STE WILLIAMS

Oz gov sysadmins ASLEEP AT THE WHEEL

Systems administrators in charge of Australian parliamentarians’ computers have been dozing at the wheel, don’t read The Guardian, and have completely failed to notice PRISM or Edward Snowden, a Senate Estimates hearing has revealed.

Alternatively, Department of Parliamentary Services (DPS) sysadmins are today queuing at the boss’ office to protest that actually, their network is not a walk-in coffee-lounge frequented by NSA spooks taking time off from stalking their girlfriends and exes, and that the Australian Signals Directorate watches it like a hawk.


The impression that there are holes in Canberra’s dam walls came courtesy of a session in which Greens Senator Scott Ludlam played all the best cards in the Snowden slide-deck, to the discomfiture of the Department of Parliamentary Services’ CIO, Eija Seittenranta.

“We know that Microsoft’s software contains a backdoor … do we provide for a specific patch against that backdoor, or is the parliament’s network open to intrusion by the US government?”, Ludlam asked (a question which The Register notes presumes the accuracy of Snowden’s leaks).

In answering, Seittenranta noted that the DPS has never received “any specific advice” about vulnerabilities that are actually built into products (something denied by Redmond).

“When you became aware that the security vulnerability existed, that has been built into the software that we are all forced to use in this building, did you notify the occupants of this building?” Ludlam asked.

Seittenranta’s response, that the DPS is “dependent on advice” from the ASD, did not satisfy the senator, who pressed on by observing that “If the Chinese government had opened a backdoor in the operating system of every device in this room, and indeed this building, it would be a gargantuan scandal and presumably you would have called the ASD as soon as you were notified”.

If a backdoor exists and isn’t protected by anything else, Seittenranta conceded that computers on the DPS network would inherit such a vulnerability. She added that in other contexts, such as computers operated by members of the ministry, security would be the responsibility of different departments.

This irritated Ludlam, since that means “I would have to chase the departments around this building one-by-one” to see how ministerial computers are secured.

In Seittenranta’s support, another officer of the DPS said the department had never observed untoward outward messages from parliamentary computers. Since parliamentary computers are used, among other things, for communications such as e-mail, The Register presumes the statement that there were “no outward messages sent to Microsoft or any other organisation” didn’t include legitimate communications.

Ludlam also appears to be under the impression that parliamentary machines are using US-hosted Microsoft cloud services: “Are you aware that Microsoft is under a legal obligation to allow the NSA access to its servers and its hosting services?” he asked.

Seittenranta said the department has no validation that any backdoor exists, which Ludlam disputed by referring back to his statements about cloud services – “the primary documents are in the public domain, that Microsoft is under a legal obligation to open that security hole … every device in this building has been backdoored,” he said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/19/oz_gov_sysadmins_asleep_at_the_wheel/

Old JBoss vuln in the wild, needs patching

JBoss sysadmins need to get busy hardening their systems, with a rising number of attacks against the system, according to Imperva.

The attacks are based on an exploit that was published back in October by Andrea Micalizzi. The exploit code gave remote attackers arbitrary code execution access to HP’s PCM Plus and Application Lifecycle Management systems without authentication.


The attack also works against McAfee, Symantec and IBM products using JBoss 4.x and 5.x.

Imperva’s advisory states that the company is now seeing an increasing amount of attack traffic using the exploit.

What’s surprising, Imperva says, is that while the Micalizzi exploit code only hit the waiting world this year, the vulnerability has been known since 2011. The attack works by exploiting the HTTP invoker service in JBoss, used to provide access to Enterprise Java Beans.

Imperva says the Micalizzi exploit “abuses invoker/EJBInvokerServlet to deploy a web shell code that enables the hacker to execute arbitrary Operating System commands on the victim server’s system.” In the HP environment, this would provide access to the PCM Plus and ALM management consoles.

There are currently 23,000 servers exposing their JBoss management interfaces to the Internet, up from 7,000 in 2011, Imperva says, with infections spotted in the wild.

In October, HP updated its JBoss implementation here. ®
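
A defender's check for the traffic described above, as an added example (not Imperva's or The Register's code): it scans web access-log lines for requests to paths under /invoker/ and separates external requests that were served from those that were refused. The log layout, the internal address ranges, the verdict names and the sample lines are assumptions constructed for the example.

```python
"""Added example: flag requests to JBoss /invoker/ servlets in an access log."""
import ipaddress
import posixpath
import re
from urllib.parse import unquote

# Assumption: Apache/Tomcat "common" access-log layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption: the address ranges this site treats as internal.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


def normalise_path(target: str) -> str:
    """Drop the query string, decode %xx, collapse '//' and '/./', lowercase."""
    path = unquote(target.split("?", 1)[0])
    path = re.sub(r"/{2,}", "/", path)
    return posixpath.normpath(path).lower()


def is_internal(ip_text: str) -> bool:
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:  # hostname or junk in the client field
        return False
    return any(ip in net for net in INTERNAL_NETS)


def scan(lines):
    """Return (findings, skipped): one finding per /invoker/ request seen."""
    findings, skipped = [], 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            skipped += 1  # unparseable line: count it, do not hide it
            continue
        path = normalise_path(m["target"])
        if path != "/invoker" and not path.startswith("/invoker/"):
            continue
        status = int(m["status"])
        if is_internal(m["ip"]):
            verdict = "internal"      # expected only from management hosts
        elif status < 400:
            verdict = "investigate"   # an outside client reached the invoker
        else:
            verdict = "probe"         # an outside client asked and was refused
        findings.append({
            "ip": m["ip"], "time": m["ts"], "method": m["method"],
            "path": path, "status": status, "verdict": verdict,
        })
    return findings, skipped


# Constructed sample lines (documentation address ranges, invented timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Nov/2013:10:01:02 +0000] "POST /invoker/EJBInvokerServlet HTTP/1.1" 200 512',
    '198.51.100.23 - - [19/Nov/2013:10:02:10 +0000] "GET /invoker//EJBInvokerServlet?x=1 HTTP/1.1" 404 0',
    '10.0.0.5 - - [19/Nov/2013:10:03:44 +0000] "POST /invoker/EJBInvokerServlet HTTP/1.1" 200 128',
    '203.0.113.7 - - [19/Nov/2013:10:04:00 +0000] "GET /index.jsp HTTP/1.1" 200 1043',
    'truncated line with no request field',
]

if __name__ == "__main__":
    hits, bad = scan(SAMPLE_LOG)
    for h in hits:
        print(f'{h["verdict"]:<12}{h["ip"]:<16}{h["method"]:<5}{h["path"]} -> {h["status"]}')
    print(f"unparsed lines: {bad}")
```

Any "investigate" result means the invoker service answered a client outside the listed ranges, so the host belongs on the patch-and-review list regardless of what the request carried.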

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/19/old_jboss_vuln_in_the_wild_needs_patching/

Forum software vendor vBulletin breached – apparently by vBulletin hack

According to its own website, vBulletin is “the world’s leading community software,” and many forums, message boards and social networking sites use it.

From time to time, vulnerabilities in vBulletin make the headlines because they catch out vBulletin customers who haven’t patched in time (or who are unlucky enough to be the first victims of a new security hole).

For example, the Ubuntu Forums website was taken over back in July 2013, and popular Apple-related site MacRumors was breached just last week.

Both of those sites, it seems, were vBulletin users.

Another high-profile vBulletin user, of course, is vBulletin itself…

…and you can probably guess where this is going.

You wouldn’t know anything was amiss from vBulletin’s main page, but a visit to vBulletin’s own forum reveals the sort of message that every forum operator hopes never to have to write:

Important Message Regarding Your Account

Often, what comes up when you click through to the message itself is the sort of platitude that call centres use when they claim “your call is important.” (So important that it has just been placed in a lengthy queue rather than actually answered.)

And vBulletin fell into that verbiage trap:

We take your security and privacy very seriously.

A touch of customer-facing advice, if I may.

If you are about to apologise to your customers for having been bad at security, don’t start off by praising yourself for being good at it.

Start off by apologising for having been bad at it.

Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password.

You don’t need to use the word sophisticated.

It’s cold comfort to your customers, and all it really means is that you were less sophisticated than the crooks.

That doesn’t bode well for any claims you may make about defending successfully the next time there’s an attack.

Just say that you detected a breach, though sadly only after it had taken place.

Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems.

Avoid saying the passwords were encrypted if they were hashed.

The last company that admitted its stolen passwords were “encrypted” was Adobe, and that didn’t end well. (The passwords were encrypted, rather than hashed, all with the same key, and in such a way that repeated passwords produced repeated ciphertext.)

Also, tell your customers how you hashed their passwords so they can form their own opinion about how likely it is that a cracker might recover those passwords by trial and error.

For example, the Ubuntu Forums hacker claimed that the stolen passwords in that breach were “encrypted [sic] with the default vBulletin hashing algorithm (md5(md5($pass).$salt)”, which means just two single-block MD5 calculations for every password trial.

Modern password crackers costing no more than $20,000 can compute hundreds of billions of MD5s per second.

The breach notification ends like this:

Please choose a new password and do not use the same password you used with us previously. We also highly recommend that you chose [sic] a password that you are not using on any other sites.

That’s good advice, and given that vBulletin has just apologised for poor security of its own, I can fully understand why the company wasn’t more forceful here.

However, I’ll be more forceful on vBulletin’s behalf:

Do not choose a password that you are using on any other site. ONE ACCOUNT, ONE PASSWORD.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/nyHl7aUDsGc/

Give! us! time! and! we’ll! encrypt! YOUR! privates! promises! Yahoo!

Yahoo! is going to start encrypting its intra-data-center traffic and will offer a similar service as an option to webmail users next year, CEO Marissa Mayer has pledged.

“I want to reiterate what we have said in the past: Yahoo has never given access to our data centers to the NSA or to any other government agency. Ever,” she said on her Tumblr page – which is now the preferred method of corporate communications following Yahoo!’s $1bn acquisition of the site.


“There is nothing more important to us than protecting our users’ privacy. To that end, we recently announced that we will make Yahoo Mail even more secure by introducing https (SSL – Secure Sockets Layer) encryption with a 2048-bit key across our network by January 8, 2014.”

Last month documents released by NSA whistleblower Edward Snowden claimed that the NSA and Britain’s GCHQ have been tapping into the fiber used by Google and Yahoo! to connect their data-center traffic. The scheme, dubbed MUSCULAR, operated outside the US, to stay within the remit of the national laws.

The leaked documents sent two Google engineers into an apoplexy, and the search giant has already started adding encryption to its interlinks and now Yahoo! will follow suit, albeit at a more leisurely pace. Microsoft has said it is “reviewing” such a move, but doesn’t encrypt as yet.

The Yahoo! data center streams, which carry huge amounts of user and corporate information, will be encrypted by the first quarter of next year, and Yahoo! Mail users will have the option to encrypt, although it doesn’t look at this stage as though this will be the default setting.

Furthermore, Yahoo! is going to work with co-branded partners to set up HTTPS communications links overseas. Eventually Yahoo wants to encrypt all of its services, but hasn’t given a precise timescale.

“As we have said before, we will continue to evaluate how we can protect our users’ privacy and their data. We appreciate, and certainly do not take for granted, the trust our users place in us,” Mayer concluded. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/18/give_us_some_time_and_well_encrypt_promises_yahoo/

vBulletin.com’s password database hack gives forum admins the jitters

Forumware giant vBulletin.com has admitted that it’s been turned over by hackers who made off with customer user IDs and encrypted passwords.

vBulletin said it was resetting account passwords in response to the breach, which it blamed on a series of “sophisticated attacks”:

Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password. Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems. We have taken the precaution of resetting your account password. We apologise for any inconvenience this has caused but felt that it was necessary to help protect you and your account.

It’s unclear what form of “password encryption” vBulletin actually used. In particular it’s unknown if the forum followed industry best practice and stored passwords only in a hashed digest format together with a pinch of salt as a defence against rainbow table-style brute-force attempts to decode its (now leaked) user credential database.
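
The salted-digest storage discussed above, together with the md5(md5($pass).$salt) scheme quoted in the Naked Security piece earlier on this page, as an added example (not vBulletin's or either publication's code): it reproduces that scheme, shows why each guess costs two single-block MD5 calls, and wraps an existing digest in a slow KDF without needing the password. The three-character salt, the PBKDF2 work factor, the record layout and the 10^11 MD5/s rate are assumptions of the example.

```python
"""Added example: md5(md5($pass).$salt) and a slow-KDF upgrade wrap."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # illustrative work factor (assumption)


def vb_legacy_hash(password: str, salt: str) -> str:
    # PHP's md5() returns lowercase hex text, so the outer MD5 runs over
    # 32 hex characters followed by the salt.
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def md5_blocks(message_len: int) -> int:
    # MD5 appends one 0x80 byte and an 8-byte length, then pads to 64 bytes,
    # so anything up to 55 bytes fits in a single block.
    return (message_len + 9 + 63) // 64


def exhaust_seconds(charset: int, length: int, md5_per_second: float) -> float:
    # Worst-case time to try every password of one length at two MD5s per guess.
    return (charset ** length) * 2 / md5_per_second


def wrap_legacy(legacy_hex: str, legacy_salt: str) -> str:
    # Upgrade a stored digest in place: the old value becomes the input to a
    # slow KDF with its own random salt, so every guess now costs
    # PBKDF2_ITERATIONS HMAC rounds on top of the two MD5s.
    kdf_salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", legacy_hex.encode(), kdf_salt,
                             PBKDF2_ITERATIONS)
    return "$".join(["wrapped", str(PBKDF2_ITERATIONS),
                     legacy_salt.encode("utf-8").hex(), kdf_salt.hex(), dk.hex()])


def verify_wrapped(password: str, record: str) -> bool:
    parts = record.split("$")
    if len(parts) != 5 or parts[0] != "wrapped":
        return False
    _, iters, legacy_salt_hex, kdf_salt_hex, dk_hex = parts
    legacy_salt = bytes.fromhex(legacy_salt_hex).decode("utf-8")
    legacy = vb_legacy_hash(password, legacy_salt)
    dk = hashlib.pbkdf2_hmac("sha256", legacy.encode(),
                             bytes.fromhex(kdf_salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


if __name__ == "__main__":
    # Constructed sample values.
    a = vb_legacy_hash("hunter2", "abc")
    b = vb_legacy_hash("hunter2", "xyz")
    print("same password, different salt, different digest:", a != b)
    print("outer MD5 blocks with a 3-char salt:", md5_blocks(32 + 3))
    print("8 chars of [a-z0-9] at 1e11 MD5/s: %.0f s" % exhaust_seconds(36, 8, 1e11))
    record = wrap_legacy(a, "abc")
    print("wrapped record verifies:", verify_wrapped("hunter2", record))
```

The salt stops one precomputed table from serving every account, but it does nothing about the per-guess cost, which is why the wrap step matters for digests already in the database.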

In any case, users who inadvisedly choose the same password for vBulletin as elsewhere also need to change their password at the second location – this time to something different from anything they use elsewhere.


The disclosure of a breach at vBulletin comes a week after forum site MacRumors (which runs on vBulletin) was hacked, exposing the credentials of more than 860,000 users. In a statement acknowledging the compromise, MacRumors apologised for the breach and advised commentards to change up their passwords.

The attacks against MacRumors and vBulletin may be linked.

A hacking group called Inj3ct0r Team claimed responsibility for both the MacRumors and vBulletin attacks before offering to sell the vulnerability exploit used – supposedly targeting an unpatched security hole in multiple versions of vBulletin’s server software – for $700 a pop through various exploit marketplaces, The Hacker News reports.

The quality and provenance of the goods on sale remains unclear, but even the possibility that the sale could lead to widespread attacks against online forums has given some site admins the jitters. Hacking conference DEF CON, for one, has suspended its forums as a precaution, pending the availability of a suitable patch; a move it is making out of an abundance of caution and during its quiet season, months before its annual hacker jamboree in Las Vegas.

For now all that’s available on the security con’s forum is a line drawing of a “super-shark-fin sad cat”, DEF CON’s riff on Twitter’s fail whale. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/18/vbulletin_hacked/

Smart Payment Association (SPA) Sets Out Biometric Payment Card Proposals

Munich, 18th November 2013 – Tackling fraud and extending banking services to previously underserved populations are just some of the benefits Lorenzo Gaston, Technical Director of the Smart Payment Association (SPA) will highlight when he takes the stage on Thursday 21st November 2013 at www.cartes.com to explain why the Time is Now for Biometrics in Financial Services.

The introduction of biometric cardholder verification represents an important step forward for the finance industry, opening the way to eliminating fraud for issuers and cardholders, reducing costs, and providing the additional security and identity verification required to support remote or cross-border transactions.

Gaston will review how today’s proven biometric technologies deliver the security, privacy and performance the financial services industry needs, setting out the SPA position on how biometric Match-on-Card authentication delivers definitive advantages in terms of security and data privacy.

Andreas Strobel, President, SPA said: “The introduction of biometrics authentication would deliver significant benefits in terms of tackling card payment fraud, extending cardholder verification through the introduction of an additional validation factor.

Adding biometric functionality to an EMV card has the potential to facilitate access to financial services for previously hard to reach populations and opens the way to provisioning a range of services that require a legally accepted digital signature – from subscribing to a new financial service through to proceeding with a mobile commerce transaction or the download and transfer of electronic money.”

Lorenzo Gaston will present the SPA position on biometric cardholder authentication on 21 November at 12.30, during the Biometrics: Privacy and Security Concerns conference track of CARTES 2013.

In support of CARTES activity, the SPA is announcing the availability of a whitepaper on Biometrics for Payment Applications which sets out the SPA vision on financial match-on-card payment and provides a framework of the guiding principles, specifications and best practices required to underpin the expansion of biometrics into financial applications.

Download paper at www.smartpaymentassociation.com.

-Ends –

Note to Editors:

About Smart Payment Association (SPA)

The Smart Payment Association (SPA) addresses the challenges of the evolving payment ecosystem, offering leadership and expert guidance to help its members and their financial institution customers realize the opportunities of smart, secure and personalised payment systems services both now and for the future.

For more information on the SPA, visit our website: www.smartpaymentassociation.com or contact us by email: [email protected].

Article source: http://www.darkreading.com/intrusion-prevention/smart-payment-association-spa-sets-out-b/240164041

iOS Mobile Point-of-Sale Fail

Turns out some of those hip iPod and iPad point-of-sale systems popping up at retailers and restaurants are not so hip at protecting payment card information.

Mike Park, managing consultant at Trustwave, says he and his team within 10 minutes of a penetration-testing engagement were able to pull credit card numbers off one of the iPod-based devices at a major retailer client after jailbreaking the device. The retailer was handling card data encryption in the software, Park says, which was “a terribly bad idea.”

That pen-test nearly two years ago was an eye-opener for Park, who since then has conducted several other mobile PoS engagements with other major retail clients with similar results. “A lot of retailers are moving to ‘i’ devices because they want to look trendy, hip, and be a cool retail location. They don’t want those bulky mobile PoS devices—they want the cool Apple devices,” he says. “The problem really is that it increases the attack surface,” and they don’t realize it, he says.

And that problem is underscored by how big a target retailers have become for hackers: Trustwave in its recent global threats report said that 47 percent of the breaches it investigated were in retail, and 24 percent in food and beverage.

Park will present the results of his research in iOS mobile PoS systems on Thursday at AppSec USA in New York City.

The retailer Park pen-tested with the iPods eventually switched over to hardware encryption once it became available, Park says, because when the company first wrote their app, that was not available.

In a recent retail customer engagement, Park discovered that the company wasn’t encrypting card data at all. “I was just shocked that they had gotten it so completely wrong. Their card reader was able to encrypt, but they were not doing it. And they accepted [card data] through the UI [user interface], which provides a lot of opportunities for the bad guy,” he says.

The retailer relied on the assumption that since only its employees had access to the iOS devices, then they were safe from abuse. “They were overlooking the insider attack,” Park says. Not to mention any man-in-the-middle attacks from the outside that could sniff information, he says.

More retailers are looking at iOS-based PoS systems as a modern way to minimize the wait for their customers in long lines around the holidays or special sale days, as well as to portray a more hip image for the stores. It also allows the salesperson to check on inventory via the device. “So the guy who just sold you shoes and several shirts can now [handle the transaction] and pull the receipt off his belt like the rental car guys do today” with their earlier-generation mobile PoS devices, Park says. The customer never has to go wait in a long line and consider scrapping the purchase, for example, he says.

But like many software development projects, security is an afterthought, if at all, in mobile PoS apps.

“Retailers are making some poor choices at the beginning … that are going to allow these kinds of systems to be compromised unless they think from a security perspective,” he says. “The big thing [they are doing wrong] is encryption in software. Regular PoS systems don’t do that — it’s all done in the hardware.”

It would be more difficult for an outside hack of these mobile PoS systems than for an insider, but “not that difficult,” Park says, akin to a TJX-style wireless breach, for instance.

He says he hasn’t seen any breaches exploiting these mobile PoS systems to date. But with large retailers leaving these systems open to internal abuse, it’s only a matter of time. “I want to be the guy waving the red flag,” he says.

Article source: http://www.darkreading.com/vulnerability/ios-mobile-point-of-sale-fail/240164068

Blue Coat Bridges The Gap Between Threat Detection And Incident Containment

SUNNYVALE, Calif., Nov. 18, 2013 – Blue Coat Systems, Inc., the market leader in business assurance technology, today introduced the Blue Coat Content Analysis System with malware analysis to automate advanced threat protection at the Internet gateway. The Content Analysis System blocks known threats and detects and analyzes zero-day and advanced malware, sharing new threat intelligence to continually fortify the network. This allows organizations to bridge the gap between the day-to-day security operations team and the advanced security team that is focused on incident containment and resolution.

Today, enterprises are forced to use ad hoc malware analysis or sandboxing solutions that operate in a silo and cannot share the threat intelligence required to bridge the gap between blocking known threats and detecting and analyzing unknown threats or advanced malware. This gap is made worse because existing technologies fail to help security operations teams maneuver through the stages of the advanced threat lifecycle.

The Blue Coat Content Analysis System addresses this gap by combining whitelisting and malware scanning for known threats with dynamic malware analysis of unknown threats at the gateway. The new system also helps align security operations teams by sharing new threat intelligence locally across the security environment and worldwide through the Blue Coat Global Intelligence Network of 15,000 customers and 75 million users.

“To protect their networks from advanced targeted attacks and zero-day malware, businesses need a systematic approach that aligns security teams on the right strategy, process and action to block the threats they can, detect the ones they can’t and respond to the ones that are already on the network,” said Greg Clark, CEO at Blue Coat Systems. “Our Content Analysis System is a key technology for organizations that want to build an automated defense into their networks that continually fortifies the network by operationalizing new threat intelligence. This allows our customers to protect and empower their business.”

The Content Analysis System supports up to two leading anti-virus signature databases and provides application whitelisting and dynamic malware analysis. Together, these technologies deliver the following benefits for businesses:

Best-of-Breed Sandboxing: Powered by Norman Shark, a Blue Coat Business Assurance Technology partner, the Blue Coat malware analysis technology – available as an appliance today and via the cloud in the future – combines customizable virtual environments with sandbox emulation for the most comprehensive detection of unknown or advanced malware, including malware that employs evasive detection techniques.

Malware Analysis Orchestration: The Blue Coat Content Analysis System acts as a broker for multiple sandboxing or malware analysis instances, simultaneously sending unknown or suspicious files to both the Blue Coat sandbox as well as third-party sandboxes. By seamlessly integrating into existing security infrastructures, the Content Analysis System allows enterprises to optimize their existing investments in sandbox technologies while building out an advanced malware defense in-depth. The system also future proofs customers’ infrastructure via a scalable interface that can incorporate other advanced malware analysis technology via the broker capability.

Threat Intelligence Feedback Loop: New intelligence from the analysis of advanced or unknown malware is shared with Blue Coat ProxySG appliances to automate blocking of newly identified threats at the gateway for a more scalable defense. New intelligence is also shared with the Security Analytics Platform from Solera, a Blue Coat company, which delivers advanced threat profiling and remediation of the full scope of the attack. The network effect of the Blue Coat Global Intelligence Network further automates protection by sharing threat intelligence from 15,000 customers worldwide.

Blue Coat is partnering with Norman Shark to deliver flexible, customizable sandboxing. The malware analysis technology of the Content Analysis System is powered by Norman Shark’s leading IntelliVM and SandBox technologies, giving advanced security teams the ability to analyze any threat type, in any version of any application they choose. This allows security teams to gather intelligence on malware targeting their specific environment and application vulnerabilities in order to more effectively contain and resolve the incident.

“Existing sandboxing technologies cannot effectively replicate real-world environments, leaving organizations with little information that will help them contain or resolve an incident,” said Stein Surlien, CEO at Norman Shark. “The Norman Shark IntelliVM and SandBox technologies solve this problem by delivering customizable environments for more comprehensive and detailed detection of unknown malware.”

“Analysis of unknown and advanced malware is critical intelligence for security teams tasked with containing and resolving the threats that get past traditional preventive defenses. Dynamic, customizable sandboxing can provide an opportunity for organizations to improve their defensive posture and security response capabilities,” said Jon Oltsik with industry analyst firm ESG Global. “When used in conjunction with traditional front-line and advanced defenses, this enhancement can certainly improve an organization’s ability to defend against advanced persistent threats and targeted attacks.”

The Content Analysis System with malware analysis is a key component of the Blue Coat Advanced Threat Protection solution, which is purpose-built to bridge the gap in security organizations between day-to-day operations, incident containment and resolution. The new solution is the first to deliver a comprehensive Advanced Threat Protection lifecycle defense that fortifies the network by blocking known threats, proactively detecting unknown and already-present malware and automating post-intrusion incident containment. Please see today’s release titled, “Blue Coat Empowers Business with New Advanced Threat Protection Solution” for additional information. To learn more, please visit the Blue Coat Advanced Threat Protection Resource Center.

Availability

The Blue Coat Content Analysis System will be available in December with application whitelisting and support for anti-malware signature databases from leading anti-virus vendors. The malware analysis technology will be available as an appliance at the same time and via the cloud in the future.

About Blue Coat Systems

Blue Coat empowers enterprises to safely and quickly choose the best applications, services, devices, data sources, and content the world has to offer, so they can create, communicate, collaborate, innovate, execute, compete and win in their markets. For additional information, please visit www.bluecoat.com.

Article source: http://www.darkreading.com/perimeter/blue-coat-bridges-the-gap-between-threat/240164070

CertiVox Launches M-Pin Upgrade To Stem The Flow Of Lost Usernames And Password

London, UK – EMBARGOED – November 14, 2013 – CertiVox, a leading provider of authentication and encryption software and services, today announces a mobile enhancement to M-Pin, allowing users to log into services on a PC using their own smartphone, eliminating security concerns around using different PCs. With over 93 million identities reportedly lost in 2012[1] alone by high profile organisations, M-Pin provides strong multi-factor authentication which is designed to replace the vulnerable username and password login system for digital services.

M-Pin is based on strong elliptic curve cryptography and delivers multi-factor authentication for websites, enterprise and mobile applications, using HTML5 web apps, meaning no browser plug-ins or software is required. The M-Pin platform removes the need for username/password combinations, often the target of choice for hackers, instead giving the end user a four digit PIN to enter for access to content and services. The M-Pin mobile client also alleviates concerns about accessing services from a PC not under a user’s control, by allowing login through the users’ smartphone.

M-Pin is able to eliminate usernames and passwords as an authentication mechanism entirely, and removes the largest cyber-security threat, the password database. Authentication is performed between the M-Pin Client and the M-Pin Authentication Server using the M-Pin Protocol, a zero knowledge proof construct. The result is that the M-Pin server has just one leakproof cryptographic key, which if compromised or stolen reveals nothing about users in an enterprise or your web application. In addition, M-Pin operates on a principle of distributed trust, whereby the root key generators are split between CertiVox’s servers and those belonging to the client, meaning that any attack would have to compromise both of these systems to have any chance of being successful.

Brian Spector, CEO, CertiVox comments, “The response of many companies to the increasing threat to usernames and passwords is to add additional layers of security. However these measures often frustrate users as they diminish the ease of use and experience of some services, and they do not solve the problem. The inherent problems with storing such complete information on one server and the fact that many users tend to use the same password across multiple online accounts also shows that it is time for companies to move beyond username and passwords. M-Pin offers an advanced, easy-to-use and cost effective solution to this problem, eliminating the inherent vulnerability – the username and password database.”

Eckhard Freund, Manager Infrastructure Europe at Dematic, a global logistics and materials handling company, made the following comments on their selection of M-Pin: “We chose M-Pin as part of our initiative to bring VPN and network services within our organisation, as we were impressed by the reinforced security that we are afforded by the product. We found M-Pin easy to deploy and work into our redesigned system architecture, and due to the success of the project we are considering extending M-Pin to cover our customer portal.”

About CertiVox

CertiVox was founded in 2008 based on one simple belief: that every business, enterprise, organization and individual has the right to secure their information simply and easily. Delivering on that belief has enabled us to build a customer base across many industries – government, legal, financial and cloud orchestration – that also includes some of the biggest names in the world. Organizations such as BAE Systems, Hitachi, Intel, Panasonic, Toyota, PKWARE and Parallels have put their trust in CertiVox to help secure their systems.

CertiVox’s proven expertise in both encryption and authentication means we are the only company in the global market today that can arm businesses and individuals with easy-to-use, certificateless security solutions for all things Internet. CertiVox is headquartered in London, UK with offices in Dublin, Ireland and Sofia, Bulgaria.

For more information, visit www.certivox.com

Article source: http://www.darkreading.com/authentication/certivox-launches-m-pin-upgrade-to-stem/240164071

SecureAuth Adds Push Notification And Full Radius Support To Version 7.3

IRVINE, Calif., Nov. 18, 2013 – SecureAuth, a leading provider of 2-Factor Access Control, released SecureAuth IdP 7.3 that now includes PUSH Notification and Social Identities to be used for authentication, as well as more extensive application integration support to deliver a more user-friendly approach to two-factor authentication and single sign-on for mobile applications and devices, cloud, and on-premise corporate resources.

“SecureAuth IdP 7.3 further advances our position as the world’s only 2-Factor Identity Provider for enterprises,” comments Garret Grajek, Chief Technical Officer, SecureAuth. “Our improved authentication, including PUSH Notification and the extension of OATH Tokens for all mobile devices, is coupled with full RADIUS support and OAuth 2.0 support for mobile and Social IDs. In addition, SecureAuth IdP 7.3 introduces GUI-driven wizards, which lowers integration times to only minutes.”

SecureAuth IdP 7.3 provides the following new benefits:

PUSH Notification is an unobtrusive authentication mechanism that also uniquely asserts users to applications via SSO and is managed internally by the enterprise.

Mobile OATH Token support for any iOS, Android, Windows, or Blackberry mobile device.

Full RADIUS support to deliver more accessible resources.

OAuth 2.0 support for increased mobile convenience and the utilization of Social IDs for authentication.

New configuration wizard that takes administrators through the installation process step-by-step and is completed in minutes.

Grajek further remarks, “SecureAuth IdP truly provides to the enterprise authentication/SSO mechanisms for all access requirements, including mobile, cloud, web, and network resources.”

To learn more about the latest SecureAuth IdP technologies, visit www.secureauth.com.

About SecureAuth

Located in Irvine, California, SecureAuth is a technology leader providing 2-Factor Access Control to mobile, cloud, web, and network resources, serving over 10 million users worldwide. The SecureAuth IdP all-in-one, completely scalable solution manages and enforces access based on existing user entitlements. For the latest insight on enterprise security, follow the SecureAuth Blog, follow @SecureAuth on Twitter, or visit www.secureauth.com for additional information.

Article source: http://www.darkreading.com/mobile/secureauth-adds-push-notification-and-fu/240164072