Black Hat/DefCon: Welcome to the funhouse
The Black Hat conference and its post-event, DefCon, promise to be a security funhouse in the coming week, as experts in Las Vegas seek to shock and amaze by poking holes in today's network technologies. The Web, wireless LANs, routers and desktop software may all look different reflected in the Black Hat/DefCon hall of mirrors, where security vendors will be revealing their hacker sides.
"We're showing malware we created called Jinx," says Itzik Kotler, manager of the security operations center at Radware and a presenter at Black Hat, which runs through Aug. 7. Kotler describes Jinx as attack code that can be used to take over the machines of victims using versions of Mozilla's Firefox browser that pre-date Firefox 3, Mozilla's latest release. (You might want to upgrade now if you haven't already.)
JavaScript-based Jinx can index a victim's hard drive and send back files from Macintosh, Windows or Linux-based machines to the attacker, or turn the computer into a spam machine, he says.
"It's the first proof-of-concept of such malware, with no code injection, no interfering with the kernel," says Kotler, adding the Jinx exploit code will be published for all to see. He hinted Radware is working on similar Jinx-like malware aimed at Microsoft Internet Explorer.
Why all the effort? "We believe people need to be prepared for this. There's a popular demand for Web 2.0, but it's a bad situation in that we've given huge power to browsers, but these browsers often have logic flaws that allow these attacks," Kotler says.
Vendor AirTight Networks, which makes WLAN intrusion-prevention systems, is focusing on how some wireless LAN vendors may not be implementing the IEEE's new 802.11w security standard correctly.
The 802.11w standard (Cisco calls it "management frame protection") is supposed to make WLANs resistant to denial-of-service (DoS) attacks. But AirTight will show how it's possible with some implementations of 802.11w in vendor equipment to conjure up an attack that hits WLAN access points with malformed packets, not bringing them down but triggering a disconnection response in their WLAN clients.
"This attack involves a special packet which has the effect of disconnecting the endpoint," says Pravin Bhagwat, chief technology officer at AirTight, which dubs this the "autoimmunity disorder in WLANs."
The WLAN DoS attack, which involves tampering with the MAC address at Layer 7 by sending a continuous stream of injected packets at intervals of about 30 seconds, basically results in the WLAN access point being exploited as the vector for disabling WLAN endpoints.
Some of the WLAN equipment that will be shown to be vulnerable to this attack includes that of D-Link, Cisco, Buffalo, and open-source Madwifi. Either these vendors aren't implementing 802.11w correctly or the standard will need to be improved to prevent the "autoimmune disorder" in WLANs, according to AirTight.
All about the rootkit
Cisco gear will also get pounded in another session with Core Security Technologies, which is expected to show how it's possible to install a rootkit on the Cisco IOS. A rootkit is code designed to hide from detection so someone can control processes without being noticed.
"This does assume you have access to the Cisco device because you are the administrator or somehow broke in," says Ivan Arce, chief technology officer at Core Security.
The Cisco IOS rootkit would give an attacker the ability to do things such as change how traffic passes through a Cisco device. "People don't understand it's possible to have a rootkit on IOS," says Arce, adding that Cisco is aware of the research and earlier this year issued an advisory on it.
Rootkits will be a hot topic at Black Hat as some of the world's foremost researchers on the subject reveal new discoveries they've made about subverting software.
Researcher Joanna Rutkowska, whose devastating insights into Microsoft software and rootkits impressed Black Hat audiences in the past, is expected to take on the Xen hypervisor, this time with help from colleagues.
But it doesn't stop there.
Google Gadgets, those small Web applications that allow users to customize Web pages, will be in for the Black Hat treatment, too.
"The current architecture in the security model around Google Gadgets is highly insecure," says Tom Stracener, senior security analyst at Cenzic. The Web application security assessment provider says it will prove how it's possible for Google Gadgets to take control over one another and steal information from each other.
Still, Black Hat isn't all about deconstructing security. Some experts will show how to take preventative measures to shore up perceived vulnerabilities — such as the "cold boot" encryption hack.
When Princeton University researchers earlier this year pointed out how it's possible for an attacker to swipe cryptographic keys off a computer through the cold boot technique, it sparked a debate over the safety of stored encryption keys and how they could be grabbed in memory when a machine is being turned off, particularly if subjected to cold temperatures.
"Information can take minutes or even hours to fade out on a computer," says BitArmor CEO Patrick McGregor. "There can be small pieces of information floating around." The Princeton University research generated a lot of concern that "full-disk encryption was useless," McGregor says.
