- +
Your World. . . Hacked 02 October, 2007 10:51:23
As your business becomes more collaborative and global, the risks to your company’s trade secrets rise proportionally. Fortunately, there are new strategies to protect the data that allows you to competeThe call to Bob Bailey, an IT executive with a major US government contractor, came on an otherwise ordinary day in October 2003. "Why are you attacking us?" demanded the caller, an IT leader with a Silicon Valley manufacturer. He wanted to know why Bailey's company had launched a denial-of-service attack against his network - +
Ticked Off at Tick the Box Mentality 04 February, 2008 13:01:15
Does your executive search firm know the difference between an MIS manager and a CIO, and if it does, can it explain that difference to its corporate clients?Does your executive search firm know its MIS managers from its elbow? Does it even know the difference between an MIS manager and a CIO, and if it does, can it explain that difference to its corporate clients? - +
9 Paths to Higher Performance 10 December, 2007 14:09:23
When an organization brings together talented people in a creative, collaborative environment it fosters a culture of high performance, which in turn leads to superior business resultsLike high-achieving individuals, some organizations seem to have the Midas touch. Virtually every initiative they touch earns them gold and even those that fail never seem to cost them much of anything at all - +
Doing Your Sums on . . . Build, Buy or Rent 05 November, 2007 13:32:30
You’re trying to build a world-class IT team, but everyone’s going after the same talent pool. What mix works best? Should you grow your own, draft your players or barter your way to the line-up you want to field?CIOs should never forget that while new technologies have a maturity cycle, the maturity cycle for human beings in IT is even longer - +
Order Takers to Innovators 02 October, 2007 15:20:08
How four CIOs energized their staffs to take risks with new technology and generate fresh value for their businessesWhen David Behen became IT director for Washtenaw County, Michigan, the department was little more than an order-taker. And not a very good one. It was kind of like the waiter who makes you wait, then brings the entree with the mains and brings you a bottle of Grange when you asked for a carafe of the house red
- +
Bill Gates: A New Approach to Capitalism in the 21st Century 28 January, 2008 07:12:19
Transcript of Gates speech, and a Q&A at World Economic Forum in Davos, SwitzerlandAs you all may know, in July I'll make a big career change. I'm not worried; I believe I'm still marketable. I'm a self-starter, I'm proficient in Microsoft Office. I guess that's it. Also I'm learning how to give money away. - +
Five free Web apps we can't live without 02 October, 2007 12:15:21
From collaboration tools to database apps and more, these next-gen Web applications keep the Computerworld newsroom humming.The current explosion of AJAX-powered Web sites has helped spawn countless next-generation Web apps offering everything from simple to-do lists to complex project management, not to mention the ability to share all kinds of things -- documents, calendar listings, photos, video and more. - +
Luke Schierer discusses Pidgin, Open source and life 10 October, 2007 07:04:03
Pidgin developer discusses the project and also offers advice on why some open source projects fail.With over 3 million estimated users, Pidgin is an open source instant messaging program for Windows, Linux, BSD, and other Unix platforms. It works with AIM, ICQ, Jabber/XMPP, MSN Messenger, Yahoo, Bonjour, Gadu-Gadu, IRC, Novell GroupWise Messenger, QQ, Lotus Sametime, SILC, SIMPLE, MySpaceIM, and Zephyr.
Read up on the latest ideas and technologies from companies that sell hardware, software and services. Best Practice in Building an Integrated Information Management Strategy
Wireless LANs: Is my enterprise at risk?
Optimized Back-up and Recovery for VMWare for VMWare Infrastructure with EMC Avamar
Still Sneaking In: The Threats Your Security Tools Aren't Telling You About
Enterprise Wireless WLAN Security
Extending Business Solutions across the Organisation
Understanding Email Marketing: A Guide for SMBs
The IP Storage payoff: Turning your investment into efficient, affordable results
Newsletter Subscription
Last month, Stefan Esser, an independent security consultant and a founder of both the Hardened-PHP Project and PHP Security Response Team (which he has since left), launched his Month of PHP Bugs as a way of improving the security of PHP by outing flaws in its source code.
Making himself a target for criticism through this undertaking (the PHP developer community is a spirited bunch), Esser was surprised at the positive feedback he received at the conclusion of the project. He speaks here with Howard Dahdah.
The Month of PHP Bugs (MOPB) uncovered 44 bugs. Is this good or bad?
Lets say 41 bugs, because three bugs were not in PHP and are a bonus. And no matter if one considers this good and bad, this is not the end. I know about more bugs that are still open.
And yes it is a good thing. Disclosure of vulnerabilities is always good, because this allows users to be aware of the problems, to protect themselves and it helps developers to learn about their mistakes and maybe teaches them to be a little bit more careful about this.
