Cyber-Ark Software Inc. this week released an enhanced version of its Privileged Identity Management Suite, with new features designed to give IT officials a single tool for managing privileged accounts across both Windows and Unix environments. Adam Bosnian, vice president of product, strategy and sales at Cyber-Ark, said the new offering can help large companies more easily manage multi-operating system environments that generally require separate tools for each OS. There's a growing demand for tools that can manage, control and audit privileged accounts across the enterprise, said Mark Diodati, an analyst with the Burton Group in Midvale, Utah. The upgraded product adds support for managing so-called Unix 'superusers' who typically have a full range of rights and permissions to everything on a system. He cited the growing need to meet state and federal compliance and governance requirements and growing concerns about the security risks posed by insiders with access to privileged accounts. "One of the things that is driving demand is that auditors are getting smarter," Diodati said. "They have figured that this thing about privileged access management is crucial." The demand for such tools has attracted the attention of a variety of vendors, including BeyondTrust, which last month unveiled what it termed the first privileged account management product for heterogeneous IT environments, along with CA, Quest Software and Novell.

For example, in July a former computer support technician at Quantum Technology Partners (QTP) in Miami was sentenced to a year in jail for illegally using his administrator account and password to shut down the company's servers from his home computer. The security concerns follow a string of highly public incidents where users holding administrator accounts created IT havoc for a variety of reasons. Lesmany Nunez also changed the passwords of all the IT systems administrators at the company and deleted files that made data restoration from backup tapes more difficult for the company. Perhaps the most sensational example of abuse by a privileged user came when Terry Childs, a former systems administrator at the City of San Francisco, allegedly locked access to a crucial city network for days by changing key network passwords. His actions resulted in more than $30,000 in damages to QTP. And in January, a Fannie Mae engineer was indicted for planting a logic bomb on the corporation's network that could have destroyed and altered all data on the company's servers.

After blasting off Monday afternoon, the crew of the space shuttle Atlantis is using a robotic arm to inspect the shuttle for damage while getting ready to dock with the International Space Station tomorrow. On the second day of the mission, the astronauts used the shuttle's 50-foot-long robotic arm, along with its 50-foot-long orbiter boom sensor system, to take pictures of Atlantis's wings and nosecap for any damage that might have occurred during takeoff. Loaded up with 27,250 pounds worth of spare parts for the space station, the shuttle lifted off from Kennedy Space Center in Florida yesterday on schedule at 2:28 p.m. The 11-day mission is focused on getting the station stocked up with equipment like gyroscopes, two nitrogen tank assemblies and parts for the onboard robotic system before the space shuttle fleet is retired and these kinds of shipments are much more difficult to make.

According to NASA, the astronauts running the inspection, which takes about five hours, will use a suite of cameras and lasers designed to give them 3-D views of the shuttle's heat shield. NASA noted that the astronauts also are inspecting their spacesuits today. The images will be sent back to ground control, where engineers will inspect them for any problems with the shuttle's thermal protection system, which will be needed to protect the craft during the blazing temperatures it will encounter during re-entry into the Earth's atmosphere. And in preparation for tomorrow's docking with the space station, they're extending the shuttle's Orbiter Docking System ring and going over their rendezvous tools. The equipment that needs to go up is being delivered in order of highest priority. The equipment being delivered during this mission is considered highly critical to the operation of the space station, according to NASA. At this point, there are only six flights left for the space shuttle fleet before it's scheduled to be retired.

Since this is the first mission to deliver what scientists hope will turn into a trove of spare parts, they're taking up the most important pieces. The astronauts are expected to make three space walks to unload the parts from the shuttle and connect them to the sides of the station's truss.

Hewlett-Packard has agreed to buy 3Com for about US$2.7 billion, pushing forward the giant IT vendor's strategy for combining computing, storage, services and networking under one roof. HP is offering $7.90 per share for 3Com, about $2 per share above the stock's price of $5.69 at the close of trading on Wednesday. The deal has been approved by both companies' boards of directors and is expected to close in the first half of next year. U.S. and foreign regulatory approvals will be required, the companies said. 3Com will add to HP's Ethernet switching portfolio, which is already a growing competitor to Cisco Systems, and add routing products to its lineup. "Companies are looking for ways to break free from the business limitations imposed by a networking paradigm that has been dominated by a single vendor," said Dave Donatelli, executive vice president and general manager, Enterprise Servers and Networking, at HP, in a prepared statement. "We will enable customers to build a next-generation network infrastructure that supports customer needs from the edge of the network to the heart of the data center." The acquisition will also give HP access to a research and development team and strong sales channels in China, where 3Com operates the H3C subsidiary it originally formed as a joint venture with Huawei Technologies.

As data centers are centralized and virtualized, the largest IT vendors are pursuing data-center strategies that span all parts of what is increasingly a single infrastructure of networks, storage, computing and software. The deal would also bring in 3Com's TippingPoint line of intrusion prevention products. Cisco's introduction of servers earlier this year made it a more direct competitor to HP as well as IBM. HP's own ProCurve networking line has already gained ground on Cisco in enterprises over the past few years. 3Com has trailed the dominating Cisco in the networking arena since the late 1990s and has pursued several different strategies to find its place in the market. Its TippingPoint acquisition gave it a strong position in intrusion prevention, and the company has also focused on networking gear for small and medium-sized businesses.

