Tag: security

Blackberry puts security on IoT

Samsung Browses BlackberryTelephone outfit BlackBerry is launching a new certificate service that will help bring the security level it offers on smartphones to the Internet of Things

Certicom, a subsidiary of BlackBerry, announced a new offering that it contends will secure millions of devices, expected to be part of the Internet of Stuff (IoT).

It said that it had already won a contract in Britain to issue certificates for the smart meter initiative there with more than 104 million smart meters and home energy management devices.

The service will make it much easier for companies rolling out such devices to authenticate and secure them, the company said.

In another move BlackBerry also outlined a plan to expand its research and development efforts on innovation and improvement in computer security.

Dubbed the BlackBerry Centre for High Assurance Computing Excellence (CHACE) said that it will to develop tools and techniques that deliver a far higher level of protection than is currently available

 

Security companies peddling snake oil

snake oilThe CEO of a security company has accused his fellow competitors of peddling snake oil to clients and lifted the lid on how they are doing it.

Paul Vixie, CEO, Farsight Security said that as security breaches increasingly make headlines, thousands of Internet security companies are chasing tens of billions of dollars in potential revenue and are doing by telling porkies to clients..

“We are alarmed at the kind of subversive untruths that vendor “spin doctors” are using to draw well-intentioned customers to their doors. Constructive criticism is sometimes necessarily harsh, and some might find the following just that, harsh. But we think it’s important that organizations take a “buyers beware” approach to securing their business,” Vixie said.

The best trick uses is to communicate information graphically, especially using colour animation.

“Buyers, being human, are visual creatures, and they inevitably feel greater, although misplaced understanding when value propositions are presented in pictorial form. Because quarter-on-quarter and same-quarter-next-year revenue growth is the main indicator of commercial health, there’s an understandable tendency to show potential customers an “attack map,” he said,

“Attack maps show the world with attacks as some kind of missile, launched from a country of origin, landing on a victim,” Vixie said.

It sends a message that the customer is under attack from state-sponsored criminals, or just plain old “foreigners”, and your prospective vendor can track these attacks as easily as NORAD can track incoming ballistic missiles.

The marketing message is: If you buy from us, we will tell you where the attacks are coming from, so that you can defend yourself. Or, even better, if you buy from us, we can defend you in real-time, using our cool tool.

The only problem is that they can’t.

In the cloud most of the time vendors have absolutely no clue as to where an attack is really originating from. They cannot neatly distinguish benign user behaviour from attack behaviour. Vendors don’t have instant knowledge and visibility when an attack occurs, Vixie said.

“The latest statistics say it usually takes around 200 days to discover an espionage intrusion.”

To make matters worse. Most “attack maps” don’t show actual “attacks” They are populated by event data which is beautifully animated yet unfiltered, unverified, non-prioritized event data that while visually compelling is worthless from a security perspective.

“In the worse and more common case, [customers] will make decisions based on this garbage, either prioritizing resources or spending where they aren’t needed against where they are needed, or learning a false sense of security, or, just as likely, a false sense of insecurity,” Vixie said.

The only beneficiaries from the resulting wrong-think will be shareholders and employees of the garbage-spewing security vendor, and of course, the bad guys, who as it turns out will have even less to worry about as they go about their work attacking, Vixie said.

 

Symantec distances itself from Veritas sell off rumours

Symantec_Headquarters_Mountain_ViewSecurity outfit Symantec has been saying “oh look a badger” to reporters asking about its sale of its storage storage unit Veritas, for as much as $8 billion.

The dark satanic rumour mill claims that the floundering security vendor has approached NetApp, EMC and several private equity firms to gauge interest in the business. which the company purchased for $13.5 billion.

Veritas business has struggled to live up to expectations after sluggish demand for its storage and data management products.

The plan has been widely dismissed by Symantec, which wants to continue to split the company into two, independent publicly traded companies: one business focused on security and one business focused on information management.

Symantec said that it will separate Veritas and Symantec into two independently traded companies by the end of the calendar year. One focused on information management and one focused on security.

For the vendor, creating two standalone businesses will allow each entity to “maximise its respective growth opportunities and drive greater shareholder value.”

Michael Brown, president and CEO, Symantec has gone on record saying that Veritas remains a powerful brand that still has tremendous equity.

Trend says that destructive hacking on the rise

1858_4_CourseOfEmpire_Destruction_ColeHacking attacks which are designed to destroy a company, rather than just steal information, are on the rise.

A poll by the Organisation of American States found that 40 percent of respondents had battled attempts to shut down their computer networks, 44 percent had dealt with bids to delete files and 54 percent had encountered “attempts to manipulate” their equipment through a control system.

