STE WILLIAMS

Quick guide to disaster recovery in the cloud

State-sponsored hackers are looking less like traditional hacking crews and more like military units as they share infrastructure and adopt strict hierarchies, according to new research.

Infosec firm FireEye has identified links between 11 APT campaigns, including use of the same malware tools, shared code, binaries with the same timestamps, and signed binaries with the same digital certificates.

The 11 APT campaigns targeted a wide swath of industries and appeared unrelated at first, until cyber-sleuths uncovered digital evidence linking the attacks.

The shared development and logistics operation used to support several APT actors in distinct but overlapping campaigns points to the role of a “digital quartermaster”. The role of this cyber organiser is different from that occupied by exploit brokers (firms and/or individuals who discovered or re-sell security vulnerabilities and exploits), according to FireEye.

“The main difference between the quartermaster that we identified and exploit-brokers is that we have no evidence to show the quartermaster also develops exploits for known or unknown vulnerabilities,” Ned Moran, a senior malware researcher from FireEye, told El Reg. “We know that the quartermaster develops custom remote access tools but we do not know if they also develop and supply operators with exploits.”

The emergence of a common development and logistics centre means that attackers are adopting an industrialised approach to cyber-spying, something that defenders of trade secrets and other digital assets are facing more organised and capable adversaries.

The mission of the digital quartermaster is to supply and maintain malware tools and weapons to support cyber espionage. The digital quartermaster also might be a cyber arms dealer, a common supplier of tools used to conduct attacks and establish footholds in targeted systems. However, common features in the campaigns tied together by FireEye suggest it’s more likely we’re dealing with someone who works exclusively with Chinese hacking groups, rather than the hi-tech equivalent of an arms dealer prepared to supply all and sundry.

“Based on the Chinese language user interface of the 9002 Builder, the tool used to build the 9002 remote access Trojans, we believe the digital quartermaster spoke or read Chinese,” Moran told El Reg. “It is also possible that the operators of the 11 different campaigns also spoke or read Chinese.”

FireEye’s report revealing the emergence of malware cyber arms dealer, entitled Supply Chain Analysis: From Quartermaster to Sunshop, can be found here (PDF). The main findings of the study are summarised in a blog post here. ®

5 ways to reduce advertising network latency

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/14/apt_digital_quartermaster/

Quick guide to disaster recovery in the cloud

Facebook is using a list of hacked Adobe accounts posted by the miscreants themselves to warn its own customers about password reuse.

The social network mined data leaked as the result of the recent breach at Adobe in an effort to provide timely warnings and prompt its users to secure their accounts. Facebook users who used the same email and password combinations on Adobe are required to both change their password and answer additional security questions, investigative reporter Brian Krebs reports.

A screenshot of the warning can be found here.

Facebook spokesman Jay Nancarrow told Krebs that the social network has responded in a similar manner to other high-profile breaches. “We actively look for situations where the accounts of people who use Facebook could be at risk – even if the threat is external to our service,” Nancarrow explained.

Facebook representative Chris Long explained the process to El Reg.

“I work at Facebook on the security team that helped protect the accounts affected by the Adobe breach,” Long explained in an email. “Brian’s comment above is essentially spot on. We used the plaintext passwords that had already been worked out by researchers. We took those recovered plaintext passwords and ran them through the same code that we use to check your password at login time.

“Like Brian’s story indicates, we’re proactive about finding sources of compromised passwords on the internet. Through practice, we’ve become more efficient and effective at protecting accounts with credentials that have been leaked, and we use an automated process for securing those accounts.”

Anatomy of a car wreck

It’s well known in the information security world that password re-use is rife and a major problem because any breach at one online service provider potentially exposes accounts held by the same people at other service providers. It’s child play for crooks to try leaked credentials on other (possibly more sensitive sites). Facebook is not saying how many of its users are getting the login credentials re-use warning.

Adobe original said hackers had stolen nearly three million customer credit card records, as well as undetermined volume of user accounts login credentials. The software firm later admitted that the encrypted account data of 38 million users had leaked.