But while the cold boot attack method is not particularly difficult to accomplish — "you could plug a USB drive into a laptop" to carry it out, says McGregor — the situation isn't as dire as some think. BitArmor claims to have a few basic defenses, including leveraging temperature sensors in Dell and HP computers, and a way to design a "secure enclave to protect full-disk encryption keys."
BitArmor says it is using these techniques effectively in its own products today and will share what they are at Black Hat.
Microsoft sees uptick in use of 64-bit Vista
People are beginning to use 64-bit Windows Vista on PCs in favor of the 32-bit version of the OS faster than they have previously, Microsoft said this week.
However, analysts warn the uptick may have less to do with customers' interest in a 64-bit OS and more to do with the fact that so few people have, until now, used a 64-bit client version of Windows.
A post by a member of the Vista team, Chris Flores, on the Windows Vista Team Blog claims that the installed base of 64-bit Windows Vista PCs as a percentage of all Vista systems has more than tripled in the United States in the past three months. He also wrote that worldwide adoption has more than doubled in the same time frame.
"Put more simply, usage of 64-bit Windows Vista is growing much more rapidly than 32-bit," Flores wrote, speeding up from the previously "glacial" movement toward the platform, driven mostly by "technology enthusiasts."
"Based on current trends, this growth will accelerate as the retail channel shifts to supplying a rapidly increasing assortment of 64-bit desktops and laptops," he wrote.
But don't be fooled by the numbers and think there is rampant interest among PC customers in 64-bit Vista, warned one analyst, who said that prior to Vista, use of 64-bit versions of the Windows client OS was virtually nil. "If you start from almost zero it's easy to triple," said IDC analyst Al Gillen.
He said that true adoption of 64-bit Vista — or any Windows client OS for that matter — is still a couple of years out. "Two things have to happen: people have to begin deploying Vista in a broad way, and have to believe that all of their applications are fully compatible with a 64-bit environment," Gillen said.
As for the latter, the inclusion of more peripheral drivers that are compatible with a 64-bit OS in Windows Vista Service Pack 1, released in April, may be responsible for the recent increase in 64-bit Vista users, said Mike Cherry, an analyst with Directions on Microsoft.
This adoption may continue to grow as PC makers are more comfortable putting a 64-bit version of Vista on PCs and selling them to customers now that they know third-party devices will be compatible with the OS, he added. But he still doesn't see people necessarily being "thrilled" by the idea of using 64-bit Vista.
"It's nice to see [64-bit use] tracking this way," Cherry said, then joked, "but I'm not going home to the wife and saying it's finally the time — I have to go out and buy a 64-bit Windows [PC]. I just don't think people are excited by this kind of thing the way they used to be."
He also noted that because 64-bit Windows has not had widespread adoption, "low expectations" for its use could also explain why a tripling in numbers is a big deal to Microsoft.
Flores cited better overall performance and better responsiveness when many applications are running at once as the benefit of 64-bit PCs running 64-bit editions of Vista, which typically have 4GB of memory or more. In contrast, 32-bit systems top out at about 3GB of memory, which limits their performance, he said.
However, while a 64-bit OS means better PC performance, it wouldn't really be noticeable to the "average office worker" who only uses a PC for e-mail, the Internet, and productivity applications, IDC's Gillen said.
"64-bit has some definite benefits, but it's about what kind of workloads you are pushing through your PC," he said.
Microsoft’s road to the cloud is paved with parallelism
A new whitepaper that Microsoft researchers are set to present at a conference next month sheds more light on Microsoft’s back-end cloud infrastructure.
VMware ships latest Mac virtual machine beta
VMware released Wednesday the second beta of its virtualization software, Fusion 2.0, adding such features as multiple backups, mirrored folders, and support for Mac OS X Server 10.5.
Fusion is one of the two available virtualization programs for the Macintosh — the other is Parallels' flagship Parallels Desktop for Mac — that lets users of Intel-based Macs run Windows, Linux, and other operating systems on their machines.
According to Fusion 2.0 Beta 2's release notes and a blog posted to the VMware site Wednesday, users can now take and manage multiple "snapshots," VMware's term for saved versions of a VM (virtual machine). Fusion 1.0 and Beta 1 of Fusion 2.0 allowed only one snapshot per VM. A new auto-protect tool has also been added, which takes snapshots at user-set intervals.
Other changes and additions include improvements to Unity, the Mac-Windows integration feature that lets users run Windows applications in Mac-style windows and launch Windows-formatted files with Mac applications; and to the virtual machines' support for DirectX 9.0 3D acceleration.
VMware continued to warn users of possible problems with the beta implementation of 3D acceleration, however. "Performance may still vary, depending on your graphics card and game requirements," the company told Windows gamers.
