Tag Archive for 2010

First Broadband Over Powerline Net Dead

The Manassas, VA broadband over powerline (BPL) network is dead. DSLReports cites the chief protagonist of the BPL drama, the American Radio Relay League (ARRL), which won when, on April 05, 2010, the Manassas City Council unanimously voted to pull the plug as of July 01, 2010.

Broadband over powerline was once praised as the third alternative to the telcos’ and cablecos’ stranglehold on the broadband market. Former FCC chief Michael Powell called the Manassas installation “the pinnacle of broadband achievement” just five years ago. In the meantime, increased broadband speeds and the unwillingness of utilities to become broadband providers doomed BPL.

rb-

International Broadband Electric Communications (IBEC) to play on. They won’t have to deal with that pesky FCC or end-users since they can sell their broadband over powerline products to utilities as part of the U.S. Department of Energy’s $3.3 billion smart grid technology development cash give-away grants.


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Update Email Policy

A court case coming out of New Jersey could impact most firms’ privacy and security practices, according to an article on DarkReading. The New Jersey Supreme Court recently ruled in Stengart v. Loving Care Agency, Inc., 408 N.J.Super. 54, 973 A.2d 390 (Superior Ct., A.D. 2009) that an employer cannot read email messages sent via a third-party email service provider, even if the emails are accessed during work hours from a company PC.

The court found the company’s policy on email use to be vague, noting it allows “occasional personal use.” “The policy does not address personal accounts at all,” the decision said. “The policy does not warn employees that the contents of such emails are stored on a hard drive and can be forensically retrieved.”

The ruling, written by Chief Justice Stuart Rabner, states in part that the employee could “reasonably expect that emails she exchanged with her attorney on her personal, password-protected, web-based email account, accessed on a company laptop, would remain private.” Rabner continues that the employee “plainly took steps to protect the privacy of those emails and shield them from her employer. She used a personal, password protected email account instead of her company email address and did not save the account’s password on her computer.”

The law firm of Jackson Lewis provides a legal overview of the case on its blog, The Workplace Privacy Data Management and Security Report, and recommends that employers consider modifying their existing electronic communication policies to include:

  • Clear notice that personal, web-based emails accessed using company networks and stored on company networks or company computers can be monitored and reviewed by the company (of course, care should be taken here to avoid concerns under the Electronic Communications Privacy Act and the Stored Communications Act);
  • Definitions of the specific technologies and devices to which the policies apply;
  • Warnings that web-based, personal e-mail can be stored on the hard drive of a computer and forensically accessed;
  • No ambiguities about personal use.

Rb-

I am no lawyer; be sure to consult your attorney about this and all legal issues. In my opinion, this ruling is new law-making. The new laws are applicable only in New Jersey for now. However, unless the U.S. Supreme Court overturns this new law, it will be the starting point for all other litigation. Firms should begin reviewing and updating their technology policies to protect themselves from this new law.

An interpretation of the ruling suggests that employees have to be specifically warned that it is possible to forensically retrieve data from the firm’s computers. In this ruling, the Court found, “the Policy does not warn that the contents of personal, web-based e-mails are stored on a hard drive and can be forensically retrieved and read.”

Sounds like another shot in the arm for the content filtering firms.


NICs Latest Threat to PCs

The latest malware attack vector is the network interface card (NIC). According to a post at Gizmo’s Freeware, two separate presentations at the CanSecWest international security conference demonstrated exploits utilizing network cards. The article reports that both exploits focused on Broadcom (AVGO) NICs.

The post reports that in at least one of the demos the researcher used the Broadcom remote factory diagnostic mechanism to install custom firmware on the network card. The researcher used the compromised firmware to create a tunnel into the PC in such a way that packets sent via the tunnel were not visible to the system firewall. Using the network card’s access to memory, the attacker could then run whatever code he wanted.

HP uses the vulnerable NICs in PCs

HP (HPQ) uses the vulnerable Broadcom NICs in many PCs. In response, the HP Software Security Response Team has released a Security Bulletin (Document ID: c02048471) “HP Small Form Factor or Microtower PC with Broadcom Integrated NIC Firmware, Remote Execution of Arbitrary Code.” In the bulletin, HP says this information should be acted upon as soon as possible.

