Identity and access management policy for the 21st century
Gone are the days when securing sensitive business information meant locking up documents in the company filing cabinet. Modern organizations are rapidly recognizing that even user names and passwords aren’t enough to limit access to networks and applications. Businesses and government agencies are struggling to figure out the best way to adapt to these changes and redefine their Identity and Access Management (IAM) policies. As mobile devices and cloud-based access gain momentum, organizations have to rethink these policies for employees who need to access business networks and apps. Additionally, they need policies for consumer and vendor access as well. – Source: secureidnews, 2014

Samsung Galaxy S5 Fingerprint Scanner Hacked

The Samsung Galaxy S5 hadn’t been on sale for a week before a German security firm hacked its fingerprint reader. The Berlin-based firm “SRLabs” employed the exact same trick used to hack the iPhone 5S’s own fingerprint reader.

The hack only needs a cameraphone photo of the S5 owner’s fingerprint, a printer, and a type of liquid rubber. SRLabs’ researchers merely inverted the photo’s colors, then printed it using a thick toner setting, so that the fingerprint’s indentations appeared as thick black lines.

The researchers then covered the printout with a type of fast-drying liquid rubber, such as pink latex milk or white wood glue, which took the form of the original fingerprint as it dried. The hackers then positioned the mold on their own finger and used it to successfully unlock the S5.

This is the same technique that German hacking group Chaos Computer Club used last September to hack the iPhone 5S, also less than a week after the phone first went on sale.

The Galaxy S5 doesn’t limit the number of times a person can try to enter a fingerprint, meaning any would-be attacker can repeat the fairly simple process of creating a fingerprint mold and trying it out as many times as needed.

Microsoft warns of Internet Explorer flaw

Microsoft has warned consumers that a vulnerability in the Internet Explorer browser could let attackers gain elevated access and user rights on their computers.

The flaw affects Internet Explorer versions 6 to 11, and Microsoft said it was aware of “limited, targeted attacks” exploiting it.

According to NetMarketShare, the affected IE versions account for more than 50% of the global browser market.

Microsoft says it is investigating the flaw and will take “appropriate” steps.

The firm, which issued a security advisory over the weekend, said the steps “may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs”.

The US government recommended that computer users consider using alternative web browsers until a security fix is released.

“If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system.”

XP impact

However, the issue may be of particular concern to people still using the Windows XP operating system, because Microsoft ended official support for that system earlier this month.

It means there will be no more official security updates and bug fixes for XP.

Cyber security firm Symantec said it had carried out tests which confirmed that “the vulnerability crashes Internet Explorer on Windows XP”.

About 30% of all desktops are thought to be still running Windows XP, and analysts have previously warned that those users would be vulnerable to cyber-attacks.

Microsoft has recommended that businesses and consumers still using XP upgrade to a newer operating system.

Amazon single sign-on service for Web sites and apps

Amazon announced a small but significant change to its “Login with Amazon” service, which currently offers an alternative method to sign up for and authenticate with mobile applications on both the Android and iOS platforms. Starting today, Amazon Appstore developers taking advantage of this feature in apps designed for Kindle Fire will no longer need to ask their customers to sign into apps by entering their Amazon account information, such as their email and password.

Instead, the first time these apps are run, users will only need to agree to share their Amazon account information with the application that one time. From then on, every time the user launches the app, they’ll be automatically logged in using the same account registered to their Kindle Fire device.

Signing up and logging into apps, though a seemingly modest process, is actually a stopping point for many mobile consumers, who initially download an app out of curiosity, wanting only to take a look. But when they launch the application, they’re met with a login box asking them, at best, to create an account using their email or Facebook login info, and, at worst, stepping them through a form that requires several pieces of personal information, like a full name, phone number or even a birthdate.

In other words, developers have a very short window to make a good first impression, and requiring an immediate sign-up is not always the best option.

Vulnerabilities in VIBER and fixes

Viber, a messaging and VoIP application similar to WhatsApp, is in the middle of patching a vulnerability that could allow an attacker to view sensitive information shared between users like images, videos and location information.

The problem is that information transferred through Viber is stored unencrypted on its servers and can be retrieved by a client without any authentication.

Researchers from the University of New Haven’s Cyber Forensics Research and Education Group (UNHcFREG) publicized the vulnerability this week after reportedly failing to hear back from the company when they reported it. Viber acknowledged this week that it is in the middle of committing fixes for the vulnerability in both its Android and iOS apps.

The vulnerability essentially means that whenever a user sends another user an image, video, location image or doodle – drawings specific to Viber – the content can be sniffed by an attacker who can intercept the traffic. Text messages on the app, meanwhile, appear to be safely encrypted.

In a description of the vulnerability, Ibrahim Baggili, an Assistant Professor of Computer Science at UNH, and Jason Moore, a graduate research assistant at the university, point out that not only is the data on Viber’s Amazon servers unencrypted, but it is also not immediately deleted and can be easily accessed without authentication.

The researchers conducted their test by capturing mobile traffic via Windows 7’s Virtual WiFi Miniport Adapter feature: with the host computer connected to the internet through Ethernet, it shares that internet access through the wireless adapter, turning the PC into a rogue access point that the phone connects to. The researchers then captured and analyzed the traffic with a handful of tools: NetworkMiner, Wireshark and NetWitness.

Since the information is unencrypted, it could easily be gleaned by anyone operating a rogue access point or performing a man-in-the-middle attack.

The researchers found that simply visiting the intercepted link in a web browser gave them complete access to the data.

“Anyone, including the service providers will be able to collect this information,” the group warned Tuesday. “Anyone that sets up a rogue AP, or any man-in-the-middle attacks such as ARP poisoning will be able to capture this unencrypted traffic and view the images and videos received as well as the locations being sent or received by a phone.”

Viber begins fixing image-encryption vulnerability

The Android version of the messaging app no longer sends images and videos without encryption protection, and an iOS fix has been submitted, the company says.

Viber has added encryption measures to its messaging app for Android and iOS so that network eavesdroppers no longer can see or tamper with unprotected images, video, and messages about a user’s location.

The new Android version, released Tuesday, includes “enhancements to the way Viber handles photo, video and location messages,” according to the Viber page on the Google Play app store. The iOS version of Viber remains unchanged since its April 23 release, but Viber last week said it’s preparing a fix. On Wednesday, the company said the fix has been submitted to Apple.

Because the earlier version of Viber sends images and videos unencrypted, a user’s private messages aren’t actually private: somebody with control over the network Viber is using can see and even modify them.
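The researchers describe two separate defects: the media travels in the clear, and the link to it on the server works for anyone who sees it, with no authentication. The Android and iOS updates address the transport side. The block below is an added example of the standard server-side control for the second defect, written for this post; it is not Viber’s code and not a description of the fix the company shipped. The server hands out a link that is HMAC-signed over the object id, the intended recipient and an expiry time, and the media front-end verifies that signature, the expiry and the requester’s authenticated identity before serving anything. The key, host name, parameter names and TTL are all constructed for the example; the requester identity must come from the authenticated session, never from the URL.

```python
"""Authenticated, expiring media links (added example; not Viber's code).

Mitigation pattern for "anyone who sees the link can fetch the object": the
link carries an HMAC over (object id, recipient, expiry), so it cannot be
forged, re-pointed at another object, extended, or used by a third party.
TLS is still required on the wire; this only adds the missing authorization.
"""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

SERVER_KEY = b"constructed-demo-key-do-not-reuse"  # constructed; keep real keys in a KMS/HSM
LINK_TTL_SECONDS = 300                              # hypothetical link lifetime
MEDIA_BASE = "https://media.example/get"            # constructed host name


def _canonical(object_id: str, recipient: str, expires: int) -> bytes:
    """Exact byte string both sides sign; field separator cannot appear in ids."""
    return f"{object_id}|{recipient}|{expires}".encode()


def _sign(object_id: str, recipient: str, expires: int) -> str:
    return hmac.new(SERVER_KEY, _canonical(object_id, recipient, expires),
                    hashlib.sha256).hexdigest()


def make_media_url(object_id: str, recipient: str, now: int) -> str:
    """Issued by the messaging server when it notifies `recipient` of new media."""
    expires = int(now) + LINK_TTL_SECONDS
    query = {"id": object_id, "to": recipient, "exp": expires,
             "sig": _sign(object_id, recipient, expires)}
    return f"{MEDIA_BASE}?{urlencode(query)}"


def authorize_media_request(url: str, requester: str, now: int):
    """Run by the media front-end. `requester` is the identity of the
    authenticated session making the request (not taken from the URL).
    Returns (allowed, reason)."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False, "plaintext transport"      # would expose the bytes on the wire
    q = parse_qs(parsed.query)
    try:
        object_id = q["id"][0]
        recipient = q["to"][0]
        expires = int(q["exp"][0])
        sig = q["sig"][0]
    except (KeyError, ValueError):
        return False, "malformed"
    # Constant-time compare; any change to id/to/exp invalidates the signature.
    if not hmac.compare_digest(_sign(object_id, recipient, expires), sig):
        return False, "bad signature"
    if now > expires:
        return False, "expired"                  # captured link is useless after TTL
    if requester != recipient:
        return False, "not the recipient"        # link replayed by someone else
    return True, "ok"


if __name__ == "__main__":
    link = make_media_url("img-001", "alice", 1000)
    print(link)
    print(authorize_media_request(link, "alice", 1100))    # (True, 'ok')
    print(authorize_media_request(link, "mallory", 1100))  # (False, 'not the recipient')
```

The expiry bounds how long a captured link stays useful, but it does not shorten how long the object itself sits on the server; the researchers’ observation that media is “not immediately deleted” is a retention policy question that this check does not address.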

Request for Comments (RFC)

A Request for Comments (RFC) is a formal document from the Internet Engineering Task Force (IETF) that is the result of committee drafting and subsequent review by interested parties. Some RFCs are informational in nature. Of those that are intended to become Internet standards, the final version of the RFC becomes the standard and no further comments or changes are permitted. Change can still occur, however, through subsequent RFCs that supersede or elaborate on all or parts of previous RFCs.

An RFC is authored by engineers and computer scientists in the form of a memorandum describing methods, behaviors, research, or inventions applicable to the working of the Internet and Internet-connected systems. It is submitted either for peer review or simply to convey new concepts. The IETF adopts some of the proposals published as RFCs as Internet standards.

RFCs were first used during the development of the ARPANET protocols that became the foundation of today’s Internet. They continue to be published on an ongoing basis as the technology underlying the Internet evolves.

A formal Internet standard is created when an RFC goes through committee drafting and review until the final version is ratified, at which point no further comments or changes are allowed. Other RFCs are not ratified and instead retain an “informational” or “experimental” status. For example, the original File Transfer Protocol standard was published as RFC 114 in April 1971.