Monthly Archives: October 2014

Verizon Wireless and AT&T are inserting header codes into mobile traffic data that enables them to track customers’ browsing activities over LTE, 4G and 3G networks, according to an online security expert. The “unique identifier header,” or UIDH, can be used to understand customer Web habits and deliver more targeted advertising to them.

AT&T said it is only testing the use of UIDHs, and is not currently running a mobile-relevant advertising program that would use such ID-tracked information. Verizon Wireless, which did not respond to our phone calls or e-mails, has been using the tracking codes for two years, according to a report in Wired.

Described as a “perma-cookie,” the UIDH is a long string of characters that is inserted into users’ mobile Web traffic without their knowledge. Crypto-security expert Kenneth White discovered the use of these codes and has developed a Web page that enables mobile users to test whether their traffic is being labeled in that way.

1M Hits to ‘Sniffer’ Page

Since news of the discovery was first reported in the media, White’s “sniffer” testing page has received nearly one million hits, according to an update White posted Tuesday on Twitter. In an earlier tweet, he noted, “It’s almost as if there’s interest in mobile providers not being creepy and broadcasting tracking beacons to the world.”

ProPublica reported today that the hidden code is also being used by MoPub, a mobile advertising-focused company acquired by Twitter last year. The article linked to a Twitter developer page with information on how UIDHs can be used in apps development.

According to the earlier report in Wired, there is no way for mobile phone users to prevent the insertion of UIDHs into their browsing traffic. A Verizon spokesperson told Wired that if customers choose to opt out, the codes wouldn’t be used to generate targeted ads for them. However, the codes themselves would continue to be added to users’ traffic headers.

Mark Siegel, AT&T’s executive director for media relations, told us that AT&T is changing its numeric test codes on a daily basis. At some point in the future, the company plans to streamline its opt-out process to enable customers to not only prevent targeted ads but the use of UIDHs themselves, he added.

‘Publicly Broadcasting Beacons’

We reached out to White to learn more about his findings on the use of UIDHs by mobile carriers.

He said that even though an individual’s tracking code is supposedly changed on a regular basis, he has observed the same UIDH in use on his Verizon phone for about one week now.

“One of the key issues is that for customers (both enterprise and individuals), these beacons persist across IP address changes and users’ physical location,” White added. “Any site that a person browses or any app accessed over HTTP is publicly broadcasting these beacons, bypassing any privacy preferences or settings.”

Since discovering the use of the UIDHs, White said his biggest surprise from the carriers was, “(C)laims of, ‘We have been doing this for quite some time, so why is this news?’ Other carriers have been confirmed to be using similar technology, most notably Vodaphone, which was actually caught sending customer mobile phone numbers and IMSI (SIM) card numbers.

Via: enterprise-security-today

‘Marketing ploy,’ first and foremost, says analyst, but there’s more to the strategy than keeping up with the Joneses’

Microsoft today abolished space restrictions on its cloud-based OneDrive storage service for subscribers to Office 365, saying per-user allotments are now unlimited.

“Moving forward, all Office 365 customers will get unlimited OneDrive storage at no additional cost,” said Chris Jones, the Microsoft executive who heads the OneDrive and SharePoint teams, in a post on the firm’s blog.

Unlimited OneDrive will be available to any subscriber to Microsoft’s “rent-not-buy” Office 365, including consumers (who can subscribe for as little as $6.99 per month), students and employees of businesses that have deployed Office 365.

Microsoft’s announcement came just three months after it boosted consumers’ and students’ Office 365 OneDrives to one terabyte (1TB) each. At the same time it upped the allowance of those who didn’t use Office 365 from 7GB to 15GB, and cut prices for additional storage by as much as 52%.

The Redmond, Wash. company had increased Office 365 business users’ storage to 1TB in April.

“First, just like everyone else, this is a marketing ploy,” said Wes Miller, analyst with Directions on Microsoft, of the unlimited storage space offer. “Unlimited is all about marketing.”

