Tag: security

Homes to be packed with gizmos

In just eight years' time, ordinary family homes will be bursting with technology.

That’s the prediction market research firm Gartner is making for 2022. Its report said a home in affluent societies, at least, could have over 500 smart devices.

So what are these devices to be? Gartner estimates that a wide range of domestic equipment will become “smart”, inasmuch as it will include some level of sensing and intelligence and the ability to communicate wirelessly.

Vacuum cleaners and washing machines won’t cost more for their “smartness”, because semiconductor economies of scale mean a chip won’t cost more than about one US dollar.

Your cooker will be smart, your TVs will be smart, your fitness equipment will be smart, your security will be smart, your toaster will be smart. Everything will be smart as the internet of things starts to cast its spell over our world.

But it won’t be all plain sailing, because ordinary people might not want all this “smartness”. Products which incorporate intelligence must be easy to use and not require a degree in geekiness. And if smartness can’t be relied upon and starts failing – well, your house might not be such a home.

HP beefs up security

AccessData and HP are to work more closely together, increasing security assessment and quick fixes for global organisations.

HP’s service arm, Rapid Incident Response Services, is intended to help corporations quickly investigate what’s gone wrong after a hack and provide forensic evidence of incidents.

HP will now provide further services using AccessData’s ResolutionOne to give advance warning of security threats and provide alerts to prevent networks, endpoints, mobile devices and applications being compromised.

AccessData claims its ResolutionOne offering will extend HP’s own service with capabilities including root cause analysis, full packet capture network forensics, data on hardware, assessment of malware, and auditing across enterprises. ResolutionOne also lets security and response teams collaborate in real time, with automated batch processing to eradicate threats.

AccessData says it has over 130,000 users in law enforcement, at law firms, government agencies and corporations.

Apple iPhone is favoured by thieves

A report from the UK Home Office said that thieves are brand conscious and prefer stealing Apple iPhones compared to the rest of the pack.

The report said over 50 percent of all phones stolen between January 2012 and January 2014 were iPhones. Other brands appealing to thieves are Blackberry and Samsung devices. People who have had their phones stolen believe the value of the personal data on them to be more than £760.

Vendors have made improvements to security that appear to have put off some thieves, and the report analyses their effectiveness in some detail.

It suggests that the introduction of Apple iOS7 this time last year “has affected the black market value of some stolen iPhones”. An analysis based on London data suggests a reduction in thefts because of iOS7.


Samsung’s introduction of Find My Mobile and Reactivation Lock has also probably reduced thefts.

People worried about losing their mobile phones should register them at no cost at immobilise.com, use PIN locks, not leave the phone hanging about, and install a tracker app. If a phone is stolen, it should be reported to the network straight away, and to the local cop shop.

Apple wakes up to security

Apple’s CEO, Tim Cook, has admitted to the Wall Street Journal that it needs to improve security on its users’ accounts.

But Cook said that it wasn’t Apple’s fault that hackers had broken into iCloud. He said the hackers used various methods to get passwords for iCloud accounts, but none of the material came from Apple servers.

He did, however, promise to do something to beef up security. He told the Journal that Apple will now tip people off if someone changes a password, or when a new device attempts to access iCloud.

That’s going to be carried out within two weeks, said Cook.

Apple has been widely criticised for its laissez-faire attitude towards the recent hacking, and no doubt Cook has agreed to do an interview to defuse a situation that might spoil the launch of yet another iPhone next week.

Apple agrees to add alerts to iCloud

After denying that its iCloud security was as good as a tent flap, Apple has agreed to warn users when their privacy is being invaded.

Jobs’ Mob hit the news this week after numerous beautiful celebs had their iCloud accounts hacked and naked pictures posted online.

Apple denied that its security was below par, but saw its share price tumble as people failed to believe it.

Now it seems that Apple is planning additional steps to keep hackers out of user accounts and will encourage users to take stricter security measures.

CEO Tim Cook told the Wall Street Journal that Apple will alert users through email and push notifications when someone tries to change an account password, restore iCloud data to a new device, or when a device logs into an account for the first time.

He added that Apple will broaden its use of the two-factor authentication security system to avoid future intrusions and aggressively encourage people to turn on two-factor authentication in the new version of iOS.
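The three triggers Cook describes (password change, restore to a new device, first login from a device) are easy to state but need per-account state to work: the account must remember which devices it has seen before. The following is an added illustration, not Apple’s code or anything from the report; the event kinds, device identifiers and the in-memory store of known devices are all assumptions, and the sample event stream is constructed.

```python
"""Account-activity alerting: emit a notification when a password changes,
when account data is restored to a device not seen before, or when a device
logs in to an account for the first time. Illustrative only; the event
kinds, device ids and state store are assumptions, not a real service's API."""

from dataclasses import dataclass, field


@dataclass
class AccountEvent:
    account: str
    kind: str        # one of "login", "password_change", "restore" (assumed names)
    device_id: str   # assumed opaque per-device identifier


@dataclass
class AlertPolicy:
    # Per-account set of device ids that have interacted with the account before.
    # In a real deployment this store must be as well protected as the account
    # itself: anyone who can pre-register a device here suppresses the alert.
    known_devices: dict = field(default_factory=dict)

    def evaluate(self, ev: AccountEvent) -> list:
        """Return the alerts (possibly none) that one event should raise."""
        seen = self.known_devices.setdefault(ev.account, set())
        alerts = []
        if ev.kind == "password_change":
            # Always alert: the legitimate owner can ignore it, a victim cannot.
            alerts.append(f"{ev.account}: password changed from device {ev.device_id}")
        elif ev.kind == "restore":
            if ev.device_id not in seen:
                alerts.append(f"{ev.account}: data restored to new device {ev.device_id}")
        elif ev.kind == "login":
            if ev.device_id not in seen:
                alerts.append(f"{ev.account}: first login from device {ev.device_id}")
        else:
            raise ValueError(f"unknown event kind: {ev.kind!r}")
        # Any interaction marks the device as known for this account only.
        seen.add(ev.device_id)
        return alerts


def run(events) -> list:
    """Feed a sequence of events through one policy and collect every alert."""
    policy = AlertPolicy()
    out = []
    for ev in events:
        out.extend(policy.evaluate(ev))
    return out


# Constructed sample stream: two accounts, three devices.
SAMPLE_EVENTS = [
    AccountEvent("alice", "login", "phone-1"),           # first login -> alert
    AccountEvent("alice", "login", "phone-1"),           # known device -> quiet
    AccountEvent("alice", "password_change", "phone-1"), # always -> alert
    AccountEvent("alice", "restore", "laptop-7"),        # new device -> alert
    AccountEvent("alice", "login", "laptop-7"),          # now known -> quiet
    AccountEvent("bob", "login", "tablet-3"),            # other account -> alert
]

if __name__ == "__main__":
    for line in run(SAMPLE_EVENTS):
        print(line)
```

The policy keeps device knowledge per account, so a device that is familiar to one account still triggers a first-login alert on another. Note that the alert for a password change fires regardless of device: the owner can dismiss it, while a victim of a stolen password gets the warning.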

However, Apple is still insisting that celebrities’ iCloud accounts were individually targeted, and that none of the cases it investigated had resulted from a breach of its systems. [Who is that woman you keep throwing into these Apple cloud stories, Nick? Ed.]

Security experts said that Apple was to blame for failing to make its devices and software easier to secure through two-factor authentication, which requires a separate verification code after users log in initially.

Half of users share their passwords

More than half of users risk their computer being hacked because they share their passwords or sign up for automatic log on to mobile apps and services.

Research by security outfit Intercede said that while more than half of users thought security was important, they are putting their personal data at risk by sharing usernames and passwords with friends, family and colleagues.

The survey of 2,000 consumers also questioned whether these passwords are strong enough to protect consumers’ applications and the data they hold.

Half of respondents stated that they try to remember passwords rather than writing them down or using password management solutions, suggesting that consumers are relying on easy-to-remember combinations and using the same password across multiple sites and devices.

Richard Parris, CEO of Intercede, said that we need so many passwords today, for social networking, email, online banking and a whole host of other things, that it’s not surprising consumers are taking shortcuts with automatic log-ins and easy-to-remember passwords.

The research revealed that consumers are not only sharing passwords but also potentially putting their personal and sensitive information at risk by leaving themselves logged in to applications on their mobile devices, with over half of those using social media applications and email admitting that they leave themselves logged in on their mobile device.

Parris said that consumers are also compromising their bank and credit card details by selecting ‘Remember me’ or ‘Keep me signed in’ options.

Of those that use Amazon and other shopping sites, 21 per cent said they were automatically logged in, while the figures stood at 16 per cent for mobile banking and 12 per cent for PayPal.

Don’t plug an iPhone into a PC

Security experts at the Georgia Institute of Technology have discovered that Apple’s already dismal record on security on its iPhone is made worse when the shiny toy is plugged into a computer.

The attack takes advantage of design problems in iOS in which, for some reason, the Apple geniuses believed that they should trust anyone who connects to the phone over USB.

Tielei Wang, a co-author of the study and research scientist at the institute said that Apple overtrusted the USB connection.

It all started when Wang and his team developed some malware called Jekyll, an iPhone application with well-masked malicious functions that passed Apple’s inspection and briefly ended up on its App Store.

However, that was not good enough, as it was pointed out that no one could see their malware in the huge App Store.

Wang said they set out to find a way to infect a large number of iOS devices, one that didn’t rely on people downloading their malicious app. The attack required the use of “botnet herders” to install malware onto PCs.

Apple requires a person to be logged into his account in order to download an application from the App Store. Wang and the researchers developed a man-in-the-middle attack that tricked the Apple device that’s connected to a computer into authorising the download of an application using someone else’s Apple ID.

As long as the application still has Apple’s digital signature, it does not even need to still be in the App Store and can be supplied from elsewhere.

To get around Apple refusing to publish the malware on its App Store, Wang’s team found they could sneak a developer-provisioning file onto an iOS device when it was connected via USB to a computer.

This allows a self-signed malicious application to be installed. Legitimate applications could also be removed and substituted for look-alike malicious ones. All this can be done without a user knowing.

While it sounds convoluted, it is worthwhile if you are attempting to take over a large number of iOS devices.

It is also worthwhile if you are state-sponsored hackers wanting to carry out a targeted attack aimed at just a few users.

Apple has known about the problem for nearly a year now and is yet to fix it. At the moment, Wang said, the best advice is to not connect your phone to a computer, especially if you think the computer might be infected with malware.


Firmware has more holes than Blackburn Lancashire

A team of security experts has discovered that the code for firmware is so badly constructed that it could form an attack vector for cyber attacks.

Researchers with Eurecom, a technology-focused graduate school in France, developed a web crawler that plucked more than 30,000 firmware images from the websites of manufacturers including Siemens, Xerox, Bosch, Philips, D-Link, Samsung, LG and Belkin.

They found code which contained poorly-protected encryption mechanisms and backdoors that could allow access to devices. They reported all the problems to the vendors, but it had not been realised how bad the problem really was until now.

In one instance, the researchers found a Linux kernel that was 10 years out of date bundled in a recently released firmware image.

Aurélien Francillon, a co-author of the study and an assistant professor in the networking and security department at Eurecom, said that most of the firmware analysed was in consumer devices, a competitive arena where companies often release products quickly to stay ahead of rivals.

This has an ethos of being first and cheap, and to do that you don’t want the cost of a secure device.

Keith Alexander is a programming genius

The former head of the NSA, Keith Alexander, has been getting into trouble for charging companies millions of dollars to tell them how to keep his former employers out of their systems.

The argument is that he is using all the material he gathered at the NSA to make a nice little earner in retirement. If he were a whistle-blower, they would lock him up, but since he is an adviser to corporates and is not giving out military operations details he can do what he likes.

However, we think that the security community and the Senate are being a little hard on Keith; after all, if a patent application is correct, he is clearly a programming genius.

In the six months since he left the NSA, Alexander has come up with a brand new anti-hacking concept that will have shedloads of patents. The former NSA chief said that IronNet has already signed contracts with three companies and that he hopes to finish testing the system by the end of September.

Now he could not have come up with that idea when he was at the NSA, because he would have been expected to use it for his job and to help his country, which is more or less what he was paid for.

This means that he had to come up with it after he left office in March. This means he not only wrote the code but managed to make it work. This makes him a software genius and an organisational whizz-kid who displays skills we have not seen in a former military man.

In an interview with the Associated Press he said that if he had retired from the Army as a brain surgeon, it would be OK for him to go into private practice and make money doing brain surgery.

“I’m a cyber-guy. Can’t I go to work and do cyber stuff,” he asked. But he’s not. In the Army, he just managed “cyber guys.”

His system involves “behavioural modelling” as its secret sauce. The technology has been looked at by security experts, but so far no one has got it to go. Well, other than Alexander, which shows what sort of genius he must have been.

Government hackers take down Tor

One of the last refuges of dissidents in oppressive regimes has been taken down by hacker agencies working for the US government.

The Tor system, which was often the only way that dissidents could communicate in repressive regimes or that whistle blowers could leak their information, warned that many of its users might have been identified by government-funded researchers.

Tor Project leader Roger Dingledine said the service had identified computers on its network that had been altering Tor traffic for five months in an attempt to unmask users connecting to what are known as “hidden services.”

Dingledine said it was “likely” the attacking computers were operated on behalf of two researchers at the Software Engineering Institute, which is housed at Carnegie-Mellon University, but funded mainly by the US Department of Defence. The computers have been removed from the network, but the damage has already been done.

The pair had been scheduled to speak on identifying Tor users at the Black Hat security conference next month. After Tor developers complained to Carnegie-Mellon, officials there said the research had not been cleared and cancelled the talk.

Dingledine said that users who operated or accessed hidden services from early February through July 4 should assume they were affected.

Those navigating to ordinary websites should be in the clear.

Hidden services include underground drug sites such as the shuttered Silk Road, as well as privacy-conscious outfits such as SecureDrop, which is designed to connect whistle blowers with media outlets.

Dingledine said the physical locations where the hidden services were housed could have been exposed, although probably not the content on them that was viewed by a visitor.

All that matters now is if the spooks will just pop around to the researchers with a warrant and ask that they hand over all the details.

The FBI had no immediate response to questions about whether it would seek the data and the Defence Department was not sure if it had the right to raw research from the Institute.

Dingledine advised users to upgrade to the latest version of its software, which addresses the vulnerability that was exploited. He warned that attempts to break Tor were likely to continue.


Apple installed back doors into iOS

The fruity purveyor of expensive smartphones, Apple, might have to explain to its users why it installed back doors into its gear.

Security researcher Jonathan Zdziarski has revealed that Apple might have deliberately installed security holes in all of their iOS devices.

In his talk to the HOPE security conference Zdziarski demonstrates “a number of undocumented high-value forensic services running on every iOS device” and “suspicious design omissions in iOS that make collection easier.” He also provides examples of forensic artefacts acquired that “should never come off the device” without user consent.

Zdziarski said Apple did that all the while it shored up the security in the rest of the iOS to make it harder to break in.

The irony is that according to Zdziarski the iPhone is “reasonably secure” to a typical attacker and the iPhone 5 and iOS 7 are more secure from everybody except Apple and the government.

For example, he has noticed that just because you lock your Apple device, it does not mean that your device’s data is encrypted. The only way to encrypt it is to shut it down. This means that as long as your device is on, you are “at risk of spilling all data”.

Commercial forensic tools will be able to perform deep extraction using these backdoor services.

He thinks Apple might have bowed to the demands of the security services and law enforcement to install such security holes to make it easier for them to break in with a warrant.

Apple has stated that it will be transparent when faced with government requests, but Zdziarski thinks that this is still a breach of customers’ trust. The back doors are obviously undocumented and not mentioned to customers at all.

Avnet starts new unit

Mega distie Avnet said it has set up a new business unit in the European, Middle East and Africa markets.

The division, called Avnet Security and Networking Solutions (ASNS), is intended to boost its share of this sector and will include the opening of specialist technical and commercial competence centres in the region.

Network security is predicted to be worth over $10 billion in revenues, according to market research firm IDC.

The first commercial competence centre will open in the Netherlands this quarter, and be a hub for delivering security and networking services.

Graeme Watt, president of Avnet in EMEA, said his company will use existing people in the company and bring in external specialist skills to bolster the market.

Balabit spreads its reseller wings

Security outfit Balabit said that following an £8 million cash injection from C5 in the UK, it is set to extend its indirect model to new territories.

Balabit’s Baldor Kiszei told ChannelEye here in Hungary that 95 percent of its revenue stream is already indirect, but it has ambitious plans to extend its existing model to the UK and to the USA too. It has just hired local man Robert Billingham to build up relationships in Blighty and perform similar tasks in different territories.

It will open a US office in the first quarter of next year, said Kiszei.

“Balabit is a channel driven company,” he said. “Businesses are all different in every country. Historically we targeted local integrators.” They’re essentially VARs, he said, but Balabit has ambitious plans to grow its channel in France. It’s already using Nomeos and iTracenet but is expected to strike a deal with Orange France very soon. It already has five employees in France, and so we can expect to see sales staff rise in the UK too.

He said that 15 percent of Balabit’s revenues were generated in the USA in 2013, but basically that’s through its software offerings. It also intends to penetrate the potentially lucrative Middle Eastern market.

Wireless devices threaten factories

A report from a market research company said that security is becoming a key question for wireless networks used in industry.

IHS said that wireless network devices in factories worldwide will rise from 2.1 million in 2012 to 3.4 million by 2017.

Mark Watson, an associate director at IHS, said there’s a growing bring your own device (BYOD) trend in the manufacturing sectors, with people using both smartphones and tablets to monitor and control industrial equipment.

“Such devices may lack adequate security, offering hackers easy access to confidential data – or allowing them to spread malware through factory automation systems,” he said.

To counter the threat, some manufacturers are employing the so-called honeypot method – essentially a fake system that lets a business monitor hacking attempts.

He said that WirelessHART and ISA 100.11a are the major industrial wireless technologies and are used more in process industries, while WLAN and Bluetooth are more common in discrete industries.

BYODs mean IT departments have lost control

Gartner said that while many businesses think it’s time for them to go mobile, there are obstacles to that move and many don’t know how to proceed.

But, said Darryl Carlton, a research director at the market research company, the key to success is applications architecture and design.

“Designing your applications to meet the demands of BYOD is not the same as setting usage policies or having strategic sourcing plans that mandate a particular platform,” he said. “BYOD should be a design principle that provides you with a vendor neutral applications portfolio and a flexible future-proof architecture. If the applications exhibit technical constraints that limit choice and limit deployment, then the purchasing policy is irrelevant.”

IT departments are losing control of tools accessing corporate systems and data because of changes in the workforce and processes outside organisations’ boundaries.

“The community of users has expanded to include suppliers, customers, employees and a very broad range of stakeholders,” Carlton said. “We are no longer developing applications for deployment to an exclusive user base over which we exert standards and control.”

Partly, IT departments don’t realise that there are users they can’t control, which means standards can’t be dictated and proprietary controls can’t be imposed.

“For CIOs to consider BYOD activities within their organization to be a temporary problem generated by a few disaffected employees would be a tragic mistake. This is a leading indicator of change for which an appropriate response is required. Reasserting control is not an appropriate response. This is a permanent and irreversible shift in the way that IT is procured and implemented to support the organisation, suppliers and customers.”