Posts Tagged ‘security’

Mobile novelties center around security, water resistance

March 4th, 2015

From wearables that can thwart facial recognition software to smartphones that can be doused in water without short-circuiting, DW’s Chris Cottrell presents a look at some of the highlights.

Walking around the sprawling halls of this year’s World Mobile Congress in Barcelona, visitors could not overlook the catchy slogans emblazoned on some companies’ towering stands.

“Tomorrow never waits,” read one. “In search of incredible,” read another.

The words highlighted the level of cutting-edge innovation on display here. From eyeglasses that can cloak a wearer’s identity from facial recognition software, to invisible layers of repolymerized molecules that make electronics water-resistant – the novelties varied in their levels of utility, but very few failed to impress. Here is a look at some of the highlights:

More smartphones for less money

It was also evident this year that major smartphone manufacturers were keen on expanding their foothold in emerging markets in parts of Africa, Asia and South America.

Internet companies and network providers around the world are working hard to entice more people in developing countries to invest in smartphones to access the Internet.

To increase the number of people online, companies like Facebook and Google have begun experimenting with novel ways to beam Internet signals to remote areas via hot air balloons or solar powered drones.

But as some industry experts noted here in Barcelona, oftentimes the price of a smartphone is more prohibitive than paying the phone or data bill. In response, a number of companies are offering a range of low-cost smartphones.

Lenovo, the Chinese manufacturer, will release a budget smartphone around September called the A7000. For approximately $169 (150 euros), customers will get a 64-bit, 1.5 GHz processor, a 5.5-inch HD display and 2 gigabytes of RAM.

Microsoft also has some less expensive models, notably the Lumia 435, 532 and 535, which respectively cost 69, 79 and 89 euros.

Microsoft’s Nokia phones are aimed at consumers who either cannot or do not want to spend more than 100 euros on a smartphone. The Nokia 215 and 225 are both low-end models that cost $29 and between $45 and $48.

“Those are our emerging markets Windows phones,” a company spokesman said.

And these aren’t the Nokia phones of yesteryear with the pixely green-and-black screens and the game Snake – these phones have Facebook installed right out of the box and allow the user to set up push notifications. (They do not, however, have WhatsApp.)

Acer also had two budget phones on display. The Liquid M220, which runs Windows and costs 79 euros, has half a gigabyte of RAM. The other model, the Z220, runs Android, costs 89 euros but has a full gigabyte of RAM.

Electronics that can get wet

Manufacturers, it seems, have resigned themselves to the fact that users occasionally drop their phones into puddles, toilets or spill all sorts of liquids on them. To protect their devices from short-circuiting, companies have begun making them water-resistant.

Sony, for instance, was showing off its Xperia M4 Aqua – in a glass display case full of water. The device is mechanically sealed, meaning the smartphone’s “innards” are protected by frontal and rear covers that are closed with gaskets to prevent water from entering.

Kazam, a British smartphone maker, had a similarly water-resistant model, the Tornado 455L.

But simply making the outside of a smartphone able to repel water wasn’t enough for one Belgian company. Europlasma, based in Oudenaarde, can apply a water-repellent plasma coating to every surface within an electronic device. That means water can get inside, but it won’t harm the phone’s processors.

The nano coating is achieved by adding electromagnetic energy to gas inside a special chamber designed to hold dozens of electronic devices – like a big, high-tech dishwasher. Inside the chamber, molecules break apart into negative and positive particles and repolymerize, sticking to the devices and leaving behind an invisibly thin residue between 50 and 500 nanometers thick. (That’s about 1/1,000 as thick as a human hair.) The effect is an object that repels water.

One company representative, Kristof Hoornaert, demonstrated with a tissue that Europlasma had coated with nanoparticles. When held under running water, the liquid just rolled off.

Privacy wearables

Security and privacy also seem to be growing concerns in consumers’ minds and there were a number of innovative solutions to address them.

Qualcomm’s new ultrasonic fingerprint sensor uses soundwaves to detect the grooves in your fingertips and works even if your hands are sweaty or dirty. The technology allows for a layer of glass or plastic between a user’s finger and the sensor, setting it apart from the iPhone 5 and 6, which require direct contact. A Qualcomm phone with the new technology will be released in the second half of this year, but a company spokesman declined to say which device that would be or what it would cost.

