STE WILLIAMS

Shavlik Powers Up Mobile Capability With Mobile Device Management

MINNEAPOLIS, Sept. 3, 2013 /PRNewswire/ — Shavlik is pleased to announce the release of Shavlik Mobile Device Management (MDM) for the management of smartphones, tablets and rugged devices. As IT departments realign to the new realities of User-Oriented IT, they are coming to terms with securing a mobile, global, 24-hour workplace. One of the central considerations in this IT shift is the need to secure a diverse set of mobile devices. To fulfill this pressing IT need, Shavlik has created Shavlik Mobile Device Management. This product is a rich addition to Shavlik’s legacy in agentless endpoint patching technology, virtualization security, and third party patching as well as an easy-to-use means of managing Windows, Android, and iOS devices.

The new world of device management and security extends beyond the office and the domain of servers, workstations and desktops to devices that roam the mobile space. Keeping track of mobile devices while ensuring a company’s data is safe presents a host of challenges to IT. These challenges are amplified by daily news headlines related to stolen or compromised data that have been contained on unsecured devices. In addition to the crush of corporate mobile devices, IT departments must manage employee devices used for business (BYOD). This increases the pressure to find robust, affordable and easy-to-use mobile management software.

Shavlik Mobile Device Management provides a comprehensive, integrated mobile device management solution that helps customers handle operational and IT transformation with ease and efficiency. Shavlik’s mobile device management solutions enable enterprise IT and business operations organizations to reduce the time, cost, and risks associated with managing mobile devices and business critical application delivery. Shavlik MDM streamlines and automates mobile device and infrastructure management tasks across wireless LAN and WAN, and ensures that the wireless environment is secure.

“Today it is simply not enough to maintain the security of desktops, workstations and servers,” said Robert Juncker, vice president of engineering, Shavlik. “The new measure of protection is protecting your data wherever it is and Shavlik has its customers covered with Shavlik MDM.”

Shavlik MDM Suite Benefits

— Manage Any Device – Leverage a single consolidated mobile management solution that allows you to manage every aspect of your mobile devices – both rugged and smart devices – as well as the business critical and consumer applications they utilize

— Minimize Risk – Eliminate complexity through a validated solution and fully integrated mobile device and application management technology

— Improve ROI – Leverage the full functionality of a complete mobile device and application management solution in a single integrated, Web-based console

— Increase User Productivity – Redefine your user experience by providing the industry’s most comprehensive mobile management solution designed to dramatically increase business efficiencies and significantly increase user productivity

Shavlik MDM enables companies to:

— Lock out apps

— Control rights and permissions to corporate systems (e.g. Exchange, Intranet, CRM)

— Remote kill / wipe for lost or stolen devices

— Locate and map devices

— Remotely install and update applications and operating systems

— Troubleshoot and monitor the health of mobile devices

For more information on the Shavlik Mobile Device Management suite please contact your Shavlik sales representative.

About Shavlik

Shavlik is a pioneer in agentless patch management and a leader in innovative network security and management solutions. Since 1993, Shavlik has been at the forefront of patch security, first by providing the only third-party patch management to Microsoft SCCM customers and later asserting industry leadership in the patching of virtual machines. Its products and solutions include Shavlik Protect, Shavlik SCUPdates, and Management Intelligence. Shavlik’s “Just Add Water and Stir” approach allows customers to get up and running in as little as thirty minutes.

Article source: http://www.darkreading.com/management/shavlik-powers-up-mobile-capability-with/240160738

Leak of kids’ social services info earns Aberdeen City Council £100k fine

Aberdeen City Council has been hit with a £100,000 fine (about $150k) by the Information Commissioner’s Office (ICO), after an employee took sensitive files home and accidentally uploaded them to a public website.

The data, which included information on vulnerable children and details of alleged crimes, was on display for three months before it was spotted and taken down.

The incident started in November 2011, when an unnamed female council worker worked on council files on her own second-hand computer at home. These files apparently included minutes of meetings and detailed reports relating to the care of children.

The investigation into the incident failed to pin down whether the documents were accessed using remote access to council email or carried home on a USB stick, but at some point after being copied to the My Documents folder on her laptop the files were posted online by some unspecified software, thought to have been installed on the system by a previous owner and either started automatically or accidentally activated by the hapless employee.

Once online they were not noticed until February 2012 when another council employee stumbled across them when doing a search for their own name, and they were promptly removed from the website. The exact location the four files were posted to is also unspecified in the ICO report.

The ICO found huge gaps in the council’s policies regarding home working, which seem to have focused entirely on health and safety with no regard for the security of sensitive data, and even those policies which had been drafted were not being enforced:

In this case Aberdeen City Council failed to monitor how personal information was being used and had no guidance to help home workers look after the information. On a wider level, the council also had no checks in place to see whether the council’s existing data protection guidance was being followed.

The Data Protection Act, found to have been breached in this case, allows for fines of up to £500,000 for the most serious data breaches.

This case highlights a wealth of common problems with working from home and BYOD (Bring Your Own Device) practices. Any business or institution dealing with sensitive data – which is just about anyone really – needs to think carefully about how that data is secured when it’s being accessed remotely by staff, just as much as when handing it over to third parties.

Strict and comprehensive policies need to be put in place, clearly demonstrated to staff and strongly enforced with both technical and regulatory controls.

The rules need to cover what data can be accessed, from where and by whom, how data is accessed, transferred and handled, and what systems can be used to work on data.

The BYOD issue usually focuses on smartphones and tablets being brought in to work, but personal laptops remain the default tool to enable home working. Imposing the same level of application control, anti-malware and other security features is far more difficult than in systems built and monitored by dedicated IT staff.

So staff training is also vital – from the sound of this case, where the employee in question appears to have been unaware of what was running on her pre-owned laptop, it seems that IT skills were not considered an important part of her job, but people need to take more care to know what the tools they are using are capable of before they blindly trust them with information which could be incredibly sensitive to leakage.

Since the Aberdeen incident, auditing and assessment by the ICO earlier this year has noted some improvements, although there is still some way to go to achieve a satisfactory level of security.

Hopefully this good-sized fine will be an eye-opener to anyone dealing with personal information, particularly local government where data sensitivity is high but IT infrastructure tends to be disparate and creaky and skills are often minimal.

They need to wake up to the dangers of home-working and BYOD, and make sure they do all they can to minimise the risk.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/o7e3l8n5gMo/

Monday review – the hot 19 stories of the week

Catch up with everything we’ve written in the last seven days with our handy roundup.

General interest

Lady Gaga rallies Little Monsters against Applause ‘hackers’

Apple apps turned upside down writing right to left – you’re only 6 characters from a crash!

Anatomy of a dropped call – how to jam a city with 11 customised mobile phones

Whistleblower-friendly site Cryptome booted briefly offline for hosting “malicious content”

SSCC 115 – XP “as a giant 0-day”, choosing and remembering passwords, and next-gen HTTP [PODCAST]

Facebook transparency, Apple bugs, SEA DDoSes itself – 60 Sec Security [VIDEO]

Hacking and scams

Secure Google Docs email results in mailbox compromise

Google Palestine hijacked: hackers say rename Israel to Palestine, listen to RiRi

Syrian Electronic Army brings down Twitter and The New York Times through domain name provider hack

Law and order

Leak of kids’ social services info earns Aberdeen City Council £100k fine

Internet dating scam – mother and daughter crime duo jailed

Reality TV mother-of-eight Kate Gosselin sues husband for “hacking” email, phone, revealing private info

Facebook pays out $20 million in personal ads settlement; each user gets $15

Social networks

Facebook to include profile photos in its facial recognition database?

Schools hire snoopers to monitor kids on social networks. Is it OK? [POLL]

Surprise! First ever Facebook “Government Requests” report reveals the most inquisitive authorities

Pinterest And StumbleUpon patch critical flaws that could have exposed over 100 million users’ email addresses

OS and software

Apple neglects OS X privilege escalation bug for six months, gets Metasploit on its case…

Privacy and online safety

Tor usage doubles in August. New privacy-seeking users or botnet?


Days of the week image from Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/3EWn3i7KH2w/

Twitter makes good on promise to make abuse reports easier and more obvious

Twitter has lived up to its promise, made a month ago, to make it easier and more obvious how to report abusive messages published on its microblogging site.

The combination of Twitter’s short messages, high volumes and “always logged in” style of use make it easy for internet pests (and worse) to pepper victims with the internet abuse equivalent of never-ending birdshot from an auto-repeating shotgun that never runs out of ammunition.

UK journalist Caroline Criado-Perez found this out to her personal alarm recently.

She’d run a campaign to promote a well-known female British author for inclusion on a banknote: Charles Dickens and Charles Darwin have both had a go in recent years; Criado-Perez thought that Jane Austen deserved a turn.

When it was announced that Jane Austen would, indeed, grace the £10 note, not everyone was happy at the result, and Criado-Perez was blasted by at least one detractor’s considerable anger.

She was swamped with a giant wave of abusive Tweets, reaching a peak rate of close to one a minute and allegedly including threats of sexual violence, for which a 21 year old man was arrested in Manchester, UK.

A petition quickly started to urge Twitter to make it easier for victims of this sort of online rage to report their problems.

It worked: Twitter agreed, and now it’s easier to do something about problem tweets.

Just click on the …More tag under a Tweet, and you’ll see Report Tweet:

→ You have to be logged in to get the Report option, which makes sense. This makes it easier for Twitter to sort out abusers of the abuse button, by tying complaints to a specific account, and thus preventing the abuse queue from being flooded by anonymously-reported complaints. And you can’t report your own Tweets, which makes sense too. (If you think they should be deleted, just delete them!)

The next step is to choose your reason for reporting the Tweet, which defaults to Abusive:

Note that you can also report two other common Twittersphere problems in a similar way, namely Spam and Compromise. (The latter is a good way to help your friends if you realise before they do that someone has nabbed their password and is now misusing their account.)

There’s still more to abuse reports, since you need to say what sort of badness the offending Tweet has displayed:

And then you are asked to provide yet more information, such as this for the Report an ad option:

It sounds long-winded when shown here, but the system does make you think about what you want to report, and it’s definitely helpful to Twitter to pre-filter the abuse reports into various categories so that its responses can be prioritised.

You can argue that Twitter ought to have had this all along, and decry the microbloggers for being slow to the abuse-prevention table.

Or you can chalk it up as a victory for common sense, and say, “Well done” to the organisers of the petition for not trying to prove their point by more, well, pointed means (such as hacking back, or some sort of counterabuse), and say, “Thanks, Twitter for listening and reacting quickly.”

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/xj5fye-BU-8/

Cyberextortion by US gov, or simple P2P security lapse by medical firm?

The ongoing data leak saga between medical firm LabMD and “The Man,” in the form of the Federal Trade Commission (FTC) of the United States, has entered its next stage.

This is a curious story that would be amusing were its import not so serious.

If everyone who has contributed to the story is to be believed, it unfolded over a five year period, and goes something like this (remember, this is not necessarily what happened, but what has been variously alleged):

  • In 2008, Tiversa, a “Peer to Peer (P2P) intelligence services” company out of Pittsburgh, Pennsylvania, finds a stash of Personally Identifiable Information (PII) from over 9000 patients of LabMD. Apparently, a 1,718-page spreadsheet of health insurance billing information was accessible via a P2P file sharing network.
  • LabMD, out of Atlanta, Georgia, declines to deal with Tiversa’s complaint, on the grounds that Tiversa is using the data in its possession to shill LabMD into inking a deal for security consultancy.
  • In 2009, Tiversa decides to hand over the data to the authorities.
  • The FTC gets involved in 2010, asking LabMD to provide documents so it can review the case.
  • LabMD digs its heels in, refusing to agree to a so-called consent decree imposing a security audit every two years for the next 20 years.
  • In 2011, the FTC begins a formal investigation.
  • LabMD files a petition to quash the investigation, on the grounds that Tiversa is an unobjective witness.
  • The FTC disagrees, though not without one dissenting opinion stating that “the commission should avoid even the appearance of bias or impropriety by not relying on [Tiversa’s] evidence or information in this investigation.”
  • On 29 August 2013, the FTC files a formal complaint against LabMD, for “failing to protect consumers’ privacy.”
  • On 17 September 2013 (which, of course, is the one part of the story that hasn’t actually happened yet), Michael J. Daugherty, the CEO of LabMD, will publish a book about the saga so far, The Devil Inside the Beltway [*].

Daugherty’s doughtily-named book claims to document “a government power grab and intimidation that if not for the fact that it is all real, would make for a brilliant novel.”

The book’s marketing material says that what “began with medical files taken without authorization from a laboratory, turned into a government supported extortion attempt,” and vows “to ensure that this does not happen to any other American.”

Wow!

I’m going to sit on the fence here, and decline to take sides (I’ll leave that to you, our readers, in the comments below).

Instead, I’ll just point out that there is one thing that doesn’t seem to be in doubt: the fact that the offending data was, indeed, grabbable via P2P, five long years ago.

And, as the FTC very plainly points out in its latest communication on this issue:

P2P software is commonly used to share music, videos, and other materials with other users of compatible software. The software allows users to choose files to make available to others, but also creates a significant security risk that files with sensitive data will be inadvertently shared. Once a file has been made available on a P2P network and downloaded by another user, it can be shared by that user across the network even if the original source of the file is no longer connected.

How serious, then, can it possibly be that this data “got out” back in 2008?

How long does the risk last after a data leak?

Well, according to the FTC:

[I]n 2012 the Police Department [in Sacramento, California,] found LabMD documents in the possession of identity thieves. These documents contained personal information, including names, Social Security numbers, and in some instances, bank account information, of at least 500 consumers. The complaint alleges that a number of these Social Security numbers are being or have been used by more than one person with different names, which may be an indicator of identity theft.

Rather a long time, apparently.

[*] Inside the Beltway is a US English term meaning related to the federal government, its public service, and those who lobby it. It refers to Interstate Highway 495, the Capital Beltway, an orbital motorway that encircles the US federal capital, Washington DC.

Image of interlinked people courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/8WNatsr9S-0/

Facebook vulnerability that allowed any photo to be deleted earns $12,500 bounty

Arul Kumar, image courtesy of Arul Kumar.

An Indian electronics and communications engineer who describes himself as a “security enthusiast with a passion for ethical hacking” has discovered a Facebook vulnerability that could have allowed for any photo on the site to be deleted without the owner’s knowledge.

Arul Kumar, a 21 year old from Tamil Nadu, discovered that he could delete any Facebook image within a minute, even from verified pages, all without any interaction from the user.

For his efforts in reporting the vulnerability to Facebook’s whitehat bug bounty program Kumar received a reward of $12,500.

The vulnerability that he discovered was based around exploiting the mobile version of the social network’s Support Dashboard, a portal that allows users to track the progress of any reports they make to the site, including highlighting photos that they believe should be removed.

When such a request is submitted, and Facebook does not remove the photo in question, the user has the option of messaging the image owner directly with a photo removal request.

Doing so causes Facebook to generate a photo removal link which is then sent to the recipient of the message (the photo owner). The owner can then opt to click on that link to remove the image.

Kumar discovered that a couple of parameters within this message – ‘photo_id’ and ‘Owners Profile_id’ – could be easily modified.

With this information he then sent a photo removal request for an unrelated image on another account that he controlled. By changing the two parameters in the message received by the second account, Kumar could then choose to delete any image from any user on the network.

The victim of this photo removal technique would not be involved in the process in any way and wouldn’t receive any messages from Facebook – indeed the first they would know of this would be when they logged in to discover their photo(s) had disappeared.

Kumar explained that the exploit could be used to remove photos from any verified user, pages or groups as well as from statuses, photo albums, suggested posts and even comments.
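The parameter-tampering flaw described above, as an added example that is not Facebook’s code: a toy photo service contrasting a removal link that carries photo_id and owner_id (which the server trusts, so a rewritten link deletes any photo) with one that carries only an HMAC-signed, server-side request id and checks the logged-in session against the owner recorded for the photo. All class names, ids and the secret are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode

SERVER_SECRET = b"constructed-secret-do-not-reuse"  # constructed for the example


@dataclass
class Photo:
    photo_id: str
    owner_id: str
    deleted: bool = False


@dataclass
class RemovalRequest:
    request_id: str
    photo_id: str
    owner_id: str       # recorded server-side when the request is created
    used: bool = False  # one-shot: a link cannot be replayed


class PhotoService:
    """Constructed stand-in for the photo backend; not Facebook's implementation."""

    def __init__(self):
        self.photos = {}    # photo_id -> Photo
        self.requests = {}  # request_id -> RemovalRequest

    def add_photo(self, photo_id, owner_id):
        self.photos[photo_id] = Photo(photo_id, owner_id)

    @staticmethod
    def _params(link):
        return {k: v[0] for k, v in parse_qs(link.split("?", 1)[1]).items()}

    # ---- vulnerable design: the link itself carries the authorisation data ----
    def vulnerable_link(self, photo_id, owner_id):
        return "/remove?" + urlencode({"photo_id": photo_id, "owner_id": owner_id})

    def remove_photo_vulnerable(self, session_user, link):
        p = self._params(link)
        photo = self.photos.get(p.get("photo_id"))
        # The owner check compares the session against owner_id *from the link*,
        # so a recipient who rewrites photo_id (and keeps their own owner_id)
        # passes the check and deletes someone else's photo.
        if photo is None or photo.deleted or p.get("owner_id") != session_user:
            return False
        photo.deleted = True
        return True

    # ---- hardened design: opaque signed request id + server-side ownership ----
    def _sign(self, request_id):
        return hmac.new(SERVER_SECRET, request_id.encode(), hashlib.sha256).hexdigest()

    def create_removal_request(self, photo_id):
        photo = self.photos[photo_id]
        rid = secrets.token_urlsafe(16)
        self.requests[rid] = RemovalRequest(rid, photo.photo_id, photo.owner_id)
        return "/remove?" + urlencode({"rid": rid, "sig": self._sign(rid)})

    def remove_photo_hardened(self, session_user, link):
        p = self._params(link)
        rid, sig = p.get("rid", ""), p.get("sig", "")
        # 1. The request id must be one this server issued (constant-time compare).
        if not hmac.compare_digest(sig, self._sign(rid)):
            return False
        req = self.requests.get(rid)
        if req is None or req.used:
            return False
        photo = self.photos.get(req.photo_id)
        # 2. Authorisation comes from stored state, never from the link: the
        #    logged-in user must be the owner recorded for this photo.
        if photo is None or photo.deleted or session_user != photo.owner_id:
            return False
        req.used = True
        photo.deleted = True
        return True


def demo():
    """Constructed scenario with two accounts, 'victim' and 'attacker'."""
    vuln = PhotoService()
    vuln.add_photo("victim-photo", "victim")
    vuln.add_photo("attacker-photo", "attacker")
    # Attacker requests removal of their own photo, then rewrites photo_id.
    link = vuln.vulnerable_link("attacker-photo", "attacker")
    tampered = link.replace("attacker-photo", "victim-photo")

    hard = PhotoService()
    hard.add_photo("victim-photo", "victim")
    hard.add_photo("attacker-photo", "attacker")
    owner_link = hard.create_removal_request("victim-photo")
    forged = "/remove?" + urlencode({"rid": "victim-photo", "sig": "00"})

    return {
        "vulnerable_tampered": vuln.remove_photo_vulnerable("attacker", tampered),
        "hardened_forged": hard.remove_photo_hardened("attacker", forged),
        "hardened_stolen": hard.remove_photo_hardened("attacker", owner_link),
        "hardened_owner": hard.remove_photo_hardened("victim", owner_link),
        "hardened_replay": hard.remove_photo_hardened("victim", owner_link),
    }


if __name__ == "__main__":
    print(demo())
```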

As part of the process of responsible disclosure Kumar forwarded details of the bug to the Facebook security team who, at first, could not delete any photos by following his instructions:

Facebook email

Yeah I messed around with this for the last 40 minutes but cannot delete any victims photos. All I can do is if the victim clicks the links and chooses to remove the the [sic] photo it will be removed which is not a security vuln obviously.

Kumar then explained his bug by using a demo account, as well as sending Facebook a proof of concept video in which he showed how he could have removed Mark Zuckerberg’s own photos from his album.

This time, Emrakul from Facebook’s security team was able to see the vulnerability:

Facebook email 2

Ok found the bug, fixing the bug. The fix should be live sometime early tomorrow.

I will let you know when it is live so you can retest. Wanted to say your video was very good and helpful, I wish all bug reports had such a video :)

Unlike Khalil Shreateh who, two weeks ago, became frustrated with Facebook’s bug reporting process and hacked Mark Zuckerberg’s own timeline, the way in which Kumar reported this bug shows just how responsible disclosure should work.

By following Facebook’s whitehat guidelines he was able to pick up his deserved bounty.


Image of Facebook ‘F’ courtesy of Shutterstock. Image of Arul Kumar courtesy of Arul Kumar.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/HfNC9kFKVmY/


Scots council cops £100K fine for spaffing vulnerable kids’ data ONLINE


UK data privacy watchdogs have fined Aberdeen City Council £100,000 after a council employee published vulnerable children’s details online.

The sensitive social services information was released after a council worker accessed documents, including meeting minutes and detailed reports, from her home computer. A file-transfer program installed on the machine automatically uploaded the documents to a website, publishing sensitive information about several vulnerable children and their families, including details of alleged criminal offences.


The files were uploaded between 8 and 14 November 2011 and remained available online until 15 February 2012 when another member of staff spotted the documents after carrying out an online search linked to their own name and job title. The documents were removed before the incident was reported to data watchdogs at the Information Commissioner’s Office (ICO).

The ICO’s investigation found that the council had no relevant home-working policy in place for staff. The local authority also erred in a lack of technology safeguards to restrict the downloading of sensitive information from the council’s network.

Ken Macdonald, assistant commissioner for Scotland at the ICO, said: “As more people take the opportunity to work from home, organisations must have adequate measures in place to make sure the personal information being accessed by home workers continues to be kept secure.

“In this case Aberdeen City Council failed to monitor how personal information was being used and had no guidance to help home workers look after the information. On a wider level, the council also had no checks in place to see whether the council’s existing data protection guidance was being followed. The result was a serious data breach that left the sensitive information of a vulnerable young child freely available online for three months.”

Macdonald expressed the wish that the case would act as a wake-up call for other social work departments to improve their data protection practices. Aberdeen City Council has agreed to undertake an audit that will evaluate how it can improve its compliance with the Data Protection Act.

Only four of the penalties imposed by the ICO in the year to April 2013 fell on private sector firms, with the public sector copping fines of £2.09m out of a total of £2.61m. Take away the £250k fine against Sony over the 2011 breach of the PlayStation Network and the figures are even more slanted.

The most-penalised organisations by the ICO in the last financial year were local councils (accounting for eight penalties) and the NHS (accounting for six). NHS trusts alone were hit by fines of £945,000 while local councils were stung for £845,000.

The fine against Aberdeen is further evidence that there’s a poor data security culture in local government that appears to be deeply ingrained. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/02/aberdeen_ico_fine/

US Army ignores shared PC login flaw, asks soldiers to keep quiet

Army and computer. Image courtesy of Shutterstock.

A soldier was made to sign a non-disclosure agreement by the US Army after pointing out a security flaw which allowed accounts on shared PCs to be accessed without proper authentication.

The trivial login issue, which seems to allow soldiers to operate shared PCs with the access rights of the previous user, was exposed last week in a report on BuzzFeed, and has since been confirmed by senior US Army staff.

Army staff authenticate on shared computers on bases and in the field using Common Access Card (CAC) smart ID cards. On completing a session the card is removed from the reader and the session should be terminated. However, it appears that the logoff process is often slow and can easily be cancelled by the next user, who can then continue to access the system under the previous user’s account.

The issue itself is not hugely serious, although it’s not difficult to imagine a rogue member of staff easily manipulating it to gain access to information they should not have, or to carry out actions unmonitored – something which should be a high priority in US defense and intelligence circles, given the many high-profile problems keeping control of their data in recent years.

The way the problem was dealt with, on the other hand, could serve as a textbook example of how not to deal with security problems.

The issue has been known about for over two years, with one Army lieutenant who spotted it facing all manner of troubles when he tried to report it to senior staff. Having been told that the problem was too tricky to fix, he was then allegedly made to sign a non-disclosure agreement and told he could face imprisonment if he broke it.

Others who pointed out the flaw to superiors were faced with silent inaction.

A statement issued by senior Army IT security staff after the problem appeared in the news has advised soldiers to be more careful when logging out of shared PCs.

It really shouldn’t be beyond the abilities of IT staff to fix a problem like this, especially within a two-year time frame.

Admittedly army funds are not unlimited, like any budget, and rolling out a fix to machines scattered all over the world might be quite a task, but the problem should at the very least be noted down and added to requirements for any future redesign or upgrade.

Responding to helpful bug reports by enforced vows of silence and threats of jail is no way to encourage people to be open about problems they may spot.

More advanced, specialised vulnerability research may be restricted to dedicated experts, but the everyday users of a system are an invaluable resource for spotting simple, easily-exploited security holes.

Encouraging people to take more care and have responsibility for their own security clearly has some value. In an institution which relies heavily on discipline this approach may provide a powerful check on violators, but in normal situations it should only be part of the solution, not the only layer of protection.

Rules for accessing secure systems should be backed up with technical controls too; even the army can’t trust everyone it employs, as they now know to their cost.

In business settings, this approach to dealing with IT issues would be inexcusable. But then, most businesses don’t have the threat of 30-year prison sentences to dangle over potential data miscreants.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/6TvpXNHhQq8/

Boffins confirm quantum crypto can keep a secret


Over recent years, the gap between the theoretical security of quantum cryptography and its practical implementation has provided plenty of fun for super-geniuses the world over.

Yes, quantum cryptography is supposed to be unbreakable. After all, if anybody so much as observes the state of a photon that Alice has prepared and sent to Bob, the measurement disturbs that state, the error rate Bob sees goes up, and Bob will know something’s wrong.

However, practical implementations of quantum cryptography left various possible attack vectors. To close these attacks (described in more detail below), the quantum crypto community proposed a new protocol, MDI-QKD (measurement device independent quantum key distribution), and now, two research groups working independently have verified that MDI-QKD gets a long way towards a provably-secure quantum crypto scheme.

One group worked out of Canada’s University of Calgary (paper available at Arxiv, here), while the other was an international group comprising researchers from the University of Science and Technology, Hefei, Tsinghua University in Beijing, and Stanford University.

The scheme common to the two tests is to include a third party, Charlie, in the key-exchange process. First proposed by Hoi-Kwong Lo at the University of Toronto, the protocol has Charlie perform a single joint (Bell-state) measurement on Alice’s and Bob’s photons, one that reveals only whether their pulses are polarised at right angles to each other.

Importantly, Charlie’s detector doesn’t report Alice’s or Bob’s polarisation, only the relation between them. Each round, Alice and Bob each send a photon in a randomly chosen polarisation; when Charlie’s measurement succeeds he announces the result, Alice and Bob keep the round if they used the same basis, and Bob flips his bit where the announced outcome requires it so that both ends hold the same value. Rounds in which the measurement fails, or in which the bases differ, are simply discarded.

Since Charlie never reports polarisation values, all a third party (Eve) can learn by watching him is whether a round succeeded and whether Alice’s and Bob’s pulses were aligned or crossed, which says nothing about the value they agreed on. That is also why the scheme is called measurement device independent: Charlie’s detectors can be faulty, or even run by Eve herself, without revealing the key, which is exactly the part of a QKD system the earlier attacks went after.
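The sifting step just described, as an added worked simulation that is not code from either paper or from the article. It assumes an ideal, lossless set-up: single photons, a linear-optics Bell-state measurement that can identify the ψ⁻ and ψ⁺ outcomes and reports anything else as a failure, and the usual MDI-QKD correction rule (Bob flips on ψ⁻ in either basis and on ψ⁺ in the rectilinear basis). The second function shows the security point of the passage directly: what Charlie announces has the same distribution whether Alice’s bit is 0 or 1.

```python
import math
import random

# Single-photon polarisation states as amplitude vectors in the (H, V) basis.
# Basis "Z" is rectilinear (H/V), basis "X" is diagonal (+/-); bit 0/1 picks the state.
S = 1 / math.sqrt(2)
STATES = {
    ("Z", 0): (1.0, 0.0),   # |H>
    ("Z", 1): (0.0, 1.0),   # |V>
    ("X", 0): (S, S),       # |+>
    ("X", 1): (S, -S),      # |->
}

# Bell states as vectors over (HH, HV, VH, VV). A linear-optics Bell-state
# measurement only identifies psi+ and psi-; phi+/phi- give no usable click
# pattern, so Charlie reports those rounds as "fail". (Ideal model, assumed.)
BELL = {
    "psi-": (0.0, S, -S, 0.0),
    "psi+": (0.0, S, S, 0.0),
    "phi+": (S, 0.0, 0.0, S),
    "phi-": (S, 0.0, 0.0, -S),
}


def outcome_probs(a_state, b_state):
    """Probability of each announcement Charlie can make for a pair of input states."""
    joint = [a * b for a in a_state for b in b_state]  # tensor product: HH, HV, VH, VV
    probs = {}
    for name, bell in BELL.items():
        amp = sum(x * y for x, y in zip(bell, joint))
        probs[name] = amp * amp
    probs["fail"] = probs.pop("phi+") + probs.pop("phi-")
    return probs


def charlie_announces(a_state, b_state, rng):
    """Sample one public announcement from Charlie's measurement."""
    r, acc = rng.random(), 0.0
    for name, p in outcome_probs(a_state, b_state).items():
        acc += p
        if r < acc:
            return name
    return "fail"


def run_mdi_qkd(rounds, seed=0):
    """Run `rounds` of MDI-QKD and return the sifted keys (alice_key, bob_key)."""
    rng = random.Random(seed)
    alice_key, bob_key = [], []
    for _ in range(rounds):
        a_basis, a_bit = rng.choice("ZX"), rng.randrange(2)
        b_basis, b_bit = rng.choice("ZX"), rng.randrange(2)
        ann = charlie_announces(STATES[(a_basis, a_bit)], STATES[(b_basis, b_bit)], rng)
        # Sifting: Charlie's announcement and the basis comparison are public;
        # the bit values never leave Alice's and Bob's labs.
        if ann == "fail" or a_basis != b_basis:
            continue
        # psi- is anti-correlated in both bases; psi+ only in the Z basis.
        if ann == "psi-" or (ann == "psi+" and a_basis == "Z"):
            b_bit ^= 1
        alice_key.append(a_bit)
        bob_key.append(b_bit)
    return alice_key, bob_key


def announcement_distribution(basis, alice_bit):
    """What an observer of Charlie sees given Alice's bit, averaged over Bob's random bit."""
    dist = {"psi-": 0.0, "psi+": 0.0, "fail": 0.0}
    for b_bit in (0, 1):
        probs = outcome_probs(STATES[(basis, alice_bit)], STATES[(basis, b_bit)])
        for name, p in probs.items():
            dist[name] += p / 2
    return {k: round(v, 9) for k, v in dist.items()}


if __name__ == "__main__":
    a, b = run_mdi_qkd(2000, seed=1)
    print(len(a), "sifted bits, keys agree:", a == b)
    for basis in "ZX":
        print(basis, announcement_distribution(basis, 0), announcement_distribution(basis, 1))
```

About a quarter of the rounds survive sifting (half share a basis, and half of those give a ψ outcome), and the two keys agree bit for bit. The last loop is the security argument in numbers: for either basis, Charlie’s announcement distribution is identical for Alice’s bit 0 and bit 1, so nothing Eve reads off Charlie, or off detectors she controls, tells her the key.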

The Canadian experiment took the MDI-QKD proposal on a field test – not using it to generate random keys, but to determine whether the measurement scheme would work over realistic distances. Charlie was kept on campus, while Alice and Bob were 6 km and 12 km away, respectively.

In the US-China test, Alice, Bob and Charlie were confined to the lab (albeit using a 50 km fibre on a reel): their test was demonstrating that MDI-QKD allows truly random keys to be generated. Not only that, but the test produced a 25 kbit secure key at a realistic key-generation rate.

In both cases, the answer was “yes”. So while companies making commercial QKD kit had already started responding to the earlier attacks, there is now a protocol available for future designs. ®

Bootnote: Attack types

Let’s look first at working with a single photon. If the eavesdropper, Eve, takes a guess at the polarisation Alice is sending, and gets it right, Bob will see a bright pulse from Eve and register it as a hit. If she gets it wrong, the avalanche photodiode at Bob’s end would receive too dim a light to register anything at all – it would be a missed pulse and would count not as a “yes” or “no”, but as an error.

The problem here is that in older schemes, Bob might tolerate an error rate as high as 20 percent before rejecting the channel. That gives Eve enough opportunities to test her guesses before Bob decides the channel is compromised.
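The guessing attack the bootnote describes, modelled as the textbook intercept-resend attack on a prepare-and-measure polarisation scheme. This is an added example and is not code from the article or from either research group: Eve grabs a fraction of the pulses, measures each in a randomly guessed basis and resends what she saw; Bob then measures in his own random basis and the two ends keep only rounds where their bases match. The 20 percent acceptance threshold is the figure the bootnote quotes; the simulation shows how much of the key Eve can touch while staying under it.

```python
import random


def measure(basis_sent, bit_sent, basis_measured, rng):
    """Ideal polarisation measurement: the right basis reads the bit exactly,
    the wrong basis collapses the photon to a uniformly random result."""
    if basis_sent == basis_measured:
        return bit_sent
    return rng.randrange(2)


def intercept_resend(rounds, intercept_fraction, seed=0):
    """Simulate a prepare-and-measure exchange with Eve intercepting and resending
    `intercept_fraction` of the pulses. Returns the sifted-key error rate (QBER)
    and the fraction of sifted bits on which Eve's guess matches Alice's bit."""
    rng = random.Random(seed)
    sifted = errors = eve_match = 0
    for _ in range(rounds):
        a_basis, a_bit = rng.choice("ZX"), rng.randrange(2)
        send_basis, send_bit, eve_bit = a_basis, a_bit, None
        if rng.random() < intercept_fraction:
            e_basis = rng.choice("ZX")                       # Eve guesses a basis
            eve_bit = measure(a_basis, a_bit, e_basis, rng)  # ...and measures
            send_basis, send_bit = e_basis, eve_bit          # ...then resends her result
        b_basis = rng.choice("ZX")
        b_bit = measure(send_basis, send_bit, b_basis, rng)
        if b_basis != a_basis:
            continue  # sifting: mismatched bases are discarded publicly
        sifted += 1
        if b_bit != a_bit:
            errors += 1  # Eve's wrong-basis resend shows up here as an error
        if eve_bit is not None and eve_bit == a_bit:
            eve_match += 1
    return {"qber": errors / sifted, "eve_match": eve_match / sifted}


def channel_accepted(qber, threshold=0.20):
    """Bob's acceptance rule: keep the key unless the error rate exceeds the threshold."""
    return qber <= threshold


if __name__ == "__main__":
    for f in (0.0, 0.6, 1.0):
        r = intercept_resend(20000, f, seed=int(f * 10))
        print(f"intercept {f:.0%}: QBER {r['qber']:.3f}, Eve matches {r['eve_match']:.3f}, "
              f"accepted at 20%: {channel_accepted(r['qber'])}")
```

Intercepting every pulse gives a QBER of about 25 percent (Eve picks the wrong basis half the time, and half of those resends come out wrong at Bob’s end), which a 20 percent threshold does catch. But intercepting 60 percent of the pulses produces only about 15 percent errors, passes the check, and leaves Eve with a guess that matches roughly 45 percent of the sifted key. The tight proven bound for this kind of scheme is around 11 percent QBER, which is why a 20 percent tolerance is far too generous.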

And no, El Reg is not aware of any successful real world attacks using these techniques.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/09/02/your_secrets_are_safe_with_quanta_after_all/