Posts tagged Security

How Blackphone Turned A Security Fail Into A Win

Last year, privacy-focused Blackphone got a dubious distinction: It became known as the locked-down phone that supposedly got hacked in just 5 minutes.

Things have changed. Now it’s a whole mobile product line geared toward companies (and perhaps paranoid individuals), a brand-new acquisition for encryption services firm Silent Circle, and a multi-million dollar enterprise with a reported valuation of nearly $750 million.

The company introduced its latest devices this week at Mobile World Congress—the Blackphone 2 smartphone and its first tablet, currently dubbed Blackphone+. But what was really on display was the company’s uncanny knack for turning a well-publicized security flub into a win.

Meet Blackphone 2 And Blackphone+

As far as upgrades go, the 5.5-inch Blackphone 2 looks like a decent successor to last year’s original 4.7-inch Blackphone.

Like most second-generation phones, version 2 brings several hardware improvements: a faster 64-bit eight-core processor, more memory (3GB), a bigger battery and a larger display. The phone also ties into Citrix’s mobile device management, so IT departments can manage employees’ company-supplied or BYO (“bring your own”) phones. Blackphone 2 is priced at $630 (unlocked) and slated for a July release; the company’s first tablet, the 7-inch Blackphone+, is due to follow this fall.

The original Blackphone (left) and Blackphone 2 exhibition unit (right)

Both run Blackphone’s PrivatOS, a hardened variant of Android meant to sit as an extra layer between the user and the big, bad outside world. When an app asks for personal data it doesn’t need, such as contacts or location, PrivatOS can intercept the request and either block it or hand back obscured data, so the app carries on as though the user had granted access even when he or she didn’t.

“You can take an Android device, you can root it, introduce [similar] features, and after months, you can have something like Blackphone,” said Javier Agüera, Blackphone’s founder and now a chief scientist at Silent Circle. “Or you can have an out-of-the-box device, with everything set up by security specialists, that’s enterprise ready and configured the way you need it.”

PrivatOS adds a new feature called “Spaces,” which keeps separate “work” and “personal” environments on one device, lets users add further profiles, and includes an app store vetted by Blackphone. Its encryption keeps keys on the device itself rather than on some unknown remote server. The phone’s price includes two years of bundled security services: protection against unsafe Wi-Fi networks, private browsing, and secure cloud file storage.

That sounds like a lot of protection; at least, it’s more than most users are accustomed to getting. It all goes back to Blackphone’s mission: The company wants to safeguard people. It seems sincere—even though a hacker actually did manage to breach those walls last year.

Turning Hackers Into BFFs

PrivatOS running on last year’s model

At hacking convention DefCon last year, CTO Jon “Justin” Sawyer of Applied Cybersecurity LLC told Blackphone that he managed to get past its security to root its device. What’s more, he tweeted the exploit, which landed on BlackBerry sites and other tech blogs.

Sawyer found a couple of weak spots in the software, including a hole in the remote wipe feature that let him get onto the device and grant himself system privileges, giving him access to core parts of the phone. What gets less attention, the execs said, is that the company had already patched the hole.

Sawyer essentially attacked an old, outdated version of the software. Even so, the incident and publicity could have humiliated Blackphone right out of the market. It didn’t. Instead, the company is milking it. 

The team thanked Sawyer for the discovery and sent him a bottle of wine. Then it enlisted others to scope out any other vulnerabilities. 

According to Vic Hyder, Silent Circle’s chief strategy officer, Blackphone recently launched a bug bounty program that rewards people for finding security flaws, starting at $128 and rising with the severity of the bug. (Bounties are fairly common in the tech industry; even big companies like Facebook, Google and Microsoft offer rewards to bug hunters.)

“[It] makes them part of the solution, instead of part of the problem,” Hyder said. “It brings everybody in as a participant.” Even Sawyer, now a friend of Blackphone, helps out by looking for other vulnerabilities. The company publishes all of its source code, to help make it easier for people to find holes.

So far, Hyder estimates that the company has paid out about $15,000 to $20,000 in bounties.

Throwing Shade

“Nothing is hack-proof,” admits Daniel Ford, chief security officer.

However, he says his company can help guard against certain types of attacks. “Targeted attacks are completely different than mass surveillance,” he said. There’s little Blackphone or anyone can do against the former, such as last year’s breach at Sony Pictures—which may have been a specific retaliation for The Interview, a comedy that poked fun at North Korea.

Sony’s “The Interview” made fun of North Korea’s regime, which may have been responsible for hacking the movie studio. 

Ultimately, if a hacker wants your data badly enough—whether it’s a criminal or an NSA agent—he or she has innumerable tools that can help get it. No platform can hold up against that, he explained.

But when it comes to broader mass surveillance, Ford said Blackphone can step in and offer more protection. “This is where our commitment is: If there is a vulnerability that was disclosed publicly, we will fix it in less than 72 hours,” he said. “We have done so every time. That is our goal … the last time, it took only 6 hours.”

“Samsung had two critical vulnerabilities that were released two weeks ago,” he added, calling out one of his archrivals in the enterprise market, albeit for a vulnerability in its TV business. Still, he couldn’t resist poking at Samsung’s overall attitude toward security: “They have not even started to address it,” he said.

Photos by Adriana Lee for ReadWrite

View full post on ReadWrite

Why An Open-Source Pro Sees His Next Act In Security

Security is boring—at least until you don’t have it anymore. Then it becomes exciting for all the wrong reasons. 

In our increasingly interconnected world, it’s also painfully difficult. How do you secure connections to internal devices and external services that you do not and, indeed, cannot own? For enterprises trying to lock down sensitive corporate data in a world awash in personal devices and cloud computing, it’s an exercise in futility. 

Maybe. Maybe not.

Zack Urlocker

Zack Urlocker was just named COO of Duo Security, a Benchmark and Google Ventures-backed security company that aims to make two-factor authentication omnipresent and painless. Is this Urlocker’s next unicorn? After all, as SVP of products and marketing at MySQL, he helped to drive a $1 billion sale to Sun. Later, he went on to run operations at pre-IPO Zendesk (now worth $2 billion).

Urlocker clearly knows how to build unicorns, but is security ripe for a unicorn-sized exit? 

To better understand the allure of security to Urlocker, I caught up with him to discuss the shift from databases and help desk software to security.

Security Is Big For All The Wrong Reasons

Security has been a big market for a long time, but for all the wrong reasons. And while we like to think of security as someone else’s problem (at least, until our own data is pilfered), a Ponemon study shows that we all bear the costs:

Source: Ponemon

And while malicious criminal attacks account for 42% of data breaches, human error comes in second place (30%). Lost devices or other errors in human judgment open up corporations to all sorts of security problems. 

Making It Easy

The problem for most people, however, is that securing their devices and, hence, their data, can be a pain. Often we won’t bother until we’re forced to do so.

I remember when I first implemented two-factor authentication. My IT team had been pushing me to do it for nearly a year, and I kept resisting because I didn’t want the bother. It didn’t help that some things (like calendars) were shared with other family members on their devices. The thought of having to constantly update the passwords on their devices, and not merely mine, seemed to not be worth the effort.

That is, until my daughter’s Gmail account was hacked.

In this case, the hacker goaded me as I madly tried to get ahead of him to change her passwords. He used the Gmail account to get into her Facebook and other accounts, and used all of them to send vile messages to her and her friends. As I tried to stop him, he IM’d me to laugh at my efforts. It was frightening.

It was the wake-up call I needed, and I implemented two-factor authentication for myself and my family immediately afterward. We haven’t had a problem since (though I wish I could keep my credit card numbers from getting stolen every few months.) 

Since that time, two-factor authentication has become increasingly easy, thanks to companies like Duo Security, which Facebook, Box, Palantir, Yelp, Whatsapp, Etsy, and over 5,000 other companies use to provide simple security to hundreds of millions of users. In fact, Duo has developed solutions that secure 80% of the ISPs globally. 

As Urlocker told me, 

Duo makes strong security easy to buy, easy to use and easy to roll into production. Usually security means making things hard for people. With a SaaS solution, it’s easy to deploy. You can get Duo Security up and running in 15 minutes or a few days for major rollouts compared to weeks or months with traditional solutions. And it works, too!

That ease of use is essential. I’m a reasonably savvy technologist. No one in my family is. For them to be comfortable with two-factor authentication, it has to be as simple as typing in a password. (Or, in this case, a code sent to them via SMS.)

Learning From Open Source

So how did Urlocker get here from open source land? Duo, so far as I know, isn’t offering its software free over the Internet and charging for support. What can open source teach us about security?

Security, it turns out, has an equally open community, sharing both code and insights into how to secure code. 

Importantly, as he told me, it’s critical to “know how bad guys operate and where the vulnerabilities hide,” not to mention “how customers behave.” The best open source software makes difficult processes easy for developers. Duo is trying to accomplish the same thing for security. 

Which means not foisting silly security policies on users (e.g., forcing them to change passwords every 90 days to equally obscure and hard-to-remember passwords). Duo provides multiple ways for users to authenticate, but the one I like best involves sending push notifications and letting me simply respond.

As the thinking goes, anyone can get my password. But getting my password and my mobile device? That’s hard.

Not surprisingly, then, Urlocker finds that certain SaaS categories, like Zendesk, Box, New Relic, HubSpot and Duo Security, “definitely operate at a similar scale” to open-source software, “but with much better conversion rates than we ever had in open source!”

That’s good for Duo, of course, but also for corporate security. Which makes it easier to sleep at night, even if the hackers never do.

Photo by Tim RT

View full post on ReadWrite

How A Linux “Ghost” Spooked The Security World

A vulnerability in a widely used component of many Linux distributions could allow remote attackers to take control of a system. Researchers at Qualys have dubbed it Ghost because it is reached through the gethostbyname family of functions.

See also: How To Protect Yourself Against The Internet “Poodle” Attack

The vulnerability is in the GNU C Library, known as glibc for short. Without glibc, a Linux system couldn’t function. The flaw is in __nss_hostname_digits_dots(), a glibc function that is invoked by the gethostbyname() and gethostbyname2() calls. An attacker who can get a crafted hostname passed to either function, for instance through a network service that resolves names it receives from clients, could execute code on the machine and take remote control of the entire Linux system.

A series of misfortunes helped Ghost slip through the cracks. First, the bug had already been identified and fixed upstream on May 21, 2013 (the fix shipped in glibc 2.18), as Qualys CTO Wolfgang Kandek writes. But at the time it was treated as an ordinary bug rather than a security flaw, so the fix was never backported to the stable releases most servers run:

“Unfortunately, it was not recognized as a security threat; as a result, most stable and long-term-support distributions were left exposed including Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04, for example.”

Second, because Ghost sits in a library that nearly every process on a Linux system has loaded, installing the fixed package is not the end of it: every service that still has the old glibc mapped in memory must be restarted, which in practice often means rebooting the whole server. Companies have to schedule that downtime, so affected servers could stay vulnerable for some time longer.

Whether your own server is exposed depends on which glibc it runs and what it listens for. Builds from glibc 2.18 onward already contain the fix, but distributions backport security fixes without changing the version number, so the reliable test is behavioural rather than a glance at the version string; the real exposure is in network-facing services that resolve hostnames an attacker can supply. Now that Red Hat, Debian, Ubuntu and Novell have all issued patches, Linux server operators have what they need to stay in the clear.
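As an added example that is not part of the original article, the following C program reproduces the kind of self-test Qualys distributed alongside its advisory for this bug (CVE-2015-0235). It asks gethostbyname_r() to parse an all-digit name that is exactly long enough to trip the unpatched size calculation in __nss_hostname_digits_dots(), then checks whether a canary placed directly behind the caller’s buffer survived. It also parses the glibc version string, but only to show why that check is not sufficient on its own. The function names, result codes and canary string are this example’s own choices; it assumes a Linux system with glibc (on another libc it reports “inconclusive”).

```c
/* Added example (not from the article): a GHOST (CVE-2015-0235) self-test
 * modelled on the check Qualys published with its advisory. It hands
 * gethostbyname_r() an all-digit "hostname" sized so that an unpatched
 * __nss_hostname_digits_dots() writes a few bytes past the caller's buffer,
 * and watches a canary placed directly behind that buffer. A fixed glibc
 * refuses the request with ERANGE before it writes anything. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __GLIBC__
#include <gnu/libc-version.h>   /* gnu_get_libc_version(), glibc only */
#endif

#define CANARY "in_the_coal_mine"   /* arbitrary marker chosen for this example */

enum ghost_result {
    GHOST_VULNERABLE,     /* canary overwritten: the overflow happened */
    GHOST_NOT_VULNERABLE, /* glibc rejected the oversized request with ERANGE */
    GHOST_INCONCLUSIVE    /* anything else, e.g. a libc that is not glibc */
};

/* Parse a "major.minor[...]" string as returned by gnu_get_libc_version().
 * Returns 1 on success, 0 on malformed input. */
int parse_glibc_version(const char *s, int *major, int *minor)
{
    char *end;
    const char *minor_start;
    long maj = strtol(s, &end, 10);
    if (end == s || *end != '.')
        return 0;
    minor_start = end + 1;
    long min = strtol(minor_start, &end, 10);
    if (end == minor_start)
        return 0;
    *major = (int)maj;
    *minor = (int)min;
    return 1;
}

/* 1 if the version string is at or past glibc 2.18, where upstream fixed the
 * bug in May 2013. Distributions backport fixes without bumping this string
 * (RHEL 6 stays at 2.12), so a low version does not prove exposure; only the
 * behavioural test below settles it. */
int version_has_upstream_fix(const char *s)
{
    int maj, min;
    if (!parse_glibc_version(s, &maj, &min))
        return 0;
    return maj > 2 || (maj == 2 && min >= 18);
}

enum ghost_result ghost_check(void)
{
    /* glibc writes its hostent data into temp.buffer; the canary sits
     * immediately behind it, so any overflow lands on the canary. */
    struct {
        char buffer[1024];
        char canary[sizeof(CANARY)];
    } temp = { "buffer", CANARY };

    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;

    /* The unpatched code sizes its request as a 16-byte address, two
     * address-list pointers and the name plus its NUL, but forgets the alias
     * pointer it also stores in the buffer. A name of exactly this length
     * passes the size check and spills sizeof(char *) bytes of digits past
     * the end of temp.buffer. */
    size_t len = sizeof(temp.buffer) - 16 * sizeof(unsigned char)
                 - 2 * sizeof(char *) - 1;
    char name[sizeof(temp.buffer)];
    memset(name, '0', len);
    name[len] = '\0';

    int retval = gethostbyname_r(name, &resbuf, temp.buffer,
                                 sizeof(temp.buffer), &result, &herrno);

    if (strcmp(temp.canary, CANARY) != 0)
        return GHOST_VULNERABLE;
    if (retval == ERANGE)
        return GHOST_NOT_VULNERABLE;
    return GHOST_INCONCLUSIVE;
}

int main(void)
{
#ifdef __GLIBC__
    const char *ver = gnu_get_libc_version();
    printf("glibc %s (%s the upstream 2.18 fix by version number)\n", ver,
           version_has_upstream_fix(ver) ? "has" : "predates");
#endif
    switch (ghost_check()) {
    case GHOST_VULNERABLE:     puts("vulnerable");     return 1;
    case GHOST_NOT_VULNERABLE: puts("not vulnerable"); return 0;
    default:                   puts("inconclusive");   return 2;
    }
}
```

Build it with `gcc ghost_check.c -o ghost_check` and run it as an ordinary user. On an unpatched glibc the digits overwrite the canary and the program reports “vulnerable” (the clobbered stack may also crash the process, which is itself a positive result); on a patched one the call fails cleanly with ERANGE and nothing is written. Run it after updating as well as before: the fix only takes effect in processes that have been restarted with the new library, which is exactly why the downtime discussed above matters.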

Photo by Jon Feinstein

View full post on ReadWrite

Obama To Propose National Data Security Policy

If your credit card or personal data is compromised, it should be the law for companies to let you know. On Monday, President Obama will call for legislation to make it happen.

The Personal Data Notification and Protection Act would ensure that American companies quickly and succinctly inform customers about data breaches according to an established national standard for dealing with just that. The President will call for companies to inform consumers within a deadline of 30 days, White House officials said Sunday.

See also: Box And Dropbox Are Going To War Over Corporate Data Security

The President’s speech, which is scheduled for Monday at the Federal Trade Commission, will also propose the Student Data Privacy Act, which would prevent technology companies from selling the data they collect from schools as teachers increasingly utilize laptops, tablets, and software for their curriculums.

Currently, an uneven patchwork of state laws protects people from data breaches and privacy overreach, something the President is expected to call insufficient where a consistent national standard could address citizens’ concerns.

“As cybersecurity threats and identity theft continue to rise, recent polls show that nine in 10 Americans feel they have in some way lost control of their personal information—and that can lead to less interaction with technology, less innovation and a less productive economy,” said a White House briefing document on the proposed legislation.

Photo via Everett Collection / Shutterstock

View full post on ReadWrite

UK Is Ready For Apple Pay, But Security Remains A Concern

Apple Pay is set to travel across the pond to the United Kingdom in the first half of 2015. However, the Telegraph reports that one of the UK’s biggest banks is concerned about “the amount of personal and financial information Apple wants to collect about its customers.”

The bank’s objection goes against Apple executive Eddy Cue’s insistence that “we are not in the business of collecting your data,” as he announced at the keynote in September. Cue explained that during and after an Apple Pay transaction, “Apple doesn’t know what you bought, where you bought it, or how much you paid for it.”

Of course, it wouldn’t be the first time Apple has given reason for users to be concerned about security. In September, a major photo theft revealed vulnerabilities in Apple’s iCloud security.

See also: Apple To Increase iCloud Security Following Celebrity Photo Theft

The UK bank may be stalling, but the Telegraph reports that sources say “no major bank will want to miss out on Apple Pay,” given the amount of success it has had in the United States. Even if consumers still have cold feet, companies certainly do not. As of mid December, Apple Pay supported 90% of U.S. credit cards in terms of purchase volume.

Screenshot of Apple Pay via September Apple keynote

View full post on ReadWrite

SEO poisoning campaign ensnares several thousand websites, security expert finds – SC Magazine

The attack method, called SEO poisoning, was observed by Jay Wind, an Arlington, Va.-based webmaster who manages several non-profit and business sites. In September, he first stumbled across the issue after seeing numerous GoDaddy domains being …

View full post on SEO – Google News

Box Matches Dropbox With New Security Partnerships

Cloud storage and file-sharing company Box announced Box Trust, an initiative that includes a partnership with several computer security companies and the launch of an application designed for enterprise customers.

The Tuesday announcement, of which there were whisperings last week, comes days after competitor Dropbox unleashed its new Dropbox for Business API, also in partnership with several companies, also aimed at increasing the security of its cloud.

The Box Trust consists of 19 different companies, including Splunk, Symantec, and OpenDNS. The partnerships come with the goal of each company making Box more secure and therefore attractive to more corporate customers.

See also: Box And Dropbox Are Going To War Over Corporate Data Security

“Our partnership with the security ecosystem is incredibly important to the successful delivery of Box into the enterprise, and our work here is just beginning,” wrote Box CEO Aaron Levie in a blog post about Box Trust.

Each of the partners brings something different to the table.

“We are excited to be a founding partner in the Box Trust security initiative to bring our Data Loss Prevention (DLP) technology to Box customers,” said Chandra Rangan, vice president, product marketing, Symantec, in a Box press release. “With data in the cloud quickly becoming ubiquitous, we share a common mission and responsibility to make access, sharing and collaboration within and across organizations safe and secure.”

A more tangible representation of this new emphasis on cloud security comes in the form of a new mobile app for iOS and Android, Box for Enterprise Mobility Management. The app is designed for Box Enterprise users, and allows businesses greater control over their mobile cloud use. Box for EMM can be wiped remotely. 

View full post on ReadWrite

Box And Dropbox Are Going To War Over Corporate Data Security

On Wednesday, Dropbox plans to unveil a new API (see our API explainer) intended to let large corporate clients tie third-party security tools into Dropbox’s cloud storage. Next week, its rival Box plans its own security announcement aimed at helping employees at big organizations collaborate and manage their cloud-based information in a secure way.

It’s the latest skirmish between the leading independent providers of cloud storage. Dropbox, which claims more than 300 million users, dominates among consumers. But it has struggled in its attempts to take on Box, which focused on big-company customers from its inception. (Both companies face additional competition from increasingly cheap Google and Microsoft cloud-storage services.)

See also: Dropbox For Teams Isn’t Ready To Take On Box

Dropbox first debuted its business service, then known as Dropbox for Teams, in 2011. In early 2013 it launched a more serious foray into the corporate world with its renamed Dropbox for Business service. Its most recent upgrades to that service added security features and made it much easier for users to keep business and personal files separate on Dropbox, but still fell short on collaboration features and the use of third-party corporate-grade apps.

See also: All Your Files Are Belong To Dropbox

The new API—dubbed, naturally, the Dropbox for Business API—goes part of the way toward closing that gap. It already offers more than 20 enterprise integrations, many with a heavy emphasis on security, according to Dropbox.

The new API is launching with several integrated corporate applications related to security—for instance, ones that cover legal functions such as electronic discovery and “legal hold,” data loss prevention, management of digital rights for copyrighted material, identity management and so on.

Box says it will fire back next week with an announcement detailing new ways companies can secure their cloud data. Tellingly, Box plans to emphasize secure-collaboration features, an area where Dropbox for Business has traditionally been weak.

The new API is unlikely to affect present Dropbox for Business pricing, which is $15 per user with a minimum of five users. Some current Dropbox for Business customers include News Corp, Spotify, Under Armour, and the Massachusetts Institute of Technology. 

Lead photo by Rupert Ganzer

View full post on ReadWrite

Google Enhances User Security With Release Of Devices And Activity Dashboard by @mattsouthern

In today’s multi-device world there’s no doubt that you have accessed your Google account on a number of different devices, maybe some you don’t even use anymore. For example, maybe you recently sold your smartphone in order to upgrade to a new one. Or perhaps a phone or tablet of yours was recently lost or stolen. Those old devices may still be able to access your Google account. Now there’s a tool that will help you manage which devices have access to your Google account and revoke access to any devices you no longer use. A new security dashboard released […]

The post Google Enhances User Security With Release Of Devices And Activity Dashboard by @mattsouthern appeared first on Search Engine Journal.

View full post on Search Engine Journal

Copyright © 1992-2015, DC2NET All rights reserved