HP has made softpaq SP47557 available to resolve the vulnerability. In the bulletin, HP says the following models contain the Broadcom Integrated NIC firmware:

  • HP Compaq 6005
  • HP Compaq dc5700
  • HP Compaq dc5750
  • HP Compaq dc5850
  • HP Compaq dc7600
  • HP Compaq dx7200
  • HP rp3000 Point of Sale System
  • HP rp5700 Desktop PC
  • HP rp5700 Point of Sale System

Rb-

This is a new hole, not a new attack. The premise appears to be poor design. Why would a manufacturer leave “the remote factory diagnostic mechanism enabled”? The article goes on to say that “by default, the remote factory diagnostic mechanism (ASF or Alert Standard Format 2.0) is normally turned off.” That’s a good thing unless it’s not, then you got troubles.

This technique would allow a very low-level attack that is not visible to traditional desktop security software. The network security devices would have to pick up the threat and not desktop security software. This also proves the case for good asset management; I can think of one client who has 80+ of the HP 5700s distributed at 80+ sites without a management tool such as Intel’s vPro to push these low-level updates to PCs. There is no telling if these PCs will ever get patches unless Microsoft adds it to Windows Update.

 


What is eWaste?

Electronic waste (eWaste) is classified as hazardous waste if it has components that are toxic (poisonous), ignitable/combustible, corrosive, or reactive. Most electronic devices contain heavy metals, such as lead. The BBC reports that the typical personal computer has many materials that are valuable, dangerous, or both.

According to the BBC, the hazardous wastes included in typical PC eWaste are:

  1. Lead in cathode ray tube and solder.
  2. Arsenic in older cathode ray tubes.
  3. Selenium in circuit boards as power supply rectifier.
  4. Polybrominated flame retardants in plastic casings, cables and circuit boards.
  5. Antimony trioxide as flame retardant.
  6. Cadmium in circuit boards and semiconductors.
  7. Chromium in steel as corrosion protection.
  8. Cobalt in steel for structure and magnetism.
  9. Mercury in switches and housing.

eWaste risks

An article at CIO.com says that a firm’s major source of potential eWaste disposal liability comes from the Comprehensive Environmental Response, Compensation and Liability Act (CERCLA), aka the Superfund law. Under Superfund, the U.S. Department of Environmental Protection (EPA) identifies contaminated sites, arranges for cleanup, identifies responsible parties and seeks compensation for the cleanup costs. Many of these sites are landfills where a firm would typically send trash, including obsolete computer equipment.

Once the EPA targets a firm, the firm can pay the fine or fight the EPA in federal court. The court proceeding could be a costly and time-consuming investigation into the environmental impact of the firm. Firms can be on the hook for all clean-up costs, unless they can prove they never deposited so much as a printer cartridge at that site. The Superfund law states that all contributors to a contaminated site are jointly and severally liable for the entire cost of the cleanup.

Michigan eWaste rules

Enhancing the Superfund threats are state laws and regulations that affect the disposal of eWaste. For example in Michigan, Governor Granholm signed Senate Bill No. 897 into law in Dec. 2008. The law imposes a new annual registration tax of $2,000 to $3,000 on manufacturers of computers and related equipment sold in Michigan to fund a take-back program. Producers must pay for the collection, transportation and recycling.

The program is available for small businesses (10 employees or fewer) purchasing new computers and televisions. Under the take-back program, they may recycle up to 7 covered electronic devices per day for free. Covered devices include computers, peripherals, facsimile machines, DVD players, video cassette recorders, and video display devices. Printers will be added in 2011. Program collection must start by April 1, 2010. The Michigan Department of Natural Resources and Environment (DNRE) is responsible for enforcing these eWaste laws. Larger firms are on their own and there is no current ban on disposal of e-waste. Firms with locations in New York or California face much tougher requirements.

Many firms take the opposite approach to dumping eWaste into the landfill and retain their out-of-date IT assets. In 2007, the EPA estimated the number of desktop computers, monitors and notebooks in storage totaled over 110 million units. Despite the declining cost of office space, storing obsolete equipment is a waste of money. Storing obsolete equipment creates data loss risks, and any residual value in the equipment will disappear. There are steps a firm can take to deal with e-waste.

Disposal plan

CIO.com suggests the first step in disposing of eWaste is a well-thought-out technology disposal plan. The plan should start with an attorney or an environmental consultant to get a fuller understanding of the risks and opportunities. CIO.com says the eWaste plan should address:

  • A way to track regulatory changes.
  • Develop methods for achieving your business goals in an environmentally and legally sound way.
  • Determine the point at which your waste volume puts you in a more restrictive class of regulation.
  • Evaluate tax liabilities and incentives.
  • Preserve the confidentiality of legal and business-critical information.

