STE WILLIAMS

How I hacked SIM cards with a single text


Karsten Nohl, the security researcher who broke into SIM cards with a single text, has told The Register he is dismayed by the mobile industry’s lukewarm response to his revelations – and has revealed, for the first time, exactly how he did it.

Nohl thought exposing the flaws in SIM security would force the telcos to fix them. Theoretically, the two flaws would have worked in tandem to intercept calls and threaten the security of wireless NFC applications – such as pay-by-wave and other contactless payments.

The German expert now claims that the most serious of the two flaws has been deliberately ignored by an industry that wants to, allegedly, keep the backdoor ajar so that it can silently roll out software updates to handsets… a gaping access route that may not be closed until it’s too late.

Nohl discovered he could infiltrate SIM cards by sending specially formatted SMS messages, and found a flaw that would enable him to break out from the cards’ inbuilt security sandbox. Yet he was astonished to discover that despite publicly announcing patches and giving every impression of caring, the industry had – according to Nohl – actually done nothing to fix the problems.

“We thought our story was one of white-hat hacking preventing criminal activities,” Nohl told El Reg, lamenting that “as there is no crime, so no investigation”. Despite CNN reporting that his own flaw had been used to distribute a fix, Nohl told us that the JavaCard bug was “here to stay” and was so “obvious” that it has to be “a backdoor, gross negligence, or both”.

Safety by numbers

The first exploit, enabling an attacker to install an application in the secure storage area of a SIM card, has been examined in these pages before, but that only represents a threat if the injected software can break out of the JavaCard sandbox. Nohl claimed that was possible, but until now hasn’t explained exactly how.

JavaCard is an operating system, sharing only a name and some syntax with the Java language. JavaCard licensees get a reference implementation from Oracle and then add their own secret source code to differentiate their products, so not all manufacturers’ SIMs had this flaw – but many did.

Java, even the version used by JavaCard, is supposed to be “memory safe” in that there are no pointers with which one can read, or write to, arbitrary locations in memory. Cardlets (as JavaCard apps are known) can only reference data structures they create themselves, and there’s no mechanism for inter-cardlet communications.

What Nohl discovered was that by referencing a variable which referenced a variable which referenced an array he could bypass the bounds check that JavaCard is supposed to perform. Create an array of 10 elements, reference it from a distance and address the eleventh location, and secured memory is yours to explore – and rewrite – as you wish. Exploiting this to malicious ends is left as an exercise for the reader.

Nohl says he warned Gemalto, the world’s largest SIM card manufacturer – which is among those SIM-makers whose cards exhibit the flaw – about the existence of the bug. Gemalto, Nohl alleges, told him that it didn’t matter – only signed applications could be run so their ability to breach the sandbox was irrelevant.

But the researcher points out that in 2010 Gemalto was able to upgrade bank cards in the field after a calendar bug broke millions of German cards. Bank cards are not designed to be upgraded after being issued, and Nohl contends that a similar flaw was exploited then.

The Register put both of Nohl’s allegations to Gemalto, but it had not responded at the time of publication.

GSM standard

It’s the combination of SMS exploit (to gain the application key) and JavaCard flaw (to break out of the sandbox) that makes the situation worrying, along with Nohl’s contention that network operators have become overly reliant on the GSM standard and are losing the skills necessary to secure their systems.

“Smaller networks don’t even know what the SIM cards are configured to do,” he told us. He claimed that in the US, network operator Sprint isn’t authenticating or encrypting SIM updates at all, and that both Vodafone and Telefonica are still issuing SIM cards with the insufficiently secure 56DES cryptography.

We’ve asked Voda and Telefonica about Nohl’s claims, but only had a response from Vodafone UK by the time of publication: the telco said that (in the UK at least) strong encryption has been mandated for “many, many, years”.

This is still quite an obscure attack, requiring a hacker familiar with the memory layout (the soft mask) of the SIM, and one prepared to send the multiple SMS messages necessary to crack the software update key. For the moment the effort probably outweighs the payoff, but that will change as SIMs increasingly host banking and loyalty apps (as well as popular social networking services like Facebook Chat), making them a more attractive hacker target.

As Nohl put it: “Skills are underdeveloped because the crimes are underdeveloped … crime is even more convincing than anything.”

Until there’s a serious crime using this insecurity, the vulnerabilities in our SIM cards will probably remain. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/23/white_hat_sim_hacker_disillusioned_and_dismayed_by_operator_response/

3 Steps To Keep Down Security’s False-Positive Workload

Security needs to be better automated, but while detecting attackers is great, all too often automation means that security teams are left chasing down a list of security events that turn out not to be an attack but unexpected system, network, or user behavior.

These “false positives” are the bane of most machine-learning systems: valid e-mail messages blocked by anti-spam systems, unexploitable software defects flagged by software analysis systems, and normal application traffic identified as potentially malicious by an intrusion detection system. First-generation security information and event management (SIEM) systems, for example, would often deliver lists of potential “offenses” to security teams, leading to a lot of work in wild goose chases, says Jay Bretzmann, market segment manager for security intelligence at IBM Security Systems.

“If you cannot manage the list of offenses that come into the product in a day, then you need to do some tuning, or you need to go out and do some proactive defense, such as eliminating vulnerabilities by patching or looking at your configurations,” Bretzmann says.

Beating the false-positives problem is key to making the company more secure, and the first step is to not think of such alerts as false positives, says Paul Stamp, director of product marketing at RSA. There is always a reason why a security system flags some behavior as threatening, he says.

“There is no such thing as a false positive,” he says. “It is just that some positives are more important than others.”

To raise the bar on security events, experts recommend a few tactics.

1. Better tuning
The initial training of a security system — whether a network anomaly detector or the log analysis component of a SIEM — is a necessary step toward teaching the appliance what should be considered bad and what’s good on the network.

However, the training is a crash course for the device on what is typically normal, or not, in the network for a short period of time. The training set often includes previously detected malicious behavior at other companies, which are quickly turned into rules and exported to the rest of the client base. Most of the time that helps detect true threats, but sometimes a vulnerability scanner, uncommon user behavior, or other event can set off the security system.

“We can help you identify what is malicious traffic based on what our other customer thought was malicious traffic, but it’s only a start,” IBM’s Bretzmann says. “You really have to get in there and investigate what’s causing the false positives.”

Security administrators should work from a list of the most common types of alerts, or “offenses,” as IBM calls them. Alerts that occur frequently are likely false positives but should be remediated to reduce the noise.

[Companies analyzing the voluminous data produced by information systems should make sure to check user access and configuration changes, among other log events. See 5 Signs Of Trouble In Your Network.]

2. Proactive defense
If tuning fails to remove enough alerts to allow the security team to focus on the most severe events, then the IT security managers should consider proactive work that can reduce vulnerability and allow the rules to be tightened. For example, legacy systems that are not patched regularly can dramatically increase the vulnerable attack surface area of the company, resulting in a higher number of alerts.

“The rate of new vulnerability disclosures ranges between 12 and 15 a day,” Bretzmann says. “Trying to keep up with that is a never ending job.”

Patching vulnerable systems, shutting down unnecessary systems, and limiting the types of network traffic that can enter the network are all steps that can reduce the attack surface area of the business and allow the security systems to be tuned more tightly, reducing the number of alerts.

3. Add more context
Combining external threat intelligence can help focus security administrators on the most important threats, so they can prioritize security events, says Erik Giesa, senior vice president of business development at operational-intelligence provider ExtraHop.

“You want the ability to be very surgical and precise,” he says. “You don’t want it to be a firehose.”

False positives can also be eliminated by knowing more about the assets in the network, such as which systems are most important and which can effectively be ignored for the moment.

IT security should cooperate with business executives to collect data on what information-technology components are core to the business and should be closely watched, RSA’s Stamp says.

“A lot of the knowledge about the risk associated with a system isn’t held by IT — IT doesn’t know, the business knows,” he says. “So the question is how do you involve the business in the process?”
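The three tactics above can be combined in a small triage pass over raw alerts: collapse repeats into "offenses", surface the rules that dominate volume as tuning candidates (step 1), and rank what remains by asset criticality and known-benign context (step 3). This is an added illustration, not code from the article or from any vendor's product; the alerts, hostnames and asset inventory are constructed sample data.

```python
from collections import Counter

# Constructed sample SIEM alerts: (rule_name, host, base_severity 1-5)
ALERTS = [
    ("port_scan_detected", "scanner-01", 3),
    ("port_scan_detected", "scanner-01", 3),
    ("port_scan_detected", "scanner-01", 3),
    ("port_scan_detected", "scanner-01", 3),
    ("port_scan_detected", "lab-vm-02", 3),
    ("failed_logins_burst", "hr-laptop-17", 2),
    ("failed_logins_burst", "db-prod-01", 2),
    ("sql_injection_signature", "web-prod-03", 4),
    ("sql_injection_signature", "lab-vm-02", 4),
    ("outbound_c2_beacon", "db-prod-01", 5),
]

# Constructed asset inventory (the "context" from the business): criticality
# from 1 (expendable) to 5 (core system), plus a flag for the authorised
# vulnerability scanner whose probes are expected, not an attack.
ASSETS = {
    "db-prod-01": {"criticality": 5, "authorised_scanner": False},
    "web-prod-03": {"criticality": 4, "authorised_scanner": False},
    "hr-laptop-17": {"criticality": 3, "authorised_scanner": False},
    "lab-vm-02": {"criticality": 1, "authorised_scanner": False},
    "scanner-01": {"criticality": 1, "authorised_scanner": True},
}
UNKNOWN_ASSET = {"criticality": 2, "authorised_scanner": False}


def rule_volume(alerts):
    """Step 1 (tuning): alert count per rule, most frequent first.
    The top of this list is where tuning effort pays off most."""
    return Counter(rule for rule, _, _ in alerts).most_common()


def tuning_candidates(alerts, threshold=0.3):
    """Rules that each produce more than `threshold` of total volume."""
    total = len(alerts)
    return [rule for rule, n in rule_volume(alerts) if n / total > threshold]


def offenses(alerts):
    """Collapse repeated (rule, host) pairs into one offense with a count so the
    analyst works from a short list rather than every raw event."""
    counts = Counter((rule, host) for rule, host, _ in alerts)
    sev = {(rule, host): s for rule, host, s in alerts}
    return [(rule, host, sev[(rule, host)], n)
            for (rule, host), n in counts.most_common()]


def score(rule, host, severity, assets):
    """Step 3 (context): weight base severity by asset criticality and
    suppress alerts fully explained by a known, authorised source."""
    asset = assets.get(host, UNKNOWN_ASSET)
    if rule == "port_scan_detected" and asset["authorised_scanner"]:
        return 0  # expected scanner behaviour, not an attack
    return severity * asset["criticality"]


def triage(alerts, assets):
    """Offenses ranked by contextual score, highest first; zero-score
    offenses are dropped. Each row is (score, rule, host, count)."""
    rows = []
    for rule, host, sev, n in offenses(alerts):
        s = score(rule, host, sev, assets)
        if s > 0:
            rows.append((s, rule, host, n))
    rows.sort(key=lambda r: r[0], reverse=True)
    return rows


if __name__ == "__main__":
    print("tuning candidates:", tuning_candidates(ALERTS))
    for row in triage(ALERTS, ASSETS):
        print(row)
```

On the sample data the noisy scanner rule is flagged for tuning, its four alerts from the authorised scanner disappear, and the outbound beacon from the production database tops the list.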


Article source: http://www.darkreading.com/monitoring/3-steps-to-keep-down-securitys-false-pos/240161634

Dolloping Out Threat Intelligence

There’s a saying that too much of a good thing can be bad for you. We normally apply it to things like ice cream and chocolate, but the saying also applies to the threat intelligence world. You’d think that by doubling or even quadrupling the number of streaming intelligence feeds into your organization you’d be better off — better informed and more secure. Unfortunately, you’re likely to be wrong.

During the past couple of years, the threat intelligence service industry has really kicked into high gear. Many of the vendors in this area have been supplying their streaming intelligence services for upward of a decade to the manufacturers of popular security appliances and desktop protection suites, but it has only been more recently that enterprise businesses have found themselves in a position to consume the data directly.

The growing need for streaming security intelligence is a direct response to the rapidly evolving threat. As the threats that target an enterprise become more adaptive, more dynamic, and more evasive of legacy protection architectures, there’s a driving need for real-time analytics and providing inputs into a new generation of dynamic analysis systems. To this end, the common logic is “more is better” when it comes to threat intelligence. But is it?

Last week, I came across an opinion piece at SC Magazine by Kathleen Moriarty (global lead security architect, EMC’s office of the CTO), titled “Threat-intelligence sharing is dead, and here’s how to resuscitate it,” in which she touches on the problems of sharing intelligence data and using it effectively. While I agree with her that contemporary threat intelligence sharing has failed (and, by the way, is increasingly a target for subversion) — in particular, that those participating in threat-intelligence programs have suffered from too much information, and that they struggle to deal with information that is neither actionable nor relevant — I believe the requirement to rely on trusted parties is likely doomed to failure. “Trust” networks, if ad-sharing networks are any indicator, are an open invitation to new attack vectors.

The biggest problem that enterprise threat-intelligence customers are facing can be illustrated by the problem any of us would encounter if we were placed in an office surrounded by televisions each blaring away a separate TV news channel, and were expected to absorb and digest the day’s happenings. Too much information is overwhelming. Adding additional TVs and news broadcasts only adds to the problem.

But another analogy can be drawn from the same TV news illustration. You’d think things would become simpler if there’s a late breaking story that most of the channels then start covering at the same time. The simultaneous coverage is likely an indicator that something significant is happening and should be responded to.

Two significant wrinkles with this approach spring to mind. If the majority of the TV channels are covering the same national story, then what stories are not being covered? While they’re all repeating the same news — confirming among themselves the significance of the story — other local stories are being dropped from the day’s coverage. And then, as with practically any late-breaking story of significance, the TV channels — each searching for new “facts” and unique commentary — often end up repeating each others’ facts (sometimes providing attribution to a competitor if they can’t confirm it for themselves).

In the threat-intelligence community, what you end up with is a myopic fixation on the high-profile threat of the day (e.g., the latest APT that has made it to the news) to the detriment of other analysis and, I’m sorry to say, a framework that can be easily tainted by bad or mistaken information. There’s so much pressure on the various threat-intelligence providers to provide like-for-like coverage of competitor feeds that each vendor subscribes to or monitors the others and will often add any missing intelligence data to their own feed, even if they can’t confirm it for themselves. This already happens daily among the dozens of blacklists and antivirus signature vendors.

The problems facing streaming threat intelligence feeds, their vendors, and their consumers are many and (unfortunately) endemic throughout the current intelligence-sharing model. Luckily, a new generation of machine-learning and clustering systems is making great headway in consuming the threat intelligence feeds from a bloating industry — weeding out superfluous and inaccurate information — and pre-emptively classifying threat categories, such as botnets and related domain abuse, but is still years away from forming the basis of prioritizing actions against the full breadth of today’s threat spectrum within the enterprise.
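The echo problem described above (feeds mirroring each other so that "confirmation" is really repetition) can be measured before any indicator is acted on: check how much of each feed is contained in another, and count corroboration only across independent feeds. This is an added example, not code from the column or from any feed vendor; the feeds and indicator values are constructed placeholders.

```python
from collections import Counter

# Constructed sample feeds: name -> set of indicators (placeholder domains).
# feed_alpha is entirely contained in feed_beta, mimicking a vendor that has
# simply absorbed a competitor's list.
FEEDS = {
    "feed_alpha": {"bad1.example", "bad2.example", "bad3.example", "bad4.example"},
    "feed_beta": {"bad1.example", "bad2.example", "bad3.example", "bad4.example",
                  "bad5.example"},
    "feed_gamma": {"bad1.example", "bad6.example", "bad7.example"},
    "feed_delta": {"bad2.example", "bad8.example"},
}


def containment(a, b):
    """Fraction of feed a's indicators that also appear in feed b."""
    return len(a & b) / len(a) if a else 0.0


def jaccard(a, b):
    """Symmetric overlap between two feeds (0 = disjoint, 1 = identical)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def derivative_feeds(feeds, threshold=0.9):
    """Map each feed that is (nearly) fully contained in another feed to that
    other feed. Such a feed adds little independent signal: it is an echo."""
    out = {}
    for name, inds in feeds.items():
        for other, oinds in feeds.items():
            if other != name and containment(inds, oinds) >= threshold:
                out[name] = other
                break
    return out


def naive_sources(feeds):
    """Per indicator, the raw number of feeds listing it (what a simple
    'more feeds agree' heuristic would count)."""
    counts = Counter()
    for inds in feeds.values():
        counts.update(inds)
    return counts


def independent_sources(feeds, derivative=None):
    """Per indicator, the number of independent feeds listing it, where a
    derivative feed and the feed it mirrors count as a single source."""
    if derivative is None:
        derivative = derivative_feeds(feeds)
    counts = Counter()
    for ind in set().union(*feeds.values()):
        sources = {derivative.get(name, name)
                   for name, inds in feeds.items() if ind in inds}
        counts[ind] = len(sources)
    return counts


def corroborated(feeds, min_sources=2):
    """Indicators worth prioritising: reported by at least `min_sources`
    independent feeds, sorted for stable output."""
    counts = independent_sources(feeds)
    return sorted(ind for ind, n in counts.items() if n >= min_sources)


if __name__ == "__main__":
    print("echo feeds:", derivative_feeds(FEEDS))
    print("raw vs independent count for bad3.example:",
          naive_sources(FEEDS)["bad3.example"],
          independent_sources(FEEDS)["bad3.example"])
    print("corroborated:", corroborated(FEEDS))
```

With the sample data, bad3.example looks twice-confirmed by raw feed count but has only one independent source once feed_alpha is recognised as a copy of feed_beta.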

The incestuous nature of the streaming intelligence service industry causes many problems, but also new opportunities. While those responsible for safeguarding their corporate networks are overwhelmed with inactionable information from an avalanche of intelligence data, there is ample opportunity for boutique service providers to step in and provide distilled threat intelligence advice specific to their clients’ needs.

As kids, we’ve probably all dreamed about having a humongous bowl filled with every flavor of ice cream imaginable and consuming the whole thing until we exploded. As an adult, I’ve learned that the strategy of first asking the girl on the other side of the counter which flavored ice creams are the best in the store is often a more efficient and less explosive way to enjoyment.

Gunter Ollmann, CTO, IOActive Inc.

Article source: http://www.darkreading.com/attacks-breaches/dolloping-out-threat-intelligence/240161638

Federal Cybersecurity Professionals To Leadership: We Can Do Better

Alexandria, Va., September 23, 2013 – MeriTalk, a public-private partnership focused on improving the outcomes of government IT, today announced the results of its new report, “FISMA Fallout: The State of the Union.” The report, underwritten by NetApp, examines the state of cyber security at Federal agencies and looks at whether the Federal Information Security Management Act (FISMA) is hurting or helping agencies improve cyber security and protect data. According to the report, Federal cyber security professionals lack confidence in FISMA, and do not believe their agencies’ current cyber security solutions are sufficient and sustainable.

Federal agencies face cyber threats from every angle. In the past 12 months, agencies defended against insider threats or leaks (64 percent), non-state actors (60 percent), and state-sponsored threats (48 percent). Given the growing number and increasing sophistication of the attacks, just one in five (22 percent) cyber security professionals rate their agency’s cyber security solutions as sufficient and sustainable.

Although FISMA is designed to aid agencies in addressing these threats, it may be doing more harm than good. Just 53% of Federal cyber security professionals say FISMA has improved security at their agency, while 86% report that FISMA compliance increases costs. In addition, 28% view FISMA as encouraging compliance rather than risk identification and assessment, 21% believe it is insufficient in dealing with today’s cyber threat landscape, and 11% believe it is an antiquated law.

“FISMA’s compliance model is not keeping up with the evolving security landscape or the security demands,” said Mark Weber, president of NetApp U.S. Public Sector. “There is a shift in the industry from compliance to continuous monitoring, and a vast number of new technologies exist to support this change. Our Federal cyber professionals should be given the resources, regulation, and management support to take advantage of these technologies to help thwart cyber security attacks.”

Agencies’ current network speed and capacity limits also hinder security efforts. More than half of cyber security professionals (55 percent) say their agency is either overloaded or cannot keep up with the amount of data already crossing their network. The data deluge is not ending anytime soon – cyber security professionals expect the total amount of data their agency must protect to grow by 47% by 2015. As a result of the growing amount of data, cyber security professionals say users experience slower network connections (35 percent), agencies experience challenges in handling large amounts of data in real time (32 percent), and the network and security monitoring infrastructure cannot keep up with the network itself (18 percent).

Agencies may also be missing an opportunity to thwart attacks by not collecting and using data on previous breaches. Seventy-six percent of cyber security professionals say their agency records all data that leaves their agency but only 43% use that data to reconstruct the breach to determine where it took place. Twenty-one percent of cyber security professionals say their agency is unable to track where a security breach took place.

As a result of security challenges, just 40% of cyber security professionals are confident in their agency’s security. Those confident in their agency’s security are more likely to say their agency has an adequate budget (83 percent), their end users are compliant with cyber security policies (80 percent), and their cyber security department can identify and implement new cyber security technology effectively (91 percent).

To improve security, Federal cyber security professionals are looking beyond FISMA. The majority of cyber security professionals (83 percent) believe continuous monitoring will improve security at their agency. Most agencies (81 percent) have a system in place to continuously monitor their networks for cyber threats but one in four lack the capabilities and resources to effectively execute continuous monitoring.

To make agencies more secure, cyber security professionals recommend more focus on evaluating risk, additional budget and technology, and better accountability regarding end user unauthorized disclosure.

“FISMA Fallout: The State of the Union” is based on an online survey of 203 Federal cyber security professionals conducted in July 2013. The report has a margin of error of +/- 6.84 percent at a 95% confidence level. To download the full study, please visit http://www.meritalk.com/fismafallout.

About MeriTalk

The voice of tomorrow’s government today, MeriTalk is a public-private partnership focused on improving the outcomes of government IT. Focusing on government’s hot-button issues, MeriTalk hosts Big Data Exchange, Cloud Computing Exchange, Cyber Security Exchange and Data Center Exchange – platforms dedicated to supporting public-private dialogue and collaboration. MeriTalk connects with an audience of 85,000 government community contacts. For more information, visit www.meritalk.com or follow us on Twitter, @meritalk. MeriTalk is a 300Brand organization.

Article source: http://www.darkreading.com/government-vertical/federal-cybersecurity-professionals-to-l/240161647

Route1 Receives U.S. DHS Order For 7,000 MobiKEY Fusion Devices

Toronto (September 23, 2013) – Route1 Inc. (TSXV: ROI), a digital security and identity management company whose customers include the U.S. Department of Defense, the Department of Homeland Security, the Department of Energy, and the Government of Canada, today announced that one of the U.S. Department of Homeland Security’s largest and most complex components (DHS) has ordered 7,000 MobiKEY Fusion devices through the U.S. Department of Homeland Security FirstSource II contract vehicle.

DHS will be replacing their allotment of MobiKEY Classic devices with Route1’s MobiKEY Fusion devices. Route1 expects to ship the 7,000 devices between September 2013 and February 2014. The award has a sales value of approximately US $0.7 million.

“Route1 recently provided DHS with a technology refresh for their DEFIMNET platform. The new DEFIMNET platform allows them to use their PIV cards as part of the user authentication process. This is an important step, as all MobiKEY Fusion users at DHS will now comply with the United States Homeland Security Presidential Directive 12 (HSPD-12),” said Tony Busseri, CEO of Route1. “We have been working with leadership at DHS to assist with HSPD-12 compliancy and we are excited with today’s purchase order announcement.”

DHS accredited the MobiKEY solution in October 2011 and has 7,000 paid, active users of the MobiKEY technology.

MobiKEY Technology

MobiKEY is a complete desktop, secure remote access technology that integrates multi-factor authentication and identity management in a mobile computing environment. For more information on the technology please go to: https://www.route1.com/solution/overview.html.

MobiKEY Fusion Device

The MobiKEY Fusion device is a patented identity validation device that integrates with government issued identity cards such as CAC, PIV and FRAC. This multi-factor authentication technology combines physical possession of the MobiKEY Fusion device and an identity card, with computer and network access, helping government and defense organizations meet HSPD-12.

The MobiKEY Fusion device offers all of the same security features of the MC2 device while leveraging smartcards already issued to government personnel, aided by additional factors of authentication to secure the access component, while the MobiNET or the DEFIMNET platform universally manages the identities of users and entitlement to digital resources. Users can only access systems remotely with a combination of their MobiKEY Fusion device, an identity or access card and secret PIN.

ABOUT ROUTE1, INC.

Route1 delivers industry-leading security and identity management technologies to corporations and government agencies that require universal, secure access to digital resources and sensitive data. These customers depend on The Power of MobiNET – Route1’s universal identity management and service delivery platform. MobiNET provides identity assurance and individualized access to applications, data and networks. Headquartered in Toronto, Canada, Route1 is listed on the TSX Venture Exchange.

Article source: http://www.darkreading.com/mobile/route1-receives-us-dhs-order-for-7000-mo/240161656

Interop New York Sponsors & Exhibitors Launch New Products & Services

SAN FRANCISCO, September 23, 2013 – Today, Interop, produced by UBM Tech, previews exhibitor announcements to break at next week’s Interop New York, taking place September 30 – October 4 at the Javits Convention Center. As the leading independent technology conference and expo series designed to inform and inspire the world’s IT community, Interop serves as a launch pad for vendors to introduce the most innovative technologies in business IT. To register or for more information, visit interop.com/newyork.


“Interop New York exhibitors will showcase the most cutting-edge IT tools and solutions for increased business productivity,” said Jennifer Jessup, Interop General Manager. “We’re expecting big announcements from both the keynote stage and expo floor, and are proud that Interop proves to be a hub for news, setting the pace for the future of IT with opportunities to interact firsthand with the latest advancements in the marketplace.”

Below is a preview of announcements exhibitors will release from Interop New York:

AirWatch (Booth #513), the largest Enterprise Mobility Management (EMM) provider, will showcase AirWatch Workspace™, a secure containerized solution for all enterprise data including email, applications, content and browsing.

Chatsworth Products (CPI) will display its new F-Series TeraFrame Gen 3 Cabinet including CPI Passive Cooling Solutions, as well as Zone Cabling Enclosures. The TeraFrame Cabinet will feature CPI’s Glacier White finish, which is now a standard color for most products. Visit Booth #542 for hands-on interaction and more information.

Ciena (booth #419) will showcase its packet networking and converged packet optical solutions, and introduce new packet networking products designed to accelerate deployment of 10 Gigabit Ethernet services in the metro network.

Cisco’s CEO, John Chambers will discuss a hot industry topic and announce news from the keynote stage on opening day. Additionally, the company’s Enterprise Networking Group will announce exciting new updates appealing to retailers, hotels and other vertical markets, as well as to consumers.

Cube Optics launches a line of DWDM solutions permitting 100Gbps upgrades. They are enabling metro networks to evolve via a technologically seamless roadmap and are fully interoperable with existing and future equipment and deployable within the space and power constraints of existing infrastructure. Evolve to 100Gbps at Booth 648.

Elfiq Networks is pleased to announce the release of the company’s new Flex Multipath Routing Solutions, also referred to as FMR, designed for Enterprise and SMB businesses looking to optimize their bandwidth while lowering their costs by load balancing site-to-site WAN traffic between private and internet links.

FileCatalyst (booth 126) will unveil the latest version of its flagship accelerated and managed file transfer solution, FileCatalyst Direct 3.3. This release introduces the ability to streamline the transfer of large file sets using several concurrent connections and to dynamically pick up new files as they’re added in real time.

HP will announce big news around SDN at Interop NY next week, including new networking support and services.

Interface Masters announces an industry first, highest density modular sixteen segment Intelligent Active Bypass Switch, the Niagara 2822, that can handle 1Gb, 10Gb, and 40Gb Inline Network Monitoring Devices. Interface Masters also announces, Niagara 3225PT, a 25 segment passive TAP in a 1U. These will be presented at Booth #632.

NCP engineering (booth #729) will showcase the latest versions of its hybrid IPsec / SSL VPN gateway and centrally managed IPsec VPN client suite, which maximize enterprise security and remote access performance with elliptic curve cryptography. The company will also demo its Android IPsec VPN clients that optimize enterprises’ connections.

NEC plans to demonstrate its ProgrammableFlow Software-Defined Network suite, which includes the latest version of its data center-grade SDN controller. The company also plans to showcase its SDN ecosystem, which contains SDN-powered applications from multiple NEC partners.

NetSupport Inc is showcasing all new NetSupport Manager 12, Remote Control software; with the addition of Windows 8 / 8.1, and improved mobile device support. Together with a new look and feel, connectivity is enhanced by a unique PIN Connect feature and innovative GEO locate for geographical user grouping plus more.

Obsidian Strategics (#347) presents their Obsidian Longbow™ products, which enable remote InfiniBand LAN fabrics to be transparently, securely and natively connected across standards-based metro or global area networks.

One Convergence will preview their Network Virtualization and Service Delivery solution for Openstack cloud environment. The software overlay based solution enables self-service multi-tenant networks and network services to be created, provisioned and managed on demand and provides significant value proposition for delivering L4 to L7 services.

Opengear (booth #638) continues its growth in integrating information and operational technology (IT-OT) through new remote management solutions that offer enhanced environmental monitoring, more robust memory capabilities, and faster out-of-band connectivity. Opengear’s popular ACM5000 product line will be on display and feature new iterations with strategic IT-OT functionality.

ScienceLogic (booth #511) announces a number of new powerful features for its IT monitoring solution, including: the ability to take actions on groups of devices at the same time and new and enhanced monitoring for AWS, VMware, NetApp, F5, and others. ScienceLogic’s new release was selected to manage the InteropNet NOC.

SolarWinds, IT management software provider, will demonstrate SolarWinds Server Application Monitor 6.0, which offers IT professionals one complete solution for greater visibility across server, application and database environments with new Microsoft SQL Server monitoring, baseline thresholds and IT asset inventory management. Stop by booth #337 for more information.

Verax Systems at booth #137 will be demonstrating the latest version of their IT Management Suite, a set of pre-integrated, service-oriented applications covering end-to-end IT Management with short turn up times enabling IT departments to simplify, automate and reduce costs of IT management.

Xi3 Corporation will showcase its ecofriendly, small form factor desktop computers, servers and data center solutions in booth #401 at Interop NY 2013, including the new Z3RO™ Pro Computer and X7A Modular™ Computer, and the forthcoming Xi3 microSERV3R™, as well as Xi3’s Motorized dataCENT3R™ and its FreeForm dataCENT3R.

Zoom Video Communications and AVer Information Inc. announce their technology partnership combining Zoom’s cloud HD meeting platform with AVer’s sub-$1000 EVC100 endpoint to bring affordable, interoperable video conferencing to large corporations, SMBs and universities. This move democratizes enterprise-grade video conferencing for businesses looking to cut costs and streamline communications. #605.

These sponsors and vendors will join 120 exhibitors on the Expo show floor, open both Wednesday and Thursday, 11:00 am to 5:00 pm. In addition, Interop New York presents a robust conference program with keynote presentations and six presentation tracks, including Cloud Computing & Virtualization, Mobility and Business of IT. Interop features the InteropNet and includes two full days of workshops, as well as the InformationWeek CIO Summit and the Mac & iOS IT Conference. For a full schedule and to build your own agenda, see the Interop Session Scheduler.

Watch Interop video updates on YouTube.

Follow Interop on Twitter; tag tweets #Interop.

Like Interop on Facebook.

Add Interop to your circle on Google+.

Post Interop photos to Instagram.

About Interop

Interop provides the knowledge and insight to help IT and corporate decision-makers bridge the divide between technology and business value. Through in-depth educational programs, workshops, real-world demonstrations and live technology implementations in its unique InteropNet program, Interop provides the forum for the most powerful innovations and solutions the industry has to offer. Interop Las Vegas is the flagship event held each spring, with Interop New York held each fall, and annual international events in Mumbai and Tokyo, all produced by UBM Tech and partners. For more information about these events, visit www.interop.com.

About UBM Tech

UBM Tech is a global media business that provides information, events, training, data services, and marketing solutions for the technology industry. Its media brands and information services inform, educate and inspire decision makers across the entire technology market, serving engineers and design professionals, software and game developers, solutions providers and integrators, networking and communications executives, and business technology professionals. UBM Tech’s industry-leading media brands include EE Times, Interop, Black Hat, InformationWeek, Game Developer Conference, Byte, CRN, and DesignCon. The company’s information products include research, education, training, and data services that accelerate decision making for technology buyers. UBM Tech also offers a full range of marketing services based on its content and technology market expertise, including custom events, content marketing solutions, community development and demand generation programs designed to help vendors identify and participate in technology buying decisions. UBM Tech is a part of UBM (UBM.L), a global provider of media and information services with a market capitalization of more than $2.5 billion.

Article source: http://www.darkreading.com/interop-new-york-sponsors-exhibitors-la/240161697

Chaos Computer Club: iPhone 5S finger-sniffer COMPROMISED


Well, that lasted a long time: the Chaos Computer Club has already broken Apple’s TouchID fingerprint lock, and warns owners against using biometric ID to protect their data.

As the group explains here, it seems that the main advance in Cupertino’s biometrics was that it uses a high resolution fingerprint scan. The post states:


A lot of bogus speculation about the marvels of the new technology and how hard to defeat it supposedly is had dominated the international technology press for days.

“In reality, Apple’s sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake”, said the hacker with the nickname Starbug, who performed the critical experiments that led to the successful circumvention of the fingerprint locking.

All the CCC needed to defeat the scanner was an image of a user’s fingerprint at 2,400 dpi resolution. That scan was “cleaned up”, inverted, and printed onto a transparent sheet. The print was then lifted from the sheet using latex milk or wood glue.

“After it cures, the thin latex sheet is lifted from the sheet, breathed on to make it a tiny bit moist and then placed onto the sensor to unlock the phone,” the post states, adding that this technique can be used against “the vast majority” of fingerprint scanners.

At the time of writing, the CCC hadn’t announced whether it would claim any of the prizes on offer for a successful attack.

The video below demonstrates the attack. ®



Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/22/iphone_5_touchid_broken_by_chaos_computer_club/

Java updates too much of a bother? Maybe online banking’s just not for you


Security researchers have spotted a surge in attacks against online banking customers, thanks to a new strain of the Java-exploiting Trojan Caphaw (aka Shylock).

Over the last month or so the malware has targeted customers of at least 24 financial institutions, including Bank of Scotland, Barclays Bank, First Direct, Santander Direkt Bank AG and Capital One Financial Corporation, according to security researchers at cloud security firm Zscaler. There’s no word on whether or how successful its attacks have been, or which banks’ customers have been affected. Caphaw (Shylock) is most active in the UK, Italy, Denmark and Turkey.


“We have detected hundreds of infections, but there is no way to calculate the losses,” Zscaler researcher Chris Mannon told El Reg.

The Trojan hooks itself into the browser processes of victims before using a self-signed SSL certificate to trigger encrypted “phone home” communication with remote command and control servers. This encryption is designed to keep the malware under the radar of corporate and ISP-level network security tools. Detection by endpoint security scanners is also low, according to Zscaler.

Caphaw appears to be spreading via a Java exploit served from compromised websites as part of a drive-by download attack. However, the evidence for this theory remains circumstantial, as an advisory from Zscaler explains.

“At the time of research, we were unable to identify the initial infection vector,” Mannon and fellow Zscaler researcher Sachin Deodhar explain in a blog post.

“We can tell that it is more than likely arriving as part of an exploit kit honing in on vulnerable versions of Java. The reason we suspect this is that the User-Agent for every single transaction that has come through our Behavioral Analysis (BA) solution has been: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_07.”

Mannon added: “We suspect it is coming from a Java exploit on the version listed in the blog. Other vectors this threat has used in the past include Skype, social media, and email spam.”

Caphaw features a domain generation algorithm that produces a large number of quasi-random domain names, which the malware then uses to “dial home” and send and receive commands and data. This is far from a new tactic in botnet administration, but it still succeeds in making life difficult for law enforcement.

“The large number of potential rendezvous points with randomised names makes it extremely difficult for investigators and law enforcement agencies to identify and ‘take down’ the CnC [command and control] infrastructure,” said Mannon. “Furthermore, by using encryption, it adds another layer of difficulty to the process of identifying and targeting the command and control assets.” ®
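The two traits a network defender can actually see in this story are the bare Java runtime User-Agent that Zscaler observed on every transaction and the quasi-random DGA host names used to reach the CnC infrastructure. The following is an added example, not code from Zscaler or from the article: it scans a few constructed proxy log lines (the log format, the sample lines, the `MIN_OK_JAVA` patch baseline and the DGA thresholds are all assumptions) and flags requests that carry an outdated Java client User-Agent or contact a host whose longest label looks algorithmically generated.

```python
import math
import re
from collections import Counter

# Constructed sample proxy log (not real traffic). One request per line:
#   <timestamp> <client-ip> <method> <url-or-host:port> "<User-Agent>"
SAMPLE_LOG = """\
2013-09-22T10:15:01Z 10.0.0.12 GET http://update.windows.com/download/x.cab "Mozilla/5.0 (Windows NT 6.1) Firefox/23.0"
2013-09-22T10:15:07Z 10.0.0.12 GET http://ru4j2ksm9dqz.net/gate.php "Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_07"
2013-09-22T10:15:09Z 10.0.0.12 CONNECT xk3qvbz9wmrt.info:443 "Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_07"
2013-09-22T10:16:30Z 10.0.0.31 GET http://www.bankofscotland.co.uk/ "Mozilla/5.0 (Windows NT 6.1) Chrome/29.0"
2013-09-22T10:17:02Z 10.0.0.31 GET http://javadl.oracle.com/webapps/download/ "Mozilla/4.0 (Windows XP 5.1) Java/1.7.0_40"
"""

# Assumed local baseline: a bare Java client older than this is treated as unpatched.
MIN_OK_JAVA = (1, 7, 0, 40)

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')
JAVA_UA_RE = re.compile(r'\bJava/(\d+)\.(\d+)\.(\d+)_(\d+)')


def parse_line(line):
    """Split one constructed log line into its fields, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, target, ua = m.groups()
    return {"ts": ts, "client": client, "method": method, "target": target, "ua": ua}


def host_of(target):
    """Strip scheme, path and port from a URL or a CONNECT host:port target."""
    host = re.sub(r'^[a-z]+://', '', target, flags=re.I).split('/', 1)[0]
    return host.rsplit(':', 1)[0] if ':' in host else host


def java_version(ua):
    """Version tuple of a bare Java runtime User-Agent, e.g. (1, 6, 0, 7), or None."""
    m = JAVA_UA_RE.search(ua)
    return tuple(int(g) for g in m.groups()) if m else None


def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_dga(label):
    """Heuristic (assumed thresholds): a long, high-entropy label with few vowels
    or embedded digits. Tune against your own traffic before alerting on it."""
    if len(label) < 8:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    has_digit = any(ch.isdigit() for ch in label)
    return shannon_entropy(label) >= 3.0 and (vowel_ratio < 0.2 or has_digit)


def dga_label(host):
    """The label most likely to be generated: the longest label below the TLD."""
    labels = host.lower().split('.')
    return max(labels[:-1], key=len) if len(labels) > 1 else labels[0]


def scan(log_text):
    """Return one finding per suspicious request with the reasons it was flagged."""
    findings = []
    for num, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        ver = java_version(rec["ua"])
        if ver is not None and ver < MIN_OK_JAVA:
            reasons.append("outdated Java client User-Agent Java/%d.%d.%d_%02d" % ver)
        host = host_of(rec["target"])
        label = dga_label(host)
        if looks_dga(label):
            reasons.append("DGA-like hostname label '%s'" % label)
        if reasons:
            findings.append({"line": num, "client": rec["client"], "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print("line %d %s -> %s: %s" % (f["line"], f["client"], f["host"], "; ".join(f["reasons"])))
```

Run stand-alone it reports lines 2 and 3 (same client, old Java, two random-looking hosts) and stays quiet on the Windows Update, bank and Oracle download lines. The third trait in the article, the self-signed certificate on the CnC channel, is invisible in plain proxy logs; catching it needs TLS metadata (issuer equals subject) from a TLS-inspecting proxy or passive sensor. The DGA heuristic will also fire on legitimate hash-like CDN labels, which is why it is paired with the User-Agent signal rather than alerting alone.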


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/23/caphaw_banking_trojan/

Hardbitten NYC cops: Sir, I’m gonna need you to, er, upgrade to iOS 7


The New York Police Department’s motto, Fidelis Ad Mortem – or “faithful unto death” – could easily pass as the utterance of a fanboi pleading lifelong allegiance to the late Steve Jobs.

And it would seem that New Yorkers also keep faith with the Jesus phone – judging by the police force’s latest crime-prevention campaign, which directly targeted them. Officers hit the streets over the weekend to hand out leaflets calling on iPhone owners to download iOS 7, which comes with beefed-up security measures.


The pamphlets say “Attention Apple users” and point out that iOS 7 “brings added security to your devices”. Cops said the iOS update was “avaialble” [sic] right now. Let’s hope the cops are better at chasing down perps than they are at spelling.

Twitter user Michael Hoffman posted a picture of the leaflet along with the tweet:

Apple’s updated mobile OS features an improved version of Find My iPhone, which makes it impossible for anyone to switch it off without an Apple ID and password, as well as Activation Lock, which requires an Apple ID and password to be entered before a user can perform a remote wipe or reactivate the phone.

The iPhone 5S also features a fingerprint sensor, although this has already been hacked. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/23/nypd_wants_new_yorkers_to_download_ios_7/

RSA: That NSA crypto-algorithm we put in our products? Stop using that


Security biz RSA has reportedly warned its customers to stop using the default random-number generator in its encryption products – amid fears spooks can easily crack data secured by the algorithm.

All encryption systems worth their salt require a source of virtually unpredictable random values to create strong cryptographic keys and similar things; one such source is the NSA-co-designed pseudo-random-number generator Dual_EC_DRBG, or the Dual Elliptic Curve Deterministic Random Bit Generator, which is well known for being cryptographically weak: six years ago it was claimed that someone had crippled the design, effectively creating a backdoor [PDF] so that encryption systems that relied on it could be easily cracked.


RSA’s BSafe toolkit and Data Protection Manager software use Dual_EC_DRBG by default. Now the EMC-owned company “strongly recommends” customers pick another pseudo-random-number generator (PRNG) in their setups. This comes after documents leaked by whistleblower Edward Snowden allegedly show that the NSA nobbled Dual_EC_DRBG during its inception – which could allow the spook nerve-centre to crack HTTPS connections secured by RSA’s BSafe software, for example.

The suspect algorithm, championed by the NSA according to security expert Bruce Schneier, was given the seal of approval and published by the US government’s National Institute of Standards and Technology (NIST) in 2006. But a year later researchers at Microsoft highlighted fundamental flaws in its design: crypto-prof Matthew Green lays out the history and faults of the PRNG here.

Since Snowden’s leaks came to light, NIST has denied weakening this particular PRNG – one of four approved for wider use in 2006 – at the behest of shadowy g-men. However, earlier this month, Schneier said NIST needs to go much further to restore confidence in its practices and procedures, especially when doubts linger about the robustness of Dual_EC_DRBG.

Cryptographers have known for literally years that Dual_EC_DRBG was slow and not especially effective, leading to criticism that RSA was wrong to pick it as a default option for BSafe – and the more paranoid to question its motives.

“Despite many valid concerns about this generator, RSA went ahead and made it the default generator used for all cryptography in its flagship cryptography library,” noted Green late last week. “The implications for RSA and RSA-based products are staggering. In a modestly bad but by no means worst case, the NSA may be able to intercept SSL/TLS connections made by products implemented with BSafe.”

“So why would RSA pick Dual_EC as the default? You got me,” shrugged Green, who is a research professor at Johns Hopkins University in Baltimore. “Not only is Dual_EC hilariously slow – which has real performance implications – it was shown to be a just plain bad random number generator all the way back in 2006. By 2007, when [cryptographers Dan] Shumow and [Niels] Ferguson raised the possibility of a backdoor in the specification, no sensible cryptographer would go near the thing.”

RSA’s CTO Sam Curry defended RSA’s choices in an interview with Ars Technica. RSA is reviewing all its products, he confirmed. Green was unimpressed by the RSA man’s claims.

Curry was quoted as explaining in an email: “The hope was that elliptic curve techniques — based as they are on number theory — would not suffer many of the same weaknesses as other techniques (like the FIPS 186 SHA-1 generator) that were seen as negative, and Dual_EC_DRBG was an accepted and publicly scrutinized standard.”

The NSA’s alleged weakening of encryption algorithms was part of a wider campaign aimed at making it easier for spooks to decrypt supposedly secure internet communications, first outlined in the New York Times two weeks ago. Other tactics include attempting to persuade technology companies to insert backdoors in their products, including, it is claimed, Microsoft’s Outlook.com, and running so-called man-in-the-middle attacks to hoover up the world’s online chatter and transactions. ®
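Why a fixed point pair in a PRNG is a trapdoor, and why Green says no sensible cryptographer would go near it, is easiest to see by running the Shumow/Ferguson observation on the real curve. The following is an added worked example, not code from RSA, NIST or Green’s post: Dual_EC_DRBG on NIST P-256, with `P` as the P-256 base point (as in the standard) and `Q` constructed here from a self-chosen secret `d` such that `d*Q = P` (the standard’s `Q` is a fixed published constant; whether such a `d` exists for it is exactly the open question). The only other assumption is that the number of discarded output bits is reduced from the standard’s 16 to 8 so the brute-force step over the missing bits finishes in seconds in pure Python; the loop is identical, just 256 times longer, for the real parameter.

```python
"""Dual_EC_DRBG on NIST P-256 with a trapdoor relation d*Q = P (added example)."""
import secrets

# NIST P-256 domain parameters (public, standard values)
p = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
a = p - 3
b = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
n = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def ec_add(P1, P2):
    """Affine point addition on P-256; None is the point at infinity."""
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2:
        if (y1 + y2) % p == 0:
            return None
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_mul(k, P1):
    """Double-and-add scalar multiplication."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P1)
        P1 = ec_add(P1, P1)
        k >>= 1
    return R


def make_trapdoor_points():
    """Return (P, Q, d) with d*Q = P; d is the secret a backdoor holder would keep."""
    d = secrets.randbelow(n - 1) + 1
    Q = ec_mul(pow(d, -1, n), G)          # Q = d^-1 * P, hence d*Q = P
    return G, Q, d


def dual_ec_step(s, P, Q, trunc_bits):
    """One generator step: s_i = x(s_{i-1} P); output = x(s_i Q) with its top
    trunc_bits bits discarded (the standard discards 16 of the 256)."""
    s_next = ec_mul(s, P)[0]
    mask = (1 << (256 - trunc_bits)) - 1
    return s_next, ec_mul(s_next, Q)[0] & mask


def dual_ec_outputs(seed, P, Q, count, trunc_bits):
    """Run the generator from a seed/state and collect count outputs."""
    outs, s = [], seed
    for _ in range(count):
        s, o = dual_ec_step(s, P, Q, trunc_bits)
        outs.append(o)
    return outs


def recover_state(out1, out2, d, P, Q, trunc_bits):
    """Trapdoor holder: from two consecutive outputs recover the state s_2 that
    produced out2. Every later output then follows from s_2 alone."""
    out_bits = 256 - trunc_bits
    mask = (1 << out_bits) - 1
    for hi in range(1 << trunc_bits):          # guess the discarded high bits
        x = (hi << out_bits) | out1
        if x >= p:
            continue
        rhs = (x * x * x + a * x + b) % p
        y = pow(rhs, (p + 1) // 4, p)           # p = 3 mod 4: a square root, if one exists
        if y * y % p != rhs:
            continue                            # no curve point has this x-coordinate
        # (x, +-y) = s_1*Q, so d*(s_1*Q) = s_1*P, whose x-coordinate is the next state s_2.
        # The sign of y is irrelevant: d*(-R) = -(d*R) has the same x-coordinate.
        s2_guess = ec_mul(d, (x, y))[0]
        if (ec_mul(s2_guess, Q)[0] & mask) == out2:
            return s2_guess
    return None


def backdoor_demo(trunc_bits=8):
    """True when outputs 3..5 are predicted from outputs 1 and 2 alone.
    trunc_bits=8 means 256 guesses; the standard's 16 means 65536 of the same loop."""
    P, Q, d = make_trapdoor_points()
    seed = secrets.randbelow(n - 1) + 1          # the victim's secret seed
    outs = dual_ec_outputs(seed, P, Q, 5, trunc_bits)
    s2 = recover_state(outs[0], outs[1], d, P, Q, trunc_bits)
    return s2 is not None and dual_ec_outputs(s2, P, Q, 3, trunc_bits) == outs[2:]


if __name__ == "__main__":
    print("trapdoor holder predicts all future outputs:", backdoor_demo())
```

Two points the code makes concrete. First, the defence against this is not a patch but a different generator: the weakness lives in the constants, so an implementation of Dual_EC_DRBG with the published `Q` is exactly as exposed as this one with a known `d`, and without `d` nobody can tell the difference. Second, the truncation of 16 bits that the standard applies is what Shumow and Ferguson showed to be far too little: 65536 guesses, each a square root and two scalar multiplications, is a few seconds of work, whereas dropping most of the x-coordinate would have made the trapdoor useless. The slowness Green mocks is also visible here, since every output costs two full scalar multiplications.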


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/23/rsa_crypto_warning/