Subscribe to:

Subscribe to :: TheGuruReview.net ::

MasterCard Testing A New Card With Fingerprint Reader

October 20, 2014 by mphillips  
Filed under Around The Net

MasterCard is trying out a contactless payment card with a built-in fingerprint reader that can authorize high-value payments without requiring the user to enter a PIN.

The credit-card company showed a prototype of the card in London on Friday along with Zwipe, the Norwegian company that developed the fingerprint recognition technology.

The contactless payment card has an integrated fingerprint sensor and a secure data store for the cardholder’s biometric data, which is held only on the card and not in an external database, the companies said.

The card also has an EMV chip, used in European payment cards instead of a magnetic stripe to increase payment security, and a MasterCard application to allow contactless payments.

The prototype shown Friday is thicker than regular payment cards to accommodate a battery. Zwipe said it plans to eliminate the battery by harvesting energy from contactless payment terminals and is working on a new model for release in 2015 that will be as thin as standard cards.

Thanks to its fingerprint authentication, the Zwipe card has no limit on contactless payments, said a company spokesman. Other contactless cards can only be used for payments of around €20 or €25, and some must be placed in a reader and a PIN entered once the transaction reaches a certain threshold.

Norwegian bank Sparebanken DIN has already tested the Zwipe card, and plans to offer biometric authentication and contactless communication for all its cards, the bank has said.

MasterCard wants cardholders to be able to identify themselves without having to use passwords or PINs. Biometric authentication can help with that, but achieving simplicity of use in a secure way is a challenge, it said.

 

Openstack Releases Juno

October 20, 2014 by Michael  
Filed under Computing

Openstack has reached another major milestone today with the release of Juno, its newest version.

The latest version of the cloud computing stack contains 342 new features, 3,219 bug fixes, almost 500,000 lines of modified documentation and a new Architecture Design Guide.

1,419 unique contributors including representatives from 133 companies made it all happen over six months.

Last month it was revealed that HP had overtaken Red Hat in terms of overall contributions to Juno, and is closing in on Red Hat’s overall lead.

However, Red Hat has shifted focus more towards the cloud market in recent strategy announcements, so that lead could widen again.

The new version adds storage policies, data processing provisioning for Hadoop and Spark and takes the initial steps towards being a platform for Network Function Virtualisation (NFV) in a future release, meaning that it would be capable of managing a number of functions currently fulfilled by expensive software.

Other new features include Nova Compute, a rescue mode improvement with the option to boot from alternative images via locally attached disks, update scheduling and internationalisation updates.

For networking, the Neutron module includes IPv6 and third-party driver testing, plug-ins, and migration support from Nova to Neutron.

The Keystone identity service allows users to share credentials for private and public OpenStack clouds.

The Heat engine, which manages orchestration, includes advanced rollback options in the event of failed deployment and the option for administrators to delegate creation of resources to non-admins.

The Horizon Dashboard now offers Hadoop deployment in a few clicks, enabling rapidly scalable data processing with custom parameters.

Finally, the Trove database allows users to manage relational database servcies in the OpenStack environment.

Of course, OpenStack waits for no-one. With this release safely out, work now begins on the next version, codenamed Kilo, which is due in April 2015.

Courtesy-TheInq

 

FCC To Explore Next-Generation Wireless Networks

October 20, 2014 by mphillips  
Filed under Mobile

U.S. Federal Communications Commissioner Jessica Rosenworcel, on Friday, stated that U.S. regulators will look “to infinity and beyond” to harness new technology that can help build a new generation of mobile wireless connections.

The FCC on Friday voted unanimously to open a so-called “notice of inquiry” into what it and the industry can do to turn a new swath of very high-frequency airwaves, previously deemed unusable for mobile networks, into mobile-friendly frequencies.

The FCC’s examination would serve as a regulatory backdrop for research into the next generation of wireless technology, sometimes referred to as 5G and which may allow wireless connections to carry a thousand times more traffic.

“Today we’re stepping in front of the power curve,” FCC Chairman Tom Wheeler said on Friday at the meeting.

In question are frequencies above 24 gigahertz (GHz), sometimes called millimeter waves, that have previously been deemed technically unweildy for mobile connections, though have the potential to carry large amounts of data and give the promise of lightning-fast speeds.

