Monday, February 21, 2011

Information Security Governance - Scalability

An organization might assume a particular security posture, but through a regular rotation of its security wheel, the organization might discover that it has unwittingly altered its posture.

Organizations can view security postures as falling into one of the following camps:

  • Basic

  • Modest

  • Comprehensive

An organization might have chosen a modest plan when it originally wrote its security policy, structuring its posture on the equipment and processes inherent in a modest level, as described in Chapter 4, "Putting It All Together: Threats and Security Equipment." Plans get set in motion, and normal-course business is conducted. Situations can occur, whether they involve malicious attacks by outsiders, inadvertent errors by insiders, or potential vulnerabilities that are recognized and plugged before they can become issues. An organization must respond quickly and effectively to every situation by ensuring that concerns are addressed directly, and any resultant change is promptly reflected in its security posture.

This process works well in theory, but it can be challenging to implement on a daily basis. When situations do occur, changes are made expeditiously, so the organization can quickly resume doing business. Making the security wheel a fundamental component of an organization's process ensures that changes made on the fly are always reflected in policy and, most importantly, that changes respect the posture the company already has in place.

Changes rarely occur in a vacuum; typically, one change begets another. For example, an organization faced with a particular situation might implement a variety of solutions to combat the problem, possibly resulting in the company moving markedly away from its modest security posture. If the newly implemented changes reveal that the organization is pursuing a posture that is fundamentally more comprehensive, the organization should ensure that related policies are changed to reflect a similar comprehensive structure. The concern is that an unplanned mix of modest and comprehensive security postures might leave the company with a sense that it is more secure than it actually is, and a false sense of security can be worse than no security. Firms with acknowledged low levels of security can ensure that users are particularly diligent in their dealings; those firms who think they have a high degree of security installed on their systems might be less concerned with employee activity. And that is where the seeds for great vulnerability are typically planted.

A continual rotation of the security wheel can ensure that a firm's physical and logical structure is created, implemented, and reviewed in a fashion that is commensurate with its desired security posture.

Information Security Governance - Remote-Access Policies

Users working from a remote office/branch office (ROBO) or a small office/home office (SOHO) can communicate using dedicated or nondedicated connections from their workplace. Access of this kind must be controlled to ensure that unauthorized persons cannot also gain entry to the company network.

Remote-access policies cover the following equipment:

  • T1

  • Frame Relay

  • VPN access

Dedicated T1 lines and Frame Relay technologies can be used, for example, to interconnect branch offices and head offices. Individual users connecting from hotel rooms and homes would typically use xDSL or cable technology to build a VPN tunnel, which is discussed in greater detail in the section "VPN and Encryption Policies," later in this chapter. A VPN connection builds a secure encrypted tunnel between a user and her corporate network, allowing the same access as if she were in the office.

Information Security Governance - Physical Security Policies

These policies cover both perimeter and equipment, ensuring that physical access is limited to authorized persons.

While traveling has been discussed in "Policy, Personnel, and Equipment as Security Enablers," it is worthwhile to note that user common sense should ultimately prevail. When a remote user travels to the head office, for example, equipment such as laptops should not be left unattended unless secured in a locked meeting room. When flying, laptops should always be regarded as carry-on luggage, and when parking an automobile, if the user is unsure about leaving a laptop bag in the vehicle's trunk, it should be carried with the user.

Perimeter security includes alarms on doors and windows, controlled parking facilities, fenced property, and similar types of physical deterrents. Certain hotels and prominent office towers have instituted preparking authorization. Security personnel stop users on their way into a parking facility and confirm that the driver is a registered guest of the hotel or an expected visitor to an office tower. After the visitor is approved, she can park her vehicle.

Server rooms should be locked at all times, and access to the room must be severely restricted. If a company's offices are located within an office building, the server room should be established within the office premises. If communications facilities and wiring closets are not housed within the server room, they should be treated in a similar fashion.

Information Security Governance - Social Engineering

An individual who purports to be someone he is not, or who assumes a persona and proceeds to engage insiders in verbal and written conversation for the express purpose of infiltrating their organization, is understood to be engaging in social engineering. These individuals possess persuasive communication powers, ably convincing their targets to reveal confidential network information. The social engineer rarely employs technology in the pursuit of information. The tool of choice is similar to that of the old-time conman: fast-talking conversation.

Social engineering is not a new phenomenon. Kevin Mitnick, a self-proclaimed social engineer, has publicly stated that he rarely used his technical expertise to garner information. He simply employed an endless range of communication tactics.

Examples of Social Engineering Tactics

The conman initiates telephone contact with an organization's IT department, claiming to be an official with the company's service provider. He speaks with authority, stating that he was delayed by an off-site project and couldn't return to his office in time to perform a required diagnostic analysis of the network. And therefore, he doesn't have the network passwords with him. Requesting the help desk agent's assistance, he asks for a favor: Could she provide the current network password so that the analysis could be done remotely? The help desk agent succumbs to the tired and weary technician, and she supplies the requested information.

Conversely, the conman can pose as the network administrator and contact a user in a remote office. He informs the branch employee that due to system maintenance performed overnight, his account needs to be reset right away. Peppering the conversation with technical jargon, he gives the employee every reason to trust him. When he inevitably asks for the password, the user doesn't hesitate to supply the requested information.

The conman has also been known to employ aggressive telephone tactics. Posing as a senior manager, she will intimidate a help desk agent, forcing the agent to divulge proprietary access information. Try as the agent might, when a senior manager is threatening him, the inclination is to provide the demanded passwords.

With millions of customers using personal identification numbers (PINs) daily to carry out financial transactions, the banking community was confronted with a vulnerability in its ATM network. While the community's fortresses had high walls, conmen focused on the bankers' weakest link: their customers. Assuming that the consumer wouldn't suspect an official request for information, the wily social engineer conned individuals into providing the keys to their personal safes. Posing as bank officials, the conmen made telephone contact with consumers and convinced them to expose their PINs. Swiftly responding to the attacks, the banking community informed their customers that under no circumstance would a bank representative ever telephone them and request that they reveal their PIN. But the damage had been done.

Social engineers have been quick to capitalize on the growing trend to outsource nonkey functions. A typical small- to medium-sized business (SMB) in cost-reduction mode might decide to maintain an in-house IT department for its key infrastructure needs, but to outsource such perceived minor functions as its help desk. Handling calls from a branch office whose network is down, or a remote user who can't access her e-mail, the help desk is seen as a quick-fix department, which is best handled by a third-party provider specializing in the field.

Depending on the service provider the SMB engages, the technicians fielding calls might be the weakest link in the chain. Possibly overwhelmed on a particular day, needing to get users off the telephone and get back online, they skip in-depth identification probes and unwittingly release proprietary network access information to an intimidating, angry, senior-sounding voice on the telephone. It is important to note that this scenario could exist even if the department remained in-house. Third-party services can impose authentication processes that are more stringent than those an organization might initiate, or enforce, in-house.

Using third-party relationships can be quite safe, assuming that the company has a verifiable track record and that rigid rules tie back to an enforceable security policy that doesn't tolerate shortcuts.

The conman has many faces, changing his identity and calling card as the situation warrants. The best protection is a specific and enforced security policy that dictates what, if any, information can be handed out. Most importantly, the document should detail how someone must present himself or herself to be in a position to even seek information. With all parties aware of the policy, the help desk representative can have the necessary strength to stand tall against the belligerent senior manager.

Information Security Governance - Recognizing Vulnerabilities

It is inevitable that threats will exist. The more one is exposed to any type of interaction, be it computer networks or any aspect of everyday life, the more vulnerable one is to risk. Organizations are becoming increasingly more dependent on the Internet for their daily operations. From just-in-time manufacturing to customer service and accounts receivables, the growing reliance on the Internet results in a heightened vulnerability that needs to be continually managed. Human nature suggests there will always be an element in society that hunts for a vulnerability to exploit. Threats are external to organizations, and these threats can appear as poisoned arrows, continually airborne, searching for weak armor, or network vulnerabilities, to pierce. The best defense is stronger armor, coupled with a keen awareness of potential cracks.

Most attack vulnerabilities fall into one of the following categories:

  • Design issues

  • Human issues

  • Implementation issues

Design Vulnerability Issues

Design issues encompass all network equipment, including both hardware and software. This discussion centers on the following topics:

  • Operating systems

  • Applications

  • Protocol weakness

Operating Systems

Operating system weaknesses have been known to wreak havoc within a network. In a rush to market, operating systems (OSs) have been promoted and installed, only to reveal later that flaws within the software enabled hackers to penetrate systems with ease. A well-known flaw in one OS left it so lacking in security that hackers could install malicious software and then access it remotely, with all the flexibility of a legitimate administrator.


Applications

Issues can exist in both hardware and software, but it is typically the latter that is responsible for a higher frequency of cracks within a system. While it does not occur as often with newer software, it was not uncommon for applications to be devoid of security mechanisms; a newly installed workstation on a network, for example, might not have required authentication for it to operate. Today, while most network-ready products arrive with built-in authentication, key steps need to be followed to ensure that proper verification procedures are enabled.

Protocol Weakness

A protocol is a set of rules that devices follow when communicating with one another. When network protocols were originally developed, security was not a large issue. Even today, ISPs rarely require e-mail traffic routed from a user to be authenticated. In addition, exchanges between the user's home workstation and the provider's server are usually done in clear text, enabling anyone eavesdropping on the communication to clearly see the messages.

Human Vulnerability Issues

Human issues delve into administrator and user errors, with the discussion focused on the following topics:

  • Unsecured user accounts

  • Unsecured devices

  • Hardening devices

Unsecured User Accounts

It is not uncommon for users within an organization to be assigned network passwords when they are issued equipment. While some organizations force the user to create a new password when he first accesses the system, many companies still do not. Too often, the default password on a new system is the assignee's surname, or the company name, leaving it easy prey for a hacker. Informing a user that it is imperative to change her password might not be enough; a prompt forcing her to do so should be required. Even adept PC users can be unsure of the process to change passwords, and they might be reticent to speak up for fear of embarrassment.

Equally damaging are those users who utilize the same password for every function or, lacking a good memory, write their passwords on a piece of paper and tape it underneath their keyboard.

Unsecured Devices

Hackers are well aware that many new devices, from firewalls to routers and everything in between, often leave the factory with both the username and password preset to admin or another similar word. Because a tremendous amount of work is involved in just installing the new devices, the network administrator might not prioritize the resetting of the factory default passwords. But prior to the unit going live, changing the passwords can help to mitigate a vulnerability scanned for by most hackers.

Hardening Devices

Devices, operating systems, and applications often arrive set to behave in an open and trusting manner. It is the responsibility of the systems administrator to harden a device; this is the process of ensuring that all possible leaks get plugged. For example, some routers, by default, broadcast pertinent configuration information such as their network addresses and host name. While publicizing that information internally might be expedient for the network administrator, broadcasting that same data on the Internet connection would only aid the hacker in his reconnaissance. Immediately deactivating the discovery protocol curtails unnecessary broadcasts. At minimum, the interface that faces the Internet must stop such broadcasts.
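An added example, not from the original text: a small Python audit covering the two checks described under Unsecured Devices and Hardening Devices. It assumes Cisco IOS-style configuration syntax and CDP as the discovery protocol (the page names neither); the sample configuration, the description-based rule for spotting Internet-facing interfaces, and the list of preset words are constructed for illustration.

```python
import re

# Constructed sample in Cisco IOS-style syntax (assumption: the page names no vendor).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username admin privilege 15 password 0 admin
username netops secret 5 $1$constructed$notarealhash
!
interface GigabitEthernet0/0
 description WAN uplink to ISP
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/1
 description LAN users
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 description WAN backup to ISP
 ip address 198.51.100.2 255.255.255.252
 no cdp enable
!
"""

# Assumed list of factory-preset words; extend it from the vendor's documentation.
FACTORY_WORDS = {"admin", "password", "cisco", "default"}

# Assumed convention: Internet-facing interfaces say so in their description.
EXTERNAL_MARKER = re.compile(r"\b(WAN|ISP|Internet)\b", re.IGNORECASE)

# Matches only clear-text (type 0 or untyped) passwords; hashed secrets cannot be compared.
CLEAR_PASSWORD = re.compile(
    r"username (\S+) (?:privilege \d+ )?password (?:0 )?(\S+)$"
)


def parse_config(text):
    """Split a config into global lines and a dict of per-interface line lists."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.strip() == "!":
            current = None                      # '!' or blank closes an interface block
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit(text):
    """Return (finding, subject) tuples for the two hardening gaps."""
    global_lines, interfaces = parse_config(text)
    findings = []

    # CDP is enabled by default in IOS, so the absence of a 'no' line
    # means the interface is still advertising device details.
    cdp_off_globally = "no cdp run" in global_lines
    for name, lines in interfaces.items():
        desc = next((l for l in lines if l.startswith("description ")), "")
        if not EXTERNAL_MARKER.search(desc):
            continue                            # internal interface: out of scope here
        if not cdp_off_globally and "no cdp enable" not in lines:
            findings.append(("discovery-on-external", name))

    # Flag accounts whose clear-text password is a preset word or repeats the username.
    for line in global_lines:
        m = CLEAR_PASSWORD.match(line)
        if m and (m.group(2).lower() in FACTORY_WORDS or m.group(2) == m.group(1)):
            findings.append(("factory-default-credential", m.group(1)))
    return findings


if __name__ == "__main__":
    for finding, subject in audit(SAMPLE_CONFIG):
        print(f"{finding}: {subject}")
```

Run before a unit goes live, a check like this turns the two paragraphs above into a gate: the device is not connected until the audit returns no findings.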

Implementation Vulnerability Issues

Implementation issues deal with policy creation, configuration, and enforcement. This discussion focuses on the following topics:

  • Password policy

  • Access integrity

  • Extrapolating policy intent

  • Policy enforcement challenges

  • Peer group communication

The proceeding discussion on security policy is presented as it relates to attacks.

Password Policy

Password integrity and password expiration are vital to security, and it is critical that users understand what is expected of them. If the system accepts alphanumeric passwords or requires a concocted password derived from a combination of numbers and characters, it is incumbent upon the corporation to consistently relay that information to its users. While it might be noted in a security policy, continually reminding users can only aid in overall adherence to the program.

Access Integrity

To effectively maintain a secure border, communication with employees is essential. Certain seemingly innocuous actions could represent a breach of security and, unless otherwise advised, might continue to occur. A user should be cognizant, for example, that under no circumstance is it permissible to disconnect a fax machine and borrow its analog telephone line to connect his laptop to the Internet. Although a user might want to do this when the network is down, utilizing an analog line could open a back door into the network once it is live again.

Extrapolating Policy Intent

Technology often precedes formal policy, requiring employees to understand the intent of company guidelines and ensure that they conduct themselves within the spirit of the guidelines. Even if a situation is not explicitly mentioned, or there is a lack of formal written policy, an employee should be able to discern between acceptable and unacceptable behavior.

For example, wireless hubs are relatively inexpensive, and an employee might decide to purchase his own for office use so that he can still be connected while freely moving about the department. He might justify his actions by concluding that the personal expenditure has increased his productivity, so the company shouldn't have an issue. But inexpensive wireless hubs typically ship from the manufacturer with the encryption option not yet activated, and the employee's actions could place the corporation in a highly vulnerable position.

Organizations do not customarily allow unauthorized devices to be installed on their internal networks. Even if it was not specifically detailed in a policy, an employee should have been able to draw that inference.

Policy Enforcement Challenges

An organization faces many challenges, not the least of which is the consistent implementation of its policies. When the corporation is experiencing high employee turnover or has numerous varied-sized remote offices, periodic challenges to policy enforcement might exist. Even where formal policy is not lacking, various departments, or remote offices, could have differing interpretations of the same rules.

Equally important as a written policy is the policy's consistent implementation throughout an organization.

Peer Group Communication

Organizations continually stress the need for open lines of communication between departments but, in some instances, open dialogue within departments can be even more critical. A large enterprise acts as an example when it separates its IT department by responsibility. A typical IT group could be divided in the following manner, spreading responsibility, for example, over four distinct parties:

  • Workstations group: Includes all in-house and remote users

  • Network infrastructure group: Includes, but not limited to, routers and Ethernet switches

  • Network security group: Typically includes firewalls and security policy

  • Network communications group: Includes WAN (wide-area network), head office-to-branch office communication

While each group bears an enormous responsibility, they all are, at their core, intricately interrelated. A policy that encourages communication and strives for consistent implementation will be better prepared to deal with the unknown.

Information Security Governance - Threats Classification

Hackers' motivations and actions determine the type of threat they represent, whether a user in the organization inadvertently left a back door open or a disgruntled employee is hell-bent on seeking personal revenge.

The four main categories of threats are as follows:

  • Unstructured

  • Structured

  • Internal

  • External

The table below provides a summary of these categories of threats.

Table 1-3. Threats Categorization

| Generic Threats Category | Description |
| --- | --- |
| Unstructured | Random hacking |
| Structured | Usually involves sophisticated hacking techniques |
| Internal | Typically performed by sloppy, oblivious, or disgruntled employees |
| External | Perpetrators not affiliated with the organization |

An unstructured threat describes a hacker's search for easy prey. He doesn't necessarily target a particular site; he merely searches for one he could break into easily. Similar to the potential criminal walking down deserted streets, his eyes dart everywhere, seeking that elusive unlocked door or open window. Randomly trying door handles and running through backyards, he searches for easy prey. He doesn't necessarily have a well-crafted plan; his goal is simply to slip through the first crack he finds. In the case of the hacker, he isn't necessarily looking to take anything from you; he just wants in. But he definitely wants to hack.

For reasons known only to the hacker, your organization has struck a chord with him and, with a minor amount of work, he can set about searching for doors that might be penetrable. Going to your website and selecting the Contact Us option, the company's format for e-mail addresses quickly becomes evident. Searching for contact names in remote locations, the hacker might use your web page to unearth the name of a sales manager that might be lurking not too far below the surface. Failing that, he simply poses as a customer, telephones the receptionist, and requests the name of the sales manager. With that information in hand, usernames can quickly be determined, because most companies typically don't stray far from a full surname and an initial. Software is readily available to then aid the hacker in cracking user passwords.

While relatively straightforward, breaking into a system requires keen problem-solving skills and the ability to optimize such hacking tools as a war dialer, software that places phone calls within a given range of numbers and logs which ones are answered by a modem tone.

While this might not appear to be unstructured, it is still a game to the hacker at this point. Gathering random bits of information and stringing them together to successfully break in can be a goal unto itself, or an evening's entertainment.

A structured threat is usually the work of professionals. Nothing is random about an attack; it doesn't involve wandering through deserted streets searching for an elusive unlocked door. Their plans are well crafted, their entry points into the targeted network are well defined, their tools and tactics are highly sophisticated, and their execution is generally successful.

A structured threat has a specific goal. For example, the hacker might break into a specific website on December 23 at midnight of this year and attempt to do something quite specific. He will be in and out quickly, careful to cover his tracks as much as possible.

An internal threat involves hacking executed by someone inside an organization. It could be an employee with malice on his mind or merely a sloppy employee who means no harm, but nonetheless, causes significant damage.

An external threat can be structured or unstructured and can emanate from outside an organization, typically involving all the avenues the hacker sees fit to use.

The table below provides hacking examples according to threats categorization.

Table 1-4. Generic Hacking Classification and Examples

| Hacking Classification | Structured | Unstructured |
| --- | --- | --- |
| Internal | A salesperson who, upon hearing the rumor of his imminent layoff, contaminates the CRM (Customer Relations Management) database with false information. | A user who inadvertently deletes a corporate spreadsheet because delete permission had accidentally been granted to all users. |
| External | A seasoned, resourceful hacker chooses a target network and proceeds to gather extensive data on it. Through his stealth detective work, he becomes familiar with the network and its vulnerabilities, eventually launching a surprise attack. | An inexperienced individual using readily available hacking tools randomly searches the Internet, on the hunt for systems with known vulnerabilities. These script kiddies are searching for an intellectual challenge, and they are not typically motivated by malice. |

Sunday, February 20, 2011

Information Security Governance - Analyzing Hacking

Mass media has long equated hacking with criminal, destructive, and malicious acts perpetrated on computers and the networks in which equipment resides. While the descriptions are correct, they are more aptly applied to the cracker, whose intent has always been more criminal. Thought to be associated with safecracking, cracking is the act of unlawfully accessing a network infrastructure to perform unethical activities. Conversely, a hacker is defined as someone who works diligently on programmable systems until they perform optimally. But for the purposes of this book, the widely accepted term hacker is used to represent criminal or malicious actions directed at computer networks and hosts.

This section discusses the following topics:

  • Assessing vulnerability and response

  • Hackers: motivation and characteristics

  • The enemy within: maliciousness and sloppiness

Assessing Vulnerability and Response

In today's fast-paced environment, the need for access, and in particular remote access, has made networks more vulnerable to infiltration than ever before. Organizations have employed independent white-hat hackers, professional troubleshooters, to infiltrate their networks and illustrate the damage that is capable of being inflicted. Although senior management conspires with the consultants, IT staff doesn't necessarily have knowledge of the planned intrusions. Aside from exposing an organization's weakest links, an important element of the program is to determine IT's ability to detect and deal with threats. In the Federal Bureau of Investigation/Computer Security Institute (FBI/CSI) 2003 security survey, 78% of respondents cited their Internet connection as a frequent point of attack, with their vulnerability rising markedly every year since 1999.[9]

White-Box and Black-Box Hacking

While there are many variations of company-sanctioned hackers that organizations might want to engage to independently test their systems, most fall somewhere between white-box and black-box hackers.

White-box hackers are usually given partial or complete knowledge of a network's infrastructure, while black-box hackers typically have no prior knowledge of the infrastructure they have been engaged to test or hack.

Hackers: Motivation and Characteristics

The reasons for hacking are almost as numerous as the hackers themselves, running the gamut from those simply curious and seeking peer recognition to professional types with criminal intent. The table below provides a summary of the different types of hackers.

Table 1-1. Generic Categories of Hackers

| Types of Hackers | Description |
| --- | --- |
| Curious | Looks around. Typically means no harm. |
| Clever | Seeks challenges and potentially fame. |
| Professional | Acts alone or on behalf of another party. Very skilled and disciplined. Subsets of the professional hacker are the hacktivist, who performs his acts as an expression of political statement, and the cyber-terrorist, who uses hacking as a means to carry out political and terrorist objectives. |
| Purist | Very skilled. On a mission to return the Internet to its original open environment. |

The most innocuous in the group is the curious hacker, the person who wants to observe an organization simply to see what is going on. Looking at e-mail, routing activity, or delving further into proprietary information, the hacker typically means no harm.

Related, but with an additional edge, is the clever hacker. This type is enthralled by the cerebral challenge the hack poses. He is goal oriented, typically setting forth with a well-constructed plan to maximize destruction and minimize the probability of getting caught. When he is inside a system, the challenge has been won. A further motivation for some of these hackers is the pursuit of their fifteen minutes of fame; the desire to be front-page news is a lofty goal for them.

As evidenced elsewhere in society, some people will always be enthralled by vandalism, and the computer world is not immune to such individuals. Hell-bent on destruction, the attacker attempts to inflict as much damage as possible. Searching the Internet for any network that might have left open a back door, a method of gaining access to a password-protected system without benefit of an actual password, the attacker randomly wanders into systems and inflicts damage.

A goal-oriented type, the professional hacker carries out assignments. A hired hand, he bears allegiance to no particular group and, similar to the professional criminal, is disciplined and skilled. Possibly stealing documents or proprietary information, he is in and out quickly, trying to minimize damage so that he leaves as few clues as possible.

The purist is the individual who believes the Internet is an open communication tool, and access to it should be completely unfettered. Possibly seeing it as their personal mission, these individuals set about unlocking doors and freeing the Internet from its corporate masters.

Regardless of their motivation, most intruders gain access by finding improperly secured network borders. Whether it's a virus that is let loose on an unsuspecting network or actual tampering of a company's main website, damage can range from embarrassment and diminished reputation to concrete revenue losses. A national newspaper was the victim of tampering when its main web page was successfully breached and one of its news stories altered. Had the hackers plastered the main page with streaks of paint or foul language, it would have been simpler for the company to rectify. Not only would the newspaper have discovered the breach sooner, but the public would have been more likely to accept the obvious break-in. By choosing to falsify a lead article on the newspaper's website, the hackers were attempting to damage the company's reputation for trustworthy and objective reporting.

All hacking poses a potential financial threat. Regardless of any damage a hacker might have caused, an organization must inspect, secure, and possibly even reinstall its software and data, should it ever discover that a hacker was in its midst. It is generally understood that hackers will continue to get craftier, and the bar will continue to be raised as they try to outdo one another, for the desire of hackers is to cause disarray and widespread disruption. Protecting his network, the hapless systems administrator is wildly outnumbered by unknown attackers whose full-time preoccupation is unearthing weakest links. The plight of today's busy IT department is protecting the organization on all fronts while optimizing applications and administering the network.

The Enemy Within: Maliciousness and Sloppiness

Although commonly portrayed as a computer-centric suburban teenager, the hacker can also be internal to an organization. It can be a trusted employee with lawful access who, for reasons immaterial, commits malicious acts on the computer network. The most difficult issue for many organizations is dealing with the attacker who is already cleared and residing comfortably within its secure walls. Table 1-2 provides a summary of the enemies within.

Table 1-2. Types of Enemies Within

| Types of Internal Enemies | Description |
| --- | --- |
| Disgruntled employee | Wants to inflict damage |
| Careless employee | Unintentionally poses a threat by his actions or omissions |
| Braggart | Is talkative and a show-off |
| Angry employee | Is quick to anger, with a strong need to fuel similar frustration in his fellow employees |

The disgruntled employee can be found in the most unsuspecting corners. Whether a data-entry clerk in the warehouse, a marketing assistant in a new-products group, a director in finance, or a systems administrator with access to the corporate server, his ability to inflict damage cannot be underestimated. Indiscriminately deleting e-mails is tantamount to randomly shredding documents, and the potential to inflict damage can only be measured by each individual's access to the network infrastructure.

The FBI/CSI survey reveals the uncertainty organizations feel about who is doing what to them. While respondents feel the majority of acts perpetrated against them are from outside their organizations, they cannot be certain the acts are random or if they're the targeted work of former employees. There remains a significant percentage of respondents who do not report intrusions to law enforcement officials. The reasons are varied, from issues of perceived loss of face to not knowing which law enforcement agency is interested in hearing about them. Conversely, the joint UK PricewaterhouseCoopers-UK Department of Trade and Industry survey, published in 2002 and in 2004, determined that insiders were the perpetrators of that country's worst security breaches.

Figure 1-1. Internal or External: Identifying the Perpetrators of Security Incidents

Former employees can pose a security concern, particularly if an organization does not have a strict policy to deal with departing staff. A company in India, solely dependent on its website for business, failed to change its network passwords after two employees departed. Angry and vengeful, they ventured to an Internet café and, over lattes and much keyboard clicking, deleted their former employer's entire customer database.

The careless employee is a type feared by many corporations. Never intending to cause harm, these employees unintentionally leave back doors open or innocently release information that can be helpful to potential intruders. They are underskilled or untrained IT personnel making configuration errors, front-line employees unwittingly engaging in conversations with strangers, users who unthinkingly open e-mail attachments containing viruses, and network administrators who mistakenly delete large files; they have the potential to put the company's network at risk. And they usually surface in the most unsuspecting areas. Even CEOs can add to the mayhem. At the close of an annual general meeting, a CEO left his podium and waded into the audience to converse with shareholders. Gone for only a few moments, he returned to the podium to discover his laptop missing. With the following quarter's projections loaded onto the computer, the company's proprietary information had just slipped into the wrong hands. Many times, the worst security breaches are those done inadvertently. A variety of threat-protection tools that organizations can use, "Security Technology and Related Equipment."

The braggart is someone who projects his voice while claiming victory for his latest triumph. He provides full-color commentary to everyone within earshot, even if he is in a public setting. He might have just completed a particularly difficult installation of a firewall, and in an attempt to impress his colleagues, he regales them with the specifics surrounding the configuration with which he was forced to contend. If he is known to frequent a particular pub after work, competitors, or would-be hackers, might even wander by and listen in, ensuring that they capture everything the braggart says.

Equally damaging is the angry employee who sits at the same bar, spewing out negative insider information for all to hear.

A subset of internal enemies can include the following:

  • Recently departed staff who pose a risk should their access not be duly terminated along with their employment

  • Former staff with thorough knowledge of an organization's network
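The departing-staff risk described above (access not terminated along with employment, and shared passwords left unchanged after a departure) can be checked mechanically. The following is an added example, not part of the original text; the record layouts, names and dates are constructed for illustration.

```python
from datetime import date

# Constructed sample data; every name, date and credential label is hypothetical.
DEPARTURES = {"asha": date(2011, 1, 14), "vikram": date(2011, 1, 14)}

ACCOUNTS = [
    {"user": "asha", "enabled": True, "last_login": date(2011, 1, 20)},
    {"user": "vikram", "enabled": False, "last_login": date(2011, 1, 13)},
    {"user": "meera", "enabled": True, "last_login": date(2011, 2, 1)},
]

SHARED_SECRETS = [
    {"name": "web-db-admin", "rotated": date(2010, 11, 2),
     "known_to": {"asha", "vikram", "meera"}},
    {"name": "router-enable", "rotated": date(2011, 1, 15),
     "known_to": {"vikram"}},
    {"name": "backup-operator", "rotated": date(2010, 6, 1),
     "known_to": {"meera"}},
]


def stale_accounts(departures, accounts):
    """Flag personal accounts that outlived their owner's employment."""
    findings = []
    for acct in accounts:
        left = departures.get(acct["user"])
        if left is None:
            continue  # current employee, nothing to check
        if acct["enabled"]:
            findings.append((acct["user"], "account still enabled"))
        if acct["last_login"] > left:
            findings.append((acct["user"], "login after departure"))
    return findings


def unrotated_secrets(departures, secrets):
    """Flag shared passwords not changed since someone who knew them left.

    A rotation on the departure day itself is treated as too early,
    because the leaver may still have seen the new value.
    """
    findings = []
    for secret in secrets:
        leavers = sorted(
            user for user in secret["known_to"]
            if user in departures and secret["rotated"] <= departures[user]
        )
        if leavers:
            findings.append((secret["name"], leavers))
    return findings


if __name__ == "__main__":
    for user, problem in stale_accounts(DEPARTURES, ACCOUNTS):
        print(f"{user}: {problem}")
    for name, leavers in unrotated_secrets(DEPARTURES, SHARED_SECRETS):
        print(f"{name}: rotate, still known to {', '.join(leavers)}")
```

Personal accounts are only half of the check: a shared password known to a leaver stays valid until it is rotated, even when that person's own account has been disabled.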

Employees can be as dangerous as the average hacker, their insider knowledge enabling effortless access to the company's most vulnerable possessions. While conventional wisdom would rank the employee with high security clearance a greater risk than a lower-level employee, the reality is that the latter typically causes more damage to an organization. Finding it difficult to remember passwords, they use the same one for every program, or they write the passwords on a piece of paper and tape it to their keyboard. A hacker can do great damage with a minor password: With a crack in the door, his skills are those of a crowbar, forcing the network to open wider.

Certain security enhancements need not involve additional monetary expenditures,  "Policy, Personnel, and Equipment as Security Enablers, Creating Demand for the Security Proposal: IT Management's Role, Essential Elements of Security Policy Development." Proactively engaging employees in becoming aware of security can create a sense of duty and individual responsibility. IT staff bear witness to the realities of hackers every day; most computer users do not. By asking for users' assistance, the organization can ensure that whatever monetary investments in security it has already made are not needlessly negated by employee carelessness.

Leakage Scenarios

With the advent of smaller and more powerful technological tools, stealing is getting easier to accomplish. Inserting a compact flash card into a laptop, similar to the memory stick found in digital cameras, or plugging a USB key into the rear of a PC, data can be downloaded in moments and slipped out of the office buried deep in a pocket. While organizations can monitor movement of large files, they typically don't implement restrictive measures unless a serious breach has occurred. Companies might be reticent to introduce highly stringent security measures, fearing that the measures could make the internal movement of information too cumbersome. Tying movement of large files to a security policy can aid in protecting both employer and employee.

The UK-PWC survey determined that more than a third of organizations harbored concerns about employees abusing their networks, yet fewer than 60% of them performed background checks as part of their hiring process. Exacerbating the issue, many used contract employees in their IT departments, resulting in few or no checks being performed. This is disturbing, because those employees are typically the ones with the most ready access to compromising data.

Information Security Governance - Business Continuity Planning

Crises will inevitably occur. Whether they are physical, such as an earthquake or a terrorist attack, or cyber, such as a distributed denial of service (DDoS), preparedness is the key to effectively managing a crisis. The difference between falling victim to an event and working through a highly challenging time is planning.

A comprehensive continuity plan is essential in maintaining or restoring business operability. A hospital or public utility, as an example, would require a plan to maintain operations during a crisis. Conversely, a sporting goods distributor might decide to concentrate on a plan that restores its operability after a crisis has passed. The potential lost revenue might not justify the expense of a costly program that attempts to maintain operability regardless of challenges. A hospital or utility would not have a choice.

Continuity plans should consider the following items:

  • Knowing the parameters of a given situation that could warrant the use of the plan

  • Having a detailed inventory of standby systems, including the length of time required for each one to be fully operational

  • Determining what would constitute the completion of a critical period and a return to normal operations

  • Selecting an appropriate leader(s) to manage the crisis. While separate leaders could exist for technology and business requirements, one overall leader must be chosen

  • Knowing the actions that need to be performed and the persons (or job functions; see next bullet) responsible for performing them

  • Assigning job functions rather than specific people to specific continuity tasks so that if a person leaves a firm, the new occupant of the job function is the replacement for the continuity task

  • Assigning specific reporting sites if an alarm is sounded

  • Ensuring that users know the sites and are confident in their assignments, particularly if the continuity site is in another physical location

  • Using the expertise of individuals, particularly the IT staff

  • Formally testing the plan, rooting out all weaknesses

  • Defining the amount of time needed to bring the continuity plan online

  • Most importantly, keeping the continuity plan current, both in its practice and content

Continuity plans are similar to term life insurance policies: One plans for the worst but hopes never to realize the policy's payoff. A detailed and workable plan to maintain operations during trying times can allow a sense of confidence that is only achievable through comprehensive contingency planning.

Information Security Governance - Determining Rules and Defining Compliance

Users within a corporation must abide by its rules, making it incumbent upon the organization to ensure that its policies are logical, fair, ethical, and germane to computing and security jurisprudence. Corporations must ensure that they act not only within the law but also within the spirit of the law. This section considers the following topics:

  • Corporate compliance

  • User compliance

Corporate Compliance

Issues have recently surfaced that bring new emphasis to the phrase "acting within the spirit of the law." Many have argued that laws governing corporate behavior shouldn't necessarily dictate strict rules of conduct, because rules can be misinterpreted, misunderstood, or simply gotten around. It is argued that because one cannot misconstrue the spirit of a law, the business community might be better served by a system that encourages adoption of that spirit.

The Internet has made various materials more accessible than ever, and certain copyrights can prove difficult to protect. While legislation is working hard to keep up with technological advancements, enforcement can be another issue. Corporations have long respected copyright laws on software, ensuring that counterfeit copies of software are forbidden on company property. But inappropriate e-mail and file deletions are still a relatively new issue, and only recently have they become synonymous with document shredding.

HR departments are using security technology to protect individuals' privacy, and corporations are making certain that all copyrights they encounter are respected. Organizations are becoming ever more diligent in all aspects of their computing environments, ensuring that laws are strictly adhered to, both to the letter and, increasingly, to the spirit.

User Compliance

User compliance, or more specifically, observance and adherence to company rules, plays a major role in security policy. The concept of "inspect what you expect" means that an organization should follow up on policy compliance and not just assume its users are following the stated rules. Whether the evaluation is log analysis or Internet tracking, the organization must check, or inspect, to ensure that rules are being followed. Note that most rules are not invasive and exist primarily for the safety of both the user and the employer.

Users are tasked with keeping company equipment safe while it is in their possession. For the typical corporate user entrusted with company property, that usually means a laptop computer. Keeping the equipment safe can run the gamut from restricting Internet browsing to appropriate sites and not loading third-party software, to ensuring that the laptop is locked when not in use. When traveling, a laptop and related equipment should be secured in a safe room. If one is not available, equipment should be placed in a locked suitcase. Thieves typically remove items from hotel rooms that are easy to conceal; suitcases are not typically stolen.

Users need to be aware of their surroundings, even when they are traveling within a city. Three employees of a large enterprise had just completed a sales call late one afternoon when they decided to have dinner before returning to their hotel. Traveling together in a nondescript sedan, their laptop computers securely hidden in the trunk, they confidently parked the car in a well-lit area and went into the restaurant for dinner. Potential criminals are everywhere, and the person watching the three clean-cut men in business suits emerge from their car at 5:30 p.m. and walk to the restaurant empty-handed probably quickly surmised that laptop computers could be in the trunk. After dinner, the three men returned to their car to find the trunk lid damaged and their computers gone. Security means not merely following the rules but interpreting them so they are relevant for every situation.

While organizations compile comprehensive regulations that are relevant to their mandates when determining rules for user compliance, the following guidelines are applicable to most companies:

  • A clearly defined Internet policy must be acknowledged by all users.

  • A system policy must be in place that clearly states unacceptable computing behavior, requiring the user to consider the spirit of a policy and not merely its black-and-white rules.

  • A process must ensure that company confidential documents are never stored on a user's hard drive. Rather, any documents that are labeled private, or confidential, could only be stored on the company server, as an example.

  • Wide use of monitoring tools can aid in identifying misuse. For example, intrusion detection systems (IDSs) look inside a packet to ensure that the payload is what the header claims it to be.

  • The organization could provide constant reminders encouraging users to comply with safety rules, for example, pop-up screens that contain warnings, reminding users to log off when they have completed a session. Or, the organization can establish an enforced logoff after a specified period of inactivity.

  • Appropriate personnel should know relevant state, local, and federal law enforcement officials.

  • Appropriate personnel should be well versed in legal requirements that are germane to the specific industry to which the organization belongs, or the county in which it resides.

  • If certain users are responsible for employing third-party service providers, the user responsible needs to ensure that the service provider has adequate, and auditable, security to ensure the corporation's privacy.

Lists can be endless; the challenge lies in delivering the organization's intent without the message becoming stale. By engaging in a practice that promotes continual education, users can be well versed in their employer's mandate, fully comprehending how its security posture is instrumental in helping the organization achieve its goals.

Information Security Governance - Managing the Availability and Integrity of Operations

Maintaining availability and ensuring integrity of both physical and logical equipment are the bedrocks of operation management. Its goal is to protect the organization from interruption to its regular business activities and to minimize risk of system failure.

Safeguarding information requires that measures be in place before users begin to interact with one another or the Internet. For example, an organization could only ensure the integrity of its database if its appointed agents, typically in-house IT staff, were the sole persons responsible for loading software and performing maintenance on the system. Individual users would not be allowed to download or install software on their workstations, laptops, or local networks. IT would assume that responsibility, along with the task of deploying appropriate antivirus software throughout the network and its appliances.

IT staff would also ensure that discarded hard drives, prior to being recycled or trashed, get sanitized, a process that overwrites each block of a disk drive and fills it with 0s.

Safely managing the vast amount of information organizations typically generate requires that a consistent set of practices be instituted to ensure the following items:

  • Systems are backed up regularly, preferably daily.

  • Backed-up data is stored off-site, possibly using service providers who specialize in collecting and storing tapes and CDs. Whether in-house or third-party, storage facilities should be located in geographically secure areas.

  • Thorough logs are maintained, enabling audit trails to be followed should an attack ever occur and forensic analysis required.

Managing security operations should include a systematic process of checks and balances, which can reduce the probability of unauthorized modification or misuse of equipment. Policies should ensure that no individual could perform all the following functions:

  • Request a service

  • Approve the required funds for the service

  • Interview all vendors, contractors, or product providers

  • Place the purchase order for the service or product

  • Approve and make payment to the vendor

  • Reorder the service

A chain of responsibility ensures that multiple individuals must give their consent before plans are put in motion. While it has the potential to become overly bureaucratic, the end justifies the means: checks and balances are the keystone of efficient operations, security or otherwise.
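The checks-and-balances rule above can be audited against a purchasing log. The following is an added example, not part of the original text; the function labels, log layout and names are constructed. It goes slightly beyond the passage by also supporting a stricter limit and a view across all purchases.

```python
from collections import defaultdict

# The six functions the passage lists, as short labels (labels are assumptions).
FUNCTIONS = (
    "request", "approve_funds", "interview_vendors",
    "place_order", "pay_vendor", "reorder",
)

# Constructed sample log: (purchase id, function performed, person).
EVENTS = [
    ("PO-1001", "request", "dana"),
    ("PO-1001", "approve_funds", "lee"),
    ("PO-1001", "interview_vendors", "dana"),
    ("PO-1001", "place_order", "sam"),
    ("PO-1001", "pay_vendor", "lee"),
    ("PO-1001", "reorder", "dana"),
    # One person performs every function on PO-1002 (name case varies in the log).
    *[("PO-1002", f, "Kim" if f == "pay_vendor" else "kim") for f in FUNCTIONS],
    # sam performs five of six here and the sixth on another purchase.
    *[("PO-1003", f, "sam") for f in FUNCTIONS[:5]],
    ("PO-1003", "reorder", "lee"),
    ("PO-1004", "reorder", "sam"),
]


def functions_held(events, per_purchase=True):
    """Map (scope, person) to the set of functions that person performed.

    scope is the purchase id, or "*" when looking across the whole log.
    """
    held = defaultdict(set)
    for purchase, function, person in events:
        if function not in FUNCTIONS:
            raise ValueError(f"unknown function {function!r} on {purchase}")
        scope = purchase if per_purchase else "*"
        # Normalise names so "Kim" and "kim" count as one individual.
        held[(scope, person.strip().lower())].add(function)
    return held


def sod_findings(events, per_purchase=True, max_functions=len(FUNCTIONS) - 1):
    """Return (scope, person, count) for anyone holding too many functions.

    The default limit flags only a person who performed all six functions,
    which is the rule as the passage states it; a lower max_functions is a
    stricter local policy choice.
    """
    held = functions_held(events, per_purchase)
    return sorted(
        (scope, person, len(fns))
        for (scope, person), fns in held.items()
        if len(fns) > max_functions
    )


if __name__ == "__main__":
    print("per purchase:", sod_findings(EVENTS))
    print("whole log:   ", sod_findings(EVENTS, per_purchase=False))
    print("limit of 2:  ", sod_findings(EVENTS, max_functions=2))
```

The whole-log view catches a person who never completes all six functions on one purchase but has exercised each of them somewhere, which a per-purchase check alone misses.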

Migrating from XP to Windows 7

This guide is to assist experienced tutors to help a visually impaired user migrate to the Windows 7 operating system.  We have chosen to use keyboard control so you get used to how users with little or no sight manage without the mouse.

Start Menu:

When you bring up the Start Menu, type the first two letters of what you are wanting. E.g. type w then e to bring up a list which includes WebbIE; Press W then O to get to Microsoft Word. Unfortunately, most of the Windows programs start with the word “Windows” which is not convenient for us but you can type M then A for Windows Mail etc.

You can customise the Start Menu by going to “Taskbar and Start Menu”, (TA) and pressing Control + TAB to get amongst the customise options.

When you need to get to the Start Menu items on the right side, such as Control Panel or Connect To etc, press the Right Cursor then Cursor Down or press the first letter of what you want.

To shut down the computer, press the Right Cursor three times, then ENTER when you hear “Shut Down”. Cursor up for the other options such as Sleep or Restart etc.

Quick Launch:

Windows Key with 1 to 5 launches the most frequently used programs such as Media Player, MS Word, and Internet Explorer etc. But, with Thunder and WebbIE, it is easier to customise the Start Menu to deliver WebbIE and the other Accessibles as a quick launch.

Useful Key Combinations:

Windows Key + T = Cycle through applications on the Taskbar

Windows Key + M = Minimize all open windows

Windows Key + Shift + M = Undo all window minimization

Windows Key + D = Toggle showing the desktop

Windows + U = Open the ease of access centre

Windows + F = Open the search window

Windows + E = Open Windows Explorer

Windows + R = Open the Run window

Ctrl + Shift + Esc = Open Windows Task Manager

Viewing Folders With Windows Explorer:

Alt + Left Cursor = Go back

Alt + Right Cursor = Go forward

Alt + Up Cursor = Go up a directory

Alt + D = Move focus to address bar

Alt + D TAB = Move focus to search bar

Ctrl + Mouse wheel = Change print size on-screen; (Very useful for low vision users).

Windows + Spacebar = Move focus to Sidebar

Windows + G = Cycle through visible gadgets

Personalising The Appearance Of The Screen:

Most visually impaired home computer users will have some useful vision and Windows 7 offers excellent tools.

From the Start Menu, type P then E (Personalisation), Cursor down and select. You will be presented with a screen offering the opportunity to make many visually appropriate changes. TAB and ENTER amongst the choices. Sometimes it might be enough to change the screen resolution, Windows theme colours and/or the DPI size. Control + the mouse wheel quickly varies the view of words on the screen within MS Office programs.

Alternatively, from the Start Menu type E then A (Ease of Access Centre) and here you will find more useful tools. Your pupils might have other problems in addition to their visual disability and the implementation of Sticky Keys, No Animation, or even an On-Screen Keyboard or Voice Recognition etc might make all the difference to their success.

MS Office 2007:

My experience is that MS Office 2007 is extremely accessible to Thunder users with little or no sight. But, without the traditional menu style, it is new and challenging at first.

Where possible, Thunder relies on mainstream Windows keystrokes and you can achieve most of what you need to in Office 2007 with the following keyboard routine;

Press the Alt Key.

Press the Down or Right Cursor Key until you hear the general function you need, such as page layout or insert etc.

Press the ENTER Key and again explore with the Down or Up Cursor Keys.

Press ENTER on your choice.

When you press Alt, you hear “Office Button” and you Down Cursor to hear familiar File Menu choices.

Pressing Alt then Right Cursor takes you to “Home”. Here, you can TAB amongst familiar formatting tools. The Cursor keys will refine your choices.

Pressing Alt then the Right Cursor takes you through  everything else.

We have it on good authority from Microsoft that the menus are gone for good and the Ribbon is here to stay.

If you are familiar with the shortcuts as used in Office 2003, some or many of them will serve you well in Office 2007.

The Thunder Spell check routine remains the same: CAPSLOCK + N then Cursor Down to your choice and press ENTER.

The Zoom function, Control + mouse wheel, is wonderful for partially-sighted users and speech feedback is retained.

POP Settings for Windows Live Mail in Windows 7

These settings will allow you to access your Windows Live Mail from most mail clients (Outlook, Outlook Express, Eudora, Thunderbird, etc…) and some web mail services such as Gmail.  Unfortunately, these settings will not work with Yahoo! Mail or Hotmail.

Incoming Server Settings

POP Server:

Security:          This server requires a secure connection (SSL)

Port:                Default SSL Port 995

Outgoing Server Settings

There are 3 options for Outgoing Server Settings listed below in order of preference.

1. If you are configuring your mail client to access Windows Live Mail from on campus, use the following settings:

SMTP Server:

Security:          None

Port:                25

2. If you are configuring your mail client to access Windows Live Mail from home, use the following settings:

SMTP Server: Enter the SMTP server of your Internet Service Provider. (E.g. if you have Road Runner)

Security:          None (unless your ISP states otherwise)

Port:                25

3. If you are configuring your mail client to access Windows Live Mail and want to use the Live Mail outgoing mail server, use the following settings.

Note: This is not recommended as this server is very slow.

SMTP Server:

Security:          This server requires a secure connection (TLS/SSL)

Port:                Default TLS/SSL Port 25

In Need of RAID data recovery service

The server has become the core of enterprise information. However, because backups are limited by cost and by management constraints, a RAID data disaster always arrives unexpectedly. Once a server crashes, the whole enterprise can easily fall into a passive position, and data recovery becomes the only resort. Finding a data recovery service provider is not an easy task, however, because the recovery operation itself carries a certain risk. Blindly handing valuable data to a service provider whose technical strength is not up to standard can waste the opportunity for recovery and even cause irreparable damage.

Crisis 1: after-sales service engineers become data killers

When a RAID collapses, most people responsible for IT departments first think of the server's service provider. But almost all hardware vendors base their after-sales service simply on equipment maintenance, a starting point completely different from ensuring the security of the user's data, so the end result is often greater losses for users and even irreversible secondary damage.

In some special cases of RAID 5 (such as RAID 5EE and RAID ADG), the disk array tolerates the loss of two disks. However, users will find that sometimes a single dropped disk is enough to stop the RAID from starting. The causes of this problem are varied, and it cannot be judged from the server's indicator lights alone. Many server engineers mainly maintain equipment and are not familiar with data storage. If a REBUILD or initialization is forced, it can easily destroy original data that could otherwise have been restored. According to "fly passengers", the nation's largest data recovery service chain, its branches nationwide receive no fewer than 100 RAID recovery cases per month, of which around 10% were made difficult to recover by the non-professional operations of server engineers.

Crisis 2: unscrupulous service providers without the technical strength practice on customer data

Undeniably, no data recovery service provider will turn down a large RAID job. Even when its own technical strength cannot meet the requirement, a provider will not easily give up such a good opportunity to "practice", whether to keep the job from competitors or to accumulate experience. Customer data is priceless, so what makes companies that lack the strength so bold? Data recovery is like saving a penalty kick: stopping it earns great credit, while failing carries no blame. The particular nature of data recovery means that service providers bear little responsibility after a failure, and, as with surgical procedures, the service order filled out in advance already allows for the possibility of failure.

In this situation, some service providers naturally have no fear and act boldly. After being practiced on, customer data is vulnerable to secondary damage, which makes the final failure even worse. Even if the client then takes the equipment to a reputable data recovery service provider, the data has already passed through several operations, which makes restoration much more difficult.

In fact, it is simple for users to determine whether a service provider has the capacity to restore a RAID: this can be measured from the provider's qualifications and background. At present the State Secrecy Bureau awards a data recovery qualification, and a service provider that obtains it has its technical strength professionally recognized, so business users can have full confidence in it. Moreover, most data recovery service providers grew out of hard drive repair and have no strong technology base; by contrast, providers that moved into data recovery from fields such as anti-virus software are more capable. Taking the flight passenger data recovery center, created with funding from Jiangmin Science and Technology, and the Rising data recovery center as examples, the technical strength of these companies is more reassuring, and the former has also obtained the State Secrecy Bureau's qualification recognition.

When choosing a data recovery service provider, experienced IT executives attach great importance to the provider's qualifications, including technical strength and the ability to keep information confidential, and large companies even require providers to offer localized, attentive service across the country.

Wednesday, February 16, 2011

Cryptography resources

  • RSA Laboratories - FAQ covering what cryptography is, explanations of terms, tools and techniques used, applications of cryptography and related laws.

  • ArticSoft - PGP-based file and email encryption and digital signature software.

  • Averina Software - Library for Authenticode signing and verification of executable files, drivers, catalogs and scripts.

  • Bloombase Technologies - Encryption for enterprise storage systems/databases, email and Service Oriented Architecture (SOA).

  • Cryptomathic - Encryption and authentication products including EMV card preparation systems.

  • DESlock+ - Transparent encryption of files, folders and emails with an optional USB token. Supports AES, 3DES and Blowfish algorithms.

  • DISUK Limited - Supplier of data encryption devices for tape backup and archive drives.

  • DOMUS IT Security Laboratory - Accredited laboratory evaluates and certifies security and cryptographic products against Common Criteria, FIPS 140 and INTERAC (SPED).

  • Data Encryption Information Center - Guides ordinary users and students around the subject of data encryption.

  • Digital Security International - Backup tape drive encryption hardware. Product and company details, news and contact information.

  • Distributed Management Systems Ltd. - Manufacturer of user authentication tokens, including a CESG-certified version for UK Government use.

  • Encryption Wizard for Oracle - Offering data encryption software for the Oracle RDBMS. The Encryption Wizard can perform DES3 Encryption and obfuscation on a complete schema.

  • Futurex - Supplier of hardware security modules and key management systems for financial services.

  • Ingrian Networks - Offers a security appliance that encrypts critical data in applications and databases.

  • JSignPdf - Tool which adds digital signatures to PDF files. Written in Java and provided as open source.

  • MCSoft Security Solutions - Offers cryptography and wipe software.

  • PMC Ciphers Inc. - Company offering "polymorphic cryptography" i.e. variant algorithms and potentially huge keys.

  • Packet General Networks Inc. - Remotely-managed application servers with AES data encryption.

  • Pate Williams' Implementations - Cryptographic algorithms in C, C++, Java and other programming languages.

  • Proofspace - Cryptographic time stamping solution for document verification and authentication.

  • Red Iron - Software to encrypt credit card data between retail Point Of Sale, back-office and enterprise systems.

  • Sigaba - Secure e-mail, instant messaging and document transmission. Product details, news, customer portfolio, support options and contact information.

  • Thales eSecurity - Cryptographic products to secure electronic payments, network connections and SCADA systems, manage identities and more.

  • The Hardware Side of Cryptography - Blog outlining techniques to implement cryptographic and hash functions in PIC microcontrollers.

  • Voltage Security Inc. - Identity-based elliptic curve encryption for email, application data, laptops, removable storage devices and network shares.

  • Winzap - File, photo and email encryption software. Free demo download available.

  • xyzmo Software GmbH - Software to add digital signatures to electronic documents. Range includes software to generate a digital signature based on the biometric generated by a handwritten signature.

Metadata related projects

Tuesday, February 15, 2011

List of computer technical support and service

  • - Online computer help and support from live computer technicians 24 hours a day.

  • ATS - On-site maintenance for HP computers and peripherals in selected cities nationwide. Also services obsolete equipment.

  • Alphatronics, Inc. - Sales and service of computer equipment and peripherals; specializing in the areas of desktop publishing, prepress, and graphic arts trades. Located in the Tampa area.

  • Atiwa Computers - Authorized service center, with certified technicians for computer repair.

  • BSG - Provides IT equipment and support.

  • Computer Magic - Offers repair, upgrade and technical support for the Whistle IBM Interjet.

  • ComputerWorks Technologies - Repair services for printer, desktop, notebook, monitor and LCD.

  • Computing.Net - Centralizing technical support for all operating systems and all computer types in one location.

  • Data Genius Company Ltd. - A multi-vendor computer service provider in Hong Kong.

  • DeBug-It - Using state-of-the-art equipment and talented A-class technicians to help get home computer systems up and running.

  • ETC Support - Specializing in SUN computers and servers.

  • Europarts - European distributor of printer and computer spare parts and notebook batteries and AC adapters.

  • - Computer repairs and upgrades, with online assistance.

  • Guardian Computer Support - Global provider of computer services including on-site maintenance, repair and installation.

  • HiTech Solutions - Resource for Computers and PC Parts.

  • House Calls for Home Computers - Service, repair and training for home computer users in the Orange County, CA area. Hardware and software experts.

  • Jensen Information Technologies. - Internet and computer solutions provider. Offers many services, including computer repair, and hardware upgrades.

  • KrystalBox Technologies, Inc. - Linux open source solutions, support and service.

  • LurkHere - Dedicated to providing in-depth information and technical support for computer users, and recommending quality products for their systems.

  • Npa Computers - Computer service and support. Retail peripheral and hardware sales. On-site service and help desk support. Network installation and management and custom configured computer systems.

  • Obsolete Computer Helpline - Information and/or parts for old or obsolete computers.

  • PC Technical Services - Computer repair, upgrade and training, located in California.

  • PLASMA online - Delivers all kinds of hardware related information. Identify hardware by chip, picture, manufacturer or by expert system.

  • Priority 1 Computer Service - Repairs systems, provides upgrades, technical support, custom design computers. Serving all Vancouver Island, BC.

  • Segura Solutions - Independent services for enterprise anti-virus solutions.

  • - Maintenance and repair service for the full range of minicomputers from the 80's and early 90's.

  • Smartech - National provider of computer repair and maintenance solutions.

  • TCC Monitor Repair - Specializes in servicing terminal displays and LCD screens as well as CRT tubes.

  • Tac Depot - Provides hardware systems, support, parts and repairs for computers based on the TAC4, TAC3, and DTC2 systems.

  • Trend Network Services - Offering support for local and wide-area networking environments.

  • UK Technical Support - Provides technical information and support for computer products in the UK. Includes Acer, Compaq and Packard Bell.

  • Varcarme Computers Limited - Specialist IT and Network consultants. Located in Sheffield.

List of Internet TV providers

  • ANAM Electronics Co. Ltd. - Korean-based TV manufacturer providing digital set-top box and other TV products.

  • AV Science Forum - Forums about audio/video products, including ReplayTV, Tivo, UltimateTV and DishPVR.

  • BBC Reception Advice - Advice on receiving digital television on ITV Digital set-top box and integrated digital TV sets.

  • Broadcom Products - Integrated silicon solutions for digital cable-TV set-top boxes to enable advanced television services including high-speed internet, videoconferencing, and video-on-demand.

  • DVArchive - Allows you to transfer TV shows from your ReplayTV and archive them.

  • Dagoras - Offers forums, reviews, hacks and news for digital technologies and products including ReplayTV and Tivo.

  • Dee Van Enterprise Co. Ltd - Specializing in power supplies for set-top boxes, cable modems and other consumer products.

  • Digital STREAM Technology - Provides digital TV and HDTV receivers including digital TV cards for PC and HDTV receiver set-top box to enable viewing of HDTV on analog TV sets.

  • Divitone - Manufacturer of digital satellite and digital cable receivers. Also offers digital audio recorders.

  • Focus Enhancements - Provides TView consumer products for PC-to-TV convergence and also provides high-definition video processor, broadcast and production products.

  • GCT-Allwell - Provides broadband set-top box for residential gateway, Home Maestro Media server, video-on-demand client device, internet, wireless communication, MP3, and MTU/MDU ADSL.

  • Lidcom - Develops and markets consumer wireless products receiving digital television, telecommunication services and high speed internet transmission.

  • Linux4.TV - Information on Linux open-source set-top box platform based on National Semiconductor Geode processor.

  • MSN TV - Provides MSN TV (formerly WebTV) service using set-top box for internet-on-TV, email, instant messenger on TV, interactive program guide, and enhanced TV watching with on-screen links.

  • MeterNet Corporation - Provides SimpleBox set-top box for internet-on-TV targeting churches, schools, private groups, and organizations.

  • Moxi Digital Inc. - Provides Moxi Media Center entertainment set-top boxes for cable and satellite TV.

  • MyWeb - Integrated communications provider of set-top boxes and devices for interactive TV portal services in Asia Pacific.

  • Netgem - Provides internet technologies for interactive TV with Netbox set-top boxes and integrated TV solutions.

  • Nextbend Inc. - Provider of modular stackable console deck systems including set-top box and internet computer for PC-based component home entertainment systems.

  • Pace Plc - Developer of digital TV technologies for the payTV industry.

  • Planet Replay - Community, discussion, and news for owners of ReplayTV 4000 personal video recorders.

  • PrimeDTV - Offers DTV products, including digital TV set-top box, PC card and OEM reference platform.

  • ReplayTV - Information on ReplayTV Digital Video Recorder set-top box for personal video recording, broadband internet, and streaming video.

  • Ruel.Net Set-Top Page - Provides information, news, and links about set-top boxes, WebTV, interactive TV, PC-TV, and other related topics.

  • Sagem SA - Sagem provides digital interactive cable set-top box, digital integrated terrestrial set-top box, and internet digital set-top box.

  • Sejin Electron Inc. - Provides wireless keyboards for set-top boxes for internet TV, cable TV, multimedia PC, and PC-TV.

  • Sigma Designs Inc. - Provides semiconductors and software including MPEG-4 decoder for set-top boxes, DVD players, and streaming media devices.

  • Smart TV & Sound Magazine - Website for magazine covering interactive TV, set-top boxes, personal video recorders, internet-on-TV, EPGs, enhanced TV shows, video-on-demand, DVD, and related topics.

  • TVPC - PC-based system including DVD which connects to home stereo system, TV set, and internet.

  • Telelynx Inc. - Telelynx provides Dot TV set-top boxes for internet-on-TV and television watching.

  • Tvia Inc. - Provides streaming media gateway processors for broadband set-top boxes, digital TVs, internet-enabled devices,

  • UEC Technologies - UEC provides set-top technology products, compliant with multiple conditional access technologies, for MPEG2, DVB, digital TV, and OpenTV applications.

  • UltimateTV - Information on their DirecTV Receiver set-top box and service for personal television and digital video recording.

  • Universal Electronic (Shanghai) Co. Ltd. - Provides set-top boxes for cable TV and satellite TV.

  • Vidiom Systems Corp - Provider of software engineering, training, consulting, and technical writing services for the Set-top, iTV, and VOD industries.

  • - Offers TiVo and DirecTV upgrade kits.

  • XtendedPlay - Offers TiVo, DigFusion and Sky+ large capacity drive upgrade kits for PVR set top boxes. UK-based.