Brian Kendall has released an updated version of xGestures for Snow Leopard, which allows you to drive your Mac with "mouse gestures" - a particular combination of mouse movements that triggers a menu item, keystroke, or AppleScript. Users of recent MacBooks with multi-touch trackpads may also want to check out Macworld's recent review of Jitouch, which does similar things with multi-touch gestures. For example, I'm constantly hitting the wrong function key on my MacBook when I try to view all Spaces; with xGestures, I can hold the control key and flick up and down on my trackpad, and xGestures will zip me into the all Spaces view.

xGestures installs as a preference pane and, unlike Jitouch, you have to define all of your gestures from scratch. xGestures requires a mouse button or keyboard press to start listening. Getting started with xGestures was a bit frustrating; you have to make sure that "Enable xGestures" is checked under Options and then click the "Start xGestures" button on the same pane. I used the Control-Shift keys along with "hold down key while gesturing" since this combination doesn't conflict with any of my other utilities. You can also set xGestures to change the mouse pointer and draw a line on the screen when it's active, both of which I recommend for testing out the software.

The Command or Option keys, though, could easily trigger a gesture when I don't wish to. Once you're set up, you can define either global gestures or specific gestures for each application. xGestures provides a drop-down menu of actions which a gesture can trigger; the most useful of these are probably "Perform Keystroke" and "Choose Menu Item." (Note: to assign a keystroke, you may need to turn it off first. For my testing, I made my Spaces actions global, but I set up different gestures for Web-browsing which were specific to Safari. Assigning F8 to my Spaces gesture didn't work so long as Spaces was intercepting it.) Be sure to click on "Apply Settings" whenever you set up a new gesture - skipping this led to some frustrating moments during my testing.

I'm on the fence about it, but if I find myself using gestures frequently in two weeks, the price makes this a no-brainer purchase. xGestures requires Mac OS X 10.3 or higher, and costs $5 after a 15-day free demonstration period.

Responding to criticism that its anti-piracy mechanisms could slow the growth of the eBook industry, Adobe Systems Inc. plans to liberalize its approach toward Digital Rights Management (DRM) with eBooks. Seemingly minor, the move is important both because of Adobe's growing behind-the-scenes importance in the burgeoning eBook industry and because of how it moves ahead with content protection. The next major version of its Content Server software will give book publishers, authors and libraries the option to protect encrypted eBooks with a password. The current Adobe Content Server 4 software lets publishers choose whether or not to encrypt their eBooks.

That number is meant to give owners flexibility to move purchased eBooks among various devices. It also lets eBook buyers choose up to 12 devices - six desktop and six handhelds, including eBook readers or smartphones - on which they can read eBooks protected by encryption. But what if people want to share their eBooks with a relative, close friend or colleague? Users would then enter a username and password to open up and read a book on any device or PC. On the flip side, that means a cracked Adobe ID and password could be distributed and used to let pirates read an eBook, just as stolen license keys are used to enable the installation of pirated software. Content Server 5 will allow that by letting owners link eBooks to an Adobe ID account. That possibility is why publishers want Adobe to provide the option for weak or strong encryption, said Nick Bogaty, senior business development manager for digital publishing at Adobe. "I think it's legitimate concern on publishers' part to make it somewhat difficult to mass copy their files, and that's what our DRM does," he said. "Their business is copyrights, and if they don't have that, they don't have a business anymore." Some critics point out that Adobe, by promoting its flavor of encryption on top of the open ePub standard, is promoting a version of vendor lock-in.

Critics also say that DRM measures remain confusing and unnatural for consumers. "Publishers always feel better if things are locked down, but consumers can't stand it," says David Rothman, editor of the eBook-focused blog, TeleRead. Users will be forced to rely on Adobe's eBook-reading software - either Digital Editions for PCs, or Adobe Mobile Reader on smartphones, E-Ink devices and tablets - to read their eBooks. Rothman is an advocate of "social DRM" techniques, such as watermarking eBooks with the owner's name and address, rather than preventing their redistribution. "It's using the forces of peer pressure in a good way. And that could stunt the eBook market, which remains small. But Adobe keeps wanting to think in terms of encryption," he said. Wholesale trade in eBooks in the U.S. for the first three quarters this year totaled $110 million, according to the International Digital Publishing Forum (IDPF). While that is up more than three-fold from last year, it remains a fraction of the paper-based publishing market.

Adobe's Bogaty, the former executive director of IDPF, is skeptical that such a revenue model would work in the book publishing business. "Until I see a book reading fill up Madison Square Garden, or a bunch of kids wearing Tom Wolfe t-shirts, I just don't see a big ancillary market for publishers," he said. Rothman and others point to the music industry, where some artists and record companies and retailers are starting to favor audio watermarks over DRM, employ P2P networks to give away songs for radio-like promotion, or substitute CD sales with concert tours and merchandise sales.