Some cloud storage rivals have given their customers as much space as they can consume. Four months ago, for example, Google kicked up its Google Drive allowance to unlimited for workers at companies that paid $10 per user per month for Google Apps for Business.

Cloud storage-and-sync service Dropbox, meanwhile, sells the commercial Dropbox for Business, which runs $15 per user per month for unlimited storage. Dropbox for Business requires a minimum of five users.

Microsoft will roll out the expanded storage space for consumers first — those who subscribe to Office 365 Home, Personal or University — and next year begin to do the same for Office 365 enterprise customers.

Miller said that the unlimited storage space will appeal more to consumers than corporations. “For the consumer side, absolutely this is useful,” said Miller. “Consumers don’t have the compliance and privacy concerns that many businesses have.”

The limitless storage is another way Microsoft tempts consumers to join the Office 365 subscription rolls, said Miller. But he also saw a long-term strategy at work, arguing that the company hopes to get all its customers to commit to the Microsoft service ecosystem.

“These moves are trying to make Office 365 more appealing, but they are also trying to make OneDrive your preferred dumping ground so that you don’t go anywhere else,” said Miller.

Consumers who want their OneDrive storage space upgraded as soon as possible — rather than waiting for Microsoft to do it on its schedule — can register with their Microsoft Account at this page.

Via: computerworld

While EMV chip technology continues its roll out in this country, a whitepaper from the Smart Card Alliance Payments Council contends that payment industry stakeholders can better protect against card fraud by layering EMV chip and two other security technologies, encryption and tokenization.

According to the paper (PDF), “Technologies for Payment Fraud Prevention: EMV, Encryption and Tokenization,” the three technologies play well together with chip providing cryptographic card authentication that serves as a deterrent for counterfeit cards and tokenization replacing card data with tokens, or surrogate values, that can’t be used by outsiders and, outside of a specific merchant or channel, hold no value. Encryption, of course, encrypts data from the time a card is swiped, tapped or inserted so that it can’t be read or used illicitly.

“These three security technologies protect different aspects of the payments system.  EMV protects against counterfeit cards and tokenization and encryption protects transaction data that is at rest (stored in merchant locations) in motion (while moving through the processing system),” Randy Vanderhoof, executive director of the Smart Card Alliance, told SCMagazine.com in Tuesday email correspondence.
“The combination of tokenization for new payments types like mobile payments and encryption for older magnetic stripe transactions protects data in the payments system that has not been replaced with EMV chip data yet.”

Noting that an uptick in counterfeit card fraud was the catalyst for the global payment industry to develop EMV chip, the paper called out the technology for its “ability to authenticate the card to be sure it’s not a clone or counterfeit of the card.” The EMV specification defines two methods of card authentication—offline and online, with the former offering the merchant an electronic means of authentication and the latter using symmetric key technology to create a unique application cryptogram that is sent to the card issuer and authenticated during the authorization process.

The paper also discussed tokenization, detailing not only the complementary role it plays to chip and encryption, but also the initiatives underway to standardize it. The American National Standards Institute’s Accredited Standards Committee (ASC) X9, EMVCo, PCI Security Standards Council (PCI SSC), and The Clearing House all are developing tokenization specifications for bank card payment industry use. The National Institute of Standards and Technology (NIST), has a set of standards for an identity credentials initiative that closely resembles tokenization and which includes “consideration of levels of assurance,” the paper said.

While the paper said stakeholders should “give careful thought to their approach for layering the three technologies,” based on cost, needs, industry requirements, regulations, and likely trends, it also urged merchants to invest in the technologies that offer the protection they need.

“Every business has a level of risk for fraud that they are willing to take and it varies from business to business,” said Vanderhoof. “These fraud mitigation tools are available but they come with a cost and a level of complexity that must be considered in the context of a business’s tolerance for risk from fraud losses if they only do one without the other.”

