FTC Pushes For Security Standards
Despite growing resentment from companies and powerful industry groups, the Federal Trade Commission continues to insist that it wants to be the nation’s enforcer of data security standards.
The FTC, over the past years, has gone after companies that have suffered data breaches, citing the authority granted to it under a section of the FTC Act that prohibits “unfair” and “deceptive” trade practices. The FTC extracted stiff penalties from some companies by arguing that their failure to properly protect customer data represented an unfair and deceptive trade practice.
On Thursday, FTC Chairwoman Edith Ramirez called for legislation that would bestow the agency with more formal authority to go after breached entities.
“I’d like to see FTC be the enforcer,” Law360 quoted Ramirez as saying at a privacy event organized by the National Consumers League in Washington. “If you have FTC enforcement along with state concurrent jurisdiction to enforce, I think that would be an absolute benefit, and I think it’s something we’ve continued to push for.”
According to Ramirez, the FTC supports a federal data-breach notification law that would also give it the authority to penalize companies for data breaches. In separate comments at the same event, FTC counsel Betsy Broder reportedly noted that the FTC’s enforcement actions stem from the continuing failure of some companies to adequately protect data in their custody.
“FTC keeps bringing data security cases because companies keep neglecting to employ the most reasonable off-the-shelf, commonly available security measures for their systems,” Law360 quoted Broder as saying.
An FTC spokeswoman was unable to immediately confirm the comments made by Ramirez and Broder but said the sentiments expressed in the Law360 story accurately describe the FTC’s position on enforcement authority.
The comments by the senior officials come amid heightening protests against what some see as the FTC overstepping its authority by going after companies that have suffered data breaches.
Over the past several years, the agency has filed complaints against dozens of companies and extracted costly settlements from many of them for data breaches. In 2006 for instance, the FTC imposed a $10 million fine on data aggregator ChoicePoint, and more recently, online gaming company RockYou paid the agency $250,000 to settle data breach related charges.
IBM To Become Cloud Broker
IBM is in the throes of developing software that will allow organizations to use multiple cloud storage services interchangeably, reducing dependence on any single cloud vendor and ensuring that data remains available even during service outages.
Although the software, called InterCloud Storage (ICStore), is still in development, IBM is inviting its customers to test it. Over time, the company will fold the software into its enterprise storage portfolio, where it can back up data to the cloud. The current test iteration requires an IBM Storwize storage system to operate.
ICStore was developed in response to customer inquiries, said Thomas Weigold, who leads the IBM storage systems research team in IBM’s Zurich, Switzerland, research facility, where the software was created. Customers are interested in cloud storage services but are worried about trusting data with third party providers, both in terms of security and the reliability of the service, he said.
The software provides a single interface that administrators can use to spread data across multiple cloud vendors. Administrators can specify which cloud providers to use through a point-and-click interface. Both file and block storage are supported, though not object storage. The software contains mechanisms for encrypting data so that it remains secure as it crosses the network and resides on the external storage services.
A number of software vendors offer similar cloud storage broker capabilities, all in various stages of completion, notably Red Hat’s DeltaCloud and Hewlett Packard’s Public Cloud.
ICStore is more “flexible” than other approaches, said Alessandro Sorniotti, an IBM security and cloud system researcher who also worked on the project. “We give customers the ability to select what goes where, depending on the sensitivity and relevance of data,” he said. Customers can store one copy of their data on one provider and a backup copy on another provider.
ICStore supports a number of cloud storage providers, including IBM’s SoftLayer, Amazon S3 (Simple Storage Service), Rackspace, Microsoft Windows Azure and private instances of the OpenStack Swift storage service. More storage providers will be added as the software goes into production mode.
“Say, you are using SoftLayer and Amazon, and if Amazon suffers an outage, then the backup cloud provider kicks in and allows you to retrieve data,” from SoftLayer, Sorniotti said.
ICStore will also allow multiple copies of the software to work together within an enterprise, using a set of IBM patent-pending algorithms developed for data sharing. This ensures that the organization will not run into any upper limits on how much data can be stored.
IBM has about 1,400 patents that relate to cloud computing, according to the company.
HP Retakes Server Lead
Hewlett-Packard reclaimed its server crown from IBM last quarter as the overall market contracted and Taiwanese vendors made big gains selling directly to Internet giants like Google and Facebook, according to an IDC report.
HP expanded its share of the market only modestly from a year earlier but IBM’s portion declined 4.5 points despite solid mainframe sales, to leave HP in the top spot. HP finished the third quarter with 28.1% of worldwide server revenue to IBM’s 23.4%, IDC said.
But the strongest growth was in the “ODM direct” segment, which IDC broke out for the first time this quarter. ODM stands for original design manufacturers: Taiwanese firms such as Quanta Computer, Wistron Group, Inventec and Compal, which sell partially and fully built servers to the big cloud providers.
It’s a growing segment and one that threatens the incumbents. ODMs accounted for 6.5% of server revenue last quarter, up 45.2% from a year earlier, IDC said. If the ODM category were a single vendor, it would be the third largest, ahead of Dell.
Almost 80% of the ODMs’ server revenue came from the U.S., primarily from sales to Google, Amazon, Facebook and Rackspace.
Overall, the server market declined 3.7% from a year earlier to $12.1 billion. It was the third consecutive quarter of declining revenue but IDC predicts improvement with a refresh cycle early next year. In terms of units shipped, volumes were about flat year over year, meaning average selling prices dropped.
Volume systems — mostly x86 servers — picked up slightly from last year, with 3.5% revenue growth. But sales of midrange and high-end systems dropped 17.8% and 22.5%, respectively, IDC said.
IBM fared worst of the top 5 vendors, with revenue down 19.4% due to “soft demand for System x and Power Systems,” IDC said. Dell retained third place with 16.2% of revenue, about flat from last year, while Cisco Systems and Oracle tied for fourth.
Cisco saw the most growth of the top vendors, with a nearly 43% revenue jump, IDC said.
App Stores For Supercomputers En Route
A major problem facing supercomputing is that the firms that could benefit most from the technology aren’t using it. It is a dilemma.
Supercomputer-based visualization and simulation tools could allow a company to create, test and prototype products in virtual environments. Couple this virtualization capability with a 3-D printer, and a company would revolutionize its manufacturing.
But licensing fees for the software needed to simulate wind tunnels, ovens, welds and other processes are expensive, and the tools require large multicore systems and skilled engineers to use them.
One possible solution: taking an HPC process and converting it into an app.
This is how it might work: A manufacturer designing a part to reduce drag on an 18-wheel truck could upload a CAD file, plug in some parameters, hit start and let it use 128 cores of the Ohio Supercomputer Center’s (OSC) 8,500 core system. The cost would likely be anywhere from $200 to $500 for a 6,000 CPU hour run, or about 48 hours, to simulate the process and package the results up in a report.
Testing that 18-wheeler in a physical wind tunnel could cost as much as $100,000.
Alan Chalker, the director of the OSC’s AweSim program, uses that example to explain what his organization is trying to do. The new group has some $6.5 million from government and private groups, including consumer products giant Procter & Gamble, to find ways to bring HPC to manufacturers via an app store.
The app store is slated to open at the end of the first quarter of next year, with one app and several tools that have been ported for the Web. The plan is to eventually spin off AweSim into a private firm and populate the app store with thousands of apps.
Tom Lange, director of modeling and simulation in P&G’s corporate R&D group, said he hopes that AweSim’s tools will be used for the company’s supply chain.
The software industry model is based on selling licenses, which for an HPC application can cost $50,000 a year, said Lange. That price is well out of the reach of small manufacturers interested in fixing just one problem. “What they really want is an app,” he said.
Lange said P&G has worked with supply chain partners on HPC issues, but it can be difficult because of the complexities of the relationship.
“The small supplier doesn’t want to be beholden to P&G,” said Lange. “They have an independent business and they want to be independent and they should be.”
That’s one of the reasons he likes AweSim.
AweSim will use some open source HPC tools in its apps, and is also working on agreements with major HPC software vendors to make parts of their tools available through an app.
Chalker said software vendors are interested in working with AweSim because it’s a way to get to a market that’s inaccessible today. The vendors could get some licensing fees for an app and a potential customer for larger, more expensive apps in the future.
AweSim is an outgrowth of the Blue Collar Computing initiative that started at OSC in the mid-2000s with goals similar to AweSim’s. But that program required that users purchase a lot of costly consulting work. The app store’s approach is to minimize cost, and the need for consulting help, as much as possible.
Chalker has a half dozen apps already built, including one used in the truck example. The OSC is building a software development kit to make it possible for others to build them as well. One goal is to eventually enable other supercomputing centers to provide compute capacity for the apps.
AweSim will charge users a fixed rate for CPUs, covering just the costs, and will provide consulting expertise where it is needed. Consulting fees may raise the bill for users, but Chalker said it usually wouldn’t be more than a few thousand dollars, a lot less than hiring a full-time computer scientist.
The AweSim team expects that many app users, a mechanical engineer for instance, will know enough to work with an app without the help of a computational fluid dynamics expert.
Lange says that manufacturers understand that producing domestically rather than overseas requires making products better, being innovative and not wasting resources. “You have to be committed to innovate what you make, and you have to commit to innovating how you make it,” said Lange, who sees HPC as a path to get there.
Researchers Build Flying Robot
December 4, 2013 by admin
Researchers say they have assembled a flying robot. It’s not designed to fly like a bird or an insect, but was built to simulate the movements of a swimming jellyfish.
Scientists at New York University say they built the small, flying vehicle to move like the boneless, pulsating, water-dwelling jellyfish.
Leif Ristroph, a post-doctoral student at NYU and a lead researcher on the project, explained that previous flying robots were based on the flight of birds or insects, such as flies.
Last spring, for example, Harvard University researchers announced that they had built an insect-like robot that flies by flapping its wings. The flying robot is so small it has about 1/30th the weight of a U.S. penny.
Before the Harvard work was announced, researchers at the University of Sheffield and the University of Sussex in England worked together to study the brains of honey bees in an attempt to build an autonomous flying robot.
By creating models of the systems in a bee’s brain that control vision and sense of smell, scientists hope to build a robot that would be able to sense and act as autonomously as a bee.
The problem with those designs, though, is that the flapping wing of a fly is inherently unstable, Ristroph noted.
“To stay in flight and to maneuver, a fly must constantly monitor its environment to sense every gust of wind or approaching predator, adjusting its flying motion to respond within fractions of a second,” Ristroph said. “To recreate that sort of complex control in a mechanical device — and to squeeze it into a small robotic frame — is extremely difficult.”
To get beyond those challenges, Ristroph built a prototype robot that is 8 centimeters wide and weighs two grams. The robot flies by flapping four wings arranged like petals on a flower that pulsate up and down, resembling the flying motion of a moth.
The machine, according to NYU, can hover and fly in a particular direction.
There is more work still to be done. Ristroph reported that his prototype doesn’t have a battery but is attached to an external power source. It also can’t steer, either autonomously or via remote control.
Twitter Tightens Security
Twitter Inc said it has put in place a security technology that makes it harder to spy on its users and called on other Internet firms to do the same, as Web providers look to thwart spying by government intelligence agencies.
The online messaging service, which began scrambling communications in 2011 using traditional HTTPS encryption, said on Friday it has added an advanced layer of protection for HTTPS known as “forward secrecy.”
“A year and a half ago, Twitter was first served completely over HTTPS,” the company said in a blog posting. “Since then, it has become clearer and clearer how important that step was to protecting our users’ privacy.”
Twitter’s move is the latest response from U.S. Internet firms following disclosures by former spy agency contractor Edward Snowden about widespread, classified U.S. government surveillance programs.
Facebook Inc, Google Inc, Microsoft Corp and Yahoo Inc have publicly complained that the government does not let them disclose data collection efforts. Some have adopted new privacy technologies to better secure user data.
Forward secrecy prevents attackers from exploiting one potential weakness in HTTPS, which is that large quantities of data can be unscrambled if spies are able to steal a single private “key” that is then used to encrypt all the data, said Dan Kaminsky, a well-known Internet security expert.
The more advanced technique repeatedly creates individual keys as new communications sessions are opened, making it impossible to use a master key to decrypt them, Kaminsky said.
“It is a good thing to do,” he said. “I’m glad this is the direction the industry is taking.”
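The distinction Kaminsky draws, as an added example that is not part of the original article: a toy Python model (standard library only, with a constructed 127-bit group that is far too small for real use) of a server that reuses one long-term Diffie-Hellman key for every session versus one that generates a fresh ephemeral key per session, followed by a check of what an eavesdropper who recorded the handshakes and later steals the long-term key can recover.

```python
"""Toy model of forward secrecy: static vs ephemeral Diffie-Hellman."""
import hashlib
import secrets

# Constructed toy group for illustration only. The Mersenne prime 2**127 - 1 is
# far too small for real deployments, which use ~2048-bit groups or elliptic curves.
P = (1 << 127) - 1
G = 3


def keygen():
    """Return a (private, public) Diffie-Hellman key pair in the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def transcript(*pubs):
    """Serialize the public values both sides saw (everything an eavesdropper records)."""
    return b"".join(p.to_bytes(16, "big") for p in pubs)


def derive_key(shared_secret, tr):
    """Derive a session key from the DH shared secret and the public transcript."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big") + tr).digest()


def static_dh_session(server_priv, server_pub):
    """Not forward secret: the server keys every session with its long-term DH key.
    Returns the session key and what a passive eavesdropper records."""
    c_priv, c_pub = keygen()
    tr = transcript(server_pub, c_pub)
    key = derive_key(pow(server_pub, c_priv, P), tr)
    assert key == derive_key(pow(c_pub, server_priv, P), tr)  # server side agrees
    return key, {"server_value": server_pub, "client_pub": c_pub}


def ephemeral_dh_session(server_priv, server_pub):
    """Forward secret: the server makes a fresh key pair for this session only.
    In TLS the long-term key would sign e_pub; that signature is omitted here."""
    e_priv, e_pub = keygen()
    c_priv, c_pub = keygen()
    tr = transcript(e_pub, c_pub)
    key = derive_key(pow(e_pub, c_priv, P), tr)
    assert key == derive_key(pow(c_pub, e_priv, P), tr)  # server side agrees
    del e_priv  # ephemeral secret is discarded once the handshake is done
    return key, {"server_value": e_pub, "client_pub": c_pub}


def recover_with_stolen_key(recording, stolen_server_priv):
    """Best effort of an attacker holding the recording plus the stolen long-term key:
    redo the server's DH computation with the only private value it has."""
    tr = transcript(recording["server_value"], recording["client_pub"])
    return derive_key(pow(recording["client_pub"], stolen_server_priv, P), tr)


def demo():
    """Run one session of each kind and report whether the stolen long-term key
    recovers the recorded session key."""
    server_priv, server_pub = keygen()
    static_key, static_rec = static_dh_session(server_priv, server_pub)
    eph_key, eph_rec = ephemeral_dh_session(server_priv, server_pub)
    return {
        "static_recovered": recover_with_stolen_key(static_rec, server_priv) == static_key,
        "ephemeral_recovered": recover_with_stolen_key(eph_rec, server_priv) == eph_key,
    }


if __name__ == "__main__":
    print(demo())
```

The attacker's only missing ingredient in the ephemeral case is a secret that no longer exists anywhere, which is exactly why the stolen key cannot unlock recorded traffic.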
Did Stuxnet Infect A Russian Nuclear Plant?
Kaspersky has claimed that the infamous Stuxnet computer worm “badly infected” the internal network of an unnamed Russian nuclear plant after it caused chaos in Iran’s nuclear facilities.
Speaking at a keynote presentation given at the Canberra Press Club 2013, Kaspersky CEO Eugene Kaspersky said a staffer at the unnamed nuclear plant informed him of the infection.
“[The staffer said] their nuclear plant network which was disconnected from the internet was badly infected by Stuxnet,” Kaspersky said.
“So unfortunately these people who were responsible for offensive technologies, they recognise cyber weapons as an opportunity.”
Stuxnet was discovered to have spread throughout industrial software and equipment in 2010 and is believed to have been created by the United States and Israel to attack Iran’s nuclear facilities. According to Kaspersky’s source, the malware was carried into the Russian nuclear plant and installed on a physically separated “air-gapped” network.
Kaspersky also made a rather outlandish joke during his speech, saying that all data is subject to theft. “All the data is stolen,” Kaspersky said. “At least twice.”
“If the claim of the Russian nuclear plant infection is true, then it’s easy to imagine how this “collateral damage” could have turned into a very serious incident indeed, with obvious diplomatic repercussions,” said security expert Graham Cluley.
“There is no way to independently verify the claim, of course. But it is a fact that Stuxnet managed to infect many computer systems outside of its intended target in Iran,” Cluley added. “Indeed, the very fact that it spread out of control was what led to its discovery by security firms.”
Earlier this year, Symantec claimed that the Stuxnet computer worm could date back further than 2010 and was more widespread than originally believed.
Symantec’s report called “The Missing Link” found a build of the Stuxnet attack tool, dubbed Stuxnet 0.5, which it said dated back to 2005 and used different techniques to sabotage industrial facilities.
Google Expands Malware Blocker
Google has expanded malware blocking in an early development build of Chrome to sniff out a wider range of threats than the browser already recognizes.
Chrome’s current “Canary” build — the label for very-early versions of the browser, earlier than even Chrome’s Dev channel — will post a warning at the bottom of the window when it detects an attempted download of malicious code.
Features added to the Canary build usually, although not always, eventually make it into the Dev channel — the roughest-edged of the three distributed to users — and from there into the Beta and Stable channels. Google did not spell out a timetable for the expanded malware blocking.
Chrome has included malware blocking for more than two years, since version 12 launched in June 2011, and the functionality was extended in February 2012 with Chrome 17. Chrome is now at version 30.
Canary’s blocking, however, is more aggressive on two fronts: It is more assertive in its alerts and detects more malware forms, including threats that pose as legitimate software and monkey with the browser’s settings.
“Content.exe is malicious, and Chrome has blocked it,” the message in Canary reads. The sole visible option is to click the “Dismiss” button, which makes the warning vanish. The only additional option, and that only after another click, is to “Learn more,” which leads to yet another warning.
In Canary, there is no way for the user to contradict the malware blocking.
That’s different than in the current Stable build of Chrome, which relies on a message that says, “This file is malicious. Are you sure you want to continue?” and gives the user a choice between tossing the downloaded file or saving it anyway.
As it has for some time, Chrome will show such warnings on select file extensions, primarily “.exe,” which in Windows denotes an executable file, and “.msi,” an installation package for Windows applications. Canary’s expansion, said Google, also warns when the user tries to download some less obvious threats, including payloads masquerading as legitimate software — it cited screen savers and video plug-ins in a blog posting — that hijack browser settings to silently change the home page or insert ads into websites to monetize the malware.
Google’s malware blocking is part of its Safe Browsing API (application programming interface) and service, which Chrome, Apple’s Safari and Mozilla’s Firefox all access to warn customers of potentially dangerous websites before they reach them.
In Chrome’s case, the malware warning stems not only from the Safe Browsing “blacklist” of dodgy websites, but according to NSS Labs, a security software testing company, also from the Content Agnostic Malware Protection (CAMP) technology that Google has baked into its implementation of Safe Browsing.
ATM Malware Found In Mexico
A malicious software program identified in ATMs in Mexico has been improved and translated into English, which suggests it may be used elsewhere, according to security vendor Symantec.
Two versions of the malware, called Ploutus, have been discovered, both of which are engineered to empty a certain type of ATM, which Symantec has not identified.
In contrast to most malware, Ploutus is installed the old-fashioned way — by inserting a CD boot disk into the innards of an ATM running Microsoft Windows. The installation method suggests that cybercriminals are targeting standalone ATMs, where physical access is easier.
The first version of Ploutus displays a graphical user interface after the thief enters a numerical sequence on an ATM’s keypad, although the malware can be controlled by a keyboard, wrote Daniel Regalado, a Symantec malware analyst, on Oct. 11.
Ploutus is programmed for a specific ATM model since it assumes there is a maximum of four cassettes per dispenser in the ATM. It then calculates the amount of money that should be dispensed based on the number of bills. If any of the cassettes have less than the maximum number of 40 bills, it releases whatever is left, repeating that process until the ATM is empty.
Kevin Haley, director of Symantec Security Response, said in an interview earlier this month that the attackers have deep knowledge of the software and hardware of the particular ATM model.
“They clearly know how this machine worked,” he said.
The source code of Ploutus “contains Spanish function names and poor English grammar that suggests the malware may have been coded by Spanish-speaking developers,” Regalado wrote.
In a new blog post, Regalado wrote that the attackers made Ploutus more robust and translated it into English, indicating the same ATM software can be exploited in countries other than Mexico.
The “B” variant of Ploutus has some differences. It only accepts commands through the keypad but will display a window showing the money available in the machine along with a transaction log as it dispenses cash. An attacker cannot enter a specific number of bills, so Ploutus withdraws money from the cassette with the most available bills, Regalado wrote.
Symantec advised those with ATMs to change the BIOS boot order to only boot from the hard disk and not CDs, DVDs or USB sticks. The BIOS should also be password protected so the boot options can’t be changed, Regalado wrote.
SalesForce Goes Hacking
Salesforce.com really wants to attract lots of developers to its Dreamforce conference next month in San Francisco. As in, really.
Last Friday, the cloud software vendor announced a “hackathon” would be held at the conference, with US$1 million going to the developer or team who creates the top prize-winning mobile application with Salesforce.com technology.
“It’s not going to be easy — $1 million is going to bring out the best of the best,” Salesforce.com said in Friday’s announcement. “So don’t wait until Dreamforce! You’re going to want to get started now. With Force.com, Heroku, ExactTarget Fuel, Mobile Services and more — you’ve got a killer array of platform technology to use.”
Salesforce.com will also be providing some “pretty amazing new technology” for use at the show, the announcement adds.
In order to participate, developers have to either register for a full conference pass or a special $99 hacker pass.
The hackathon reflects Salesforce.com’s long courtship of developers to its development technologies, its AppExchange marketplace and recent efforts to build out more tooling for mobile application development.
Developers taking part in the hackathon will have plenty of competition, with some 20,000 programmers expected to attend Dreamforce overall. A “Hack Central” area will be open around the clock, supporting coders who want to work until the wee hours on their application.
In order to qualify, an application can’t have been previously released. The entries will be judged on four criteria counting 25 percent each: innovation, business value, user experience and use of Salesforce.com’s platform.
The second-place finisher will receive $50,000, with $25,000 going to the third-place winner. Fourth and fifth place will get $10,000 and $5,000, respectively.
Some 120,000 people are expected to register for Dreamforce this year. While some of that total will be watching online rather than in person, Dreamforce is now operating at a scale rivaling Oracle’s OpenWorld event, which happened last month.