In Beijing, Internet access will soon be in high demand: Half a million people are expected to visit the city of 17 million for the Olympics, and most of them will want web-based access to personal and corporate sites. This may well be the largest international remote access event ever. Much of the attention has been around whether visitors can surf the Internet. But some people are wondering whether they should. Is it safe to surf from China?
“With Software-as-a-Service applications, more users will access their applications across the Internet, so companies can’t rely on physical or firewall access,” said Marc Gaffan, director of product marketing for RSA’s Identity and Access Assurance Group. “The risks are significantly increased.” The U.S. government’s head of counter-espionage, Joel Brenner, is also cautioning travelers to Beijing about identity theft and other threats.
Most users assume that a secure web connection makes them safe. After all, that little yellow SSL padlock doesn’t just mean your traffic is encrypted, it also tells you the URL you’re visiting is the one you wanted — right? Not always, said Jayson Agagnier, a security consultant who specializes in corporate counter-espionage. “On older browsers, the padlock will still be there even if the user accepts a certificate that is not publicly signed.”
To collect passwords, hackers only need to trick surfers into logging in. Many casual users won’t think twice about typing in www.mybank.com and being redirected to mybank.login.com, provided that the new site looks the same. “Obtaining a certificate is fairly easy,” said Gaffan, “and no one really checks the certificate in the lock.”
Phishing for usernames can happen anywhere, but when half a million people descend upon a country that heavily regulates its Internet, it’s an excellent opportunity for mischief. So how can organizations protect themselves? Here are some suggestions:
Capturing logins isn’t the only risk, however. It would take a real conspiracy to present a completely faked site, complete with the right URL and a valid SSL certificate. But if a government owns the network, it’s the lawful man in the middle, and it has the resources for such schemes. “You can control the DNS, display any page you like, entice people to log in,” said Gaffan. As IOC president Jacques Rogge said on July 31, “We are not running the Internet in China. The Chinese authorities are running the Internet.”
Agagnier says Olympics-related travel presents a huge industrial and economic espionage opportunity, but Gaffan says he thinks an elaborate network attack may be more work than it’s worth. “If I were a fraudster, I would just spend two hours in Beijing hotels and Internet cafes installing key loggers. You could collect names and passwords, even things like frequent flier numbers that could be used for corporate espionage to track the travel patterns of a competitor’s employees.”
Syntenic CTO Daniel Koffler agrees: “I would be concerned about malicious WiFi access points … You don’t really need to own the back-end pipe; a cheap access point and an SSL proxy is all anyone on the street would need to collect some serious information. While you’re in Beijing, if the state wants your data, they’re going to get it. It’s the billion or so citizens you have to watch out for.”
Perhaps the best defense is to take the week off. Several enterprise IT professionals I interviewed for this story said they’re simply telling their users not to log in from China.

Apple’s Mac OS X Leopard, released last week, has over 300 new features. Too bad the latest Java SDK isn’t one of them. And the Java developers that use Mac OS are fuming.
They’re feeling slighted: In January, Apple (AAPL) CEO Steve Jobs told the New York Times that “Nobody uses Java anymore.” Fast-forward to the release of the new operating system — JDK 1.6 isn’t in there.
While Jobs might have been referring to the iPhone and its notoriously locked-down development environment, the developers may have a point. James Gosling, the creator of Java, suggests that Apple doesn’t view developers as their core demographic. That’s in pretty sharp contrast to Microsoft’s (MSFT) developer focus.
Mac releases of Java lag those for Linux and Windows, and release 1.6 speeds up applications considerably, something Java needs in its fight with Adobe (ADBE) and Microsoft. Apple teased Java developers at its worldwide development conference with details on how Leopard would work well with Java, and the community got its hopes up.
Part of the problem is that Apple insists on developing the JDK for MacOS. But another part is the company’s attitude towards innovation: That’s Apple’s Job.
As a company that makes both the hardware and the operating system, Apple has imposed more restrictions and regulations on its products than other computer manufacturers.
It’s possible that giving developers tools and open access to platforms will further reduce Apple’s control over the desktop. But by limiting development tools, Apple is playing a risky game that may send developers looking for friendlier development platforms.
It has been a summer of virtualization: the blockbuster IPO of VMware (VMW) followed by the $500 million acquisition of XenSource by Citrix Systems (CTXS).
For now, the key driving force behind virtualization is money, or rather the need to save money. “The cost of power in the data center is surpassing the amount of the equipment. It didn’t used to be that way,” Sun Microsystems (SUNW) CIO Bob Worrall told Earth2Tech. And virtualization seems to be one way of tackling the issue:
Virtualization right now is at the tip of the iceberg. It is going to be complementary to solving the whole power problem. It’s a dirty secret in the industry that most data centers today run inefficiently. Virtualization makes it easier for CIOs who want to run servers at 80 or 85 percent. It’s the only way to get there.
Full interview with Worrall @ Earth2Tech.