Word of the Day Archive


January 22, 2009  2:29 AM

Overheard – Conficker / Downadup worm alert

Margaret Rouse
Security vendors from across the spectrum have warned that a stingy worm has been successfully exploiting a hole in the Microsoft Windows Server service. Known as Conficker or Downadup, the worm spreads by exploiting a remote procedure call (RPC) vulnerability.

Robert Westervelt, Conficker, Downadup worm hype? Get the facts

There’s a new variant of the Conficker worm going around. (Downadup isn’t a different worm, by the way; it’s another vendor’s name for the same one, and you’ll see both used.) Microsoft patched the Windows Server service vulnerability it exploits last October, in security bulletin MS08-067, but the worm is still spreading and mutating.

The worm, which some authorities say has built the largest botnet on record, works by exploiting a vulnerability in the Windows Server service’s RPC interface: a specially crafted RPC request lets an attacker run code on the vulnerable machine. In plain English, an infected machine can fire that request straight at any unpatched Windows machine it can reach over the network; the victim doesn’t have to open a Web page, read an e-mail or click on anything, which is why it spreads so fast inside corporate LANs. Like many of its malicious predecessors, this worm also cuts infected machines off from security vendor websites, so the antivirus on the box can’t update and the user can’t easily download a removal tool.

Microsoft added Conficker clean-up routines to the January edition of its Malicious Software Removal Tool (MSRT). Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY; there is no charge for support calls associated with security updates. Because the worm also spreads on USB drives and relies on Windows launching it automatically when the drive is plugged in, the National Cyber Alert System recommends disabling the Windows AutoRun/AutoPlay feature so that infected USB devices can’t spread it further.
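The "can’t reach the security vendor sites" symptom is something you can test for. The script below is an added example, not code from the original post, from Microsoft or from US-CERT: it resolves a handful of security vendor hostnames and a couple of unrelated control hostnames and reports when the vendor lookups fail while the controls work. The vendor list is a constructed sample (not the worm’s real block list), the control hosts and the "at least half fail" threshold are assumptions, and the resolver is injectable so the logic can be exercised offline with a fake resolver; on a real machine, call `triage()` with no arguments.

```python
"""Triage check for the 'can't reach security vendor sites' symptom.

Added example, not from the original post. The post notes that Conficker
denies infected machines access to security vendor websites; this script
tests for that symptom by comparing name resolution of a few vendor hosts
against unrelated control hosts. A positive result means "look closer",
not "infected": a filtering proxy or a broken DNS entry can look the same.
"""
import socket
from typing import Callable, Iterable

# Constructed sample of security vendor hosts (assumption: representative,
# not the worm's actual block list).
VENDOR_DOMAINS = (
    "www.symantec.com",
    "www.mcafee.com",
    "www.sophos.com",
    "www.kaspersky.com",
    "update.microsoft.com",
)
# Control hosts unrelated to security. If these fail too, the network is
# simply down and the vendor failures mean nothing.
CONTROL_DOMAINS = ("www.example.com", "www.wikipedia.org")

Resolver = Callable[[str], str]


def resolves(resolve: Resolver, host: str) -> bool:
    """True if the resolver returns an address for host, False on any socket error."""
    try:
        resolve(host)
        return True
    except OSError:  # socket.gaierror and friends are OSError subclasses
        return False


def triage(resolve: Resolver = socket.gethostbyname,
           vendor_domains: Iterable[str] = VENDOR_DOMAINS,
           control_domains: Iterable[str] = CONTROL_DOMAINS) -> dict:
    """Compare vendor and control lookups and return a verdict dictionary."""
    vendor_domains = list(vendor_domains)
    blocked = sorted(h for h in vendor_domains if not resolves(resolve, h))
    network_up = any(resolves(resolve, h) for h in control_domains)
    # Suspicious only when the network works yet at least half of the vendor
    # hosts fail (assumed threshold): one stale DNS entry is not an incident.
    suspicious = network_up and bool(blocked) and len(blocked) * 2 >= len(vendor_domains)
    return {"suspicious": suspicious, "network_up": network_up, "blocked": blocked}


def make_fake_resolver(blocked_substrings: Iterable[str]) -> Resolver:
    """Offline stand-in for socket.gethostbyname used to exercise triage().

    Any host whose name contains one of blocked_substrings fails to resolve,
    mimicking an infected machine; everything else returns a dummy address.
    """
    blocked = tuple(blocked_substrings)

    def resolve(host: str) -> str:
        if any(s in host for s in blocked):
            raise socket.gaierror("simulated NXDOMAIN for " + host)
        return "192.0.2.1"  # documentation address, constructed result

    return resolve


if __name__ == "__main__":
    # Offline demo with a resolver that behaves like an infected host, then
    # the real thing for the machine this runs on.
    infected = make_fake_resolver(("symantec", "mcafee", "sophos", "kaspersky"))
    print("simulated infected host:", triage(infected))
    print("this machine:", triage())
```

The control lookups are what keep this honest: without them, a laptop with no network at all would look exactly like an infected one.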

January 20, 2009  3:51 AM

Overheard – Amrit Williams’ open letter to President Obama

Margaret Rouse
Implementing a compliance program is only as effective as its controls are at identifying deviations from desired states. Since computers tend to quickly drift from desired good states in the absence of continuous assessment and correction, static compliance efforts that assess and enforce compliance at discrete points in time are ineffective.

Amrit Williams, Open Letter to Barack Obama: Securing Critical Infrastructure – The First 90 Days

It’s quite a day here!


January 19, 2009  2:06 PM

Overheard – Security and the SSL VPN

Margaret Rouse
Despite the popularity of SSL VPNs, they are not intended to replace Internet Protocol Security VPNs. The two VPN technologies are complementary and address separate network architectures and business needs.

William Jackson, quoting from Special Publication 800-113

I started to expand the short definition we have for FIPS (Federal Information Processing Standard) to promote our newest site, SearchCompliance.com, and somehow I got turned around and started reading about SSL VPNs. (Somewhere in my reading I discovered that Federal agencies deploying SSL VPNs have to configure them to allow only FIPS-compliant cryptography for the SSL/TLS connection.)

What got my attention was a blog post by someone named Shakya about how SSL VPNs are vulnerable to man-in-the-middle attacks. The reason? Many SSL VPNs weren’t built with wireless in mind. Shakya does a really good job of explaining the vulnerability in simple terms. His blog is not for the faint of heart, but it reinforces this warning — never check your bank account balance at Starbucks!

Circling round again to SSL VPNs, the Department of Commerce put out a Guide to SSL VPNs last summer (NIST Special Publication 800-113, the document quoted above). It’s really well written. If you are making a business case for implementing an SSL VPN, or you’re an admin who needs help with documentation for the business side, I suggest you take a look. As the guide points out, an SSL VPN is not a magic security bullet. There are still many instances when a full VPN client installed on the end user’s computer (typically IPsec) is the way to go. Not everything will be done in the cloud.
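An added example, not part of the original post and not code from Shakya’s blog or from NIST, of what the hotspot attack actually depends on and what a FIPS-only client configuration amounts to. It assumes the usual mechanism behind an SSL man-in-the-middle: a client that does not verify the server certificate will complete a handshake with a rogue access point as happily as with the real VPN gateway, so the attacker can terminate the SSL session and relay it onward. The cipher string is a FIPS-style approximation for illustration (real FIPS compliance needs a validated cryptographic module, not a cipher list), the marker list of disallowed suites is an assumed shortlist, and `probe()` needs network access; `weak_client_context()`, `hardened_client_context()` and `audit()` run offline.

```python
"""Client-side TLS checks for the 'MITM at the hotspot' problem.

Added example, not from the original post. Assumption: the attack works
because the client accepts whatever certificate the other end presents
(CERT_NONE, or an 'ignore certificate errors' checkbox), so a rogue access
point can mint a certificate on the spot and sit in the middle.
"""
import socket
import ssl
from typing import Iterable, List, Optional

# Substrings that mark cipher suites no FIPS-approved policy allows
# (assumed shortlist: RC4, MD5, NULL, single/triple DES, export grade,
# anonymous key exchange, pre-shared keys).
DISALLOWED_SUITE_MARKERS = ("RC4", "MD5", "NULL", "DES", "EXPORT", "ADH", "AECDH", "PSK")

# FIPS-style approximation: AES-GCM with ephemeral key exchange only.
FIPS_STYLE_CIPHERS = "ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES:!PSK"


def weak_client_context() -> ssl.SSLContext:
    """The 'make the certificate error go away' configuration.

    With CERT_NONE the handshake succeeds against any certificate, including
    one forged by a rogue hotspot; hostname checking is off as well.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Verify the chain against a CA bundle (system store when cafile is None),
    check the hostname, and offer only TLS 1.2+ with the FIPS-style suites."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(FIPS_STYLE_CIPHERS)
    return ctx


def disallowed_suites(names: Iterable[str]) -> List[str]:
    """Return the suite names that a FIPS-style policy would reject."""
    return [n for n in names if any(m in n.upper() for m in DISALLOWED_SUITE_MARKERS)]


def audit(ctx: ssl.SSLContext) -> dict:
    """Summarise the properties that decide whether a hotspot MITM would succeed."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return {
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "min_tls": ctx.minimum_version.name,
        "disallowed_suites": disallowed_suites(names),
    }


def probe(host: str, port: int = 443, ctx: Optional[ssl.SSLContext] = None) -> dict:
    """Connect with the hardened context and report what was negotiated.

    Against a rogue hotspot presenting its own certificate this raises
    ssl.SSLCertVerificationError instead of silently succeeding.
    """
    ctx = ctx or hardened_client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {
                "version": tls.version(),
                "cipher": tls.cipher()[0],
                "subject": dict(rdn[0] for rdn in tls.getpeercert()["subject"]),
            }


if __name__ == "__main__":
    print("weak:    ", audit(weak_client_context()))
    print("hardened:", audit(hardened_client_context()))
```

The audit of the weak context shows the two settings that make the Starbucks scenario work, peer verification and hostname checking both off; the hardened one is what "only FIPS-compliant cryptography" looks like in practice on the client side.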


January 16, 2009  4:00 PM

Overheard – JBoss is Red Hat’s golden goose

Margaret Rouse
Red Hat’s JBoss business is growing twice as fast as its Linux business, and it delivers $10 in consulting fees for every $1 in subscription revenue. This means that JBoss is much more interesting to Red Hat’s channel than Red Hat Enterprise Linux is. It also means that JBoss should be the foundation for Red Hat getting into the application business in earnest.

Matt Asay, Red Hat: JBoss growing twice as fast as Linux

JEMS is available from Red Hat through subscriptions that include certified software, support, updates and patches, documentation and multi-year maintenance policies.

Note: I’m starting to hear “cloud services” being called “middleware” again.  Cloud computing = middleware as a service (MaaS)?  I don’t think it’ll stick.  The acronym is pronounced Mass and will just remind the user that when his stuff is in the cloud and he’s given up all that control,  he’d better pray.


January 15, 2009  12:13 AM

Overheard – Data leak prevention market is hot

Margaret Rouse
DLP, once seen as a quick-fix solution for reducing data breaches, is rapidly being recast as a core strategy for discovering sensitive information in the enterprise and controlling access to it. As that evolution occurs, DLP is increasingly becoming the spark that restarts previously stagnant data encryption projects.

Tim Wilson, Encryption: DLP’s Newest Ingredient

DLP stands for data leak prevention or data loss prevention. It’s a more popular product name with vendors than the old name they tried in 2007, extrusion prevention. (What an awful name!) As DLP products have evolved and been integrated with other security tools like desktop and mobile device management, DLP vendors have tried out other names, including the very silly “anti-employee theft prevention” (who would want to steal an employee?).

But seriously, the goal of any DLP product is to plug leaks by inspecting data as it leaves an organization: monitoring it, logging it and, where policy says so, blocking it.

In the past, you’d only find a DLP product at the network gateway of a large corporation. Services industries, healthcare and insurance jumped on the DLP bandwagon early, motivated by compliance regulations, but increasingly vendors are targeting the mid-market. Forrester predicts that 20% of all small and mid-sized businesses (SMBs) will be shopping for a DLP solution in the next 12 months, and that 25% have already adopted email encryption, network storage encryption and data leak prevention.
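To make the “inspect data as it leaves” part concrete, here is an added example (not from the original post or from any DLP vendor) of the content-inspection step at the heart of a DLP gateway. It scans outbound messages for two classic regulated data types, payment card numbers (validated with the Luhn checksum so that order and tracking numbers don’t trip it) and US Social Security numbers, and returns an allow-or-block verdict with reasons. The internal domain, the sample messages, the “block on first hit” policy and the masking are all constructed assumptions for illustration.

```python
"""A miniature outbound content filter, the core of what a DLP gateway does.

Added example, not from the original post. Everything here is constructed:
the internal domain, the sample messages and the policy are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List

INTERNAL_DOMAIN = "corp.example"  # assumption: mail to this domain never leaves the organisation

# 13 to 16 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,15}(?!\d)")
# US Social Security number in its usual written form.
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum the digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Digit runs that look like card numbers AND pass Luhn, separators removed."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(digits: str) -> str:
    """Never write the full number into the DLP log either; keep the last four."""
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass
class Verdict:
    action: str                                  # "allow" or "block"
    reasons: List[str] = field(default_factory=list)


def inspect_outbound(recipient: str, body: str) -> Verdict:
    """Policy: internal mail passes untouched; anything leaving with card
    numbers or SSNs in it is blocked (assumed policy, one hit is enough)."""
    if recipient.lower().endswith("@" + INTERNAL_DOMAIN):
        return Verdict("allow", ["internal recipient, not inspected"])
    reasons = []
    cards = find_card_numbers(body)
    if cards:
        reasons.append("payment card number(s): " + ", ".join(mask(c) for c in cards))
    ssns = SSN_RE.findall(body)
    if ssns:
        reasons.append(f"{len(ssns)} SSN(s)")
    return Verdict("block" if reasons else "allow", reasons)


# Constructed sample traffic: (recipient, body). The card numbers are the
# well-known test numbers, not real accounts.
SAMPLE_MESSAGES = [
    ("partner@example.org", "Please charge 4111 1111 1111 1111, exp 12/11, for the order."),
    ("partner@example.org", "Tracking: order 4111111111111112 shipped today."),
    ("hr@corp.example", "New hire SSN is 123-45-6789, please enroll."),
    ("recruiter@example.org", "Candidate SSN 123-45-6789 attached."),
]


def run_policy(messages=SAMPLE_MESSAGES):
    """Apply inspect_outbound() to each message and return (recipient, verdict) pairs."""
    return [(to, inspect_outbound(to, body)) for to, body in messages]


if __name__ == "__main__":
    for to, v in run_policy():
        print(f"{v.action.upper():5} -> {to}: {'; '.join(v.reasons) or 'clean'}")
```

The Luhn check is the difference between a usable DLP rule and one the help desk turns off after a week: the second sample message carries a sixteen-digit order number that a bare regex would have blocked.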


January 13, 2009  9:18 PM

Podcast – IPv6 in 10 minutes

Margaret Rouse

In ten minutes,  you’ll learn what IPv6 is, how and when it will replace IPv4, why we skipped IPv5 and why IPv6 adoption has been slower in the United States than in Asia or Europe.

Listen now.


January 13, 2009  9:13 PM

Overheard: IPv6 is tomorrow’s Y2K

Margaret Rouse
Most industry watchers agree that organizations must support connections to and from IPv6 networks by 2011, at least at the gateway. This also is the year that IPv4 addresses are expected to run out. But adoption is likely to be slow going until then.

Adam Ely, IPv6 Makes Slow Progress

Obstacles include the continued widespread use of IPv4 and the cost of the transition, since upgrading to IPv6 means replacing operating systems and software that aren’t IPv6-aware.


January 12, 2009  4:41 PM

Overheard – Why IPTV needs IPv6

Margaret Rouse
The promise of TV delivered via IP is gaining momentum globally the more the Internet merges with consumer electronics, especially televisions. But plenty of challenges remain, not the least of which is the pending depletion of the IPv4 address space.

Sean Michael Kerner, IPv6: The Future of IPTV?

The move to IPv6 has been slow around the globe, with a few exceptions. One of them is in Japan, where deployment of IPv6 by telco NTT could provide a blueprint for carriers preparing for the rise of IPTV.


January 9, 2009  2:31 PM

Video – AMD virtual trade show (last year)

Margaret Rouse

[Embedded YouTube video: http://www.youtube.com/v/6FBvAsJjRu0]


January 9, 2009  3:42 AM

Overheard – Move over Second Life. Web Alive has come to town.

Margaret Rouse
Lenovo unveiled a virtual world called eLounge, which is powered by Nortel’s recently announced virtual world platform, web.alive. Lenovo appears to be using this venue as a social and interactive platform for providing information on their products and services — notably, their laptops.

Dennis Shiao, Review: Lenovo’s eLounge Virtual World

When I woke up this morning, I felt like I’d been out late to a party at the Consumer Electronics Show in Las Vegas. (Unfortunately, I was still in upstate New York surrounded by snow.)

You see, last night I went to a virtual trade show hosted by Lenovo. They are using a platform called web.alive. It’s Web-based and like nothing else I’ve experienced in browser-based virtual world software. I actually felt as if I had been at the conference, meeting people, looking at laptops and Lenovo’s new netbook. The only things missing from the conference experience were the free pens and the chance to enter a raffle.

I’ve spent a fair amount of time in Second Life. I’ve probably installed it and uninstalled it at least five times over the past year. I’ve been to virtual events at Cisco and IBM. Second Life for business is interesting, but nowhere near as exciting as what I experienced last night at Lenovo’s virtual store.

There’s something different about the web.alive platform. For one thing, the navigation is intuitive, and it only takes a first-time visitor a few minutes to figure out how to get around. You don’t see avatars standing around with their heads down and arms out, wiggling their fingers as they type on some invisible keyboard. That’s what happens when you visit a business site in Second Life: everyone looks like a zombie.

At Lenovo’s eLounge, however, you see energetic people walking around with their heads up. You can talk to the software developers, you can talk to the Lenovo sales representatives or you can talk to other people who’ve wandered in and are marveling at the experience of being in this rather wonderful virtual world. And if you’re not all that social?  You can just wander around and eavesdrop. The experience feels real.

I’ve been to other virtual trade shows online. They’re interesting, but they’re flat. Literally flat, clickable images. And the experience is flat. Here’s a tour of AMD’s virtual trade show from last year, for example. It’s nice, but it’s so…last year. 🙂

The architects at web.alive are on to something big. And they’re marketing it to the right audience — business people whose budgets are tight — who need to collaborate — who want to stay on the cutting edge.

If you have a few minutes today I strongly suggest you stop by Lenovo’s virtual store.  You’ll view the virtual environment as a Web page after you download and install a small browser plug-in.

I think you’ll be surprised, not only by the high quality graphics and the amazing audio, but by the real feeling of community you’ll experience.

