Cyberattacks on U.S. military jump sharply in 2009

Cyberattacks on the U.S. Department of Defense - many of them coming from China - have jumped sharply in 2009, a U.S. congressional committee reported Thursday. Citing data provided by the U.S. Strategic Command, the U.S.-China Economic and Security Review Commission said that there were 43,785 malicious cyber incidents targeting Defense systems in the first half of the year. In all of 2008, there were 54,640 such incidents. If cyber attacks maintain this pace, they will jump 60 percent this year. That's a big jump.

The committee is looking into the security implications of the U.S.' trade relationship with China. It released its annual report to Congress Thursday, concluding that a "large body of both circumstantial and forensic evidence strongly indicates Chinese state involvement in such activities." "The quantity of malicious computer activities against the United States increased in 2008 and is rising sharply in 2009," the report states. "Much of this activity appears to originate in China." "The cost of such attacks is significant," the report notes. Citing data from the Joint Task Force-Global Network Operations, the report says that the military spent $100 million to fend off these attacks between September 2008 and March 2009. A Defense Department spokesman did not have any immediate comment on the report's numbers Thursday.

Attacks on department systems have been rising steadily for years. In 2000, for example, only 1,415 incidents were reported. The increase is in part due to the fact that the U.S. military is simply better at identifying cyberthreats than it used to be, said Chris Poulin, the chief security officer of Q1 Labs and formerly a manager of intelligence networks within the U.S. Air Force. The department figures are "probably more accurate now" than they were nine years ago, he said. Security experts have long known that many computer attacks originate from Chinese IP (Internet Protocol) addresses, but due to the decentralized nature of the Internet, it is very difficult to tell when an attack is actually generated in China rather than simply using Chinese servers as a stepping stone.

Q1's Poulin says that his company's corporate clients in the U.S. are seeing attacks that come from China, North Korea and the Middle East. "We do definitely see patterns coming from specific nation states." He said that because China's government has taken steps to control Internet usage in the country, it could probably throttle attacks if it wanted to. "China's definitely initiating attacks," he said. "State-sponsored? Who knows. But they're certainly not state-choked."

What makes a carrier green?

ABI Research today released its rankings for "green" telecom carriers, rating major North American carriers based on how much they've invested in energy-saving IT technologies, internal telework initiatives and even recyclable mobile phones. What is it that makes a carrier green? ABI analyst Aditya Kaul spoke with Network World Senior Writer Brad Reed and discussed the metrics ABI used to create its ratings, which carriers fared best in the study and the benefits of green IT to consumers and businesses.

What is it that makes a carrier green?

We have listed a number of requirements for an operator to be green. This looks at both corporate social responsibility (CSR) green initiatives and green network infrastructure initiatives. As for CSR, we look at green vehicle fleets, green IT, green handsets, recycling, etc. As for network infrastructure, we look at things like use of alternative energy sources at cell sites; using innovative technologies to reduce energy consumption at cell sites; how involved they are with their value chain to drive environmental standards and the materials to be used; their openness to declare their carbon footprint and measure it; research and innovation budget dedicated to green networks or ecological initiatives; and so forth. We look at green from the telecom perspective across handsets, recycling, Wi-Fi, network infrastructure and basically the complete value chain.

What sorts of technological investments does ABI rate as "green investments"? Particularly, what do you define as green network infrastructure?

Green to us means technologies that are used to reduce the impact of climate change. Green network infrastructure essentially means using technologies or methods to reduce energy consumption. The use of innovative technologies in base stations, like lower-power amplifiers and remote radio heads, are good examples of green technologies; so are the use of alternative fuels for off-grid and on-grid sites; the use of green core network equipment such as super switches, which aggregate switches into one unit, saving energy; and initiatives to reduce cell site power consumption, including auxiliary site equipment. We also evaluate the amount of carbon reduction reported due to green mobile infrastructure initiatives. But more importantly, it turns out that green also means dollar savings for operators. For example, a reduction in energy consumption at a cell site accounts for a reduction in operating expenses.

The study says both AT&T and Sprint have distinguished themselves well as far as green investments go. Can you name some specific big-ticket investments they've made and how they're projected to save them energy?

AT&T essentially wins on innovation and also in terms of green network infrastructure. They have paid attention to how much energy is being consumed in their network infrastructure, have defined new metrics to measure carbon emissions, and have implemented programs such as the reduction of dual networks, which saved them 207,549 metric tons of CO2 emissions. AT&T also is doing work through its research facility at Bell Labs related to technologies that could save energy in the network. They are also actively involved in smart grid projects across the United States, especially with initiatives targeting last-mile connectivity and two-way communication. On the other hand, Sprint leads in areas like green handsets with their Samsung Reclaim; recycling initiatives, where they expect to recycle 90% of phones that it has sold by 2017; putting together initiatives to drive their supplier value chain to adopt greener practices; and green IT initiatives including retiring servers, improving cooling efficiency of data centers, and recycling of e-waste. Sprint also has a clear strategy around educating the consumer, primarily driven through their green site. Overall, the company expects to reduce carbon emissions by 15% by 2017. [Other initiatives include] recycling 50% of its operational waste; having 90% of suppliers complying with environmental standards; and securing 10% of its energy from renewable resources.

But while Sprint's green message is overarching and built around educating the customer, it fails to provide details on how those goals will be met. Do they have any green IT investments of note?

The company's green message seems to lack in terms of the details of how they will achieve those goals, and falls behind in some critical areas such as green network infrastructure, where AT&T seems to have a better handle.

What do other carriers, such as say Verizon or Rogers, have to do to catch up?

The other carriers are way behind on most of the criteria measured and only have limited programs, such as handset recycling, which could be considered as green. Although Verizon has some CSR initiatives like green IT, it loses out in terms of the breadth and depth of its green initiatives, which seem limited compared to competitors like Sprint and AT&T. The majority of carriers do not have an idea or any initiatives around reducing the energy consumption of their mobile network. From the matrix perspective a lot of weight has been given to the network aspect of the operator, as the mobile network makes up around 80% of the total energy consumption for an operator.

Finally, what benefits, if any, are there for consumers and businesses of carriers investing in green technology?

There is the ethical standpoint of aligning with an operator that is doing its best to reduce its carbon footprint and has a strategy around doing that. I think for the consumer, the biggest advantage will be from the handset perspective in terms of recycling initiatives that the operator has, its goals around driving its supplier value chain to use environmentally friendly materials, etc. Being green is also good for shareholder value. Any savings that an operator can make on its network costs, it can then pass on to the consumer.

Wipro, other Indian outsourcers expand in the US

Wipro, India's third largest outsourcer, is expanding its development center in Atlanta from 350 to 1,000 staff, reflecting a growing trend for Indian outsourcers to expand and hire locally in the U.S. market. The company said that 80 percent of its current 350 employees were hired locally, including recent graduates from reputable academic institutions in Atlanta, experienced professionals and retired army personnel. India's largest outsourcer, Tata Consultancy Services (TCS), said earlier this month that it was expanding its business alliance with The Dow Chemical Company, including setting up a services facility near the site of Dow's global headquarters in Midland, Michigan. TCS also announced that it was expanding a software services delivery center in the Cincinnati suburb of Milford, Ohio. Infosys BPO, the business process outsourcing subsidiary of outsourcer Infosys Technologies, also said this month that it would acquire McCamish Systems, a BPO company in Atlanta focused on the insurance and financial services market.

Indian outsourcing companies are expanding both in India and in the U.S., their key market, in anticipation of a pickup in business. Employing staff in the U.S. is expected to go over well with the local community and politicians because of resentment in the U.S. about companies moving jobs to India and other countries, analysts said. Political considerations are evidently a factor for Indian outsourcers to expand in the U.S., said Siddharth Pai, a partner at outsourcing consultancy firm Technology Partners International (TPI) in Houston. U.S. Senators Bernie Sanders, an Independent from Vermont, and Chuck Grassley, an Iowa Republican, last week introduced legislation, called the Employ America Act, that would prohibit firms that lay off 50 or more workers from hiring guest workers. U.S. companies also do not want to be seen sending jobs abroad, he added.

But there are also strong business considerations that require Indian companies to set up operations in the U.S., according to Pai. Indian outsourcers have to start looking like global players, Pai said. Japanese car makers, for example, manufacture all over the world, because some customers would like to buy locally produced goods, he added. Certain types of work even in BPO, such as development of technology platforms for services delivery and analytical work, require proximity to customers, he added.

Plex 0.8.3 brings extensive Snow Leopard compatibility

If you want to use your Mac as a media center, there's no better app for accomplishing that objective than Plex (Macworld rated 4.5 out of 5 mice). This modern media center application features a gorgeous interface, automated and intelligent metadata-fetching capabilities, support for a vast variety of formats, the ability to play full 1080p high definition videos smoothly, an extensible plug-in architecture, and a host of more advanced, powerful features. As with many other applications, Apple's release of Snow Leopard left Plex playing catch-up, and though there has been an update or two over the past couple of months to improve compatibility with the latest big cat, Plex's relationship with Snow Leopard has remained strained at best. That's all over, however, because Plex 0.8.3 is out and it brings a whole bunch of important bug fixes to the table, putting the software right back where it was before Snow Leopard came prowling. The most important fix involves the installation of a Candelair driver for the Apple Remote that makes it once again work smoothly with Plex (without also triggering Front Row and controlling iTunes in the background). And that isn't all.

The fine folks at Plex have finally put in a feature that addresses a longstanding complaint of Plex users around the world, myself included. It's called dynamic range compression and it boosts the volume of downmixed 5.1 audio. To enable it, go to Preferences -> System -> Audio and change the Mixdown Volume Boost setting from Disabled to Normal. You'll also need to change the Digital Output Support setting to Force Digital and then disable the Dolby Digital (AC3) Capable Receiver and DTS Capable Receiver settings. Once all that is done, go back and play a movie with 5.1 channel audio. And turn down the volume, please.

And did I mention that Plex is a free application? Well, it is, so go ahead and give it a shot. The update weighs in at 104MB and is worth every iota of bandwidth you spend downloading it.

Secrets pref pane updated for Snow Leopard

Blacktree Software has released Secrets 1.0.6, a Snow Leopard-compatible version of their preference pane which exposes hidden features on your Mac. Secrets provides handy checkboxes to turn these features on and off, and doubles as a menu of secret settings. If you've ever read a Mac tip that starts, "Open a Terminal window and type 'defaults write...'", it's highly likely that you can save yourself that effort with this preference pane.

A "Top Secrets" entry shows a list of popular options, but many more options for various applications can be selected from the application sidebar. Clicking on any of the listed features will show you a short description of what it does at the bottom of the window; click on the More Info button for a detailed description. A few caveats before you go too nuts with the Secrets features: many of the features in Mac OS X that aren't official remain "secret" because they're not entirely debugged. You can expect to see some odd behaviors if you turn some of these on, so don't tick every checkbox at once; try out a change to see if you like it (and can live with any side effects) before you go on to something else.

The Secrets preference pane requires System Preferences to run in 32-bit mode, and will prompt you to relaunch if, as per the Snow Leopard default, it's in 64-bit mode when you launch it. If this is happening with several of your third-party preference panes, you can set System Preferences to stay in 32-bit mode by selecting the System Preferences.app in the Finder, choosing Get Info, and ticking the "Open in 32-bit mode" checkbox. All of your Apple 64-bit preference panes will work just fine. Secrets requires Mac OS X 10.5 or later and is a free download. [via TUAW]

Data masking secures sensitive data in non-production environments

Last week's article covered the topic of protecting data in databases from the inside out; that is, watching every action involving data as it happens and promptly halting improper actions. This week's article takes a look at data masking, which is another way to protect sensitive data, especially as it is being copied and used in the development and testing of applications. Data masking is the process of de-identifying (masking) specific elements within data stores by applying one-way algorithms to the data. The process ensures that sensitive data is replaced with realistic but not real data; for example, scrambling the digits in a Social Security number while preserving the data format.

The one-way nature of the algorithm means there is no need to maintain keys to restore the data, as you would with encryption or tokenization. Data masking is typically done while provisioning non-production environments so that copies of data created to support test and development processes do not expose sensitive information.

If you don't think this is important, consider what happened to Wal-Mart a few years ago. Wired.com reports that Wal-Mart was the victim of a serious security breach in 2005 and 2006 in which hackers targeted the development team in charge of the chain's point-of-sale system and siphoned source code and other sensitive data to a computer in Eastern Europe. Wal-Mart at the time produced some of its own software, and one team of programmers was tasked with coding the company's point-of-sale system for processing credit and debit card transactions. This was the team the intruders targeted and successfully hacked. Many computers the hackers targeted belonged to company programmers.

Wal-Mart's situation may not be unique. According to Gartner, more than 80% of companies are using production sensitive data for non-production activities such as in-house development, outsourced or off-shored development, testing, quality assurance and pilot programs. The need for data masking is largely being driven by regulatory compliance requirements that mandate the protection of sensitive information and personally identifiable information (PII). For instance, the Data Protection Directive implemented in 1995 by the European Commission strictly regulates the processing of personal data within the European Union. Multinational corporations operating in Europe must observe this directive or face large fines if they are found in violation. U.S. regulations such as the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA) also call for protection of sensitive financial and personal data.

Worldwide, the Payment Card Industry Data Security Standard (PCI DSS) requires strict security for cardholder data. In order to achieve full PCI compliance, organizations must protect data in every system that uses credit card data. That means companies must address their use of cardholder data for quality assurance, testing, application development and outsourced systems - and not just for production systems. In the Wal-Mart case discussed above, the retailer failed to meet the PCI standard for data security by not securing data in the development environment. A lack of processes and technology to protect data in non-production environments can leave a company open to data theft or exposure and regulatory non-compliance.

Many large organizations are concerned about their risk posture in the development environment, especially as development is outsourced or sent offshore. Development and test environments are rarely as secure as production, and there's no reason developers should have access to sensitive data. And while encryption is a viable security measure for production data, encryption is too costly and has too much overhead to be used in non-production environments. Data masking is an effective way to reduce enterprise risk.

Many database vendors offer a data masking tool as part of their solution suites. These tools, however, tend to work only on databases from a specific vendor. An alternative solution is to use a vendor-neutral masking tool. Dataguise is one of the leading vendors in the nascent market of data masking. The dataguise solution has two complementary modules. dgdiscover is a discovery tool that searches your environment (including endpoints) to find sensitive data in structured and unstructured repositories. So, even if someone has copied data to a spreadsheet on his PC, dgdiscover can find it. This can be a valuable time-saving tool, as data tends to be copied to more places, especially as virtual environments grow and new application instances can be deployed on demand. dgdiscover also can be used to support audits and create awareness of data repositories.

The second dataguise module is dgmasker, a tool that automatically masks sensitive data using a one-way process that can't be reverse engineered. dgmasker works in heterogeneous environments and eliminates the common practice of having DBAs create masking techniques and algorithms. Instead, dgmasker obfuscates the real data so that it cannot be recovered by anyone - insider or outsider - who gains access to the masked data. The tool preserves relational integrity between tables and remote databases and generates data that complies with your business rules for application compatibility. In short, you have all the benefits of using your actual production data without using the real data.
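To make the properties described in this article concrete (format-preserving, one-way, no key to retain, and consistent across tables so joins still work), here is an added Python example; it is not code from the article or from dataguise's dgmasker, and the sample tables, the per-run secret and the "plausible SSN" range rules are constructed assumptions for illustration.

```python
import hashlib
import hmac
import re
import secrets
from typing import Optional

# Added example (not the article's or dataguise's code): a one-way, format-
# preserving mask for U.S. Social Security numbers. A random secret is drawn
# for each masking run and discarded afterwards, so there is no key to keep
# and the real values cannot be recovered from the masked copy; within a run
# the same real SSN always yields the same masked SSN, so joins across tables
# still line up in the test environment.

SSN_RE = re.compile(r"^(\d{3})-(\d{2})-(\d{4})$")


def is_plausible_ssn(value: str) -> bool:
    """NNN-NN-NNNN layout, avoiding never-issued ranges (area 000, 666 and
    900-999; group 00; serial 0000) so the masked data looks realistic."""
    m = SSN_RE.match(value)
    if not m:
        return False
    area, group, serial = (int(x) for x in m.groups())
    return (1 <= area <= 899 and area != 666
            and 1 <= group <= 99 and 1 <= serial <= 9999)


class SsnMasker:
    def __init__(self, run_secret: Optional[bytes] = None) -> None:
        # Per-run secret: random by default; injectable only so tests are repeatable.
        self._secret = run_secret if run_secret is not None else secrets.token_bytes(32)

    def mask(self, ssn: str) -> str:
        if not SSN_RE.match(ssn):
            # Refuse rather than silently passing real data through unmasked.
            raise ValueError(f"not a formatted SSN: {ssn!r}")
        digest = hmac.new(self._secret, ssn.encode("ascii"), hashlib.sha256).digest()
        n = int.from_bytes(digest, "big")
        # Carve independent slices of the digest into the three SSN fields,
        # each limited to the ranges that real issued SSNs use.
        area = (n % 898) + 1
        if area >= 666:
            area += 1  # skip the never-issued 666 area
        group = ((n >> 64) % 99) + 1
        serial = ((n >> 128) % 9999) + 1
        return f"{area:03d}-{group:02d}-{serial:04d}"


def mask_column(masker: SsnMasker, rows: list, column: str) -> list:
    """Copies of rows with one column masked; every other column is untouched."""
    return [{**row, column: masker.mask(row[column])} for row in rows]


def join_on(left: list, right: list, key: str) -> list:
    """Minimal inner join, used to show that referential links survive masking."""
    index = {row[key]: row for row in left}
    return [(index[r[key]], r) for r in right if r[key] in index]


# Constructed sample "production" tables that share the SSN as join key.
CUSTOMERS = [
    {"ssn": "123-45-6789", "name": "A. Example"},
    {"ssn": "987-65-4321", "name": "B. Example"},
]
ACCOUNTS = [
    {"ssn": "123-45-6789", "balance": 100},
    {"ssn": "123-45-6789", "balance": 250},
    {"ssn": "987-65-4321", "balance": 40},
]


def provision_masked_copy(run_secret: Optional[bytes] = None) -> tuple:
    """Mask both tables with a single per-run secret and return the masked copies."""
    masker = SsnMasker(run_secret)
    return mask_column(masker, CUSTOMERS, "ssn"), mask_column(masker, ACCOUNTS, "ssn")


if __name__ == "__main__":
    customers, accounts = provision_masked_copy()
    for customer, account in join_on(customers, accounts, "ssn"):
        print(customer["ssn"], customer["name"], account["balance"])
```

A second run draws a new secret and produces different masked values, which is the point: the test copy is consistent with itself but carries nothing that maps back to production.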

Data masking is an effective tool in an overall data security program. You can employ data masking in parallel with other data security controls such as access controls, encryption, monitoring and review/auditing. Each of these technologies plays an important role in securing data in production environments; however, for non-production environments, data masking is becoming a best practice for securing sensitive data.

7 critical commercial spaceflight concerns the US must tackle

There has been a positive vibe around the commercial space industry in recent months, with NASA's potential changing role, predictions of increased investments and growth of new business opportunities such as space tourism. But such optimism needs to be tempered because there are a host of issues the government, namely the Federal Aviation Administration (FAA), needs to address before commercial space operations can truly blast off, according to a report out today from watchdogs at the Government Accountability Office (GAO). According to the GAO report, the key problems that need to be resolved include:

1. Who's minding the store? The GAO said it raised concerns in the past that if the space tourism industry developed rapidly, the FAA's responsibility for licensing reusable launch vehicle missions would greatly expand. The FAA faces challenges in ensuring that it has a sufficient number of staff with the necessary expertise to oversee the safety of commercial space launches and spaceport operations. Many companies are designing and developing space hardware that is being tested for the first time, requiring that the FAA have a sufficient level of expertise to provide oversight. The FAA's experience in this area is limited because its launch safety oversight has focused primarily on unmanned launches of satellites into orbit using expendable launch vehicles, the GAO stated. The FAA's Office of Commercial Space Transportation has hired 12 aerospace engineers, bringing its total staff to 71 full-time employees. In addition, the FAA has established field offices at Edwards Air Force Base and NASA's Johnson Space Center in anticipation of increased commercial space launches, the GAO report noted.

2. Who's in charge here? Numerous federal agencies have responsibility for space activities, including the FAA's oversight of commercial space launches, NASA's scientific space activities, the Department of Defense's national security space launches, the State Department's involvement in international trade issues, and the Department of Commerce's advocacy and promotion of the industry. According to the National Academy of Sciences, aligning the strategies of the various civil and national security space agencies will address many current issues arising from or exacerbated by the current uncoordinated, overlapping, and unilateral strategies. The GAO stated that its research identified several gaps in federal policy for commercial space launches. A national space launch strategy could identify and fill gaps in federal policy concerning the commercial space launch industry, according to senior FAA and Commerce officials, the GAO stated. For example, while the FAA has safety oversight responsibility for the launch and re-entry of commercial space vehicles, agency officials told the GAO that no federal entity has oversight of orbital operations, including the collision hazard while in orbit posed by satellites and debris such as spent rocket stages or defunct satellites.

3. Is it safe? The FAA will need to determine whether its current safety regulations are appropriate for all types of commercial space vehicles, operations, and launch sites, the GAO stated. Moreover, as NASA-sponsored commercial space launches increase, the FAA's need for regulatory resources and expertise may change, the GAO stated. If the industry begins to expand, as senior FAA officials predict, to 200 to 300 annual launches, a reassessment of the FAA's resources and areas of expertise would be appropriate. The FAA is responsible for the protection of the uninvolved public, which could be affected by a failed mission. The FAA has interpreted this limited authority as allowing it to regulate crew safety in certain circumstances and has been proactive in issuing a regulation concerning emergency training for crews and passengers. However, the FAA has not developed indicators that it would use to monitor the safety of the developing space tourism sector and determine when to step in and regulate human space flight, the GAO stated.

4. Airspace considerations: NextGen, the FAA's grand plan to transform the current radar-based air traffic management system into a more automated, aircraft-centered, satellite-based system, will need to accommodate spacecraft that are traveling to and from space through the national airspace system, the GAO stated. As the commercial space launch industry grows and space flight technology advances, the FAA expects that commercial spacecraft will frequently make that transition, and the agency will need tools to manage a mix of diverse aircraft and space vehicles in the national airspace system. In addition, the agency will need to develop new policies, procedures, and standards for integrating space flight operations into NextGen. For example, the agency will have to define new upper limits to the national airspace system to include corridors for flights transitioning to space and set new air traffic procedures for flights of various types of space vehicles. The FAA has begun to consider such issues and has developed a concept of operations document, the GAO found.

5. Conflict of interests: The GAO said in 2006 the FAA faced the potential challenge of overseeing the safety of commercial space launches while at the same time promoting the industry. While the GAO said it found no evidence that the FAA's promotional activities, such as sponsoring an annual industry conference and publishing industry studies, conflicted with its safety regulatory role, it noted that potential conflicts may arise as the space tourism sector develops.

6. Government sponsored insurance? Indemnification secures another party against risk or damage. The U.S. government indemnifies launch operators by providing catastrophic loss protection covering third-party liability claims in excess of required launch insurance in the event of a commercial launch incident. Currently, launch operators are required to buy third-party liability insurance for up to $500 million in addition to insurance for their vehicle and its operations, and the U.S. government provides up to $1.5 billion in indemnification. In an effort to back U.S. commercial space ventures the U.S. government has indemnified launch operators, but the law that allows for indemnification expires in December 2009, the GAO stated. Industry players have called for the continuation of indemnification to support U.S. competitiveness, and the continuation of such federal involvement will assist industry growth, the GAO stated.

7. When bad things happen: What will be the role of the National Transportation Safety Board (NTSB) in investigating any accidents that occur? According to the GAO, the NTSB does not have space transportation explicitly included in its statutory jurisdiction, although it does have agreements with the FAA and the Air Force under which it will lead investigations of commercial space launch accidents. The 2008 commissioned report on human space flight suggested that Congress may want to consider explicitly designating a lead agency for accident investigations involving space vehicles to avoid potential overlapping jurisdictions, the GAO stated.