But when a dump of the offending customer database appeared online it contained not online just 38 million, but 150 million credentials. Leaked information includes internal ID, user name, email, encrypted password and password hints.

That alone would be bad enough but Adobe compounded the problem by failing to follow industry best practices about only stored passwords credentials as properly salted hashes.

In particular, Adobe erred in using a single encryption key to encrypt user credentials, as explained in some depth by security veteran Paul Ducklin in a post on Sophos’s Naked Security blog. Security researchers have figured out a substantial proportion of the leaked user passwords using a variety of inferences, such as leaked data from other large password breaches.

For example, security researcher Jeremi Gosney of the Stricture Group came across the purloined passwords on one of several online dumps before analysing them to see which passwords are most-used by Adobe customers.

The resulting list of the top 100 most commonly used passwords in the Adobe dump is full of FAIL. “123456” and (of course) “password” are in the top three of the rest are hardly any better.

Gosney worked out that a whopping 1.9 million of Adobe’s customers use the string “123456” as their password. We can only hope that the majority of such users didn’t reuse these passwords elsewhere on more sensitive sites, such as e-banking, social networking and webmail. It could be that some people who didn’t really care about their Adobe account were more careful elsewhere. ®

5 ways to reduce advertising network latency

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/14/facebook_adobe_password_leak_warning/

Despite a high rate of concern about online threats, most consumers still do not pay much attention to their privacy settings in social media, and few have had any online security training, according to a study released Wednesday.

According to a Harris Interactive survey of more than 2,000 adults sponsored by security vendor ESET, consumers still have a lot of privacy learning to do.

More than half of consumers have not read the most recent privacy policy for their social media accounts, the survey says. About 20% of consumers have never made any changes to the default privacy settings in their social media accounts.

“This finding is worrying because of the very ‘open’ nature of most default social media settings, sometimes set by the social network operator to permit the widest possible use of your information,” ESET says in a blog about the study. “It is hard to think that everyone who leaves the default settings in place is aware of the implications.”

Only 27% of respondents has received any formal training in online security or privacy, according to the poll. “Given the level of threat activity reported to us, that 27% is a scary number,” ESET says.

And the lack of security savvy is resulting in system compromises, according to the study. Some 28% of consumers said they have had at least one social media account hacked. More than 20% said they had encountered malware or links to malware on social networks. Ninety-one percent said they have received a suspicious electronic message in the last year — about a third of consumers said they had seen a suspicious message in their social networks.

“In light of these numbers, it is not surprising that 86% of U.S. adults expressed concern about viruses and/or hackers when visiting their favorite websites,” the blog says. “Sadly, only 35% of people felt that websites do a good job of screening or filtering out malicious code.”

Have a comment on this story? Please click “Add a Comment” below. If you’d like to contact Dark Reading’s editors directly, send us a message.

Article source: http://www.darkreading.com/vulnerability/study-many-consumers-still-untrained-on/240163917

A US court has turned the tables on child abusers who use technology to share images of the abuse.

Specifically, a federal district judge in the US state of Vermont on Friday ruled that putting data up on a peer-to-peer (P2P) file-sharing network means you’ve made it publicly available and can’t then turn around and claim it was private.

The case involves three men charged with possessing child pornography who had filed a motion to suppress the evidence collected from their computer systems, saying that the files were private and the searches violated their Fourth Amendment rights against unreasonable search.

As Computerworld’s Jaikumar Vijayan reports, District Court Judge Christina Reiss wrote in a decision released on Friday that the defendants had essentially given up privacy claims by making the data publicly available on the internet over a P2P network.

The three defendants – Derek Thomas, Douglas Neale and Stephan Leikert – had earlier this year asked that the evidence be suppressed, claiming it had been obtained illegally.

The men contended that law enforcement’s use of the automated P2P search tool that collected information on private files held on their computers constituted a warrantless search.

Police used information about the files to obtain probable cause warrants. The defendants were later charged with possession of child pornography.

To collect the information, investigators used a software suite known as the Child Protection System that automatically searches P2P networks for query terms commonly used with child abuse content.