For example, the paper noted that a low-value-ticket card-present merchant might not be concerned with counterfeit cards but might want to focus on encrypting data in transit, while face-to-face merchants operating in complex environments that use card data beyond just authorization may want to layer the three technologies.

“Each method of security technology has its own complexity and cost to implement,” said Vanderhoof. “Doing all three might be appropriate for some merchants and issuers depending on the fraud risk they are experiencing today or are anticipating in the future.”

Via: scmagazine

The holiday season is fast approaching, meaning a busy time not only for retailers and shoppers but also cyber criminals. According to Damballa’s 2014 Q3 State of Infections report, ‘Backoff’ point-of-sale (POS) malware continues to infect retailers several months after its discovery.

The security firm’s report revealed infections from the malicious software increased 57 percent in August and 27 percent during the month of September.

Additionally, the company reported it detected as many as 138,000 events on a given day in a single enterprise network, with customers experiencing an average of 37 infected devices a day.

“Fundamentally, these figures show that prevention controls cannot stop malware infections,” said Brian Foster, Damaballa’s chief technology officer. “POS malware and other advanced threats can, and will, get through.”

However, researchers also discovered that daily infections diminished significantly (40 percent) among customers who proactively remediated their assets according to the risk each posed.

“Organizations should operate under the assumption they are in a state of continuous breach,” the report said.

Point-of-Sale malware attacks have been highly successful for cybercriminals in 2014 alone – raking in millions for debit and credit card information theft of Target, Home Depot, Jimmy John’s, P.F. Chang’s, Goodwill, Dairy Queen and Kmart customers.

“POS malware offers a high rate of return for criminals, which helps explain the spike,” read the report. “A single POS system may yield tens of thousands of payment card records versus what’s available on one end-user’s computer.”

We’d advise enterprises to be prepared, to get ahead by assuming that they will be compromised, and take practice measures to be ready to remediate, said Foster.

Read More Here…

Via: tripwire

Use of Other Browsers Recommended Until Situation Remediated.

The Department of Homeland Security’s U.S. Computer Emergency Response Team is urging online users to avoid using Internet Explorer, versions 6 through 11, in light of a vulnerability that exposes the Web browser to a zero-day exploit involved in recent targeted attacks. DHS urges users and administrators to “consider employing an alternative Web browser until an official update is available.”

The exploit was first identified by security firm FireEye, which outlined the vulnerability in an April 26 blog post. The company says the exploit is significant because the vulnerable browsers “represent about a quarter of the total browser market.”

US-CERT, in an April 28 statement, says the vulnerability “could lead to the complete compromise of an affected system.”

In addition, Carnegie Mellon University’s CERT program says the vulnerability can allow for a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. “This vulnerability is being exploited in the wild,” Carnegie Mellon’s CERT says. “Although no Adobe Flash vulnerability appears to be at play here, the Internet Explorer vulnerability is used to corrupt Flash content in a way that allows ASLR to be bypassed via a memory address leak. This is made possible with Internet Explorer because Flash runs within the same process space as the browser. Note that exploitation without the use of Flash may be possible.”

Carnegie Mellon’s CERT says it’s unaware of a practical solution to this problem. But it recommends the use of the Microsoft Enhanced Mitigation Experience Toolkit to help prevent exploitation of this vulnerability.

The European Network and Information Security Agency issued an alert April 28, saying this exploit is a “serious zero-day attack on society … which demonstrates that there is no 100 percent security.”

ENISA recommends using another browser until the issue has been fixed. “One of the biggest problems with this vulnerability is that the Windows XP users will be exposed since no patch will be released for XP” (see: End of XP Support: Are Banks Really Ready?).

The Internet Explorer vulnerability is a “tremendous risk,” says Tom Kellermann, managing director for cyberprotection at Alvarez and Marsal, a business management firm. “It is akin to leaving your keys in the ignition in a bad neighborhood,” he says. “It is imperative that users move to other browsers until a patch has been released. Passwords should also be immediately changed and anti-virus programs run.”

