Forgot your password?
typodupeerror

+ - Apple's Spotty Record Of Giving Back To The Tech Industry->

Submitted by chicksdaddy
chicksdaddy (814965) writes "One of the meta-stories to come out of the Heartbleed (http://heartbleed.com/) debacle is the degree to which large and wealthy companies have come to rely on third party code (http://blog.veracode.com/2014/04/heartbleed-and-the-curse-of-third-party-code/) — specifically, open source software maintained by volunteers on a shoestring budget. Adding insult to injury is the phenomenon of large, incredibly wealthy companies that gladly pick the fruit of open source software, but refusing to peel off a tiny fraction of their profits to financially support those same groups.

Exhibit 1: Apple Computer. On Friday, IT World ran a story that looks at Apple's long history of not giving back to the technology and open source community. The article cites three glaring examples: Apple's non-support of the Apache Software Foundation (despite bundling Apache with OS X), as well as its non-support of OASIS and refusal to participate in the Trusted Computing Group (despite leveraging TCG-inspired concepts, like AMDs Secure Enclave in iPhone 5s).

Given Apple's status as the world's most valuable company and its enormous cash hoard, the refusal to offer even meager support to open source and industry groups is puzzling. From the article:

"Apple bundles software from the Apache Software Foundation with its OS X operating system, but does not financially support the Apache Software Foundation (ASF) in any way. That is in contrast to Google and Microsoft, Apple's two chief competitors, which are both Platinum sponsors of ASF — signifying a contribution of $100,000 annually to the Foundation. Sponsorships range as low as $5,000 a year (Bronze), said Sally Khudairi, ASF's Director of Marketing and Public Relations. The ASF is vendor-neutral and all code contributions to the Foundation are done on an individual basis. Apple employees are frequent, individual contributors to Apache. However, their employer is not, Khudairi noted.

The company has been a sponsor of ApacheCon, a for-profit conference that runs separately from the Foundation — but not in the last 10 years. "We were told they didn't have the budget," she said of efforts to get Apple's support for ApacheCon in 2004, a year in which the company reported net income of $276 million on revenue of $8.28 billion."

Carol Geyer at OASIS is quoted saying her organization has done "lots of outreach" to Apple and other firms over the years, and regularly contacts Apple about becoming a member. "Whenever we're spinning up a new working group where we think they could contribute we will reach out and encourage them to join," she said. But those communications always go in one direction, Geyer said, with Apple declining the entreaties.

Today, the company has no presence on any of the Organization's 100-odd active committees, which are developing cross-industry technology standards such as The Key Management Interoperability Protocol (KMIP) and the Public-Key Cryptography Standard (PKCS)."

Link to Original Source

+ - Is Apple A Bad Citizen Of The Tech Community?->

Submitted by jfruh
jfruh (300774) writes "While much criticism and praise for Apple comes with its engagement with the larger world — politics, charity, labor practices, and so on — there hasn't been much discussion of how Apple contributes to the open source and standards communities of the tech world. It turns out the world's most valuable company doesn't give back much. Despite widespread reliance on open source software, Apple isn't a major corporate sponsor of any open source proejcts — for instance, Microsoft gives more to the Apache Foundation, despite selling a Web server that competes against Apache's free flagship product. Considering the fact that open source and open standards were all that kept Apple from extinction during the dark days of Microsoft dominance, you'd think they'd be more grateful."
Link to Original Source

+ - TCP/IP Might Have Been Secure From The Start, But...NSA!->

Submitted by chicksdaddy
chicksdaddy (814965) writes "The pervasiveness of the NSA's spying operation has turned it into a kind of bugaboo — the monster lurking behind every locked networking closet (http://en.wikipedia.org/wiki/Room_641A) and the invisible hand behind every flawed crypto implementation (http://www.reuters.com/article/2014/03/31/us-usa-security-nsa-rsa-idUSBREA2U0TY20140331).

Those inclined to don the tinfoil cap won't be reassured by Vint Cerf's offhand observation in a Google Hangout on Wednesday that, back in the mid 1970s, the world's favorite intelligence agency may have also stood in the way of stronger network layer security being a part of the original specification for TCP/IP — the Internet's lingua franca.

As noted on Veracode's blog (http://blog.veracode.com/2014/04/cerf-classified-nsa-work-mucked-up-security-for-early-tcpip/), Cerf said that given the chance to do it over again he would have designed earlier versions of TCP/IP to look and work like IPV6, the latest version of the IP protocol with its integrated network-layer security and massive 128 bit address space. IPv6 is only now beginning to replace the exhausted IPV4 protocol globally.

