Monday, September 29, 2008

Do You Use Unprotected Instant Messaging? You Left the Back Door Open!

Every PC user has heard of Instant Messaging software, or IM. Depending on your generation, you are either an avid user or your children use it. What started out as a social networking tool for adolescents on the home computer is now gaining recognition in the office environment as an alternative communication tool. Do you know all of the capabilities and risks of this casual tool?

Instant Messaging use has merit:

* it is quick, direct and conversational, like a phone conversation, yet you can still multitask
* it supports group talk: several people in one conversation or session
* accounts and usage are typically free via the major providers (MSN, Yahoo, AOL)

Since it is often not formally implemented by the company as a work tool, it is considered personal and lacks oversight. Many employers do not even have a written usage policy. IT views it as one less area to monitor and support. Here is where the problems can begin.

Two factors every employer needs to consider if you opt to ignore IM in your workplace:

With the recent Supreme Court clarification on e-discovery rules, responsibility and accountability for workplace behavior lies with the employer. Any digital data stream that occurs on a company asset (e.g. workstation, laptop) is subject to review and retrieval upon request. The history span covered is usually three to seven years, depending on your industry's compliance initiatives (e.g. SOX, HIPAA, NASD). An employer needs to show reasonable efforts to manage the entire corporate network. A company also needs the capability to produce specified content reports and dialogues on requested employee(s) over a given time period. Typically, the courts allow up to thirty days to comply. Failure to deliver has shown favor to the plaintiff in recent cases, and in some rulings punitive fines for non-delivery were rendered as well. That's the legal consequence, and it can be a daunting enough reason to take measures for controlling IM.

IM technology has become more versatile, and is continuing to evolve. You can still chat with your friends as originally designed. However, did you know you can also play interactive games, gamble, watch videos, draw on whiteboards, video chat or transfer files of all sizes? All of this activity is outside the network's scrutiny - 'under the radar' - with no record of activity. This is becoming a preferred way of passing along new viruses, malware and worms.

Conclusion

Left unchecked, at minimum it can cost you productivity and bandwidth. It also can become a conduit for losing Intellectual Property, attracting viruses, sexual harassment, litigation or more. Your company could be in line for a PR nightmare and costly litigation.

A common reaction for a company is to 'shut it down and do not allow any IM'. Are you sure that is effective? We had a large prospect that was positive no personal IM took place on their corporate network due to controls they put in place. They allowed us to monitor (look only) at their network environment for one week with our systems. We counted 1.6 million unsanctioned messages that crossed their network - unchecked or tracked.

Instant Messaging is not coming - it is here. The laws now say we need to manage the technology the same as we do for email.

Enclave Data Solutions works with companies to assure their data and messaging is in compliance and secure. Our solutions are state of the art, quick to implement, cost effective and provide the comfort to know your data is secure. A phone discussion is a great way to assess your environment and what would be the best action plan. Visit our website Enclave Data (www.enclavedata.com) to learn more.

You have the responsibility to maintain your company's digital environment. With the right tools, you can now also have the control to assure compliance and protect your company's assets.

Instant Messengers (IM chat) for Mobile Devices.

Mobile devices such as cell phones (also called hand phones) are no longer merely tools for making phone calls. Mobile phones are now also used for Internet activity. With a mobile phone we can browse our favourite sites or even chat using our favourite instant messenger service, such as Yahoo Messenger. A mobile phone with instant messaging ability can be called a mobile messenger. Almost every IM protocol service can be handled by a mobile messenger: MSN aka WLM, Jabber, GTalk, Yahoo, ICQ, AIM aka AOL Instant Messenger and many more. All we need is a chat client or instant messaging software that runs on our mobile phone. Then we can chat from our mobile phone easily.

Top Three Mobile Messengers

Although we can use a separate mobile messenger for each IM protocol, it is easier and faster to have one mobile messenger chat client that works with all IM protocol networks.

shMessenger (WAP, Mobile)

shMessenger is another mobile messenger that supports Yahoo Messenger, GTalk and MSN aka Windows Live Messenger. Features available in shMessenger include Internet and WAP support, smileys, buddy icons, status change, themes, sounds and many more. You can download shMessenger directly from your mobile phone browser at www.shmessenger.ro/wap. shMessenger can also be used as an invisible checker or online checker.

eBuddy Messenger (Web, Mobile Messenger, WAP)

eBuddy Messenger is a mobile messenger, like Mig33, that supports the most popular instant messenger protocols. eBuddy supports MSN, Yahoo!, AIM, Google Talk, ICQ and Facebook. You can download it from your mobile phone by pointing your browser at get.ebuddy.com, or you can download eBuddy here. Just like Mig33, you can also chat from a web browser on your desktop computer.

Mig33 (WAP, Mobile Messenger, Web)


Mig33 is one of the favorite mobile messengers (it can also work with your desktop computer) and handles most of the favorite IM protocol services. Mig33 supports MSN/WLM, Yahoo!, ICQ/AOL/AIM, Google Talk and SMS. If you use your mobile phone's WAP browser, you can download the Mig33 chat client, or Mig33 Mobile Messenger, from wap.mig33.com. You can edit your profile, and it also has photo sharing. Mig33 has its own chat rooms, where you can chat or look for new friends.

Sunday, September 21, 2008

Instant messaging software: Safety and Privacy.

Instant messenger services have recently seen a huge gain in popularity. In fact, over 1 billion messages are transferred each day using instant messaging (IM). With this increase in popularity, the instant messenger networks are moving from plain communication towards encrypted communication.

Many IM programs send messages as plain text over the Internet. This allows anybody to monitor your conversations. There are many tools available on the Internet with which anybody can see your instant messages. Many users, unaware of these security concerns, communicate private or confidential information through instant messages. This gives a hacker the chance to hijack private information, which can cause corporate disasters.

The use of instant messengers is now well accepted and encouraged in the corporate world as formal communication, as it provides a synchronous communication mechanism that is faster than email and cheaper than phones. With the use of instant messaging in an organization, security has become a key concern. This security concern is motivating IM service providers to provide secure communication.

There are many add-on tools and utilities available in the market which help in achieving secure instant messaging. These utilities encrypt and authenticate messages and file transfers.

Even though the increase in use and popularity of IM indicates the need for secure IM communication, there are only a few IM networks, like Skype, Google Talk, AOL etc., which provide security by encrypting the communication. Maybe in the near future we will see all networks going for secure communication.

By Omkar Singh
Source: http://somkar.blogspot.com

Friday, September 12, 2008

Trend Micro Offers Enterprise IM Security with New Suite.

Trend Micro is targeting e-mail, instant messaging and collaboration platform security with a suite of products that leverage its cloud-based Smart Protection Network. The suite is made up of four products: Trend Micro IM Security for Microsoft Office Communications Server, Trend Micro ScanMail for Microsoft Exchange, Trend Micro PortalProtect for Microsoft SharePoint and Trend Micro Control Manager.

Trend Micro has bundled together some of its messaging security products to bolster enterprise defenses using its cloud-based Smart Protection Network.

Dubbed Trend Micro Communication & Collaboration Security, the suite consists of four products—Trend Micro IM Security for Microsoft Office Communications Server, Trend Micro ScanMail for Microsoft Exchange, Trend Micro PortalProtect for Microsoft SharePoint and Trend Micro Control Manager. The suite is powered by the Smart Protection Network, Trend Micro's content security architecture.

The idea is to leverage Smart Protection Network to extend security for collaboration and instant messaging as enterprises accelerate their use of Microsoft SharePoint and OCS platforms. Citing figures from Osterman Research, Trend Micro said more than half of the organizations that participated in Osterman's recent IM Presence and RT Communication Survey reported using both Microsoft Exchange and SharePoint.

"[Enterprises] are bringing on more and more communications systems, [and] that's making their life harder and harder," David Finger, Trend Micro's global product marketing manager for messaging security, said in an interview with eWEEK. "If they need to keep bringing on individual point products to secure them, their life is going to be harder still."

The move continues Trend Micro's strategy of fighting malware in the cloud, something other security vendors are doing as well. McAfee also announced Sept. 8 a cloud-based approach to security as part of McAfee Total Protection Service for small and midsize businesses, and has plans to expand the technology to McAfee VirusScan Enterprise and its consumer products.

"The IM Security product … leverages the Web reputation threat intelligence that is part of Smart Protection Network to stop instant messages that may contain links to malicious or compromised sites," Finger said. "Similarly, our ScanMail for Exchange product supports the e-mail reputation of the Smart Protection Network and it helps stop spam, blended threats [and] malicious e-mail based on … that new cloud-client architecture rather than the old … pattern file engine update model."

The Trend Micro Communication & Collaboration Security suite is available immediately starting at $45.34 per user for 1,000 seats. For existing customers using Trend Micro ScanMail for Microsoft, upgrade prices start at $16.96 per user.

By Brian Prince
Source: http://www.eweek.com/c/a/Security/Trend-Micro-Targets-Enterprise-Messaging-Security-With-New-Suite/

Instant Messaging - new threat for a changeable communications scene

Instant Messaging (IM) has emerged as one of the most successful and widely deployed applications on the Internet. Unfortunately, this success has come at a heavy price, with IT attackers shifting their attention to IM, propagating IM-borne viruses, worms, spam over IM (SPIM), malware and phishing.

Alarmingly, despite its wide adoption and equally impressive security onslaughts, IM still remains generally unprotected in both consumer and enterprise environments, leaving it exceedingly vulnerable to attacks and exploits.

Gartner experts take it one step further stating that IM has become an e-mail alternative for distributing viruses and other malware. At the same time, only 10% of organisations have formal IM policies in place, according to a 2007 Burton Group survey. And of those, only half secure the application. Many don’t even know whether employees are using IM.

Looking purely from an enterprise perspective, IM poses two key threats: it opens new vulnerabilities through which information can leak or be leaked, leading to user privacy concerns and the potential loss of intellectual property; and it creates invisible communications channels that operate below the radar of conventional information security measures, exposing the organisation to regulatory compliance breaches.

The reality is that IM has become a severe threat and requires considerable user awareness coupled with security solutions, both in the consumer and enterprise spaces, to ensure that it does not turn into a monster that we cannot control.

Here are some examples of just how sophisticated IM threats have become. We are now faced with threats such as a talking worm, which essentially imitates an IM user by engaging the end-user in a dialogue. Even more shocking is that many of these threats are multilingual, talking to the end-user in his or her native tongue.

Threats have also become more agile and are able to cross from one network to another and cross from public IM networks to internal IM servers. This is particularly relevant given the trend toward IM interoperability.

Also, threats are increasingly avoiding anti-virus identification through the rapid multiplication of their payload signature. Attackers are also using root kit software to hide the process, files, and registry keys for the software used in their attacks. The impact will not be detected as quickly by the end-user, which makes it even more dangerous.

The bottom line is, while organisations have invested significant resources and time in protecting e-mail and Web communications, they have failed to recognise that IM represents a new wave of security onslaughts that not only harms end-users but also impacts company intellectual property.

In order to put a stop to IM attacks, organisations and users have to implement appropriate security precautions and technology to secure their messaging communications.

In the enterprise space, these solutions should address the threats posed by phishing, malware and blended attacks, since IM is particularly susceptible to social engineering tricks. Additionally, IM’s real-time nature causes malware to spread rapidly.

Plus, in order to stop the leakage of intellectual property, companies should invest in tools that track, audit and even block certain IM conversations, while enforcing acceptable-use policies and complying with regulations and legal restrictions.

There are currently a number of comprehensive security options available catering to both individual users and enterprises. High-end products offer comprehensive solutions that address and mitigate the potential risks associated with the use of IM in the enterprise, while for individual users or smaller organisations, anti-virus and Internet security software suites include integrated IM security features.

IM security must enjoy the same priority as e-mail and Internet; it is a real threat that is creating a playground for attackers to exploit us when we are at our most vulnerable. Invest in a reputable security solution and apply due diligence, enforcing the same measures as you would in the case of suspicious-looking e-mails, attachments and Web sites.

Author: Tich Mugwara, Symantec security product manager at DCC
Source: http://www.computingsa.co.za/article.aspx?id=841434

Wednesday, September 10, 2008

Unified communications (UC) will not replace unsafe IM

Dealing with clients often means leaving the light on for AIM, Skype and other IM services.

When software localisation vendor Lionbridge Technologies started rolling out Microsoft's unified communications software in 2006, it let its 4300 employees keep on using public instant messaging services such as AIM or Yahoo Messenger.

Today, its Office Communications Server software handles a million IM conversations per month. That has lessened employees' use of outside IM services but hardly eliminated it, according to IT director Oyvind Kaldestad.

"We are encouraging people to use Office Communicator for all internal IMing," he said. "But we are a client-driven company and some of our customers like to use Skype or GoogleTalk. So we don't lock down our employees' computers."

Unified communications (UC) software such as IBM's SameTime, Cisco's Unified Personal Communicator and Microsoft's Office Communicator may offer instant messaging along with powerful related features, such as the ability to detect the "presence" - or availability - of co-workers, and instantly call or videoconference with them via your PC if they are available. And they may also be more secure than public IM systems.

But most companies are unlikely to clamp down on public IM and similar services as they roll out UC software, choosing instead to try to steer employees to approved, safer communication channels while monitoring and managing the insecure ones.

Take Avanade, the Seattle-based corporate systems integrator that is a joint venture of Accenture and Microsoft.

Avanade's own internal approach was to allow use of public IM software but to try to weave Office Communicator in so tightly with its employees' software that they would, for convenience's sake, voluntarily choose to use Office Communicator over public IM for most workday communication.

No company is an island

Public IM services are notoriously good at hopping around to seek open network ports, according to Larry LeSueur, vice president of technology infrastructure solutions at Avanade. And preventing employees from installing IM software on their PCs seemed too harsh.

"You'll restrict employee productivity and start turning your company into an island," he said.

Projections from The Radicati Group appear to agree. The research group expects the number of public IM messages this year to dwarf enterprise IM by a factor of eight to one. That ratio will hold in 2011, when 82 billion public IM messages are expected to be sent.

Radicati does see the number of enterprise IM users world-wide doubling to 127 million in 2011 from 67 million this year.

But it also sees the installed base of IM seats managed by third-party tools growing more than six times, from 15 million this year to 97 million projected in 2011.

Such software helps ameliorate risks from use of public IM and similar software. According to a survey commissioned and released this week by one such vendor, FaceTime Communications, nine out of 10 IT managers experienced a security problem related to public IM, Web conferencing or voice-over-IP services such as Skype in the past six months.

Such management software is less necessary with UC software, which is run on a server controlled by the company. IMs mostly flow between authenticated users within a corporate network. Most can be set to encrypt all IM traffic, too.

That makes it hard for a hacker to impersonate an IM user or for malware to be sent via IM to a user - or, if the proper rules or monitoring tools are set, for employees to send out private company data.

"They are, a priori, more secure and trustworthy than public IM, without a doubt," LeSueur said.

By: Eric Lai, Computerworld US.
Source: http://www.techworld.com/networking/features/index.cfm?featureID=104055&pagtype=samecatsamechan
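LeSueur's point above, that public IM clients hop between open ports, is why a port blocklist alone undercounts IM on a network. The sketch below is an added example, not from the article or any vendor: it labels a flow by the first bytes of its payload instead of its port, using the well-known opening framing of MSNP, YMSG, OSCAR and XMPP; the sample flows and all function names are constructed for illustration.

```python
import re
import struct

# Default client ports of the public IM services. Blocking only these is the
# control that a client falling back to any open port walks around.
DEFAULT_IM_PORTS = {1863: "MSNP", 5050: "YMSG", 5190: "OSCAR", 5222: "XMPP"}


def is_msnp(p):
    # MSN/WLM clients open with a text command: "VER <id> MSNP<n> ... CVR0"
    return re.match(rb"VER \d+ MSNP\d+", p) is not None


def is_ymsg(p):
    # Yahoo packets carry a 20-byte header that starts with ASCII "YMSG"
    return len(p) >= 20 and p[:4] == b"YMSG"


def is_xmpp(p):
    # Jabber/XMPP (used by Google Talk) opens an XML stream in jabber:client
    head = p[:512]
    return b"<stream:stream" in head and b"jabber:client" in head


def is_oscar(p):
    # AIM/ICQ FLAP frame: 0x2A, channel 1-5, 2-byte sequence, 2-byte length.
    # One magic byte is weak, so also require the declared length to fit.
    if len(p) < 6 or p[0] != 0x2A or not 1 <= p[1] <= 5:
        return False
    (length,) = struct.unpack(">H", p[4:6])
    return 6 + length <= len(p)


# Strongest signatures first; the single-byte OSCAR magic goes last.
CHECKS = [("MSNP", is_msnp), ("YMSG", is_ymsg), ("XMPP", is_xmpp), ("OSCAR", is_oscar)]


def classify(payload):
    """Name the IM protocol from a flow's first client bytes, or return None."""
    for name, check in CHECKS:
        if check(payload):
            return name
    return None


def audit_flows(flows):
    """Compare what a port blocklist sees with what payload inspection sees."""
    port_hits = [port for port, _ in flows if port in DEFAULT_IM_PORTS]
    payload_hits = [(port, classify(p)) for port, p in flows if classify(p)]
    return {"port_rule_hits": len(port_hits), "payload_hits": payload_hits}


# Constructed sample: (destination port, first client payload bytes).
# None of the IM sessions uses its default port.
SAMPLE_FLOWS = [
    (80, b"VER 1 MSNP15 MSNP14 CVR0\r\n"),
    (443, b"YMSG" + struct.pack(">HHHHII", 16, 0, 0, 0x4C, 0, 0)),
    (21, b"\x2a\x01\x00\x01\x00\x04\x00\x00\x00\x01"),
    (8080, b"<?xml version='1.0'?><stream:stream to='example.org' "
           b"xmlns='jabber:client' version='1.0'>"),
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"),
    # TLS ClientHello start: encrypted sessions stay unclassified by this check
    (443, b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b"),
]

if __name__ == "__main__":
    report = audit_flows(SAMPLE_FLOWS)
    print("flows matched by port blocklist:", report["port_rule_hits"])
    for port, proto in report["payload_hits"]:
        print(f"port {port}: {proto}")
```
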

Tuesday, September 9, 2008

Some advice for boosting IM security

* Adopt a user policy for instant messaging. Your employees need to know whether you view instant messaging as an appropriate vehicle to communicate with customers or business partners. Any policy should contain at least general guidelines for its use. -- Julie Lancaster, director of marketing, Visualware Inc., Turlock, Calif.

* Integrate IM into your existing corporate directory. This is very important, as the corporate directory is the lifeblood of "who's who" in an enterprise. Requiring a third party to maintain a list of your employees creates an opportunity for a security breach. -- Brian White, senior product manager for presence and instant messaging, and Kevin McLellan, marketing manager for workplace collaboration products, IBM's Lotus Software Group, Cambridge, Mass.

* Integrate your IM application with the internal personnel system as a way to securely register IM names. This is an easy way to capture identities and manage changes in users' IM screen names while maintaining a record of their previous conversations under their old screen names. -- Tommy Wright, vice president and manager of information systems development, FTN Financial, Memphis

* An ounce of prevention is worth a pound of cure. Keep your IM client and server software patched. There is simply no substitute to maintaining the patch levels of your IM software and ensuring that you are protected against known vulnerabilities. -- Andre Yee, chief technology officer, NFR Security Inc., Rockville, Md.

* Be aware of virus infections and related security risks. Most IM services allow you to transfer files with your messages. IM file attachments carrying viruses penetrate firewalls more easily than e-mail attachments. Instant messages that carry viruses will run and dip into a firewall until they find an opening. If you collaborate on documents for your business, file transfer is important. It's wise to learn more about the quality of your own firewall protection to decide whether or not to restrict transferring files through IM. -- Julie Lancaster, Visualware

* Be your own host. Host your own IM server if possible. That will allow you to ensure that the server is secured, as opposed to using a general public server for which you have no control. -- Andre Yee, NFR Security

* To work in real time with those outside your own company, it is vital to connect to that company's secured users. The new SIP/SIMPLE standard for IM interoperability provides that capability without requiring both parties to leave their secure IM to jump onto an unsecured public network. -- Brian White and Kevin McLellan, Lotus Software Group

* Be original. Avoid using the same password for IM as you would for other authenticated means of communication. This ensures that if the IM password is compromised, it doesn't lead to a breach of other communication mechanisms. -- Andre Yee, NFR Security

* Be aware that instant messages can be saved. You may think IM is great because you can let your guard down; make bold statements; chastise a boss, employee or co-worker; and have it all wiped away from the record when you are done. What's often forgotten is that one of the parties to your conversation can copy and paste the entire chat onto a notepad or Word document, and some IM services allow you to archive entire messages. -- Julie Lancaster, Visualware

* Handle with care. Reject content from unknown sources. As you would with e-mail, avoid opening files or accessing links sent to you from unknown contacts. -- Andre Yee, NFR Security

* Don't use instant messaging to communicate confidential or sensitive information. If your company is in the business of providing professional advice regarding stocks, finances, medicine or law, it's not smart to do so through instant messaging. IM is better suited to quick information about project status, meeting times or a person's whereabouts. -- Julie Lancaster, Visualware Inc.

* Mum's the word. Regard IM as a nonconfidential communication channel. Users should be strongly advised against communicating proprietary and sensitive information over IM. -- Andre Yee, NFR Security


Source: Computerworld

Beware of UC Security Threats

Unified communications opens up your VoIP network to new avenues of collaboration, including instant messaging, video, business applications and e-mail. And that opens up your network to new avenues of attack.

While the biggest actual threats to VoIP networks remain attacks to the underlying IP network infrastructure, UC opens up new angles of attack by creating connections between VoIP networks and corporate data networks.

Typically, most corporate deployments these days try to segregate VoIP as much as possible, creating islands that protect the voice network by broadly restricting access for devices unnecessary to supporting calls, says Ted Ritter, an analyst with Nemertes Research.

Unified communications changes all that. "With UC, by definition you are opening up your infrastructure and focusing on collaboration, reaching outside the enterprise to trading partners and customers," Ritter says.

Eavesdropping, altering conversations, stealing phone access to commit toll fraud and flooding targeted extensions with calls -- all of which were possible before -- become easier, he says.

Don't Ignore Basic IP-Network Attacks

In reality, however, few of these theoretical VoIP-specific attacks have occurred in the wild, says David Endler, chairman of Voice Over IP Security Alliance and senior director of security research at Tipping Point. Endler has co-authored a book about such attacks called "Hacking VoIP Exposed", but acknowledges that the basic step of protecting the IP network that underpins VoIP is still the best protection.

"People may tend to look at some of the sexier types of attacks out there to prevent them -- things such as eavesdropping or impersonation or caller ID spoofing -- the truth is the most prevalent threat right now is the very basic network-level type of attacks," Endler says.

Still, businesses deploying VoIP should be aware of security cracks that UC can open up, says Stuart McLeod, the course director for IT training firm Global Knowledge who teaches its VoIP security courses. "Security is always about having as many layers of obstacles as possible between the hacker and his goals. We lose a couple once you move to unified communications," he says.

For example, UC may introduce the use of softphone clients on PCs, which can cause trouble, says Jason Ostrom, the director of Viper Labs, the security research arm of Sipera, a vendor that specializes in VoIP security. With an eye toward testing business VoIP networks, Ostrom develops VoIP-specific attacks in his lab, automates existing attacks and makes them more sophisticated.

He says the Microsoft Office Communications Server client and Cisco Communicator softphone client for call-center applications can be potential sites for attack, particularly from insiders. They could break into the data virtual LAN via the clients, which have listening voice services to tap into the VoIP VLAN, he says.

Also, UC applications live on the voice VLAN that are tied into LDAP and Active Directory servers, creating another exposure for the data network. "User passwords and corporate data can be stolen through the voice VLAN," Ostrom says.

Risk assessment is essential to making decisions about defending VoIP tied to UC, says Paul Kocher, president and chief scientist at Cryptography Research, a data security consultancy. UC represents a series of sophisticated integration points with applications that can create other risks, but not all of them are urgent, he says.

For example, within UC software, programs can be configured to trigger phone calls, but that's not a major problem. "There are potential eavesdropping scenarios or the application could be corrupted to call the wrong phone number," Kocher says. "But those aren't the types of things you lie awake at night and worry about."

It's possible to defend these networks, Ritter says, but the increased complexity means that more corporate business units need to be involved at a higher level than was required for standalone VoIP.


Don't Ignore the Compliance Factor

Compliance is a big issue in industries such as finance, health care and the payment-card industry, which have regulations that can impact VoIP. UC must be defended against data leaks whether it be voice mail that gets e-mailed, an IM sent outside the company or an archived videoconference that's sitting on a disk and contains patient information.

UC also creates new legal complexities that can affect policies about storing call data, Ritter says. Voice mail attachments to e-mails, for instance, are classified as electronic data that must be made available during the discovery phase of lawsuits, he says. If such voice mail is stored on a thumb drive that sits in a desk drawer for three years, it's discoverable as electronically stored data, he says. "The voice mail is still around even though the voice mail system itself purged it years ago," Ritter says.

Businesses that are most successful with UC deployments bring their security teams in early on in the planning process, Ritter says, but that is not the usual case. "Unfortunately we still find security is typically one of the last teams to be involved in planning," he says.

Ritter recommends getting the security and compliance teams together early in the planning for UC and VoIP. That offloads much of the responsibility for security from the implementers who are more likely telephony experts or general infrastructure experts. Even corporate litigation teams should be brought in.

The exposure of VoIP will continue to increase with new technologies, he says. Nemertes found that 46% of IT executives surveyed who are planning service-oriented architectures say they also plan to integrate UC with their SOA applications such as CRM or ERP.

"That adds another layer of complexity because it extends UC and VoIP into the application domain," Ritter says. Despite this exposure, Nemertes found that security teams had the least amount of input into SOA deployments.

Part of the problem may be that business executives see security as just saying no to anything that exposes networks and data to more risk even if it means blocking useful ways of doing business.

"We don't know if they see security as business prevention and that's why they don't bring them in, or organizationally they're still in silos," Ritter says. "We don't think the security teams are being brought in early enough in the planning to deal with the complexities and the vulnerabilities that are putting the organization at risk."

Perhaps the biggest threat to VoIP security is that many if not most users don't consider security thoroughly, the experts say.

"Most VoIP deployments I have seen do not have recommended best practices in place like strong encryption, authentication and access control protecting the VoIP network from the rest of the network," Ostrom says.

Beyond that, some businesses don't recognize that they use protocols that may be readily tampered with. "The most common mistake I see is the use of insecure protocols for things like VLAN assignment," says Andy Zmolek, senior manager for Security Planning and Strategy for Avaya.

"They should use link layer discovery protocol and 802.1X authentication to make sure VLAN assignments and access control are secure," Zmolek says. "Without secure authentication, a PC could masquerade as a phone, get access to the VoIP VLAN and then wreak havoc."

Another problem has nothing to do with technology but rather the communication within the teams that are supposed to deploy it, he says. For instance many customers send out RFPs that include features that never get turned on after they make the purchase. "They have the ability of encrypting signaling and media, and they rarely turn that on. You could argue the security organization should handle that, but the security teams are just beginning to understand how to make sure the desired security is enforced," he says.

Businesses should beware of automatically trusting their own employees, Ostrom says. He says he finds faulty thinking among corporations relying on VoIP: because VoIP users are on the internal network, and those users are trusted so there is no VoIP security problem. That is a dangerous assumption because if they are wrong, an attacker with network access can do vast damage, he says.

A user with network access can piggyback on the successful 802.1X authentication of an IP phone by inserting a rogue laptop on a hub shared by the phone, he says.

The phone authenticates to the switch port, but there is no per-packet authentication after that. If an attacker shares the authentication with a hub that the phone uses to connect to the network, it gains access to the VoIP network and can create man-in-the-middle attacks for eavesdropping or changing the content of phone calls, he says.

"We've developed a proof-of-concept tool to demonstrate this attack," he says. "With it they can target other phones or VLAN hop to attack the data network."
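The piggybacking condition described above leaves a trace a defender can check for: a switch port that learns a source address which never completed 802.1X. The following is an added example, not from the article or any vendor; the input formats, port names, addresses and the voice VLAN id 200 are constructed assumptions.

```python
from collections import defaultdict

VOICE_VLAN = 200  # assumed voice VLAN id for this example
# Constructed sample data in a simplified, hypothetical export format
# (not any vendor's CLI output). MAC table rows: "port vlan mac".
MAC_TABLE = """\
Gi1/0/1 200 00:11:22:aa:bb:01
Gi1/0/2 200 00:11:22:aa:bb:02
Gi1/0/2 200 de:ad:be:ef:00:99
Gi1/0/3 10 00:11:22:cc:dd:03
Gi1/0/3 200 00:11:22:aa:bb:04
Gi1/0/4 10 00:11:22:cc:dd:05
"""
# Supplicants that completed 802.1X: "port mac" (note the mixed notations).
AUTH_SESSIONS = """\
Gi1/0/1 00:11:22:aa:bb:01
Gi1/0/2 0011.22aa.bb02
Gi1/0/3 00-11-22-AA-BB-04
Gi1/0/3 00:11:22:cc:dd:03
"""

def norm_mac(mac):
    """Reduce any common MAC notation to lowercase colon-separated hex."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def rows(text):
    """Yield whitespace-split fields of each non-empty line."""
    return (line.split() for line in text.splitlines() if line.strip())

def find_unauthenticated(mac_table, sessions, voice_vlan=VOICE_VLAN):
    """Return (port, vlan, mac, severity) for learned MACs with no 802.1X session."""
    authed = defaultdict(set)
    for port, mac in rows(sessions):
        authed[port].add(norm_mac(mac))
    findings = []
    for port, vlan, mac in rows(mac_table):
        mac = norm_mac(mac)
        if mac not in authed[port]:
            # An unauthenticated source in the voice VLAN is the piggyback case.
            severity = "high" if int(vlan) == voice_vlan else "medium"
            findings.append((port, int(vlan), mac, severity))
    return sorted(findings)

if __name__ == "__main__":
    for finding in find_unauthenticated(MAC_TABLE, AUTH_SESSIONS):
        print(*finding)
```

The check only sees addresses the switch has learned, so treat a clean result as one signal rather than proof that a port is unshared.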

Most of the concern businesses have about VoIP still centers around protecting the underlying data network from assaults like denial-of-service attacks, says Irwin Lazar, an analyst with Nemertes.

"Overall though I'd say that security doesn't rank all that high among IT executive concerns around VoIP right now," Lazar says, "though as enterprise VoIP networks are extended beyond the network boundary via peering and SIP trunking, concerns will increase."

It may take serious consequences, though, to prompt better VoIP security practices like encryption, McLeod says. "I think the average Fortune 500 company is going to have to have some security event occur to have a wake-up call before they spend the money," he says. "Then there will be more pressure placed on the vendor to make security like it is in Wi-Fi -- automatic, easy and every piece of gear includes it."

Source: Tim Greene, Network World
URL: http://www.pcworld.com/businesscenter/article/150808-2/beware_of_uc_security_threats.html

Friday, September 5, 2008

Some 40% of all Romanians waste time in the office using instant messaging services.

39.5% of all Romanian employees with access to the Internet use instant messaging programs during their working hours, a poll conducted by BestJobs, answered by 1,627 people, indicates. "Most companies in Romania lose 25% of their employees' productivity because they spend time chatting with friends. On average, employees waste at least 2 or 3 hours on the Internet," said Neogen marketing manager Constantin Ferseta, quoted by NewsIn.

The recruiting specialist says that employers may put an end to this situation by banning the use of programs like Yahoo Messenger, Skype or Google Talk.

Representatives of another recruiting company, Psihoselect, consider that employees who waste time "on the mess" are those who don't have enough work to do in the office. According to the specialists, this kind of conversation is not the reason why labor productivity is affected; instead, the managers who allow too many hours for completing a job are to blame.

On the other hand, Eliza Nechifor, marketing and communication coordinator at Manpower, believes that using instant messaging services boosts productivity, since it makes internal communication easier.

According to a study conducted by IT Secure Pro, a company distributing software for monitoring network traffic, surfing websites that have nothing to do with the employees' work causes productivity losses of up to 40% per year.

A Romanian employee produces a 400 euro profit for the employer every year, 10 times less than the European average and less than half the Eastern and Central European average.

Source: Radu Rizea, HotNews.ro

Balancing client communication with the flow of productivity.

Staying focused on work can be a challenge when clients expect to be able to contact you 24/7. Chip Camden shares his thoughts about the effectiveness and hindrances of some common ways to communicate with clients.

Any IT consultant who has been through at least one failed project can tell you that accurate and timely communication with your client is one of the most important factors of success. But it’s also possible to have too much communication — or rather, too frequent. Too many interruptions, even when they’re from your client, can fragment your concentration to the point that you can’t get anything accomplished.

Here’s my take on the effectiveness of communicating with clients via instant messaging (IM), phone, e-mail, wikis/blogs/Web sites, and face-to-face meetings.

IM

I’ve tried using IM with a couple of my clients. While it speeds up communication, the interrupt factor is too high unless you can effectively ignore it when you need to concentrate. Clients will often shoot you “just one quick question” – it may only take a few minutes to answer, but that interruption can cost you an hour or more of reassembling the ideas you were holding in your head before your chat client bleeped it out of your thoughts. Of course, you can always set your status to Busy, but is there ever a time when you’re not busy?

Andréa Coutu asks “Should you give clients your IM account info?” She makes a good case for only giving her IM address to clients that have become so trusted that they’re more like personal friends.

Phone

I’ve seriously considered going completely phoneless but, of course, you need to have one sometimes. A ringing phone is even more of an interruption than IM. Besides that, half of the calls are marketers or outsourcing firms. I have been known to turn off the ringer while working, and I always check caller ID before answering. I’ll let it go to the answering service if it isn’t one of my clients — and sometimes even if it is a client when I’m deep in a project. I try to train my clients to schedule calls, so they aren’t an interruption.

By contrast, many consultants can always be reached by mobile phone, even when they’re on another client’s site. I don’t even carry a mobile phone unless I’m traveling.

E-mail

Most of my client communication is via e-mail. E-mail has a number of benefits: It doesn’t interrupt me; I check my e-mail at regular intervals during the day, when I’m between projects or on a break; I can take more time to think about my response before I have to answer; and I automatically have a written record of the conversation.

But e-mail does have its drawbacks: It isn’t very secure or reliable, and the spam noise can sometimes drown the signal. Also, it doesn’t happen often, but occasionally an e-mail will be delayed or never received at all.

Private blogs, wikis, or other Web sites

A Web site that has secure access and rules for who can modify which content is probably the best solution currently available for reliable written communication without interruptions. If the site provides a secure RSS feed for new entries, you can subscribe in a feed reader to find out about them — when you want to know, instead of the moment they’re authored. This approach has yet to receive widespread adoption, perhaps because it takes some thought and effort to set these sites up, whereas almost everyone already has e-mail.

In person

There is still no more effective medium than a face-to-face meeting. It prevents you from doing everything else, which means that you get concentrated communication at the cost of dedicated time. So, it needs to be planned.

The worst case is the in-person interruption. When someone drops by and asks, “May I interrupt you for a moment?” I usually respond, “You already have.” That channel needs to be reserved for emergencies.

On the other hand, a planned in-person meeting can be one of the most effective ways to brainstorm or design solutions — just make sure that someone is taking good notes. Being a mostly remote worker makes the cost of in-person communication even higher for me — it usually involves a day or two of travel time. But I like it that way because clients don’t abuse face time with interruptions.

Which communication methods work best for you?

What’s your preferred medium for communicating with clients? Do you provide different clients with different options for contacting you? (For instance, do you only give some clients your IM address?) Do you carry a mobile device with you at all times so clients can reach you? How do you manage interruptions? Share your answers in the discussion forum.

By: Chip Camden
Source: http://blogs.techrepublic.com.com/project-management/?p=239