The police didn’t need to access the files, per se.

As Vijayan explains it, if a query-hit message indicated that it had found a file matching the query term, the application recorded the IP address, the files’ hash values, the actual file names, date and time of response, and other computer details.

The hit message identified the files on a particular computer that matched the query terms and were available for download by other users on the same P2P network.

The searches found that the three defendants’ computers contained files with digital signatures that exactly matched files that were known to contain images depicting child abuse.

When rejecting the defendants’ motion to suppress evidence collected in this manner, Judge Reiss noted that the police’s automated search hadn’t opened or downloaded anything.

All the tool did was to point out files that the defendants themselves had made publicly available for download via a P2P network.

She wrote:

The evidence overwhelmingly demonstrates that the only information accessed was made publicly available by the IP address or the software it was using. Accordingly, either intentionally or inadvertently, through the use of peer-to-peer file sharing software, Defendants exposed to the public the information they now claim was private.

The court’s finding that privacy can’t be expected when using a P2P network is nothing new; it only reiterates what many other courts have found, as a search on the legal blog FourthAmendment clearly shows.

The case in question was originally highlighted on the site, which is kept by John Wesley Hall, a criminal defense lawyer.

When I asked him about this finding, he said that it’s “the same as probably 50 other cases.”

He continued:

The only thing that’s surprising to me is that people still raise that issue. It’s a settled issue beyond peradventure as far as I’m concerned.

But while the P2P privacy ruling isn’t ground-breaking, the increasingly sophisticated use of internet technologies to catch child predators is at the very least ground-altering.

As pointed out in a recent University of Massachusetts/Amherst research paper on measuring and analysing child porn on P2P networks, such networks are the most popular mechanism for acquiring and distributing such imagery.

It’s a relief to find that the courts aren’t allowing child predators to hide their P2P tracks behind claims of Fourth Amendment violations.

Likewise, it’s encouraging that researchers are using sophisticated animation technologies to create a predator-detection tool such as Sweetie, the lifelike character used to seed 19 public online chat forums with convincing live-action motion that allowed researchers to identify 1,000 child webcam sex tourists.

Child predators are sophisticated users of technology. It’s enabled them to carry out their abuse to a disheartening degree.

Now, thanks to the use of technologies to ferret them out, and thanks to the courts refusing to let P2P technology be used as a smokescreen, we can hope that the tide is turning.

Follow @LisaVaas

Follow @NakedSecurity

Image of silence courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/64bMHMLH5OI/

While yesterday was Patch Tuesday, Microsoft didn’t just release fixes for security vulnerabilities. It also announced moves to improve the cryptographic integrity of Windows as a platform.

First, Microsoft officially began discontinuing the use of the RC4 cipher. With the introduction of Windows 8.1 and Internet Explorer 11, MS products now default to TLS 1.2 and support for the RC4 cipher has been dropped.

The use of RC4 has been a bit controversial as it has many known weaknesses and calls for its retirement have been discussed for some time.

The problem is stream ciphers like RC4 were one the primary defenses used by many websites against the infamous BEAST and Lucky Thirteen attacks.

Fortunately TLS 1.2 and AES-CGM are not vulnerable to these attacks and can now officially be considered mainstream.

Not running Windows 8.1 with Internet Explorer 11? Google Chrome, Firefox, Safari and Opera also support TLS 1.2.

Microsoft also provides a mechanism to disable the use of RC4 in Windows 7, 8, RT, Server 2008 R2 and Server 2012.

With Microsoft on board, hopefully we can bid goodbye to old versions of SSL and TLS for good.

Microsoft’s second announcement was that beginning on January 1, 2016 Windows will no longer support the use of X.509 certificates issued using the SHA-1 hashing algorithm for SSL and software code signing.

This is a welcome proactive move by Microsoft after having been burned when MD5 certificates were abused through a collision in the Flame malware last year.

MD5 was considered weak for many years, but still supported by Windows because many certificate authorities were lax in updating and still issuing valid MD5 certificates long after they should have.