Microsoft Responds

In an April 26 post, Microsoft acknowledges it’s aware of “limited, targeted attacks that attempt to exploit a vulnerability” in Internet Explorer versions 6 through 11. “The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated.” the statement notes.

“The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.”

Microsoft says once it’s completed its investigation, it will take appropriate action to protect its customers, “which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.”

A cyber-attacker could use the vulnerability to gain the same user rights as the current user, Microsoft says. “If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system,” the company says. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Windows Vulnerabilities

Security experts have warned of the challenges present once Microsoft discontinued support of the Windows XP operating system (see: What Happens When Windows XP Support Ends?).

The issue is critical to all sectors, said Richard Edwards, a principal analyst at the consultancy Ovum. He said there was justified concern that after April 8, when Microsoft stops supporting XP, organizations running the operating system could be targeted by hackers using unforeseen exploits. That’s because Microsoft will no longer be issuing updates and security patches to address XP vulnerabilities.

Pedro Bustamante of anti-malware firm Malwarebytes says vulnerabilities such as this will be an increasing threat for all Internet users. “The interim risk to people and businesses using IE 6 to 11, until MS pushes out a patch, is troubling,” he says. “But the more potentially severe issue is that anyone still using XP will be completely exposed as long as they continue to use the unsupported OS. For them there will never be a patch.”

Via: databreachtoday

“Here is a tale of ransomware that will make your blood run cold,” announced Stu Sjouwerman of security training firm KnowBe4 in a company newsletter this week and he wasn’t exaggerating.

One of his firm’s customers contacted him on Oct. 14 for advice on how to buy Bitcoins after all seven of its servers containing 75GB of data had been encrypted by a recent variant of the hated CryptoWall ransom Trojan.

An admin had clicked on a phishing link which was bad enough. Unfortunately, the infected workstation had mapped drives and permissions to all seven servers and so CryptoWall had quickly jumped on to them to hand the anonymous professional a work day to forget.

The organization, a US-based non-profit with a headcount running into the hundreds, had backups but discovered to their shock that reinstating them would consume days, leaving the entire enterprise twiddling its thumbs. Admins were also unsettled by the possibility that some of those backups had not been verified and might not even work.

Staring at expensive downtime, who did they call? Ironically, the ransom criminals themselves on the assumption that they would supply the decryption key within hours and this would be the quickest way get all the data back.

The problem was that the firm’s IT team knew little about getting hold of Bitcoins, a process that requires signing up to a currency exchange after time-consuming security checks have been carried out. This can take days on its own.

In a stroke of luck, the victim firm had recently taken Kevin Mitnick’s Security Awareness Training course developed by the famous hacker in conjunction with Sjouwerman’s KnowBe4 and this came with the guarantee to pay ransoms should the customer subsequently fall prey to an attack (participants have to undertake regular phishing simulations to qualify).

KnowBe4 had the Bitcoins in its wallet and duly paid the $500 ransom (1.33 Bitcoins), quickly receiving the encryption key the affected firm used to retrieve its data. Even after paying for the decryption key, the whole process still took an exhausting 18 hours.

One database had been corrupted during encryption and that had to be restored from a backup.

When Techworld spoke to Sjouwerman, he admitted that paying malware ransoms is controversial but he described it as a simple business decision for the victim.

“The problem people run into is ‘how am I going to get Bitcoins,” he said. As bad as paying the ransom was, it was still a much lower price than bringing the organization to a standstill for up to a week.

He believes that CryptoWall 2.0 will reliably deliver encryption keys to paying victims but Techworld would like to point out that this can’t be guaranteed. Anecdotally, that has not always been the case for all ransomware and variants.

His advice for defending against this type of threat:

1. Never to take shortcuts such as mapping drives to critical servers from any admin workstation. Use a tool to make remote connections when they are needed.

