SIM card maker Gemalto apparently now holds the world's record for fastest security audit?

Subject: General Tech | February 26, 2015 - 01:02 PM |
Tagged: Gemalto, SIM, encryption, fud, security

In just under a week, SIM card maker Gemalto claims to have done a complete security audit of its systems in 85 different countries and reports that "its office networks were compromised, the servers holding the SIM card encryption keys weren't." This is a record worthy of Guinness, as most security audits take months or years to complete and the findings tend to discuss probabilities, not absolute certainties. As you might expect, The Register and security experts everywhere are doubtful of the claim, from a company that did not even know if it was compromised less than a week ago, that the UK-based GCHQ and USA-based NSA are unable to compromise your SIM card's encryption when they have the keys in hand. It has not been a good week for anyone who thinks about security.

"Six days ago Gemalto, the world's largest SIM card manufacturer, was told that back in 2010 it had been ransacked by NSA and GCHQ hackers. Today the company gave itself the all-clear: no encryption keys, used to secure phone calls from eavesdroppers, were stolen, it claims."

Source: The Inquirer

Roll over Superfish, PrivDog is just as bad but doesn't come directly from Comodo

Subject: General Tech | February 25, 2015 - 12:36 PM |
Tagged: SSL, security, PrivDog, idiots, fud, Comodo

This has been a bad week for the Secure Sockets Layer and the news just keeps getting worse. Comodo provides around one out of every three SSL certs currently in use as they have, until now, had a sterling reputation and were a trusted provider. It turns out that this reputation may not be deserved, seeing as how their Internet Security 2014 product ships with an application called Adtrustmedia PrivDog, which is enabled by default. Not only does this app install a custom root CA certificate which intercepts connections to websites in order to insert customized ads, as Superfish does, it can also turn invalid HTTPS certificates into valid ones. That means that an attacker can use PrivDog to spoof your bank's SSL cert, redirect you to a fake page and grab your credentials, while all the time your browser reports a valid and secure connection to the site.

The only good news from The Register's article is that this specific vulnerability is only present in PrivDog versions 3.0.96.0 and 3.0.97.0 and so has limited distribution. The fact that this indicates the entire SSL certificate model is broken, and that even those who create the certs to assure your security feel that inserting a man-in-the-middle attack into their software does not contravene their entire reason for existing, is incredibly depressing.

Update: The Register's article was originally based on research from Hanno Böck, who referred to PrivDog as being distributed by Comodo. Comodo does not distribute the standalone desktop version of PrivDog, only the browser extension application, which was never vulnerable to the TLS interception.

"The US Department of Homeland Security's cyber-cops have slapped down PrivDog, an SSL tampering tool backed by, er, SSL certificate flogger Comodo.

Comodo, a global SSL authority, boasts a third of the HTTPS cert market, and is already in hot water for shipping PrivDog."

Source: The Register

Your aggregate battery consumption isn't Li-On about your location

Subject: General Tech | February 24, 2015 - 12:56 PM |
Tagged: fud, security, smartphone

Tracking your smartphone's location via aggregate battery usage is not the most efficient or accurate method, but it can be done, and Samsung (and others) have not provided a switch which makes that particular data private. Researchers have shown that by tracking the battery drain of the 3G cellular radio one can determine the distance from the cellular base station the phone is connected to, and a coarse location based on interference from environmental factors such as buildings which partially block the signal. It is only a very coarse locator but does give better information than just the base station the phone is connected to, and as we are creatures of habit it allows tracking normal patterns of movement. This is nowhere near as accurate as GPS tracking and does require a bit of work to pull off, but as battery usage and levels are sent by the phone in the clear with no method of preventing that, it should cause some privacy concerns for users. You can read the research paper (in PDF) by following the link from The Inquirer.

"SCIENTISTS have warned of a new smartphone risk after discovering that battery power can be used to track a person's movements."

