Wednesday, November 28, 2007

Top 10 IT Disasters of all time

Following the loss of the personal records of some 25 million child benefit recipients by Her Majesty's Revenue & Customs this month, the UK government will be acutely aware of how quickly mismanagement of technology can lead to serious problems.

While technology wasn't to blame per se in the HMRC data loss, there are plenty of recorded examples where faulty hardware and software have cost the organizations concerned dearly, both financially and in terms of reputation--and resulted in some near misses for the public.

Here's our considered list of some of the worst IT-related disasters and failures. The order is subjective--with number one being the worst--so feel free to comment using Talkback below if you disagree or have suggestions for disasters we may have missed.

1. Faulty Soviet early warning system nearly causes WWIII (1983)
The threat of computers purposefully starting World War III is still the stuff of science fiction, but accidental software glitches have brought us too close in the past. Although there have been numerous alleged events of this ilk, the secrecy around military systems makes it hard to sort the urban myths from the real incidents.

However, one example that is well recorded happened back in 1983, and was the direct result of a software bug in the Soviet early warning system. The Russian system told them that the United States had launched five ballistic missiles. However, the duty officer for the system, one Lt Col Stanislav Petrov, claims he had a "funny feeling in my gut", and reasoned if the U.S. was really attacking they would launch more than five missiles.

The trigger for the near apocalyptic disaster was traced to a fault in software that was supposed to filter out false missile detections caused by satellites picking up sunlight reflections off cloud-tops.

2. The AT&T network collapse (1990)
In 1990, 75 million phone calls across the U.S. went unanswered after a single switch at one of AT&T's 114 switching centers suffered a minor mechanical problem and shut down the center. When the center came back up soon afterwards, it sent a message to other centers, which in turn caused them to trip, shut down and reset.

The culprit turned out to be an error in a single line of code--not hackers, as some claimed at the time--that had been added during a highly complex software upgrade. American Airlines alone estimated this small error cost it 200,000 reservations.

3. The explosion of the Ariane 5 (1996)
In 1996, Europe's newest and unmanned satellite-launching rocket, the Ariane 5, was intentionally blown up just seconds after taking off on its maiden flight from Kourou, French Guiana. The European Space Agency estimated that total development of Ariane 5 cost more than $8bn (£4bn). On board Ariane 5 was a $500 million (£240 million) set of four scientific satellites created to study how the Earth's magnetic field interacts with Solar Winds.

According to a piece in the New York Times Magazine, the self-destruction was triggered by software trying to stuff "a 64-bit number into a 16-bit space."

"This shutdown occurred 36.7 seconds after launch, when the guidance system's own computer tried to convert one piece of data--the sideways velocity of the rocket--from a 64-bit format to a 16-bit format. The number was too big, and an overflow error resulted. When the guidance system shut down, it passed control to an identical, redundant unit, which was there to provide backup in case of just such a failure. But the second unit had failed in the identical manner a few milliseconds before. And why not? It was running the same software," the article stated.
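As an added illustration (not code from the article or from the Ariane 5 project, whose flight software was written in Ada), the pattern in C: a 64-bit floating-point horizontal velocity squeezed into a 16-bit signed field, first with a range check, then with a saturating variant, plus a simulation of two redundant units showing why a backup running identical software gives no protection against this class of bug. The names fits_i16, saturate_i16, narrow_strict, narrow_saturating and redundant_pair_step, and the sample values, are constructed for this example.

```c
#include <math.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration of the Ariane 5 failure mode: a 64-bit floating-point
 * horizontal velocity has to be stored in a 16-bit signed field. A plain cast of an
 * out-of-range double to int16_t is undefined behaviour in C, so every conversion
 * here is range-checked first. */

/* True when v is finite and representable as a 16-bit signed integer. */
bool fits_i16(double v) {
    return !isnan(v) && v >= (double)INT16_MIN && v <= (double)INT16_MAX;
}

/* Strict conversion: refuse anything that does not fit, so the caller sees the
 * failure instead of a silent overflow. Returns false on failure. */
bool narrow_strict(double v, int16_t *out) {
    if (!fits_i16(v)) return false;
    *out = (int16_t)v;   /* truncates toward zero, e.g. 1234.5 -> 1234 */
    return true;
}

/* Clamp a finite v to the 16-bit range (NaN must be rejected by the caller). */
int16_t saturate_i16(double v) {
    if (v > (double)INT16_MAX) return INT16_MAX;
    if (v < (double)INT16_MIN) return INT16_MIN;
    return (int16_t)v;
}

/* Saturating conversion: keep running with a clamped value rather than shutting
 * down. Only NaN is treated as unrecoverable. */
bool narrow_saturating(double v, int16_t *out) {
    if (isnan(v)) return false;
    *out = saturate_i16(v);
    return true;
}

typedef bool (*narrow_fn)(double, int16_t *);

/* One guidance unit: it "shuts down" (returns false) on any conversion failure,
 * as the article describes. */
bool unit_step(narrow_fn convert, double horizontal_velocity) {
    int16_t field;
    return convert(horizontal_velocity, &field);
}

/* Primary and backup units fed the same measurement. Returns how many are still
 * running afterwards: with identical software, both fail on the same input. */
int redundant_pair_step(narrow_fn primary, narrow_fn backup, double horizontal_velocity) {
    int alive = 0;
    if (unit_step(primary, horizontal_velocity)) alive++;
    if (unit_step(backup, horizontal_velocity)) alive++;
    return alive;
}

int main(void) {
    /* Constructed sample inputs: a nominal value and one far outside the 16-bit range. */
    const double nominal = 1234.5, excessive = 40000.0;
    printf("nominal, strict primary + strict backup:   %d unit(s) alive\n",
           redundant_pair_step(narrow_strict, narrow_strict, nominal));
    printf("excessive, strict primary + strict backup: %d unit(s) alive\n",
           redundant_pair_step(narrow_strict, narrow_strict, excessive));
    printf("excessive, strict primary + saturating:    %d unit(s) alive\n",
           redundant_pair_step(narrow_strict, narrow_saturating, excessive));
    return 0;
}
```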

4. Airbus A380 suffers from incompatible software issues (2006)
The Airbus issue of 2006 highlighted a problem many companies can have with software: What happens when one program doesn't talk to another. In this case, the problem was caused by two halves of the same program, the CATIA software that is used to design and assemble one of the world's largest aircraft, the Airbus A380. This was a major European undertaking and, according to Business Week, the problem arose with communications between two organizations in the group: French Dassault Aviation and a Hamburg factory.

Put simply, the German system used an out-of-date version of CATIA and the French system used the latest version. So when Airbus was bringing together two halves of the aircraft, the different software meant that the wiring on one did not match the wiring in the other. The cables could not meet up without being changed.

The problem was eventually fixed, but only at a cost that nobody seems to want to put an absolute figure on. But all agreed it cost a lot, and put the project back a year or more.

5. Mars Climate Orbiter metric problem (1998)
Two spacecraft, the Mars Climate Orbiter and the Mars Polar Lander, were part of a space program that, in 1998, was supposed to study the Martian weather, climate, and water and carbon dioxide content of the atmosphere. But a problem occurred when a navigation error caused the lander to fly too low in the atmosphere and it was destroyed.

What caused the error? A sub-contractor on the NASA program had used imperial units (as used in the U.S.), rather than the NASA-specified metric units (as used in Europe).

6. EDS and the Child Support Agency (2004)
Business services giant EDS waded in with this spectacular disaster, which assisted in the destruction of the U.K.'s Child Support Agency (CSA) and cost the taxpayer over a billion pounds.

EDS's CS2 computer system somehow managed to overpay 1.9 million people and underpay around 700,000, partly because the Department for Work and Pensions (DWP) decided to reform the CSA at the same time as bringing in CS2.

Edward Leigh, chairman of the Public Accounts Committee, was outraged when the National Audit Office subsequently picked through the wreckage: "Ignoring ample warnings, the DWP, the CSA and IT contractor EDS introduced a large, complex IT system at the same time as restructuring the agency. The new system was brought in and, as night follows day, stumbled and now has enormous operational difficulties."

7. The two-digit year-2000 problem (1999/2000)
Many IT vendors and contractors did very well out of the billions spent to avoid what many feared would be the disaster related to the Millennium Bug. Rumors of astronomical contract rates and retainers abounded. And the sound of clocks striking midnight in time zones around the world was followed by... not panic, not crashing computer systems, in fact nothing more than New Year celebrations.

So why include it here? That the predictions of doom came to naught is irrelevant, as we're not talking about the disaster that was averted, but the original disastrous decision to use two digits for the date field in computer programs, and to keep using them for longer than was either necessary or prudent. A report by the House of Commons Library pegged the cost of fixing the bug at £400 billion. And that is why the Millennium Bug deserves a place in the top 10.

8. When the laptops exploded (2006)
It all began simply, but certainly not quietly, when a laptop manufactured by Dell burst into flames at a trade show in Japan. There had been rumors of laptops catching fire, but the difference here was that the Dell laptop managed to do it in the full glare of publicity and video captured it in full color.

(Unfortunately, the video capturing the incident appears to have vanished from the web. If you happen to own a copy, please send it to us as it should make interesting viewing again.)

"We have captured the notebook and have begun investigating the event," Dell spokeswoman Anne Camden reported at the time, and investigate Dell did. At the end of these investigations the problem was traced to an issue with the battery/power supply on the individual laptop that had overheated and caught fire.

It was an expensive issue for Dell to sort out. As a result of its investigation Dell decided that it would be prudent to recall and replace 4.1m laptop batteries.

Company chief executive Michael Dell eventually laid the blame for the faulty batteries with the manufacturer of the battery cells--Sony. But that wasn’t the end of it. Apple reported issues for iPods and Macbooks and many PC suppliers reported the same. Matsushita alone has had to recall around 54 million devices. Sony estimated at the time that the overall cost of supporting the recall programs of Apple and Dell would amount to between ¥20 billion (£90m) and ¥30 billion.

9. Siemens and the passport system (1999)
It was the summer of 1999, and half a million British citizens were less than happy to discover that their new passports couldn't be issued on time because the Passport Agency had brought in a new Siemens computer system without sufficiently testing it and training staff first. Hundreds of people missed their holidays and the Home Office had to pay millions in compensation, staff overtime and umbrellas for the poor people queuing in the rain for passports. But why such an unexpectedly huge demand for passports? The law had recently changed to demand, for the first time, that all children under 16 had to get one if they were traveling abroad.

Tory MP Anne Widdecombe summed it up well while berating the then home secretary, Jack Straw, over the fiasco: "Common sense should have told him that to change the law on child passports at the same time as introducing a new computer system into the agency was storing up trouble for the future."

10. LA Airport flights grounded (2007)
Some 17,000 planes were grounded at Los Angeles International Airport earlier this year because of a software problem. The problem that hit systems at the United States Customs and Border Protection (USCBP) agency was a simple one, caused by a piece of lowly, inexpensive equipment.

The device in question was a network card that, instead of shutting down as perhaps it should have done, persisted in sending the incorrect data out across the network. The data then cascaded out until it hit the entire network at the USCBP and brought it to a standstill. Nobody could be authorized to leave or enter the U.S. through the airport for eight hours. Passengers were not impressed.

Monday, November 26, 2007

Security Feature of Microsoft's new IM version Leaked

Windows Live Messenger 9.0 will feature SPIM, a new security feature that reports users who send unsolicited messages

Microsoft's next version of its instant messenger application will have a new security feature to report users who send unsolicited messages, known as SPIM (spam over IM).

That's one of several new features in Windows Live Messenger 9.0, which was released to some private beta testers on Tuesday, according to Liveside.net, a site that focuses on Microsoft's Live brand of Web-based applications.

The problem with SPIM is that it's annoying and, at worst, dangerous. The tricky part is that the hacker may have obtained someone's IM account details, so it appears that a genuine contact is sending the messages.

After compiling a list of IM contacts, hackers try to trick users into clicking links. Those links can often launch an unwanted installation of spyware or other malware via browser vulnerability or other security hole.

Further details on Microsoft's reporting tool were not available. However, other IM products on the market use reporting tools to compile blacklists of known IM spammers in order to block them.

Liveside published other new details of Messenger 9.0 on Wednesday but then deleted the post on Thursday. It wasn't entirely clear why the site decided to delete the post, but it could be retrieved via Google's cache.

Liveside said other new features include the ability to stay signed into the application from several computers, called Multiple Points of Presence Support. In the previous 8.5 version, users are automatically signed out of the application if they log in to the application on a new machine.

Other new features Liveside said will be in version 9.0 include:

-- Animated .GIF files can be used in the display photo area.

-- Allows users to associate a specific sound with an action performed by one of their contacts.

-- URLs (Uniform Resource Locators) can be clicked on in the status area.

Friday, November 23, 2007

How To Choose the Right Data Recovery Software

Data recovery is the process of making available again lost or damaged data that was previously held on a hard drive or diskette, whether it was lost through accidental deletion or because the disk was physically damaged by shock. Data recovery was a feature available in older systems running the MS-DOS 6 operating system.

However, the arrival of 32-bit architecture in PC processors, later upgraded to 64 bits, superseded this functionality. When data is lost, the opportunity to recover valuable or sensitive information is not lost at all: computer data recovery software can do the job.

This type of software helps people retrieve lost or inaccessible files from almost any imaginable data loss scenario, without the need to send the hard drive to a specialized technical service.

Computer data recovery software makes the rescue of a file possible more often than most people might think. Like the old MS-DOS utility, modern applications can undelete not only accidentally deleted files but also whole partitions, even when the deletion was caused by a power failure, a software failure or a virus attack.

Choose the right data recovery software for your needs. Some applications can get your files back using different utilities after the disk command, while others can retrieve the data even if the hard drive has been formatted.

System restore is another function handled by computer data recovery software. Whether the problem is a logical hard drive failure or RAID reconstruction and recovery, data recovery is possible even when your system does not recognize the drive to be rescued.

The key to choosing the right software is taking some time to research. Recognize when your data recovery problem is beyond your immediate control: even if you have old undelete software installed, most of the time it will not work, because such tools were programmed for systems built on 16-bit architecture.

Double check what each computer data recovery product offers, and be wary of those claiming to recover your files in ways beyond all limits of reality; as the saying goes, "if something looks too good to be true, it probably is."

Data recovery is not a matter of a high price; in fact, sometimes smaller and cheaper or freeware programs can recover files as well as the costly versions that take up gigabytes. However, most of these small gems can usually perform only a few tasks compared with large, full-featured versions.

Again, make sure you do research and comparison before deciding on the best computer data recovery software to fit your needs.

Overcoming SQL Server Sprawl

Quest Software

With the success of SQL Server, a new trend has emerged: a server for each application. The result is the uncoordinated deployment of tens, hundreds or even thousands of database servers -- also known as “SQL Server sprawl”. For many IT departments, this means low levels of performance and poor availability.

Get started on an effective consolidation project by joining SQL Server MVP, Kevin Kline for an archived webcast. Kevin explores the major risks, considerations and activities in streamlining your SQL Server environment. You’ll find out why consolidation ultimately saves significant amounts of time and money, while yielding big efficiency benefits.

Webcast: Stop the Sprawl with Kevin Kline: Is Server Consolidation Right for Your Organization?

Archived Webcast from
Wednesday, October 24/07

Wednesday, November 21, 2007

What If Gmail Had Been Designed by Microsoft?

Today I want to ponder the question: what if Microsoft, not Google, had created Gmail? What would be the differences in that web mail client for users today? What if we apply some of the same design rules that brought us Hotmail, for instance?

To start, here’s the current Gmail homepage after you log-in:

First of all, we need to rebrand the application name to something longer. Let’s call this Windows Live Gmail, and add some of the visual elements connected with Windows. Also, as in Hotmail, there needs to be less space for the email subjects to make place for a reading pane, which is full of verbose explanatory help text*:

*Not shown in the screenshot, we’ll also throw in a security measurement that will prevent you from clicking on links in emails, unless you discovered the switch to mark a mail as safe. Another security measurement we’ll add is that you won’t be able to log-in with just username anymore but are required to enter the full username@gmail.com. Furthermore, we will change the browser URL from http://gmail.microsoft.com to the more professional looking http://by114w.bay114.gmail.live.com/mail/mail.aspx?rru=home.

For another design iteration in our inbox, we will need to camouflage the checkboxes next to the messages by putting a mail icon on top of them. Also, we need to break up messages from conversation threads into their individual parts. Furthermore, this version of Gmail needs to change from context-aware text ads to context-unaware graphic banners, which we’ll require to carry at least one clip art. Gmail currently has a chat box which I don’t use and thus find annoying, so I think we can build on that and expand it to a more full-featured chat widget, replacing the labels box. We’ll also adjust the spam filter slightly to show a couple of more bulk mails in the inbox:

There’s still not enough banner space available though, so let’s add a top row for ads and move the rest a bit more down. Also, to go back to the real Microsoft spirit, the inbox will now carry a maximum of 2 MB of messages – that was the amount Hotmail offered when Gmail was released with 1 GB in April 2004. Also, Microsoft-style, the actual start page of this service will not be the inbox, but a “welcome” splash screen. Please imagine the ads blinking at this point:

Somehow, this still misses part of the Microsoft feeling – the current design is just too bright & light, and it doesn’t have enough glamor. I’ll darken the colors a bit and add some smooth shades. Also, admittedly, Hotmail is a bit slower than Google’s competing service, so we’ll add some “loading” messages. Usually there’s less focus on unclutteredness with the Redmond guys, so we’ll add some MSN news bits and “special offers” where space is left. Plus, to increase user lock-in, let’s get rid of the “sign out” link. I’m also putting less emphasis on search, moving the box to the bottom right and replacing it with a dog:

Tuesday, November 20, 2007

Internet could run out of capacity in two years

Nemertes Research Group has published a study indicating that consumer and corporate demands on the Internet could outstrip capacity very soon

By Grant Gross, IDG News Service
November 19, 2007

Consumer and corporate use of the Internet could overload the current capacity and lead to brown-outs in two years unless backbone providers invest billions of dollars in new infrastructure, according to a study released Monday.

A flood of new video and other Web content could overwhelm the Internet by 2010 unless backbone providers invest up to $137 billion in new capacity, more than double what service providers plan to invest, according to the study, by Nemertes Research Group, an independent analysis firm. In North America alone, backbone investments of $42 billion to $55 billion will be needed in the next three to five years to keep up with demand, Nemertes said.

The study is the first to "apply Moore's Law (or something very like it) to the pace of application innovation on the 'Net," the study says. "Our findings indicate that although core fiber and switching/routing resources will scale nicely to support virtually any conceivable user demand, Internet access infrastructure, specifically in North America, will likely cease to be adequate for supporting demand within the next three to five years."

The study confirms long-time concerns of the Internet Innovation Alliance (IIA), an advocacy group focused on upgrading U.S. broadband networks, said Bruce Mehlman, co-chairman of the group. The group, with members including AT&T, Level 3 Communications, Corning, Americans for Tax Reform, and the American Council of the Blind, has been warning people of the coming "exaflood" of video and other Web content that could clog its pipes.

The study gives "good, hard, unique data" on the IIA concerns about network capacity, Mehlman said. The Nemertes study suggests demand for Web applications like streaming and interactive video, peer-to-peer file transfers, and music downloads will accelerate, creating a demand for more capacity. Close to three quarters of U.S. Internet users watched an average of 158 minutes of video in May and viewed more than 8.3 billion video streams, according to research from comScore, an analysis group.

Internet users will create 161 exabytes of new data this year, and this exaflood is a positive development for Internet users and businesses, IIA says. An exabyte is 1 quintillion bytes or about 1.1 billion gigabytes. One exabyte is the equivalent of about 50,000 years of DVD-quality video.

Carriers and policy makers need to be aware of this demand, Mehlman added.

"Video has unleashed an explosion of Internet content," Mehlman said. "We think the exaflood is generally not well understood and its investment implications not well defined."

The responsibility for keeping up with this growing demand lies with backbone providers and national policy makers, added Mehlman, also executive director of the Technology CEO Council, a trade group, and a former assistant secretary of technology policy in the U.S. Department of Commerce.

"It takes a digital village," he said. "Certainly, infrastructure providers have plenty to do. You've seen billions in investment, and you're seeing ongoing billions more."

U.S. lawmakers can also help in several ways, he said. For example, the U.S. Congress could require that home contractors who receive government assistance for building affordable housing include broadband connections in their houses, he said. Congress could also provide tax credits to help broadband providers add more capacity, he said.

Consumers also pay high taxes for telecommunication services, averaging about 13 percent on some telecom services, similar to the tax rate on tobacco and alcohol, Mehlman said. One tax on telecom service has remained in place since the 1898 Spanish-American War, when few U.S. residents had telephones, he noted.

"We think it's a mistake to treat telecom like a luxury and tax it like a sin," he said.

Monday, November 19, 2007

7 Tips To Starting A Successful Small Business

Getting a small business off the ground is challenging to say the least. Here are some tips which will prepare the ground for running a successful small business.

Have Goals

This is where it all starts - the foundation for success. Know exactly where you are heading. What will the business 'look' like in the future? How will you know when your business is a success? When you wake up in the morning, do you know what actions you have to take to get you on the road to success?

Take Action

The difference between success and failure is down to the actions you take. The failures in life are the people who know what they have to do but never do it. The successful small business owners are people who take action on their ideas, ones who never say, "I wish I had done..."

Seek Feedback

There is a saying that feedback is the breakfast of champions. During the early days of your business you must continually seek feedback about all aspects of your business. What works? What doesn't work? What needs changing slightly? Speak to customers, suppliers, your bank manager, your accountant - anyone who can provide you with a fresh perspective.

Find Out What You Don't Know

You can't expect to know everything about running a business. Undertake your own skills analysis and find out your areas for development. Once you know your knowledge gaps seek out courses, books and advice, which will get you on track.

Be Focused

Let no one distract you from achievement of your goals. At the start of every day get yourself into the frame of mind that you will only do tasks which will get you closer to your goal - nothing else matters.

Take Risks!

You will never achieve anything if you're not prepared to jump off the cliff a few times! We're not talking about risks which will put the business in jeopardy; just risks which are planned and thought out, yet at the same time test the edge!

Think Positive

Yes, the oldest cliché in the book, but totally true. See the positive in everything. If something has not gone right, train yourself to ask, "What good has come out of this?" Understand that in every problem there is potential for good.

© Robert Warlow Small Business Success

Seven Ways To Enhance Organizational Culture

As a young employee I was transferred to work in an office tower in downtown San Francisco. I wasn't the only person to arrive in this new office space - the group had changed significantly due to reorganization and many of us were working together for the first time.

My boss, the Marketing Manager, asked me to help him with some unusual projects. First, I organized an ugly tie contest. Next, we created a puzzle where everyone told me their fantasy identity (who they would be if they could be anyone) and I created a quiz. People had several days to try to figure out who was who. This culminated in a party and the revealing of all the secret identities (and prizes for those who had done the best guessing).

Along with many other events, we eventually instituted the first casual Friday in this company (hey, this was 1987).

At the time I knew what was happening and why it was important to the development of the culture in this organization. But I didn't understand it the way I do now. . .

For a whole variety of reasons, organizational culture is important to the health or viability of any organization.

It is one thing to know something is important. It is another thing entirely to know what to do about it. This article will give you some specific things you can do to act on the importance of your organizational culture.

Get help. Wherever you sit in the organizational structure or hierarchy you can impact organizational culture in a positive (or negative - but why would you want to do that?) way. Admittedly, if you are in a position of leadership, it might be easier, but we can all have an impact. But we can't do it alone. Form a team of like minded, interested and enthusiastic people, and get them on board with developing and enhancing your culture.

Get a vision. Get your team to discuss the current culture. Define the parts of the culture that are already great and need to be supported. And honestly determine where the culture could use some polishing. Then create a vision of the culture you want to create, taking into account the entire current picture -the warts and the beauty marks.

Get strategic. Your team will recognize that this is important - you've picked people who already understand that and you have developed a deeper understanding as you created a vision of a desired future culture. Help everyone understand - the team and organizational leadership - that this isn't a band-aid, quick fix; but an ongoing, strategic intention to build a more attractive culture that fits the needs of the organization.

Get people excited. Chances are your culture team will be excited. If not, get them excited! Help the team recognize that not everyone else in the organization is going to think that these efforts are worthwhile immediately. Remember that enthusiasm is contagious. Do what you can to keep the enthusiasm of your team high. If their excitement falters, remind them of the vision they created to re-invigorate them.

Get a champion. That person may be you, or it may be someone else on the team. In my case, I took on an alter ego of the "phun phantom." While a moniker might not be necessary, a point person, whether anonymous or not, is important. Culture change is like any other change - it requires champions. The champion needs to be someone who is passionate about creating the new culture. As in my case, this might be a perfect role for a young energetic person, but don't assign the role. The best champions will rise up and "select" themselves.

Get started. Yes, I have listed the first five suggestions in a chronological order. But that doesn't mean you can't do something today, as soon as you finish reading this article or right now. You already know some things that need to change in your culture, so role model one of them starting immediately. Maybe your first step is to invite a couple of people to lunch that you think might want to be on your team. Whatever your first step is - do it.

Get momentum on your side. Any change will have a greater chance of success with momentum. Don't form your team today if you don't think you'll be able to get them going quickly. Don't think of this as something that can be done in a couple of weeks. A single event that you hope will permanently change the culture - won't. In fact, it might have the opposite effect entirely. Get started but be committed to building momentum and staying with it. It will be one of the most rewarding efforts you and your team will ever engage in.

I haven't given you specific cultural events to try. Why? Because I don't know what kind of changes you want to create. In my case we were trying to create higher levels of camaraderie and more fun in the workplace. You may have that and may want to enhance your culture in completely different ways. You and your team will figure out what to do. This list is meant to help you figure those things out for yourselves.

These seven things are by no means a complete list - but they are a great place to start. And getting started is the most important next step of all.

Sunday, November 18, 2007

Visual Studio 2008 Is Really Imminent

By Darryl K. Taft
November 17, 2007

Microsoft will ship its latest developer tool set as soon as Nov. 19 and by the end of November at the latest.

Microsoft has signed off on Visual Studio 2008 and is expected to release it early next week—on Nov. 19, sources said.

Earlier this month Microsoft committed to ship Visual Studio 2008, formerly code-named Orcas, by the end of November. The company is making good on that commitment and is expected to have Visual Studio RTM (release to manufacturing) on Nov. 19, according to sources and Microsoft blogs. The tool-set will be available on the MSDN (Microsoft Developer Network).

According to the MSDN Subscriptions WebLog, an ongoing blog run by the managers of the online and offline MSDN Subscription program, the release of the software is imminent. "Visual Studio 2008 is anticipated out early next week, with availability for subscribers," the MSDN blog said in a late-night post on Nov. 16. "Check out the 'Top Subscriber Downloads' area on http://msdn2.microsoft.com/subscriptions for VS 2008 downloads."

Visual Studio 2008 and the .Net Framework 3.5 enable developers at all levels to rapidly create connected applications for Windows Vista, Windows Server 2008, the 2007 Microsoft Office system, mobile devices and the Web.

Microsoft's Visual Studio Team System is also expected to ship by the end of November.

In a blog post from Nov. 7, Jeff Beehler, Team System chief of staff, said: "We're very close to shipping Team System 2008 and expect to make it available by the end of this month. This will include all of the team editions (Development, Database, Test, Architect, Suite) as well as the Load Test Agent and of course Team Foundation Server."

Saturday, November 17, 2007

The 30 Top Paying Jobs in IT

By Eric Chabrow

No one is surprised that CIOs are the highest paid IT professionals, with a projected average annual salary of between $126,750 and $210,000 in 2008. But, 30 other IT titles also are projected to have average annual salaries that will top $100,000 next year, according to the just-released Robert Half Technology 2008 Salary Guide.

Robert Half Technology, an IT staffing firm, projects that nine new occupations will for the first time have starting salaries averaging, on the high end of the range, in six figures:


* Business Continuity Analyst, $100,250;
* IT Auditor, $102,750;
* Data Modeler, $103,000;
* Network Security Administrator, $103,000;
* Systems Security Administrator, $103,500;
* Data Security Analyst, $104,000;
* Data Warehouse Analysts, $104,250;
* Software Engineer, $104,500.


10 Top Paying IT Jobs for 2008

Here are the average salary ranges for the top 10 paying IT job titles in 2008, as projected by Robert Half Technology.
                                                  Average salary range
Title                                             Low        High
Chief Information Officer                         $126,750   $210,000
Vice President/Information Technology             $112,250   $166,250
Chief Technology Officer                          $107,250   $165,250
Chief Security Officer                            $100,750   $150,000
Consulting/Systems Integration Director           $93,240    $137,500
Consulting/Systems Integration Practice Manager   $92,500    $125,500
Database Manager                                  $88,750    $122,750
Information Technology Manager                    $86,750    $122,000
Data Warehouse Manager                            $90,750    $120,750
Applications Architect                            $87,250    $120,000

The 30 Six-Figure IT Jobs

Here are the 30 IT job titles with high-range average salaries topping $100,000 in 2008, according to Robert Half Technology:

* Applications Architect
* Applications Development Manager
* Applications Development Project Manager
* Business Continuity Analyst
* Business Intelligence Analyst
* Chief Information Officer
* Chief Security Officer
* Chief Technology Officer
* Consulting and Systems Integration Director
* Consulting and Systems Integration Practice Manager
* Consulting and Systems Integration Project Manager/Senior Consultant
* Data Architect
* Data Modeler
* Data Security Analyst
* Data Warehouse Analyst
* Data Warehouse Manager
* Database Administrator
* Database Developer
* Database Manager
* Information Technology Manager
* IT Auditor
* Lead Applications Developer
* Network Architect
* Network Security Administrator
* Senior IT Auditor
* Senior Web Developer
* Software Development Project Manager
* Software Engineer
* Systems Security Administrator
* Vice President/Information Technology

Thursday, November 15, 2007

The top 10 reasons Web sites get hacked

Experts say the people who actually build Web applications aren't paying much attention to security; a non-profit group is trying to solve that

By Jon Brodkin, Network World
October 05, 2007

Web security is at the top of customers' minds after many well-publicized personal data breaches, but the people who actually build Web applications aren't paying much attention to security, experts say.

"They're totally ignoring it," says IT consultant Joel Snyder. "When you go to your Web site design team, what you're looking for is people who are creative and able to build these interesting Web sites... That's No. 1, and No. 9 on the list would be that it's a secure Web site."

The biggest problem is designers aren't building walls within Web applications to partition and validate data moving between parts of the system, he says.

Security is usually something that's considered after a site is built rather than before it is designed, agrees Khalid Kark, senior analyst at Forrester.

"I'd say the majority of Web sites are hackable," Kark says. "The crux of the problem is security isn't thought of at the time of creating the application."

That's a big problem, and it's one the nonprofit Open Web Application Security Project (OWASP) is trying to solve. An OWASP report called "The Ten Most Critical Web Application Security Vulnerabilities" was issued this year to raise awareness about the biggest security challenges facing Web developers.

The first version of the list was released in 2004, but OWASP Chairman Jeff Williams says Web security has barely improved. New technologies such as AJAX and Rich Internet Applications that make Web sites look better also create more attack surfaces, he says. Convincing businesses their Web sites are insecure is no easy task, though.

"It's frustrating to me, because these flaws are so easy to find and so easy to exploit," says Williams, who is also CEO and co-founder of Aspect Security. "It's like missing a wall on a house."

Here is a summary of OWASP's top 10 Web vulnerabilities, including a description of each problem, real-world examples and how to fix the flaws.

1. Cross site scripting (XSS)

The problem: The "most prevalent and pernicious" Web application security vulnerability, XSS flaws happen when an application sends user data to a Web browser without first validating or encoding the content. This lets hackers execute malicious scripts in a browser, letting them hijack user sessions, deface Web sites, insert hostile content and conduct phishing and malware attacks.

Attacks are usually executed with JavaScript, letting hackers manipulate any aspect of a page. In a worst-case scenario, a hacker could steal information and impersonate a user on a bank's Web site, according to Snyder.

Real-world example: PayPal was targeted last year when attackers redirected PayPal visitors to a page warning users their accounts had been compromised. Victims were redirected to a phishing site and prompted to enter PayPal login information, Social Security numbers and credit card details. PayPal said it closed the vulnerability in June 2006.

How to protect users: Use a whitelist to validate all incoming data, which rejects any data that's not specified on the whitelist as being good. This approach is the opposite of blacklisting, which rejects only inputs known to be bad.

Additionally, use appropriate encoding of all output data. "Validation allows the detection of attacks, and encoding prevents any successful script injection from running in the browser," OWASP says.
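The two-step defence OWASP describes, whitelist validation followed by context-specific output encoding, as an added example in Python (not code from the article or from OWASP). The field names, patterns and page fragments are constructed for illustration.

```python
import html
import re

# Whitelist of acceptable input shapes, one pattern per field. A value that does
# not match is rejected outright; nothing is "cleaned up", which is the opposite
# of a blacklist that only strips inputs already known to be bad.
WHITELIST = {
    "display_name": re.compile(r"[A-Za-z' .-]{1,40}"),
    "order_id": re.compile(r"[0-9]{1,12}"),
}


def is_allowed(field, value):
    """Validation step: True only if value matches the whitelist pattern for field."""
    pattern = WHITELIST.get(field)
    return pattern is not None and pattern.fullmatch(value) is not None


def encode_html(value):
    """Encoding step for an HTML text or attribute context
    (ampersand, angle brackets and both quote characters become entities)."""
    return html.escape(value, quote=True)


def encode_js_string(value):
    """Encoding step for a JavaScript string literal: every non-alphanumeric
    character becomes \\xHH or \\uHHHH, so quotes and a closing </script> are inert."""
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append("\\u%04x" % ord(ch))
    return "".join(out)


def render_profile_unsafe(display_name):
    """The flaw as the article describes it: user data reaches the browser untouched."""
    return "<p>Welcome, %s!</p>" % display_name


def render_profile(display_name):
    """Hardened version: reject anything off the whitelist (this is where an attack
    is detected), then encode for the exact context each copy is written into."""
    if not is_allowed("display_name", display_name):
        return "<p>Invalid name.</p>"
    return ("<p>Welcome, %s!</p>\n<script>var who = '%s';</script>"
            % (encode_html(display_name), encode_js_string(display_name)))


def render_comment(text):
    """Free text cannot be whitelisted tightly, so output encoding is what keeps
    a pasted <script> block from running: it is displayed as text, not executed."""
    return '<div class="comment">%s</div>' % encode_html(text)
```

A legitimate name such as O'Brien passes validation and is still encoded, which is why the two steps are not interchangeable.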

2. Injection flaws

The problem: When user-supplied data is sent to interpreters as part of a command or query, hackers trick the interpreter -- which interprets text-based commands -- into executing unintended commands. "Injection flaws allow attackers to create, read, update, or delete any arbitrary data available to the application," OWASP writes. "In the worst-case scenario, these flaws allow an attacker to completely compromise the application and the underlying systems, even bypassing deeply nested firewalled environments."

Real-world example: Russian hackers broke into a Rhode Island government Web site to steal credit card data in January 2006. Hackers claimed the SQL injection attack stole 53,000 credit card numbers, while the hosting service provider claims it was only 4,113.

How to protect users: Avoid using interpreters if possible. "If you must invoke an interpreter, the key method to avoid injections is the use of safe APIs, such as strongly typed parameterized queries and object relational mapping libraries," OWASP writes.
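The difference between a query built by string formatting and the strongly typed parameterized query OWASP recommends, as an added Python example against an in-memory SQLite table (constructed here; not the Rhode Island application or any code from the article).

```python
import sqlite3


def make_card_db():
    """Constructed in-memory table standing in for the card data in the story."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (id INTEGER PRIMARY KEY, owner TEXT, number TEXT)")
    conn.executemany(
        "INSERT INTO cards (owner, number) VALUES (?, ?)",
        [("alice", "4111-xxxx-xxxx-0001"), ("bob", "4111-xxxx-xxxx-0002")],
    )
    return conn


def cards_for_owner_unsafe(conn, owner):
    """The injection flaw: the user's text is pasted into the command, so the SQL
    interpreter cannot tell where the data ends and the query resumes."""
    sql = "SELECT number FROM cards WHERE owner = '%s'" % owner
    return [row[0] for row in conn.execute(sql)]


def cards_for_owner(conn, owner):
    """Parameterized query: the value travels separately from the SQL text and is
    only ever treated as a string, whatever characters it contains."""
    rows = conn.execute("SELECT number FROM cards WHERE owner = ?", (owner,))
    return [row[0] for row in rows]


# Constructed input that is not a valid owner name but changes the meaning of the
# formatted query; the bound version simply finds no such owner.
TAMPERED_INPUT = "x' OR '1'='1"


def compare(conn):
    """Returns (rows from the formatted query, rows from the bound query)."""
    return cards_for_owner_unsafe(conn, TAMPERED_INPUT), cards_for_owner(conn, TAMPERED_INPUT)
```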

3. Malicious file execution

The problem: Hackers can perform remote code execution, remote installation of rootkits, or completely compromise a system. Any type of Web application is vulnerable if it accepts filenames or files from users. The vulnerability may be most common with PHP, a widely used scripting language for Web development.

Real-world example: A teenage programmer discovered in 2002 that Guess.com was vulnerable to attacks that could steal more than 200,000 customer records from the Guess database, including names, credit card numbers and expiration dates. Guess agreed to upgrade its information security the next year after being investigated by the Federal Trade Commission.

How to protect users: Don't use input supplied by users in any filename for server-based resources, such as images and script inclusions. Set firewall rules to prevent new connections to external Web sites and internal systems.

4. Insecure direct object reference

The problem: Attackers manipulate direct object references to gain unauthorized access to other objects. It happens when URLs or form parameters contain references to objects such as files, directories, database records or keys.

Banking Web sites commonly use a customer account number as the primary key, and may expose account numbers in the Web interface.

"References to database keys are frequently exposed," OWASP writes. "An attacker can attack these parameters simply by guessing or searching for another valid key. Often, these are sequential in nature."

Real-world example: An Australian Taxation Office site was hacked in 2000 by a user who changed a tax ID present in a URL to access details on 17,000 companies. The hacker e-mailed the 17,000 businesses to notify them of the security breach.

How to protect users: Use an index, indirect reference map or another indirect method to avoid exposure of direct object references. If you can't avoid direct references, authorize Web site visitors before using them.
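One added Python example covering both the file-inclusion advice under No. 3 (never build a server path from user input) and the indirect reference map advice under No. 4. It is illustration code, not from the article or OWASP; the account numbers, template table and session map are constructed.

```python
import secrets

# Constructed server-side data: sequential account keys of the kind a bank might
# use, and the fixed set of templates the application is allowed to include.
ACCOUNTS = {
    "100200": {"owner": "alice", "balance": 420},
    "100201": {"owner": "bob", "balance": 175},
}
TEMPLATES = {
    "welcome": "templates/welcome.html",
    "invoice": "templates/invoice.html",
}


class IndirectReferenceMap:
    """Per-session map between opaque tokens (what the browser sees) and real
    references (what the server uses). The real key never appears in a URL, so
    there is nothing sequential to guess or increment."""

    def __init__(self):
        self._real_by_token = {}
        self._token_by_real = {}

    def reference(self, real):
        """Hand out (or reuse) the opaque token for a real reference."""
        token = self._token_by_real.get(real)
        if token is None:
            token = secrets.token_urlsafe(12)
            self._token_by_real[real] = token
            self._real_by_token[token] = real
        return token

    def resolve(self, token):
        """Map a token back, or None if the client sent something we never issued."""
        return self._real_by_token.get(token)


def account_page_unsafe(account_no):
    """Insecure direct object reference: the URL parameter is the database key."""
    return ACCOUNTS.get(account_no)


def account_page(refmap, token, current_user):
    """Indirect lookup, then an authorization check before the record is used."""
    real = refmap.resolve(token)
    if real is None:
        return None
    record = ACCOUNTS[real]
    if record["owner"] != current_user:
        return None
    return record


def include_template(name):
    """Malicious file execution defence: the user's string is an index into a fixed
    table, never part of a filesystem path. Unknown names resolve to nothing."""
    return TEMPLATES.get(name)
```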

5. Cross site request forgery

The problem: "Simple and devastating," this attack takes control of a victim's browser while it is logged onto a Web site and sends malicious requests to the Web application. Web sites are extremely vulnerable, partly because they tend to authorize requests based on session cookies or "remember me" functionality. Banks are potential targets.

"Ninety-nine percent of the applications on the Internet are susceptible to cross site request forgery," Williams says. "Has there been an actual exploit where someone's lost money? Probably the banks don't even know. To the bank, all it looks like is a legitimate transaction from a logged-in user."

Real-world example: A hacker known as Samy gained more than a million "friends" on MySpace.com with a worm in late 2005, automatically including the message "Samy is my hero" in thousands of MySpace pages. The attack itself may not have been that harmful, but it was said to demonstrate the power of combining cross site scripting with cross site request forgery. Another example that came to light one year ago exposed a Google vulnerability allowing outside sites to change a Google user's language preferences.

How to protect users: Don't rely on credentials or tokens automatically submitted by browsers. "The only solution is to use a custom token that the browser will not 'remember,'" OWASP writes.
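A custom token that the browser will not "remember", as an added Python example (not code from the article or OWASP). The token is an HMAC of the session id under a server-side secret and is carried in the form body; the request dicts standing in for HTTP requests are constructed.

```python
import hashlib
import hmac
import secrets


class CsrfProtector:
    """Issues a per-session token that lives in the page (hidden form field), not
    in a cookie, so the browser will not attach it on its own to a request that
    another site caused it to send."""

    def __init__(self, server_secret=None):
        # Secret kept on the server; the token is an HMAC of the session id under
        # it, so it needs no storage and cannot be computed by a third-party page.
        self._secret = server_secret or secrets.token_bytes(32)

    def token_for(self, session_id):
        return hmac.new(self._secret, session_id.encode(), hashlib.sha256).hexdigest()

    def verify(self, session_id, submitted):
        if not submitted:
            return False
        return hmac.compare_digest(self.token_for(session_id), submitted)


def render_transfer_form(protector, session_id):
    """The legitimate page embeds the token in the form it renders."""
    return ('<form method="post" action="/transfer">'
            '<input type="hidden" name="csrf_token" value="%s"></form>'
            % protector.token_for(session_id))


def handle_transfer(protector, request):
    """request is a constructed dict: the session cookie the browser attached
    automatically, plus the posted form fields."""
    session_id = request.get("cookie")
    form = request.get("form", {})
    if not session_id:
        return "rejected: not logged in"
    # The session cookie alone says nothing about who built the request;
    # only the token from our own page does.
    if not protector.verify(session_id, form.get("csrf_token")):
        return "rejected: missing or bad CSRF token"
    return "transferred %s to %s" % (form["amount"], form["to"])
```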

6. Information leakage and improper error handling

The problem: Error messages that applications generate and display to users are useful to hackers when they violate privacy or unintentionally leak information about the program's configuration and internal workings.

"Web applications will often leak information about their internal state through detailed or debug error messages. Often, this information can be leveraged to launch or even automate more powerful attacks," OWASP says.

Real-world example: Information leakage goes well beyond error handling, applying also to breaches occurring when confidential data is left in plain sight. The ChoicePoint debacle in early 2005 thus falls somewhere in this category. The records of 163,000 consumers were compromised after criminals pretending to be legitimate ChoicePoint customers sought details about individuals listed in the company's database of personal information. ChoicePoint subsequently limited its sales of information products containing sensitive data.

How to protect users: Use a testing tool such as OWASP's WebScarab Project to see what errors your application generates. "Applications that have not been tested in this way will almost certainly generate unexpected error output," OWASP writes.

Another tip: disable or limit detailed error handling, and don't display debug information to users.

7. Broken authentication and session management

The problem: User and administrative accounts can be hijacked when applications fail to protect credentials and session tokens from beginning to end. Watch out for privacy violations and the undermining of authorization and accountability controls.

"Flaws in the main authentication mechanism are not uncommon, but weaknesses are more often introduced through ancillary authentication functions such as logout, password management, timeouts, remember me, secret question and account update," OWASP writes.

Real-world example: Microsoft had to eliminate a vulnerability in Hotmail that could have let malicious JavaScript programmers steal user passwords in 2002. Revealed by a networking products reseller, the flaw was vulnerable to e-mails containing Trojans that altered the Hotmail user interface, forcing users to repeatedly reenter their passwords and unwittingly send them to hackers.

How to protect users: Communication and credential storage both have to be secure. The SSL protocol for transmitting private documents should be the only option for authenticated parts of the application, and credentials should be stored in hashed or encrypted form.

Another tip: get rid of custom cookies used for authentication or session management.
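Storing credentials in hashed form, as an added Python example (not code from the article). It uses a salted, iterated PBKDF2 hash and a constant-time comparison; the user records and passwords are constructed.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; raise it as hardware gets faster


def hash_password(password, salt=None):
    """Store a salted, iterated hash rather than the password itself."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(stored, candidate):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(expected, actual)


# Constructed user store. The insecure shape keeps the secret itself; the hardened
# shape keeps only something that cannot be turned back into the password.
USERS_PLAINTEXT = {"alice": "correct horse battery"}
USERS_HASHED = {"alice": hash_password("correct horse battery")}

# Verified for unknown usernames so a lookup miss costs the same time as a hit.
DUMMY_HASH = hash_password("not-a-real-password")


def login(username, password):
    """Authenticate against the hashed store; the plaintext dict is never consulted."""
    record = USERS_HASHED.get(username)
    if record is None:
        verify_password(DUMMY_HASH, password)
        return False
    return verify_password(record, password)
```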

8. Insecure cryptographic storage

The problem: Many Web developers fail to encrypt sensitive data in storage, even though cryptography is a key part of most Web applications. Even when encryption is present, it's often poorly designed, using inappropriate ciphers.

"These flaws can lead to disclosure of sensitive data and compliance violations," OWASP writes.

Real-world example: The TJX data breach that exposed 45.7 million credit and debit card numbers. A Canadian government investigation faulted TJX for failing to upgrade its data encryption system before it was targeted by electronic eavesdropping starting in July 2005.

Furthermore, generate keys offline, and never transmit private keys over insecure channels.

It's pretty common to store credit card numbers these days, but with a Payment Card Industry Data Security Standard https://www.pcisecuritystandards.org/ compliance deadline coming next year, OWASP says it's easier to stop storing the numbers altogether.

9. Insecure communications

The problem: Similar to No. 8, this is a failure to encrypt network traffic when it's necessary to protect sensitive communications. Attackers can access unprotected conversations, including transmissions of credentials and sensitive information. For this reason, PCI standards require encryption of credit card information transmitted over the Internet.

Real-world example: TJX again. Investigators believe hackers used a telescope-shaped antenna and laptop computer to steal data exchanged wirelessly between portable price-checking devices, cash registers and store computers, the Wall Street Journal reported.

"The $17.4-billion retailer's wireless network had less security than many people have on their home networks," the Journal wrote. TJX was using the WEP encoding system, rather than the more robust WPA.

How to protect users: Use SSL on any authenticated connection or during the transmission of sensitive data, such as user credentials, credit card details, health records and other private information. SSL or a similar encryption protocol should also be applied to client, partner, staff and administrative access to online systems. Use transport layer security or protocol level encryption to protect communications between parts of your infrastructure, such as Web servers and database systems.

10. Failure to restrict URL access

The problem: Some Web pages are supposed to be restricted to a small subset of privileged users, such as administrators. Yet often there's no real protection of these pages, and hackers can find the URLs by making educated guesses. Say a URL refers to an ID number such as "123456." A hacker might say 'I wonder what's in 123457?' Williams says.

The attacks targeting this vulnerability are called forced browsing, "which encompasses guessing links and brute force techniques to find unprotected pages," OWASP says.

Real-world example: A hole on the Macworld Conference & Expo Web site this year let users get "Platinum" passes worth nearly $1,700 and special access to a Steve Jobs keynote speech, all for free. The flaw was code that evaluated privileges on the client but not on the server, letting people grab free passes via JavaScript on the browser, rather than the server.

How to protect users: Don't assume users will be unaware of hidden URLs. All URLs and business functions should be protected by an effective access control mechanism that verifies the user's role and privileges. "Make sure this is done ... every step of the way, not just once towards the beginning of any multistep process," OWASP advises.
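Server-side access control applied on every route and at every step of a multistep flow, as an added Python example (not code from the article, OWASP or the Macworld site). The roles, privileges and routes are constructed for a conference registration site.

```python
import functools

# Constructed role model for a conference registration site.
PRIVILEGES = {
    "admin": {"view_reports", "issue_pass", "manage_users"},
    "staff": {"view_reports"},
    "attendee": set(),
}


class Forbidden(Exception):
    pass


def require(privilege):
    """Decorator: the check runs on the server for every call of the handler."""
    def decorator(handler):
        @functools.wraps(handler)
        def wrapper(user, *args, **kwargs):
            if privilege not in PRIVILEGES.get(user.get("role"), set()):
                raise Forbidden("%s may not %s" % (user.get("name"), privilege))
            return handler(user, *args, **kwargs)
        return wrapper
    return decorator


ROUTES = {}


def route(path):
    """Registers a handler for a URL path."""
    def decorator(handler):
        ROUTES[path] = handler
        return handler
    return decorator


@route("/passes/choose")
def choose_pass(user, kind):
    """Step one of the multistep flow: anyone logged in may look at the options."""
    return "chosen %s" % kind


@route("/passes/issue")
@require("issue_pass")
def issue_pass(user, kind):
    """Step two: the privilege is checked again here, on the server, rather than
    trusting that step one (or page script in the browser) already did."""
    return "issued %s pass to %s" % (kind, user["name"])


@route("/admin/users")
@require("manage_users")
def manage_users(user):
    return "user list"


def dispatch(user, path, *args):
    """Route lookup plus access decision; a guessed URL gets 404 or 403, never data."""
    handler = ROUTES.get(path)
    if handler is None:
        return 404, "not found"
    try:
        return 200, handler(user, *args)
    except Forbidden as exc:
        return 403, str(exc)
```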

Half million database servers have no firewall

Survey finds that more databases are exposed to hackers than ever before, putting corporate data at risk, and many of these unprotected databases are also unpatched

By Robert McMillan, IDG News Service
November 14, 2007

Think your database server is safe? You may want to double-check. According to security researcher David Litchfield, there are nearly half a million database servers exposed on the Internet, without firewall protection.

Litchfield took a look at more than 1 million randomly generated IP addresses, checking them to see if he could access them on the IP ports reserved for Microsoft SQL Server or Oracle's database. The results? He found 157 SQL servers and 53 Oracle servers. Litchfield then relied on known estimates of the number of systems on the Internet to arrive at his conclusion: "There are approximately 368,000 Microsoft SQL Servers... and about 124,000 Oracle database servers directly accessible on the Internet," he wrote in his report, due to be made public next week.

This is not the first time that Litchfield, managing director of NGSSoftware, has conducted this type of research. Two years ago, he released his first Database Exposure Survey, estimating that there were about 350,000 Microsoft and Oracle databases exposed.

This 2007 version of the Database Exposure Survey is set to be published Monday on Litchfield's Databasesecurity.com Web site. IDG News was given a preliminary copy of the findings.

With no firewall, databases are exposed to hackers, putting corporate data at risk. Litchfield said that, given the amount of press generated by corporate data breaches over the past two years, it's amazing to find that there are more databases exposed than ever before. "I think it's terrible," he said in an interview. "We all run around like headless chickens following these data breach headlines... organizations out there really don't care. Why are all these sites hanging out there without the protection of a firewall?"

This year's Oracle tally is actually down from Litchfield's 2005 estimate, which counted 140,000 Oracle systems. That same study placed the SQL server total at 210,000.

The security researcher wasn't sure why Oracle's numbers had declined while Microsoft's had risen. "Microsoft's technology is certainly easier to install. Maybe the increase in SQL server numbers is simply a function of that," he said.

In the 2005 survey, Litchfield found an even larger number of the open source MySQL databases outside of the firewall. The 2007 survey does not count MySQL, however.

There was one other disturbing finding in Litchfield's 2007 survey: Many of these unprotected databases are also unpatched. In fact, 4 percent of the SQL Server databases Litchfield found were still vulnerable to the flaw that was exploited by 2003's widespread SQL Slammer worm. "People aren't protecting themselves with firewalls, and the patch levels are atrocious," he said.

About 82 percent of the SQL Servers were running older SQL Server 2000 software, and less than half of those had the product's latest Service Pack updates installed. On the Oracle side, 13 percent of the servers were running older versions of the database that no longer receive patches. These Oracle 9.0 and earlier databases are known to have security vulnerabilities, Litchfield said.

Litchfield, who wrote the proof of concept code that was eventually used by Slammer, said that this many unsecured databases is enough to sustain another worm outbreak. "There's certainly potential there," he said. "So the question is what's the likelihood? [That's] much more difficult to answer."


With reference to www.CodeProject.com