Beta 2 also lets users mirror important folders in Windows XP and Vista — Desktop, My Documents, My Music and My Pictures — by mapping them to the corresponding folders in Mac OS X. It is also the first version of Fusion to support Mac OS X Server 10.5.
Fusion 2.0 Beta 1 was released nearly three months ago; VMware, however, has not set a schedule for shipping the final product.
"We're not publicly stating a [release] timetable," said Pat Lee, a VMware senior product manager. "But we're really happy with the feature set in the beta." Lee also declined to say how many betas VMware had planned for Fusion.
Fusion 2.0 Beta 2 can be downloaded free of charge from the VMware site. Current Fusion users will receive the update at no charge when it ships.
The current production version of Fusion was last updated in late May, when VMware fixed several bugs and removed an earlier workaround no longer necessary after Apple updated Mac OS X to 10.5.3. Fusion 1.1.3 costs $79.99 for a single license, $349.99 for five seats and $699.99 for 10.
The Future of Windows: Microsoft's 'Midori' - PC Magazine
PC Magazine, 22 hours ago, by Darryl K. Taft: Microsoft has a post-Windows operating system in the works, and it is code-named Midori, sources say. What's in it for developers? …
Windows Mobile sales lower than expected
Microsoft failed to meet its Windows Mobile sales target for its fiscal year 2008, the company said on Thursday.
By June 30, when the fiscal year ended, Microsoft had managed to sell more than 18 million licenses, less than its 20 million goal.
While the iPhone 3G didn't hit stores until July 11, after Microsoft's fiscal year ended, it could have had an effect on Microsoft. "The iPhone 3G is causing people to hesitate," said Bill Hughes, an analyst at In-Stat. "That doesn't mean those 2 million all went to the iPhone." But some people likely decided to wait and see if the newest version of Apple's phone could be more attractive to them than a Windows Mobile phone, he said.
More so than the iPhone effect, delays with Sony Ericsson's first Windows Mobile phone, the Xperia, may have impacted Microsoft's sales figures, said Chris Hazelton, an analyst with The 451 Group. While Sony Ericsson has always maintained that the new phone will launch in the second half of the year, Microsoft may have expected the phones to start shipping in the second quarter in preparation for an early third quarter launch, he said. But delays in Xperia's shipment may have meant that Microsoft couldn't tally its sales to Sony Ericsson in its fiscal 2008, he said.
ABI Research analyst Kevin Burden suspects that Microsoft did ship the software to Sony Ericsson, but that the shortcoming in sales was due to a failure to make more headway among consumer users. While Microsoft has typically targeted Windows Mobile at enterprise users, it has recently begun talking more about the consumer-oriented features of the software. Microsoft may have inflated its potential Windows Mobile sales for the year based on hopes that it would gain customers attracted to the consumer-oriented message, he said.
Microsoft follows competitor BlackBerry and even struggling Palm in looking toward consumers to boost sales. BlackBerry found significant success marketing the Pearl to the consumer market, Burden noted. While Palm sales overall have flagged in recent years, it too found surprising success in marketing to consumers with its recently introduced Centro phone.
Microsoft continues to face tough competition overall from BlackBerry devices. During its fiscal year ending March 1, Research in Motion, the BlackBerry maker, shipped 14 million devices. "Competition in enterprise smartphones is going to be between BlackBerry and Windows Mobile," said Hughes. "Who wins could go either way."
While Microsoft has been in the smartphone market for many years, the mobile-phone operating system market is growing increasingly crowded. In addition to the new iPhone, Microsoft will soon also face competition from rival Google, which plans to release its Android mobile-phone software later this year.
Android phones, like the iPhone, are likely to appeal to the consumer market more so than enterprise users, who have traditionally been Windows Mobile's target. However, that could pose a problem for Microsoft. Hughes recently noticed an increase in the number of companies that don't dictate which phones employees should use, instead allowing them to make their own buying decisions. That shift could be good news for the iPhone, which now allows users to receive Outlook mail on the phones, and potentially for Android phones. Still, Hughes cautioned that in his experience, companies change their policies on phone-buying year to year, and so next year might find more companies dictating which phones employees can use.
Microsoft spent more than $2.3M to lobby in 2Q - Forbes
Forbes, NY, 23 hours ago. AP, 07.31.08, 2:19 PM ET: Microsoft Corp. spent more than $2.3 million in the second quarter to lobby on cyber security, patent reform, trade measures, …
Alfresco wants to stand in for SharePoint server
Open-source content management vendor Alfresco is hoping to lure away some business from Microsoft Office SharePoint Server (MOSS) — with an assist from Microsoft itself.
Its Alfresco Labs v3 product, now in beta, takes advantage of the SharePoint and Office protocol documentation files that Microsoft released, among others, earlier this year.