Less than 60 percent of the 575 respondents said they had detected any attempts to steal data, long considered the predominant hacking goal.

The survey went to companies and agencies in crucial sectors as defined by the OAS members. Almost a third of the respondents were public entities, with communications, security and finance being the most heavily represented industries.

The questions did not delve into detail, leaving the amount of typical losses from breaches and the motivations of suspected attackers as matters for speculation. The survey-takers were not asked whether the attempted hacks succeeded, and some attacks could have been carried off without their knowledge.

The survey did allow anonymous participants to provide a narrative of key events if they chose, although those will not be published.

The report was compiled by Trend Micro whose Chief Cyber security Officer Tom Kellermann said additional destructive or physical attacks came from political activists and organised crime.

“We are facing a clear and present danger where we have non-state actors willing to destroy things,” he said. “This is going to be the year we suffer a catastrophe in the hemisphere, and when you will see kinetic response to a threat actor.”

Destructive attacks or manipulation of equipment are infrequently revealed. That is in part because breach-disclosure laws in more than 40 states centre on the potential risks to consumers from the theft of personal information, as with hacks of retailers including Home Depot and Target.

 

RSA conference bans booth babes

Theatre_Cinderella_RAF60F5The RSA Conference next month will be missing “booth babes”.

According to a post by security expert Bill Brenner on the LiquidMatrix blog:

“All Expo staff are expected to dress in business and/or business casual attire. Exhibitors should ensure that the attire of all staff they use at their booth (whether the exhibitor’s direct employees or their contractors) be considered appropriate in a professional environment. Attire of an overly revealing or suggestive nature is not permitted.

Examples of such attire may include but are not restricted to:

  • Tops displaying excessive cleavage;
  • Tank tops, halter tops, camisole tops or tube tops;
  • Miniskirts or minidresses;
  • Shorts;
  • Lycra (or other Second-Skin) bodysuits;
  • Objectionable or offensive costumes.

The rules apply to all booth staff, regardless of gender, and will be strictly enforced. If someone attractive shows up in anything remotely skimpy they will be asked to change their attire or leave the premises immediately if organisers feel their appearance might be offensive to other exhibitors or attendees.”

Linda Gray, event manager, RSA Conferences said that the change in the language in the exhibitor contracts was the best way to ensure all exhibitors were made aware of these new guidelines.

“We thought this was an important step towards making all security professionals feel comfortable and equally respected during the show.” They have yet to receive any complaints, Gray said.

 

Biometrics come into their own

fingerprintBiometric systems, particularly in relation to smartphones, look like they’re going to boom during this year.

ABI Research, a market analysis company, said that worldwide revenues for such systems will deliver $3.1 billion this year.

The systems will be targeted not only at home users but at authentication systems for the enterprise market, according to ABI.

Algorithms linked to cloud computing are set to give better user authentication, with applications for mobile payments, bring your own device (BYOD) systems.

The research said that the leaders in the biometric pack are Apple and Samsung but there are other players who are introducing voice and face recognition into the equation.

We reported elsewhere today that Apple is rumoured to be brining out three more iPhones this year that incorporate fingerprint recognition.

Dimitrios Pavlakis, digital security research analyst at ABI, said: “Biometry is moving rapidly into the security ecosystem and its adoption by CE devices will jumpstart this phenomenon.”

 

Disconnected computers can be hacked

wargames-hackerFor years the most basic method of super security for a computer was to unplug it from the network or internet.

However a team of security experts from Ben-Gurion University of the Negev (BGU) have discovered a new method to breach air-gapped computer systems.

Dubbed “BitWhisper” the hack enables two-way communications between adjacent, unconnected PC computers using heat.

According to a paper penned by Mordechai Guri, computers and networks are air-gapped when they need to be kept highly secure and isolated from unsecured networks, such as the public Internet or an unsecured local area network. Typically, air-gapped computers are used in financial transactions, mission critical tasks or military applications.

According to the researchers, “The scenario is prevalent in many organisations where there are two computers on a single desk, one connected to the internal network and the other one connected to the Internet. BitWhisper can be used to steal small chunks of data (e.g. passwords) and for command and control.”

BGU’s BitWhisper bridges the air-gap between the two computers, approximately 15 inches (40 cm) apart that are infected with malware by using their heat emissions and built-in thermal sensors to communicate. It establishes a covert, bi-directional channel by emitting heat from one PC to the other in a controlled manner.

By regulating the heat patterns, binary data is turned into thermal signals. In turn, the adjacent PC uses its built-in thermal sensors to measure the environmental changes. These changes are then sampled, processed, and converted into data.