Millimeter waves work best over short distances and have required a direct line-of-sight connection to a receiver. They are now largely used for point-to-point microwave connections.

The FCC said it will study what technologies could help get around the technological and practical obstacles and what kind of regulatory regime could help a variety of technologies to flourish on those airwaves, including the potential for services other than mobile.

The U.S. wireless industry continues to work on deploying the 4G connections, though some equipment manufacturers, such as Samsung are already testing data transmission on the higher frequencies.

 

 

Facebook Doubling Reward For It’s Ad Based Bugs

October 17, 2014 by mphillips  
Filed under Around The Net

Facebook is doubling the bounty it will pay for security vulnerabilities related to code that runs its advertising system, the company announced.

A comprehensive security audit of its ads code was recently completed, but Facebook “would like to encourage additional scrutiny from whitehats to see what we may have missed,” wrote Collin Greene, a security engineer, in a blog post. “Whitehats” refers to ethical security researchers, as opposed to “blackhats” who take advantage of vulnerabilities.

According to bug bounty program guidelines, Facebook pays a minimum of $500 for a valid bug report. Until the end of the year, that has been increased to $1,000.

Greene wrote that the majority of reports it receives concern more common parts of Facebook’s code, but the company would like to encourage interest in ads “to better protect businesses.”

Facebook’s ad tools include the Ads Manager, the ads API (application programming interface) and Analytics, which is also called Insights, Greene wrote. The company also wants close scrutiny of its back-end billing code.

“There is a lot of backend code to correctly target, deliver, bill and measure ads,” Greene wrote. “This code isn’t directly reachable via the website, but of the small number of issues that have been found in these areas, they are relatively high impact.”

Greene wrote that Facebook typically sees bugs such as incorrect permission checks, insufficient rate-limiting, edge-case CSRF (cross-site request forgery) issues and problems with Flash in its ads code.

 

HP, EMC Call Off Merger Talks

October 16, 2014 by mphillips  
Filed under Around The Net

Hewlett-Packard Co has ended all merger discussions with EMC Corp, deciding to walk away from the deal after months of fruitless negotiations, people briefed on the matter told Reuters.

The official cessation of discussions to merge two of the tech industry’s largest enterprise-oriented firms may come as a disappointment to activist investors Elliott Management, which has pushed hard for storage products maker EMC to pursue merger or spinoff opportunities.

Pressure is building on EMC as rival technology companies, such as eBay Inc and Symantec, begin spinning off operations in an attempt to unlock shareholder value, become more agile, and capitalize on faster-growing businesses.

It is unclear when talks ended following months-long discussions, the people said on condition of anonymity because the talks were private.

Executives from the two companies were still trying to hammer out a deal as recently as last week, but talks bogged down on price and are now dead, the people said.

HP has temporarily suspended its stock buyback program ahead of its Nov. 25 earnings because the company said it is in possession of material non-public information. When pressed by stock analysts, Chief Financial Officer Cathie Lesjak noted on a conference call that the non-public information pertains to a possible acquisition.

HP and EMC declined to comment on Tuesday.

It is also unclear what specifically was discussed. A straight-up merger of the two companies would have created one of the industry’s largest providers of data storage, and created a computing giant with deep penetration in the business of providing computing hardware and services to corporations.

 

 

Cisco Warns Users To Lock Down Webex To Prevent Snooping

October 15, 2014 by mphillips  
Filed under Around The Net

Cisco has warned users to lock down WebEx after a security researcher and journalist discovered many big-name companies left some online meetings open for anyone to join.

Brian Krebs wrote on his blog that he found companies and organizations that failed to password protect WebEx meetings, which allowed “anyone to join daily meetings about apparently internal discussions and planning sessions.”

Meeting schedules for organizations were available through WebEx’s “Event Center,” he wrote.

Cisco has a variety of options for WebEx that are intended to accommodate sensitive meetings and ones intended for the public.

For example, Cisco requires a password to be set by default for a meeting, but that option can be turned off, wrote Aaron Lewis, who works in global social media marketing, on a company blog.

“The most secure meetings will always be protected by a complex password,” Lewis wrote.

