STE WILLIAMS

Signatures no good at protecting databases, says Juniper

One of the most common forms of attack is the SQL injection, and although the vector is ancient and well-understood, it’s notoriously difficult to defend against.

Kevin Kennedy, senior director of product management for Juniper Networks’ security business unit, is in Australia to demonstrate Juniper’s latest shot at defeating SQL injection – not with block-by-signature, but by trapping attackers. Spotlight Secure was first launched globally in February, 2013.


The idea behind Spotlight Secure is that signatures in Web application firewalls are no longer effective against the patient attacker, and input validation only goes so far.

Kennedy said it’s been proven that input validation must fail at some point. There will inevitably be a collision between a genuine input that should be passed, and a malicious input that should be blocked.

It’s also inevitable that even with a Web application firewall standing between the SQL server and the Internet, a patient attacker will find a combination of inputs that doesn’t trigger a signature alert on the firewall – but does give an attacker an SQL injection vector.

It’s not perfect – nothing is – but the idea is to make attacks slower and more expensive, while at the same time, using super-cookies to fingerprint the attacker.

To take a simple example of an attack on SQL, an attacker might first try changing parameters in a URL with the aim of generating errors that tell them things about the database behind the Website. From that starting point, the attacker then starts passing increasingly sophisticated parameters to the SQL engine with the ultimate aim of retrieving user IDs and passwords.

Rather than trying to create a perfect validation list, Juniper is instead slotting fake parameters into the URL – for example, offering database parameters such as columns that don’t exist.

If someone tries to access a “trap” parameter, the system starts treating the user as a likely attacker. Rather than simply blocking that user’s IP (which isn’t particularly useful long-term), there are a number of actions available to the system administrator.

One is to slow down system responses to that user – a very simple way to make the attack more expensive. Another is the super-cookie mentioned earlier. The principles of super-cookies will already be well-known to regular readers of El Reg, but in short, they’re harder to detect than the “standard” (for want of a better word) cookie, and they collect information to more accurately profile the machine they’re installed on.

With enough data captured – the browser, the installed fonts, timezone, screen resolution, pointer device, camera type and so on – the system can capture a fingerprint of the attacking machine that might not be unique, but is a pretty useful characterisation of the attacker. Rather than watching for something easily changed, like the IP address, the system is now looking for the fingerprint of the super-cookie, and acting accordingly.
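The trap-parameter idea above can be reduced to a small piece of server-side detection logic: any request that names a field the real application never exposes is treated as a probe, the client is tarpitted with a delay that grows with each hit, and requests are correlated by a fingerprint of client attributes rather than by IP address. The following is an added example written for this page, not Juniper's Spotlight Secure code; the trap parameter names, the access-log lines and the attributes used for the fingerprint (only the user-agent and language are available in a log, where a real super-cookie would collect far more) are all constructed for illustration.

```python
"""Honeytoken URL parameters: flag clients that request fields no legitimate
user would ever ask for, then tarpit and fingerprint them.

Added example, not Juniper's code. TRAP_PARAMS, SAMPLE_LOG and the fingerprint
attributes are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Assumed: parameter names that exist nowhere in the real application, so any
# request carrying them came from someone guessing at the back-end schema.
TRAP_PARAMS = {"dbg_col", "legacy_uid"}

# Constructed access-log lines: client ip, request line, status, user-agent,
# Accept-Language. The first client trips two traps; the second is a normal user.
SAMPLE_LOG = """\
10.0.0.5 "GET /items?id=42 HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64)" "en-GB"
10.0.0.5 "GET /items?id=42&dbg_col=1 HTTP/1.1" 500 "Mozilla/5.0 (X11; Linux x86_64)" "en-GB"
10.0.0.5 "GET /items?id=42&legacy_uid= HTTP/1.1" 500 "Mozilla/5.0 (X11; Linux x86_64)" "en-GB"
10.0.0.9 "GET /items?id=7 HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 6.1)" "de-DE"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
    r'"(?P<ua>[^"]*)" "(?P<lang>[^"]*)"$'
)


def trap_params_in(target: str) -> set[str]:
    """Return the trap parameter names present in a request target's query string."""
    query = urlsplit(target).query
    names = {k for k, _ in parse_qsl(query, keep_blank_values=True)}
    return names & TRAP_PARAMS


def fingerprint(attrs: dict[str, str]) -> str:
    """Stable digest of client attributes; the log only gives us UA and language,
    a real fingerprint would fold in fonts, timezone, screen size and so on."""
    canon = "\n".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canon.encode()).hexdigest()[:16]


def tarpit_delay(trap_hits: int, base: float = 0.5, cap: float = 30.0) -> float:
    """Seconds to hold a response: doubles with every trap hit, capped so the
    server never ties up a worker indefinitely. Zero for clean clients."""
    if trap_hits <= 0:
        return 0.0
    return min(cap, base * 2 ** (trap_hits - 1))


def analyse(log_text: str) -> dict[str, dict]:
    """Group requests by client fingerprint and count trap hits per client."""
    clients: dict[str, dict] = defaultdict(
        lambda: {"ips": set(), "trap_hits": 0, "trap_params": set()}
    )
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that don't match the constructed format
        fp = fingerprint({"ua": m["ua"], "lang": m["lang"]})
        entry = clients[fp]
        entry["ips"].add(m["ip"])
        hit = trap_params_in(m["target"])
        if hit:
            entry["trap_hits"] += 1
            entry["trap_params"] |= hit
    for entry in clients.values():
        entry["delay"] = tarpit_delay(entry["trap_hits"])
    return dict(clients)


if __name__ == "__main__":
    for fp, entry in analyse(SAMPLE_LOG).items():
        print(fp, entry)
```

Because the grouping key is the fingerprint rather than the IP, a probing client that changes address but keeps the same browser profile still accumulates hits, which is the point Kennedy makes about watching for something that changes slowly instead of something trivially changed.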

The aim, Kennedy said, is to track attackers rather than merely blocking them. “We want to change the economics of the attack,” he said. “Slow them down, waste their time, plant the cookie so we can recognise them.”

In most circumstances, Kennedy said, the characteristics that the super-cookie uses to build its fingerprint change incrementally and slowly. It’s far more common for someone to replace a keyboard or buy a new screen than to configure a whole new machine.

And at the same time, since the ordinary user of a site is never going to try to get the SQL server to display the contents of the fake field, the company also hopes to address the false positive problem that makes even owners of Web application firewalls under-use the technology.

Is it perfect? Of course not: an experienced attacker will know how to protect themselves against super-cookies. However, Kennedy said, this doesn’t invalidate the trap, since the attack will still be identified and logged.

Another example: you can’t plant a super-cookie on a Linux machine booted from a USB stick with no write privileges. However, Kennedy said, the failure of the cookie will flag the machine as a likely attacker.

The Register asked Kennedy if the fingerprints collected by super-cookies wouldn’t be more useful if they could be shared between security vendors. The answer: yes – if the challenges involved could be overcome.

“The model of sharing fingerprints is not useful in isolation,” he said. “But we believe that sharing is very important – this industry does not share well together.”

As a start, he said, Juniper Networks has announced a partnership with RSA, but broader sharing is “hard, because it requires that you have an active proxy using the fingerprints.” That, he said, is more complex than scoring the reputation of IP addresses.

“What should be shared is granular, enforceable information. But what we need is for other vendors to say ‘yes, this is something we could do.’ We’re open to having that conversation.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/05/signatures_no_good_at_protecting_databases_says_juniper/

Cameron eyes ‘non legislative options’ for more spook snoop powers

Prime Minister David Cameron aims to extend spooks and cops’ powers to snoop on Brits’ internet activities without bothering to pass any new laws.

While the Tory leader told MPs that he hoped to gain cross-party support (ie: Labour’s) on granting the authorities more access to communications data in the UK, he added that he was considering “non-legislative options”.


His comments come after his Coalition second-in-command, deputy prime minister and Liberal Democrat leader Nick Clegg, bulldozed Home Secretary Theresa May’s attempt to get her draft internet surveillance law, the Communications Data Bill, mentioned in the Queen’s Speech – which sets out the UK’s upcoming legislative programme.

Instead, Her Majesty confirmed last month that narrow provisions were to be put in place to aid spooks and police in accessing information they need to supposedly protect the British public “in relation to the problem of the matching of IP addresses”.

With the Lib Dems opposed to the web-snooping proposals, Labour has made it clear that it would throw its weight behind the Tories and back a law enabling greater online surveillance in the name of fighting terrorists and crimelords.

(While in government, Labour was forced to abandon its efforts to bring in such legislation under its proposed and widely-derided Interception Modernisation Programme. In opposition, the Tories rejected that plan.)

Now the murder of soldier Lee Rigby in Woolwich nearly two weeks ago has reignited the debate on the government and police accessing information about our activities online. Labour used the shocking slaying as political currency to demand that the government revisits May’s draft comms data bill.

On Monday in the Commons, Labour leader Ed Miliband pressed Cameron to explain to the Commons what his current view was on the issue, in light of Rigby’s death. The Prime Minister replied:

On the issue of communications data, I think we need a frank debate in the House. There is a problem in that, currently, about 95 per cent of serious crimes involve the use of communications data.

This is not about the content of a fixed or mobile telephone call, but about the nature of the call: when it was made, who made it and when they made it.

As telephony moves from fixed and mobile telephony on to the internet, our intelligence and police services will have a problem.

We need to address that problem, and we should do so sensitively and carefully, looking at all the non-legislative options, but I hope for a measure of cross-party support, on both sides of the House, to try and get this right, because we will suffer if we do not.

He had earlier told MPs in the Commons he was concerned that Brits were being radicalised by websites stuffed full of inflammatory content. Cameron said “5,700 items of terrorist material have been taken down from the internet, and almost 1,000 more items have been blocked where they are hosted overseas, but it is clear we need to do more”.

Labour MP and Home Affairs Select Committee chairman Keith Vaz asked the PM if he would revisit the panel’s 2012 recommendation of a code of conduct for ISPs and search engines. He asked Cameron if he considered companies such as Google to be “far too laid back about removing extremist content” from services such as its video-sharing site YouTube.

Cameron said that he would look again at the code to “see what more can be done”.

Lib Dem MP Julian Huppert – a long-standing opponent of May’s proposals – was told by the prime minister that it was not “helpful to refer to taking action on communications data as a snoopers’ charter”.

Huppert had urged Cameron to agree that such powers would not have prevented Rigby’s vicious murder but instead “would treat us all as suspects”.

The PM said that a “grown-up debate” was needed in Parliament to discuss what the government should do as “telephony moves on to the internet”. He claimed failure to do so would put the UK at risk. He added:

The draft [communications] bill that we produced also had huge amounts of pre-legislative scrutiny. We have to recognise that there will always be civil liberties concerns about this issue, so we should look at how we can start moving the debate on, recognising that there is a block of telephony covered by fixed and mobile telephony that is dealt with.

The premier went on: “As we move to more internet-based telephony, how are we going to help the police deal with that? We may have to take this in short steps, so that we can take the House with us and listen to concerns about civil liberties, but I am convinced that we have to take some steps, otherwise we will not be doing our job.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/04/david_cameron_communications_data/

EVE Online OFFLINE: Wannabe Capt Kirks clobbered in cluster-ruck

Updated Multiplayer spaceship game EVE Online has taken its systems offline after it was warped out of shape by a debilitating denial-of-service attack.

In a statement on Facebook, its developers at CCP Games explained that it disconnected its server cluster from the internet as a precaution while it reviewed the integrity and defences of its infrastructure:


At 02:05 GMT June 2nd, CCP became aware of a significant and sustained distributed denial-of-service attack (DDoS) against the Tranquility cluster (which houses EVE Online and DUST 514) and web servers.

Our policy in such cases is to mobilize a taskforce of internal and external experts to evaluate the situation. At 03:07 GMT, that group concluded that our best course of action was to go completely offline while we put in place mitigation plans.

While we initially reopened EVE Online and DUST 514, we have since re-evaluated. With the highest sense of precaution we have taken Tranquility and associated websites back down for further investigation and an exhaustive scan of our entire infrastructure. We will update you more frequently via our Twitter feed (www.twitter.com/eveonline), however, an extended service interruption of several hours is expected as this process should not be rushed.

Role-playing game EVE Online, once memorably described by a player as having “the learning curve of putting a 5-year-old through a nuclear physics masters degree”, has, over recent years, become a forum where rival gamers, gold farmers and occasionally hacktivists such as LulzSec slug it out.

In some ways the real-world action is much more colourful than the space-cruiser-on-battleship action that the game actually offers, but it’s rare for systems to be taken offline. Progress towards resolving the problem can be found on Eve Online’s Twitter feed here. ®

Updated to add

Eve Online’s Tranquility server cluster is now coming back online. The team said it discovered someone exploiting a vulnerability in its backend systems, and has patched the bug.

“We would like to stress that at no time was customer data compromised or accessible in any way. We will be looking at ways to compensate players in both EVE and DUST for the outage,” the developers said in a statement today.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/03/eve_online_ddos/

Look out, fanbois! EVIL charger will inject FILTH into your iPHONE

Scientists have invented a dangerous new charger capable of infecting iPhones with any malware they choose.

Eggheads from the Georgia Institute of Technology claim to be able to hack an iPhone in under one minute using a “malicious charger” called Mactans.


The team claimed their findings challenge the iPhone’s reputation as an über-secure platform.

Billy Lau, Yeongjin Jang and Chengyu Song will debut their evil plug at the Black Hat USA conference, which starts at the end of July.

Describing their discovery, the team said: “Apple iOS devices are considered by many to be more secure than other mobile offerings. In evaluating this belief, we investigated the extent to which security threats were considered when performing everyday activities such as charging a device. The results were alarming.

“Despite the plethora of defense mechanisms in iOS, we successfully injected arbitrary software into current-generation Apple devices running the latest operating system software. All users are affected, as our approach requires neither a jailbroken device nor user interaction.”

Apple phones come with sophisticated security mechanisms to help prevent unauthorised software installing itself without permission. The team claimed that “USB capabilities can be leveraged to bypass these defense mechanisms” and then cloak the injected software, so it appears to be “hidden in the same way Apple hides its own built-in applications”.

They created Mactans using a Beagleboard, naming it after the Latin name for the Black Widow spider – Latrodectus mactans.

“This hardware was selected to demonstrate the ease with which innocent-looking, malicious USB chargers can be constructed,” the team added.

“While Mactans was built with a limited amount of time and a small budget, we also [considered] what more motivated, well-funded adversaries could accomplish,” the team added.

Fanbois can rest easy: the mad scientists only wanted to probe the potential security flaws in your iPhone so Apple can protect you from the big bad world of malware. Although, seeing as one of the team trained at Peking University, it’s not difficult to imagine where these “well-funded adversaries” might be coming from. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/03/evil_charger_wants_to_destroy_your_iphone/

Spamhaus-style DDoS attacks: All the hackers are doing it

Hackers are increasingly turning to DNS reflection to amplify the volume of distributed denial of service (DDoS) attacks.

The technique has been known about for years but seldom used in anger, until the debilitating DDoS attack in March that peaked at 300 Gbps against anti-spam organisation Spamhaus and cloud-based DDoS mitigation firm CloudFlare.


DNS reflection attacks involve sending a request for a large DNS zone file to a DNS server, with the details of the request forged so that they appear to come from the IP addresses of the intended victim.

Open public-facing DNS servers respond to the request with a large file. The attackers’ requests are only a fraction of the size of the responses, meaning attackers can effectively amplify their attack by a factor of 100 over the volume of bandwidth they control.
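The amplification described above is just the ratio of response bytes to request bytes, and an open resolver can spot that it is being used as a reflector from its own query log: a flood of small queries that all claim the same source address and all draw large answers. The following is an added example, not code from CloudFlare, Prolexic or Spamhaus; the flow records, byte sizes and thresholds are constructed for illustration, and the 10x ratio and three-query minimum are assumptions a real deployment would tune.

```python
"""Measure DNS amplification and flag likely reflection targets from an open
resolver's query log.

Added example, not from any vendor named on the page. SAMPLE_FLOWS and the
thresholds are constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsFlow:
    """One query/response pair as an open resolver would log it."""
    src_ip: str      # claimed source of the query; the victim, if it was spoofed
    qname: str
    qtype: str
    req_bytes: int   # size of the query the resolver received
    resp_bytes: int  # size of the answer the resolver sent back to src_ip


def amplification_factor(req_bytes: int, resp_bytes: int) -> float:
    """Bytes sent to the claimed source per byte the attacker had to send."""
    if req_bytes <= 0:
        raise ValueError("request size must be positive")
    return resp_bytes / req_bytes


def summarise_by_source(flows: list[DnsFlow]) -> dict[str, dict]:
    """Aggregate query count, byte totals and overall ratio per claimed source."""
    agg: dict[str, dict] = defaultdict(
        lambda: {"queries": 0, "req_bytes": 0, "resp_bytes": 0, "qtypes": set()}
    )
    for f in flows:
        e = agg[f.src_ip]
        e["queries"] += 1
        e["req_bytes"] += f.req_bytes
        e["resp_bytes"] += f.resp_bytes
        e["qtypes"].add(f.qtype)
    for e in agg.values():
        e["ratio"] = amplification_factor(e["req_bytes"], e["resp_bytes"])
    return dict(agg)


def find_reflection_targets(
    flows: list[DnsFlow], min_queries: int = 3, min_ratio: float = 10.0
) -> list[str]:
    """Claimed sources that received repeated, heavily amplified answers.

    A single large answer is normal; many of them to one address, each costing
    the sender a fraction of what it receives, is the reflection signature.
    """
    summary = summarise_by_source(flows)
    return sorted(
        ip
        for ip, e in summary.items()
        if e["queries"] >= min_queries and e["ratio"] >= min_ratio
    )


# Constructed flows using documentation address ranges (RFC 5737).
# 203.0.113.10 never sent these queries; the attacker forged its address.
SAMPLE_FLOWS = [
    DnsFlow("203.0.113.10", "example.net", "ANY", 64, 3200),
    DnsFlow("203.0.113.10", "example.net", "ANY", 64, 3200),
    DnsFlow("203.0.113.10", "example.net", "ANY", 64, 3200),
    DnsFlow("203.0.113.10", "example.net", "ANY", 64, 3200),
    DnsFlow("203.0.113.10", "example.net", "ANY", 64, 3200),
    DnsFlow("192.0.2.7", "www.example.com", "A", 45, 90),      # ordinary lookups
    DnsFlow("192.0.2.7", "mail.example.com", "MX", 47, 120),
    DnsFlow("198.51.100.4", "example.org", "ANY", 62, 2900),  # one big answer, not a flood
]


if __name__ == "__main__":
    for ip, e in summarise_by_source(SAMPLE_FLOWS).items():
        print(f"{ip:14} queries={e['queries']} ratio={e['ratio']:.1f}")
    print("likely reflection targets:", find_reflection_targets(SAMPLE_FLOWS))
```

The per-source ratio is what matters operationally: a resolver that sees this pattern is the one with the power to stop it, by closing itself to recursive queries from the wider internet or by rate-limiting identical responses to a single address, which is why the mitigation work after the Spamhaus attack concentrated on open resolvers.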

The same sort of technique has been used to run a series of other attacks since, according to Matthew Prince, CloudFlare’s chief exec. Traffic of 50-60 Gbps in each attack is becoming typical. The Spamhaus attack illustrated the open DNS server problem; mitigation actions since that attack mean there are fewer open resources to exploit.

Nonetheless, exploiting open systems to run debilitating attacks remains relatively straightforward, according to Prince: “All you need is 10 lines of code and a lot of patience.”

As well as the high volume attacks, CloudFlare is seeing a growth in smaller but more sophisticated attacks, often targeting online multiplayer games and similar targets.

In one example, gamers turned haters are targeting login credential servers by blitzing them with fake usernames and passwords. The tactic is designed to stop rivals of hackers being able to log back into online games after being turfed off by so-called booters. With rivals unable to log back into the game, hackers can win by default.

Initial “caveman with a club” SYN flood attacks designed to swamp an internet connection are being followed up by more sophisticated app layer attacks against credential servers, Prince explained. He added that, in many ways, DDoS attacks are getting run for much the same reasons IRC flamewars used to take place.

Prolexic, another DDoS mitigation firm, separately announced it had successfully blocked a massive DNS reflection DDoS attack that peaked at 167 Gbps against an unnamed “real-time financial exchange platform” on 27 May.

“This was a massive attack that made up in brute force what it lacked in sophistication,” said Scott Hammack, Prolexic’s CEO. “Because of the proactive DDoS defense strategies Prolexic had put in place with this client, no malicious traffic reached its website and downtime was avoided. In fact, the company wasn’t aware it was under attack.”

The DDoS mitigation for this attack was distributed across Prolexic’s four cloud-based scrubbing centres in Hong Kong, London, and the US. Prolexic’s London-based scrubbing centre mitigated the majority of the malicious traffic, which peaked at 90 Gbps.

More background info on DNS reflection DDoS attacks can be found in a whitepaper by Prolexic here (registration required). ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/03/dns_reflection_ddos_amplification_hacker_method/

My bleak tech reality: You can’t trust anyone or anything, anymore

Opinion Virtually everything we work with on a day-to-day basis is built by someone else. Avoiding insanity requires trusting those who designed, developed and manufactured the instruments of our daily existence.

All these other industries we rely on have evolved codes of conduct, regulations, and ultimately laws to ensure minimum quality, reliability and trust. In this light, I find the modern technosphere’s complete disdain for obtaining and retaining trust baffling, arrogant and at times enraging.


A simple problem

Let’s use authentication systems as a fairly simple example. Passwords suck, we all know they suck, and yet the majority of us still try to use easy to remember (and thus easy to crack) passwords for virtually everything.

The use of password managers and two-factor authentication is on the rise, but we have once more run into a classic security versus usability issue with both technologies.

Two-factor authentication is a pain. I have to log in to over 20 different networks, websites and so forth every day. That number is only going to increase. I am not whipping out my phone and punching in a random string of numbers every time.

When you factor in session time-outs I probably have to enter a password over 100 times a day. Entering a password, pulling out my phone, bringing up the relevant application and then entering the code takes on average 30 seconds per login. If I were to use two-factor authentication for everything I would spend 50 minutes of every day just logging into things! This is inherently unsustainable.

The other alternative is a password manager. Password managers come in two basic types: ones that live on your local system and ones that store their information on a remote system.

Much to both Microsoft and Apple’s dismay, the era of individuals using only one device is long over. I have two smartphones, a tablet, a netbook, a notebook, a luggable, a desktop and three personal virtual machines. All of which get used every single day. I am an edge case, but in technology, today’s edge case is tomorrow’s mainstream.

This means that in the real world the system-local password manager is completely useless. If I am going to generate some uncrackable, randomly generated password string and store it in my password manager, then I need to get at that password from any device I use. This means I need a centrally accessible password store. Once more, this bifurcates my options.

The first option is to use a cloud-based service like LastPass. LastPass is amazing – simple to use and effective. It has browser plug-ins for all major browsers that can autocomplete your passwords for sites you have to go to, and it generally makes the whole process of logging in as unobtrusive as possible.

The basics of the service are that you put all of your passwords into LastPass and it stores them in the LastPass cloud. You then log in once (per browser) and LastPass handles your authentication to all websites you visit.

Of course, this still means having a password that you can realistically remember in order to get into LastPass in the first place. This might seem like a single point of attack, but the software solves it by offering various forms of two-factor authentication. So you still have to drag out the smartphone – or use the fingerprint reader – but only once, per browser, per system, per day.

The second option is to create something like LastPass but host it on a server you control. The problem with this approach is that every version of this kind of software I’ve seen so far is utterly pants and comes nowhere near to LastPass in terms of usability.

Trust factors into authentication

Both these options have their own significant problems. The centralised LastPass store is an unbelievably tempting target for every ne’er-do-well on the planet. Although it is defended by a team of über cyber ninjas, if LastPass should fall, everyone who uses it is screwed.

LastPass doesn’t store your master password anywhere that anyone can get at it, but the hashes of your passwords are stored on their servers; if you’ve been paying attention to advances in password-cracking techniques, you’ll know the “only got the password hashes” response is not nearly as comforting today as it once was.

While you would be far safer if you used random generated passwords for everything – which is sort of the point of LastPass in the first place – you can store non-randomly generated passwords within LastPass as well. Those passwords would ultimately be quite vulnerable.

Far more worrying to me than the somewhat difficult to imagine prospect of a random criminal breaching LastPass’s security, downloading all my hashed passwords and then decrypting them, is the vulnerability of those passwords to the United States government.

The US government has been pretty open over the past decade about the fact that it simply does not care one whit for privacy, civil liberties and other such petty concerns. Certainly, the US PATRIOT Act ensured that non-US citizens have even fewer rights than the (already heavily degraded) few that remain to Americans, something that has been upheld in court but which remains contentious (PDF, 24 pages).

Even assuming that LastPass has no back doors by which it can find out what the passwords are, US law lets the government demand that LastPass turn over the password hashes without even telling the individual affected by the order. The US government measures their computing in acres; they can find your passwords if they really want to.

Assuming that there was a Last-Pass-Alike that I could install on my own servers, I could solve one trust issue – the fact that I don’t trust the individuals who work for the US government not to abuse their powers – by ensuring that the password storage is located in my country and subject only to my nation’s laws. (An issue that many are concerned about.) That’s a great first step, but it falls down on the other side of the equation.

The only security from criminal attack I could gain by striking out alone is that of herd immunity: the hope that so many people deploy the same solution I use that the odds of them attacking my setup become small. That’s known as “gambling”, because a concerted effort would fold my servers like a cheap tent – even if I was doing my best to defend them.

A centralised cloud service like LastPass defended by the top industry experts in the field is going to be far more secure than anything I run on my own servers. I’m not a security expert, like one of the guys LastPass hires to audit their design and implementation. I am certainly not as good as all of them put together.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/03/trust_nobody_with_your_personal_data_ever/

Oracle to lop off Java’s least secure bits to save servers


More frequent patches, finer controls, planned


Oracle has acknowledged Java’s recent security problems and outlined three new security initiatives to set things to rights.

The first may not please everyone, as the company has committed to including Java updates among the quarterly Oracle Critical Patch Update it provides for all its products, as of the October 2013 update. Java previously operated a thrice-yearly patch cycle of its own.


The Oracle Critical Patch Update usually includes dozens of patches, so the inclusion of Java could swell the amount of urgent work facing IT pros when the Update lands.

The second change is outlined in this blog post, which offers the following hint at the future:

“Local Security Policy features will soon be added to Java and system administrators will gain additional control over security policy settings during Java installation and deployment of Java in their organization. The policy feature will, for example, allow system administrators to restrict execution of Java applets to those found on specific hosts (e.g., corporate server assets, partners, etc) and thus reduce the risk of malware infection resulting from desktops accessing unauthorized and malicious hosts.”

The post goes on to say this plan is expected to “decrease the exploitability and severity of potential Java vulnerabilities in the desktop environment and provide additional security protections for Java operating in the server environment.”

The server side will also get the following security enhancements:

“In the future, Oracle will explore stronger measures to further reduce attack surface including the removal of certain libraries typically unnecessary for server operation. Such significant measures cannot be implemented in current versions of Java since they would violate current Java specifications, but Oracle has been working with other members of the Java Community Process to enable such changes in future versions of Java.”

Those changes are the third big reveal from the post, but there’s no timeframe for their advent or the arrival of the new Local Security Policy. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/03/oracle_java_security_improvement_plan/

TSA: Perv scanners now fully banished from US airports

The US Transportation Security Administration (TSA) says it has completed the process of removing all security scanners capable of creating detailed images of passengers’ bodies from US airports.

By Congressional mandate, all scanners using so-called advanced imaging technology (AIT), which rendered fliers’ nude bodies in Pixar-like detail, were to be either removed or retrofitted with software capable of performing automated target recognition (ATR).

With ATR, the scanner displays only a vague outline of a passenger’s body, with generic yellow boxes superimposed to alert security screeners to possible concealed objects.

“As of May 16, 2013, all AIT units deployed by TSA are equipped with ATR capability,” TSA administrator John Pistole wrote in a letter to Congress that was made public on Thursday, indicating that TSA actually beat its Congressionally ordered May 31 deadline by two weeks.

According to political news site The Hill, lawmakers on the House Homeland Security Committee were pleased with TSA’s timely handling of the matter.

“Because of this action and congressional oversight, TSA will never again use machines to screen passengers that do not obscure their images while maintaining security,” said Rep. Bennie Thompson (D-MS).

Screenshot of body-scanner Automated Target Recognition in action

Scanners with automated target recognition might be less precise, but they’re certainly more flattering

At issue were scanners based on backscatter X-ray technology, one of two types that TSA had previously deployed. TSA announced that it would stop buying such devices and would begin removing them from airports in January, after manufacturer Rapiscan admitted that it would be unable to retrofit them with ATR software by Congress’s deadline.

Body scanners based on the competing millimeter wave technology were all retrofitted with ATR software in 2011 and will continue to be used. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/01/perv_scanners_pulled_from_us_airports/

Motorola shows off tattoo and swallowable password hardware

Motorola has shown off an electronic authentication tattoo and an FDA-approved pill that uses the body to transmit passwords, and says it wants to see a new generation of smartphones geared towards such wearable – or edible – technology.

The Number of the Beast


Speaking at the D11 conference, Regina Dugan – the first female head of DARPA who moved to the Chocolate Factory last year – argued that with our plethora of devices, authentication needs to be simplified. The average user has to sign on 39 times a day, and it takes them 2.3 seconds each time – and that’s if you remember the password.

To crack this, she suggests either getting tattooed or using authentication in pill form as a way of saving those precious seconds that are being so wastefully lost. The industry is still stuck with the same login technology that it has used for 40 years, she said, and Motorola has the answer – or at least the partners to provide it.

She showed off a stick-on electronic tattoo on her arm consisting of a wireless power coil, temperature, ECG, phone sensors, and a small LED with a wireless antenna border. Motorola is working with the inventors, Cambridge, Massachusetts firm MC10, on a version for authentication, she said, and they would be available in a wide variety of designs.

“It may be true that 10-20 year-olds don’t want to wear a watch on their wrist, but you can be sure they’ll be far more interested in wearing an electronics tattoo, if only to piss off their parents,” she said. So-called theologians might disagree*.

The stick-on circuitry would last about two weeks before needing to be replaced, and the connections between the silicon and sensors are designed to flex 200 per cent, she said. The system would be sprayed with a plastic composite to assure your morning shower doesn’t leave you a non-person.

Dugan also showed off a pill containing a switch and what she described as an “inside-out potato battery” that uses stomach acids as an electrolyte and causes the switch to flick on and off. The resulting “18-bit ECG-like signal” is then broadcast throughout your body for as long as the device remains in it.

Motorola authentication pill

‘I crap authentication’

“It’s really true; it means that that becomes my first superpower. I really want this superpower,” she said. “It means my arms are like wires, my hands are like alligator clips, and when I touch my phone, my computer, my door, my car, I’m authenticated in.”

The system, developed by Proteus Digital Health, was FDA-approved and CE-stamped for people to take up to 30 of these pills a day for the rest of their lives, she said.

Interviewer Walt Mossberg declined to swallow a proffered sample.

“We’re not shipping that right away,” Motorola CEO Dennis Woodside said during the interview. But taking a long-game approach to the evolving mobile market is going to be key to reviving the company, he said. In 2010 Samsung was selling as many phones as Motorola is now, he said; there are opportunities to be had.

After Google bought Android it funded the team for two years before releasing the operating system, he said, a strategy some decried as madness. The results have been rather good, he pointed out, and Google’s willing to make a similar investment in the company that was there at the start of mobile computing.

The first stage of this is the Moto X, due to launch in the autumn. Woodside said he had it in his pocket, but refused to get it out. The new handset will be 70 per cent assembled in the US, coming from a plant in Fort Worth, Texas, and having manufacturing close at hand would allow the company to try out new manufacturing processes such as 3D printing.

Motorola is cracking a long-standing problem in mobile electronics by enabling low-power motion sensors without needing to boot the full operating system, he said. Phones should detect your location and movement and adapt their interfaces to match the situation.

The price for this “contextually aware” feature is battery power, and the fact that phones can’t last a week without recharging is a major issue the company wants to solve. Larry Page is also apparently frustrated that phones still break, so the engineers are trying to toughen up smartphones. ®

* Bootnote

One marketing problem Motorola may not have anticipated is the reaction of biblical literalists to its wearable authentication systems.

A surprising number of people in the US still adhere to an apparently literal translation of the current version of the Bible. These range from Jehovah’s Witnesses, who refuse blood transfusions and shun those who take them, to those who look to the finale of the New Testament: The Book of Revelation – or, for you believers of the Catholic persuasion, The Apocalypse.

The text, thought to have been written about 60 years after the biblical death of Christ, is regarded as either a description of the end times of humanity, a satirical pastiche on the increasingly subverted tenets of Christian bureaucracy, or a really bad mushroom trip on a Greek island. Nevertheless it contains the following warning:

It causes all, both small and great, both rich and poor, both free and slave, to be marked on the right hand or the forehead, so that no one can buy or sell unless he has the mark, that is, the name of the beast or the number of its name. This calls for wisdom: let the one who has understanding calculate the number of the beast, for it is the number of a man, and his number is 666.

Be reassured that the majority of people of faith in the US and elsewhere aren’t quite so inflexible. Those that aren’t may be shrill, particularly in the US, but do not form a representative sample of Christianity.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/31/motorola_tattoo_pill_authentication/

Apple’s two-factor security isn’t as good as Microsoft or Google’s, say experts

Apple’s two-factor authentication system does not protect users’ private files backed up to the iCloud, it is claimed.

Fanbois have been able to secure their Apple accounts with a two-step login process since March: these accounts are important because they are used to bung or retrieve backups into and out of Cupertino’s iCloud storage system, download software from the app store, and buy songs, movies, and TV shows for iTunes, among other things. Enabling the technology – which is available in the US, UK, Australia, Ireland, Germany and Italy – links an Apple ID username to a registered iPhone or iPad.


When a user wants to log into their account, a passcode is sent to this named device, and the user must submit this code in addition to their regular password to gain access. Of course, this should make life harder for account hijackers, because they must somehow steal the iPhone or iPad as well as obtaining a victim’s password in order to compromise an account.

But according to research from security biz Elcomsoft, Apple did a “half-hearted job” of implementing its verification system, “leaving ways for the intruder to access users’ personal information, bypassing the (optionally enabled) two-factor authentication”.

Specifically, iOS backups and iCloud data are not protected by two-factor authentication.

“In its current implementation, Apple’s two-factor authentication does not prevent anyone from restoring an iOS backup onto a new (not trusted) device,” explained Vladimir Katalov, chief exec of ElcomSoft in a blog post. “In addition, and this is much more of an issue, Apple’s implementation does not apply to iCloud backups, allowing anyone and everyone knowing the user’s Apple ID and password to download and access information stored in the iCloud.”

iPush less secure than SMS for 2FA

iCloud has been exploited in the past and nothing Apple has done in introducing two-factor authentication will stop it being exploited in the future, according to Elcomsoft. This is because Apple made a string of mistakes in rolling out the technology.

For one thing, the verification code appears on the lock screen if sent to an iPhone, so it can be read without entering the correct passcode. It is not a text message, but rather a push notification delivered via the Find My iPhone service. This approach means that Wi-Fi-only iPads and iPods can be used as a registered device even though they don’t support SMS.

Only if the Find My iPhone service is disabled would a verification code be sent as a text message to a registered iPhone.

Worse still, provided an attacker has a valid Apple ID and password combination – something that might be obtained through a phishing attack or similar – they do not need this verification code to get at backups, according to ElcomSoft.

Regardless of two-step authentication settings, backups and documents are still accessible from anywhere.

“We can restore an offline or iCloud backup onto a new Apple device (or use Elcomsoft Phone Password Breaker to download and access on the computer) without being requested or entering the second passcode,” Katalov explained.

“All you need is some software that can browse and analyze offline iTunes backups, such as iBackupBot or more advanced Oxygen Forensic Suite,” he added.

If an attacker just wanted to restore everything from the iCloud onto a new device, then all they need is a user’s login ID and password.

“No two-factor authentication kicks in during the process,” according to Katalov.

ElcomSoft’s blog post features screen shots illustrating this security shortcoming.
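The shortcoming Elcomsoft describes is one of scope rather than of the second factor itself: the extra code gates purchases and password changes, but the operations that expose a user’s personal data are reachable with the password alone. The following is an added Python model, not Apple’s or Elcomsoft’s code; the operation names, the two policies and the session flags are constructed for illustration. It shows the as-described policy beside a hardened one that gates every data-exposing operation, and an audit that lists the sensitive operations a policy leaves reachable with just a password.

```python
"""Second-factor coverage model (added illustration; constructed names).

authorize() decides whether a session may perform an operation under a
policy. coverage_gaps() is the audit a defender wants: which sensitive
operations does this policy let through on password alone?
"""
from dataclasses import dataclass

# Operations an account holder can perform, tagged with what they expose.
# These names are constructed for the example, not Apple's API.
SENSITIVE_OPS = {
    "purchase": "financial",
    "change_password": "account",
    "restore_icloud_backup": "personal_data",
    "download_icloud_documents": "personal_data",
}
NON_SENSITIVE_OPS = {"view_account_name"}


@dataclass(frozen=True)
class Session:
    """What the caller has proved so far."""
    password_ok: bool
    second_factor_ok: bool = False


@dataclass(frozen=True)
class Policy:
    """Which operations demand the second factor on top of the password."""
    name: str
    step_up_required: frozenset


# Policy as the article describes it: purchases and account changes are
# gated, backup restores and document downloads are not.
AS_DESCRIBED = Policy("purchase-only", frozenset({"purchase", "change_password"}))

# Hardened policy: every operation that exposes money or personal data
# requires the second factor.
HARDENED = Policy("data-and-purchase", frozenset(SENSITIVE_OPS))


def authorize(policy: Policy, session: Session, op: str) -> bool:
    """Allow op only if the password is proved and, where the policy
    requires it, the second factor too. Unknown operations are denied."""
    if op not in SENSITIVE_OPS and op not in NON_SENSITIVE_OPS:
        return False
    if not session.password_ok:
        return False
    if op in policy.step_up_required and not session.second_factor_ok:
        return False
    return True


def coverage_gaps(policy: Policy) -> list:
    """Sensitive operations a password-only session can still perform.
    An empty list means the second factor covers everything sensitive."""
    password_only = Session(password_ok=True, second_factor_ok=False)
    return sorted(op for op in SENSITIVE_OPS
                  if authorize(policy, password_only, op))


if __name__ == "__main__":
    phished = Session(password_ok=True)  # attacker holds only the password
    for policy in (AS_DESCRIBED, HARDENED):
        print(f"{policy.name}: gaps = {coverage_gaps(policy)}")
        print("  restore backup with password only:",
              authorize(policy, phished, "restore_icloud_backup"))
```

Under the as-described policy the audit reports the two data-exposing operations as gaps, which is exactly the scenario in the quotes above: a phished Apple ID and password is enough to pull down a backup, while a purchase is correctly refused. The hardened policy reports no gaps. The point of keeping the audit separate from `authorize()` is that coverage can be checked whenever the operation catalogue or the policy changes, rather than discovered later by a third party with screenshots.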

Independent security advisor Per Thorsheim, founder and organizer of the annual Passwords conference, who alerted us to Elcomsoft’s research, confirmed the Russian security firm’s findings. He said that though Apple’s two-factor authentication would block unauthorised purchases, it doesn’t protect data.

“People expect a 2FA solution to add additional security in order to protect their data, but in contrast to Dropbox and Google, Apple doesn’t really do that,” Thorsheim explains. “It’s the ‘weakest’ 2FA solution launched so far by the big well-known services, it will only add an additional layer of false security to people’s minds – which may have dangerous results.

“As it’s done now, their 2FA doesn’t protect my data at all, they only protect my account with Apple from being exploited in terms of direct financial loss (unauthorised purchases, password change etc). In my opinion that is not enough,” he added.

Elcomsoft’s Katalov concludes that Apple’s approach in implementing two-factor authentication “does not look like a finished product”.

“It’s not flawed or anything,” Katalov writes. “It does everything that it claims to be doing. What it doesn’t do, however, is protect users’ personal information stored in the iCloud from unauthorized access. It’s not on the spec list, either.

“In addition, the choice of the Find My iPhone service, while understandable, is clearly an afterthought, as supposedly secure verification codes are displayed in plain view on the lock screen,” he adds.

Despite his reservations about Apple’s implementation, Katalov recommends applying two-factor authentication on Apple accounts nonetheless.

Sean Sullivan, a security adviser at F-Secure, agreed with Katalov’s assessment of Apple’s two-factor implementation while taking issue with the idea that users ought always to enable it anyway.

“I would disagree with the idea that ‘it is a good idea to enable 2FA on all your accounts’. I think it depends on the type and purpose of the account,” Sullivan told El Reg.

Last week Sullivan criticised Twitter’s newly introduced, much anticipated two-factor authentication, because it was possible to add a phone number without said number being verified. All the web giants are rolling out two-factor authentication thanks to the growing realisation that passwords alone are fundamentally weak. Social engineering, keyloggers, Trojans, password re-use, rainbow tables and other factors contribute to the growing number of accounts compromised every month, resulting in Twitter hijacks of high-profile media accounts and other more serious (if less visible) problems.

Sullivan is more positive about the Google and Microsoft approach to introducing this technology.

“I think the Google and Microsoft Authenticator apps offer a nice approach,” he told El Reg. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/31/apple_2fa_security_weak/