The environmental consultant should be able to find alternative options for reusing and recycling out-of-date equipment. They should be able to identify a network of local computer resale shops, nonprofit groups, and government agencies where businesses can donate, upgrade or recycle used computer equipment. According to the CIO.com article, the consultant can develop agreements that shift the burden and financial risks to others who are better situated to manage the issue. One way to defer the eWaste risk is to lease computer equipment rather than buying it. This way the manufacturer is responsible for disposal at the end of the term.

rb-

We have developed eWaste programs and PC life-cycle programs for clients. We try to bring home the problems of storing out of use IT assets including:

  • Wasted money for floor space to store equipment and the loss of residual value, especially with high-end equipment which could be re-sold on eBay.
  • Data protection regulatory and theft risks. After all, who checks on the old servers once they get stashed in the warehouse?
  • Environmental regulatory risks. If a firm stashes away enough obsolete systems, the storage area can change the firm’s EPA status to a hazardous waste generator.

 


Digital Swiss Army Knife

Victorinox, the firm behind the legendary Swiss Army Knife, has introduced the Victorinox Secure Pro. The Secure Pro has a USB memory stick integrated into it along with the expected knives and screwdrivers. The firm claims it is the most secure USB stick of its kind available to the public. The Secure Pro uses several layers of security to protect the data on it from being stolen.

The security layers included in the Swiss Army Knife include a fingerprint scanner linked to a heat and oxygen sensor. The sensor is capable of determining whether the user’s finger is still attached to a living person – so that a detached finger will not yield access to the memory stick’s contents. Any attempt to forcibly open the Victorinox Secure triggers a self-destruct mechanism that destroys the CPU and memory chip.

The Victorinox Secure Pro uses AES256 technology, together with MKI’s Schnuffi Platform Single Chip Technology. Martin Kuster, CEO of security chip specialist MKI, told InfoWorld, “I’m concerned about the way technology is progressing, with all our personal data going into ‘the cloud.’ Soon everything will go into the cloud – and I don’t like it! Perhaps one day I will have to buy back all this information from eBay!” The security integrates Single Chip Technology, meaning that there are no external and accessible lines between the different coding/security steps, as on multi-chip solutions; this makes cracking the hardware impossible.

Victorinox was so confident of Swiss Army Knife security that it offered a $150,000 prize to a team of professional hackers if they could break into it during the two-hour product launch event. The money went uncollected. Victorinox Secure’s designer, Kuster, stated, “Life is becoming more digital every day… And yet people do so little to protect their data. The world’s most common password is ‘12345’ – and even encryption can be broken given time.”

“We wanted to create not only a product for today’s modern lifestyle but a new generation of memory stick that had all the values of functionality and reliability that the iconic Swiss Army Knife has come to represent” stated Carl Elsener Jr., Victorinox’s CEO. “We think of the Victorinox Secure as the digital Swiss Army Knife.”

The Secure Pro Swiss Army Knife was launched 03-25-10 in London and is available in 8GB, 16GB, and 32GB sizes and will sell for $75 to $270. Additional features include:

  • LED Mini White Light
  • Retractable Ball Point Pen
  • Blade
  • Scissors
  • Nail File with
  • Screwdriver
  • Keyring

David Reinsel, group vice president of storage and semiconductor research at IDC was on-point when he stated, “It’s a cool product that will capture attention … adoption en-masse by corporations is quite another thing.” Reinsel told Newsfactor.com that there’s no doubt that data breaches are expensive for businesses in many ways. However, so is data on a computer that sits behind an encryption key that only the employee knows, he said. “Hence the age-old issue — corporations (most of them) want to control the encryption methodology and the keys,” Reinsel said. “Any corporate solution would have to allow for some type of master-key so that the company can get at a rogue employee’s data.”

rb-

Mr. Reinsel is on-point; this Swiss Army Knife, no matter the cool factor, is a threat to the enterprise’s data. The size of the device can swallow a whole database and once it is encrypted with an individual’s key, it is pretty much gone. There is also the risk that some overambitious TSA agent will “confiscate” it if the user forgets to put the knife part of the device in checked baggage.

Despite all of that the cool factor is high and I want one.

 
