Three indicted for Comcast hack last year

Three hackers have been indicted for redirecting the Comcast.net Web site to a page of their own making in 2008. When Comcast customers visited the Comcast.net site during the attack on May 28, 2008, they were redirected to a Web site that displayed a message attributing the attack to members of the Kryogeniks hacker gang. At that time, about 5 million people connected to the Web site each day, the U.S. Department of Justice said in a statement. Because the site redirected to that page, customers were unable to access their Comcast e-mail accounts through the Comcast.net site.

Instead of the Comcast page, customers saw the message: "KRYOGENIKS Defiant and EBB RoXed COMCAST sHouTz to VIRUS Warlock elul21 coll1er seven." Immediately after Comcast was able to address the hack, the ISP (Internet service provider) and Network Solutions, the registrar, said they didn't know how the hackers managed to get the passwords necessary to switch the DNS servers and redirect the site. The indictment sheds only a bit of light on how they did it. It alleges that one of the defendants, Christopher Allen Lewis, made two phone calls through which he got the information that he and his friends used to access Comcast's DNS records. Another of the defendants, Michael Paul Nebel, allegedly logged onto a specific Comcast e-mail account that allowed him to communicate with Comcast's DNS registrar. During the attack, Lewis called a Comcast employee at his home and asked if the company's domains were working properly, the indictment alleges. Lewis was then able to sign onto Comcast's account at the registrar and point the Comcast.net Web site to the page he and the others made, according to the filing.

Comcast claims that it lost US$128,578 due to the attack. The men are charged with one count each of conspiracy to intentionally damage a protected computer system. James Robert Black Jr. is the third defendant named in the indictment. The charges were filed in the U.S. District Court for the Eastern District of Pennsylvania on Thursday. If convicted, each faces up to five years in prison and a $250,000 fine.

Google Voice Frees Your Voicemail, and Your Number

Until yesterday, signing up for a Google Voice account required you to pick a new phone number, not a pleasant option for those who have kept the same digits for years. Now Google has enabled users to keep their existing phone numbers and get (most of) the features Google Voice offers, including Google's excellent voicemail service. When you sign up for Google Voice (which is still not widely available to the public; you need to get an invite or request one), you can either choose a Google one-stop phone number or keep your own for a more pared-down experience.

Keeping your old digits gives you:

* Online, searchable voicemail
* Free automated voicemail transcription
* Custom voicemail greetings for different callers
* Email and SMS notifications
* Low-priced international calling

Going for the full-throttle Google experience gives you all of the above plus:

* One number that reaches you on all your phones
* SMS via email
* Call screening
* Listen In
* Call recording
* Conference calling
* Call blocking

If you already have a Google Voice number, you can add the voicemail option to any mobile phone associated with the account.

Some of the benefits are explained in Google's YouTube explanation. Since voicemails are transcribed and placed online, and can even be made publicly available for sharing purposes, there has been some danger of those voicemails appearing in search results. Happily, Google addressed this problem earlier this month. These new features are both freeing and limiting: you can keep your number but sacrifice some of the goodies that make Google Voice a powerful contender in the telephony business. Full number portability is likely coming in the future, after, of course, Google deals with AT&T, Apple, and the FCC. But some have high hopes that eventually the opposition will grow to accept and embrace Google Voice. Follow Brennon on Twitter: @neonmadman

Beware BlackBerry Browser Bug Until Carriers Offer Updates

BlackBerry smartphone users who frequently surf the Web via handheld will want to keep checking with their wireless carriers for BlackBerry Handheld Software updates in the coming weeks. That's because a new bug found in most current versions of Research In Motion's (RIM) device software, which makes it easier for malicious parties to execute "phishing" attacks on unsuspecting smartphone users, has been addressed via handheld software updates from RIM. The flaw relates to the BlackBerry software's certificate-handling functionality. From RIM's online security advisory: "This advisory relates to a BlackBerry Browser dialog box that provides information about web site domain names and their associated certificates. The BlackBerry Browser dialog box informs the BlackBerry device user when there is a mismatch between the site domain name and the domain name indicated in the associated certificate, but does not properly illustrate that the mismatch is due to the presence of some hidden characters (for example, null characters) in the site domain name."

In other words, the flaw keeps the BlackBerry Browser from correctly identifying mismatched site certificates because it cannot render the null characters, so the genuine name and the forged one look identical in the dialog. A hacker could potentially recreate, or "spoof," a site commonly visited by BlackBerry users, such as RIM's BlackBerry.com, by purposely adding null characters to the site certificate's Common Name (CN) field. (See screenshot below for an example of how the BlackBerry Browser box should look when it encounters site certificate issues due to the presence of null characters in site CN fields.) The flaw was rated 6.8 (Medium Risk) on the Common Vulnerability Scoring System (CVSS) scale of 0 to 10, with 0 representing little or no risk and 10 representing a very serious risk. CVSS is a vendor-agnostic, open standard for the security industry meant to depict the seriousness of vulnerabilities, according to RIM. The BlackBerry-maker recommends that all BlackBerry users running handheld OS 4.5 or higher check in with their wireless carriers to see if device software updates are available. The problem: I just did a quick search of both AT&T's and Verizon's BlackBerry download pages, but in a number of cases I could only locate earlier software versions than those recommended by RIM. Here's a list that specifies which software should be updated and to which new versions.

Current software version, and the version it should be updated to:

* BlackBerry Device Software v4.5.0.x: update to v4.5.0.173 or later
* BlackBerry Device Software v4.6.0.x: update to v4.6.0.303 or later
* BlackBerry Device Software v4.6.1.x: update to v4.6.1.309 or later
* BlackBerry Device Software v4.7.0.x: update to v4.7.0.179 or later
* BlackBerry Device Software v4.7.1.x: update to v4.7.1.57 or later

If you encounter a BlackBerry Browser dialog box like the ones shown in this post, you should choose to close the connection rather than subject yourself to potential phishing-related risk, according to RIM. More information on BlackBerry security can be located on the company's website. Until you're able to sit down and update your device, or while you wait for your carrier to issue an update, RIM says to use caution when clicking unknown links in SMS text or e-mail messages, even if they appear to come from a trusted source.
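RIM has not published the BlackBerry Browser's matching code, so the following is an added example (mine, not RIM's) of the general mechanism the advisory describes: a certificate Common Name is a length-prefixed string and may legally contain a 0x00 byte, and any check that hands it to C string routines or a display widget stops at that byte. The block shows a length-unaware matcher beside a length-aware one, plus the escaping a warning dialog needs so the hidden byte is visible. The hostnames are constructed; attacker.example stands in for a domain the attacker controls.

```python
"""Why a NUL byte in a certificate Common Name defeats naive hostname checks.

Added example; not RIM's code. The hostnames below are constructed and
attacker.example is a placeholder for a domain the attacker actually owns.
"""
import string

# Bytes allowed in a DNS hostname, plus the wildcard character.
HOSTNAME_CHARS = set(string.ascii_letters + string.digits + "-.*")


def cn_as_c_string(cn: bytes) -> bytes:
    """What a NUL-terminated comparison sees: everything before the first 0x00."""
    nul = cn.find(b"\x00")
    return cn if nul < 0 else cn[:nul]


def vulnerable_match(hostname: str, cn: bytes) -> bool:
    """Hostname check modelled on a length-unaware (C-string) comparison."""
    return cn_as_c_string(cn).lower() == hostname.lower().encode("ascii")


def hardened_match(hostname: str, cn: bytes) -> bool:
    """Length-aware check: reject any byte outside the hostname alphabet (which
    rules out NUL), then compare label by label. A single '*' is accepted only
    as the leftmost label and only when at least two labels follow it."""
    text = cn.decode("latin-1")  # every byte maps to exactly one character
    if not text or any(ch not in HOSTNAME_CHARS for ch in text):
        return False
    name_labels = text.lower().split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(name_labels) != len(host_labels):
        return False
    for i, (n, h) in enumerate(zip(name_labels, host_labels)):
        if i == 0 and n == "*" and len(name_labels) >= 3:
            continue
        if n != h:
            return False
    return True


def display_name(cn: bytes) -> str:
    """Render a CN for a warning dialog so hidden bytes become visible: a NUL
    shows as \\x00 instead of silently cutting the string short."""
    return "".join(
        chr(b) if chr(b) in HOSTNAME_CHARS else "\\x%02x" % b for b in cn
    )


if __name__ == "__main__":
    forged = b"www.blackberry.com\x00attacker.example"  # constructed CN
    print("C-string comparison accepts forged CN:", vulnerable_match("www.blackberry.com", forged))
    print("length-aware comparison accepts it:   ", hardened_match("www.blackberry.com", forged))
    print("what the dialog should show:          ", display_name(forged))
```

The point of `display_name` is the one RIM's advisory makes: a dialog that prints the CN through a routine that stops at NUL shows the user two identical-looking names and a mismatch it cannot explain, whereas escaping non-hostname bytes makes the forgery obvious.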

Defunct airport fast-pass program may be revived

Tens of thousands of subscribers to a registered air traveler program, who were left feeling scammed when the company offering the service abruptly went out of business, may soon get a break. A new investment group based in California has signed a letter of intent with Morgan Stanley, the defunct company's largest debt holder, according to the New York Times. Under a proposed plan, the investment firm will be allowed to buy the assets of Verified Identity Pass Inc. (VIP) and restart the Clear fast-lane security service, the Times reported, quoting the owner of Henry Inc., the Emeryville, Calif.-based investment banking firm. Subscribers to the Clear service, some of whom had signed up for two years or more of service just before VIP went out of business, will be offered a chance to continue their subscriptions after the deal goes through. If an individual chooses not to, any personal data on that individual that VIP had collected for Clear will be permanently destroyed, the Times said, quoting the investment banker.

The news is likely to provide some comfort to thousands of customers of VIP who were left in the lurch when the company in June abruptly announced it could no longer offer the Clear service because it had run out of cash. VIP was one of seven companies approved by the Transportation Security Administration (TSA) to operate a registered traveler program, which lets air travelers get through airport security checks faster. It offered the service at 21 major airports, including New York's John F. Kennedy International Airport, La Guardia, Boston's Logan International and Atlanta's Hartsfield-Jackson airports. More than 200,000 customers had signed up for the service when the company went out of business. To sign up for VIP's Clear service, customers had to submit to background checks and provide identifying information, including Social Security and credit card numbers, home address, date and place of birth, phone numbers and driver's license number.

They also had to provide fingerprints, iris scans and digital images of their faces. VIP's decision to shut the service raised concerns about the fate of the data the company had collected. The company made matters worse by hinting that it would sell that data to fulfill its debt obligations. Many participants were left feeling scammed when VIP announced that it couldn't refund their subscriptions because it had run out of money.

Days after the company's closure, the chairman of the House Committee on Homeland Security asked the TSA to ensure that all information collected by VIP was properly protected and destroyed. In August, in response to a lawsuit brought by concerned customers, a federal judge in New York issued an injunction prohibiting VIP from selling, transferring or disclosing to any third party the data it collected while operating the Clear service. The injunction, however, was later lifted on a technicality. Todd Schneider, an attorney with Schneider, Wallace, Cottrell, Brayton, Konecky LLP, a San Francisco law firm representing one of the parties in the lawsuit, said today that he was unclear on the ramifications of the reported purchase of VIP's assets by the investment banking firm. For the moment, the purchase does little to alleviate the major complaint in the lawsuit, which is that VIP's customers didn't get a refund of their subscriptions. "That is something that they are entitled to regardless of whether or not other companies" purchase VIP, he said. A hearing in the case has been scheduled for Oct. 16, where Schneider plans to again ask the judge to bar VIP from selling its data assets to any third party.

News of the proposed purchase comes as the House Committee on Homeland Security is scheduled to hold a hearing today on the future of the registered air traveler program.

Sybase smooths enterprise path for iPhones

Sybase is extending its Afaria mobile-device management platform and database software to the Apple iPhone, taking advantage of new enterprise features in Version 3.1 of the iPhone's software to give IT departments more control and capabilities on the popular handset. Though many enterprise employees bring iPhones into the office and rely on them for personal communications, the device originally caught on as a consumer gadget for music, Web browsing and entertainment applications, and has only gradually made inroads as a workplace tool. Going on sale in the middle of this month, Sybase's Afaria 6.5 will finally give administrators the kinds of controls they have had previously for mobile platforms such as Symbian, Microsoft Windows Mobile 6.1, Research In Motion BlackBerry and Palm OS. Apple's recent iPhone 3.1 release added the capability to lock down certain settings on a device so the user can't change them using the phone's configuration utility, said Mark Jordan, senior product manager for Afaria. That allowed Sybase to give enterprise IT departments the power to do things such as block applications, define the required password strength and lock down Wi-Fi and VPN (virtual private network) settings.

Sybase announced Afaria's iPhone capabilities on Tuesday at the iPhone Developer Summit in Santa Clara, California. With the new Afaria, enterprises can make and change settings on employees' iPhones over the air based on overall policies for certain departments, job descriptions and other criteria. Administrators can now establish a trusted relationship between Afaria and the employee's phone using a certificate, Jordan said. Among other capabilities, they can also require device authentication for access to a corporate directory and set up compliance reporting on the employee's use of the phone. Also on Tuesday, Sybase announced tools for its SQL Anywhere database to be used for synchronization of data between an iPhone application and a back-end database.

Using SQL Anywhere, internal developers and software vendors can build in bi-directional synchronization between an on-device app and relational databases including Sybase, Oracle, SQL Server, DB2 and MySQL. This frees employees from having to depend on the cellular data connection to get work done while on the road, Jordan said. There is a beta test program now open for SQL Anywhere for iPhone. Also on Tuesday, the company's Sybase 365 subsidiary introduced a turnkey system for mobile banking on the iPhone. With it, banks can allow their customers to check balances, transfer funds among accounts, securely communicate with bank representatives, find branches and automatically dial the bank, Jordan said. The Sybase mBanking 365 iPhone platform is available now and is already deployed by BBVA Compass as the BBVA Compass Mobile application.

Cisco results top estimates

Cisco Systems on Wednesday posted first-quarter results that far exceeded Wall Street's expectations, though revenue and profits were down from a year earlier. Revenue for the quarter ended Oct. 24, the first of Cisco's fiscal year, was US$9.0 billion, compared to the $8.74 billion expected by financial analysts, according to a poll by Thomson Reuters. Likewise, non-GAAP earnings per share for the quarter came in $0.05 better than expected, at $0.36. The non-GAAP figure excludes expenses, charges and other one-time items.

Sales in the quarter were down 12.7 percent from a year earlier, and non-GAAP earnings per share were also down, by 14.3 percent. On a sequential basis, revenue was up 6 percent from the fourth quarter, while earnings per share were up 16 percent. "Our Q1 results continued to reflect strong sequential growth trends that meet or exceed expectations during normal economic times," Cisco CEO John Chambers said in a statement. "We view the improving economic outlook, combined with solid execution on our growth strategy, as creating unparalleled opportunity to drive more value into the core of the network. Simply said, we believe that key market transitions across collaboration, virtualization and video will drive productivity and growth in network loads for the next decade, and are evolving even faster than expected." "A new model of productivity based on collaboration is clearly emerging, and we believe this may be the most profound opportunity for businesses in our 25 years as a company," Chambers added.

Cisco also said its board of directors authorized up to $10 billion in additional repurchases of its common stock. The board had previously authorized up to $62 billion in stock repurchases. There is no fixed termination date for the repurchase program. The remaining authorized amount for stock repurchases under this program, including the additional authorization, is approximately $13.1 billion.

Benioff trumpets Force.com platform's success

Salesforce.com CEO Marc Benioff on Thursday attempted to cement an image of the vendor as a full-blown application development platform provider, not merely a purveyor of SaaS (software-as-a-service) applications. The colorful CEO pulled a familiar arrow from his rhetorical quiver during a keynote address at the Dreamforce conference in San Francisco, decrying the annual software maintenance fees vendors like Oracle charge, and imploring customers of those companies to align themselves with Salesforce.com and its Force.com development platform. "They think it's their purpose in life to collect those taxes on software development [technologies] that were developed a decade ago," he bellowed. "When are you going to ask for innovation instead of paying maintenance?" But according to Salesforce.com, many already have. More than 135,000 custom applications have been built with Force.com and more than 200,000 programmers now belong to the company's developer network, the company said. Salesforce.com claims its system, available by subscription starting at US$25 per user per month, allows companies to develop applications much more quickly and less expensively than with traditional development stacks.

Part of the reason for this is that developers do not need to test their applications against multiple combinations of databases, application servers and other components. Also, since companies are using Salesforce.com's own cloud infrastructure, there is no need to invest in hardware. But Force.com development also presents a trade-off, since it could be difficult to port an application built there elsewhere. Still, Salesforce.com is beginning to attract ample interest from some of the industry's largest software vendors. CA on Thursday announced plans to release CA Agile Planner, a Force.com-built system for managing agile software development projects.

Agile development lets teams create many incremental iterations of an application, allowing for continual feedback from end-users and managers along the way. BMC executives also took the stage to showcase the company's own Force.com project, a service-desk application that will be released in 2010. The keynote also showcased how Force.com is being used by businesses as well as ISVs. Benioff introduced officials from a variety of companies, including countertop maker Vetrazzo and the Japanese convenience-store chain Lawson; both companies described how they built ERP (enterprise resource planning) applications on Force.com. Force.com may indeed be a more convenient method of developing applications, especially if a company isn't dealing with a wealth of legacy systems, said Michael Coté, an analyst with Redmonk. "Just having a Web site to log into, that's a better way of getting IT in general," he said. IT shops will have plenty of cloud development platforms to choose from in the months and years ahead, including Microsoft's Azure, Coté said.

However, "not everyone is lucky enough that they can start from a clean slate," he added. Therefore, the best approach may be to initially experiment with small projects, especially because doing so will help companies determine "how this new way of delivering software affects the business," he said.

FCC identifies roadblocks to broadband adoption

Several "critical gaps" in the nation's broadband efforts must be filled before all U.S. residents can get broadband, said an FCC task force working on a national broadband plan for the U.S. Federal Communications Commission. The task force report identified several often-mentioned factors for a lack of broadband adoption, including the cost of the service and a lack of deployment in some areas, but it also focused on some less obvious issues. Several factors, including the lack of a broadband subsidy program at the FCC, have contributed to gaps in broadband adoption in the U.S., the report said. The task force suggested that broadband deployment and adoption programs should be included in the FCC's Universal Service Fund (USF) program, which now subsidizes primarily telephone service for rural areas and low-income U.S. residents.

Part of the fund, with an annual budget of about US$7 billion, should be shifted to broadband, the task force said. In addition, the task force recommended that the FCC begin looking for additional wireless spectrum for mobile broadband. Freeing up new spectrum can take several years, and a handful of studies have predicted a spectrum shortage by the mid-2010s due to growth in subscribers and use of bandwidth-heavy applications, said Ruth Milkman, chief of the FCC's Wireless Telecommunications Bureau. "We know there's a spectrum gap, and we know we need to act in the near term," she said. The task force report also suggested that video and a convergence between television sets and computers will drive the demand for broadband. But the TV set-top-box market has seen relatively few innovations in recent years, with most cable subscribers leasing their set-top boxes from their providers, commission staff said. There may be ways for the FCC to encourage a retail set-top box market, the task force said.

Another roadblock to broadband adoption is a lack of information about broadband services, the task force said. It can be difficult for consumers to compare the performance of their broadband service to advertised speeds or to compare the performance of different broadband providers, the report said. There is "no shortage of issues" that the FCC should address in its national broadband plan, due Feb. 17, said Eric Carr, general manager of the FCC's Omnibus Broadband Initiative. FCC members generally praised the task force's report, but Commissioner Michael Copps said he wanted to see a greater emphasis on civic engagement as a driver for broadband adoption. "I want to see a little more heightened emphasis on the point of civic engagement ... and on the point of how this encourages interactivity among the citizens of this great country of ours," he said. Task force members talked about the need for a "fact-based" look at broadband needs, but there are bigger issues as well, Copps said. "This is an exercise that goes beyond metrics and beyond tangibles," Copps said. "I would urge you to look at the intangibles that are involved here."

India schedules 3G license auction for December

India's auction of 3G and WiMax licenses is now scheduled to be held in December, according to a notice on the Web site of the country's Department of Telecommunications. Bidding for 3G licenses will start Dec 7, with the WiMax auction scheduled to start two days after the 3G auction is complete, according to the notice. The auction was originally scheduled for January of this year, but was postponed after disagreement within the government on the minimum cost of the licenses.

Both Indian and foreign companies are allowed to bid for the licenses, but foreign companies will have to set up joint ventures with Indian investors to run services in the country. The Ministry of Communications will license four slots for 3G in each of India's 22 service areas, with a fifth slot reserved for two government-run telecommunications companies. A group of ministers, set up to resolve the dispute over pricing the licenses, has named Indian rupees 250 billion (US$5 billion) as the minimum revenue from the auction of the 3G and WiMax licenses in the country, India's Minister of Communications, A. Raja said last month. A telecommunications company bidding for 3G licenses in all 22 circles will have to pay at least Indian rupees 35 billion, according to the new minimum pricing proposed by the Indian government. Two companies, Bharat Sanchar Nigam Ltd. and Mahanagar Telephone Nigam Ltd., were allotted 3G spectrum ahead of the auction, and have started offering services. By the pricing announced last year, they would have to pay about rupees 20 billion.

The government said last year that these companies would have to pay license fees equal to the highest bid in each service area. The final date for applications from bidders is Nov 13.

Mozilla unblocks one sneaky Microsoft add-in

Mozilla has unblocked one of the two Microsoft-made add-ons that put Firefox users at risk from attack and will probably unblock the second in the next 48 hours, the company's head of engineering said today. "We've unblocked the .NET Framework Assistant," said Mike Shaver, Mozilla's vice president of engineering, on Monday morning. Shaver was referring to one of the two Microsoft components that Mozilla automatically disabled late Friday after deciding it needed to protect Firefox users from a critical vulnerability Microsoft disclosed, and patched, last week. Late on Friday, Mozilla added .NET Framework Assistant and the accompanying Windows Presentation Foundation plug-in to its rarely-used blocking list, which then threw up a warning to users notifying them that the pair was being barred from Firefox. "We got confirmation from Microsoft over the weekend that the add-on wasn't a[n attack] vector for the vulnerability in question," said Shaver.

Mozilla has also pushed out a change that will let users running Firefox 3.5 override the block, added Shaver. That change came out of discussions with enterprise Firefox users who said that they needed the two components to run their .NET-based software within the browser. The block of Windows Presentation Foundation will likely be lifted in the next two days. "Microsoft is watching the patch deployment numbers, and sharing them with us," said Shaver. "At some point, we'll take the [Windows Presentation Foundation] plug-in off the blocker. I expect that to happen in the next 48 hours." Last week, Microsoft's security team acknowledged that its software, which had been silently installed in Firefox as far back as February 2009, contained a critical vulnerability that could be used by hackers to hijack Windows PCs through Firefox. The vulnerability also affected all versions of Internet Explorer (IE), including IE8. However, the MS09-054 bulletin, which provided details on the vulnerability, said nothing about Firefox. Later on Tuesday, Microsoft expanded on MS09-054 in a blog post, and confirmed that Firefox users were in danger. Microsoft maintained that Firefox users who applied the patches would be safe from attack, but Mozilla felt that was not enough. On Friday, Shaver cited the severity of the vulnerability and the difficulty some users have had in removing Microsoft's software as Mozilla's reasons for engaging the blocking list.

Removing the Microsoft add-on and plug-in has been a contentious issue since Microsoft first slipped them into Firefox without users' permission last February as part of the .NET Framework 3.5 Service Pack 1 (SP1) update, which was delivered via Windows Update. Users were furious that the software was impossible to uninstall without editing the Windows registry. Later, Microsoft issued a follow-on update that made it possible to uninstall the components without a registry edit. Shaver denied that there was miscommunication between Microsoft and Mozilla, and instead characterized it as a "lack of clarity." "We're going to be in better communication," he promised, "especially about things like the version number of the [affected] plug-in." One of the problems Mozilla had last week was determining what, .NET Framework Assistant or Windows Presentation Foundation, or both, was vulnerable, and specifically what versions were at risk of attack. "This was an unusual case of using the blocker," Shaver said. "Version information was not available to us at first, and since [the software] was installed by many users, many of them were unaware they even had it, and the add-on and plug-in were difficult to uninstall, we thought it best to block them, at least for a time. Microsoft agreed." "I would call the communication between us and Microsoft 'greatly clarified' as of now," Shaver said. Mozilla has used its add-on/plug-in blocking tool only nine times, including last week's incident, since it first deployed it in 2007.

In the future, Firefox will include built-in tools that check whether components have been added by third-party software, then disable the add-on or plug-in by default, notify the user and allow him or her to enable the component(s). That kind of check, if it had existed earlier this year, would have kept the Microsoft software from being installed without Firefox users noticing. Since Version 3.0, Firefox has notified users when any new add-ons, called "extensions" by Mozilla, have been installed since the last time the browser was launched. That notification, however, is "poor," acknowledged Shaver, since it simply highlights the new add-ons in a window and, most importantly, does so after the add-on has already been installed. "We're big believers in informed user choice," said Shaver. "So we're going to improve notifications to users when plug-ins are installed. We do that with add-ons in Firefox now, which checks for those added since the last time you ran the browser. We will do the same thing for plug-ins, likely in Firefox 3.7." That version of Firefox, the second of two minor upgrades scheduled for the next six months, is currently slated to ship in March 2010. The plan now is to make those notifications clearer, and also to warn about system-installed items before they're running, Shaver said. "We're also building our plug-in check into the product for Firefox 3.6," added Shaver, referring to the outdated-plug-in campaign that Mozilla kicked off last month, and bolstered last week when it launched a plug-in checking service. Firefox 3.6 will warn users of outdated third-party plug-ins, like Adobe's Flash or Apple's QuickTime, when the browser reaches a site that calls upon such software. "We've learned a lot from this," concluded Shaver. "We're not trying to get into an adversarial model, but this was more visible than most [blocks in the past] because of the size of the company involved and the history of the plug-in."
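The blocking Shaver describes works by matching an installed add-on's id and version against version ranges in a blocklist the browser fetches, which is why not knowing the affected version numbers was a problem and why the Firefox 3.5 override was possible (a "soft" block is disabled by default but can be re-enabled; a "hard" block cannot). As an added example, not Mozilla's code, here is a small evaluator for a blocklist in the shape of Mozilla's blocklist.xml. The XML is constructed; the add-on ids and version numbers are placeholders, not the real entries for the .NET Framework Assistant or the Windows Presentation Foundation plug-in. Two details are assumptions on my part rather than something the article states: the severity model (an entry whose severity reaches the client's `extensions.blocklist.level`, default 2, is a hard block, lower severities are soft, and a missing severity counts as 3) and the version comparison, which is a simplified stand-in for Mozilla's toolkit comparator (dotted integers, with `*` greater than any number).

```python
"""Evaluate an installed add-on against a Mozilla-style blocklist.

Added example; not Mozilla's code. SAMPLE_BLOCKLIST is constructed in the
shape of blocklist.xml; the ids and versions are placeholders. The severity
threshold and version comparison are simplified assumptions (see lead-in).
"""
import xml.etree.ElementTree as ET

BL = "{http://www.mozilla.org/2006/addons-blocklist}"
DEFAULT_SEVERITY = 3   # assumption: an entry with no severity is a hard block
BLOCKLIST_LEVEL = 2    # assumption: client threshold (extensions.blocklist.level)

SAMPLE_BLOCKLIST = """\
<blocklist xmlns="http://www.mozilla.org/2006/addons-blocklist">
  <emItems>
    <!-- severity below the client level: soft block, user may override -->
    <emItem id="assistant@example.invalid">
      <versionRange minVersion="0" maxVersion="1.1.*" severity="1"/>
    </emItem>
    <!-- no severity attribute: hard block, cannot be re-enabled -->
    <emItem id="legacy-toolbar@example.invalid">
      <versionRange minVersion="2.0" maxVersion="2.5"/>
    </emItem>
  </emItems>
</blocklist>
"""


def parse_version(v: str) -> list:
    """'1.1.*' -> [1, 1, inf]; non-numeric parts count as 0 (simplified)."""
    parts = []
    for p in v.strip().split("."):
        if p == "*":
            parts.append(float("inf"))
        else:
            parts.append(int(p) if p.isdigit() else 0)
    return parts


def version_cmp(a: str, b: str) -> int:
    """-1, 0 or 1 as a is lower than, equal to, or higher than b."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += [0] * (n - len(pa))
    pb += [0] * (n - len(pb))
    return (pa > pb) - (pa < pb)


def load_blocklist(xml_text: str) -> dict:
    """Map add-on id -> list of (minVersion, maxVersion, severity) ranges."""
    items = {}
    for item in ET.fromstring(xml_text).iter(BL + "emItem"):
        ranges = [
            (vr.get("minVersion", "0"),
             vr.get("maxVersion", "*"),
             int(vr.get("severity", DEFAULT_SEVERITY)))
            for vr in item.findall(BL + "versionRange")
        ]
        # An emItem with no versionRange blocks every version of the add-on.
        items[item.get("id")] = ranges or [("0", "*", DEFAULT_SEVERITY)]
    return items


def block_state(blocklist: dict, addon_id: str, version: str,
                level: int = BLOCKLIST_LEVEL) -> str:
    """'hard' (cannot be enabled), 'soft' (disabled, user may override) or 'ok'."""
    for lo, hi, severity in blocklist.get(addon_id, []):
        if version_cmp(lo, version) <= 0 <= version_cmp(hi, version):
            return "hard" if severity >= level else "soft"
    return "ok"


if __name__ == "__main__":
    bl = load_blocklist(SAMPLE_BLOCKLIST)
    for addon, ver in [("assistant@example.invalid", "1.1.0"),
                       ("assistant@example.invalid", "1.2"),
                       ("legacy-toolbar@example.invalid", "2.3")]:
        print(addon, ver, "->", block_state(bl, addon, ver))
```

The first sample entry illustrates the article's situation: a `maxVersion` of `1.1.*` blocks every 1.1.x build of the add-on, so the list only works if the publisher knows which version range is affected, and lowering the entry's severity is what turns a hard block into one the user can override.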

Making Sense of Rapid7's Metasploit Acquisition

News of Rapid7's Metasploit acquisition hit some in the information security community like a clap of thunder. The Metasploit Project has a deep, loyal user base, and it's always unsettling to those who rely on open-source tools when those tools are snatched up by a commercial vendor. But in the hours after Wednesday morning's announcement, cautious optimism began to take hold. Some IT security practitioners started to see the potential benefits of a Rapid7-Metasploit union, provided the vendor handles its new property and user base with great care. "They certainly have acquired an exceptional back-end research capability," said Pete Hillier, CISO at CMA Holdings in Ottawa. "The question is if they can ensure the continuity once the acquisition is complete?" Some are skeptical of that, including Richmond, Va.-based IT security practitioner Rick Lawhorn, who quipped in an e-mail: "The road to hell is paved with good intentions. Unfortunately, the ones who will be happy are the bad guys; with a potentially-reduced focus on making things secure and greater focus on profitability."

Rapid7, a vendor of unified vulnerability management, compliance and penetration testing tools, said it will use Metasploit to enhance its NeXpose product. It also promised to "sponsor dedicated resources and contributions to the standalone, community-driven Metasploit Project to further its growth and success." The vendor said Metasploit Project founder HD Moore will become Rapid7's chief security officer and will remain Metasploit's chief architect. "Metasploit and Rapid7 NeXpose are uniquely positioned to improve upon the industry-leading capabilities of both products and to raise the bar on the industry at large," Mike Tuchen, president and CEO of Rapid7, said in a press release. "With our broader solution portfolio, we are the first security provider to meet the demand of enterprises and government agencies in enabling them to identify and mitigate exploitable threats in their IT environment based on their security risk profile." For his part, Moore predicts big dividends for his user base. "This acquisition provides dedicated resources to the project, accelerating our growth and allowing us to provide even better solutions to the community," he said in the Rapid7 press release. "Rapid7 recognizes the value of the community and is passionate about the success of the project." Nick Selby, a faculty member of the Institute for Applied Network Security (IANS) and managing director of Trident Risk Management, is among those expressing optimism. Selby wrote that the dynamics of the pen-testing market have been that Core Security sat atop the marketplace in terms of price, scale and enterprise usability while Immunity Security "cleaned up at the lower end of the enterprise market" and dominated for vendors and professional services types who also used Metasploit as a free tool. The Rapid7-Metasploit union will likely shake up that dynamic, to the benefit of buyers and end users, he added. "The best thing about the acquisition is that enterprise customers now have three legitimate, sue-able and responsible organizations proffering tools for penetration testing," he wrote Wednesday in the IANS blog. "Quality will likely rise, average price will likely fall, and functionality will likely increase. This is a good time to be in the market for pen-test software."

Boston-based IT security practitioner Zach Lanier said the acquisition is "phenomenal" news for Moore, Egypt (a Metasploit developer, now joining the project/Rapid7 full time), and Rapid7 as a whole. "Naturally, this acquisition will give Metasploit access to more resources, including more full-time team members; Rapid7's knowledge base; and technology and tools," he said. "This will also bring more visibility to Rapid7's vulnerability scanner, NeXpose, given the complementary nature of the Metasploit Framework." Though he's reluctant to simply accept that there will be little-to-no change in the Metasploit Framework's licensing and open source nature, Lanier said he's "pretty confident" Moore and others "will adamantly defend such important principles." Gadi Evron, a security strategist based in Israel, said the acquisition at least goes to show that not-for-profit work can exist in today's market and be competitive enough to draw commercial interest. Asked if he believes Rapid7 will handle its new acquisition in a way that will benefit users or, at the least, do no harm, Evron said, "One would hope they would, just as one would hope HD made sure they would."

Facebook captures largest IT deal of quarter

The IT industry raised almost $2 billion in venture capital in the third quarter, regaining its position as the top money-grabber, Dow Jones VentureSource says in a new report. Facebook captured the IT industry's biggest investment in the quarter, with a $100 million round from undisclosed investors in mid-July. But overall, IT investment has hit its lowest point in 12 years. Web 2.0 companies are on the upswing, but software investments are dramatically lower than they were last year. "The slow recovery we've seen for venture capital has faltered," Jessica Canning, director of global research for Dow Jones VentureSource, said in a news release. "As liquidity and fundraising lag after the economic meltdown in 2008, investors have no choice but to keep a tight rein on investments until the industry is on more solid ground." IT companies raised $1.87 billion across 270 deals in the third quarter, compared to $1.94 billion across 248 deals in the second quarter for the IT sector. IT emerged as the top market for venture capital in the third quarter because the healthcare industry suffered a drop from $2.2 billion to $1.7 billion.

Despite receiving more venture money than the healthcare industry, investments in the IT industry are still at a 12-year low and significantly below 2008 levels. While the IT sector is typically the leading recipient of venture capital, healthcare companies had briefly overtaken IT with their second quarter total, according to Dow Jones. Last year, IT companies took in $12.2 billion in venture investments across 1,328 deals. With data from three out of four quarters in 2009, the industry is at just $5.4 billion across 747 deals. A bright spot for IT comes from the Web 2.0 sector, where investments surpassed the software market for the first time. The information services sector - which includes most Web 2.0 companies - pulled in $627 million in new investments in the third quarter, up 11% over the same period last year.

For all industries, venture capitalists invested $5.1 billion in 616 deals in the third quarter, down 6% since last quarter and down 38% since the third quarter of 2008. If current trends persist, 2009 will be the worst investment year in U.S. venture-backed companies since 2003, according to Dow Jones. Software companies, meanwhile, raised just $581 million in the quarter, a 55% decline from the $1.3 billion invested in the same timeframe last year. "This is the [software] sector's lowest quarterly investment total since 1996," Dow Jones reports. Follow Jon Brodkin on Twitter: http://www.twitter.com/jbrodkin

Report says China ready for cyber-war, espionage

Looking to gain the upper hand in any future cyber conflicts, China is probably spying on U.S. companies and government, according to a report commissioned by a Congressional advisory panel monitoring the security implications of trade with China. The report outlines the state of China's hacking and cyber warfare capabilities, concluding that "China is likely using its maturing computer network exploitation capability to support intelligence collection against the U.S. government and industry by conducting a long term, sophisticated computer network exploitation campaign." Published Thursday, the report was written by Northrop Grumman analysts commissioned by the US-China Economic and Security Review Commission.

Government agencies and military contractors have been hit with targeted, well-crafted attacks for years now, many of which appear to have originated in China. But this report describes in detail how many of these attacks play out, including an attack that exploited an unpatched flaw in Adobe Acrobat that was patched earlier this year.

In a typical targeted attack, the victim receives an email message containing a maliciously crafted office document as an attachment. It might be disguised to look like the schedule or registration form for an upcoming conference, for example. When it's opened, the zero-day attack executes and cyberthieves start collecting information that might be used in future campaigns. In some cases they've installed encrypted rootkits to cover their tracks, or set up staging points to obscure the fact that data is being moved off the network. They sniff network and security settings, look for passwords, and even alter virtual private network software so they can get back into the network.

The Adobe Acrobat attack was supplied by black hat programmers to attackers who targeted an unnamed U.S. firm in early 2009. Working nonstop in shifts, the attackers snooped around the network until an operator error caused their rootkit software to crash, locking them out of the system. In another case cited by Northrop Grumman, the attackers clearly had a predefined list of what they would and would not take, suggesting that they had already performed reconnaissance on the network. "The attackers selected the data for exfiltration with great care," the report states. "These types of operational techniques are not characteristic of amateur hackers."

Northrop Grumman based its assessment largely on publicly available documents, but also on information collected by the company's information security consulting business. Citing U.S. Air Force data from 2007, the report says at least 10 to 20 terabytes of sensitive data has been siphoned from U.S. government networks as part of a "long term, persistent campaign to collect sensitive but unclassified information." Some of this information is used to create very targeted and credible phishing messages that then lead to the compromise of even more computers.

The report describes sophisticated, methodical techniques, and speculates on possible connections between Chinese government agencies and the country's hacker community, increasingly a source of previously unknown "zero-day" computer attacks. "Little evidence exists in open sources to establish firm ties between the [People's Liberation Army] and China's hacker community, however, research did uncover limited cases of apparent collaboration between more elite individual hackers and the [People's Republic of China's] civilian security services," the report says. If true, that wouldn't be much of a surprise. The U.S. government has had a presence at the Defcon hacker convention for years now, and the U.S. Department of Defense has even started using it as a recruitment vehicle in recent years.

Earlier this year, Canadian researchers described a similarly sophisticated cyberespionage network, called GhostNet, launched against international government agencies and pro-Tibetan groups such as the Office of His Holiness the Dalai Lama. Although the GhostNet report authors did not link the spying to the Chinese government, some researchers did.

Facebook Prototypes Lets You Test Latest Apps

Facebook launched a new applications feature late Tuesday that will let you test the latest tools the social network is working on. Called Facebook Prototypes, it's similar to Google Labs as it allows you to try out new features that, as Facebook says, are "not quite ready for prime time, are a bit esoteric, or don't quite fit." There are five new features currently available, most of which were created during a recent Facebook Hackathon event - an all-night coding session where Facebook techies work on projects they don't have time to develop during regular business hours. Here's a breakdown of the five features you can try out:

Desktop Notifications (Mac OS X only): A Mac OS X Growl notification app that sits on your menu bar and alerts you when someone writes on your Facebook Wall or sends you a message. You can also update your Facebook status within the application or navigate directly to your profile, News Feed, or Compose Message window.

Enhanced Event E-mails: Adds an iCal file to event notifications sent to your Facebook friends via regular e-mail. With one click, your friends can add the event to their personal calendar program like Google Calendar, Microsoft Outlook, or iCal. For this feature to work, your friends must have event e-mail notifications enabled in their Facebook account settings.

Similar Posts: Adds a "Similar Posts" tag under posts in your News Feed, such as status updates, shared links, and videos. Click on the tag and Facebook will try to find other News Feed posts with similar attributes.

Photo Tag Search: Integrated into the Facebook photo dashboard, Photo Tag Search lets you search photos posted by you and your friends for up to fifteen people at once. Say you want to find a photo of you and three friends. Plug your name and your friends' names into the search bar, and Facebook will show you all the photos where all of you are tagged. This feature will only find photo tags for people you're connected to on Facebook.

Recent Comments Filter: Places a "comments" button on the column to the left of your News Feed. Click on it, and your News Feed will show the most recent Facebook posts your friends have been commenting on.

The Prototype applications include several great features, and while some of them are a little rough, they do add great functionality to your Facebook experience. If you're on Mac OS X, I highly recommend trying out the Desktop Notifications app. Sometimes it inexplicably asks you for your login credentials, but it's a great little program if you want to stay on top of Facebook without logging on to the service. To activate the prototypes, click on the Facebook Applications page and then click on 'Prototype' in the left hand column.

Connect with Ian Paul on Twitter (@ianpaul).

Oracle profits rise but sales fall in Q1

Oracle's first-quarter net income rose by 4 percent year-over-year to US$1.1 billion, but revenue fell by 5 percent to $5.1 billion, the company said Wednesday. New software license sales fell 17 percent year-over-year to $1 billion, indicating that customers are still reluctant to make new software investments amid the ongoing recession. Earnings per share were $0.22. Excluding one-time charges, Oracle reported earnings per share of $0.30, partly meeting the expectations of analysts polled by Thomson Reuters, who had on average predicted earnings of $0.30 per share and $5.25 billion in revenue.

Oracle managed to increase profits even as revenue fell by "substantially improving" its operating margins, company President Safra Catz said in a statement. Oracle's results were also bolstered by growth in revenue for software license updates and support, which jumped 6 percent to $3.1 billion. Associated expenses were just $226 million, meaning the profit margin for this part of Oracle's business was greater than 90 percent. Oracle blamed the dip in new license sales partly on weak business at other software vendors. "They sold less of their applications, and so they drive less database with them," Catz said in a conference call. The earnings report comes a day after Oracle announced a new Exadata data warehousing and OLTP (online transaction processing) appliance jointly developed with Sun Microsystems. Oracle announced plans to acquire Sun earlier this year, but the acquisition is being held up by an antitrust review by European authorities.

Oracle executives offered no new details about the deal Wednesday, but said integration planning work is proceeding. During the call, CEO Larry Ellison repeatedly targeted IBM, which Oracle will soon be battling in both software and hardware markets. The company is well-positioned to compete against IBM with its recently updated database and middleware products, he said. Oracle shares were down $0.78 in after-hours trading to $21.35.

Lenovo founder shares slogans, tells tales of 1980s China

The chairman of Lenovo, the world's number four PC maker, shared Chinese revolution-spirited slogans and the unlikely story of his company's growth out of a government-managed economy in a motivational speech to Chinese small business owners on Friday. Liu Chuanzhi, one of 11 former government researchers who founded the predecessor to Lenovo in 1984, recalled how the company fought through trade barriers, high component prices and domination by foreign brands in a talk that highlighted how fast China's economy has grown in the last three decades. "In 1993 almost the whole market was foreign-branded computers," Liu said at the forum for small and medium businesses in Hangzhou, a scenic city in eastern China.

Lenovo, formerly called Legend Group, was founded early in China's process of market economic reforms and had to work in a tightly regulated environment. Lenovo faced tough odds even though its founders were from the Chinese Academy of Sciences, a Chinese state-controlled institute for national research projects. The academy gave the company founding capital of 200,000 yuan, or about US$30,000 today. That sum was far from enough: it would not have bought three computers in China in the 1980s, Liu said. Things only grew worse when the company was scammed out of two-thirds of the money, he said. "When we came out, we not only lacked funds but also had no idea what to do," Liu said. The low quality of components such as hard drives in China also hindered the company, he said.

China tried to protect domestic PC makers in the 1980s by charging a massive 200 percent tariff on foreign computers, said Liu. "The result of this protection was that foreign computers were very difficult to get into China and could only be smuggled, but China also could not make its own computers very well," he said. Lenovo's first PC did not reach the market until 1990. Lenovo struggled with low margins even as it built market share against foreign brands like IBM and Compaq in the 1990s. Government regulation also continued to slow the industry's growth. Chinese residents had to register with the government to become Internet users even late in the decade, said Liu.

Lenovo's global presence gained a huge boost when it bought IBM's PC unit in 2005. The company's sales in developed markets have since slumped in the global economic recession and it has restructured to bring its focus back to China and other emerging markets. Lenovo today is the top PC vendor in China.

Liu also emphasized the importance of company culture, describing Lenovo's as an example. "Make the company's interests the top priority, seek truth in forging ahead, take the people as the base," Liu said. Chinese president Hu Jintao has promoted the slogan "take the people as the base" as a part of socialist theory. To succeed like Lenovo, companies must "love to battle, know how to battle, and conduct campaigns with order," Liu said, using language reminiscent of "The Art of War," an ancient Chinese book on military strategy by Sun Tzu. Liu attended a Chinese military college in the 1960s and worked on a Chinese farm during the Cultural Revolution, a chaotic period when many graduates were sent to the countryside for re-education.

China's Alibaba expects India joint venture this year

Top Chinese e-commerce site Alibaba.com aims to announce an Indian joint venture this year as the company expands its global footprint, it said Friday. Alibaba.com is in talks with an Indian reseller about forming a joint venture, CEO David Wei told reporters at a briefing. Alibaba.com already works with Indian publishing company Infomedia 18, its likely joint venture partner, to promote its platform in the country. A deal in India, where Alibaba.com recently surpassed 1 million registered members, would be the latest in the site's efforts to grow abroad. "I've got a lot of confidence in India," said Jack Ma, CEO of Alibaba Group, the parent company of Alibaba.com.

Alibaba.com is a platform for small and medium businesses to trade everything from lumber and clothes to iPods and PC components. Its main member base is in China, but the site also has 9.5 million registered users in other countries and facilitates many cross-border trades. The site also has a joint venture in Japan and recently launched a major U.S. advertising campaign to attract more users there. Ma and other top Alibaba executives visited the U.S. early this year for meetings with potential partners including Amazon.com, eBay and Google. Ma said Alibaba knows it needs to "do something" in Latin America as well.

When asked if the company would also seek to expand in Eastern Europe, Ma said, "I will be there." Alibaba will not hold a majority stake in joint ventures it forms, instead taking a share similar to the 35 percent it has in its Japan operation. "Our global strategy means partner with local people," Ma said. "We want partners and we want partners to control their business." Users place total orders of more than US$200 million each day on the Alibaba.com international platform, Wei said. About 50 percent of those orders go to Chinese exporters, he said.

Users Want Answers on Oracle-Sun Future

When Oracle Corp. CEO Larry Ellison hosted a webcast last week to unveil the next generation of his company's Exadata appliance, a label reading "Oracle-Sun" was prominently displayed on the high-end database and storage system. Analysts said the arrival of the jointly built package shows that engineers at Oracle and Sun Microsystems Inc. have started working together in advance of the closing of Oracle's $7.4 billion acquisition of Sun, now expected in January.

But Ellison and webcast co-host John Fowler, executive vice president of Sun's systems business, only touted the joint engineering effort that created the Exadata Database Machine Version 2. They said nothing about the postmerger plans for the products of either company, keeping users mostly in the dark about the future of Oracle and Sun offerings. Oracle had hoped the deal would be closed by now, but it was held up earlier this month when the European Commission opened an in-depth investigation in response to what it called "serious concerns" that Oracle's ownership of Sun's MySQL database could blunt competition in the database market. Oracle did take an unusual step two weeks ago by running advertisements promising to spend more on Solaris software and UltraSparc hardware development than Sun does now. The ads came in the midst of aggressive efforts by Hewlett-Packard Co. and IBM to court Sun's customers.

The ads somewhat reassured Richard Newman, president of Reliant Security Inc., which uses Solaris-based systems to deliver data security products and services to retail industry customers. "We're crossing our fingers that what [Oracle] stated in print is in fact going to happen," he said. He also acknowledged that he has concerns about Oracle's plans for Sun's open-source offerings. "In the open-source community, Oracle doesn't have a particularly friendly reputation," he said. Nathan Brookwood, an analyst at Insight64 in Saratoga, Calif., called Oracle's ad "a very unequivocal statement of support for the Sun hardware." However, Brookwood added that he doesn't expect the move to placate Sun's customers. "It's not time to stop biting your nails," he said.

Richard Toeniskoetter, technology director at the W.A. Franke College of Business at Northern Arizona University in Flagstaff, said he wants to know Oracle's plans for Sun's Virtual Desktop Infrastructure software and its Sun Ray thin clients. "We are already running a fairly mature VDI model, and we just want to see Oracle recognize that it's a viable platform," Toeniskoetter said, adding that NAU is also interested in Oracle's plans for MySQL.

Among the Sun customers most in need of quick answers are resellers, such as PetroSys Solutions Inc., which sells repackaged systems for the government and education markets. "A lot of our clients are nervous," said Irene Griffith, who owns PetroSys. "They want to know what's going to happen." Sun's sales representatives have been mum on the subject. "They're not talking to us, they're not reaching out to us," Griffith said.

This version of this story originally ran in Computerworld's print edition. It's an edited version of an article that first appeared on Computerworld.com.

Companies patch OS holes, but biggest priority should be apps

Corporations appear to be much slower in patching their applications than their operating systems - even though attackers are mainly targeting vulnerabilities in applications, according to a new report. "Now we know which vulnerabilities are being patched and which are not," says Alan Paller, director of research at the SANS Institute. The report, "The Top Cyber Security Risks," is based on data collected between March and August and was a collaborative effort by SANS, TippingPoint and Qualys. The report shows that 80% of Microsoft operating system vulnerabilities are being patched within 60 days, but only 40% of application vulnerabilities, including those in Office and Adobe products. The group analyzed six months of data related to online attacks, collected from 6,000 organizations using the TippingPoint intrusion-prevention system, along with data related to more than 100 million vulnerability scans performed on behalf of 9,000 customers of the Qualys vulnerability assessment service.

Meanwhile, the majority of online attacks are aimed at applications, particularly client-side applications, making this the No. 1 priority named in the report. The main attack methods used against Web sites were SQL injection and cross-site scripting. During the six-month timeframe, more than 60% of all attack attempts monitored by TippingPoint were against Web applications, in order to convert trusted Web sites into malicious sites serving up malware and attack code to vulnerable client-side applications. In terms of vulnerability and exploitation trends, popular methods include attempting to brute-force passwords by guessing, with Microsoft SQL, FTP and SSH servers among the most popular targets. Zero-day vulnerabilities - which occur when a flaw in software code is discovered and exploit code appears before a fix or patch for the flaw is available - were popular in targeted attacks, according to the report. Some of the main vulnerabilities being exploited include the malicious Apple QuickTime Image File download (CVE-2009-0007); Microsoft's WordPad and Office Text Converter Remote Code Execution Vulnerability (MS09-010); and multiple Sun Java vulnerabilities.

Six notable zero-day flaws in the past six months include:

* The Adobe Acrobat & Flash Player Remote Code Execution Vulnerability (CVE-2009-1862)
* Microsoft Office Web Components ActiveX Control Code Execution Vulnerability (CVE-2009-1136)
* Microsoft Active Template Library Header Data Remote Code Execution Vulnerability (CVE-2008-0015)
* Microsoft DirectX DirectShow QuickTime Video Remote Code Execution Vulnerability (CVE-2008-0015)
* Adobe Reader Remote Code Execution Vulnerability (CVE-2009-1493)
* Microsoft PowerPoint Remote Code Execution Vulnerability (CVE-2009-0556)

The report concludes by pointing out that finding zero-day vulnerabilities seems to be getting easier as "a direct result of an overall increase in the number of people having skills to discover vulnerabilities worldwide."

Gonzalez pleads guilty to TJX, other data heists

The man described by federal authorities as the mastermind of the massive data thefts at TJX Companies Inc., Heartland Payment Systems and other retailers today pleaded guilty to charges in a 19-count indictment that include conspiracy, wire fraud and aggravated identity theft. Albert Gonzalez, 28, of Miami, also pleaded guilty to one count of conspiracy to commit wire fraud related to a data theft at the Dave & Buster's restaurant chain. That case was being prosecuted separately in New York but was merged with the case in Boston under a plea agreement negotiated with prosecutors a few days ago.

Gonzalez is scheduled to be sentenced Dec. 8 by U.S. District Court Judge Patti Saris in Boston. He faces a maximum of 25 years in prison for the charges in Boston and 20 years for the case in New York. Under the plea agreement, Gonzalez will serve between 15 and 25 years for both cases and will be fined as much as $250,000 for each of the charges. Gonzalez will also forfeit more than $2.7 million in cash as well as multiple pieces of real estate and personal property, including a condominium in Miami, a BMW and several Rolex watches that he is alleged to have acquired through his ill-gotten gains. About $1 million of the money being forfeited was recovered from a container buried in Gonzalez' back yard, according to a statement released today by the U.S. Department of Justice.

Gonzalez was arrested in Miami in 2008 along with 10 other individuals on charges relating to the thefts at TJX, Dave & Buster's, BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW. In August, federal authorities in New Jersey indicted Gonzalez on charges involving breaches at Heartland Payment Systems, Hannaford, 7-Eleven Inc. and two other unnamed retailers. Prosecutors alleged that Gonzalez, along with two unnamed Russian conspirators, stole more than 130 million credit and debit cards from the five retailers. It is not clear if Gonzalez was the leader of a worldwide criminal gang or merely acting at the behest of powerful crime gangs based in Russia and Eastern Europe.

Today's plea brings to an end, for the moment, the career of a hacker who federal authorities say has been the mastermind of the biggest data thefts in U.S. history. But his actions, which his lawyer has claimed stemmed from a computer addiction, have caused millions of dollars in losses to his victims. In addition, some of the companies that were Gonzalez's victims have had to pay fines to Visa and the other card brands for being noncompliant with the credit card industry's Payment Card Industry Data Security Standard and to spend more money to revamp their security controls.

TJX has publicly estimated that costs to the company from the data breach will touch $200 million. Heartland has already spent or set aside more than $12 million and is facing numerous lawsuits from affected institutions.

U.S. Expands H-1B Fraud Case Against N.J. Firm

The U.S. government late last month filed a new, expanded 18-count indictment that now seeks $4.9 million from a New Jersey IT services firm it has accused of fraudulently using H-1B visas.

The government alleges that South Plainfield, N.J.-based Vision Systems Group Inc. paid its H-1B workers in multiple states based on low prevailing wage rates in Iowa through the creation of shell businesses in that state.

The indictment charges that the methods used by Vision Systems "have substantially deprived U.S. citizens of employment."

The initial 10-count indictment against Vision Systems , filed on Feb. 12, was part of a government investigation dubbed Operation Pacific Vision that led to the arrest of 11 people in six states on H-1B fraud charges.

Court documents show that the expanded indictment cut the amount sought by $2.5 million; no explanation for the reduction was given. But it is still the largest H-1B fraud case ever brought by the government.

The figure "represents the total amount of gross proceeds obtained as a result of offenses," according to the indictment.

Vision Systems and its executives are fighting the charges in U.S. District Court in Iowa.

"Workers were paid at or above the prevailing wage rates of the places that they were working," Mark Weinhardt, a Des Moines attorney and a member of the legal team representing the company, contended last week.

Vision Systems' defense has not yet been outlined but is hinted at in the indictment papers.

According to prosecutors, Vision Systems told its H-1B hires that green cards could be obtained more quickly from U.S. Immigration and Customs Enforcement (ICE) offices located outside of New Jersey.

Thus, Vision Systems might claim that it has been using the faster service available at the Iowa ICE offices as a recruiting tool for H-1B workers interested in getting green cards quickly.

Weinhardt did note that the defense team believes that the "indictment is based on a number of misconceptions about immigration law and procedure."

Teradata 13 focuses on speed, geospatial data

Teradata has announced the general availability of Teradata 13, the latest incarnation of its data warehousing software platform.

The product, which was first announced in October, has 93 new features, according to Teradata. It runs on all members of Teradata's family of specialized appliances.

A major new focus of Teradata 13 is support for geospatial data. This capability allows users to factor in geographic conditions when analyzing large stores of information. For example, a trucking company could use spatial data to more effectively map routes against customer buying patterns.

Teradata 13 speeds up this process because the geospatial information resides in the same system as other enterprise data, rather than being stored and processed in a separate data mart, according to the vendor.

While geospatial capabilities are far from new, Teradata apparently believes customer demand for them will grow. Competitor Oracle appears to have the same mindset, recently raising the cost of the Spatial option for its database by about 50 percent.

Meanwhile, Teradata 13 also includes workload management improvements, allowing information to move into data warehouses up to twice as quickly.

In addition, Teradata has updated the software's query optimizer, which determines how to execute users' queries while minimizing the hit to system resources. Query performance has been boosted by up to 30 percent, according to the vendor.

Teradata's announcement comes amid a busy period for the data warehousing and analytics market.

On Monday, competing appliance vendor Netezza announced a faster, lower-cost product called TwinFin, and last week, IBM said it would spend US$1.2 billion to acquire Teradata partner SPSS, maker of predictive analytics software.

Microsoft Office Web Apps still cloaked in mystery

Microsoft Monday shed little light on its forthcoming Office Web Applications, which were announced nine months ago, leaving more questions about the depth of features, their integration with Office on the desktop, how they would run inside a corporate network, and how they stack up to online alternatives.

Microsoft had no beta test code to offer attendees at its annual Partner Conference, where it unveiled a technical preview of Office 2010. Office Web Applications will be delivered as part of the software in the second half of 2010. Microsoft isn't planning a private beta test of Office Web Applications until August.

In fact, Monday's message was strikingly similar to what the company said in October when it announced Web-based versions of its popular Office suite.

The Office Web Apps - Word, Excel, PowerPoint and OneNote - are targeted at online alternatives including Google Docs/Apps and Yahoo's Zoho.

Microsoft did announce the applications will be made available in three ways: free through Windows Live, free to Volume Licensing customers with Software Assurance to run as a service inside their firewalls, and for a fee via Microsoft Online Services in the same hosted manner that Exchange and SharePoint are delivered.

Forrester Research analyst Ted Schadler says he thinks Microsoft is building an augmentation strategy that will not cannibalize its desktop Office franchise. Microsoft said in October that Office Web Applications would not allow offline use.

"You have to have a desktop client for reasons of continuity," Schadler says. "For people who want to work offline, for reasons of confidence and being able to back up and have access to files. But there are times when a Web client makes sense and a lot of those are collaborative situations, when you are working on a document you want a lot of people to see simultaneously, or to know you are always looking at the latest version. The other thing is access to documents when you are not on your work PC."

Microsoft is positioning Office Web Applications as completing the puzzle of documents available anywhere - PC, browser or mobile device.

Microsoft was coy on most everything else to do with Office Web Applications.

A Microsoft spokesman says the company is not sharing any level of detail about the features of the applications beyond the fact they will have "essential editing and formatting" functions. Microsoft described the applications as "lightweight" versions of desktop Office applications.

Microsoft did say that SharePoint will be the back-end repository for companies that choose to run the Office Web Applications inside their firewalls. Those applications, the spokesman says, would be hosted in much the same way Outlook Web Access is run from back-end servers.

SharePoint is also rumored to be a required hub that will support printing and other features from the online Office applications and most likely would be the staging platform for the applications themselves because it can act as a Web server. A video that Microsoft made available showed the applications at work and mentioned that Office Web Applications would run on Internet Explorer, Firefox and Safari.

Microsoft is lining up to battle online competitors such as Google Docs, which is available for free; Google Apps Premier Edition, a $50-per-user suite of applications that includes Google Docs; and Yahoo's Zoho suite.

Office Web Applications don't look to be as sophisticated or feature rich as those offerings, but then Google and Yahoo do not stack up to the desktop version of Office.

Microsoft says Office Web Applications will be free to some 400 million Windows Live consumers and 90 million corporate Office customers with Software Assurance, and available to 510 million existing Office users via online hosting.

Follow John on Twitter: twitter.com/johnfontana

IBM unveils 3D virtual meetings, puts social networking in cloud

IBM/Lotus Wednesday released a 3D virtual environment conferencing service complete with avatars and whiteboards as part of its Sametime line of real-time collaboration software.

The company also said next week it will introduce LotusLive Connections, a hosted version of its social software, including instant messaging, file sharing and activities.

"We are putting social networking in the cloud," said Bob Picciano, general manager of IBM Lotus Software.

Lotus, which made its announcements during the Enterprise 2.0 conference in Boston, also showed new micro-blogging features for Lotus Connections 2.5, its on-premises version of the software.

Picciano said Lotus would offer a Notes plug-in so users can have micro-blogging as part of their Notes sidebar along with Sametime, telepresence and third-party applications such as Twitter.

LotusLive Connections includes file storage and sharing, activities management, online charts and business contact capabilities. IBM offers a similar service called LotusLive Engage, which includes all the features of LotusLive Connections along with Web conferencing and application sharing.

Pricing for LotusLive Connections will start at $10.

IBM's new Virtual Collaboration for Lotus Sametime (VCS), or Sametime 3D, is a hosted service that provides virtual boardrooms, auditoriums or collaboration spaces with the ability to set up meetings via Sametime clients. Users can tap their Sametime contact lists to invite participants. The service supports the Lotus Sametime 8.0.1 client or later.

Meeting participants can use text or voice chat, share documents and take notes on a virtual flip chart. Sametime 3D has a "brainstorming wall" and the ability to vote on ideas.

Lotus quietly demonstrated the technology in January at its Lotusphere conference with the caveat that the technology might never see the light of day. Now six months later, the service is live. IBM said more than 2,500 IBM employees have been testing the service since February.

In addition, IBM officials say they are working with Vivox to add an option for integrated voice using VoIP.

IBM/Lotus officials plan to release other hosted services this year, but have not detailed what functionality they will provide. IBM/Lotus also promised in January other bundles targeted at specific industries and business needs.

Picciano said he has nothing to announce about upcoming services.


10 things you didn't know about cyberwarfare

NEW YORK CITY - Imagine a situation where a powerful country wants to annex its small neighbor, so it launches a week-long campaign of cyberattacks aimed at disrupting the financial, energy, telecom and media systems of its neighbor's biggest ally. A week later, the aggressor launches a full-scale assault on its neighbor by air and sea while the cyberattacks continue. With its ally's defenses weakened, the neighbor agrees to become a province of the aggressor in less than a week.

This scenario is not so far-fetched, according to several experts from the National Defense University who spoke at the Cyber Infrastructure Protection Conference held here last week.


The panel discussion on cyberwarfare is timely given the Obama administration's push to raise awareness and federal spending on cybersecurity initiatives. The president issued a cybersecurity plan earlier this month that includes naming a new high-level cybersecurity coordinator who reports to both the National Security Council and the National Economic Council.

President Obama has said it's clear that the cyberthreat is "one of the most serious economic and national security challenges we face as a nation. It's also clear that we're not as prepared as we should be, as a government, or as a country."  

Experts from the National Defense University, the premier academic institution providing professional education to U.S. military forces, say it is critical for the private sector to realize it will be a target of future cyberwarfare.

"Our adversaries are looking for our weaknesses," says Dan Kuehl, professor of information operations at the National Defense University. "We conduct military operations that are increasingly information dependent and becoming more so. We have a global society that is increasingly dependent on critical infrastructure, and those infrastructures are increasingly interconnected in a global economy."

Kuehl points out that it's inexpensive for terrorists or hacktivists to launch a cyberattack, but it's very expensive and difficult for a country such as the United States to defend its networks and systems against these threats.

"The weaker party may have a very important asymmetric advantage," Kuehl says. "And the first actor may have a very important advantage. ... Winning in the cyber realm may decide the course of the war."

One example of how weaker parties have an advantage in cyberwarfare is the recent terrorist attacks in Mumbai. Stuart Starr, distinguished research fellow at the National Defense University, said the attackers used Google Earth and GPS technology to locate themselves with respect to everybody else.

"They took advantage of hundreds of billions of dollars of investment by buying low-end equipment," Starr said. "These guys are getting a phenomenal benefit from taking advantage of commercial investments."

Based on the views of these military experts, here is a list of 10 things you probably didn't know about cyberwarfare:

1. You need to win the first battle.

In conventional warfare, the country that wins the first battle doesn't necessarily win the war. Think Pearl Harbor. But with cyberwarfare, you need to win the first battle because there may not be a second. The enemy may have so wiped out your critical infrastructure through coordinated cyberattacks that you can't mount an effective defense and are forced to surrender.

2. The first battle could be over in nanoseconds.

Unlike Pearl Harbor, cyberattacks are stealthy. The enemy has already penetrated your networks, attacked your systems and stolen or manipulated your data before you realize that anything is wrong. Once you discover the cyberattack, you have to figure out who did it and why. Today, this type of computer forensics can take days or weeks. By then, you may have lost the war.

3. Cyberwarfare may involve subtle, targeted attacks rather than brute force.

Most people equate cyberwarfare with the massive distributed denial-of-service (DDoS) attacks that Russian hacktivists aimed at Estonia in 2007. But cyberwarfare doesn't need to be waged on such a large scale. Instead of taking out the entire electric grid, a hacker could take out a substation that supports a particular air defense system. Much as we have precision-guided missiles in conventional warfare, we may have precision-guided cyberattacks.

4. The enemy's goal may be to cause chaos rather than destruction.

We tend to think about an enemy blowing up buildings or transportation systems during war. But the political objective of cyberwarfare may be to generate chaos among citizens rather than to destroy infrastructure. For example, what if an enemy launched a cyberattack against a country's financial systems and it appeared that everyone's money was gone from their banks? That kind of attack wouldn't require bombing any bank buildings to create chaos.

5. Data manipulation - rather than data theft or destruction - is a serious threat.

During the Persian Gulf War, a group of Dutch hackers allegedly penetrated dozens of U.S. military computer systems and offered to provide their help to Saddam Hussein. When the breaches were discovered, the military had to stop some deployments and verify that the data in its databases was accurate and hadn't been manipulated by the hackers. This incident demonstrates how misinformation inside hacked computer systems could harm a country's ability to respond to an attack.
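The verification step described above only works if the defender has something the intruder cannot forge. A hash stored next to the rows does not qualify, because whoever can rewrite the rows can rewrite the hashes. The following is an added example, not code from the article or from any of the organizations it mentions: a keyed integrity manifest (HMAC-SHA256 under a key held outside the database) that, after a suspected breach, reports which records were modified, deleted or inserted. The record ids, field names, sample rows and the key are constructed for illustration.

```python
"""Added example: keyed integrity manifest for detecting data manipulation.

The records, field names and key below are constructed for illustration.
The key is assumed to live outside the database (an HSM, an offline file,
a separate signing host), so an intruder who can rewrite rows still cannot
recompute the MACs. Canonical JSON makes the MAC independent of key order
and whitespace, so every field of the record is covered exactly once.
"""
import hashlib
import hmac
import json


def canonical(record: dict) -> bytes:
    """Serialize a record deterministically so equal content gives equal bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(records: dict, key: bytes) -> dict:
    """Return {record_id: hex HMAC-SHA256 over the canonical record}."""
    return {rid: hmac.new(key, canonical(rec), hashlib.sha256).hexdigest()
            for rid, rec in records.items()}


def verify(records: dict, manifest: dict, key: bytes) -> dict:
    """Compare live data against the manifest.

    Returns sorted lists of ids that were modified, deleted (missing) or
    inserted (added). compare_digest keeps the check constant-time so the
    verifier itself is not a timing oracle for the MAC.
    """
    modified, missing = [], []
    for rid, expected in manifest.items():
        rec = records.get(rid)
        if rec is None:
            missing.append(rid)
            continue
        actual = hmac.new(key, canonical(rec), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(actual, expected):
            modified.append(rid)
    added = [rid for rid in records if rid not in manifest]
    return {"modified": sorted(modified),
            "missing": sorted(missing),
            "added": sorted(added)}


# Constructed sample data: a toy deployment table, not real records.
KEY = b"integrity-key-held-off-the-database"   # assumption: stored outside the DB
ORIGINAL = {
    "dep-001": {"unit": "Unit-A", "destination": "Site-1", "depart": "1991-01-10"},
    "dep-002": {"unit": "Unit-B", "destination": "Site-2", "depart": "1991-01-12"},
    "dep-003": {"unit": "Unit-C", "destination": "Site-3", "depart": "1991-01-14"},
}


def tampered_copy() -> dict:
    """Simulate an intruder who edits one row, deletes one and inserts one."""
    data = {rid: dict(rec) for rid, rec in ORIGINAL.items()}
    data["dep-002"]["destination"] = "Site-9"      # silent manipulation
    del data["dep-003"]                             # destruction
    data["dep-004"] = {"unit": "Unit-X", "destination": "Site-0",
                       "depart": "1991-01-15"}      # planted record
    return data


def demo() -> dict:
    """Build the manifest from the trusted copy, then audit the tampered one."""
    manifest = build_manifest(ORIGINAL, KEY)
    return verify(tampered_copy(), manifest, KEY)


if __name__ == "__main__":
    print(demo())  # {'modified': ['dep-002'], 'missing': ['dep-003'], 'added': ['dep-004']}
```

The manifest has to be captured while the data is still trusted (at write time, or from a known-good backup) and stored where the intruder cannot reach it; otherwise the check only proves that the database matches whatever the intruder left behind.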

6. Private networks will be targets.

Most of our country's critical infrastructure - energy, transportation, telecommunications and financial - is privately owned. The companies that operate these networks need to understand that they are certain to be targeted in cyberwarfare, and they need to spend money accordingly to secure their networks, systems and data. This is one reason military experts recommend that operators of critical infrastructure engage with government officials and set up procedures and protocols before they are attacked.

7. When private sector networks are hit, the Defense Department will assume control.

There's a misconception that the owners and operators of critical infrastructure are responsible for cybersecurity. That perspective won't hold up in the face of cyberwarfare, experts predict. Just as the military is responsible for securing the airspace and ground around an electricity plant, so it is going to assume responsibility for the cybersecurity of that plant if a cyberattack should occur, they warn.

8. Private networks might be used to launch a cyberattack.

If companies don't properly secure their networks, their systems may be taken over by a botnet and used in a cyberwarfare incident. For example, two-thirds of the computers used to launch DDoS attacks against Estonia were inside the United States although they were controlled by Russian hacktivists, experts say. Typically, the machines used in a cyberattack are not owned by the attacker. Most companies don't realize they are vulnerable to having their network assets used for cyberwarfare.
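A company that does not want to be one of those two-thirds needs a way to notice when one of its own hosts starts flooding someone else. The following is an added example, not from the article or from any organization it names: a simple egress check over flow records that flags an internal host opening a very large number of tiny flows to one outside address within a short window, which is what a bot taking part in a flood looks like from the inside. The flow-record format, the address ranges, the sample traffic and the thresholds are all assumptions chosen for illustration; a real deployment would read NetFlow/IPFIX or firewall logs and tune the thresholds to the site's own baseline.

```python
"""Added example: flag internal hosts that look like DDoS bots from flow logs.

Assumptions (not from the article): each line is "epoch src dst dport proto bytes",
internal space is 10.0.0.0/8 and 192.168.0.0/16, and the thresholds below are
illustrative. The signal is per (source, destination, window): many flows and
almost no payload per flow. Ordinary users fan out to many destinations and
move far more bytes per flow.
"""
import ipaddress
from collections import defaultdict

WINDOW_SECONDS = 60
FLOW_THRESHOLD = 200      # assumption: flows per window from one host to one target
SMALL_FLOW_BYTES = 128    # assumption: mean bytes/flow that carries no real payload
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"),
            ipaddress.ip_network("192.168.0.0/16")]


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)


def parse_flow(line: str) -> dict:
    ts, src, dst, dport, proto, nbytes = line.split()
    return {"ts": int(ts), "src": src, "dst": dst,
            "dport": int(dport), "proto": proto, "bytes": int(nbytes)}


def find_flooders(lines) -> list:
    """Return one finding per (src, dst, window) that exceeds the thresholds."""
    stats = defaultdict(lambda: [0, 0])   # (window, src, dst) -> [flows, bytes]
    for line in lines:
        f = parse_flow(line)
        # Only outbound traffic from our own hosts is of interest here;
        # inbound floods are a different problem with different owners.
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue
        key = (f["ts"] // WINDOW_SECONDS, f["src"], f["dst"])
        stats[key][0] += 1
        stats[key][1] += f["bytes"]
    findings = []
    for (window, src, dst), (flows, nbytes) in stats.items():
        if flows >= FLOW_THRESHOLD and nbytes / flows <= SMALL_FLOW_BYTES:
            findings.append({"src": src, "dst": dst,
                             "window_start": window * WINDOW_SECONDS,
                             "flows": flows, "avg_bytes": nbytes // flows})
    return sorted(findings, key=lambda x: (x["src"], x["window_start"]))


def constructed_sample() -> list:
    """Synthesized flow lines; window 17 starts at epoch 1020 (17 * 60)."""
    lines = []
    # A normal workstation: a few flows to different sites with real payloads.
    for i, dst in enumerate(["198.51.100.20", "198.51.100.21",
                             "203.0.113.44", "203.0.113.10"]):
        lines.append(f"{1020 + i * 7} 10.0.0.5 {dst} 443 tcp {3500 + i * 900}")
    # A compromised host: 400 tiny flows to one target inside one minute.
    for i in range(400):
        lines.append(f"{1020 + (i % 60)} 10.0.0.9 203.0.113.10 80 tcp 60")
    # Inbound traffic toward the same host is ignored by this detector.
    for i in range(300):
        lines.append(f"{1020 + (i % 60)} 203.0.113.77 10.0.0.9 80 tcp 60")
    return lines


if __name__ == "__main__":
    for finding in find_flooders(constructed_sample()):
        print(finding)  # one line: 10.0.0.9 -> 203.0.113.10, 400 flows, 60 bytes avg
```

The workstation that also talks to 203.0.113.10 is not flagged, because the count is kept per source host, and the 300 inbound records are skipped entirely. Amplification-style participation (few flows, large responses to a spoofed victim) needs a different signature; this check only covers the many-small-flows pattern the Estonia attacks relied on.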

9. Don't ignore the insider threat.

One of the biggest vulnerabilities in networks is from insiders with legitimate access to computers and data. The same threat exists in cyberwarfare. One way this threat might occur is for the enemy to kidnap a family member of a network operator and then force the network operator to install malware. That's one reason government agencies and private companies running critical infrastructure need adequate security controls over their employees.

10. Cyberwarfare is warfare.

Looking at cyberwarfare as separate from traditional warfare is a mistake; it has to be tied to physical warfare, experts say. For example, an enemy might blow up a building on the ground that disables a satellite, which in turn disables Internet access. In a cyberwar, network attacks will likely be combined with physical attacks. So protecting against cyberwarfare needs to be considered as part of a broader military strategy.