A federal court in Missouri has thrown out a class-action lawsuit that was brought against pharmacy benefits company Express Scripts over a 2008 data breach in which millions of customer records were believed to have been illegally accessed. In a 22-page ruling last week, Buckles said that the plaintiff in the case, John Amburgy, failed to show how the data breach caused him any direct injury or even put him in imminent danger of any injury. "Abstract injury is not enough to demonstrate injury-in fact," Buckles wrote. "The injury or threat of injury must be concrete and particularized, actual and imminent; not conjectural or hypothetical." The $22 billion Express Scripts in October 2008 disclosed that extortionists were threatening to publicly release millions of patient records that they had accessed from the company's databases unless the company paid an undisclosed amount of money. In dismissing the lawsuit, Magistrate Judge Frederick Buckles reiterated a position that has been taken by other judges in similar cases: Without any actual harm done, there can be no damages sought. St. Louis-based Express Scripts said it had received a letter with the names, birth dates, Social Security numbers and some prescription information for 75 patients, with the threat that more would be released if it did not pay up.

In his lawsuit, Amburgy accused Express Scripts of negligence in its duty to protect customer records. As of November, Express Scripts said it had notified about 700,000 individuals that their information may have been compromised in the incident. He accused the company of breach of contract, breach of implied contract and violations of data breach notification laws in various states. He claimed that he and others similarly affected had to spend time and money monitoring their credit accounts and reports, prescription records and other financial accounts. Amburgy claimed that as a result of Express Scripts' failure to maintain adequate security measures, he and others affected by the breach were at increased risk of identity theft fraud and extortion. But like other judges in similar cases, Buckles brushed aside those contentions and said Amburgy failed to show that he was directly affected by the breach and that his claims relied on too many "ifs." "Plaintiff alleges that he would be injured 'if' his personal information was compromised, and 'if' such information was obtained by an unauthorized third party, and 'if' his identity was stolen as a result, and 'if' the use of his stolen identity caused him harm." These multiple "ifs" put his claims in the realm of the hypothetical, the judge noted.

In October, for instance, a U.S. District Court judge in Maine asked the state's highest court to weigh in on the question of whether the time and effort spent in mitigating the fallout from a data breach constituted a cognizable injury under Maine law. Though other cases have ended the same way, some courts have begun to show a willingness to at least hear the sort of claims raised by Amburgy. The question stemmed from a motion filed by plaintiffs in a data breach lawsuit involving supermarket chain Hannaford Bros. In September, a federal court in Illinois allowed a couple whose bank account had been depleted by cyber thieves to go ahead with their lawsuit against Citizens Financial Bank. The judge had previously thrown out all other claims in the case. The judge in the case noted the couple had shown there was a reasonable basis for arguing that the bank had failed in its duty to protect the couple's money.

For the fourth time this year, Adobe has admitted that hackers were using malicious PDF documents to break into Windows PCs. The bug in the popular Reader PDF viewer and the Acrobat PDF maker is being exploited in "limited targeted attacks," Adobe said yesterday. Adobe promised to patch the vulnerability on Tuesday, Oct. 13, the same day that Microsoft plans to issue its biggest-ever collection of security updates. The bug exists in Reader and Acrobat versions 9.1.3 and earlier on Windows, Mac OS and Linux, said Adobe in a security advisory published Thursday, but as far as the company knows, it is being exploited only to hijack Windows PCs. "There are reports that this issue is being exploited in the wild in limited targeted attacks," said Adobe. "The exploit targets Adobe Reader and Acrobat 9.1.3 on Windows." Adobe will plug the hole next week as part of its quarterly security update for Reader and Acrobat. That phrasing generally means hackers are sending the rigged PDF documents to a short list of users, oftentimes company executives or others whose PCs contain a treasure trove of confidential information.

Last June, Adobe announced it would follow the lead of companies like Microsoft and Oracle, and release regular security updates for Reader and Acrobat. It said more than a month ago that it would instead push the patch date into October. Originally, Adobe was to post patches last month, but a scramble during July to fix several flaws, including some introduced by Microsoft in a code "library" used by its own developers, as well as those in other companies, wreaked havoc on Adobe's schedule. Until a patch is released next week, Windows Vista and Windows 7 users can protect themselves by enabling Data Execution Prevention (DEP), a security feature designed to stop some kinds of exploits - buffer overflow attacks in particular - by blocking code from executing in memory that's supposed to contain only data. Windows XP users should disable JavaScript in Reader and Acrobat, added Adobe.

Instructions on how to enable DEP are available on Microsoft's support site. That wouldn't block all possible attacks, but will stymie the exploit now in the wild. In March, the company quashed a PDF bug that attackers had been using for more than two months. It again patched Reader and Acrobat in May to block another zero-day. In July Adobe fixed a Flash PDF-related flaw that was being used by hackers. Adobe has struggled this year to stay ahead of hackers. Next Tuesday's Reader and Acrobat updates will also patch an unknown number of other vulnerabilities, Adobe said.