Companies may publicly list a meeting for webinars that anyone can join, but “if your WebEx site administrator or IT department allows listed meetings, then we recommend listing your meeting only if there is a true business reason,” Lewis wrote.

Another tip is to disable the option “join before host,” which will then give the host visibility on who has joined. Also, setting the “host as presenter” prevents someone else form joining the meeting and sharing content, Lewis wrote.

Krebs wrote he found meetings not protected by a password from a host of companies and organizations, including Charles Schwab, CSC, CBS, CVS, The U.S. Department of Energy, Fannie Mae, Jones Day, Orbitz, Paychex Services and Union Pacific.

 

Dell Launches New SuperMassive 9800 Firewall

October 15, 2014 by Michael  
Filed under Computing

DELL is showing off ”enterprise class” security for small to medium businesses with the launch of a SuperMassive 9800 next-generation firewall, which it claims will protect against high-profile bugs such as Shellshock and Heartbleed.

Touted as the most powerful in the fresh 9000 line-up, and sounding a little like a gang of rappers, the SuperMassive 9800 offers services such as advanced Deep Packet Inspection with speeds up to 20Gbps, and Dell’s patented Reassembly-Free Deep Packet Inspection (RFDPI) single-pass threat prevention engine.

RFDPI scans multiple application types and protocols to spot internal and external attacks and application vulnerabilities, Dell said, making it better at detecting attacks.

The SuperMassive 9800 is also bundled with Dell’s Global Management System 8.0, a tool designed to manage systems and offer real-time event monitoring, analytics and reporting from a single centralised dashboard.

Dell claims that this makes it easier to meet compliance regulations while managing and monitoring network security processes.

The firm claimed that the SuperMassive 9800 provides 97.9 percent “security effectiveness” and helps to protect customers from Shellshock and Heartbleed-level vulnerabilities.

“The recent disclosures of the ShellShock and HeartBleed industry-wide vulnerabilities demonstrate that organisations are literally a few well-formed packets away from infrastructure disaster, proving the need for instant and automated security scaled to meet the needs of the network,” said executive director of Dell Security, Patrick Sweeney.

“The SuperMassive 9800 provides that level of instant security on a flexible, feature-rich platform.”

Shellshock was uncovered in September, and some experts claim that it could be more serious than the Heartbleed SSL bug uncovered in April.

The Bash bug, as implied by its name, is a vulnerability that allows unscrupulous users to take control of Bourne Again Shell (Bash), the software used to control the Unix command prompt on some Unix-like systems.

Researchers at FireEye and Trend Micro warned later in September that hackers were still mounting cyber attacks across the globe thanks to exploits of Bash bug vulnerabilities, made worse by an unsuccessful patch.

Courtesy-TheInq

Does Samsung Fear A Processor War?

October 15, 2014 by Michael  
Filed under Computing

Kwon Oh-hyun has said he is not worried about a price war in the semiconductor industry next year even though the firm is rapidly expanding its production volume.

“We’ll have to wait and see how things will go next year, but there definitely will not be any game of chicken,” said Oh-hyun, according to Reuters, suggesting the firm will not take chip rivals head on.

Samsung has reported strong profits for 2014 owing to better-than-expected demand for PCs and server chips. Analysts have also forecast similar results for the coming year, so things are definitely looking good for the company.

It emerged last week that Samsung will fork out almost $15bn on a new chip facility in South Korea, representing the firm’s biggest investment in a single plant.

Samsung hopes the investment will bolster profits in its already well-established and successful semiconductor business, and help to maintain its lead in memory chips and grow beyond the declining sales of its smartphones.

According to sources, Samsung expects its chip production capacity to increase by a “low double-digit percentage” after the facility begins production, which almost goes against the CEO’s claims that it is not looking for a price war.

Last month, Samsung was found guilty of involvement in a price fixing racket with a bunch of other chip makers stretching back over a decade, and was fined €138m by European regulators.

An antitrust investigation into chips used in mobile device SIM cards found that Infineon, Philips and Samsung colluded to artificially manipulate the price of SIM card chips.

Courtesy-TheInq

Cyber criminals Remotely Erasing Smartphone Data

October 14, 2014 by Michael  
Filed under Mobile

Smartphones taken as evidence by police in the UK are being wiped remotely by crooks in order to remove potentially incriminating data, an investigation has uncovered.