“If I had in my hands the kinds of cryptographic technology we have today, I would absolutely have used it,” Cerf said. (Check it out here: http://www.youtube.com/watch?v...)

Researchers at the time were working on just such a lightweight cryptosystem. On Stanford’s campus, Cerf noted that Whit Diffie and Martin Hellman had researched and published a paper that described the functioning of a public key cryptography system. But they didn’t yet have the algorithms to make it practical. (Ron Rivest, Adi Shamir and Leonard Adleman published the RSA algorithm in 1977).

As it turns out, however, Cerf revealed that he _did_ have access to some really bleeding edge cryptographic technology back then that might have been used to implement strong, protocol-level security into the earliest specifications of TCP/IP. Why weren’t they used? The culprit is one that’s well known now: the National Security Agency.

Cerf told host Leo Laporte that the crypto tools were part of a classified NSA project he was working on at Stanford in the mid 1970s to build a secure, classified Internet.

“During the mid 1970s while I was still at Stanford and working on this, I also worked with the NSA on a secure version of the Internet, but one that used classified cryptographic technology. At the time I couldn’t share that with my friends,” Cerf said. “So I was leading this kind of schizoid existence for a while.”

Hindsight is 20:20, as the saying goes. Neither Cerf, nor the NSA nor anyone else could have predicted how much of our economy and that of the globe would come to depend on what was then a government backed experiment in computer networking. Besides, Cerf didn't elaborate on the cryptographic tools he was working with as part of his secure Internet research or how suitable (and scalable) they would have been.

But it’s hard to listen to Cerf lamenting the absence of strong authentication and encryption in the foundational protocol of the Internet, or to think about the myriad of online ills in the past two decades that might have been preempted with a stronger and more secure protocol and not wonder what might have been."

Link to Original Source

+ - Vint Cerf: CS Programs Must Change To Adapt To Internet of Things->

Submitted by chicksdaddy
chicksdaddy (814965) writes "The Internet of Things has tremendous potential but also poses a tremendous risk if the underlying security of Internet of Things devices is not taken into account, according to Vint Cerf, Google’s Internet Evangelist.

Cerf, speaking in a public Google Hangout on Wednesday, said that he’s tremendously excited about the possibilities of an Internet of billions of connected objects (http://www.youtube.com/watch?v=17GtmwyvmWE&feature=share&t=21m8s). But Cerf warned that the Iot necessitates big changes in the way that software is written. Securing the data stored on those devices and exchanged between them represents a challenge to the field of computer science – one that the nation’s universities need to start addressing.

Internet of Things products need to do a better job managing access control and use strong authentication to secure communications between devices."

Link to Original Source

+ - Hell Is Other Contexts: How Wearables Will Transform Application Development->

Submitted by chicksdaddy
chicksdaddy (814965) writes "Veracode's blog has an interesting post on how wearable technology will change the job of designing applications. Long and short: context is everything. From the article:

"It’s the notion – unique to wearable technology – that applications will need to be authored to be aware of and respond to the changing context of the wearer in near real-time. Just received a new email message? Great. But do you want to splash an alert to your user if she’s hurtling down a crowded city street on her bicycle? New text message? OK– but you probably shouldn't send a vibrate alert to your user's smartwatch if the heart rate monitor suggests that he’s asleep, right?

This isn't entirely a new problem, but it will be a challenge for developers used to a world where ‘endpoints’ were presumed to be objects that are physically distinct from their owner and, often, stationary.

Google has already called attention to this in its developer previews of Android Wear – that company’s attempt to extend its Android mobile phone OS to wearables. Google has encouraged wearable developers to be “good citizens.” “With great power comes great responsibility,” Google’s Justin Koh reminds would-be developers in a Google video.(https://www.youtube.com/watch?v=1dQf0sANoDw&feature=youtu.be&t=2m26s)

“Its extremely important that you be considerate of when and how you notify a user.” Developers are strongly encouraged to make notifications and other interactions between the wearable device and its wearer as ‘contextually relevant as possible.’ Google has provided APIs (application program interfaces) to help with this. For example, Koh recommends that developers use APIs in Google Play Services to set up a geo-fence that will make sure the wearer is in a specific location (i.e. “home”) before displaying certain information. Motion detection APIs for Wear can be used to front (or hide) notifications when the wearer is performing certain actions, like bicycling or driving."

