Showing posts with label security. Show all posts

Saturday, March 2, 2013

Safari blocking outdated Flash plug-ins due to security holes

Adobe recently issued a security update for Flash Player which patches an exploit that gave hackers the ability to take over a vulnerable system. Not leaving things to chance, Apple is now rolling out a hotfix for Safari that blocks outdated versions of the tainted web plug-in. If your system hasn't been patched yet, you may receive a notification when attempting to access Flash-based content. The prompt will then advise that a new software version is available. If you're running OS X 10.6 (Snow Leopard) or higher and Safari is your browser of choice, you may want to nab this update from Adobe. Otherwise the next time you go online, the internet might be a far cry from what you're used to seeing.


Via: The Loop, MacRumors


Source: Apple

Wednesday, February 27, 2013

Dell intros Latitude 10 enhanced security for all your governmental tableting needs

Dell Latitude 10 Enhanced Security Tablet Meets the Security, Manageability and Reliability Needs of Government Agencies, Financial Institutions and Healthcare Organizations

Dell today introduced the Latitude 10 enhanced security configuration, a business-ready tablet designed to address the costly and time consuming management and security challenges faced by organizations deploying tablets. The Dell Latitude 10 is ideal for highly regulated industries such as government agencies, financial institutions and healthcare organizations and builds upon Dell's heritage of delivering trusted business PCs with industry-leading manageability, security and reliability.

Study Reveals Multiple IT Challenges of Deploying Tablets in Enterprise Settings
A recent Dell and Intel-commissioned Harris Interactive online survey [2] of 204 U.S. healthcare IT decision makers highlights the tablet management challenges faced by organizations today. The results show that tablets are increasingly becoming a standard IT device (51 percent of the healthcare organizations surveyed have deployed them). However, other studies show tablets can cost significantly more time and money to manage than other standard Windows-based devices such as laptops and desktops. According to the results of the Harris survey:

On average, those institutions managing tablets spend an estimated $2,235.20 configuring these devices to work within their organizations. These costs are often several times more than the actual expense of acquiring the device.
Fifty-one percent of tablet using institutions report that the devices required additional software or tools beyond what is used to manage laptops and desktops.
Forty-two percent of IT decision makers in tablet using organizations spent between 10 and 29 minutes per tablet to achieve the same level of security inherent in Trusted Platform Module (TPM) chips.
Forty-four percent of those in tablet using organizations reported that there are applications that are currently used in their organization on desktop and laptop computers that cannot currently be accessed on tablets.

These results demonstrate that the introduction of tablets into enterprise environments has created a more expensive and difficult management process for IT managers in multiple industries. The Dell Latitude 10 was designed to overcome these challenges by combining a great user experience with ease of management and deployment by IT. The Latitude 10 fits easily and securely into existing IT environments to help improve IT efficiency and decrease total cost-of-ownership. Because it is managed like any standard Windows-based laptop, the Latitude 10 is significantly easier to deploy and manage than the Apple iPad in large scale enterprise implementations. According to third-party testing performed by Principled Technologies [1], when compared to the iPad the Latitude 10 tablet is:

Up to 17 times faster and 94 percent less expensive to deploy saving approximately 580 hours in system prep and applications installation.
Up to 99 percent faster for software updates, saving approximately 197 hours with automated updates.
Up to 85 percent cheaper per device to maintain over a three-year period.


Industry-Leading Tablet Security
The Latitude 10 tablet, powered by the dual core Intel® Atom™ processor Z2760, delivers more hardware, authentication, data protection, tracking and recovery security features than any other tablet device on the market today and is ideal for organizations that must comply with stringent regulations such as the Sarbanes-Oxley Act (SOX), Health Insurance Portability and Accountability Act (HIPAA) and Federal Information Processing Standard (FIPS). The Latitude 10 enhanced security configuration is the only dual-authentication Windows 8 tablet with both an integrated smart card and fingerprint reader, in addition to the Latitude 10's already robust security features that include:

Dell Data Protection|Access providing an integrated end point security management suite that utilizes the fingerprint and smart card reader in the Latitude 10 as well as third-party security devices. A Dell wizard provides simple setup.
Trusted Platform Module (TPM) 1.2 hardware to allow networks to check device integrity and to assign full trust.
Microsoft® BitLocker Drive Encryption.
Computrace Support for stealth tracking software to allow the recovery of lost or stolen devices.
A Noble Lock slot for added hardware security.

Quotes
"Other tablets being deployed in business environments can cause more harm than good in the long run with unforeseen management costs and unsecure data protection and access," said Neil Hand, Vice President of Tablets and Performance PCs, End User Computing, Dell. "With Latitude 10 enhanced security configuration, our customers will be able to give their workers the mobility and productivity they want while having the peace of mind they can easily enforce and adhere to some of the most rigorous security regulations."
"While tablets can improve access to patient information for clinicians at the point of care, healthcare IT decision-makers should be informed about potential side-effects," said Andrew Litt, M.D., Dell's Chief Medical Officer. "The time and expense to connect, manage and secure these devices could be nearly five times the device's purchase price [2], which can be a significant concern for most healthcare institutions. Dell's Latitude 10 tablet and integrated solutions like Mobile Clinical Computing address these concerns by simplifying device management and ensuring that information is both secure and accessible for patient care."

"In our testing and analysis we found substantial advantages in managing the Dell Latitude 10 over an Apple iPad in an enterprise SCCM environment," said Bill Catchings, co-founder of Principled Technologies. "Our analysis found that these advantages would translate to significant cost savings, especially when managing large numbers of these devices."


Source

Thursday, February 14, 2013

Scout security system monitors your pad without compromising your feng shui (video)

While home security systems are definitely making strides towards modernization, we haven't seen many that look the part. However, Sandbox Industries' Scout might be the first home protection option that manages to gel with even the most swanky digs. Available in three stylish trims (black, white and wood), this wireless setup uses a base receiver that communicates with its security sensor panels by way of your home's network. Like most home protection systems, Scout offers remote control and monitoring via computer or mobile device, but the big draw here is its aesthetically pleasing equipment and simplified installation process.


Set to ship in August, packages start at $120 with additional à la carte purchase options depending on your household's needs. For those of you looking to further secure your bunker, Scout's hardware packs backup batteries in the event of a power outage as well as an optional 3G-powered monitoring service with plans starting at $10 per month. Of course, if you're not feeling such a high-tech setup, you could always place toy cars and Christmas ornaments beneath your doorways and window seals. Hey, it worked for Kevin McCallister.


Via: TechCrunch


Source: Scout

Friday, December 28, 2012

Firms neglect security threat of BYOD

'Bring your own device' is increasingly popular, but it raises new threats

A mere 8% of UK firms have a formal bring your own device (BYOD) policy in place, according to a survey conducted by Zenprise.

The mobile device management firm said that its survey of more than 500 IT decision makers revealed that while 39% of respondents said employees were allowed to use their own devices for work, far fewer put policies in place to govern how they are used.

It said this leaves companies dangerously exposed to the malicious or accidental leakage of sensitive corporate data.

Even when BYOD policies are in place, businesses are not always convinced these procedures offer adequate protection against breaches, with only 31% of respondents with a policy stating they had no concerns about security.

Of everyone surveyed, only 7% said their company was able to lock down app usage, while just 5% have the means to track devices by GPS.

Matt Peachey, vice president and general manager EMEA at Zenprise, said that businesses should make it a priority to address the issue in the new year.

"With so much to gain from effective BYOD initiatives – which, when done right, can deliver many measurable business benefits as well as supporting growth and innovation – organisations cannot afford to cut any corners when it comes to security," he said.

"Comprehensive security processes should be absolutely top-of-the-agenda for any firm looking to enable BYOD, and businesses would be wise to take a holistic approach which focuses on securing data and applications in use, as well as on the mobile devices connecting to the network.

"With the best available tools in place, incidents such as the loss of an executive's tablet can be easily mitigated by instantly wiping it clean, reducing the headache for IT and preventing the potential fall-out from a breach of corporate data."

"With all this in mind, it really is vital that organisations urgently re-address the security of enterprise mobility. Indeed, with so much at stake, this must become a top priority for modern businesses as we move into 2013."

Sunday, December 23, 2012

Interview: How Linux reads your fingerprints, helps national security

Gunnar Hellekson has many awesome-sounding job titles.

He's the chief technology strategist for Red Hat's US Public Sector group, where he works with government departments to show them how open source can meet their needs, and with systems integrators to show them what they can do to provide the government with what it needs.

He's co-chair of Open Source for America, which campaigns for software that has been funded by the tax-payer to be open sourced, so that all Americans can benefit from it. He's also on the boards of the Military Open Source Working Group, Civic Commons and the SIIA Software Division.

He's a clever chap with the ear of some pretty influential people, so we sat down with him for a chat.

Linux Format: First thing: Is the US government in favour of open source, or does it see it as stealing food from Microsoft's children?

Gunnar Hellekson: The government was actually an early user of open source, going back to 1978. You had the US government funding the development of things like the BSD TCP/IP stack; the ping tool was developed by the army research lab, and at some point in the 90s people started to wonder more, look more carefully at open source; and the government started passing rules like the Clinger-Cohen Act of 1996, which formalised the rules around IP acquisition. Suddenly, there were rules, which meant that there were concerns about whether people were following the rules or not.

When we had no rules, open source made sense. When the rules came in, people started to ask: "Wait, can we do open source?" And it wasn't until about 2003–4, when the Department of Defense [DOD] and the Office of Management and Budget said: "Actually, open source is fine. Don't worry about it, open source is just like any commercial software licence."

The irony of this is that while the slow gears of policy were moving, the Department of Energy and DOD, and the NSA [the National Security Agency] were all releasing source code out to the public, uninterrupted. So to say that the government has one position or another on open source is not only inaccurate, but it's impossible to describe, because the government is 12 million people. Some of them are great open source advocates and some of them aren't.

LXF: Didn't the NSA come up with SELinux, which is in the kernel now?

GH: Security Enhanced Linux, in 2001. And the reason why they did that is the classic story, right? They did it for a number of reasons. First, they wanted to relieve themselves of the technical debt of having developed the technology. If they had developed it and kept it to themselves, only they could have maintained it, and that's expensive.

So by putting it out to the open source community, into the Linux kernel, they could get some help, which was nice for them.

More importantly, the part of the mission that everyone forgets is that the NSA is also responsible for protecting the country's information infrastructure and making commercial products more secure. And so by making SELinux highly available – it's in every copy of Linux – it's actually improved the overall security of the country. So there were a bunch of reasons to do it.

LXF: What does your role with Red Hat entail? Are you trying to push this agenda to various government departments?

GH: In part, that's what it is. The best way to describe my job is telling the government what's happening in open source, and telling open source communities what the government is after.

LXF: Right, kind of like a community manager for those 12 million people who work in government?

GH: More like a hostage negotiator.

LXF: Have you seen any of the IT projects that are going on in the UK? Like the NHS IT project, for instance. That's an enormous project, and a black hole for tax-payers' money. Do you think there's anything inherent in a government that makes them think along such large lines?

GH: Well that's interesting, because in the United States we're heading in the opposite direction. The federal CIO has declared an end to large procurements, so rather than having one $500 million contract, we have 100 $5 million contracts. And it was the reason for the change, not just because it's more efficient and because there's less risk, but also because the current procurement system can literally not keep up with advances in technology.

At the DOD, the lead-in time for a top-level program takes 48 months to get from initiation to requirements. You haven't even put a bid out, you haven't even made a tender yet, but you've spent four years developing requirements. And in those four years, the entire world has changed. And so it's just not practical to run an IT project like that.

Open government

And so, in 2012 in the Appropriations Bill for the Defence Department, Congress ordered the DOD to come up with alternative acquisition strategies specifically for IT to fix this problem. They were asking for things like continual involvement of the user, an iterative, evolutionary approach... and what they were describing was that they wanted an agile IT project.

And so, subsequently, we've seen this model all over the government, with a more iterative approach and projects broken down into tiny chunks.

LXF: Our secretary of state has said that should happen, that you should break down contracts in to small chunks, but as yet, that's all that has happened: that he has said that it should happen.

GH: Well, from what I understand, since the early 2000s the UK Government put out a number of very large contracts with very long performance terms, like 10-year engagements.

I'm thinking specifically of the MOD, which visibly took most of its IT organisation and threw it up for ransom to a consortium of five companies... what were they called? Fujitsu Siemens, those kinds of people. And you're getting exactly what you paid for, right?

Not only was it a huge amount of cash up-front, but also the government has no negotiating position, because any change they want to make translates into more money that you have to pay the consortium.

And so that's what agile IT combats: not only is it more iterative, but there's more competition for each iteration.

LXF: Do you see that agile, more responsive development... do you think that's a key advantage of open source in big government projects, as compared with open file formats, for example?

GH: Yeah, so, what's more important? Open source or open standards, right? I think they both solve a different set of problems. When you have an open standard, you're creating a market. You're creating the opportunity for many people to perform the same task.

So if I'm using a standard like, say, IMAP for email, then I can ask any number of IMAP servers, and I don't have to change clients every time I change my server, because if I'm on IMAP I can compete all my IMAP servers against each other, which will drive down the cost.

With open source, what I'm giving myself is a vendor of first resort or of last resort, and I always have that option. So that even if... you can have an open standard and if only one company implements it you're just as locked-in as you were before.

But with open source, you always have an alternative. I can use the code unsupported, or I can find a clever open source hacker who can support it for me.

LXF: What about the argument that free software is crowding out commercially-made software, and stopping companies from making money?

GH: The government has always been concerned about... the Clinger-Cohen act, passed in the 90s, created a preference for commercial software in government, and what they meant by that was software that the government didn't make. What they wanted to do was to make sure that the government didn't end up doing itself something that could be done more effectively by the private sector.

So the rules say that before you go and build something, you have to look outside and make sure that nobody has already built one. So when government starts writing software, there's an immediate gut reaction that it's duplicative.

But, of course, there are cases where it makes sense for the government to be writing its own software, and Accumulo is a great example because Accumulo has features that didn't exist in any other project at the time.

The way they do charting, the way they do document storage, the way they do cell-level security, so I can determine for each individual piece of data who's allowed to talk to it or not. These features were unique to the Accumulo project, and the government did the right thing, because they open-sourced it.

And when you open-source it, it becomes a commercial item, because it's released under a commercial licence, which is the Apache licence. So it's under the Apache licence, which means that it's a commercial product. The senate is rightly concerned about crowding stuff out, but we have a case where it's not government-owned software anymore.

LXF: And rather than crowding out private enterprise, they've actually created a market for support services.

GH: There's a company called SQRRL, which closed its first round of funding a few months ago, wanting to be the Red Hat for Accumulo. So, here's an example of a government technology transfer that works. So I think that the senate concerns are valid, but in this case they're conflating government software with government-produced open source software, which are two very different things.

LXF: The other thing that we're always pushing as an advantage of open source is that it costs less, because you're not paying a licence fee. Is that an important factor, or is it irrelevant at government level? Because I imagine that the number of hackers you'd need to employ would be pretty expensive.

GH: Writing software is expensive, and it's even more expensive to maintain software. We've spent a lot of money writing code. Cost is often a factor in open source software for all the reasons you mentioned. It's often cheaper.

But I always caution people against saying that open source is always cheaper, or always more expensive, because although there are a number of advantages to the open source process it's always possible that a project is going to be very expensive to run.

Or bring it to your IT shop. So when we talk about saving money, it's important to look at what purpose you're using it for. So the economic value of open source is going to be very specific to which software project we're talking about.

All that said, there are a number of second-order effects to using open source that are definitely advantages.

And it's stuff like: you can always compete for maintenance; you can always fix it if it breaks; and the most important thing for me is that it gives you access to a whole bunch of innovation that would not be available to you otherwise.

LXF: Which you don't get if you're locked in to a ten-year contract with Capgemini.

GH: The way we look at it is this: take your favourite software vendor and draw a circle around all those developers. In the world, are there more smart people inside or outside that circle? And that's true of any organisation.

If you're buying from a proprietary vendor, your software is only as good as how many smart people they can hire, which doesn't seem like a very good risk proposition to me. You want to use software and software vendors that have access to as many smart people as possible.

Open government

LXF: How's Red Hat doing?

GH: Well great, you just saw the press today. I heard the number three and I heard the number 12, but we're one of the few pure software companies to go over $1bn revenue.

One thing that's exciting for me about Red Hat right now, I love working for Red Hat, I love my job, I've been here for seven years. And I've never been as excited about anything as I am about OpenShift.

I know it's not on your beat, but having an open-source platform for a server is a complete game changer for my customers to the way they plan on procuring software. Giving them a way to control all of their technology going forward from that point of view is to start looking at platforms as a server.

And I'm going to be blogging a bunch about that. It's a huge deal, and it's really exciting.

LXF: Is that related to OpenStack?

GH: It lies on top of OpenStack. So OpenStack will give you a VM; OpenShift will let you say, "give me a Python environment, give me a PHP environment and put WordPress on it".

And then it will automatically create these things we call cartridges; cartridges for Mongo, PHP, Perl, Ruby, Java... so all the building blocks have already been laid out, already secure. And you're not even looking at the virtualisation layer.

In fact, you don't even know where the stuff is running. As a developer, all you're working with is Git. You write your code, then you do a Git push, and once you've pushed it, it's running inside the environment. It's really cool.

LXF: It sounds kind of like Ubuntu's Juju thingamibob, the cloud as a service product they launched earlier this year.

GH: I sat in front of a Juju session two days ago, and I'm still trying to figure out what it is. But Juju is coming at a similar problem from a different angle. OpenShift has a bunch of other stuff. Juju is a way of helping sysadmins; what OpenShift does is, it lets you create these Linux containers so you can confine applications inside. One container, one jail, and nobody can talk to anybody else.

We've got it running on EC2; it'll spin up VMs, then spin up containers within those VMs, so we can get 400 customers on one box, which is awesome. OpenShift is a way to manage who owns what.

The way we make money is that you can spin up three cartridges for free, but if you want extra stuff, if you want management tools and all the rest of it, then you sign up for the service and you pay for additional space. The navy are looking at it, the air force...

LXF: Did you see that Linux is being used in one of the US navy drones now?

GH: Uh-huh. The Firescout. We actually made fun of that article. If you look at the timeline of government use of open source, you see that there are all these data points going back to 1978 all the way up to 2012, there's this mass of articles all calling for advocacy and adoption of open source projects.

Then you get this one $26 million contract to put Linux on a Firescout, which is like an insignificant dot, right? The thing we were talking about in the session was, "when do we get to stop talking about open source in government?"

What I said was: "Every time we talk about open source being a big deal in government, that's us not winning". We want open source to be totally unremarkable. It should just be part of the infrastructure.

And so when someone is surprised that the US government is using Linux... you know, governments have been using Linux for a very long time. The government has been contributing to the Linux kernel since at least 2000. It's kind of funny to see people say "Ooh, Linux is in the Firescout". It's as if it's going to force cataclysmic changes in the GPL. No! It's not a cataclysmic event, it's a contract.

LXF: Are there any particularly awesome Red Hat adoptions in the US government?

GH: Sure. The FAA, their traffic flow management system, since 2001 has been running on Linux. So, every time you take a civilian flight in the United States, there's a Linux workstation managing it. US Census is a Red Hat user.

Every week, the government puts out employment numbers. If they are even five minutes late announcing it that is an apocalyptic event on Wall Street. They're running Linux.

The Patent and Trademark office, what else... the national weather service, every weather forecast comes off a Linux box.

Oh, the FBI, this is kind of fun. Every time you see a fingerprint check or a background check on somebody, that is all going back to a system that is running on... I think they're using every Red Hat product that there is.

They have 16 million records, and they run every background check, every fingerprint, all the biometric data, and when you crossed the border they took a fingerprint, right? That fingerprint went back to a data centre running all that stuff and came back in under 15 seconds to make sure that you weren't flagged. That's all Red Hat.


View the original article here

Tuesday, December 18, 2012

You should have Cain & Abel in your security toolbox

There’s a sort of cruel irony to passwords. The legitimate passwords people need to use to access crucial applications or data are often forgotten, and yet the bad guys seem to be able to crack passwords without breaking a sweat. Thankfully, there’s a free tool available that can help you in either of these cases—Cain & Abel.

What is Cain & Abel? It’s described as a Windows-based password recovery tool, but it does much, much more than just password recovery. The software can capture and monitor network traffic for passwords, crack encrypted passwords using various methods, record Voice over IP (VoIP) conversations, recover wireless network keys, and more.

Passwords are the keys to almost everything.

If you’ve forgotten a crucial password, and don’t have any password reset capability in place, you can use Cain & Abel to try and crack the password for you. Cain & Abel can perform a dictionary attack—essentially trying every word in the dictionary—to guess the password. It can also do a brute force attack, which attempts every possible combination of uppercase and lowercase letters, numbers, and symbols until it finds the right one, or cryptanalysis attacks that attempt to circumvent password encryption techniques. It could take hours, or possibly days, but given enough time Cain & Abel should be able to recover the password for you.

There’s another way to put a tool like Cain & Abel to use for password security. You can run Cain & Abel against your password database to test the strength of your password policies. You might have a password policy in place, but you’d be surprised how easily some passwords that meet the password policy requirements can be cracked.

In one security assessment I participated in, the client had given us network access that allowed us to access the SAM (Security Account Manager) database, which stores all of the hashed passwords of users. The client had a reasonably strict password policy that met or exceeded the best practice guidelines at the time. But, we ran Cain & Abel against the SAM file, and within a couple of hours we were able to successfully crack most of the passwords—including the passwords of executive managers.
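The point of the two paragraphs above is that a password can satisfy every rule in a policy and still fall to the first few rules of a wordlist attack. The following script is an added example, not part of the original article and not code from the Cain & Abel project: it encodes a constructed "8 characters, upper, lower, digit" policy, checks a constructed set of hashed passwords against a tiny wordlist with a handful of mangling rules, and computes how large an exhaustive search would have to be for comparison. The policy values, wordlist, suffixes and sample accounts are all assumptions made for the demonstration; unsalted SHA-256 stands in for whatever hash the audited store really uses.

```python
import hashlib
import string

# Constructed policy: at least 8 characters with an upper-case letter, a lower-case
# letter and a digit. An assumed example policy, not one taken from the article.
POLICY_MIN_LEN = 8
POLICY_CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits)


def meets_policy(password):
    """True if the password satisfies the constructed length and character-class rules."""
    if len(password) < POLICY_MIN_LEN:
        return False
    return all(any(ch in cls for ch in password) for cls in POLICY_CLASSES)


def brute_force_keyspace(max_len, alphabet_size=95):
    """Candidates an exhaustive search over printable ASCII must try for lengths 1..max_len."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def mangle(word):
    """Yield the cheap variants of a wordlist entry that rule-based guessing tries first:
    case changes plus a few common suffixes. Constructed, deliberately tiny rule set."""
    for base in {word.lower(), word.capitalize(), word.upper()}:
        yield base
        for suffix in ("1", "123", "!", "2012", "1!"):
            yield base + suffix


# Constructed wordlist; a real audit would use a large public list.
WORDLIST = ["password", "welcome", "summer", "company", "admin"]


def sha256_hex(text):
    """Unsalted SHA-256 stands in for whatever hash the audited store uses."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def audit(hashes):
    """Map every username whose hash matches a mangled wordlist entry to the recovered
    password. Accounts that survive the wordlist are simply absent from the result."""
    lookup = {}
    for word in WORDLIST:
        for candidate in mangle(word):
            lookup.setdefault(sha256_hex(candidate), candidate)
    return {user: lookup[h] for user, h in hashes.items() if h in lookup}


# Constructed sample store: every password below passes meets_policy().
SAMPLE_HASHES = {
    "alice": sha256_hex("Password1"),
    "bob": sha256_hex("Welcome123"),
    "carol": sha256_hex("Summer2012"),
    "dave": sha256_hex("kX9#mQ2pLv7"),
}

if __name__ == "__main__":
    for user, pw in audit(SAMPLE_HASHES).items():
        print(f"{user}: policy-compliant but recovered from wordlist -> {pw}")
    print("8-character brute-force keyspace:", brute_force_keyspace(8))
```

Three of the four compliant accounts are recovered from a five-word list, while the keyspace figure shows why the same passwords would be safe from pure brute force: the policy measures length and character classes, but the wordlist measures predictability, and that is the gap an audit like the one described above exposes.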

Cain & Abel does not exploit vulnerabilities to crack passwords. It simply takes advantage of weaknesses in general operating system security, network protocols, authentication methods, and caching mechanisms.

Use Cain & Abel to see just how secure your password policy really is.

The latest version is capable of analyzing encrypted network traffic such as SSH-1 or HTTPS, and has a new feature called APR. APR stands for ARP (Address Resolution Protocol) Poison Routing, and enables Cain & Abel to sniff traffic on switched LANs, or simulate MitM (Man-in-the-Middle) attacks.
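Because APR works by sending ARP replies that rebind an IP address to a different hardware address, the traffic it produces is visible to anyone watching ARP on the segment. The script below is an added example and not part of the original article or of Cain & Abel: it parses a constructed log in a format loosely modelled on tcpdump's one-line ARP output, and raises the two signals a defender would look for, an IP whose announced MAC changes, and a single MAC that claims more than one IP. The log lines, addresses and the exact line format are all constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed log format, loosely modelled on the one-line form tcpdump prints for ARP:
#   "<seconds> ARP, Reply <ip> is-at <mac>, length 28"
# Only the timestamp, IP and MAC are used; anything else on the line is ignored.
ARP_REPLY = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s.*?Reply\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+is-at\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_arp_replies(lines):
    """Yield (timestamp, ip, mac) for every line that looks like an ARP reply."""
    for line in lines:
        m = ARP_REPLY.search(line.strip())
        if m:
            yield float(m["ts"]), m["ip"], m["mac"].lower()


def detect_arp_poisoning(lines):
    """Two signals of an ARP cache being poisoned:
      changes  - an IP previously announced with one MAC is re-announced with another
      multi_ip - a MAC that claims more than one IP; one host answering for both the
                 gateway and a client is what places it between their traffic
    Returns (changes, multi_ip) where changes is a list of (ts, ip, old_mac, new_mac)."""
    current = {}
    ips_by_mac = defaultdict(set)
    changes = []
    for ts, ip, mac in parse_arp_replies(lines):
        old = current.get(ip)
        if old is not None and old != mac:
            changes.append((ts, ip, old, mac))
        current[ip] = mac
        ips_by_mac[mac].add(ip)
    multi_ip = {mac for mac, ips in ips_by_mac.items() if len(ips) > 1}
    return changes, multi_ip


# Constructed capture: the gateway (.1) and a workstation (.20) answer normally,
# then a third MAC starts answering for both of them.
SAMPLE_LOG = """
1.000 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28
1.500 ARP, Reply 192.168.1.20 is-at aa:bb:cc:00:00:20, length 28
1.700 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28
2.000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28
2.100 ARP, Reply 192.168.1.20 is-at de:ad:be:ef:00:99, length 28
""".strip().splitlines()

if __name__ == "__main__":
    changes, multi_ip = detect_arp_poisoning(SAMPLE_LOG)
    for ts, ip, old, new in changes:
        print(f"t={ts}: {ip} moved from {old} to {new}")
    for mac in sorted(multi_ip):
        print(f"{mac} is answering for more than one IP")
```

On a quiet segment a MAC change for an IP is rare (a replaced NIC, a DHCP reassignment), so each one is worth a look; the second signal is the stronger one, since there is little legitimate reason for one interface to answer for both the gateway and a workstation. The same logic applies to a passive ARP feed from a span port or to a switch's DHCP-snooping and dynamic ARP inspection logs, which are the usual production mitigations.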

Cain & Abel is a useful, valuable security tool, and you can't beat the price: it's free. The developers do warn that there is a possibility that the software could cause damage or loss of data, and they assume no liability. Basically, you get what you pay for, but mature tools like Cain & Abel have been tested and refined over time, and the risk is probably not any greater than with any commercial software product.

Cain & Abel could potentially be used by attackers, but it was developed as a security tool. Illegal activity using Cain & Abel is neither supported nor condoned by its developers.


View the original article here

Saturday, December 15, 2012

Developing security protocols for BYOD

Allowing employees to use their own smartphones and tablet PCs for work is proving increasingly popular, encouraged by the promise of worker satisfaction and higher productivity. But it places new demands on the management of mobile data and communications platforms, and demands that IT managers look hard at their existing security policies.

"BYOD is another battle in the war between security and usability," says security appliance provider Fortinet in its Enabling Secure BYOD report. "End users from the CEO down to line workers want the ability to use personal devices for work purposes, their belief being that personal devices are more powerful, flexible, and usable than those offered by corporate.

"On the opposite side of this discussion is security. BYOD opens up numerous challenges around network, data, and device security along with blurring the lines of privacy and accessibility. Many organizations have tried a variety of approaches to allow for BYOD in their organizations, with limited success."

The scale of the issue is made clear in Symantec's 2012 State of Information Report, which reveals that 46% of business information is now stored outside firewalls, and if it is not on mobile devices, it is often accessed through smartphones and tablets. Globally, 28% of business information is accessed through these devices.

There is a strong view that BYOD activity can deliver a competitive advantage, but CIOs and IT managers need to tread carefully to ensure their businesses do not have their security integrity compromised. The main security challenges include:

• educating users to maintain high levels of security when using their devices;

• working out how established IT and security policies can be applied to the BYOD environment;

• the implications of losing devices with highly sensitive information;

• responding to malicious attacks on devices, which are on the increase as hackers realise that valuable data could be saved to a smartphone or tablet;

• whether access to online content will be allowed or filtered;

• how BYOD devices will be protected when used in remote Wi-Fi environments;

• ensuring that apps used on the devices do not compromise security systems;

• deciding which operating systems are to be allowed within a BYOD environment. This will determine the security protocols and future patches that will be needed;

• maintaining an accurate inventory, as employees may replace their devices yearly or even over shorter time frames.

IT managers and CIOs need to look at how their existing security policies can be amended to maintain high levels of data security with BYOD. A policy can be modified in several ways:

1. A virtual desktop infrastructure (VDI) can be used to allow BYOD devices to securely access business servers without any cross-pollination of data that could include malicious code.

2. Decisions should be made on the level of access that devices will have to a corporate network. Businesses want to allow BYOD, but limits should be set and communicated to users.

3. The storage of sensitive data on personal devices can be allowed, but within limits set after consultation across users to strike a balance between day-to-day needs for data access, and the overall business security policy that includes compliance with data protection regulations.

4. Mobile device management (MDM) may at first glance seem to be the solution to security issues, but IT managers and CIOs should look closely at how MDM can be used to control a device environment that includes BYOD.

5. It is important to maintain endpoint security within a BYOD environment. Remote wiping of data, and on-board anti-virus protection become essential, as it is easy for an infection to spread from a user's home network.

6. Using a private cloud environment to protect BYOD users and provide a single management console for IT managers should also be considered.

There is evidence that many IT managers have not yet got to grips with BYOD security. Research by system engineering company Decisive Analytics revealed that 83% of the companies questioned require employees to install software to secure and manage their personal devices when used for work purposes. The reasons given by those that did not included: "We only allow trusted users to connect to the network," (25.7%); and "We are not concerned about security on these devices," (15.6%).

Some said they had not had a security software solution (13.8%) or were still researching one (12.8%), while other reasons were user rejection (11%), perceived high cost (10%), and perceived complexity (3.7%).

Business security policies tend to be rooted in traditional desktop deployments, with notebook VPNs providing robust security for employees who work remotely. But the rapid expansion of BYOD has opened a whole new set of security challenges, and there has to be a balance between employers' needs to prevent disruption to business and compliance with data protection regulations, and ease of use of devices for employees.

CIOs and IT managers need to think through how their businesses are integrating BYOD into overall security systems. In most cases change will have to be made now to ensure data security is maintained. But the real challenge is that the BYOD layer is continuously changing.

Security vendors are slowly getting to grips with this brave new world, but until security platforms specifically for BYOD are available, existing systems will have to provide some level of security when these devices are used. It's likely that a hybrid approach that uses the private cloud, installed security apps and MDM will deliver a robust set of security tools that CIOs and IT managers can comfortably roll out across their organisations.



Saturday, November 10, 2012

RIM's BlackBerry 10 platform wins coveted U.S. security clearance

Research In Motion CEO Thorsten Heins displays features of the Blackberry 10 during his keynote address during the Blackberry Jam Americas in San Jose, California September 25, 2012. REUTERS/Robert Galbraith


By Euan Rocha

TORONTO | Thu Nov 8, 2012 9:06am EST

TORONTO (Reuters) - Research In Motion Ltd said on Thursday it won a much-coveted U.S. government security clearance for its yet-to-be-launched platform for BlackBerry 10 devices, due to hit store shelves in the first quarter of 2013.

The company said its BlackBerry 10 platform has received the FIPS 140-2 certification that would allow government agencies to deploy the devices, along with the new enterprise management platform on which they run, as soon as the new smartphones are launched.

Waterloo, Ontario-based RIM said this is the first time BlackBerry products have been FIPS certified ahead of launch.

"Achieving FIPS certification for an entirely new platform in a very short period of time, and before launch, is quite remarkable," RIM's head of security certifications, David MacFarlane, said in a statement.

The fortunes of RIM, a one-time pioneer in the smartphone industry, have faded in recent years as nimbler rivals such as Apple Inc and Samsung Electronics Co have come up with faster and snazzier devices.

RIM's fate now depends almost entirely on the long-awaited line of so-called BB 10 devices.

Last month, RIM said it had begun carrier tests on the new line of devices, which the company hopes will help it regain some market share it has ceded to Apple's iPhone and a slew of other devices that run on Google Inc's Android operating system.

FIPS certification, given by the National Institute of Standards and Technology, is one of the minimum criteria required for products used by U.S. government agencies and regulated industries that collect, store, transfer, share and disseminate sensitive information.

The stamp of approval gives confidence to security-conscious organizations - including some of RIM's top clients like U.S. and Canadian government agencies - that the data stored on smartphones running BlackBerry 10 can be properly secured and encrypted.

Despite winning the coveted security clearance, RIM still faces the tough task of convincing government agencies to stick with RIM and deploy the new BB 10 devices. Some U.S. government agencies have begun to look at other options.

Last month, the U.S. Immigration and Customs Enforcement agency (ICE) said it would end its contract with the BlackBerry maker in favor of Apple's iPhone. The agency said it intends to buy iPhones for more than 17,000 employees.

The Pentagon recently said it will continue to support "large numbers" of BlackBerry phones, even as it moves forward with plans that would allow the U.S. military to begin using Apple's iPhone and other devices.

MIXED RECEPTION

RIM promises that BlackBerry 10 will be much smoother and faster than its existing line of devices and have the ability to separately manage corporate and personal data on the same device.

The company is attempting to lure developers onto its BB 10 platform. It has been showcasing the new devices to developers at BlackBerry Jam sessions across the globe as the company needs a critical mass of highly sought after apps for its new devices to succeed.

While the devices have been well received by the developer community, financial analysts on Wall Street and Bay Street have mixed views on the reception the smartphones will get from consumers in an ultra-competitive market.

Earlier this week, Pacific Crest analyst James Faucette warned that BlackBerry 10 is likely to be "DOA," or dead on arrival.

Faucette said he expects "the new operating system to be met with a lukewarm response at best," due to the new and unfamiliar user interface and a general reticence on the part of developers to create apps for the platform.

But Paradigm Capital analyst Gabriel Leung is much more optimistic and believes the devices could help potentially mitigate RIM's market share losses in such crucial markets as North America.

"We believe the company has significantly improved its ability to attract developers to build apps for the BB10 ecosystem," said Leung. He has a "buy" rating and a $14 price target on the shares.

RIM shares closed at $8.24 on the Nasdaq on Wednesday and were up 3 percent at $8.49 in trade before the morning bell on Thursday.

(Reporting by Euan Rocha; Editing by Chris Gallagher and Jeffrey Benkoe)



Thursday, November 8, 2012

Mastercard previewing smartphone web payment system with in-person security strength

MasterCard and ING Launch EMV Internet Payments Trial
Trial demonstrates convergence of physical and digital commerce
PURCHASE, N.Y. & AMSTERDAM--(BUSINESS WIRE)--MasterCard and ING Group today announced a joint trial underway in the Netherlands that is demonstrating a new way to pay online using mobile phones. The trial extends the functionality of the Mobile MasterCard® PayPass™ application, already used to support contactless payments at point of sale, to deliver a highly secure and easy to use payment experience at internet merchants. By using the Secure Element in the mobile device, a comparable level of security can be achieved whether a purchase is being made in-store or online.


© 2013 PC Tech World. All rights reserved. Designed by Templateism