“These properties enable the attacker to hack information from inside an air-gapped network, as well as transmit commands to it… Only eight signals per hour are sufficient to steal sensitive information such as passwords or secret keys. No additional hardware or software is required. Furthermore, the attacker can use BitWhisper to directly control malware actions inside the network and receive feedback.”

 

Egyptians cloned Google security certificate

amumSearch engine Google is furious that an Egyptian networking company  managed to clone its security certificate.

According to Google’s bog, the search engine became aware of unauthorised digital certificates for several Google domains. The certificates were issued by an intermediate certificate authority apparently held by a company called MCS Holdings. MCS is a Value Added Distribution focusing on Networking and Automation businesses based near Cairo.

This intermediate certificate was issued by CNNIC.

CNNIC is included in all major root stores and it means that the misused certificates would be trusted by almost all browsers and operating systems. Chrome on Windows, OS X, and Linux, ChromeOS, and Firefox 33 and greater would have rejected these certificates because of public-key pinning, although misused certificates for other sites likely exist.

Google got on the blower to the CNNIC and other major browsers about the incident, and blocked the MCS Holdings certificate in Chrome with a CRLSet push.

CNNIC said that it had contracted with MCS Holdings on the basis that MCS would only issue certificates for domains that they had registered. But MCS installed it in a man-in-the-middle proxy which meant they could intercept secure connections by masquerading as the intended destination.

This was so that effectively it could use the certificate for customers who wanted to monitor their staff use of the world wide wibble.

“However CNNIC delegated its substantial authority to an organization that was not fit to hold it,” growled Google.

Chrome users do not need to take any action to be protected by the CRLSet updates. We have no indication of abuse and we are not suggesting that people change passwords or take other action. At this time we are considering what further actions are appropriate

UK teams up with Israel over security

Screen Shot 2015-03-24 at 14.56.43Francis Maude, minister for the Cabinet Office in matters of cyber security, said that the UK and Israel have established three collaboration ventures to get government funding for cyber security.

The governments will contribute £1.2 million of funding to create a bilateral cyber research programme, he said.

The Universities of Bristol and University College London will team up with Bar Ilan University, while the University of Kent will tie up with the Israeli Ministry of Science and Technology.

The groups will work on six topics including identity management; governance; privacy assirance; mobile and cloud security; human aspects of security; and cryptography.

Maude said he wants the UK to be one of the safest places to do business online. “Cyber security is a shared global threat and I’m pleased that we are deepening our research relationship.”

The UK is a founding member of a global network called D5 – founding members also include South Korea, Estonia, Israel and New Zealand.

 

IBM sounds alarm over mobile app security

Screen Shot 2015-03-20 at 14.39.31The Ponemon Institute and IBM have jointly released a report which they said displays “the alarming state” of mobile insecurity.

According to the research, 40 percent of large companies – including many in the Fortune 500 – aren’t protecting the mobile apps they build.

And they’re not good against protecting their BYOD (bring your own device) gizmos against cyber attack. That leaves the gates to their corporate treasure chest effectively open.

The survey looked at security practices in over 400 large enterprises and claims that the average company doesn’t test half of the mobile apps they build. And what’s even worse is that 50 percent of these enterprises don’t devote any budget whatever towards mobile security.

IBM and the Ponemon Institute estimate that malicious code infests and infects over 11.6 million mobile devices.

The organisations surveyed spend an average of $34 million a year on mobile app development, with only 5.5 percent spending part of the budget on security.

“End user convenience is trumping end user security and privacy,” IBM said.

 

Opera buys privacy company

tim-cook-securityOpera Software bought a Canadian company called SurfEasy, for an undisclosed amount.

SurfEasy has a VPN (virtual private network) system aimed at securing smartphones, tablets and PCs, Opera said.

A VPN adds an extra level of net security to filter traffic between the web nd devices.

Opera said that over 90 percent of US net users are now worried about their online privacy and want to protect themselves when they’re online.

Opera, which has 350 million users worldwide said that privacy and security has always kept that as its top priority

The CEO of Opera, Lars Boilesen, said more and more people are looking for security on phones and other devices.

The said Opera will collaborate with the SurfEasy team to create joint products, using the Opera browser as the basic foundation for the collaboration.

 

Apple gatekeeper security broken

dottedborderemmelinagnome9thmarch2014 011FORMER NSA and NASA staffer Patrick Wardle, who heads up research at security start-up Synack, he has found a way to bypass protections in Apple Macs without getting caught.

Download files, known as .dmg files, for products including Kaspersky, Symantec, Avast, Avira, Intego, BitDefender, Trend Micro, ESET and F-Secure are all sent over unencrypted HTTP lines, rather than the more secure HTTPS. For some reason they trust Apple’s Gatekeeper security technology to recognise the digital signatures they sign in.

