ISACA reveals COBIT security secrets at Gartner Summit

London, UK, 30th September 2008 - Roger Southgate of ISACA, an association serving more than 86,000 IT governance professionals from 160 countries, will deliver a workshop on COBIT and Val IT for the security professional at the Gartner Security Summit in London this Wednesday. Against the backdrop of the data losses and breaches regularly reported in the media, Roger will explain how COBIT (Control Objectives for Information and related Technology) can greatly improve information security for an organisation of any size.

Roger Southgate, the immediate past President of the London Chapter of ISACA commented, “All the recent data loss catastrophes have their origins in people and process. The COBIT security baseline enables a focused holistic approach to the people, process and technology issues that organizations today have to face.”

Roger Southgate continued, “If organizations get their employees to consider the following key points from the COBIT security baseline user survival kit, people will make the connection between attention, understanding and appropriate action in order to achieve long term security”.

Top 6 tips from the User Security Survival kit are:

  1. Obtain guidance from qualified and reputable advisors (certified technicians) from time to time to ensure that the computer installation has no significant security flaws.
  2. If you depend on computers to do business, sign up for onsite support and ensure the availability of an on-call facility should anything go wrong.
  3. Obtain reputable security software. Protection packages can be obtained from all PC software dealers that include all the main functions necessary, e.g., antivirus, spyware, firewall and content filtering. If needed, use a specialist to ensure proper installation.
  4. Sign up for automatic updates and maintenance on the security software to ensure that the protection is current and up to date.
  5. Do not open unknown e-mail attachments, and be aware that e-mail addresses can be faked. Let the security software check all e-mails and follow the advice given by the tool.
  6. Install only official, up-to-date operating systems, security software and applications; avoid installing anything that is not needed.
With information and related systems becoming increasingly critical to organizations’ survival, the associated risks have grown in number and severity. The COBIT Security Baseline was developed to help minimize these risks. It identifies 44 security practices based on the COBIT 4.1 framework and offers guidance and tools to help computer users of all levels protect their systems.

Security Baseline features information security “survival kits” for six levels of computer users, from individuals who use computers to senior executives with responsibility for information security in the workplace. The kits contain essential questions to ask and checklists to complete to improve security and minimize risk.

"With the provisions of the Companies Act 2006 about to pass into law, corporate governance is poised to become top of the agenda at management board meetings across the UK, just as it did five and half years ago in the US when the Sarbanes-Oxley Act came into force. I plan to explain to attendees how COBIT can be used to benefit almost any public and private sector business," Southgate said.

For further details of Roger's presentation: http://agendabuilder.gartner.com/sec9i/WebPages/SessionList.aspx?Speaker=700196

With more than 86,000 constituents in more than 160 countries, ISACA (www.isaca.org) is a recognized worldwide leader in IT governance, control, security and assurance. Founded in 1969, ISACA sponsors international conferences, publishes the Information Systems Control Journal, and develops international information systems auditing and control standards. It also administers the globally respected Certified Information Systems Auditor (CISA) designation, earned by more than 60,000 professionals since 1978; the Certified Information Security Manager (CISM) designation, earned by more than 9,000 professionals since 2002; and the new Certified in the Governance of Enterprise IT (CGEIT) designation.

For further details of ISACA: http://www.isaca.org

Developed by the IT Governance Institute, the research affiliate of ISACA, COBIT is available as a free download at www.itgi.org/cobit

Source: EskenziPR
<>

Scammers turn on Social Networks

by Michael Smith

Scammers have turned on social networks such as LinkedIn and Facebook, researchers from BitDefender, the online security firm, have found. Social networks have become the latest target for Nigerian "419" scams. The scam has been put to use on the professional networking website LinkedIn, as well as on other social networking websites. LinkedIn is Facebook for grown-ups: a business networking site with 21 million users.

I am sure - or I at least hope so - that by now all Internet users are aware of the "419" scams. You know the one where Chief Abu Simba or whoever wants to give you millions of whatever nice currency, like US Dollars or British Pounds (or even Euro), for letting him use your bank account to spirit some money out of the country and such. Sometimes it is that you will have to forward them some handling fee first or, if this is not the case, they find a way to help themselves to the money in your account. But many people seem to still fall for this. Greed, I guess, often overrides the brain.

In the recent outbreak of the Nigerian scam – an advance fee fraud that is estimated to gross hundreds of millions of dollars annually – the scam letter is sent as a LinkedIn invite to join the user’s network. A profile page is established with the social networking site to make the claims in the scam letter appear legitimate. Since the scams are only delivered to the social networking site’s user accounts, they completely bypass antispam filters.

“I think this new twist is more dangerous than the old ‘419’ scheme because of the increased chance for network users to fall for the scam,” said BitDefender CTO Bogdan Dumitru. “Since LinkedIn and other social networking sites are used to build up businesses or careers, users tend to view the invitations as trustworthy.”

I must say the ignorance of many users of the Internet is entirely beyond my comprehension at times. Those scams, as well as those emails they keep sending out to everyone in the address book, for instance, of Bill Gates wanting to give away his money, or other such spam, should by now, one would have hoped, be known to all but those that for the last couple of years have been on a different planet.

Most social networking sites do not verify the identity of those who join, leaving the system open to abuse. LinkedIn, however, recommends the following best practices when sending and receiving invitations: (1) only accept LinkedIn invitations from people you know and trust, and (2) personalise your LinkedIn invitations and messages so that the recipient knows who you are. If necessary, remind the person of how you know each other.

BitDefender

LinkedIn

© M Smith (Veshengro), September 2008
<>

CMS Products Introduces the EasyEncrypt Upgrade Kit

Hardware-encrypted Disk Drive protects Laptop PC data from unauthorized access

Hook, UK, September 2008 - CMS Products, Inc. (www.cmsproducts.com), a leader in data security, backup, disaster recovery and content management technologies, announces availability of its EasyEncrypt Upgrade Kit for laptop PCs with SATA hard drives.

The EasyEncrypt upgrade kit allows laptop computer users to quickly and easily replace existing, non-encrypted system disk drives with a state-of-the-art, secure, hardware encrypted disk drive using AES 128-bit encryption and strong password support so data is always safe and secure. EasyEncrypt supports BIOS level ATA password locking for pre-boot authorization – during install you create and enter your password.

EasyEncrypt comes with all of the hardware required to connect its encrypted disk drive to your laptop PC via the USB interface. The BounceBack transfer software copies the PC’s Windows operating system, applications, data and personal settings to the EasyEncrypt disk drive, encrypting the files as they are written to the disk. The new encrypted disk drive can then physically replace the non-encrypted disk drive in the laptop, and when you power on the PC it will prompt you for your password.

CMS Products Inc. will be presenting at Storage Expo, Olympia, London on 15th & 16th October 2008 on stand 490.

EasyEncrypt is available through resellers and at www.cmsproducts.com, and prices start from £199 incl. VAT.

CMS Products has sold more than two million units of software while installing more than four million complete storage solutions in 90-plus countries. The complete line of product offerings includes automatic backup solutions for both portable and desktop computers, RAID systems, backup and disaster recovery software, media management software, laptop hard drive upgrades and data transfer kits and high capacity desktop hard drives.

CMS Products, Inc., Velocity Series, BounceBack and QuickRestore are trademarks or registered trademarks of CMS Products, Inc. Any other product names are trademarks or registered trademarks of their respective companies.

For further information on CMS Products please visit: http://www.cmsproducts.com

Source: StorageExpo
<>

Web Foundation

20 years after the birth of the Internet, the inventor of the WWW establishes a foundation

by Michael Smith

On Sunday, September 14, 2008 the World Wide Web Foundation was founded in Washington, D.C.

Sir Tim Berners-Lee, who in 1989 was one of the people who “invented” the World Wide Web at CERN, wants to use this foundation to bring the Internet closer to the people and to improve it further.

Together with Steve Bratt as CEO and a small team, Sir Tim is working on the proper launch of the Web Foundation early in 2009. The John S. and James L. Knight Foundation gave the Web Foundation a grant of USD 5 million at the time of its founding.

“The Web Foundation will bring together leaders, academics, governments, NGOs and experts to overcome all problems of the Web. The Web Foundation is able, through its unique position, to learn from previous projects and to speed up the further and future development and improvement of the Internet”, said Tim Berners-Lee in his speech.

The aims of the foundation were presented by its founder in a rough outline: an improvement of the Internet as an interconnected, free and open medium and the broadening of all possibilities through the Web.

In his speech Berners-Lee not only described the problems already overcome, such as convincing CERN to distribute the WWW technologies free of any licence, but also the need to prevent any future attempts to make the Internet accessible only against payment or under similar licence restrictions.

The Web Foundation does not intend to interfere with the World Wide Web Consortium (W3C), and the Foundation only wishes to aid the Web Science Research Initiative (WSRI).

It is intended to make the Internet more palatable for ordinary people, as well as more practical, more robust and more reliable.

It must be said that some of the reliability issues of the Web are due to issues other than the Internet per se, I am sure, such as at times inefficient Internet Service Providers. Some issues, yes, are due to the Net itself, such as the fact that there seems to be insufficient capacity there, especially when the US military seems to grab the share that it owns.

© M Smith (Veshengro), September 2008
<>

CMS announces BounceBack Ultimate Recovery/Backup software

BounceBack™ Ultimate Recovery & Backup Software to be launched at Storage Expo London

Major Changes Implemented – Failsafe recovery from USB port / Hardware Encrypted backup drives supported / CDP improvements

Hook, UK, September 2008 - CMS Products, Inc. (www.cmsproducts.com), a leader in data security, backup, disaster recovery and content management technologies, will launch its newest disaster recovery software, BounceBack Ultimate, at Storage Expo London.

Several new features have enhanced CMS Products’ reputation as a major player in providing professional-grade backup/recovery solutions to corporate clients.

“The most important aspect of a Backup/Recovery system for anyone with a PC is the ability to recover quickly and easily from a disaster”, said Brian Blanchard, Sales Director-EMEA at CMS Products Inc. “Recovery is especially important to the employee who is based remotely from the corporate IT group and to the mobile worker whose laptop PC is a vital tool in the business. With BounceBack Ultimate, recovery is as quick as re-starting the PC from the BounceBack drive attached to the USB port. Everything will be there, where you expect it, including your data files.”

Important BounceBack features include:

  • Easy install: the first backup makes a spare system disk on the backup drive, including all partitions, the operating system, applications and data files.
  • Recovery is simple: just restart the PC from the backup drive and you are working again in a few minutes.
  • Continuous Data Protection (CDP) will back up your files in the background while you continue to work, or you can just plug the backup drive into the USB port to launch an incremental backup.
“BounceBack Ultimate can back up to a hardware encrypted backup drive so that the backup data is secure against unauthorised access. Even though the whole drive is encrypted it can still be used to start the PC and recover from a disaster”, said Ken Burke, President, CMS Products.

BounceBack Ultimate supports Windows Vista, XP and 2000 operating systems and will be available from leading resellers or from the company’s web site, www.cmsproducts.eu. Beginning in October it will ship with ABSplus automatic backup solutions.

CMS Products Inc. will be present at the Storage Expo show in Olympia, London on 15th & 16th October 2008 on stand 490 and will be discussing its range of Backup & Recovery and secure mobile storage products.

“Don’t buy just any backup software, insist on one that creates a ready-to-use replacement for your PC’s system disk and get data protection and the ability to recover your PC in minutes”, said Blanchard.

CMS Products has sold more than two million units of software while installing more than four million complete storage solutions in 90-plus countries. The complete line of product offerings includes automatic backup solutions for both portable and desktop computers, RAID systems, backup and disaster recovery software, media management software, notebook hard drive upgrades and data transfer kits and high capacity desktop hard drives.

CMS Products, Inc., Velocity Series, BounceBack and QuickRestore are trademarks or registered trademarks of CMS Products, Inc. Any other product names are trademarks or registered trademarks of their respective companies.

For further information on CMS Products please visit: http://www.cmsproducts.com

Source: StorageExpo
<>

Kingston Technology Launches DataTraveler BlackBox USB Flash Drive

256-bit, Hardware-Based AES Encrypted and FIPS Validated Drive

Ideal to Safeguard Critical Data

London, UK - July, 2008 - Kingston Technology Company, Inc., the independent world leader in memory products, has announced the DataTraveler® BlackBox in EMEA, a hardware-based encrypted and Federal Information Processing Standard (FIPS) validated USB Flash drive. The DataTraveler® BlackBox is shipping immediately in 2GB, 4GB and 8GB capacities in the colours Black, Green and Red.

“We are very excited that our DataTraveler BlackBox met all federal requirements established by the National Institute of Standards and Technology (NIST) in the US,” said Kirsty Miller, European Flash Product Marketing Manager, Kingston Technology. “Gaining FIPS 140-2 certification requires a validation process that meets federal requirements set by the National Institute of Standards and Technology (NIST) in the United States, and the Communications Security Establishment of the Government of Canada. This is critical to European governments and corporations, as FIPS is a worldwide recognised standard and proof of the high security standards the DataTraveler BlackBox meets”.

The FIPS 140-2 Level 2 standard requires the DataTraveler BlackBox to run a power-on self-test, which verifies that the encryption architecture is functioning each time it is plugged into a USB port, and to feature a tamperproof seal. Beyond the NIST certification, the DataTraveler BlackBox features 256-bit hardware-based AES encryption and is protected against water damage to depths of up to four feet (1.22 metres). Additionally, it is equipped with a titanium-coated steel casing and an epoxy resin coating over the controller, making it a robust USB drive designed to withstand harsh working environments and operating conditions.

  • The DataTraveler BlackBox automatically locks down after ten consecutive failed password attempts, thus helping to prevent unauthorised access if the drive is lost, stolen or misplaced.
  • The DataTraveler BlackBox is backed by a five-year warranty and 24/7 technical support.

DataTraveler BlackBox Features and Product Specifications:

  • Full Privacy – 100 percent of stored data is protected by 256-bit Advanced Encryption Standard (AES) hardware-based encryption
  • Ultra fast – data transfer rates of up to 24 MB/sec. read and up to 20 MB/sec. write¹
  • Secure – drive locks down and reformats after 10 intrusion attempts
  • Enforced password protection – password is user set with minimum characteristics to prevent unauthorised access
  • Easy to use – no admin rights or application installation required
  • Waterproof – protected against water damage to depths of 4 feet (1.22 metres)
  • Guaranteed – five-year warranty with 24/7 customer support
  • Ruggedized – waterproof and titanium-coated stainless steel casing
  • Dimensions – 3.06" x 0.9" x 0.47" (77.9 mm x 22 mm x 12.05 mm)
  • Capacities – 2GB, 4GB, 8GB
  • Minimum System Requirements –
      • USB 2.0 compliant and 1.1 compatible
      • Two (2) free consecutive drive letters required for use²
      • Operating System – Windows Vista (32-bit only); Windows 2000 (SP3, SP4); Windows XP (SP1, SP2)

¹ Speed may vary due to host hardware, software and usage.

Please note: Some of the listed capacity is used for formatting and other functions and thus is not available for data storage. For more information, please consult Kingston's Flash Memory Guide at kingston.com/Flash_Memory_Guide.

² First free drive letters after physical devices such as system partition, optical drives, etc.

Source: Kingston Technology
<>

Kingston Technology Launches New DataTraveler 101

16GB Drives of DT100 Also Hit Market

London, UK – July 2008 – Kingston Technology Company, Inc., the independent world leader in memory products, has announced the release of the new DataTraveler 101, a stylish USB drive that is available in a variety of colours and also features substantial data protection software.

The DT101 comes in a range of vibrant colours (cyan, pink and yellow), has a swivel design and capacities up to 8GB. For added peace of mind SecureTraveler software allows the user to create and access a password-protected, secure area of the drive.

“The new DT101 is a handy and practical USB drive that offers data protection in a lightweight, compact design,” said Kirsty Miller, European Flash Product Marketing Manager, Kingston Technology. “It is a valuable addition to the DataTraveler family and is ideal for the budget conscious user as well as those looking for significant storage capacity and data protection.”

Also shipping immediately is a 16GB version of the popular DataTraveler 100, an affordable, portable storage solution allowing users to save large amounts of data.

Kingston’s line of USB Flash drives are backed by the legendary Kingston reliability and 24/7 live technical support.

For more detailed information visit the Kingston Web site at: www.kingston.com/europe

Kingston DataTraveler 101 Features and Specifications:

· Capacities¹: 2GB, 4GB, 8GB

· Safe: SecureTraveler² security software for Windows

· Weight: 0.42 oz. (12g)

· Dimensions: 2.19″ x 0.68″ x 0.36″ (55.65mm x 17.3mm x 9.05mm)

· Operating Temperatures: 32°F to 140°F (0°C to 60°C)

· Storage Temperatures: -4°F to 185°F (-20°C to 85°C)

· Simple: Just plug into a USB port

· Practical: Capless swivel design protects USB connector; no cap to lose

· Guaranteed: Five-year warranty

· Fashionable: Available in multiple colors – cyan, pink, yellow

· Compatible Operating Systems: Windows Vista® (Windows ReadyBoost™ not supported), Windows XP (SP1, SP2), Windows 2000 (SP4), Mac OS X 10.3 and above (SecureTraveler not functional), Linux 2.6 and above (SecureTraveler not functional)

Kingston DataTraveler 100 Features and Specifications:

· Compliant: Designed to Hi-Speed USB 2.0 specifications

· Convenient: Pocket-sized for easy transportability

· Simple: Just plug and play into a USB port

· Practical: USB connector protected within case

· Guaranteed: Five-year warranty

· Dimensions: 2.35″ x 0.88″ x 0.37″ (59.7mm x 22.3mm x 9.5mm)

· Capacities¹: 2GB, 4GB, 8GB, 16GB

· Operating Temperatures: 32°F to 140°F (0°C to 60°C)

· Storage Temperatures: -4°F to 185°F (-20°C to 85°C)

· Compatible Operating Systems: Windows Vista® (Windows ReadyBoost™ not supported), Windows XP (SP1, SP2), Windows 2000 (SP4), Mac OS X 10.3.x and above, Linux v.2.6.x and above

¹ Please note: Some of the listed capacity is used for formatting and other functions and thus is not available for data storage. For more information, please consult Kingston’s Flash Memory Guide at Kingston.com/Flash_Memory_Guide.

² Administrative privileges required

For more detailed information visit the Kingston Web site at: www.kingston.com/europe

Source: Kingston Technology
<>

Kingston Technology to showcase Virtualisation and Security Solutions for Enterprises at VM’08

London, UK, September 2008 - Kingston Technology Europe Ltd., the independent world leader in memory products, announced that it will be showcasing its virtualisation and security solutions for the enterprise at VM’08, the UK’s first virtualisation event. Kingston provides memory solutions that are high in quality and reliability; not only will Kingston Technology modules improve the performance of the hardware, they will also allow the virtualisation software to run more efficiently, whilst reducing IT costs.

At VM’08 Kingston Technology will showcase a real life demo on the importance of memory as a hardware component and how installing larger memory modules can enhance existing hardware machines and enable more efficient virtualisation. Kingston Technology supports the move of corporate companies into virtualisation by offering system specific modules that are guaranteed to be compatible with any server. Kingston Technology memory modules are thoroughly tested by a patented process and are provided with free 24/7 technical support.

Kingston Technology has some of the most secure USB drives on the market, such as the Kingston Technology DataTraveler BlackBox and Vault Privacy Edition. These feature 100% automatic 256-bit AES hardware-based encryption, the same as used on many secure websites for credit card payments, and can cost as little as £70 for 2 GB (capacities available up to 16 GB). Not only would it take a hacker more than a hundred trillion years to crack the code, but those USB drives will also completely erase the stored data after ten failed login attempts, so there would be no chance for the records to fall into the wrong hands. The Kingston Technology stand will also feature demonstrations on the importance of end-user management, using Kingston Technology Secure USB drives that enable users to password-protect their files on fully encrypted USB drives.

Kingston Technology Executives attending VM’08:

Steve Hall: Branded Marketing Manager EMEA

Steve Hall is responsible for the branded memory range for Kingston Technology across the EMEA Region. Steve has over 14 years’ experience of working in the IT Industry in various Sales and Marketing Positions and has an interest in issues regarding mobile security and virtualisation.

Lars Christensen: European Corporate Business Development Manager

Lars Christensen coordinates projects towards large enterprise end-users across Europe. He has over 11 years’ experience in the IT industry in sales-focused roles and has in-depth knowledge of channel developments for Kingston Technology Branded Memory and of international market maturity assessment.

Ann Keefe: Regional Director for UK & Ireland

Ann Keefe is the regional director for UK & Ireland. Ann has over 24 years’ experience working within the IT industry in various managerial positions and has an extensive understanding of the memory market and of corporate initiatives such as virtualisation and secure USB drives.

Kingston Technology Company, Inc. is the world’s largest independent manufacturer of memory products. Kingston Technology designs, manufactures and distributes memory products for desktops, laptops, servers, printers, and Flash memory products for PDAs, mobile phones, digital cameras, and MP3 players. Through its global network of subsidiaries and affiliates, Kingston has manufacturing facilities in California, Malaysia, Taiwan, China and sales representatives in the United States, Europe, Russia, Turkey, Ukraine, Australia, New Zealand, India, Taiwan, China, and Latin America.

For more detailed information visit the Kingston Web site at: www.kingston.com.

VM’08 is the UK’s first dedicated event looking at server and desktop virtualisation, recently described by Gartner as the ‘highest-impact trend changing operations and infrastructure through 2012’. This year’s inaugural event is co-located with IP’08 and takes place at Earls Court on the 1–2 October. www.vmexpo.co.uk

Kingston Technology will be exhibiting at the VM’08 show on stand 826.

Source: Kingston Technology
<>

Effectiveness and Efficiency drive Storage into the Clouds

London, UK, 25th September 2008 - A survey of 875 organisations by Storage Expo has found that the main driver of their current storage policy is storage effectiveness (60%) necessitated by the need for reliability, scalability and access speed. The second most important driver was Storage efficiency (33%) resulting from the need to cope with cost vs. capability. The least popular drivers were Green criteria (7%).

Jon Collins, Service Director, Freeform Dynamics commented, “This is quite fascinating, and confirms a trend that we have seen in other studies: that organisations are prioritizing effectiveness over efficiency when it comes to setting policy and making purchasing decisions.”

With data storage volumes still growing at over 50% per annum, the need for effective and efficient Storage architecture has never been greater. In keeping with the current demands Storage Expo 2008 brings together an exciting and informative portfolio of Storage seminars that take an in-depth look at some of the latest trends in data storage and information management today.

According to Claire Sellick, Event Director for Storage Expo 2008, “one of our keynote sessions on the 15th at 11:30am, led by Jon Collins, includes senior executives from six of the leading storage companies in the world discussing their interpretation of the drive for efficient architecture and exploring the hype around cloud computing and emerging technologies that may radically change the way business operates. Key challenges addressed in the session will include reducing storage costs, growing storage with your needs and understanding the rise of cloud computing, amongst other things.”

Speakers at the session include:

  • Adam Thew, Storageworks Director for UK&I, HP
  • Adrian Groeneveld, Director of Product Marketing EMEA, Pillar Data Systems
  • Ian Masters, UK Sales and Marketing Director, Double-Take Software
  • Johannes Kunz, Senior Director for Solutions Marketing and Business Development EMEA, Hitachi Data Systems
  • John Rollason, Product Marketing Manager EMEA, NetApp
  • Mark Kenealy, Director Technology Solutions, EMC2
On the same day at 11:15am Ben Ginster, VP of International Development, Idealstor will be talking about the effectiveness of cloud computing for efficient storage in his seminar called Cloud Computing – What does it mean for Storage?

The seminar will take a detailed look at cloud computing as it stands today and what the future roll out of cloud technologies will mean for effective and efficient storage. Included in this discussion will be the often overlooked aspects of cloud computing such as disaster recovery, data security and who will be held accountable for data loss.

Storage Expo 2008 at the National Hall, Olympia on the 15th and 16th October, is the UK’s definitive event for data storage, information and content management. Providing the opportunity to compare the most comprehensive range of solutions and services from all the leading suppliers, the show features over 100 of the world’s top storage vendors and an extensive, cutting-edge free education programme with over 62 experts speaking, including sessions that will address the latest issues on how to tackle data growth and disaster recovery.

The education programme for 2008 has been expanded to reflect the needs of today’s data storage and information management experts as they become as concerned with information and data management as they are with storage capability, scalability and infrastructure. With strategic and technical analysis, case studies and storage management reviews, this year’s programme will reveal expert knowledge of how information management can increase both storage efficiency and information utilisation for business applications.

For more information or to register free to attend please visit www.storage-expo.com

Source: StoragePR
<>

Keyloggers beaten by new crypto utility

TurboCrypt can encrypt keyboard characters on-the-fly before keylogging or screen capture malware has a chance to record what is being entered.

A German company has come up with a program it claims can protect against the biggest weak spot of most encryption systems - keyloggers that record passphrases as they are entered.

Encryption is widely seen as a solution to the woes of data security, locking data behind near-unbreakable algorithms. But that assumes the password or phrase used to access the encrypted data is itself secure.

The system works around a virtual keyboard feature, built into the encryption utility TurboCrypt, which can encrypt keyboard characters on-the-fly, before keylogging or screen capture malware has had a chance to record what is being entered.

The system is said by its creators, PMC Ciphers, to be so secure, that it will work even if the computer is infested with malicious Trojans. The company also suggests that users test the tool by pitting it against commercial screen-grabbers or keyloggers.

The software exploits two interlocking concepts to render password or screen capture impossible in any practical sense. First, the virtual password entry screen for TurboCrypt's encryption function turns out to be a visual grid on which characters and numbers are drawn and deleted several times per second. The user chooses a character from within the flickering randomised grid, which then changes for the next character until the whole password has been entered.

Although difficult and slow to use - the flickering is incredibly distracting - it offers a very high level of security. The screen redraws faster than a capture utility can register the screen, while the grid changes randomly for every character entered, making it impossible for malware to relate mouse clicks to the on-screen image of the keyboard as a way of divining characters.

Second, under the hood, the software uses the Windows thread scheduler to crowd out other code while a character is being entered, for example by raising its own thread priority so that it temporarily consumes all the available CPU time on one core. The idea is that lower-priority Trojan threads simply do not get scheduled while the grid is drawn and read. This is a weak guarantee: it does nothing against kernel-mode hooks, against code running on another core, or against a process at the same or higher privilege that can read TurboCrypt's memory directly.

"It's flickering and somewhat exhausting to use, but this thing is one of the most decisive inventions in computer security," say its creators, who would like to implement the design in contexts such as banking website login if there is commercial interest.

TurboCrypt is available for Windows XP and for 32-bit and 64-bit Vista, free of charge for encrypted volumes of up to 32GB, as long as users register.

Source: PMC Ciphers
<>

Linux - More and more authorities are migrating to free operating systems

by Michael Smith

More and more authorities are discovering the benefits of free and open software. Not only have half of the desktop PCs of the Belgian justice authorities meanwhile been converted to Linux and OpenOffice.org, but Sachsen-Anhalt (Germany) has now also decided to change over entirely to Linux and OpenOffice.org for its public services. The primary motives are to save money and to enhance security significantly. It is rather a shame that neither the British government nor the European Union bodies seem to have the same ideas.

The Belgian Ministry of Justice decided as early as 2005 to install SUSE Linux and OpenOffice.org on all new PCs. In June 2008 Sachsen-Anhalt followed suit.

The migration to Linux in Belgium started with the country's lower courts and is being introduced step by step as new PCs are purchased. The change is accompanied by training and support so that users learn to work with software that is, to them at least, new. Those measures are also meant to overcome their fears of an unfamiliar operating system and an unfamiliar look and feel.

The decision of the former Belgian minister Laurette Onkelinx to migrate to a desktop environment based on open source follows the Belgian government's recommendation to implement open standards within the authorities. The migration currently covers 12,891 PCs, of which about half have meanwhile been converted to Linux and OpenOffice.org.

It is still going to take some time before the changeover is complete. According to the ministry, some peripherals are still in use, such as certain printers, that do not work with Linux (high time that changed). A further problem is the special applications, some developed by the ministry and others bought in, that do not (yet) work with Linux. Examples are programs that use MS Access as their database, and others, some developed in-house, that were built on other Microsoft products. Those are, according to the ministry, difficult to migrate.

Meanwhile, Sachsen-Anhalt can be happy that it does not, as yet, have to battle with such problems and complexities. Its changeover is being done differently: before all 25,000 desktop PCs in the state are converted to Linux and OpenOffice.org, the aim is to introduce an open data format for all data and documents.

Other European Union countries and authorities have carried out similar complete or partial migrations to one Linux distribution or another, to OpenOffice.org and to other open source software, as was done, for instance, by the French Gendarmerie, the cities of Munich and Vienna, and many, many more.

In the British Isles too, some local authorities are moving to open source software in one way or another, whether, as Mole Valley District did, to the paid-for StarOffice (little more than a dressed-up version of the free OpenOffice.org) or, in some cases, to Linux and OpenOffice.org and other open source software. Time too, one can but add.

© M Smith (Veshengro), September 2008
<>

Fake celebrity websites infect the unwary with malware

by Michael Smith

By rights, and to all intents and purposes, using fake websites as a malware attack vector should have died out long ago.

Rather than dying out, however, attacks initiated through phony celebrity websites have continued to grow and spread. This is possibly because their intended victims, the celebrity-obsessed among us, have either no abundance of brains or no basic knowledge of how computers and the Internet actually work. One could probably assume that in the majority of cases both apply.

According to recent data from McAfee, a leading anti-virus vendor and research company, an Internet user searching for Brad Pitt-themed items, say wallpapers, screensavers, photos and the like, has on average an 18% chance of running into malware in one form or another. Such malware is often served up by a "fake" celebrity website whose primary purpose is to push Trojans and worms onto the desktops of the unwary. These websites differ from standard malware landing pads in that they try to look like a legitimate source of news.

To create such sites, malware authors rely on an ever-changing list of "hot" celebrities. The turnover is fairly high: Paris Hilton was the most dangerous celebrity to search for in 2007 but does not even make the top 20 this year, while Britney Spears, who was #4 in 2007, is also missing in action.

This year, 2008, Brad Pitt, Justin Timberlake and George Clooney are the top three dangerous male searches, coming first, third and ninth on McAfee's overall list, and for the women we have Beyonce in first place, followed by Heidi Montag and Mariah Carey. I must say that, personally, I am not even sure who they are; the women, I mean.

McAfee's findings suggest that these sorts of searches are quite common, both at home and in the workplace. Aggressively searching such content while on the job is almost certainly against an employer's rules, even in a company with a fairly lax Internet policy, but that doesn't change the fact that such searches occur, and could expose company systems to any number of attacks. One form of damage control would be to present users with a list of verified "clean" news websites and encourage them to use these for news on any number of topics. Corporate policies that tacitly encourage non-work-related web use aren't going to find a warm reception in the boardroom, but practical advice on where to surf might do more to solve the problem than attempting to beat a basic understanding of the problem into employees' heads.

All of the usual rules about using an up-to-date virus scanner, avoiding suspicious-looking URLs, and not opening an unknown program just because a web browser shoves it in your face still apply, but in this case, the best protection is simply not to look. There are plenty of celebrity websites that make it their mission to stay right on top of the latest rumor, photo, or scandal, and they do so without serving up a healthy portion of Storm Worm on the side. If nothing else, try to remember that you don't actually need Brad Pitt wallpaper or a screensaver featuring outtakes from the Chinese movie My Wife is a Gambling Maestro. When in doubt—heck, even when not in doubt—it's best to stay away entirely.

Searching for desktop items such as Brad Pitt screensavers or the like is not a recommended pastime, whether or not you have all the relevant anti-virus protection.

Aside from relying on the unwary to search for celebrity items, the distributors of malware also try to trap the news-hungry with fake headlines such as "Third World War has started", "USA has attacked Iran" or "Iran has sunk US aircraft carrier". I am sure they will not cease to come up with new ones. Invariably those attempts arrive by email containing links the recipient is meant to click on; he or she then ends up on a website created for the sole purpose of distributing this or that Trojan or worm.

News can be had from such a large variety of legitimate mainstream and underground sources, via RSS feeds, that no one needs to open such emails and click the links therein. If the BBC or CNN sites are not running it, then it has not happened, whether an attack or anything else; of that we can rest assured. No need to fall prey to the virus distributors.

Whether fake celebrity sites or fake news sites are the malware attack vector, in more cases than not, aside from the above-mentioned searches for celebrity-themed items, the attack is initiated by a spam email to the recipient. That alone should have all possible alarm bells ringing, and anyone with an ounce of brain should delete such mails without opening them.

The most dangerous thing on the Internet, as I have written before, is the unsecured PC and the user who has no idea what he or she is doing. That is how spam and viruses are circulated.

Have proper anti-virus software (you do not have to pay for it to be secure) that updates at least once a day. The same goes for anti-spyware programs (one is in fact called SpywareBlaster), and use a browser that does not download and run anything without asking. Internet Explorer's greatest weakness has been exactly that: on an unpatched or loosely configured installation, a script on a malicious page could get an executable onto the machine and run it with little or no prompting, the classic drive-by download. Use Firefox, for instance. Its download manager asks what you want to do with a file you have chosen to open or download and, if you have not chosen to download anything, gives you the chance to cancel. That is then high time to hightail it out of that site and, for safety, run a full system scan, just in case.

Without the gullibility of so many users, and the fact that so many simply do not understand how computers and the Internet work and how, despite all our warnings, viruses are spread, such malware sites and spam would have ceased a long time ago.

If everyone would but listen to and heed the advice that magazines and websites such as the ICT Review give, such malware would by now be either non-existent or very much diminished and headed for extinction; all of it.

Alas, as long as there are users out there who think they know better, we will continue to be plagued by this.

© M Smith (Veshengro), September 2008
<>

The identity crisis continues

A government report says the National Identity Scheme will fail if it does not primarily serve the public, including being free to join

by Michael Smith

Sir James Crosby's much delayed review of identity management, commissioned by Gordon Brown when he was still chancellor, was not available at the event in March 2008 where home secretary Jacqui Smith outlined her plans for the National Identity Scheme. That is not surprising: it makes embarrassing reading for the government.

The former HBOS chief executive recommends that the identity scheme should be free to join: it will not be. He thinks it should be run independently, perhaps by Parliament: it is run by a Home Office agency.

Crosby's main point is that the scheme should be so useful and easy that citizens actively want to use it, in the manner of Google. Yet it remains to be seen whether the government is listening. For example, it sounds as if students may have a tough time if they do not enrol, rather than the scheme transforming their lives if they do.

Crosby's report shifts the emphasis of government policy away from identity management and towards identity assurance. It states: "ID assurance meets a clear and growing consumer need, whereas ID management addresses the interests of the owners of any identity database."

He recommends that the scheme should be accountable to Parliament, rather than government; that the amount of centrally held data should be minimised; and that citizens should be able to block reuse of their data except for national security purposes.

The identity scheme's core problem was and is that the government wants it to be two things at once: a security system that stops people from doing things, and an enabling system that helps them.

Crosby believes there is very little common ground, and says that the scheme has to focus on enabling people - even for the purposes of national security, as otherwise citizens will minimise usage as far as possible, providing little data to be trawled.

If the scheme fails, he just got in his "I told you so".

The problem with this hare-brained ID card scheme of this government, and those of other EU nations (and forgive me if I am wrong, but this appears to me to be in fact a scheme that the European Union is demanding, for better control of all citizens: welcome to 1984), is that the British government and its agencies simply cannot, as is proven day by day by the losses of sensitive data, be trusted with the data of the subjects of Her Majesty. Nay, I did not say a wrong thing: please remember that the British citizen is but a figment of the imagination.

However, whichever way, the British government, its agencies and the contractors and sub-contractors used by those agencies have such a dismal record on data protection that there is just no way, whether the scheme is free to join or compulsory (and I am sure we all remember being told in the beginning that it was going to be entirely voluntary; believing this government is not easy), that anyone in their right mind could be prepared to trust his or her data, including and especially biometric information, to such agencies.

I also doubt it would be any different, as far as the data problems go, if the Tories or the Liberal Democrats were in charge, as the problems do seem to lie with the civil service and the departments rather than with the politicians.

On the other hand, whether we can believe them or not, both the Tories and the Whigs have promised to get rid of the hare-brained scheme altogether. And pigs might fly, I know, for if this comes from Brussels and the new European Ministry of Security then there is no way it can be abandoned.

Data can be made secure on a small and a large scale, but whether British government agencies would know how to work hardware encryption is questionable.

© M Smith (Veshengro), September 2008
<>

Bringing Linux to the public – in UK

Where are the Linux user and consumer shows?

by Michael Smith

While the US, Germany and other countries seem to have one Linux Expo or other event after another, aimed at the general public, the consumer and the geek alike, in the UK there seems to be an absolute dearth. No proper attempt appears to be made to get Linux, in whichever shape, form or distro, to the people and to make it known to consumers in general.

The Linux Expo that used to be an annual event in the UK seems to be in a coma, very close to death's door if not already passed over. At the same time no other event to bring Linux to the general public, the general consumer and businesses appears to be even attempted in Britain.

This is a sad state of affairs, especially as some Linux distribution companies and organisations have their base in the UK.

The UK Linux Expo used to be held at the Olympia exhibition centre, but that is hardly necessary. While the event, or at least one of them, should be in London, there is no need for one of those expensive venues. Other venues are available, from racecourses such as Epsom or Sandown, through dog tracks, to halls of one kind or another that are equally suitable, even school gymnasia, as is done with so-called computer fairs.

If we, and especially those who stand behind Linux, are serious about getting Linux, whether Ubuntu (still, to me, the best version for the ordinary user), SUSE, Fedora or any other, taken up by the general PC user, the ordinary consumer, then we had better get the software, and the hardware that comes preloaded with Linux, out to the consumer. The only way to do that, aside perhaps from the Internet, is consumer shows and expos dealing with Linux, with workshops and the like.

Whether those will be shows for which the visitor is charged an entry fee is another question. It would obviously be best if such shows could be free or priced at a nominal amount that people would not mind paying. Prices such as GBP15 for a ticket, as charged by some consumer shows, would mean that the footfall would be virtually zero. However, unless such shows are organised and actually run, Linux, especially Linux on the desktop, will predominantly remain the domain of the geek, of those in the know, and of some governments and organisations. If the Linux distros are serious about winning market share from MS Windows, then Linux must present itself to the consumer proper. If that is not done, uptake will either continue at its present level or may in fact start sliding backwards, especially uptake by the general computer consumer.

© M Smith (Veshengro), September 2008
<>

Providing a Service is all about the client... yeah right!

By Guus Leeuw, President & CEO, ITPassion Ltd

There are two types of storage services that can be provided to organisations: in-sourcing and out-sourcing.

With in-sourcing, the client receives, say, a storage administration team that works on the premises and with the equipment of that client. The business model behind this type of service is easy to set up and to sell. Setting an average cost, paid per team member per month, is easily done, as one only has to look at the salary ranges of these people to work out how much the client should pay for each of them. As junior administrators are likely to be less expensive than a senior administrator, an average price covering all grades between junior and principal is easily made up.

The client's expectation is a good balance of skills, from junior people to principals. However, it is easy to supply far more junior people than a good balance would suggest, and thus under-deliver on quality of service.

The result of such a scheme is that the client is over-charged for the service it receives. After a while the client becomes unhappy with the service and starts looking for a different organisation to provide more of the same. Meanwhile the storage provider collects a nice bonus for under-delivering on quality and does well financially.

The difficulty in this scenario is to find and maintain the right balance, for the sake of the client. The interests of the two parties essentially conflict: the service provider wants to reduce cost, whereas the client wants to improve quality of service. Often this conflict of interest is not understood by the client, who assumes that the service provider will do its utmost to provide good service, while the service provider is eager to keep it that way.

It would be a good thing if service providers cared more about profit in the long term, which means making clients happy. For the only good client is a happy client.

Out-sourcing is a lot trickier to set up from a business model perspective. Several factors play a role: the cost of the data centre, electricity, cooling, equipment and staff all go into making sure that the price of 1 TB of storage actually matches the cost the service provider incurs in providing and managing that terabyte.

There are several ways to over-charge a client; the most obvious is to hide the business model and the calculations behind the price of that terabyte of storage. Unless faced with a procurement department that has already done the cost calculations for the organisation itself, not many clients understand the business model behind storage service providers.

Another easy way for a provider to reduce its costs is to use low-cost labour. Low-cost labour is often also less experienced. Again there is a conflict of interest: the client wants good quality storage services, whereas the provider wants to reduce the cost behind its business model.

In reality, providing a service to a client is about making a profit from that client. The question the client should ask and answer for himself is: how much profit do I want the service provider to make? Only when the answer is understood should one go about selecting a service provider.

Guus Leeuw jr. studied Software Development at the Polytechnic Highschool of Information & Communication Technology in Enschede, Netherlands. Soon after gaining his degree he was hired by EMC Germany to support internal software development. Guus subsequently travelled and worked across Europe before setting up his own software and storage company, ITPassion, in 2007.

IT Passion Ltd is exhibiting at Storage Expo 2008 the UK’s definitive event for data storage, information and content management. Now in its 8th year, the show features a comprehensive FREE education programme and over 100 exhibitors at the National Hall, Olympia, London from 15 - 16 October 2008 www.storage-expo.com

Source: StoragePR
<>

Low cost automatic backup and remote data duplication solution for SMBs

By Ernesto Soria-Garcia, VP Sales IDS-Enterprise

When looking into products that address our daily concerns about keeping our everyday and all-important documents and databases safely secured away, we find a host of different options and specialised products that do so proficiently.

However, if we look closely at the issues concerning data safety, and at solutions to restore data after accidental deletion or after losing a laptop under whatever circumstances (or "force majeure", as they say), it is clear that not all issues are covered by one solution, and that we are often obliged to build up a Meccano-like assembly of products and manage how they fit together.

In most small and medium businesses, not to mention micro enterprises or independent consultants, addressing these issues ourselves becomes almost impossible, as such businesses are not necessarily knowledgeable enough to feel confident about having a crack at it, especially given the heavy burden of responsibility that goes with managing such solutions.

So we often throw up our hands and decide that we will survive without, or accept a partial solution, or of course look for a third party to take care of this aspect of our business on our behalf. Often, the more secure or complex the solution, the more costly it is, and the more dependent we are on the third party we have called to our aid.

Linux-based mini servers can offer SMBs and micro enterprises a solution that backs up data from the PCs in the office to a local unit and then duplicates it over existing ADSL lines to a second, identical unit at a disaster recovery location of their choice, all automatically, fast and at a surprisingly low cost. Such a server can integrate enterprise-class technology yet be set up and run by an SMB or micro enterprise with no more IT skills than the general PC user, providing for the first time genuinely private and confidential off-site duplication of one's data. The server monitors the whole process with checks and counter-checks reported to the user as well as to the manager or owner of the SMB.

Outlined below is what every enterprise, whether conglomerate or SMB, needs in order to secure its data backup, together with the procedures and techniques needed to restore the data and files. The IT industry broadly defines the building blocks of a full-fledged solution as follows:

For backing up data on the company site and then making copies of it for physical transport to the remote site, or for duplicating and transferring the data over a network to a recipient unit elsewhere, including media for remote storage:

  • Backup software to manage the daily "gathering" of data from all "producers" of data, i.e. the clients
  • The hardware (PC, server) that orchestrates this collection
  • Local office storage media, such as tape or disk drives, to store the data collected
  • Software or procedures to create a copy or replica of the backed-up data on local tapes or disks that are physically transported daily to the remote (outsourced) site

If the data is sent over a network to a remote site:

  • Hardware (PC/server) to orchestrate and execute the transfer to additional remote hardware (PC/server) with disk or tape drives and their media
  • Network infrastructure, whether SAN, LAN or Internet ADSL
  • A high-level IT engineer to put it all together, administer it and monitor it

Large enterprises can afford to piece together a full solution covering all of the above, which requires good IT know-how, administration and monitoring to ensure that everything keeps working. All this naturally has a cost that can run into tens or hundreds of thousands of pounds.

By covering all this in one fully integrated, purpose-made software and hardware product, Linux servers offer a huge opportunity for SMBs and micro enterprises to equip themselves once and for all with an extremely affordable solution that brings enterprise-level security to their data.

A typical end-user wish list for a backup and remote duplication solution commonly includes the following:
  • All-inclusive, with high performance. IDSbox integrates everything under its Linux OS, and only the modifications and updates to the local office data are transmitted to the remote IDSbox, avoiding clogged ADSL lines and giving very fast synchronisation of the local and remote (outsourced) backups.
  • Completeness and integrity of data. Various monitoring checks are carried out at directory and file level, among others.
  • Robust. A robust system with a metal chassis inside a reinforced PVC casing.
  • Low operating cost. Electronic temperature and activity control lowers energy consumption to a meagre 9 watts; it could not be greener.
  • Easy to install and administer. The Linux OS has been adapted so that it requires no human intervention during operation. Any programming or scheduling is done through a web browser.
  • The highest security levels. The local and remote servers, and the disks holding the backed-up data, are mutually interchangeable. Data is transferred through encrypted tunnels (rsync over ssh), with certificates for validation and authentication and password control. Note that ssh protects the data in transit; whether the disks at either end are also encrypted at rest is a separate question to put to the supplier, since an interchangeable disk is only as confidential as the site it sits in.
  • Independence. No additional services or third-party products are needed, so there are no hidden surprises. Only the existing ADSL lines are used.
  • Easy backup definitions and restore procedures. The software should provide a very easy way (simple drag and drop) to define the files and folders one wants permanently secured by backup and remote duplication. Backup times and frequencies should also be automated.
  • Flexibility in off-site options. Should the company be a micro enterprise with only a couple of PCs, then a single server at the remote location is all that is needed to back up data from those PCs.
  • Confidentiality. Access to backed-up data should be through personal passwords only. This differs from NAS servers, which share data.
  • Scalability. Backup and duplication capacity can be upgraded simply by changing the server disk sizes, e.g. from 320 GB to 1 TB, or by adding an external disk of up to 1 TB. Tape drives and disks for snapshot functions can be attached.
  • Accompanying services such as warranty extensions and hotlines. Various warranties and extensions should be provided by the technology supplier for maximum peace of mind.
  • Cost effective. Linux servers can provide the most economical solution on the market for backing up data locally and duplicating it remotely. Such a solution can be purchased for as little as £1,200 for an entry-level twin-box setup: two mini Linux servers with 320 GB of disk capacity each, all the software needed to back up as many as 20 PCs or servers locally, the software to duplicate the data and create the secure encrypted transmission tunnel over ADSL, and monitoring and reporting to the SMB manager and to individual users. Other solutions on the market that can deliver this service, whether hardware-based, software-based or both, can cost 20 to 50 times more.

In conclusion, for the first time an extremely affordable solution is available that integrates all the components required to back up data on the company site and to create and maintain a permanently updated copy physically elsewhere via ADSL, and it can be set up and programmed by a typical PC user. An SMB can now physically possess and control not only its local but also its off-site data, without requiring a third party. Many SMB owners have expressed strong interest in this, as their data now remains fully confidential and, in case of a major disaster or data loss, they can recover it themselves using the extremely simple and intuitive software provided.

IDS-Enterprise are exhibiting at Storage Expo 2008 the UK’s definitive event for data storage, information and content management. Now in its 8th year, the show features a comprehensive FREE education programme and over 100 exhibitors at the National Hall, Olympia, London from 15 - 16 October 2008 www.storage-expo.com

Source: StoragePR
<>

Whittington NHS Trust loses 18,000 sets of data

by Michael Smith

The personal details of nearly 18,000 NHS staff have gone missing in the post, it has emerged.

Four computer discs containing the details of 17,990 current and former staff were lost in July when they were sent between Whittington Hospital NHS Trust in north London and McKesson, a firm providing IT payroll services.

Those CDs contained the names, dates of birth, national insurance numbers, start dates and pay details of all staff of Whittington Hospital NHS Trust, Islington Primary Care Trust, Camden Primary Care Trust and Camden and Islington NHS Foundation Trust.

They also contained the addresses of some staff, although the Whittington trust insisted they did not contain anyone's personal bank account details. Well, now there is a relief. But this has only just been announced, and in a rather slapdash way.

The more we hear of this, the more we can but wonder whether there is a competition going on somewhere in British government institutions, including NHS trusts, the MOD, etc., as to how many sets of data can be lost. This kind of criminal negligence cannot be explained any other way, unless gross stupidity also has something to do with it.

The trust said the discs went missing when the envelope they were in was placed in a post tray marked "recorded delivery" on Tuesday 22 July. But there was no record of the discs being sent.

The chief executive of the trust said that each disc had its own alphanumeric password which, unless found by expert hackers, would be very difficult to break. Let us just hope that this is indeed the case. But they have just a password. They are NOT encrypted. A password prompt that is not backed by encryption only stops the polite: the data sits in the clear on the disc and can be read by anyone who ignores the prompt, with no hacking expertise required. And even where the password does drive an encryption key, a short alphanumeric password can be brute-forced offline at leisure. Who the **** is running this asylum called British government?

He apologised to all those affected by the blunder, saying it was the first time information had been sent through the post and that the member of staff thought to be responsible has been suspended.

"It is trust policy to send any such information by courier," he said, and he added, “to our knowledge this is the one and only time that such information was directed through the post.

"An investigation is underway, with an enquiry panel taking place shortly. In the meantime, a member of staff has been suspended."

It is NOT the member of staff whose head should roll – at least not alone. The buck does not stop at the little guy or girl who may not even have been told how to send the CDs and never been told that they are to be sent by courier.

This revelation led both the Conservatives and the Liberal Democrats to call on the Government to scrap its planned electronic database of 50 million patient records in England. One can but add to that a call to scrap the National ID Card scheme and other such hare-brained things. This country and its government are incapable of looking after the data of its people.

Not that it would be impossible to make the systems safe. While it may not be possible to 110% guarantee that no one will ever be able to get hold of someone's details, it is possible to encrypt the data to such an extent that it would take even a sophisticated hacker – even a hacker team – months if not more to gain access to the data. If the protection were then set up so that only a limited number of attempts is permitted, and the data is wiped clean after the limit is reached, then things would be safer still. This is NOT rocket science, as I keep saying. The technology is available and out there.

© M Smith (Veshengro), September 2008

Nearline and Archiving in the Data Warehouse: What's the Difference?

By: Arthur Ritchie - Chairman and CEO at SAND

In recent years, data warehouses have begun to increase radically in size. To maintain acceptable performance in the face of this "data explosion", several techniques have been introduced. These include pre-building aggregates and Key Performance Indicators (KPIs) from large amounts of detailed transaction data, and indexing as many columns as possible in order to speed up query processing.

As data warehouses continue to grow, however, the time required to do all the necessary preprocessing of data increases to the point where these tasks can no longer be performed in the available "batch windows" when the warehouse is not being accessed by users. So, trade-offs need to be made. Doing less preprocessing work reduces the required time, but also means that queries that depend on aggregates, KPIs or additional indexes may take an inordinately long time to run, and may also severely degrade performance for other users as the system attempts to do the processing "on the fly". This impasse leads to two possible choices: either stop providing the analytic functionality (making the system less valuable and users more frustrated), or "put the database on a diet" by moving some of the data it contains to another location.

Putting the Database "on a Diet"
Both Nearline and Archiving solutions can help trim down an over-expanded database: the database can be made much smaller by implementing an Information Lifecycle Management (ILM) approach, removing unused or infrequently used detailed transactional data from the online database and storing it elsewhere. When the database is smaller, it will perform better and be capable of supporting a wider variety of user needs. Aggregates and KPIs will be built from a much smaller amount of detailed transaction data. Additionally, column indexing will be more practicable as there will be fewer rows per column to be indexed.

The Key Differences between Archiving and Nearlining in a Data Warehouse
It is important to stress the differences between archiving warehouse data (using products from Open Text, Princeton Softech and so on) and storing it nearline (using SAND/DNA). Since both types of product are used to hold data that has been moved out of the main "online" system, it is unclear to some why one would need to be implemented if the other is in place. To clarify this question and make it easier to discuss why one or the other type of system (or both) might be required in a given situation, the major differences between nearline data and archived data are outlined below.

Archive
Normally, the concept of electronic archiving focuses on the preservation of documents or data in a form that has some sort of certifiable integrity (for example, conformity to legal requirements), is immune to unauthorized access and tampering, and is easily subject to certain record management operations within a defined process – for example, automatic deletion after a certain period, or retrieval when requested by an auditor. The archive is in fact a kind of operational system for processing documents/data that are no longer in active use.

The notion of archiving has traditionally focused on unstructured data in the form of documents, but similar concepts can be applied to structured data in the warehouse. An archive for SAP BI, for example, would preserve warehouse data that is no longer needed for analytical use but which needs to be kept around because it may be required by auditors, as would be the case if SAP BI data were used as the basis for financial statements. The archive data does not need to be directly accessible to the user community, just locatable and retrievable in case it is required for inspection or verification – not for analysis in the usual sense. In fact, because much of the data that needs to be preserved in the archive is fairly sensitive (for example, detailed financial data), the ability to access it may need to be strictly regulated.

While many vendors of archiving solutions stress the performance benefits of reducing the amount of data in the online database, accessing the archived data is a complicated and relatively slow process, since it will need to be located and then restored into the online database. For this reason, it is unrealistic to expect archived data to be usable for analysis/reporting purposes.

Nearline
In the Information Lifecycle Management approach, the nearline repository holds data that is used less frequently than the "hottest" most current data but is still potentially useful for analysis or for constructing new or revised analytic objects for the warehouse.

While the exact proportion of nearline to online data will vary, the amount of "less frequently used" data that needs to be kept available is normally quite large. Moving this out of the main database greatly reduces the pressure on the online database and enables continued performance of standard database operations within available time windows, even in the face of the explosive data growth that many organizations are currently facing.

Thus, the archiving requirements described above do not apply to a nearline product such as SAND/DNA, which is designed to reduce the size of the online warehouse database while at the same time keeping the data more or less transparently accessible to end users who may need to use it for analysis, for rebuilding KPIs and so on.

In Brief

Why a Nearline Product is not an Archive

Nearline products do:

  • Make older data easily accessible to end users for enhanced analysis/reporting
  • Offer very good performance in delivering data to end users - typically not more than 1.x times slower than online, with little or no impact on online users
  • Allow greater amounts of relatively recent data to be moved out of the online system

Nearline products do not:

  • Offer methods for ensuring the compliance of data with regulations
  • Feature any special built-in security regime beyond the read-only status of the data
  • Take care of operational processes on data, such as enforcement of retention periods, automatic deletion and so on

Why an Archiving Product is not Nearline

Archiving products do:

  • Provide controlled storage of older data that will probably not be accessed except in special circumstances
  • Enforce organizational policies with regard to data retention
  • Ensure compliance
  • Limit access to sensitive data

Archiving products do not:

  • Make data easily accessible to users for analysis or reporting
  • Offer fast performance in restoring data
  • Store relatively recent data that may be required for analytics/reporting
SAND is exhibiting at Storage Expo 2008, the UK’s definitive event for data storage, information and content management. Now in its 8th year, the show features a comprehensive FREE education programme and over 100 exhibitors at the National Hall, Olympia, London from 15-16 October 2008. www.storage-expo.com

Source: StoragePR

RSA® Conference Europe - New keynotes and Sessions of Interest

There’s just a few weeks now to go until the 9th annual RSA® Conference Europe (27-29 October, 2008) at ExCeL London and here are a few updates as to what is happening:

New keynotes and Sessions of Interest:

In addition to the Information Commissioner, Richard Thomas’ keynote on Wednesday, 29 October, RSA Conference Europe has also confirmed Baroness Neville-Jones, Shadow Security Minister, UK will present the closing keynote.

Baroness Neville-Jones will focus on the issues, both practical and political, that government and society face when developing a national security agenda. During her early career, Neville-Jones was a British diplomat having served in then-Rhodesia, Singapore and the USA, amongst others.

Since then, she has held a number of security posts, including Deputy Secretary to the Cabinet and Head of the Defence and Overseas Secretariat in the Cabinet Office (’91 to ’94). In January 2006, she was appointed by David Cameron to head the Conservative Party's National and International Security Policy Group, and on 2 July 2007 she was appointed Shadow Security Minister and National Security Adviser to the Leader of the Opposition.

Olympic Games Information Security: The Ultimate Challenge is scheduled on Wednesday, 29th October at 9am. Marc Llanes, Information Security Manager, Atos Origin and Vladan Todorovic, Information Security Manager, Beijing 2008 Olympic Games are confirmed to lead the session.

They will cover how to address the challenges that come with securing the world’s most high-profile event, and how to recognise real threats and ensure consistent and secure data flow in such an information-overloaded, widespread and heterogeneous high-risk environment.

Other already confirmed keynotes

Richard Thomas, Information Commissioner of the UK’s Information Commissioner's Office is keynoting on Wednesday 29th October and will discuss the latest developments and topical issues of the ever-evolving landscape of information security and how the role of the Information Commissioner’s Office (ICO) is being strengthened and what the ICO’s approach will be following the recent high profile data losses across the UK’s public and private sectors.

Online Privacy and the World of Behavioral Targeting: Challenges and Options is the first keynote panel to be confirmed. It will be moderated by Chris Kuner, Partner and Head of International Privacy and Information Management at Hunton & Williams, one of the world's largest law firms.

Art W. Coviello, Jr., Executive Vice President, EMC Corporation and President, RSA, The Security Division of EMC will be giving his annual keynote at the first day of the Conference.

Enhanced content with new Tracks and Sessions

Last year, RSA Conference Europe attendees gave us our highest-ever rating for the Conference content. 70+ sessions over the following 9 tracks will take place over the 3 days:

Developers & Applications (formerly Developing with Security)
Security Services (formerly Authentication)
Business of Security (formerly Business Trends & Impact)
Hosts (formerly covered by Enterprise Defence)
Governance (formerly Policy & Government)
Networks (formerly covered by Enterprise Defence)
Professional Development
Research & Threats (formerly Hackers & Threats)
Sponsor Case Studies

2008 Conference Theme: Alan Turing

This year’s Conference theme is built around Alan Turing, British cryptographer, mathematician, logician, philosopher and biologist, and will celebrate his legacy and contribution towards digital computers today. Experts and historians agree that Turing had a deeper understanding of the vast potential of computer science than anyone in his era, and he is often considered the father of modern computer science. More information is available here.

Bloggers Are Welcome!

We are pleased to let you know that for the first time bloggers will be able to obtain a free press pass. Registration will be judged individually and based upon the credibility of the blog itself. Bloggers must have covered information security topics for a minimum of three months with a consistent posting rate (at least 2 posts a week). Other information, like Technorati ratings and number of hits/page views, will also be taken into consideration.

ExCeL: Still Closer Than You Think!

ExCeL was previously misconstrued as somewhat inaccessible, but we hope that last year’s overwhelmingly well attended Conference (we had 100+ press and analysts attending from all over Europe) has gone a long way to dispelling those myths and has justified the choice of ExCeL London again for RSA Conference Europe 2008.

ExCeL is exceptionally well served by air, rail, underground/DLR and road, directions to which can be found here.

Useful Info for Press/Analysts/Bloggers on Website

As RSA Conference Europe 2008 wants to make access to information as easy as possible, the dedicated press area of the website has been re-designed and improved, and is accessible by going here.

Source: AxiCom

10 Criteria to Selecting the Right Enterprise Business Continuity Software

By Jerome M Wendt DCIG, LLC

The pressures to implement business continuity software that can span the enterprise and recover application servers grow with each passing day. Disasters come in every form and shape, from regional disasters (earthquakes, floods, lightning strikes) to terrorist attacks to brown-outs to someone accidentally unplugging the wrong server.

Adding to the complexity, the number of application servers and virtual machines is on the rise while IT headcounts are flat or shrinking. Despite these real-world situations, companies often still buy business continuity software that is based on the centralized or stand-alone computing models that everyone started abandoning over a decade ago.

Distributed computing is now almost universally used for hosting mission-critical applications in all companies. However, business continuity software that can easily recover and restore data in distributed environments is still based on 10-year-old models. This puts businesses in a situation where they end up purchasing business continuity software that can only recover a subset of their application data.

Organizations now need a new set of criteria that accounts for the complexities of distributed systems environments. Today’s business continuity software must be truly enterprise and distributed in its design. Here are 10 features that companies now need to identify when selecting business continuity software so it meets the needs of their enterprise distributed environment:

  • Heterogeneous server and storage support. In distributed environments, companies generally have multiple operating systems and storage systems from multiple different hardware vendors. Companies want the flexibility to recover applications running on any of these operating systems while using whatever storage they have available at the DR site to do the recovery. Many business continuity solutions require the same configurations (host software, network appliance, storage system) at the production and DR sites. New enterprise business continuity software intended for distributed environments should not.
  • Accounts for differences in performance. A major reason that companies implement specific business continuity solutions for specific applications is due to how they manage high numbers of write I/Os. High performance (i.e. high write I/Os) applications put much different demands on business continuity software than those that protect application servers with infrequent write I/Os. To scale in enterprise distributed environments, the business continuity software needs to provide options to scale under either type of application load.
  • Manages replication over WAN links. Replicating all production data to the target site is great until the network connection becomes congested or breaks. Enterprise business continuity software needs to monitor these WAN connections, provide logical starting and stopping points if the connection is interrupted, and resume replication without losing data or negatively impacting the application it is protecting.
  • Multiple ways to replicate data. Not every application server needs all of its data replicated. Some application servers need only select files or directories replicated while other application servers need all data on one or more volumes replicated to ensure the recoverability of the system. Enterprise business continuity software should give companies the flexibility to replicate data at whatever layer – block or file – that the application server requires.
  • Application integration. Replicating data without any knowledge of what application is using the data or how it is using the data represents a substantial risk when it comes time to recover the application. Recovering applications such as Microsoft Exchange, SharePoint or SQL Server that keep multiple files open at the same time can result in inconsistent and unrecoverable copies of data at the DR site. Business continuity software must integrate with these applications such that it provides consistently recoverable images at the DR site.
  • Provides multiple recovery points. A problem with a number of existing business continuity solutions is that they only provide one recovery point – the one right before the disaster occurred. However, disasters are rarely that neat and tidy. Sometimes companies are not even aware a disaster has occurred until hours after the event (think database corruption or the wrong file loaded). Business continuity software needs to provide multiple recovery points so companies can roll back to a point in time right before the disaster occurred, as well as give them multiple options to recover the data.
  • Introduces little or no overhead on the host server. Putting agents on host servers provides a number of intangible benefits – application awareness, capture of all write I/Os, and even a choice as to where the replication (block or file) of the data will occur. However, if using an agent on the server consumes so many resources that the application cannot run, it negates the point of using the business continuity software in the first place.
  • Replicates data at different points in the network (host, network or storage system). Getting agents on every corporate server is usually not an option. Whether it is because of corporate service level agreements (SLAs), ignorance about the presence of new virtual machines or just good old-fashioned corporate politics, agents are great but not an option in every situation. In this case, the business continuity software should also provide options to capture data at either the network or storage system level.
  • Centrally managed. Enterprise business continuity software needs to monitor and manage where it is installed in the enterprise, what applications it is protecting, how much data it is replicating and the flow of replication from the production to DR sites. It also should provide a console from which administrators can manage recoveries anywhere in the enterprise.
  • Scales to manage replication for tens, hundreds or even thousands of servers. Enterprise companies sometimes fail to realize just how many application servers they actually have in their organization. Tens of servers is a given in even most small organizations with hundreds or even thousands of servers more common than not in any large company. The business continuity software should include an architecture that scales to account for this number of servers without breaking the replication processes or the bank.
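As an added illustration of two of the criteria above (resumable replication over a WAN link, and multiple recovery points), the following toy model is not InMage's or the author's code: a source journal of writes is pushed over a simulated link that drops mid-stream, replication resumes from the last acknowledged sequence number without loss, and each application-consistent bookmark yields a separate recovery point at the DR site. All class and function names are hypothetical.

```python
"""Added example (not from the article): a toy model of two of the criteria
above, resumable replication over an unreliable WAN link and multiple
application-consistent recovery points. All names are hypothetical; the
WAN link is simulated in memory."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Record:
    seq: int               # monotonically increasing sequence number
    kind: str              # "write" or "bookmark" (app-consistent point)
    offset: int = 0        # block offset (writes only)
    data: bytes = b""      # block contents (writes only)
    label: str = ""        # bookmark name (bookmarks only)


class SourceJournal:
    """Captures every write on the production host, in order."""
    def __init__(self) -> None:
        self.records: List[Record] = []

    def write(self, offset: int, data: bytes) -> int:
        self.records.append(Record(len(self.records) + 1, "write", offset, data))
        return self.records[-1].seq

    def bookmark(self, label: str) -> int:
        self.records.append(Record(len(self.records) + 1, "bookmark", label=label))
        return self.records[-1].seq

    def since(self, seq: int) -> List[Record]:
        return [r for r in self.records if r.seq > seq]   # not yet acknowledged


class LinkDown(Exception):
    """Raised by the simulated WAN when the connection breaks."""


class FlakyWan:
    """Simulated WAN link that breaks after `fail_after` sends."""
    def __init__(self, fail_after: Optional[int] = None) -> None:
        self.fail_after, self.sent = fail_after, 0

    def send(self, record: Record, target: "Target") -> int:
        if self.fail_after is not None and self.sent >= self.fail_after:
            raise LinkDown(f"link dropped before seq {record.seq}")
        self.sent += 1
        return target.apply(record)        # the DR site's acknowledgement


class Target:
    """DR-site volume image plus one snapshot per consistency bookmark."""
    def __init__(self) -> None:
        self.image: Dict[int, bytes] = {}
        self.applied_seq = 0
        self.recovery_points: Dict[str, Dict[int, bytes]] = {}

    def apply(self, record: Record) -> int:
        if record.seq <= self.applied_seq:     # duplicate after a resend:
            return self.applied_seq            # idempotent, never double-applied
        if record.seq != self.applied_seq + 1:
            raise ValueError(f"gap in stream before seq {record.seq}")
        if record.kind == "write":
            self.image[record.offset] = record.data
        else:   # snapshot at an application-consistent point = recovery point
            self.recovery_points[record.label] = dict(self.image)
        self.applied_seq = record.seq
        return self.applied_seq


class Replicator:
    """Pushes journal records over the link; the last acknowledged sequence
    number is the checkpoint an interrupted run resumes from."""
    def __init__(self, journal: SourceJournal, link: FlakyWan, target: Target) -> None:
        self.journal, self.link, self.target = journal, link, target
        self.last_acked = 0

    def run(self) -> bool:
        """Replicate pending records; True once fully caught up."""
        for record in self.journal.since(self.last_acked):
            try:
                self.last_acked = self.link.send(record, self.target)
            except LinkDown:
                return False    # checkpoint kept; retry when the link is back
        return True


def demo() -> dict:
    """Constructed scenario: four writes, two bookmarks, link drops mid-stream."""
    journal, target, link = SourceJournal(), Target(), FlakyWan(fail_after=3)
    rep = Replicator(journal, link, target)
    journal.write(0, b"A1")
    journal.write(1, b"B1")
    journal.bookmark("t1")        # application-consistent after two writes
    journal.write(0, b"A2")
    journal.write(2, b"C1")
    journal.bookmark("t2")
    first = rep.run()             # False: link fell over after 3 records
    link.fail_after = None        # link repaired
    second = rep.run()            # True: resumed from seq 3, no gaps
    return {"first": first, "second": second, "acked": rep.last_acked,
            "image": target.image, "points": target.recovery_points}
```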
The requirements for providing higher, faster and easier means of enterprise business continuity have escalated dramatically in the last decade, while the criteria for selecting the software remain rooted in yesterday’s premises and assumptions. Today’s corporations not only need to re-evaluate what software they are using to perform these tasks but also what criteria they should base these decisions on. The 10 criteria listed here should provide you with a solid starting point for picking business continuity software that meets the requirements of today’s enterprise distributed environments while still providing companies the central control and enterprise-wide recoverability that they need to recover their business.

InMage is exhibiting at Storage Expo 2008, the UK’s definitive event for data storage, information and content management. Now in its 8th year, the show features a comprehensive FREE education programme and over 100 exhibitors at the National Hall, Olympia, London from 15-16 October 2008. www.storage-expo.com

Source: StoragePR

UK Information Commissioner to Keynote at RSA® Conference Europe in October

Details of the Event's Comprehensive Educational Track Session Programme Also Unveiled

RSA® Conference, the world's leading information security conference group, announced in August 2008 that Richard Thomas, Information Commissioner in the UK's Information Commissioner's Office (ICO), will be keynoting at the ninth annual RSA® Conference Europe, which is taking place from 27th-29th October 2008 at ExCeL London.

Mr. Thomas will be discussing the ever-evolving landscape of information security, how the role of the ICO is being strengthened and what the ICO's approach will be following the recent high-profile data losses across the UK's public and private sectors.

Educational Track Sessions at RSA Conference Europe 2008

Central to RSA Conference Europe are its 70+ high-quality educational track sessions, a unique feature that distinguishes RSA Conferences from other professional events. Technology companies and their end-user customers are invited to submit papers for sessions in which to share experiences around real-life security demands and deployments - and to discuss today's most burning security issues.

After an extensive review process in the Spring by an independent selection panel, the RSA Conference Europe 2008 session agenda will include speakers drawn from across the whole value chain, including major brands such as Nokia, eBay, BT Global Services and Verizon Business. Representatives from research houses such as Cryptography Research, Freeform Dynamics and Forrester Research will also be presenting.

This year's session tracks are:

-- Business of Security

-- Developers & Applications

-- Governance

-- Hosts

-- Networks

-- Professional Development

-- Research & Threats

-- Security Services

-- Sponsor Case Studies

"Moving RSA Conference Europe to ExCeL London last year started a new phase in the Conference's development. Not only have we grown our attendee base significantly, but the attendees gave us our highest-ever ratings for Conference content in 2007," said Linda Lynch, RSA Conference Europe Manager. "I'm delighted that Richard Thomas will use the Conference as the platform to discuss one of the most critical issues in information security - that of safeguarding personal data."

This year's RSA Conference theme is built around Alan Turing - the British cryptographer, mathematician, logician, philosopher and biologist - and will celebrate his legacy and contribution towards digital computers today. Experts and historians agree that Turing had a deeper understanding of the vast potential of computer science than anyone in his era, and is often considered the father of modern computer science.

Full details about registration and deadlines for special discounts are available at

http://www.rsaconference.com/2008/Europe/Registration.aspx

For more information about press registration please visit the Conference website at

http://www.rsaconference.com/2008/Europe/For_Press.aspx

RSA Conference is helping drive the security agenda worldwide with annual events in the U.S., Europe and Japan. Throughout its history, RSA Conference has consistently attracted the world's best and brightest in the field, creating opportunities for Conference attendees to learn about IT security's most important issues through first-hand interactions with peers, luminaries and both emerging and established companies. As the IT security field continues to grow in importance and influence, RSA Conference plays an integral role in keeping security professionals across the globe connected and educated. For more information and Conference dates, visit http://www.rsaconference.com

Source: AxiCom

Top Tips for Email Management and Archiving

By Dave Hunt, CEO of C2C

Introduction: with only 20% of companies demonstrating good control on email management, Dave comments on the state of email management and archiving and notes what resellers can do to position themselves as protectors of companies’ most used and valuable communication method.

Just how bad does it get?

Though around 30% of organisations have some form of archiving in place, most consider that this would not constitute adequate control. A recent survey by C2C found that 65% of respondents had set mailbox capacity limits, meaning in effect that end users were responsible for managing their own mailboxes. In practice, this self-regulation probably results in significant lost productivity and constitutes a poor strategy for managing and discovering data. In this article, we consider the top five questions being asked by resellers interested in recommending email management:

1. Is Email control a management or archive issue?

It is a management issue and archiving is part of the solution. Resellers should identify a solution that identifies unnecessary emails, handles attachments and provides automated quota management which should be part of a strategic ‘cradle to grave’ management of email. It isn’t a case of archiving email merely to reduce the live storage footprint, but part of a well thought-out strategy, designed hand-in-hand with the customer that aids productivity and time management and that can be implemented by an IT department simply and economically.

2. What is the biggest problem for email management – storage costs, ‘loss’ of information or compliance issues?

All of these are problems. Some will cost your customers on a daily basis; others could result in huge fines or liability. Failure to preserve email properly could have many consequences, including brand damage, high third-party costs to review or search for data, court sanctions, or even instructions to a jury that it may view a defendant’s failure to produce data as evidence of culpability.

3. What guidelines should be in place for mailbox quotas – and how can these be made more business friendly?

Most specialists in email management agree that mailbox quotas are a bad idea. The only use would be a quota for automatic archiving, whereby, on reaching a specific mailbox threshold, email is archived automatically (and invisibly to the user) until a lower threshold is reached. Our C2C survey also found that those who self-manage email to stay within quotas frequently delete messages, delete attachments, and/or create a PST file. The over-reliance on PST files as a means to offload email creates several challenges when companies must meet legal requirements, since PST files do not have a uniform location and cannot be searched centrally for content with traditional technologies. Resellers can explain that reliance on PST files is poor practice.

4. Once retention schedules and compliance have been met, does the email need to be destroyed – and if so, how should resellers recommend companies go about this?

In some instances it is necessary to delete emails once the retention period has passed, in others it is only an option. Deletion also depends on the industry type, for instance, does it have to be guaranteed destruction, such as to US DoD standards, or is a simple removal of the email sufficient?
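The quota mechanism described in question 3 (archive automatically once a high threshold is reached, until a lower threshold is regained) and the retention-driven expiry of question 4, shown together as an added example that is not C2C's code. The function names, sizes and dates are constructed for illustration; whether "expired" messages are simply removed or destroyed to a standard is left to policy, as the article says.

```python
"""Added example (not C2C's code): watermark-based automatic archiving of a
mailbox plus retention-based expiry of the archive. All names, sizes and
dates are constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Tuple


@dataclass
class Message:
    msg_id: str
    received: date
    size: int                  # bytes


def auto_archive(mailbox: List[Message], high: int, low: int) -> Tuple[List[Message], List[Message]]:
    """If the mailbox exceeds `high` bytes, move the oldest messages to the
    archive until it is at or below `low` bytes. Returns (kept, archived).
    Two thresholds (hysteresis) stop the job firing on every new message
    once a mailbox hovers around a single limit."""
    if low > high:
        raise ValueError("low watermark must not exceed high watermark")
    total = sum(m.size for m in mailbox)
    if total <= high:
        return list(mailbox), []
    kept = sorted(mailbox, key=lambda m: m.received)      # oldest first
    archived: List[Message] = []
    while total > low and kept:
        oldest = kept.pop(0)
        archived.append(oldest)
        total -= oldest.size
    return kept, archived


def expire(archive: List[Message], today: date, retention_days: int) -> Tuple[List[Message], List[Message]]:
    """Split the archive into (retained, expired) by the retention period.
    What happens to 'expired' (plain deletion or guaranteed destruction)
    is a policy decision outside this function."""
    cutoff = today - timedelta(days=retention_days)
    retained = [m for m in archive if m.received >= cutoff]
    expired = [m for m in archive if m.received < cutoff]
    return retained, expired


def demo() -> dict:
    """Constructed mailbox: four messages, 115 bytes in total, 100/60 byte
    watermarks, 240-day retention assessed on 1 Oct 2008."""
    mailbox = [Message("a", date(2008, 1, 1), 40), Message("b", date(2008, 3, 1), 30),
               Message("c", date(2008, 6, 1), 25), Message("d", date(2008, 9, 1), 20)]
    kept, archived = auto_archive(mailbox, high=100, low=60)
    retained, expired = expire(archived, date(2008, 10, 1), retention_days=240)
    return {"kept": [m.msg_id for m in kept], "archived": [m.msg_id for m in archived],
            "retained": [m.msg_id for m in retained], "expired": [m.msg_id for m in expired]}
```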

5. What would your top tips be for email management?

Resellers that wish to add true value should consider the whole picture of email data management, from the instant an email is sent to the time it is finally destroyed.

C2C is exhibiting at Storage Expo 2008, the UK’s definitive event for data storage, information and content management. Now in its 8th year, the show features a comprehensive FREE education programme and over 100 exhibitors at the National Hall, Olympia, London from 15-16 October 2008. www.storage-expo.com

Source: StoragePR