Link to Original Source

+ - Fearing HIPAA, Google Rules Out Health Apps For Android Wear-> 1

Submitted by chicksdaddy
chicksdaddy (814965) writes "The Security Ledger reports (https://securityledger.com/2014/03/google-android-wear-isnt-ready-for-health-data/) that amid all the hype over what great new products might come out of Google's foray into wearable technology with Android Wear (http://www.android.com/wear/), there's one big category of application that is off the list: medical applications. The reason? HIPAA — the Health Insurance Portability and Accountability Act, which protects the privacy of patients personal health information in the U.S.

Deep down in Google’s Developer Preview License Agreement (http://developer.android.com/wear/license.html) is language prohibiting Android Wear applications that involve personal health information:

“Unless otherwise specified in writing by Google, Google does not intend use of Android Wear to create obligations under the Health Insurance Portability and Accountability Act, as amended, (“HIPAA”), and makes no representations that Android Wear satisfies HIPAA requirements."

Android Wear users who "are (or become) a Covered Entity or Business Associate under HIPAA... agree not to use Android Wear for any purpose or in any manner involving Protected Health Information unless you have received prior written consent to such use from Google.”

Google’s prohibition of medical applications is interesting. The market for personal health devices is evolving quickly, and the U.S. government has already warned that – in some cases – mobile applications may count as a type of medical device regulated by the FDA.(https://securityledger.com/2013/09/fda-says-some-medical-apps-a-kind-of-medical-device/)

No word from Google yet on how it plans to enforce the ban on medical applications for Google Wear, or what process it will set up to vet and approve health-related wearables. Given the potential for wearables to be used in health monitoring and the delivery of medical care, however, its a problem that the company might want to jump on — fast!"

Link to Original Source

+ - Is Analog The Fix For Cyber Terrorism? ->

Submitted by chicksdaddy
chicksdaddy (814965) writes "The Security Ledger has picked up on an opinion piece by noted cyber terrorism and Stuxnet expert Ralph Langner (@langnergroup) who argues in a blog post that critical infrastructure owners should consider implementing what he calls "analog hard stops" to cyber attacks.

Langner is one of the world's foremost experts on the security of critical infrastructure, and a noted expert on cyber weapons and the Stuxnet Worm. He said the wholesale migration from legacy, analog control systems to modern, digital systems is hard-coding "the potential for a disaster into our future."

Langner cautions against the wholesale embrace of digital systems by stating the obvious: that “every digital system has a vulnerability,” and that it’s nearly impossible to rule out the possibility that potentially harmful vulnerabilities won’t be discovered during the design and testing phase of a digital ICS product.

"The question of whether to go digital or stay analog should not presuppose an answer, but rather a rigorous assessment as to the full set of options and the associated risks to the process being controlled as well as to society at large," Langner writes.

For example, many nuclear power plants still rely on what is considered “outdated” analog reactor protection systems. While that is a concern (maintaining those systems and finding engineers to operate them is increasingly difficult), the analog protection systems have one big advantage over their digital successors: they are immune against cyber attacks.

Rather than bowing to the inevitability of the digital revolution, the U.S. Government (and others) could offer support for (or at least openness to) analog components as a backstop to advanced cyber attacks could create the financial incentive for aging systems to be maintained and the engineering talent to run them to be nurtured, Langner suggests."

Link to Original Source

+ - Belkin WeMo Home Automation Products Riddled With Security Holes->

Submitted by chicksdaddy
chicksdaddy (814965) writes "The Security Ledger reports that the security firm IOActive has discovered serious security holes in the WeMo home automation technology from Belkin. The vulnerabilities could allow remote attackers to use Belkin’s WeMo devices to virtually vandalize connected homes, or as a stepping stone to other computers connected on a home network.

IOActive researcher Mike Davis said on Tuesday that his research into Belkin’s WeMo technology found the “devices expose users to several potentially costly threats, from home fires with possible tragic consequences down to the simple waste of electricity.” (http://www.ioactive.com/news-events/IOActive_advisory_belkinwemo_2014.html) IOActive provided information on Davis’s research to the US Computer Emergency Readiness Team (CERT), which issued an advisory on the WeMo issues on Tuesday. (http://www.kb.cert.org/vuls/id/656302). There has been no response yet from Belkin.

