866-764-TECH(8324) · Subscribe to Application Solution Providers, Inc.News FeedSubscribe to Application Solution Providers, Inc.Comments

Popular ‘anonymous’ service reveals sensitive information, says researcher

A widely used proxy service thought to provide anonymous Web surfing and used to skirt network administrator bans on access to sites like Facebook frequently reveals sensitive information about its users, according to a Swiss security researcher.

Congratulations to NetApp, who is one of our Solution of the Year Award finalists.

NetApp solutions can be used everywhere- from corporate data centers to engineering departments and remote offices. NetApp Data Center Storage Infrastructure Solutions include consolidation and virtualization while providing data protection and retention. NetApp also offers Application Storage Solutions for business applications and databases, messaging ,collaboration, engineering applications and file services.

NetApp is a Citrix Ready partner and was awarded Solution Of The Year in 2008. The most recent product partnership that NetApp has had with Citrix is the Citrix StorageLink Site Recovery- powered by key NetApp technology including SnapMirror and FlexClone to offer the most complete and efficient Disaster Recovery solution for Citrix environments. Learn more here.

Please join me in congratulating NetApp!

                                               

Tell us how NetApp has brought greater value to your IT infrastructure…

Where an oil spill happens matters more than how big it is MORE than a week after an explosion on the Deepwater Horizon drilling rig in the Gulf of Mexico, 11 of the rig’s workers are still unaccounted for. The US Coast Guard reckons that 5,000 barrels of oil are leaking out every day, though this is really an informed guess. The great depth of the leaks from the rig makes staunching them a huge... (more...)

Microsoft is scrambling to fix a bug in its SharePoint 2007 groupware after a Swiss firm abruptly released code that could be used in an attack.

The proof-of-concept code was released Wednesday, just over two weeks after security consultancy High-Tech Bridge says it disclosed the issue to Microsoft on April 12.

Although Microsoft hasn’t said much about the seriousness of the bug, security experts worry that hackers could exploit the flaw in order to steal sensitive corporate information used by SharePoint customers, who use the software for building Web portals and collaborating on internal projects.

What’s new in SharePoint Server 2010 | Why developers like SharePoint 2010

High-Tech Bridge discovered what is known as a cross-site scripting flaw in SharePoint. If the attacker can get a SharePoint user to click on a link, the bug lets the attacker essentially take control of the user’s account.

“With a little bit of insider knowledge you can send a link to a SharePoint user, and if you can cross-site script them, you can do data exfiltration on whatever their account has access to,” said Jeremiah Grossman, chief technology officer with Web security consultancy WhiteHat Security.

“Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data,” High-Tech Bridge said in a note posted with its code. The company could not be reached immediately for comment.

By Jaikumar Vijayan | Computerworld US
Published: 12:14 GMT, 30 April 10

Global technology suppliers will soon face a new hurdle when selling their products in China, to disclose details of computer encryption used in their products and other trade secrets.

Starting Saturday, the Chinese government will require vendors in several product categories to comply with the rules in order for them to be able to sell to government agencies.

The new rules cover 13 technologies, including firewalls, routers, smartcards, database security tools, as well as anti-spam and network intrusion detection products. Under the new requirement, vendors who sell these products to government purchasers will need to first get them tested and certified by China’s Certification and Accreditation Administration (CNCA), a process that involves their sharing encryption key codes.

The information security testing and certification requirement was first proposed in 2008 by China’s General Administration of Quality Supervision, Inspection and Quarantine (AQSIQ). Initially, the rule was supposed to go into effect last May and applied to all sales of the covered products in China, not just those to government agencies. But following protests from the US and the European Union, the implementation deadline was pushed back a year, and the requirement was narrowed to cover only sales to government agencies.

Officially, at least, the rule is not really about encryption, said Christopher Cloutier, an associate partner with law firm King & Spalding’s intellectual property practice group. Rather, it is about certifying certain information security and technology products to China’s Compulsory Certification System (CCC) mark, Cloutier said. The CCC mark is a quality certification standard that is applied to a wide number of products sold in China. The standard is overseen by the CNCA and AQSIQ.