2. Don’t just make backups but test the restore function too.

3. Consider investing in whitelisting to lock down the software that can run.

4. Enroll staff in a security-awareness program that includes training to defend against phishing attacks. This is obviously KnowBe4’s marketing message in publicizing the incident but it is probably reasonable advice. Many employees have never heard of ransomware.

5. Assume something like CryptoWall will happen eventually and develop a security culture to cope.

“CryptoWall is in full swing,” said Sjouwerman, matter-of-factly.

With good timing, Dell SecureWorks this week reported that CryptoWall infections have carried on rising through September and October despite greater awareness, reaching 830,000 worldwide, including 40,000 in the UK.

Via: csoonline

© Angela Jimenez for The New York Times Carole Hinders at her modest, cash-only Mexican restaurant in Arnolds Park, Iowa. Last year tax agents seized her funds.

For almost 40 years, Carole Hinders has dished out Mexican specialties at her modest cash-only restaurant. For just as long, she deposited the earnings at a small bank branch a block away — until last year, when two tax agents knocked on her door and informed her that they had seized her funds, almost $33,000.

The Internal Revenue Service agents did not accuse Ms. Hinders of money laundering or cheating on her taxes — in fact, she has not been charged with any crime. Instead, the money was seized solely because she had deposited less than $10,000 at a time, which they viewed as an attempt to avoid triggering a required government report.

“How can this happen?” Ms. Hinders said in a recent interview. “Who takes your money before they prove that you’ve done anything wrong with it?”

The federal government does.

Using a law designed to catch drug traffickers, racketeers and terrorists by tracking their cash, the government has gone after run-of-the-mill business owners and wage earners without so much as an allegation that they have committed serious crimes. The government can take the money without ever filing a criminal complaint, and the owners are left to prove they are innocent. Many give up and settle the case for a portion of their money.

“They’re going after people who are really not criminals,” said David Smith, a former federal prosecutor who is now a forfeiture expert and lawyer in Virginia. “They’re middle-class citizens who have never had any trouble with the law.”

On Thursday, in response to questions from The New York Times, the I.R.S. announced that it would curtail the practice, focusing instead on cases where the money is believed to have been acquired illegally or seizure is deemed justified by “exceptional circumstances.”

Richard Weber, the chief of Criminal Investigation at the I.R.S., said in a written statement, “This policy update will ensure that C.I. continues to focus our limited investigative resources on identifying and investigating violations within our jurisdiction that closely align with C.I.’s mission and key priorities.” He added that making deposits under $10,000 to evade reporting requirements, called structuring, is still a crime whether the money is from legal or illegal sources. The new policy will not affect seizures that have already occurred.

© Bryan Thomas for The New York Times Jeff Hirsch, an owner of Bi-County Distributors on Long Island.

The government seized $447,000 from the business, a candy and cigarette distributor run by one family for 27 years.

The I.R.S. is one of several federal agencies that pursue such cases and then refer them to the Justice Department. The Justice Department does not track the total number of cases pursued, the amount of money seized or how many of the cases were related to other crimes, said Peter Carr, a spokesman.

But the Institute for Justice, a Washington-based public interest law firm that is seeking to reform civil forfeiture practices, analyzed structuring data from the I.R.S., which made 639 seizures in 2012, up from 114 in 2005. Only one in five were prosecuted as a criminal case.

The practice has swept up dairy farmers in Maryland, an Army sergeant in Virginia saving for his children’s college education and Ms. Hinders, 67, who has borrowed money, strained her credit cards and taken out a second mortgage to keep her restaurant going.

Her money was seized under an increasingly controversial area of law known as civil asset forfeiture, which allows law enforcement agents to take property they suspect of being tied to crime even if no criminal charges are filed. Law enforcement agencies get to keep a share of whatever is forfeited.

Owners who are caught up in structuring cases often cannot afford to fight. The median amount seized by the I.R.S. was $34,000, according to the Institute for Justice analysis, while legal costs can easily mount to $20,000 or more.