Researchers at AVG have begun tinkering with glasses that can thwart smartphone cameras’ facial recognition. Known as “privacy glasses,” it’s the next step in wearables that cloak one’s identity from automated facial recognition software. AVG’s prototype uses built-in infrared LEDs to confuse smartphone cameras and obscure the user’s face from automated recognition. The glasses are still in the concept phase.

“It’s not about being invisible to other people, it’s about keeping a level of privacy against automation,” said Michael McKinnon.


Warning over internet security flaw

March 4th, 2015

Millions of people may have been left vulnerable to hackers while surfing the web on Apple and Google devices, thanks to a newly discovered security flaw known as “FREAK attack”.

There is no evidence so far that any hackers have exploited the weakness, which companies are now moving to repair.

Researchers blame the problem on an old US government policy, abandoned over a decade ago, which required American software makers to use weaker security in encryption programs sold overseas due to national security concerns.

Many popular websites and some internet browsers continued to accept the weaker software, or can be tricked into using it, according to experts at several research institutions who reported their findings on Tuesday.

They said that could make it easier for hackers to break the encryption supposed to prevent digital eavesdropping when a visitor types sensitive information into a website.

About a third of all encrypted websites were vulnerable as of Tuesday, including sites operated by American Express, Groupon, Kohl’s, Marriott and some US government agencies, the researchers said.

University of Michigan computer scientist Zakir Durumeric said the vulnerability affects Apple web browsers and the browser built into Google’s Android software, but not Google’s Chrome browser or current browsers from Microsoft or Firefox-maker Mozilla.

Apple and Google both said they have created software updates to fix the “FREAK attack” flaw, which derives its name from an acronym of technical terms.

Apple said its fix will be available next week and Google said it has provided an update to device makers and wireless carriers.

A number of commercial website operators are also taking corrective action after being notified privately in recent weeks, said Matthew Green, a computer security researcher at Johns Hopkins University.

But some experts said the problem shows the danger of government policies that require any weakening of encryption code, even to help fight crime or threats to national security.

They warned those policies could inadvertently provide access to hackers.

“This was a policy decision made 20 years ago and it’s now coming back to bite us,” said Edward Felten, a professor of computer science and public affairs at Princeton, referring to the old restrictions on exporting encryption code.


Top 10 information security technologies listed

July 9th, 2014

Gartner recently highlighted the top ten technologies for information security and their implications for security organizations in 2014.

“Enterprises are dedicating increasing resources to security and risk. Nevertheless, attacks are increasing in frequency and sophistication. Advanced targeted attacks and security vulnerabilities in software only add to the headaches brought by the disruptiveness of the Nexus of Forces, which brings mobile, cloud, social, and big data together to deliver new business opportunities,” says Neil MacDonald, vice president and Gartner Fellow. “With the opportunities of the Nexus come risks. Security and risk leaders need to fully engage with the latest technology trends if they are to define, achieve, and maintain effective security and risk management programs that simultaneously enable business opportunities and manage risk.”

The top 10 technologies for information security are:

Cloud Access Security Brokers

Cloud access security brokers are on-premises or cloud-based security policy enforcement points placed between cloud services consumers and cloud services providers to interject enterprise security policies as the cloud-based resources are accessed. In many cases, initial adoption of cloud-based services has occurred outside the control of IT, and cloud access security brokers offer enterprises a way to gain visibility and control as their users access cloud resources.

Adaptive Access Control

Adaptive access control is a form of context-aware access control that acts to balance the level of trust against risk at the moment of access using some combination of trust elevation and other dynamic risk mitigation techniques. Context awareness means that access decisions reflect current conditions, and dynamic risk mitigation means that access can be safely allowed where otherwise it would have been blocked. Use of an adaptive access management architecture enables an enterprise to allow access from any device, anywhere, and allows for social ID access to a range of corporate assets with mixed risk profiles.

