Clouds are backing up clouds, with more choices on tap

Nasuni and Backupify are introducing new offerings for their cloud-to-cloud backup services

Enterprises that rely on cloud-based services are getting more options for falling back on another cloud if necessary.

On Tuesday, Nasuni introduced a cloud-to-cloud mirroring option to give customers extra assurance that their data will be available in case of a service outage. The same day, cloud-to-cloud backup vendor Backupify added more choices for where users can have their data sent.

Both Nasuni and Backupify provide backup services that operate on top of larger cloud storage operations such as Amazon S3. Many enterprises are looking to cloud services for storage, often to get away from buying and operating gear of their own, according to Enterprise Strategy Group analyst Mark Peters. Services that store many customers’ data in many cases can do so more efficiently through scale, he said.

Cloud storage has proved pretty reliable, and using one cloud-based service as backup for another should make users safer, Peters said.

“Logic says the odds of Amazon and Google going down on the same day, with your data, and not being able to do something about it is hard to fathom,” Peters said.

Nasuni gives enterprises access to their data through on-site hardware that looks and feels like a traditional storage controller while actually storing the contents on S3 or Microsoft’s Windows Azure cloud. On Tuesday, it’s adding an optional feature to its service that will mirror the data on the primary cloud to a secondary one. With the Cloud Mirroring service, customers with S3 as their primary cloud would have their data mirrored to Azure, and vice versa, the company said.

The feature is designed to give customers more assurance that they will still be able to get to their data even if their primary cloud platform fails. Nasuni has never experienced a service outage and customers are already covered by service-level agreements, but Cloud Mirroring can give them one more layer of assurance, Nasuni said. The company said it will price Cloud Mirroring on a per-terabyte basis but didn’t give any more information on pricing.

Backupify backs up consumers’ and enterprises’ SaaS (software-as-a-service) data to Amazon S3 so they can maintain their own copy of the data from services such as Salesforce, Google Apps, Facebook and Twitter. That data is encrypted with a customer-specific key and stored in Backupify’s storage bucket on S3.

Its customers will now have the option of having their data backed up to a different cloud, CEO Rob May said. Those who already have their own S3 bucket can have their data backed up to it, and other initial options include Rackspace Cloud Files and Google Cloud Storage. Additional choices, including Azure and a customer’s own storage equipment, will be available later, he said.

As Backupify has moved upmarket from consumers to small businesses to large enterprises, it’s started to find customers who already have their own cloud storage accounts, May said.

Backupify will still use S3 to process those customers’ content, but it won’t keep the data in its own S3 bucket, May said. Instead, it will send the data along to the cloud that the customer chose.

Customers who choose their own storage will be charged in a different way from users of the company’s traditional service, which costs US$3 per user, per month with unlimited data. The new type of service should represent savings of 50 percent to 60 percent off that cost, May said.

By choosing their own cloud storage provider, those customers will be able to pay for capacity on their own terms, which may be a better deal if they buy a lot of it, May said. Backupify’s standard per-seat deal is priced to account for consumer and small-business customers as well as big enterprises, and the big customers may be able to get a better rate elsewhere because of volume discounts, he said.

“For most large customers, they’re going to be much better off under the new pricing,” May said.



 

How employers can fight back against fake job references


Here’s what’s on the homepage of “The Reference Store,” which bills itself as the world’s leading virtual reference service: “Unemployed? Fired? Forced Out? Bad Reference? Create an entirely new work history using our fake reference service. Don’t let these issues keep you from finding meaningful work. Explain away these periods using one of our Virtual Companies. Our fake companies are so real, our Virtual Companies actually get sales calls from the public.”

There are plenty of businesses that offer similar services to people looking to bolster their chances of getting hired in a competitive job market. And these types of offerings have been available for some time. The question is, what can companies do to keep themselves from getting hurt because of fake references and potentially bad hires?

Clearly, many businesses still rely heavily on references when they are evaluating potential hires, and there are lots of fake references being listed. According to a study by employment services company CareerBuilder released in November 2012, about 30 percent of employers surveyed reported that they have caught a fake reference on a candidate’s application.

The study, conducted by Harris Interactive and including 2,494 hiring managers and human resource professionals and 3,976 workers across industries and company sizes, says a healthy majority of employers (80 percent) reported that they contact references when evaluating potential employees, and 16 percent contact references even before they call the candidate for a job interview.

One obvious thing companies can do to avoid the problem of fake references is to not place so much importance in the references candidates provide when they apply for a job.

“Having set up advanced recruiting systems in [small and medium-sized business] and large multinationals, I have always advised decision makers not to put too much stock in references,” says Tom Armour, founding partner at management consulting firm High Return Selection in Toronto.

“They are easily manipulated and 99 percent of the time [are] positive,” Armour says. “Most people don’t like to give critical feedback on a reference check, and large companies, for legal reasons, provide only basic data.”

But if checking references must be part of the hiring process – and clearly for many types of jobs it’s a good idea to get the opinions of references such as previous employers – experts say recruiters and human resources departments should take advantage of legitimate online resources such as LinkedIn and other business social media sites.

“LinkedIn is becoming a powerful recruitment tool,” Armour says. “It can be used for reference checking by looking for common contacts.”

References can be checked out in additional ways. One is to engage a reputable background vetting service that’s adept at identifying fake references and will provide some type of guarantee of this in its statement of work, says Hank Boyer, president and CEO of Boyer Management Group, a Holland, Pa., workplace services consulting firm.

“Many of the good services have deep sources that cross-check the validity of references,” says Boyer, who says he has conducted more than 10,000 hiring interviews and now advises employers on best practices in hiring.

If a company plans to do the validating itself, there are several steps Boyer recommends. One is to personally look up the reference via LinkedIn or some other database, and confirm via the information on the person’s profile that he or she worked at an organization at the same time as the candidate.

“I will often contact the employer through LinkedIn or an employer’s Web site to make sure I’m speaking to the actual person,” Boyer says. “When speaking to the reference, does what he or she says about the work environment in which the candidate was known match what you learned from the candidate?”

For more important positions, Boyer suggests not speaking with the references provided by the candidate, but asking the candidate’s references who else the candidate worked for or with, and then contacting that person.

“Few do this, but it is too easy for a candidate to give you a reference that he or she has pre-arranged to give only positive information,” Boyer says. “Secondary references are much more reliable.”

Executives have had some rude awakenings because of fake references – but it has led them to take steps to address the problem. As the head of human resources at his organization, Andrew Schrage, founder and co-owner of online financial services information site Money Crashers Personal Finance in Denver, has grappled with the issue of fake references.

“I once had a very well-qualified candidate that I was planning to hire; all I had left to do was check his references,” Schrage says. “I called two of them and both spoke glowingly about the candidate. However, I later came to find out that the references were fake – they were friends of the candidate.”

In the meantime, though, Money Crashers had hired the person.

“A few weeks later he must have had a falling out with one of his friends,” Schrage says. “That person called me, explained that he was a friend and not a professional reference, and that the person I hired had lied during the interview. I terminated the individual on the spot.”

Now, at the end of interviews Schrage asks candidates to review their resume one final time for any errors, “and I specifically mention their references,” he says. “Then I ask them to sign the resume. That has caused a candidate or two to ask if they can resubmit their resume to me at a later date.”

Also, background checks are now an important part of Money Crashers’ hiring process.

“Recently, there has been an abundance of fake job reference Web sites popping up, which makes the process of spotting fake references that much more difficult,” Schrage says. “So these days, I also ask the candidate to provide the names of three coworkers in addition to the reference, and I also do a generic Internet search on the name of the company to see if it’s real.”

Another hiring executive, Eric Lagerquist, senior consultant at Eliasen Group, an IT recruitment and staffing firm in Wakefield, Mass., has been burned by fake references.

“In one instance, I had a consultant give me two manager references from his last assignment at a company in New Jersey,” Lagerquist says. “He told me that they were both current, fulltime managers at the company. I knew something was up when the phone numbers for each reference did not have New Jersey area codes.”

Lagerquist called the first number and got a glowing reference.

“I asked the manager how long the consultant had been in that office and was told five years,” he says. “When I asked the manager for his title, he gave me one. When I asked him for his landline office number, he hung up. The same thing happened with the second call.”

A fake reference “is far worse than a poor reference, and once I uncover the deception, I will not consider that candidate for any future openings I have,” Lagerquist says. “My rationale is simple: a fake reference tells me that the candidate knows that he or she is not fit for the role and is underhanded enough to try and fake his or her way in. If a candidate will lie about a reference, what will keep him or her from lying about other things?”

In Eliasen Group’s case, fake references can also hurt business.

“If a fake reference gets past us, the possibility of a bad client experience with the consultant increases, which is an outcome that staffing firms cannot allow to happen, ever,” Lagerquist says.

LinkedIn has played a vital role in combating fake references, Lagerquist says.

“As soon as I get a reference name and title, I will look it up on LinkedIn,” he says. If the name, title and company all match up, he feels more secure about the validity of the reference.

“We use all of the available Internet tools to be sure that the person on the phone is really an employee of the referenced company,” Lagerquist says. “On the process side, we investigate until we are confident that we have strong, valid references.”

At online recruitment firm Mojo Master in Larkspur, Calif., “everyone that’s been fired has had great references coming in the door,” says John Younger, president. “So, there are some things we now do throughout the interviewing and hiring process to mitigate this.”

That includes asking for at least two references from people who managed the candidate in the past.

“Peer and subordinate level references are significantly discounted,” Younger says.

Mojo Master also researches the profile of the reference, verifying that the relationship did actually exist in the form represented by the candidate. This is done via Web searches and social networks.

Finally, when the company connects with a reference, it verifies the relationship to the candidate, and asks a series of pertinent questions such as where the candidate struggled or did not succeed at projects, how the reference would suggest the candidate develop professionally and personally, and what is the optimal work environment and role for the person.

It might seem like a lot of extra work in the hiring process, but this kind of diligence might help companies avoid hiring people who jeopardize the trust factor even before walking in the door.



Black Hat: How to create a massive DDoS botnet using cheap online ads

JavaScript in online ads can zombify browsers to carry out denial of service attacks

Las Vegas — The bad news is if you click on the wrong online ad, your browser can be immediately enlisted in a botnet carrying out a denial of service attack to take down Web sites.

The good news is that as soon as you move on to another Web site, the browser is released with no harm done, according to researchers who revealed the hack at the Black Hat security conference.

“Whose problem is this?” says Jeremiah Grossman, CEO of White Hat Labs and one of the researchers. “Browsers? Ad networks? Who fixes this?”


The bot-herding scheme relies on the fact that when a browser connects to a Web site, the site has near-complete control of the browser for as long as it’s on that page. It can run code from HTML to JavaScript in the browser that can set off a whole string of possible attacks, he says.

In the case of creating an on-the-fly botnet, Grossman and his associate Matt Johansen placed JavaScript within ads that they placed on Web pages via an advertising network. They paid to have the ad garner a certain number of clicks. The cost of a million-browser botnet is about $150, he says.

The JavaScript made the hijacked browser make repeated requests to a target Web server in an effort to overwhelm it. For the test it was the researchers’ own Apache server hosted in the Amazon cloud.

Each browser could generate six HTTP requests at a time due to a connection limit set in the browser in order to maintain performance and stability. If the JavaScript instructed that the browsers make FTP requests instead, the number jumps to 100 requests or more, Grossman says.

“To scale [the botnet] up you need to get a lot of browsers running it,” he says.

Adding arbitrary JavaScript to ads is easy to do and in the experience of the researchers wasn’t checked very closely by the ad network. To make it more convenient to change the malicious script, rather than placing the script itself in the ad, they put in the script source. That way they could alter the script on their own servers and have the changes picked up by the ad without having to deal with the ad network again, Johansen says.

The researchers paid the ad network to distribute their ad, and within 18 hours it was generating 8.1 million requests to the server, coming in fast enough to take it down. That was using HTTP requests six at a time without using the FTP bypass, Grossman says. Since the users whose browsers were enlisted in the botnet were unwitting, the researchers didn’t want to make any changes to the browsers, he says.

The upside for attackers is that the botnet is random with no command-and-control server that defenders could take down. Grossman says he is uncertain whether it would be possible forensically to track down the ad at the center of such a botnet and ultimately track it to the individuals who bought the ad. “You could be tracked by who paid for the guilty ad,” he says.

Ad blockers that are used to speed up the loading of Web pages and make them less annoying to users could become a security tool if this technique catches on, Grossman says, but he didn’t have a way to stop such attacks. “We used the way the Web works and took down our own server,” he says.
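For operators on the receiving end of the traffic described above, one place to look is the access log: many unrelated client addresses hitting the same site while sharing a single third-party Referer. The sketch below is an added example, not code from the researchers or the original article; it assumes combined-format logs and that the browsers send a Referer header (the article does not say), and every hostname, address and threshold in it is constructed.

```python
import re
from collections import defaultdict

# Combined log format:
# ip - - [time] "METHOD path proto" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def suspicious_referers(lines, own_host="www.example.org",
                        min_clients=3, min_requests=6):
    """Map each third-party Referer that drives many distinct clients at
    the site to (distinct client IPs, total requests)."""
    clients = defaultdict(set)
    hits = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not combined-format entries
        ref = m["referer"]
        # No Referer, or navigation within our own site, is not a signal.
        if ref in ("", "-") or ref.startswith(f"https://{own_host}/"):
            continue
        clients[ref].add(m["ip"])
        hits[ref] += 1
    return {
        ref: (len(clients[ref]), hits[ref])
        for ref in hits
        if len(clients[ref]) >= min_clients and hits[ref] >= min_requests
    }

def _line(ip, path, referer):
    # Build one constructed log entry (fixed timestamp, status and size).
    return (f'{ip} - - [01/Jan/2024:00:00:00 +0000] "GET {path} HTTP/1.1" '
            f'200 512 "{referer}" "Mozilla/5.0"')

# Constructed sample: four clients, six requests each, all sharing one
# ad-frame Referer, mixed with ordinary traffic.
AD_FRAME = "https://ads.example.net/creative/frame.html"  # hypothetical
SAMPLE_LOG = (
    [_line(f"203.0.113.{i}", "/index.html", AD_FRAME)
     for i in range(1, 5) for _ in range(6)]
    + [_line("198.51.100.7", "/about.html", "https://search.example.com/?q=x"),
       _line("198.51.100.8", "/index.html", "-"),
       _line("198.51.100.9", "/contact.html", "https://www.example.org/")]
)

if __name__ == "__main__":
    for ref, (n_clients, n_hits) in suspicious_referers(SAMPLE_LOG).items():
        print(f"{ref}: {n_clients} clients, {n_hits} requests")
```

The thresholds are deliberately tiny to fit the sample; on real traffic they would be set against the site's normal referrer mix.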

