Sunday, 27 January 2013

Mobile Attacks Top the List of 2013 Security Threats - Computerworld

by Thor Olavsrud, m.computerworld.com
January 9th 2013 9:25 AM

CIO - Last year, the tech world saw a large number of high-profile attacks and data breaches, and security experts say threats will evolve and escalate in the coming year. BYOD, cloud and advanced persistent threats (APTs) remain top of mind for many, and experts agree that those threats will continue to play a significant role in the threat landscape in 2013. But will this finally be the year that mobile malware leaves its mark? What other new threats lay on the horizon?

Mobile Threats

For years, security experts have predicted the rise of mobile malware, and this year is no exception. Many experts expect mobile threats to escalate in 2013.

"We will see the first major malware on a mobile platform," says Seth Goldhammer, director of product management at LogRhythm, provider of a security information and event management (SIEM) IT platform. "There has already been malware that has made it into the Android Play Store and even Apple's App Store. Given that the large majority of mobile devices run without any type of malware detection, it is inevitable that we are prone for a major, disruptive malware possibly posing as an update for a popular application."

"The BYOD phenomenon--that tablets and smart phones outpace laptops in sales--means it is very likely these devices are participating on corporate networks even though IT may have put up safety guards to prevent their use," Goldhammer adds.

"For enterprises, this means that IT needs greater visibility into how these devices are interacting with the environment and the specific behavior of these devices to recognize when communications alter," Goldhammer says. "A significant deviation in communication patterns may reflect malware spread. If these devices are participating inside the corporate network, this could prove to be very disruptive, not only due to the increase in network activity but malware moving from mobile to standard operating systems."
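The visibility Goldhammer calls for comes down to baselining each device's behaviour and flagging departures from it. The following is an added example, not LogRhythm's product logic or anything from the article: a Python routine that ingests constructed flow records of the form (hour, device, destination) and flags a device whose number of distinct internal destinations in the current hour jumps far above its own earlier hours, the fan-out pattern that self-propagating malware produces on a network. Device names, addresses and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (hour, device, destination) standing in for the
# firewall or NetFlow exports a SIEM would normally ingest.
SAMPLE_FLOWS = [
    (0, "tablet-17", "10.0.1.10"), (0, "tablet-17", "10.0.1.11"),
    (1, "tablet-17", "10.0.1.10"), (1, "tablet-17", "10.0.1.12"),
    (2, "tablet-17", "10.0.1.10"), (2, "tablet-17", "10.0.1.11"),
    (3, "tablet-17", "10.0.1.11"), (3, "tablet-17", "10.0.1.12"),
    (4, "tablet-17", "10.0.1.10"), (4, "tablet-17", "10.0.1.11"),
    (0, "phone-42", "10.0.1.10"), (1, "phone-42", "10.0.1.10"),
    (2, "phone-42", "10.0.1.10"), (3, "phone-42", "10.0.1.12"),
    # hour 4: phone-42 suddenly contacts 25 internal hosts it never used before
] + [(4, "phone-42", f"10.0.1.{n}") for n in range(20, 45)]


def distinct_destinations_per_hour(flows):
    """Return {device: {hour: count of distinct destinations}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for hour, device, dst in flows:
        seen[device][hour].add(dst)
    return {dev: {h: len(d) for h, d in hours.items()} for dev, hours in seen.items()}


def detect_deviations(flows, current_hour, min_sigma=3.0, min_ratio=3.0, min_abs=5):
    """Flag devices whose fan-out in current_hour deviates from their own history.

    A device is flagged when its current distinct-destination count is
      * at least min_abs (ignores tiny absolute changes),
      * at least min_ratio times its baseline mean, and
      * at least min_sigma standard deviations above the mean (skipped when the
        baseline is perfectly flat, since the ratio test already covers that).
    Devices with no history before current_hour are reported as 'no_baseline'
    rather than silently compared against nothing.
    """
    counts = distinct_destinations_per_hour(flows)
    flagged = {}
    for device, per_hour in counts.items():
        current = per_hour.get(current_hour, 0)
        history = [c for h, c in per_hour.items() if h < current_hour]
        if not history:
            if current >= min_abs:
                flagged[device] = {"current": current, "baseline_mean": None,
                                   "reason": "no_baseline"}
            continue
        mu, sigma = mean(history), pstdev(history)
        if current < min_abs or current < mu * min_ratio:
            continue
        if sigma > 0 and (current - mu) / sigma < min_sigma:
            continue
        flagged[device] = {"current": current, "baseline_mean": mu,
                           "reason": "fan_out_spike"}
    return flagged


if __name__ == "__main__":
    for dev, info in detect_deviations(SAMPLE_FLOWS, current_hour=4).items():
        print(f"{dev}: {info['current']} distinct destinations "
              f"(baseline {info['baseline_mean']}), {info['reason']}")
```

The per-device baseline matters more than any global threshold: a file server legitimately talks to hundreds of hosts, while a phone that normally reaches one or two internal systems and then sweeps 25 in an hour is the event worth a ticket.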

The popular Android mobile operating system, with its open ecosystem, may prove an especially attractive target to cybercriminals. Trend Micro predicts that the number of malicious and high-risk Android apps will increase three-fold from about 350,000 in 2012 to more than 1 million in 2013, broadly in line with the predicted growth of the OS itself.

"In terms of market share, Android may be on its way to dominating the mobile space the same way that Windows dominated the desktop/laptop arena," Trend Micro notes in its report, Security Threats to Business, the Digital Lifestyle and the Cloud: Trend Micro Predictions for 2013 and Beyond. "Malicious and high-risk Android apps are becoming more sophisticated. An 'arms race' between Android attackers and security providers is likely to occur in the coming year, much as one occurred a decade or more ago over Microsoft Windows."

One particular area of concern is malware that buys apps from an app store without user permission. McAfee points to the Android/Marketpay.A Trojan, which already exists, and predicts we'll see criminals add it as a payload to a mobile worm in 2013.

"Buying apps developed by malware authors puts money in their pockets," McAfee Labs suggests in its 2013 Threats Predictions report. "A mobile worm that uses exploits to propagate over numerous vulnerable phones is the perfect platform for malware that buys such apps; attackers will no longer need victims to install a piece of malware. If user interaction isn't needed, there will be nothing to prevent a mobile worm from going on a shopping spree."

McAfee also has concerns about the near-field communications (NFC) capabilities that are appearing on an increasing number of mobile devices.

"As users are able to make 'tap and pay' purchases in more locations, they'll carry their digital wallets everywhere," McAfee Labs says. "That flexibility will, unfortunately, also be a boon to thieves. Attackers will create mobile worms with NFC capabilities to propagate (via the 'bump and infect' method) and to steal money. Malware writers will thrive in areas with dense populations (airports, malls, theme parks, etc.). An NFC-enabled worm could run rampant through a large crowd, infecting victims and potentially stealing from their wallet accounts."

McAfee also reports that malware that blocks mobile devices from receiving security updates is likely to appear in 2013.

Mobile Ransomware

Ransomware -- in which criminals hijack a user's ability to access data, communicate or use the system at all and then force the user to pay a ransom to regain access -- spiked in 2012 and is likely to keep growing in 2013, says McAfee.

"Ransomware on Windows PCs has more than tripled during the past year," McAfee Labs reports. "Attackers have proven that this 'business model' works and are scaling up their attacks to increase profits."

McAfee Labs says it expects to see both Android and Apple's OS X as targets of ransomware in 2013 as ransomware kits, similar to the malware kits currently available in the underground market, proliferate.

"One limitation for many malware authors seeking profit from mobile devices is that more users transact business on desktop PCs than on tablets or phones," McAfee Labs says. "But this trend may not last; the convenience of portable browsers will likely lead more people to do their business on the go. Attackers have already developed ransomware for mobile devices. What if the ransom demand included threats to distribute recorded calls and pictures taken with the phone? We anticipate considerably more activity in this area during 2013."

AlienVault, provider of a unified security management solution, agrees: "We will see new ransomware tactics in 2013 as a result of the poor economy and the success of this type of attack (reportedly, cybercriminals raked in $5 million using ransomware tactics in 2012)."

Windows Still a Target

On the Windows front, Trend Micro reports that Windows 8 will offer consumers key security improvements, especially the Secure Boot and Early Launch Anti-Malware (ELAM) features. However, enterprises are unlikely to see these benefits in the coming year. Analysts from research firm Gartner believe most enterprises won't begin to roll out Windows 8 in large numbers until 2014 at the earliest.

McAfee suggests that attackers targeting Windows of all varieties will expand their use of sophisticated and devastating below-the-kernel attacks.

"The evolution of computer security software and other defenses on client endpoints is driving threats into different areas of the operating system stack, especially for covert and persistent attackers," McAfee Labs says.

"The frequency of threats attacking Microsoft Windows below the kernel is increasing. Some of the critical assets targeted include the BIOS, master boot record (MBR), volume boot record (VBR), GUID Partition Table (GPT) and NTLoader," McAfee Labs says. "Although the volume of these threats is unlikely to approach that of simpler attacks on Windows and applications, the impact of these complex attacks can be far more devastating. We expect to see more threats in this area during 2013."
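The assets McAfee lists sit below the reach of the operating system's own file-integrity tools, so defenders typically baseline them directly. The following is an added example, not McAfee's or the article's: a Python parser for the 512-byte master boot record that validates the 0x55AA boot signature, decodes the four partition entries, and hashes the bootstrap code so that a later read can be compared against a recorded baseline. The sample sector is constructed in code; on a real system it would be read from the raw disk device, which requires administrative privileges.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
# status, CHS start, partition type, CHS end, LBA start, sector count
ENTRY_FORMAT = "<B3sB3sII"
MBR_SIGNATURE = b"\x55\xaa"


def build_sample_mbr():
    """Construct a minimal MBR for the example (not read from any real disk):
    placeholder boot code, one bootable NTFS partition (type 0x07) at LBA 2048
    spanning 204800 sectors, three empty entries, and the 0x55AA signature."""
    bootstrap = b"\xeb\xfe" + b"\x90" * (PARTITION_TABLE_OFFSET - 2)  # 'jmp $' + NOP padding
    ntfs = struct.pack(ENTRY_FORMAT, 0x80, b"\x00\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = ntfs + b"\x00" * (16 * 3)
    return bootstrap + table + MBR_SIGNATURE


def has_boot_signature(sector):
    """True for a full 512-byte sector ending in the 0x55AA boot signature."""
    return len(sector) == SECTOR_SIZE and sector[510:512] == MBR_SIGNATURE


def parse_mbr(sector):
    """Return the SHA-256 of the bootstrap code and the non-empty partition entries."""
    if not has_boot_signature(sector):
        raise ValueError("not a 512-byte sector with the 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FORMAT, sector[off:off + 16])
        if ptype == 0:
            continue  # empty entry
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {"bootstrap_sha256": hashlib.sha256(sector[:PARTITION_TABLE_OFFSET]).hexdigest(),
            "partitions": partitions}


def check_against_baseline(sector, baseline):
    """Compare a freshly read MBR against a recorded baseline; return findings."""
    current = parse_mbr(sector)
    findings = []
    if current["bootstrap_sha256"] != baseline["bootstrap_sha256"]:
        findings.append("bootstrap code changed")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings


if __name__ == "__main__":
    mbr = build_sample_mbr()
    baseline = parse_mbr(mbr)
    print("baseline:", baseline)
    tampered = bytearray(mbr)
    tampered[100] ^= 0xFF  # simulate a modified byte in the boot code
    print("findings:", check_against_baseline(bytes(tampered), baseline))
```

The bootstrap code is hashed separately from the partition table because the two change for different reasons: a legitimate repartitioning alters the table but leaves the boot code untouched, whereas a modified bootstrap with an unchanged table is the signature of the kind of tampering the quote describes.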

HTML5 Creates a Greater Attack Surface

This year will see continuing adoption of HTML5. McAfee notes that it provides language improvements, capabilities to remove the need for plug-ins, new layout rendering options and powerful APIs that support local data storage, device access, 2D/3D rendering, web-socket communication and more. While HTML5 offers a number of security improvements -- McAfee believes there will be a reduction in exploits focused on plug-ins as browsers provide that functionality through their new media capabilities and APIs -- it also suggests the additional functionality will create a larger attack surface.

"One of the primary separations between a native application and an HTML application has been the ability of the former to perform arbitrary network connections on the client," McAfee Labs says. "HTML5 increases the attack surface for every user, as its features do not require extensive policy or access controls. Thus they allow a page served from the Internet to exploit WebSocket functionality and poke around the user's local network."

"In the past," McAfee reports, "this opportunity for attackers was limited because any malicious use was thwarted by the same-origin policy, which has been a cornerstone of security in HTML-based products. With HTML5, however, Cross Origin Resource Sharing will let scripts from one domain make network requests, post data, and access data from the target domain, thereby allowing HTML pages to perform reconnaissance and limited operations on the user's network."
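Two points sharpen the picture McAfee paints. Cross-Origin Resource Sharing does not abolish the same-origin policy: a script on one domain can read a response from another only when the target server explicitly opts in through response headers, so an internal service that sends a wildcard is the one that has exposed itself. And WebSocket is not governed by CORS at all, so a server must check the Origin header of the upgrade request itself. The following is an added example, not McAfee's or the article's: Python functions that normalize an Origin value, apply an exact-match allowlist for CORS responses, and perform the equivalent check for a WebSocket handshake, next to the permissive wildcard setting for contrast. The origins used are assumptions for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(origin):
    """Return 'scheme://host[:port]' with the default port dropped, or None when
    the value is not a usable origin ('null', no scheme, path/query present,
    userinfo present, or an unparsable port)."""
    if not origin or origin == "null":
        return None
    parts = urlsplit(origin)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname or parts.username:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    try:
        port = parts.port
    except ValueError:
        return None
    host = parts.hostname  # urlsplit lower-cases the host for us
    if port is None or port == DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def permissive_cors_headers():
    """The weak setting: any page on the Internet may read this service's responses."""
    return {"Access-Control-Allow-Origin": "*"}


def cors_headers(request_origin, allowed_origins, with_credentials=False):
    """Exact-match allowlist. Returns {} when the origin is not allowed, so the
    browser withholds the response from the requesting script. Echoing the
    matched origin (never '*') is what permits credentialed requests safely."""
    allowed = {normalize_origin(o) for o in allowed_origins} - {None}
    origin = normalize_origin(request_origin)
    if origin is None or origin not in allowed:
        return {}
    headers = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if with_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def websocket_origin_allowed(handshake_headers, allowed_origins):
    """CORS does not apply to WebSocket; the server must check the Origin header
    of the HTTP upgrade request itself. A missing Origin (non-browser client) is
    treated as not allowed for a browser-facing endpoint."""
    headers = {k.lower(): v for k, v in handshake_headers.items()}
    origin = normalize_origin(headers.get("origin"))
    allowed = {normalize_origin(o) for o in allowed_origins} - {None}
    return origin is not None and origin in allowed


if __name__ == "__main__":
    allowed = ["https://app.example.com", "http://intranet.local:8080"]
    for probe in ["https://app.example.com", "https://app.example.com.evil.example", "null"]:
        print(probe, "->", cors_headers(probe, allowed) or "blocked")
    print("ws:", websocket_origin_allowed({"Origin": "https://app.example.com"}, allowed))
```

Exact matching after normalization is the point: prefix or suffix matching on the raw header string is what lets a lookalike host such as the third probe above slip through, and a wildcard on an intranet service is precisely the opt-in that turns the reconnaissance McAfee describes into readable responses.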

Destructive Attacks

Experts also expect a rise in destructive attacks in 2013 by hacktivists and state actors.

"In 2013, we will see further destructive attacks (cybersabotage and cyberweaponry) on utilities and critical infrastructure systems," says Harry Sverdlove, CTO of security firm Bit9. "We saw Shamoon wipe out the systems of a major oil company in the Middle East, and that company's cybersecurity was no more lax than comparable companies in the United States or Europe. We know the bad guys have the ability to disrupt these systems, all they need is motive."

LogRhythm's Goldhammer agrees: "We should also expect to see an increase in nation state attacks and hacktivism. It might be hard for some people to believe that we'll see an increase in 2013 after so many well-documented and publicized attacks, but I expect we'll see hacktivists take much more aggressive measures."

While earlier attacks may have just embarrassed a country or company via website defacement or exposing their databases publicly, Goldhammer says he expects that to change: "I can see splinter cells of hackers take more aggressive means to cripple networks or corrupt data, or use ransom tactics, in order to financially punish or tactically weaken. In 2012, more and more evidence shows nation states using malware or using exploits to gain information or to attack infrastructure. In 2013, I expect to see headlines talking about a growing number of nation states building exploits against each other, both for data retrieval, data corruption and damage to infrastructure."

McAfee and Trend Micro both concur.

"Destructive payloads in malware have become rare because attackers prefer to take control of their victims' computers for financial gain or to steal intellectual property," McAfee Labs says. "Recently, however, we have seen several attacks -- some apparently targeted, others implemented as worms -- in which the only goal was to cause as much damage as possible. We expect this malicious behavior to grow in 2013."

"Whether this is hacktivism taken to a new level, as some claim, or just malicious intent is impossible to say, but the worrying fact is that companies appear to be rather vulnerable to such attacks," McAfee adds. "As with distributed denial of service (DDoS) attacks, the technical bar for the hackers to hurdle is rather low. If attackers can install destructive malware on a large number of machines, then the result can be devastating."

Thor Olavsrud covers IT Security, Big Data, Open Source, Microsoft Tools and Servers for CIO.com. Follow Thor on Twitter @ThorOlavsrud. Follow everything from CIO.com on Twitter @CIOonline and on Facebook. Email Thor at tolavsrud@cio.com

Read more about security in CIO's Security Drilldown.

Original Page: http://pocket.co/sG3B9

Shared from Pocket

Wait, so why do we need phones again? - Computerworld

by Mike Elgan, m.computerworld.com
January 19th 2013 7:00 AM

Computerworld - Facebook this week unveiled voice calling through its iPhone Messenger app.

The reaction to this news was the sound of crickets.

Announcing an app that lets you talk over the Internet is like opening a coffee shop in Seattle, a casino in Vegas or a Famous Original Ray's Pizza in New York City: Nice, but it's something we already have too much of.

In fact, the sole benefit of Facebook's new talk feature is that if I'm already using the Messenger app, and want to make a call, I can save the three seconds it might take me to open another app.

Not exactly a communications revolution.

Why phone service is obsolete

I haven't used a mobile or landline phone service since July.

I've talked to people using my iPhone (and also my laptop), but I've done it using Google Voice, Google+, Google Talk and Skype over Wi-Fi.

I've been giving out my Google Voice number for years. People call me. I answer the phone. We have a conversation. We hang up. No big deal.

Most of the people who call me, and whom I call, don't know I'm using the Internet, rather than the phone system, to converse. More importantly, they don't care.

They also often don't know I'm in Africa.

I'm old enough to remember when a long distance call was a big deal. ("Hurry up and pick up the phone! It's long distance!")

It was a big deal because a long distance call used to cost a lot. Then it got cheap. And now it's free. I don't pay a penny for Google Voice, and make calls from Europe and Africa to the U.S. all the time.

Yet most of us still use phone service with our mobile phones or even -- gasp! -- landline phones. The reason is not that we need phone service. The reason is that the companies that provide phone service need the money.

How we got here

It's simple. First we got the landline telephone. Then we got mobile phones. Then we got Internet-connected PCs. Then Internet connectivity was added to mobile phones. Then we got applications and apps that let us make calls over our Internet connections.

Now we don't need phone service anymore.

I know that Internet-based, or voice-over-IP (VoIP), service has a longer voice delay and is in that way worse than your typical mobile phone call. And, for that matter, landline phone service offers higher quality than a mobile call. (And records are higher quality than MP3s. And letters are higher quality than email. Yet we routinely choose lower quality in some respects in order to have more features and lower cost.)

The truth is that Internet-based phone calls are good enough. There's a delay, but the sound quality can be superior. More to the point, voice communication itself has been sidelined for most communication. Young people are gravitating to IM or social network messaging. Business people and others are embracing video conversations. All kinds of apps are providing innovative voice communications that aren't phone calls, exactly.

These "intercom," "push-to-talk" or "walkie-talkie" apps are cheap or free, and so common as to be a banality.

For phone conversations, we can use Google Voice, Google Talk, FaceTime, Skype or any number of similar VoIP apps.

My preference by far is Google Voice. It lets me set up custom voice-mail greetings for specific people or groups of people. It sends my voicemail and text conversations to my email inbox. It lies to telemarketers for me, faking a "this number is no longer in service" recording. It enables me to do both calls and SMS text-messaging via a browser on my laptop, if I want. It's secure because I use Google's two-step authentication.

Google Voice is not a pure VoIP service. It jumps in and out of the normal phone system for various purposes, which makes the service slightly more feature rich. But a great Internet-calling service does not need a phone system, just the Internet.

Google Voice has a long list of features that I've wanted from my mobile carrier, AT&T, for years, but they've never delivered. AT&T has been too busy throttling my data usage and trying to keep me from using alternatives to its exploitive SMS service.

The difference between AT&T and Google highlights exactly the problem with the old model for phone calls and the new one.

Why I want Google to provide phone service

The fundamental difference between carriers like AT&T and advertiser-supported online app and information service companies like Google is that AT&T's model loses money when I use more data, and Google's makes money when I use more data.

Here's an example. I signed up long ago for an "unlimited" data plan with AT&T, which has since been discontinued for new subscribers. However, as long as I maintain my AT&T account, I have been "grandfathered in" and can continue using it. I'm supposed to be grateful for their generosity.

When I reach 5 GB monthly data usage on AT&T, they throttle my data speed. When I called to complain about this, they told me that the government requires it.

Google, meanwhile, is building up massively fast, massively cheap home Internet connectivity in Kansas City, Kan., (and soon elsewhere, they say) because they want everybody to use the Internet a lot more.

Imagine how much better, more cost effective and efficient it would be if "carriers" provided only mobile broadband data connectivity, instead of that plus phone service.

Imagine how much smaller, lighter, cheaper and more battery-efficient our phones would be if they didn't have phone capability, only Internet connectivity.

And imagine if the people running those networks worked night and day to figure out ways to get you to transmit more data, not less.

The wireless carriers spend all their time and all our money trying to avoid becoming a dumb pipe of data. But now that we've got smartphones, a dumb pipe is exactly what we need -- just a much bigger one.

Phone service is obsolete. The ability to talk to someone using a phone is just another app.

So let's dismantle the AT&T model and replace it with the Google model, in which phone service is an app that's integrated into other communications services, and where there's competition between many companies to provide us with the best possible service at the lowest possible price.

Mike Elgan writes about technology and tech culture. Contact and learn more about Mike at http://Google.me/+MikeElgan. You can also see more articles by Mike Elgan on Computerworld.com.

Read more about Applications in Computerworld's Applications Topic Center.

Original Page: http://pocket.co/sG3BG

Disaster recovery: Don't forget mobile - Computerworld

by Mary K. Pratt, m.computerworld.com
January 14th 2013 6:00 AM

Computerworld - SAP had two priorities when the earthquake and tsunami hit Japan in 2011: Contact its 1,000 employees there and ascertain their needs.

Given the sheer scope of the devastation, and the subsequent nuclear crisis, the task would seem herculean. But SAP leaders quickly connected with their Japan-based workers, most of whom had mobile devices, either company-issued or their own.

The next step, says SAP executive vice president and CIO Oliver Bussmann, was getting back to work, even though the company had to temporarily close its Tokyo office. With redundant systems and its global reach, SAP was able to shift some workload out of Japan while its employees there were able to use their smartphones, tablets and laptops to access corporate assets.


"There's much more potential out there from a disaster-recovery perspective," Bussmann says, noting that SAP in the past two years has more deeply incorporated mobile devices into its disaster-recovery and business continuity plans.

CIOs like Bussmann are increasingly considering how mobile capabilities can help their companies get through catastrophes. In the 2012 AT&T Business Continuity Study, 67% of the 504 U.S.-based IT executives surveyed said that they include wireless network capabilities in their business continuity plans.

Despite that high percentage, though, the effectiveness of those plans varies widely, IT leaders and consultants say. Organizations using mobile devices for everyday tasks are more likely to have plans to use them in disasters, while those that don't are less able to rely on them in crisis situations.

However, as more people use smartphones and tablets to do their jobs, CIOs will have no choice but to figure out how to effectively fit mobile into their disaster-recovery plans. To do that, they must consider what data -- if any -- is stored on the devices, how workers access corporate systems on a regular basis as well as during a crisis, and what barriers they would encounter during any sort of incident.

That, in short, means analyzing the opportunities and challenges related to such a strategy.

"The more mobile you can make your workforce, the better off you'll be, so it's certainly a tool CIOs need to think about from a business continuity perspective," says Michael Porier, the Houston-based managing director of consulting firm Protiviti.

Companies are incorporating mobility into their emergency plans in part so they'll be able to send out blast messages via email, text and voice -- an approach that increases the odds that at least one type of message will get through, Porier says. Companies often use such blasts to check on workers who are in harm's way and to provide information on safety programs and work processes.


From there, he says CIOs are determining which employees can use their mobile devices for work during an incident and how that will happen. Porier says IT leaders need to have security measures in place, whether that's mobile device management software to secure, monitor, manage and support the devices or some other process that protects corporate data. And they need to determine whether to allow employees to download data to their devices or require them to access it through secure channels, such as a VPN.

Ray Thomas, a senior associate who oversees business assurance at consulting firm Booz Allen Hamilton, says he and his colleagues have been weighing such issues in recent years as the firm has endeavored to make its workforce more mobile. "We've been building mobility into how people work on a day-to-day basis, and that same flexibility works to our advantage during a disaster. As long as there's connectivity, our employees can continue to be productive," Thomas says.

Booz Allen has a notification system that uses email, voice and text messaging to push out messages that workers can access via smartphones or tablets. Employees can also access the corporate network with smartphones, tablets, laptops and personal desktop PCs.

Meanwhile, Thomas says employees routinely download work files onto their laptops, and they're reminded to plan to take work home on their devices in advance of expected events, such as Hurricane Sandy, so they can work even if connections with the corporate network are sketchy.

But that approach underscores the limits of a policy that relies on mobile devices during disasters: Power, connectivity and access to corporate networks are no guarantee. "There are weak links all over," says Gregg "Skip" Bailey, director of technology, strategy and architecture at Deloitte Consulting.

He points out that when a magnitude 5.8 earthquake hit the Washington, D.C., area in 2011, cellular networks were overloaded, and many people couldn't make or receive calls, although some texts were able to slowly make it through. And Hurricane Sandy took out some cell services completely and left many areas without the power needed to recharge devices.

Companies with workers accessing the corporate network from handheld devices also need to consider whether they can accommodate added network traffic during an emergency, says Joe Nocera, principal in PwC's Advisory Technology Consulting practice. He says a typical VPN might be used by 20% to 25% of a company's employees on a daily basis, but usage can spike to more than 80% during a disaster.

The Benefits of a Virtual Desktop

When CIO Gary L. Bateman started deploying desktop virtualization technology three years ago, he figured it would help him save some money and simplify IT support -- both crucial as his employer, the Iowa Workforce Development agency, was facing drastic budget cuts.

The new infrastructure combined with a new bring-your-own-device policy allows the agency's 1,000 workers to easily access corporate files from any computer, whether it's a client PC in the office, a personal smartphone or an agency-issued tablet. Members of the public can also connect with the agency through the virtual desktop.

"We had positioned ourselves to compute from anywhere you could get an Internet connection, and from a disaster-recovery perspective, that works out great," Bateman says.

Of course, it's not quite that simple, Bateman adds. His IT department distributes workloads between its two data centers to cushion against the chances of all systems being disabled during a disaster -- a turn of events that would leave employees unable to work at all.

"As long as we have power and connectivity to at least one, you can still get to virtual environment," he says. "We can stay in business, because anything I can run from an office, I can run from a virtual desktop."

Interest in desktop virtualization is high. In a 2012 Cisco survey of 600 enterprise IT leaders, 68% of the respondents said that they agreed that a majority of knowledge worker roles are suitable for desktop virtualization, and 50% said that their organizations are implementing desktop virtualization strategies.

Survey respondents listed business continuity as one of the three areas that would benefit most from desktop virtualization (employee productivity and IT costs being the other two). Moreover, the respondents saw desktop virtualization as key for mobile computing, with 81% citing laptops as a priority, 76% choosing desktops, 64% citing smartphones and 60% naming tablets.


Moreover, Bailey and others say, workers have to be accustomed to using smartphones and tablets for daily tasks before a disaster strikes. Executives shouldn't assume that workers will be able to easily switch from their regular desktop habits to working on their handhelds. Nor should they expect workers to learn on the fly how to use a VPN to access corporate systems from their home computers. And even if they could, let's face it: Working on a smartphone or tablet doesn't match the ease of working with a desktop's full-size keyboard and screen.

Of course, all this talk presupposes that corporate systems will remain up and running during a disaster. If they don't, that's a whole other ballgame.

"If you have a data center that gets wiped out, it doesn't matter if you have mobile devices," Bailey says.

With that in mind, IT needs to understand the role mobility plays in keeping a business running as it plans its back-end recovery efforts, making it a priority to restore the servers that support mobile device management and applications that enable mobility, Nocera says.

"It's knowing where those applications are being served up and making sure you have them covered in your recovery plan," he says.

More CIOs are bumping that up the priority list.

Buddy Cox, executive vice president and CIO at Houston-based Cadence Bancorp, is seeing that firsthand. According to industry statistics, 18 million people bank via mobile devices today, and that figure is expected to grow to 50 million by 2015. Faced with those kinds of figures, along with workers' changing work styles, he says he's enabling more mobile devices to handle a growing number of mission-critical applications.

"We looked at what our customers and [employees] need to access in an event, from minor interruptions to catastrophic ones. And we know who carries iPads or iPhones and what options we have," he says, explaining that his disaster-recovery plans also include regional recovery sites where employees can work. Those sites even have satellite-based communications systems.

But, for now, experts agree: Mobile isn't a panacea, but rather one piece of what should be a multilayered approach that also includes land-based connections, alternative office sites and some redundant systems.

"We haven't gotten to the state where [we can] just fail over to mobile devices," says Dan Waddell, senior director of IT security at eGlobalTech, an IT consultancy in Arlington, Va., and a member of the board of the International Information Systems Security Certification Consortium. "They should be considered, but they should not be the only option."

Pratt is a Computerworld contributing writer in Waltham, Mass. Contact her at marykpratt@verizon.net.

Read more about Mobile/Wireless in Computerworld's Mobile/Wireless Topic Center.

Original Page: http://pocket.co/sG3BM

Inside BlackBerry: Top 5 Questions

Top 5 BlackBerry 10 Questions

by Authors, blogs.blackberry.com

I picked a great time to start blogging for BlackBerry. The anticipation for BlackBerry 10 has been so exciting for us community managers, and we know how excited you are too! We’ve received a lot of questions about BlackBerry 10 recently, and while I’d love to answer all of them, I focused on the five questions that kept coming up.

Here’s a list of the top five questions for BlackBerry 10:

  • Question 1: How will BlackBerry 10 make our lives easier? What makes it more user-friendly?
    • Answer: I’m lucky enough to have had a lot of hands-on experience with a new BlackBerry 10 device. While it took a little getting used to, I quickly became its biggest fan. There are so many features that make using your smartphone easier; BlackBerry Hub and the peek feature are my new best friends!
  • Question 2: What is your favorite feature of BlackBerry 10?
    • Answer: I love that BlackBerry 10 is customizable enough for mobile techies, but simple enough for beginners. And BlackBerry Balance allows you to use your BlackBerry 10 device for both. It’s a smartphone you (and your IT manager) will love.
  • Question 3: Which BlackBerry device will be available?
    • Answer: We’ve shown many videos of the BlackBerry 10 touchscreen devices on the Inside BlackBerry Blog. While we love the touchscreen device, we know BlackBerry fans also love the physical QWERTY keyboard. Rest assured, we will have both versions available in the future. We’ll have more info available on January 30th.
  • Question 4: What is the one defining characteristic that truly sets BlackBerry 10 apart?
    • Answer: The reengineered operating system, or OS! As Thorsten Heins told the world: We went right back to the drawing board to create BlackBerry 10. BlackBerry 7 OS is a great operating system, but we wanted to bring our customers something brand new. And with BlackBerry 10, we have.
  • Question 5: What’s new in BlackBerry 10 that you haven’t told the media yet?
    • Answer: Oh, there are more features coming, believe me. And the best place to hear about everything BlackBerry 10 is right here on the Inside BlackBerry Blog.

What’s your burning question about BlackBerry 10? Let us know in the comments below and stay tuned for more answers!


Every BlackBerry 10 detail, update, and feature, as soon as it’s released: BlackBerry.com/BlackBerry10. Test out BlackBerry 10 features hands-on, watch exclusive video interviews with the minds behind BlackBerry 10, and receive product and carrier updates straight to your inbox. Sign up today!

Original Page: http://pocket.co/sG3uK


Inside BlackBerry

Updating Your BlackBerry Apps: Why It Matters

by Authors, blogs.blackberry.com

When you blog about BlackBerry devices, your family and friends automatically assume you’re a “tech guru” and know everything about every BlackBerry device ever created — not to mention how to program your grandparents’ VCR. You’re the person in the group who knows just a little more than everyone else, and now by default, you are the expert. That said, I do know a little something about BlackBerry apps.

A friend recently asked a question that prompted this post. He asked, “When should I update my apps, and when should I just ignore the ‘spark’ prompting me to update?” I answered, “As soon as possible!” Here’s why:

  • Updates may improve app and device stability. If your app is experiencing periodic “crashes” or issues with a feature, the developer may be aware of it and may have fixed it in an updated release. Staying current may just solve the issue you’re having.
  • Updates may improve app and device security. Keeping their apps secure is one of the most important things to a developer since their reputation may depend on it. By making sure your app is up to date, any new security issues may be identified and patched.
  • Updates may add exciting new features. App updates aren’t always “all work and no play” – updates may also contain new features you’ll find useful or even crucial to your usage.
  • Updates may improve app and device speed. There may be times where an app update simply increases the efficiency of an app or service, making the app run faster. Who wouldn’t benefit from some additional speed?
  • Updated apps may be the first step of a support call. In the event you have to connect with our support team, many times the first thing they ask you to do is to update the app or your BlackBerry smartphone OS; you might as well save the step before you call.

One last thing before you go running for your BlackBerry device to start downloading updates: Perform software updates over Wi-Fi whenever possible. Downloads will typically happen faster, and if you have a limit on your monthly data plan, you may save some room later in the month to download kitten pictures.

Do you update your apps when you see the spark? Share your reasons why or why not in the comments below.

Original Page: http://pocket.co/sG3uN


BlackBerry Enterprise Service 10 Now Available for Download


rim.com | Jan 23rd 2013

RIM’s New Multiplatform Enterprise Mobility Management Solution Makes Mobility Easy for Businesses

Waterloo, ON – Research In Motion (RIM) (NASDAQ: RIMM; TSX: RIM) today announced that its new Enterprise Mobility Management (EMM) solution, BlackBerry® Enterprise Service 10, is now available for download. BlackBerry Enterprise Service 10 re-invents RIM’s EMM by bringing together device management, industry leading security*, and mobile applications management for BlackBerry® smartphones, BlackBerry® PlayBook™ tablets, and new BlackBerry 10 smartphones in a consolidated solution. It also provides a single console for managing BlackBerry, Android™ and iOS® devices.

BlackBerry Enterprise Service 10 builds on more than a decade of RIM’s enterprise mobility management expertise and the most widely deployed mobility solution in enterprises today. BlackBerry Enterprise Service 10 offers mobile device management, mobile application management and secure mobile connectivity, and delivers a cost-efficient and reliable solution for business customers.

“BlackBerry Enterprise Service 10 empowers employees to be more productive and better equipped to serve customers while it provides business and IT leaders with the confidence that corporate data is protected and manageable in the same way they have long enjoyed with BlackBerry,” said Peter Devenyi, Senior Vice President, Enterprise Software, Research In Motion. “BlackBerry Enterprise Service 10 makes mobility easy for businesses to help keep them moving.”

Flexible Enterprise Mobility Management

BlackBerry Enterprise Service 10 gives organizations a highly scalable solution and the flexibility to manage their mobile deployment as needed. It supports both corporate-owned and personal-owned (BYOD – Bring Your Own Device) device deployments and mixed environments of BlackBerry and other devices, providing mobile device management, mobile application management, and secure access to corporate data. It includes an intuitive, unified, web-based administration console to manage devices and users. It also supports BlackBerry® Balance™ technology, which elegantly separates and secures work applications and data from personal content on BlackBerry devices. BlackBerry Enterprise Service 10 is built on the same security and connectivity model for BlackBerry 10 smartphones that enterprise customers have always trusted and relied upon with BlackBerry® Enterprise Server.

Key Features for BlackBerry 10 smartphones with BlackBerry Enterprise Service 10

• Support for secure separation of work and personal applications and data on BlackBerry 10 smartphones through BlackBerry Balance technology.

• Support for seamless and secure access to work email, content and secure connectivity to “behind the firewall” applications and data.

• BlackBerry® World™ for Work, the new corporate app storefront for BlackBerry 10 smartphones that allows organizations to easily manage apps for employees. Administrators can push and install the organization’s mandatory apps to both corporate and personal-owned devices and publish recommended apps to employees.

• Rich management controls for securing and managing work profiles including hierarchical group management with Active Directory integration, support for customizable administrative roles with granular capabilities, an intuitive enterprise enrollment process for employees that offers a self-service console, and centralized control of assignable profiles for email, SCEP, Wi-Fi®, VPN and proxy servers.

What Customers Are Saying

“The BlackBerry solution has been meeting our enterprise mobility needs for 10 years and it’s been incredibly exciting to be among the first UK customers to try out BlackBerry 10,” said Craig Allcock, Head of Networks, Group Technology, The Co-operative Group. “The re-designed UI is excellent, providing a smooth experience which enables you to seamlessly switch between applications and content across both the personal and work profiles. We’re confident that BlackBerry 10 smartphones and the new BlackBerry Enterprise Service 10 will enable us to both anticipate and meet the existing and future enterprise mobility needs of our individual employees.”

“We’ve been testing BlackBerry 10 and BlackBerry Enterprise Service 10 in our environment and we’re pleased with the manageability, security and reliability that the solution offers, along with expanded management capabilities to other devices within our network,” said Peter E. Lesser, Director of Global Technology, Skadden, Arps, Slate, Meagher & Flom LLP. “BlackBerry has been a trusted partner of ours for many years, and we’re excited to implement BlackBerry Enterprise Service 10 in our organization.”

What Industry Analysts Are Saying

“BlackBerry Enterprise Service 10 brings some important technology, cost and operational improvements to existing BlackBerry customers,” said Nick McQuire, Research Director Mobile Enterprise Strategies EMEA for IDC. “We believe RIM is poised to capitalize on its strong history in delivering reliable, scalable and secure mobile enterprise management solutions to help organizations address an increasingly diverse mobile environment.”

“Companies require maximum flexibility and diversity in mobile deployments,” said Jack Gold, principal analyst of J.Gold Associates, LLC. “Products that manage multiple platforms, while at the same time enabling the segregation of personal and corporate data, represent an optimum solution by offering the lowest total cost of ownership, most end-user friendly, and highest security approach to enterprise mobility.”

Availability

The BlackBerry Enterprise Service 10 software as well as a limited sixty (60) day free trial (includes client access licenses) is available to be ordered here.

Through the BlackBerry 10 Ready Program, existing customers can take advantage of the free license trade up program at www.blackberry.com/licensetradeup, which is available until December 31, 2013.**

* BlackBerry Enterprise Service 10 has been FIPS 140-2 certified.

** Terms and conditions apply.

About Research In Motion

Research In Motion (RIM), a global leader in wireless innovation, revolutionized the mobile industry with the introduction of the BlackBerry® solution in 1999. Today, BlackBerry® products and services are used by millions of customers around the world to stay connected to the people and content that matter most throughout their day. Founded in 1984 and based in Waterloo, Ontario, RIM operates offices in North America, Europe, Asia Pacific and Latin America. RIM is listed on the NASDAQ Stock Market (NASDAQ: RIMM) and the Toronto Stock Exchange (TSX: RIM). For more information, visit www.rim.com or www.blackberry.com.

###

Forward-looking statements in this news release are made pursuant to the "safe harbor" provisions of the U.S. Private Securities Litigation Reform Act of 1995 and applicable Canadian securities laws. When used herein, words such as "expect", "anticipate", "estimate",  "may",  "will", "should", "intend," "believe", and similar expressions, are intended to identify forward-looking statements. Forward-looking statements are based on estimates and assumptions made by RIM in light of its experience and its perception of historical trends, current conditions and expected future developments, as well as other factors that RIM believes are appropriate in the circumstances. Many factors could cause RIM's actual results, performance or achievements to differ materially from those expressed or implied by the forward-looking statements, including those described in the "Risk Factors" section of RIM's Annual Information Form, which is included in its Annual Report on Form 40-F (copies of which filings may be obtained at www.sedar.com or www.sec.gov). These factors should be considered carefully, and readers should not place undue reliance on RIM's forward-looking statements. RIM has no intention and undertakes no obligation to update or revise any forward-looking statements, whether as a result of new information, future events or otherwise, except as required by law.

BlackBerry, RIM, Research In Motion and related trademarks, names and logos are the property of Research In Motion Limited and are registered and/or used in the U.S. and countries around the world. All other brands, names and marks are the property of their respective owners. RIM is not responsible for any third party products or services.

Original Page: http://pocket.co/sG3uR


Can new smartphones rekindle the BlackBerry fire? - Computerworld

Can new smartphones rekindle the BlackBerry fire?

by Matt Hamblen, m.computerworld.com
January 25th 2013 6:00 AM

Computerworld - "Not dead yet" could well be the new BlackBerry marketing theme, as the world prepares to hear about two new BlackBerry 10 smartphones to be announced next Wednesday.

Days before the announcement, there is fairly wide disagreement among analysts and developers over whether Research In Motion can stop the dramatic decline of its BlackBerry phones. The BlackBerry was the market leader until the iPhone was introduced in 2007 and Android phones after that. Its market share fell to 10% in 2010 and has dwindled to 5% today.

In advance of the event, specifications and photos have been widely leaked of the new touchscreen and qwerty-keyboard versions of BlackBerry smartphones, but RIM hasn't confirmed many of the details.

According to unconfirmed reports, the touchscreen version, dubbed the Z10, will have a 4.2-in. display, 1,280x768 resolution and 16GB of internal storage. It will also include a Snapdragon processor, an 8-megapixel rear camera and Near-Field Communications technology (useful for mobile payments). Moreover, the models available from Verizon Wireless will be able to run on 4G LTE cellular networks.

Less is known about the smaller qwerty version, known as the X10. With this model, RIM is acknowledging its loyal following of users, among 80 million overall globally, who prefer a physical keyboard.

RIM officials confirmed that thousands of prerelease BlackBerry 10 devices have been tested by corporations, which have been the mainstay of the company's customer base, even as BlackBerry's global market share has dwindled to 5%, according to Gartner. Meanwhile Android has captured 65% of the global smartphone market and the iPhone has about 21%.

Analysts who have tried the devices offered some promising predictions. "The new BB10 offers the best [user experience] on the market -- not perfect, but certainly a rival to the iPhone 5, with even greater performance," said Gartner analyst Phillip Redman in a blog post this week entitled "RIM begins its comeback year with BES 10 launch."

In an interview, Redman said that BB10 devices won't surpass Apple or Android devices, but, he added, "I think they will beat Windows Phone." Moreover, he predicted that RIM will "market this like nothing before, [with] much of the future of the company depending on the launch."

In contrast, Citigroup financial analyst Jim Suva reminded clients in a note that the pre-announcement optimism for BlackBerry 10 devices is not necessarily an indicator of how well the phones will sell.

"We remind investors that actual sell-through matters to determine the true financial impact that the new OS and hardware will have on the company's financials, especially in an increasingly competitive environment," Suva said.

Michael Mullany, CEO of Sencha, a company that is an HTML5 development partner of RIM on the BlackBerry 10 platform, remains optimistic. "We think BB 10 has a good shot at re-igniting RIM sales," he said.

In an interview, Mullany said the prerelease Z10 touchscreen model that developers have been testing offers "incredible performance for the browser inside -- it will be a market leader for HTML5."

RIM also said it has seen heavy developer interest in building apps for BlackBerry 10, with 15,000 apps published in the BlackBerry World app store in two days.

Previous browsers in BlackBerry smartphones have been a sore spot for RIM, and Mullany remarked that the BlackBerry Torch smartphone, which was released two years ago was a disappointment. "When we got the Torch," he recalled, "we scratched our heads and said, 'Are they serious?'"

But Mullany also said that RIM has not "irreparably harmed itself," because mobile consumers "have very short memories." He said the Z10 has impressive speeds for scrolling content and responds quickly to touches.

Mullany said he's not privy to RIM's plans to market the Z10 or X10, but he noted that RIM has faced difficulties in the past in trying to attract consumers to BlackBerry devices after years of serving the needs of working professionals and enterprise IT shops.

In recent years, RIM relied on rock star Bono and the hip-hop group Black Eyed Peas to promote the BlackBerry brand among consumers. But even stellar marketing could not correct a problematic product like the Torch.

"I feel this [Z10] is a very robust consumer device," Mullany said. "It's not a business-only device for sure. It will do well in the consumer and prosumer market."

Mullany said he foresees the user interface of the Z10 working well with professional sports apps favored by the male professionals who make up an important demographic for the BlackBerry. Major League Baseball said this week that it plans to bring its At Bat app to the BlackBerry 10 phones for the start of the 2013 season.

"This is a market-leading device that's as fast as iOS and with more features," Mullany said. "RIM's done a fantastic job of GPU [graphics processing unit] integration. On the HTML5 side, it's a great deployment platform for apps. "

Acceptance of the new BlackBerry 10 phones by consumers is hard to predict, but some enterprise users have come forward. Oliver Bussmann, CIO at business software maker SAP, said in an interview at the International CES trade show earlier this month that he had seen prerelease versions of the X10 qwerty phones. He said the phones will be appreciated by many of the 16,000 BlackBerry users at SAP who like a physical keyboard.

"SAP will continue to offer its employees choice via corporate-owned and personal devices across Android, iOS and BlackBerry platforms and that will include BB 10," Bussmann said via email. "We will test the BB 10 devices and make them available for internal usage soon."

Bussmann said it's important for enterprise IT to be open to BlackBerry 10 and other platforms. "It is imperative that IT decision-makers implement enterprise class apps that replicate the same kind of experience that consumers have become used to -- easy, intuitive and beautiful -- while also granting access from any device platform and adhering to security requirements," he said.

Overall, SAP supports about 50,000 smartphone and tablet users globally.

Enterprises are expected to be interested in a dual personality feature in the BlackBerry 10 operating system called BlackBerry Balance, analysts said. The Balance technology will allow two user profiles to exist separately on the same phone for work and personal data, but it will also allow a user to mingle emails from both profiles in a single stream.

The advantage will be that if an employee leaves a company, the IT shop can use the new BlackBerry Enterprise Service 10 software to wipe off all the mission-critical work data, leaving the user's personal data on the device.

BlackBerry Balance, and the fact that BES 10 allows management of Android and iOS as well as BlackBerry devices, will help "stem some of the flow of BES removals" by enterprises, Redman and other analysts said.

Still, the traditional features that RIM has focused on with enterprises, such as security and management capabilities for IT, are expected to take a back seat to the user interface, browser and overall product appeal of the new phones.

"RIM has a lot riding on next week's announcements -- maybe the future of the company," Redman said. "It will be an interesting year ahead."

Matt Hamblen covers mobile and wireless, smartphones and other handhelds, and wireless networking for Computerworld. Follow Matt on Twitter at @matthamblen, or subscribe to Matt's RSS feed. His email address is mhamblen@computerworld.com.

See more by Matt Hamblen on Computerworld.com.

Read more about Smartphones in Computerworld's Smartphones Topic Center.

Original Page: http://pocket.co/sG3ut


Anonymous hits US government site, threatens release of secrets - Computerworld

Anonymous hits US government site, threatens release of secrets

by Martyn Williams, m.computerworld.com
January 26th 2013 7:36 PM

IDG News Service - Hackers working under the name of the Anonymous hacktivist collective hit a U.S. government website on Saturday, replacing its home page with a 1,340-word text detailing its frustrations with the way the American legal system works and a threat to release "secrets" gathered from U.S. government websites.

The website of the U.S. Sentencing Commission, which establishes sentencing policies for the federal court system, was offline for much of Saturday as a result of the attack.

"This morning's cyber attack on the Commission's website www.ussc.gov brought it down temporarily, but the site now has been restored," the commission said in a brief statement issued on Saturday evening. "The Commission's publications, training materials, and federal sentencing statistics are again readily accessible to visitors to the site."

The site and timing of the attack was not random, according to the message that replaced the home page before it was taken offline.

"Two weeks ago today, a line was crossed," the message read. "Two weeks ago today, Aaron Swartz was killed. Killed because he faced an impossible choice. Killed because he was forced into playing a game he could not win -- a twisted and distorted perversion of justice -- a game where the only winning move was not to play."

Swartz committed suicide in New York on Jan. 11, apparently over an upcoming trial on computer intrusion, wire fraud and data theft charges that carried a maximum penalty of 35 years in jail. The charges stem from allegations that Swartz stole millions of scholarly articles and documents from the JSTOR database with the intention of making them available online at no charge.

His suicide sparked outrage among the hacktivist community, much of which blamed the prosecution of the case and potential penalties he faced as directly contributing to his death.

"This website was chosen due to the symbolic nature of its purpose -- the federal sentencing guidelines which enable prosecutors to cheat citizens of their constitutionally guaranteed right to a fair trial, by a jury of their peers -- the federal sentencing guidelines which are in clear violation of the 8th amendment protection against cruel and unusual punishments," the message on the hacked website read.

The message went on to say that the group had infiltrated numerous U.S. government websites and gathered material it judged would be embarrassing if released.

"We have enough fissile material for multiple warheads. Today we are launching the first of these. Operation Last Resort has begun..."

The message didn't reveal the nature of the "secrets," but the hackers made available on the site a multi-part encrypted file that was said to contain them. It's impossible to determine what's actually in the files, which were named for judges on the U.S. Supreme Court.

The message went on to demand a number of reforms to the U.S. legal system.

Original Page: http://pocket.co/sG3Ku


Another critical Java vulnerability puts 1 billion users at risk | Computerworld Blogs

Another critical Java vulnerability puts 1 billion users at risk

blogs.computerworld.com | Oct 16th 2012

Just as Oracle is ramping up for the September 30 start of JavaOne 2012 in San Francisco, researchers from the Polish firm Security Explorations disclosed yet another critical Java vulnerability that might “spoil the taste of Larry Ellison's morning…Java.”

If you disabled Java when the last zero-day exploit was spotted in the wild, then you might consider doing so again . . . or dumping Java altogether? According to Security Explorations researcher Adam Gowdiak, who sent the email to the Full Disclosure Seclist, this Java exploit affects “one billion users of Oracle Java SE software.”

Appalled to learn that Oracle/Java has another huge critical hole, I reached out to Adam Gowdiak in an email interview.

Interview with Security Explorations' CEO Adam Gowdiak:

I wanted to clarify that this is yet another new critical Java zero-day that places one billion users at risk (again)?

Gowdiak: That's right. This is a completely new issue (announced today). It has, however, a bigger impact than any previous issue we found as part of our Java security research project, as it affects Java 5, 6 and 7. Most of our previous findings were primarily affecting Java version 7.

Unlike the last critical security flaw that Oracle just patched on August 30, this critical Java bug affects all the newest versions of Java since the last patch?

Gowdiak: That's right.

If you have the Java plugin and use any of these browsers, Chrome, Firefox, Internet Explorer, Opera and Safari then you are vulnerable?

Gowdiak: Yes. We tested the latest web browsers with the latest Java SE software.

This is Security Explorations' 50th Java bug discovery? (Issue 50 states: This proof-of-concept is a “complete Java security sandbox bypass.”)

Gowdiak: Yes. We found a total of 50 issues in various Java SE implementations:

  • 31 issues reported to Oracle (17 different complete sandbox bypass exploits)
  • 2 Issues reported to Apple (1 complete sandbox bypass exploit)
  • 17 issues reported to IBM (10 different complete sandbox bypass exploits).

You see the timeline of reporting them here: http://www.security-explorations.com/en/SE-2012-01-status.html

So what did Oracle reply to you?

Gowdiak: We haven't heard from them yet.

Softpedia stated, 'The researchers have confirmed that Java SE 5 – Update 22, Java SE 6 – Update 35, and Java SE 7 Update 7 running on fully patched Windows 7 32-bit operating systems are susceptible to the attack.' Does that imply that fully patched Windows 7 64-bit systems are not vulnerable to the attack? Is it only Windows 7?

Gowdiak: No. It's gonna be Windows 7 32-bit as well as 64-bit. We simply did our test on Windows 7 32-bit. But it does not matter, because all operating systems supported by Oracle Java SE (such as Windows, Linux, Solaris, MacOS) are vulnerable as long as they have Java 5, 6 or 7 installed and enabled.

You disclosed that the bug allows attackers to violate a fundamental security constraint of a Java Virtual Machine (type safety). What could an attacker do by exploiting newest Java vulnerability?

Gowdiak: A malicious Java applet or application exploiting this new issue could run unrestricted in the context of a target Java process such as a web browser application. An attacker could then install programs, view, change, or delete data with the privileges of a logged-on user.

What security advice do you have for the one billion Java users at risk?

Gowdiak: Taking into account the risk posed by the bug uncovered, it is best to disable the Java Plugin in the web browser and wait for the patches from Oracle. There are still 3 weeks till the scheduled Java Oct CPU [Critical Patch Update].

To recap, this Java bug is even worse than the last critical Java vulnerability. It puts one billion users of Oracle’s Java SE, Java 5, 6 and 7, at risk. It could be exploited using these browsers: Chrome, Firefox, Internet Explorer, Opera and Safari. If you visit a maliciously crafted website, attackers could gain total control of your PC. Wow, thanks a lot Oracle.

Original Page: http://pocket.co/sG3KI


Year in review: Most popular 'Security Is Sexy’ posts of 2012 | Computerworld Blogs

Year in review: Most popular 'Security Is Sexy’ posts of 2012

blogs.computerworld.com | Jan 29th 2013 1:00 PM

2012 was another year of heavy hacking and data dumping, giving headaches to security professionals and intelligence agencies alike. Yet just as important were the spy-and-pry privacy and civil liberties concerns that those leaks revealed to We the People. Here are a half dozen of the most popular posts on Security Is Sexy, highlighting those security and privacy topics.

#6: Shocker: NSA Chief denies Total Information Awareness spying on Americans

NSA expert James Bamford said, "In secret listening rooms nationwide, NSA software examines every email, phone call, and tweet as they zip by. Everybody's a target; everybody with communication is a target." Then former NSA senior official William Binney "held his thumb and forefinger close together: 'We are that far from a turnkey totalitarian state.'" These revelations freaked out some Congressmen who asked NSA Chief General Keith Alexander if this were true. Alexander denied it; in fact, he answered 'no' 14 times during the Congressional probe.

Yet Bamford insisted, "The NSA has turned its surveillance apparatus on the U.S. and its citizens....The agency has begun building a place to store all the trillions of words and thoughts and whispers captured in its electronic net. And, of course, it's all being done in secret."

A few months later, Binney said the NSA has dossiers on nearly every U.S. citizen. So during the keynote at Def Con, Dark Tangent, aka Jeff Moss, asked Alexander if this domestic spying and dossiers on every American were true. Alexander denied that too; both Binney and Bamford said the NSA Chief is playing word games as the super-secret agency may have missed a few Americans.

#5: 4chan & Anonymous target director of Smiley Halloween horror movie

When director Michael Gallagher chose to make 4chan / Anonymous the villain in the micro-budget slasher flick Smiley, he was on the receiving end of “life-imitates-art.” Gallagher supposedly went to the FBI for help after being bombarded with about 40 harassing calls per minute as well as voicemail, email and text death threats. The moral of this story may point back to an old adage: Never tick off a hacker, let alone be unwise enough to infuriate hordes of hackers.

#4: AntiSec leaks Symantec PCAnywhere source code after $50k extortion not paid

The feds posed as Symantec employees as a part of a sting operation regarding the stolen and ransomed PCAnywhere source code. If you followed the allegations that Symantec’s PCAnywhere code had been compromised, then you might have suffered whiplash from the drastically changing ‘official’ story put out by Symantec.

At first, the dreaded ‘third party’ was blamed for the "segment of its source code" in the hands of YamaTough and AntiSec hackers who tried to extort $50,000 not to leak it. But then, Symantec backtracked and admitted its network was hacked and its source code was jacked. People using Norton security, antivirus or PCAnywhere products were at "a slightly increased security risk." A week later, the company advised disabling the product until patched. The ping pong pile up of company advice morphed yet again and gave the thumbs-up, all-clear sign that the patched PCAnywhere was safe to use.

#3: Brute force tools crack Wi-Fi security in hours, millions of wireless routers vulnerable

Poor design head-butted with poor implementation when a 'security strength' turned out to be a huge weakness, leaving millions of business and home wireless routers vulnerable to brute force attacks. The irony is that Wi-Fi Protected Setup (WPS) is enabled by default on most major brands of wireless routers to help the technically clueless set up encryption on their wireless networks. Security researcher Stefan Viehböck reported that Belkin, Buffalo, D-Link, Cisco's Linksys, Netgear and other wireless routers were vulnerable to brute force attacks which could crack the Wi-Fi router's security in two to ten hours.

After the exploit went public, US-CERT issued this advisory, “We are currently unaware of a practical solution to this problem." The recommended workaround was to disable WPS. "Within the wireless router's configuration menu, disable the external registrar feature of Wi-Fi Protected Setup (WPS). Depending on the vendor, this may be labeled as external registrar, router PIN, or Wi-Fi Protected Setup."

#2: Another critical Java vulnerability puts 1 billion users at risk

Several zero-day exploits targeting Java were spotted in the wild during 2012, causing severe headaches and hassles for IT and home users alike. It was so dangerous that security experts advised people to disable Java. Although Oracle eventually patched the critical hole, immediately afterwards Security Explorations researcher Adam Gowdiak disclosed another Java bug that was worse than the first. It put “one billion users” of Oracle Java SE software, Java 5, 6 and 7, at risk. It could be exploited using Chrome, Firefox, Internet Explorer, Opera and Safari web browsers. If users visited maliciously crafted webpages, "attackers could then install programs, view, change, or delete data with the privileges of a logged-on user."

#1: Hacked memo leaked: Apple, Nokia, RIM supply backdoors for gov’t intercept?

Related to YamaTough and the Lords of Dharmaraja AntiSec hackers who ransomed the Symantec source code, the group claimed to have hacked an Indian military intelligence network. They then leaked a memo which revealed that RIM, Nokia, and Apple mobile device manufacturers "agreed to provide backdoor access on their devices" for the government. Security and privacy researcher Christopher Soghoian added that Microsoft is just as evil when it comes to providing “intercept backdoors” for law enforcement and government agencies. Yet Soghoian also suggested, "Instead of worrying about hackers getting access to 5+ year old Norton code we should worry about what NSA/US Military does with recent code."

At the time, cybersecurity guru Bruce Schneier said 'bad press' was more of a worry for Symantec than exposed source code. However, Schneier added, "The source code might have huge smoking guns." Some of those smoking guns allegedly pointed to former CIA, U.S. law enforcement and other intelligence agencies.

You may hear the media claim that We the People don’t care about electronic privacy, but don’t believe it. Instead, think back to defeating SOPA/PIPA and what we can accomplish when we unite under a common civil liberties banner. If law enforcement, intelligence agencies and even businesses don’t tighten their hatches after all the 2012 hacks and leaks, then the forecast for 2013 might be another cluster year which NATO calls ‘Charlie Foxtrot’ and the military calls a ‘SNAFU’ or ‘FUBAR.’

Original Page: http://pocket.co/sG3Wm

Shared from Pocket

^ed

Saturday, 26 January 2013

Your printer is spying on your network !? | Security on steroids

by John Barrett, cleanbytes.net
January 8th 2012

Ang Cui, a researcher on embedded devices, demonstrated at this year's Chaos Communication Congress (28C3) that it is possible to embed malware in HP printer firmware using the RFU mechanism, a presentation of extraordinary importance for any corporate or small network, since printers are ubiquitous in any office. RFU stands for Remote Firmware Update and is an important feature meant to keep printers performing well and secure, much like the update feature of your operating system or antivirus. Because the operating system in a printer is much simpler than Windows, for example, it runs from ROM (read-only memory), as in a smartphone or, say, an electronic washing machine, so a firmware update is in fact a ROM flash. As for the embedded operating systems running in printers, some run LynxOS and some run VxWorks (on ARM processors), developed by Wind River Systems and also used by NASA for its space programs (see spaceships)!

Ang Cui reverse engineered the RFU file format and, since no digital signatures are used and no encryption either (only compression), he was able to modify the file and embed malware into it. He even automated the process, releasing a tool called HPacker for unpacking and packing RFU files. His presentation at 28C3 goes further by embedding in the RFU file an advanced VxWorks rootkit, 3 KB in size, written in ARM assembly, with the ability to communicate over the Internet, perform LAN port scanning, and intercept, monitor and send print jobs to a specified IP address, acting as a true spy in the local network. It was even able to bypass firewalls using a reverse-proxy capability and to spread itself through the network, so we can classify it as a printer worm. Obviously this worm was able to compromise the printer and the entire local network of which the printer was a part.

The scary thing in this story is how this remote firmware update vulnerability can be triggered simply by sending a specially crafted document to the printer. This makes use of the LPR (Line Printer Remote) firmware update mechanism. Since LPR/RAW printing has no authentication mechanism, a PJL (Printer Job Language) command can be embedded in PostScript, causing the printer firmware to be updated with a maliciously modified RFU file. It is worth mentioning that several years back, the Stuxnet computer worm abused printing subsystems to spread itself in corporate networks.

The conclusions of Ang Cui on RFU files are summarized below:

  • A specific version of the compression library has a known arbitrary code execution vulnerability.
  • No memory space separation.
  • No kernel-level security.
  • Everything runs in supervisor mode on the CPU.
  • Any vulnerability in any (unprivileged) code will lead to full compromise.

The attack vectors against a printer are:

  • active — when somebody connects directly to a printer on TCP port 9100 (JetDirect, a technology developed by Hewlett-Packard that allows printers to be attached directly to a local area network);
  • reflexive — by embedding a malicious RFU in a document and sending it for printing.

Using a vulnerability scanner, it was revealed that 76,995 printers worldwide are still vulnerable to this type of attack. What can be done in these circumstances for our defense (according to Ang Cui)?

  • Disable RFU Updates (possible, but not on all models)
  • Apply ACL, passwords (use Web JetAdmin)
  • Filter print-job content on print-server
  • Isolate printers from sensitive networks
  • Use a firewall for your network
  • Update the firmware immediately (to patch this vulnerability)
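One way to implement the "filter print-job content on print-server" item from the list above, as an added example that is not code from Ang Cui's talk or from HP: a print server sitting in front of port 9100 / LPR scans every job for PJL commands and refuses any that carries the PJL UPGRADE command HP's RFU files use (or any other device-management command) before the printer ever sees it. The allow/deny lists, the policy choices and the two sample jobs are constructed for this example.

```python
"""Print-server filter for PJL firmware-update commands inside print jobs.

Added example (not Ang Cui's or HP's code). HP RFU files are delivered as a
print job carrying a PJL UPGRADE command, so refusing that command at the
print server blocks the reflexive vector (malicious RFU hidden in a
document) as well as a direct submission. Lists and samples are constructed.
"""
import re
from typing import Dict, List

UEL = b"\x1b%-12345X"        # Universal Exit Language: introduces a PJL block

# PJL commands an ordinary print job is expected to carry (policy, assumed here).
ALLOWED_PJL = {"COMMENT", "JOB", "EOJ", "SET", "ENTER", "ECHO"}
# Commands that rewrite firmware, the on-board file system or device defaults.
BLOCKED_PJL = {"UPGRADE", "FSDOWNLOAD", "FSAPPEND", "FSDELETE", "FSINIT",
               "FSMKDIR", "DEFAULT", "INITIALIZE"}

# Match "@PJL <KEYWORD>" anywhere in the stream, not just in the leading
# header: the reflexive vector hides the PJL block inside a normal-looking job.
PJL_CMD = re.compile(rb"@PJL\s+([A-Za-z]+)")


def pjl_commands(job: bytes) -> List[str]:
    """Every PJL command keyword in the job, in order of appearance."""
    return [m.group(1).decode("ascii").upper() for m in PJL_CMD.finditer(job)]


def inspect_job(job: bytes, strict: bool = True) -> Dict[str, object]:
    """Decide whether a job may be forwarded to the printer.
    strict=True also rejects PJL commands that are merely unexpected, and
    jobs that re-enter PJL more often than a normal job does."""
    cmds = pjl_commands(job)
    blocked = sorted({c for c in cmds if c in BLOCKED_PJL})
    unknown = sorted({c for c in cmds if c not in ALLOWED_PJL | BLOCKED_PJL})
    # A normal job uses at most three UELs: to open PJL, to come back for
    # EOJ after the page data, and to close. More than that means the
    # sender re-entered PJL in the middle of the job.
    reentered = job.count(UEL) > 3
    verdict = "reject" if blocked or (strict and (unknown or reentered)) else "allow"
    return {"commands": cmds, "blocked": blocked, "unknown": unknown,
            "reentered_pjl": reentered, "verdict": verdict}


# --- constructed sample jobs ------------------------------------------------
PS_BODY = (b"%!PS-Adobe-3.0\n/Helvetica findfont 12 scalefont setfont\n"
           b"72 700 moveto (Quarterly report) show showpage\n")

BENIGN_JOB = (UEL + b'@PJL JOB NAME="report"\r\n@PJL SET COPIES=1\r\n'
              b"@PJL ENTER LANGUAGE=POSTSCRIPT\r\n" + PS_BODY
              + UEL + b"@PJL EOJ\r\n" + UEL)

# Same shape as a normal job, but the trailer carries an UPGRADE command
# followed by what would be the firmware image (placeholder bytes here).
MALICIOUS_JOB = (UEL + b"@PJL ENTER LANGUAGE=POSTSCRIPT\r\n" + PS_BODY
                 + UEL + b"@PJL UPGRADE SIZE=28\r\n"
                 + b"<placeholder-firmware-image>" + UEL)

if __name__ == "__main__":
    for name, job in (("benign", BENIGN_JOB), ("malicious", MALICIOUS_JOB)):
        print(name, inspect_job(job))
```

Scanning the whole byte stream rather than only the job header is what makes this catch the reflexive case; a text string containing "@PJL" inside the PostScript body will trip strict mode, which is the safer failure.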

HP states that only printers shipped prior to 2009 are vulnerable to this type of attack, because newer ones use digital signatures for their RFU files and more secure drivers. HP released a firmware update to patch this vulnerability on Dec 23, 2011.

It's a bit strange what HP announced on Nov. 29, 2011: that the speculation about a firmware update causing some HP printers to catch fire was false. In fact the issue was about unauthorized access inside a network using a printer vulnerability, not about printers in flames. Still, it is important that they addressed the issue very quickly; this article should not create panic, because in the real world nobody has reported unauthorized access inside a network using this vulnerability.

Sources:

Original Page: http://pocket.co/sG3WZ


Pwning printers: Backdoor in Samsung printers via hard-coded admin account

by Darlene Storm, m.blogs.computerworld.com

Do you have antivirus or malware protection for your printer? Is your printer behind the firewall? Did you change the printer’s default administrative password? Your network is only as secure as its weakest link and most “new” printers have a hard drive, a web interface, email capabilities and are connected to the Internet which makes any device much more exploitable by a remote attacker. A hacker could potentially transmit fake print jobs or faxes, change a printer’s settings, gain access to sensitive documents sent to the printer for espionage or identity theft, eavesdrop on network traffic to spy on you, or even launch a denial of service attack to make it inaccessible and damage the hardware.

Although ReadWrite suggested a tech nightmare would be when “your 3D printer starts making copies of itself; which start making copies of themselves,” not everyone is fortunate enough to own a 3D printer. Most businesses and homes do have a regular printer, but do not remember to patch it. Hacking a person via the printer is often viewed as a geeky urban legend, a prank or a hoax, yet experts claim the threat is real regarding laser printers and digital photocopiers, so much so that pwning a printer might be considered a “pot of gold.”

The latest printer backdoor vulnerability could allow an attacker to take control of a Samsung printer, as well as some Dell printers manufactured by Samsung, that were released before October 31, 2012. These printers have a hardcoded Simple Network Management Protocol (SNMP) account programmed into the firmware that has “full read-write community string that remains active even when SNMP is disabled in the printer management utility.” SNMP allows administrators to manage connected devices like routers, servers, switches, workstations, and printers. According to US Computer Emergency Response Team (US-CERT):

"A remote, unauthenticated attacker could access an affected device with administrative privileges. Secondary impacts include: the ability to make changes to the device configuration, access to sensitive information (e.g., device and network information, credentials, and information passed to the printer), and the ability to leverage further attacks through arbitrary code execution."

Although Samsung plans to release a patch tool before the end of 2012, how many admins or home users will actually patch the hole?
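Because the hard-coded community string stays active even when SNMP is "disabled" in the printer's management utility, the wire is the one place a defender can still see it being used. As an added example (not code from Samsung, US-CERT or the article), the following minimal SNMP v1/v2c header parser pulls the version, community string and PDU type out of each datagram to UDP/161, and an audit flags any SNMP reaching a printer that is supposed to have SNMP off, any community string outside the approved set, and any SetRequest. The addresses, community strings and sample traffic are constructed.

```python
"""Detect unexpected SNMP traffic to printers (added example; not Samsung's,
US-CERT's or the article's code). Only the v1/v2c message header is parsed:
SEQUENCE { INTEGER version, OCTET STRING community, PDU }. Addresses and
community strings below are constructed."""
from typing import Dict, List, Tuple

SNMP_PORT = 161
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest"}


def _tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one BER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_header(packet: bytes) -> Dict[str, object]:
    """Version (0 = v1, 1 = v2c), community string and PDU type of a message."""
    tag, msg, _ = _tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    vtag, ver, pos = _tlv(msg, 0)
    ctag, community, pos = _tlv(msg, pos)
    if vtag != 0x02 or ctag != 0x04:
        raise ValueError("unexpected header layout")
    pdu_tag, _, _ = _tlv(msg, pos)
    return {"version": int.from_bytes(ver, "big"),
            "community": community.decode("latin-1"),
            "pdu": PDU_NAMES.get(pdu_tag, "0x%02x" % pdu_tag)}


def audit_snmp(packets, printers, approved_communities) -> List[str]:
    """packets: iterable of (src_ip, dst_ip, dst_port, udp_payload)."""
    alerts = []
    for src, dst, port, payload in packets:
        if port != SNMP_PORT:
            continue
        try:
            h = parse_snmp_header(payload)
        except (ValueError, IndexError):
            alerts.append(f"{src}->{dst}: malformed SNMP datagram")
            continue
        tag = f"{src}->{dst} {h['pdu']} community={h['community']!r}"
        if dst in printers:      # SNMP was turned off on these in the web UI
            alerts.append(f"{tag}: SNMP to printer that should have SNMP disabled")
        if h["community"] not in approved_communities:
            alerts.append(f"{tag}: community string not in approved set")
        if h["pdu"] == "SetRequest":
            alerts.append(f"{tag}: write attempt")
    return alerts


# --- constructed sample traffic -------------------------------------------
def _enc(tag: int, content: bytes) -> bytes:
    assert len(content) < 128               # short-form length suffices here
    return bytes([tag, len(content)]) + content


def build_snmp(community: str, pdu_tag: int,
               oid: bytes = b"\x2b\x06\x01\x02\x01\x01\x01\x00") -> bytes:
    """v2c request for one OID (default sysDescr.0) with a NULL value."""
    varbind = _enc(0x30, _enc(0x06, oid) + _enc(0x05, b""))
    pdu = _enc(pdu_tag, _enc(0x02, b"\x01") + _enc(0x02, b"\x00")
               + _enc(0x02, b"\x00") + _enc(0x30, varbind))
    return _enc(0x30, _enc(0x02, b"\x01") + _enc(0x04, community.encode()) + pdu)


PRINTERS = {"10.0.5.20"}                    # printer with SNMP "disabled"
APPROVED = {"nms-ro-2012"}                  # community the monitoring server uses
SAMPLE_TRAFFIC = [
    ("10.0.1.5", "10.0.0.1", 161, build_snmp("nms-ro-2012", 0xA0)),  # NMS polling a switch
    ("10.0.9.77", "10.0.5.20", 161, build_snmp("public", 0xA0)),     # default string to printer
    ("10.0.9.77", "10.0.5.20", 161, build_snmp("public", 0xA3)),     # write attempt to printer
    ("10.0.1.5", "10.0.0.1", 80, b"GET / HTTP/1.0\r\n\r\n"),          # not SNMP, ignored
]

if __name__ == "__main__":
    for alert in audit_snmp(SAMPLE_TRAFFIC, PRINTERS, APPROVED):
        print(alert)
```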

A year ago, researchers at Columbia University discovered security flaws in some Hewlett-Packard LaserJet printers, leaving “millions of businesses, consumers, and even government agencies” open to “a devastating hack attack” via their printers. The news was full of headlines about how a hacker on the other side of the globe could remotely take control of an HP printer and set it on fire. Not only could printers be destroyed, but an attacker might exploit it to propagate malware inside the firewall. “Print me if you dare” was presented at the Chaos Computing Congress (28c3) hacker conference.

HP was named in a class action lawsuit, then responded by releasing 56 firmware updates. Yet this summer, the same researchers said that only 1 - 2% of HP LaserJet printers had been patched, meaning one in four HP printers were still open to attack. That might be due to lax security or due to faulty firmware update functions. Columbia University professor Salvatore Stolfo told the Guardian that some of the vulnerabilities are in the Linux operating system used by some printers.

These include more than 100 known vulnerabilities in versions of the OpenSSL encryption protocols that – for example – could be used to turn them into "reconnaissance devices that operate behind corporate firewalls, spread malware to internal systems, and even exfiltrate printed documents outside of a protected site".

Drupal has a module that allows for generating printer-friendly versions of email, PDFs and webpages, but it is exploitable. Just last week, the National Cyber-Alert System released a US-CERT vulnerability summary about “Cross-site scripting (XSS) vulnerability in the Printer, email and PDF versions module 6.x-1.x before 6.x-1.15 and 7.x-1.x before 7.x-1.0 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, probably the PATH_INFO.”

A recent question submitted to Seclists asked if the security vulnerabilities in Oki CUPS printer drivers were "fixed" by the files being removed from the FTP server. This summer, Symantec reported that if a printer starts spitting out pages that are "garbage" and printed with gobbledygook, then that printer might be infected with a new worm called W32.Printlove. Microsoft released a security update and discussed the attack scenario to help "you assess the risk of this 'sort of wormable' issue in your environment." Then HP jumped into the ring to protect printers in the healthcare environment.

Codenomicon, the same security testing company that fuzzed to find vulnerabilities that an attacker could use to hack smart TVs, also fuzzed six network printers [PDF]. “All tested printers failed.” This indicated “that the test devices contain several potentially exploitable vulnerabilities. These vulnerabilities could provide attackers with a backdoor into the organization network, enabling data theft and further attacks from inside the network.”

Printer vulnerabilities exist, even if they do not make headlines. As "printer security, hidden hard disks and other terrifying tales" pointed out, the smarter a printer gets, the more vulnerable it is. You might be thinking, yes but who really hacks a printer? If you doubt that it happens, then you really need to read about “extra fun” pwning the printer on Security StackExchange, such as “attack an office printer” and how “you can have some serious fun playing with printers, photocopiers and other such devices - even UPSes.”

How should you protect yourself? Update firmware. Change the default password and the default SNMP if you can to add authentication and encryption. Windows Networking adds, "To prevent network eavesdropping of print jobs, use a printer or print server that encrypts connections to and from the PCs. You may find a proprietary solution or those that support the IEEE Standard 2600.” You can also have your network scanned for vulnerabilities.

Original Page: http://pocket.co/sG3WQ


(U//FOUO) DHS-FBI Bulletin: Indicators of Suspicious Chemical, Biological, and Radiological Activity | Public Intelligence

by Biological Warfare, publicintelligence.net
December 27th 2010

ROLL CALL RELEASE

(U//FOUO) Law enforcement and first responders may encounter chemical, biological, or radiological (CBR) related material or equipment at private residences, businesses, or other sites not normally associated with such activities. There are legitimate reasons for possessing such material or equipment, but in some cases their presence can indicate intent or capability to build CBR weapons, particularly when other suspicious circumstances exist.

(U//FOUO) Potential Indicators of Suspicious Activity: A single indicator of CBR activity may not be conclusive, but combinations of indicators, including those associated with other suspicious activity, warrant thorough and careful investigation. Law enforcement and first responders should be vigilant for suspicious activities and report them to a Joint Terrorism Task Force via a Suspicious Activity Report, or contact the nearest state and major urban area fusion center.

— (U//FOUO) Unusual or unpleasant odors, chemical fires, brightly colored stains, or corroded or rusted metal fixtures in apartments, hotel or motel rooms, self-storage units, or garages.
— (U//FOUO) Unexplained presence of equipment, containers, or material that could be used for radiation shielding or protection, such as lead, concrete, or steel.
— (U//FOUO) Unexplained presence of radiation detection or identification equipment.
— (U//FOUO) Damage to clothing, evidence of serious illness, or injuries such as burns, skin lesions, infections, or missing hands or fingers.
— (U//FOUO) Presence of potential precursors for biological agent production, such as castor beans or bacterial growth materials.
— (U//FOUO) Laboratory equipment such as Bunsen burners, microscopes, and scientific glassware; personal protective equipment such as masks, goggles, and gloves; household items such as plant seeds, strainers, coffee grinders, and filters; and common household chemicals such as acetone located together in places that are unusual, hidden, or disguised.
— (U//FOUO) An individual’s reluctance or inability to explain the presence of toxic chemicals, radioactive materials, biological organisms, or related equipment.
— (U//FOUO) Presence of CBR training manuals, such as The Mujahideen Poisons Handbook or The Anarchist Cookbook.
— (U//FOUO) Chemical containers discarded in dumpsters.
— (U//FOUO) Evidence of unexplained animal deaths.
— (U//FOUO) Security measures that appear inappropriate for the location they protect.

Original Page: http://pocket.co/sG3Dv


That's one way to deal with a security breach | Computerworld Blogs

by Sharky, m.blogs.computerworld.com

Head of plant engineering hires a maintenance superintendent from a pool of several candidates -- and he's not the best choice, reports a pilot fish who's in the loop.

"Within weeks, the new guy has established himself as a wingnut, making bad decisions and also proving to have an obnoxious personality," says fish. "In-plant scuttlebutt indicates the plant engineer has made a mistake."

And within a few months, that assessment proves true: Mr. Obnoxious manages to post a confidential document containing the salaries of his direct reports on a public share of the network.

It's soon spotted by some of the hourly workers, and word spreads like wildfire that the salaries of their supervisors are available in a convenient, easy-to-access form.

And for the next week there's plenty of snickering over exactly how much the company believes those supervisors are actually worth.

Finally upper management gets wind of the mess. What would they do about this misfit who just revealed confidential info?

"He was called in and told to be more careful," fish says. "Then the hourlies had their computer access revoked, except for a few who were tasked with maintaining preventative maintenance forms and the like.

"This adversely affected me as an intranet developer, because now email could no longer be used as a communication tool among the maintenance personnel.

"But at least the plant engineer didn't look foolish for having to fire his hand-picked subordinate."

Sharky never reveals your identity. So send me your true tale of IT life today at sharky@computerworld.com. You'll score a sharp Shark shirt if I use it. Add your comments below, and read some great old tales in the Sharkives.

The Best of Shark Tank includes more than 70 tales of IT woe submitted by you, our readers, since 1999. Which all goes to prove, conclusively, that hapless users and idiotic bosses are indeed worldwide phenomena. Free registration is all that's needed to download The Best of Shark Tank (PDF).

Original Page: http://pocket.co/sG3Dw


Psychological warfare in the name of security: Is DHS funding the decimation of privacy? | Computerworld Blogs

by Darlene Storm, m.blogs.computerworld.com

Since 9/11 and the “War on Terror” could America’s citizens be under a PSYOPS warfare attack made possible by grant money from the Department of Homeland Security’s Urban Areas Security Initiative (UASI)? After reading numerous different documents on Public Intelligence and adopting the feds’ favorite “connect the dots” theory, it seems the whole world may have been under a psychological warfare (PSYWAR) attack, also known as “Psy Ops, Political Warfare, ‘Hearts and Minds’ and propaganda." Here’s why it seems probable, but buckle your seatbelt as we are about to jump all over the place.

“We know that to defend the homeland, we must start by defending the hometown. We must defend our cities across America,” wrote Senator Tom Coburn in “Safety at Any Price: Assessing the Impact of Department of Homeland Security Spending in U.S. Cities” [PDF]. “The balancing act between liberty and security has been tenuous throughout the history of our nation, founded upon basic freedoms granted by our Creator and protected from government infringement within the Bill of Rights of our Constitution.” Sen. Coburn was talking about Homeland Security’s Urban Areas Security Initiative (UASI) grants when he said, “A new element has been added to this equation over the past decade that threatens to undermine both our liberty and security—excessive government spending and insurmountable debt.”

The American people recognize and understand the limits we face. They understand that we should never sacrifice all of our freedoms in the name of security.

While the senator's report focused on ridiculous $7.144 billion 'security' expenditures, one such recent example was when the New Jersey City's Office of Emergency Management & Homeland Security used $100,000 of UASI money to purchase "Eye in the Sky, a three-story high, mobile tower equipped with 360-degree views and streaming surveillance cameras to give police a bird's-eye view of high-crime areas." Although crime was used in that sentence, Sen. Coburn said UASI is a "risk-based program targeting security gaps" and is most often used under the guise of counterterrorism.

NYPD uses this same ‘Eye in the Sky’ but tossed in potentially using .50 caliber rifles for even more anti-terror capabilities as well as the use of drones. The EFF has put together an interactive drone map which shows where military, police and other organizations currently are authorized to fly drones. They are used to surveil “people of interest.”

Since everyone knows terrorists are stealthy skateboarders (yes sarcasm), New Jersey also spent $55,000 for a skateboard park surveillance system. San Antonio is spending $20 million for an elementary school surveillance project. Those rolled through my newsfeed just today. The ACLU has long warned about the surveillance society created by CCTV and more are installed each day in the USA despite the fact that surveillance “camera systems have little effect on crime rates.”

So hey, thought the government with money to burn, instead of just watching, let's find a new way and eavesdrop too, by installing microphones on public buses and iconic streetcars. What's more, the passenger conversations can be collected and stored. One example of the bus audio surveillance capabilities is that it can distill "clear conversations from the background noise of other voices, wind, traffic, windshield wipers and engines." Ashkan Soltani, an independent security consultant, told The Daily, "Given the resolution claims, it would be trivial to couple this system to something like facial or auditory recognition systems to allow identification of travelers. This technology is sadly indicative of a trend in increased surveillance by commercial and law enforcement entities, under the guise of improved safety."

“Government surveillance today manifests in many forms,” wrote the EFF. “Cloud communication, which centralizes massive amounts of data in one place, allows governments ‘one-stop access’ to our data and introduces complex new questions regarding who has jurisdiction over citizens’ personal information.” That’s not enough for the FBI which claims it needs back doors into everything to keep it from “going dark” in fight against terrorism.

The U.S. Department of Defense uses propaganda and counterpropaganda to influence “the opinions, emotions, attitudes, and behavior of hostile foreign groups in such a way as to support the achievement of national objectives.” However, according to a NATO technical report, “The emphasis of military operations is shifting more and more towards non-kinetic activities, such as Psychological Operations and Information Operations, which are geared towards influencing attitudes and behaviors of specific target audiences.”

In section 2.2.7 in the NATO report titled, “How to Improve your Aim: Measuring the Effectiveness of Activities that Influence Attitudes and Behaviors” [PDF], the “psychological objective all aim to affect attitudes and behaviors of a target population in a desired way. Attitudes and behaviors are key concepts in the planning and evaluation of influence activities. Attitudes are the perceptions and feelings of a target audience (for example the local population) towards a defined object (for example NATO troops or an adversary). Behaviors are the (potentially) observable patterns of actions among the target audience.” So NATO wrote that “knowing how to influence attitudes in a target audience increases the likelihood of being able to induce desired behaviors in that target audience.”

Before it was replaced with a new 'National Terror Alert' system, the DHS terrorist alert system of old never went below "yellow" for elevated risk. As we hear the same reasoning over and over again since 9/11, about why more public surveillance or backdoors into the web are needed to fight against terrorism in our homeland, and the endless lists of innocent behaviors regarded as "suspicious activity," what is that if not brainwashing with the fear factor? Isn’t that a form of psychological warfare to change the “hearts and minds” of Americans into accepting this as needed to 'keep us safe'?

FEMA & Department of Homeland Security Psyops Campaign (video)

The Institute for Economics and Peace Global Terrorism Index [PDF] says "North America is the least likely region to suffer from terrorism," yet still the USA adds more ways to 'spy' on us. While I surely hope all this surveillance made possible through DHS grants is not PSYOPS for us to 'willingly' give up more of our privacy, freedoms and civil liberties, it seems possible.

Original Page: http://pocket.co/sG3DE
