STE WILLIAMS

Security essentials: What is two-factor authentication?

This October is National Cyber Security Awareness Month (NCSAM).

So I thought I would write my inaugural Naked Security article on a topic near and dear to my heart: two-factor authentication.

What is two-factor authentication?

It is an authentication process in which two of the three recognized factors must be presented before a user is accepted:

  • Something you know – usually a password, passcode, passphrase or PIN.
  • Something you have – a cryptographic smartcard or token, a chip-enabled bank card, or an RSA SecurID-style token with rotating digits.
  • Something you are – fingerprints, iris patterns, voice prints, or similar.

Two-factor authentication works by demanding that two of these three factors be correctly entered before granting access to a system or website.

So if someone manages to get hold of your password (something you know), they still will not be able to access your account unless they can provide one of the other two factors (something you have or something you are).

For example, at Sophos we use secure tokens with rotating six-digit codes to remotely access internal systems. Every time I want to establish a VPN session, I need to provide my username, a password and the six-digit code appended to a PIN.

At home I use similar methods to access many online and personal resources. In the last year, many social media sites, including Facebook, Twitter and LinkedIn, have added some sort of two-factor authentication.

Many of these sites employ SMS code verification. This is where, in addition to correctly entering your password (something you know), you must also correctly enter a numeric passcode sent to your mobile phone via SMS (something you have).

Patchy mobile coverage and the unreliability of SMS delivery can make this awkward, however.

Some services let you use an authenticator app alongside your password. The app presents a different numeric one-time password (OTP) for each service you register with it; each code is derived from a secret shared with the service at enrollment plus the current time, so generating it needs no network connection. Both Google and Microsoft make such apps freely available in their respective app stores.

Authenticator apps can be great for signing into sites like Google, Facebook and Twitter even when your phone does not have service (mobile or otherwise). As a matter of fact, I used this very method to log in to WordPress in order to publish this article.

Google’s authenticator app can also be used to provide additional security with Secure Shell (SSH) connections.

Things can still go wrong though. There is Android malware in the wild that is specifically designed to steal your SMS verification codes in an attempt to thwart 2FA. This is one reason why a good Android security app, like Sophos Antivirus and Security, is a must.

So, should you use two-factor authentication?

In my opinion, the answer is an emphatic YES! Two-factor authentication is not a silver bullet but it does dramatically increase your security by making it much harder for your accounts to be compromised.

Unfortunately, two-factor authentication is not available everywhere but it is used by many of the most popular sites and services on the internet. Hopefully the ease of use and increased security provided by two-factor authentication will compel the rest to follow suit.

If you’d like to learn more about two-factor authentication, have a listen to this short podcast which explains two-factor authentication in more detail:

(15 April 2013, duration 16’25”, size 9.9MBytes)

And if you’re interested in reading other stories related to National Cyber Security Awareness Month, read the 3 essential security tasks you can do for your family today, 10 tips for securing your smartphone and our 10 topical security tales.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/POZl8hUUYwk/

Google to award bounties for fixing non-Google open source code


Google is expanding its bug bounty program to include awards for patches that make material security improvements to open source software – even when the software isn’t directly maintained by Google itself.

The Chocolate Factory has been rewarding developers for security fixes to its own software since 2010, when it kicked off its bounty program for the Chrome web browser. Now the company says it will also shell out cash to developers who submit fixes to select non-Google software.


To qualify for the program, developers must produce “down-to-earth, proactive improvements that go beyond merely fixing a known security bug,” according to a blog post by Google security team member Michal Zalewski on Wednesday.

Initially, the bounty program applies only to a select group of open source projects, such as the OpenSSL library, OpenSSH, the BIND DNS server, and security-critical components of the Linux kernel, to name a few.

After an initial trial period, it will be expanded to include even more projects, including such popular packages as the Apache webserver, the Sendmail, Postfix, and Exim email servers, and the GNU software development tools.

Zalewski said Google chose this selective approach because it believes it will be more productive than offering bug bounties for just any old open source software.

“In addition to valid reports, bug bounties invite a significant volume of spurious traffic – enough to completely overwhelm a small community of volunteers,” he wrote. “On top of this, fixing a problem often requires more effort than finding it.”

Aside from ponying up the cash, Google’s approach will be mostly hands-off. Developers don’t need to clear their fixes with Mountain View before submitting their patches. Instead, they should submit them directly to the maintainers of the projects in question. Once the patches are accepted and the updated code has shipped, they can then email [email protected] with a description of what they did.

“If we think that the submission has a demonstrable, positive impact on the security of the project, you will qualify for a reward ranging from $500 to $3,133.7,” Zalewski writes.

In fact, the online ad giant may choose to cough up even more in cases of “unusually clever or complex submissions” – the actual amount of each award being left to Google’s sole discretion.

Then again, some developers may choose to contribute security patches strictly out of a sense of duty. In these cases, Google says they can opt to donate their bounty awards to charity and it will match their donations. Bounties that haven’t been claimed after 12 months will be donated to a charity of Google’s choice. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/10/google_open_source_bug_bounties/

vBulletin vuln opens backdoor to rogue accounts


The widely used vBulletin forum software has a vulnerability that lets remote attackers create new administrative accounts.

Back in August, users of versions in the 4.1+ and 5+ series were advised to delete the /install/ or /core/install/ directories (depending on version) as a workaround against the bug, but vBulletin did not say what the impact of the problem was.


However, according to this article at Help Net Security, the vulnerability allows admin account injection using vulnerable PHP code.

A user whose site was compromised in September posted an Apache log excerpt that identified the attack source.

The vBulletin attack logs

The attack targets the vulnerable upgrade.php script to inject the rogue administrative user account.

The author of the article, Barry Shteiman of Imperva, notes that the exploit code and technique were found on hacker forums, meaning that the exploit is in the wild.

If the vBulletin user can’t, for some reason, delete the /install/ or /core/install/ directories, Shteiman advises that they implement redirects to block incoming requests trying to hit the upgrade.php file. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/10/vbulletin_vuln_opens_backdoor_to_rogue_accounts/

Internet Explorer Zero-Day Times Two

Turns out the big patch Microsoft issued for Internet Explorer yesterday covered not just one zero-day attack, but another one that had been under way for at least a month.

This second zero-day attack exploited a use-after-free flaw (CVE-2013-3897) and was patched yesterday along with the memory corruption vulnerability that Microsoft had temporarily plugged with an emergency Fix It last month.

Security researchers at Websense, Symantec, and SpiderLabs all are investigating the malware and attacks, which appear to focus specifically on targets in South Korea and Japan. The attacks date back as far as August 23, according to Websense, and are focused on heavy industries and financial firms.

“It was just targeting XP machines, and very specific, looking for Japanese and Korean language packs,” says Alex Watson, director of security research at Websense. Watson says it’s not unusual for targeted attacks on heavy industries to also include attacks on financial firms that might have information on those high-technology and manufacturing companies.

The attacks have all the earmarks of a Chinese cyberespionage campaign, he says.

SpiderLabs, meanwhile, in a blog post yesterday said the attacks appear to have begun in the first half of September 2013, and have Japanese and Korean XP users in the bull’s eye. But the researchers say the attackers are trying to steal user credentials from online gaming applications.

“In short, this payload is responsible for a number of malicious activities. It attempts to disable any security products that may be running on the victim machine, redirects banking sites to a malicious IP address and tries to steal credentials for popular on-line games,” says Daniel Chechik, a SpiderLabs researcher. “The various techniques used indicate that this payload is not meant for any targeted scenario but instead will simply try to target any Korean or Japanese users it stumbles upon.”

Websense’s Watson says while half of the targeted machines Websense spotted in the attack were in the U.S., those appear to be inadvertent, collateral damage. “Those industries and targets didn’t match what the exploit is looking for,” he says.

[A new model of cyberespionage is emerging that relies on cybermercenaries hired to break in, steal information, and then leave — with specific targeted information. See Rise Of The ‘Hit-And-Run’ APT .]

Microsoft’s blanket patch for ten flaws across multiple versions of IE — version 6 through 11 — supersedes the Fix It tool it issued for the IE 8 and IE 9 zero-day attacks (CVE-2013-3893), where an attacker could spread the malware via a drive-by download.

“In my opinion, [the blanket IE update] is a sign of really good software engineering practices,” Watson says. “They are making sure that they maintain as much of the common code base across all versions as possible.”


Article source: http://www.darkreading.com/attacks-breaches/internet-explorer-zero-day-times-two/240162466

Legal Fears Put Mobile Backups In Spotlight

A decade ago, almost no one used online backup services to store their data in the cloud. Yet, as smartphones become ubiquitous, the need to synchronize data among multiple devices has boosted the use of cloud backups and put more personal and business data onto third-party servers.

While centralized storage and administration of data in the cloud is beneficial for users, large stores of data attract unwanted attention as well, and not just from cybercriminals and hackers. With the June revelations of the extent to which the U.S. National Security Agency (NSA) is collecting data on users, more businesses and people are concerned that their data may be accessed by a subpoena or search warrant.

In fact, legal access to such detailed data may be a greater threat than hackers, says Lee Tien, senior staff attorney with the Electronic Frontier Foundation (EFF).

“Our feeling for the major smartphone OSes — we don’t think there is a great threat from the classic bad guys,” Tien says. The companies that maintain the largest collection of online backups, Google and Apple, “tend to have pretty good security practices, but obviously, given what we know about NSA PRISM, we think we have to say that is a completely different story,” he adds.

Today, almost all companies — 94 percent — have worries about employees mixing personal and business data on their mobile devices, according to a survey published by online-backup provider EVault in January. The problem will only get larger, with seven out of every 10 companies expecting the amount of data they manage to increase, the report states.

[Microsoft, Google, Facebook, and other tech firms have downplayed their participation in government spying programs, but U.S. and international companies should worry about access to their data in the cloud. See NSA Data Collection Worrisome For Global Firms.]

At the same time, mobile devices are also more attractive targets because of the variety of data that applications gather and store, says Troy Vennon, director of network-technology provider Juniper. While data from PCs can reveal a user’s online activities, mobile-device data also exposes location, additional images, potential voice recordings, and business files that have been synched with the device.

“A lot of personal data is being gathered into applications where it probably shouldn’t be, and that has the potential to end up in the cloud,” Vennon says.

A minority, but still a significant number, of companies do appear to be worried about the threat of legal access to their data, according to security firms. While the NSA’s access to data may not be a significant issue for U.S. companies, multinational firms have to worry about similar agencies in other countries accessing their data as well.

The extent to which governments have access to online data has caused general unease, says Raghu Kulkarni, CEO of cloud backup service IDrive. The company offers both private-key encrypted backups, where the data is encrypted on the user’s device with a key only the user holds before being sent to the cloud, and the more common data protection service, where the data is encrypted with a key the service manages.

Although IDrive has seen a 25 to 30 percent increase in interest since revelations about the data-collection activities of the NSA were published in June, only about one-third of users opt to use the private-key service.

“There is a trade-off between ease of use and privacy,” Kulkarni says. “If you lose the key, then the data is gone forever. So it always depends on the users’ requirements.”

Companies that want greater control of their data need to either use a backup service that allows private keys or back up their data locally, he says.

Yet the trend in employee-owned devices is also a problem: Most businesses cannot know how much of their data has been backed up along with an employee’s data in the cloud, says Juniper’s Vennon. Companies that want to protect their data on mobile devices will need to gain more control over it using a secure container and mobile device management (MDM) software that can limit where the data can go, he says.

“[Only] some pretty intricate mobile device management, which has been tinkered with in the past but will be used pretty extensively from now on, can keep that data from co-mingling with user data,” Vennon says. “Once you containerize the data, split it into a personal profile and a work profile, then you have the ability to focus those backups.”

Government access to personal data stored in the cloud may remain a digital-rights issue, but because employees continue to use business data on their mobile devices, it’s an issue that businesses will need to watch.


Article source: http://www.darkreading.com/mobile/legal-fears-put-mobile-backups-in-spotli/240162467

Top 15 Indicators Of Compromise

In the quest to detect data breaches more quickly, indicators of compromise can act as important breadcrumbs for security pros watching their IT environments. Unusual activity on the network or odd clues on systems can frequently help organizations spot attacker activity on systems more quickly so that they can either prevent an eventual breach from happening or at least stop it in its earliest stages.

According to the experts, here are some key indicators of compromise to monitor (in no particular order):

1. Unusual Outbound Network Traffic

Perhaps one of the biggest tell-tale signs that something is amiss is when IT spots unusual traffic patterns leaving the network.

“A common misperception is that traffic inside the network is secure,” says Sam Erdheim, senior security strategist for AlgoSec. “Look for suspicious traffic leaving the network. It’s not just about what comes into your network, it’s about outbound traffic as well.”

Given how difficult it is to keep an attacker out of a network in the face of modern attacks, outbound indicators may be much easier to monitor, says Geoff Webb, director of solution strategy for NetIQ.

“So the best approach is to watch for activity within the network and to look for traffic leaving your perimeter,” he says. “Compromised systems will often call home to command and control servers and this traffic may be visible before any real damage is done.”

2. Anomalies in Privileged User Account Activity

The name of the game for a well-orchestrated attack is for attackers to either escalate privileges of accounts they’ve already compromised or to use that compromise to leapfrog into other accounts with higher privileges. Keeping tabs on unusual account behavior from privileged accounts not only watches out for insider attacks, but also account takeover.

“Changes in the behavior of privileged users can indicate that the user account in question is being used by someone else to establish a beachhead in your network,” Webb says. “Watching for changes–such as time of activity, systems accessed, type or volume of information accessed–will provide early indication of a breach.”

3. Geographical Irregularities

Whether through a privileged account or not, geographical irregularities in log-ins and access patterns can provide good evidence that attackers are pulling strings from far away. For example, traffic between countries that a company doesn’t do business with offers reason for pause.

“Connections to countries that a company would normally not be conducting business with [indicates] sensitive data could be siphoned to another country,” says Dodi Glenn, director of security content management for ThreatTrack Security.

Similarly, when one account logs in within a short period of time from different IPs around the world, that’s a good indication of trouble.

“As to data breach clues, one of the most useful bits I’ve found is logs showing an account logging in from multiple IPs in a short time period, particularly when paired with geolocation tagging,” says Benjamin Caudill, principal consultant for Rhino Security. “More often than not, this is a symptom of an attacker using a compromised set of credentials to log into confidential systems.”

4. Other Log-In Red Flags

Log-in irregularities and failures can provide excellent clues of network and system probing by attackers.

“Check for failed logins using user accounts that don’t exist — these often indicate someone is trying to guess a user’s account credentials and gain authorization,” says Scott Pierson, product specialist for Beachhead Solutions, explaining that unusual numbers of failed log-ins for existing accounts should also be a red flag.

Similarly, attempted and successful log-in activity after hours can provide clues that it isn’t really an employee who is accessing data.

“If you see John in accounting logging on to the system after work hours and trying to access files for which he is not authorized, this bears investigation,” says A.N. Ananth, CEO of EventTracker.
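The log-in red flags from items 3 and 4, as an added example that is not code from the article or from any of the vendors quoted: a small Python detector run over a constructed set of authentication events (timestamp, account, source IP, outcome, and the country a geoIP lookup would attach at ingest). It flags one account logging in from several IPs inside a short window, failed logins against accounts that do not exist, and successful logins outside business hours. The 30-minute window, the 08:00-18:59 business-hours range, the account list and the sample events are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events (not real log data):
# (timestamp, username, source IP, outcome, country from geoIP lookup).
SAMPLE_EVENTS = [
    ("2013-10-09 09:02:11", "jsmith", "10.20.1.15",   "ok",   "US"),
    ("2013-10-09 09:14:40", "jsmith", "192.0.2.77",   "ok",   "RO"),
    ("2013-10-09 09:20:05", "jsmith", "198.51.100.7", "ok",   "BR"),
    ("2013-10-09 11:30:00", "mlee",   "10.20.1.22",   "ok",   "US"),
    ("2013-10-09 23:47:13", "mlee",   "10.20.1.22",   "ok",   "US"),
    ("2013-10-09 03:12:52", "admin",  "203.0.113.44", "fail", "CN"),
    ("2013-10-09 03:12:53", "root",   "203.0.113.44", "fail", "CN"),
    ("2013-10-09 03:12:54", "test",   "203.0.113.44", "fail", "CN"),
    ("2013-10-09 03:12:55", "backup", "203.0.113.44", "fail", "CN"),
]
KNOWN_ACCOUNTS = {"jsmith", "mlee", "admin"}   # assumption: the directory's real accounts
BUSINESS_HOURS = range(8, 19)                  # assumption: 08:00-18:59 local time


def parse(events):
    """Turn the raw tuples into (datetime, user, ip, outcome, country)."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, ip, outcome, cc)
            for ts, user, ip, outcome, cc in events]


def multi_ip_logins(events, window=timedelta(minutes=30), min_ips=2):
    """Item 3: one account successfully logging in from `min_ips` or more
    distinct IPs inside `window`. Returns {user: sorted (ip, country) pairs}."""
    by_user = defaultdict(list)
    for ts, user, ip, outcome, cc in events:
        if outcome == "ok":
            by_user[user].append((ts, ip, cc))
    findings = {}
    for user, logins in by_user.items():
        logins.sort()
        for i, (ts, _ip, _cc) in enumerate(logins):
            # every distinct source seen within `window` of this login
            ips = {(ip2, cc2) for ts2, ip2, cc2 in logins[i:] if ts2 - ts <= window}
            if len(ips) >= min_ips:
                findings[user] = sorted(ips)
                break
    return findings


def nonexistent_account_failures(events, known):
    """Item 4: failed logins against usernames that do not exist, grouped by source IP,
    the pattern of someone guessing account names."""
    per_ip = defaultdict(set)
    for _ts, user, ip, outcome, _cc in events:
        if outcome == "fail" and user not in known:
            per_ip[ip].add(user)
    return {ip: sorted(users) for ip, users in per_ip.items()}


def after_hours_logins(events, hours=BUSINESS_HOURS):
    """Item 4: successful logins outside business hours."""
    return [(ts.isoformat(), user, ip) for ts, user, ip, outcome, _cc in events
            if outcome == "ok" and ts.hour not in hours]


def run(events=SAMPLE_EVENTS):
    """Apply all three checks and return the findings keyed by check name."""
    parsed = parse(events)
    return {
        "multi_ip": multi_ip_logins(parsed),
        "unknown_accounts": nonexistent_account_failures(parsed, KNOWN_ACCOUNTS),
        "after_hours": after_hours_logins(parsed),
    }


if __name__ == "__main__":
    for check, hits in run().items():
        print(check, hits)
```

In production the same three checks run against a SIEM or the authentication server's own logs; the geoIP column is what lets the multi-IP check say "three countries in eighteen minutes" rather than just "three addresses", which is the detail that usually decides whether an analyst picks the alert up.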

5. Swells In Database Read Volume

Once an attacker has made it into the crown jewels and seeks to exfiltrate information, there will be signs that someone has been mucking about in data stores. One of them is a spike in database read volume, says Kyle Adams, chief software architect for Junos WebApp Secure at Juniper Networks.

“When the attacker attempts to extract the full credit card database, it will generate an enormous amount of read volume, which will be way higher than you would normally see for reads on the credit card tables,” he says.

6. HTML Response Sizes

Adams also says that if attackers use SQL injection to extract data through a Web application, the requests issued by them will usually have a larger HTML response size than a normal request.

“For example, if the attacker extracts the full credit card database, then a single response for that attacker might be 20- to 50MB, where a normal response is only 200KB,” he says.

7. Large numbers of requests for the same file

It takes a lot of trial and error to compromise a site — attackers have to keep trying different exploits to find ones that stick. And when they find signs that an exploit might be successful, they’ll frequently use different permutations to launch it.

“So while the URL they are attacking will change on each request, the actual filename portion will probably stay the same,” Adams says. “So you might see a single user or IP making 500 requests for ‘join.php,’ when normally a single IP or user would only request that page a few times max.”
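Items 6 and 7 over a web server access log, as an added example that is not code from the article or from Juniper: a Python parser for Apache combined-format lines and two checks, one flagging responses that are far larger than the median response for the same file, the other flagging a single client requesting the same filename far more often than anyone else. The log lines are constructed for the example (one client issuing many permutations of a request to join.php and then receiving a very large response); the 10x size factor and the 50-request threshold are assumptions to be tuned against real traffic.

```python
import re
from collections import Counter, defaultdict
from statistics import median
from urllib.parse import urlsplit

# Apache combined log format, up to the response size (referer/user-agent are ignored).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def make_sample_log():
    """Constructed traffic, not a real log: normal browsing from four clients, then one
    client (10.0.0.5) trying 60 variants of join.php and finally pulling a 35 MB response."""
    lines = []
    for i in range(40):
        lines.append(f'10.0.0.{i % 4 + 10} - - [10/Oct/2013:10:{i:02d}:00 +0000] '
                     f'"GET /forum/index.php?t={i} HTTP/1.1" 200 {180000 + i * 100}')
    for i in range(60):
        lines.append(f'10.0.0.5 - - [10/Oct/2013:11:{i:02d}:00 +0000] '
                     f'"GET /forum/join.php?u={i}%27 HTTP/1.1" 200 210000')
    lines.append('10.0.0.5 - - [10/Oct/2013:12:00:00 +0000] '
                 '"GET /forum/join.php?u=1%27 HTTP/1.1" 200 35000000')
    return lines


def parse_log(lines):
    """Return (client ip, filename part of the path, status, response bytes) per line."""
    rows = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                      # skip lines that do not fit the format
        fname = urlsplit(m["url"]).path.rsplit("/", 1)[-1]
        size = 0 if m["bytes"] == "-" else int(m["bytes"])
        rows.append((m["ip"], fname, int(m["status"]), size))
    return rows


def oversized_responses(rows, factor=10):
    """Item 6: responses more than `factor` times the median size for that file."""
    sizes = defaultdict(list)
    for _ip, fname, _status, size in rows:
        sizes[fname].append(size)
    baseline = {f: median(s) for f, s in sizes.items()}
    return [(ip, fname, size) for ip, fname, _status, size in rows
            if size > factor * baseline[fname]]


def same_file_hammering(rows, threshold=50):
    """Item 7: one client requesting the same filename (any query string) `threshold`+ times."""
    counts = Counter((ip, fname) for ip, fname, _status, _size in rows)
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    rows = parse_log(make_sample_log())
    print("oversized:", oversized_responses(rows))
    print("hammering:", same_file_hammering(rows))
```

Keying the count on the filename rather than the full URL is what catches the behaviour Adams describes: the query string changes on every attempt, so a per-URL counter never climbs, while a per-filename counter for one client does.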

8. Mismatched Port-Application Traffic

Attackers often take advantage of obscure ports to get around simpler Web filtering techniques. So if an application is using an unusual port, it could be a sign of command and control traffic masquerading as “normal” application behavior.

“We have noticed several instances of infected hosts sending C&C communications masked as DNS requests over port 80,” says Tom Gorup, SOC Analyst for Rook Consulting. “At first glance, these requests may appear to be standard DNS queries, however, it is not until you actually look at those queries that you see the traffic going across a non-standard port.”

[Your organization’s been breached. Now what? See Establishing The New Normal After A Breach.]

9. Suspicious Registry or System File Changes

One of the ways malware writers establish persistence within an infected host is through registry changes.

“Creating a baseline is the most important part when dealing with registry-based IOCs,” Gorup says. “Defining what a clean registry is supposed to contain essentially creates the filter against which you will compare your hosts. Monitoring and alerting on changes that deviate outside the bounds of the clean ‘template’ can drastically increase security team response time.”

Similarly, many attackers will leave behind signs that they’ve tampered with a host in system files and configurations, says Webb, who has seen organizations more quickly identify compromised systems by looking for these kinds of changes.

“What can happen is that the attacker will install packet-sniffing software to harvest credit card data as it moves around the network,” he says. “The attacker targets a system that can watch the network traffic, then installs the harvesting tool. While the chances of catching the specific harvesting tool are slim–because they will be targeted and probably not seen before–there is a good chance to catch the changes to the system that houses the harvesting tool.”

10. DNS Request Anomalies

According to Wade Williamson, senior security analyst for Palo Alto Networks, one of the most effective red flags an organization can look for are tell-tale patterns left by malicious DNS queries.

“Command-and-control traffic is often the most important traffic to an attacker because it allows them ongoing management of the attack and it needs to be secure so that security professionals can’t easily take it over,” he says. “The unique patterns of this traffic can be recognized, and [doing so] is a very standard approach to identifying a compromise.”

Gorup agrees that DNS exfiltration can be “extremely loud.”

“Seeing a large spike in DNS requests from a specific host can serve as a good indicator of potentially suspect activity,” he says. “Watching for patterns of DNS requests to external hosts, compared against geoIP and reputation data, and implementing appropriate filtering can help mitigate C&C over DNS.”
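Items 8 and 10 over per-host DNS telemetry, as an added example that is not code from the article, Rook Consulting or Palo Alto Networks: a Python check that compares each host's hourly DNS query count against that host's own baseline (the "clean template" idea from item 9 applied to volume), and a second check for DNS-shaped traffic sent to a port other than 53. The records are constructed for the illustration (three workstations with 20-24 queries an hour, one of which suddenly issues 600 in a single hour, and one that sends a couple of DNS-format packets to port 80); the three-sigma threshold and the hourly bucket are assumptions.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed records, not real telemetry: (hour of day, source host, dst port, app, query name).


def make_sample_flows():
    flows = []
    for h in range(24):
        for host in ("ws-01", "ws-02", "ws-03"):
            for i in range(20 + (2 * h) % 5):          # 20-24 queries an hour: the baseline
                flows.append((h, host, 53, "dns", f"site{i}.example.com"))
    for i in range(600):                               # ws-02 floods DNS in hour 13
        flows.append((13, "ws-02", 53, "dns", f"{i:04x}.c2.example.net"))
    for i in range(2):                                 # ws-03 sends DNS-shaped packets to port 80
        flows.append((3, "ws-03", 80, "dns", f"beacon{i}.example.org"))
    return flows


def dns_volume_spikes(flows, sigmas=3.0, min_hours=6):
    """Item 10: hours in which a host's DNS query count exceeds the mean of its other
    hours by more than `sigmas` standard deviations (leave-one-out baseline, so the
    spike itself does not inflate the threshold it is measured against)."""
    per_host_hour = Counter((host, h) for h, host, _port, app, _q in flows if app == "dns")
    by_host = defaultdict(dict)
    for (host, h), n in per_host_hour.items():
        by_host[host][h] = n
    spikes = []
    for host, hours in by_host.items():
        if len(hours) < min_hours:
            continue                                   # not enough history for a baseline
        for h, n in sorted(hours.items()):
            others = [v for hh, v in hours.items() if hh != h]
            if n > mean(others) + sigmas * pstdev(others):
                spikes.append((host, h, n))
    return spikes


def dns_on_nonstandard_port(flows):
    """Item 8: DNS-formatted traffic to any port other than 53, the masquerade Gorup describes."""
    return sorted({(host, port) for _h, host, port, app, _q in flows
                   if app == "dns" and port != 53})


if __name__ == "__main__":
    flows = make_sample_flows()
    print("volume spikes:", dns_volume_spikes(flows))
    print("DNS on odd ports:", dns_on_nonstandard_port(flows))
```

The baseline is per host rather than network-wide on purpose: a DNS resolver or a mail gateway legitimately issues thousands of queries an hour, and a single global threshold would either drown in those or miss a workstation that has gone from twenty queries to six hundred.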

Article source: http://www.darkreading.com/attacks-breaches/top-15-indicators-of-compromise/240162469

Microsoft covers Brit who penetrated Windows 8.1 with GOLD


A UK security researcher has secured the first Microsoft $100,000 bounty after uncovering ways to get around security defences built into Windows 8.1 Preview, the latest version of Redmond’s operating system.

James Forshaw, head of vulnerability research at Context Information Security, scooped the award for a new mitigation bypass technique.


Redmond debuted three bounty programmes in June that rewarded researchers for:

  • techniques that bypass built-in OS mitigations and protections,
  • defences that stop those bypasses and
  • the discovery of vulnerabilities in Internet Explorer 11 Preview.

Earlier this week Microsoft announced payouts totalling $28,000 to six security researchers who collectively reported 15 different bugs in the preview release of Internet Explorer 11.

Forshaw has already benefited from discovering design-level bugs during the IE11 Preview Bug Bounty, taking his total bounty earnings to $109,400.

Microsoft is not providing details of the new mitigation bypass technique uncovered by Forshaw until it can come up with a security fix. Microsoft does, however, praise Forshaw’s research in a post on its Blue Hat blog.

Redmond explains that payouts for new mitigation bypass techniques are far more generous than those for fingering flaws in Internet Explorer because learning about new bypass techniques helps it develop defences against entire classes of attack.

Strengthening platform-wide mitigations makes it harder for attackers to exploit bugs in all software running on the Microsoft platform and not just Microsoft applications, Redmond said.

Coincidentally, Microsoft engineer Thomas Garnier had found a variant of the class of attack uncovered by Forshaw, but this doesn’t detract from Forshaw’s research or prevent him from claiming his well-earned reward.

Katie Moussouris, senior security strategist lead, Microsoft Trustworthy Computing, said: “We’re thrilled to receive this qualifying Mitigation Bypass Bounty submission within the first three months of our bounty offering. James [Forshaw’s] entry will help us improve our platform-wide defences and ultimately improve security for customers, as it allows us to identify and protect against an entire class of issues.”

Forshaw explained that he is driven by the intellectual challenge of finding bugs rather than scoring prizes.

“Over the past decade working in secure development and research, I have discovered many interesting security vulnerabilities with a heavy focus on complex logic bugs,” Forshaw said in a statement. “I’m keenly interested in the intellectual puzzle of finding novel exploitation techniques and the creativity it requires.

“To find my winning entry I studied the mitigations available today and after brainstorming I identified a few potential angles. Not all were viable but after some persistence I was finally successful,” he added.

Redmond’s bug bounty programme is one of numerous schemes across the industry designed to reward researchers for reporting flaws to vendors, rather than selling details of bugs to TippingPoint’s Zero Day Initiative or hawking them through exploit brokers or vulnerability marketplaces.

“Microsoft’s Mitigation Bypass Bounty is very important to help shift the focus of bounty programs from offence to defence,” Forshaw explained. “It incentivises researchers like me to commit time and effort to security in depth rather than just striving for the total vulnerability count.”

Forshaw is due to speak at the Hack in the Box conference in Kuala Lumpur, Malaysia, later this month. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/09/windows_bypass_bug_bounty/

MI5 boss: Snowden leaks of GCHQ methods HELPED TERRORISTS


MI5’s newly appointed boss has suggested that his predecessor might have spoken too much about cyber-attacks rather than conventional terrorism in a speech attempting to justify controversial surveillance programs by GCHQ and the NSA.

Andrew Parker, director general of the security service, made the remarks in a speech to the Royal United Services Institute in London on Tuesday. It’s his first published speech as director-general of MI5, a position he took over from Sir Jonathan Evans.


“My predecessor spoke last year about cyber threats,” said Parker, according to an official transcript of the speech. “This evening I am majoring on terrorism. Describing the reality of the terrorism threat we face is challenging in public discourse. I’ve heard too much exaggeration at one end, while at the other there can sometimes be an alarming degree of complacency.”

Parker went on to describe how “terrorism, espionage, cyber attack, and weapons of mass destruction are all features of the darker side of our modern world” that MI5 strives to combat.

“Over recent decades new threats have emerged (Al Qaeda), old ones have fallen away (Cold War subversion), mutated (Northern Ireland-related terrorism) or branched out in new forms (cyber espionage),” he added.

The secret service boss, a 30 year veteran of MI5, led its response to the 7 July 2005 London bombings and the 2006 transatlantic aircraft plot as deputy director general. The vast majority of his speech focused on the international terrorist threat from Al-Qaeda and its affiliates as well as how accelerating technological change is altering MI5’s work.

Helping the bad guys

Parker controversially argued that Snowden’s leaks, by publicising the “reach and limits of GCHQ techniques”, have the effect of “handing the advantage to the terrorists”.

“Reporting from GCHQ is vital to the safety of this country and its citizens,” he said. “GCHQ intelligence has played a vital role in stopping many of the terrorist plots that MI5 and the police have tackled in the past decade. We are facing an international threat and GCHQ provides many of the intelligence leads upon which we rely. It makes a vital contribution to most of our high priority investigations. It causes enormous damage to make public the reach and limits of GCHQ techniques. Such information hands the advantage to the terrorists. It is the gift they need to evade us and strike at will. Unfashionable as it might seem, that is why we must keep secrets secret, and why not doing so causes such harm.”

Parker sought to explain how individuals known to MI5 have gone on to plan, or in some cases execute terrorist plots. “With greater resources since 7/7 we have worked very hard to identify as many as possible of the people in the country who are active in some way in support of terrorism,” he explained.

“Knowing of an individual does not equate to knowing everything about them. Being on our radar does not necessarily mean being under our microscope. The reality of intelligence work in practice is that we only focus the most intense intrusive attention on a small number of cases at any one time.”

He added:

The idea that we either can or would want to operate intensive scrutiny of thousands is fanciful. This is not East Germany, or North Korea. And thank goodness it’s not.

The MI5 boss went on to highlight “accelerating technology” change as well as the “diversifying threat landscape” as the two principal challenges facing the security service.

The impact of tech on the spooks’ legit work

Net technologies make it a bigger challenge for security services to track terrorists, Parker claimed.

“The internet is used by terrorists for many purposes: broadcasting their propaganda, radicalising vulnerable individuals, arranging travel, buying items, moving money and so on. But the primary issue is communication.

“The internet and related technologies offer a rather different world – better in so many ways, but better too for the terrorists. Through e-mail, IP telephony, in-game communication, social networking, chat rooms, anonymising services, and a myriad of mobile apps, the terrorist has tens of thousands of means of communication. Many of those routes are now encrypted.”

Parker controversially suggested that terrorist use of encryption justifies attempts by signals intelligence agencies such as the NSA and GCHQ to weaken internet standards, plant backdoors and capture all the traffic flowing through international cables, as well as running dragnet internet surveillance programmes such as Prism. Parker did not refer to any of these directly, instead describing them as “tools” necessary to uncover the nefarious plots of terrorists.

“How the UK decides to respond to these developments will directly determine the level of security available against the threats we face. Retaining the capability to access such information is intrinsic to MI5’s ability to protect the country.

Staying at the cutting edge

“Shifts in technology can erode our capabilities. There are choices to be made, including, for example, about how and whether communications data is retained. It is not, however, an option to disregard such shifts with an unspoken assumption that somehow security will anyway be sustained. It will not. We cannot work without tools.”

The ongoing Snowden revelations suggest otherwise, but Parker sought to justify internet surveillance as proportionate and legally authorised under a regime operating with strict controls. This echoes the arguments of US spooks.

“Technologies advance all the time. But MI5 will still need the ability to read or listen to terrorists’ communications if we are to have any prospect of knowing their intentions and stopping them. The converse to this would be to accept that terrorists should have means of communication that they can be confident are beyond the sight of MI5 or GCHQ acting with proper legal warrant.”

Parker also dismissed the idea that GCHQ is indiscriminately snooping on the entire web, claiming instead that his agency only monitored those threatening national security.

We only apply intrusive tools and capabilities against terrorists and others threatening national security. The law requires that we only collect and access information that we really need to perform our functions, in this case tackling the threat of terrorism. In some quarters there seems to be a vague notion that we monitor everyone and all their communications, browsing at will through people’s private lives for anything that looks interesting. That is, of course, utter nonsense.

Parker concluded by seeking to deny criticism that the security services were operating dragnet surveillance programs:

“Far from being gratuitous harvesters of private information, in practice we focus our work very carefully and tightly against those who intend harm. The law requires it. All our internal controls, systems and authorisation levels are built accordingly and subject to independent inspection and oversight.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/10/09/mi5_boss_net_surveillence_speech/

Novell Announces Strategic Partnership With MobileIron For Secure Mobile File Access

Provo, UT. – October 9, 2013 – Novell today announced that it has partnered with MobileIron, a leader in security and management for mobile apps, content, and devices, to enable more secure mobile file access and sharing through Novell Filr and MobileIron AppConnect. Novell Filr is a mobile file-sharing solution that gives IT complete control of all shared files and provides users with anywhere, any-device access. Novell is the pioneer of networked file and print services and unlike cloud-based file sharing solutions like Dropbox, Skydrive or Google Drive, Novell Filr is built specifically for the enterprise.

Novell and MobileIron simplify the task of offering and securing mobile file access. Novell Filr provides authorized mobile device access to the files that reside on corporate servers, while MobileIron AppConnect keeps managed and personal data separate creating another level of security for IT. With MobileIron AppConnect containerization, files accessed through Novell Filr are encrypted and protected from unauthorized access.

“Due to the enormous growth of mobile devices within the enterprise, IT faces a real challenge with protecting corporate data,” said Bob Flynn, president and general manager of Novell. “The strategic partnership with MobileIron allows only authorized employees the ability to access and share corporate files on-the-go through Novell Filr and our on-premise deployment.”

By combining the capabilities of Novell Filr with MobileIron AppConnect, IT can disable cut and copy controls for files, disable the opening of documents in certain applications, and whitelist select apps for opening documents. This partnership makes it easier for IT to remain compliant with corporate data loss prevention by securing access and controls by user, and controlling data leakage by restricting replication of the data and usage of restricted apps.

“As mobile becomes the central computing platform for the enterprise, employees need secure mobile access to all their critical files,” said Ojas Rege, VP Strategy, MobileIron. “Novell is a trusted name in collaboration and networking and we are excited to combine the app security strength of MobileIron AppConnect with the file-sharing power of Novell Filr.”

Novell Filr allows IT to leverage existing infrastructure and security policies, eliminating the need for new hardware investments to enable secure mobile file sharing. With the MobileIron AppConnect integration, only devices that have been approved by IT will be able to launch the Filr application and access files that are stored and shared.

Availability

Novell Filr is currently available, and integration with MobileIron AppConnect is now generally available through iTunes and Google Play. For additional information, visit http://www.novell.com/promo/filr-mobileiron.html or contact your Novell representative.

About Novell

Novell, Inc. believes that customers should have choice and control of their IT systems. A global software leader for enterprises worldwide, Novell delivers solutions that make people more productive and work environments more secure and manageable. Novell supports thousands of organizations around the world with collaboration, endpoint management, and file and networking technologies, all of which drive end-user productivity. With solutions including Novell Filr, Novell ZENworks Mobile Management and Novell iPrint, Novell focuses on today’s mobile, social and multi-platform world to help businesses stay competitive, minimize costs, and get more value from the software they already own. For more information, visit www.novell.com.

Copyright (C) 2013 Novell, Inc. All rights reserved. Novell is a registered trademark of Novell, Inc. in the United States and other countries. All third party trademarks are the property of their respective owners.

About MobileIron

The leader in security and management for mobile apps, content, and devices, MobileIron’s mission is to enable organizations around the world to embrace mobility as their primary IT platform in order to transform their businesses and increase their competitiveness. Leading global companies rely on MobileIron’s scalable architecture, rapid innovation, and best practices as the foundation for their Mobile First initiatives, including 8 of the top 10 automotive manufacturers, 7 of the top 10 pharmaceutical companies, 5 of the top 10 banks, 5 of the top 10 law firms, and 4 of the top 10 retailers. For more information, please visit www.mobileiron.com.

Article source: http://www.darkreading.com/mobile/novell-announces-strategic-partnership-w/240162428

SecureKey Divests Hardware Security Token Group

TORONTO, Canada, October 9, 2013 – SecureKey, the leading provider of trusted identity networks, today announced that it has completed the transfer of its hardware security token group to newly founded Kili Technology Corporation. Afshin Rezayee, formerly vice president of hardware engineering at SecureKey, will lead Kili Technology, and along with the rest of the hardware engineering team will form the core of the new company.

Kili Technology was founded by SecureKey Chairman Greg Wolfond with funding from Toronto-based Blue Sky Capital.

“SecureKey’s core business is providing cloud-based authentication services, so developing our own hardware devices is no longer the most efficient approach for us moving forward,” said Charles Walton, CEO at SecureKey. “Recognizing the potential that still exists for hardware security tokens, Kili Technology has acquired all of the relevant SecureKey patents and other IP, as well as the engineering team, to continue pursuing this market under the leadership of Afshin Rezayee.”

SecureKey’s groundbreaking, cloud-based briidge.net™ platform is providing simplified secure access for citizens to a broad range of online services from the Government of Canada, and has recently been adopted by the U.S. Postal Service to provide the cloud-based authentication infrastructure for the new Federal Cloud Credential Exchange (FCCX).

“SecureKey’s hardware security token group will find a good home at Kili Technology, and we are excited by the opportunity to drive this business forward as an independent entity,” said Afshin Rezayee, co-president of Kili Technology. “With our excellent engineering team, technology and customer base, and the support of our backers, we are confident about the success of this new venture.”

About SecureKey Technologies Inc.

SecureKey is the leading provider of cloud-based, trusted identity networks that eliminate the burden, cost, and risks associated with user authentication. The company’s federated authentication solutions ensure that users are properly authenticated regardless of the service, device or credential they prefer to use. Organizations can quickly and easily deliver high-value online services to millions of consumers and citizens with improved transaction privacy, simplicity, and convenience. SecureKey is headquartered in Toronto, with offices in Boston, and Washington D.C. The company is backed by a world-class group of venture and corporate investors. For additional information, please visit www.securekey.com.

Article source: http://www.darkreading.com/management/securekey-divests-hardware-security-toke/240162443