STE WILLIAMS

Huawei CTO insists: ‘We are not a threat to UK and US national security’


Exclusive A top Huawei exec has dismissed claims that his company poses a threat to British and US national security – despite Western government officials’ fears over Huawei’s alleged connections to the Chinese Communist Party.

Professor Sanqi Li – speaking in an exclusive interview with The Register at the multinational’s R&D centre in Stockholm, Sweden – repeatedly attempted to paint a picture of a benign company that simply deals with “packet in, packet out”.


When pressed about Parliament’s concerns that Huawei may have too much control over Blighty’s critical infrastructure and communications systems – based on claims that the company’s chairman (and erstwhile member of the People’s Liberation Army) Ren Zhengfei was helping Chinese authorities to spy on the Western world – Li said: “No, we are not a threat”.

He added: “There’s no substance, just more speculation.”

Li, the company’s Carrier Business Group CTO, said Huawei, which provides equipment to Britain’s one-time national telco BT, was an easy target because it is a Chinese company that operates in the Western world. But he insisted fears of compromised national security presented an industry-wide problem for all tech outfits.

“Because of the internet technologies and the security issues with the new digital age, it becomes much more challenging than what people originally expected,” Li said in a clear nod to this year’s NSA-GCHQ scandal: “Now you’ve seen what’s happened recently.”

He continued: “People thought the infrastructure was the corner point of the security, but it’s actually in the data centres and the devices… It’s a great challenge. Huawei’s position has always been, how to join the community of the world, work together to find the way to solve these security issues.”

Li said that the entire industry was having to deal with the fact that different countries and different governments had different controls, rules and regulations. But he described those challenges as being “secondary” to working with the open community to develop standards that help “to solve the security issue”.

But what of the specific allegations that Huawei helps the Chinese government’s espionage programme?

Li insisted that his company simply provides the kit to operators who then manage those systems.

“Yes, data are passing through the Huawei equipment from a network perspective… packet in, packet out. But it doesn’t store the data. We do develop the products to enable carriers to operate the network… most of the intelligence in the data centre is where the data is stored.”

He added: “We are the provider of network infrastructure to a great extent. People may have misunderstood a lot of things.”

More recently, however, Huawei has moved into the consumer devices market by developing its own range of smartphones, for example. The company’s CTO told us – as recently proved by Microsoft’s planned buyout of Nokia – it’s hard to survive on one technology now. Li said that infrastructure, cloud and devices were key for vendors in today’s market.

Li told us he was surprised to hear about claims that some unnamed tech companies based in the US and abroad were alleged to be collaborating with spooks to build backdoors into their equipment.

“I’m glad people recognise the issues are much more complicated in this new digital economy. How do you set the rules, the governance, the policy? It’s still unknown,” he said.

Li said that having so many apps located in the cloud meant that companies – such as Yahoo! and Google – were “exposed more in the data centre”.

He repeatedly claimed that Huawei was simply a provider of equipment to carriers. Li said he was routinely asked the same question about whether the company had provided entry points into its gear for China’s government to listen in.

“‘You are a Chinese company, you’re Huawei’, people say, but it’s a challenge to all.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/13/huawei_sanqi_li_says_no_national_security_threat/

You Are Not Over Budget — You Underestimated

We all know horror stories of IT projects that run over budget, deliver the wrong result, or simply fail to cross the finish line at all. I bet you’ve been involved with such projects.

Even if businesses and governments rarely admit it publicly, IT disasters are more common than IT successes, and it’s a rare project that actually delivers a great solution on time, within budget.

No single type of project is immune. The victims include software development, hardware upgrades, compliance efforts, security measures, and, in a twisted irony, even audits of other IT projects.

If the failure of these toxic projects weren’t bad enough, their failure spreads in a ripple effect — or a tsunami effect, considering the potential loss — since late, overbudget projects likely have operational, compliance, and security shortcomings. This creates corrective projects, with their own risks of budget and schedule issues, to address the failures of the original, late, overbudget projects.

Generations of new approaches in project management, years of new technology, and thousands of new project tools have attacked the problem, but the chronic failure to deliver on time and within budget persists.

The problem is so common that nontechnical management has become almost universally skeptical of all IT projects. Many would rather buy a used car from a shady lawyer than commit to another large IT effort. Who can blame them?

So why do IT projects continue to run late and over budget? Why are we apparently powerless to correct a problem we have defined so thoroughly? Are we not learning the right lessons? Is the pace of technology overwhelming our ability to implement it? Are we just stupid?

I suggest that we can’t solve this problem because we are trying to solve the wrong problem. Many, if not most, of these failed projects are, in reality, neither over budget nor overdue. It’s much more likely that they are underestimated, not only for cost but also for time required.

Before they even start, these projects are destined to fail to meet their budget, timetables, or benchmarks.

The worst part of this problem is that everyone is complicit in this conspiracy of accepting, and contributing to, an appallingly high amount of failure.

Nontechnical management and staff often do not understand the “magic” of IT, so they focus their pressure on two things they do understand: cost and scope.

Many in management dislike the very nature of IT in business — the seemingly endless demands for funding, like a hungry teenage boy who always wants another pizza. Out of frustration, these managers start drawing the line on cost without due consideration to the lowered odds of success. Or for a given cost, they cram in more requirements — you know, to “get their money’s worth.”

Technical professionals are equally responsible and in a lot of different ways. The worst is the often-fatal group-created (and group-reinforced) false optimism. “Sure, we can pull that off!” is the groupthink of an entire industry filled with smart people who seek opportunities to show others how smart they are.

Some others allow their underestimated projects to become bloated because they are genuinely powerless to say no.

Everyone involved is at least sometimes guilty of poorly matching deliverables to realistic cost. If the project budget increases, so does the scope. The odds of delivering successfully drop accordingly, and everyone was a contributor in building a booby trap for themselves and their co-workers alike.

When outsourced bidding is involved, you get a deadly mix of 1) intentional low-ball bidders (win on price, hit them with change fees); 2) inadvertent low-ball bidders (they genuinely don’t understand their under-estimated winning bid may put them out of business); and 3) decision makers who are not equipped to evaluate bids using success as a metric.

In fact, in bid situations, low-cost-limited success usually beats higher-cost success.

This problem will only be resolved when IT and non-IT leaders learn to be grown-ups about cost, time, and realistic expectations. To save real time and money requires uncommon professional discipline. In the end, it may be too much to ask of people.

Glenn S. Phillips agrees with Walt Kelly: “We have met the enemy, and he is us.” Glenn is the president of Forte’ Incorporated, where he works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. Glenn is the author of the book Nerd-to-English, and you can find him on Twitter at @NerdToEnglish.

Article source: http://www.darkreading.com/compliance/you-are-not-over-budget-you-underesti/240161805

New Onapsis X1 Streamlines Compliance For SOX And NERC Mandates Affecting SAP Customers

Cambridge, MA – Onapsis Inc., the leading provider of solutions to audit and protect ERP systems from cyber-attacks, today announces the addition of significant compliance checks to its product Onapsis X1. These checks will enable organizations to save a considerable amount of time and proactively enforce compliance policies by automatically auditing their SAP systems and validating that these requirements are being followed. Organizations will also shorten external audit time and prevent audit failures by preparing in advance for these recurring compliance checks.

Robert H. Clark, a PwC principal who leads PwC’s SAP security and controls team in the U.S., commented: “PwC has been working with Onapsis and our SAP clients to assess and remediate cyber-security related risks. I am looking forward to this new version and testing the anticipated capabilities to see how they can meet our clients’ demands in managing risks across their SAP environments.”

Mariano Nunez, CEO of Onapsis, who leads the company’s strategy and product direction, stated: “Working together with the leading SAP customers and audit firms in the world, we were able to identify the most critical SAP cyber-security IT controls that are now required by Sarbanes-Oxley (SOX) and North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) mandates. We’re excited to help our customers streamline their compliance audits and ensure they stay both compliant and secure regarding the latest SAP cyber threats affecting their industries.”

Onapsis X1 is the industry’s first comprehensive SAP-certified solution for the automated application security assessment of SAP systems. Backed by the frequent updates from the Onapsis Research Labs, Onapsis X1 detects insecure SAP ABAP and Java configurations, missing SAP Security Notes and patches, dangerous user authorizations, insecure interfaces between SAP systems and threats affecting SAP mobile platforms. Following Onapsis X1’s detailed mitigation procedures, customers can increase the security level of their platform, decrease business fraud risks and enforce evolving compliance requirements.

Available in September, this new version of the Onapsis X1 product provides SAP customers with the ability to continuously check for any elements of their SAP systems that do not meet compliance mandates. These could include insecure configurations, changes to the SAP platforms, missing SAP Security Notes and other security risks that would prevent them from passing compliance audits. With this continued expansion of the product capabilities, Onapsis further enables enterprise customers to implement a holistic cyber-security process and mitigate threats targeting their SAP platforms.

About Onapsis

Onapsis Inc. is the leading provider of solutions to protect ERP systems from cyber-attacks. At the heart of the company, the Onapsis Research Labs is composed of world-renowned experts with a proven track record in the ERP and SAP security fields. Through its innovative software solutions, global customers can secure SAP and Oracle business-critical platforms from espionage, sabotage and financial fraud. More information at www.onapsis.com. Follow us on Twitter: @Onapsis

Article source: http://www.darkreading.com/privacy/new-onapsis-x1-streamlines-compliance-fo/240161768

Cloud Adoption And Risk Report Reveals Organizations Are Flying Blind As They Embrace Cloud Services

CUPERTINO, Calif. — Sept. 25, 2013 — Skyhigh Networks, the cloud access security company, today released the Cloud Adoption and Risk Report, the first industry report to analyze not only the actual usage of cloud services but also the risks they present to organizations. The full report is available on the Skyhigh website.

Even as headlines focus on the National Security Agency (NSA) controversy, the Cloud Adoption and Risk Report reveals that organizations lack the information to understand and mitigate a broader set of risks posed by the use of cloud services. “What we are seeing from this report is that there are no consistent policies in place to manage the security, compliance, governance, and legal risks of cloud services,” said Rajiv Gupta, founder and CEO at Skyhigh Networks. “Our cloud usage analytics suggest that enterprises are taking action on the popular cloud services they know of and not on the cloud services that pose the greatest risk to their organization. Lack of visibility into the use and risk seems to be the crux of the problem.”

Cloud is the New Wild Wild West

Data from more than 100 organizations suggests broad and rampant use of cloud services.

2,204 cloud services are in use across 3 million users across financial services, healthcare, high tech, manufacturing, media and services industries.

545 cloud services are in use by an organization on average, and the highest number of cloud services used by an organization is 1,769.

It’s Not a Popularity Contest – It’s Risky Business

Corporate security measures are based on concerns related to productivity and bandwidth, or on the familiarity with the service as opposed to the risk of the services.

Low-risk services are blocked 40% more than high-risk services.

At 9%, tracking is the least blocked cloud service category despite the fact that it delivers zero business benefit and exposes organizations to watering hole attacks.

Among the top 100 services used, the top 10 blocked services in use are Netflix, Foursquare, Apple iCloud, Gmail, Skype, Amazon Web Services, Batanga, Dropbox, KISSmetrics, and PhotoBucket.

Cloud-based Code Repositories Gain Momentum – Develop Responsibly

In the development cloud service category, cloud-based repositories have gained momentum.

The shift to open source cloud-based code repositories presents security challenges as some sites are known to host malicious backdoors.

GitHub is blocked 21% of the time but Codehaus, a high-risk service, is blocked only 1% of the time.

The top 10 development services in use are MSDN, GitHub, SourceForge, Atlassian OnDemand, Apple Developer, Zend Server, HortonWorks Data Platform, CollabNet, Force.com, Apache Maven, and CodeHaus.

Microsoft – A Not-So-Sleeping Giant

While Microsoft may be falling out of favor with new users, it is too early to count it out.

The 3rd most widely used file sharing cloud service is SkyDrive.

The software giant dominates in collaboration with Office 365, Skype and Yammer in the top 10 of the most widely used services in this category.

The top 10 collaboration services in use are Office 365, Cisco WebEx, Gmail, Google Apps, Skype, Yahoo! Mail, AOL, Slideshare, Evernote, and Yammer.

File Sharing Side Effects – Risk and Confusion

File sharing is widely used and the most misunderstood category by IT professionals.

19 file sharing cloud services are used by an organization on average, which impedes collaboration and increases security and compliance risks.

4 of the top most used file sharing services are high-risk.

Box, the lowest risk file sharing service, is blocked 35% of the time, but Rapidgator, a high-risk service, is blocked only 1% of the time.

The top 10 file sharing services in use are Dropbox, Google Drive, SkyDrive, Box, Hightail, CloudApp, Sharefile, Rapidgator, Zippyshare, and Uploaded.

About The Cloud Adoption and Risk Report

The Cloud Adoption and Risk Report is based on data from more than 3 million users across more than 100 companies spanning financial services, healthcare, high technology, manufacturing, media and services industries. The top 10 services are based on the number of users of the service. The risk of each service is based on Skyhigh CloudRisk™, which assigns a 1-to-10 risk rating based on a detailed, objective and weighted assessment of more than 30 attributes across data risk, user risk, device risk, service risk, business risk and legal risk.

About Skyhigh Networks

Skyhigh Networks, the cloud access security company, enables companies to embrace cloud services with appropriate levels of security, compliance, and governance while lowering overall risk and cost. With customers in financial services, professional services, healthcare, high technology, media and entertainment, manufacturing, and legal verticals, the company was a finalist for the RSA Conference 2013 Most Innovative Company award and was recently named a “Cool Vendor” by Gartner, Inc. Headquartered in Cupertino, Calif., Skyhigh Networks is led by an experienced team and is venture-backed by Greylock Partners and Sequoia Capital. For more information, visit us at http://www.skyhighnetworks.com or follow us on Twitter @skyhighnetworks.

Article source: http://www.darkreading.com/vulnerability/cloud-adoption-and-risk-report-reveals-o/240161814

IT Pros’ Biggest Nightmare

Acton, Mass., September 18, 2013 – EiQ Networks, a pioneer in simplified security intelligence solutions, today announced the results of its survey, What Keeps IT Pros Up at Night, that reveals several concerns among IT professionals. The survey reflects responses from 272 IT decision makers including security managers, and network and systems engineers across a number of industries including healthcare, government, financial services and retail, among others.

The survey highlights that regulatory compliance to protect corporate data continues to be one of the greatest challenges faced by businesses and organizations across all industries. While an external data breach for financial gain is considered to be the biggest information security nightmare (34 percent), respondents indicated that failing an audit closely follows at 31 percent. The survey also reveals the two biggest challenges to demonstrating compliance are measuring and reporting on compliance (31 percent) and automating IT controls (24 percent).

While compliance mandates continue to keep IT professionals awake at night, the disconnect between security teams and business leaders is steadily becoming a problem. Over one-third (36 percent) of information security professionals admit to meeting infrequently or never at all with business unit leaders to understand business objectives and information security needs. More disconcerting, two-thirds of information security professionals revealed that their IT security department is understaffed and could use more people. The information security needs of business have far outgrown the supply of qualified professionals to deal with them. It’s a gap most businesses hadn’t expected would be so wide.

“The survey results clearly highlight the many burdens that IT professionals are dealing with on a day-to-day basis,” said Brian Anderson, chief marketing officer at EiQ Networks. “Security concerns are now on par with compliance. This trend coupled with increased awareness and implementation of SANS critical security controls will help improve cyber defenses across organizations.”

Additional key survey takeaways:

Misuse by employees is considered the greatest risk facing enterprises today

Over 50% of respondents reveal that less than 25% of mobile devices are monitored in real time

25% of respondents said they don’t know how long it would take their organization to find a root cause of a breach

42% of respondents react to an incident after the problem has been identified

20% of respondents plan to implement SANS Critical Security Controls in the next 12-24 months

The full survey findings are available for download at: http://www.eiqnetworks.com/resources/it-pros-nightmares

About EiQ Networks:

EiQ Networks, a pioneer in simplified security intelligence solutions, empowers organizations with proactive detection of threats and incidents, and delivers timely remediation guidance by automating critical security controls to minimize loss of data, business disruptions and reputation. Security-conscious organizations are now provided a cost-effective option with the company’s SOCVue™ security monitoring service, built on EiQ’s advanced SIEM technologies to combat modern security threats. For more information, visit: http://www.eiqnetworks.com.

Article source: http://www.darkreading.com/management/it-pros-biggest-nightmare/240161807

Hacking The Threat Intelligence-Sharing Model

Threat intelligence-sharing among businesses, government agencies, and organizations is considered crucial for getting a jump on potential or active cyberattacks, and while the number of these exchanges is growing, much of the process remains mostly ad hoc, manual, and fraught with legal hurdles.

Most intel-sharing today occurs one-on-one between companies, using mainly old-school communications. “The bulk of sharing is using 1900’s technology, email and phone,” says Lars Harvey, CEO of IID, which today published a new report on the state of intel-sharing. They share via email lists, server lists, spreadsheets, text files, and PDFs, he says.

“Certain exchanges are going on machine-to-machine sharing at some level – but very little,” Harvey says.

So when a company hit by an attack shares information on malware or other indicators of the attack with another company, it often does so via a phone call or an email. The recipient then has to manually convert the intelligence into a format that can be fed into its computer systems and security tools to automate any protections against the attack. But it’s that gap between the receipt and the application of threat data that can make all the difference in thwarting an attack.

More advanced exchanges like that of the financial services FS-ISAC as well as Microsoft, which recently announced its own threat-intel sharing platform, are adopting emerging industry protocols such as Structured Threat Information eXpression (STIX) for a machine-readable language for threat intel, and the Trusted Automated eXchange of Indicator Information (TAXII) protocol for transporting that information, to automate the exchange and use of that intel.

The manual process remains one of the biggest hurdles to effective intel-sharing today, according to the IID report, as are the trust, legal, and manpower challenges. According to the white paper – which is based on interviews with Microsoft, Georgetown University, the City of Seattle, the Forum for Incident Response and Security Teams, a major U.S. bank and others involved in intel-sharing – many organizations are hesitant to share threat intel with their competitors and their government regulators.

One of the most mature intel-sharing exchanges is that of the City of Seattle, now in the sixth year in a program that includes the city, seven surrounding municipalities, universities, the FBI, and six maritime ports on Puget Sound, a hospital, and two energy utilities.

The so-called Public Regional Information Security Event Management (PRISEM) serves as a real-time analysis center of intel submitted by the participants, and alerts them of possible attacks or botnet activity. (Of the PRISEM acronym, City of Seattle CISO Michael Hamilton says: “It was an unfortunate branding coincidence. Thank goodness we bought an extra vowel.” There are plans to ultimately change the name to avoid any further confusion with the NSA’s recently revealed PRISM spying program, he adds).

PRISEM uses a custom security and information event management (SIEM) for analyzing and alerting its members of attacks and threats, and log and event information is gathered from members’ local networks and aggregated by PRISEM. The exchange has an arrangement with the federal government’s local Fusion Center that keeps a watch on potential terrorist plots or concerns.

When Hamilton earlier this year passed intelligence from the FBI on the Chinese APT1 military hacker group to the Fusion Center, the analyst there scanned for devices communicating with the rogue Chinese IP addresses. He found that some universities and corporations were compromised, as were maritime ports, which made up about half of the “hits” communicating with the APT1 addresses. “It was very interesting that half of the positive hits were maritime ports. I don’t know what to make of that,” Hamilton says.

PRISEM is also about to link up with the US-CERT, he says, using STIX.

“By virtue of being local governments, we don’t have a competition problem, so we can share information like private sector organizations can’t,” he says. “We are using events that occur on our networks and providing those to the Fusion Center analyst, who searches PRISEM for similar IOCs … and monitors the jurisdiction and ports and notifies them if they have compromises. So we are integrating … homeland security into this.”

[An emerging standard is aimed at eliminating the manual process of converting intelligence into useful defense. See Attack Intelligence-Sharing Goes ‘Wire-Speed’.]

Trust and legal implications are tricky for the private sector, however. The FS-ISAC has been successful in establishing trust among its members, according to the IID report. Said one head of threat intelligence at a major national bank interviewed for the report: Ultimately, “you have to have the trust that what’s said or heard will be used for the purposes that it’s needed to be used for, and nothing else.”

Then there’s the legal department. “Lawyers hate the unknown,” IID’s Harvey says. “There is uncertainty [associated with intel-sharing], and uncertainty scares lawyers. So they clamp down and say ‘you can’t share.'”

The education sector, like financial services and the defense industrial base, has been at the forefront of intel-sharing. Erick Burger, professor of computer science at Georgetown University, says even the leading-edge industries are struggling with effective intel-sharing.

“We’ve been working on this for 10 years and right now it’s still kind of abysmal,” Burger said in the report. “Most companies don’t even know that they could share information. Others know about it but don’t want to. The ones that do, they find that it takes a few weeks to figure out who they want to share with and then it takes many, many months to get the lawyers to agree.”

Organizations also struggle with how much to share, or worry about sharing the wrong information and thus exposing too much about the attack they experienced, or sensitive company information, for example.

Then there’s the increasingly common problem of information overload. “They need to be able to organize it and deliver [to them] only the information they need,” Harvey says. “Data that hasn’t been analyzed or organized and put into packages can consume and not help me so much. So if I can say ‘I’m part of this community and I can pull out parts [of intel] that are useful to me,’ that’s the ideal.”

The full whitepaper, “Sharing the Wealth, and the Burdens, of Threat Intelligence; Why Security Experts Must Unite Against Cyberattacks, and What’s Stopping Them from Collaborating More Effectively” is available here for download.


Article source: http://www.darkreading.com/vulnerability/hacking-the-threat-intelligence-sharing/240161812

Protecting The Network From Bring-Your-Own Vulnerabilities

The bring-your-own-device (BYOD) business model is here to stay, much to the chagrin of security professionals. The arguments for allowing employees to work with company data on their personal devices and bring those devices into the workplace are almost unassailable: Increased productivity, flexible working hours and a more agile business.

While some companies may still limit workers to a single, or small selection, of devices and workstations, many firms are allowing employees to work from whatever device suits them. In many cases, a whole host of devices: Network security provider Bradford Networks, for example, has many higher education institutions among its customers, and some students use as many as 14 different devices to connect to the Internet.

“If companies think they are going to stop this, they really are not,” says Frank Andrus, chief technology officer for the firm.

Yet companies should not allow employee devices onto the network, or allow them to store business data, without some sort of security infrastructure in place to mitigate the vulnerabilities and compromises that the devices may bring with them, Andrus says. In a presentation at the Interop conference in New York, he will stress that the human element is, initially at least, the most important aspect in implementing security controls on devices. Almost all employees are leery of giving corporate IT security any sort of control that could jeopardize their own data, he says.

“End users are really becoming part of the security model,” he says. “The attacker is using them as a launching point into the network.”

To eliminate the bring-your-own vulnerabilities problem, mobile-security experts recommend three steps.

1. Survey the landscape
Companies should start by assessing the degree to which corporate assets are used by mobile workers.

Often a company does not have a lot of control over its IT infrastructure, and one employee who figures out how to connect to the e-mail or a collaboration service will educate others, until the business has a rogue IT problem, says Chris Isbrecht, director of product management for Fiberlink, a mobile-security provider.

[Despite naysayers, many security experts believe perimeter defenses have relevance when deployed as a part of defense-in-depth. See Is The Perimeter Really Dead?.]

“In a lot of cases, we find that people have no visibility nor understand how many people and how many devices are actually connecting,” he says. “The first step is education and visibility.”

Companies should use the asset discovery to come up with a list of devices and what servers and services those devices are using. After that, the firm can decide what approach works best for locking down its infrastructure and data, he says.

2. Win over the worker
Any strategy for implementing protection for employee-owned devices must also win over the workers. Because the device belongs to the user, the company will not be able to manage it in the same way that the firm could manage a corporate device. In some countries, the company may be extremely limited in what actions it is able to take: A blacklist could be leaking information on the apps that the worker uses, and spam filtering could give the company insight into the worker’s personal life.

For any security product or service, protecting both the business data and the user’s privacy is a tricky line to walk, says Nicko van Someren, chief technology officer for Good Technology, a mobile-security provider.

“It’s a two-way street,” he says. “You have to be able to protect the employer’s data against accidental loss or disclosure by the user, but you also have to protect the user against the employer in terms of (the fact that) this is not the employer’s device.”

3. Protect the right “D”
Finally, companies have to focus on what really matters: The data, not the device. Convincing workers to take better precautions and secure their device is good, but the company should focus on protecting its data, says Good’s van Someren. Many mobile device management products are focused on the wrong “D,” he says.

“It is all about the data and not the device,” van Someren says. “The businesses should not care about the device.”

Because what the worker does on the device is mostly use apps, a data-driven security approach has to focus on the apps as well, he says.


Article source: http://www.darkreading.com/mobile/protecting-the-network-from-bring-your-o/240161770

It’s about time: Java update includes tool for blocking drive-by exploits


Oracle’s latest update to the Java SE Development Kit (JDK) version 7 adds new security features designed to help businesses avoid being stung by critical vulnerabilities in out-of-date versions of Java.

After a string of embarrassing Java security flaws was disclosed by independent researchers, Oracle has made addressing vulnerabilities its top priority for JDK 7, even going as far as to delay the release of JDK 8 so it could devote more resources to fixing bugs.


But many businesses still keep older versions of Java installed on client PCs because certain custom applications require them. That’s bad, because these out-of-date versions contain critical vulnerabilities that in some cases will never be fixed. Oracle discontinued support for JDK 6 in June.

JDK 7 Update 40, issued on Tuesday, implements a new feature called Deployment Rule Set that aims to address this problem. It allows businesses that centrally manage their Java desktop installations to establish a set of rules specifying which Java applets and Java Web Start applications – collectively termed Rich Internet Applications (RIAs) – are allowed to run on client PCs.

For example, an admin could create a rule blocking execution of all RIAs and then add additional rules to whitelist specific ones. Rules can be written to match any portion of an application’s URL, including the port number, and they can even specify the version of Java that should be used to run it. Full documentation on how this is done is available here.

By creating such rules, companies should be able to avoid many of the most serious Java exploits that have cropped up in recent months, most of which attack systems via the Java web plugin and do not affect server-side Java applications or desktop applications installed on the local machine.

Rules can additionally allow whitelisted RIAs to run without certain security prompts, such as warnings that the user is running an out-of-date version of Java.
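The following is an added example, not Oracle’s code or documentation, that models a Deployment Rule Set of the kind described above: it writes a ruleset.xml with a block-everything rule and two whitelist entries (one pinned to a JRE version), then shows which rule fires for a given RIA location. The match logic is a simplification of the documented behaviour (rules are tried in order and the first match wins; a rule whose id carries no location matches every RIA; a location matches when scheme and host are equal, the port matches only if the rule names one, and the rule’s path is a prefix of the RIA’s). The hostnames and rules are constructed.

```python
"""Model of a Java 7u40 Deployment Rule Set (ruleset.xml) and its evaluation.
Added example; not Oracle's code.  Matching is a simplification of the
documented semantics: first matching rule wins, an <id/> with no location
matches everything, scheme and host must be equal, the port is checked only
when the rule names one, and the rule path must be a prefix of the RIA path."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed policy (hypothetical hosts): allow two internal RIAs, one pinned
# to a JRE version, then a catch-all block.  Order matters, so the block goes last.
RULES = [
    {"location": "https://intranet.example.com:8443/payroll",
     "permission": "run", "version": "1.7.0_40"},
    {"location": "http://legacy.example.com",
     "permission": "run", "version": "1.6.0_45"},
    {"location": None, "permission": "block",
     "message": "Blocked by corporate Java policy; contact the service desk."},
]


def build_ruleset_xml(rules=RULES) -> str:
    """Serialise the policy in the ruleset.xml layout:
    <ruleset><rule><id location=.../><action permission=... version=.../></rule>..."""
    root = ET.Element("ruleset", version="1.0+")
    for r in rules:
        rule = ET.SubElement(root, "rule")
        rid = ET.SubElement(rule, "id")
        if r["location"]:
            rid.set("location", r["location"])
        action = ET.SubElement(rule, "action", permission=r["permission"])
        if r.get("version"):
            action.set("version", r["version"])   # JRE the RIA must run under
        if r.get("message"):
            ET.SubElement(action, "message").text = r["message"]
    return ET.tostring(root, encoding="unicode")


def location_matches(rule_location, ria_url) -> bool:
    """Simplified DRS location matching (see module docstring)."""
    if rule_location is None:            # empty <id/> matches every RIA
        return True
    want, got = urlsplit(rule_location), urlsplit(ria_url)
    if want.scheme != got.scheme or want.hostname != got.hostname:
        return False
    if want.port is not None and want.port != got.port:
        return False                      # rule names a port: it must match exactly
    return got.path.startswith(want.path)


def evaluate(ria_url, rules=RULES):
    """Return (permission, version) of the first matching rule, or
    ("default", None) when nothing matches and the plugin's normal checks apply."""
    for r in rules:
        if location_matches(r["location"], ria_url):
            return r["permission"], r.get("version")
    return "default", None


if __name__ == "__main__":
    print(build_ruleset_xml())
    for url in ("https://intranet.example.com:8443/payroll/app.jnlp",
                "https://intranet.example.com/payroll/app.jnlp",   # wrong port: falls to block
                "http://legacy.example.com/old/applet.jar",
                "https://evil.example.net/x.jar"):
        print(url, "->", evaluate(url))
```

Two things worth noticing when you run it: the payroll RIA served on the default HTTPS port instead of 8443 is blocked, because a rule that names a port only matches that port; and a whitelist rule placed after the catch-all would never fire, so the block rule must stay last. To deploy a real rule set, Oracle’s documentation has the file packaged as a signed DeploymentRuleSet.jar and placed in the per-platform deployment directory on each client.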

The one caveat is that the Deployment Rule Set feature requires every client PC to have the newer Java web plugin introduced with Java SE 6 Update 10. If a Deployment Rule Set is installed on a machine and the older plugin is detected, all RIAs will be blocked.

Oracle also cautions companies to be careful not to let their rule sets fall into the wrong hands:

The Deployment Rule Set feature is optional and shall only be used internally in an organization with a controlled environment. If a JAR file that contains a rule set is distributed or made available publicly, then the certificate used to sign the rule set will be blacklisted and blocked in Java.

In addition to Deployment Rule Set, JDK 7 Update 40 brings several other new features and improvements, including Retina Display support for OS X, advanced monitoring and diagnostic tools for developers, new security warnings for unsigned and self-signed applications, and restrictions on use of certificates with keys less than 1024 bits in length. It also includes a number of bug fixes.

The update is available from the usual Java download website. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/13/java_deployment_rule_set/

Microsoft’s swipe’n’swirl pic passwords LESS secure than PINs, warn researchers


Microsoft’s promotion of visual passwords, based on tapping pictures and making gestures instead of conventional text passwords, might be a boon for usability. Yet security experts warn the technology is less secure than even a simple 4-digit PIN.

The increased power of brute force attacks, password hash database leaks and the difficulty of getting users to choose secure text passwords in the first place means that attempts to create alternative login techniques are well worth exploring.


Windows 8 and Windows RT come with a feature called Picture Passwords. Users choose any picture and then “annotate” it with three finger movements: tapping a point, drawing a stroke, or sweeping a circle. This pattern becomes the user’s means of unlocking the device, as an alternative to a text password or PIN unlock code.

The picture helps you to remember where you made the gestures, so you can repeat them reliably enough to pass the test and unlock your device.

Tap, tap, pinto, stroke. Hack?

Four security researchers from Arizona State University and Delaware State University tried to measure the safety of picture passwords in a research paper, titled On the Security of Picture Gesture Authentication (PDF). The paper was presented at last month’s USENIX Security Symposium (summary and video here).

Microsoft’s own paper on the design, implementation and likely strength of picture passwords estimates that there are just over 1.155 billion possible picture passwords if three gestures are used.

That sounds like a lot, but is “only about four times as many as there are six-character passwords using the characters A to Z,” says security watcher Paul Ducklin. “No-one is seriously suggesting six-character, letters-only passwords these days,” he notes in a post on Sophos’s Naked Security blog.

“Furthermore, the equivalent of a dictionary attack is possible, too, if you can identify the most likely Points of Interest (PoIs) in the password picture. So a brute force attack is certainly possible, where you ignore the picture entirely and just try every possible tap-click-circle combination,” he adds.

All is not lost, however. Much as a credit card blocks after three failed PIN entries, five mistakes when entering a picture password force the user to fall back to an old-fashioned text password. This, combined with the need for physical access to the device, limits the potential for misuse through online guessing.

Can you see what it is yet?

The weakness, according to the researchers behind the USENIX paper, is that the point of interest in a picture users might tap on and the gesture they might make can be guessed. Microsoft’s own ad for picture passwords features a picture of someone’s two young daughters, heads close together and looking at some distant object. The password involved circling their heads and then drawing a line in the direction they were looking.

The chosen pattern is easily guessed. Using a test set of just over 10,000 passwords from 800 subjects, the Arizona State University and Delaware State University team reckon that automated point-of-interest recognition and other techniques can guess visual gesture-based passwords correctly in 19 out of 1000 cases, given five attempts. The first guess alone would work in around nine in 1000 cases. Manual point-of-interest recognition does even better, with a 26-in-1000 chance of hitting the right gesture within five attempts.

So picture passwords fare far worse than the three-in-10,000 chance of correctly guessing a randomly chosen four-digit SIM or credit card PIN before further retries are blocked. In practice, however, device unlock numbers are often not chosen randomly, which limits their security too.

Picture this

Picture gesture authentication has many of the same limitations as text passwords, as a blog post by Kaspersky Labs’ Threatpost news service notes. The computer scientists behind the USENIX research urge Microsoft and other suppliers to be more upfront with users about this point, and to develop tools that indicate the strength of a visual password, similar to text password strength meters.

Those not deterred by these figures and still attracted by the convenience of gesture-based visual passwords would be well advised to select hard-to-guess picture passwords.

“If you use Picture Passwords, don’t make it easy for the crooks: choose pictures with lots of PoIs, and don’t just ‘do the obvious’ when you choose the gestures you’re going to use,” Ducklin advises.

Microsoft itself offers tips on picking a secure picture password.

Per Thorsheim, an independent security consultant who runs a set of conferences about password security, has a good overview of the multiple password options bundled with Windows 8 here.

Mapping function

Security researchers have shown how to extract passwords, hashes and password hints from Windows 8. Extracting PIN and picture password data might also be possible, and this wouldn’t need any attempt at guessing picture passwords. Both Ducklin and Thorsheim expressed interest in seeing more research into this area of offline attacks.

“How Picture Password data is stored, and how password attempts are tested against the database, is proprietary,” Ducklin writes. “With an effective key size of just 30 bits, it is vital to set a very high cost for testing each potential password against an offline copy of the password database. That requires a computationally expensive Key Derivation Function (KDF).”

Ducklin called on Microsoft to go public on how Picture Passwords work, from how they are stored to how the KDF is calculated.

“You’d let outside experts assess the risk of offline attacks, which would be technically valuable. And you’d get great positive publicity for openness, considering the current brouhaha facing proprietary software vendors over the cryptographic influence of the world’s intelligence services,” he writes. ®
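The following is an added example, not code from Microsoft, the USENIX authors or Sophos, that puts numbers on two points made above: the key-size arithmetic (1.155 billion three-gesture passwords against 26^6 six-letter passwords, and online guessing under the five-attempt fallback), and Ducklin’s argument that a roughly 30-bit secret only survives an offline attack if each guess is made expensive by a KDF. Because the real storage format is proprietary, the gesture encoding, the grid tolerance, the PBKDF2 parameters and the attacker’s hash rate are all assumptions, and the gestures are constructed samples.

```python
"""Key-size arithmetic for picture passwords plus a hypothetical salted-PBKDF2
verifier for a gesture sequence.  Added example; how Windows 8 actually stores
picture passwords is proprietary, so the encoding, GRID tolerance, iteration
count and attacker hash rate below are assumptions."""
import hashlib
import hmac
import math
import os
from typing import Optional

PICTURE_SPACE = 1_155_000_000   # Microsoft's estimate for three gestures (from the article)
GRID = 20                        # assumption: coordinates snap to 20-pixel cells (the tolerance)


def keyspace_bits(space: int) -> float:
    """Effective key size in bits: log2 of the number of possible secrets."""
    return math.log2(space)


def ratio_to_alpha_passwords(space: int, length: int = 6, alphabet: int = 26) -> float:
    """How many times larger `space` is than the set of letters-only passwords of `length`."""
    return space / alphabet ** length


def online_success(space: int, attempts: int) -> float:
    """Probability of guessing a uniformly chosen secret within `attempts` tries."""
    return attempts / space


def exhaustive_seconds(bits: float, kdf_iterations: int, hashes_per_second: float) -> float:
    """Time to try all 2**bits candidates when each guess costs kdf_iterations HMAC calls."""
    return 2 ** bits * kdf_iterations / hashes_per_second


def canonicalise(gestures) -> bytes:
    """Serialise a gesture list deterministically.  Numeric arguments are snapped
    to the GRID so a tap a few pixels off still matches; string arguments (circle
    direction) are kept verbatim.  This quantisation is what makes the space countable."""
    parts = []
    for kind, *args in gestures:
        nums = ",".join(str(a // GRID) for a in args if not isinstance(a, str))
        flags = "".join(a for a in args if isinstance(a, str))
        parts.append(f"{kind}:{nums}:{flags}")
    return "|".join(parts).encode()


def make_verifier(gestures, iterations: int = 200_000, salt: Optional[bytes] = None) -> dict:
    """Per-user salt plus PBKDF2-HMAC-SHA256: store this record, never the gestures."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", canonicalise(gestures), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify(gestures, verifier: dict) -> bool:
    """Recompute the KDF over the attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", canonicalise(gestures),
                                 verifier["salt"], verifier["iterations"])
    return hmac.compare_digest(digest, verifier["digest"])


# Constructed sample in the spirit of the ad: circle two heads, then a line the way they look.
SAMPLE = [("circle", 310, 130, 40, "cw"), ("circle", 370, 135, 40, "cw"),
          ("line", 330, 150, 610, 90)]

if __name__ == "__main__":
    print(f"picture password space: {keyspace_bits(PICTURE_SPACE):.1f} bits, "
          f"{ratio_to_alpha_passwords(PICTURE_SPACE):.1f}x the six-letter space")
    print(f"uniform secret, 5 tries: {online_success(PICTURE_SPACE, 5):.1e}; "
          f"paper's empirical rate: 1.9e-02; random 4-digit PIN, 3 tries: {online_success(10**4, 3):.1e}")
    # Hypothetical attacker doing 1e9 HMAC-SHA256/s against an offline copy of the database.
    for iters in (1, 200_000):
        print(f"exhaust 2^30 at {iters} KDF iterations: {exhaustive_seconds(30, iters, 1e9):,.0f} s")
    v = make_verifier(SAMPLE)
    print("exact replay:", verify(SAMPLE, v),
          "| a few px off:", verify([("circle", 315, 128, 42, "cw")] + SAMPLE[1:], v),
          "| wrong direction:", verify([("circle", 310, 130, 40, "ccw")] + SAMPLE[1:], v))
```

The empirical 19-in-1000 figure is some four million times the 4.3-in-a-billion you would expect if users picked gestures uniformly, which is the whole point of the USENIX paper: the keyspace is not the problem, the distribution is. The offline line shows why the KDF matters: at a billion hashes per second a 30-bit space falls in about a second with a plain hash, but takes days once every guess costs 200,000 iterations. Snapping to a fixed grid is the simplest tolerance scheme; a real implementation would need to test neighbouring cells too, which multiplies the verification cost for the legitimate user and the attacker alike.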


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/13/picture_passwords/

Microsoft reissues September patches after user complaints


Problems with Microsoft’s last round of operating system and application patches have forced the company to reissue part of the update on Friday.

“Since the shipment of the September 2013 Security Bulletin Release, we have received reports of updates being offered for installation multiple times, or certain cases where updates were not offered via Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM),” said Redmond’s Office team in a blog post.


“We have investigated the issue, established the cause, and we have released new updates that will cease the unnecessary re-targeting of the updates or the correct offering of these updates.”

Register readers – and many other Microsoft users – started complaining about the patches shortly after their release on Tuesday. Some readers reported detection issues that left servers stuck in a loop of patching when the updates weren’t recognized, while others reported being unable to install flaw fixes.

Eight patches have now been reissued, covering security flaws in Excel, SharePoint Server, and Office suites going back to 2007. Two non-security patches for PowerPoint have also been reissued.

Unusually for Microsoft, not all the patches it promised for Patch Tuesday were in the final release, with one being pulled for quality-control issues. El Reg suspects there have been some harsh exchanges between management and the software testing teams at Redmond. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/13/microsoft_reissues_september_patches_after_user_complaints/