Office applications tightly integrate with SharePoint; the protocols allow Alfresco to act as a stand-in on the back end. Office "will believe it is talking to [MOSS] but it is actually Alfresco," said cofounder and CEO John Powell.
But the vendor is being realistic about how much business it could take away from Microsoft. "We're not coming out with this to say, 'replace SharePoint,' because I think that's a dry, futile argument," Powell said.
The Labs product, formerly called the Community edition, is available free. The enterprise edition of v3, which includes subscription support at $20,000 per CPU, for up to four cores, is not set to ship until September or October.
But greater flexibility, as opposed to cost savings, may be the main attraction of Alfresco, said Kathleen Reidy, an analyst with the 451 Group.
"Alfresco does charge for support, and it has very large deals. There's a potential for savings but it would depend on the specifics," she said. "One of the things you always hear about SharePoint is that Microsoft gives it away. That's not true, and neither is the idea that open source is free."
But Alfresco supports a fairly wide variety of underlying stacks, while SharePoint is dependent on other Microsoft technologies, such as Windows Server.
Therefore, Alfresco could prove useful to companies with "lots of different kinds of configurations" in their environments, Reidy said.
The London company, which was formed in 2005, has received its share of buzz in the marketplace and claims more than 500 enterprise customers. It also boasts a high-profile leadership team. Powell was formerly chief operating officer of Business Objects, while CTO John Newton founded the content management vendor Documentum.
After launching, Alfresco "quickly shifted their marketing from being an open-source alternative to Documentum to being an open-source alternative to SharePoint," Reidy said. "SharePoint is really the disrupter in the content management market now. Presenting itself as an alternative to that is a good story to tell."
"They're smart to not position it as a rip-and-replace, because so many people are early on in their SharePoint implementations," she added.
The new release also features Alfresco Surf, a Web development toolkit; and a preview version of Alfresco Share, a social-networking and collaboration application due in September.
Symantec: New attitude on security needed
Government agencies and private companies need to move their focus away from single-point security solutions to more holistic, information-based security, Symantec officials advised.
"Clearly we've moved to a point in time where our customers have to be much more focused on protecting the information itself, as opposed to protecting the PC or protecting the network," John Thompson, Symantec's chairman and CEO, said Thursday at the company's government symposium in Washington, D.C. "While those are necessary components of a protection strategy, they're not the end all. More has to be done."
In recent years, U.S. lawmakers have focused their attention on data breaches and lost laptops, and federal agencies have scrambled to meet requirements for encrypting information on laptops and other mobile devices. On Monday, the U.S. Government Accountability Office released a report saying that only 30 percent of sensitive data on mobile devices at 24 major agencies had been encrypted as of last September.
Encryption can be an important piece of a cybersecurity strategy, but it's just one piece, Thompson and John McCumber, Symantec's strategic programs manager for the federal public sector, said in interviews Thursday.
Encryption isn't "the solution" to data-loss prevention, Thompson said. "Good data-loss policies start with the understanding of, what is the critical data that I have and where is it?" he said. "In many instances, there is some critical and sensitive information on every laptop. But not all information that's on that laptop is critical and sensitive."
McCumber recently had lunch with a member of the U.S. Congress who suggested that better encryption technology would solve the government's data-loss problems. But McCumber told the lawmaker that encryption can't protect data that's being processed.
"If you think cryptography is the solution to this problem, you don't understand the problem and you don't understand cryptography," said McCumber, a former encryption expert at the U.S. National Security Agency.
Instead of focusing on single-point security solutions, Symantec has been encouraging U.S. agencies to look at the information they hold. The security vendor recommends agencies create "thoughtful" data classification and retention policies, Thompson said. Such policies will make it easier to manage and find data in the long term, he said.
"You've got to look at what value you place on the information," added McCumber. "Nobody wants to pay $500 to protect a $50 asset."
Agencies looking at cybersecurity from that information-centric perspective may find that adopting industry best practices — what other agencies or private companies are doing — may not work for them, McCumber said. Each organization needs to look at its own security challenges and risk, and find a data protection plan that works best for it, he said.
Organizations need tools to understand and manage their risks, McCumber added.
If best practices aren't the answer, that means technology mandates from Congress or regulatory agencies will no longer work, he said. "Technology always changes," McCumber said. "They've had to learn the hard way. You can't solve technology problems with policies, and you can't solve policy problems with technology."
Correction: Due to a reporting error, this story as originally posted included an incorrect quote from Symantec official John McCumber. The article has been amended.
Microsoft Spends $100k On Open Source
Microsoft is funding one of the biggest open-source organizations to the tune of $100,000. But it’s not an out-and-out backing of the open-source concept.
