Archive for the ‘NETWORKING’ Category

Yahoo! To Advance Cloud Computing

April 30th, 2009 No comments

Yahoo! has expanded its partnerships with four top U.S. universities to advance cloud computing research. The University of California at Berkeley, Cornell University and the University of Massachusetts at Amherst will join Carnegie Mellon University in using Yahoo!’s cloud computing cluster to conduct large-scale systems software research and explore new applications that analyze Internet-scale data sets, ranging from voting records to online news sources.

To date, academic researchers have had limited access to Internet-scale supercomputers for conducting systems and applications research. To help alleviate this obstacle, Yahoo! is granting these four universities access to the Yahoo! cloud computing cluster. The Yahoo! cluster, also known as M45, has been operational since November 2007 and in use by Carnegie Mellon. The cluster has approximately 4,000 processor-cores and 1.5 petabytes of disks.

“We have been using the Yahoo! cluster for more than a year now and have made significant progress in a number of key research areas, resulting in the publication of more than two dozen academic papers,” said Randal E. Bryant, dean of the School of Computer Science at Carnegie Mellon.

“Our researchers were able to extract and process documents from the Web in a way that was not possible before, changing the way we think about research problems. We were also able to conduct research over a corpus of 200 million Web pages, processing two orders of magnitude more data. We conducted systems software research, comparing, for example, the performance of the Hadoop file system and other parallel file systems. The simultaneous access to applications and systems software has been a real benefit and we look forward to our continued partnership with Yahoo! and joint contributions to the cloud computing community.”

Yahoo!’s M45 cluster runs Hadoop, an open source distributed file system and parallel execution environment that enables its users to process massive amounts of data. Apache Hadoop is an open source project of the Apache Software Foundation, to which Yahoo! engineers have been the primary contributors to date.

“Hadoop powers many of our most broadly used and complex systems at Yahoo!, from Web search to optimizing content for the home page,” said Shelton Shugar, SVP of cloud computing at Yahoo!.

“Continuing to invest in the open source community and in technologies like Hadoop is an important element in our efforts to drive breakthroughs in Internet-scale computing and ultimately to continually improve the quality of the consumer experience of Yahoo!. By partnering with these top educational institutions to share our M45 cluster and our technical expertise, we hope to further key insights into the next generation of systems software research and development.”

“We are very excited about the new research partnership with Yahoo!,” said Shankar Sastry, dean of the College of Engineering at the University of California, Berkeley.

“Access to the cluster is a first step in helping us analyze the vast amounts of societal-scale information available on the Web, such as voting records, online news sources and polling data. The Yahoo! cluster will also enable us to conduct computationally intensive econometrics research, combining economic theory with statistics to analyze and test large-scale economic relationships.”

“Our partnership with Yahoo! will enable us to attack problems ranging from wildlife preservation and biodiversity, to balancing socio-economic needs and the environment, to large-scale deployment and management of renewable energy sources,” said Bob Constable, dean of the faculty of Computing and Information Science at Cornell University.

“We recently established the Institute of Computational Sustainability at Cornell to focus on computational problems in these areas, and Yahoo!’s cluster will help us solve large scale optimization and machine learning problems to find better ways to manage our natural resources.”

“Our vision is to improve upon current technology through the processing of large data sets,” said Jim Kurose, dean of College of Natural Sciences and Mathematics at the University of Massachusetts, Amherst.

“Yahoo!’s supercomputing cluster will enable us to do data-intensive research on a large set of scanned books drawn from the Internet Archive’s million-book collection. The latter includes 8.5 terabytes of text and half a petabyte of scanned images. Research on such large datasets would not be possible without the use of clusters like the one Yahoo! is offering us access to.”

Partnership with these universities is the next step in expanding Yahoo!’s leadership in supporting cloud computing research. In July 2008, Yahoo! joined forces with HP, Intel, the University of Illinois at Urbana-Champaign, the Infocomm Development Authority (IDA) in Singapore, and the Karlsruhe Institute of Technology (KIT) in Germany to create Open Cirrus, a global, multi-data center, open source testbed for advancing cloud computing research and education. The partnership with Illinois also includes the National Science Foundation, creating a cloud computing cluster that is made available to the entire NSF academic community.

The international partnership promotes open collaboration among industry, academia and governments by removing the financial and logistical barriers to research in data-intensive, Internet-scale computing. As the Yahoo! M45 cluster is part of the Open Cirrus cloud computing testbed, the above universities will also gain access to and be part of the Open Cirrus community.

“Yahoo! is dedicated to working with leading universities to solve some of the most critical computing challenges facing our industry,” said Ron Brachman, VP and head of Yahoo! Academic Relations.

“The ability to access and analyze massive data sets is becoming increasingly crucial to the advancement of Internet-related computer science and cross-disciplinary research. By expanding our university-facing cloud computing program to partner with more universities, we hope to catalyze data-intensive computing research, furthering our commitment to the global, collaborative research community advancing the new sciences of the Internet.”

Categories: NETWORKING Tags:

Secure Data Transfer

April 21st, 2009 No comments

Use Virtual Private Networks for Secure Internet Data Transfer

Data sent across the public Internet is generally not protected from prying eyes, but you can make your Internet communications secure and extend your private network with a virtual private network (VPN) connection. A VPN connection uses encryption and tunneling to transfer data securely over the Internet to a remote access VPN server on your workplace network. Using a VPN helps you save money by using the public Internet instead of making long-distance phone calls to connect securely with your private network.

To make a VPN connection, you must be already connected to the Internet. You can make a VPN connection by first dialing an Internet service provider (ISP) or by using an existing connection to the Internet.

If you connect to the Internet using a dial-up connection, you first connect to your ISP and then you make a VPN connection to the private network’s VPN server. After the VPN connection is established, you can access the private network.
If you are already connected to the Internet—on a local area network, a cable modem, or a digital subscriber line (DSL)—you can make a VPN connection directly to the VPN server.

To make a VPN connection

1. Open Network Connections. (Click Start, click Control Panel, click Network and Internet Connections, and then click Network Connections.)
2. Under Network Tasks, click Create a new connection, and then click Next.
3. On the Welcome to the New Connection Wizard page of the New Connection Wizard, click Next.
4. On the Network Connection Type page, click Connect to the network at my workplace, and then click Next.
5. On the Network Connection page, click Virtual Private Network connection, and then click Next.
6. On the Connection Name page, type the name of the connection or your company name, and then click Next.
7. If you are using a dial-up connection to an ISP to connect to the Internet, the Public Network page is displayed. In Automatically dial this initial connection, select the name of the connection used to dial your ISP, and then click Next.
8. On the VPN Server Selection page, type the Domain Name System (DNS) name or Internet Protocol (IP) address of your company’s VPN server on the Internet, and then click Next.
9. On the Completing the New Connection Wizard page, click Finish.
10. A Connect dialog box is displayed. Type the user name and password to access your company’s private network and then click Connect.

SSH Protocol

April 21st, 2009 No comments

In computing, the SSH File Transfer Protocol (sometimes called Secure File Transfer Protocol or SFTP) is a network protocol that provides file transfer and manipulation functionality over any reliable data stream. It is typically used with version two of the SSH protocol (TCP port 22) to provide secure file transfer, but is intended to be usable with other protocols as well.

Compared to the earlier SCP protocol, which allows only file transfers, the SFTP protocol allows for a range of operations on remote files – it is more like a remote file system protocol. An SFTP client’s extra capabilities compared to an SCP client include resuming interrupted transfers, directory listings, and remote file removal. For these reasons it is relatively simple to implement a GUI SFTP client compared with a GUI SCP client.

SFTP attempts to be more platform-independent than SCP; for instance, with SCP, the expansion of wildcards specified by the client is up to the server, whereas SFTP’s design avoids this problem. While SCP is most frequently implemented on Unix platforms, SFTP servers are commonly available on most platforms.

SFTP is not FTP run over SSH, but rather a new protocol designed from the ground up by the IETF SECSH working group. It is sometimes confused with Simple File Transfer Protocol.

The protocol itself does not provide authentication and security; it expects the underlying protocol to provide them. SFTP is most often used as a subsystem of SSH protocol version 2 implementations, having been designed by the same working group. However, it is possible to run it over SSH-1 (and some implementations support this) or other data streams. Running an SFTP server over SSH-1 is not platform independent, because SSH-1 does not support the concept of subsystems: an SFTP client that wants to connect to an SSH-1 server needs to know the path to the SFTP server binary on the server side.

The Secure Internet Live Conferencing (SILC) protocol defines SFTP as its default file transfer protocol. In SILC the SFTP data is not protected with SSH; instead SILC’s secure packet protocol is used to encapsulate the SFTP data into SILC packets and to deliver it peer-to-peer. This is possible because SFTP is designed to be protocol independent.

For uploads, the transferred files may be associated with their basic attributes, such as timestamps. This is an advantage over the common FTP protocol, which does not have provision for uploads to include the original date/time stamp attribute.

Standardization

The protocol is not yet an Internet standard. The latest specification is an expired Internet Draft, which defines version 6 of the protocol. Currently the most widely used version is 3, implemented by the popular OpenSSH SFTP server. Many Microsoft Windows-based SFTP implementations use version 4 of the protocol, which has weakened its ties with the Unix platform.
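The two protocol details the text leans on, that SFTP carries file attributes such as timestamps with a transfer, and that clients and servers speaking different draft versions (3, 4, 6) must agree on one, are easiest to see at the byte level. The following is an added example, not code from the page, from OpenSSH or from the IETF working group; it encodes and parses SFTP packets as laid out in draft-ietf-secsh-filexfer-02 (protocol version 3), and the request id, path and timestamps it uses are constructed sample values.

```python
# Added example (not from the page or from OpenSSH): SFTP v3 packet framing,
# version negotiation and the ATTRS structure, as specified in
# draft-ietf-secsh-filexfer-02 (protocol version 3). Sample values are constructed.
import struct

SSH_FXP_INIT, SSH_FXP_VERSION, SSH_FXP_SETSTAT = 1, 2, 9

# ATTRS flag bits from the v3 draft ("File Attributes")
ATTR_SIZE, ATTR_UIDGID, ATTR_PERMISSIONS, ATTR_ACMODTIME = 0x1, 0x2, 0x4, 0x8


def frame(payload: bytes) -> bytes:
    """Every SFTP packet: uint32 length | byte type | type-specific data."""
    return struct.pack(">I", len(payload)) + payload


def unframe(data: bytes):
    """Split one packet off the stream; reject short or truncated input."""
    if len(data) < 4:
        raise ValueError("need 4 bytes for the length field")
    (length,) = struct.unpack(">I", data[:4])
    if length == 0 or len(data) < 4 + length:
        raise ValueError("truncated SFTP packet")
    return data[4:4 + length], data[4 + length:]


def sftp_string(s: bytes) -> bytes:
    """SSH 'string' type: uint32 length-prefixed bytes, no terminator."""
    return struct.pack(">I", len(s)) + s


def init_packet(client_version: int) -> bytes:
    """Client's first packet: SSH_FXP_INIT carrying the highest version it speaks."""
    return frame(bytes([SSH_FXP_INIT]) + struct.pack(">I", client_version))


def negotiate_version(init: bytes, server_max: int = 3) -> int:
    """Server side: the draft says to answer with the lower of the two numbers,
    so a v6 client talking to an OpenSSH-style (v3) server ends up on v3."""
    payload, rest = unframe(init)
    if rest:
        raise ValueError("unexpected bytes after INIT")
    if len(payload) < 5 or payload[0] != SSH_FXP_INIT:
        raise ValueError("expected SSH_FXP_INIT")
    (client_version,) = struct.unpack(">I", payload[1:5])
    return min(client_version, server_max)


def version_packet(version: int) -> bytes:
    """Server's SSH_FXP_VERSION reply."""
    return frame(bytes([SSH_FXP_VERSION]) + struct.pack(">I", version))


def encode_attrs(size=None, uid_gid=None, permissions=None, times=None) -> bytes:
    """Build a v3 ATTRS block: a flags word, then only the fields whose bit is set."""
    flags, body = 0, b""
    if size is not None:
        flags |= ATTR_SIZE
        body += struct.pack(">Q", size)
    if uid_gid is not None:
        flags |= ATTR_UIDGID
        body += struct.pack(">II", *uid_gid)
    if permissions is not None:
        flags |= ATTR_PERMISSIONS
        body += struct.pack(">I", permissions)
    if times is not None:  # (atime, mtime) always travel together in v3
        flags |= ATTR_ACMODTIME
        body += struct.pack(">II", *times)
    return struct.pack(">I", flags) + body


def decode_attrs(data: bytes):
    """Parse ATTRS; returns (dict of present fields, bytes consumed)."""
    pos = 0

    def take(fmt):
        nonlocal pos
        vals = struct.unpack_from(fmt, data, pos)
        pos += struct.calcsize(fmt)
        return vals

    (flags,), out = take(">I"), {}
    if flags & ATTR_SIZE:
        (out["size"],) = take(">Q")
    if flags & ATTR_UIDGID:
        out["uid_gid"] = take(">II")
    if flags & ATTR_PERMISSIONS:
        (out["permissions"],) = take(">I")
    if flags & ATTR_ACMODTIME:
        out["times"] = take(">II")
    return out, pos


def setstat_packet(request_id: int, path: bytes, attrs: bytes) -> bytes:
    """SSH_FXP_SETSTAT: how a client preserves an upload's timestamps."""
    return frame(bytes([SSH_FXP_SETSTAT]) + struct.pack(">I", request_id)
                 + sftp_string(path) + attrs)


def parse_setstat(packet: bytes):
    """Server-side parse of SETSTAT -> (request_id, path, attrs dict)."""
    payload, _ = unframe(packet)
    if payload[0] != SSH_FXP_SETSTAT:
        raise ValueError("not SSH_FXP_SETSTAT")
    request_id, path_len = struct.unpack(">II", payload[1:9])
    path = payload[9:9 + path_len]
    return request_id, path, decode_attrs(payload[9 + path_len:])[0]


if __name__ == "__main__":
    print(negotiate_version(init_packet(6)))  # v3 server answers a v6 client with 3
    pkt = setstat_packet(1, b"/upload/report.pdf",
                         encode_attrs(permissions=0o644, times=(1240000000, 1240000000)))
    print(parse_setstat(pkt))
```

The length-prefixed framing is also where a careless server implementation goes wrong: `unframe` refuses a packet whose declared length exceeds the bytes actually received instead of reading past the buffer, and `decode_attrs` only consumes the fields whose flag bits are set, which is what makes the attribute block extensible across draft versions.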

The Internet Engineering Task Force (IETF) “Secsh Status Pages” search tool contains links to all versions of the Internet draft-ietf-secsh-filexfer which describes this protocol.


Security Researchers Embarrassed After Successful Hackers Attack

December 16th, 2008 No comments

Chief strategy officer for security firm StillSecure and security consultant Alan Shimel woke on Sunday morning to discover that his personal blog, which is frequently visited by readers and press, was pointing to a website featuring explicit gay porn. Equally disturbing, he found someone had cracked open his Yahoo! Mail account and published sensitive documents he filed with the Internal Revenue Service. The attackers also sent crude pornographic images to parents on the Little League baseball team Shimel coached.

Shimel is one of three high-profile researchers in the security world known to have been attacked by unknown criminals over the past week. A personal Gmail account belonging to Petko D. Petkov, of the GNUCitizen ethical hacking collective, was ransacked and 2GB of its contents made public. Logs believed to come from the home blog of Security-Protocols.com researcher Tom Ferris have also been exposed.

Security researchers have always been targets of computer- and Internet-based attacks, so this in itself is nothing new. But the recent rash of attacks, which coincided with this year’s Black Hat and Defcon conferences in Las Vegas, is getting more attention in the security world than previous ones.

“You can immediately see how emotional this is,” said one well-known researcher who refused to allow his name to be published out of concern it would make him more of a target. “People are generally worried. You’re always worried you made some stupid mistake.”

Shimel stressed that the breach concerned only his personal blog and email and never extended to StillSecure. Shimel said he reported the breach to the FBI, and Petkov said unnamed law enforcement officials have also been notified. Petkov declined to discuss the attack in detail, except to say it occurred more than a year ago.

Shimel said his scrape with the attackers was a wake-up call for him to follow security best practices, including the use of different passwords for each online account. “It’s going to make me be a bit more vigilant,” he said. “I don’t think these people are worthy of much attention, except that you should do what you normally do to lock down your infrastructure.”

What separates the fresh attacks from previous ones is the degree of malice. The attackers here seem more interested in injuring the reputations and privacy of their victims than in exposing mistakes they may have made in locking down their private information. The miscreants have publicly pledged on a mailing list to wage war against more than two dozen researchers, firms and journalists in the security world. In addition to Shimel, Petkov and Ferris, others said to be targeted include Dan Kaminsky, Joanna Rutkowska, Gadi Evron, Matasano and Theo de Raadt.

Perhaps the most worrisome part of the attacks is that, so far, no one knows exactly how they were carried out. In an email exchange, Petkov said he suspected his Gmail account was accessed through a cross-site scripting (XSS) flaw. Some posit the passwords were intercepted as a result of a colossal debacle in the Debian distribution of Linux, which for more than a year generated OpenSSL keys that are trivial to crack. Once the keys are broken, encrypted sessions, even those from years ago, can be decrypted.

Others guess that the miscreants gained entry through the victims’ blogs, which typically used blogging software from TypePad and WordPress. Those programs have routinely been found to contain gaping security holes. Indeed, Shimel admits the administrative password for his blog (which was parked at GoDaddy at the time of writing) was also used to unlock his Yahoo Mail account.


How to protect your computer from hackers

December 16th, 2008 No comments

Every minute that your computer is connected to the Internet, either through a dial-up (modem) connection or through a broadband (DSL or cable) service, it is at risk. Network security attacks can come at any hour of the day or night.

Ignoring computer Internet security threats can cost you thousands. Your computer is just one machine among the millions connected to the Internet at any given moment. And a moment is all it takes for a hacker to get in. All your private documents and photos, credit card numbers and passwords are available to anyone with bad intentions and basic computer skills.

Hackers can get in, take what they want, and even leave open a “back door” so they can turn your computer into a “zombie” and use it to launch network security attacks, often against high-profile computer systems such as government or financial systems. Having control of your computer gives them the ability to hide their true location as they launch their attacks.

Virus protection is not enough. Don’t think that antivirus software completely protects your computer from Internet security risks. Virus protection is as good as the latest virus definitions, which are created in response to the latest viruses – many thousands of people must be infected before the makers of antivirus software can create a defense. And antivirus software does nothing to protect your computer against direct network security attacks.

If you use a dial-up Internet connection, it is more difficult (not impossible, just difficult) for a hacker to get in, since your computer only connects to the Internet when it has something to send, such as email or a request to load a Web page. Once there is no more data to be sent, or after a certain amount of idle time, the computer disconnects the call. Also, your computer is usually assigned a different IP address on each call.

Broadband services are more of a target for network attacks, since your computer is always on the network, ready to send or receive data and its IP address changes less frequently (if at all).

How to protect your computer against network security attacks and other accidents

1) Use a firewall

This is a software program that monitors all incoming and outgoing network traffic and allows only the connections that are known and trusted. It’s a mandatory tool for your computer Internet security.

The best balance between maximum protection and ease of use is ZoneAlarm Pro from Zone Labs, which is not just a classic firewall that stops all network security attacks, but also…

  • Makes your computer invisible to anyone on the Internet.
  • Automatically removes the most dangerous and useless spyware and viruses.
  • Blocks banner ads and pop-up/pop-under ads.
  • Automatically updates spyware and virus signatures.

Zone Labs has just released the new ZoneAlarm Security Suite - an easy to use computer Internet security package combining their firewall with antivirus, email security, content filtering, and communication protection.

2) Use antivirus software and keep it up-to-date

I recommend Kaspersky Anti-Virus. It detects more viruses than the popular Norton AntiVirus and can protect you even from unknown viruses. It was the only antivirus program in the world that repelled attacks of all “ILOVEYOU” virus variations without any additional antivirus database updates. The program checks and cures both incoming and outgoing mail in real time, and it is simple to install and use: you only need to choose from three levels of protection.

To find out if you have any viruses or spyware on your computer without having to uninstall your current antivirus or install a new one, you can scan your computer online for viruses and spyware with their free Online Scanner. Just click the link Free Virus Scan on their home page.

The popular ZoneAlarm Internet Security Suite uses the Kaspersky anti-virus engine. Take a look also at Kaspersky Internet Security. It’s a package combining antivirus protection with a personal firewall and an antispam filter, specially developed to protect personal computers against the whole range of network security attacks – viruses, hackers, spyware and spam.

3) Regularly check for spyware and adware

Spyware and adware are programs that can be installed on your computer without your permission. They allow hackers to track your behavior on the Internet and retrieve your personal information such as PINs, credit card, phone and social security numbers, passwords, usernames, etc. ZoneAlarm Anti-Spyware combines a spyware scanner with a firewall and email security.

4) Don’t open unknown email attachments

Don’t open any email attachments unless they are authored by a person or company that you trust. Also remember that email viruses can often originate from familiar addresses. If you need to open a suspicious attachment, first save it to your hard disk and scan the file using your antivirus software.

5) Disable hidden filename extensions

Windows operating systems contain an option to “Hide file extensions for known file types” (enabled by default). Some email viruses take advantage of a hidden file extension. They use an attachment which may appear to be harmless (.txt, .mpg, .avi) when in fact it’s a script or executable (.vbs, .exe). For example, “LOVE-LETTER-FOR-YOU.TXT.vbs”.
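To see concretely what the hidden-extension option does to a name like “LOVE-LETTER-FOR-YOU.TXT.vbs”, here is an added example (not code from the page): a small Python model of how Explorer displays a filename with extensions hidden, plus a check that flags attachments whose visible name ends in a harmless-looking type while the real extension is a script or executable. The extension sets and the sample attachment list are constructed for the example and are only a subset of what Windows registers.

```python
# Added example (not from the page): what a user sees when Windows hides
# "known" file extensions, and a check for the double-extension trick the
# text describes ("LOVE-LETTER-FOR-YOU.TXT.vbs"). The extension sets are a
# constructed subset, not the full Windows list.
import os

# Script and executable types that Windows runs when double-clicked.
EXECUTABLE = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
              ".js", ".jse", ".wsf", ".wsh", ".hta"}
# Harmless-looking document/media types that get faked in the visible name.
BENIGN_LOOKING = {".txt", ".doc", ".pdf", ".jpg", ".jpeg", ".gif", ".mpg",
                  ".avi", ".mp3", ".htm", ".html"}


def displayed_name(filename: str, hide_known: bool = True) -> str:
    """Name as Explorer shows it: with hiding on, the last extension is
    dropped when it is a registered ("known") type; everything before it,
    including a fake ".TXT", stays visible."""
    base, ext = os.path.splitext(filename)
    if hide_known and base and ext.lower() in EXECUTABLE | BENIGN_LOOKING:
        return base
    return filename


def real_extension(filename: str) -> str:
    """The extension Windows actually uses to decide how to open the file."""
    return os.path.splitext(filename)[1].lower()


def is_deceptive(filename: str) -> bool:
    """True when the visible name ends in a harmless-looking extension while
    the real (last) extension is a script or executable."""
    if real_extension(filename) not in EXECUTABLE:
        return False
    shown_ext = os.path.splitext(displayed_name(filename))[1].lower()
    return shown_ext in BENIGN_LOOKING


def scan_attachments(names):
    """Return the attachment names that use the double-extension trick."""
    return [n for n in names if is_deceptive(n)]


if __name__ == "__main__":
    # Constructed sample attachment list
    sample = ["LOVE-LETTER-FOR-YOU.TXT.vbs", "holiday.jpg", "invoice.pdf.exe",
              "setup.exe", "notes.txt"]
    for n in sample:
        print(f"{n:30} shown as {displayed_name(n):26} deceptive={is_deceptive(n)}")
    print(scan_attachments(sample))
```

Running it shows why the option matters: with extensions hidden, the user sees “LOVE-LETTER-FOR-YOU.TXT” and “invoice.pdf”, and only the real extension, which Windows uses to pick the handler, reveals that both are executable. A plain “setup.exe” is not flagged, because nothing in its visible name pretends to be a document.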

6) Keep your operating system and other applications patched

Most network security attacks would be stopped if all users kept their computers up to date with patches and security fixes. When holes are discovered (which happens frequently), software vendors usually release patches. Some applications automatically check for available updates; for others, you need to check the vendors’ websites periodically.

7) Disable Java and ActiveX if possible

Java and ActiveX are used to write code that is executed by Web browsers. Although this code generally adds useful features, it can be used by hackers, for example, to monitor your Internet activity. You can disable Java and ActiveX in your browser at the cost of limited interaction with some websites.

8) Turn off your computer or disconnect from the network when not in use

If you use a broadband (DSL or cable) Internet connection, turn off your computer or otherwise completely disconnect it from the network when you are not using it. This not only “protects” your computer from Internet security risks, it forces your ISP to change your computer’s IP address more frequently, thus making it more difficult for a hacker to get in.

9) Make regular backups of important data

A hard disk crash or physical theft of your computer results in the loss of all data stored on the hard disk. Keep a copy of important files on removable media such as floppy/ZIP disks or recordable CD-ROM disks, and store these disks somewhere away from the computer.

How to keep your personal info and communications private on the iPhone

December 16th, 2008 1 comment

Once the iPhone connects online through Wi-Fi or the mobile network, it has all of the same vulnerabilities as any networked device; unencrypted data could be intercepted by casual hackers or proactive identity thieves. At press time, the iPhone hadn’t received any large-scale attacks or viruses, but you should still protect your data as a precaution.

Many iPhone features and Internet services offer ways to encrypt your data, but you have to turn them on (or make sure they’re already on) to stay safe. We’ll explain how to protect email, passwords, and other sensitive details no matter where you connect.

 

Use Email Securely

Internet email began as a trusted service, with both sides of a conversation expecting the recipient to be who he or she claimed to be. Encryption came as an add-on, and while common now, certain mail hosts offer different ways of enabling the feature.

When your iPhone (or any other device) checks your email, it can encrypt your login information as well as messages sent and received to prevent any snoopers from reading your email or intercepting your password. Use encryption, which the iPhone calls SSL (secure sockets layer), as long as your email provider supports it. The iPhone switches this on by default.

Some providers call SSL by its current, formal name, TLS, which stands for “transport layer security.” Check with your email provider to be sure it uses this protection, whatever name it goes by.

Of the preset account types recognized by the iPhone—Microsoft Exchange, Apple’s MobileMe, Gmail, Yahoo Mail, and AOL—almost all offer SSL support to varying degrees. Exchange servers require complete SSL; MobileMe supports SSL for receiving and requires it for sending; Gmail requires it for both; and AOL requires it for sending but makes it optional for receiving. SSL doesn’t yet work with Yahoo Mail on the iPhone. The only reason not to use SSL would be that your email provider doesn’t support it; otherwise, verify that it’s on. From the home screen, tap Settings > Mail, Contacts, Calendars, then tap the name of the account you want to check. To make sure you are receiving email securely, scroll down and tap Advanced. Under Incoming Settings, make sure that Use SSL is switched on.

To make sure you’re sending email securely, tap the account name to return to the previous screen, then scroll down to the Outgoing Mail Server and tap the server name (in case there is more than one). Make sure that Use SSL is switched on.

Screenshot (iPhone email account settings): You can’t miss that SSL slider. Leave it on unless your mail provider doesn’t support it.

Yahoo Mail uses a proprietary login method called XYMPKI. In July 2007, security researcher Dave Cridland discovered that part of that method involved sending the login name and password without encrypting them, which could enable a hacker to access your email by “sniffing” (recording) the login sequence, then replaying it later. Until Apple and Yahoo announce an update that enables SSL for Yahoo Mail on the iPhone, avoid checking Yahoo Mail on an open (that is, unencrypted) network.

 

Use Webmail to Retrieve Messages Securely

Screenshot (Gmail in Safari on the iPhone): Look for the lock on the icon to verify security.

Occasionally, you might find that a Wi-Fi access point firewall won’t allow you to contact your mail server. Try using your email provider’s webmail interface in Safari, but keep the transmission secure with SSL. Two indicators that SSL is working in Safari are that the website’s URL begins with “https://” instead of “http://” and a lock icon appears to the right of the URL.

Not every webmail provider offers secure webmail. Of the main iPhone options—MobileMe, Gmail, Yahoo, and AOL—only Gmail offers a secure web connection at https://mail.google.com/mail/. (However, if you use Exchange or a different ISP, contact your administrator to see whether a secure webmail solution exists for you.)

Some websites, such as www.mail2web.com, allow you to check another provider’s email over an SSL-encrypted connection. This can be secure as long as the website offering the service is itself secure. Mail2web connects to all of the services we tried besides Yahoo, which doesn’t allow you to check your email with other programs unless you pay for its Yahoo Mail Plus service ($19.99 a year, mailplus.mail.yahoo.com).

 

Encrypt Email

Screenshot (encrypted email on the iPhone): If you’re close enough to friends that you have a secret language, they can retrieve an encrypted mail by answering a question only they know.

Security experts like to say that sending email is like using a postcard: anyone can read it in transit. Using encryption on an email message, by contrast, is like putting a letter into an envelope. It’s not totally unbreakable (otherwise, how would your recipient read it?), but very strong encryption provides good enough security for people who prefer their communications to be private. With well-encrypted email, even if someone intercepts a message, it could take years to decrypt the contents, if they succeed at all. OpenPGP is the de facto standard for encrypted email, although most people call it PGP (short for Pretty Good Privacy).

Right now there’s no way to encrypt your email using PGP on the iPhone through the Mail program. Instead, consider using Hushmail, which supports PGP encryption. It’s a webmail service, so you can access it from Safari.

With PGP, a public key is used only to encrypt mail; it has no function for unlocking messages. Only the recipient’s private key can open the data. That way, anyone can protect a message sent to you, but only you can read it. Ordinarily, to send email to a PGP user, you tell your mail program about this person’s public key. Hushmail works a little differently, by keeping the encryption transparent to users.

Hushmail users can send encrypted messages to other Hushmail users or to people who have uploaded their public keys to Hushmail. A slightly less secure option hides encrypted messages on the Hushmail server and emails the recipient with instructions on how to retrieve the message by answering a security question correctly. After five incorrect guesses, access is denied.

There are some catches to using Hushmail on the iPhone’s version of Safari. Before starting, be sure to close all other open Safari pages. When composing a message, once you tap the Send button, you’re not done; tap the pages icon in the lower-right and switch to the main Hushmail page. If you don’t, the message won’t send.

Hushmail is free, but it also offers subscription services, enabling 250MB of storage, access to customer support, and assurance that your account won’t be deleted due to inactivity. Hushmail is also working on a mobile Web client, but nothing yet for the App Store.


Be Less Promiscuous On Wi-Fi

Screenshot (iPhone connecting to Wi-Fi networks): Use an uncommon network name to keep your iPhone from accidentally connecting to other routers.
When you connect to Wi-Fi, if no password is required to join the network, anyone can sniff your packets. This means that an eavesdropper within physical range of your network can listen in on anything that’s sent or received. If your iPhone is set to check email automatically, you might reveal sensitive data by joining such an open network, especially if you don’t use SSL. (If you do use SSL, intercepted communications will be garbled by that encryption.)

Under Settings > Wi-Fi, there’s an option called Ask to Join Networks. However, this option only does what it says the first time you connect; whether you have this option on or off, the iPhone will never ask before rejoining a network with the same name. So, if you visit a network with a common name, like “linksys,” your iPhone will automatically join every network it discovers with that name. In a single cab ride, you could unintentionally expose your iPhone to dozens of networks with the same name.

If you use Wi-Fi at home, make sure your network has a unique name, so when you’re away from home, you don’t have to worry about someone else having the same name for their Wi-Fi network.

You can also tell the iPhone to stop automatically joining a nearby network by tapping Settings > Wi-Fi > the network’s name, then tapping Forget this Network.

If you plan to join an open network and aren’t using SSL in email, turn off automatic email checks by tapping Settings > Fetch New Data > Manually. Then join the network, and don’t check your email. Restrict your activity to things that don’t reveal sensitive data, like reading websites or playing Hold’Em.

Screenshot caption: Enable Show SMS Preview to see the beginning of an incoming text message before you’ve entered your passcode.

If you lose your iPhone, or if a thief manages to slip it out of your pocket, all of your email and data are in someone else’s hands. Stop them from peeking by locking your phone with a passcode.

It’s really easy to set up. Tap Settings > General > Passcode Lock, and set a 4-digit passcode by entering it twice. Just be sure to pick a different PIN from the one you use for your bank card. Note that the passcode doesn’t hide everything: with Show SMS Preview on, the beginning of each incoming text message still appears on the locked screen, so turn that off if your messages are sensitive.

Tap Require Passcode to change the duration of idle time before the iPhone asks for the passcode again, saving yourself from annoyance. As Apple suggests, a shorter time period is more secure. Chances are, you’ll be the one entering the code most frequently, so try to strike a balance between convenience and the need for security.

Keep in mind, however, that if someone wants to return your lost phone or contact your family in an emergency, they’ll be stuck at that input screen. To fix this, on your computer, use an image editor to create a picture containing your contact info. Email the graphic to your phone, and set it as wallpaper. Those details will appear behind the passcode prompt.

 

Use A VPN 
screen shot of VPN account info
If VPN setup gets too complicated, talk to your job’s IT administrator or VPN provider for help.

Suppose you’ve found Wi-Fi access that you don’t trust, but you really need to check your email. As with a computer, you can protect your traffic by using a Virtual Private Network. A VPN tunnels all of your incoming and outgoing data, encrypted, to a server on another network. Most people use one to appear to be on a network they’re not physically connected to, such as reaching an internal office file server while away. But it has the added benefit of encrypting the connection, which makes it useful for people who use lots of open Wi-Fi networks: a snooper on the local hotspot sees only the encrypted tunnel. Keep in mind that the protection ends at the VPN server; from there on, your traffic is as exposed as it would otherwise be, so SSL for email still matters.

The iPhone supports three VPN protocols: Cisco IPSec, L2TP over IPSec, and PPTP. They are not equally strong: PPTP’s MS-CHAP authentication has known weaknesses, so prefer one of the two IPSec-based options where you have the choice. If you are already running one of these at home, great! If, like most people, you’re not, you may want to consider renting a VPN. Some iPhone-friendly VPN providers are listed in VPN Providers Love the iPhone.

 

Securely Erase the iPhone 
screen shot iphone reset
On the reset screen, only tap Erase All Content and Settings if you really mean it.

One of the features Apple touted about the iPhone 2.0 firmware update was the ability to remotely wipe all of the data from a missing or otherwise compromised iPhone, at least for corporate users. As we went to press, the only way to remotely wipe the iPhone was from a Microsoft Exchange server, and then only by an administrator on that server. For residential customers in the United States, there’s no way to remotely erase an iPhone by asking AT&T to do it.

If you decide to sell or give away your iPhone, it’s smart to erase it manually first. Tap Settings > General > Reset > Erase All Content and Settings. Connect your iPhone to a power supply first, because the process will eat up a lot of battery power as it overwrites the data. Apple says it takes about an hour per 8GB of space on the iPhone, so plan accordingly.

 

VPN Providers Love the iPhone 
screen shot of VPN

The iPhone’s built-in VPN client supports common VPN standards. Here are some VPN providers that cater specifically to iPhone users. Renting a VPN is not the same as getting Internet access. Rather, it provides a secure connection from your iPhone (or any other networked computer) to a VPN server somewhere else on the Internet, confounding any snoopers on an unsecured Wi-Fi network.

Categories: NETWORKING Tags:

Google’s Answer to ActiveX

December 16th, 2008 No comments

Over the years there have been a number of technologies promised that would allow computer users and web developers the opportunity to run the same interactive code across multiple platforms, with native execution and related speed benefits. Early attempts at providing this capability were largely limited to single operating system families, such as Microsoft’s ActiveX, which, while it achieves this capability, is only for Windows systems.

Until now, the only technology that has come close to a semi-native experience on a truly cross-platform level has been Java, whose sandboxed bytecode can be delivered over the web and then executed by the local Java virtual machine. For many years the Java web applications being developed and distributed amounted to little more than intellectual curiosities, but that was at a time that predated even the first Web 2.0 application (Outlook Web Access) by three years (1995 for Java versus 1998 for OWA).

More recently, Flash and Shockwave have developed the capability to run detailed applications without suffering too much performance hit, though there is very limited interaction with the local system (due to their evolutionary history as web plugins).

Each of these solutions has suffered serious vulnerabilities over the years, the most concerning being those that let code escape the ‘sandbox’ the downloaded content is meant to run in, where it is supposed to be isolated from the underlying system to prevent information leakage and system compromise. That isolation has not always held.

A new technology will soon join the mix, with Google inviting analysis and testing of their Native Client technology. Google’s stated intent with Native Client is to provide the capability to web developers to be able to develop more feature rich cross-platform web applications that can utilise more resources on the client side than just the HTML/XHTML interpreter and JavaScript, and have more capability reach than Flash / ActiveX / Java.

As with earlier technologies, Native Client code will run inside a sandbox designed to limit interaction with the underlying system to approved API calls. Probably of more interest to application security researchers is Google’s claim that static analysis is applied to downloaded code before it runs. The loader disassembles the incoming x86 module (no other architecture is mentioned) and checks the instruction stream against a fixed set of rules: no instruction from outside the allowed subset, and no control transfer that could reach an address outside the sandboxed region. A module that violates a rule is rejected rather than patched.

While this relies on content having been developed in accordance with Google guidelines, it will be an interesting technology to keep track of and see how it copes when anybody can throw code at it.
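To make the validation idea concrete, here is a toy model of that static check, written for this article rather than taken from Google’s Native Client. The real validator works on raw x86 bytes; this one works on a constructed, already-decoded listing so the rules stay visible. The listing format, the mnemonics and the byte sizes in the sample modules are assumptions made for the example, and only three of the published NaCl constraints are modelled.

```python
"""Toy model of the Native Client x86 validator.

This is an added illustration, not Google's validator. The real one
disassembles the module's raw x86 bytes; here the module is a constructed,
already-decoded listing so that the rules stay visible. Three of the published
NaCl constraints are enforced:

  1. no instruction may straddle a 32-byte bundle boundary;
  2. a fixed set of instructions (system calls, interrupts, ret, segment
     loads, far jumps) is rejected outright;
  3. every indirect jump must be immediately preceded, in the same bundle, by
     an AND that clears the low five bits of the target register, and no
     direct jump may land on that jump (which would skip the mask).

The Instr listing format and the byte sizes in the samples are assumptions
made for this example.
"""

BUNDLE = 32
MASK_IMM = "$0xffffffe0"   # clears the low 5 bits: indirect targets are bundle-aligned
FORBIDDEN = {"syscall", "sysenter", "int", "hlt", "ret", "mov_seg", "lds", "les", "ljmp"}


class Instr:
    """One decoded instruction: byte offset, byte size, mnemonic, operands."""

    def __init__(self, off, size, op, *args):
        self.off, self.size, self.op, self.args = off, size, op, args

    def bundle(self):
        return self.off // BUNDLE

    def is_indirect_jump(self):
        return (self.op in ("jmp", "call") and bool(self.args)
                and isinstance(self.args[0], str) and self.args[0].startswith("*%"))

    def is_direct_jump(self):
        return (self.op in ("jmp", "call", "jcc") and bool(self.args)
                and isinstance(self.args[0], int))


def validate(listing):
    """Return a list of (offset, reason) violations; an empty list means accepted."""
    problems = []
    starts = {ins.off for ins in listing}
    protected = set()   # offsets of indirect jumps that are the tail of a valid mask+jump pair

    for i, ins in enumerate(listing):
        if (ins.off + ins.size - 1) // BUNDLE != ins.bundle():
            problems.append((ins.off, "straddles bundle boundary"))
        if ins.op in FORBIDDEN:
            problems.append((ins.off, "forbidden instruction %s" % ins.op))
        if ins.is_indirect_jump():
            reg = ins.args[0][1:]                 # "*%eax" -> "%eax"
            prev = listing[i - 1] if i else None
            masked = (prev is not None and prev.op == "and"
                      and prev.args == (MASK_IMM, reg)
                      and prev.off + prev.size == ins.off    # nothing in between
                      and prev.bundle() == ins.bundle())     # pair cannot be split
            if masked:
                protected.add(ins.off)
            else:
                problems.append((ins.off, "indirect jump through %s is not masked in the same bundle" % reg))

    # Second pass: direct jump targets must be instruction starts and must not
    # land on the jump half of a mask+jump pair.
    for ins in listing:
        if ins.is_direct_jump():
            target = ins.args[0]
            if target not in starts:
                problems.append((ins.off, "direct jump to 0x%x is not an instruction start" % target))
            elif target in protected:
                problems.append((ins.off, "direct jump to 0x%x skips the mask before the indirect jump" % target))
    return problems


# Constructed sample modules (byte sizes are illustrative, not real encodings).
def good_module():
    return [Instr(0, 5, "mov", "$0x10", "%eax"),
            Instr(5, 3, "and", MASK_IMM, "%eax"),   # mask the register ...
            Instr(8, 2, "jmp", "*%eax"),            # ... then jump: the nacljmp pair
            Instr(10, 5, "jmp", 32),                # direct jump to the next bundle
            Instr(15, 17, "nop"),                   # padding up to the bundle boundary
            Instr(32, 1, "nop")]

def straddling_module():
    return [Instr(0, 30, "nop"), Instr(30, 5, "mov", "$0x1", "%eax")]

def forbidden_module():
    return [Instr(0, 2, "int", "$0x80"), Instr(2, 1, "ret")]

def unmasked_jump_module():
    return [Instr(0, 2, "jmp", "*%eax")]

def split_pair_module():    # mask in bundle 0, jump in bundle 1
    return [Instr(0, 29, "nop"), Instr(29, 3, "and", MASK_IMM, "%ecx"), Instr(32, 2, "jmp", "*%ecx")]

def skip_mask_module():     # direct jump lands on the indirect jump, bypassing the AND
    return [Instr(0, 5, "jmp", 8), Instr(5, 3, "and", MASK_IMM, "%eax"), Instr(8, 2, "jmp", "*%eax")]


if __name__ == "__main__":
    for name, mod in [("good", good_module()), ("straddling", straddling_module()),
                      ("forbidden", forbidden_module()), ("unmasked", unmasked_jump_module()),
                      ("split pair", split_pair_module()), ("skip mask", skip_mask_module())]:
        print(name, validate(mod) or "accepted")
```

The point of the mask+jump rule is the one that matters for sandbox escapes: with every indirect target forced onto a 32-byte boundary and every instruction kept inside its bundle, the validator can see every instruction the module will ever execute, so the whitelist check is complete rather than best-effort.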

With the project to be released under the BSD licence, it shouldn’t be too long before multiple architectures are supported and there are plugins supporting it running on most available software platforms.

Categories: NETWORKING Tags:

Personal Network and the technology behind it

December 12th, 2008 No comments

Experts believe Personal Networks will run to a thousand devices by 2017, which presents an enormous networking challenge. European researchers are developing some very clever technology to create a Smart Personal Network that can cope with all those devices.

When sensors, personal and home devices and in-car technology are all counted, expert group, the Wireless World Research Forum, believes people will own and use up to a thousand devices by 2017.

It may not be that many in the end, but it will be an awful lot and it will be impossible for an individual to manage all the data, networking, functionality and services for so many tools. Smart Personal Networks will be essential.

A Personal Network (PN) links together a group of Personal Area Networks (PANs) and all devices and technology belonging to a private entity, whether it is a person, or eventually a car or an airplane. Developing a robust, effective and trustworthy network represents an enormous challenge.

Enter the MAGNET Beyond project, a huge European effort to develop a PN to respond to the challenge posed by 2017. The vision requires a lot of new software and hardware technology and key to the technical effort was the development of the architecture, optimized air interfaces and tailored security.

The architecture in MAGNET Beyond is based on four conceptual layers: connectivity, network, service enabler (middleware), and service layers.

The connectivity layer is able to handle connections to any mix of radio frequency (RF) networks, from Bluetooth to 3G and everything in between. It is also designed to cope with any emerging RF technologies, like Beyond 3G (B3G).

Promiscuous PNs

The connectivity layer masks the underlying RF system from the rest of the MAGNET platform, which provides seamless and hassle-free connections for the user.

The network layer handles the management or creation of Personal Networks and communications within and between PNs. It is also responsible for the creation of permanent or temporary PN federations. A federation exists when two separate PNs link together – to those belonging to friends, family, clients or colleagues, for example.

The federation can exist on a temporary or permanent basis. Similarly, when the user is traveling, the PN can federate with anyone he or she meets. It is known as a promiscuous PN.

The middleware layer provides overlays for service and context management and acts as a service enabler.

Software and beyond

MAGNET Beyond went beyond software and developed innovative new hardware prototypes for the support of the MAGNET system. The project designed two new optimized air interfaces for Low Data Rate (LDR AI) and for High Data Rate (HDR AI) communications.

The LDR AI is based on ultra-wideband (UWB) transmission with frequency modulation (FM) aiming at short-range applications with low data rates. Transmission is under 10 meters and lower than 100kbps. The interface is power efficient, cost efficient and simple to manufacture and integrate into common devices.

“The project has produced one of the first, if not the first, Ultra Wide Band (UWB) chipset for High Band operation,” explains Liljana Gavrilovska, Technical Manager of the MAGNET Beyond project (see photo 1, above).

UWB is a radio technology that can work with very low energy levels for short-range high-bandwidth communications by using a large portion of the radio spectrum collectively.

The HDR AI, on the other hand, relies on multicarrier transmission with frequency spectrum spreading (MC-SS) to maximize achievable data rates, which are impressive: the maximum data rate is approximately 130 Mbps. The two radio interfaces can coexist on the same device providing multimode operations (see photo 2)

The HDR achieves its data rate without using multiple-input multiple-output techniques (MIMO), which could push the rate higher. It means the technology has an upgrade path that can cope with higher data rate applications of the future.

The air interfaces are an impressive success, offering a new standard in optimized, low-cost communications.

Even better, other EU-funded projects are keen to take advantage of the new devices. Both ORACLE and WHERE projects are exploring the potential of the HDR AI and OMEGA has also shown an interest. Right now, the MAGNET Beyond HDR is in the patent process.

And that was just one element of the overall MAGNET programme.

Personal security

Security, too, was a major focus of the project and led to a suite of solutions. There were four core activities, with security working across all layers.

The first activity, Personal Network security architecture, looked at network security and group communication. Another activity, Lightweight crypto, examined improvements for pairing devices within a PN, establishing a link between two devices.

A third, Context aware security management, dealt with privacy, profiles, roles and associated security requirements relevant to the user’s context, whether at work or home, for example. Finally, the project undertook validation, implementation, performance and analysis of potential threats and attacks.

The methods developed by the group included a PN federation protocol suite, secured through a separate lightweight public key infrastructure for authentication and a high-performance group key management scheme for access control.

The EU-funded MAGNET Beyond project also developed a new physical layer encryption concept that works with very low-power devices. Anonymity, too, was a focus of the security efforts, with the project developing an avatar concept to provide a virtual identity and ensure complete, anonymous access.

In all, the hardware and software developed by MAGNET Beyond responded to real, current needs, but the solutions were designed to be flexible and upgradeable, able to adapt to new standards and technology in the future.

It is an impressive list of achievements and finally delivers a platform that can create simple, transparent, effective and secure Smart Personal Networks capable of coping with the bewildering growth in personal technologies.

But the real proof of MAGNET Beyond’s technology lies in the real-world performance tests undertaken with the prototype in validations and pilot demonstrations.

The MAGNET Beyond project received funding from the ICT strand of the Sixth Framework Programme for research.

This is part two of a three-part series on MAGNET Beyond

 

Categories: NETWORKING Tags:

Underage Hacker Pleads Guilty to Multiple Offenses

December 12th, 2008 No comments

A 17-year-old hacker known online as “Dshocker” has pleaded guilty to one count of computer fraud, one count of interstate threats, and no fewer than four counts of wire fraud. He has agreed to a sentence of 11 months of incarceration in a juvenile detention center.

Because the law protects the identity of juvenile offenders, the authorities referred to the young cyber-troublemaker from Worcester, Massachusetts only as N. H. According to prosecutors, over a period of three years the hacker wreaked havoc on gaming forums and terrorized users he didn’t like, both online and in real life. Dshocker, also known as Aush0k, started his crime spree in 2005: controlling several botnets (armies of infected computers), he launched DDoS (distributed denial of service) attacks against other gamers or hackers he held a grudge against. His botnets consisted of tens of thousands of computers, and he used this form of attack on numerous occasions over the years.

In time, the juvenile hacker added other techniques to his arsenal, such as swatting. Swatting is a new twist on the older illegal practice of reporting fake crimes to emergency services: the caller spoofs the phone number by various means and reports a serious incident that will prompt the authorities to dispatch special intervention teams such as S.W.A.T. According to prosecutors, Dshocker made several such calls, spoofing the phone numbers of victims in other states, in Seattle and Georgia among other places. His fake reports prompted armed law enforcement teams to show up at those locations.

In addition, the teenage hacker is guilty of hacking into the computer servers of several Internet service providers and stealing the personal details of his victims from the customer records. This enabled him to find out the addresses used in the fake phone calls and the phone numbers he spoofed. The affected ISPs include Comcast, Road Runner and Charter Communications.

His list of computer crimes doesn’t stop here. The hacker is responsible for using stolen credit card details to purchase various merchandise from the Internet. He has also modified his networking equipment in order to get free Internet access from his ISP with the help of stolen, unlicensed high-end software. According to The Register, all of these offenses would have brought him a maximum sentence of 10 years behind bars, if he had been an adult.

 

Categories: NETWORKING Tags:

WPA Encryption No Longer Secure

December 12th, 2008 No comments

Security researchers Erik Tews and Martin Beck have succeeded in partially breaking WPA (Wi-Fi Protected Access), which until now had been considered safe. The two will demonstrate the attack at the upcoming PacSec security conference in Tokyo, Japan.

WPA has been widely adopted as a replacement for WEP (Wired Equivalent Privacy), which has been known to be insecure since 2001, when Fluhrer, Mantin and Shamir published their attack on the way WEP uses RC4. That first attack was statistical rather than a dictionary attack: it needed millions of captured packets, so large-scale exploitation was considered unlikely.

The uncertainty ended in early 2007, when Erik Tews, with Ralf-Philipp Weinmann and Andrei Pychkine at Darmstadt University of Technology in Germany, developed a technique that breaks a WEP key in a couple of minutes from a few tens of thousands of captured packets. Their method, which became known as the PTW attack, prompted security professionals to declare WEP a high security risk. Indeed, the use of WEP as the encryption protocol is what allowed attackers to steal millions of credit card details in the T.J. Maxx breach.

NetworkWorld reports, citing PacSec organizer Dragos Ruiu, that the researchers found a way to get the access point to supply them with the material they needed and that, combined with what Ruiu calls a “mathematical breakthrough”, the attack runs in a matter of minutes, between 12 and 15. Stated more precisely, the attack does not recover the TKIP key at all. It adapts the chopchop technique from WEP to TKIP: the attacker captures a short, largely predictable packet sent from the access point to a client (an ARP frame) and recovers the unknown bytes of its plaintext one at a time by replaying truncated, modified versions and watching whether the client answers with a MIC failure report. TKIP’s countermeasures shut the link down if two MIC failures arrive within 60 seconds, so the attacker waits a minute between successful guesses; the 12 bytes of ICV and MIC at the end of the packet are what must be recovered this way, which is where the 12 to 15 minutes come from. The replay-counter check is sidestepped by sending the modified frames on 802.11e QoS queues the victim has not used yet.

What makes this notable is that it is not a dictionary attack on the pre-shared key. Offline guessing of weak WPA passphrases from a captured four-way handshake has always been possible, and researchers have always pointed that out, but a well-chosen passphrase defeats it, so it was never considered a break of WPA itself. The new attack works regardless of passphrase strength; its preconditions are that the network uses TKIP, that it supports 802.11e QoS, and that the client is not rekeyed faster than the attack runs.

What the attack yields is therefore not the TKIP encryption key but the plaintext of one packet, the keystream for that packet’s sequence counter and, because the Michael MIC function is invertible, the MIC key for the access-point-to-client direction. That is enough to decrypt further short packets sent to that client and to inject a handful of forged frames (Beck and Tews report up to seven per recovered keystream, one per unused QoS queue); it is not enough to decrypt arbitrary traffic. Even so, this is “just the starting point,” Dragos Ruiu pointed out. “Erik and Martin have just opened the box on a whole new hacker playground,” he explained.

Mr. Ruiu also outlines the problems raised by this achievement, mainly the fact that WPA is now a requirement for security standards compliance almost everywhere. As a result, WPA has been adopted and is being used by many organizations and not just by individuals. “Everybody has been saying, ‘Go to WPA because WEP is broken’. This is a break in WPA,” concluded Ruiu.

Robert Graham, of Errata Security, begs to differ. According to him, WPA, or WPA-RC4-TKIP as it is technically known, was designed from the start as a temporary fix for WEP, and everybody should have known that. The entire reason for WPA-RC4-TKIP’s existence was to reduce adoption costs by accommodating older WEP hardware, which could not support WPA2 (WPA2-AES-CCMP) at the time. WPA2, which uses the AES block cipher in CCMP mode rather than the RC4 stream cipher shared by WEP and WPA, is not affected by the new attack and, according to Mr. Graham, will remain secure for a long time to come. One caveat: the weakness is in TKIP, not in the name on the box. A “WPA2” network that still allows TKIP for the sake of old clients is just as exposed; only a CCMP (AES)-only configuration is out of reach.

“There are no weaknesses in AES or the WPA2 standard based upon it. It’s going to last for the next 20 years,” claims Robert Graham. He adds that since WPA and WPA2 have been basically standardized at the same time, but one as a temporal fix and the other as a long term one, “you should always have been planning WPA2-AES-CCMP eventually, and been planning to rely upon that for many years. If you planned to only do WPA-RC4-TKIP, then you were wrong”.

Regardless of whether you considered, or were even aware of, the temporary nature of WPA, you should start planning for a full WPA2 implementation now, since further attacks on TKIP are likely to follow. If you are a home user, check whether your router supports WPA2, as newer ones do, switch to it, and disable TKIP rather than leaving a mixed TKIP/AES mode enabled. If your equipment can do no better than TKIP, a short rekeying interval (Beck and Tews suggested 120 seconds or less) limits what an attacker can do with a recovered keystream.

In addition, Erik Tews plans to publish the findings in an academic journal in the near future, while Martin Beck has released part of the attack code as tkiptun-ng, a tool included in the popular, freely available Aircrack-ng suite, a collection of applications for cracking wireless encryption.
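The step that turns one decrypted packet into a reusable MIC key deserves a closer look, because it is the reason TKIP’s integrity check offers so little resistance once chopchop has done its work. The following example, written for this article and not taken from Beck and Tews’ paper or from tkiptun-ng, implements the Michael MIC as defined in 802.11i and then runs it backwards: given a plaintext and its MIC, it recovers the 64-bit MIC key. The sample key and the ARP-sized frame in the demo are constructed for the demonstration; the zero-key test vector is the one from the standard.

```python
"""Michael, the TKIP message integrity code, and why its key leaks.

Added illustration; not code from the article, from Beck and Tews, or from
tkiptun-ng. Michael is the 64-bit MIC that WPA/TKIP appends to every frame.
Its round function is a bijection on the (l, r) state, so anyone who learns
one plaintext frame together with its MIC can run the rounds backwards and
recover the MIC key. That is exactly the step the Beck-Tews attack performs
once the chopchop stage has decrypted a single short packet. The arithmetic is
the 802.11i definition; the sample key and frame at the bottom are constructed
for the demonstration.
"""
import struct

MASK = 0xFFFFFFFF


def rol32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def ror32(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def xswap(x):
    """Swap the two bytes within each 16-bit half of x."""
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)


def block(l, r):
    """One Michael round (the 'b' function of 802.11i)."""
    r ^= rol32(l, 17)
    l = (l + r) & MASK
    r ^= xswap(l)
    l = (l + r) & MASK
    r ^= rol32(l, 3)
    l = (l + r) & MASK
    r ^= ror32(l, 2)
    l = (l + r) & MASK
    return l, r


def block_inv(l, r):
    """Exact inverse of block(): every step is a modular add or an XOR with a
    value derived from the other half, so each is undone in reverse order."""
    l = (l - r) & MASK
    r ^= ror32(l, 2)
    l = (l - r) & MASK
    r ^= rol32(l, 3)
    l = (l - r) & MASK
    r ^= xswap(l)
    l = (l - r) & MASK
    r ^= rol32(l, 17)
    return l, r


def pad(msg):
    """802.11i padding: a 0x5a byte, then 4 to 7 zero bytes, to a multiple of 4."""
    padded = msg + b"\x5a" + b"\x00" * 4
    return padded + b"\x00" * (-len(padded) % 4)


def words(data):
    return struct.unpack("<%dI" % (len(data) // 4), data)


def michael(key, msg):
    """Compute the 8-byte MIC of msg under the 8-byte key."""
    l, r = struct.unpack("<II", key)
    for w in words(pad(msg)):
        l ^= w
        l, r = block(l, r)
    return struct.pack("<II", l, r)


def recover_key(msg, mic):
    """Given a plaintext and its MIC, run Michael backwards to get the key."""
    l, r = struct.unpack("<II", mic)
    for w in reversed(words(pad(msg))):
        l, r = block_inv(l, r)
        l ^= w
    return struct.pack("<II", l, r)


def demo():
    """Constructed scenario: the attacker has decrypted one ARP-sized frame and
    its MIC (what chopchop delivers); the MIC key falls out immediately."""
    mic_key = bytes.fromhex("0123456789abcdef")   # constructed key, not a real one
    frame = bytes.fromhex(                        # constructed ARP-style payload
        "aaaa030000000806000108000604000100112233445500a000001000000000000c0a80001"[:72])
    mic = michael(mic_key, frame)
    return recover_key(frame, mic) == mic_key


if __name__ == "__main__":
    print("zero key, empty message:", michael(bytes(8), b"").hex())   # 802.11i vector
    print("MIC key recovered from one plaintext:", demo())
```

Michael was deliberately designed to be cheap enough for WEP-era hardware, and the countermeasures (the MIC failure reports and the 60-second shutdown) were meant to compensate for its weakness; the attack turns those very reports into its oracle. CCMP replaces Michael with a CBC-MAC under AES, which is why the WPA2-AES configuration is not affected.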

Categories: NETWORKING Tags: