Saturday, February 19, 2011

5 Reasons HP Should Acquire SAP


Hewlett-Packard needs an enterprise software offering to spur its next round of growth and to better compete against its newest nemesis, Oracle. And with HP's new CEO Leo Apotheker, who until early this year was CEO of SAP, HP has an intimate view into the inner workings of that company.
If HP is as serious about growing its software business as it seems to be, the most logical choice would be to acquire SAP. In fact, the stars could be aligned for an SAP acquisition.
Here are five reasons HP should do just that.

1. Who needs software? HP does
HP is currently the Earth's largest IT vendor thanks to its hardware and professional services strength. However, except for a smattering of storage and management offerings, HP has no serious software market presence.
Meanwhile, Oracle is racing to combine its software portfolio with its newly-acquired Sun server and storage products into appliance-like offerings that it hopes will eventually eliminate the need for customers to look outside the company for much of its enterprise hardware needs.
Apotheker has publicly stated that software accounts for only about 3 percent of HP's total revenue, and that HP needs software not only as a revenue enhancer but also to differentiate the vendor across its hardware and services businesses.

2. Apotheker's intimate association with SAP
Before Apotheker took over as HP's CEO, he was a 20-year veteran at SAP who eventually rose to the position of CEO, only to leave less than nine months later during a period of rising customer discontent and his inability to boost the company's revenue.
That gives Apotheker an insider's insight into one of the world's largest software companies, and one of the few companies able to compete head-to-head against Oracle in the key enterprise markets served by HP's hardware business.

3. SAP cheaper than it has been, thanks to Oracle
If HP were to acquire SAP now, it would be getting a relative bargain thanks to the Oracle lawsuit.
SAP's shares were trading at $48.83 on December 6, a considerable drop from the $54-plus share price it saw in late October before the judgment phase of Oracle's SAP lawsuit began.
While that share price is up a bit off its lows, it still represents about a 12-percent discount over its recent high. And any price HP would pay for SAP would have to include some sort of discount to account for the $1.3 billion judgment against SAP, which might or might not be reduced in the future.

4. HP would get ammo to do battle with Oracle
Revenge is sweet, and the sweetest way for HP to right a couple of perceived wrongs might be to acquire SAP.
After all, Oracle, after acquiring Sun Microsystems and optimizing its hardware and software to work together, suddenly does not seem to consider HP as one of its top-tier strategic partners.
Then Oracle Chairman and CEO Larry Ellison hired his good friend Mark Hurd as Oracle's new co-president. Hurd was HP's chairman, CEO, and president until fired by HP over violations of its code of conduct.
Then Oracle tried to show up Apotheker in his first week on the job by getting a subpoena for him to testify in person at Oracle's SAP lawsuit judgment trial, a subpoena he avoided by staying out of the country.

5. The deal leverages HP's strong enterprise channel
HP has one of the strongest enterprise channels in the computer business. The company’s top partners have experience either selling or working with Oracle software, and so would be a good base for igniting channel sales of the SAP software.
Getting those partners and their customers to switch from Oracle to SAP software would be difficult, but the deal still makes channel sense for both HP and SAP.

Oracle's New Office App Suites Target Microsoft, Google


Oracle may be better known as a supplier of data center hardware and software products, but it isn't ceding the desktop to Microsoft and Google. This week Oracle unveiled the Web-based Oracle Cloud Office 1.0 and Oracle Open Office 3.3 productivity application suites to compete against Microsoft Office, Microsoft Office 365 and Google Docs.
Both suites are based on the OpenOffice.org technology Oracle acquired when it bought Sun Microsystems in January. Oracle said the applications allow users to collaboratively create and edit documents through a browser.
Oracle is pitching the products as lower-cost alternatives to its competitors, especially Microsoft Office.
"With Oracle Office, enterprises can reduce costs while helping to increase productivity and speed innovation," said Michael Bemmer, Vice President of Oracle Office, in a statement. "Customers now have the flexibility to support users across a wide variety of devices and platforms, whether via desktop, private or public cloud."
Both suites, collectively known as Oracle Office, include word processing, spreadsheet, presentation, database and drawing applications. The applications incorporate the Open Document Format standard and other Web 2.0 publishing specs, making it possible to share files with Microsoft Office, Oracle said.
Both products run on Windows, Mac and Linux computers, as well as Web browsers and smartphones such as the Apple iPhone.
Oracle Cloud Office 1.0 is a Web and mobile office application suite for collaboration and mobile document access. The software can be used on-premise or in Software-as-a-Service deployments and Oracle said the software costs are "up to five times lower" compared to licensing costs for Microsoft Office.
Oracle Open Office is designed for enterprise users and the 3.3 release offers new connectors to Oracle Business Intelligence, Oracle E-Business Suite and other Oracle applications, as well as Microsoft SharePoint.
This week Oracle also said MySQL 5.5, a new release of the open-source database, is now generally available. Oracle said the new edition offers improved performance, scalability and availability for supporting large-scale Web applications.

IT Security Will Enable Cloud Adoption In 2011: CA


Every year CA Technologies polls its security experts for their predictions on what to look for in the coming year with respect to prevailing threats and industry shifts. According to the latest report, in 2011, IT security professionals will need to step-up their battle against the insider threat and leverage Identity and Access Management to shift the view of security to that of an enabler for cloud adoption.
“The 2010 Verizon Data Breach Investigations Report showed that the percentage of breaches attributed to insiders more than doubled over the previous year to 46 percent, and we expect that trend to continue,” said Tim Brown, Senior Vice President and Chief Security Architect, CA Technologies.
The insider will be the next attack vector. Today, companies have better and more sophisticated security. It may now be easier to social engineer the insider than continually create new malware to combat better security. WikiLeaks showed us that the insider is a direct line to sensitive data which in the end is more valuable and potentially lucrative data.  There are larger amounts of high quality data in a company compared to information associated with an individual, and more access points to get in as companies open up social networking sites to the enterprise and employee mobility increases. 
Organizations will begin using behavioral analysis to predict threat from the inside. There is case study research in this area that examines the psychosocial factors that can contribute to an insider breach. This data could be used to create predictive models that correlate psychological profiles or behaviors to insider breaches or crime.
Identity and Access Management will shift Security perception from cloud barrier to cloud enabler. Organizations will change their perception of cloud security as stronger, more advanced Identity and Access Management (IAM) security options are deployed by both cloud providers and as cloud services.  Cloud providers will realize that to continue their growth, they have to provide enterprise-level security to their clients, and they will therefore strengthen the identity models associated with their cloud service. IAM delivered as a cloud service also will give organizations the option to more easily adopt and deploy various identity-related security capabilities to strengthen their security profile and bolster confidence in secure cloud use.
Companies will improve information security by linking data and identities. They will realize the need to make access and information use policies identity-based. This realization ushers in next-generation IAM and makes IAM content-aware. Traditional IAM stops at the point of access; Content-Aware IAM goes a step further to not only help control identities and their access, but also control what they can do with the information based on their identity.
Nation state attacks will grow. There is a reason the government is placing increased importance on cyber warfare. Crippling our infrastructure would be highly disruptive. Attacks on the technical supply chain by way of compromised hardware and insecure software, or attacks similar to Stuxnet, could be viewed as a nation state attack, added the report.

Microsoft Launches WebMatrix


Microsoft India launched WebMatrix, a free Web development tool designed to help Website developers to create, customize and publish Websites. Microsoft has also made available a set of video tutorials, how-to tips and other resources for helping new Web developers get started.
 
“Available in nine languages, WebMatrix provides tools that developers need to build, customize and deploy Websites on Windows,” said Moorthy Uppaluri, General Manager, Developer Partner Evangelism, Microsoft India. It also uses free open source Web applications, such as WordPress, Joomla, DotNetNuke and Umbraco.
 
WebMatrix provides the Web server, database and Web frameworks. It increases development productivity with support for multiple programming syntaxes, such as ASP.NET Razor or PHP, and Web helpers, which give a single line-of-code solution for complex coding tasks, such as inserting Twitter feeds or video, the company said.

Microsoft, SAP Launch SAP-Microsoft Unite Partner Program


SAP and Microsoft have launched a new SAP-Microsoft Unite Partner Connection program.

The joint partner program will create new opportunities for partners to reach more customers. Created in direct response to partner feedback and requests, the program will help partners of both companies increase their business opportunities more effectively through a better understanding of Microsoft and SAP joint solutions and product road maps.

Designed for members of both the SAP PartnerEdge program and the Microsoft Partner Network, SAP-Microsoft Unite Partner Connection drives alignment and collaboration among SAP, Microsoft and participating partners. Partners can identify, plan and deliver innovative, cost-effective solutions that tap the full potential of SAP and Microsoft software to help customers maximize their existing IT investments and scale to meet dynamic business needs.


Initial members of the SAP-Microsoft Unite Partner Connection program include Atos Origin, Logica and Wipro. Through co-innovation, go-to-market support and training, partners will be better equipped to help customers optimize their business planning and technology investments, the companies said in a joint statement.


The two companies also announced the availability of Duet Enterprise software. Kurt DelBene, President, Microsoft Office Division and Vishal Sikka, Executive Board Member, SAP made the announcement at the Duet Enterprise Virtual Launch Summit.


“Customers and partners have frequently requested deeper integration between IT solutions from SAP and Microsoft. Duet Enterprise delivers on that need by combining the power of the SharePoint business collaboration platform and the familiarity of Microsoft Office 2010 applications with business process solutions from SAP,” said Eric Swift, General Manager, Microsoft SharePoint.


“We use Duet Enterprise at Infosys as a framework to standardize the delivery of scalable solutions integrating SAP applications and SharePoint,” said Mandar Kumar Ananda, Senior Project Manager, IT – CRM, Infosys. “We delivered an account workspace solution with information from SAP Customer Relationship Management, documents from Microsoft SharePoint and the tools for teams to collaborate.”


“Duet Enterprise extends the power of SAP applications for many of our customers who also use Microsoft SharePoint,” said Michael Reh, General Manager and Senior Vice President, Information Worker Solutions, SAP AG. “This provides users with streamlined productivity and better decision-making. It is built on project ‘Gateway,’ which enables easy and standards-based access to SAP applications. And together with SharePoint, the software delivers a layer of interoperability that allows customers and partners to focus on creating solutions that drive business growth while helping ensure that all technical integration aspects work reliably together.”

Microsoft Launches Cloud-based CRM Online


Microsoft has launched the Microsoft Dynamics CRM Online cloud service which will be available in India with a Hindi interface. The company is offering a 30-day trial to both customers and partners.

Microsoft has also launched an aggressive program to convert Salesforce.com and Oracle customers to Dynamics CRM Online. Customers who switch over to CRM Online before June 30, 2011 will receive an incentive of up to $200 per user, which can be used for availing services such as migrating data or customizing the solution.

The cloud offering is the first to feature the latest 2011 version of Dynamics CRM and is available at a promotional price of $34 per user per month for the first 12 months to customers that sign up before June 30, 2011. The on-premise and the partner-hosted versions will be launched on February 28, globally.

“With cloud computing becoming increasingly popular, Indian businesses are re-evaluating their CRM systems to ensure that they are getting the best fit for their business and most value from their IT investment,” said Subhomoy Sengupta, Group Director, Microsoft Dynamics India. "I am confident that this offering will add immense value to businesses across functions like sales, services and marketing by providing simplicity and enabling innovation for customers."

Microsoft claims that globally more than 11,500 customers, including those that converted from competing solutions and 2,000 partners have used Dynamics CRM 2011 as part of the beta program.

The 2011 release offers flexible cloud development, Azure interoperability, and contextual SharePoint capabilities. It also features the new Dynamics Marketplace that allows customers and partners to find qualified service providers online.

UPES And IBM Partner For B.Tech in IT


The University of Petroleum & Energy Studies (UPES) and IBM have signed a definitive agreement to launch a series of new, futuristic Bachelor of Technology (B.Tech) courses which are industry-aligned. The courseware is being redesigned and a new delivery mechanism is being put in place to enable the students to learn industry-relevant skill sets.

As a part of the agreement, UPES and IBM India will partner to up-skill students by introducing ‘B.Tech in IT courses’ on the technologies which are in demand in the IT industry and the emerging growth industries such as oil & gas, retail, healthcare and insurance, as well as open source software and open standards.

The four full-time ‘B.Tech in IT courses’ include specialisations in Oil & Gas Informatics, Mainframe Technology, Cloud Computing & Virtualisation Technologies  and Open Source Software & Industry Vertical Domain Open Standards.


The Innovation Centre for Open Standards (iCos), an online platform, will be the underlying framework for the engagement between IBM and UPES for the delivery of the courses. The IBM iCos platform links students' project based learning with IT industry mentors and subject matter experts. UPES will deliver the course from their Dehradun campus, by using all the learning models such as face to face, online, state of the art lab facility, print based and self learning.


Parag Diwan, Vice Chancellor of UPES said, “This agreement opens up the modernization of IT and Computer Science education as well as their applications in different vertical domains. Our students stand to benefit immensely from this initiative, as it provides them with a platform to help them transition from academia to industry while they are still in our campus. Students graduating from this program will be equipped with the right skills to apply for jobs at leading technology companies in India, including IBM.”


Alok Ohrie, Director – Systems and Technology Group, IBM India/SA said, “To develop curriculum that meets the evolving needs of students and their employers, it is critical that businesses and academia work together to prepare students for these new opportunities. It’s a whole new thinking, and a cutting edge approach to technology meritocracy.”

India IT-BPO Market To Touch $285 Billion By 2020: Report


India’s IT-BPO market (including exports) could touch $285 billion in 2020, growing at a CAGR of 15 percent. According to a report released by KPMG and ASOCIO called Asia-Oceania Vision 2020: Enabling IT leadership through collaboration, India, which will cater to approximately 51 percent of overall global sourcing demand, is expected to retain its leadership position by 2020.

The report claims that the IT-BPO industry in India has achieved impressive growth rates over the past decade.

“India is expected to achieve double digit growth rates in the IT-BPO industry, with a focus on innovation. However, the country needs to sustain its cost competitiveness and develop the requisite skills of its large workforce,” said Kumar Parakala, Global Head, Sourcing Advisory and COO, Advisory, KPMG India. “India could also develop complementary skills in hardware, so that it can showcase a more diversified portfolio of products and services.”

According to the report, the contribution of some of the developed countries like Japan, Australia and New Zealand in the regional demand for IT-BPO service is likely to decrease by 2020. However, the contribution of developing countries like India and Thailand is expected to increase in the coming years. Newer countries such as Sri Lanka, Pakistan and Bangladesh are also expected to make their mark on the global sourcing supply landscape by 2020.

The report emphasizes that if diversity within the Asia-Oceania region is effectively leveraged it could lead to collaborative growth. Collaboration is likely to act as a facilitator for nations to address common challenges, leverage each others’ competitive advantage and thereby aim for a much larger target market in the information, communication and technology (ICT) industry by 2020.

"While most economies are struggling with recessionary times, Asia-Oceania nations have already started experiencing an upturn. ICT is being used as a key enabler for growth, which is helping these economies move out of the downturn at a faster pace. ICT led growth is expected to push Asia-Oceania to greater heights, with some economies of the region achieving super-power status by 2020,” added Parakala.

Oracle To Buy Sun for $7.4B


After all the talk in the past weeks regarding the failed deal between IBM and Sun Microsystems, it turns out the tech company had another (more successful) suitor: Oracle.
Oracle and Sun Monday said they had struck a deal worth $7.4 billion, or $5.6 billion net of Sun's cash and debt. Under the terms, Oracle will acquire Sun common stock for $9.50 per share in cash.
The arrangement would provide Oracle ownership of Java and Solaris and give Oracle control of MySQL database software.
The Java brand has great visibility in the industry, and is considered by Oracle to be "the most important software the vendor has ever acquired," according to a statement. Oracle Fusion Middleware is built on top of Sun's Java language and software.
Sun's Solaris operating system is the leading platform for the Oracle database, which is Oracle's largest business. Through the buyout, Oracle would be able to optimize its database for some of the unique, high-end features of Solaris.
"Oracle and Sun have been industry pioneers and close partners for more than 20 years," said Sun Chairman Scott McNealy in a statement. "This combination is a natural evolution of our relationship and will be an industry-defining event."
Sun Microsystems' board approved the transaction. It is anticipated to close this summer, subject to Sun shareholder approval, certain regulatory approvals and customary closing conditions.

Analysis: The Oracle-Sun Deal And The Tech Fallout


Oracle buying Sun Microsystems will have a significant impact across several different layers of the IT space, from desktop software to midmarket to enterprise.
Here's how:
The first and most obvious benefit to Oracle will be with enterprise database offerings. Solaris running on SPARC-based equipment has always been a preferred platform for Oracle databases. This acquisition could mean the lessening of some of the pain points for partners that deploy and maintain a complex solution such as Oracle running on Solaris.
Furthermore, the acquisition would solidify Oracle's reign in the enterprise database space. Which company would be able to compete with database technology resulting from combined Oracle and Sun know-how? Even archrival Microsoft SQL Server 2008 running on Intel would be hard-pressed to meet the I/O demands in database-transaction-heavy environments such as those found in the finance and government sectors. The biggest competitor of Oracle-Sun in this space would be SAP. SAP potentially has a lot to lose with this merger.
There is even more Oracle can gain from this acquisition: a better entryway into the midmarket space. MySQL is a solid database acquired after Sun's purchase of open-source MySQL AB. Sun kept the product as an open-source option, only charging for some enterprise-level features. Oracle has been attempting to take out some of the complexity of its database deployment and maintenance, evidenced with some new features released in its 11g database product. Even with these features, Oracle's database platform has simply been out of reach for most SMBs, in both deployment requirements and sheer expense.
Perhaps if Oracle focuses on some of the R&D that went into making MySQL a viable database for SMBs, Oracle can deliver a robust-yet-affordable solution for SMBs that would not tax so many resources, both technically and financially, to deploy.
Oracle also would be smart to keep attention focused on other great software products that have been developed by Sun. For example, Sun's child, the OpenOffice.org productivity suite based on its Star Office software, has earned its place at the forefront of alternatives to Microsoft Office's stranglehold in the office productivity suite space. Netbeans, Sun's platform for Java desktop applications, is another viaduct for Oracle to make gains into the desktop and midmarket spaces. And let's not forget VirtualBox, Sun's free-for-download desktop virtualization software.
Other speculation surrounds the question of whether or not Oracle will keep Java open source. Oracle's Fusion Middleware is built on top of Java technology; it's a critical software component for Oracle. Oracle's sometimes-exorbitant fees for its products will hopefully not extend to Java.
It will be interesting to see just what exactly Oracle will do with Sun. Will it simply focus on the boxes Sun makes and scrap software such as GlassFish? Many are hoping that's not the case. A lot of innovation has come out of Sun Microsystems and many Sun fans are hopeful that Oracle will continue on that same trajectory.

VMware, Salesforce.com Unveil VMforce Java App Cloud


Salesforce.com and VMware are unveiling a partnership named VMforce under which the two will collaborate to bring Java applications to the cloud.

Under the new partnership, the two companies plan to jointly sell and support a new enterprise Java cloud, called VMforce, which VMware and Salesforce.com said will provide an open path to cloud computing.

VMforce takes advantage of VMware's Spring Java development framework. VMware acquired SpringSource, which spearheaded the Spring open source community, in August. SpringSource was a developer of applications based on open-source technologies, and the company leads a number of open-source communities.

VMware had been expected to use its Spring acquisition and other past and future acquisitions to expand its cloud computing platform. That is happening now with the VMforce program.

VMforce is slated to provide what the two companies call the first mission-critical deployment environment for enterprise Java apps in the cloud. Both companies will jointly deliver using Salesforce.com's trusted cloud platform, Force.com. The technology will run on VMware's vSphere virtualization platform.

"Enterprise Java developers, welcome to Cloud 2," said Marc Benioff, Chairman and CEO, Salesforce.com, in a statement.

"This fundamental shift incorporates cloud computing, real-time collaboration and mobile devices like the iPad to meet the new needs of the enterprise. Now, in partnership with VMware, we are delivering VMforce and bringing Java to Force.com so enterprise Java developers can create powerful new innovative Cloud 2 apps," Benioff said.
Companies are looking for ways to offer the benefits of cloud computing while utilizing existing resources, said Paul Maritz, CEO, VMware, in a statement.

"By creating a dramatically simplified solution for modern application development, VMforce is a significant step forward in offering our customers a path that bridges existing internal investments with the resources and flexibility of the cloud," Maritz said.

VMforce is currently scheduled to be available in developer preview sometime this year, and pricing has yet to be announced.

How Green is your IT?



There is a high degree of sensitivity amongst organizations today to ensure that they do not add to environmental abuse. In fact, it is no longer an exception to see customers specifying that their vendors qualify for essential environmental standards.
Increasingly, vendors are running the risk of getting disqualified in the sales process unless their products and services comply with international Green IT standards.
Is this talk about Green IT merely a fad?
Consider this:
The servers running in organizations consume power and air conditioning, and generate heat that adds to carbon emissions.
Take the following scenario.
If an inefficient server consumes 300 watts of power, that is 2.62 megawatt hours per server per year (300*24*365). Taking the calculation a step further and translating electricity consumption into CO2 emissions (carbon dioxide "is the most prevalent greenhouse gas from the production of electricity"), it is equivalent to 1.755 tons of CO2, which is equivalent to the CO2 emitted by driving a sedan for over 9500 km.
http://www.roughtype.com/archives/2006/12/avatars_consume.php
The same calculation for 4 servers gives about 10.48 MWh/year and CO2 emissions equivalent to driving a whopping 38000 km.
An energy-efficient server might bring down the CO2 emissions and greenhouse gas effect by over 40%.

SaaS
Besides energy-efficient servers, there are other ways of contributing to a Green IT revolution. A significant positive trend in the direction of Green IT is embracing the SaaS model. The Software as a Service (SaaS) delivery model offers a distinct approach to carbon dioxide emission reductions.
Economies of scale realized from centralized processing and a shared services model automatically reduce the number of decentralized servers, thereby contributing to a smaller carbon footprint. Instead of hundreds of thousands of customers individually operating their own servers and the power-hungry facilities to support those servers, the SaaS multi-tenant model centralizes data center operations to use less equipment and a small fraction of the supporting facility costs.
Not only does this contribute to the Green IT revolution, but it helps save costs on servers and the accompanying maintenance/upkeep expenditure.
Many businesses are now finding that switching to a Software-as-a-Service (SaaS) solution not only solves this problem, but also offers many environmental benefits. In a time when "going green" is high on many companies' priority lists, SaaS provides a great way to improve business processes on both fronts.

SaaS is Green!
When companies use SaaS applications, the vendor's central data center already provides the computing resources to run the application. Customers do not need to consume critical resources to generate the power for their own host machine. Further, the redundant backup power, HVAC systems, etc. are also handled by the vendor data center and not the customer, which positively impacts the customer's bottom line -- a very important benefit in a down economy.
Shared resources such as in SaaS go a long way in optimal usage of infrastructure and not only preserve the environment but save costs.
Green Data Center
A green data center is one which maximizes energy efficiency and minimizes environmental impact. All of us need to make a difference in bringing in reforms and rethinking ways of optimizing equipment rather than purchasing newer equipment. If scaling up is inevitable, it is important to consider energy-efficient computing products.

Cisco Releases Security Specialist Certification In India


Cisco has introduced new Security Specialist certifications to recognize individuals who have attained competencies in network security skills that align with evolving job roles, technologies and business requirements.

The Cisco Security certification portfolio now supports six key technologies with certifications for these Security Specialists, including Cisco IPS Specialist, Cisco NAC Specialist, Cisco ASA Specialist, and the new Cisco IOS Security Specialist, Cisco Firewall Security Specialist and Cisco VPN Security Specialist.

The Cisco IOS Security Specialist certification recognizes security professionals who demonstrate the hands-on knowledge and skills that are required to secure networks, using Cisco IOS Security features embedded in the latest Cisco routers and switches as well as the widely deployed Cisco security appliances.


The Cisco VPN Security Specialist certification recognizes security professionals with the skills and knowledge to configure, maintain, troubleshoot and support various VPN solutions, using Cisco IOS Software and the robust Cisco ASA adaptive security appliance.



The combination of new security threats, regulatory compliance mandates, and the need to protect customer and organizational data has driven the demand for a more efficient use of network security technologies within architectures such as Smart+Connected Communities. The increasing complexity of network security responsibilities with mobility, social networking, voice, video, virtualization, cloud computing and physical safety and security requirements is driving greater specialization and advanced skills on the products that facilitate these solutions, including virtual private networks, firewalls, authentication and intrusion prevention.


Recently, Cisco enhanced its Security portfolio with the introduction of the CCNP Security career certification program, which specifically addresses the growing demand for network security engineers. Cisco Security Specialist certifications complement these industry-recognized security career certifications by focusing on skills assessment for critical product and technology areas.

Thursday, February 10, 2011

Hacking techniques


Attacks on a company or organization's computer systems take many different forms, such as spoofing, smurfing, and other types of Denial of Service (DoS) attacks. These attacks are designed to harm or interrupt the use of your operational systems. This article deals with a single widespread form of attack known as password cracking.
Password cracking is a term used to describe the penetration of a network, system, or resource with or without the use of tools to unlock a resource that has been secured with a password. In this article I will take a look at what password cracking is, why attackers do it, how they achieve their goals, and what you can do to protect yourself. I will briefly take a look at the attackers themselves: their psychological makeup and their motives. Through an examination of several scenarios, I will describe some of the techniques they deploy and the tools that aid them in their assaults, and how password crackers work both internally and externally to violate a company's infrastructure. Finally, the article provides a checklist to help protect you from password cracking.
Before exploring the methods for doing this, let's first peer into the mind of the attacker and learn why they might want access to your network and systems.
There is an ongoing debate about the definition of the word hacker. A hacker can be anyone with a deep interest in computer-based technology; it does not necessarily define someone who wants to do harm. The term attacker can be used to describe a malicious hacker. Another term for an attacker is a black hat. Security analysts are often called white hats, and white-hat analysis is the use of hacking for defensive purposes.
Attackers' motivations vary greatly. Some of the most notorious hackers are high school kids in their basements planted in front of their computers looking for ways to exploit computer systems. Other attackers are disgruntled employees seeking revenge on a company. And still other attacks are motivated by the sheer challenge of penetrating a well-secured system.
Password cracking doesn't always involve sophisticated tools. It can be as simple as finding a sticky note with the password written on it stuck right to the monitor or hidden under a keyboard. Another crude technique is known as "dumpster diving," which basically involves an attacker going through your garbage to find discarded documentation that may contain passwords.
Of course attacks can involve far greater levels of sophistication. Here are some of the more common techniques used in password cracking:
  • Dictionary attack 
    A simple dictionary attack is by far the fastest way to break into a machine. A dictionary file (a text file full of dictionary words) is loaded into a cracking application (such as L0phtCrack), which is run against user accounts located by the application. Because the majority of passwords are often simplistic, running a dictionary attack is often sufficient to do the job.
  • Hybrid attack 
    Another well-known form of attack is the hybrid attack. A hybrid attack adds numbers or symbols to each dictionary word in order to crack a password that a plain dictionary attack would miss. Many people change their passwords by simply adding a number to the end of their current password. The pattern usually takes this form: first month password is "cat"; second month password is "cat1"; third month password is "cat2"; and so on.
  • Brute force attack 
    A brute force attack is the most comprehensive form of attack, though it may often take a long time to work depending on the complexity of the password; some brute force attacks can take a week. L0phtCrack can also be used in a brute force attack.
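The three techniques above can be turned around into a policy check. As an added example that is not part of the article, the Python below decides which of them would recover a proposed password first (a dictionary word, a word with a hybrid affix, or a keyspace small enough to brute force within a week) so the password can be rejected before it is ever set. The wordlist, affix rules, and guess rate are constructed assumptions, not figures from the article.

```python
import re

# Constructed stand-in for the dictionary file a cracking tool loads; a real
# check would use a full wordlist plus product names, team names and other
# local terms (the article's "cisco", "Yankees" and "friday").
WORDLIST = {"cat", "dog", "password", "secret", "admin", "cisco", "yankees", "friday"}

# Hybrid rules assumed here: up to four digits/symbols appended or prepended.
AFFIX = r"[0-9!@#$%^&*._-]{0,4}"
SUFFIX_RE = re.compile(AFFIX + r"$")
PREFIX_RE = re.compile(r"^" + AFFIX)

# Letter-for-symbol substitutions that hybrid rules also undo.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "@": "a", "$": "s", "!": "i"})

# Assumed attacker guess rate for the brute-force estimate (not from the article).
GUESSES_PER_SECOND = 1e9


def base_word(candidate):
    """Strip hybrid affixes and undo substitutions to recover the underlying word."""
    core = PREFIX_RE.sub("", SUFFIX_RE.sub("", candidate))
    return core.lower().translate(LEET)


def keyspace(candidate):
    """Alphabet an attacker must cover, raised to the password length."""
    alphabet = 0
    if re.search(r"[a-z]", candidate):
        alphabet += 26
    if re.search(r"[A-Z]", candidate):
        alphabet += 26
    if re.search(r"[0-9]", candidate):
        alphabet += 10
    if re.search(r"[^a-zA-Z0-9]", candidate):
        alphabet += 33
    return alphabet ** len(candidate)


def days_to_brute_force(candidate, rate=GUESSES_PER_SECOND):
    """Worst-case days to exhaust the keyspace at the assumed guess rate."""
    return keyspace(candidate) / rate / 86400


def classify(candidate, brute_force_limit_days=7):
    """Name the cheapest attack from the article that recovers the password,
    or 'resistant' if none of them finishes within the limit."""
    if candidate.lower() in WORDLIST:
        return "dictionary"
    if base_word(candidate) in WORDLIST:
        return "hybrid"
    if days_to_brute_force(candidate) <= brute_force_limit_days:
        return "brute-force"
    return "resistant"


if __name__ == "__main__":
    for pw in ["cat", "cat2", "cisco123", "P@ssw0rd!", "abcxyz", "Abc123xyZ"]:
        print(f"{pw!r}: {classify(pw)} ({days_to_brute_force(pw):.1e} days brute force)")
```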
Next, take a look at some of the tools attackers use to break into a system.
One of the most popular tools is L0phtCrack (now called LC4). L0phtCrack is a tool that allows an attacker to take hashed Windows NT/2000 passwords and convert them to plaintext. NT/2000 passwords are stored as cryptographic hashes and cannot be read without a tool like L0phtCrack. It works by attempting every alphanumeric combination possible to try to crack passwords.
Another commonly used tool is a protocol analyzer (better known as a network sniffer, such as Sniffer Pro or Etherpeek), which is capable of capturing every piece of data on the network segment to which it is attached. When such a tool is running in promiscuous mode, it can "sniff" everything going around on that segment, such as logins and data transfers. As you'll see later, this can seriously damage network security, allowing attackers to capture passwords and sensitive data.
Let's take a look at a few scenarios and examine how attackers launch their attacks and how they might be stopped or prevented. I'll first describe a couple of scenarios involving internal attacks (that is, attacks that originate within an organization), and then take a look at a couple of scenarios involving external attacks.
Internal attackers are the most common sources of cracking attacks because they have direct access to an organization's systems. The first scenario looks at a situation in which a disgruntled employee is the attacker. The attacker, a veteran systems administrator, has a problem with her job and takes it out on the systems she is trusted to administer, manage, and protect.
Jane Smith, a veteran system administrator with impeccable technical credentials, has been hired by your company to run the backup tapes during the late evenings. Your company, an ISP, has a very large data center with roughly 4000+ systems all monitored by a Network Operations Center. Jane works with two other technicians to monitor the overnight backups and rotate the tapes before the morning shift comes in. They all work independently of each other: one technician works on the UNIX Servers, one technician covers the Novell Servers, and Jane has been hired to work on the Windows 2000 Servers.
Jane has been working on the job for six months now and is a rising star. She comes in early, stays late and has asked to transfer to another department within the company. One problem: there are no open positions at the time. During the last month you (the security analyst) have noticed a dramatic increase in the number of attempts at Cisco router and UNIX Server logins. You have CiscoSecure ACS implemented so you can audit the attempts, and you see that most of them occur at 3 a.m.
Your suspicions are aroused, but as a security analyst, you can't go around pointing fingers without proof.
A good security analyst starts by looking deeper into the situation. You note that the attacks are from someone of high caliber and occur during Jane's shift, right after she is done with her tape rotation assignment and usually has an extra hour to study or read before the day operations team comes in. So you decide to have Jane supervised at night by the night operations manager. After three weeks of heavy supervision, you notice that the attacks have stopped. You were right. Jane was attempting to log into the Cisco routers and UNIX servers.
A good security analyst also needs to employ a good auditing tool, such as TACACS+, to log attacks. TACACS+ is a protocol used by applications such as CiscoSecure ACS that enforces Authentication, Authorization, and Accounting (AAA for short). Authentication means the user accessing a resource must first prove who they are; Authorization means that person must also hold the rights and permissions needed to access that system. What happens when you are authenticated and also authorized? You must be held Accountable, and that is what Accounting provides. Accounting logs alone solve many password cracking problems because every attempt is tied to an authenticated, authorized account that can be held accountable.
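One way to use those accounting records the way the analyst in the first scenario does: count failed logins per account inside the night-shift window and tie the source address back to whichever account legitimately uses it. This is an added example, not part of the article; the log format is a constructed key=value layout, not the real CiscoSecure ACS or TACACS+ accounting format.

```python
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed sample of AAA accounting records in a simplified key=value layout
# assumed for this example; it is not the real CiscoSecure ACS or TACACS+ format.
SAMPLE_LOG = """\
2011-02-03 03:02:11 user=jsmith src=10.1.20.15 dst=core-rtr1 service=login result=FAIL
2011-02-03 03:02:40 user=jsmith src=10.1.20.15 dst=core-rtr1 service=login result=FAIL
2011-02-03 03:03:05 user=jsmith src=10.1.20.15 dst=unix-db02 service=login result=FAIL
2011-02-03 03:04:19 user=jsmith src=10.1.20.15 dst=unix-db02 service=login result=FAIL
2011-02-03 03:05:52 user=jsmith src=10.1.20.15 dst=core-rtr2 service=login result=FAIL
2011-02-03 03:06:30 user=jsmith src=10.1.20.15 dst=core-rtr2 service=login result=FAIL
2011-02-03 03:07:01 user=jsmith src=10.1.20.15 dst=core-rtr2 service=login result=PASS
2011-02-03 14:10:33 user=bsmith src=10.1.5.7 dst=core-rtr1 service=login result=FAIL
2011-02-03 14:10:50 user=bsmith src=10.1.5.7 dst=core-rtr1 service=login result=PASS
2011-02-03 22:45:00 user=backup-win src=10.1.20.15 dst=win-fs01 service=login result=PASS
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<kv>.*)$")


def parse_records(log_text):
    """Turn each log line into a dict of its fields; lines that do not match are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = dict(field.split("=", 1) for field in m.group("kv").split())
        rec["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def flag_off_hours_failures(log_text, threshold=5, start=time(0, 0), end=time(6, 0)):
    """Users whose failed logins inside the off-hours window reach the threshold,
    with the systems they tried and the source addresses they came from."""
    stats = defaultdict(lambda: {"failures": 0, "targets": set(), "sources": set()})
    for rec in parse_records(log_text):
        if rec.get("result") != "FAIL" or not (start <= rec["ts"].time() < end):
            continue
        entry = stats[rec["user"]]
        entry["failures"] += 1
        entry["targets"].add(rec["dst"])
        entry["sources"].add(rec["src"])
    return {user: s for user, s in stats.items() if s["failures"] >= threshold}


def accounts_seen_from(log_text, src):
    """Accounts that successfully authenticated from a source address, which ties a
    burst of failures back to the workstation of whoever legitimately uses it."""
    return sorted({rec["user"] for rec in parse_records(log_text)
                   if rec.get("src") == src and rec.get("result") == "PASS"})


if __name__ == "__main__":
    for user, s in flag_off_hours_failures(SAMPLE_LOG).items():
        print(f"{user}: {s['failures']} off-hours failures against {sorted(s['targets'])}")
        for src in sorted(s["sources"]):
            print(f"  {src} also authenticated as {accounts_seen_from(SAMPLE_LOG, src)}")
```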
Next, I'll give an example of an old (but still widely used) attack, which involves sniffing passwords right off the network. You can see how a network supervisor had his Cisco routers and switches cracked by a help desk technician within the company.
Tommy is hired for the position of help desk technician to work with the after-hours help desk crew. The after-hours help desk staff is made up of roughly 10 technicians who provide coverage for eight remote sites that the company needs to support during off hours. Tommy always brings his laptop with him to work. When questioned about the laptop by his manager, Tommy explains that he is using his break time to prepare for a certification test. This seems harmless and is approved, even though there is a company-wide security policy in place about bringing machines from the outside into the corporate network without corporate security looking the device over.
Tommy is eventually caught by a surveillance camera leaving a small wiring closet with something under his arm. But since nothing is reported missing, there is no way to prove that Tommy has done anything wrong. And when questioned by the help desk manager about why he was in the closet, Tommy says that he mistakenly entered it thinking it was a break room.
The company's security manager, Erika, sees the report filed by the guards responsible for the physical security of the building. She wonders what Tommy was doing in that closet and is not satisfied with the answer he gave to the help desk manager. Upon searching the closet, she finds an unplugged patch cable hanging from one of the patch panels and an empty hub port. When she plugs the cable back in, the link light does not come back on, suggesting that this is a dead port. Cable management Velcro straps neatly hold all the other cables together. With Erika's years of experience and keen sense of security exploitation, she knows exactly what happened.
Erika assumes that Tommy has brought his laptop in the wiring closet unseen. He most likely looked for a dead port on the hub and plugged his laptop in with a packet sniffer installed on it, which promiscuously picks up traffic on a network segment. He returns later to pick up the laptop, which is caught on the surveillance camera, to take home for analysis after saving the capture file.
Using the company's security policy, she confronts Tommy and explains that all personal property, such as laptops and Palm Pilots, is subject to search if it is on the premises illegally. Since Tommy never should have had his laptop there in the first place, he hands it over to Erika. Upon careful examination, Erika finds the following trace decode as seen in Figure 1.

Figure 1. Captured telnet traffic with a protocol analyzer
A close examination of the Hex pane of the Sniffer Pro analyzer in Figure 2 reveals ASCII data in clear view on the right side of the pane. While attached to a switch in the closet, Tommy ran the configuration while connected via a telnet session. Since the telnet protocol is insecure and sent in cleartext, it is easy to see the password: "cisco."

Figure 2. Plaintext data in the Hex pane of the protocol analyzer
This is one of the most basic principles of security: Never use a product name as a password. But in spite of how basic a principle it is, it's remarkable how often it is still done.
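Both weaknesses in that capture, a cleartext management protocol and a product name as the password, are visible in the device configuration long before anyone plugs a sniffer into a closet. As an added example that is not part of the article, the Python below audits a constructed IOS-style configuration excerpt for exactly those settings, with the weak version beside a hardened one; the configuration text and the placeholder secret hash are invented for this example.

```python
import re

# Constructed IOS-style configuration excerpts written for this example; they
# are not from the article or from any real device. The enable secret hash is a
# placeholder, not a real digest.
WEAK_CONFIG = """\
hostname closet-sw1
enable password cisco
!
line vty 0 4
 password cisco
 login
 transport input telnet
"""

HARDENED_CONFIG = """\
hostname closet-sw1
enable secret 5 $1$PLACEHOLDER
!
line vty 0 4
 login local
 transport input ssh
"""

# Product and role names that the article warns should never be a password.
PRODUCT_WORDS = {"cisco", "router", "switch", "admin", "password"}


def audit_config(cfg):
    """Return (line_number, finding) pairs for the weaknesses the capture shows:
    a cleartext management protocol and a product name used as a password."""
    findings = []
    in_vty = False
    for number, raw in enumerate(cfg.splitlines(), 1):
        text = raw.strip()
        if text.startswith("line vty"):
            in_vty = True  # the indented lines that follow belong to the vty block
        elif text.startswith("line ") or text == "!":
            in_vty = False
        if re.match(r"enable password\b", text):
            findings.append((number, "enable password is reversible or cleartext; use enable secret"))
        m = re.match(r"(?:enable )?password (?:\d+ )?(\S+)$", text)
        if m and m.group(1).lower() in PRODUCT_WORDS:
            findings.append((number, f"product or role name used as a password: {m.group(1)}"))
        m = re.match(r"transport input (.+)$", text)
        if in_vty and m and m.group(1).strip() != "ssh":
            findings.append((number, f"vty line accepts cleartext management sessions: {text}"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit_config(cfg))} finding(s)")
        for number, finding in audit_config(cfg):
            print(f"  line {number}: {finding}")
```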
Next, turn your attention to some external threats.
External attackers are those who must traverse your "defense in depth" to try and break into your systems. They don't have it as easy as internal attackers. The first scenario involves a fairly common form of external attack known as Web site defacing. This attack uses password cracking to penetrate the systems that the attacker wants to deface. Another possible password cracking attack is when an attacker tries to obtain passwords via social engineering: tricking an unsuspecting administrator into handing account IDs and passwords over to an attacker. Let's take a look at both.
Figure 3 demonstrates a fairly common and simple example of external password cracking: defacing a Web site's home page. It takes little effort and is usually accomplished by simply exploiting an Internet Information Server (IIS) that has its permissions set incorrectly. The attacker simply goes to a workstation and tries to attack the IIS server with an HTML editing tool. When trying to attach over the Internet to the site, the attacker uses a password generator tool, such as L0phtCrack, which launches a brute force attack against the server.

Figure 3. Home page replaced by an attacker
Your company's reputation is on the line. Business vendors and associates will lose faith in you if they perceive that your data is kept on unsecured servers. Make sure you look at inside and outside threats equally.
Non-tool-related tricks to crack passwords are called social engineering attacks. Read this scenario to learn more.
Jon is the new security analyst for a large company. His first job is to test his company's security stance. He of course lets management know what he is about to do (so he doesn't get labeled as an attacker himself). He wants to see how hard it is to crack into the network without even touching a single tool. He tries two separate but equally devastating attacks.
As a new employee in a large organization, Jon isn't known to many people yet, which makes it easy for him to pull off his first social engineering attack. His first target is the help desk. Jon makes a routine call to the help desk and asks for a password reset as a supposed remote user. Jon already has half the information he needs since he knows that the company's naming convention is simply first name and the first initial of the user's last name. The CIO's name is Jeff and his last name is Ronald, so JeffR is his login ID. This information is readily available from the company's phone directory. Masquerading as the CIO, Jon calls the help desk and asks for a password reset because he has forgotten his password. This is a normal ritual for the help desk technician, who resets forgotten passwords 100 times a day and calls the requestor back letting them know what their new password is. The help desk technician calls Jon back five minutes later and lets him know that his new password is "friday" because it happens to be Friday. Within another five minutes, Jon is in the CIO's shared files on the server and in his e-mail.
Jon's next social engineering attack involves a good friend of his who works for the local telephone company. Jon borrows some of his gear and his belt and badge on his friend's day off. Jon takes his new gear and heads to another part of the organization's campus where all the disaster recovery routers and servers are located. This hardware contains a working copy of all the company's current data and is considered confidential. Jon walks into the campus security office in his Telco costume and explains that he has been called out by the Local Exchange Carrier (LEC) because a circuit appears to be looped from the Telco. He needs to be let into the data center so he can check out if there are any alarms on the Smart Jack.
The onsite administrator escorts Jon to the data center without even checking his ID. Once inside, the administrator wisely sticks around, so Jon starts his test. After a few minutes, Jon informs the administrator that he will have to call his office and have them run some more tests so he can loop off the Smart Jack and try to troubleshoot. Jon lets the administrator know that this will take about 45 minutes, so the administrator gives Jon his pager number and asks that he page him when he is done to let him out. Jon has now successfully eliminated the only obstacle between him and the 30 servers all lined up in racks along the back wall of the data center.
Jon has a few different opportunities now. He can go to every server and start looking for unlocked consoles, or he can plug his laptop into an open port and start sniffing. Since he really wants to see how far he can go, he decides to look for open consoles. After five minutes of looking through all the KVM slots, he finds a Windows NT server running as the Backup Domain Controller (BDC) for the domain. Jon pulls a CD out of his bag and inserts it into the CD tray of the server. He installs L0phtCrack onto the BDC for the company's domain and runs a dictionary attack. Within five minutes it produces the following password: Yankees. It turns out the lead administrator is a New York Yankees fan. He now has access to the company's most vital information.
Now look at how this was done.

Figure 4. Using L0phtCrack to break the Administrator password
Here is a checklist of things you can do to make password cracking more difficult:
  • Audit your organization! Do a walk through and make sure passwords are not stuck to monitors or under keyboards.
  • Set up dummy accounts. Get rid of the administrator (or admin) account or set it up as a trap and audit it for attempts.
  • Use strong, difficult to guess passwords, and never leave a console unlocked.
  • Backups are necessary in case you are compromised. You need a working set of data, so make sure you have it. Keep the tapes secure too, or the data there will be compromised as well.
  • Prevent dumpster diving. Don't throw sensitive information away; shred it or lock it up.
  • Check IDs and question people you don't know. When you have visitors, check them out and make sure they belong.
  • Educate your end users. Make sure they aren't prone to social engineering and educate and remind internal users of the company's security policies.
In this article I've described some of the psychology behind an attacker's motivation and some of the low-tech and high-tech methods used to crack passwords. You've looked at several attack scenarios, including attacks against major companies by a veteran administrator, a help desk technician, and an outside vandal. You also saw how password crackers use techniques both internally and externally to your infrastructure. Finally, some ideas on how to properly secure yourself and your systems from the possibility of a password cracking attack were offered. Combating these attacks ultimately requires a conscious effort, trained individuals, useful tools, and sound security policies. Hopefully, as a proactive security analyst, you can make a difference in helping to slow down this malicious activity within your organizations as well as outside of them. Otherwise, you may find Jon in your server room with a smirk on his face and your data in his hands.