Archive for the ‘Security and Compliance’ category

Why you should insist on UEFI protected devices

March 28th, 2013

Security adviser/journalist/guru Roger Grimes makes a cogent argument for adoption of UEFI protected devices.

An interface layer between an operating system and firmware, UEFI offers much better security than PC BIOS. UEFI is an open standard that makes it harder to manipulate firmware in an unauthorized manner. Any UEFI-enabled component requires firmware updates to be digitally signed by a previously authorized party. UEFI also prevents other types of subversion, such as eavesdropping, boot changes, and so on. The latest version adds secure boot, which requires a unique key for each computer and each OS or low-level application; these keys can be revoked to block both known malware and unauthorized installations.

A novice malware writer could write a worm that could brick a significant number of the computers in your network. With a little more research and malicious code, they could brick not only your computers but also printers, network devices and (non-UEFI) mobile devices.

For mission-critical computers, I recommend that companies use UEFI-enabled computers and devices. Most end-users can’t tell the difference between a UEFI-protected computer and one that isn’t.
All new computer hardware that you buy should come UEFI-enabled, for several good security reasons. The original EFI specification didn’t offer much in the way of security. But version 2.3 (now under the UEFI name), and specifically 2.3.1, has solid security. It requires not only digital signatures for code updates, but enables the secure boot firmware-to-OS protection.

Today, UEFI and secure boot are easily the most secure protection firmware can have outside of a physical switch.
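As an added example (not from Grimes’s article or this post), a PowerShell function that reports the Secure Boot state described above on a Windows 8 / Server 2012 or later machine, including whether the firmware’s revocation list (the dbx variable) actually holds anything. It relies on the built-in SecureBoot module cmdlets Confirm-SecureBootUEFI and Get-SecureBootUEFI and must run in an elevated session.

```powershell
# Added example: report UEFI Secure Boot state and the size of the signature databases.
# Requires the built-in SecureBoot module (Windows 8 / Server 2012 and later) and an
# elevated session; on legacy BIOS the cmdlets throw, which is reported as a finding.
function Get-SecureBootReport {
    [CmdletBinding()]
    param()

    $report = [ordered]@{
        FirmwareIsUefi    = $false
        SecureBootOn      = $false
        AllowedDbBytes    = 0    # 'db'  : signatures allowed to boot
        ForbiddenDbxBytes = 0    # 'dbx' : revoked signatures (blocks known-bad loaders)
        Findings          = @()
    }

    try {
        $report.SecureBootOn   = [bool](Confirm-SecureBootUEFI)
        $report.FirmwareIsUefi = $true
    } catch {
        # Confirm-SecureBootUEFI throws when the platform is not UEFI
        $report.Findings += "Firmware is not UEFI (or cmdlet unsupported): $($_.Exception.Message)"
        return [pscustomobject]$report
    }

    if (-not $report.SecureBootOn) {
        $report.Findings += 'Secure Boot is disabled: unsigned boot loaders will be executed.'
    }

    foreach ($var in 'db', 'dbx') {
        try {
            $bytes = (Get-SecureBootUEFI -Name $var).Bytes.Length
        } catch {
            $bytes = 0
            $report.Findings += "Could not read UEFI variable '$var': $($_.Exception.Message)"
        }
        if ($var -eq 'db') { $report.AllowedDbBytes = $bytes } else { $report.ForbiddenDbxBytes = $bytes }
    }

    if ($report.ForbiddenDbxBytes -eq 0) {
        $report.Findings += 'dbx is empty: no revoked signatures, so known-bad loaders are not blocked.'
    }

    [pscustomobject]$report
}

Get-SecureBootReport | Format-List
```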

Password storage.

March 16th, 2013

This week Troy Hunt wrote a piece where he called for disclosure by websites (and really all applications) of the password storage mechanism. His explanation of what this might change in terms of Internet security is great, and while this might not actually make applications more secure, I’m not sure that many companies would want to be forced to disclose that they are storing passwords in plain text. Consumers are becoming more savvy, realize this is a poor way of managing systems, and will quickly learn which algorithms are strong and which are not.

Security threats – malicious code

March 3rd, 2013

The CSA (Cloud Security Alliance) has identified “The Notorious Nine,” the top nine cloud computing threats for 2013. The report reflects the current consensus among industry experts surveyed by CSA, focusing on threats specifically related to the shared, on-demand nature of cloud computing. See more at: http://www.infoworld.com/t/cloud-security/9-top-threats-cloud-computing-security-213428

Concern is rising in the security world over sophisticated malicious code that attacks a computer’s RAM, called “advanced volatile threats,” or AVTs. Once the payload is deployed, it can bury itself in RAM, hide from users, hide from anti-virus, hide from system administrators, and act as a staging point from which other attacks can be launched.

A Web developer has demonstrated a simple-to-execute exploit, FillDisk.com, that loads an almost unlimited amount of data onto the hard drives of people who access the site. It requires no user interaction and works with the Google Chrome, Microsoft Internet Explorer and Apple Safari browsers. It adds 1GB of data every 16 seconds on a MacBook Pro Retina equipped with a solid state drive, according to Feross Aboukhadijeh, the Web developer and computer science grad student who created the proof-of-concept site.

FillDisk.com manipulates the Web Storage standard included in the HTML5 specification. This standard is designed to make websites easier to use by allowing them to store data on visitors’ hard drives. The functionality can be useful when end users are filling out long forms; if the browser crashes before the form has been completed, the data that’s already been entered will be available when the person visits the site later. The creators of the standard specifically warn that browser developers should take steps to ensure websites can’t abuse the feature by writing unlimited amounts of data.

Mobile device management

January 19th, 2013

Mobile operations via mobile devices provide faster reaction and easier management of activities. However, a mobile device increases the work for IT in support and maintenance, and also introduces more challenges of supervision and security, e.g. risk of loss, theft or misuse. A mobile management solution is required to address 5 key aspects of device management.

We offer the award-winning, proven, affordable and feature-rich Mobi Connect solution.

The adoption of mobile devices in business is growing exponentially. BYOD or ‘bring your own device’ is now the norm for many industries, i.e. work across platforms and devices.

  • Reduce IT’s workload and increase their effectiveness: remote management, deployment of patches and installs, etc.
  • Ensure compliance with corporate policies – security lockdown, geofence tracking, disable and wipe remotely, alerts, detailed logs
  • Easily synchronise files with mobile workers
  • Track who is and who is not logged on, and their location
  • Track stolen or mislaid devices
  • Manage shared devices

Ask us about how to better manage your mobile devices, and also about our solutions for extending applications for mobile use, e.g. mobile CRM or field service management, mobile inventory and asset counting, mobile alert notifications and workflow approvals, mobile BI, etc.

Exchange server – SQL, Dynamics Ax, etc – reviews and audits

January 16th, 2013

A system cannot be better than its core components. We are frequently tasked with audits or support for failed projects, and usually the first line of inquiry is to check the install configurations and set-up; there are always issues discovered with basic set-ups.

Why?

The ownership of the tasks is unclear – the application consultant may feel he has only to install the application – next, next, next, etc.

Did the RAID and database come preinstalled by the hardware vendor? Did they have any idea how it was going to be used?

The client does not want to also pay for a DBA or Windows engineer to be involved in that install, especially where travel and hotel costs are involved.

The implementation partner does not want to overquote and the small print says that the server, operating system and database installs and set ups are the client’s responsibility.

In a smaller company there may be no specific DBA or Windows engineer; it may be the duty of a functional user to look after multiple systems and their administration, and also the emails, fax, printers, end-user hardware, the phones, part-time development and report writing, consumables management, etc., with either no formal or in-depth training, or very out-of-date skills.

Consultants are also often undertrained or misused – a finance product certification does not make you an installer; completing an install that works does not mean that backups are set up, or that memory, page sizes and temporary files are correctly sized, etc.

System prerequisites are not considered or referred to, and the configuration is often not documented.

No use is made of monitoring tools or scripts.

Often the requisite information comes from many sources beyond the reach of most client administrators, no matter how competent: white papers, knowledge base articles, obscure blog sites, TechNet, Books Online, CustomerSource and PartnerSource, implementation manuals. But which ones: the application, SQL, SSRS, SSAS, Windows, or dependent systems such as Outlook or Office tools? Knowledge of ports, firewalls or anti-virus systems? Which was the last update for the application, operating system and database, and are these supported together? How is this affected by virtualisation or the use of Citrix or Kerberos? And just how many times will internal IT staff in a medium-sized company do such an install? Who will provide the guidance or checklist and review it? Do they have a suitable test environment for testing patches before deployment?

There is often no process for testing patches and keeping security updated, or for testing recovery of backups, or system performance or security, or…

Many companies spend more on their company cars than they do on their key business systems. They invest in high-end motors, use licensed drivers, formally trained and tested, and undertake regular servicing at registered dealers, but expect to use tier 3 business solutions and cut-price untrained freelance consultants, uncertified staff, with inappropriate tools and training, no support agreement, etc., and then blame the system. Sometimes it’s not the car, it’s the driver.

It does not make sense to buy an expensive car and only drive it in first gear due to lack of training. Nor will it look good if it is never cleaned, nor will it run well with old oil and skimped services, tyres set to the wrong pressure, etc.

Business systems are an asset, not an expense – like any other asset you should consider how to get the most value out of it and how to extend its life and performance, and that also takes investment and management. The right way is usually the cheapest in the long run and delivers the most value.

Microsoft Exchange Server is the leading messaging platform in the world today, and can be found in SMBs, large enterprises and also behind cloud services of unimaginable scale. Exchange has been with us since its release in April 1996 and from that first version it has evolved to offer businesses and consumers outstanding features that they have come to rely upon heavily. This is fantastic! Until something happens… That is, something bad happens, or something really bad happens.

People have become dependent on these services and feel it immediately when they cannot access them; there are multiple preventative steps that we can take to help ensure that bad things don’t happen.

Are you an IT or business professional who needs to ensure:

  • that your organisation’s Exchange environment meets the needs of its user base
  • that Exchange is available
  • and (if that’s not enough) that Exchange performance is also excellent?

What about SQL issues?

  • Security updates not applied
  • SQL is running under an administrative account
  • Database integrity checks not scheduled
  • SQL Server has not been updated to the current service pack
  • The usage of NOLOCK
  • Large growth values (1GB+) for data / log files
  • Weak and blank passwords for SQL logins
  • Disaster Recovery Plan is not documented or does not exist
  • Clustered MSDTC configuration issues
  • Transaction log on the same drive as the database
  • No monitoring of database growth
  • No backup of master database
  • Incorrect collation
  • No reindexing or other maintenance tasks
  • No tests of backup restore

etc
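The PowerShell function below is an added example, not Synergy’s or Microsoft’s code, that runs a handful of the checks from the list above against a SQL Server instance through Invoke-Sqlcmd (SqlServer or SQLPS module assumed; the login needs VIEW SERVER STATE plus read access to master and msdb, and sys.dm_server_services needs SQL Server 2008 R2 SP1 or later). The instance name in the usage line is constructed.

```powershell
# Added example: audit a SQL Server instance for several of the set-up issues listed above.
# Each T-SQL check returns rows only when there is something to report, except the
# informational build-level query. Run from a session that can load Invoke-Sqlcmd.
function Invoke-SqlSetupAudit {
    param([Parameter(Mandatory)][string]$ServerInstance)

    $checks = [ordered]@{
        'Build and service pack level (informational)' = @"
SELECT SERVERPROPERTY('ProductVersion') AS version, SERVERPROPERTY('ProductLevel') AS level;
"@
        'SQL Server services running as LocalSystem or an Administrator account' = @"
SELECT servicename, service_account
FROM   sys.dm_server_services
WHERE  service_account IN ('LocalSystem', 'NT AUTHORITY\SYSTEM')
   OR  service_account LIKE '%\Administrator%';
"@
        'SQL logins with a blank password or a password equal to the login name' = @"
SELECT name
FROM   sys.sql_logins
WHERE  PWDCOMPARE('', password_hash) = 1
   OR  PWDCOMPARE(name, password_hash) = 1;
"@
        'Data/log files with a fixed growth increment of 1 GB or more' = @"
SELECT DB_NAME(database_id) AS db, name, type_desc, growth * 8 / 1024 AS growth_mb
FROM   sys.master_files
WHERE  is_percent_growth = 0 AND growth * 8 / 1024 >= 1024;
"@
        'Databases whose transaction log shares a drive letter with a data file' = @"
SELECT d.name
FROM   sys.databases d
WHERE  EXISTS (SELECT 1
               FROM   sys.master_files r
               JOIN   sys.master_files l ON l.database_id = r.database_id
               WHERE  r.database_id = d.database_id
                 AND  r.type_desc = 'ROWS' AND l.type_desc = 'LOG'
                 AND  LEFT(r.physical_name, 1) = LEFT(l.physical_name, 1));
"@
        'master database with no full backup in the last 7 days (or ever)' = @"
SELECT ISNULL(CONVERT(varchar(30), MAX(backup_finish_date), 120), 'never') AS last_full_backup
FROM   msdb.dbo.backupset
WHERE  database_name = 'master' AND type = 'D'
HAVING MAX(backup_finish_date) IS NULL
    OR MAX(backup_finish_date) < DATEADD(day, -7, GETDATE());
"@
    }

    foreach ($title in $checks.Keys) {
        $rows = @(Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $checks[$title] -ErrorAction Stop)
        if ($rows.Count -gt 0) {
            Write-Output "== $title =="
            $rows | Format-Table -AutoSize | Out-String | Write-Output
        }
    }
}

# Usage (constructed instance name):
Invoke-SqlSetupAudit -ServerInstance 'SQLSRV01\AX2012'
```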

Do you need help? Ask us about audits, reviews and training; we can involve Microsoft Premier Support engineers for complex sites if needed. Does your IT administrator need an introduction to some key system management tasks? What about PowerShell skills? This has become a must-have skill for management of SQL, Windows and Exchange Server. Let us train you.

There are many utilities to make your life easier – many are free or low cost.

If you are changing systems, or have system performance or security issues, or compliance worries for ITI, SOX, ITAM, the Basel accord, ISO 14000, etc., then we may be able to help. You don’t need to be a qualified motor mechanic to drive a car, but it helps to know the highway code and to have the right licence to drive. An HGV1 needs a few more skills than a bicycle, and as your business and system grow and technology changes it may be necessary to take a fresh look at your system set-up and support. A small investment at install and an annual review will usually have lasting benefits.

Is there more to choosing an ERP system than keeping the CFO happy?

December 12th, 2012

We are used to the idea that ERP systems will handle financials and inventory, but new technology creates new business processes, new opportunities and new competition. These are some of the features you might also want to check on before selecting a modern ERP solution:

1. Mobility. In our personal lives we are more mobile and connected. Sales of tablets, netbooks, mobiles, etc. continue to exceed projections, as does the use and proliferation of social media. We expect the same tools at work. Organizations large and small are becoming ever more mobile, to drive down costs and improve service. Mobile alerts, mobile reports and mobile BI are now expected. By 2013, 1.2 billion workers will be mobile, that is, 1/3 of the overall workforce. By 2014, 50% of devices used to access business solutions are expected to be smartphones. Will the solution you’re considering accommodate mobile workers?

2. IT Costs. Some people claim 84% of organizations have a remote workforce. This is typically true of the sales team, installation and service engineers, meter readers, delivery men, consultants, trainers, etc. But on average 85% of datacenter capacity is idle, and 70% of IT budgets are spent maintaining datacenter operations. What are inefficiencies like these costing your company? It’s not just the software; it’s the server room rental, the energy, the A/C, the hardware depreciation and obsolescence, insurance, cleaning, etc.

3. Access. Think about how people can interact with their solutions. Employees struggle when they can’t collaborate with people who don’t have full access to important data. Can people outside the solution or organization be given web and mobile access to specific reports, charts, graphs and KPIs? Is the data real-time? Marketing these days is frequently a self-service activity, as in many cases are business processes like booking on-line or checking in for a flight via a kiosk with a bar code on your mobile for a boarding pass, or searching a knowledge base for help. Project teams are geographically remote but need to update each other and to share plans.

4. Simplicity. Workers at home use laptops, phones, tablets, all their preferred devices, with a common experience, which makes them all easier to use. What do your staff really need?

I might throw in:

  • Cross-platform, cross-company workflows – for both centralised and decentralised services, faster responses and automation
  • Seamless integration with other applications, e.g. messaging and social media, or SharePoint or Office
  • Scalable architecture – businesses and technology both change fast and your system should enable, not constrain, your growth
  • Compliance and collaboration tools – why have expensive offices, why waste staff time on travel? Mobility, internet presentation tools, collaboration portal workspaces and cross-supply-chain collaboration are all factors, but you also have to think about security and compliance – what support do you have for these?
  • Competitive edge – you will not outstrip your competition just with new back office systems; can your solution provide vertical-specific features, can you adapt it to streamline your specific processes?
  • Can you easily handle data imports? New budgets, forecasts, costs
  • Can you easily handle new reporting requirements?
  • Can you easily handle new subsidiaries and acquisitions – language, currency, vertical requirements, localised statutory compliance?

Does it matter? Watch your competitors and see what they are doing but don’t wait too long!

Year end is a good time to rethink your strategies and your systems. If there are aspects of your business or systems that are not delivering, or you are not sure what is possible, then why not undertake a mini business review and let us help you understand how technology can help you to cut cost, add value or reduce risk, and to evaluate whether there is a business case.

Ingersoll Rand eVAYO Time and Attendance and Access Control systems

November 29th, 2012

Synergy Software Systems implements and supports the Schlage hand punch solution, which attracted a lot of interest at our stand in Gitex.

Interflex is a powerful T&A and access control software that has been used by major clients such as ports and airports, Olympic events, football stadiums, construction sites, offices, etc. and extends to rostering, visitor management, etc.

The new eVAYO product family consists of the IF-800 terminal for access control, the IF-5735 terminal for time & attendance recording, and PegaSys Office, an electronic lock for offline access control. With these three solutions, Interflex sets new standards in time & attendance recording and access control. The result: maximum reliability and unlimited security. http://www.youtube.com/watch?v=4Udt4oXBGVU&feature=plcp

Synergy Software Gitex 2012

October 16th, 2012

What a great start to the conference – literally hundreds of visitors to our stand. Some of the solutions that are creating a lot of interest:

  • Schlage Handpunch for access control together with Interflex software for exceptional Time and Attendance management and other new access control options kept the team busy as visitors queued up to try. Many features that cannot be matched, and of course we integrate to our HR, Payroll and Sunsystems financial solutions.
  • Microsoft Dynamics CRM – The many enhancements in Dynamics CRM 2011 and the familiar Microsoft ease of use and integration have delivered huge growth in users over the last year, and this year adoption is expected to grow even faster. Transactional business systems and sales analysis do not deliver the same bottom-line business benefits as a system with business processes configured to work the way you do, to provide better customer service and more informed and targeted marketing, and that focuses on understanding and strengthening customer relationships rather than just on financial analysis of transactions.
  • Prophix Corporate Performance Management: automate and manage the budget process, close your month and year end faster, simplify and automate consolidation, undertake detailed planning, ensure compliance. All built on Microsoft technologies that leverage SSAS, SQL, Excel and SharePoint. Understand the significant difference between the structured presentation of information delivered by Prophix Corporate Performance Management and traditional BI tools. Register for our seminars next month.
  • Asset Management: more functional, easier to use and lower cost than most ERP FA registers, with more flexible depreciation options and the ability to configure the system to hold additional data relevant to your business. The solution has additional modules for mobile asset count, integration to RFID readers for auto-tracking of assets, Planned Maintenance, and Project Management Accounting for Capital Projects.
  • IT Policy, Enforcement, Audit and Compliance. Government, pharmaceuticals, financial services and health care are some of the sectors where robust and compliant systems are essential. We offer a unique set of monitoring and control solutions, as well as unmatched failover disaster recovery.
  • Intralinks is a solution for encrypted document sharing and collaboration in a secure workspace. It is used by around 2 million users at any given time. The SaaS model lets you use it for just as long as you need, with just the right number of users for the task in hand, maybe a merger or an acquisition, a new product launch, or a sensitive large tender or contract. Vary the number of users by project, etc., and set precise rules on who can see and do what, when.

Still time to meet with us and we have not run out of coffee yet!

Access control

October 1st, 2012

The simple truth is, security is complicated. In any given facility there are multiple openings to secure, and multiple people who need access. Varied layers of clearance, employee turnover rates, and a long list of other factors play a role in dictating exactly which credential solutions make the most sense. The variables are infinite. Fortunately, so is our commitment to you. We leverage our security knowhow – and our incredible breadth of products – to build solutions that meet your needs. When you work with us, you’ll get all the support and information you need to make informed choices. That’s the essence of real security.

Multi-factor authentication, encryption, multi-purpose smart cards, biometrics, keys, codes.

aptiQ™ and XceedID® Readers are the newest line of forward-thinking products from Ingersoll Rand Security Technologies. Designed specifically to simplify your transition from older security platforms, these readers are versatile enough to interface with many systems, providing you the security you need now and into the future.

Passwords – Beware!

September 30th, 2012

Beware: The next time you get an email from privacy@microsoft.com in your inbox, just click Delete.

You’re likely to be the target of a phishing scam designed to steal Gmail, Yahoo, Windows Live and AOL passwords, according to Naked Security, a blog by IT security firm Sophos.

The emails are titled “Microsoft Windows Update” and urge recipients to verify their email accounts by entering personal login information.

Dear Windows User,

It has come to our attention that your Microsoft windows Installation records are out of date. Every Windows installation has to be tied to an email account for daily update.

This requires you to verify the Email Account. Failure to verify your records will result in account suspension. Click in the Verify button below and enter your login information on the following page to Confirm your records.

VERIFY

Thank you,
Microsoft Windows Team.

While the hoax is pretty slick, eagle-eyed Internet users will notice odd instances of capitalization and grammar that betray the email’s insidious intentions. Clicking on the “verify” link leads you to a third-party website that purports to be Microsoft.com, but isn’t. Here, users are warned that their computers are out-of-date and at high risk; they are then “required” to select one of four email providers and enter their username and password. Naturally, this information is sent directly to the scammers, putting recipients at risk of online identity theft.

Meanwhile last week the world’s largest professional organization for computer engineers exposed user names, plaintext passwords, and website activity for almost 100,000 of its members, some of whom are employees of Apple, Google, IBM, and other large companies.

The exposure provides outsiders with a candid view of the password choices of some of the world’s most influential software and hardware engineers. Many Internet users employ the same or a similar password for multiple accounts, with the average person using just 6.5 passcodes to access 25 separate accounts, according to one study.

Dragusin’s analysis revealed that a statistically significant sample of the exposed passwords is so overused that they typically take less than a second to be cracked by freely available programs such as Hashcat and John the Ripper. The password “123456” (minus the quotes) was used 271 times, while “ieee2012”, “12345678”, “123456789” and “password” were used 270, 246, 222 and 109 times respectively. Domain names in some of the exposed e-mail addresses included uspto.gov and ieee.org, among others.

Oracle password vulnerability

September 23rd, 2012

A researcher warned that a weakness in an Oracle login system, used in the company’s databases which grant access to sensitive information, makes it trivial for attackers to crack user passwords and gain entry without authorization. The problem stems from a session key that Oracle Database 11g Releases 1 and 2 sends to users each time they attempt to log on, according to Threatpost. The key leaks information about a cryptographic hash used to obscure the plaintext password. The hash, in turn, can be cracked using off-the-shelf hardware, free software, and a variety of attack methods that have grown increasingly powerful over the past decade. Proof-of-concept code exploiting the weakness can crack an eight-character alphabetic password in about five hours using standard CPUs.

Oracle engineers corrected the problem in version 12 of the authentication protocol, but apparently they have no plans to fix it in version 11.1. Even in version 12, the vulnerability isn’t removed until an administrator changes the configuration of a server to use only the new version of the authentication system. There are no overt signs when an outsider has targeted the weakness; the session key is sent whenever a remote user sends a few network packets or uses standard Oracle desktop software to contact the database server. All an attacker needs is a valid username on the system and a rudimentary background in password cracking.

The best way to prevent attacks that exploit the vulnerability is to install the patch and make the necessary configuration changes. Even those who continue to use vulnerable systems can take precautions that will go a long way. Passwords for all users should be randomly generated and contain a minimum of nine characters, although 13 or even 20 characters is better. The strategy here is to create a passcode that will take months or years to crack using brute-force methods, which systematically guess every possible combination of letters, numbers, and symbols.

New Poison Ivy attack on IE – critical patch released

September 23rd, 2012

Redmond late on Monday urged users to download the Enhanced Mitigation Experience Toolkit if they are using IE version 6 through 9. IE 10, which is set to debut with the new Windows 8 operating system, is not affected.

“Microsoft is aware of targeted attacks that attempt to exploit this vulnerability. A remote code execution vulnerability exists in the way that Internet Explorer accesses an object that has been deleted or has not been properly allocated,” Microsoft said in its advisory.

“The vulnerability may corrupt memory  in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted Web site that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the Web site.”

French security Web site ZATAZ.com reveals the exploit was discovered when analyzing a batch of files hosted on one of the servers the Nitro gang used to distribute attacks that exploited the Java vulnerability. HTML and Flash files were used to identify proper targets (Windows XP systems running IE 7 and 8), and a common technique called a ‘heap spray’ laid the groundwork for a successful iFrame attack against those systems, which exploited the vulnerability and used it to install a malicious program, 111.exe. That malware has been identified as a new variant of the Poison Ivy Trojan horse program.

If Microsoft issues a snap fix, then it means the threat is serious and you should patch immediately.

“Patch Tuesday was designed to introduce the least amount of disruption, so to break that cycle means Microsoft thinks this is a very real and serious threat where somebody can do damage. Microsoft is moving aggressively to halt the damage.

When you have a complex product there’s always a chance that somebody is going to discover a hole. The process should be that you fix the hole before somebody exploits it. One of Microsoft’s strengths is to respond so quickly to the threat. Not only will there be a patch, Microsoft will also attempt to identify the attacker and get him locked up.”

iTunes massive patch but worry about old Java installations.

September 18th, 2012

To fix 163 issues, a massive patch was recently published to WebKit, an open source technology for rendering HTML used by iTunes and many other applications, including Safari, Google’s Chrome and Yahoo Messenger.

The major incidents that have impacted users of the Mac OS X operating system target vulnerabilities in the Java platform. The good news is Qualys did not find any issues that seemed particularly critical.

The latest security update moves iTunes to version 10.7. The company announced on Wednesday that in October it would update the program with user interface changes to put the content front and center.

The most exploited attack vectors are outdated PDF readers and old Java installations.

Recent attacks have focused on exploiting Java, e.g. this month Oracle rushed out a patch to fix a flaw in the Java runtime environment that allows an attacker to take control of a Windows, Mac or Linux system with no action on the part of the user, aside from visiting a website with a Java-enabled browser. Earlier this year, the Flashback trojan infected some 600,000 Mac OS X systems using a vulnerability in Java.

RFID – Synergy Software Systems, Dubai – many successful projects

September 11th, 2012

This blog tends to focus on ERP, technology, etc.

So, for many readers it may be a surprise to learn that Synergy has been implementing mobility and RFID solutions since the early 1990s. This includes access control and T&A systems as well as large-scale asset tracking solutions, loyalty cards, etc. For example we have implemented solutions for a shopping mall, an IT department, hotel groups, a university, etc.

RFID technology is making major advances, year on year, and delivering bottom line results in many new ways.

JC Penney’s CEO announced the company’s plans to RFID-tag 100% of merchandise by February 2013.

American Apparel reported sales growth in the second quarter and cited their use of RFID as a significant tactic to improve profitability.

We have been seeing more companies benefiting from embedding RFID into their products. We are excited about the new capabilities that are emerging and the innovative applications that are enabled when Monza and Indy chips are embedded. The next version of the UHF Gen2 protocol includes loss identification/prevention, item anti-counterfeiting, security and machine-to-machine interfacing.

A recent announcement is the availability of the world’s first RFID reader network application for the Apple iPhone.

One of our partners has just announced an advanced fuel distribution RFID system, in addition to their established solutions like Jewellery tagging etc.

Synergy also provides asset tags, tagging services and mobile data collection services, e.g. for annual count. Our solutions work with integrated modules for Fixed Financial management and Planned maintenance, Capital project accounting, etc.

Expect to see more innovative applications as the technology advances and mass production of tags reduces costs.

Security security security

September 8th, 2012

Hackers got their hands on a database of 12 million Apple Unique Device Identifiers (UDIDs) apparently by hacking an FBI laptop.

Why does an FBI agent have user identification information about 12 million iPhone users on his laptop? How did the FBI get their hands on this data in the first place?

FBI said, “The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.”

Apple also denies giving the database to the FBI.

So where did the database come from? And are there really 12 million, or only one million? Lots of honeypot and conspiracy speculation on the blogs about this.

Another recent report is that fingerprint-reading software preinstalled on laptops sold by Dell, Sony and at least 14 other PC makers contains a serious weakness that makes it trivial for hackers with physical control of the machine to quickly recover account passwords, security researchers said.

The UPEK Protector Suite, which was acquired by Melbourne, Florida-based Authentec two years ago, is marketed as a secure means for logging into Windows computers using an owner’s unique fingerprint, rather than a user-memorized password. In reality, using the software seems to make users less secure than they otherwise would be. When activated, the software writes Windows account passwords to the registry and encrypts those with a key that is easy for hackers to retrieve. Once the key is acquired, it takes seconds to decrypt the password.

Windows account passwords are stored in the Windows registry almost in plain text, barely scrambled but not encrypted, said an advisory issued by Elcomsoft, a Russia-based developer of password-cracking software. When Protector Suite isn’t activated, Windows doesn’t store account passwords in the registry unless users have specifically configured an account to automatically log in. Security experts have long counseled people not to use automatic login.

The most obvious disadvantage is for those computers that have a Windows feature known as Encrypting File System enabled to prevent third parties from accessing sensitive files or folders. The key that unlocks that encrypted data is controlled by a Windows account password. Once the password is retrieved, the EFS-encrypted data stored on the computer can quickly be decrypted.

The account password could unlock other data that might otherwise be harder to obtain. The Windows Data Protection application programming interface, for example, is also closely tied to account passwords and controls access to credentials used by Outlook, Internet Explorer, and possibly other applications.

Any time a PC is physically controlled by a hacker, its passwords are vulnerable to cracking attacks, but without the UPEK Protector Suite hackers have access only to one-way password hashes, which, depending on the complexity of the underlying passcode, can take years or centuries to recover using brute-force methods. Use of the fingerprint software almost guarantees the success of the cracking operation, and it can also significantly reduce the time it takes.

The easily cracked passwords are stored in the Windows registry even after the Protector Suite software has been deactivated, and they are only removed when a user manually deletes them. The precise registry location of the encrypted password is not yet known.
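As an added example, not from the Elcomsoft advisory or this post, the PowerShell function below flags the two registry conditions described above (automatic logon, and a current or former Protector Suite installation matched by an assumed DisplayName pattern) and counts EFS-encrypted files in the current profile to show what a recovered account password would unlock. It assumes Windows PowerShell 3.0 or later and an elevated session.

```powershell
# Added example: report registry conditions that leave a Windows account password
# recoverable, plus the EFS exposure that password would unlock. Read-only.
function Test-RegistryPasswordExposure {
    [CmdletBinding()]
    param(
        # Profile tree scanned for EFS-encrypted files (assumption: the current user's)
        [string]$ProfilePath = $env:USERPROFILE
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Automatic logon: Windows keeps DefaultPassword in clear text under Winlogon
    #    when AutoAdminLogon is turned on, which is why automatic login is discouraged.
    $winlogonPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $winlogon = Get-ItemProperty -Path $winlogonPath -ErrorAction SilentlyContinue
    if ($winlogon.AutoAdminLogon -eq '1') {
        $findings.Add('AutoAdminLogon is enabled under Winlogon.')
    }
    if ($winlogon.DefaultPassword) {
        $findings.Add('A clear-text DefaultPassword value is present under Winlogon.')
    }

    # 2. Fingerprint software inventory: the weakly encrypted password stays in the
    #    registry even after Protector Suite is deactivated, so any trace of the
    #    product is worth reporting. The '*Protector Suite*' pattern is an assumption.
    $uninstallRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Protector Suite*' } |
        ForEach-Object {
            $findings.Add("Fingerprint software installed: $($_.DisplayName) $($_.DisplayVersion)")
        }

    # 3. Blast radius: the account password unlocks the user's EFS key, so count the
    #    files in the profile that carry the Encrypted attribute.
    $efsCount = @(Get-ChildItem -Path $ProfilePath -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted }).Count
    if ($efsCount -gt 0 -and $findings.Count -gt 0) {
        $findings.Add("$efsCount EFS-encrypted file(s) under $ProfilePath would be exposed by the recovered password.")
    }

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        EfsEncryptedFiles = $efsCount
        Findings          = $findings.ToArray()
        AtRisk            = ($findings.Count -gt 0)
    }
}

Test-RegistryPasswordExposure | Format-List
```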

Authentec no longer actively markets Protector Suite, but according to archived data from the UPEK website, the app ships, or used to ship, on laptops manufactured by 16 different companies. In addition to Dell and Acer, the other PC makers are Amoi, Asus, Clevo, Compal, Gateway, IBM/Lenovo, Itronix, MPC, MSI, NEC, Sager, Samsung, Sony and Toshiba.

Biometric readers are only as secure as the software that works with those readers. That is why we sell hand punch readers with 13-bit encryption.