Among the problems discovered by Davis and IOActive: Belkin’s firmware reveals the signing key and password allowing an attacker with physical or logical access to a WeMo device to sign a malicious software update and get it to run on the device, bypassing security and integrity checks. Also, Belkin WeMo devices don’t validate Secure Socket Layer (SSL) certificates used with inbound communications from Belkin’s cloud service. That could allow an attacker to impersonate Belkin’s legitimate cloud service using any valid SSL certificate, potentially pushing a bogus firmware update or malicious RSS feed to deployed WeMo devices.

WeMo customers who are counting on their wireless router and NAT (network address translation) or a firewall to provide cover should also beware. Davis found that Belkin has implemented a proprietary 'darknet' that connects deployed WeMo devices by ‘abusing’ an (unnamed) protocol originally designed for use with Voice over Internet Protocol (VoIP) services. With knowledge of the protocol and a ‘secret number’ uniquely identifying the device, an attacker could connect to- and control any WeMo device over the proprietary network."

Link to Original Source

+ - IE 10 Zero Day Used in Watering Hole Attacks On Veterans->

Submitted by chicksdaddy
chicksdaddy (814965) writes "Visitors to the web site of the Veterans of Foreign Wars (VFW) are being targeted in an attack that exploits a previously unknown hole in Microsoft’s Internet Explorer 10 web browser, according to warnings Thursday by security firms.

Some visitors to the web site of the VFW, vfw [dot] org, were the victim of a ‘watering hole’ attack starting on February 11. The attacks took advantage of a previously unknown ‘use-after-free’ vulnerability in Microsoft’s Internet Explorer 10 web browser. According to a write-up by the firm FireEye (http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html), the VFW site was hacked and then altered to redirect users to a malicious website programmed to exploit vulnerable versions of IE 10 on systems running 32 bit versions of the Windows operating system.

Initial analysis of the attack suggests that it is part of a “strategic Web compromise targeting American military personnel.” FireEye said evidence points to hacking groups responsible for similar campaigns, including ‘Operation DeputyDog,’ which targeted high-profile Japanese firms as well as the US security firm Bit9, and ‘Operation Ephemeral Hydra,’ targeting military and public policy personnel.

FireEye dubbed the attack 'Operation Snowman,' saying that it was timed to coincide with a massive East Coast blizzard that affected the Washington D.C. area, as well as the President's Day federal holiday on Monday. Security Ledger notes that the attack was also timed to fall immediately after Microsoft issued its February security patches with the malware used in the attacks — standard operating procedure with attacks using Microsoft 0day exploits."

Link to Original Source

+ - Google 'Mob Sourcing' Patent Uses Video Metadata To Identify Public Gatherings->

Submitted by chicksdaddy
chicksdaddy (814965) writes "File this one in your (bulging) 'creepy big data applications' folder: Google has applied to the US government for a patent on what is described as a method for “inferring events based on mob source video,” according to the Web site Public Intelligence. (http://info.publicintelligence.net/GoogleMobVideoPatent.pdf)

According to the application, Google has developed the ability to mine metadata from videos, photos or audio submitted by Google users (to YouTube, etc.) to infer that “an event of interest has likely occurred.” The technology surveys time- and geolocation stamps on the videos and other data to correlate the activities of individuals who might be part of a gathering, The Security Ledger reports.

The Patent, US2014/0025755 A1, was published on January 23, 2014. The technology, dubbed “mob sourcing” will allow Google to correlate video and images to infer the existence of groups (i.e. a public gathering, performance or accident), then send notifications to interested parties.

“Embodiments of the present invention are thus capable of providing near real-time information to pertinent organizations when users of wireless terminals (aka ‘mobile phones’) upload video clips to the repository upon being recorded,” the application reads.

The mob sourcing capability could be used to analyze and correlate video clips submitted by users either with the user’s permission or without it, Google claims. Consumer applications could allow YouTube users who upload a video to associate it with an ongoing event –say “South by Southwest Festival 2014 – making it easier for others to enjoy a crowd-sourced view of events. As for the non-consumer applications? Well...we know what those are."

Link to Original Source

+ - In an age of cyber war, where are the cyber weapons? ->

Submitted by chicksdaddy
chicksdaddy (814965) writes "MIT Tech Review has an interesting piece that asks an obvious, but intriguing question: if we're living in an age of cyber warfare, where are all the cyber weapons?

