Samsung Teams with Absolute Software to Harden Security of GALAXY Mobile Devices

Absolute Software Brings Enterprise Mobility Management and Theft Protection to Samsung GALAXY Devices

Samsung has teamed up with Absolute Software to provide the core enterprise security elements for the next generation of Samsung Galaxy devices.

The layered protection will be bound to the soon-to-be launched KNOX platform, Samsung’s answer to the security needs of IT admins. Samsung will embed Absolute Software’s “Absolute Persistence” technology into the firmware of Samsung GALAXY mobile devices, the company said.

KNOX sits on top of a hardened installation of Android and comes with an application container that splits personal and business software and data.

According to Samsung, KNOX uses a three-pronged strategy to add security to its mobile platform: Customizable Secure Boot, ARM TrustZone-based Integrity Measurement Architecture (TIMA), and a kernel with built-in Security Enhanced Android (SE Android) mandatory access controls.

Samsung KNOX Diagram

With the addition of Absolute Software’s cloud-based offering, KNOX will let administrators secure tablets, handsets and laptops remotely, wherever the employee has taken them and wherever they were lost or stolen.

“As we expand our position in the enterprise market, our customers are demanding enterprise level security solutions,” states Dr. Injong Rhee, Senior Vice President of the Technology Strategy Group at Samsung Electronics.

Moreover, Samsung’s KNOX will enable admins to secure corporate data, monitor device status, receive alerts and respond pre-emptively in case a device is deemed to be at risk.

Another bonus will be the inclusion of Absolute Investigations and Recovery Services (AIRS), though the announcement did not make clear whether the service is bundled with Samsung’s offering or available for an additional fee.

When a device is stolen, the AIRS group can provide insight and data and assist law enforcement where needed. To date, AIRS has helped recover some 28,000 stolen laptops, due in part to Absolute’s Computrace and LoJack software.


Mocana Enhances Mobile App Protection Solution

Mocana, a San Francisco-based company that focuses on mobile and smart device security solutions, unveiled new capabilities and security features to its security solution for protecting mobile apps from data leaks and other threats.

The latest version of Mocana’s Mobile App Protection (MAP) platform, Mocana MAP 2.4.2, offers new capabilities to make it easier for organizations to integrate with existing network infrastructures, enhanced data sharing between secured apps, and enables bring-your-own-device (BYOD) in compliance-focused environments, Mocana said Tuesday. Mobile App Protection helps enterprises accelerate mobility initiatives by automating iOS and Android app security.

The new features include app-level capabilities for access and authentication, secure communications, data protection, and contextual usage to enhance the enterprise’s ability to secure confidential data on managed and unmanaged Android and iOS devices, Mocana said. Mocana MAP is largely invisible to end users, since wrapping an app with MAP does not change its user experience.

Mocana MAP 2.4.4 “demonstrates our ongoing commitment to delivering real-world app security that allows companies to mobilize their business processes in transformative ways,” Kurt Stammberger, CISSP and vice president of market development at Mocana, said in a statement.

This latest MAP release introduces remote data wipe, a smart firewall, geo-fencing, location masking, app expiration, and shared copy-and-paste. Remote data wipe allows IT staff to delete the application-specific data of wrapped apps on both managed and unmanaged mobile devices when necessary, such as when an employee leaves the company or a device is lost or stolen. The smart firewall lets enterprises route a wrapped app’s connection to the corporate network through an SSL reverse proxy as an alternative to the existing per-app IPsec VPN policy, Mocana said.

Geo-fencing refers to a virtual perimeter placed around a geographic location within which an app can be used; examples include restricting an app to work only on a university campus or a military base. Location masking, on the other hand, protects the user by preventing the app from obtaining the device’s current location.

Shared copy-and-paste allows users to copy and paste text from one MAP-wrapped app to another wrapped app on the same device.

Administrators can define a start and end date for an app, which controls when users actually have access to an app. This can be used to restrict access for contractors, or as a “failsafe” to ensure the app cannot be used by ex-employees, according to Mocana.
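The geo-fence, unavailable-location and start/end-date controls described above can be combined into a single fail-closed policy check. The following is an added illustration written for this page, not Mocana’s code; the policy structure, the campus coordinates and 1,500 m radius, and the dates are constructed assumptions:

```python
"""Fail-closed evaluation of a geo-fence plus validity-window app policy.

Added example for this page; not Mocana's implementation. The policy shape,
coordinates, radius and dates below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Optional, Tuple

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS-84 points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))


@dataclass(frozen=True)
class GeoFence:
    """Circular fence: centre point and radius in metres."""
    lat: float
    lon: float
    radius_m: float

    def contains(self, lat: float, lon: float) -> bool:
        return haversine_m(self.lat, self.lon, lat, lon) <= self.radius_m


@dataclass(frozen=True)
class AppPolicy:
    fence: Optional[GeoFence]        # None = no location restriction
    not_before: Optional[datetime]   # app inactive before this instant
    not_after: Optional[datetime]    # app expires after this instant


def evaluate(policy: AppPolicy, now: datetime,
             location: Optional[Tuple[float, float]]) -> Tuple[bool, str]:
    """Return (allowed, reason).

    `location` is (lat, lon), or None when the device cannot or will not
    report a fix. Every missing input is treated as a denial (fail closed).
    """
    if now.tzinfo is None:
        # Naive local time is ambiguous and trivially adjustable by the user.
        raise ValueError("use a timezone-aware datetime for policy evaluation")
    if policy.not_before is not None and now < policy.not_before:
        return False, "app not yet active"
    if policy.not_after is not None and now > policy.not_after:
        return False, "app expired"
    if policy.fence is not None:
        if location is None:
            return False, "location required but unavailable"
        if not policy.fence.contains(*location):
            return False, "outside geo-fence"
    return True, "allowed"


# Constructed sample policy: a 1.5 km "campus" fence and a contractor
# engagement running from 1 April to 30 June 2013 (UTC).
CAMPUS = GeoFence(lat=51.5, lon=-0.1, radius_m=1500.0)
CONTRACTOR_POLICY = AppPolicy(
    fence=CAMPUS,
    not_before=datetime(2013, 4, 1, tzinfo=timezone.utc),
    not_after=datetime(2013, 6, 30, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    during = datetime(2013, 4, 24, tzinfo=timezone.utc)
    for where in [(51.505, -0.1), (51.52, -0.1), None]:
        print(where, evaluate(CONTRACTOR_POLICY, during, where))
    print("after engagement", evaluate(CONTRACTOR_POLICY,
                                       datetime(2013, 7, 1, tzinfo=timezone.utc),
                                       (51.505, -0.1)))
```

Both inputs to this check, the reported location and the device clock, are under the control of whoever holds the device, and a rooted or jailbroken handset can feed the wrapper whatever it likes. Controls of this kind reduce exposure on a lost or wandering device; they are not a security boundary, and the same window and location rules should be enforced again at the server that the app talks to.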

The app-shielding platform allows managers to point and click in the management interface to add new security policies to existing mobile apps without writing any new code, according to Mocana. With MAP, business units, IT departments, and app developers can customize security policies while still taking advantage of FIPS 140-2 encryption and standards-based communication protocols.

Once wrapped, the app, its data and its connection to enterprise networks are protected by the wrapper’s policies, according to Mocana.

Mocana said the latest version of the software is currently available to customers by a subscription or a perpetual license.

Android Apps from Google Play Used in One-Click Fraud Operation

Researchers at Symantec discovered hundreds of Android applications on Google Play being used as part of a fraud scheme targeting Japanese users.

The offending apps have since been taken off the Google Play marketplace, according to Symantec Security Response Manager Satnam Narang, who added that the developers’ accounts have been suspended by Google. The apps – more than 200 in all – are believed to have been part of a one-click fraud scam that may have victimized thousands.

“One-click fraud refers to a scam that attempts to lure users interested in adult-related video to a site that attempts to trick them into registering for a paid service,” blogged Joji Hamada, security researcher with Symantec. “For many years, it has been common to see this type of fraud on computers. As smartphone usage has increased, so has the number of these types of scams on smartphone devices.”

Typically, people come across these scam sites when searching for items they are interested in or clicking on links in spam messages, he continued. Symantec researchers spotted the scheme making its way to Google Android devices roughly a year ago.

In this case, entering Japanese words related to pornographic video put one of the apps at the top of the Google Play search results. The apps normally required the user to accept only the “Network communication” permission, and some variants required no permissions at all.

“This is because the app is simply used as a vehicle to lure users to the scam by opening fraudulent porn sites,” Hamada noted. “The app itself has no other functionality. This may fool users into feeling safe about the app and catch them off guard when launching the app.”

The ruse apparently worked on some. According to Symantec, more than 200 of the fraudulent applications were published and were downloaded at least 5,000 times during the past two months.

“As far as victims go, we are not aware of how many of these users actually paid money to the scammers; the “service” costs about 99,000 yen (approximately US$1,000),” according to Hamada. “It certainly must be worth the time and effort for the scammers as they have continued doing business for over two months.”

Iran Unblocks Access to Gmail

TEHRAN - Iran on Monday removed online blocks on Gmail, but an official of the government’s Internet filtering committee said additional censorship was being prepared against YouTube, according to reports.

Internet users in Iran found themselves able to freely access their Gmail accounts for the first time since the blocks were suddenly established on September 24.

The HTTPS version of Google search was also made accessible after being blocked at the same time; the unencrypted HTTP version of Google search was never blocked.

Abdolsamad Khoramabadi, the secretary of an official group tasked with detecting Internet content deemed illegal, had said in a message last week that “Google and Gmail will be filtered nationwide… until further notice.”

But Mohammad Reza Miri, a member of the telecommunications ministry committee tasked with filtering the Internet in Iran, was quoted on Monday by the Mehr news agency as saying the Gmail block was an “involuntary” consequence of trying to reinforce censorship of Google’s YouTube video-sharing site.

“Unfortunately, we do not yet have enough technical knowhow to differentiate between these two services. We wanted to block YouTube and Gmail was also blocked, which was involuntary,” he said.

“We absolutely do not want YouTube to be accessible. That is why the telecommunications ministry is seeking a solution to fix the problem to block YouTube under the HTTPS protocol while leaving Gmail accessible. That will soon happen.”

Iran has censored YouTube since mid-2009, after opposition demonstrators protesting the re-election victory of President Mahmoud Ahmadinejad in polls they believed rigged started posting videos online of their gatherings.

A Google website which monitors the amount of traffic for its services in each country shows YouTube has been effectively censored in Iran since then.

A member of Iran’s High Council on Cyberspace, which provides policy advice, Kamyar Saghafi, was quoted by Mehr last week suggesting that the action against Google services was “to boycott” the US company over an anti-Islam film available on YouTube that has sparked Muslim protests worldwide.

Iran has an estimated 34 million Internet users, and the restrictions on Gmail and Google search were met with criticism from some quarters.

Hossein Entezami, the representative of newspaper directors on Iran’s press monitoring commission, said they “showed decision-makers have little knowledge of society’s needs today, because you can’t just close a search engine and a form of communication for the people,” Mehr last week reported.

Iran is developing its own, closed version of the Internet for use in the country which it says will be clear of any content deemed un-Islamic. Officials have said that, at least initially, the Iran intranet will exist alongside the filtered Internet and not replace it.

Cisco Highlights Possible Exploit Vector Used in DarkLeech Web Server Attacks

Attackers are exploiting a vulnerability in a popular Web hosting control panel to gain remote access to Web servers, Cisco researchers said in an advisory.

The malicious script exploited the Horde/IMP Webmail vulnerability (CVE-2012-1557) in unpatched versions of the Parallels Plesk control panel software, Craig Williams, technical leader at Cisco Security, wrote on the company blog. The payload appears to include an IRC botnet client, Williams said.

Parallels Plesk Panel is a control panel popular with hosting providers for managing customer websites. Attackers are exploiting a vulnerability in it that was patched a year ago to gain access to the Web server and upload malicious Apache modules, Williams said. The exploit injects Perl code through the login page’s username field and bypasses authentication, he wrote.

“It is quite surprising how long old, well-known vulnerabilities continue to be exploited,” Williams said, noting that an updated patch for Parallels Plesk Panel had been released a year ago.

The script Williams analyzed could be part of the wave of attacks enterprises are currently dealing with; its infection vector and payload suggest researchers may have found one answer to how DarkLeech was getting onto Web servers. “These types of attacks could be one avenue used in the DarkLeech compromises,” Williams said.

Earlier this month, there were reports that Darkleech had infected around 20,000 Websites over a period of a few weeks. The figure was extrapolated from almost 2,000 Darkleech infections Cisco Security researchers had identified. Infected machines were gathered into a large botnet capable of spreading more malware and launching denial-of-service attacks.

The infection takes a fairly simple path. Attackers somehow gain root access to the Web server and install an sshd backdoor, which lets them remotely install malicious Apache modules, Cisco Security’s Mary Landesman said at the time. Once on the server, the malware dynamically injects iframes into Web pages as they are served to site visitors; the iframes redirect users to other sites or load malicious content to compromise them.
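One practical consequence of the in-flight injection Landesman describes is that the rogue iframe is present in the page as the server delivers it but absent from the HTML file on disk, so the two copies can be compared. The following detector is an added example written for this page, not Cisco’s tooling; the two HTML snippets and the iframe address in them are constructed, not captured traffic:

```python
"""Spot iframes present in a page as served but absent from the file on disk.

Added example for this page, not Cisco's code. A malicious Apache module that
rewrites responses in flight leaves the stored HTML untouched, so diffing
<iframe> sources between the two copies isolates the injected element. The
sample documents below are constructed.
"""
from html.parser import HTMLParser
from typing import List


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag.lower() != "iframe":
            return
        src = dict(attrs).get("src")
        if src is not None:
            self.srcs.append(src.strip())


def iframe_sources(html: str) -> List[str]:
    """Return every iframe src in `html`, in the order encountered."""
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    return parser.srcs


def injected_iframes(served_html: str, on_disk_html: str) -> List[str]:
    """Return iframe sources in the served page that the on-disk copy lacks.

    Sorted for stable output; an empty list means no injection of this kind
    was observed for this page.
    """
    baseline = set(iframe_sources(on_disk_html))
    return sorted(src for src in set(iframe_sources(served_html))
                  if src not in baseline)


# Constructed sample input: the page as stored on the web server, and the same
# page as returned over HTTP to a visitor. 198.51.100.23 is a documentation
# address (TEST-NET-2), not a real host.
ON_DISK = """<html><body>
<h1>Welcome</h1>
<iframe src="https://videos.example.com/embed/1" width="400"></iframe>
</body></html>"""

SERVED = """<html><body>
<h1>Welcome</h1>
<iframe src="https://videos.example.com/embed/1" width="400"></iframe>
<iframe src="http://198.51.100.23/q.php" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src in injected_iframes(SERVED, ON_DISK):
        print("injected iframe:", src)
```

In practice the served copy has to be fetched from outside the server, as a visitor would, because the same module can recognise administrators by source address or cookie and return clean pages to them; a comparison run from the compromised host itself can be lied to.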

How the attackers were gaining root (brute force, social engineering and exploiting software vulnerabilities are all possibilities) remained a mystery, Landesman said.

The active exploit of this year-old vulnerability serves as an important reminder that website operators and administrators must keep systems up-to-date, Williams said. This means not just the operating system, but every program and add-on for those programs also needs to be kept up-to-date, he added.

This is particularly relevant for servers run at a remote hosting provider, where the operator cannot inspect the machine from inside the local network.



The Controversial CISPA Is Back in Congress

Lawmakers today announced a new version of the controversial Cyber Intelligence Sharing and Protection Act (CISPA) will be introduced in a House committee this week. This CISPA, they claim, addresses concerns from privacy advocates who slammed the legislation for how users’ private data and browsing histories might be handled in the name of Internet security.

House Intelligence Committee Chairman Mike Rogers (R-Michigan) and Democrat U.S. Rep. C.A. “Dutch” Ruppersberger of Maryland told reporters today they will support at least some of the amendments to the bill when it heads to the committee this week for edits. CISPA last year passed the House but was blocked in the U.S. Senate; President Barack Obama also threatened to veto it based on privacy concerns.

“The improvements that we plan to make to the bill at the markup will address several of the administration’s concerns,” Rogers said in a Bloomberg article. “And we plan to keep talking and moving toward a consensus that will allow us to get the bill signed into law.”

The bill is designed to encourage the public and private sectors to share cyber threat data in real time by removing some of the legal hurdles. But opponents of CISPA still say the law doesn’t go far enough to protect citizens’ private data, including emails and financial records, from being misused by law enforcement and by private companies mining data for business intelligence and marketing purposes.

“Congress wants to appear as if it’s doing ‘something’ about Internet security,” wrote the Electronic Frontier Foundation’s Rainey Reitman in a Reddit thread. “But the truth is that the proposals they’re suggesting don’t address most of the major network security issues. From social engineering to two-step authentication, from the broken CA system to encrypting the Web, there are concrete and real issues around network security that can and should be addressed (though a lot of them aren’t legislative solutions). Instead of grappling with these issues, Congress is trying to push an information ‘sharing’ bill that would undermine existing privacy laws.”

Proposed changes to be debated this Wednesday include:

–Stripping identifiable data the government and particularly law enforcement collects from private companies

–Narrowing how law enforcement can use the information it receives

–Removing a broadly written provision that allowed agencies to share data for “national security purposes”

–Establishing there are no legal protections for companies that use shared data to launch a retaliatory strike

–Incorporating a new review process to monitor how data is handled

Rogers and Ruppersberger told reporters the tenor has changed in recent months with growing concern in the United States over cyberattacks believed to come from China. The Chinese, in turn, also claim to be victims of attacks primarily sourced in the United States.

The growing tension prompted Congress to tuck a new review process in a funding bill in February that on Monday drew criticism from a U.S.-Chinese business group claiming the process uses Internet security as a means to discriminate against Chinese technology manufacturers. The new law requires NASA, the U.S. Justice Department, Commerce Department and National Science Foundation to get approval from law enforcement officials prior to buying IT systems “produced, manufactured or assembled by one or more entities that are owned, directed or subsidized” by China.

“Product security is a function of how a product is made, used, and maintained, rather than by whom or where it is made. Imposing a country-specific risk assessment creates a false sense of security if the goal is to improve our nation’s cybersecurity,” U.S.-China Business Council President John Frisbie said in a letter quoted in a Reuters report today.

US-CERT finding leads to concerns across a broad array of industries, including the military and hospitals.


CSO - A previously unreported attack on the energy management system of a New Jersey manufacturer has been revealed by the United States Computer Emergency Readiness Team (US-CERT).

Intruders exploited a credential storage vulnerability in the manufacturer’s Tridium energy management software, a Honeywell product, and identified all the company’s Internet-facing devices, the agency reported in the latest edition of its quarterly ICS-CERT Monitor.

The New Jersey incident occurred around the same time that an intruder exploited the Tridium software at a state government facility and changed the system’s temperature settings.

Even simple temperature controls can be a weapon in a hacker’s hands, said Terry McCorkle, technical director for Cylance.

Data centers have air conditioning running 24/7. If the air conditioning system goes down, the data center will quickly follow suit. “The average time from the air conditioning system going down to the data center going down is five minutes,” he told CSO.

McCorkle and Cylance colleague Billy Rios discovered the credential storage vulnerability before the incidents last year, but Tridium didn’t issue a security patch and recommended steps to mitigate the situation until August 2012.

“Tridium takes cybersecurity issues very seriously,” a company representative said in an email. “The issues outlined in the ICS-CERT story were resolved last year in cooperation with ICS-CERT and the researchers involved. We continue to evaluate and improve the security of our products.”

However, McCorkle noted that the vulnerabilities fixed by Tridium were just the tip of the iceberg. “There are a lot of vulnerabilities in the product,” he said.

“I know they’re working on them,” he said of Tridium, “but not everything has been publicly released yet.”

The vulnerabilities in the software raise concerns across a broad array of industries. For example, it’s used widely by the military and hospitals to control electronic door locks, lighting systems, elevators, electricity and boiler systems, video surveillance cameras, alarms and other critical building facilities.

“It’s a brilliant piece of software,” McCorkle observed. “It solves a huge need for the industry. It’s just that the software security practices aren’t very good.”

“Now they are looking at security,” he said. “It’s definitely on their radar. But there are some inherent flaws in how they designed it originally that’s going to be very difficult for them to address.”

As industries move more and more control of their real world systems to the Internet, problems like those found with the Tridium software will multiply, said Torsten George, a marketing vice president with Agiliance.

“In today’s world we’re thriving to connect everything with each other and use the Internet as a remote access tool to manage everything,” he told CSO.

“On the one hand, it offers great benefits to the end users,” he continued. “But on the other hand, it really puts our infrastructure at major risk. We’re seeing that across the board.”

That’s why he predicts that over the next two years companies will take a harder look at a system before they turn the key on it. “Buyers will begin to insist on an independent test of a system prior to procuring the system,” he said.

Companies experience a malware event on their systems every three minutes

Attackers are increasingly using advanced detection-evasion techniques to get past traditional defenses, FireEye says

IDG News Service - Organizations face malware-related events that bypass traditional defense technologies on their networks every three minutes, according to a new report released Wednesday by security vendor FireEye.

“This activity can include the receipt of a malicious email, a user clicking a link on an infected website, or an infected machine making a callback to a command and control server,” the company said in its report.

The conclusion is based on data gathered during the second half of 2012 by several thousand FireEye security appliances installed on corporate networks around the world, the company said. These appliances are normally deployed behind network firewalls, intrusion prevention systems and other gateway security products, allowing them to see malicious activity that successfully bypassed those primary defenses, FireEye said.

Malware writers are increasingly focusing on developing methods to evade detection, the FireEye researchers said in the report. One example is malware that lies dormant until it detects human interaction with the target system, such as mouse clicks.

This method is used to bypass automated analysis systems, known as sandboxes, which security products use to safely execute and observe the behavior of suspicious files. Because they are automated, these systems do not generate mouse input, the FireEye researchers said.

Another growing trend is that of malware files that are signed with stolen or forged digital certificates. Many security technologies trust digitally signed files and don’t scan them, the FireEye researchers said.

The creators of advanced malware — so-called advanced persistent threats (APTs) — are increasingly distributing their malicious payloads as dynamic link libraries (DLLs) that can be sideloaded via legitimate programs. This is an attempt to bypass traditional defense mechanisms that focus on detecting and analyzing .exe files.

APTs are mostly distributed through spear-phishing emails that carry malicious attachments or include links to exploit-serving websites. Malicious attachments and Web-based exploits are used as infection methods on a regular basis, but certain events can lead to spikes in their usage.

For example, if a new exploit for Adobe Reader is found, organizations will see a spike in emails carrying malicious PDF attachments. Similarly, if a browser-based exploit is discovered, there will be a spike in emails carrying malicious links, FireEye said.

The data analyzed by FireEye, which covers 89 million malicious events, showed that technology companies are the most frequently attacked organizations. “Due to a high concentration of intellectual property, technology firms are hit with an intense barrage of malware campaigns, nearly double compared to the next closest vertical,” the company said. The telecommunications, logistics and transportation, manufacturing and financial services sectors complete the top five most targeted verticals.

Top Three Selection Criteria for Anti-DDoS Vendors

Many companies claim to provide DDoS protection. However, there are vast differences between vendors’ technology capabilities and level of security protection. How can you evaluate which is best for your customer’s business? Join this webinar to gain an understanding of and get actionable insight for three often-overlooked but critical requirements for anti-DDoS vendor selection:

  1. Threat Coverage – key threats check list a DDoS solution should handle (SSL, low and slow, application level, etc.)
  2. Security Architecture – where is the right place to protect from the key threats? (perimeter, ISP, Cloud, CDN etc.) What is the most effective and efficient security architecture you should look for and why?
  3. “Under Attack” Support – what happens when under attack? What are the recommended procedures and type of service you should expect.
Webcast Details
Date: Wednesday, April 24, 2013
Time: 11:00 AM IL
Event password: 123456
Ronen Kenig
Director, Security Product Marketing


No Organization Is Ready for BYOD

The Risks Are Not Worth the Reward

Android is cool, iPhone is cutting-edge and carrying a tablet is convenient. What’s not so cool, cutting-edge or convenient, however, are data breaches, which as everyone already knows lead to millions of dollars in damages year after year. The odd thing about data breaches, though, is that despite the fact that enterprises, SMBs and government agencies are more aware of them, they continue to allow the use of BYOD technologies, which increase the likelihood of a breach occurring. Although no one has come up with a “Moore’s Law” type of equation that demonstrates how data breach risk increases in direct correlation to BYOD, the evidence is clear that it does increase.

How do we know BYOD adoption increases the risk of a breach? Great question. There is an unending chain of headlines, reports and opinions indicating that it does, many based on factual research and on incidents that have occurred. A few of the more recent studies on the topic revealed that nearly half of the organizations allowing employees to connect to their corporate networks via BYOD have experienced a related breach — staggering when you consider the number of breaches that occurred before BYOD hit the market.

Despite the overwhelming risk that BYOD brings, prevailing winds suggest that organizations are convinced they must allow employees to use their own devices to conduct business communications and access data. Whether or not this trend represents a triumph of BYOD providers’ marketing genius or signals that businesses have lost control of the ability to establish basic security rules remains to be determined, although it is probably a combination of both.

Regardless of where an organization stands on the BYOD issue, there are a few basic facts it needs to consider before adoption:

• BYOD has created increased risk exposure that no organization is prepared to handle

• Visibility and monitoring are security essentials that BYOD and MDM can’t provide

• Security-aware organizations do not have to allow BYOD

• You don’t have to trade the promise of sales and productivity for decreased security

Let’s explore these notions further.

BYOD has created increased risk exposure that no organization is prepared to handle

There simply is no way to deal with the risk that BYOD brings. Between Android and iOS alone, there are millions of apps readily available for download, countless numbers of which open doors in BYOD devices that hackers and cybercriminals can easily stroll through. Even iOS, long believed to be highly secure, is proving to be vulnerable. As recently as December 2012, researcher Carlos Reventlov identified a vulnerability in Instagram’s iPhone application that exposed its users to a man-in-the-middle attack.

Visibility and monitoring are security essentials that BYOD and MDM can’t provide

When it comes to data security, visibility and monitoring are essentials. When it comes to BYOD, even the most advanced MDM solutions cannot provide a comprehensive, granular picture of how employees are accessing and sharing corporate data. Organizations that don’t have visibility into employee activities have no way to determine how, when and where their information is being exposed.

Security-aware organizations do not have to allow BYOD

Any organization that is serious about security does not have to allow BYOD. Most enterprise-class organizations have sophisticated physical security systems that include state-of-the-art surveillance cameras, pin-pad door locks, and ID and access cards. None would allow employees to remove surveillance cameras and replace them with their own, install their own pin-pad locks or issue their own ID cards. In these cases, Bring Your Own Security simply would not work and would never be allowed. The same can be said of BYOD: in the name of security, organizations do not have to allow it.

You don’t have to trade the promise of sales and productivity for decreased security

There is an age-old adage in business: “Nothing happens until somebody sells something.” When it comes to BYOD, organizations need to take a hard look at whether or not the security trade-offs are actually worth the assumed productivity and sales rewards. Organizations that dive deep into this issue will probably discover that sales reps using corporate-issued devices are closing as many deals as those using BYOD, that they can respond to emails as fast on a BlackBerry as on an iPhone, and that they can access business applications just as efficiently.

At this point in the evolution of consumerized mobile devices and smartphones, security is simply too far behind the curve and cannot provide any real defense against data breaches, data theft and compliance violations. Corporate-issued and controlled devices are able to provide not only security but also the functionality needed to enable secure business communications and access to data and applications. There is simply no reason for an organization committed to security, productivity and sales to take on the risks inherent in BYOD.