Remember to seek out, change and manage every password in your IT infrastructure, or you'll fail your PCI audit.
While corporations are struggling with PCI compliance after PCI 6.6 became mandatory June 30, they may be overlooking one of the most critical areas for compliance -- passwords.

Generally, enterprises do not revoke passwords when their owners move to other departments within the company or leave, resulting in orphaned accounts.

But user and system administrator passwords are just the tip of the iceberg -- literally thousands of other passwords are hidden from view, such as application-to-application passwords, passwords embedded in applications and the passwords every device on a corporate network comes with.

The last category includes laptops, desktops, appliances, routers, bridges and just any other device you can think of.
"If you don't change the default passwords applications and devices are shipped with, you could fail your PCI audit, because these are freely available online," Robert Grapes, chief technologist of Cloakware's data center solutions, told InternetNews.com.
"There's more than 3,000 vendors and products listed with the default passwords on the Internet; very few people go through their devices or operating systems and change the passwords," he added.

Identities and passwords that have been hard-coded into applications or servers are the most difficult to revoke or change, and are often ignored because of this.

"I talked to one company who had not changed passwords on particular systems of theirs for 17 years," Grapes said.
Passwords on applications and devices, and administrator passwords, are privileged accounts, meaning they have more permissions and rights than the average end user. Such accounts constitute one of the biggest potentials for enterprise security breaches.

"There are many times the number of privileged accounts operating on your network than there are end user accounts," Grapes said.


For example, in an enterprise with, say, 1,000 end users running on Windows, every laptop, desktop and server will have a local administrator account and service accounts that are not being managed, according to Grapes.

Then there are all the back-end applications running on other systems, such as Unix servers, blades and mainframes, the network management systems, the database accounts, each of which will have multiple privileged accounts.

The proliferation of privileged accounts is so great that "we recently completed a transaction with a large European bank with 80,000 employees, and they bought a contract for 525,000 accounts," Grapes said.

It's impossible to root out all the passwords and change them individually to comply with the PCI regulations, and Grapes said automation is the best solution.

The PCI regulations' password requirements proved a "major, major pain" for the large U.S. retail chain where Joey Peloquin used to work.

"We had more than 160,000 users, and automation was the only way we could solve the problem," Peloquin, now a senior security consultant in HP software professional services' application security division, told InternetNews.com.

His former employer selected a product from Cyber-Ark called the Enterprise Password Vault; Cloakware also offers a solution, called the Cloakware Server Password Manager.

Some enterprises let systems administrators share identities and passwords to contain password sprawl, but that generates problems of its own.

"If you have 10 administrators sharing a password and ID, how can you audit and trace who performed a particular function on that system?" Grapes asked.

Such tracking information is crucial to passing an audit.

The cost of failure can be high. When Peloquin's former employer failed a PCI audit, "we lost millions of dollars on the day we failed just through the increased commissions we had to pay," he said.

In the months following publication of the final part of the very popular series on integrating Google Maps into PHP applications, I've spent quite a bit of time working with another popular Web technology: Ruby on Rails. As it turns out, Rails developers have been hard at work creating a few amazing plugins capable of adding powerful mapping capabilities to your applications. In this new series, I'll introduce you to these powerful plugins, showing you a number of tips and tricks along the way.
I'll presume you're familiar with mapping fundamentals, including the basic ideas surrounding the Google mapping API syntax. If you haven't had the opportunity to experiment with the API, take some time to read this tutorial before continuing.
Introducing the YM4R/GM Plugin
Although there's nothing preventing you from linking to Google's mapping JavaScript API and referencing the library directly from your views, jumping between Ruby/Rails syntax and JavaScript can quickly become a tedious affair. The YM4R/GM plugin remedies this issue nicely, abstracting the API calls through Ruby's familiar object-oriented syntax. With it you can do everything from render simple maps to build complex maps complete with custom markers, information windows, and clusters for facilitating the rendering of large numbers of markers.
Installing and Configuring YM4R/GM
To install the YM4R/GM plugin, execute the following command from your project directory:%>ruby script/plugin install
svn://rubyforge.org/var/svn/ym4r/Plugins/GM/trunk/ym4r_gm
YM4R/GM manages the Google API keys within a file named gmaps_api_key.yml, found in the project's config directory. The developers save you the trouble of having to create your own API key for local testing purposes by including an API key that has already been tied to http://localhost:3000. However, if you're testing on a different host, you'll first need to create an API key and add it to this file (instructions for creating a key are provided in the aforementioned introductory tutorial).
Creating Your First Map