Microsoft seems to realize its job is to use its dominant market presence to lead, not follow. While SHA-1 is significantly stronger than MD5 was when it was dropped, Microsoft is dropping support before it is abused.

Be sure your certificates are using SHA-2 from here forward and when you renew your certificates make sure your Certificate Authority isn’t setting you up to fail in January 2016.

Follow @chetwisniewski

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/U-CO0xHaBO4/

Disaster recovery protection level self-assessment

Most Internet Engineering Task Force (IETF) debates pass unnoticed, because they’re very dry and detailed. However, a suggestion that the HTTP 2.0 specification might mandate encryption – in a post-Snowden world – is too tasty an idea to go under the radar.

The suggestion sparking the debate came from HTTPbis chair, Mark Nottingham, who put forward a discussion summary in which he suggested some kind of consensus is emerging that HTTP 2.0 should favour https:// to protect users (to some degree) against traffic snooping: “HTTP/2 to only be used with https:// URIs on the “open” Internet. http:// URIs would continue to use HTTP/1 (and of course it would still be possible for older HTTP/1 clients to still interoperate with https:// URIs)”, Nottingham wrote on the IETF HTTP working group list.

Other options he reported from the IETF Vancouver meeting were to use opportunistic encryption for http:// URIs without authenticating the server; or to add server authentication to the opportunistic encryption suggestion.

It’s regrettable that the story has turned into a “W3C wants to encrypt HTTP 2.0 by default”, because what’s more interesting is the strength of feeling that accompanies the debate.

Nottingham’s e-mail sparked two things: headlines giving the “SSL-only” idea a stronger status than it has; and a strong debate on the list about the merits of the proposal.

Since the ongoing debate is a clear indication that Nottingham’s proposal wasn’t any kind of a consensus position, but rather a summary of discussions, The Register would like to focus on how the list seems to see the pros and cons of the idea.

Would “mandatory” SSL make the Internet more secure?

Obviously the starting point is that if it were adopted – that is, HTTP 2.0 sites default to secure sockets layer (SSL) using transport layer security (TLS) as the mechanism, it would only impact HTTP 2.0 servers communicating with HTTP 2.0 browsers. Someone with an older browser landing on an http:// page sees no change.

Microsoft went on the record in the list as preferring to encourage TLS in HTTP 2.0 without making it mandatory; while the Chromium project takes the opposite view, and is planning on supporting HTTP 2.0 only over a secure channel.

The debate highlights the deep concerns those in the know – that is, those actually contributing to IETF discussions – have about the security of TLS, particularly in light of the Snowden-driven belief that man-in-the-middle attacks are widespread.

However, making TLS more secure lives off in a different working group. Clearly, if a “secure channel” implementation were mandated for HTTP 2.0, it can only use those security mechanisms that are available to it.

What might it break?

Once concern cited by the participants in the discussion is simply that a more restrictive specification would inhibit adoption of HTTP 2.0. Microsoft’s Rob Trace summed it up: “we should strongly encourage the use of TLS with HTTP, but not at the expense of creating a standard that is as broadly applicable as HTTP 1.1”.

In other words, there’s no point in having a “more secure” standard if it ends up being one that nobody uses.

Perhaps thornier is what the proposal would do between browser and server, in the proxies and caches that ISPs use to help manage their traffic. An ISP can only cache a popular story from The Register if the content is in the clear. Encryption makes every piece of content look like unique content.

This one’s got a long way to run … ®

ioControl – hybrid storage performance leadership

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/14/http_20_encryption_proposal_sparks_hot_debate/

Free Regcast : Managing Multi-Vendor Devices with System Centre 2012

Australia’s Federal Police force (AFP) has issued a tender for deep packet inspection (DPI) kit capable of processing data encapsulated by the European Telecommunications Standards Institute’s ETSI 102 232 format for lawfully-intercepted communications.

Why does the AFP need to listen to telecoms intercepts? Aside from the fact its a policing outfit, the Force’s “About” page says “The nature of the AFP and what is required of it, has changed significantly in recent years. The AFP has responded to a rapidly changing environment and this has required a greater focus on national and international operations.”

