tunnel Remote Desktop connections through IPSec or SSH

    If using an RD Gateway is not feasible, you can add an extra layer of authentication and encryption by tunneling your Remote Desktop sessions through IPSec or SSH. IPSec has been built into all Windows operating systems since Windows 2000, but its use and management are greatly improved in Windows Vista/7/2008 (see: http://technet.microsoft.com/en-us/network/bb531150). If an SSH server is available, you can use SSH tunneling for Remote Desktop connections. See https://kb.berkeley.edu/kb1266 for more information on IPSec and SSH tunneling.

    Use existing management tools for RDP logging and configuration

    Using other components like VNC or PCAnywhere is not recommended because they may not log in a fashion that is auditable or protected. With RDP, logins are audited to the local security log, and often to the domain controller auditing system. When monitoring local security logs, look for anomalies in RDP sessions such as login attempts from the local Administrator account. RDP also has the benefit of a central management approach via GPO as described above. Whenever possible, use GPOs or other Windows configuration management tools to ensure a consistent and secure RDP configuration across all your servers and desktops.
    By enforcing the use of an RDP gateway, you also get a third level of auditing that is easier to read than combing through the domain controller logins, and is separate from the target machine, so it is not subject to tampering. This type of log can make it much easier to monitor how and when RDP is being used across all the machines in your environment.
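As an added example (not from the original article), the PowerShell below runs the checks this section describes against the local Security log: successful RDP logons (event 4624, logon type 10) by the built-in local Administrator or any other local account, and clusters of failed logons (event 4625) from one source address that suggest password guessing. It assumes Windows PowerShell 5.1, logon auditing enabled, an elevated prompt, and that it is saved as a script so the hypothetical $Hours and $FailThreshold tunables can be passed.

```powershell
# Added example, not from the original article: hunt the local Security log for the
# RDP anomalies the article tells you to look for. Assumes Windows PowerShell 5.1,
# "Audit Logon" enabled (events 4624/4625 present) and an elevated prompt.
param([int]$Hours = 24, [int]$FailThreshold = 10)   # hypothetical tunables

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } -ErrorAction SilentlyContinue

# Turn one event into an object with the documented EventData field names
# (TargetUserName, TargetDomainName, TargetUserSid, LogonType, IpAddress, ...)
function ConvertTo-LogonRecord($evt) {
    $x = [xml]$evt.ToXml()
    $h = @{ Id = $evt.Id; Time = $evt.TimeCreated }
    foreach ($d in $x.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    [pscustomobject]$h
}

$records = foreach ($e in $events) { ConvertTo-LogonRecord $e }

# LogonType 10 = RemoteInteractive (RDP). With NLA on, a failed RDP authentication is
# usually logged as 4625 with LogonType 3 (network) before any session exists, so
# type-3 failures from a non-local address are counted as RDP failures too.
$localAddrs = @('-', '127.0.0.1', '::1')
$rdpOk   = $records | Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq '10' }
$rdpFail = $records | Where-Object {
    $_.Id -eq 4625 -and ($_.LogonType -eq '10' -or ($_.LogonType -eq '3' -and $_.IpAddress -notin $localAddrs))
}

# 1) Successful RDP logons with the built-in Administrator (RID 500) or any local
#    (machine-domain) account: the article says these should not be used over RDP.
foreach ($r in $rdpOk) {
    $isBuiltinAdmin = $r.TargetUserSid -like '*-500'
    $isLocalAccount = $r.TargetDomainName -eq $env:COMPUTERNAME
    if ($isBuiltinAdmin -or $isLocalAccount) {
        Write-Warning ('{0} RDP logon by local account {1}\{2} from {3}' -f $r.Time, $r.TargetDomainName, $r.TargetUserName, $r.IpAddress)
    }
}

# 2) Password guessing: many failures from one source address inside the window.
$rdpFail | Group-Object IpAddress | Where-Object Count -ge $FailThreshold | ForEach-Object {
    $users = ($_.Group | Select-Object -ExpandProperty TargetUserName -Unique) -join ','
    Write-Warning ('{0} failed RDP logons from {1} (accounts tried: {2})' -f $_.Count, $_.Name, $users)
}

# 3) Summary of who connected from where, for the routine daily review.
$rdpOk | Group-Object TargetUserName, IpAddress | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

On a host behind an RD Gateway the IpAddress field shows the gateway's address, which is why the gateway's own log is the better place to see the original client.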

    Use Two-factor authentication on highly sensitive systems

    Departments and organizations with sensitive data should also consider using a two-factor authentication approach. That is beyond the scope of this article, but RD Gateways do provide a simple mechanism for controlling authentication via two-factor, certificate-based smart cards. Other two-factor approaches must be implemented at the Remote Desktop host itself, e.g. YubiKey or RSA.

    Additional security with Network Access Protection (NAP)

    Highly motivated admins can also investigate the use of Network Access Protection (NAP) with an RD Gateway; however, that technology and standard is not well developed or reliable yet. Many clients will not work if you enforce it, although by following the documentation you can audit the system to see if it *thinks* the clients are security compliant.
  • The most successful people in business approach their work differently than most. See how they think--and why it works.

    I'm fortunate enough to know a number of remarkably successful people. Regardless of industry or profession, they all share the same perspectives and beliefs.
    And they act on those beliefs:
    1. Time doesn't fill me. I fill time.
    Deadlines and time frames establish parameters, but typically not in a good way. The average person who is given two weeks to complete a task will instinctively adjust his effort so it actually takes two weeks.
    Forget deadlines, at least as a way to manage your activity. Tasks should only take as long as they need to take. Do everything as quickly and effectively as you can. Then use your "free" time to get other things done just as quickly and effectively.
    Average people allow time to impose its will on them; remarkable people impose their will on their time.
    2. The people around me are the people I chose.
    Some of your employees drive you nuts. Some of your customers are obnoxious. Some of your friends are selfish, all-about-me jerks.
    You chose them. If the people around you make you unhappy it's not their fault. It's your fault. They're in your professional or personal life because you drew them to you--and you let them remain.
    Think about the type of people you want to work with. Think about the types of customers you would enjoy serving. Think about the friends you want to have.
    Then change what you do so you can start attracting those people. Hardworking people want to work with hardworking people. Kind people like to associate with kind people. Remarkable employees want to work for remarkable bosses.
    Successful people are naturally drawn to successful people.
    3. I have never paid my dues.
    Dues aren't paid, past tense. Dues get paid, each and every day. The only real measure of your value is the tangible contribution you make on a daily basis.
    No matter what you've done or accomplished in the past, you're never too good to roll up your sleeves, get dirty, and do the grunt work. No job is ever too menial, no task ever too unskilled or boring.
    Remarkably successful people never feel entitled--except to the fruits of their labor.
    4. Experience is irrelevant. Accomplishments are everything.
    You have "10 years in the Web design business." Whoopee. I don't care how long you've been doing what you do. Years of service indicate nothing; you could be the worst 10-year programmer in the world.
    I care about what you've done: how many sites you've created, how many back-end systems you've installed, how many customer-specific applications you've developed (and what kind)... all that matters is what you've done.
    Successful people don't need to describe themselves using hyperbolic adjectives like passionate, innovative, driven, etc. They can just describe, hopefully in a humble way, what they've done.
    5. Failure is something I accomplish; it doesn't just happen to me. 
    Ask people why they have been successful. Their answers will be filled with personal pronouns: I, me, and the sometimes too occasional we.
    Ask them why they failed. Most will revert to childhood and instinctively distance themselves, like the kid who says, "My toy got broken..." instead of, "I broke my toy."
    They'll say the economy tanked. They'll say the market wasn't ready. They'll say their suppliers couldn't keep up.
    They'll say it was someone or something else.
    And by distancing themselves, they don't learn from their failures.
    Occasionally something completely outside your control will cause you to fail. Most of the time, though, it's you. And that's okay. Every successful person has failed. Numerous times. Most of them have failed a lot more often than you. That's why they're successful now.
    Embrace every failure: Own it, learn from it, and take full responsibility for making sure that next time, things will turn out differently.
    6. Volunteers always win.
    Whenever you raise your hand you wind up being asked to do more.
    That's great. Doing more is an opportunity: to learn, to impress, to gain skills, to build new relationships--to do something more than you would otherwise have been able to do.
    Success is based on action. The more you volunteer, the more you get to act. Successful people step forward to create opportunities.
    Remarkably successful people sprint forward.
    7. As long as I'm paid well, it's all good.
    Specialization is good. Focus is good. Finding a niche is good.
    Generating revenue is great.
    Anything a customer will pay you a reasonable price to do--as long as it isn't unethical, immoral, or illegal--is something you should do. Your customers want you to deliver outside your normal territory? If they'll pay you for it, fine. They want you to add services you don't normally include? If they'll pay you for it, fine. The customer wants you to perform some relatively manual labor and you're a high-tech shop? Shut up, roll 'em up, do the work, and get paid.
    Only do what you want to do and you might build an okay business. Be willing to do what customers want you to do and you can build a successful business.
    Be willing to do even more and you can build a remarkable business.
    And speaking of customers...
    8. People who pay me always have the right to tell me what to do.
    Get over your cocky, pretentious, I-must-be-free-to-express-my-individuality self. Be that way on your own time.
    The people who pay you, whether customers or employers, earn the right to dictate what you do and how you do it--sometimes down to the last detail.
    Instead of complaining, work to align what you like to do with what the people who pay you want you to do.
    Then you turn issues like control and micro-management into non-issues.
    9. The extra mile is a vast, unpopulated wasteland.
    Everyone says they go the extra mile. Almost no one actually does. Most people who go there think, "Wait... no one else is here... why am I doing this?" and leave, never to return.
    That's why the extra mile is such a lonely place.
    That's also why the extra mile is a place filled with opportunities.
    Be early. Stay late. Make the extra phone call. Send the extra email. Do the extra research. Help a customer unload or unpack a shipment. Don't wait to be asked; offer. Don't just tell employees what to do--show them what to do and work beside them.
    Every time you do something, think of one extra thing you can do--especially if other people aren't doing that one thing. Sure, it's hard.
    But that's what will make you different.
    And over time, that's what will make you incredibly successful.

    Article courtesy of:
  • Cloud Computing Disadvantages: 6 Major Concerns

    This article reflects on the role of cloud computing in the ICT and business world, its pros and cons, but focuses mainly on its disadvantages and on what many people do not know about it.

    NO DAMAGE MEANT HERE, but sometimes we need to think twice before deciding to switch to cloud computing.

    Cloud computing disadvantages? But, it’s the Cloud!

    It’s the latest buzzword that’s tacked on to every online service these days. If it’s on the web, it’s suddenly also on the cloud.
    But what does that really mean?
    We’re being told left and right that the solution to all our problems is this new and latest offering: in the cloud!
    The ‘Cloud’ isn’t a magic bullet.
    It’s a great platform, and makes online computing easier in many ways, but to really understand what you can use it for, you also have to understand its limitations.
    There’s a plethora of Cloud Computing disadvantages that you have to take into consideration before you plan any serious deployment.
    What Is The Cloud?
    Before you can understand the inherent Cloud Computing disadvantages, we have to clear up some terminology.
    Cloud Computing has been constantly redefined by everyone trying to sell their online platforms and services. If we ignore the hype surrounding the word, what is the Cloud all about?
    There are typically two primary schools of thought that come up in Cloud Computing. 

    • Software as a Service (SaaS): Rather than just being the software equivalent of outsourcing, SaaS offers mobile access and stores your data for you.
      Examples include Gmail, Salesforce, and many online billing and payment services.

    • Utility Computing: This isn’t a novel concept; it’s been around for a long time.
      You purchase time or computing power on someone else’s hardware to run your applications. These offerings are on-demand and bill for exactly the resources you use.
      Examples include Amazon EC2, Google AppEngine and Force.com.
    Clouds provide Utility Computing, and there are two kinds of Clouds.

    • Public Clouds: These are sold to customers, and are typically pay-as-you-go, with the cost of storage and processing time being passed on to the client (you).

    • Private Clouds: These are internal, and typically get budgeted into mysteriously large “operating costs.”
    Okay, you say. Thanks for ruining a perfectly good explanation. What am I supposed to take away from this?
    Most SMB users are going to be utilizing SaaS, or hosted solutions.

    So What Are The Cloud Computing Disadvantages?
    Now that we’ve nailed down what the Cloud really is, we can talk about Cloud Computing disadvantages. To wit, what are the obstacles we face when we try to use it?

    1. Availability: What do you do when there’s an outage at the datacenter? If your business relies on someone else’s machines working correctly, you need to know your rights as a customer and have an iron-clad SLA.

    2. Bulk Data Transfers and I/O Bandwidth: Bringing a lot of data into or out of a cloud instance takes a good deal of time. Without a high-capacity connection, it could take days to load all that data.
       If you need to transfer a few terabytes, or even a couple of hundred gigabytes, consider sending a physical copy to the datacenter. Most providers can help you load information from a disk into your instance and cut down on your startup time.

    3. High Latency: Latency is the time it takes for your request to reach the target server, be acknowledged, and have a reply sent back to you.
       With your datacenter in another state, or even another country, your connection might be spotty enough that you’re looking at latency problems.
       If there’s a sudden surge in use of the particular Cloud you’re working from, the latency could spike as well.

    4. Data Lock-in: If you’re using proprietary systems, data lock-in can become a problem when you want to use that data elsewhere or move to another provider.
       This can be combated by standardization of data. For the most part this is a back-end item, but as the customer you should only use SaaS offerings that provide import and export of your data.

    5. Data Confidentiality: When you work with sensitive data (your customers’ information!) you don’t want it to be accessible to people you can’t trust.
       Your provider has access to anything you don’t encrypt, so be sure you’re working with people you can trust, or have systems in place that protect your data from unauthorized access.

    6. Software Licensing: Possibly the thorniest issue of the bunch; nobody has really caught up with licensing for virtual machines in the cloud. Prices could be too high, or the mechanisms that prevent piracy might not be able to handle overseeing virtual instances of the same machine.
    Cloud Computing disadvantages are rampant, and general adoption and use by everyday users suffers from this, but there’s a great deal of potential for those who can overcome these issues. These problems arise because the datacenter hosting your Cloud is in a separate location from your business.

    What Should I Be Leveraging It For?
    Despite current Cloud Computing disadvantages, as an SMB you’re going to be using the Cloud in places where you can’t afford to host your own infrastructure, or need to cut hardware costs. There are some applications which are perfectly suited to the Cloud, regardless of the size of your business or what your other requirements might be.

    • Email!: Look to Google’s Gmail, Microsoft’s Outlook Web App, and every other online email service.
      Everything they do is done ‘in the Cloud,’ and their email applications can be accessed from any computer, any time.
      Consider porting your email to the Cloud to make it more accessible and to free yourself from the restrictions of using a single workstation.

    • Office software: Microsoft has its own Office 365, a cloud-based version of the classic Microsoft Office productivity software. Google Apps offers a robust alternative.
    So, are current Cloud Computing disadvantages enough to keep you away from them? Not really.

    SaaS is already an extremely solid platform, and its offerings work for all tiers of business.
    Utility Computing is primarily for enterprise businesses looking to offload their server computational time, but it has been making entrées into SMB as a tool for virtualizing redundant servers and creating “self-hosted” solutions for Exchange and SharePoint.
    Have you suffered at the merciless hands of Cloud Computing, or do you have any good information to share about it? Tell us your story by commenting below!

  • Tool Name & Description, with URL:

    | Tool Name & Description | URL |
    |---|---|
    | 7-Zip is a file archiver with a high compression ratio. | http://www.7-zip.org/ |
    | Acronis True Image with Universal Restore - Disk Imaging tool | http://www.acronis.com/ |
    | Belarc Advisor - Audits installed software, lists keys, hardware, Microsoft patches, and generates a report | http://www.belarc.com/free_download.html |
    | Clonezilla is an open-source clone system with unicasting and multicasting! Goodbye to Ghost | http://clonezilla.org |
    | CPUz. Accurate PC motherboard, RAM, graphics card details and MUCH more without opening up the box | http://www.cpuid.com/cpuz.php |
    | cURL, a command line tool for transferring files with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS and FILE. | http://curl.haxx.se/ |
    | DBAN - Darik's Boot and Nuke (DBAN) is a self-contained boot disk that securely wipes the hard disks of most computers. | http://www.dban.org/ |
    | Desktop Restore is a tiny shell extension that records the position of your desktop icons and lets you easily restore your favorite desktop layout. | http://www.midiox.com/desktoprestore.htm |
    | ExamDiff is a good file-comparison tool | http://www.prestosoft.com/edp_examdiff.asp |
    | File-Rescue Plus is an easy-to-use recovery utility to remotely scan Windows hard drives and removable media | http://www.softwareshelf.com/products/file_rescue_plus_enterprise.htm |
    | GParted is the GNOME partition editor for creating, reorganizing, and deleting disk partitions. | http://gparted.sourceforge.net/livecd.php |
    | InfraRecorder is a graphical tool for burning ISO images. Supports many available DVD and CD drives; burns ISO images, CDs and DVDs. | http://infrarecorder.org/?page_id=5 |
    | Iometer is great to pound on hard drives - a good I/O subsystem measurement and characterization tool | http://www.iometer.org/ |
    | Kdiff3 is a file-comparison tool that does Unicode, editing, directories and 3-way merge, all for free. | http://kdiff3.sourceforge.net/ |
    | Kon-Boot - Log into any local or domain account on a PC without a password. Very cool tool. | http://www.piotrbania.com/all/kon-boot/ |
    | Lansweeper is a network inventory tool that performs hardware scanning, software scanning, and reporting on Active Directory (AD) users. Needs SQL. | http://www.lansweeper.com/ |
    | LUA BugLight - For finding out where a program hangs when run under restricted mode, so you can make system changes | http://blogs.msdn.com/aaron_margosis/archive/2006/08/07/LuaBuglight.aspx |
    | MyDefrag-4.0 - Flexible hard drive defrag program with a scripting language | http://www.kessels.com/Jkdefrag/ |
    | Nmap Security Scanner version 5.00. | http://nmap.org/ |
    | Norton removal tool. LOL | http://www.softpedia.com/get/Tweak/Uninstallers/Norton-Removal-Tool.shtml |
    | Notepad++ features a tabbed interface, syntax highlighting for all popular programming and scripting languages, bracket matching, and macro recording. | http://notepad-plus.sourceforge.net/uk/download.php |
    | Offline NT Password & Registry Editor - Boot CD that can change local account passwords | http://home.eunet.no/pnordahl/ntpasswd/ |
    | Paint.NET is a huge improvement over Windows' built-in Paint program for image manipulation. | http://www.getpaint.net/download.html |
    | Password Safe allows you to safely and easily create a secured and encrypted user name/password list. | http://passwordsafe.sf.net |
    | PEESR - Periodic Emailed Event Summary Report. Order today and save 10% with coupon code SUNB-PXTO-SAUG | http://jntae.com/peesr/peesr.html |
    | PING makes a sector-based image copy of a disk partition. The bootable PING ISO tool copies a full system disk to a bigger disk. | http://ping.windowsdream.com |
    | SpinRite Boot CD - Hard disk recovery tool | http://www.grc.com/sr/spinrite.htm |
    | Sunbelt Sandbox. Upload suspicious files to the Sunbelt Labs and have them scanned. Similar to VirusTotal | http://www.sunbeltsecurity.com |
    | Superscan 3.0 - fast little port scanner. A quick way to tell what's on the network. | http://www.foundstone.com/us/resources/proddesc/superscan3.htm |
    | Sysinternals - A sysadmin's best friend - especially Process Explorer, which shows why a PC is slow | http://technet.microsoft.com/en-us/sysinternals/default.aspx |
    | Total Commander is a powerful shareware file manager for all flavors of Windows | http://www.ghisler.com/ |
    | TrueCrypt. Brilliant file and whole-disk encryption | http://www.truecrypt.org |
    | UBCD4Win is a bootable recovery CD that contains software used for repairing, restoring, or diagnosing almost any computer problem. | http://www.ubcd4win.com/ |
    | Ultimate Boot CD has over 100 tools for diagnostics and repair. | http://www.ultimatebootcd.com/ |
    | Ultra VNC. Say no more | http://www.uvnc.com |
    | UltraTech's list of tools, which needs some updating but has dozens of popular tools and their links | http://KB.UltraTech-llc.com/?File=Utils.TXT |
    | USB Deview. Untangle all those devices sensibly. In fact, most of Nir's utilities are pretty good | http://www.nirsoft.net/ |
    | VIPRE Rescue is a command-line utility that will scan and clean an infected computer that is so infected that programs cannot be easily run | http://live.sunbeltsoftware.com/ |
    | VirtualBox is a powerful, free x86 virtualization tool for Windows, Linux and more | http://www.virtualbox.org/ |
    | Voidtools - Everything search engine. Locate files and folders by name instantly. | http://www.voidtools.com/ |
    | WinDirStat is a very good disk space usage visualization and cleanup tool for Microsoft Windows | http://windirstat.info/ |
    | Windows Installer CleanUp Utility for failed or partially installed software | http://support.microsoft.com/kb/290301 |
    | Wireshark is a popular network protocol analyzer (sniffer), used in many industries and educational institutions. | http://www.wireshark.org/ |
    | XML Notepad is a specialized MS XML editor with a small footprint. It has a Tree View and a Node Text View and a built-in XML Diff capability. | http://www.microsoft.com/downloads/details.aspx?familyid=72d6aa49-787d-4118-ba5f-4f30fe913628 |
    | ZoomIt lets you magnify portions of your screen while doing demos and presentations, as well as draw on and annotate the screen. | http://technet.microsoft.com/en-us/bb897434.aspx |




  • Thursday morning, the 12th of July 2012, the world woke up to news of yet another high-profile cyber-attack. This time the victim was one of the internet giants - YAHOO.

    The attack was carried out by a hacker group named D33D on one of Yahoo’s sub-domains (Yahoo Voice); unencrypted usernames and passwords of over 400,000 users were released online.
    The hacker group claimed responsibility for the attack and said it hoped Yahoo and the others would see this as a wake-up call rather than a threat.

    What seemed to surprise many was the method of attack used against Yahoo.
    An SQL INJECTION: a technique often used to attack databases through a website by exploiting security vulnerabilities in the website's software.
    SQL injection to me is old-school, an old method of hacking that almost every IT person knows about. It’s even a joke among hackers and geeks because of its utter simplicity, and the preventive measures have been published many times by different individuals and companies in the past.


    Attacks like SQL injections were used to take down at least 18 Sony sites and networks earlier this year.
    XSS (cross-site scripting) is so well-known and widely exploited a vulnerability that elementary school kids use XSS exploits to log in to their accounts at school because it's simpler than trying to remember a good password.
    Nevertheless… SQL injections and the flaws that allow XSS exploits are just two of 10 incredibly common security flaws that continue to appear in eight out of 10 new commercial and corporate applications, according to security software vendor Veracode, which publishes an application-security benchmark report twice per year.
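    The flaw the article keeps returning to, as an added example that is not code from the article or from Yahoo's site: a lookup that builds its SQL by string concatenation, beside the parameterized form that prevents the injection. It uses Python's built-in sqlite3 against a constructed in-memory table; the user rows and the column names are made up for the example.

```python
"""SQL injection: a string-built query beside its parameterized form.

Added example (not from the article or from Yahoo). Uses Python's built-in
sqlite3 with a constructed in-memory table; the user records are invented.
"""
import sqlite3

# Classic probe: the leading quote closes the string literal the query opened,
# and OR '1'='1 turns the WHERE clause into one that is always true.
INJECTED_INPUT = "' OR '1'='1"


def make_db():
    """Constructed sample table standing in for a site's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Concatenates the untrusted value into the SQL text.

    Whatever the user typed becomes part of the statement, so a quote in the
    input ends the literal and the remainder is parsed as SQL. With
    INJECTED_INPUT the statement becomes
        SELECT ... WHERE username = '' OR '1'='1'
    and every row comes back.
    """
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Binds the value as a parameter.

    The SQL text is fixed and the driver passes the value separately, so
    quotes inside it stay data and can never change the statement's structure.
    """
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("string-built, injected input :", lookup_vulnerable(db, INJECTED_INPUT))
    print("parameterized, injected input:", lookup_safe(db, INJECTED_INPUT))
```

    Parameter binding is the fix the article alludes to when it says the preventive measures are well known; escaping or filtering quotes by hand is the "poor implementation" that tends to fail.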

    Obviously, heavily exploited flaws like SQL injection and XSS are still present in the majority of new web apps.
    With all these attacks happening here and there, it can be concluded that most of the big organisations are not paying the right amount of attention to security.
    The only rule that seems to be accurate about corporate security is that no one has a good handle on either digital or physical security.

    Most companies are so clueless about holes in their airtight defences that they'll brag about their anti-spam or intrusion protection while strangers wander in from the sidewalk to use the CISO's private rest room while the CFO drags an oversized bank bag filled with "laundry" toward the nearest exit on the way to a "vacation" in the Cayman Islands.
    Companies that do pay some attention to security, on the other hand, end up so obsessive about the smallest risk that the whole company behaves as if they manufactured guilty consciences or just heard James Bond was spotted outside.

    Most failed because of stupidly obvious flaws that could be exploited, including poor implementation of the protections that would prevent XSS or SQL injection attacks.

    The unencrypted user names and passwords were pulled from a database that stored them in plain text and without the added security of a hashing technique -- an otherwise common practice for any company that handles sensitive user information.

    The list of emails released stretches beyond just the Yahoo.com domain and includes login information for more than 106,000 Gmail accounts and 55,000 Hotmail accounts, among others.
    Aside from exposing Yahoo's flawed security apparatus, the hackers exposed an all too common fact: too many users have dumb, simple passwords. The most common was "123456," followed by "password." "welcome," "ninja," and "superman" were also among the commonly used passwords, according to an analysis by CNET.

    If there's one thing to learn from the Yahoo security breach, it's that we need to be more creative with our passwords.
    We need to start using strong passwords.


    Simple tips for creating stronger passwords:
    • Use a combination of lowercase and uppercase letters, numbers and special characters, and make it long: at least 8 characters, preferably many more

    • Use a passphrase instead of a word if that is easy to remember

    • Avoid sequences such as 123456 or common dictionary words or common names
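    Two of the lessons above, as one added Python example that is not part of the original article or of any Yahoo code: a checker that encodes the three password tips just listed, and the salted hashing that the article notes was missing from the breached database (PBKDF2-HMAC-SHA256 from the standard library). The common-password list is the five passwords the article names; the 16-character threshold at which a plain-word passphrase is accepted, the four-character sequence rule and the `pbkdf2_sha256$iterations$salt$hash` storage format are this example's own choices.

```python
"""Check a password against the tips above, then store it salted and hashed.

Added example (not from the article or from Yahoo). The rules encode the
listed tips; the passphrase threshold, the sequence-run length and the
storage format are assumptions made for this example.
"""
import hashlib
import hmac
import os
import string

MIN_LENGTH = 8            # "at least 8, preferably many more characters"
PASSPHRASE_LENGTH = 16    # assumption: a passphrase this long need not mix classes
COMMON_PASSWORDS = {"123456", "password", "welcome", "ninja", "superman"}  # named in the article
PBKDF2_ITERATIONS = 600_000


def has_sequential_run(pw, run=4):
    """True if `run` consecutive characters step by exactly one code point in
    the same direction (catches 123456, abcdef and their reverses)."""
    for i in range(len(pw) - run + 1):
        codes = [ord(c) for c in pw[i:i + run]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def password_problems(pw):
    """Return the tips the password violates; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])
    if classes < 3 and len(pw) < PASSPHRASE_LENGTH:
        problems.append("mix cases, digits and special characters, or use a long passphrase")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if has_sequential_run(pw):
        problems.append("contains a sequential run such as 123456")
    return problems


def hash_password(pw, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256. A random per-user salt means two users with
    the same password get different stored values, so a leaked table cannot
    be cracked with one precomputed lookup."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(pw, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    for candidate in ["123456", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(repr(candidate), "->", password_problems(candidate) or "ok")
    stored = hash_password("Tr0ub4dor&3")
    print(stored[:40] + "...", verify_password("Tr0ub4dor&3", stored))
```

    Storing the output of hash_password instead of the password is what would have turned the leaked Yahoo Voice table from a list of working credentials into a list of hashes that still take effort per guess to crack; the checker is what keeps "123456" and "password" from being accepted in the first place.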
    Why does it matter? This image from Thomas Baekdal shows how long it takes to hack passwords based on their composition:


    This year will be remembered as a year of high profile cyber-attacks. But there are two angles to this that will have long-reaching effects.
    First, for users that continue to have one password for everything, it’s time to change them, and quickly.
    The second angle – primarily prompted by Yahoo – is the responsibility of corporations to protect their users. With security threats becoming increasingly sophisticated, corporations need to be more proactive and predictive about security. Otherwise they’re just reactive, end up cleaning up after the fact, and probably lose their loyal customers.

    We've witnessed a series of cyber-attacks and intrusions this year (2012), 'Sony' being one of the victims. LinkedIn, Last.fm, eHarmony and Formspring were also recently hacked, compromising millions more passwords.

    NOW, WHO'S NEXT? Google? Apple? Facebook? or the big dawg - Microsoft?
    The answer to that question is rather elusive. We can only wait for now.
    Time will Tell!

    To check whether your email address is in the list of leaked accounts, visit http://dazzlepod.com/yahoo/