Under the Bank Secrecy Act, banks and other financial institutions must report cash deposits greater than $10,000. But since many criminals are aware of that requirement, banks also are supposed to report any suspicious transactions, including deposit patterns below $10,000. Last year, banks filed more than 700,000 suspicious activity reports, which are reviewed by over 100 multiagency task forces.

There is nothing illegal about depositing less than $10,000 unless it is done specifically to evade the reporting requirement. But often a mere bank statement is enough for investigators to obtain a seizure warrant. In one Long Island case, the police submitted almost a year’s worth of daily deposits by a business, ranging from $5,550 to $9,910. The officer wrote in his warrant affidavit that based on his training and experience, the pattern “is consistent with structuring.” The government seized $447,000 from the business, a cash-intensive candy and cigarette distributor that has been run by one family for 27 years.

There are often legitimate business reasons for keeping deposits below $10,000, said Larry Salzman, a lawyer with the Institute for Justice who is representing Ms. Hinders and the Long Island family pro bono. For example, he said, some grocery store owners in Fraser, Mich., had an insurance policy that covered only up to $10,000 cash. When they neared the limit, they would make a deposit.

Ms. Hinders said that she did not know about the reporting requirement and that for decades, she thought she had been doing everyone a favor.

“My mom had told me if you keep your deposits under $10,000, the bank avoids paperwork,” she said. “I didn’t actually think it had anything to do with the I.R.S.” Lawyers say it is not unusual for depositors to be advised by financial professionals, or even bank tellers, to keep their deposits below the reporting threshold. In the Long Island case, the company, Bi-County Distributors, had three bank accounts closed because of the paperwork burden of its frequent cash deposits, said Jeff Hirsch, the eldest of three brothers who own the company. Their accountant then recommended staying below the limit, so the company began using the excess cash to pay vendors, and carried on for more than a decade.

More than two years ago, the government seized $447,000, and the brothers have been unable to retrieve it. Mr. Salzman, who has taken over legal representation of the brothers, has argued that prosecutors violated a strict timeline laid out in the Civil Asset Forfeiture Reform Act, passed in 2000 to curb abuses. The office of the federal attorney for the Eastern District of New York said the law’s timeline did not apply in this case. The federal attorney’s office said that parties often voluntarily negotiated to avoid going to court, and that Joseph Potashnik, the Hirsches’ first lawyer, had been engaged in talks until just a few months ago. But Mr. Potashnik said he had spent that time trying, to no avail, to show that the brothers were innocent. They even paid a forensic accounting firm $25,000 to check the books.

“I don’t think they’re really interested in anything,” Mr. Potashnik said of the prosecutors. “They just want the money.”

Bi-County has survived only because longtime vendors have extended credit — one is owed almost $300,000, Mr. Hirsch said. Twice, the government has made settlement offers that would require the brothers to give up an “excessive” portion of the money, according to a new court filing.

“We’re just hanging on as a family here,” Mr. Hirsch said. “We weren’t going to take a settlement, because I was not guilty.”

Army Sgt. Jeff Cortazzo of Arlington, Va., began saving for his daughters’ college costs during the financial crisis, when many banks were failing. He stored cash first in his basement and then in a safe deposit box. All of the money came from his paychecks, he said, but he worried that when he finally deposited it in a bank, he would be forced to pay taxes on the money a second time. So he asked the bank teller what to do.

“She said: ‘Oh, that’s easy. You just have to deposit less than $10,000.'”

The government seized $66,000; settling cost Sergeant Cortazzo $21,000. As a result, the eldest of his three daughters had to delay college by a year.

“Why didn’t the teller tell me that was illegal?” he said. “I would have just plopped the whole thing in the account and been done with it.”

Via: msn

Apple has posted a new security warning for users of its iCloud online storage service amid reports of a concerted effort to steal passwords and other data from people who use the popular service in China.

“We’re aware of intermittent organized network attacks using insecure certificates to obtain user information, and we take this very seriously,” the computer-maker said in a post Tuesday on its support website. The post said Apple’s own servers have not been compromised.