While on the surface the requirement is about quality, the fact that it touches upon sensitive encryption technologies could mean other motivations, Cloutier said.

“If I were a foreign-based producer of products with encryption, I would be very reluctant to give all my secrets to the government of China,” he said. “So now they have an excuse to buy only Chinese-origin technologies,” Cloutier said. The new requirements “feed into a sort of growing nationalism and assertiveness in China to openly favor Chinese companies versus foreign ones,” he said.

Foreign vendors covered under the new requirement will face a difficult choice, Cloutier maintained. “They either decide to sell to the government of China, or to everyone else,” he said.

“Let’s say you make a particular product and you have encryption in it and you sell it to the government of China,” Cloutier said. That fact could well influence purchasers outside of China who might be concerned about the security of that company’s encryption technologies, he said. “If you sell to the government of China you’ve got to tell them how the stuff works,” and that could be off-putting to other customers, Cloutier said.

There is also concern that sharing encryption technologies with China will enhance Beijing’s Internet monitoring and surveillance capabilities and result in the information being leaked to Chinese rivals.

An Intel spokesman said the regulations have “some very specific applications not related to our business.” Even so, the company has been working closely with the Information Technology Industry Council on the issue, the spokesman said without elaborating. The Washington, D.C.-based ITI is a trade association for high-technology companies.

Vendors Symantec, Cisco Systems and Gemalto did not immediately respond to requests for comments.

Harmon Nkenge, a spokeswoman for the US Trade Representative’s office, said US officials are continuing to press China to address the concerns of foreign governments and industry before implementing the new testing and certification requirement.

“In April 2009, China agreed to significantly reduce the scope of its planned information security testing and certification rules after the United States and other trading partners expressed serious concerns about the scope and content of the rules,” Nkenge said in an e-mail.. “We were pleased with that decision,” she added.

The chances of the Chinese government pushing back the implementation deadline or further reducing the scope of the requirement seems unlikely at this point, Cloutier added.

For years now, most of us have taken for granted the fact that we can access our contacts and calendars from our mobile devices. This convenience has become so engrained in our daily lives that many of us feel like we’ve lost a limb if our smartphone is not at our fingertips at any given moment. Not only that, but younger generations in particular expect to be able to do everything —... (more...)

There’s been much ado about social media as the latest, greatest customer service tool — but all that ado does little to help a corporation steer the conversation around perils and toward profits. So, buzz aside, where is the leverage in a set of tools that is seemingly all talk and little substance? Talk is all social media really is. Leveraging social media, then, requires a deep... (more...)

If you were at last weeks Microsoft Management Summit @ The Venetian in Las Vegas and you did not see Citrix, you need to have your senses checked. 2010 was our best year ever with Microsoft and System Center and we featured our joint integration efforts between Citrix XenApp, Systems Center Configuration Manager and Microsoft App-V. But don’t take my word for it, check out the day two keynote with Brad Anderson, vice president of the Microsoft Management and Services Division, where Brad demo’d our integeations and then self published the App-V app with Citrix Dazzle. Citrix and Microsoft continue our close alignment with our shared vision of User Centric Computing; XenDesktop and System Center are key components for delivering this vision. Also, don’t miss Brad’s follow-up keynote on day two of Citrix Synergy, May 12-14th…see you all @ Synergy 2010!

http://www.studiosevent.com/newscenter/?id=mms-2!MMS Booth 2.jpg|thumbnail,align=left!

Editor’s note: Carolyn Thompson is a scheduled speaker at Fordyce Forum 2010 in Las Vegas this June. I can’t remember the last time I had five placements in one week. As a member of the Pinnacle Society, I challenge myself to have, or be involved in, at least one transaction each week resulting in between 50 and 80 placements a year. Last year I worked hard to hit my minimums, but this... (more...)

Problem causes slow service and time outs on the site

Facebook announced late this afternoon that its engineers were working to fix a problem causing site trouble for users.