Posts Tagged ‘security’

Cisco kicks off security kit/software/cloud combo

April 23rd, 2014

Cisco has added threat management to its portfolio, announcing Managed Threat Defense which it says brings realtime security to its customers.

Since “cloud everywhere” is the base assumption of practically every new launch, the Borg feels constrained to stipulate that Managed Threat Defense includes an “on-premise” solution, meaning there’s a box you can drop on your foot. It includes hardware, software and analytics (which The Register supposes are also software).

The customer-side kit is supported by Cisco’s security operations centres, which monitor the service and provide “incident response analysis, escalation, and remediation recommendations”, the company says.

Cisco says the MTD telemetry helps protect against unknown threats, and its use of Hadoop makes the system fully big-data compliant, allowing the system to identify anomalous traffic from a customer’s network.

Other Cisco technologies in the solution include Cisco’s Advanced Malware Protection, Sourcefire’s FirePOWER for threat detection, and Cisco Cloud Web Security for email and Web filtering.

The customer’s subscription includes incident tracking and reporting.

“Managed Threat Defense uses machine learning algorithms and predictive analytics to detect possible threats in real-time. This approach assumes the cyber-attacks today will not look like those yesterday, and employs heuristics designed to spot anomalous traffic patterns,” Cisco’s SVP for security solutions Bryan Palma blogs here.

Currently, the service is offered in the US, Canada, Australia, New Zealand, Singapore, Hong Kong and Japan.


Heartbleed: Security flaw you need to know

April 23rd, 2014

The Internet is an amazing thing, but being so big and accessed by so many people, it is never really 100 percent secure. There are always security issues being uncovered that could put your business and systems at risk. One of the latest flaws is possibly one of the biggest to be uncovered in years and could affect nearly every person and company on the Internet. Codenamed Heartbleed, this bug makes stealing data and viewing secure communication incredibly easy.

Most sites on the Internet rely on Secure Sockets Layer (SSL) technology to ensure that information is transmitted securely from a computer to server. SSL and the slightly older Transport Layer Security (TLS) are the main technology used to essentially verify that the site you are trying to access is indeed that site, and not a fake one which could contain malware or any other form of security threat. They essentially ensure that the keys needed to confirm that a site is legitimate and communication can be securely exchanged.

You can tell sites are using SSL/TLS by looking at the URL bar of your browser. If there is a padlock or HTTPS:// before the Web address, the site is likely using SSL or TLS verifications to help ensure that the site is legitimate and communication will be secure. These technologies work well and are an essential part of the modern Internet. The problem is not actually with this technology but with a software library called OpenSSL. This breach is called Heartbleed, and has apparently been open for a number of years now.


Microsoft patent victor Ric Richardson working on no-password security breakthrough

April 22nd, 2014

Ric Richardson, the Byron Bay inventor who went toe-to-toe with Microsoft in a massive patent battle and won, is raising funds for a computer security solution he says could be “much bigger” than his last one.

Mr Richardson was one of the largest shareholders in Singapore’s Uniloc when Microsoft reportedly paid it about $300 million in 2012 to settle claims that the software giant made billions infringing Uniloc’s anti-piracy technology patents. Microsoft had been using the technology as the basis for its Office and Windows software activation.

The final settlement was never disclosed. However, a patent jury had ordered Microsoft to pay US$388 million before the software maker succeeded in appealing the decision. Had it been upheld, it would have been one of the largest awarded in US patent history.

Mr Richardson said he was currently working closely with intellectual property experts in the US and a major capital investment provider in Australia to raise funds to commercialise security technology that would eliminate the need to use passwords for online transactions.

“My first patent has expired and it’s now time to get on and use the lessons learned,” he said.

Mr Richardson said he had been working on the security system on and off for about two years but had a breakthrough three months ago.

“When I spoke to the right guys about it – people that I trust down in Sydney – they looked to me and asked ‘is this it?’ and I had to make a decision about whether it was close enough to be something that’s going to make a difference, and it’s turned out that it is, so far,” he said.

“It’s turned into something that feels as big as software activation when I started working on that back in 1992.”

The two-factor security system uses a combination of proven private-public key encryption technology and local authentication in a way that eliminates the need for servers to store passwords or biometric information.

Users log on to their device using a PIN or biometric which is used to generate a private key. The key then generates a string of public keys that becomes the basis for communication with the server. The server then only accepts the next public key expected from the device for the next session, he said.

“It’s an exchange of secrets between the machines that doesn’t require a human to intervene where the machines know each other and recognise each other.”

The system also allowed for “session sharing” – letting a smartphone be used to authenticate another computer, such as one in an internet cafe, without the need to divulge sensitive information.

The beauty of the system was that it left hackers without an avenue to steal private user information stored on a central server, he said, pointing to the recent Heartbleed vulnerability in OpenSSL.

“It underscores the fact that people are imperfect and they make mistakes and hackers can rely on that.”

Ty Miller, founder of computer security consultancy Threat Intelligence said any system that left passwords less vulnerable to theft would help overcome security problems caused when individuals used the same passwords on multiple services.

However, he expressed concerns that Mr Richardson’s system might draw hackers’ attention to local devices.

“If the source of truth comes back to your own machine and storing a private key there, if that becomes compromised then all of your accounts become compromised,” Mr Miller said.

Mr Richardson was reluctant to the name his business advisers but said “we’re certainly working to and obeying all the rules that they would require to be eligible” to work with them later on.

He had some lingering concerns that the simplicity of the concept behind his system could leave it vulnerable to accusations that it lacked novelty to warrant patenting – just as the Uniloc’s software activation patents had.

However, he did not want to be left with any regrets for not taking a punt on the idea.

“I’m not saying that this will change the world. But I have had some experience with things that have changed the world so, if I don’t have a go at it, I’m a mug,” he said.


Get Adobe Flash player