Monday, 19 January 2009

Cloud Computing with Pano Virtual Desktop

I found this little device after looking for a 'Zero Client' PC.

Not only has this little device no CPU, no memory, no operating system, no drivers, no software and no moving parts, its footprint is smaller than a tea coaster.

Pano connects keyboard, mouse, display, audio and USB peripherals over an existing IP network to an instance of Windows XP or Vista running on a virtualised server. Pano is power friendly, consuming only 3% of the energy consumed by a traditional desktop computer. For those organisations considering reducing their carbon footprint and driving a clear desk policy, this is the device of choice.

For the Enterprise user it is clear that, in a virtual world, Pano alongside Microsoft's Application & Server Virtualisation makes for a very strong solution offering. To deploy a Pano device, simply connect it to peripherals, network and power. There is no configuration to perform, no firmware to update, and no software to download. As soon as a Pano is connected to a network, a logon screen appears. Users enter their Windows credentials and are automatically connected to their virtual machines. From there on, it's the same Windows experience.

From a security point of view, the Pano is secure because it does not run an operating system or any other software. Because there is nothing in a Pano that can be infected by a virus or have malicious code installed, it doesn't need to be scanned for vulnerabilities or exploits.

Even when a peripheral such as a USB thumb drive is connected, Pano remains secure. Peripherals work only when the user is authorised via policies enforced by the Pano Management Server. If the user isn't authorised, Windows doesn't even see the peripheral that is connected to the Pano. If a user is authorised, the peripheral is connected directly to Windows. Pano enforces fine-grained access policies based on Active Directory user group membership, USB device class, and operation. As an example, a user may be authorised to read from a CD, but not write to it. This policy allows users to copy files or load software onto their virtual desktop, but prevents data from leaking out. Even when users are authorised, Pano can record USB operations so that the business can keep track of all its information assets. This is a great move for those organisations considering 'Rights Management'.

I believe this is one product worth watching.

Saturday, 17 January 2009

Government Security - Miss Security Target



Just 27 percent of IT systems at the Ministry of Defence and its agencies fully meet government security guidelines, the secretary of state for defence has admitted.



Bob Ainsworth revealed the statistics on Monday in a written reply to a question from Conservative MP Shailesh Vara. In the reply, Ainsworth wrote that 58 percent of IT systems at the ministry and its agencies have been through the security accreditation process laid out by the government a year ago. The systems range from corporate IT set-ups serving thousands of users to business-level systems used by smaller groups.

Only 27 percent of these systems are fully security accredited and are being operated within the ministry's "senior information risk owner (SIRO)'s risk appetite", according to Ainsworth, which balances security risk against operational reward. The other 31 percent have conditional or interim accreditation, "with constraints placed on the operation of the system to ensure that identified risks are adequately managed within SIRO's risk appetite". The guidelines in question were instituted after an MoD laptop, containing the details of 600,000 people, was stolen. They cover issues such as the ability of staff to put sensitive or personal information onto flash drives or laptops — which may be mislaid — and the need to encrypt information. Forty-two percent of systems are not accredited at all. "This represents the significant workload undertaken to plan and develop solutions for new equipment systems or platforms," wrote Ainsworth. "This also includes applications from legacy systems, many of which will be migrated onto the developing defence information infrastructure."

Ainsworth's breakdown covered systems whose accreditation is controlled centrally by Defence Security and Standards Assurance (DSSA). These number in the hundreds. In addition to systems connected to Ministry of Defence networks, the total includes systems not connected but which contain sensitive or personal data — those given a rating of "stand alone above Secret" or "contain significant value to the MoD".

Platforms and systems that are not security-checked by the DSSA are not included.
On the same day, Ainsworth also provided a written answer to a question from the Tory MP Patrick Mercer, who had asked how many mislaid desktop computers, laptops, hard drives and USB flash drives had been lost then recovered by the MoD and its agencies in each year since 2003.

According to Ainsworth, a total of 43 such devices were recovered in 2008 by the MoD (up from 11 in 2007). This figure includes one desktop PC, 26 laptops, five hard drives and 11 USB flash drives. The answer did not state whether 2008 saw a jump in recorded recoveries because of improved recovery processes, or because more data-bearing devices were lost that year.


Do you think we should let them know IronKey exists?


Microsoft SideSight - "Look out Apple"

A new Microsoft-developed technology called SideSight looks like something that deserves to be on a next-generation iPod touch. Or in a magician's repertoire.

The SideSight technology is contained in yet another paper that company executives are presenting at the User Interface Software and Technology conference this week. (See Microsoft's take on new ways that cell phones could "talk" as well as guided tours of images.) The paper in question is titled "SideSight: Multi-"touch" Interaction Around Small Devices," and is authored by Alex Butler, Shahram Izadi, and Steve Hodges, all with Microsoft Research UK.

Touch was a revolutionary concept when it debuted with the iPhone, in part because it was implemented so well with gestures. Pinching, sliding and tapping the iPhone and iPod touch all directly impact the interface.

SideSight removes "touch" from the device and makes it a function of the paper, tabletop, or even the air that's next to the device. What does this mean? According to Microsoft, it opens up the possibility for "touch" functions to be built into tiny devices that don't actually need a touchscreen.

"Despite the flexibility of touchscreens, using such an input mode carries a number of tradeoffs," the paper's authors wrote. "For many mobile devices, e.g. wristwatches and music players, a touchscreen can be impractical because there simply isn't enough screen real estate. With a continued trend for ever-smaller devices, this problem is being exacerbated. Even when a touch-screen is practical, interacting fingers will occlude parts of the display, covering up valuable screen pixels and making it harder to see the results of an interface action."
So what can you actually do with SideSight? Quite a bit, as it turns out. By twisting one's hands appropriately on either side of the phone, objects could be rotated in place. Pages could be panned and scrolled by moving a hand up and down, and Microsoft also proved that text could be entered and edited on the main screen through a stylus while the other hand scrolled the page -- a movement that would be akin to the motions a user's hands would make if he or she were writing on a sheet of paper.

A quick motion toward the device could also be interpreted as a "click," according to Microsoft.
The key is a row of tiny optical sensors that look "outside" the device. In a prototype Microsoft built for the paper, the researchers took a HTC Touch mobile phone, and augmented it with two linear arrays of discrete infrared (IR) proximity sensors, specifically ten Avago HSDL-9100-021 940nm IR proximity sensors spaced 10 millimeters apart. Although only the sides of the phone were enhanced, the entire periphery of a device could include these sensors, the researchers said. The sensors can read inputs up to 10 centimeters away, just through reflected infrared light.

"We were pleasantly surprised by the performance of the SideSight sensors in the typical office environments we tried given that we took no special precautions to reject ambient light," the paper's authors wrote. "We attribute this in part to the fact that the sensors are looking horizontally rather than vertically upwards towards overhead lighting."
Individual fingers are sensed as a "blob" by the sensor array. One problem: users tend to drift one or more fingers into the area covered by the sensor field, the authors noted. Because they were unable to consistently determine which fingers were actively controlling the device and which were simply incidental, Microsoft decided to only look for a single finger, and use that to control the phone.

(The authors noted as well that the sensors weren't directly connected to the phone. Instead, they were connected via USB to a PC, and then to the phone via Bluetooth. The convoluted interface reduced the effective sensing capability to 11 frames per second, a limitation of the test rig and not the circuits.)

What does the future of SideSight look like? Improved power consumption, improved sensor range, and an enhanced prototype: "In the future we believe that it may be possible to print organic electronic versions of such sensors, and so we are also interested in exploring a SideSight configuration that has the entire casing covered in this type of proximity sensing material," the Microsoft Research employees wrote.

See the Microsoft Research paper:

http://research.microsoft.com/en-us/um/people/shodges/papers/sidesight_crv3.pdf

Malware on Unsecure Flash Drives - The IronKey Response Part I

The media has recently reported incidents involving the spread of the W32.SillyFDC worm, a low-risk piece of malware that sometimes infects PCs and networks via USB flash drives. Several government agencies have implemented a temporary ban on removable media.

IronKey have announced a comprehensive initiative to protect portable and mobile media from viruses, worms, trojans, botnets, crimeware and other malware threats. IronKey’s initial research was partially funded by the Department of Homeland Security’s (DHS) Science and Technology Directorate.

The IronKey secure USB devices can withstand both simple and sophisticated attacks and all IronKey products have been FIPS 140-2 Level 2 validated. IronKey devices are intelligent, secure storage devices with strong, two-factor authentication and on-board security co-processors. As security processor costs become more affordable, it is possible to embed increasingly sophisticated layers of protection inside portable devices to protect enterprise and government networks from media-borne malware and crimeware. This enables IronKey secure storage devices to provide the highest levels of anti-virus and anti-malware support in hardware. Hardware support for anti-malware provides an unbeatable layer of protection for mobile devices to prevent malware from spreading onto enterprise networks.


The IronKey Anti-Malware Initiative information can be found here.
Key points of the initiative include:
• Always-on military-grade hardware encryption.
• Malware-protected software and firmware updates.
• Secure manufacturing processes.
• Secure provisioning and quality assurance processes.
• Real-time anti-malware scanning.



Three Million Users hit by Windows Worm - Part 1


A worm that spreads through low security networks, memory sticks, and PCs without the latest security updates is posing a growing threat to users. The malicious program, known as Conficker, Downadup, or Kido, was first discovered in October 2008.
Although Microsoft released a patch, it has gone on to infect 3.5m machines. Experts warn this figure could be far higher and say users should have up-to-date anti-virus software and install Microsoft's MS08-067 patch.
According to Microsoft, the worm works by searching for a Windows executable file called "services.exe" and then becomes part of that code. It then copies itself into the Windows system folder as a random file of a type known as a "dll". It gives itself a 5-8 character name, such as piftoc.dll, and then modifies the Registry, which lists key Windows settings, to run the infected dll file as a service. Once the worm is up and running, it creates an HTTP server, resets a machine's System Restore point (making it far harder to recover the infected system) and then downloads files from the hacker's web site.
Most malware uses one of a handful of sites to download files from, making them fairly easy to locate, target, and shut down. But Conficker does things differently. Anti-virus firm F-Secure says that the worm uses a complicated algorithm to generate hundreds of different domain names every day, such as mphtfrxs.net, imctaef.cc, and hcweu.org. Only one of these will actually be the site used to download the hackers' files. On the face of it, tracing this one site is almost impossible.
Speaking to the BBC, Kaspersky Lab's security analyst, Eddy Willems, said that a new strain of the worm was complicating matters. "There was a new variant released less than two weeks ago and that's the one causing most of the problems," said Mr Willems. "The replication methods are quite good. It's using multiple mechanisms, including USB sticks, so if someone got an infection from one company and then takes his USB stick to another firm, it could infect that network too. It also downloads lots of content and creating new variants through this mechanism."
"Of course, the real problem is that people haven't patched their software. If people do patch their software, they should have little to worry about," he added.
Technicians have reverse engineered the worm so they can predict one of the possible domain names. This does not help them pinpoint those who created Downadup, but it does give them the ability to see how many machines are infected. "Right now, we're seeing hundreds of thousands of unique IP addresses connecting to the domains we've registered," F-Secure's Toni Kovunen said in a statement. "We can see them, but we can't disinfect them - that would be seen as unauthorised use."
Microsoft says that the malware has infected computers in many different parts of the world, with machines in China, Brazil, Russia, and India having the highest number of victims.
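The domain-generation behaviour F-Secure describes leaves a trace defenders can look for in resolver logs: one client failing to resolve many distinct, short, all-letter names in a day. The Python below is an example added here, not code from Microsoft, F-Secure or this blog. The log format, the threshold and every sample line are constructed, and it assumes most generated names are unregistered and so come back as NXDOMAIN.

```python
import re
from collections import defaultdict

# Constructed resolver log (not real data): "<timestamp> <client> <qname> <rcode>".
# The first three names are the examples quoted in the article; the rest are made up.
SAMPLE_LOG = """\
2009-01-16T09:00:01 10.0.0.23 mphtfrxs.net NXDOMAIN
2009-01-16T09:00:02 10.0.0.23 imctaef.cc NXDOMAIN
2009-01-16T09:00:03 10.0.0.23 hcweu.org NXDOMAIN
2009-01-16T09:00:04 10.0.0.23 qkzdlw.net NXDOMAIN
2009-01-16T09:00:05 10.0.0.23 vbnrtyp.org NXDOMAIN
2009-01-16T09:00:06 10.0.0.23 mphtfrxs.net NXDOMAIN
2009-01-16T09:00:07 10.0.0.23 rgtplse.cc NOERROR
2009-01-16T09:01:00 10.0.0.40 www.example.com NOERROR
2009-01-16T09:01:05 10.0.0.40 exmaple.com NXDOMAIN
2009-01-16T09:02:00 10.0.0.40 wiki.corp.example NXDOMAIN
"""

# Shape of the names quoted in the article: one all-letter label directly under a TLD.
CANDIDATE = re.compile(r"^[a-z]{5,12}\.[a-z]{2,4}$")


def find_dga_clients(log_text, threshold=5):
    """Return {(day, client): {"failed": [...], "resolved": [...]}} for every client
    whose distinct failed candidate lookups in one day reach the threshold."""
    failed = defaultdict(set)
    resolved = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than guess at their meaning
        stamp, client, qname, rcode = fields
        qname = qname.lower().rstrip(".")
        if not CANDIDATE.match(qname):
            continue  # hostnames with subdomains, digits or hyphens are out of scope
        key = (stamp[:10], client)  # group by calendar day and client address
        if rcode == "NXDOMAIN":
            failed[key].add(qname)
        elif rcode == "NOERROR":
            resolved[key].add(qname)
    report = {}
    for key, names in failed.items():
        if len(names) >= threshold:  # repeats of one name count once
            report[key] = {
                "failed": sorted(names),
                # Candidate names that did resolve for a flagged client are the
                # ones to review first: only one generated name is the live site.
                "resolved": sorted(resolved[key]),
            }
    return report


if __name__ == "__main__":
    for (day, client), hit in find_dga_clients(SAMPLE_LOG).items():
        print(day, client, len(hit["failed"]), "failed lookups; resolved:", hit["resolved"])
```

On a real network the "resolved" list will also contain ordinary sites that happen to fit the pattern, so compare it against names the rest of the estate already visits before acting on it.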

Thursday, 15 January 2009

Cisco Security Data Leakage White Paper


The findings from a global security study on data leakage revealed that the data loss resulting from employee behavior poses a much more extensive threat than many IT professionals believe. Commissioned by Cisco and conducted by U.S.-based market research firm InsightExpress, the study polled more than 2000 employees and information technology professionals in 10 countries. Cisco selected the countries based on their diverse social and business cultures, with the goal of better understanding whether these factors affect data leakage.
In the hands of uninformed, careless, or disgruntled employees, every device that accesses the network or stores data is a potential risk to intellectual property or sensitive customer data. Magnifying this problem is a disconnect between the beliefs of IT professionals and the realities of the current security environment for countless businesses. The new findings show that "insider threats" have the potential to cause greater financial losses than attacks that originate outside the company.
• 33 percent of IT professionals were most concerned about data being lost or stolen through USB devices.
• 39 percent of IT professionals worldwide were more concerned about the threat from their own employees than the threat from outside hackers.
• 27 percent of IT professionals admitted that they did not know the trends of data loss incidents over the past few years.
Mitigating data leakage from insider threats is a difficult challenge. Businesses must take advantage of every opportunity to better understand how employee behavior and intent relates to security issues, and to make security a priority in every aspect of business operations.

Cloud Computing on Steroids

Salesforce.com is taking cloud computing to the next level:
Salesforce.com on Thursday announced Service Cloud, an extension to its software-as-a-service (SaaS) model that is intended as a way for companies to communicate with their customers over the web.
The software provides an infrastructure through which companies can easily connect to their customers through various applications and services available on the web, such as blogs, Facebook, Google and Amazon.com.

Service Cloud will offer software bundles that will start at $995 (£680) per month and will include options to build online communities where customers can communicate with each other.
Introducing Service Cloud, Marc Benioff, chairman and chief executive of Salesforce.com, said: "This has been made possible through the emergence of native cloud-computing platforms like Force.com that are built to harness the power of other clouds like Facebook, Google, and Amazon.com."
Force.com uses platform-as-a-service software so customers can build applications and databases that can then be used as services on the Salesforce infrastructure.
According to Gartner analyst Michael Maoz, consumer demand will drive models such as Force.com. "[There is] consumer expectation that they can create answers and content as part of a community that will lead businesses and other organisations to adopt similar techniques to succeed."

These communities can be built by applications that gather information from websites such as Facebook, then feed that information into databases for use by a company's customer-service staff and partners. The communities build up and can then be used to improve relationships between companies and their customers.
Users of Salesforce software for these purposes include Dell and Starbucks.

Microsoft Seadragon



Microsoft Seadragon was profiled to a live audience of more than eleven thousand people in WPC Denver 2007. Everyone present was blown away by the functionality of the platform and how the partner community could utilise the software in a solutions offering. In addition to this and keeping with the same theme, Blaise Aguera y Arcas demoed Photosynth along with Seadragon to show how the developer community could greatly enhance the end user experience and drive so much functionality into their web offering. You can see Blaise Aguera y Arcas's live demo on TED - http://www.ted.com/index.php/talks/blaise_aguera_y_arcas_demos_photosynth.html.

Microsoft Live Mesh - Cool Tool

What’s Live Mesh?

Live Mesh enables you to synchronize and access information and files across your different PCs, and it also lets you remotely control your PC through your web browser if you’re away from it.
Future releases will be adding support for more devices including Windows Mobile phones and Macs amongst others.

Live Mesh takes the best elements of the desktop and integrates them with the Internet to create a really valuable solution for keeping and sharing information and files.




Wednesday, 14 January 2009

Windows 7 Beta


Windows 7 has reached its first major milestone in the form of Beta 1, which is now available for public scrutiny. We did a clean install of Build 7000 (32-bit version) on a VMware virtual machine with 2GB of RAM and 16GB of hard disk space, and set out to examine the changes since the pre-beta Build 6801 that we reported on at the end of October last year.

Another of Windows 7's Mac OS-like UI tweaks is the ability to float gadgets anywhere on the desktop — just drag them out from the Gadgets dialogue box.

USB drive containing details of over 6,000 prisoners has been lost by Lancashire Primary Care Trust.

Hi Folks. This is a great example of when an organisation should be using the Enterprise IronKey Platform. (https://www.ironkey.com/products)
While the data on the USB stick was encrypted, the password to access the data was attached to the drive on a Post-it note, a spokesperson from NHS Central Lancashire told ZDNet UK on Monday.
The drive went missing at HMP Preston on 30 December, and contained the details of up to 6,360 prisoners. The stick went missing as it was being taken from one area of the prison to another — from the medical clinic to the administration department — to be backed up. The clinic used a legacy, standalone computer to work with information on prisoners, and this was backed up using the data stick.
"We don't believe [transferring data on a USB drive within the prison confines] had been recognised as a security risk — it hadn't been highlighted as a potential issue," said the spokesperson.
NHS Central Lancashire was already in the process of developing a way to securely transfer medical data from the prison's healthcare system to an NHS server via a network connection, the spokesperson added. Three prisons served by the NHS Central Lancashire are currently being connected to NHS servers.
The prisoner details lost at Preston included surnames, age range, prison number, cell location, prison-clinic appointment times and review dates, said a PCT statement. In some cases, there was reference to clinics attended, medical condition and treatment offered. Conditions specified included asthma, diabetes and mental health, as well as "a very small number of sexual-health references", according to a statement from the PCT on Friday.

NHS Central Lancashire apologised for the loss of the USB drive. "We are deeply sorry — this never should have happened," NHS Central Lancashire chief executive Joe Rafferty said in the statement. "We have launched a full and thorough investigation, and we are taking all necessary steps to ensure it cannot happen again."
Rafferty said that the lost data relates to patients who have accessed HMP Preston's health clinic since the year 2000. Lancashire PCT will contact people affected, and a helpline has been set up for anyone concerned about the loss, details of which appear on the statement.
NHS North West, the Department of Health, the Home Office, the Information Commissioner and the Healthcare Commission have all been informed of the loss of the data stick.
The staff involved have been suspended pending the conclusion of an investigation, said the Lancashire PCT spokesperson, who declined to say how many staff had been suspended.
In addition, all of the PCT's USB drives, which are encrypted, have been recalled. They will be re-issued on a named basis. "People that have a data stick will have to understand how to use it, and use it within policy," the spokesperson said.

Sunday, 11 January 2009

Blog Security

Twitter has been the victim of a massive hacking and phishing attack. Over 30 member accounts were hijacked, including those of President-elect Obama, Britney Spears and CNN correspondent Rick Sanchez. Fox News’ Twitter feed was also hijacked and used to post “Bob O’Reilley is gay” comments over supposedly legitimate Fox News Twitter feeds. Many hijacked accounts are being used to spread links to web pages that attempt to install malware on unsuspecting users’ computers, turning them into bots which can be controlled by cyber-criminals.
Here are some links to the various incidents:
http://blog.twitter.com/2009/01/monday-morning-madness.html
http://bits.blogs.nytimes.com/2009/01/05/twitter-hit-by-hacker-phishers/
http://www.readwriteweb.com/archives/twitter_security_collapses_oba.php
http://www.eweek.com/c/a/Security/Twitter-Phishing-Scam-Takes-New-Turn-With-Promises-of-iPhone/