STE WILLIAMS

Weak Security In Most Mobile Banking Apps

Most mobile banking apps — including those of major financial institutions — contain configuration and design weaknesses that weaken their security.

Security experts this month tested 275 Apple iOS- and Android-based mobile banking apps from 50 major financial institutions, 50 large regional banks, and 50 large U.S. credit unions. Overall, they found that eight out of 10 apps were improperly configured and not built using software development best practices. The big-name banks whose mobile apps were tested by security firm Praetorian include Bank of America, Citigroup, Wells Fargo, Goldman Sachs, Morgan Stanley, Capital One Financial, and Suntrust Banks, but Praetorian did not disclose how each bank’s apps fared in the tests.

Praetorian’s research comes at a time when mobile banking is starting to take off, albeit slowly. Some 35 percent of U.S. adults conduct mobile banking, up from 24 percent in 2012, according to the Pew Research Center. A new report by NSS Labs says some banks say they’re seeing mobile banking grow by up to 70 percent per year.

Nathan Sportsman, founder and CEO of Praetorian, says the security weaknesses in the mobile banking apps he and his team tested are not pure software vulnerabilities, so they are relatively low-risk issues that could ultimately lead to exploitation.

“These aren’t business logic or application-specific issues. They are weaknesses across the mobile apps: things developers should be doing” but they are not, Sportsman says. The apps were downloadable from the Apple App Store and Google Marketplace.

The weaknesses the researchers tested for are well-known mitigation features in software, and the tests were performed on the mobile app on the local device, not on back-end Web servers and services. Sportsman says the test represents only a snapshot of the full attack surface of mobile banking, because between 75 and 90 percent of mobile banking occurs on the back-end.

“This was not intrusive testing. We weren’t looking for SQL injection, and would need permission to do that, so we were really looking at the configuration of the mobile apps,” he says. His firm hopes to next test these apps for how information gets stored on the local device, he says.

The test was conducted using Praetorian’s Project Neptune, its new mobile application security testing platform.

Among the findings in the first test: Many of the iOS-based mobile banking apps did not have Automatic Reference Counting (ARC), a memory management feature, enabled; nor Position Independent Executable (PIE), which helps mitigate buffer-overflow exploitation; nor stack protection, which protects apps from “stack smashing.”

“Stack smashing and ASLR [address space layout randomization] have been around a long time, and these [protections] should be enabled” in the apps, Sportsman says.

And many of the Android-based mobile banking apps were found to target older versions of the Android software development kit (SDK), to lack permission hardening, and to have debugging enabled.

“Permissions for me as a consumer are most important: what permissions is the app requesting and do they really need them? Many overuse the permissions with more than they need,” he says.

For developers, the older SDK-targeting and the debugging features would be the biggest concerns, he says.
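The iOS and Android configuration weaknesses listed above (missing PIE, debuggable builds, old SDK targets, over-broad permissions) are the kind of thing a build-time check can catch before an app ships. The script below is an added example written for this page; it is not Praetorian’s Project Neptune or its free tool. It reads a decoded AndroidManifest.xml and the raw header of a Mach-O binary; the sample manifests, the minimum target SDK of 19 and the list of high-risk permissions are assumptions constructed for the demo. ARC and stack-protection checks need the binary’s symbol table and are not shown.

```python
"""Build-time configuration checks for mobile banking apps (added example).

Inspects two artifacts without running the app:
  * a decoded AndroidManifest.xml: android:debuggable, targetSdkVersion and
    the requested permissions;
  * the header of a Mach-O binary: the MH_PIE flag.
The sample manifests, the SDK threshold and the permission list are
assumptions constructed for this demo.
"""
import struct
import xml.etree.ElementTree as ET
from typing import List

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
MIN_TARGET_SDK = 19  # reviewer's threshold for "current"; chosen for the example
HIGH_RISK_PERMISSIONS = {  # rarely justified in a banking app; example list
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
}


def check_android_manifest(manifest_xml: str) -> List[str]:
    """Return findings for a decoded (text) AndroidManifest.xml."""
    findings = []
    root = ET.fromstring(manifest_xml)

    app = root.find("application")
    if app is not None and app.get(ANDROID_NS + "debuggable", "false") == "true":
        findings.append("android:debuggable=true: a debugger can attach to the shipped build")

    sdk = root.find("uses-sdk")
    target = sdk.get(ANDROID_NS + "targetSdkVersion") if sdk is not None else None
    if target is None:
        findings.append("targetSdkVersion not set: app runs in compatibility mode for old SDKs")
    elif int(target) < MIN_TARGET_SDK:
        findings.append(f"targetSdkVersion={target} is below {MIN_TARGET_SDK}")

    for perm in root.findall("uses-permission"):
        name = perm.get(ANDROID_NS + "name", "")
        if name in HIGH_RISK_PERMISSIONS:
            findings.append(f"high-risk permission requested: {name}")
    return findings


# Mach-O constants from <mach-o/loader.h>
MH_MAGIC = 0xFEEDFACE      # 32-bit header
MH_MAGIC_64 = 0xFEEDFACF   # 64-bit header
MH_PIE = 0x200000          # image may be loaded at a random address (ASLR)


def macho_has_pie(header: bytes) -> bool:
    """True if a little-endian Mach-O header (32- or 64-bit) carries MH_PIE.

    Both layouts begin with magic, cputype, cpusubtype, filetype, ncmds,
    sizeofcmds, flags; the flags word is therefore at byte offset 24.
    """
    if len(header) < 28:
        raise ValueError("header too short")
    magic = struct.unpack_from("<I", header, 0)[0]
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a little-endian Mach-O header")
    flags = struct.unpack_from("<I", header, 24)[0]
    return bool(flags & MH_PIE)


def build_macho_header(flags: int) -> bytes:
    """Constructed 64-bit arm64 executable header carrying the given flags."""
    cpu_type_arm64, mh_execute = 0x0100000C, 2
    return struct.pack("<8I", MH_MAGIC_64, cpu_type_arm64, 0, mh_execute, 0, 0, flags, 0)


# Constructed sample manifest showing all three Android weaknesses at once.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="16"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Bank" android:debuggable="true"/>
</manifest>"""

# The same manifest with the three weaknesses corrected.
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bank">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="19"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Bank"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label, check_android_manifest(manifest) or ["no findings"])
    print("PIE set:", macho_has_pie(build_macho_header(MH_PIE | 0x1)))
    print("PIE missing:", macho_has_pie(build_macho_header(0x1)))
```

Run the script against a manifest decoded from an APK (for example with `aapt dump xmltree`) and the first bytes of the app’s Mach-O; a fat (multi-architecture) iOS binary must first be split into its per-architecture slices, which this example does not do.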

Large financial institutions, not surprisingly, fared better than credit unions or regional banks, but not dramatically: credit unions had 108 configuration weaknesses in their apps; regional banks, 97; and large financial institutions, 75.

Why the configuration issues in these apps? Overall, there’s a “rush to market” pressure for mobile banking in the technology-forward financial services industry, which can lead to some mistakes along the way, he says. “But we found that regional banks and credit unions tend to manifest this more than the mega-banks … and a lot of them tend to outsource the development and it’s more a one-and-done,” he says. “But mega-banks do theirs in-house, so there’s more [ongoing] maintenance” with the apps, he says.

NSS Labs’ Ken Baylor, meanwhile, notes that many mobile banking apps are still mostly rudimentary security-wise. “Most banks began offering mobile services with a simple redirect to a mobile site (with limited functionality) upon detection of the smartphone HTTP headers,” he wrote in a new report on mobile financial malware. “Others created mobile apps with HTML wrappers for a better user experience and more functionality. As yet, only a few have built secure native apps for each platform.”

“Many mobile banking apps are based on simplified HTML code, making them vulnerable to exploits – this should prompt more banks to develop secure native apps for mobiles, incorporating fraud-resistant features like hardened in-app browsers, encryption and geolocation,” Baylor said in the report.

Meanwhile, Praetorian is releasing a free tool that tests for these weaknesses in mobile apps, Sportsman says.

The full report on the mobile banking apps test is available here for download.


Article source: http://www.darkreading.com/vulnerability/weak-security-in-most-mobile-banking-app/240164731

iboss Launches Threat And Event Console

San Diego, CA – December 11, 2013 – iboss today announced its new Threat and Event console, a core component of the company’s Secure Web Gateway platform. A provider of network security solutions, iboss is releasing new functionality that gives enterprises unparalleled access to possible cybersecurity threats, malware breaches on mobile devices and attacks entering the network from social media sites. This system increases insight, shortens mitigation response and reduces the total cost of ownership (TCO) by up to 30%.

The iboss platform provides visibility of everything going in and out of a network, across every single network port, identifying the known and the unknown. As an example, there are 65,535 ports on a network and legacy Web security vendors, if port focused, typically monitor only ports 80 and 443. Advanced threats, applications and even SaaS services are increasingly utilizing non-standard ports outside of port 80 and 443. iboss provides the visibility to identify what is traversing your network regardless of the port utilized, providing administrators more content visibility and allowing them to establish more actionable policy.

Unlike legacy network security vendors that focus on log-based threat detection and reporting, iboss approaches the network in a completely different manner by addressing who, and from where, a person connects. iboss’ cloud-based platform drills deep into a network, identifying odd behaviors and surfacing ‘shadow IT’. This allows companies to create actionable policies that address the high-risk user behavior.

The new Threat and Event console utilizes exclusive features, such as threat GeoMapping and heat map technology, to provide an instant visual pinpoint of threats across a global map. A few examples of the advanced levels of visibility include:

Packet level visibility across all network activity to identify Shadow IT and high-risk user behavior

Advanced data collaboration that dynamically maps connections to the organization they represent and then correlates the information to the directory user creating the event

Ability to track data movement to high-risk countries and organizations based on data quantity, type and where the data is originating from (i.e. company database servers)

Live dashboards that provide information up-to-the second to identify high-risk activities, threats and data movement allowing for more effective mitigation

“Cybersecurity and privacy concerns are now front and center, thanks to the NSA revelations and advanced ways hackers can get into networks. These threats include mobile devices too, as malware is focusing on Android and iOS devices. These devices can be compromised when they are outside the network, infecting upon return,” said Peter Martini, COO and co-founder of iboss. “Today’s network security vendors and most enterprise environments are just not prepared to track, analyze and understand that type of traffic. Since we started shipping our iboss platform a year ago, we’ve replaced many legacy vendor installs at enterprises who need to have more insight and visibility into their networks. Many IT administrators just don’t realize what can actually be seen on the network, as outdated technology doesn’t provide that option.”

The Threat and Event console benefits include:

Live threat and bandwidth dashboards

Instant URL / ad-hoc reporting capabilities, including compliance reporting and automated backups

A dynamic drill-down interface that includes mobile device threats to allow IT to easily see the issues with the network

The iboss Secure Web Gateway combines:

Web Security (HTTP/S)

Scanning Inside SSL

Layer 7 Application Management DPI/Heuristics/Signatures

BYOD Management- Authentication, Bandwidth, High Risk Quarantine

Mobile Security – On/Off Premise Security

Bandwidth Throttling and QoS

Integrated Threat Event Console

Other comments related to the news:

1. According to a January 2013 Forrester report by John Kindervag and Heidi Shey, “Data defense is the fundamental purpose of information security…Too often, organizations create data policies without a clear understanding of feasibility and purpose within their business because they themselves are in the dark about their data — from what data they have to where it resides…In today’s evolving data economy, data identity is the missing link that security and risk (SR) leaders must define in order to create actionable data security and control policy.”

Article source: http://www.darkreading.com/management/iboss-launches-threat-and-event-console/240164732

Lack Of Planning and Visibility Increases Attack Chaos And Impact Of DDoS Attacks

HUDSON, MA – December 12, 2013 – New research from Corero Network Security (CNS: LN) reveals that many businesses are failing to take adequate measures to protect themselves against the threat of a DDoS attack. A survey of 100 companies revealed that in spite of the reports about the cost of downtime and the potential for DDoS attacks to mask greater threats, businesses are failing to put in place effective defenses or plans to mitigate the impact of a DDoS attack against their organization. More than half of companies lack adequate DDoS defense technology, and 44% of respondents have no formal DDoS attack response plan.

The survey asked respondents about the effectiveness of their plans to prevent, detect and mitigate the damage of a cyber attack including examining their incident response plans from the standpoint of: infrastructure, roles and responsibilities, technology, maintenance, and testing. The findings revealed a lack of planning on multiple levels: whilst nearly half of businesses lacked a formal DDoS response plan, the problem was compounded by out of date network visibility as more than 54% of respondents have outdated or non-existent network maps. Furthermore, approximately one in three businesses lacked any clear idea of their normal network traffic volume, making it more difficult to discern between routine traffic peaks or high traffic volumes that could signal a DDoS attack.

Corero also found that many companies have underinvested in their security infrastructures and have done little to verify that the solutions they have implemented will work when needed. Respondents are continuing to rely on firewalls to mitigate the impact of DDoS attacks, reaffirming the findings of previous surveys. Approximately 40% of respondents depend on firewalls, while 41% have a dedicated DDoS defense technology in place. However, even amongst those companies that had invested in DDoS defense technology, many are failing to optimize the systems with regular tuning and updating. Nearly 60% do not test their DDoS defenses regularly with network and application-layer tests.

Beyond the technology implementations and planning, Corero’s survey also found that nearly half of the businesses surveyed do not have a dedicated DDoS response team. For the organizations that do have a team in place, most of them do not have specifically defined roles and responsibilities for responding to DDoS attacks. This lack of preparation could lead to additional delays in initiating the appropriate response, leaving the corporate network in the hands of attackers until the response team coordinates its activities.

“With an increase in malicious attacks on organizations from cyber criminals, ideological hacktivists, nation states and even competitors, there is no foreseeable end in sight to the use of DDoS as a common method of intentional disruption,” said Ashley Stephenson, CEO of Corero Network Security. “It is concerning to see the lack of preparedness of some businesses to a type of attack which has the potential to cause significant lost revenues and serious brand damage.”

View an infographic of the survey results by visiting http://bit.ly/IqYsKl

To learn more about how Corero helps businesses around the world defend themselves against DDoS attacks with its DDoS Defense System, visit http://www.corero.com/en/products_and_services/dds.

About Corero Network Security

Corero Network Security, an organization’s First Line of Defense, is an international network security company and a leading provider of Distributed Denial of Service (DDoS) defense and next generation security solutions. As the First Line of Defense, Corero’s products and services stop attacks at the perimeter including DDoS, server targeted, and zero-day attacks, protecting IT infrastructure and eliminating downtime. Corero’s solutions are dynamic and automatically respond to evolving cyber attacks, known and unknown, allowing existing IT infrastructure – such as firewalls which are ineffective at stopping much of today’s unwanted traffic at the perimeter – to perform their intended purposes. For more information, visit www.corero.com.

Article source: http://www.darkreading.com/management/lack-of-planning-and-visibility-increase/240164733

Norse Expands Threat Intelligence To Include Detection Of Malware In Development And Identification Of Devices

SAN MATEO, Calif., Dec. 12, 2013 /PRNewswire/ — Norse, a leading provider of live threat intelligence solutions, today announced availability of Norse IPViking™ 2.0, the next generation of its cloud-based IT security solution, which provides context-rich, dark-threat intelligence about the darkest segments of the Internet. New to IPViking are unique threat intelligence capabilities that detect malware while it is in the development phase, before cybercriminals can use it as part of an attack. Norse has also added capabilities that identify mobile and desktop devices, appliances, servers and even satellites in space attempting to connect to networks via malicious IP addresses. Pre-attack malware detection and malicious-device-type identification capabilities allow customers to reduce their risk of falling victim to costly compliance violations, compromises and data breaches. Norse’s fully automated threat intelligence capabilities improve threat identification and detection accuracy and eliminate delays caused by manual processes.

(Logo: http://photos.prnewswire.com/prnh/20131212/AQ32329LOGO)

Tweet This: Detecting #malware ahead of release, @NorseCorp #IPViking2.0 provides live threat intelligence from the #darkside of the Internet http://norse-corp.com/ipviking.html#prod

“The threat landscape evolves faster than most IT security solutions can keep pace with. Intelligence and visibility into what is taking place in the darkest corners of the Internet is an essential component of any effective security strategy,” said Richard Stiennon, noted cybersecurity expert, author and IT-Harvest analyst. “As a start-up, Norse is providing innovative and effective threat intelligence solutions that allow their customers to strengthen their defenses against the most advanced threats.”

Pre-Attack Malware Intelligence

Malware is an insidious problem for all connected enterprises, government agencies and consumers. With the emergence of the Internet of Things (IoT), where virtually all electronic devices, from consumer appliances to industrial systems, are connected to the Internet via an IP address, cybercriminals and nation-backed operators are finding it easier to execute advanced attacks. Malware, used to infect computers to siphon data, engage in cyber espionage and even inflict physical damage, is at the forefront of most attacks. Pre-attack detection capabilities added to IPViking allow customers to detect and take action to defend against malware while it is in the development, Zero Day or identified (signature) phase.

Device and Operating System Threat Intelligence

IPViking customers have benefited from the solution’s ability to detect malicious IP-based attacks before they develop into compromises and data breaches. IPViking 2.0 adds device type and OS identification, providing more context to Norse’s already detailed threat intelligence. IPViking now identifies devices such as desktops, iPads or other mobile devices as well as servers and appliances on IPs conducting high-risk activity. To provide customers with more threat-intelligence context and enable them to make better decisions, IPViking also classifies the high-risk devices it identifies into categories such as government, consumer, education and corporate.

“The Internet is the most widely used business communications and transaction platform and at the same time, the most dangerous. There is no real way to remain protected against attacks and exploits without visibility into what the bad actors are doing and planning,” said Sam Glines, CEO, Norse. “IPViking 2.0 delivers the most comprehensive threat intelligence available today and true early warning that enables enterprises and government agencies to detect threats and take action before they inflict financial and reputation damage.”

For more information on IPViking 2.0, visit: LINK

Follow Norse on Twitter: @NorseCorp

Like Norse on Facebook: https://www.facebook.com/NorseCorporation

Follow Norse on LinkedIn: http://www.linkedin.com/company/norse-corporation

Subscribe to Norse YouTube Channel: http://www.youtube.com/user/norsecorporation

Add Norse to G+ Circles: https://plus.google.com/+Norse-corp/posts

About Norse

Norse is the leading innovator in the live threat intelligence security market. With the goal of transforming the traditionally reactive IT security industry, Norse offers proactive, intelligence-based security solutions that enable organizations to identify and defend against the advanced cyberthreats of today and tomorrow. Norse’s synchronous, global platform is a patent-pending infrastructure-based technology that continuously collects and analyzes real-time, high-risk Internet traffic to identify the sources of cyberattacks and fraud. Norse is the only provider of live, actionable, cyberthreat intelligence that enables organizations to prevent financial fraud and proactively defend against today’s most advanced cyber threats including zero day and advanced persistent threats. Norse has offices in Silicon Valley, St. Louis, and Atlanta. Visit us online at norse-corp.com.

Article source: http://www.darkreading.com/norse-expands-threat-intelligence-to-inc/240164734

TeamBerserk hacktivists use US judge’s credit card to buy sex toys for him

TeamBerserk hackers are back.

They’ve sided with a sheriff in the US state of Texas in a dispute over a teacher picking thrown-away school furniture out of the trash, have leaked 23 documents stolen from the judge’s computer, have used the judge’s credit card to order what Softpedia reports is a total of 18 sex toys, and have shown prodigious talent at making images out of keyboard characters that will forever change the way you view “x”, “@” and “s” if you click through to their Pastebin message.

(Warning: At least one of the Pastebin images is probably NSFW, albeit it would be very appropriate for a gallery show on keyboard character artwork.)

The TeamBerserk crew align themselves with the Anonymous hacktivist brand but carry out their own operations.

In October, they announced that they were taking a breather from their attacks, which they say have been carried out against such organizations as the US Office of Personnel Management, HITRUST, Interactive Data, CITIC, the Chinese University of Hong Kong, New Mexico ISP Plateau, The West Australian, Loretto Telecom, and California-based ISP Sebastian.

Now, they’re back, as spotted by Softpedia’s Eduard Kovacs, and they’re ready for more lulz, as they said in their comeback message:

After many days at port, days filled with rum, women and lulz – which have recovered us. We have again united for an explosive several weeks of exploitation, mayhem and LoLz.

In the Pastebin message, they threatened “corporations and governments”, with Judge Souli A. Shanklin appearing to be their first target as part of ProjectMayhem, a campaign Anonymous first announced in 2011.

The dispute with Judge Shanklin dates back to a conflict that flared up in September between Edwards County Sheriff Pam Elliott and Rocksprings Independent School District Superintendent David Velky.

After claiming to have analyzed the case, the hackers said that they’re on the sheriff’s side:

We TeamBerserk agree with Sheriff Pam Eliott [sic]. You have been placing pressure on board members to do your bidding and you have concealed information. This information will be publicly available soon.

At this very moment we are sorting through and analyzing all of your accounts. We have gained remote access to your cell phones and we have conversation logs between you and various, shall we say.. characters of shady backgrounds.

All of your Android devices are under our control as well as your personal nets.

TeamBerserk claims to have ordered several dildos from Velky’s Amazon account, as they did from Judge Shanklin’s account, and published screenshots as proof.


Kovacs reported on Wednesday that the hackers hijacked Velky’s LinkedIn account and leaked seven more documents related to Judge Shanklin.

Although some might see these antics as amusing, let’s get serious kids. Don’t try this at home.

As it is, when TeamBerserk went on hiatus in October, it noted that various members had just finished jail terms.

Credit card fraud is illegal, as it should be, even if you use the stolen credit card to send truly tasteful Christmas gifts such as those selected by TeamBerserk.

The US legal system doesn’t have much of a sense of humor.

For evidence of that, you don’t have to look any further than to the $183,000 penalty dished out to Eric Rosol this week for participating in an Anonymous-organized DDoS against Koch Industries for one measly minute.

High financial penalties and jail terms against hackers and ‘hacktivists’ alike are rife.

Is it really worth the lulz?

Image of XXX button courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/G4MYQVD_yu8/

Snowden latest: NSA stalks the human race using Google, ad cookies


The already strained relationship between Google and the NSA has got a little bit worse, after claims in the latest Snowden leak that intelligence agencies are using the Chocolate Factory’s cookies to track targets.

Documents seen by the Washington Post show that the NSA and the British snoops at GCHQ have found a way to piggyback on a Google tracking cookie dubbed PREFID. This doesn’t contain personal data, but does contain an identifier unique to each browser, so by subverting the Google code a particular user can be easily identified in a large data dump.


It’s not only Gmail or Google+ users who pick up PREFID cookies: they’re included in everything from simple search requests to websites that embed Mountain View’s mapping or social networking systems. As such, most internet users will have one somewhere.

Once a particular browser is identified, the Google cookies can then be used for “remote exploitation” the documents state, presumably anything from monitoring usage to complete pwnage. It can also be used for “on the ground survey options,” and used to brief the FBI for domestic action.

The latest trove from ex-NSA-contractor-turned-whistleblower Edward Snowden also shows details of a location-tracking system implemented by the intelligence agencies (and presumably their Canadian, Australian and New Zealand counterparts) called HAPPYFOOT – say what you like about the coders, at least they have a gift for naming this stuff. That effort also uses advertising networks’ cookies to track the location of users.

HAPPYFOOT monitors location data sent back by mobile apps to provide localized content. GPS doesn’t need to be on for this kind of data – the phone user’s location can be triangulated pretty accurately based on cell tower and Wi-Fi locations, particularly in urban environments. As seen in last week’s FTC settlement, this location data doesn’t always need user approval to activate.

In both cases, intelligence agencies can use data from the Department of Defense’s National Geospatial Intelligence Agency, for target tracking. According to Snowden’s data the agency has an annual budget of $4.9bn to collect and analyze satellite and photo imagery from around the world.

“As we’ve said before, NSA, within its lawful mission to collect foreign intelligence to protect the United States, uses intelligence tools to understand the intent of foreign adversaries and prevent them from bringing harm to innocent Americans,” said the NSA in a statement.

Privacy experts have long been nervous about the ability of cookies to track internet users. While there are beneficial uses of cookies, besides being vital to the online advertising market, the ability to store arbitrary data in a browser is seen as a fundamental flaw in protecting privacy on the web.

It’s a measure of success that the “do not track” movement against cookies is now supported by almost all the major browser manufacturers and is often the default setting – something that is infuriating the advertising industry. It would seem, from these latest documents, that the NSA would like tracking to continue as well.

“These revelations make it ever clearer that we need to fight back against non-consensual tracking of web users, by deploying and adopting technology that allows users to block online tracking,” said privacy campaigners at the EFF in a statement.

“In the past we’ve been concerned about the profiles that web companies could build up about users without their knowledge or consent. Now we’ve seen that this tracking technology is also being hijacked for government surveillance of Internet users.”


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/12/12/snowden_latest_nsa_using_google_cookies_to_id_internet_users/

New ZeuS Banking Trojan Targets 64-Bit Systems, Leverages Tor

Change is in the wind on malware’s Mount Olympus: the notorious ZeuS Trojan is now armed with a 64-bit version that uses the Tor network to communicate with its command and control infrastructure.

“The more people switch to 64-bit platforms, the more 64-bit malware appears,” blogs Kaspersky Lab researcher Dmitry Tarakanov. “We have been following this process for several years now.”

A new twist for ZeuS to be sure, but also a confusing one, as 64-bit browsers are not widely used by the public.

“ZeuS is mostly intended to intercept data passing through browsers, and modify that data allowing the operator to steal information related to online banking, to wire transactions or to cover his tracks,” he continues. “But nowadays people still use 32-bit browsers — even on 64-bit operating systems. So, 32-bit versions of ZeuS have been sufficient to keep the thieves satisfied with their earnings.”

Fortinet’s Richard Henderson agreed, calling 64-bit malware “very uncommon.” The real question however is how long it will be until it is not the exception but the norm.

“Typically, malware is written in order to cast as wide of a net as possible, and that means sticking with what has the greatest chance of capturing the largest number of infections,” says Henderson, security strategist for Fortinet’s FortiGuard Threat Research and Response Labs. “Win32. 64-bit Windows still run 32-bit applications, and as the analysis mentioned, the vast majority of 64-bit Windows users are still running 32-bit Internet browsers. It’s also the main reason why we don’t see a lot of Mac malware in the wild — the number of computers out there running 32-bit Windows or 64-bit Windows with the ability to run 32-bit software is orders of magnitude larger.”

The 64-bit version of the malware has been in the wild for at least six months. According to Kaspersky Lab, the 64-bit version was actually found inside a 32-bit ZeuS sample that injected malicious code into target processes: it injected the 64-bit version if the process belonged to a 64-bit application, and the 32-bit version if the process belonged to a 32-bit application.

The 64-bit version behaves like any other variant of ZeuS, installing files into folders with randomly generated names placed inside the %APPDATA% directory.

“Interestingly, the configuration file for this version of ZeuS includes a long list of programs that the malware can function on if they are found on the infected system,” blogs Tarakanov. “There are different types of programs, but all of them contain valuable private information that cybercriminals would love to steal — login credentials, certificates and so on. Don’t forget that ZeuS is capable of intercepting key strokes and data before encryption/after decryption that is sent/received on a network with the use of some typical system API functions. So, when operating inside these programs ZeuS is able to intercept and forward a lot of valuable information to the botnet operator.”

In addition to the 64-bit component, this version of ZeuS carries a tor.exe utility from Tor version 0.2.3.25 inside its body, he adds.

“Tor.exe is launched indirectly — ZeuS starts the system svchost.exe application in suspended mode, then injects the tor.exe code into this suspended svchost.exe process, tunes the code to run properly and resumes execution of the suspended svchost,” he explains. “As a result, instead of the system svchost.exe, the process actually starts executing tor.exe. The Tor utility under the cover of the svchost.exe process creates an HTTP proxy server listening to the TCP port 9050.”
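Because the injected tor.exe runs under the name svchost.exe and opens a listener on TCP 9050, a host-level inventory of which process image listens on which port gives a defender something concrete to look for. The Python below is an added example, not Kaspersky Lab’s tooling or anything from the article: the process records are constructed, and the expected-parent rule (a genuine svchost.exe is normally launched by services.exe) is a general Windows hunting heuristic that the article does not state.

```python
"""Flag a system-process name that is serving a Tor proxy (added example).

The ZeuS sample described above starts svchost.exe suspended, injects tor.exe
into it and ends up with a "svchost.exe" listening on TCP 9050.  Given an
inventory of running processes with their parents and listening ports (here
constructed records; in practice EDR telemetry or `netstat -ano` joined with
`tasklist`), two heuristics surface it: a service host listening on the Tor
proxy port, and a service host whose parent is not services.exe (general
Windows knowledge, not something the article states).
"""
from typing import Dict, List

TOR_PROXY_PORT = 9050  # port the article reports the injected tor.exe listening on

# System binaries and the parent that normally launches them (an assumption
# of this example based on general Windows knowledge).
EXPECTED_PARENT = {"svchost.exe": "services.exe"}


def find_suspicious_service_hosts(processes: List[Dict]) -> List[str]:
    """Return one alert string per heuristic hit over the process inventory."""
    alerts = []
    for p in processes:
        image = p["image"].lower()
        if image not in EXPECTED_PARENT:
            continue
        if TOR_PROXY_PORT in p.get("listen_ports", ()):
            alerts.append(
                f"pid {p['pid']}: {image} listening on TCP {TOR_PROXY_PORT} (Tor proxy port)"
            )
        parent = p.get("parent_image", "").lower()
        if parent != EXPECTED_PARENT[image]:
            alerts.append(
                f"pid {p['pid']}: {image} launched by {parent or 'unknown'} "
                f"instead of {EXPECTED_PARENT[image]}"
            )
    return alerts


# Constructed inventory: a normal service host, a user application, and a
# service host that has been hollowed out the way the article describes.
SAMPLE_PROCESSES = [
    {"pid": 812, "image": "svchost.exe", "parent_image": "services.exe", "listen_ports": [135]},
    {"pid": 2204, "image": "chrome.exe", "parent_image": "explorer.exe", "listen_ports": []},
    {"pid": 3316, "image": "svchost.exe", "parent_image": "explorer.exe", "listen_ports": [9050]},
]

if __name__ == "__main__":
    for alert in find_suspicious_service_hosts(SAMPLE_PROCESSES):
        print(alert)
```

Both heuristics are coarse on their own (an administrator can legitimately run Tor, and some service hosts are started by other means), so treat a hit as a lead to examine the process’s loaded modules and network peers rather than as a verdict.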

ZeuS variants using Tor, however, are nothing new; Kaspersky Lab has tracked samples with signs of Tor communications as far back as 2012. There are even step-by-step instructions on the Internet on how to use tor.exe to pass ZeuS or SpyEye traffic via the Tor network, as well as how to create onion domain hosting for command and control for these banking Trojans.

“But these earlier samples mostly had CnC [command and control] domains specified in their bodies as localhost or 127.0.0.1 meaning that samples of ZeuS or Spyeye themselves were not tied too strictly with Tor communications, whereas the version of ZeuS described [here]…has CnC onion domain egzh3ktnywjwabxb.onion defined in its internal block of settings,” the Kaspersky researcher notes. “And tor.exe is included directly in its body and is run by ZeuS itself. So Tor communications and the 64-bit version are inseparable parts of this ZeuS sample, with the functionality included at the very development stage.”


Article source: http://www.darkreading.com/attacks-breaches/new-zeus-banking-trojan-targets-64-bit-s/240164713

Microsoft Joins FIDO Alliance Board Of Directors

Mountain View, Calif – December 12, 2013… The FIDO (Fast IDentity Online) Alliance, an industry consortium revolutionizing online authentication with the first standards-based specifications, today announced that Microsoft has joined the Alliance as a member of the Board of Directors. Microsoft is committed to working with the FIDO Alliance to produce open standards that will ensure interoperability among strong authentication methods and technologies. Representing the preeminent desktop and enterprise software vendor, and as the third leading mobile platform provider to join the FIDO Alliance board, Microsoft joins Google, BlackBerry and many other industry leaders in making FIDO specifications the global standard for post-password authentication.

FIDO members commit to share technology and collaborate to deliver open specifications for universal strong authentication that enables FIDO-compliant authentication methods to be interoperable, more secure and private, and easier to use. Microsoft software runs on hundreds of millions of devices, and the technology leader maintains clear leadership in enterprise, desktop and laptop markets. Users of Microsoft products and services will have a variety of choices for better authentication that overcomes the prevailing reliance on passwords. FIDO authentication is designed with a core focus on privacy: all biometric or personal identifying information (PII) stays local on the user’s device and is never shared to the cloud or over the network.

“Microsoft and the many global leaders joining our endeavor in the last ten months validates the work of the FIDO Alliance, and clearly indicates the imminent sea change set to move the world from a dependency on passwords to universal strong authentication,” said Michael Barrett, president of the FIDO Alliance. “Clearly, the Alliance is recognized as the foremost place to effect the changes needed to ensure future authentication that is simultaneously easier to use, more secure, and private. We welcome Microsoft to our board of directors and value the contributions that only Microsoft can make to benefit enterprises and users everywhere.”

“Microsoft has a track record of unwavering commitment to security and significant contributions to open standards organizations. Joining the FIDO Alliance board of directors is a logical step for us as a way to serve our customers and the community,” said David Treadwell, Corporate Vice President, Microsoft. “As a contributor to the FIDO Alliance working groups on next generation authentication, we look forward to furthering our innovation and thought leadership in the identity space.”

“Microsoft joining FIDO Alliance’s Board is a key milestone to reaching the post UN/PW Authentication era of strong Authentication,” said Sami Nassar, vice president and general manager, Authentication, NXP Semiconductors. “With the support from industry leaders across the value chain, from semiconductors to relying parties, FIDO adds cloud security without compromising privacy and simplicity for consumers and enterprise users.”

Open FIDO specifications will support a full range of authentication technologies for operating systems, including biometrics such as fingerprint and iris scanners, voice and facial recognition, as well as existing solutions and communications standards, such as Trusted Platform Modules (TPM), USB Security Tokens, embedded Secure Elements (eSE), Smart Cards, Bluetooth Low Energy (BLE), and Near Field Communication (NFC). The open specifications are being designed to be extensible and to accommodate future innovation, as well as protect existing investments. FIDO specifications allow the interaction of technologies within a single infrastructure, enabling security options to be tailored to the distinct needs of each user and organization.

About The FIDO Alliance

The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The Alliance plans to change the nature of authentication by developing standards-based specifications for better authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. Better authentication is stronger, private, and easier to use when authenticating to online services.

Article source: http://www.darkreading.com/management/microsoft-joins-fido-alliance-board-of-d/240164719

ID Experts Adds Medical Identity Alert System

PORTLAND, Ore. — December 12, 2013 — MIDAS™ (Medical Identity Alert System), the latest software solution from ID Experts, was announced today. It lets health plans engage consumers (health plan members) in monitoring their healthcare transactions and taking control of their medical identities. MIDAS was developed to lower healthcare costs through early detection and prevention of healthcare fraud by using mobile alerts, an approach similar to those proven in the financial services industry.

MIDAS Helps Health Plans Engage Members in the Healthcare Process; MIDAS is Safe, Secure, and Easy to Use

MIDAS uses real-time text messages and emails to alert members when a healthcare transaction is submitted to their health plan. The alert leads the member to a secure site that displays summary information in plain language. The member can either validate the transaction or mark it as “suspicious.” If suspicious, a notification is sent for prompt follow-up by the MIDAS resolution experts. If fraud or medical identity theft has indeed occurred, MIDAS deploys proven resolution processes to diagnose the problem, address the issue, and mitigate any harm.

“Consumers have easy access to their personal financial data yet their medical care transactions are a closed door,” said Bob Gregg, CEO of ID Experts. “MIDAS will change this by bringing transparency to healthcare transactions, engaging members as the first line of defense in protecting their identities and uniting health plans with their members to combat fraud.”

Reducing Healthcare Fraud by Early Detection

Healthcare fraud is skyrocketing, costing the United States at least $80 billion annually, according to the FBI, and medical identity theft has affected more than 1.8 million victims, according to the 2013 Survey on Medical Identity Theft. As millions more Americans enter the healthcare insurance market under the Affordable Care Act, fraud and abuse are expected to escalate.

Flagging and resolving suspicious healthcare transactions earlier in the process will aid health plans in reducing healthcare costs. Today, the misuse of a medical identity is typically discovered long after the member’s medical record has been compromised. MIDAS streamlines the investigation of fraud and medical identity theft and leverages ID Experts’ proven expertise in dispute resolution so that health insurers can better protect members, reduce fraud losses, and lower their costs.

MIDAS Gives Members Control

According to the 2013 Survey on Medical Identity Theft, 54% of patients do not currently check their health records and Explanation of Benefits (EOBs) for inaccuracies because they either don’t know how or say it’s too difficult. Of those who found unfamiliar claims, 52% did not report them.

Engaging members throughout the healthcare process is also a key compliance component of the Affordable Care Act. MIDAS will engage members to monitor their healthcare transactions and allow them to take control of their medical identities.

“Consistent with our focus on providing innovative member programs, Moda was an early adopter of MIDAS,” said Robert Gootee, CEO of Moda Health, a one-million-member-plus health plan serving Oregon, Washington and Alaska. “In the face of consumer choices resulting from healthcare transformation, we feel this distinguishes us by allowing our members more control of their healthcare transactions.”

“We have been talking to a lot of payers. They tell us their members demand simple, timely access to relevant information,” said Christine Arevalo, vice president, healthcare fraud solutions at ID Experts. “MIDAS provides an elegant solution, by communicating to members in plain language, in a way that increases patient engagement.”

More information about MIDAS can be found here: www2.idexpertscorp.com/MIDAS.

About ID Experts

ID Experts creates software and delivers services that address the organizational risks associated with regulated personal data. The RADAR™ data incident management software platform and professional privacy/security and data breach response services provide organizations with complete data breach care. The newly announced MIDAS™ (Medical Identity Alert System) addresses the growing national issue of healthcare fraud. ID Experts serves leading healthcare providers, insurance organizations, universities, and government agencies and is exclusively endorsed by the American Hospital Association. Founded in 2003, ID Experts is an advocate for privacy; an active contributor to legislation; a member of IAPP, HIMSS, and HCCA; a founding member of the Medical Identity Fraud Alliance (MIFA); chair of the PHI Protection Network (PPN); and chair of the ANSI Identity Management Standards Panel PHI Project. For more information on ID Experts, join the LinkedIn All Things HITECH discussion at bit.ly/AllThingsHITECH; All Things Data Breach at http://linkd.in/TsbwgJ; follow ID Experts on Twitter @IDExperts; and visit http://www2.idexpertscorp.com/.

Article source: http://www.darkreading.com/government-vertical/id-experts-adds-medical-identity-alert-s/240164720

SecureAuth Launches 2Factor As A Service Solution

IRVINE, Calif., Dec. 12, 2013 – SecureAuth, a leading provider of corporate 2-Factor Access Control, today launched SecureAuth 2-Factor as a Service (2FaaS), a completely cloud-hosted authentication solution that offers flexible security without compromising the user experience or user information. SecureAuth 2FaaS delivers flexible authentication options while keeping user credentials on-premise. Its patent-pending Device Fingerprinting mechanism avoids placing a thick client or an insecure cookie on users’ devices, making SecureAuth 2FaaS suitable for enterprise-wide, B2C, and OEM integration.

“SecureAuth 2-Factor as a Service is an intelligent authentication solution that has taken a heuristics-based fingerprint of the device and become transparent to the user to give them access to web, mobile, and cloud resources,” said Garret Grajek, Chief Technology Officer at SecureAuth. “Two-factor authentication can be as easy or demanding as enterprise policies dictate, and can be required for all users or only specific users like customers or contractors. We developed SecureAuth 2FaaS to be flexible and convenient to meet the varying needs of enterprises who have BYOD and desktop users, and for OEMs that prefer our codeless capability.”

SecureAuth 2FaaS Optimum User Experience

SecureAuth 2FaaS enables authentication via SMS, telephony, or push-notification OTPs, eliminating the need for hard tokens. It can be deployed for any corporate web application, including Microsoft OWA, SharePoint, and IBM WebSphere, and for any enterprise mobile application, including Android, Apple and iOS apps. Because it is compatible with any device, employees, partners, contractors, and customers can easily access sensitive data in a secure manner.

Flexible Administrator Console

SecureAuth 2FaaS is completely cloud-based, yet no user information or password credentials are ever stored with SecureAuth or in the cloud. IT administrators can be confident that their corporate identities remain on-premise and that they retain control of user credentials. SecureAuth 2FaaS is self-provisioning, so no help desk involvement is required to revoke or manage access to corporate resources.

A graphical user interface (GUI) console gives administrators a selection of authentication protocols through easy-to-use dropdown menus and installation wizards. This makes integration into their applications and deployment across the enterprise easy and fast.

Organizations interested in learning more about SecureAuth 2FaaS can attend today’s webinar, visit the SecureAuth blog, or contact a representative.

About SecureAuth

Located in Irvine, California, SecureAuth is a technology leader providing 2-Factor Access Control to mobile, cloud, web, and network resources, serving over 10 million users worldwide. The SecureAuth IdP all-in-one, completely scalable solution manages and enforces access based on existing user entitlements. For the latest insight on enterprise security, follow the SecureAuth Blog, follow @SecureAuth on Twitter, or visit www.secureauth.com for additional information.

Article source: http://www.darkreading.com/secureauth-launches-2factor-as-a-service/240164723