Anyone who intercepts a download to corrupt it won’t get away with it, as the Gatekeeper will see that the vendors’ original signature has been altered and ignore it.

But Wardle noticed that the Apple Gatekeeper software doesn’t check all components of Mac OS X download files. This makes it possible to sneak a malicious version of what’s known as a ‘dylib’ (dynamic libraries) file into legitimate downloads done over HTTP to infect Macs and start stealing data.

Dylibs are designed to be re-used by different applications; they might be used for actions such as compressing a file or using graphics capabilities of the operating system.
If an attacker can “hijack” the dylib processes used by Mac apps, however, they can carry out nasty attacks and send user data to their own servers, the researcher explained.

It is not that easy to pull off. The attacker would have to get on the same network as a target, either by breaching it or simply logging on to the same public Wi-Fi.

They would also have to inject a legitimate yet vulnerable application into the download and shuffle around the content of the .dmg so that the injected legitimate software is shown to the user.

At the upcoming CanSecWest conference in Vancouver, he will be explaining 101 things you can do with an evil dylibs ajd discover which Coldplay and U2 single the Mac owners is listening to.

Wardle reverse engineered the iCloud protocol and set up a command and control server on a secondary malicious iCloud account, meaning the connection he used to “steal” from his own PC would also be trusted.

You would think that Jobs’ Mob would be worried about it all, but apparently Wardle said they did not really care.

He said that they didn’t seem to understand the full ramifications of it. It would mean that Apple would have to re-architect OS X and expand Gatekeeper’s capabilities to fully address the issues raised by his new class of attack.

Wardle was miffed that the security companies were placing users at risk with unprotected downloads of their software installers and failing to protect against more advanced attacks like his own.

 

A billion people get their data leaked

IBM logoA report from IBM’s security division estimates that in 2014 “at lease” a billion records of people across the world were leaked.

That’s about one in seven of this planet’s humanoid population.

IBM released its X-Force quarterly report and relays information about over 9,000 security “vulnerabilities” affecting over 2,600 vendors in 2014. That’s an increase of 9.8 percent compared to 2013 and Big Blue said it’s the highest single year total in the 18 years it’s been tracking such things.

The USA has suffered the most because at 74.5 percent that’s far higher than other territories. IBM said that 40.2 percent of the most common attacks didn’t get described by those surveyed but malware and DDoS accounted for as much as 17.2 percent each.

IBM said that there was a big rise in so-called designer vulnerabilities.

All operating systems seemed to be under attack – including Windows, Mac OS X and Linux.

One key vulnerability happened in October with a researcher showing there are thousands of security problems in Android apps.

 

Qualcomm gives fingers for ultra-security

Churchill-first-V-signQualcomm has announced details of its Ultrasonic Finger Print Reader which is part of its  new Snapdragon processor.

The idea is that the tech can be used by smartphone ODMs and OEMs to provide ultrasecurity for their phones.

Qualcomm’s tech uses ultrasonic waves to scan all of the ridges and wrinkles of your fingers. This means that it can do a deeper analysis than the 2D image created by a fingerprint mashed up against a capacitive sensor.

It can also penetrate beneath the surface of your skin to identify unique 3D characteristics of your print.

Ultrasonic waves can go through glass, aluminum, steel and plastic housings of any phone, they don’t need a dedicated touch pad or button to work. You could conceivably touch any part of the smartphone with a finger to gain access to the phone itself.

While many might see the technology as a stab in the eye of Apple, which uses the old style of fingerprint technology. Qualcomm’s major competitor is MediaTek, whose processors and related technology are used in millions of phones, especially in China and areas where low cost smartphones are selling well.

Qualcomm’s new Ultrasound fingerprint reader means it has a weapon to counter MediaTek.

The thought is that this could win Qualcomm a lot of business.

 

 

US advances cyber threat bill

National-Security-Agency--008A move that would allow the US government to share cyber information with private companies has been given the nod by a key committee.

The US Senate Intelligence Committee voted 14-1 on Thursday to approve a bill intended to enhance information sharing between private companies and intelligence agencies about cybersecurity threats.

The Bill will go to the Senate where it is expected to get a full backing – after all many private companies would like all that data that the US intelligence services collect and are quite happy to pay their tame Senators to change the law to get it.

Privacy advocates opposed the bill, worrying that it would do too little to prevent more data collection by the National Security Agency and other US intelligence agencies.

Privacy concerns were cited by the only member of the committee who voted against the bill, Democratic Senator Ron Wyden of Oregon who saw it as another surveillance bill.

In practice the law is targeted at preventing the major cyber attacks and co-ordinate companies and government departments better. Microsoft, Lockheed Martin and Morgan Stanley, had pushed for a such a threat-sharing bill.