Some of those international operations are peace-keeping missions in Pacific nations where rule of law has broken down. Others concern terrorism and cyber-crime, matters that would make listening to telecom interceptions from abroad quite useful.

After reading the tender Vulture South is leaning towards the force needing kit capable of listening in on its own networks and processing data from outside sources, based on the following list of requirements the successful tenderer will be required to demonstrate:

• The appliance must analyse flows at 10 Gbps
• The appliance must be able to accept TCP/IP as an input
• The appliance must be able to receive IPv4
• The appliance must be able to receive IPv6
• The appliance must be able to identify services
• The appliance must be able to identify applications (Layer 7)
• It is recommended that the appliance can be expanded to higher speeds
• The appliance should be able to accept a network flow encapsulate as ETSI 102 232 as an input
• The appliance should be able to accept PCAP captures as an input
• The appliance should be able to separate flows based on multiple inputs of MPLS
• The appliance should be able to separate flows based on multiple inputs of VLAN
• The appliance should identify Anti-Virus
• The appliance should identify Malware
• The appliance should identify Communication Applications
• The appliance should identify Mobile Applications
• The appliance should extract and store metadata
• The appliance should de-capsulate tunnelling protocols
• The appliance should detect different types of encryption
• The appliance should filter based on keywords
• The appliance should filter based on protocols
• The appliance should filter based on applications
• The appliance should filter based on IP lists
• The appliance should filter traffic based on port lists

The tender also calls for the chosen appliance to possess the ability to create logs and to log filtered data, plus a requirement “not drop packets, both malformed or corrupt”.

Over to you, readers. Is the AFP rolling its own PRISM or just taking care of business? The tender is here if you want to read more for yourself. ®

Quick guide to disaster recovery in the cloud

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/14/australian_federal_police_seeks_deep_packet_inspection_kit/

Quick guide to disaster recovery in the cloud

Researchers attending the PacSec 2013 security conference in Japan have won nearly $70,000 after demonstrating how to compromise iPhones and a Samsung Galaxy S4 running Android in a mobile version of the legendary Pwn2Own hacking contest.

A Japanese team from Mitsui Bussan Secure Directions earned $40,000 after showing how they could steal sensitive data from a Samsung Galaxy S4 and install attack code using flaws in software that is factory installed on the device. The attack method required the user to go onto a specially constructed website, but other than that required no user interaction.

“The implications for this exploit are worrisome. While you may be reticent to click on links (heeding the commonly-given, if somewhat ridiculous advice to ‘click carefully’) it is unlikely that you assess risk and use caution the same way on your mobile devices as you do on your desktop,” blogged Heather Goudey, senior security content developer at HP, which co-sponsors the contest.

Meanwhile, an eight-person team from Keen Cloud Tech in China showed how to exploit a vulnerability in iOS version 7.0.3 to steal Facebook login credentials and a photo from a device running iOS 6.1.4, earning them $27,500 in prize money. The attack didn’t defeat Apple’s sandboxing technology; otherwise they would have earned a lot more.

Here’s the attack in action:

Youtube Video

In both cases the Apple hack would have required the user to click on a specific link, but that’s not tough to do with the right social-engineering techniques. It’s the first time a Chinese team has won Pwn2Own and their attack took less than five minutes to complete.

The Pwn2Own team has contacted all the manufacturers concerned about the hole and fixes should be coming down the line shortly, since all team members are required to give a detailed description of how their attacks worked and any code used.

The original Pwn2Own contest started as an event at the annual CanSecWest security conflab held in Vancouver each March. That was originally aimed at desktop systems but has moved into the mobile arena as the use and power of smartphones has grown.

In the current competition there’s still another $100,000 up for grabs if a team can successfully crack the baseband electronics of a smartphone behind its communications. Teams are already flexing their fingers and optimizing their code for that task and results are expected on Thursday. ®

5 ways to reduce advertising network latency

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/11/14/pwn2own_crackers_leave_ios_and_samsung_handsets_wide_open/

Copenhagen, Denmark – November 13, 2013 – Secunia, a leading provider of IT security solutions that enable businesses and private individuals to manage and control vulnerability threats, today launched the Secunia Partner Program to further enhance the company’s presence across EMEA. Thorough training and certifications will enable the distribution channel to position Secunia’s unique patch management solution with resellers in a number of countries.