Dorset police told the BBC that six devices were wiped within the space of a year while they were being kept in police custody, and Cambridgeshire, Derbyshire, Nottingham and Durham police also confirmed similar incidents.

The technology being used was originally designed to allow device owners to remove sensitive data from phones or tablets if they are lost or stolen.

“We have cases where phones get seized, and they are not necessarily taken from an arrested person, but we don’t know the details of these cases as there is not a reason to keep records of this,” a spokeswoman for Dorset police told the BBC.

A spokeswoman for Derbyshire police also confirmed one incident of a device being remotely wiped while in police custody.

“We can’t share many details about it, but the case concerned romance fraud, and a phone involved with the investigation was remotely wiped,” she said. “It did not impact upon the investigation, and we went on to secure a conviction.”

Software that enables this remote wiping has been available from a variety of security firms for some time now.

For example, BitDefender announced a product a while back intended to track  lost or stolen Android devices. Not only did it allow users to connect remotely and ‘wipe’ data from a web profile via the internet, but to activate commands with text messages.

Pen Test Partners’ digital forensics expert, Ken Munro, said it is common practice to immediately put devices that are seized as evidence into a radio-frequency shielded bag to prevent any signals getting through and stop remote wipes.

“If we can’t get to the scene within an hour, we tell the client to pop it in a microwave oven,” he said. “The microwave is reasonably effective as a shield against mobile or tablet signals – just don’t turn it on.”

Courtesy-TheInq

Is Apple, Microsoft And Oracle Code At Risk?

October 10, 2014 by Michael  
Filed under Computing

Hackers are phishing for the source code of numerous tech companies, including Microsoft, Apple, Oracle and Adobe, for use in future advanced, targeted attacks, according to FireEye CEO David Dewalt.

Dewalt made the claim during a keynote speech at the MIRcon cyber security conference attended by V3, claiming that the firm has detected an alarming spike in attacks targeting technology companies.

“The [hackers] are focused on high value targets and one of the most breached areas we see is high tech. [We're seeing them] go for source code as if they can get the source code and find a hole to get round [users'] defences,” he said.

“Using malicious email, using web, using mobile applications they’re trying to lure [victims] to a credential-stealing tool. The amount of activity we see going for the big technology platforms – Microsoft, Apple, Adobe, Oracle – is huge.”

Dewalt said that the news is disturbing as developments in the cyber crime and state-sponsored hacking community mean that the attacks are becoming increasingly effective.

“We’ve never seen such a dislocation between offence and defence. The balance has never been wider. The offensive community is so advanced the defence workers are playing catch up. We’re tracking hundreds of groups from hundreds of countries engaged in cyber activity,” he said.

“Now 97 percent of organisations are breached; 1,279 companies we deal with have evidence of breach. Of those, 76 percent saw the breach and saw the malware.”

The FireEye chief highlighted companies’ ongoing reliance on layered security models, which he said are ill-suited to deal with multi-layered attacks.

“We’re fortunate at FireEye to be involved with customers in 60 countries. In most we’re seeing the same defence culture – let’s put many layers of defence in place from as many vendors as possible to catch the bad guys,” he said.

“We’re seeing massive holes in this architecture that mean every day people are being breached. [Hackers] are getting through hundreds of millions of dollars worth of defence spending. The effectiveness of the defence is not indicative of the spend.”

Dewalt said that firms will have to rethink their security strategies to deal with the increased threat and focus on threat intelligence and analytics as well as perimeter defence. FireEye is one of many security firms and government agencies calling for organisations to rethink their security practices.

Interpol opened a Global Complex for Innovation information centre on 1 October in a bid to centralise and co-ordinate anti-cyber crime efforts at security firms, law enforcement agencies, academia and wider industries.

FireEye launched an Advanced Threat Intelligence tool on 18 September designed to help firms deal with the next-generation, multi-layer threats detailed by DeWalt.

Courtesy-V3

Nearly 45% Of Android Devices Have Browser With Security Holes

October 10, 2014 by mphillips  
Filed under Mobile

Around 45 percent of Android mobile devices have a browser that is vulnerable to two serious security issues, but some countries have a considerably larger percentage of affected users than others, according to data from mobile security firm Lookout.