Looking at the email reactions I got, it seems the MOPB was great, because there was NOT A SINGLE bad email. All emails were in favour of the MOPB. To be honest I expected to get flooded with hundreds of angry emails.
How would you describe the outcome of this PHP bug project?
The outcome is that I proved that there is substance behind things I claim, which is quite uncommon in PHP security where most is just marketing talk. I have especially demonstrated that my claims that PHP developers reintroduce bugs or never fix them correctly or introduce new vulnerabilities with security fixes are valid.
What do you think you have achieved by bringing PHP bugs to the attention of the world?
I am not sure yet what I have achieved. Most people seem to do not understand what the MOPB really means and the wrong (and maybe malicious) reports in the media destroyed the goals of the MOPB partly.
For example, the media was reporting such nonsense that I got angry at the PHP developers, quit [PHP Security Response Team] and then as revenge reported security bugs in PHP.
The truth, however, is that I am responsible for the disclosure of most of the PHP security bugs disclosed during the last six years and that the MOPB was just the result of a concentrated audit. And actually the idea of a MOPB was announced in my blog before I quit the PHP Security team.
Additionally, the media was trying to downplay the MOPB in their reports with reports saying "it is not that bad, because the bugs were already fixed". Sorry, but these bugs were only fixed because I was nice enough to give them to the PHP developers in advance. Another nice claim in the media was that "most of them are only local vulnerabilities and therefore not dangerous". Well while many of them are indeed local vulnerabilities, most PHP installations are shared hostings. And for shared hosters local vulnerabilities are very dangerous, because they have to trust thousands of customers.
And what the media reporters also downplay is that many PHP applications are vulnerable and allow remote execution of PHP code. Without all those local vulnerabilities in PHP these remote PHP code execution vulnerabilities would be far less serious.
After a month of bug hunting, how would you describe the feedback you received from fellow PHP developers?
I have been doing bug hunting in PHP for years now. Only this time I collected the bugs and released them in a more dramatic way than I usually do. This kind of release is obviously needed, because in the media it sounds like I came out of the dark and suddenly started releasing PHP vulnerabilities. I have done this for years...
The PHP developers and many people in the PHP community were very, very quiet during the MOPB. The usual bloggers did not blog a single line about the MOPB. Actually, I am surprised, because I suspected that the PHP core developers would continue their attempts to discredit me. But they might have been too busy, because of all these PHP conferences.
What does this say about PHP in the enterprise. Should companies use PHP in their development environments?
Of course the Java (and Perl, Python, Ruby, ASP) fanatics will use the MOPB as argument against PHP in the enterprise. But the same people (at least the Java and ASP users) still use Microsoft or Oracle products, although both of them have far more reported vulnerabilities than PHP. I doubt any of the decision makers question that Microsoft and Oracle should be used in the enterprise. (Security researchers on the other hand might question this).
Will you do this again?
I don't know if there will be a "Return of the MOPB". But yes I will continue to uncover vulnerabilities in PHP and develop protections against those vulnerabilities.
I have been doing this for six years and I do not plan to stop. I still have more PHP vulnerabilities in my pocket.
2008 CIO Summit
19th August, 2008 Four Seasons Hotel, Sydney Developed in partnership with CIO Magazine, IDC, INTEP and the CIO Executive Council.
The world of the CIO is extremely complex and diverse. Multiple priorities demand attention and decisions are needed instantly. Individual teams need to be driven towards common goals, and businesses strive to become more mobile, agile and responsive. For CIOs, the challenge never ends.
Every year the CIO Summit identifies what is top of mind for CIOs across Australia and New Zealand, and offers insight for CIO benchmarking and vendor strategic planning alike.
Recent IDC research shows that over 59% of CIO's believe that 'to achieve their business strategies, technology should be used more aggressively than today.'
Join us on August 19th to discover how this is possible with the latest technologies including Virtualisation, Web 2.0, IP Surveillance and Software as a Service (Saas).
Click here for more information.
Please email Denyse_Robertson@idg.com.au for further information.