Source: The Inquirer

Just wait, blacklisting dangerous root certificates will lead to a legal battle

Subject: General Tech | February 23, 2015 - 01:35 PM |
Tagged: superfish, mozilla, komodia, security

Firefox can remove any threat that Superfish presents with a simple step and 24 hours; indeed, they could prevent any similar issue involving a questionable or downright poisonous SSL certificate simply by blacklisting it. In this Register article they specifically cite the ability of OneCRL to block even obfuscated certs before the Network Security Services level, if the certs are properly recorded on the blacklist. This would lead to a much more secure web, requiring attackers to invest significantly more effort when attempting to create fake or dangerous SSL certs. There is a flip side to this: there are those who may attempt to have valid certs added to the blacklist, so there must be a way of policing the list and a way to remove certs which should not be on it, whether they were placed there in error or because of a change in the software associated with that certificate. It is also likely that there will be court cases attempting to have the blacklist removed if it does come into being, as Superfish is not the only business out there whose business model requires phishing, or at least a way around proper SSL certification and best practices, which will no longer be viable if we are allowed to block their mutant SSL certs.

"Firefox-maker Mozilla may neuter the likes of Superfish by blacklisting dangerous root certificates revealed less than a week ago to be used in Lenovo laptops."

Source: The Register

Of gaps of air and hats of tinfoil

Subject: General Tech | February 12, 2015 - 12:51 PM |
Tagged: security, fud

In networking, an air gap refers to a security measure that separates a network from the public infrastructure, either physically or through the use of extremely secure tunnelling. This prevents access to that network over the internet or less secure LANs and is used in high security locations, as it is generally considered one of the best ways of securing a network. As with all things silicon, it is not perfect and this article at The Register should not be read by the faint of heart. They describe several methods which have been developed to overcome air gaps. Thankfully, most require that the attacker had been able to gain physical access to the air gapped systems to infect them from within and, as you have heard many times, once an attacker can gain physical access to your systems all bets are off.

What is interesting is the ways in which the infected systems transmit the stolen data without the need for physical contact, in ways that are incredibly difficult to detect. Some are able to use the FM frequencies generated by GPUs to send data to cellphones up to 7m away, while another uses the pixels to transmit hidden data in a way that is invisible to the user of the machine. Other attacks involve spreading infection via microphones and speakers, or a thumbdrive which was attached to an air gapped machine and could transmit data over a radio frequency up to 13 kilometres away. It is a wild world out there, and even though many of the attacks described have only been done in research labs, don't let strangers fondle your equipment without consent!

"The custom code had jumped an air gap at a defence client and infected what should have been a highly-secure computer. Sikorski's colleagues from an unnamed company plucked the malware and sent it off to FireEye's FLARE team for analysis."

Source: The Register

Flustered over Win10's surveillance habits? Have you met Predix?

Subject: General Tech | October 14, 2014 - 06:28 PM |
Tagged: predix, Cisco, Intel, GM, verizon, Privacy, security

GM's Predix asset management platform has been used for a while now, after they came to the realization that they were in the top 20 of the largest software developers on the planet. They found that by networking the machines in their factories, as well as products that have been shipped to customers and are seeing active use, they could increase the efficiency of their factories and their products. They were aiming for a 1% increase, which when you consider the scale of these industries can equate to billions of dollars, and in many cases they did see what they had hoped for.

Now Cisco and Intel have signed up to use the Predix platform for the same results; however, they will be applying it to the Cloud and edge devices as well as the routers and switches Cisco specializes in. This should at the very least enhance the ability to monitor network traffic, predict resource shortages and handle outages, with a very good possibility of a small increase in performance and efficiency across the board. This is good news to those who currently deal with the cloud, but it is perhaps worth noting that you will be offering up your company's metrics to Predix and you should be aware of any possible security concerns that integration with another system may raise. You could however argue that once you have moved to the cloud this is already happening.

"GE, Intel, Cisco, and Verizon have announced a big data deal to connect Predix — GE’s software platform — to machines, systems, and edge devices regardless of manufacturer."

Source: The Register

Symantec starts a non-destructive reformat

Subject: General Tech | October 10, 2014 - 12:30 PM |
Tagged: symantec, security, norton, billions

Symantec is splitting itself down the middle, with one side focusing on their antivirus and security products, which apparently still sell and are not just bundled with new laptops and computers, and the other handling information management. Considering they made nearly $7 billion last year, someone must be buying their software and, even more shocking, they must be renewing the license which came with the new machine. Those commenting on Slashdot immediately tried to help Norton out by suggesting that one side should create and spread viruses while the other should come in like a white knight and slay them. That would certainly make it a more interesting read; even so, the fact that Symantec is still alive and prospering is enough of a shock for a Friday morning.

