WPS 7 – install an ifix silently with IBM Installation Manager

From WebSphere 7, IBM recommends installing all fixes with IBM Installation Manager for WebSphere. However, for now IBM still keeps UpdateInstaller for installing ifixes for WAS7. Although UpdateInstaller can install ifixes for WPS7 when you specify the pak file location, the installed ifixes will not show up in IBM Installation Manager, which makes the ifixes hard to manage.

So I recommend installing WPS7 ifixes (JRXXXXX) with IBM Installation Manager. However, installing an ifix through the Installation Manager UI is slower when Installation Manager is installed on a UNIX platform (it requires an X terminal).

Here is the way to install an ifix silently for WPS 7:

(1) Copy the WPS7 ifix to a temp directory and unzip it. In general, an ifix for WPS7 is a ZIP file. For example,

(2) Go to the directory /IBM/InstallationManager/eclipse.

(3) Create an installation response XML file, for example JR38536_repsonsefile.xml. Its content should be like the following; change the necessary fields (shown in bold).



Windows Domain to Amazon EC2 Single Sign-On Access Solutions

David Chappell, the Principal of Chappell & Associates, US, has written a whitepaper proposing several solutions for Single Sign-on (SSO) access to applications deployed on Amazon EC2 from a Windows domain. InfoQ explored these solutions to understand what benefits and tradeoffs each one presented.

The paper is: "Connecting to the Cloud: Providing Single Sign-On to Amazon EC2 Applications from an On-Premises Windows Domain." Excerpt: "Users hate having multiple passwords. Help desks hate multiple passwords too, since users forget them. Even IT operations people hate them, because managing and synchronizing multiple passwords is expensive and problematic. Providing single sign-on (SSO) lets users log in just once, then access many applications without needing to enter more passwords. It can also make organizations more secure by reducing the number of passwords that must be maintained. And for vendors of Software as a Service (SaaS), SSO can make their applications more attractive by letting users access them with less effort...

With the emergence of cloud platforms, new SSO challenges have appeared. For example, Amazon Web Services (AWS) provides the Amazon Elastic Compute Cloud (Amazon EC2). This technology lets a customer create Amazon Machine Images (AMIs) containing an operating system, applications, and more. The customer can then launch instances of those AMIs (virtual machines) to run applications on the Amazon cloud. Similarly, Microsoft provides Windows Azure, which lets customers run Windows applications on Microsoft's cloud. When an application running on a cloud platform needs to be accessed by a user in an on-premises Windows domain, giving that user single sign-on makes sense. Fortunately, there are several ways to do this..."



The Arrival of HTML 5: Lots of New Features

"HTML (Hyper Text Markup Language) is one of the underpinning technologies of the modern web, with the lion's share of web users' Internet activities founded on it. HTML now stands on the brink of the next change -- the coming of HTML 5. At present, the Internet already contains a handful of HTML 5 specification outlines which partially cover HTML 5 features and conceptions. In this article, we review the current state of HTML and describe the most significant HTML 5 innovations.

Offline Potential: Some time ago, a new specification for client-side database support with interesting applications was introduced. While this feature had vast potential, it has been excluded from current specification drafts due to insufficient interest from vendors which use various SQL back-ends. As such, the only offline feature currently available in HTML 5 is flexible online/offline resources management using cache manifests. Cache manifests allow an author of a document to specify which referenced resources must be cached in the browser data store (e.g., static images, external CSS and JavaScript files) and which must be retrieved from a server (e.g., time-sensitive data like stock price graphs, responses from web services invoked from within JavaScript). The manifest also provides means for specifying fallback offline replacements for resources which must not be cached. This mechanism gives the ability to compose HTML documents which can be viewed offline.

REST in Forms: A REST application can be characterized by a clear separation between clients and servers, stateless communications with the server (no client context is stored on the server between requests) and a uniform client-server protocol that can be easily invoked from other clients. Applied to HTTP, it encourages usage of URIs for identifying all entities and standard HTTP methods like GET (retrieve), POST (change), PUT (add) and DELETE (remove) for entity operations. HTML 5 now fully supports issuing PUT and DELETE requests from HTML forms without any workarounds. This is an unobtrusive, but ideologically important innovation which brings more elegance into web architecture and simplifies development of HTML UI for REST services.

Communicating Documents: Now documents opened in browsers can exchange data using messages. Such data exchange may be useful on a web page that includes several frames with the data loaded from different origins. Usually, a browser does not allow JavaScript code to access/manipulate the objects of other documents opened from a different origin. This is done to prevent cross-site scripting and other malicious and destructive endeavors..."

See also: HTML5 differences from HTML4.
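The cross-document messaging the excerpt describes is delivered to a listener regardless of the sender's origin, so the receiving page has to do the origin check itself. The following is an added example (not code from the quoted article) of a defensive receiver and sender; the origins, the "stock-quote" message shape and the element id are constructed for the example.

```javascript
// Added example: defensive handling of HTML 5 cross-document messages.
// The browser enforces the same-origin rule for direct object access, but
// postMessage deliberately crosses origins, so event.origin and event.data
// must be validated by the receiving document.
const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'https://widget.example.com']); // constructed

// Returns the accepted, normalised message, or null when it must be ignored.
// Kept free of DOM calls so it can be exercised outside a browser.
function acceptMessage(event, allowedOrigins = ALLOWED_ORIGINS) {
  // 1. Only origins we expect to talk to us. A '*' check here would let any
  //    page that can obtain a reference to this window inject messages.
  if (!allowedOrigins.has(event.origin)) return null;

  // 2. Parse defensively: data may be a string (JSON) or a structured clone.
  let payload;
  try {
    payload = typeof event.data === 'string' ? JSON.parse(event.data) : event.data;
  } catch (err) {
    return null; // malformed JSON from an allowed origin is still rejected
  }
  if (payload === null || typeof payload !== 'object') return null;

  // 3. Accept only a known message type with fields of the expected shape.
  if (payload.type !== 'stock-quote' || typeof payload.symbol !== 'string') return null;
  if (!/^[A-Z]{1,5}$/.test(payload.symbol)) return null;

  return { origin: event.origin, type: payload.type, symbol: payload.symbol };
}

// Render with textContent, never innerHTML, so a string that came from the
// other document cannot be interpreted as markup.
function render(message, element) {
  element.textContent = `Quote requested for ${message.symbol} by ${message.origin}`;
}

// Wire the checker to the window when running in a browser.
if (typeof window !== 'undefined') {
  window.addEventListener('message', (event) => {
    const msg = acceptMessage(event);
    if (msg) render(msg, document.getElementById('quote'));
  });
}

// Sending side: always name the target origin instead of '*', so the browser
// drops the message if the target frame has since navigated elsewhere.
function sendQuoteRequest(targetWindow, symbol) {
  targetWindow.postMessage(JSON.stringify({ type: 'stock-quote', symbol }), 'https://app.example.com');
}
```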



PingFederate as an IdM suite federation alternative

PingFederate provides the same functionality as the federation components of Identity Management suites without requiring extensive upgrades, lengthy deployments or custom integration work, and all at a much lower cost.

Identity management suite customers often choose to implement PingFederate instead of the federated identity module offered by their suite vendor for one or more of the following reasons:

  • Easier to learn, deploy and use
  • Much faster time-to-connection
  • Out-of-the-box integration with other products, particularly those from their suite vendorʼs competitors
  • Extensive support for SaaS SSO: provisioning, mobile devices, email clients etc.
  • No need to upgrade to the latest version of the IdM suite just to use the federation module
  • Availability of PingEnable implementation and support services
  • Significantly lower total cost of ownership

Many IdM suite users choose PingFederate to deliver Internet SSO functionality instead of the federated identity module sold by their suite vendor.



Internet SSO for commercial applications PingIdentity

Companies in virtually every industry are now enhancing or expanding their product offerings via additional functionality delivered via the Internet.

These companies differ from pure on-demand (SaaS) providers in that their products are more than software. They also tend to be larger, more established companies such as Rearden Commerce or Morgan Stanley that have multiple federated identity use cases. These types of companies use PingFederate in a hybrid manner. They support both incoming Single Sign-On for their customers, as well as outgoing SSO for their employees.
PingFederate is a particularly good choice for this use case because pricing is connection-based, versus seat-based, the model most common with identity management products designed to manage employee identities.
SaaS and BPO providers use PingFederate both to establish SAML-based Internet SSO connections with their customers and to create services mashups. 




SaaS Connector PingIdentity

SaaS Connectors install within PingFederate running as an IdP to expedite and optimize creating connections to leading SaaS providers.
SaaS Connectors offer additional functionality including support for automated SaaS user account management, non-browser-based access devices, including email clients and mobile apps; support for advanced use cases, such as email links; and support for proprietary SSO APIs. Specific functionality varies depending on the capabilities and requirements of the target SaaS applications. Quick Connection Templates guide you through configuration of the SaaS connection, pre-populating configuration information where possible.
SaaS Connectors are currently available for Salesforce, Google Apps, Webex, and Workday with more connectors planned for future release.




SSO to external/SaaS Applications PingIdentity

Federated identity has evolved into an essential ingredient of Internet security technologies. As the number of Software-as-a-Service applications continues to grow, the ability to implement Internet SSO and federated identity has become a fundamental use case for virtually every major SaaS provider.
While some SaaS providers started by offering a proprietary SSO mechanism, the industry trend is moving toward support of standards such as SAML 2. This allows employees, contractors or other members of an enterprise workforce to use their corporate credentials to access external applications.
In this use case, PingFederate connects to one or more service providers such as Software as a Service (SaaS) providers, enterprise applications hosted on an IaaS platform (Amazon EC2), enterprise applications developed using a PaaS provider (Force.com) or Business Process Outsourcing (BPO) suppliers that provide applications for employee use. The enterprise can provide SSO access to external applications from multiple devices including Web browsers, mobile devices and rich clients such as Microsoft Outlook. Employees benefit from SSO access whether they are in the office or on the road. PingConnect can also support this use case for small to medium enterprises who prefer a hosted solution, eliminating the need for on-premise hardware and IT resources.

SaaS Connectors provide support for advanced use cases, including user account management, and optimize the creation and configuration of connections.

In this use case, an enterprise uses PingFederate to give its workforce easy and secure access to external cloud-based applications provided by IaaS, PaaS and SaaS providers, outsourcers and other service providers.



One-Time Passwords with OneLogin and YubiKey

Using multiple authentication factors is an effective way of preventing someone from accessing your sensitive data even if they manage to get hold of your username or password. For a brief introduction to the topic, read the article Authentication Factors.
OneLogin supports both VeriSign VIP Access and Yubico's YubiKey for one-time password generation. These solutions fall into the "something you have" category, which means that if you successfully authenticate, the authenticating party knows that the user has the key in their possession. This significantly reduces the chances of someone else hacking into that user's account.

Enabling OTP

In order to use OTP with OneLogin, one of your account's admins has to turn it on. This is done under Security -> OTP.
OneLogin lets you use VIP Access and YubiKey at the same time, which is an advantage if you have different users with different needs. For example, someone who works from an office all day may prefer YubiKey because of its ease of use, while someone who travels may prefer VIP Access because it's always on their phone.
OTP can be required for all administrators only, all users or select users.

Registering OTP Devices


In order for an OTP device to be used, it must be associated with a user. This can be done manually by the administrator, user by user, but that's not practical on a large scale, especially with VIP Access where only the employee has access to the device. If OTP is required for a user, the user will be prompted to register the device at the first successful login.

Configuring users

Once OTP is enabled, you will be able to register the device on individual users as shown below. Go to People -> Users and select a user. This is also where you deregister OTP devices.
To register a YubiKey, insert the key in the USB port and press the button. This inserts a 30-character string in the field, of which the first 12 characters are stored on the user. These 12 characters uniquely identify the key and are now tied to this user.
To register VIP Access, enter the Credential ID shown in the mobile application.
Make sure that you register your own key before you log out, or you will not be able to log in again.

When is OTP Required?

Use the required setting to enforce whether users have to use OTP at every login or just when they log in from an unknown or expired browser.

Logging in

Once OTP has been turned on, all users will see a login page as shown below. Once Email and Password have been entered, a YubiKey or VIP Access field will appear.



Configuring WebEx for SAML with OneLogin

Configure WebEx Enterprise in OneLogin

If you haven't already added WebEx Enterprise to your OneLogin account, you can do it via this link:
Now, configure the application.
  1. Choose SAML as authentication method
  2. Enter your subdomain, e.g. mycompany
  3. Select the roles you want to have access to WebEx
  4. Save the app

Configure SAML in WebEx

  1. Sign into your WebEx Enterprise account as the admin
  2. Click Site Administration in the menu bar
  3. Click SSO Configuration in the sidebar
  4. You should now see the page below

  5. Set WebEx SAML Issuer to "http://www.webex.com"
  6. Set Issuer for SAML to the SAML Issuer from the WebEx app in OneLogin
  7. Set Customer SSO Service Login URL to the SAML Login URL from the WebEx app in OneLogin
  8. Set AuthContextClassRef to "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"



Configuring WordPress for SAML with OneLogin

OneLogin's SAML plugin for WordPress allows you to easily and securely sign users into WordPress. By default users will be signed in using the email address registered in OneLogin, but you can override this by editing the logins on the app if they don't match the ones in WordPress.
If you want to prevent users from signing into WordPress directly with a password, we recommend simply obfuscating the passwords in WordPress so that users don't know them. Just make sure the admin can still sign in with a password.
  1. Sign into your WordPress account as a user who has privileges to install plugins
  2. Click Plugin in the left sidebar
  3. Now you can either search for OneLogin or you can upload the plugin attached to this article.
  4. Once the plugin is installed, activate it

  5. The next step is to configure your OneLogin X.509 certificate so the plugin can validate SAML responses coming from your OneLogin account. In OneLogin, go to Security -> SAML and copy the certificate.
  6. Click Settings in the sidebar in WordPress and then click SSO/SAML Settings.
  7. Paste the certificate into the text field and click Save Changes. This completes the setup of WordPress.
  8. Now add WordPress to your OneLogin account. The Site URL should be the root URL of your WordPress site. VERY IMPORTANT: the URL must end with a slash (/) or the plugin will not pick up SAML responses.



New Active Directory Connector Simplifies User Authentication

OneLogin announces its Active Directory Connector that enables the authentication of cloud application users against an organization's Active Directory.

While IT benefits from having a single directory integration point, employees can use their Windows credentials to access web applications, hosted in the cloud and behind the firewall. By eliminating the need for employees to remember several usernames, passwords and login URLs, OneLogin increases the adoption of cloud applications and reduces the security risks inherent with the repeated use of weak login credentials.

“Enterprises are keen to reap the benefits of cloud computing, but do not want to abandon their existing IT infrastructure,” explains Thomas Pedersen, CEO at OneLogin. “Our new Active Directory Connector allows them to extend their directories deep into the cloud with no custom development required.”

As enterprises continue to adopt cloud computing, integrating their existing directory with various applications’ proprietary authentication APIs poses both security risks and maintenance headaches. OneLogin’s Active Directory Connector provides a single integration point that enables enterprises to centralize authentication, eliminate passwords and make it easier for employees to access web applications.

OneLogin enables any enterprise to get single sign-on within minutes via Security Assertion Markup Language (SAML). Users can easily and securely connect to SAML enabled applications, such as Salesforce, WebEx, Google Apps, Workday, Yammer, Central Desktop, SugarCRM, KnowledgeTree, SAManage and many others.



SAML Plug-In for WordPress

WordPress has long been one of the most popular integrations among our customers and some customers manage multiple WordPress accounts with many contributors. The original WordPress integration uses form-based authentication, which means we simply automate the login process using email address and password.

However, since we're on a crusade against passwords and WordPress has a nice plug-in framework, we decided to implement a SAML plug-in that you can use with OneLogin. In addition to simply eliminating passwords, the SAML integration provides these benefits:

* Easy, one-click access to WordPress
* Users can sign in with their Active Directory or LDAP credentials
* Multi-factor authentication for added security
* Centrally de-provision former employees and contractors

Plug-ins are available to anyone who hosts WordPress themselves (i.e. not on wordpress.com) and you can add it in a matter of seconds. Just click Plugins in WordPress' sidebar and search for SAML. OneLogin's plug-in will appear at the top.



How to Parse XML in CakePHP

Hi all, this is a basic tutorial on how to parse an XML file in CakePHP.
We all know that CakePHP makes heavy use of PHP arrays. Here I am going to explain how to parse XML in CakePHP and convert it into an array.
First, get the XML feed; for example, you might have an XML feed from a search engine or any other kind of feed that is in XML. To fetch the contents of the URL, I'm going to create a function in my controller that uses CakePHP's Xml class.
Create the function, say parse_xml:

    function parse_xml() {
        // Load CakePHP's core Xml class (CakePHP 1.2/1.3 style).
        App::import('Core', 'Xml');

        // Fetch the raw feed; replace the placeholder with your feed URL.
        $raw_xml = file_get_contents("type your xml url here");

        // Build the Xml object tree from the raw string.
        $parsed_xml = new Xml($raw_xml);

        // Set::reverse() turns the Xml object into a nested array.
        // It can also be used the other way round, array to XML.
        $parsed_xml = Set::reverse($parsed_xml);

        return $parsed_xml;
    }

That's all, everything done.
To get the array into a variable:

    $xml_array = $this->parse_xml();

Now try printing the array:

    echo "<pre>" . print_r($xml_array, true) . "</pre>";



What is XML

* XML stands for EXtensible Markup Language
* XML is a markup language much like HTML
* XML was designed to carry data, not to display data
* XML tags are not predefined. You must define your own tags
* XML is designed to be self-descriptive
* XML is a W3C Recommendation

The Difference Between XML and HTML

XML is not a replacement for HTML.

XML and HTML were designed with different goals:

* XML was designed to transport and store data, with focus on what data is.
* HTML was designed to display data, with focus on how data looks.

HTML is about displaying information, while XML is about carrying information.

XML is Just Plain Text

XML is nothing special. It is just plain text. Software that can handle plain text can also handle XML.

However, XML-aware applications can handle the XML tags specially. The functional meaning of the tags depends on the nature of the application.

With XML You Invent Your Own Tags

The tags in the example above are not defined in any XML standard. These tags are "invented" by the author of the XML document.

That is because the XML language has no predefined tags.

The tags used in HTML (and the structure of HTML) are predefined. HTML documents can only use tags defined in the HTML standard

XML allows the author to define his own tags and his own document structure.

XML is Not a Replacement for HTML

XML is a complement to HTML.

It is important to understand that XML is not a replacement for HTML. In most web applications, XML is used to transport data, while HTML is used to format and display the data.

My best description of XML is this:

XML is a software- and hardware-independent tool for carrying information.

XML is Everywhere

We have been participating in XML development since its creation. It has been amazing to see how quickly the XML standard has developed, and how quickly a large number of software vendors have adopted the standard.

XML is now as important for the Web as HTML was to the foundation of the Web.



Introduction to XACML: Access Control Policies in XML


This document discusses the eXtensible Access Control Markup Language (XACML), an XML language for specifying security policies. Security policies are ways to describe who has access to what resources under what conditions. For a large enterprise, there are multiple places at which such security policies must be enforced. It would therefore seem logical to define security policies in a technology neutral way, so that they can be reused. That is exactly the purpose that XACML serves.

Intended Audience

Anyone with an interest in security: developers, administrators, HR people, etc. Basic knowledge of XML is assumed.

XACML Overview

The following figure shows the components (orange rectangles) that make up an XACML-based security system and the data (blue ovals) that those components need as input:


  1. A Request comes in at a Policy Enforcement Point (PEP).
  2. The PEP forwards the Request to the Context Handler.
  3. The Context Handler asks the Policy Information Point (PIP) for Context Attributes.
  4. The PIP collects Context Attributes from the Subject (e.g. the role), the Resource (e.g. its location), and the Environment (e.g. the location from where the Request is made) and returns them to the Context Handler.
  5. The Context Handler gets the Resource's content.
  6. The Context Handler presents the Request to the Policy Decision Point (PDP), along with the Context Attributes and (optionally) the Resource's content.
  7. The PDP makes a decision based on the security policies that the Policy Administration Point (PAP) has previously made available.
  8. The PDP returns its decision to the Context Handler, which returns it to the PEP.
  9. The PEP either grants or denies access to the Request, based on the PDP's decision.

There are two main points to take away from this. The first is that the system is made up of components that can be standardized. For instance, the PDP takes well-defined data as input and provides a well-defined interface to the PAP and Context Handler. So organizations don't need to re-invent the wheel by implementing their own PDP, instead they can reuse an existing implementation and hook it up to their implementation of non-standard components, like the PEP.

The second important point is that security policies are specified separately from where they are enforced, which means that we can reuse them in multiple enforcement places. And there is yet another way in which XACML promotes reuse. To see that, we need to take a closer look at how security policies are specified in XACML.

Specifying Access Control: Rules, Policies, and Policy Sets


A Rule combines a Target, an Effect and a Condition. The Target specifies what the Rule is applicable for: any or all of the requested Action, the Subject requesting the Action, the Resource that the requested Action pertains to, and the Environment within which the Action is to be performed. The Effect of the Rule is to deny or permit the Action. The optional Condition further refines the applicability of the Target.

Here's a simple example of a Rule:

    Some optional text that explains the purpose of the rule

This piece of XACML specifies that anybody with the developer role can do anything to any resource. In the example above, we assume the role Attribute to be a single string value, but XACML also supports multi-valued Attributes.

Note that the PIP component needs to be able to extract a value from the Request (see below) that belongs to the Subject attribute named in the SubjectAttributeDesignator element (role in the above example). An alternative way of extracting values from the Request is by providing an XPath expression in the AttributeSelector element.

The PDP component needs to be able to understand the function specified using the MatchId attribute (urn:oasis:names:tc:xacml:2.0:function:string-equal in the example). XACML makes many standard functions available to policy writers, and the specification allows for adding custom ones as well.

A Rule can also contain a Condition that must be satisfied for the Rule to return its Effect. If the Condition returns Indeterminate, the Rule also returns Indeterminate. If the Condition returns False, the Rule returns NotApplicable. If the Condition returns True, the value of the Effect element is returned, which is either Permit or Deny. If the Condition is missing, as in the above example, it is assumed to be True.

Rules can be separately evaluated, but they cannot live on their own: they must be part of a Policy. Rules are the smallest unit of reuse in XACML, while Policies are the smallest unit of evaluation.


A Policy has a Target, a Rule-Combining Algorithm, some Rules, and some Obligations. We've seen the Target already as part of a Rule. Since a Policy also specifies a Target, a Rule need not specify one. If it doesn't, then it inherits the Target from the Policy. The Rule-Combining Algorithm specifies the procedure by which the results of evaluating the Rules are combined when evaluating the Policy. An Obligation is an operation specified in a Policy that should be performed by the PEP in conjunction with the enforcement of an authorization decision.

Here's the above example Rule wrapped in a Policy:

    Some optional text that explains the purpose of the policy


The RuleCombiningAlgId attribute on the Policy identifies the algorithm that combines Effects from multiple Rules into a single result. The PDP must implement such an algorithm. The Policy may also specify parameters to be used as input for combining algorithms.

The Rule in this Policy example does not specify a Target, but it could. In that case, the Rule would only be evaluated for the Policy if its Target is matched.

Policy Sets

Just as Rules can be reused in Policies, entire Policies can be reused in Policy Sets. A Policy Set contains a Target, a Policy-Combining Algorithm, a set of Policies, and some Obligations. The Policy-Combining Algorithm specifies the procedure by which the results of evaluating the component Policies are combined. Note that a Policy Set can reuse not just Policies, but also entire Policy Sets. This Lego-like structure makes it possible to build complex security policies without duplication.
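To make the Rule, Policy and Policy Set semantics above concrete, here is an added example (not code from the original document): a minimal evaluator written in JavaScript. It models policies as plain objects rather than XACML XML, leaves Obligations out, and implements only the deny-overrides combining algorithms, modelled on those of XACML 2.0. The developer Rule is the article's; the restricted-resource Rule, the attribute names and the sample requests are constructed for the example.

```javascript
// Added example, not taken from the original article: a minimal evaluator for
// the Rule / Policy / Policy Set structure. Policies are plain JavaScript
// objects, Obligations are omitted, and only deny-overrides is implemented.
const PERMIT = 'Permit';
const DENY = 'Deny';
const NOT_APPLICABLE = 'NotApplicable';
const INDETERMINATE = 'Indeterminate';

// A Target is a list of attribute matches that must all hold. Request
// attributes are grouped by category (subject, resource, action, environment)
// and may be multi-valued (an array). An empty Target matches every request.
function targetMatches(target, request) {
  return (target || []).every(({ category, attribute, value }) => {
    const actual = (request[category] || {})[attribute];
    return Array.isArray(actual) ? actual.includes(value) : actual === value;
  });
}

// Rule semantics as described in the article: no Target match gives
// NotApplicable; a missing Condition counts as True; Condition True gives the
// Effect, False gives NotApplicable. A Condition that cannot be evaluated
// (here: it throws because an attribute it needs is absent) gives Indeterminate.
function evaluateRule(rule, request) {
  if (!targetMatches(rule.target, request)) return NOT_APPLICABLE;
  if (rule.condition === undefined) return rule.effect;
  try {
    return rule.condition(request) ? rule.effect : NOT_APPLICABLE;
  } catch (err) {
    return INDETERMINATE;
  }
}

// Rule-combining deny-overrides: any Deny wins. An Indeterminate from a Rule
// whose Effect is Deny is a potential Deny and also wins, so a Deny rule that
// cannot be evaluated fails closed. Otherwise a Permit wins.
function denyOverridesRules(rules, request) {
  let potentialDeny = false, sawPermit = false, sawError = false;
  for (const rule of rules) {
    const d = evaluateRule(rule, request);
    if (d === DENY) return DENY;
    if (d === PERMIT) sawPermit = true;
    if (d === INDETERMINATE) {
      sawError = true;
      if (rule.effect === DENY) potentialDeny = true;
    }
  }
  if (potentialDeny) return DENY;
  if (sawPermit) return PERMIT;
  return sawError ? INDETERMINATE : NOT_APPLICABLE;
}

// A Policy checks its own Target, then combines its Rules. A Rule without a
// Target effectively inherits the Policy's, since that was already checked.
function evaluatePolicy(policy, request) {
  if (!targetMatches(policy.target, request)) return NOT_APPLICABLE;
  return denyOverridesRules(policy.rules, request);
}

// Policy-combining deny-overrides: a Deny or an Indeterminate from any child
// gives Deny. A child may itself be a Policy Set (the nesting the article
// compares to Lego), so evaluation recurses.
function evaluatePolicySet(set, request) {
  if (!targetMatches(set.target, request)) return NOT_APPLICABLE;
  let sawPermit = false;
  for (const child of set.policies) {
    const d = child.policies ? evaluatePolicySet(child, request)
                             : evaluatePolicy(child, request);
    if (d === DENY || d === INDETERMINATE) return DENY;
    if (d === PERMIT) sawPermit = true;
  }
  return sawPermit ? PERMIT : NOT_APPLICABLE;
}

// Constructed sample policy. developerRule is the article's example (anyone
// with the developer role may do anything to any resource); restrictedRule
// adds a Deny for restricted resources used from outside the corporate network.
const developerRule = {
  id: 'developer-can-do-anything', effect: PERMIT,
  target: [{ category: 'subject', attribute: 'role', value: 'developer' }],
};
const restrictedRule = {
  id: 'restricted-only-from-corporate-network', effect: DENY,
  target: [{ category: 'resource', attribute: 'classification', value: 'restricted' }],
  // Throws, hence Indeterminate, when the environment attributes are missing.
  condition: (req) => req.environment.network !== 'corporate',
};
const developerPolicy = { id: 'developer-policy', target: [], rules: [developerRule, restrictedRule] };
const rootPolicySet = { id: 'root', target: [], policies: [developerPolicy] };

// Builds a request from the four attribute categories and evaluates it.
function decide(subject, resource, action, environment) {
  const request = { subject, resource, action };
  if (environment !== undefined) request.environment = environment;
  return evaluatePolicySet(rootPolicySet, request);
}

console.log(decide({ role: ['developer'] }, { classification: 'restricted' }, { id: 'read' }, { network: 'home' }));
console.log(decide({ role: ['developer'] }, { classification: 'restricted' }, { id: 'read' }));
```

The last call shows the deny-overrides detail worth remembering: when the environment attributes are missing, the Deny rule's Condition is Indeterminate, and the combined decision is still Deny.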

Here's the above Policy wrapped in a Policy Set:



Migrating from Websphere 6.0 to Websphere 7.0

The application I manage at work is a client/server application written entirely in Java. My company has for years been an IBM shop, so we have a large WebSphere presence, which is where the server is deployed. The application had been running on WebSphere 5.1 for a few years and was fairly recently migrated to WebSphere 6.0 to remain on a supported version of WebSphere. Because the end of life for WebSphere 6.0 is September 2010, we're starting to plan for another upgrade now (we have major releases in January and June, so we're targeting the June '10 release for the upgrade). WebSphere 6.1, if IBM holds to its pattern of every 2 years or so, will remain supported until September 2012; however, there's no end-of-life date documented yet. To get the longest life possible, I'm looking at WebSphere 7.0 as the target platform for our June '10 upgrade.

We have RAD 7.5 in house and a couple members of my team have installed it. I’ve been working on getting a local WAS 7.0 server up and running and getting our app deployed on it. There are some major differences between Websphere 5.1/6.0 and 7.0. I won’t go into details as those are readily available on IBM’s website, but would like to share some of my observations and pain so far.

Application Background: The server side of our application is effectively broken down into 2 pieces. One component is what we call a provision server that is essentially a cache of configuration data read from DB2. This configuration information contains rules which drive how the second component operates. The second component is the main workhorse app which receives a request, and creates a response based on configuration data retrieved from the provision server (if necessary) and data retrieved from any number of other applications we interface with. We have 2 provision server jvms for load balancing and fail over and roughly 20 app engine jvms spread across 2 data centers (the app engine hosts roughly 3500 end users and we target 200 users per jvm…roughly).

Unsolved Problem 1 – Remote EJB calls across separate local jvm/profiles don't work: Now that you have a high level view of our application's architecture, here's my first dilemma, which I haven't found a solution to. WebSphere now has the concept of profiles. Basically a profile equates to a jvm instance. It's a little more than that, but that's a good enough understanding for now. So if you want 2 distinct/separate JVMs configured differently, you would need to create 2 profiles and create servers associated with each profile. In all our lifecycles, we have distinct jvms set up for provision and app engine – we don't cluster the app engine with the provision server because we want our dev/test lifecycles to mirror production, and production is separate because we don't want a 1:1 correlation of provision server to app engine, as the provision server is memory intensive and 2 jvms can handle the entire app engine load very effectively. So I want to replicate that with my RAD 7.5 setup – 1 app engine jvm and 1 provision server jvm running locally within RAD 7.5. That requires 2 separate profiles to be created, then a server defined and associated for each one. No problem. Where I run into problems is at runtime. The app engine makes remote (cross-jvm) EJB calls to the provision server. That requires a JNDI lookup of an EJB remote home object. For some reason, jvm 1 cannot see any JNDI objects that are stored in jvm 2. When I do an initial context and dump out the contents, all I ever get are the local JVM's name server items. But if I point the local server at one of our test lifecycle provision servers, it sees those just fine. I have no idea why 1 local jvm can't access another local jvm's name server. I'm not sure if it's because of the base version of WebSphere that's running, or some other limitation of the development environment, but that is one hurdle I can't get over.
So my workaround is to just deploy the provision server and app engine in the same jvm as local ejb calls work just fine.

Solved Problem 2 – creating a secure socket for an outbound SSL SOAP request: The app engine is a portal of sorts. It will call any number of external systems to retrieve data and aggregate that data as needed based on the request. There are several systems we currently interface with and several protocols we use to do so: SOAP over SSL, EJB and JDBC, for example. We use Apache SOAP (old, but still works) to call several external systems, one of which is the main system we interface with. In WebSphere 5.1 and 6.0, we set our own JKS truststore for the request using the javax.net.ssl.trustStore property. This truststore contains the SSL certificates of our target URL. It just worked. Now we move to WebSphere 7.0 and the same requests which work in a local WAS 6.0 server no longer work. After much digging and reading of documentation, it turns out WAS 6.1 (and 7.0) changed how SSL security was handled. Long story short, when WAS sees a secure socket being created, it assumes responsibility for securing that connection (Big Brother?) instead of letting you do your own thing. Now, there are ways around it, but the point is it is NOT backwards compatible. The quick fix for this was to put the SSL certs in WebSphere's default truststore (go to the admin console, under Security and then SSL configuration, and you can find a whole bunch of related config). There are several articles on this and I highly recommend reading the WebSphere Application Server V7.0 Security Guide for background on this. It is extremely helpful.

More Here


Mozilla blocks Skype's glitchy Firefox toolbar extension

The Skype toolbar add-on has become a headache for Mozilla, and will be blocked from the Firefox browser until further notice. Mozilla announced yesterday that the Skype feature was responsible for roughly 40,000 crashed browsers in the last week, and was seriously slowing down page loading.

We can’t imagine there are too many people who are crushed about losing a toolbar plug-in, but for those of you that are – don’t worry too much yet. Mozilla reassures users that this is only a “soft block” while it looks into identifying and fixing the issues with help from the Skype Toolbar team. This also means that while the extension is currently disabled on Firefox’s end, you will be notified of the block and allowed to re-enable it as you see fit.

So what are you missing until the toolbar is fully functional? The plug-in cooperates with Skype software to identify phone numbers on individual web pages and make it that much easier to place VoIP calls.

More Here


New Firefox Feature Blocks Behavioral Ads

Mozilla, the developer of the Firefox browser, is working on a feature that will allow users to opt out of online behavioral advertising.

The goal is to give users "a deeper understanding of and control over personal information online," Mozilla's head of privacy said in a blog posted on Sunday.

The feature will allow users to configure their Firefox browser to tell websites and advertisers that they would like to opt out of any advertising based on their behavior, Alex Fowler wrote in his blog post. The user's preference is communicated to websites and third-party ad servers using a new "Do Not Track" HTTP header (sent as DNT: 1), which is included with every click or page view in Firefox.

The feature wouldn't block advertising altogether, only personalized ads. If the user has enabled the feature, the advertiser would have to exchange the personalized ad for a standard ad, according to a diagram included in the blog post.

Mozilla believes the header-based approach will be better for the Web in the long run, compared to cookies or blacklists. Using a header is less complex, more persistent than cookie-based solutions and at the same time simple to locate and use. It doesn't rely on a user's finding and loading lists of ad networks and advertisers to work, Fowler wrote.

However, rolling out the feature will be a challenge. For it to work, both browsers and sites will have to implement it. To get past this issue, Mozilla wants to work with the technical community to standardize the header across the industry, according to Fowler. It is also proposing that the feature be considered for upcoming releases of Firefox.
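To make the header-based mechanism concrete, here is an added example (not code from Mozilla or from the article above) of what the receiving side has to do: an ad server reads the DNT request header and serves a non-personalized creative whenever the value is 1, even when it holds a behavioral profile for that visitor. The header name and the value 1 are what Firefox sends; the ad catalogue, the request format and the tracking-profile lookup are constructed for the illustration.

```python
"""Honouring the Do Not Track header on the ad-serving side.

Added illustration, not Mozilla's or the article's code. Only "DNT: 1"
is treated as an opt-out; an absent header, or any other value, means
no preference was expressed. The catalogue and sample requests below
are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Ad:
    campaign: str
    personalized: bool


# Constructed catalogue: one behaviourally targeted creative and one generic fallback.
CATALOGUE = {
    "personalized": Ad(campaign="retarget-running-shoes", personalized=True),
    "standard": Ad(campaign="generic-house-ad", personalized=False),
}


def dnt_opt_out(headers: Dict[str, str]) -> bool:
    """True only if the request carries DNT: 1 (header names are case-insensitive)."""
    for name, value in headers.items():
        if name.lower() == "dnt":
            return value.strip() == "1"
    return False


def select_ad(headers: Dict[str, str], tracking_profile: Optional[str]) -> Ad:
    """Serve a personalized ad only when a profile exists AND the user did not opt out."""
    if tracking_profile is not None and not dnt_opt_out(headers):
        return CATALOGUE["personalized"]
    return CATALOGUE["standard"]


def parse_request_headers(raw: bytes) -> Dict[str, str]:
    """Split the header block of a raw HTTP/1.1 request into a name -> value dict."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")[1:]  # drop the request line
    out: Dict[str, str] = {}
    for line in lines:
        if ":" in line:
            name, value = line.split(":", 1)
            out[name.strip()] = value.strip()
    return out


# Constructed sample requests: same visitor cookie, with and without the header.
REQUEST_WITH_DNT = (
    b"GET /ad?slot=top HTTP/1.1\r\n"
    b"Host: ads.example.test\r\n"
    b"Cookie: uid=abc123\r\n"
    b"DNT: 1\r\n"
    b"\r\n"
)
REQUEST_WITHOUT_DNT = (
    b"GET /ad?slot=top HTTP/1.1\r\n"
    b"Host: ads.example.test\r\n"
    b"Cookie: uid=abc123\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for raw in (REQUEST_WITH_DNT, REQUEST_WITHOUT_DNT):
        hdrs = parse_request_headers(raw)
        chosen = select_ad(hdrs, tracking_profile="uid=abc123")
        print(hdrs.get("DNT", "<absent>"), "->", chosen.campaign)
```

The point the article makes about "both browsers and sites" is visible here: the header costs the browser nothing, but it only changes anything if the ad server branches on it as `select_ad` does.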

More Here


Business booming for cyber criminals: security firm

Cyber criminals are selling stolen credit card details for as little as two dollars each and renting computer networks for spam for 15 dollars as part of a vast online black market, according to a report released Thursday.
PandaLabs, the anti-malware laboratory of computer security company Panda Security, published the various prices for cyber crime-related products after conducting an undercover investigation into online crime networks.

"This is a rapidly growing industry and cyber-criminals are aiding and abetting each other's efforts to steal personal information for financial profit," PandaLabs said.

"PandaLabs discovered a vast network selling stolen bank details along with other types of products in forums and more than 50 dedicated online stores."

The computer security firm said cyber criminals had diversified from stolen bank and credit card details to a "much broader range of hacked confidential information" including log-ins, passwords, fake credit cards and other data.

"Since anonymity is of the utmost importance, many sellers use underground forums to keep out of sight," PandaLabs said. "Their offices are effectively the Internet.

"Some are more brazen about their activities, and have accounts on Facebook and Twitter which they use as shop windows."

PandaLabs said a credit card number or bank account details can be purchased for two dollars but that does not include any information on the available credit line or bank balance.

"The price increases to 80 dollars for smaller bank balances and upwards of 700 dollars to access accounts with a guaranteed balance of 82,000 dollars," it said.

PandaLabs said the price for rental of a botnet, a network of infected computers, for sending spam or other purposes begins at 15 dollars.

More Here


Twitter Targeted With Fake Antivirus Software Scam

Twitter has been resetting passwords for accounts that started distributing links promoting fake antivirus software in an attack that used Google's Web address shortening service to conceal the links' destination.

The links, masked by Google's "goo.gl" URL shortener, bounce through a series of redirect URLs before landing on a Ukrainian top-level domain that then redirects to an IP address associated with other fake antivirus software scams, wrote Nicolas Brulez of Kaspersky Lab on a company blog.

Victims landing on the fake antivirus software page are prompted to scan their computer. If they approve the scan, the page asks if they want to remove threats from their computer: doing so starts the download of a bogus security program called "Security Shield."

Fake antivirus programs remain a pervasive problem on the Internet, with hundreds of variations. The applications target Windows users, and the programs are often installed by exploiting vulnerabilities in a computer's software. Once installed, the applications badger users to pay for a full version of the program. Many of the programs are totally ineffective at actually removing malware from a computer.

Del Harvey, head of Twitter's Trust and Safety Team, wrote on her Twitter account that "we're working to remove the malware links and reset passwords on compromised accounts."

"Did you follow a goo.gl link that led to a page telling you to install 'Security Shield' Rogue AV?" she wrote. "That's malware. Don't install."

Although Brulez classified the attack as a worm, implying it spreads from account to account, Harvey said the issue was not related to a worm.

More Here


Cybercrooks Tire of Windows -- They're After Your iPhone Now

Cybercrime is moving away from traditional targets, like Windows PCs, and focusing more on mobile devices, according to Cisco's 2010 Annual Security Report (PDF). As Microsoft becomes more savvy about patching holes in its OS, cybercriminals are treading into new territories, with a strong focus on iOS and Android.

When the Federal government declared jailbreaking cellphones legal, intrepid hackers sought and discovered more exploits in mobile operating systems. A prominent example used by Cisco is JailbreakMe 2.0, the Safari-based iPhone flaw (since patched) that allowed users to jailbreak with very little tampering with iOS.

Cisco threat research manager Scott Olechowski also said that the proliferation of Android will likely lead to major attacks on Google's OS in the future. Olechowski noted that the more devices that adopt Android -- such as smartphones, tablets, even vehicles -- the more enticing the open-source OS becomes, especially when it comes to the big bucks in the enterprise.

Most concerning for mobile hacks are apps, many of which access user information without permission. Just yesterday, Trapster, an app that warns drivers when a speed trap is ahead, was hacked, exposing millions of iPhone, Android, BlackBerry, and Windows Mobile phone passwords -- some of which may also have been linked to a user's PayPal account.

Many companies using smartphones for work do not have a cybersecurity strategy planned or in place, according to Cisco. This is a major concern for iOS business consumers, given that the iPhone is being used at 88 percent of the Fortune 100 companies and 83 percent of the Fortune 500.

And for you PC users out there: Tired of your Mac-using friends' snooty condescension about how their machines are impervious to viruses? Turns out that hackers are targeting Mac users more and more.

More Here


Beware Goo.gl Fake Antivirus Worm on Twitter

Twitter and Twitter users are being targeted by a malicious worm. The worm sends out tweets with a goo.gl shortened URL link directed to a rogue antivirus application. The attack demonstrates once again how URL shortening can be a Pandora's box as users click on links with no clue where they might lead.
A post on Naked Security by Sophos' Graham Cluley describes the threat. "Thousands of Twitter users are finding that their accounts have been tweeting out malicious links without their permission, pointing to a fake anti-virus attack," he writes, adding, "A quick search on the popular micro-blogging network finds many tweets from users containing no message other than a goo.gl shortened link (Google's equivalent to bit.ly or tinyurl), which itself points to a URL ending with 'm28sx.html'."

Attacks hiding behind shortened URLs are not new, and are also not technically challenging to execute. By their very nature, URL shortening services like goo.gl and bit.ly take cumbersome, long URLs and condense them down to a nice, short alias that can be used in its place. The concept makes it much easier to send some exceptionally long links, and is a necessity for a site like Twitter which caps messages at 140 characters.
Adam Wosotowsky, principal researcher at McAfee Labs, explains, "Shortened URL sites are not 100 percent malicious, so blocking the domain completely can cause false positives, which is something researchers try and avoid. Goo.gl is an example of a site associated with Google, so blocking the domain may be frowned upon by Google, allowing the spammer to continually abuse the site."
Wosotowsky elaborates, "As we stated in our 2011 Threat Predictions, we currently track and analyze--through multiple social media applications and all URL shortening services--more than 3,000 shortened URLs per minute. We see a growing number of these used for spam, scamming and other malicious purposes, and we expect to see shortened URL abuse invade all other forms of Internet communications."
Shortened URLs provide attackers a simple, and commonly accepted means of obscuring malicious links. McAfee recommends using its proprietary URL shortening service--mcaf.ee. McAfee's shortened URLs are scanned and filtered to weed out malware. Of course, you can't really control what URL shortening service other people use to send links to you.
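Both the Kaspersky write-up (the goo.gl link that bounces through redirects to a Ukrainian domain and then a bare IP) and the Sophos post (links ending in "m28sx.html") describe the same defensive need: see where a shortened link goes before anyone clicks it. The following is an added example, not code from Sophos, McAfee or Kaspersky, that expands a short URL one redirect at a time with automatic redirect following disabled, so every intermediate host is recorded and can be checked against policy. The fetcher is injectable: `live_head` issues real HEAD requests (network required), while `fake_fetch` serves a constructed chain modelled on the pattern described above. The watched TLD, path suffix and hop-count thresholds are illustrative assumptions, not vendor signatures.

```python
"""Expanding a shortened URL hop by hop, without auto-following redirects.

Added example, not from any vendor named on this page. The constructed
chain in FAKE_CHAIN mirrors the reported shape (shortener -> redirectors
-> .ua landing page -> bare IP) but uses example hostnames only.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# A fetcher returns (status_code, Location header or None) for ONE request, no redirects.
Fetcher = Callable[[str], Tuple[int, Optional[str]]]


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib report 3xx responses instead of silently following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_head(url: str, timeout: float = 5.0) -> Tuple[int, Optional[str]]:
    """Real fetcher: a single HEAD request (needs network; not used by the demo below)."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:  # 3xx surfaces here once redirects are disabled
        return e.code, e.headers.get("Location")


def expand(url: str, fetch: Fetcher, max_hops: int = 10) -> List[str]:
    """Return [short_url, hop1, ..., final]. Raises ValueError on loops or overlong chains."""
    chain = [url]
    seen = {url}
    while True:
        status, location = fetch(chain[-1])
        if not (300 <= status < 400) or not location:
            return chain
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in seen:
            raise ValueError("redirect loop at %s" % nxt)
        if len(chain) >= max_hops:
            raise ValueError("more than %d hops" % max_hops)
        chain.append(nxt)
        seen.add(nxt)


# Illustrative policy (assumptions for this example, not a vendor blocklist).
SUSPICIOUS_PATH_SUFFIXES = ("m28sx.html",)   # the landing page name Sophos reported
SUSPICIOUS_TLDS = {"ua"}                      # the TLD Kaspersky reported for this campaign
MAX_NORMAL_HOPS = 3


def assess(chain: List[str]) -> List[str]:
    """Policy findings for a resolved chain; an empty list means nothing was flagged."""
    findings = []
    for hop in chain[1:]:
        parts = urlsplit(hop)
        host = parts.hostname or ""
        if host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
            findings.append("hop on watched TLD: %s" % hop)
        if parts.path.endswith(SUSPICIOUS_PATH_SUFFIXES):
            findings.append("known rogue-AV landing path: %s" % hop)
        if not host or host.replace(".", "").isdigit():
            findings.append("redirect to bare IP address: %s" % hop)
    if len(chain) - 1 > MAX_NORMAL_HOPS:
        findings.append("unusually long chain (%d hops)" % (len(chain) - 1))
    return findings


# Constructed chain (example hostnames, documentation IP range), not real campaign URLs.
FAKE_CHAIN: Dict[str, Tuple[int, Optional[str]]] = {
    "http://goo.gl/abc12": (301, "http://redir-one.example.net/r?x=1"),
    "http://redir-one.example.net/r?x=1": (302, "/go/2"),
    "http://redir-one.example.net/go/2": (302, "http://landing.example.ua/m28sx.html"),
    "http://landing.example.ua/m28sx.html": (302, "http://203.0.113.5/scan/"),
    "http://203.0.113.5/scan/": (200, None),
}


def fake_fetch(url: str) -> Tuple[int, Optional[str]]:
    return FAKE_CHAIN.get(url, (404, None))


if __name__ == "__main__":
    resolved = expand("http://goo.gl/abc12", fake_fetch)
    print(" -> ".join(resolved))
    for finding in assess(resolved):
        print("FLAG:", finding)
```

This is also why Wosotowsky's point about false positives matters: blocking goo.gl outright is a blunt instrument, whereas expanding the chain lets policy act on the final destination and the intermediate hops rather than on the shortener's domain.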

More Here


Google: Search Engine Spam on the Rise

If you've noticed lately that Google's search results are a bit spammy, you're not alone.

In a blog post, Google Principal Engineer Matt Cutts acknowledged that "we have seen a slight uptick of spam in recent months," and that tech watchers are growing critical. Cutts then outlined a few new initiatives to improve the quality of Google's search results.

Among them: Google has a new "document-level classifier" that's better at detecting the hallmarks of spam, such as oft-repeated keywords; Google is improving its ability to detect hacked sites, which were a big source of spam last year; and the company is evaluating other changes, including a crackdown on Websites that primarily copy other sites' content.

But on the issue of "content farms," Cutts didn't have all the answers. If you're not familiar with the term, you've probably stumbled upon some content from its purveyors. For example, many in the media call sites like Demand Media and Associated Content content farms. Rich in search keywords and produced on the cheap, content from these sites appears prominently in search results but seems geared solely towards appeasing search algorithms.

Although Google tweaked its algorithms last year to give content mills less prominence, the problem hasn't gone away, and Cutts' blog post offered no further solutions. "The fact is that we're not perfect, and combined with users' skyrocketing expectations of Google, these imperfections get magnified in perception," he wrote. "However, we can and should do better."

Cutts reiterated that Websites don't get preferential treatment by purchasing or displaying Google ads. Their rankings don't improve and they're just as likely to be punished for violating Google's quality guidelines.

I suppose it's comforting to hear Google address issues of search quality, especially as criticism grows louder. Notably, new search competitor Blekko has created a spam clock to count how many spam pages have been created since the start of the year. Google says its results have half the spam they did five years ago, but that count is meaningless if low-quality content mills are able to game the system and get high page rankings.

More Here


Don't Fear the Android Security Bogeyman

Academic security researchers have created an ingenious piece of malware that runs on Android cell phones and steals credit card details.
As is typical, many are heralding it as a sign of a smartphone security apocalypse, but they need to calm down. Cybercriminals simply aren't that smart, and there's nothing new to be worried about.
The so-called Soundminer malware listens in on phone conversations and uses speech recognition to decode credit card and PIN details that users might mention when calling their bank, as an example. DTMF tones heard when keys are pressed are also recognized and decoded.
The data is then passed to another piece of malware, called Deliverer, which sends it off to the hacker's HQ via the Internet.
The clever part is how the two pieces of malware bypass Android's built-in security.
Individual permission is required from the user for each newly-installed app that wants to access a specific hardware component.

A program that wanted permission to access the microphone and also send data would be a little suspicious, so Soundminer only requests to use the microphone. The Deliverer malware only requests to send data.
Data exchange between the two programs would also be viewed as suspicious, so they use system communication channels built into Android that are designed to share system settings information. These only allow a handful of bytes to be transferred, but that's enough for a credit card number.
Soundminer could be hidden in a simple app that, for example, required microphone access permission in order to make an on-screen balloon blow up based on how loudly the user shouted. Deliverer could easily be integrated into a simple game that requests data transmission permission in order to report high scores, for example.
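The trick described above is permission splitting: neither app alone asks for a suspicious combination, and the two exchange data through shared writable state. As an added example (not code from the Soundminer researchers or from any Android tool), here is the kind of check a device or store-side scanner can run over the permission sets of installed packages: report any app that holds a dangerous combination outright, and any pair of apps that together cover it while sharing a permission usable as a side channel. The package names and permission sets are constructed; using WRITE_SETTINGS as the "shared state" indicator is an assumption standing in for the settings-based channels the article mentions.

```python
"""Flagging permission splitting between co-installed Android apps.

Added illustration, not from the Soundminer paper or any Android tool.
Permission strings are real Android permission names; the inventory
and the choice of WRITE_SETTINGS as the channel indicator are
constructed assumptions for the example.
"""
from itertools import combinations
from typing import Dict, FrozenSet, List, Tuple

RECORD_AUDIO = "android.permission.RECORD_AUDIO"
INTERNET = "android.permission.INTERNET"
WRITE_SETTINGS = "android.permission.WRITE_SETTINGS"

# Capability sets that are alarming when a single party holds all of them.
DANGEROUS_COMBOS: Dict[str, FrozenSet[str]] = {
    "record-and-exfiltrate": frozenset({RECORD_AUDIO, INTERNET}),
}
# Permissions that give two apps a shared writable location (a covert channel).
CHANNEL_PERMS = frozenset({WRITE_SETTINGS})

# Constructed inventory resembling the balloon app and high-score game in the text.
INSTALLED: Dict[str, FrozenSet[str]] = {
    "com.example.balloon": frozenset({RECORD_AUDIO, WRITE_SETTINGS}),
    "com.example.puzzle": frozenset({INTERNET, WRITE_SETTINGS}),
    "com.example.recorder": frozenset({RECORD_AUDIO, INTERNET}),  # holds the combo alone
    "com.example.weather": frozenset({INTERNET}),
}


def single_app_findings(inventory: Dict[str, FrozenSet[str]]) -> List[Tuple[str, str]]:
    """Apps that hold an entire dangerous combination on their own."""
    out = []
    for pkg, perms in inventory.items():
        for label, combo in DANGEROUS_COMBOS.items():
            if combo <= perms:
                out.append((pkg, label))
    return out


def collusion_findings(inventory: Dict[str, FrozenSet[str]]):
    """Pairs where neither app has the combo, their union does, and they share a channel."""
    out = []
    for (a, pa), (b, pb) in combinations(sorted(inventory.items()), 2):
        for label, combo in DANGEROUS_COMBOS.items():
            if combo <= pa or combo <= pb:
                continue  # already covered by single_app_findings
            if not combo <= (pa | pb):
                continue
            channels = pa & pb & CHANNEL_PERMS
            if channels:  # without shared state there is no way to pass the data across
                out.append((a, b, label, sorted(channels)))
    return out


if __name__ == "__main__":
    for pkg, label in single_app_findings(INSTALLED):
        print("single app:", pkg, label)
    for a, b, label, channels in collusion_findings(INSTALLED):
        print("possible collusion:", a, "+", b, label, "via", channels)
```

The shared-channel requirement is what keeps this from flagging every microphone app paired with every networked app on the device; it only narrows the candidates, and a real scanner would still need to look at whether the two packages actually read and write the same settings keys.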
In all, Soundminer is a well thought-out and ingenious piece of programming.
And that's why we'll never, ever see anything like it in the real world.
Criminals always prefer a quick and dirty approach. It's one of their defining characteristics.
There are two ways to rob a bank. You could get a job there and embezzle money secretly. Or you can run in, wave guns, and run out as quickly as possible with bags of money.
Guess which is more popular?
Sophistication, subtlety, and mastermind intelligence are limited to movie criminals. The most successful criminals in the real world are those who keep things simple, and cybercrime is no different.
I'm not suggesting we underestimate cybercriminals but the chances of them creating something as clever as Soundminer are extremely limited. It took a team of university researchers to come up with Soundminer, working at the City University of Hong Kong and Indiana University.
Ultimately, why would cybercriminals want to bother with something as elaborate as Soundminer, when they can just send phony e-mails that catch out gullible users and rake in the money?
Good malware doesn't need to be clever or well made. It just needs some way of fooling people into handing over useful personal details, which history has proved is actually pretty easy. It also needs some way of travelling around from device to device and, crucially, there's nothing new in the Soundminer research to indicate how this might be done.
Soundminer highlighted some design flaws within Android, that hopefully will get addressed quickly, but there's really nothing else to cause concern.
Security companies are hailing 2011 as the year smartphone malware goes mainstream but we should guard against such pronouncements. The more scared we are, the more likely we are to buy malware protection products. We can't trust the word of people who are trying to sell us something.

More Here


Android-powered Motorola Xoom tablet poised for Feb. 17 launch?

The rumor mill was buzzing all weekend with word that Motorola's sleek, upcoming Android "Honeycomb"-powered tablet could arrive as early as next month, although the supposed price tag looks a little steep.
Both Droid Attic and Engadget managed to get their hands on screenshots of Best Buy's internal inventory database, which shows a 32GB version of the Xoom with a $699 sticker price.
If that sounds high, at least it's better than the initial rumors Friday night, which had the Xoom going for a "minimum advertised price" of $799 based on leaked Verizon Wireless documents.

Oh, and don't forget that the 3G-enabled 32GB iPad currently sells for $729—not exactly cheap, either.
Also revealed over the weekend: internal Best Buy employee training documents that list the official launch date for the Xoom as February 17, less than a month away.
Unveiled earlier this month at the Consumer Electronics Show in Las Vegas, the Motorola Xoom is poised to be among the hottest of the coming wave of Android "Honeycomb"-powered tablets.
Samsung's Galaxy Tab already made a big splash when it hit all of the Big Four U.S. carriers last fall. But the Tab is based on Android 2.2 "Froyo," a version of Android that Google execs say wasn't designed with tablets in mind.

Android "Honeycomb," however, is squarely aimed at tablets, with Android director Andy Rubin demonstrating the new Android OS late last year—on an early version of the Xoom, no less.
The 10.1-inch Xoom is slated to arrive with two cameras—a five-megapixel camera in back, with a 2MP lens in front for video chat—along with a dual-core processor and support for Verizon's 3G network.
Motorola promises that the 3G version of the Xoom will go on sale sometime this quarter, while another model that works on Verizon's 4G LTE network will arrive in the second quarter. Moto CEO Sanjay Jha was careful to reassure early adopters of the 3G Xoom that their tablets would be upgradable for 4G support.
As for the supposed $699 to $799 price tag for the Xoom … well, yes, expensive, but Verizon may offer the tablet at a subsidized price with a two-year contract, with further discounts to follow.
The 16GB, 3G-enabled Galaxy Tab, for example, initially went on sale for $599 without a contract or $399 with a two-year service agreement, but Verizon, Sprint, and others have already shaved $100 or more off the Tab's sticker price.

More Here


Samsung Vibrant gets Android 2.2, after evil delay

After facing mounting criticism for its extremely slow pace of upgrading its T-Mobile Vibrant phone, Samsung is finally ready to deploy Android 2.2 to the device.
Samsung has become legendary for the amount of time it has taken to make Android 2.2 available for its line of Galaxy S Android phones, while rolling out numerous new phones with Android 2.2 pre-installed.
But none caught as much attention as the Vibrant, after rumors picked up that Samsung was intentionally preventing T-Mobile from releasing the update in a bid to spur sales for the Vibrant 4G, which is more expensive and has Android 2.2 natively built in. The story went that by not having Android 2.2 available, customers would avoid the Vibrant and be willing to spend more to buy the Vibrant 4G, even if they didn't have 4G coverage in their area.

A quote from an anonymous T-Mobile tipster to the website AndroidSpin grew viral. "Samsung has NOT allowed us to push the update OTA for 2.2 because they feel it will decrease the value of the upcoming Vibrant 4G," said the source.
Samsung denied the allegations, saying the upgrade was technical in nature and was the subject of ongoing testing. Conveniently enough, though, the company announced a rollout schedule just days after the rumors began circulating.

More Here


iPhone vs. Android: Google May Be Winning the War in China

One of my favorite Wall Street technology analysts is Jonathan Goldberg of Deutsche Bank. He combines his big-picture analysis with ear-to-the-ground sentiment reporting, meshing the virtues of a beat reporter with a serious number cruncher. In the Jan. 18 edition of the Digits newsletter, Goldberg dropped what felt to me like a bombshell about Google (GOOG), considering all the positive press that Apple (AAPL) has gotten from its most recent earnings and gains in the Asia Pacific region.

Namely, Goldberg's sources in China say Google's Android operating system has already pulled away from the pack there and assert that it'll be the big winner in the Middle Kingdom and, most likely, in Asia as a whole. "Our latest visit to China made it clear that Android has become the faraway leader in mobile operating systems [OS]," wrote Goldberg.

An Explosion of Opportunity

That's particularly interesting because Asia is likely to be the largest market in the world for advanced smartphones for the foreseeable future. That Google is pulling away in this critical geography not only lends credence to the search giant's decision to get into the operating system business but also hints at a real explosion of Android-related revenue opportunities in the not-so-distant future.

Apple is now pulling in at least $2 billion per year from App Store sales. The potential upside for Google could be far higher due to the sheer vastness of the addressable market. Incidentally, Goldberg reported that phones running Android likely outsold the iPhone in Asia in December. His prediction is that Android devices will outsell both the iPhone and the iPad during 2011 and pull further ahead in 2012.

Equally important, Goldberg ran into strong evidence that Android had gained real traction in a huge swath of the OS market for a wide range of devices. Said Goldberg of the time he spent talking to tech firms in China: "Every company highlighted that Android was being used in far more than phones and tablets. We saw or heard of Android laptops, set-top boxes and ATMs among other categories."

In other words, Google has a real shot at controlling vast chunks of the technology landscape and, by extension, inserting its advertising network into those devices, either via hooks in the Android operating system or via sales of applications for Android devices of various flavors.

More Here


Management Shakeup at Google: Larry Page to Replace Eric Schmidt as CEO

 As part of its quarterly earnings release issued today, Google announced changes to its top-level management structure, with the most high-profile change seeing co-founder Larry Page replacing Eric Schmidt as CEO as of April 4th. Page will take charge of day-to-day operations at the company, while Schmidt will become Executive Chairman and focus on business deals, partnerships and outreach. Google co-founder Sergey Brin will direct his energies to new and strategic product efforts.
- Starting from April 4, Larry Page, Google Co-Founder, will take charge of Google's day-to-day operations as Chief Executive Officer.
- Sergey Brin, Google Co-Founder, will devote his energy to strategic projects, in particular working on new products.
- Eric Schmidt will assume the role of Executive Chairman, focusing externally on deals, partnerships, customers and broader business relationships, government outreach and technology thought leadership--all of which are increasingly important given Google's global reach. Internally, he will continue to act as an advisor to Larry and Sergey.

Commenting on these changes, Eric said: "We've been talking about how best to simplify our management structure and speed up decision making for a long time. By clarifying our individual roles we'll create clearer responsibility and accountability at the top of the company. In my clear opinion, Larry is ready to lead and I'm excited about working with both him and Sergey for a long time to come."
Schmidt has posted additional thoughts on the changes in a blog post.

Google and Apple have had a complicated relationship over the years, with the two companies previously sharing a close relationship in facing off against Microsoft in the personal technology market and Schmidt joining Apple's board of directors in 2006.

More Here


Apple Researching Physical Keyboards with Motion Control to Replace Mouse

Apple's patent applications have always been a topic of interest here at MacRumors. They give us a rare look into Apple's research and development labs, although many of the concepts never see the light of day.

For years, we've seen Apple patent applications for touch-sensitive keyboards. Those patents have been based on the pioneering work of FingerWorks, a company which was acquired by Apple in 2005 and served as the basis for much of Apple's multi-touch technology. Prior to the acquisition, FingerWorks had produced several touch-sensitive multi-touch keyboards that garnered positive reviews, although they never became mainstream products. The one major hurdle in the adoption of these touch-only keyboards has been the lack of tactile feedback as compared to traditional keyboards.

A new Apple patent application that we've uncovered seems, however, to try to address that issue by creating a hybrid physical keyboard that will also double as a motion-sensitive input device. The patent application is authored by John Elias, one of the co-founders of FingerWorks.

First, Apple acknowledges that the physical keyboard remains the preferred input device:
Over the last forty years there have been numerous attempts made to introduce an alternative to the standard keyboard. The changes include, but are not limited to, non-QWERTY layouts, concave and convex surfaces, capacitive keys, split designs, membrane keys, etc. However, although such alternative keyboards may provide improved usability or ergonomics, they have failed to replace or duplicate the commercial success of the conventional mechanical keyboard.

More Here