- +
CIO Live Podcast #79: Brent D Taylor, author of The Outsider's Edge: The Making of Self-Made Billionaires Part II 05 October, 2007 06:00:00
For his new book, The Outsider's Edge: The Making of Self-Made Billionaires, social researcher Brent D Taylor spent four years of intensive research investigating the psychological make-up and backgrounds of some of the world's richest men and women, including IT luminaries Bill Gates, Larry Ellison and Steve Jobs. Taylor discovered that, despite working in different industries and coming from different upbringings, they all have one thing in common -- they are all outsiders. - +
CIO Live Podcast #78: Brent D Taylor, author of The Outsider's Edge: The Making of Self-Made Billionaires 28 September, 2007 17:34:25
For his new book, The Outsider's Edge: The Making of Self-Made Billionaires, social researcher Brent D Taylor spent four years of intensive research investigating the psychological make-up and backgrounds of some of the world's richest men and women, including IT luminaries Bill Gates, Larry Ellison and Steve Jobs. Taylor discovered that, despite working in different industries and coming from different upbringings, they all have one thing in common -- they are all outsiders. - +
CIO Live Podcast #77: Panasonic Speeds Up Trans-Pacific File Transfers, Part III 21 September, 2007 07:00:00
Part three in our three-part special report from CIO's sister publication Network World in the US, as Paul Desmond reports from the Network World IT Roadmap Conference in Santa Clara, California. With development teams in the US and Japan, Panasonic needed a more efficient way to move very large files between the two locations. Iben Rodriguez, IT consultant for Panasonic Research and Development, explains how a storage-area network and virtual server technology helped speed up WAN performance. - +
CIO Live Podcast #76: Panasonic Speeds Up Trans-Pacific File Transfers, Part II 14 September, 2007 07:00:00
Part two in our three-part special report from CIO's sister publication Network World in the US, as Paul Desmond reports from the Network World IT Roadmap Conference in Santa Clara, California. With development teams in the US and Japan, Panasonic needed a more efficient way to move very large files between the two locations. Iben Rodriguez, IT consultant for Panasonic Research and Development, explains how a storage-area network and virtual server technology helped speed up WAN performance. - +
CIO Live Podcast #75: Panasonic Speeds Up Trans-Pacific File Transfers, Part I 07 September, 2007 07:00:05
Part one in our three-part special report from CIO's sister publication Network World in the US, as Paul Desmond reports from the Network World IT Roadmap Conference in Santa Clara, California. With development teams in the US and Japan, Panasonic needed a more efficient way to move very large files between the two locations. Iben Rodriguez, IT consultant for Panasonic Research and Development, explains how a storage-area network and virtual server technology helped speed up WAN performance.
- +
Information security governance: Centralized vs. distributed 05 September, 2008 10:15:00
Should security policies, procedures and processes be managed within a central body, or distributed at an individual level? You need to find the middle ground.The management of information risk has become a significant topic for all organizations, small and large alike. But for the large, multi-divisional organization, it poses the additional challenge of determining how to deploy an information security governance program among what are often disparate business units. Should the policies, procedures, and processes that define the program be developed and managed within a central, corporate body? Or perhaps responsibility would be better placed at the individual unit level? Is there a workable middle-ground? - +
DNS error brings Sophos antivirus updates to a halt 05 September, 2008 13:40:00
Optus, Internode and Equinix affected among others.A sporadic Domain Name Server (DNS) error has blocked Sophos anti-virus updates around the world. - +
Ouch! Security pros' worst mistakes 04 September, 2008 08:05:00
We've all done regrettable things on the job, but does any valuable wisdom come of it? Four security pros candidly explain their biggest blunders and what they learned in the processIt was a mistake so bad the person who made it asked that his name and company not be mentioned here. Let's call him Frank. - +
Security ROI: Fact or Fiction? 03 September, 2008 08:32:00
Bruce Schneier says ROI is a big deal in business, but it's a misnomer in security. Make sure your financial calculations are based on good data and sound methodologies.Return on investment, or ROI, is a big deal in business. Any business venture needs to demonstrate a positive return on investment, and a good one at that, in order to be viable. - +
Information Security and the Importance of Context 01 September, 2008 10:00:00
Those entrusted with information security must raise their contextual awarenessWhen the US Transportation Security Administration (TSA) was first created, it created a sudden need for tens of thousands of screeners. Getting a job as an airport screener was a pretty easy process. It seemed as though if you had a pulse, you were in. Jump forward to 2008 and becoming a screener is a bit harder as the TSA has instituted background checks, has upped the educational requirement to include a high school diploma or GED, and added other significant requirements.
Viva la Verticals! Key to Vendor Growth is Through Vertical Market Opportunities, Says IDC 05 September, 2008 11:05:00
F-Secure delivers fastest protection in the online world 04 September, 2008 16:50:00
Rogue security apps dominate Fortinet's Aug 2008 IT threat report 04 September, 2008 16:00:00
IntraPower Signs Deal with Australia’s Largest Service Station and Convenience Store Network 04 September, 2008 10:07:00
TANDBERG Begins Desktop Videoconferencing Roll-Out at New England Credit Union 03 September, 2008 16:01:00
|
||
|
||
|
|
||
|
Still Sneaking In: The Threats Your Security Tools Aren't Telling You About
Web 2.0 applications are all the rage, offering us tremendous value when it comes to collaboration and communication. They also open us up to new kinds of attacks however, and can cause problems in keeping systems and data secure. Read on to learn about the new attack methods and how you can defend yourself and your business.
Subscribe to CIO