Apple’s post did not mention China or provide any details on the attacks. But several news outlets reported Tuesday that some Chinese Internet users have begun seeing warnings that indicate they had been diverted to an unauthorized website when they attempted to sign into their iCloud accounts.

That kind of diversion, known to computer security experts as a “man in the middle” attack, could allow a third party to copy and steal the passwords that users enter when they think they are signing into Apple’s service. Hackers could then use the passwords to collect other data from the users’ accounts.

Chinese activists blamed the attacks on that country’s government, according to news reports and the Chinese activist website GreatFire.org, which suggested the campaign was spurred by the fact that Apple recently began selling its newest iPhone models, the iPhone 6 and 6 Plus, in China. The new smartphones have software with enhanced encryption features to protect Apple users’ data.

Apple, which is based in Cupertino, California, said in its post that the attacks have not affected users who sign into iCloud from their iPhones or iPads, or on Mac computers while using the latest Mac operating system and Apple’s Safari browser. But the company suggested users should verify they are connecting to a legitimate iCloud server by using the security features built into Safari and other browsers such as Firefox and Google’s Chrome. The browsers will show a message that warns users when they are connecting to a site that doesn’t have a digital certificate verifying that it is authentic.

“If users get an invalid certificate warning in their browser while visiting www.icloud.com , they should pay attention to the warning and not proceed,” Apple said in the post.

The attacks appear unrelated to an episode last month in which hackers stole nude photos from the iCloud accounts of several U.S. celebrities. In that case, Apple said its investigation concluded the hackers had obtained the users’ passwords through so-called “phishing attacks” or by guessing at the answers to security questions that allowed access. The company said its servers were not breached in that case.

Via: enterprise-security-today

Sure, you can get a one-time code sent to your mobile phone and use that code, with your password, to try to fend off takeovers of Google, Yahoo or iCloud accounts, among others.

But can you be assured that a sophisticated phisher hasn’t spoofed a site to trick you into handing over your one-off code?

No, you can’t, and that’s why Google’s decided to ratchet up the security of two-step verification (2SV) even tighter.

On Tuesday, it announced that it’s adding support for a physical USB second factor that will first verify the login site as being a true Google website, not a fake site pretending to be Google, before it hands over a cryptographic signature.

What this means is that instead of typing in a code from their mobile phones, users who opt for the USB approach will just insert a USB enabled by the FIDO Universal 2nd Factor (U2F) standard – or what Google’s calling a Security Key – into their computers’ USB port, then tap a button on the USB at Chrome’s prompt.

That should block sites trying to phish your credentials away, says Nishit Shah, Product Manager at Google Security:

Security Key is a physical USB second factor that only works after verifying the login site is truly a Google website, not a fake site pretending to be Google.

We write about two-step verification often. We urge companies to offer it, and we advise users to take advantage of it whenever possible.

That’s because we think it’s the easiest and most effective way for web properties and other internet services to raise the bar against stolen passwords.

Google’s offering Security Key free on its end, but given that the USB drives themselves will be coming from third parties, yes, it does mean that you’ll have to buy yet another drive to add to your collection.

Google’s Security Key is actually the first deployment of FIDO. Google says it’s hoping that other browsers besides Chrome get on board, but for now, that means that your new stick will only work with Chrome.

Hopefully, Google says, at some point, that one Security Key USB drive will unlock your online self all over the place, as opposed to having your pockets bulge with a key ring bogged down with a clanking collection of drives:

Security Key and Chrome incorporate the open Universal 2nd Factor (U2F) protocol from the FIDO Alliance, so other websites with account login systems can get FIDO U2F working in Chrome today. It’s our hope that other browsers will add FIDO U2F support, too. As more sites and browsers come onboard, security-sensitive users can carry a single Security Key that works everywhere FIDO U2F is supported.

A few other good things about a USB 2SV device: unlike your phone, neither a dead battery nor lack of a data connection will thwart it.