Pervasive Sandboxing (Content Detonation) and Inversion-of-Control Confirmation

Some attacks will inevitably bypass traditional blocking and prevention security protection mechanisms, in which case it is key to detect the intrusion in as short a time as possible to minimize the hacker’s ability to inflict damage or exfiltrate sensitive information. Many security platforms now include embedded capabilities to run (“detonate”) executables and content in virtual machines (VMs) and observe the VMs for indications of compromise. This capability is rapidly becoming a feature of a more-capable platform, not a stand-alone product or market. Once a potential incident has been detected, it needs to be confirmed by correlating indicators of compromise across different entities—for example, comparing what a network-based threat detection system sees in a sandboxed environment to what is being observed on actual endpoints in terms of processes, behaviors, registry entries and so on.

Endpoint Detection and Response Solutions

The endpoint detection and response market is an emerging market created to satisfy the need for continuous protection from advanced threats at endpoints (desktops, servers, tablets and laptops)—most notably significantly improved security monitoring, threat detection and incident response capabilities. These tools record numerous endpoint and network events and store this information in a centralized database. Analytics tools are then used to continually search the database to identify tasks that can improve the security state to deflect common attacks, to provide early identification of ongoing attacks (including insider threats), and to rapidly respond to those attacks. These tools also help with rapid investigation into the scope of attacks, and provide remediation capability.

Big Data Security Analytics at the Heart of Next-generation Security Platforms

Going forward, all effective security protection platforms will include domain-specific embedded analytics as a core capability. An enterprise’s continuous monitoring of all computing entities and layers will generate a greater volume, velocity, and variety of data than traditional security information and event management systems can effectively analyze. Gartner predicts that by 2020, 40% of enterprises will have established a “security data warehouse” for the storage of this monitoring data to support retrospective analysis. By storing and analyzing the data over time, and by incorporating context and including outside threat and community intelligence, patterns of “normal” can be established and data analytics can be used to identify when meaningful deviations from normal have occurred.

Machine-readable Threat Intelligence, Including Reputation Services

The ability to integrate with external context and intelligence feeds is a critical differentiator for next-generation security platforms. Third-party sources for machine-readable threat intelligence are growing in number and include a number of reputation feed alternatives. Reputation services offer a form of dynamic, real-time “trustability” rating that can be factored into security decisions. For example, user and device reputation as well as URL and internet protocol address reputation scoring can be used in end-user access decisions.

Containment and Isolation as a Foundational Security Strategy

In a world where signatures are increasingly ineffective in stopping attacks, an alternative strategy is to treat everything that is unknown as untrusted and isolate its handling and execution so that it cannot cause permanent damage to the system it is running on and cannot be used as a vector for attacks on other enterprise systems. Virtualization, isolation, abstraction, and remote presentation techniques can be used to create this containment so that, ideally, the end result is similar to using a separate “air-gapped” system to handle untrusted content and applications. Virtualization and containment strategies will become a common element of a defense-in-depth protection strategy for enterprise systems, reaching 20% adoption by 2016 from nearly no widespread adoption in 2014.

Software-defined Security

“Software defined” is about the capabilities enabled as we decouple and abstract infrastructure elements that were previously tightly coupled in our data centers: servers, storage, networking, security, and so on. Like networking, compute, and storage, the impact on security will be transformational. Software-defined security doesn’t mean that some dedicated security hardware isn’t still needed—it is. However, like software-defined networking, the value and intelligence moves into software.

Interactive Application Security Testing

Interactive application security testing (IAST) combines static application security testing (SAST) and dynamic application security testing (DAST) techniques. This aims to provide increased accuracy of application security testing through the interaction of the SAST and DAST techniques. IAST brings the best of SAST and DAST into a single solution. This approach makes it possible to confirm or disprove the exploitability of the detected vulnerability and determine its point of origin in the application code.

Security Gateways, Brokers, and Firewalls to Deal with the Internet of Things

Enterprises, especially those in asset-intensive industries like manufacturing or utilities, have operational technology (OT) systems provided by equipment manufacturers that are moving from proprietary communications and networks to standards-based, internet protocol-based technologies. More enterprise assets are being automated by OT systems based on commercial software products. The end result is that these embedded software assets need to be managed, secured, and provisioned appropriately for enterprise-class use. OT is considered to be the industrial subset of the “Internet of Things,” which will include billions of interconnected sensors, devices, and systems, many of which will communicate without human involvement and that will need to be protected and secured.