Secunia is a market leader in the vulnerability management and patch management space worldwide and a highly respected provider of IT security for enterprises and government agencies worldwide.

Since it was founded in 2002, Secunia’s go-to-market strategy has been direct sales by dedicated teams working out of the company headquarters in Copenhagen, supplemented by a few partners in key areas such as the UK and Middle East. In January 2013, a US subsidiary was opened in Minneapolis staffed by sales and support teams, to cater to the North American market. Riding on the success of the US expansion, Secunia is now ready to push more aggressively into Europe, the Middle East and Asia-Pacific.

“I am confident that the channel approach is right for Secunia, in our efforts to better reach customers in EMEA and APAC. We have reached the point where we must establish a local presence if we wish to increase our market shares in those markets,” said Secunia CEO Peter Colsted, about the shift to a channel approach. Mr. Colsted was appointed CEO of Secunia in July 2013, and has since then been preparing the new go-to-market strategy.

Introducing the Secunia Partners

Secunia has already signed agreements with distribution partners in 9 different countries. The distribution partners are responsible for the regional fulfillment of the Partner Program, which features three levels of membership: Bronze Registered, Silver Certified and Gold Certified.

“Through careful selection and thorough training and certifications, we are building a network of dedicated distribution partners and resellers, who will be able to position Secunia’s security products locally. The vulnerability intelligence and third-party patch management space is complex. Therefore, partners representing Secunia to organizations who are looking to invest in vulnerability solutions, receive intensive training, in order to provide the end-users – IT security and operations teams – with the right level of information and support,” explained Peter Colsted.

Distribution Partners signed are:

UK: Alpha Gen; Germany: ADN; Austria: AOS; APAC: EMT APAC; Middle East: EMT ME; Poland: EDR; Hungary: Biztributor; Romania: Romsym; Italy: Computerlinks. Nordics: Infinigate.

Secunia combines vulnerability intelligence and patch management

Secunia is a highly respected provider of IT security for enterprises and government agencies worldwide, including Fortune 500 and Global 2000 businesses

Secunia’s flagship solution, the Secunia Corporate Software Inspector (Secunia CSI) provides a unique combination of vulnerability intelligence, vulnerability scanning, patch creation and patch deployment integration. Secunia does so by merging in-house vulnerability expertise and research with sophisticated patch management technology. The Secunia CSI provides an extensive patch catalogue, covering more than 300 products, seamless integration with Microsoft’s System Center 2012 Configuration Manager and WSUS, and is flexible and scalable to suit the requirements of most organizations.

Secunia memberships:

ISF, EDUcause, FIRST, The Open Group, FS-ISAC, Microsoft Technology Partner and System Center Alliance Member.

More information:

For more information, please visit secunia.com

For information about the Partner Program, visit secunia.com/partner

Read CEO Peter Colsted’s blog post about the channel strategy

About Secunia

Founded in 2002, Secunia is a leading provider of IT security solutions that help businesses and private individuals globally manage and control vulnerability threats, risks across their networks, and end-points. This is enabled by Secunia’s award-winning Vulnerability Intelligence, Vulnerability Assessment, and Patch Management solutions that ensure optimal and cost-effective protection of critical information assets.

Secunia plays an important role in the IT security ecosystem, and is the preferred supplier for enterprises and government agencies worldwide, counting Fortune 500 and Global 2000 businesses among its customer base. Secunia is headquartered in Copenhagen, Denmark.

Article source: http://www.darkreading.com/management/secunia-ceo-launches-new-channel-strateg/240163900

ORLANDO, November 13, 2013 – iScan Online, pioneers of BYOD security scanning from the cloud to any device, anytime, anywhere, today announced an updated and enhanced suite of security scanning services, including the following:

• The availability of iScan Online Mobile for iOS;

• Major updates to its Android security scanning app; and

• The availability of Software Development Kit (SDK) for organizations that wish to embed mobile security scanning into their applications.