"Symantec announced plans on Thursday to split into two separate, publicly traded companies – one focused on security, the other focused on information management. The company's security business generated $4.2 billion in revenue in fiscal year 2014 while its information management business meanwhile hit revenues of $2.5 billion. "As the security and storage industries continue to change at an accelerating pace, Symantec's security and IM businesses each face unique market opportunities and challenges," Symantec CEO Michael A. Brown, who officially took over as CEO last month, said in a statement."

Source: Slashdot

Rooting your Android in the name of security

Subject: General Tech | August 22, 2014 - 01:30 PM |
Tagged: byod, security, Android

In the new BYOD corporate crapshoot, Android devices are frequently connecting to secure resources, which raises security concerns for many IT workers. The OS is not as secure as many would like it to be; good enough for home use but not for those who truly want to keep their data secure. The majority of the exploits come from insecure apps as opposed to an inherent problem with the OS, which has led to a group proposing an Android Security Module Framework. Root the phone once to add these modules to Android and you gain the ability to restrict the capability of apps to share unnecessarily while not preventing the apps from running. The example offered to The Register was the ability to stop WhatsApp from uploading contact information without preventing the app from functioning. This could also allow you to configure a phone in a way similar to Blackberry's Balance feature, segregating work data from personal.

"An international group of researchers believes Android needs more extensible security, and is offering up a framework they hope either Google or mobe-makers will take for a spin."

Source: The Register

A Summary of the Recent Open Source Security News

Subject: General Tech | June 1, 2014 - 04:04 AM |
Tagged: TrueCrypt, security, openssl, openssh, heartbleed

This week has been most notable for security, as previous news suggests. TrueCrypt, the popular file encryption suite, lost its developers when they wanted to call it quits -- right in the middle of its audit. While on that topic, OpenSSL is being given money and full-time developers, in response to the recent Heartbleed fiasco. OpenSSH and Network Time Protocol, and others in the future, are also being given love.

Yes, these are two separate pieces of news that are combined into a single article.

Earlier, we reported on TrueCrypt's mysterious implosion. The developers' alleged last advice, use closed source solutions or whatever comes up on a random package manager search, I considered too terrible to have been from them. Seriously, from "Trust No-One" to "Trust Who Knows". Just does not seem right...

Since the article, they have apparently been contacted and confirmed that the project is being shut down. That said, it seems like basically every source cites the third-party auditors and no-one else seemed to have direct contact with them -- so who knows. Regardless, the audit is apparently still going on and might lead to a usable fork maintained by someone else.

As for the second piece of news -- several other libraries are getting serious security audits. Apparently, The Linux Foundation has arranged for a long list of companies to commit $5.4 million, over three years, to audit and maintain these projects. As mentioned, OpenSSL, OpenSSH, and Network Time Protocol are the first three mentioned, but others will be included later. Also, that budget can increase as other companies and donors step up.

Currently, the donors are: Adobe, Amazon, Bloomberg, Cisco, Dell, Facebook, Fujitsu, Google, HP, Huawei, IBM, Intel, Microsoft, NetApp, Qualcomm, Rackspace, Salesforce, and VMware. Eighteen companies, each pledging $100,000 per year for three years.

All in all, it seems like the world is on the path to righting itself, somewhat.

Source: Ars Technica

Securing the Internet of Things

Subject: General Tech | May 23, 2014 - 01:27 PM |
Tagged: internet of things, security, Intel

Karen Lomas is Intel's director of the Internet of Things, from smart buildings to fridges and watches, and she sat down to discuss the security of these devices and the future of ubiquitous computing. Intel expects that by 2020 there will be 26 billion internet connected devices, and if we do not start to think about how to secure them now it will have serious repercussions in the future. There is a balance which needs to be struck so that consumers will not avoid using these devices, either because of security concerns or because they are too restrictive to easily be used. As befits a Friday, the discussion comes in video form.

"THE INQUIRER and Intel held an Internet of Things (IoT) event in London this week, where we sat down with IT professionals from a range of industry sectors to discuss how the growing thirst for internet-connected devices can be used in business, and how this should be done."

Source: The Inquirer