Figure 1: Centering the map over Youngstown, Ohio
As is standard Rails practice, you'll use the controller method to define the map and its features, and the view to render the results. In the following example, you'll define a map in the index controller's index action, complete with a pan/zoom control but minus the map type selector:def index
# Create a new map object, also defining the div ("map")
# where the map will be rendered in the view
@map = GMap.new("map")
# Use the larger pan/zoom control but disable the map type
# selector
@map.control_init(:large_map => true,:map_type => false)
# Center the map on specific coordinates and focus in fairly
# closely
@map.center_zoom_init([41.023849,-80.682053], 10)
end
Next, in the index action's corresponding view, add the following code:


<%= GMap.header %>
<%= @map.to_html %>


<%= @map.div(:width => 400, :height => 300) %>


The GMap.header call will output references to both the Google Maps API and YM4R/GM JavaScript libraries. The @map.to_html call outputs JavaScript code generated by YM4R/GM according to the specifications set forth in the action. Finally, the @map.div call outputs the map to a div as specified in the action's GMap.new call.
Also, you'll see that the map dimensions are defined in the view rather than the controller. This is keeping with the convention of separating application logic and design; the view designer can choose any dimension he pleases; the map will simply fill to the desired size. The initial zoom level is, however, defined in the controller, although the user can easily subsequently adjust the zoom using the control.

By : Jason Gilmore

Did you know that you can move sections of your Web.config file into other files? Whether it's to keep things tidy or simply to make it easier to find the settings you change often, it's easy to do and yet few people even realize you can.
The magic that makes this possible is the configSource attribute. It was added in .NET 2.0 and its value indicates the name of the file that contains the section that we're moving to another file. It's probably easiest to illustrate via a simple example. A normal connectionStrings section in Web.config might look something like this:
... ...
To move that section to a separate file, simply replace the connectionStrings section in the listing above with this line:

and then create a new "ConnectionStrings.config" file to hold the connectionStrings section's settings:

See... it really couldn't be much simpler. Now you can play with your connection strings as much as you want without fear of messing up any other settings in your Web.config file.
Oh... and just because I only showed you how to move the connectionStrings section, don't think that it stops there. You can just as easily move any section you want to an external file: appSettings, mailSettings, urlMappings, etc.
Source:ASP101

As your personal business life becomes accessible in digital form, using strong passwords to keep that information safe and secure is more important than ever. The proliferation of Web 2.0 services such as online payment, banking, accounting and payroll services means that your company’s most sensitive information is accessible to anyone with the proper login.

Relying on your pet’s name for a password just doesn’t cut it anymore. The only thing worse is having your passwords scrawled on a sticky note under your keyboard – you know who you are.

The Basics


Security experts agree: Most people have passwords that provide woefully inadequate protection against hackers and identity thieves. That’s because a password that’s easy to remember is also easy for an automated hacking program to guess, and one that’s hard to guess is also hard to remember—and winds up on that sticky note. But there are a few tricks that can help you come up with complicated passwords that will still be easy for you (and only you) to remember.
“A good technique is to come up with a base password, and then just change it a bit for every site,” advises David Ulevitch, CEO of OpenDNS, the leading provider of Domain Name System services. For example, your banking log-in for Bank of America could be ca$h!cowBoA, while your QuickBooks online accounting password could be ca$h!cowQB.
Which brings up a second point: Be sure to use a mix of upper- and lowercase letters, number, and symbols. The reason? Automated hacking programs can cycle through all known words (spelled both forward and backward), plus common names (including Fido and Queenie), in a matter of minutes.

“The best way to do strong passwords is to simply replace letters with characters and numbers, and make use of other keyboard tidbits,” advises Eric Green, president of ELG Consulting and a consultant to SCIPP International, the first non-profit security-awareness training certification organization. So while NYYankees is a weak password, it can be made stronger (and still remain memorable) with the simple tweak to NY_Y@nkee$$.
Another trick is to think of a passphrase that is meaningful to you and that can be turned into an acronym (again, with some symbols in place of letters). So, for example, the fact that my first car was a 1964 Buick Electra could become the PayPal password MfCw@!964BE!PP. And if you are worried about forgetting it, you could write down a reminder for yourself that will be useless to others, like “first car sentence.”
Other Observations


Ultimately, the security of your password (and hence your data) is only as secure as the site you enter it into. “When doing any work online and entering any kind of personal information at all, make sure the little pad lock is at the bottom of your screen indicating the site is using SSL (Secure Socket Layer) to encrypt your data,” cautions Green. “The strongest password in the world is a waste if someone can simply copy that information over an insecure network.”

