Thursday, February 28, 2013

Splunk Makes Its Platform Play | The Big Data Blog – BETA



A Massachusetts company called Prelert released a new application yesterday that combines machine learning and predictive analytics to detect and report anomalous behavior emanating from IT infrastructure. If that sounds a lot like what Splunk does, you’re right.
In fact, Anomaly Detective is a downloadable app that runs on top of Splunk Enterprise. The release ties into Splunk’s push to position Splunk Enterprise as a Big Data application development platform as much as a suite of Big Data applications itself. Splunk released a software development kit for JavaScript to GA in October, followed by two new SDKs, one for Java and another for Python, in December.

Wednesday, February 27, 2013

Global Identity Management. Is it possible?



Because managing identities is a global problem, it requires a global solution, says Paul Simmonds of the Jericho Forum. A new organization has been established to address global identity. Simmonds offers insight.
As CEO of the newly created Global Identity Foundation and co-founder of the Jericho Forum, a global security group for CISOs, Simmonds says the core security challenge every organization faces is how to authenticate identity.
"Right now, with the systems we have in place, we don't have any connection to the person," he says during an interview at RSA Conference 2013.
The digital connection between the entity confirming the identity and the individual who possesses the identity has to be solid, Simmonds adds. "Banks and others need that information so they can make a risk-based decision, based on the identity," he says. Without that information, they are building risk profiles about identities, based on information that is not reliable, Simmonds explains.
"There is a challenge around doing this globally and doing this around bring-your-own-identity," he says. "So, one of the things that Jericho came to the conclusion about is that you and I need to be in control of our own identity. It's how humans operate. And doing anything else doesn't work."
Computer networks and systems get hacked, Simmonds says, making them unreliable for the management or authentication of identities. "Fundamentally, you and I need to bring our own identity to the game," he says.
At RSA 2013, Simmonds hosted a presentation about Jericho's plans for the new identity management group, as well as steps organizations should take now to educate themselves about what to expect in the future.
In this interview, Simmonds discusses:
  • The role of the Jericho Forum and the role it envisions for the newly established Global Identity Foundation;
  • Challenges current mindsets and infrastructure pose for global identity management and authentication;
  • How a global network can help to improve financial and national security.
In addition to his roles as a board member on the Jericho Forum and head of the new Global Identity Foundation, Simmonds also is an independent security consultant who formerly served as the CISO of AstraZeneca, a global biopharmaceutical research company. He also previously oversaw information security for a high security European Web hosting company and was the global information security manager for Motorola.
For the interview, please see: http://www.databreachtoday.com/interviews/managing-identity-risks-i-1808

Obama cybersecurity chief warns further regulations may be required - The Hill's Hillicon Valley


SAN FRANCISCO — President Obama’s executive order on national cybersecurity could result in new regulations for companies that operate key infrastructure, according to Michael Daniel, the White House’s cybersecurity coordinator.
Daniel said new regulations could be needed to create a “backstop” to address security gaps in the computer systems and networks of the nation’s water systems, electric grid and other critical infrastructure. 
Some observers have said the administration’s order, issued earlier this month, lacks teeth because the bulk of its measures are voluntary.
The order creates a program led by the Homeland Security Department where critical infrastructure operators would join on a voluntary basis and agree to follow a set of cybersecurity best practices and standards crafted jointly by the Commerce Department and the industry. 
But Daniel noted that a key part of the order directs primary regulators — including the Treasury and Energy departments — to review their current regulations and requirements and align them with the standards included in the cybersecurity framework developed by the Commerce Department’s National Institute of Standards and Technology. That could result in the agencies taking new executive actions or crafting updated regulations to bring their rules up to speed with the framework. 
“They’re to compare their current requirements and regulations against that framework, and if they are not sufficient and the companies [are] not participating in the voluntary program for whatever reason, that those regulators could take action to try to bring their requirements and regulations up to the level of the framework,” Daniel told The Hill in an interview at the RSA cybersecurity conference. “I think from the administration’s perspective, we view that as kind of the backstop.” 
“This is very significant stuff, and I think the president believes ... we need to have that backstop to make sure that we’re getting the cybersecurity of that critical infrastructure up to the level of the framework,” he added. 
The U.S. Chamber of Commerce criticized the executive order when it was issued, saying that it “opposes the expansion or creation of new regulatory regimes.” 
But the White House cybersecurity chief said this section of the cyber order is needed to help critical infrastructure thwart cyberattacks that could lead to catastrophic damage in the physical world. 
In the near term, the White House will focus on overseeing the implementation of the measures in the executive order, while it is also working on a set of legislative principles to help guide Congress’s work on cybersecurity legislation. 
Daniel said the principles will be similar to those outlined in the cybersecurity legislative proposal the administration delivered to Congress in May 2011, such as stiffening criminal statutes for cyber crime and creating a national data breach notification law that tells companies when they need to report a security breach to the government. 
He said the forthcoming set of principles will not include bill text, but will reaffirm the administration’s support of the 2011 legislative proposal.  
In Washington, the administration and Congress are engaged in an intense debate about the looming $85 billion automatic budget cuts. Daniel warned that the cuts will affect cybersecurity programs across the federal government and potentially the implementation of the executive order.
“There’s no question that it’s going to potentially have a negative impact on not just the [executive order], but all of our cybersecurity efforts across the board,” he said. “I don’t think it will be disproportionate to other government programs, but it will clearly negatively affect it and slow us down on our implementation, so I think that certainly it’s going to have a negative effect.” 
“It’s one of the many reasons why sequester is such a bad policy to begin with, because it doesn’t allow you to prioritize for things that are really important like cyber,” Daniel added.
In the meantime, he noted that, while the White House has engaged with various congressional committees that are in the midst of crafting cybersecurity legislation, it will be challenging to get a bill passed this year. 
Although lawmakers have sounded alarm about the cyber threat facing the U.S., Congress has so far failed to pass pertinent legislation. The Senate tried twice to pass a sweeping cybersecurity bill last year, but GOP members blocked the measure over concerns that it would saddle industry with burdensome new regulations.
“I think there’s actually a real window of opportunity here,” Daniel said. “This is a difficult environment to get any legislation passed. I’m sort of a natural optimist in that regard, so I will keep working on that, but it will be a challenge.”


Read more: http://thehill.com/blogs/hillicon-valley/technology/285133-cybersecurity-chief-further-regulations-may-be-required#ixzz2MA9PXAbv 

Vulnerability Gives Hackers Access to Locked iPhones


Think your iPhone 5 is safe and secure with your password lock set up nicely? A new vulnerability has been discovered which could allow hackers to bypass password locks and gain access to users' personal information.
First detected by Vulnerability Lab in a Full Disclosure report and further detailed on Kaspersky Labs' Threatpost blog, hackers can get around the iPhone's lock screen by using the Emergency Call function. The workaround gives the user access to contact lists, voicemails and photos.
"The exploit involves manipulating the phone’s screenshot function, its emergency call function and its power button," Threatpost.com writes. "Users can make an emergency call (911 for example) on the phone and then cancel it while toggling the power on and off to get temporary access to the phone."
From there, a hacker can attach a USB cord to the smartphone and access data on the phone via a computer. The exploit works on iPhone 5 devices running iOS 6.1 software.
"The vulnerability allows the local attacker to bypass the code lock in iTunes and via USB when a black screen bug occurs," the Full Disclosure report notes. "Successful exploitation of the vulnerability results in unauthorized device access and information disclosure."
Apple has not yet responded to a request for comment.
For a deeper look at how the exploit works, check out the video below. The first part of the video demonstrates a vulnerability detected earlier this month.


Mobile Banking: Emerging Threats - BankInfoSecurity


Some of the biggest threats to mobile banking and payments are the ones over which institutions have no direct control. How can they mitigate these risks? Mobile banking expert Tom Wills offers advice.
Telecommunications infrastructure. Third-party applications. User behavior. All are among top security challenges for global banking institutions as they expand their mobile banking and payments initiatives. And most challenging of all: These threats fall outside the institutions' direct control. So, how can banks get a handle on emerging mobile risks?

2 New Malware Threats Identified - BankInfoSecurity


The sophistication of two newly identified malware strains reveals just how stealthy these attacks are becoming. And security experts who discovered these strains say detection is proving increasingly challenging.
Researchers at Trusteer in early January discovered a new malware variant that compromises online browsing sessions by injecting fake Web pages. So far, one leading bank and a handful of non-financial websites have been affected, and Trusteer expects the Trojan to spread. For more, see the link below.

2 New Malware Threats Identified - BankInfoSecurity

Monday, February 25, 2013

Google Two-Factor Authentication Bug Allowed Account Hijacking


Google allows users to turn on two-factor authentication on their Gmail account for stronger security and generate special access tokens for applications that don't support two-step verification. Researchers at Duo Security found a way to abuse those special tokens to completely circumvent the two-factor process, wrote Adam Goodman, principal security engineer at Duo Security. Duo Security notified Google of the issues, and the company has "implemented some changes to mitigate the most serious of the threats," Goodman wrote.
"We think it's a rather significant hole in a strong authentication system if a user still has some form of 'password' that is sufficient to take over full control of his account," Goodman wrote.
However, he also said that having two-factor authentication, even with this flaw, was "unequivocally better" than just relying on a normal username/password combination.
The Issue With ASPs

Two-factor authentication is a good way to secure user accounts, since it requires something you know (the password) and something you have (a mobile device to get the special code). Users who have turned on two-factor on their Google accounts need to enter their normal login credentials, and then the special one-use password displayed on their mobile device. The special password may be generated by an app on the mobile device or sent via SMS message, and is device specific. This means the user doesn't need to generate a new code every single time they log in, only each time they log in from a new device. However, for additional security, the authentication code expires every 30 days.
Great idea and implementation, but Google had to make "a few compromises," such as application-specific passwords, so that users could still use applications that don't support two-step verification, Goodman noted. ASPs are specialized tokens generated for each application (hence the name) that users enter in place of the password/token combination. Users can use ASPs for email clients such as Mozilla Thunderbird, chat clients such as Pidgin, and calendar applications. Older Android versions also don't support two-step, so users had to use ASPs to sign in to older phones and tablets. Users could also revoke access to their Google account by disabling that application's ASP.
Duo Security discovered that ASPs actually weren't application-specific after all, and could do more than just grab email over the IMAP protocol or calendar events using CalDAV. In fact, one code could be used to log in to almost any of Google's Web properties thanks to a new "auto-login" feature introduced in recent Android and Chrome OS versions. Auto-login allowed users who linked their mobile devices or Chromebooks to their Google accounts to automatically access all Google-related pages over the Web without ever seeing another login page.
With that ASP, someone could go straight to the “Account recovery page” and edit email addresses and phone numbers where password-reset messages are sent.
"This was enough for us to realize that ASPs presented some surprisingly-serious security threats," Goodman said.
Duo Security intercepted an ASP by analyzing requests sent from an Android device to Google servers. While a phishing scheme to intercept ASPs would likely have a low rate of success, Duo Security speculated that malware could be designed to extract ASPs stored on the device or take advantage of poor SSL certificate verification to intercept ASPs as part of a man-in-the-middle attack.
While Google's fixes address the problems found, "we'd love to see Google implement some means to further-restrict the privileges of individual ASPs," Goodman wrote.
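The restriction Goodman asks for can be modeled in a few lines. The following is an added example, not Google's or Duo Security's code: the `Account` class, the scope names and the `two_factor_session` flag are all hypothetical, and it contrasts an ASP that is accepted everywhere with one that is bound to the protocols its application needs.

```python
import hashlib
import hmac
import secrets

# Constructed scope names. The sensitive set stands in for the account
# recovery settings the article says an ASP could reach.
SENSITIVE = {"account_recovery", "security_settings"}

def _digest(secret):
    # ASPs are random and high-entropy, so a plain hash is enough at rest.
    return hashlib.sha256(secret.encode()).digest()

class Account:
    def __init__(self):
        self.asps = {}  # digest -> (label, allowed scopes)

    def issue_asp(self, label, scopes):
        """Create an ASP bound to the protocols one application needs."""
        scopes = frozenset(scopes)
        if scopes & SENSITIVE:
            raise ValueError("ASPs may not carry account-management scopes")
        secret = secrets.token_urlsafe(16)
        self.asps[_digest(secret)] = (label, scopes)
        return secret

    def revoke_asp(self, label):
        self.asps = {d: v for d, v in self.asps.items() if v[0] != label}

    def _lookup(self, secret):
        presented = _digest(secret)
        for stored, entry in self.asps.items():
            if hmac.compare_digest(stored, presented):
                return entry
        return None

    def authorize_unscoped(self, secret, resource):
        """Flawed model: any valid ASP is accepted for any resource."""
        return self._lookup(secret) is not None

    def authorize_scoped(self, secret, resource, two_factor_session=False):
        """Hardened model: an ASP is never sufficient for sensitive
        resources, which need an interactive two-factor session; other
        resources must be in the scope set of the presented ASP."""
        if resource in SENSITIVE:
            return two_factor_session
        entry = self._lookup(secret)
        return entry is not None and resource in entry[1]
```
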




HP unveils 'Big Data Security' strategy - Network World


HP today took the wraps off its Big Data Security strategy, describing how combining the enterprise search and knowledge management resources from its Autonomy subsidiary with its ArcSight security-event and information management (SIEM) can yield new ways to detect cyberattacks or rogue-employee behavior.
HP's approach, like that of rivals IBM and RSA, calls for use of SIEM tools as a foundation for so-called Big Data Security. The concept of Big Data Security presumes that artful analysis of massive amounts of data content, in addition to the traditional security-related event information that's collected through a SIEM, can produce a better way to quickly pinpoint security problems. For more, please see: 


HP unveils 'Big Data Security' strategy - Network World

Mozilla's Firefox OS to rival iOS, Android | ZDNet


Top 10 Mobile Security Tips for a New Smartphone - Mobile Security
