STE WILLIAMS

Public Facebook posting leads to arrest of suspected burglar

Beki Akins, a resident of the US state of Oklahoma, is the granddaughter of an elderly couple who were recently held at knifepoint by a masked man who threw Akins’s grandmother to the ground, ransacked their home, and physically and verbally assaulted her grandfather.

Thanks to her quick use of social media, Ms. Akins is also, now, the poster child for showing when it can be advantageous to post things publicly on Facebook.

The grandparents, who live in Broken Arrow, Oklahoma, were held captive early last week.

Police searched for the burglar for more than 24 hours.

A suspect is now behind bars, after Ms. Akins publicly posted a description of the assailant on Facebook, Tulsa World reports.

The suspect, Michael Lank, 30, of Tulsa, was jailed on Tuesday following the robbery.

Police had been tipped off by Lank’s brother-in-law, Ken Reddick, also of Tulsa, who saw Akins’s Facebook status update and immediately thought that her post might well be describing Lank.

That update had been shared nearly 9,000 times as of the time that NewsOn6.com reported on the story on Wednesday, 2 October.

Reddick first contacted Akins and her family, then he contacted the police.

Bail has been set at $52,500 on complaints of first-degree robbery by force or fear, stolen property, and false declaration of ownership, Tulsa World reports.

Broken Arrow Police Department public information officer Leon Calhoun told Tulsa World that the police are appreciative when the public shares information about crimes within the community on social media, but the practice can actually hinder police investigations:

Friends and family members of the suspect could see that and alert the individual we are out there looking for them. … The suspect then could try to hide, run away or even destroy evidence. We always want the public to contact the police first.

Akins told Tulsa World that she turned to Facebook because she knew that news of the crime would spread fast and far, thus getting more people involved in the search for the robber:

Word travels fast online. Without the power of social media, this guy would still be on the street trying to hurt someone else.

It sounds good, on the face of it, doesn’t it? Bad guy, off the streets, thanks to the effects of a public posting on Facebook having rippled out to catch the burglar. Good, yes?

I’m afraid that that conclusion doesn’t hold water, as simple and satisfying as it seems.

You know how security geeks are always clucking our tongues about checking Facebook settings to make sure you don’t wind up with, say, a mob of partygoers who saturate your home furnishings with vomit or that you don’t post truly embarrassing things like how you showed up to work late and hung over?

Party invitations and drinking spree histories should obviously be private.

Should descriptions of criminal suspects always be marked public on social media sites?

There are instances when internet vigilantism, fueled by the speed of viral spread and the public’s enthusiasm for nabbing the bad guys, has gone very bad, leading innocent people to be persecuted.

A recent example is the Boston Marathon bombing.

Social media site Reddit found itself apologising after dozens of self-appointed investigators in the Find Boston Bombers forum erroneously pointed fingers at innocent bystanders as “suspects”.

The incident showed that crowdsourcing can go very wrong, very fast.

When we post descriptions of possible criminals on social media, it sets up potentially innocent people to get singled out and harassed by righteous mobs.

I’m very glad that Ms. Akins’s grandparents only suffered scrapes and bruises.

But I’m not going to make her the poster child for when to post things publicly. Instead, I’m taking to heart the admonitions of Officer Calhoun.

Namely, we the public should stick to feeding information about crimes to law enforcement.

Image of burglar and phone courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Lo-Offi7-RM/

Datacastle Announces Support For Cloud Sync And Share Services

SEATTLE, October 1st, 2013 – Datacastle, a market leader for protecting enterprises from endpoint data loss and data breaches, today announced that its flagship product, Datacastle RED™, now supports secure backup and restore of company data when using major cloud sync and share services such as DropBox, Microsoft SkyDrive, Box, Google Drive, and Amazon Cloud Drive. This new capability is added to Datacastle’s recognized QuickCache™ and RoamSmart™ technologies that support intelligent backup and recovery roaming across hybrid cloud deployments with mobile broadband detection functionality.

“While many vendors in the enterprise IT sector are trying to provide companies with a ‘rip and replace’ alternative to these wildly popular cloud sync and share services, we believe CIOs should have an ‘embrace and extend’ option,” says Datacastle CEO Ron Faith. “With our latest release of Datacastle RED, CIOs can augment their data governance and compliance when employees use these services.”

In addition to enabling IT professionals to back up and restore company data stored in employees’ public sync and share accounts, Datacastle RED makes it possible to encrypt the sync and share data “at rest” on laptops, desktops, or high-end Windows tablets such as the Surface Pro. IT administrators can also remotely wipe the data at the endpoint by command or poison pill.

The most recent release also enhances Datacastle RED’s enterprise capabilities concerning automated silent deployment, Active Directory/LDAP integration, single sign-on support via SAML v2, and centralized policy management.

Datacastle RED is available on Microsoft Windows Azure, IBM SmartCloud, and on-premise deployments.

About Datacastle

Datacastle protects enterprises from mobile data loss and data breach with simplified and scalable endpoint backup and data protection. Datacastle RED provides secure and auditable access to enterprise data on critical devices, anytime, anywhere. Datacastle RED is available through a global network of partners. To learn more about Datacastle RED, visit http://www.datacastlered.com, follow on Twitter @Datacastle, or call 425.996.9684.

Article source: http://www.darkreading.com/applications/datacastle-announces-support-for-cloud-s/240162341

Identity Theft Resource Center: Identity Theft Resource Center Has Free Resources Available For Consumers

SAN DIEGO, Oct. 4, 2013 /PRNewswire/ — Due to the recent government shutdown, many government resources, including those which assist victims of identity theft, may be unavailable at this time.

During this interim period, the ITRC Victim Assistance Call Center is open and ready to assist callers who may be faced with issues of identity theft. The ITRC wants to ensure that victims nationwide are aware of our resources. Our call center and online resources at http://www.idtheftcenter.org remain available.

Our toll-free call center, 888-400-5530, is available from 7:30-4:30 PST. We will likely experience a high volume of calls which will increase consumer wait time; however, we are committed to responding to victims and consumers as quickly as possible.

About the ITRC

The Identity Theft Resource Center (ITRC) is a nationally recognized non-profit organization established to support victims of identity theft in resolving their cases, and to broaden public education and awareness in the understanding of identity theft. It is the on-going mission of the ITRC to assist victims, educate consumers, research identity theft and increase public and corporate awareness about this problem. Victims may contact the ITRC toll-free at 888-400-5530 or visit us online at www.idtheftcenter.org.

Article source: http://www.darkreading.com/end-user/identity-theft-resource-center-identity/240162358

Sidestepping SDN Security Woes

As IT departments consider the potential security upsides of building out software-defined networking (SDN) infrastructure, they should also mull over the flip side of the coin. The earlier they can prepare for SDN control issues and bake in protection, the less likely they’ll be surprised by security issues that could present themselves without proper foresight, experts say.

Even if it can be used for the greater security good, SDN is a design strategy, not an out-of-the-box security tool. That means security needs to be thoughtfully architected from the beginning.

“In some ways, SDN is just another concern for security people — another thing that needs to be protected,” says Reuven Harrison, CTO of Tufin Technologies. “It’s not like security is automatically provided by SDN.”

And in spite of paradigm shifts in the way networking is done, some of the same problems will stick around, Harrison says.

“When SDN does become more popular, it will have a very similar problem to today’s problems because it will be different vendors with different APIs. Although there is a standard, the vendors aren’t actually following the standard, and so there will be multivendor complexity,” he says. “It’s another big business problem we’ll need proper management, automation, and orchestration to be able to control.”

According to Christofer Hoff, vice president of strategic planning for the security business group at Juniper Networks, the increased dependence on automation and the interconnectivity between network controllers in an SDN network will actually make the security basics even more imperative than they are today.

“We really have to make sure the Is are dotted and the Ts are crossed, so that we make sure we have strong authentication, and that we don’t allow elements like SSL/TLS and encryption be optional between, let’s say, a forwarding plane and a control plane,” he says, explaining that the increase in controllers will expose northbound interfaces to other applications that will interact with the controller and the rest of the network. “If I start opening up the crown jewels of my network, the control plane, to external elements that beforehand had to go through these disintermediated correlation elements, we really need to make sure we nail that.”

Additionally, with controllers requiring a secure, dedicated connection to elements they’re managing, the threat of denial of service and the risks caused by it go up.

“So we need to ensure that these different elements – the controllers, the forwarding nodes, the analytics planes – are protected against denial of service,” Hoff says.

Perhaps more important, though, are the issues arising from SDN’s consolidation of control.

“In a centralized architecture like SDN, the central control framework for network services is the absolute arbiter of connection rules, and if you compromise it, you have compromised everything,” says Tom Nolle, president of CIMI Corporation, a strategic IT consultancy. “With centralized SDN, now there’s this nice, convenient central place to attack, and if you successfully attack it, you gain complete control of the network.”

And attacks against that control plane aren’t the only risk posed by this central arbiter of policies. There’s also the issue of policy collisions, says Hoff, explaining that while SDN enables automation, without proper management of the policies that drive the automatic control of the infrastructure, problems may well lurk.

“There are any number of scenarios you can paint where you imagine administrator A and admin B, both of whom are trusted users and not doing anything bad,” he says, “but they could do things that could cause all sorts of problems with visibility and transparency that might be difficult to troubleshoot.”


Article source: http://www.darkreading.com/vulnerability/sidestepping-sdn-security-woes/240162345

Hacking The Adobe Breach

At first glance, the massive breach at Adobe that was revealed last week doesn’t neatly fit the profile of a pure cybercrime attack: Not only did the bad guys steal customer data and payment card information from the software company, but they also nabbed the source code for Adobe’s ColdFusion, Acrobat, and Reader software.

It’s still unclear just how the attackers got Adobe’s customer data and its source code, and what, if anything, they have done to tamper with the source code for fraud purposes. But what is clear is that the attackers either purposely or inadvertently accessed both Adobe’s valuable customer financial data and its intellectual property — netting themselves multiple avenues for making money.

“These guys were financially oriented,” says Alex Holden, CISO at Hold Security, who, along with Brian Krebs of KrebsOnSecurity, discovered the 40 gigabytes of Adobe source code on the same server as the stolen data from LexisNexis, Dun & Bradstreet, Kroll, and others. “Whether they had access to the source code first … it remains to be seen.”

Adobe late Thursday revealed that it had suffered massive “sophisticated attacks” on its network that resulted in the theft of sensitive information, including payment card information on 2.9 million customers, as well as of source code for multiple Adobe software products, including Adobe Acrobat, ColdFusion, ColdFusion Builder, and other Adobe software. Brad Arkin, chief security officer of Adobe, said the attacks may be related.

Hold Security’s Holden says the attackers appear to have had the stolen data in their possession for at least two months. He says one of his biggest worries is that a zero-day attack may be under way against Adobe applications that hasn’t yet been spotted. “They might have attacked high-level targets. That’s an extremely disturbing and scary thought,” Holden says.

Cybercriminals typically try to quickly cash in on stolen payment card information or user credentials. While the stolen Adobe customer payment card data was encrypted, according to Adobe, it’s possible the attackers were able to glean the encryption keys or crack the crypto, depending on its strength and implementation, security experts say.

The attackers could monetize the source code by finding and selling exploits for Adobe apps, for instance, experts say. Or they could just keep the exploits for themselves to use in more widespread future attacks.

“If you’re going after Adobe or any company, you’re going to go after information you can monetize quickly, but also if you find some really good zero-days in Adobe Reader or ColdFusion, that might just lead to future attacks across several customers,” says Benjamin Johnson, CTO of Carbon Black. “Everyone has Adobe … it’s such a huge surface area to target.”

Exploit sales are lucrative, to the tune of tens of thousands of dollars for an Adobe app, for example. “The source-code is the money-making stuff — it helps you find the vulnerabilities in Adobe products. For example, a single zero-day exploit for Adobe Reader can be worth $50,000 in the black market,” says Timo Hirvonen, senior researcher at F-Secure.

Leveraging Adobe’s source code would provide the attackers with a more efficient way to steal information. “In the past, it was so easy for [cybercriminals] to do spree attacks — you could get millions of people through phishing and keyloggers,” says Dan Hubbard, CTO of OpenDNS. “But now it looks more sophisticated, and they are doing things that are more planned, so instead of going after the client and human element, they are going at some of the weaknesses in the infrastructure and pulling data back and figuring out what to do … It’s definitely an interesting change in operations.”

If the worst-case scenario becomes reality and the attackers actually poisoned the Adobe source code and then distributed it to Adobe customers, then the software firm was more of a means to an end for the attackers. “If indeed the source code stolen pertains to ColdFusion and Acrobat, this could leave thousands of Web servers open to at-will compromise and make it easier to compromise end-user systems. This breach is a chilling reminder that all software companies should be on guard, as they, too, could be a stepping stone to other targets,” says Chris Petersen, CTO and co-founder of LogRhythm.

[Today’s reality that you can’t stop all cyberattacks means security teams must double down on smarter detection of threats and attacks rather than the traditional approach of mainly trying to prevent them. See CISO Shares Strategies For Surviving The Inevitability Of Attacks.]

It may be some time before the full picture of the Adobe attack emerges — if it does at all. Security experts say if it indeed took Adobe up to six weeks to notice the attack, the software company is at a disadvantage from the start. “That’s a head start the bad guys had,” Johnson says. The key is always quick detection to mitigate the damage, experts say.

Another concern is whether the attackers already have made inroads in targeting Adobe’s customers. “One of my concerns is the lateral movement within the customer base,” Carbon Black’s Johnson says, where the attackers already have phished Adobe customers to steal information.

“It’s going to be a while until we know the full ramifications of this,” he says.

And Adobe is not the last victim of this cybercrime gang: Security experts say to expect further revelations of other organizations that were hit.


Article source: http://www.darkreading.com/attacks-breaches/hacking-the-adobe-breach/240162362

Evasion Techniques And Sneaky DBAs

Evasion techniques.

No, not the type you find with SQLi, rather the type that database administrators like to use on security people. Yes, DBAs know that most security people don’t know jack about databases. It takes years to know the ins and outs of complex relational platforms. Security folks are simply unaware of what security controls are possible and what the downsides might be. The administrators can choose to tell any fable or omit whatever information they choose; the security team will be none the wiser. I get it.

From the DBA’s perspective, why introduce security measures that make your job harder for the nebulous benefit of better security? So they omit capabilities from discussions. Or skew the difficulty of implementing security controls, or talk of “de-stabilizing” the database, or performance impact or something similar.

I had one such discussion with a security practitioner last week. There were three specific capabilities of the database that he wanted — user identities in the audit trail, segregation of admin roles, and data encryption — which the DBAs said they could not provide. Respectively, the reasons were “It can’t be done,” “The database does not support that,” and “It’s a performance problem.” The problem is that none of these statements are true: In fact, they are all rather easy to do.

Since the database was Oracle, let’s get a bit more specific:

User ID and Connection Pooling:

When you use the connection pooling option for Oracle, you establish a bunch of connections to the database before you need them. The benefit is that you get a connection to the database, fast, without the time-consuming authentication process. The downside is that these pools are set up under a generic service account user. And if you use audit trails to track activity, all activity is performed under the generic account, so you have no idea who did what. However, there is a client_id setting in the network connection string. If you add one or two lines of code to the application, you can — without performance impact or reliability issue — tie the real user ID to the event.
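The following Oracle SQL is an added example, not code from the article, showing the “one or two lines” in practice: the application tags each pooled session with the real user via DBMS_SESSION.SET_IDENTIFIER, and that tag surfaces as CLIENT_ID in the audit trail. The pool account APP_POOL, the user alice@example.com and the HR sample table are constructed names; it assumes standard auditing is enabled (AUDIT_TRAIL=DB).

```sql
-- Added example (not from the article): attributing pooled-connection
-- activity to the real end user in Oracle's audit trail.
-- Assumes AUDIT_TRAIL=DB and a hypothetical pool service account APP_POOL.

-- 1. Security team: audit the statement types of interest for the generic
--    pool account, one record per statement execution.
AUDIT SELECT TABLE, UPDATE TABLE, DELETE TABLE BY app_pool BY ACCESS;

-- 2. Application: after borrowing a pooled connection and authenticating
--    the human user, tag the session. This is the extra line of code;
--    JDBC exposes the same attribute as OracleConnection.setClientIdentifier().
BEGIN
  DBMS_SESSION.SET_IDENTIFIER('alice@example.com');  -- constructed user id
END;
/

-- The tag lives in the session context for the rest of the checkout and is
-- stamped onto every audit record the session produces.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')      AS db_account,   -- APP_POOL
       SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER') AS end_user      -- alice@example.com
  FROM dual;

-- A statement the application runs on the user's behalf (HR sample schema).
UPDATE hr.employees SET salary = salary * 1.1 WHERE employee_id = 100;

-- 3. Application: clear the tag before returning the connection to the pool,
--    otherwise the next borrower's statements are attributed to Alice.
BEGIN
  DBMS_SESSION.CLEAR_IDENTIFIER;
END;
/

-- 4. Security team: review the trail. Without step 2 every row shows only
--    APP_POOL; with it, CLIENT_ID names the person behind each statement.
SELECT timestamp, username, client_id, action_name, owner, obj_name, returncode
  FROM dba_audit_trail
 WHERE username = 'APP_POOL'
   AND timestamp > SYSDATE - 1
 ORDER BY timestamp;

-- Gap check: pooled sessions still writing untagged records point at code
-- paths the application team has not instrumented yet.
SELECT userhost, os_username, COUNT(*) AS untagged_events
  FROM dba_audit_trail
 WHERE username = 'APP_POOL'
   AND client_id IS NULL
   AND timestamp > SYSDATE - 1
 GROUP BY userhost, os_username
 ORDER BY untagged_events DESC;
```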

Segregation of Admin Duties

Oracle did a great thing with version 11 in that they made it possible to divvy up admin roles on a database. For example, the account for making backups could be different from the account for adding users, which could be different from the account which applies patches, and so on. So you know which DBA did what. The downside is that it requires DBAs to log in with different credentials to do these tasks, but the upside is that a single compromised account does not have total ownership of the database. It takes a little work to set up, and it annoys DBAs for the first year or so, but it is entirely possible.

Disk Encryption

Oracle offers disk encryption as an add-on package to the database, which is seamless to database services and requires no code changes. Several third-party commercial vendors offer disk-level encryption that is also seamless to database operations. And I can say from personal experience that these options are very fast, with typically less than five percent performance overhead in the worst case. And as long as you use a good key management server, they are pretty secure. It’s as simple as setting an environment variable to turn it on, so it’s not complicated.

I can’t blame DBAs for being sneaky, as they just want to keep their lives less complicated, but a handful of simple security controls go a long way towards keeping databases secure.

Adrian Lane is an analyst/CTO with Securosis LLC, an independent security analyst firm. Special to Dark Reading.

Article source: http://www.darkreading.com/database/evasion-techniques-and-sneaky-dbas/240162364

Technology Or Education? Tackling Phishing Requires Both

Cybercriminals typically steal data using a triad of techniques: malware, hacking, and tampering with hardware.

The arguably more serious espionage attacks aimed at robbing companies of their intellectual property, however, have a slightly different triumvirate of threats, dropping the physical theft of hardware in favor of socially engineering the human side of the business, according to Verizon’s 2013 Data Breach Investigations Report. In fact, 95 percent of all state-affiliated espionage attacks include a phishing component, the report’s review of 47,000 data-security incidents found.

For companies, the data highlights a weakness in their network security: Even with near-ubiquitous anti-spam technologies guarding most inboxes, spearphishing attacks get delivered. And that puts the workers on the front lines, because every user could be put in a position of defending, or infecting, the business’s network, says Trevor Hawthorn, chief technology officer of phishing-awareness service provider ThreatSim.

“Our customers are doing a lot of the right things that they are supposed to be doing [to filter out phishing], but they are still getting a high number of phishing messages,” he says. “At that point, the end user becomes the last element of defense.”

Phishing awareness allows companies to regularly test employees, raise the awareness of those employees who fail the test, and teach workers proper incident response, such as reporting phishing attempts. Phishing service firms give companies regular reports on how their employees performed in the tests and offer other metrics, such as how quickly employees reported a phishing e-mail.

[From fully undetectable malware to low-volume targeted trojans, digital threats frequently do not have a signature, but companies can still prepare. See 3 Steps To Secure Your Business In A Post-Signature World.]

Yet, while having more security-conscious users is a laudable goal, some security experts question whether it will make a difference as to whether a business suffers a breach. Finding a user who will click on a link in a well-crafted e-mail is a numbers game: Eventually, the attackers will succeed, says Kenneth Geers, senior global threat analyst with anti-malware provider FireEye.

“The thing with social engineering is, that if the attackers have done their homework, everyone is going to click,” he says.

While current data suggests that a technology-only and an education-only approach both have flaws, they both reduce risk as well. With regular phishing-awareness campaigns, companies have generally reduced the success of the attacks to the single-digit percentiles, according to ThreatSim. Another phishing-education service, PhishMe, has seen similar results.

Another hopeful trend: Companies are starting to see their employees reporting the phishing attacks before their less security-conscious colleagues click on the link, says Aaron Higbee, chief technology officer of PhishMe. Lengthening the time between report and click gives the company’s incident response team more time to find and eliminate similar attacks.

“It gives their incident response team a head start of 20 or 30 minutes,” he says.

On the technology side, sandboxing and virtual analysis environments are improving and are better able to jail potentially malicious files and protect systems from attack. So, adopting both approaches can deepen defenses and result in a cumulative reduction in risk, says ThreatSim’s Hawthorn.

“Security is not about zero percent risk,” he says. “I don’t think there is a security control out there that guarantees anyone to have a zero percent chance of compromise. But by focusing on your biggest risks, and using defense in depth, you can have the most impact.”


Article source: http://www.darkreading.com/services/technology-or-education-tackling-phishin/240162347

Developing A System For Identifying And Prioritizing Risk

Last week, ISACA released a new guide for IT risk professionals that acts as a simple blueprint for organizations — whether they’re looking to comply with COBIT or not — to identify and prioritize technology risks in order to determine which risks to accept and which risks to mitigate within a reasonable time frame. Detailing well over 100 risk scenarios in 20 categories of cyber, privacy, and operational IT risks, COBIT 5 for Risk may provide a useful tool for organizations that haven’t already adopted some sort of framework. Dark Reading caught up with Robert Stroud, international vice president of ISACA, to get the skinny on the new guide, which he refers to as Risk IT.

Dark Reading: One of the big components of COBIT 5 for Risk is its detailed risk scenarios that act as examples for IT risk professionals. Can you walk me through a few of these and how they’re used?
Stroud: The risk scenarios typically will be based around some sort of loss-type event. So, for instance, you might have external competitors that might look to cause some way of accessing your business information, or understanding your business, or gaining some sort of competitive advantage.

That might be through just normal, general good business practices, or it could be through other processes. So as you look at that, what you’re going to do is take a good assessment of that risk, threat, and opportunity, you’re going to understand what it’s like, what the impact is, and that will give you a series of processes that you can then put in place to mitigate or accept the risk.

One scenario that we all like to talk about at the moment is cybersecurity, of course. If you think through cybersecurity as a risk exposure, with much of your business on the Internet, you’re going to have a situation where you’re going to need to determine what the relevant threats are to the business.

It could be productivity, it could be theft of information, denial of service, or it could be the fact that your trade secrets are going to go out the door without you knowing about it from a foreign force. Interestingly enough, the general rule says that you must put strong controls in place, but what Risk IT will do for you is it will go through and take you through the process to understand what the security or the risk threat is.

[Your organization’s been breached. Now what? See Establishing The New Normal After A Breach.]

You can then determine what the probability is and what the outcome is, and then reinforce that with how to put the appropriate processes in place so that you can counter that risk type based on your business type.

So, for instance, if you’re a financial organization doing a lot of your transactions over the Web, you’re going to want to provide multifactor authentication to your customers, whether they know it or not, so that they can identify themselves to your organization and that you’ve got valid people accessing accounts.

So it’s everything from large threats down to small scenarios you’re looking at, and what we’re trying to do is have organizations then document all these and quickly put them down in a list. Personally, I use the old Post-it note methodology and brainstorm, put them on the wall, then work with prioritizing an appropriate risk and impact for each of these to the organization. Then we take action. Risk IT gives you a framework and format to go through that whole process, plus some guidance as well.

Dark Reading: Based on your experience, especially as you were working to shepherd the process of framing this new document, what would you say are some of the biggest mistakes organizations are making with regard to IT risk today?
Stroud: There are a couple of easy ones. The first one is the perception that IT will mitigate every risk. And what do I mean by that? Typically, the decision-makers in IT are risk-averse. They’ll put extensive process procedures and controls in place to mitigate everything. I think that’s a trap that many IT organizations are overcoming, which is good. But that is a real trap.

Dark Reading: One of the parts of understanding risk is to measure it, but IT has generally had a hard time measuring security risks. Do you have any advice on how to get those metrics locked in so you can make better risk models?
Stroud: With Risk IT, what we’ve absolutely done is develop this whole notion that the risk framework is built on value and benefits realization. Therefore, what you’re doing is working through the cascade. You’ve got your risk factors that you’ve identified, and you can look at the potential impact to the organization, and then you can link it back to the value of the organization. So what we’ve actually done is provide this model to balance your risk.

The first thing you’re going to do is identify your risk and look at what the impact of that risk is to the organization. And how can we actually measure that risk? I have a strong belief that if you don’t understand the impact of the risk in terms of business impacts, how will you consider whether it is a risk that’s mandatory for the business to mitigate or to accept?

You might not have truly documented hard numbers for every hour of downtime costs or whatever. But you can come up with measures that are usable across the organization. So that’s part of what we take you through in the Risk IT scenarios. You do a risk analysis, you understand your appetite, you understand what the impact is, and the exposure and the cost. And then you can make a determination on how you have to react to that risk.

And then going back, risk is not a one-time event. You then go back on a regular basis, whether that’s yearly, six-monthly, or after a risk exposure, and reassess your risk and the cost of it to see if your decision and determination metrics are true.


Article source: http://www.darkreading.com/management/developing-a-system-for-identifying-and/240162301

Distributing Malware Through Future App Stores

As corporate networks continue to succumb to the bleating call of “bring your own device” (BYOD) gadgets, more security teams are questioning the security and integrity of the application markets that drive the adoption of these devices. While the vast majority of corporations have heard the dangers of rogue app markets and the malware plague that infests them, many organizations continue to search for confirmation that the “legitimate” app stores are safe.

Numerous antivirus vendors have found it advantageous to monitor the many fledgling app stores and markets around the world and continue to publish their findings as they relate to the unique pieces of malware being uncovered. While the numbers follow a not unexpected exponential growth rate, it remains unclear whether there is a significant (or even noticeable) threat to corporate entities — especially if this maliciousness is almost entirely attributed to the aforementioned rogue markets.

It is inevitable that malware authors, and the criminal organizations that profit from malware’s proliferation, will continue to pursue their targets via their portable and personal devices in order to breach an organization.

The first and foremost defense against these attacks is likely to continue to be the app markets themselves, at least for the short term. However, as malicious app developers are pushed and incentivized to innovate beyond this first generation of mobile malware in order to be reliably distributed from the primary app markets, it is inevitable that businesses will fall prey to more malware that targets their BYOD install base.

The primary app markets are well positioned to limit the introduction of malicious software into their application portfolios. They all employ a barrage of technologies and service conditions designed to scan new applications (and their updates) for malicious code and unwanted actions. Many of the methods employed, by necessity, remain black-box systems to both their customers and authorized app developers. While the primary app market providers will continue to improve their inspection techniques in the yo-yo battle against malicious developers, it is inevitable that they will lose that battle. It’s just a question of time, unfortunately.

Some may argue that the black-box inspection engines of the app market providers have the upper hand. I’d argue, if current corporate code inspection and review technologies are anything to go by, that the automated techniques used for testing the security and integrity of mobile applications will always succumb to an even marginally informed or persistent developer.

Today’s commercial code analysis and inspection tools are fantastic for automatically plowing through millions of lines of code and flagging every poor coding choice that has historically been classed as a security concern. But, similar to the problems encountered with IDS and antivirus scanners, they are limited to pedantically detecting threats they’ve encountered before and are easily evaded when a modicum of obfuscation is employed. Even forgetting about the security angle for a moment: speak with any experienced developer who has worked for a major software vendor, ask what they think of the automated build checkers and QA systems, and they’ll happily tell you of the small tricks they had to employ to bypass those “hurdles to productivity.”

While automated security reviews can possibly catch many of the common coding flaws and a growing list of obfuscation techniques, they are not capable of interpreting every logic jump or nested function call for deliberate maliciousness. One recent example can be found in the paper by GA Tech researchers Tielei Wang and Billy Lau titled “Jekyll on iOS: When Benign Apps Become Evil,” in which they deliberately inserted exploitable bugs into the code that was submitted to the Apple App Store. Every code path a reviewer could exercise with normal input was benign; the malicious behavior only came into existence once the planted bug was triggered after approval. The automated analysis platform employed by Apple to identify malicious apps had no realistic chance of identifying this evasion vector and, inevitably, the app was published to the store and could have been installed by a new stable of victims.
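The Jekyll idea reduced to a runnable sketch, as an added example that is neither the article’s nor the paper’s code. It simulates a submitted app in plain C: two benign handlers that any in-spec request can reach, a third routine that is linked in but never selected by an in-spec request, and a planted copy-length bug that lets a crafted request overwrite the control byte that picks the handler. The “stack frame” is a byte array (so the corruption is well-defined C rather than a real memory-safety bug), the handler names and the request format are invented for the illustration, and the inputs are constructed; a real Jekyll app would plant an actual exploitable bug and feed it from the attacker’s server after approval. The review routine shows why a dynamic analysis driven by in-spec inputs never observes the payload, and a correctly bounded copy is shown beside the planted one.

```c
/* Added example, not code from the article or the Jekyll paper: a simulated
 * "Jekyll"-style app. Handler names, request format and inputs are invented. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN   8
#define FRAME_LEN  (NAME_LEN + 1)  /* name bytes followed by one control byte */
#define NUM_PUBLIC 2               /* handlers an in-spec request may select */

typedef int (*handler_fn)(const char *name);

/* Benign handlers a reviewer can reach with any in-spec request. */
static int show_greeting(const char *name) { (void)name; return 1; }
static int show_weather(const char *name)  { (void)name; return 2; }
/* Linked into the binary, but no in-spec request ever selects it. */
static int hidden_payload(const char *name) { (void)name; return 99; }

static const handler_fn handlers[] = { show_greeting, show_weather, hidden_payload };
#define NUM_HANDLERS (sizeof handlers / sizeof handlers[0])

/* Dispatches one request; returns the handler's result or -1 if rejected.
 * The frame is a byte array standing in for a stack frame: the name buffer
 * sits directly before the saved control byte, as a local buffer sits before
 * a saved return address. */
static int run_request(uint8_t cmd, const char *name) {
    char frame[FRAME_LEN];

    if (cmd >= NUM_PUBLIC)
        return -1;                          /* reviewer sees: index 2 unreachable */
    memset(frame, 0, sizeof frame);
    frame[NAME_LEN] = (char)cmd;            /* control byte stored after the name */

    size_t n = strlen(name);
    if (n > FRAME_LEN)                      /* PLANTED BUG: bound must be NAME_LEN - 1 */
        n = FRAME_LEN;
    memcpy(frame, name, n);                 /* a 9-byte name overwrites frame[8] */
    frame[NAME_LEN - 1] = '\0';

    uint8_t idx = (uint8_t)frame[NAME_LEN];
    if ((size_t)idx >= NUM_HANDLERS)        /* memory-safe, yet admits idx == 2 */
        return -1;
    return handlers[idx](frame);
}

/* Same routine with the copy bounded correctly: the control byte can no
 * longer be reached from the name, so idx is always the checked cmd. */
static int run_request_fixed(uint8_t cmd, const char *name) {
    char frame[FRAME_LEN];

    if (cmd >= NUM_PUBLIC)
        return -1;
    memset(frame, 0, sizeof frame);
    frame[NAME_LEN] = (char)cmd;
    size_t n = strlen(name);
    if (n > NAME_LEN - 1)
        n = NAME_LEN - 1;
    memcpy(frame, name, n);
    return handlers[(uint8_t)frame[NAME_LEN]](frame);
}

/* What an automated dynamic review sees: it drives the app with in-spec
 * inputs (constructed here) and never observes hidden_payload. Returns 1
 * for "looks benign", 0 if the payload ran. */
static int review_with_inspec_inputs(void) {
    static const char *const names[] = { "alice", "bob", "abcdefg", "abcdefgh" };
    for (uint8_t cmd = 0; cmd < NUM_PUBLIC; cmd++)
        for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
            if (run_request(cmd, names[i]) == 99)
                return 0;
    return 1;
}

int main(void) {
    /* Constructed post-approval input: eight filler bytes, then control byte 0x02. */
    const char *crafted = "AAAAAAAA\x02";

    printf("automated review verdict (1 = benign): %d\n", review_with_inspec_inputs());
    printf("in-spec request             -> handler %d\n", run_request(0, "alice"));
    printf("crafted request, as shipped -> handler %d\n", run_request(0, crafted));
    printf("crafted request, fixed copy -> handler %d\n", run_request_fixed(0, crafted));
    return 0;
}
```

The point of the sketch is that nothing in `run_request` is out of bounds in the C sense, the index is even checked against the table size, and every handler is plainly present in the binary; what a store reviewer cannot see is which input makes the control byte read 2, because only the attacker knows that input and sends it after approval.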

The tricks employed by malicious app developers will grow in sophistication faster than even the most advanced app inspection and approval platforms can counter them.

For the time being, you may as well make the most of the fact that the primary app stores are largely ahead of the threat – but don’t become complacent. The advantage will soon fall to the attackers and we can expect their mobile malware to become more prevalent in the markets we trust the most. Precisely when that’ll happen and when we’ll feel the pain remains uncertain, but a year or so is likely to be a good guess.

Gunter Ollmann, CTO, IOActive inc.

Article source: http://www.darkreading.com/attacks-breaches/distributing-malware-through-future-app/240162315

SSL Certificate Provider HydrantID Adopts Authentify’s Authentication Services

CHICAGO, October 7, 2013 – Authentify, the pioneer in employing telephony and telephones in authentication work flows, today announced that its services have been selected by HydrantID to strengthen the provisioning process for purchasing Secure Sockets Layer (SSL) certificates via HydrantID’s customer portal. HydrantID joins a cadre of security-conscious organizations who use Authentify.

“Authentify began in the high security space,” said Peter Tapling, president and CEO of Authentify. “Some of the customers who have been with us the longest engage us to provide secure out-of-band delivery mechanisms for digital certificate activation codes. We’re pleased to help HydrantID provide a more secure delivery mechanism.”

SSL Certificates are a mostly invisible yet critical component of e-commerce. A valid SSL certificate helps prove a website is legitimate and contains authenticated information about the certificate holder, including the domain to which the certificate was issued and the name of the Certificate Authority who issued the certificate.

“Authentify has a great reputation in our market segment,” offered Trell Rohovit, CEO of HydrantID. “Our cloud-based software-as-a-service (SaaS) offerings of trusted SSL and managed Public Key Infrastructure (PKI) enable our customers to reduce costs and complexity of acquiring trusted SSL certificates. HydrantID eliminates the need for running their own Certificate Authority. Authentify contributes to that value proposition by helping us deliver these services with security best practices without adding the normal associated complexity. Simply put – with Authentify as a partner, HydrantID’s customers can utilize industry-leading authentication services. Authentify helps us deliver the world-class PKI solutions that our customers demand. We designed the HydrantID SSL and managed PKI Web portal services to utilize a specific verified telephone number to deliver activation codes, putting friction in front of fraudsters who attempt to acquire certificates using false access credentials.”

There is also downstream anti-fraud value. “The telephone number can provide a valid red flag when multiple certificates under multiple names or locations are being activated via a single telephone number,” added Tapling.

Authentify delivers its phone-based authentication work flows as a Web service. HydrantID officially rolled out the service, effective September 2013.

About HydrantID

HydrantID provides trusted SSL and managed PKI services to help companies secure data and systems as well as e-commerce transactions. HydrantID’s cloud-based SaaS offering provides organizations the ability to obtain all their digital certificate needs in real time, on-demand, for one fixed subscription fee. HydrantID’s cloud-based SaaS service helps companies achieve industry best practices related to encryption and authentication while reducing operating complexity and costs.

HydrantID’s root Certificate Authorities are widely interoperable with all leading browsers and operating systems, and HydrantID’s Certificate Authority operations have achieved industry best practice accreditations and certifications.

For more information, visit HydrantID at: http://www.hydrantid.com.

About Authentify, Inc.

Authentify, Inc. pioneered the use of telephone-based out-of-band (OOB) authentication services, first introducing the concept to the security space in 2001. Authentify excels at adding strong security with two-factor and multi-factor authentication delivered via easy-to-use, user-centric work flows. Authentify’s services are used globally in online banking, e-commerce, healthcare and corporate security and anywhere a wired property owner must be sure who is on the end of an Internet connection.

For more information, visit Authentify at: www.authentify.com.

Article source: http://www.darkreading.com/end-user/ssl-certificate-provider-hydrantid-adopt/240162317