The two security issues were uncovered over the past month by a security researcher named Rafay Baloch and were described as a privacy disaster by other researchers. They allow an attacker to bypass a core security boundary, called the same-origin policy (SOP), that exists in all browsers.

The SOP prevents scripts from one domain from interacting with data from a different domain. For example, scripts running on a page hosted on domain A should not be able to interact with content loaded on the same page from domain B.

Without that restriction, attackers could create pages that load Facebook, Gmail or some other sensitive sites in an invisible iframe and then trick users into visiting those pages in order to hijack their sessions and read their emails or send Facebook messages, for example.

The SOP bypass vulnerabilities found by Baloch affect Android versions older than 4.4, which according to data from Google are installed on 75 percent of all Android devices that actively visit the Google Play Store. Android 4.4 is not vulnerable because it uses Google Chrome as the default browser instead of the older Android Open Source Project (AOSP) browser.

Google has released patches for the two vulnerabilities through AOSP, which serves as the base for the customized Android firmware installed on devices by manufacturers. The task now falls on device vendors to import those patches and release firmware updates to end users.

However, history has shown that the availability of Android firmware updates varies greatly among manufacturers, different devices from the same manufacturer and even among countries, as local carriers also play a role in the distribution of over-the-air updates.

 

Symantec Exploring Possibility Of Splitting Business Up

October 9, 2014 by mphillips  
Filed under Around The Net

Security software maker Symantec Corp is in advanced negotiations to split its business into two entities – one that sells security programs and another that does data storage, Bloomberg reported, citing people with knowledge of the matter.

An announcement may be a few weeks away, according to Bloomberg.

Symantec declined to comment on the report.

Reuters reported in April that Symantec, the biggest U.S. security software maker, was in the process of hiring banks to help advise on strategy and defend against possible activist investors.

Private equity firms were also looking at the possibility of breaking up Symantec into smaller pieces, some of which may also be attractive to industry peers, sources told Reuters at that time.

A breakup may position Symantec’s separated businesses as acquisition targets, given that large companies including EMC Corp and Hewlett-Packard Co are interested in the stand-alone security business or in an independent storage business, Bloomberg reported.

Earlier this year, the company, known for its Norton antivirus software, abruptly fired its CEO as it struggles to revive growth amid eroding PC sales.

Symantec, which also offers data storage products, has seen revenue growth turn negative in recent quarters, unlike the rest of the security software market, which is growing at least 10 percent to 15 percent annually.

The slowdown is partly due to eroding PC sales, affecting demand for its software, which often comes bundled with new computers. It has failed to gain a strong footing in the market for mobile security.

If it goes ahead with the breakup, Symantec would join technology companies that are spinning off operations in an attempt to become more agile and capitalize on faster-growing businesses.

 

Kaspersky Working To Thwart Tyupkin ATM Malware

October 9, 2014 by Michael  
Filed under Around The Net

Kaspersky has revealed that it is working with Interpol in attempting to foil a gang of cash machine (ATM) hackers who have found a way to make it spit out its contents without even using a card.

The hack is incredibly carefully thought out. Hackers gain access to cash machines, through mole employees or perhaps cleaners, and add the malicious code, named Tyupkin by Kaspersky. The cash machine continues to function as normal.

The malware is triggered only at set times – Sunday and Monday nights – thus avoiding being accidentally triggered by a member of the public.

At that time, the mule is sent to the machine and types in a series of digits unique to that raid based on an algorithm known to the gang.

He then makes a second call to the gang who generate the second half of the code from their end, thus ensuring that the mule isn’t tempted to swan off with the dough.

At that point, it’s Winsday. The machine will display how much is in each cash compartment and willingly spits it out to the waiting mule who goes back to distribute the swag.

“Offenders are constantly identifying new ways to evolve their methodologies to commit crimes, and it is essential that we keep law enforcement in our member countries involved and informed about current trends and modus operandi,” said Sanjay Virmani, director of the Interpol Digital Crime Centre.

“We strongly advise banks to review the physical security of their ATMs and network infrastructure and consider investing in quality security solutions,” added Vicente Diaz, principal security researcher at Kaspersky Lab’s Global Research and Analysis Team, who, coincidentally, knows a company that can offer those solutions. Fancy.