Like the dawn of the nuclear age that started with the bombs over Hiroshima and Nagasaki, the use of the Stuxnet worm reportedly launched a global cyber arms race involving everyone from Syria to Iran and North Korea (https://securityledger.com/2013/03/dprkurious-is-north-korea-really-behind-cyber-attacks-on-the-south/). But almost four years after it was first publicly identified, Stuxnet is an anomaly: the first and only cyber weapon known to have been deployed. Experts in securing critical infrastructure including industrial control systems are wondering why. If Stuxnet was the world's cyber 'Little Boy,' where is the 'Fat Man'?

Speaking at the recent S4 Conference, Ralph Langner, perhaps the world’s top authority on the Stuxnet worm, argues that the mere hacking of critical systems is just a kind of 'hooliganism' that doesn’t count as cyber warfare.
True cyber weapons capable of inflicting cyber-physical damage require extraordinary expertise.

Stuxnet, he notes, made headlines for using four exploits for “zero day” (or previously undiscovered) holes in the Windows operating system. Far more impressive was the metallurgic expertise needed to understand the construction of Iran’s centrifuges. Those who created and programmed Stuxnet needed to know the exact amount of pressure or torque needed to damage aluminum rotors within them, sabotaging the country’s uranium enrichment operation.

Thomas Rid, of the Kings College Department of War Studies said the conditions for using a cyber weapon like Stuxnet aren't common and the deep intersection of intelligence operations and cyber ops means that "all cyber weapons are bespoke." "If you want to maximize the effect of a cyber weapon," he said at S4," the way you do it is with more intelligence.""

Link to Original Source

+ - Cloud Providers Being Asked To Wall Off Data From US->

Submitted by chicksdaddy
chicksdaddy (814965) writes "The U.S. government is giving large Internet firms more leeway to discuss secret government requests for data.(http://www.nytimes.com/2014/01/28/business/government-to-allow-technology-companies-to-disclose-more-data-on-surveillance-requests.html?hp) But when it comes to trust, the battle may already be lost. IT World reports that U.S. hosting companies and cloud providers say they now face pressure from international customers to keep data off of U.S. infrastructure – a request many admit is almost impossible to honor.

The article quotes an executive at one, prominent U.S. hosting firm who says that the picture of NSA spying that has come as a result of leaks by Edward Snowden prompted a slew of requests from European customers to have data cordoned off from U.S. infrastructure. Customers in Germany are often the source of the requests, he said, but the phenomenon isn't limited to Germany, where revelations of NSA spying there, including a tap on the phone of German Chancellor Angela Merkel, have stoked a kind of economic nationalism.

Chris Swan, the chief technology officer at Cohesive FT, a cloud networking company, said that his company began fielding calls from European clients, Germany companies, in particular, last year. "They were asking for help finding and using non U.S.-affiliated infrastructure," he said.

"It’s a bit of a gradient with Germany at the top of the hill and the Swiss standing right alongside them," said Swan.

The requests take a couple different forms, according to the hosting company executive. Customers have asked for their data to be kept 'locally,' segregating it on infrastructure located within the geographic border of Germany or other EU nations that are not perceived to be subject to access from U.S. intelligence agencies. Others are asking for changes that at least give them plausible deniability with local press and government officials. For example, they might ask for hosting firms to transfer the registration IP addresses used to host content from U.S.–based entities to a German or EU-based subsidiary, according to the report."

Link to Original Source

+ - Best Windows 8.1 Antivirus Software According to Lab Tests

Submitted by SmartAboutThings
SmartAboutThings (1951032) writes "The search for the best free or paid antivirus software has been going on for years and years; and it’s pretty hard to decide a winner. Now, independent test lab AV-TEST has conducted a new research trying to determine which are the best anti-virus software solutions for Windows 8.1 users. AV-TEST has compared anti-virus software for business and consumer users, as well. According to their tests, Bitdefender’s Endpoint Security and Trend Micro’s Office Scans are the best to use for business environments, followed closely by the Kaspersky Lab Endpoint Security Solution. For consumer users, BitDefender is again the winner here, with its Internet Security 2014 anti-virus software solution. Kaspersky Lab Internet Security 2014 has managed to obtain the same score, being closely followed by Avira Internet Security."

Thus mathematics may be defined as the subject in which we never know what we are talking about, nor whether what we are saying is true. -- Bertrand Russell

Working...