These initiatives build on iScan Online’s previous capability of scanning Android, Windows and Mac devices, which give administrators insight and confidence regarding all of the devices that have access to their organizations’ networks, applications and data.

The announcement was made as the IT Nation Conference gets underway in Orlando, Fla. iScan Online has partnered with McAfee and Intel, and will be promoting free security scanning during the conference at the McAfee Intel booth #502 November 13-15th.

“Most smartphone and tablet users are unaware that their devices contain vulnerabilities, sometimes direct from the factory,” said Carl Banzhof, CEO of iScan Online. “With the latest release of our mobile technology our goal is to help educate the market by providing free self service vulnerability scanning and remediation guidance.”

iScan Online Mobile for iOS – This app provides security scanning for iPhone and iPad smartphones and tablets by leveraging the power of the cloud and a native mobile app. iScan Online Mobile for iOS can provide rich detailed analysis and reporting of vulnerabilities, configuration issues and data discovery on Apple iOS devices.

iScan Online for Android – iScan Online has enhanced this app, rated 4.8 stars by users on Google Play, to improve the user interface. It is now easier to use and provides the user with more detailed information about security scanning results and step-by-step instructions for remediating vulnerabilities discovered during the security scan.

Software Development Kit (SDK) – Organizations that wish to embed mobile security scanning into their applications now can do so using the iScan Online SDK. This offering is primarily for developers of banking and financial applications interested in adding enhanced security and protection to their apps.

“As a developer of mobile technology we are keenly aware of the risks that can be found on users mobile devices,” said Andrew Levi, CTO and Founder Blue Calypso, Inc. (OTCBB:BCYP). “We believe that the iScan Online Mobile technology is a unique and innovative approach to helping users, companies and service providers address the growing security concerns raised by mobile devices and BYOD.”

Prior to iScan Online, ensuring BYOD devices were secure had been a near impossible task. While servers and desktops are relatively static, today’s organizations are comprised of transient users in many locations, using a plethora of devices and resources. These devices make up the “dark matter” of today’s networks. Managing these devices, and gaining visibility for regulatory compliance such as PCI and HIPAA, are all required tasks, but difficult to accomplish. In addition, scanning for traditional vulnerabilities or for specific data, such as unencrypted credit card data (PAN) and social security numbers, has never been addressed for mobile devices.

Users can download the iScan Online mobile app for free from iTunes or the Google Play Store and scan their device for operating system and application vulnerabilities without registration. An iScan Online subscription is required for full functionality including data discovery, compliance and MDM features.

The iScan Online solution is designed to scan thousands of devices simultaneously. Results are sent securely to the cloud where iScan Online can deliver per device scan results as well as organization-wide reporting through the iScan Cloud Console. Pricing is based on a per device model which includes the iScan Cloud Console.

Availability

iScan Online Mobile for iOS is available from the iTunes App Store.

https://itunes.apple.com/us/app/iscan-online-mobile/id658461644?mt=8uo=4

iScan Online Mobile for Android is available from the Google Play Store.

https://play.google.com/store/apps/details?id=com.iscanonline.iscanandroid

SDK

For more information on SDK licensing opportunities contact iScan Online Sales: [email protected], 214.276.1150.

Users can sign up for a 14 day iScan Online trial account by visiting https://www.iscanonline.com/page/buynav

About iScan Online

iScan Online is pioneering the use of opportunistic scanning on any device, anytime, anywhere. iScan Online scans for vulnerabilities, regulatory compliance and data discovery on Mac, Windows and Mobile devices. Based in Dallas, iScan Online is available via its website and through iScan Online partners. For more information and a free trial scan visit http://www.iscanonline.com.

If you would like more information about this topic, please contact Dan Keeney at 214.432.7556 or email at [email protected]

Article source: http://www.darkreading.com/mobile/iscan-online-announces-free-mobile-secur/240163901