Among the recommendations Kaspersky offers is a reminder to switch away from default passwords for systems including the system BIOS for each cash machine.

In June of this year, two Canadian teenagers showed how they had broken into an in-store ATM simply by downloading the instructions from the internet and using unchanged default passwords.

Malware for ATMs first came to the fore in 2008 when two Louisiana criminals reconfigured a cash machine to make it believe that it had smaller denomination bills than it really did.

Courtesy-TheInq

 

Marriott Ordered To Pay $600K In Wi-Fi Blocking Lawsuit

October 6, 2014 by mphillips  
Filed under Around The Net

This might come as good news for anyone who has ever felt gouged by hotel charges for Wi-Fi service: Marriott International has to pay $600,000 following an investigation into whether it intentionally blocked personal Wi-Fi hotspots in order to force customers to use its own pricey service.

The U.S. Federal Communications Commission looked into allegations that employees of Marriott’s Gaylord Opryland Hotel and Convention Center in Nashville used signal-blocking features of a Wi-Fi monitoring system to prevent customers from connecting to the Internet through their personal Wi-Fi hotspots, the regulator said in its consent decree. The hotel charged customers and exhibitors $250 to $1,000 per device to access Marriott’s Wi-Fi network.

The hotel’s Wi-Fi blocking violated the U.S. Communications Act, the FCC said.

“Consumers who purchase cellular data plans should be able to use them without fear that their personal Internet connection will be blocked by their hotel or conference center,” FCC Enforcement Bureau chief Travis LeBlanc said in a statement. “It is unacceptable for any hotel to intentionally disable personal hotspots while also charging consumers and small businesses high fees to use the hotel’s own Wi-Fi network. This practice puts consumers in the untenable position of either paying twice for the same service or forgoing Internet access altogether.”

Marriott said it believes its actions were legal.

“Marriott has a strong interest in ensuring that when our guests use our Wi-Fi service, they will be protected from rogue wireless hotspots that can cause degraded service, insidious cyber-attacks and identity theft,” the company said in a statement. “Like many other institutions and companies in a wide variety of industries, including hospitals and universities, the Gaylord Opryland protected its Wi-Fi network by using FCC-authorized equipment provided by well-known, reputable manufacturers.”

The company will push for the FCC to create rules that “eliminate the ongoing confusion” from the settlement, Marriott said.

 

 

 

States Fret Over Ability To Hire Info Security Pros

October 6, 2014 by mphillips  
Filed under Around The Net

States’ attempts to beef up cybersecurity are being hindered by lack of money and people. States don’t have enough funding to keep up with the increasing sophistication of the threats, and can’t match private sector salaries, says a new study.

In a recently released report by Deloitte and the National Association of State CIOs (NASCIO) about IT security in state government received responses from chief information security officers (CISOs) in 49 states. Of that number, nearly 60% believe there is a scarcity of qualified professionals willing to work in the public sector.

Nine in 10 respondents said the biggest challenge in attracting professionals “comes down to salary.”

But the problem of hiring IT security professionals isn’t limited to government, according to Jon Oltsik, an analyst at Enterprise Strategy Group (ESG).

In a survey earlier this year of about 300 security professionals by ESG, 65% said it is “somewhat difficult” to recruit and hire security professionals, and 18% said it was “extremely difficult.”

“The available pool of talent is not really increasing,” said Oltsik, who says that not enough is being done to attract people to study in this area.

Oltsik’s view is backed by a Rand study, released in June, which said shortages “complicate securing the nation’s networks and may leave the United State ill-prepared to carry out conflict in cyberspace.”

The National Security Agency is the country’s largest employer of cybersecurity professionals, and the Rand study found that 80% of hires are entry level, most with bachelor’s degrees. The NSA “has a very intensive internal schooling system, lasting as long as three years for some,” Rand reported.

Oltsik said if the states can’t hire senior people, they should “get the junior people and give them lots of opportunities to grow and train.” Security professionals are driven by a desire for knowledge, want to work with researchers and want opportunities to present their own work, he said.

Another way to help security efforts, said Oltsik, is to seek more integrated systems, instead of lot of one-off systems that require more people to work on them.