Host card emulation enables NFC without a secure element

Many agree that NFC technology has yet to realize its full potential in the consumer marketplace, but a new piece of Android software could turn the tide and make way for a renewed NFC landscape. The forthcoming Android 4.4 release, better known as KitKat, ships to Android devices everywhere with a technology called host-card emulation (HCE). HCE is an alternative to the secure-element-based card emulation that already exists in a number of NFC-enabled Android devices. In that model the emulated card lives in a separate, tamper-resistant chip called the secure element, most commonly a SIM (UICC) issued by the wireless carrier, sometimes a chip embedded in the handset. An Android application provisions the card into the secure element; when the user holds the device over an NFC terminal, the NFC controller routes every command from the reader straight to the secure element, and the host operating system never sees the transaction. With host-card emulation no secure element is involved at all. The NFC controller instead routes the reader's commands, selected by application identifier (AID), to an Android app, which emulates the card in software and answers the reader directly. That removes the dependency on the carrier's SIM and opens card emulation to any developer, but it also means the card's keys and state now sit in ordinary application memory, protected only by the operating system rather than by tamper-resistant hardware. “It is a technology built into a device’s operating system that enables a mobile device to emulate a payment or other card, allowing users to make NFC mobile payments and other proximity transactions,” explains Martin Cox, global head of Sales at Bell ID. – Source secureidnews – 2014
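To make the host-side model concrete, here is an added example (not code from the article, from Android or from Bell ID) that models in Python what an HCE app does when the NFC controller hands it a reader command. It mirrors the shape of Android's `HostApduService.processCommandApdu()`: a command APDU comes in as bytes, a response APDU goes back. The AID, the proprietary `80 CA` instruction and the card data are assumptions constructed for the demo; the SELECT command and the status words are the standard ISO/IEC 7816-4 ones.

```python
"""Host card emulation, modelled in Python.

Added example, not code from the article, from Android or from Bell ID. It mirrors
the shape of Android's HostApduService.processCommandApdu(): the reader's command
APDU arrives as bytes and the app returns a response APDU. Everything here runs in
ordinary application memory, which is both the point of HCE and its risk: no secure
element holds the keys or card state.
"""

# ISO/IEC 7816-4 status words
SW_OK = b"\x90\x00"
SW_FILE_NOT_FOUND = b"\x6a\x82"
SW_CONDITIONS_NOT_SATISFIED = b"\x69\x85"
SW_WRONG_LENGTH = b"\x67\x00"
SW_INS_NOT_SUPPORTED = b"\x6d\x00"

# Hypothetical AID for the emulated application (assumption, not a registered AID).
DEMO_AID = bytes.fromhex("F0010203040506")

# Constructed card data; in secure-element emulation this would never leave the SE.
CARD_DATA = {"pan_token": b"4111********1111"}


def parse_apdu(apdu: bytes):
    """Split a short command APDU into (CLA, INS, P1, P2, data), or None if malformed.

    Handles case 1 (header only) and cases 3/4 (Lc, data, optional one-byte Le).
    """
    if len(apdu) < 4:
        return None
    cla, ins, p1, p2 = apdu[:4]
    body = apdu[4:]
    if not body:
        return cla, ins, p1, p2, b""
    lc = body[0]
    data = body[1:1 + lc]
    if len(data) != lc or len(body) - 1 - lc > 1:
        return None
    return cla, ins, p1, p2, data


class DemoCardService:
    """Stand-in for a HostApduService subclass; one instance per NFC session."""

    def __init__(self):
        self.selected = False

    def process_command_apdu(self, apdu: bytes) -> bytes:
        parsed = parse_apdu(apdu)
        if parsed is None:
            return SW_WRONG_LENGTH
        cla, ins, p1, p2, data = parsed

        # SELECT by DF name (AID): CLA=00 INS=A4 P1=04. The NFC controller only
        # delivers this to us because our AID is registered in its routing table.
        if cla == 0x00 and ins == 0xA4 and p1 == 0x04:
            if data == DEMO_AID:
                self.selected = True
                # Minimal FCI: tag 6F wrapping the DF name (tag 84)
                df_name = b"\x84" + bytes([len(DEMO_AID)]) + DEMO_AID
                return b"\x6f" + bytes([len(df_name)]) + df_name + SW_OK
            self.selected = False
            return SW_FILE_NOT_FOUND

        # Hypothetical proprietary GET DATA (CLA=80 INS=CA) returning the token.
        if cla == 0x80 and ins == 0xCA:
            if not self.selected:
                return SW_CONDITIONS_NOT_SATISFIED
            return CARD_DATA["pan_token"] + SW_OK

        return SW_INS_NOT_SUPPORTED

    def on_deactivated(self):
        """Mirror of onDeactivated(): link lost or another AID selected."""
        self.selected = False
```

The practitioner's takeaway is in `CARD_DATA`: whatever the emulated card needs to answer the reader must be available to this process, so on a rooted or compromised device it is available to an attacker too. Real HCE payment apps mitigate this with short-lived tokens pushed from a server rather than long-lived card keys on the handset.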

Identity and access management policy for the 21st century

Gone are the days when securing sensitive business information meant locking documents in the company filing cabinet. Modern organizations are rapidly recognizing that even user names and passwords aren’t enough to limit access to networks and applications. Businesses and government agencies are struggling to work out the best way to adapt to these changes and redefine their Identity and Access Management (IAM) policies. As mobile devices and cloud-based access gain momentum, organizations have to rethink these policies for employees who need to reach business networks and apps from anywhere, and they need policies for consumer and vendor access as well. – Source secureidnews – 2014

OpenID Connect enables online identity

Identity standards aren’t sexy. Biometrics, encryption apps and high-assurance authentication systems get most of the attention, but the standards that let those technologies work together across the Internet are a necessity. OpenID is one of these underlying technologies, and the latest version of the standard, OpenID Connect, has been ratified as an official standard by the members of the OpenID Foundation. OpenID Connect is a thin identity layer on top of the OAuth 2.0 authorization framework: the identity provider issues a signed ID token (a JSON Web Token) that tells the relying party who authenticated, when and for which client. Internet and mobile companies have implemented OpenID Connect worldwide, including Google, Microsoft, Deutsche Telekom, Salesforce, Ping Identity, Nomura Research Institute, mobile network operators, and other companies and organizations. The standard will be built into commercial products and implemented in open-source libraries for global deployment. The team that created OpenID Connect is composed of rivals: Google, Microsoft and others, all competitors, working to solve the digital identity problem, says Don Thibeau, executive director of the OpenID Foundation. The mobile operators are also on board, with the GSMA and its 650 mobile network operators endorsing OpenID Connect. – Source secureidnews – 2014.
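The security of an OpenID Connect login rests on what the relying party checks before it trusts the ID token. The added example below (not code from the article or from any of the vendors named) shows those checks in Python: signature, `alg`, `iss`, `aud`/`azp`, `exp` and `nonce`. To run offline it signs with HS256 and a constructed client secret, which OpenID Connect permits; most providers sign with RS256 and publish their keys at `jwks_uri`, in which case the HMAC comparison is replaced by an RSA signature check against that key set. The issuer, client id, nonce and secret values are all constructed.

```python
"""Validating an OpenID Connect ID token.

Added example, not code from the article or from any provider named in it. The
ID token is a JWT; a relying party must verify the signature and then the
iss/aud/exp/nonce claims before trusting the identity it carries. HS256 with a
constructed client secret is used so the example runs stand-alone; production
deployments usually verify RS256 against the provider's jwks_uri instead.
"""
import base64
import hashlib
import hmac
import json
import time


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


class IdTokenError(Exception):
    pass


def verify_id_token(token, client_secret, issuer, client_id, expected_nonce, now=None):
    """Return the claims if the token is acceptable, otherwise raise IdTokenError."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(p_b64))
        sig = _b64url_decode(s_b64)
    except ValueError as exc:
        raise IdTokenError(f"malformed token: {exc}")

    # 1. The relying party decides the algorithm; never let the token choose
    #    (rejects "none" and algorithm-confusion tokens outright).
    if header.get("alg") != "HS256":
        raise IdTokenError("unexpected alg")
    expected = hmac.new(client_secret, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise IdTokenError("bad signature")

    # 2. Issuer must match the provider we discovered, byte for byte.
    if claims.get("iss") != issuer:
        raise IdTokenError("wrong issuer")
    # 3. aud may be a string or a list; our client_id must be present, and with
    #    several audiences azp must name us.
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:
        raise IdTokenError("token not intended for this client")
    if len(aud_list) > 1 and claims.get("azp") != client_id:
        raise IdTokenError("multiple audiences without matching azp")
    # 4. Not expired; allow a minute of clock skew.
    if not isinstance(claims.get("exp"), int) or now > claims["exp"] + 60:
        raise IdTokenError("token expired")
    # 5. The nonce ties this token to the authentication request we sent.
    if claims.get("nonce") != expected_nonce:
        raise IdTokenError("nonce mismatch (possible replay)")
    return claims


def id_token_is_valid(token, client_secret, issuer, client_id, expected_nonce, now=None) -> bool:
    """Boolean convenience wrapper around verify_id_token()."""
    try:
        verify_id_token(token, client_secret, issuer, client_id, expected_nonce, now)
        return True
    except IdTokenError:
        return False


def mint_id_token(client_secret: bytes, claims: dict, alg: str = "HS256") -> str:
    """Build a token the way a provider would (constructed, for the demo only)."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{payload}."  # unsigned token, must be rejected
    sig = hmac.new(client_secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"
```

Each check corresponds to a real class of relying-party bug: skipping `aud` lets a token issued to one app log a user into another, skipping `nonce` permits replay of a captured token, and trusting the header's `alg` is how `"none"` and key-confusion attacks get in.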

Heartbleed bug creates confusion on internet

Heartbleed (CVE-2014-0160) is a vulnerability in OpenSSL, the TLS library installed on roughly two-thirds of the active web servers connected to the internet. It affects OpenSSL 1.0.1 through 1.0.1f and is fixed in 1.0.1g.

This week it emerged that a major security flaw at the heart of the internet may have been exposing users’ personal information and passwords to attackers for the past two years.

It is not known how widely the bug has been exploited, if at all, but what is clear is that it is one of the biggest security issues the internet has faced to date.

Security experts warn there is little Internet users can do to protect themselves from Heartbleed until affected websites upgrade their OpenSSL, replace the private keys and certificates that may have leaked, and invalidate existing sessions. Changing a password before a site has done all of that only hands the new password to the same bug.

Researchers have observed sophisticated hacking groups running automated Internet-wide scans for web servers running vulnerable OpenSSL versions. The flaw is a missing bounds check in OpenSSL’s handling of the TLS heartbeat extension: a client can claim a heartbeat payload far larger than the one it actually sent, and the server echoes back up to 64 KB of whatever sits in its memory next to the request, which can include private keys, session cookies, passwords, confidential communications and credit card numbers.

OpenSSL is used on about two-thirds of all web servers, and the issue went undetected for about two years.
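The mechanism is easiest to see side by side. The added example below (not OpenSSL’s code, and not from the article) models the heartbeat record and the server’s copy in Python: `fixed=False` trusts the client’s claimed payload length, as OpenSSL 1.0.1f did; `fixed=True` applies the 1.0.1g check that the claimed length plus header and minimum padding must fit inside the record actually received. The `memory` bytearray and the “secret” placed next to the record are constructed stand-ins for the process heap.

```python
"""The Heartbleed defect, modelled in Python.

Added example, not OpenSSL's code. A TLS heartbeat message is one byte of type,
a two-byte payload length, the payload, and at least 16 bytes of padding. The
vulnerable code trusted the sender's payload length and copied that many bytes
from memory into the reply; the fix checks the claimed length against the bytes
actually received. "memory" is a constructed bytearray standing for the heap
around the received record.
"""
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16


def build_heartbeat(payload: bytes, claimed_length=None) -> bytes:
    """Build a heartbeat request; claimed_length lets a client lie about the payload size."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def heartbeat_reply(memory: bytearray, offset: int, record_length: int, fixed: bool):
    """Process the heartbeat record at memory[offset:offset+record_length].

    Returns the response bytes, or None when the record is discarded. With
    fixed=True the 1.0.1g length checks are applied before anything is copied.
    """
    record = bytes(memory[offset:offset + record_length])
    if len(record) < 3:
        return None  # not even a type and length; nothing to parse
    hb_type, payload_len = struct.unpack("!BH", record[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    if fixed:
        # 1.0.1g: discard if the record cannot hold header plus minimum padding,
        # or if the claimed payload plus header and padding exceed the record.
        if record_length < 1 + 2 + MIN_PADDING:
            return None
        if 1 + 2 + payload_len + MIN_PADDING > record_length:
            return None
    # The copy (memcpy(bp, pl, payload) in OpenSSL). With fixed=False and a
    # lying client this reads past the record into neighbouring memory.
    start = offset + 3
    payload = bytes(memory[start:start + payload_len])
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + payload + b"\x00" * MIN_PADDING


def demo():
    """Place a 4-byte payload claiming 64 bytes next to constructed secret data."""
    secret = b"SESSIONKEY=deadbeefcafef00d; "  # constructed neighbouring heap data
    request = build_heartbeat(b"ping", claimed_length=64)
    memory = bytearray(b"\x00" * 8 + request + secret + b"\x00" * 64)
    offset, length = 8, len(request)
    leaked = heartbeat_reply(memory, offset, length, fixed=False)   # contains the secret
    safe = heartbeat_reply(memory, offset, length, fixed=True)      # None: record discarded
    return leaked, safe
```

Run `demo()` and the vulnerable reply carries the constructed session key that was never part of the request, while the fixed path silently drops the malformed record, which is also why the patched server sends nothing back rather than an error.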

Samsung Galaxy S5 Fingerprint Scanner Hacked

The Samsung Galaxy S5 hasn’t been on sale for a week, and already a German security firm has hacked its fingerprint reader. The Berlin-based firm SRLabs used the exact same trick that defeated the iPhone 5S’s fingerprint reader.

The hack needs only a cameraphone photo of the S5 owner’s fingerprint, a printer and a type of liquid rubber. SRLabs’ researchers inverted the photo’s colours, then printed it with a thick toner setting so that the fingerprint’s ridges appeared as raised black lines.

The researchers then covered the printout with a fast-drying liquid rubber, such as pink latex milk or white wood glue, which took the form of the original fingerprint as it dried. They positioned the mold on their own finger and used it to unlock the S5.

This is the same technique that the German hacking group Chaos Computer Club used last September against the iPhone 5S, also less than a week after that phone first went on sale.

The Galaxy S5 doesn’t limit the number of fingerprint attempts, so a would-be attacker can repeat the fairly gentle process of making a mold and trying it as many times as needed. By contrast, Apple’s Touch ID falls back to the passcode after five failed attempts, which at least caps the trial and error.

Microsoft warns of Internet Explorer flaw

Microsoft has warned consumers that a vulnerability in its Internet Explorer browser (CVE-2014-1776) could let an attacker run code on a victim’s computer with the same rights as the logged-in user.

The flaw affects Internet Explorer versions 6 to 11, and Microsoft said it was aware of “limited, targeted attacks” exploiting it.

According to NetMarketShare, those IE versions account for more than 50% of the global browser market.

Microsoft says it is investigating the flaw and will take “appropriate” steps.

The firm, which issued Security Advisory 2963983 over the weekend, said the steps “may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs”.

The US government’s Computer Emergency Readiness Team (US-CERT) recommended that computer users consider using an alternative web browser until a security fix is released.

“If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system”

XP impact

The issue is of special concern to people still using the Windows XP operating system, because Microsoft ended official support for that system on 8 April, earlier this month.

It means there will be no more official security updates and bug fixes for XP.

Cyber security firm Symantec said it had carried out tests which confirmed that “the vulnerability crashes Internet Explorer on Windows XP”.

About 30% of all desktops are thought to still run Windows XP, and analysts have previously warned that those users would be exposed to attacks that will never be patched.

Microsoft recommends that businesses and consumers still using XP upgrade to a supported operating system.

Amazon single sign-on service for Web sites and apps

Amazon announced a small but significant change to its “Login with Amazon” service, which currently offers an alternative way to sign up for and authenticate with mobile applications on both Android and iOS. Starting today, Amazon Appstore developers using the service in apps built for Kindle Fire will no longer need to ask customers to sign into their apps by entering Amazon account credentials such as an email address and password.

Instead, the first time one of these apps runs, the user only has to agree, once, to share their Amazon account information with the application. From then on, every time the user launches the app, they are logged in automatically with the account registered to their Kindle Fire device.

Signing up and logging into apps, though a seemingly modest step, is in practice a stopping point for many mobile consumers, who download an app out of curiosity and want only to take a look. When they launch it they are met with a login box asking them, at best, to create an account with their email or Facebook login and, at worst, to step through a form demanding several pieces of personal information such as a full name, phone number or even a birthdate.

In other words, developers have a very short window to make a good first impression, and requiring an immediate sign-up is not always the best option.

Vulnerabilities in VIBER and fixes

Viber, a messaging and VoIP application similar to WhatsApp, is in the middle of patching a vulnerability that could allow an attacker to view sensitive information shared between users, such as images, videos and location information.

The problem is that media transferred through Viber travels over plain HTTP, is stored unencrypted on its servers, and can be retrieved without any authentication: anyone holding the URL can fetch the file.

Researchers from the University of New Haven’s Cyber Forensics Research and Education Group (UNHcFREG) publicized the vulnerability this week after reportedly failing to hear back from the company when they notified it. Viber acknowledged this week that it is in the middle of committing fixes for the vulnerability in both its Android and Apple apps.

The vulnerability means that whenever a user sends another user an image, video, location image or doodle (drawings specific to Viber), it can be sniffed by an attacker who can see the traffic. Text messages on the app, meanwhile, appear to be encrypted.

In their description of the vulnerability, Ibrahim Baggili, an Assistant Professor of Computer Science at UNH, and Jason Moore, a graduate research assistant at the university, point out that not only is the data on Viber’s Amazon servers unencrypted, it is also not deleted promptly and can be accessed without authentication.

The researchers conducted their test by capturing mobile traffic with Windows 7’s virtual WiFi miniport adapter. With the host computer connected to the internet over Ethernet and sharing that connection through the virtual adapter, the laptop becomes an access point that the phone joins, putting the researchers on the path of all of its traffic. They then captured and analyzed that traffic with NetworkMiner, Wireshark and NetWitness.

Since the information is unencrypted, it could just as easily be gleaned through a rogue access point or any other man-in-the-middle position.

The researchers found that simply visiting the intercepted link in a web browser gave complete access to the data; no session token or login was required.
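Once a capture like the one described above is in hand, the question is which fetched objects are exposed in the way the researchers describe: plaintext transport, a media object, and nothing on the request that would stop a third party from repeating it. The added example below (not code from the UNHcFREG write-up or from Viber) does that triage in Python over the kind of text Wireshark’s “Follow TCP Stream” produces. The hosts, paths, user agent and tokens in the embedded capture are constructed for the demo.

```python
"""Triage of a plaintext HTTP capture for media fetched without credentials.

Added example, not from the UNHcFREG write-up or Viber. It takes a text dump of
a client's HTTP/1.x requests, as exported from Wireshark, and flags the ones
anyone who sees the traffic could replay: plaintext HTTP, a media-looking path,
and no credential of any kind on the request. All values in CAPTURE are
constructed.
"""
import re
from urllib.parse import urlsplit

MEDIA_EXT = re.compile(r"\.(jpe?g|png|gif|mp4|mov|3gp|webm)$", re.IGNORECASE)
CREDENTIAL_HEADERS = {"authorization", "cookie", "x-api-key"}
REQUEST_LINE = re.compile(r"^(GET|POST|PUT|HEAD|CONNECT)\s+(\S+)\s+HTTP/1\.[01]$")


def parse_requests(stream: str):
    """Yield (method, target, headers) for each HTTP/1.x request in a stream dump."""
    for block in re.split(r"\r?\n\r?\n", stream.strip()):
        lines = block.splitlines()
        if not lines:
            continue
        m = REQUEST_LINE.match(lines[0].strip())
        if not m:
            continue  # response, body or noise; only client requests matter here
        headers = {}
        for line in lines[1:]:
            if ":" in line:
                name, value = line.split(":", 1)
                headers[name.strip().lower()] = value.strip()
        yield m.group(1), m.group(2), headers


def find_exposed_media(stream: str):
    """Return plaintext media URLs that were fetched with no credential attached."""
    exposed = []
    for method, target, headers in parse_requests(stream):
        if method == "CONNECT":
            continue  # TLS tunnel: an on-path observer sees only the host name
        host = headers.get("host", "")
        url = target if target.startswith("http") else f"http://{host}{target}"
        parts = urlsplit(url)
        if not MEDIA_EXT.search(parts.path):
            continue
        # A bearer token in the query string is still visible in plaintext, but it
        # does mean the server demanded something; we report only the fetches
        # that demanded nothing at all.
        credentialed = any(h in headers for h in CREDENTIAL_HEADERS) or "token=" in parts.query
        if method in ("GET", "HEAD") and not credentialed:
            exposed.append(url)
    return exposed


# Constructed stream dump in the style of Wireshark "Follow TCP Stream" output.
CAPTURE = """\
GET /share/img/7f3a9c.jpg HTTP/1.1
Host: media-cdn.example.net
User-Agent: ConstructedMessenger/4.2 (Android)
Accept: */*

GET /share/vid/b2c4e1.mp4?token=constructed-signed-token HTTP/1.1
Host: media-cdn.example.net
User-Agent: ConstructedMessenger/4.2 (Android)

CONNECT api.example.net:443 HTTP/1.1
Host: api.example.net:443

GET /v1/profile HTTP/1.1
Host: api.example.net
Authorization: Bearer constructed-session-token
"""
```

Against the constructed capture only the first request is reported: it is the one a bystander could paste into a browser, which is exactly what the researchers did. The second is still a plaintext leak worth noting separately, since the signed token travels in the clear, and the last two are either tunnelled or carry a bearer credential.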

“Anyone, including the service providers will be able to collect this information,” the group warned Tuesday, “Anyone that sets up a rogue AP, or any man-in-the-middle attacks such as ARP poisoning will be able to capture this unencrypted traffic and view the images and videos received as well as the locations being sent or received by a phone.”

Viber begins fixing image-encryption vulnerability

The Android version of the messaging app no longer sends images and videos without encryption protection, and an iOS fix has been submitted, the company says.

Viber has added encryption measures to its messaging app for Android and iOS so that network eavesdroppers no longer can see or tamper with unprotected images, video, and messages about a user’s location.

The new Android version 4.3.1.21, released Tuesday, includes “enhancements to the way Viber handles photo, video and location messages,” according to the Viber page on the Google Play app store. The iOS version of Viber remains unchanged since its April 23 release, but Viber last week said it’s preparing a fix. On Wednesday, the company said the fix has been submitted to Apple.

Because images and videos were sent unencrypted by the earlier version of Viber, a user’s private messages weren’t actually private: anyone with control over the network Viber was using could see and even modify them.

Request for Comments (RFC)

A Request for Comments (RFC) is a formal document from the Internet Engineering Task Force (IETF) that is the result of committee drafting and subsequent review by interested parties. Some RFCs are informational in nature. For those intended to become Internet standards, the final version of the RFC becomes the standard, and once published an RFC is never modified. Change happens instead through later RFCs that update or obsolete all or parts of earlier ones.

An RFC is authored by engineers and computer scientists as a memorandum describing methods, behaviors, research or innovations applicable to the working of the Internet and Internet-connected systems. It is submitted either for peer review or simply to convey new concepts. The IETF adopts some of the proposals published as RFCs as Internet standards.

RFCs were first used during the development of the ARPANET protocols that grew into today’s Internet, and they continue to be published as the technology underlying the Internet evolves.

A formal Internet standard is created when an RFC goes through drafting and review until the final version is ratified, after which no further changes are allowed. Other RFCs are never ratified and instead keep an “informational” or “experimental” status. The series predates this process entirely: the original File Transfer Protocol, for example, was published as RFC 114 in April 1971.