STE WILLIAMS

Windows Phone armed with ‘military-grade’ email upgrade

Microsoft is bullet-proofing email on Windows Phone in an effort to follow Apple and Google into the workplace.

Redmond has announced a deal with Good Technology to make Good for Enterprise available for use on Windows Phone 7.5 devices.

The US mobile specialist will deliver FIPS-certified, 192-bit AES encrypted messaging for Windows Phone devices, potentially making it easier for employees to bring their own phones to the office for work. The service will be available in the second quarter.

Good for Enterprise secures Microsoft Outlook or Lotus Notes for iPhones, iPads and Android for enterprise use. The company claims its service provides “military-grade security, end-to-end data loss prevention, and collaboration” for security and compliance to over 4,000 enterprise customers.

The news came in the week Microsoft effectively revealed the update to Windows Phone – codenamed Tango – without actually using the code name. Microsoft said, simply, that Windows Phone was being updated to enable it to run on phones with less memory and slower processors than currently available. Accompanying the news was Microsoft’s announcement that the Tango update to Windows Phone 7.5 would run on the Nokia Lumia 610 phone. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/28/winphone_email_encryption/

UK.gov to double number of biometric chips for immigrants

The government is to double the number of people required to have a biometric residence permit (BRP) to stay in the UK, raising the number to 400,000 a year.

The system is being expanded to include refugees and those given the right to live in the UK permanently. It will mean that all non-EEA (European Economic Area) nationals applying to remain in the UK for more than six months will now need the compulsory permits.

BRPs hold a person’s fingerprints and photograph on a secure chip, and can be used to confirm information on each individual’s work and benefits entitlements. From June, an online Employers’ Checking Service for BRPs will enable employers, and later in the year public authorities, to run real-time checks on whether individuals are eligible to work or access services in the UK.

Most of the 650,000 BRPs issued since their introduction in 2008 have gone to workers or students from outside the EEA wanting to stay in the UK for more than six months.

The new move extends the requirement to people applying for refugee status, humanitarian protection or discretionary leave; settlement or indefinite leave to remain; temporary leave to remain; ‘No Time Limit’ status (migrants who require evidence of settled status to be re-issued); and a Home Office travel document, where the applicant does not already hold a valid biometric residence permit.

The Post Office is to support the extension by rolling out a network of biometric enrolment sites, with the aim of adding 87 to the existing 17 sites by mid April. The sites will collect fingerprints, a digital photograph and an electronic signature and send them through a secure channel to the UK Border Agency.

The Post Office is also setting up a mobile fingerprint enrolment service.

Immigration minister Damian Green said the move is aimed at reducing immigration abuse by proving people’s right to work or access services.

“This will help ensure only those with the right to be here can take a job legally in the UK and enjoy the services to which they are entitled,” he said. “The new measures are a deterrent to all foreign nationals who are looking to exploit the UK for personal gain by breaking the law.”

This article was originally published at Guardian Government Computing.

Guardian Government Computing is a business division of Guardian Professional, and covers the latest news and analysis of public sector technology.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/28/number_of_biometric_permits_to_double/

Cyber-security startup to flash major Android soft spots at RSA

Three big-hitters in the world of cyber security have launched a firm that intends to unmask hackers and their motives, and they’ve scooped up $26m to get it started. As one of its first acts, CrowdStrike plans to unveil an overview of Android’s weak spots in a demo at the RSA Conference on 29 February.

CrowdStrike launched in “stealth mode” last week. The firm is headed up by George Kurtz, former McAfee CTO. Dmitri Alperovitch, formerly threat research veep at McAfee, will be CrowdStrike’s CTO, and Gregg Marston, former Foundstone CFO, will be the new firm’s CFO. Investor Warburg Pincus, which has employed Kurtz since November, has pumped a cool $26m into the enterprise to help it hire talent.

New strategy

Promising a “new strategy” on cyber security, CrowdStrike said it would home in on the people behind malware rather than the software itself in a bid to protect companies and government from hackers at the highest level.

“The person or organization pulling the trigger (or deploying the malware) is the one that you ultimately need to focus on. The type of gun or ammunition they may be using is interesting, but in most cases not strategically relevant,” Kurtz wrote in a blog announcing the launch.

These companies don’t have a malware problem, they have an adversary problem.

Instead of endlessly patching flaws, Kurtz argues, defenders should target the mistake-prone humans behind the malware:

Attackers are creatures of habit and while they are fast to change their weapons, they are slow to change their methods. By identifying the adversary and revealing their unique Tactics, Techniques and Procedures (TTPs), i.e., modus operandi, we can hit them where it counts – at the human-dependent and not easily scalable parts of their operations.

Targeting the hacker, not just the hack

It sounds good, but we weren’t sure exactly how a CrowdStrike product would actually work. We asked Kurtz and Alperovitch:

“We will not look to replace firewalls, these existing companies will continue to provide value,” said Kurtz. He stressed that it was valuable for companies to know who was attacking them and why, citing the example of a company he’d helped last year which had come under a heavy attack from competitors that had filched its loosely protected internal emails.

“The company had been protecting their financial information,” he explained, but that wasn’t what the hackers were after. “It was not info that any company would have expected to be hacked; the hackers were taking emails and internal messages, and handing them over to competitors.”

The hack resulted in a significant intellectual property loss as competitors got a lead on confidential information about future developments and deals.

As for the end product, Kurtz was reluctant to drop many details about what a CrowdStrike report would look like: “It’s not a static report, it’s not a PowerPoint, it’s a dynamic thing,” he told us.

New hires

Kurtz’s previous research into mobile security, particularly into mobile Remote Access Tools (RATs), means that CrowdStrike will have a strong focus on the security of mobile devices. By crunching big data, CrowdStrike aims to gain insights that other security firms can’t see.

Kurtz said that with its launch, CrowdStrike wanted to get word out that they were looking for fresh talent. “[We’re letting] people know that we’re a company and we’re looking for the best and brightest.”

CrowdStrike expects to be up and running and landing clients in the second half of 2012. We’ll keep you updated. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/28/crowdstrike_launch_new_security_tactic/

IT staffers on ragged edge of burnout and cynicism

RSA 2012 A survey of stress levels among IT security staff, thought to be the first of its kind, has shown that an alarming number of staffers are suffering dangerous levels of cynicism, leaving them depressed and unable to function properly.

The survey (securityburnout.org) was organized by Jack Daniel, founder of the Security B-Sides conference, joined by friends in the industry who are becoming increasingly concerned about the lack of support within the IT community for staff. So far, only 124 valid survey samples have been returned (which the team admit isn’t good on a sampling level), but the results are worrying.

Fewer than half of those surveyed said they were not exhausted by their job, and 13 per cent reported levels of exhaustion and cynicism that are highly deleterious to health. As an industry, IT, and IT security in particular, showed an average score for job cynicism at the extreme edge of what is healthy. Over a quarter of those surveyed felt that they were not achieving their job’s goals.

“Other professions know that this is a problem and have strategies to deal with it, but there’s no recognition of this in IT,” Daniel told The Register. “In part it’s because we’re a very young profession that’s constantly changing. But this needs a doctorate-level study, not something put together by six security professionals in their spare time.”

He pointed out that security professionals are known for workaholic tendencies, joking that most people loved 40-hour weeks so much they worked two of them every seven days, but warned that the risk of staff burnout is very real. The nature of the job is also an issue: it is hard to measure the effectiveness of what you do, and in IT security a single mistake can have a disastrous end result.

“There’s a real business case for this,” team member and cofounder of the SOURCE security forum Stacy Thayer said. “Five years ago, when I looked at what underperforming staff cost the industry, the figure was $90bn in lost productivity. Now it’s $328bn.”

IT pros = rampant substance abusers

Thayer remarked that alcohol abuse was rife in the industry, and that as an organizer she was constantly being asked to set up bar facilities at events at all hours. Team member Martin McKeay, security evangelist at Akamai Technologies, agreed, saying that alcohol and drug abuse was common in the industry.

“When you go to conferences you realize how much stress behavior we show,” he said. “How many people get drunk and then get fired because of behavior at conventions – it happens with every ShmooCon and DevCon. That’s an indicator that there’s a problem.”

Some companies are at least recognizing there is a problem. Josh Corman, director of security intelligence at Akamai and a team member, praised companies like SpiderLabs and Trustwave, which allow staff to take time out during the week on research that really interests them. Staff were happier, he said, and the work fed back into the company.

Management may also be the problem, not the IT worker. “As an experiment,” Corman said, “explain to your children what it is you’re trying to explain to your chief security officer. If they get it and he doesn’t, then the problem isn’t with you.”

He also pointed out that security staff are at a premium at the moment, and there is zero unemployment in some sectors of the market. Staff shouldn’t be unwilling to jump ship – indeed, spending too long at a company is seen by some employers as a sign that a staff member has reached their intellectual limits.

IT staff should also learn from other high-stress professions. Security consultant Gal Shpantzer pointed out that in careers such as piloting or military special operations, people never work alone and always operate in pairs at minimum. The industry could learn from this, he said.

“Despite the media portraying elite troops as lone wolves, in fact they never go out in units of less than two. It’s OK to ask for help, and it’s usually a really bad idea to rely solely on yourself – you can’t win this battle alone.”

The presentation, given at the RSA conference in San Francisco, was a popular one. RSA’s opening day is traditionally slow, with low attendance ahead of the main keynotes tomorrow. But Daniel’s session was packed, leaving many unable to participate due to overcrowding – and indicating that he could well be onto something. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/27/it_staff_stress_survey/

Cisco to push threat intelligence to all devices

RSA 2012 Cisco plans to push security intelligence into its entire firewall line in an attempt to make its hardware a lot smarter and ease the load on IT managers.

On Tuesday, Cisco will announce the extension of its SecureX threat monitoring system into some of its largest firewalls with the Cisco ASA CX firewall. It is also upgrading TrustSec and its Identity Services Engine (ISE) to boost the company’s ability to monitor threats in the cloud and across a wide range of device types. Ultimately, the goal is to deliver the intelligence on the software side with no additional hardware.

“Long term, we’re going to be taking the power of SecureX, and bringing it into the Cisco core architecture, and delivering it on everything we do – our core router and switching, but also data, voice and video. We’re bringing security to all parts of the Cisco landscape,” said Cisco’s new senior vice president of security Christopher Young at the RSA 2012 conference in San Francisco.

Every day Cisco handles 35 per cent of the world’s email via its systems, accounting for 4TB of information, he explained, and routes 30 billion website requests. This kind of information is now being analyzed and fed into Cisco’s SecureX network. Cisco’s CSO John Stewart said this gave the company a unique selling point.

“We’ve got to work together – you’re not going to survive on your own. You’ve got to work in a community of data. Cisco’s been quietly successful in protecting customers from a phenomenal data source, which is ours,” Stewart said. Cisco claims the ASA CX system will be capable of identifying over a thousand individual applications such as Facebook and Google+, as well as 75,000 micro applications. For example, the system can be configured to allow access to Facebook, but not to specific applications within it.

As a first step, the company announced that SecureX will be built into the ASA 5500 Series X firewalls aimed at large and medium-sized business sector. The company declined to give any details regarding the roadmap of further roll-out plans. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/28/cisco_securex_rsa/

ZeuS Trojan embraces P2P – becomes even more sneaky and sticky

New variants of the Zeusbot/SpyEye cybercrime toolkit are moving away from reliance on command-and-control (C&C) servers towards a peer-to-peer architecture.

C&C servers are the Achilles heel of cybercrime networks, vulnerable both to takedown operations and to monitoring by law enforcement and security researchers. Variants of Zeusbot/SpyEye released last year got around the takedown-leads-to-decapitation problem by building in peer-to-peer functionality that allowed compromised hosts to exchange information on replacement C&C servers.

Now cybercrooks have built functionality into Zeusbot/SpyEye that allows instructions to be distributed via P2P techniques as well, eliminating the need for C&C servers. Compromised systems are now capable of downloading commands, configuration files, and executables from other bots, a write-up by security researchers at Symantec explains.

“Previously, every compromised computer was a peer in the botnet and the configuration file (containing the URL of the C&C server) was distributed from one peer to another,” Symantec researcher Andrea Lelli explains. “This way, even if the C&C server was taken down, the botnet was still able to contact other peers to receive configuration files with URLs of new C&C servers.”

“With the latest update, it seems that the C&C server has disappeared entirely for this functionality. Where they were previously sending and receiving control messages to and from the C&C, these control messages are now handled by the P2P network.”

Stolen data, such as banking login credentials, could in principle be relayed over the P2P network instead of being dumped on servers that might be infiltrated. However, preliminary analysis suggests that stolen data is still transmitted back to the attackers directly rather than relayed through the P2P network.

Nonetheless tracking banking botnet activity and identifying the cybercrooks behind such networks is likely to become more difficult as a result of the architectural changes that have come with the latest version of ZeuS/SpyEye, Symantec warns. Other changes to the malware creation toolkit include greater reliance on UDP communications – a stateless protocol that’s harder to track and dump than TCP – as well as an extra encryption layer.
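The shift from one C&C address to many UDP peers changes what a defender should look for in network telemetry. The following is an added example, not part of the Symantec write-up or this article: a Python heuristic run over constructed flow records that separates a host fanning out over UDP to many outside peers (P2P-like) from a host beaconing repeatedly to a single outside address (C&C-like). The record format, the internal address range, the high-port cut-off and the thresholds are all assumptions chosen for illustration, not values taken from any ZeuS analysis.

```python
"""P2P-versus-C&C beaconing heuristic over flow records.

Added example, not from the Symantec write-up or the article. All of the
following are assumptions for illustration: the flow record format, the
monitored (internal) address range, the "high port" cut-off and the
thresholds. A real deployment would tune these against a traffic baseline.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the monitored site's own address space.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Assumed record layout: "<timestamp> <proto> <src>:<sport> -> <dst>:<dport> <bytes>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<bytes>\d+)$"
)


def parse_flow(line):
    """Parse one flow record into a dict; raise on anything that does not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    d = m.groupdict()
    return {
        "ts": d["ts"], "proto": d["proto"],
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "bytes": int(d["bytes"]),
    }


def is_internal(addr):
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def classify_hosts(lines, peer_threshold=8, repeat_threshold=6, high_port=1024):
    """Return {internal_host: "p2p-like" | "cc-like" | "normal"}.

    p2p-like: UDP to at least peer_threshold distinct outside peers on ports
              >= high_port (DNS to an outside resolver on 53 does not count).
    cc-like:  at least repeat_threshold flows to one outside address, with no
              P2P-style fan-out.
    """
    udp_peers = defaultdict(set)                        # host -> {outside UDP peers}
    dst_counts = defaultdict(lambda: defaultdict(int))  # host -> {dst: flow count}
    for line in lines:
        f = parse_flow(line)
        # Only outbound traffic from monitored hosts to the outside is of interest.
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue
        if f["proto"] == "udp" and f["dport"] >= high_port:
            udp_peers[f["src"]].add(f["dst"])
        dst_counts[f["src"]][f["dst"]] += 1

    verdicts = {}
    for host, counts in dst_counts.items():
        if len(udp_peers.get(host, ())) >= peer_threshold:
            verdicts[host] = "p2p-like"
        elif max(counts.values()) >= repeat_threshold:
            verdicts[host] = "cc-like"
        else:
            verdicts[host] = "normal"
    return verdicts


# Constructed sample records (documentation address ranges), not captured traffic.
SAMPLE_FLOWS = (
    # 10.0.0.5: UDP to twelve distinct outside peers on high ports (P2P-like)
    [f"2012-02-27T10:00:{i:02d} udp 10.0.0.5:5{i:04d} -> 192.0.2.{10 + i}:{20000 + i} 312"
     for i in range(12)]
    # 10.0.0.7: seven TCP sessions to the same outside address (C&C-style beacon)
    + [f"2012-02-27T10:01:{i:02d} tcp 10.0.0.7:4{i:04d} -> 198.51.100.4:443 1024"
       for i in range(7)]
    # 10.0.0.9: DNS to an outside resolver plus two web fetches (benign)
    + [f"2012-02-27T10:02:{i:02d} udp 10.0.0.9:3{i:04d} -> 192.0.2.53:53 64"
       for i in range(3)]
    + [f"2012-02-27T10:03:{i:02d} tcp 10.0.0.9:4{i:04d} -> 192.0.2.50:80 2048"
       for i in range(2)]
)


if __name__ == "__main__":
    for host, verdict in sorted(classify_hosts(SAMPLE_FLOWS).items()):
        print(f"{host:12} {verdict}")
```

The point of the two-sided rule is the one the article makes: a bot that no longer has a fixed C&C address stops showing up as a repeated connection to one host, so the indicator has to become the fan-out itself. Internal-to-internal flows are ignored, and low-port UDP is excluded so that DNS lookups do not inflate the peer count.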

Both ZeuS and SpyEye are best described as cybercrime toolkits that can be used for the creation of customised banking Trojans. The code base of the two former rivals was merged last year, leading to the creation of strains designed to target mobile banking customers.

The source code of ZeuS was leaked last May, further propelling innovation in the underground cybereconomy. Previously licences to ZeuS – sold via carder forums and other underground forums – could fetch thousands of dollars a pop. But since the source code leak, any tech-savvy cybercrook can knit their own banking Trojan. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/27/p2p_zeus/

Qualys pushes out cloud-based tech for website protection

Security software-as-a-service specialist Qualys has branched out from vulnerability assessment and policy compliance for corporate networks with a cloud-based website protection service.

QualysGuard Web Application Firewall (WAF) is designed to protect sites from threats including SQL injection and DDoS. The service is also designed to improve website performance through caching, compression and content optimisation. The service, which will compete against existing offerings from the likes of Akamai, adds to Qualys’s existing Web Application Service.

“The existing service is a scanning/assessment tool,” explained Qualys director of engineering Ivan Ristic. “The WAF is a real-time monitoring and protection tool. They’re complementary.”

Qualys’s move is a further sign that the web application firewall market, which has dropped out of fashion over recent years, is back in vogue. Last week Juniper Networks bought web application security firm Mykonos Software for $80m.

Cloud security is unsurprisingly a big theme of this year’s RSA Conference. Other significant launches include a disaster-recovery software-as-a-service offering from CA, targeted at SMEs. ARCserve D2D on Demand is a hybrid service that combines on-site data protection with a cloud-based service, built using Microsoft Azure’s platform.

Elsewhere, vulnerability management firm Secunia launched a revamped version of its free patch management tool for consumers. Secunia Personal Software Inspector (PSI) version 3.0 includes more automated patching features and a dramatically simplified user interface. The software, which helps keep Windows users up to date with the latest patches from both Microsoft and third-party developers, is due to remain in beta until June. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/27/cloud_security/

Great Firewall springs a leak: Chinese flood Obama’s Google+ page

China’s infamous tool of internet censorship the Great Firewall appeared to fail last week, allowing hundreds of web users in the People’s Republic to access and post comments on US president Barack Obama’s Google+ page.

Google’s social networking service is blocked in China – like many other sites including Facebook and Twitter – for fear that it could provide a platform for social and political dissent. The Communist Party enforces its stance with a range of country-wide internet monitoring and IP-blocking technologies collectively known as the Golden Shield Project.

However, the leader of the Western world’s Google+ page was flooded with users posting in the simplified Chinese of the mainland from Friday, with content reportedly focused on issues of democracy and censorship in China.

Of those posting in English, some were clearly just happy to be there, while others used their time on the site to ask for freedom for political prisoners such as blind lawyer Chen Guangcheng and human rights activist Liu Xiaobo.

Several more claimed they were staging their own tongue-in-cheek ‘Occupy’ protest on the president’s Google+ page.

Another, clearly astonished at the sudden influx of Mandarin on the site, wondered aloud whether Google had been bought by Baidu overnight.

Some claimed that Google+ had been available in China since the beginning of the week, although most comments in Chinese appeared on posts on Obama’s page from Friday through to Sunday. It’s pretty clear from reading them that he’s more popular in China than in the US at the moment.

The party may be over for those Obama-mad Chinese web users, however, with online censorship monitoring site greatfire.org claiming that the pages are now being blocked as usual.

It’s still unclear what caused the failure of the Golden Shield. While it’s one of the most sophisticated and large-scale systems of its kind on the planet, it’s not infallible – although this has certainly been the most high-profile breach in recent memory. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/27/obama_google_china/

Facebook denies poaching your text messages on Android

Facebook has dismissed allegations in The Sunday Times that the web giant’s Android app can hoover text messages from phones as “creative conspiracy theorising”.

Flatly denying the claim published by the broadsheet at the weekend, the social network’s UK office said its app’s ability to access text messages was open and transparent, and that Facebook isn’t actually looking at text messages anyway.

“The Sunday Times has done some creative conspiracy theorising,” the rep said in a statement. “The suggestion that we’re secretly reading people’s texts is ridiculous. Instead, the permission is clearly disclosed on the app page in the Android marketplace and is in anticipation of new features that enable users to integrate Facebook features with their reading and sending of texts.”

The permissions page for the Facebook app on the Android App Marketplace does clearly state this feature of the app:

Facebook added that although its app does have the permission to read, send and edit text messages in a user’s phone, it’s not something it does. The biz said it has been using the feature to a “limited” extent to road-test a messaging service:

However, other than some very limited testing, we haven’t launched anything so we’re not using the permission.  When we do, it will be obvious to users what’s happening.  We’ll keep you posted on our progress.

The product under tests will require the SMS part of the phone to talk to the Facebook app, Facebook asserted. It’s “a piece of dormant code used to run a limited internal test of a new feature,” said the spinner.

The permissions issue is as much one for Google as Facebook: Apple’s iOS walls off certain phone functions from third-party apps – including text messages and phone functions. But on Android phones that information is accessible to apps, provided the user agrees on downloading the app.

The Sunday Times article also highlighted that the YouTube app on Android was capable of remotely accessing and operating users’ smartphone cameras to take photographs or videos at any time. The app store permission reads:

Allows application to take pictures and videos with the camera. This allows the application at any time to collect images the camera is seeing.
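Because on Android the disclosure lives in the app's declared permissions, the practical check is to read them directly rather than rely on the store page. The following is an added example, not code from the article, Facebook or Google: a Python script that pulls the uses-permission declarations out of the text form of an AndroidManifest.xml and flags the ones granting SMS and camera access of the kind discussed above. Inside an APK the manifest is binary XML, so it has to be decoded to text first (apktool does this); the manifest below is constructed, the watchlist is my own selection, and the descriptions paraphrase the Market permission strings rather than quoting them.

```python
"""Audit the permissions an Android app declares.

Added example; not code from the article, Facebook or Google. It reads the
text form of AndroidManifest.xml (the copy inside an APK is binary XML and
must be decoded first, e.g. with apktool) and reports which declared
permissions fall on a watchlist. The manifest below is constructed, and the
watchlist and its wording are my own selection for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Watchlist: permission -> what it lets the app do (assumed wording).
SENSITIVE = {
    "android.permission.READ_SMS": "read your text messages",
    "android.permission.RECEIVE_SMS": "receive text messages before you see them",
    "android.permission.SEND_SMS": "send text messages (may cost you money)",
    "android.permission.WRITE_SMS": "edit or delete text messages",
    "android.permission.CAMERA": "take pictures and videos at any time",
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.READ_CONTACTS": "read your contacts",
    "android.permission.ACCESS_FINE_LOCATION": "read your precise location",
}

# Constructed manifest; not the real Facebook or YouTube app's.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.social">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.WRITE_SMS"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="Example"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the declared permission names in document order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for el in root.iter():
        # uses-permission-sdk-23 is the API 23+ variant of the same declaration.
        if el.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = el.get(NAME_ATTR)  # namespaced android:name attribute
            if name:
                names.append(name)
    return names


def audit_permissions(manifest_xml):
    """Return the package name, every declared permission, and the flagged subset."""
    root = ET.fromstring(manifest_xml)
    declared = declared_permissions(manifest_xml)
    flagged = [(p, SENSITIVE[p]) for p in declared if p in SENSITIVE]
    return {"package": root.get("package"), "declared": declared, "flagged": flagged}


if __name__ == "__main__":
    report = audit_permissions(SAMPLE_MANIFEST)
    print(f"{report['package']}: {len(report['declared'])} permissions declared")
    for perm, meaning in report["flagged"]:
        print(f"  FLAG {perm}: {meaning}")
```

A declared permission is a capability, not proof of use, which is exactly the distinction Facebook draws above; the audit tells you what the app could do once installed, and code review or runtime monitoring is needed to establish what it actually does.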

Google did not respond immediately to a request for comment. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/27/facebook_android_app_sms/

Child abuse suspect won’t be forced to decrypt hard drive

A federal appeals court has ruled it improper to compel a child pornography suspect to decrypt his hard drive because such an act would violate his Fifth Amendment rights.

The ruling (PDF) by the Atlanta-based US 11th Circuit Court of Appeals in the case of an unnamed suspect from Florida (known in court papers as “John Doe”) goes against US legal thinking in previous cases where courts held a person ought to be obliged to turn over encryption codes or passwords in a criminal investigation.

The appeals court ruled that: “[the] Fifth Amendment protects [the man’s] refusal to decrypt and produce the contents of the media devices”, the Wall Street Journal reports.

The US Fifth Amendment holds that no one “shall be compelled in any criminal case to be a witness against himself”. But this protection against self-incrimination only goes so far.

Supreme Court rulings have previously found that a subject can be compelled to turn over a key to a safe containing potentially incriminating evidence, but is not obliged to supply the combination to a safe to investigators. US law is less clear on how this applies to encrypted files on computers (which might be considered akin to digital safes).

The US 11th Circuit Court of Appeals ruling goes against two district court cases on whether the government can compel subjects of investigation to turn over either the passphrase or a plain text version of the data held on an encrypted drive.

Courts in Colorado and Vermont have previously held that the government can order suspects to turn over encryption passphrases, in certain circumstances.

In the case heard by the 11th Circuit Court of Appeals, the suspect allegedly refused to supply the passphrases for five of his laptop hard drives and five external hard drives. His hard drives had been seized by police at the time of his arrest in a hotel room in October 2010, and encrypted using TrueCrypt, the court documents said.

The suspect refused to supply the passphrase in time for his appearance before a federal grand jury in Florida last April, the WSJ reported, and continued to refuse to do so in response to a later court order requiring him to decrypt the hard drives. A federal judge held the suspect in contempt of court but the appeal court overturned this ruling.

“We conclude that the decryption and production would be tantamount to testimony by Doe of his knowledge of the existence and location of potentially incriminating files; of his possession, control, and access to the encrypted portions of the drives; and of his capability to decrypt the files,” wrote Judge Gerald Bard Tjoflat, one of the three judges hearing the appeal, in the ruling (PDF).

The ruling continued: “It is not enough for the Government to argue that the encrypted drives are capable of storing vast amounts of data, some of which may be incriminating. Just as a vault is capable of storing mountains of incriminating documents, that alone does not mean that it contains incriminating documents, or anything at all.”

The Vermont case, which came before the courts in 2009, also involved child pornography but authorities in that case said they already had evidence that the suspect’s drive contained child abuse material before they requested the courts to order the suspect to supply the passphrase for an encrypted portion of the disk.

In the Florida case, all the drives are fully encrypted and the police have no certain knowledge of what they contain.

In January, a federal judge in Colorado ordered a woman charged with fraud to hand over decryption keys to her computer. A regional appeals court rejected her appeal, and she was ordered to decrypt the information last week.

The Electronic Frontier Foundation filed representations on behalf of the defence in both the Florida and Colorado cases.

In a statement, the EFF welcomed the ruling in the Florida case. “The government’s attempt to force this man to decrypt his data put him in the Catch-22 the 5th Amendment was designed to prevent – having to choose between self-incrimination or risking contempt of court,” said EFF senior staff attorney Marcia Hofmann. “We’re pleased the appeals court recognised the important constitutional issues at stake here, and we hope this ruling will discourage the government from using abusive grand jury subpoenas to try to expose data people choose to protect with encryption.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/27/forced_decryption_ruling/