Heck, one of the third-party USB drives is also apparently rugged enough to go through the spin-cycle when caught up in one Amazon reviewer’s laundry:

Great hardware! (My little token has survived an accidental run through the washer & dryer!)

Is there anything potentially bad about this? Well, as commenter Chris Drake noted on Google’s post, some of us might be constrained, in security-sensitive workplaces, not to plug arbitrary USB keys into workstations.

Interesting point, particularly given that it was just a few months ago that BadUSB had us wondering if we could ever trust a USB device again, what with their newfound ability to be turned into covert keyloggers, malware spreaders or boobytrappers of backup files.

Hopefully, the third-party USB drive makers using FIDO are on top of that, but we’ll let you know if we learn otherwise.

As for plugging drives in at your workstation, please do check with your IT department first.

Via: sophos

In partnership with Dell, Microsoft is launching its Azure cloud in a box offering, codenamed ‘San Diego.’

Microsoft is teaming with Dell to create an Azure cloud in a box offering for customers who want to run their own, on-premises datacenters.

Microsoft executives took the wraps off the new offering, known officially as the “Microsoft Cloud Platform System,” during an October 20 event in San Francisco about Microsoft’s cloud futures.

I had heard rumblings earlier this summer that Microsoft was going to make another attempt to deliver a “cloud in a box” offering with a product codenamed “San Diego.”

With Dell as its hardware partner, Microsoft will offer customers pre-assembled racks of servers running Windows Server 2012 R2, System Center 2012 R2 and Windows Azure Pack. Azure Pack, originally known as “Windows Azure Services for Windows Server,” provides users with the on-premises equivalents of a number of Azure technologies, including a self-service portal for managing services like Web sites, virtual machines and Service Bus; a portal for administrators to manage “resource clouds”; scalable Web hosting and more.

The Microsoft Cloud Platform System will be available starting next month, said Microsoft executives.

Today’s announcement isn’t the first time Microsoft is attempting to provide a cloud in a box solution. Back in 2010, Microsoft officials announced the company was readying Windows Azure Appliances, meant to function as “private clouds in a box” along with a few different hardware partners. But that plan fizzled over the next three years, with Microsoft eventually discontinuing work on the project.

Update: Microsoft Executive Vice President of Cloud & Enterprise Scott Guthrie said even though Dell is currently the only hardware vendor with whom Microsoft is working on the Cloud Platform System, Microsoft is open to adding others. But it’s the integration and certification involving Microsoft and Dell that he believes will make the offering of interest to large enterprise, government and service provider customers.

Pricing and licensing information about the Cloud Platform System is not yet available, from what I can tell. Update: A Microsoft spokesperson said pricing is “confidential.” Update (October 21): The pricing isn’t completely confidential. There is a white paper published by Value Prism Consulting and sponsored by Microsoft that outlines the cost of a typical Cloud Platform System configuration (which clocks in at more than $2.6 million, including hardware, software and services.)

Guthrie also announced at today’s Microsoft event that the company is adding the CoreOS Linux distribution to the handful of Linux variants it offers customers who want to run Linux in a virtual machine on Azure. Guthrie said he expects CoreOS to be of particular interest to startups using containerization technology.

Microsoft also is rolling its various Azure stores into a single new marketplace, Guthrie said, and allowing third-party software and service vendors to monetize their offerings through the marketplace however they’d want. The new marketplace is replacing the Azure Store, virtual machine gallery and Azure Data Marketplace with a single entity.

Update (October 21): As to who is selling and supporting the new Cloud Platform System — a topic where there’s been some conflicting public information —  here’s the official word from a Microsoft spokesperson:

“Customers will buy hardware through Dell and software and services through Microsoft. Microsoft will be the first point of contact for all support requests. If there is a hardware issue, Microsoft will orchestrate the resolution of issues together with Dell, so the customer does not get sent between vendors.”

Via: zdnet