IBM To Become Cloud Broker
IBM is in the throes of developing software that will allow organizations to use multiple cloud storage services interchangeably, reducing dependence on any single cloud vendor and ensuring that data remains available even during service outages.
Although the software, called InterCloud Storage (ICStore), is still in development, IBM is inviting its customers to test it. Over time, the company will fold the software into its enterprise storage portfolio, where it can back up data to the cloud. The current test iteration requires an IBM Storwize storage system to operate.
ICStore was developed in response to customer inquiries, said Thomas Weigold, who leads the IBM storage systems research team in IBM’s Zurich, Switzerland, research facility, where the software was created. Customers are interested in cloud storage services but are worried about trusting data with third party providers, both in terms of security and the reliability of the service, he said.
The software provides a single interface that administrators can use to spread data across multiple cloud vendors. Administrators can specify which cloud providers to use through a point-and-click interface. Both file and block storage are supported, though object storage is not. The software contains mechanisms for encrypting data so that it remains secure as it crosses the network and resides on the external storage services.
A number of software vendors offer similar cloud storage broker capabilities, all in various stages of completion, notably Red Hat’s DeltaCloud and Hewlett Packard’s Public Cloud.
ICStore is more “flexible” than other approaches, said Alessandro Sorniotti, an IBM security and cloud system researcher who also worked on the project. “We give customers the ability to select what goes where, depending on the sensitivity and relevance of data,” he said. Customers can store one copy of their data on one provider and a backup copy on another provider.
ICStore supports a number of cloud storage providers, including IBM’s SoftLayer, Amazon S3 (Simple Storage Service), Rackspace, Microsoft Windows Azure and private instances of the OpenStack Swift storage service. More storage providers will be added as the software goes into production mode.
“Say, you are using SoftLayer and Amazon, and if Amazon suffers an outage, then the backup cloud provider kicks in and allows you to retrieve data,” from SoftLayer, Sorniotti said.
ICStore will also allow multiple copies of the software to work together within an enterprise, using a set of IBM patent-pending algorithms developed for data sharing. This ensures that the organization will not run into any upper limits on how much data can be stored.
IBM has about 1,400 patents that relate to cloud computing, according to the company.
Twitter Tightens Security
Twitter Inc said it has put in place a security technology that makes it harder to spy on its users and called on other Internet firms to do the same, as Web providers look to thwart spying by government intelligence agencies.
The online messaging service, which began scrambling communications in 2011 using traditional HTTPS encryption, said on Friday it has added an advanced layer of protection for HTTPS known as “forward secrecy.”
“A year and a half ago, Twitter was first served completely over HTTPS,” the company said in a blog posting. “Since then, it has become clearer and clearer how important that step was to protecting our users’ privacy.”
Twitter’s move is the latest response from U.S. Internet firms following disclosures by former spy agency contractor Edward Snowden about widespread, classified U.S. government surveillance programs.
Facebook Inc, Google Inc, Microsoft Corp and Yahoo Inc have publicly complained that the government does not let them disclose data collection efforts. Some have adopted new privacy technologies to better secure user data.
Forward secrecy prevents attackers from exploiting one potential weakness in HTTPS, which is that large quantities of data can be unscrambled if spies are able to steal a single private “key” that is then used to encrypt all the data, said Dan Kaminsky, a well-known Internet security expert.
The more advanced technique repeatedly creates individual keys as new communications sessions are opened, making it impossible to use a master key to decrypt them, Kaminsky said.
“It is a good thing to do,” he said. “I’m glad this is the direction the industry is taking.”
Adobe Data Found Online
November 18, 2013 by admin
Filed under Around The Net
A computer security firm has discovered data it says belongs to some 152 million Adobe Systems Inc user accounts, suggesting that a breach reported a month ago is much larger than Adobe has so far disclosed and is one of the largest on record.
LastPass, a password security firm, said that it has found email addresses, encrypted passwords and password hints stored in clear text from Adobe user accounts on an underground website frequented by cyber criminals.
Adobe said last week that attackers had stolen data on more than 38 million customer accounts, on top of the theft of information on nearly 3 million accounts that it disclosed nearly a month earlier.
The maker of Photoshop and Acrobat software confirmed that LastPass had found records stolen from its data center, but downplayed the significance of the security firm’s findings.
While the new findings from LastPass indicate that the Adobe breach is far bigger than previously known, company spokeswoman Heather Edell said it was not accurate to say 152 million customer accounts had been compromised because the database attacked was a backup system about to be decommissioned.
She said the records include some 25 million with invalid email addresses and 18 million with invalid passwords. She added that “a large percentage” of the accounts were fictitious, having been set up for one-time use so that their creators could get free software or other perks.
She also said that the company is continuing to work with law enforcement and outside investigators to determine the cost and scope of the breach, which resulted in the theft of customer data as well as source code to several software titles.
The company has notified some 38 million active Adobe ID users and is now contacting holders of inactive accounts, she said.
Paul Stephens, director of policy and advocacy for the non-profit Privacy Rights Clearinghouse, said information in an inactive database is often useful to criminals.
He said they might use it to engage in “phishing” scams or attempt to figure out passwords using the hints provided for some of the accounts in the database. In some cases, people whose data was exposed might not be aware of it because they have not accessed the out-of-date accounts, he said.
“Potentially it’s the website you’ve forgotten about that poses the greater risk,” he said. “What if somebody set up an account with Adobe ten years ago and forgot about it and they use the same password there that they use on other sites?”
Banks Join Instant Chat
October 16, 2013 by admin
Filed under Around The Net
Goldman Sachs Group Inc, JPMorgan Chase & Co and six other financial institutions have agreed to join a new instant messaging network from Markit and Thomson Reuters Corp to connect disparate messaging systems.
The network, called Markit Collaboration Services, launched on Monday and allows members to chat with one another regardless of the proprietary messaging technology that each firm uses.
This open platform differs from Bloomberg LP’s messaging system, which is a closed network only for users of Bloomberg terminals.
Bloomberg messaging is the most popular form of chat on Wall Street, and is often cited as one of the reasons banks are willing to pay around $20,000 a year for a subscription to a Bloomberg terminal.
Markit and Thomson Reuters said they hoped their open messaging network will attract banks that want to chat with their clients or other financial institutions but cannot currently do so because they are on different messaging systems.
The other banks that have joined the new network are Deutsche Bank, Bank of America Merrill Lynch, Barclays, Citigroup, Credit Suisse and Morgan Stanley, according to a statement from Markit.
The banks collectively employ more than 1 million people worldwide, though it was not immediately clear how many individuals will use the new Markit service.
David Craig, president of Thomson Reuters’ Financial & Risk division, said one of the challenges facing banks is that their messaging systems do not always talk to one another. “That creates costs and complexity,” he said.
Markit and Thomson Reuters said the messages on the new network are encrypted, and the system does not store them.
Representatives from Bank of America, Deutsche Bank, Goldman Sachs and Morgan Stanley were not immediately available to comment on the new messaging system. Representatives from Barclays, Citi, Credit Suisse and JPMorgan also declined to comment.
Google Encrypts Data
August 27, 2013 by admin
Filed under Around The Net
Google officially announced that it will encrypt data stored in its Cloud Storage service by default.
The server-side encryption is now active for all new data written to Cloud Storage, and older data will be encrypted in the coming months, wrote Dave Barth, a Google product manager, in a blog post.
“If you require encryption for your data, this functionality frees you from the hassle and risk of managing your own encryption and decryption keys,” Barth wrote. “We manage the cryptographic keys on your behalf using the same hardened key management systems that Google uses for our own encrypted data, including strict key access controls and auditing.”
The data and metadata around an object stored in Cloud Storage are encrypted with a unique key using the 128-bit Advanced Encryption Standard algorithm, and the “per-object key itself is encrypted with a unique key associated with the object owner,” Barth wrote.
“These keys are additionally encrypted by one of a regularly rotated set of master keys,” he wrote. “Of course, if you prefer to manage your own keys then you can still encrypt data yourself prior to writing it to Cloud Storage.”
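The three-level hierarchy Barth describes (a per-object AES-128 key, wrapped by a per-owner key, itself wrapped by one of a rotated set of master keys) can be modelled in a few dozen lines. The Go program below is an added illustration, not Google's code; it assumes AES-GCM for every layer and an in-memory master-key list, both my choices rather than anything the post states, and shows why master rotation re-wraps owner keys without touching stored objects.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// randKey returns 16 bytes of key material (AES-128, as in the post); crypto/rand.Read
// is documented never to return an error from Go 1.24 on, so its result is not checked.
func randKey() []byte { k := make([]byte, 16); rand.Read(k); return k }
// aead builds AES-GCM; neither constructor can fail for a 16-byte key, so errors are dropped.
func aead(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }
// seal encrypts pt under key with AES-128-GCM, prefixing a random 12-byte nonce to the output.
func seal(key, pt []byte) []byte {
	nonce := make([]byte, 12)
	rand.Read(nonce)
	return aead(key).Seal(nonce, nonce, pt, nil)
}
// open reverses seal; it fails on a wrong key or any tampering with the blob.
func open(key, blob []byte) ([]byte, error) {
	if len(blob) < 12 { return nil, errors.New("blob too short") }
	return aead(key).Open(nil, blob[:12], blob[12:], nil)
}

// Object as stored: ciphertext plus its per-object key (DEK) wrapped under the owner key.
type Object struct{ Ciphertext, WrappedDEK []byte }
// Store models master keys -> owner keys -> DEKs; each owner key is sealed under masters[ver].
// This is a constructed in-memory model; real masters would live in a KMS/HSM with audited access.
type wrappedKey struct{ blob []byte; ver int }
type Store struct{ masters [][]byte; owners map[string]wrappedKey }
func NewStore() *Store { return &Store{[][]byte{randKey()}, map[string]wrappedKey{}} }

// ownerKey unwraps the owner's key with the master it was wrapped under, creating it on first use.
func (s *Store) ownerKey(owner string) ([]byte, error) {
	if wk, ok := s.owners[owner]; ok {
		return open(s.masters[wk.ver], wk.blob)
	}
	k, cur := randKey(), len(s.masters)-1
	s.owners[owner] = wrappedKey{seal(s.masters[cur], k), cur}
	return k, nil
}
// Put encrypts data under a fresh DEK and wraps that DEK under the owner key.
func (s *Store) Put(owner string, data []byte) (Object, error) {
	okey, err := s.ownerKey(owner)
	if err != nil { return Object{}, err }
	dek := randKey()
	return Object{seal(dek, data), seal(okey, dek)}, nil
}
// Get walks the chain back: master -> owner key -> DEK -> plaintext.
func (s *Store) Get(owner string, obj Object) ([]byte, error) {
	okey, err := s.ownerKey(owner)
	if err != nil { return nil, err }
	dek, err := open(okey, obj.WrappedDEK)
	if err != nil { return nil, err }
	return open(dek, obj.Ciphertext)
}
// RotateMaster adds a new master and re-wraps every owner key under it; objects and their
// wrapped DEKs are untouched, so the cost scales with the number of owners, not bytes stored.
func (s *Store) RotateMaster() error {
	cur := len(s.masters)
	s.masters = append(s.masters, randKey())
	for name, wk := range s.owners {
		k, err := open(s.masters[wk.ver], wk.blob)
		if err != nil { return err }
		s.owners[name] = wrappedKey{seal(s.masters[cur], k), cur}
	}
	return nil
}
```

A customer who prefers to manage their own keys, as Barth's last sentence allows, would simply call seal on the data before Put and keep that key outside the Store.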
Data collection programs revealed by former U.S. National Security Agency contractor Edward Snowden have raised questions about U.S. government data requests made to Internet companies such as Google for national security investigations.
A Google spokeswoman said via email the company does not provide encryption keys to any government and provides user data only in accordance with the law.
“Our legal team reviews each and every request, and we frequently push back when the requests appear to be fishing expeditions or don’t follow the correct process,” she wrote. “When we are required to comply with these requests, we deliver it to the authorities. No government has the ability to pull data directly from our servers or network.”
Chinese Hackers Go After Dissidents
August 26, 2013 by admin
Filed under Around The Net
The “Comment Crew,” a group of China-based hackers whose outing earlier this year in major media outlets caused a conflict with the U.S., has resumed its attacks against dissidents.
FireEye, a security vendor that specializes in trying to stop sophisticated attacks, has noticed attackers using a fresh set of tools and evasion techniques against some of its newer clients, which it can’t name. But Rob Rachwald, director of market research for FireEye, said in an interview Monday that those clients include an organization in Taiwan and others involved in dissident activity.
The Comment Crew was known for many years by security analysts, but its attacks on The New York Times, described in an extensive report in February from vendor Mandiant, thrust them into an uncomfortable spotlight, causing tense relations between the U.S. and China.
Rachwald said it is difficult to determine if the organizations being targeted now were targeted by the Comment Crew previously, but FireEye said last month that the group didn’t appear to be hitting organizations they had compromised before.
Organizations opposing Chinese government policies have frequently been targeted by hackers in what are believed to be politically motivated surveillance operations.
The Comment Crew lay low for about four months following the report, but emerging clues indicate they haven’t gone away and in fact have undertaken a major re-engineering effort to continue spying. The media attention “didn’t stop them, but it clearly did something to dramatically alter their operations,” Rachwald said in an interview.
“If you look at it from a chronological perspective, this malware hasn’t been touched for about 18 months or so,” he said. “Suddenly, they took it off the market and started overhauling it fairly dramatically.”
FireEye researchers Ned Moran and Nart Villeneuve described the new techniques on Monday on FireEye’s blog.
Two malware samples, called Aumlib and Ixeshe, had been used by the Comment Crew but not updated since 2011. Both malware programs have now been altered to change the appearance of their network traffic, Rachwald said.
Many vendors use intrusion detection systems to spot how malware sends data back to an attacker, which helps determine if a network has been compromised. Altering the method and format for how the data is sent can trick those systems into thinking everything is fine.
In another improvement, encryption is now employed to mask certain components of the programs’ networking communication, Rachwald said. The malware programs themselves, which are designed to steal data and log keystrokes, are basically the same.
Mandiant’s report traced the hacking activity to a specific Chinese military unit called “61398.” The company alleged that it waged a seven-year hacking spree that compromised 141 organizations.
Rachwald said it is strongly believed the Comment Crew is behind the new attacks given its previous use of Aumlib and Ixeshe. But the group has also re-engineered its attack infrastructure so much over the last few months that it is difficult to say for sure.
BlackBerry’s Secure Goes To iOS
July 1, 2013 by admin
Filed under Smartphones
BlackBerry continues to expand its support for Android and iOS with Secure Work Space, which separates work and personal apps and data, as the device maker tries to hold on to enterprise users by becoming more platform neutral.
Remaining relevant in a world where more than 9 out of 10 smartphones shipped are based on either Google’s Android or Apple’s iOS isn’t easy for BlackBerry. But the company still has fans in enterprise IT departments and hopes to remain an option for users by continuing to embrace the two dominant platforms. The company can already manage devices based on Android and iOS, and support for BlackBerry Messenger is on the way.
BlackBerry announced Secure Work Space in March and has now made good on a promise to ship it before June 30. The software is an add-on to BlackBerry Enterprise Service (BES) 10, and it adds a managed container to protect corporate data and applications running on Android and iOS devices.
Users get integrated email, calendar and contacts, as well as secure browser access to intranets and document editing capabilities. Data is protected both when stored on the device and when transferred to and from enterprise servers, according to BlackBerry.
“The concept is right and very similar to what AT&T offers with Toggle. Creating two different ‘personas’ on mobile devices is becoming a best practice for enterprises. Buying it from BlackBerry is probably most relevant for enterprises that have a major commitment to BlackBerry 10 and BES 10,” said Leif-Olof Wallin, research vice president at Gartner.
On BlackBerry 10 smartphones, BlackBerry has tightly integrated a personal and a work environment with the Balance feature.
BlackBerry is far from the only vendor that has adopted this concept. One competitor is Good Technology, which on Tuesday announced a whole host of new applications compatible with its Dynamics Security Mobility platform, which includes support for both app wrapping and encrypted app containers. The list of newcomers includes Mobility for SAP and remote access app Splashtop.
But for those interested in Secure Work Space, which is based on software from OpenPeak, the BES 10 server software is free to download. Client access licenses for Secure Work Space cost $99 per device per year. For enterprises that want to get their feet wet, the platform is also available as a 60-day free trial bundle that includes device management for BlackBerry 10, iOS and Android devices, as well as Secure Work Space licenses for 50 users.
SecurID CRACKED?
May 31, 2012 by admin
Filed under Around The Net
An analyst has come up with a technique that clones the secret software token that RSA’s SecurID uses to generate one-time passwords.
SensePost senior security analyst Behrang Fouladi said that the discovery has important implications for the safekeeping of the tokens. Fouladi demonstrated another way determined attackers could circumvent protections built into SecurID. By reverse engineering the software used to manage the cryptographic software tokens on computers running Windows, he found that the secret “seed” was easy for people with control over the machines to locate and copy. He provided step-by-step instructions for others to follow in order to demonstrate how easy it is to create clones that mimic verbatim the output of a targeted SecurID token.
Dell Intros Ivy Bridge Xeon Servers
Dell has become the first to announce servers using Intel’s latest Ivy Bridge Xeon E3 processors.
Intel launched its single-socket Ivy Bridge Xeon E3 processors a month after it wowed everyone with its dual-core Sandy Bridge Xeon E5 processors, and it has taken Dell only another month to announce the first servers to make use of Intel’s latest nearline server chip. Dell’s PowerEdge C5220 microserver uses Xeon E3 1200 series processors that have a thermal design power (TDP) as low as 17W.
Dell is pitching its PowerEdge C5220 servers towards high performance computing, cloud deployments and content delivery networks. While Dell calls the PowerEdge C5220 a microserver, that really isn’t a reference to its size or density, but rather to the fact that it is a single-socket server.
Dell offers the PowerEdge C5220 with either 17W or 45W TDP Intel processors supporting DDR3-1600 memory. The firm claims close to double the performance of previous generation single-socket servers, mainly due to a 50 per cent increase in density.
PayPal Wooing SMBs With Payments Service
March 23, 2012 by admin
Filed under Around The Net
PayPal is focusing on small businesses, service providers, and casual sellers on the move with its new PayPal Here service which allows vendors to process a variety of payments including checks and cards using their mobile phones.
The new service unveiled Thursday includes a free app and encrypted thumb-sized card reader, which allows merchants with an iPhone, and later Android smartphones, to process payments.
Merchants can accept payments by swiping cards in the card reader, scanning cards and checks using their phone cameras, or by entering card information manually into the app, the eBay unit said. They can also send an invoice and set payment terms, and accept PayPal payments from the app. The check facility, however, is only available in the U.S.
An iPhone version of the card reader and merchant app is available from Thursday to select merchants in the U.S., Canada, Australia and Hong Kong, with general availability in those countries scheduled for April. PayPal also plans to have an Android version of the merchant app by then. It will announce the availability of the service in more countries soon, it said.
Merchants pay a flat rate of 2.7 percent for card swipes and PayPal payments, while checks will be processed free of charge. Scanning of cards or typing the card information will be charged extra. PayPal Here merchants will also receive a business debit card for access to cash and 1 percent cash-back on eligible purchases.
PayPal will be competing with mobile payment systems from other providers such as Square and Intuit.
The key differentiator for PayPal Here in comparison to other small business mobile payment services is that it comes from a trusted brand in the online payments industry, with more than 100 million customers globally, David Marcus, vice president of mobile at PayPal, said in a blog post.