Jun 8, 2011

RSA SecurID tokens compromised


The EMC Corp. unit openly acknowledged for the first time that intruders had breached its security systems at defense contractor Lockheed Martin Corp. using data stolen from RSA.


What is a SecurID token?

SecurID tokens are used in two-factor authentication systems. Each user account is linked to a token, and each token generates a pseudo-random number that changes periodically, typically every 30 or 60 seconds. To log in, the user enters a username, password, and the number shown on their token. The authentication server knows what number a particular token should be showing, and so uses this number to prove that the user is in possession of their token.

RSA Security will replace virtually every one of the 40 million SecurID tokens currently in use as a result of the hacking attack the company disclosed back in March. The EMC subsidiary issued a letter to customers acknowledging that SecurID failed to protect defense contractor Lockheed Martin, which last month reported a hack attempt.



This admission puts paid to RSA's initial claims that the hack would not allow any "direct attack" on SecurID tokens; wholesale replacement of the tokens can only mean that the tokens currently in the wild do not offer the security that they are supposed to. Sources close to RSA tell Ars that the March breach did indeed result in seeds being compromised. The algorithm is already public knowledge.
As a result, SecurID offered no defense against the hackers that broke into RSA in March. For those hackers, SecurID was rendered equivalent to basic password authentication, with all the vulnerability to keyloggers and password reuse that entails.
RSA Security Chairman Art Coviello said that the reason RSA had not disclosed the full extent of the vulnerability was that doing so would have revealed to the hackers how to perform further attacks. RSA's customers might question this reasoning; the Lockheed Martin incident suggests that the RSA hackers knew what to do anyway. Failing to properly disclose the true nature of the attack served only to mislead RSA's customers about the risks they faced.
RSA is working with other customers believed to have been attacked as a result of the SecurID compromise, though it has not named any. Defense contractors Northrop Grumman and L-3 Communications are both rumored to have faced similar attacks, with claims that Northrop suspended all remote access to its network last week.
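The mechanism described above (token and server share a secret seed, the server recomputes the code the token should be showing, and once the seed leaks the code proves nothing beyond the password) as an added example in Python. This is not RSA's code and not the actual SecurID algorithm, which is proprietary; the public HMAC-based one-time-password scheme of RFC 4226/6238 stands in for it, the seed is RFC 4226's published test seed, and the token serial and the `AuthServer` class are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Added example: RFC 4226/6238 HMAC-based one-time passwords stand in for
# RSA's proprietary SecurID algorithm. The shared property is what matters:
# token and server hold the same secret seed, and the server recomputes
# the code the token should currently be displaying.
STEP_SECONDS = 30   # tokens roll every 30 or 60 seconds; 30 here
DIGITS = 6


def otp_at(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP value for one counter (RFC 4226: HMAC-SHA1 plus dynamic truncation)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def token_display(seed: bytes, now: int) -> str:
    """What the token's display shows at Unix time `now` (RFC 6238 time step)."""
    return otp_at(seed, now // STEP_SECONDS)


class AuthServer:
    """Server side: seed lookup, clock-skew window, replay guard, revocation (constructed)."""

    def __init__(self, seed_records: dict, window: int = 1):
        self.seeds = dict(seed_records)   # token serial -> seed (the "seed file")
        self.window = window              # accept +/- this many steps of clock drift
        self.last_counter = {}            # serial -> highest counter already accepted

    def verify(self, serial: str, code: str, now: int) -> bool:
        seed = self.seeds.get(serial)
        if seed is None:
            return False                  # unknown or revoked token
        current = now // STEP_SECONDS
        for counter in range(current - self.window, current + self.window + 1):
            if hmac.compare_digest(otp_at(seed, counter), code):
                if counter <= self.last_counter.get(serial, -1):
                    return False          # same code presented twice: replay
                self.last_counter[serial] = counter
                return True
        return False

    def revoke(self, serial: str) -> None:
        """Token replacement: a token whose seed may have leaked is no longer trusted."""
        self.seeds.pop(serial, None)
        self.last_counter.pop(serial, None)


# Constructed data: RFC 4226's published test seed and a made-up token serial.
SEED = b"12345678901234567890"
SERIAL = "000123456789"


def demo() -> dict:
    """Walk through accept, replay, clock skew and revocation for one token."""
    server = AuthServer({SERIAL: SEED})
    now = 59
    code = token_display(SEED, now)
    results = {
        "first_use_accepted": server.verify(SERIAL, code, now),
        "replay_rejected": not server.verify(SERIAL, code, now),
        # Token clock one step ahead of the server: still inside the window.
        "skew_accepted": server.verify(SERIAL, otp_at(SEED, now // STEP_SECONDS + 1), now),
    }
    # Anyone holding a copy of the seed file computes exactly the same codes,
    # so the only remedy once seeds leak is to revoke and reissue the tokens.
    server.revoke(SERIAL)
    later = now + 60
    results["revoked_rejected"] = not server.verify(SERIAL, token_display(SEED, later), later)
    return results


if __name__ == "__main__":
    print(demo())
```

The replay guard is the detail worth noticing: without it, a code captured by a keylogger can be reused within the same time step, which is the "equivalent to basic password authentication" failure the article describes even before seeds are considered.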

Facebook facial recognition technology: a controversy

"We should've been more clear" on face-scanning tech: Facebook


Facebook applied its new facial recognition technology to users' accounts without notifying them

This social networking site also posted an updated blog post explaining that its Tag Suggestions function had been switched on by default for the majority of its users.

It seems as if Facebook's problems with security are never-ending. New social networking features roll out and appear to cross the line almost every time, and now, Facebook users are expressing concern for its new facial recognition technology.

Facial recognition technology can be found in different programs, such as Apple's iPhoto and Google's Picasa. But the facial recognition feature can be turned off, giving users the option to use it or not. Unfortunately, this is not the case with Facebook's facial recognition feature.

Facebook announced the release of the facial recognition feature back in December, saying it would speed up the process of tagging friends in photos. Facebook also noted that it would only be released in the United States, but in an email statement yesterday, Facebook admitted that the technology had become available to users internationally without telling them about it.

"We should have been more clear with people during the roll-out process when this became available to them," said Facebook in an email statement.

The Facebook response also added that photo-tagging suggestions using the facial recognition technology were only offered when new photos were uploaded to Facebook, and it only suggested friends. In addition, the message mentioned that the feature can be disabled in a user's privacy settings.

But it's difficult to turn these settings off when people do not know they even have the feature.

This new feature presents privacy problems because Facebook has over 500 million users, and applying this technology without users' knowledge raises questions about whether certain personally identifiable information would become associated with the photos within the database.

"Yet again, it feels like Facebook is eroding the online privacy of its users by stealth," said Graham Cluley, a senior technology consultant at Sophos.


Nintendo will launch its new Wii console in 2012

Nintendo unveiled its new Wii console and will launch it in 2012


Gaming giant Nintendo has been showing off its next-generation Wii game console, at the E3 games show in Los Angeles.
The much-anticipated console, dubbed Wii U, comes with a controller that features a touchscreen and camera.
The original Wii console was hugely popular but Nintendo has faced pressure from rivals with similar devices.
Nintendo hopes the new console will create a new genre of gaming.
Wii U will feature a set-top box similar to the first generation console.
But the 6.2-inch touchscreen controller comes with a front-facing camera as well as the more traditional buttons of a Wii remote and a motion detector.
It will broadcast high-definition video and can be used to make video calls and browse the web.

Privacy

In demos, the Japanese gaming giant showed off some of the things the controller will allow, including offering users a private screen to view gameplay information that is not shared on the big screen.
It will also allow users of games such as Wii Fit to weigh themselves and get a read-out via the controller rather than the TV.
Users can also swap game play between the big screen and the controller, for instance if someone else wants to watch TV.

Wii U is "an interesting new concept" thinks Dan Pearson, a staff writer at Gamesindustry.biz.
"It is a hybrid between a handheld with elements of tablet design but also has all the traditional controller elements," he said.
"Initially people may be confused by the controller but so were they when the first Wii was unveiled," he said.
Nintendo was also keen to show off the processing power of the new console.
"Nintendo has been under fire for chasing casual gamers and it is good to see them trying to win back core gamers," said Mr Pearson.
Wii U will work with older games and controllers and will be available from spring 2012.

There was no indication of the price of the new console.

Web giants to trial new IPv6 system for one day


And finally, it's here!
The biggest ever test of the internet's new address system is taking place.
Google, Yahoo, Microsoft Bing and Facebook are among the companies switching on IPv6 versions of their websites for the one-day trial.
The technology is gradually being introduced because the world is running out of older IPv4 addresses as more devices come online.
Companies and home users may need new networking equipment; however, the transition is likely to take years.
World IPv6 day is partly a technical exercise by internet companies to see how the technology works, and partly an awareness-raising initiative.
For the small percentage of users already set up to access IPv6, they will be able to connect through the usual URLs - such as Google.com or Yahoo.com.
Behind the scenes, their browsers will be pointed to the new, much longer IP address.
New equipment

Groups involved in IPv6 day say that everyone will have to make the change eventually, but users should not worry at this stage if they are not switched over.
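What "behind the scenes, their browsers will be pointed to the new, much longer IP address" looks like for a dual-stack client, as an added example in Python that is not part of the original report or of any browser's code. The address records are constructed from the documentation ranges (2001:db8::/32 and 192.0.2.0/24), not the real records of any of the sites named above; the `order_candidates` and `describe` functions are this example's own.

```python
import ipaddress

# Added example (not from the page): how a dual-stack client filters and
# orders the addresses it receives for a name. Sample addresses are drawn
# from the documentation ranges, not from any real site's DNS.


def usable(addr) -> bool:
    """Drop addresses that a browser should never dial for a public website."""
    return not (addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_unspecified)


def order_candidates(records, client_has_ipv6: bool):
    """Connection order: IPv6 first only when the client can actually route it.

    A client that is not yet switched over simply never uses the AAAA
    answers, which is why users without IPv6 were not affected by the trial.
    """
    parsed = [ipaddress.ip_address(r) for r in records]
    v6 = [str(a) for a in parsed if a.version == 6 and usable(a)]
    v4 = [str(a) for a in parsed if a.version == 4 and usable(a)]
    if client_has_ipv6:
        return v6 + v4      # try the new addresses, keep IPv4 as the fallback
    return v4               # IPv4-only client: ignore the AAAA records entirely


def describe(record: str) -> dict:
    """Show why the new addresses are 'much longer': 128 bits versus 32."""
    a = ipaddress.ip_address(record)
    return {"version": a.version, "bits": a.max_prefixlen, "exploded": a.exploded}


if __name__ == "__main__":
    # Constructed answer set: one global IPv6, one link-local IPv6 that must
    # be ignored, one IPv4, and the IPv6 loopback.
    answers = ["2001:db8::1", "fe80::1", "192.0.2.10", "::1"]
    print(order_candidates(answers, client_has_ipv6=True))
    print(order_candidates(answers, client_has_ipv6=False))
    print(describe("2001:db8::1"))
```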

Jun 7, 2011

What’s New in iOS 5


The latest version of iOS 5 has finally been announced, and it has a bundle of new features — more than 200, by Apple’s count.
Several of the new features were poached from the best of Apple’s own app store, including reading queue apps like Instapaper, group messaging apps like GroupMe and photo editing apps. There’s also a lot of integration with Apple’s new cloud service iCloud.
The iOS 5 beta software won’t be available to users — at least, those who aren’t in the iOS Developer program — until this fall. At that point, it will be free to download for owners of the iPhone 4, iPhone 3GS, iPad 2, iPad, or the iPod touch (third and fourth generations). We’ve highlighted the most exciting new features below.

Notification Center






With iOS 5, Apple has essentially added a personalized news feed to all of its devices. The feed, which Apple calls the “Notification Center,” can be customized to display things like the current weather, a stock ticker, new emails, texts and friend requests. The feed can be accessed by swiping down from the top of the screen. You’ll be able to view it while the device is locked, much as iOS 4 displays the time and push notifications while locked.

iMessage







iMessage is BBM for Apple products. Like BlackBerry’s once distinguishing feature, it allows you to send unlimited instant messages to other users and to see whether recipients have read them or are typing a response. The new feature allows group messaging as well as photo, video, location and contact sharing. It’s expected to put a dent into the thriving group messaging app startups. The advantage that those apps still have is the ability to instant message phones with multiple operating systems. For now, Apple’s messages can only be sent to others who are using iOS, on iPhones and iPads.

Newsstand







Newsstand is a folder that holds your magazine and newspaper app subscriptions. All purchases go directly to that folder, which displays them on a virtual newsstand, and new issues are automatically downloaded and delivered there. Your newspaper subscriptions will arrive in time for breakfast.

Reminders







Reminders is iOS 5’s to-do list app. The feature includes an option to make items location based. Your phone will, for instance, remind you to pick up the milk when you are at the grocery store. You can sync reminders with iCal, Outlook and iCloud so that a change in one program automatically updates the others.

Deep Twitter Integration






On iOS 5, you can directly tweet from Safari, Photos, Camera, YouTube or maps. Twitter will also work together with contacts in the operating system, making it easy to find a friend’s Twitter handles when you start typing a name. This level of integration is still notably missing for Facebook.

Camera and Photos








Apple iOS makes the iPhone a better camera. You can now open the Camera app directly from the lock screen, which makes it easier to point and click quickly. The app also has more of the features of a regular digital camera: grid lines, single-tap focus and exposure locks. The volume-up button now works as a shutter button.
Apple has also built photo-editing capabilities into its Photos app. This means you can crop, rotate, enhance, and remove red-eye without leaving your camera roll. With iCloud, it’s also possible to automatically load new photos to your desktop, if you prefer to edit them there.

Safari






Apple’s mobile web browser now includes a feature that mimics the capabilities of the popular reading queue app Instapaper. Its “Reading List” lets you save articles you want to read later. iCloud pushes these articles to all of your iOS devices, much as Instapaper’s separate desktop and mobile apps allow you to read articles that you save on the go.

Top 10 dangerous Android Security Risks



Last year, Android became the world's second favorite mobile OS, racing past BlackBerry and Apple. 67 million of the nearly 300 million smartphones sold in 2010 were Android-powered devices like the Samsung Galaxy S, Motorola Droid X, and HTC EVO. New Android 3.0 ("Honeycomb") tablets will spur even more growth this year.
As a result, approximately half of enterprises are working to embrace Android devices. One of IT's biggest challenges: Android's consumer roots mean minimal support for enterprise-class security. Here, we consider today's biggest Android security risks and what can be done to mitigate them.
1. AWOL Androids: The top concern about any mobile device is loss. In a Juniper survey, 58 percent of smartphone and tablet users feared not being able to recover lost content. Apple iPhone users can restore nearly everything from iTunes, but Androids are not managed via desktop sync. Data loss can be avoided in two ways. First, install an auto-backup app (e.g., WaveSecure, MyBackup) to enable quick restoration of all that matters to you. Second, enroll your Android with one of the many available "find me" services to locate and recover lost devices.
2. Flimsy passwords: If your Android falls into the wrong hands, more is needed to prevent thieves from stealing broadband service, ringing up SMS fees, reading your email, or abusing VPN connections. In Juniper's survey, 3 out of 4 users locked their smartphones. This is an excellent first line of defense, but users need to understand Android's limitations.
3. Naked data: A major business risk posed by Android is lack of hardware data encryption. Fortunately, Android 3.0 ("Honeycomb") adds an API to let manufacturers offer encryption and IT enforce its use. Unfortunately, existing Androids cannot yet perform hardware encryption. Until self-encrypting Androids appear, stored data can be protected in two ways. First, those remote lock apps and APIs can request remote wipe as well, resetting the device to factory defaults – but only when the device is reachable, and without wiping SD card data. For more rigorous protection, enterprises should scramble sensitive data such as email and contacts using self-encrypting apps (e.g., Good for Enterprise, Exchange Touchdown).
4. SMShing: This phishing variant uses texting to trick smartphone users into visiting fraudulent or malicious links. Hackers are now being drawn to Android's popularity and openness. For example, last summer, unlucky SMS recipients were invited to download Trojan-SMS.AndroidOS.FakePlayer, a free Movie Player. Once installed, FakePlayer started texting premium-rate numbers, without user knowledge, ringing up huge bills. To block potentially-costly texts, users can add SMS controls such as SMSLinkGuard. Enterprises may also consider using a Mobile Device Manager (MDM) that can monitor Android wireless expenses (e.g., SMS, roaming).
5. Unsafe surfing: Think web browsing on your Android is safe? Last fall, M.J. Keith showed that a known WebKit browser vulnerability could be exploited on Android 2.0 or 2.1. Thomas Cannon reported an Android 2.2 browser flaw that could give hackers full SD card access. Recently, Google fixed an Android Market cross-site scripting (XSS) vulnerability that enables arbitrary code execution, found by John Oberheide. Unfortunately, Android users cannot quickly patch around bugs, because OS updates are deployed infrequently by carriers. One work-around: Using an app like BadLink Check or TrendMicro to avoid known-malicious websites.
6. Nosy apps: Speaking of the Android Market, telling friend from foe can be hard. According to the App Genome Project, Android Market apps more than doubled in the past 6 months. A whopping 28 percent of those apps now access device location, while 7.5 percent access stored contacts. Do these apps really need to know that info and what are they doing with it? Android apps must request permissions during installation – users need to seriously review those requests, exercise caution, and avoid apps that seem too nosy. To flag intrusive apps already installed on your Android, check out Lookout Mobile Security's Privacy Advisor or Webroot.
7. Repackaged and fraudulent apps: Some apps aren't what they appear to be. Many repackaged apps found on third-party Android markets are legitimate free apps, repackaged to generate ad revenue. But repackaging is also used to implant Android trojans, such as the Android.Pjapps trojan (included in modified versions of the Steamy Windows app) and the Android.Geinimi trojan (turns infected phones into bots). Most of these can be avoided by installing apps only from the Google Android Market. Don't frequent unregulated third-party markets or manually install Android packages from untrusted sources.
But even apps distributed by the Google Android Market receive no official review. Last year, "09Droid" sold about 40 different mobile banking apps at the Android Market. Unfortunately, none were affiliated with those banks. It is unclear whether 09Droid intended to phish for banking passwords, but when banks complained, those fraudulent apps were pulled from the Market. Be very careful when downloading apps that access sensitive accounts. Check with banks or other institutions to confirm apps are distributed by an authorized developer and beware of look-alikes.
8. Android malware: According to traffic analysis by AdaptiveMobile, Android malware spiked 400 percent last year. The total is still minuscule compared to other platforms, but more malware is likely to target Android's rapidly-expanding pool of potential victims. When Coverity assessed the Android kernel, it identified 359 code vulnerabilities, 88 of which posed "high risk" of exploitation. Because Android is an open development platform, hackers have ample opportunity to find and learn how to take advantage of these kinds of flaws.
Fortunately, application sandboxing is built into Android to limit potential damage by malicious apps – unless malware breaks out of that sandbox. That is apparently what DroidDream did last month. Hidden inside about 50 Android Market apps, including Sexy Girls, Advanced File Manager, Task Killer Pro, and Advanced Sound Manager, DroidDream "rooted" infected phones, sending IMEI/IMSI and OS version back to a command-and-control server. The "nature of this exploit" so concerned Google that it remotely removed installed apps from an estimated 50K phones. This "kill switch" was a fail-safe measure of last resort, but users can proactively defend themselves using Android anti-malware apps (e.g., Kaspersky, F-Secure).
9. Fake anti-malware: Alas, the fake anti-virus trend sweeping the PC world has now emerged for Android as well. When Google killed DroidDream, it installed a clean-up app called "Android Market Security Tool 2011." Android.Bgserv soon appeared on a third-party Chinese market, pretending to be Google's tool but carrying an SMS trojan. The lesson: Hackers prey on user emotions like fear – don't assume that security apps are legitimate. Check out sellers and read reviews. Enterprises should go further by testing apps in a lab environment, then using an MDM to suggest or auto-install verified safe apps on employee Androids. For example, Sybase Afaria now provides over-the-air app management for Android.
10. Lack of visibility and control: Ultimately, enterprises must embrace Androids – even employee-purchased Androids – so that IT can regain visibility into and control over business activities on these devices. Unlike iOS, Android does not yet offer native MDM to enable third-party device management. However, Android does provide APIs that MDM agent apps can use to read/write settings (e.g., password complexity), query attributes (e.g., installed apps, GPS location), and invoke remote lock or wipe. A bit of this can also be done via Exchange ActiveSync. Either way, IT can enroll Android devices, track their use, and enforce (at least limited) policies. Configurable settings are limited but rapidly expanding – more so for some manufacturers than others. But putting a management framework in place can help you leverage new Android security capabilities as they emerge.
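Items 4, 6 and 8 above all come down to the same review step: look at what an app asks for at install time and ask whether an app of that kind needs it. The following is an added example in Python, not code from the article or from any of the products it names, of the kind of check a lab or MDM pipeline can run over an app's AndroidManifest.xml before it is suggested to employees (item 9). The manifest, the package name `com.example.moviep` and the `EXPECTED` table of per-app-type permissions are constructed for illustration; the permission names are real Android permission identifiers.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions worth a second look, keyed to the risks discussed above.
SENSITIVE = {
    "android.permission.SEND_SMS": "can text premium-rate numbers (risk 4)",
    "android.permission.RECEIVE_SMS": "can read incoming texts (risk 4)",
    "android.permission.ACCESS_FINE_LOCATION": "tracks precise location (risk 6)",
    "android.permission.ACCESS_COARSE_LOCATION": "tracks approximate location (risk 6)",
    "android.permission.READ_CONTACTS": "reads the address book (risk 6)",
    "android.permission.READ_PHONE_STATE": "reads IMEI/IMSI and call state (risk 8)",
}

# Constructed table: what a harmless app of each type plausibly needs.
# Anything outside the set is a question for the reviewer, not automatically bad.
EXPECTED = {
    "media player": {"android.permission.INTERNET",
                     "android.permission.WAKE_LOCK",
                     "android.permission.WRITE_EXTERNAL_STORAGE"},
    "flashlight": set(),
}


def requested_permissions(manifest_xml: str):
    """Return (package name, sorted list of <uses-permission> names)."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    perms = sorted(el.get(ANDROID_NS + "name", "")
                   for el in root.iter("uses-permission"))
    return pkg, perms


def audit(manifest_xml: str, app_type: str) -> dict:
    """Flag sensitive permissions and ones unexpected for the declared app type."""
    pkg, perms = requested_permissions(manifest_xml)
    expected = EXPECTED.get(app_type, set())
    sensitive = [f"{p}: {SENSITIVE[p]}" for p in perms if p in SENSITIVE]
    unexpected = [p for p in perms if p not in expected]
    return {
        "package": pkg,
        "permissions": perms,
        "sensitive": sensitive,
        "unexpected_for_type": unexpected,
        "verdict": "review" if sensitive else "ok",
    }


# Constructed manifest: a "movie player" that also wants to send SMS and read
# the IMEI, the shape of the FakePlayer and DroidDream cases described above.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.moviep">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Movie Player"/>
</manifest>"""

# Constructed manifest: a player that asks only for what playback needs.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application android:label="Plain Player"/>
</manifest>"""


if __name__ == "__main__":
    for manifest in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        report = audit(manifest, "media player")
        print(report["package"], report["verdict"])
        for line in report["sensitive"]:
            print("  ", line)
```

The point of keeping an expected-permissions table per app type is that "INTERNET" on a media player tells you nothing, while "SEND_SMS" on one is exactly the signal the FakePlayer case turned on; a plain list of permissions without that context is what users skip past at install time.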