Also be aware of keylogger programs and other malware that can lurk on a PC, recording your keystrokes and surreptitiously sending them to a hacker. The string “www.paypal.comjohndoefido” lets the thief know that a PayPal user name is John Doe and that the user’s password is Fido.

So never enter a vital password at a public computer terminal (such as at an Internet café), since you don’t know what programs people have installed onto the computers. And on your own home and business PCs, be very careful what you and your employees load (in fact, in Windows block employees from loading programs altogether) and be sure each PC’s spyware program (such as SpySweeper) is up to date.

Jamie Bsales is an award-winning technology writer and editor with nearly 14 years of experience covering the latest hardware, software and Internet products and services.
This article was first published on SmallBusinessComputing.com.

INNEAPOLIS -- What's worse than being 12 years out of high school and on your way to having $40,000 in debt?

Being 30 years old, with no college degree, making $15 an hour.

That's why Jesse Mullan has taken a risk and gone back to college, sitting in classrooms with college juniors who were 8 years old when he graduated from high school in St. Paul, Minn., in 1994.

Mullan, who expects to graduate from college in 2008, figures that taking on debt to further his education will pay off. He expects to triple his hourly pay shortly after collecting a degree in computer science from the University of Minnesota, allowing him to pay off his school loans in no more than 10 years.

"It's better than car loans," he said.

Mullan is still making a good bet, many economists agree. While the cost of college has soared, the incomes of college graduates are still staying well ahead of those who don't have four-year degrees.

How far ahead? Lifetime incomes of college grads in today's dollars average nearly $300,000 more than high school graduates over a 40-year career. And that's the net benefit, after deducting an average cost of more than $100,000 in tuition, room and board and potential income lost while attending college.


The income gap between those with and without a college degree continues to grow, though at not as fast a pace since the mid-1990s as in the 1980s. Why? A rising tide of economic prosperity has lifted most of the boats, providing higher incomes for even the undereducated.

"Since the mid-1990s, the average (inflation-adjusted) wages of college graduates have skyrocketed, increasing by 18 percent" as of 2004, a recent study found. In contrast, wages of high school dropouts rose at about half that rate -- 10 percent -- over the same period.

Economists Lisa Barrow and Cecilia Elena Rouse said in the same paper that "there are no signs that the value of a college education has peaked or is on a downward trend."

While many people have heard stories of degree-holders with nothing more to show for their high-priced education than a job behind a coffee counter, sticker shock about the rapidly rising cost of tuition and fees is largely misplaced, said Rouse, a Princeton University economist.

Rouse cites two factors to back up that claim: Significant numbers of students get some form of aid, income tax credits at the very least -- meaning they pay less than the posted price for their degrees. What's more, by far the largest cost of going to college is foregone income, and wages of high school grads have not climbed nearly as fast as the double-digit gains in tuition at many colleges in recent years.

To be sure, paying for college is a bigger gamble for some than for others.

Sixty-three percent of all students with family incomes of $79,000 or less face a gap between the annual cost of college and the money they can raise through grants, scholarships, work-study programs and family contributions, according to a national study released last month by the Southern Regional Education Board.

That gap is filled by debt.

For example, in the spring of 2005, nearly two-thirds of the students graduating from the University of Minnesota's Twin Cities campus left with debt -- an average of more than $22,000. That was up 65 percent from the average for indebted students in the class of 2002.

But the average return to a college education is large enough to overshadow those liabilities, many studies have found.

The Census Bureau in 2004 calculated that the average college graduate earns $27,800 more per year, adjusted for inflation, than the average high school graduate. That adds up to more than $1 million over a lifetime.

Barrow and Rouse calculated that over 40 years, the average payback for a college diploma comes to $402,959 in today's dollars. Subtract $107,277 in their estimated average total cost for a four-year degree and the average expected benefit would come to about $296,000.

And what about the English majors or art students who end up behind a counter at Starbucks after graduation? Their degree still is likely to make them more attractive as a management candidate than someone who didn't go to college.

"There probably are more opportunities open to these people who maybe aren't doing as well as the average," Barrow said.
source:seattlepi.com