Exhibitions

21 – 22 MARCH 2012
Exhibition: Infosecurity World Exhibition & Conference 2012
Location: Kuala Lumpur, Malaysia
Booth: 3080/3095

Contact: Marcus  07-3335915/07-338215

A CENTRAL MEETING PLACE FOR INFORMATION SECURITY INDUSTRY 
Infosecurity World Exhibition & Conference 2012 will attract more than 5,000 local and international channel players, buyers and trade visitors. The show is organized to provide industry players with first-hand market information, industry developments and valuable networking opportunities.

Infosecurity World Exhibition & Conference 2012 is incorporating three other dedicated showcases, namely Data Storage Showcase 2012, Cloud Computing Showcase 2012, and Software Development Showcase 2012, to make it a more comprehensive platform for the infosecurity industry.

Whilst the exhibition offers market players an unrivalled opportunity to promote brands and secure million-dollar deals, infosecurity professionals will have every chance to see cutting-edge software and technologies demonstrated and, to add more value, to participate in the InfoSec Asia 2012 Conference, which is held concurrently.

Five predictions for security in 2012

This was an exciting/anxious year in the Internet security community, with big tech firms like Sony and RSA getting hacked, putting consumer data and corporate networks at risk, and with reports of attacks on utilities.

Scary things that go bump in the night are actually happening to computer systems that matter and it’s only going to get worse. Here’s what I think will happen in 2012.

Malicious Android apps will increase
As a target for malicious software, Android is the Microsoft of the mobile platform. Android has more than 50 percent of the smartphone market, eclipsing all others, so it’s the most attractive platform for scammers to target. While iPhone apps get vetted by Apple, Google’s open apps store model, which lacks code signing and a review process, makes it easy to distribute malware in apps.

The numbers bear this out. In the last six months, the number of malicious Android apps has doubled to 1,000, a report from mobile security firm Lookout says. Granted the vast majority of the malware–often disguised as legitimate apps–is found on third-party sites. But some malicious apps have made it to the Android Market. Google yanked about two dozen apps containing malware in May and nearly 60 malicious apps in March. (That’s not counting the nearly 30 apps pulled in December that appeared to be designed for fraud.)

Google moves quickly when problems are reported, but removing apps after-the-fact means there may be users who have downloaded them already. To be fair, the likelihood that the average Android user will encounter malware is very, very slim because most people avoid third-party sites where they are required to allow apps from unknown sources to be downloaded, and are thus assuming the risk. The hot apps market, in general, is problematic because mobile developers typically don’t have experience creating secure software. So keep your eye on this space.

A(nother) utility will get hacked
Hacking of corporate and government networks happens all the time. Now that SCADA (supervisory control and data acquisition) systems used in utilities and other critical infrastructure environments are being connected to the Internet, without the built-in security that traditional information technology networks have, it should come as no surprise that hackers will make their way into areas where they conceivably could cause real harm to the environment and people.

The first wake-up call for the industry was the Stuxnet malware that emerged last year that appeared to have been designed to sabotage Iran’s nuclear program. Then a leaked report in November appeared to be the first acknowledgement of a cyberattack on a U.S. critical infrastructure system, but the Department of Homeland Security denied that there had been an attack and ultimately it turned out to have been a false alarm.

E-voting machines will have security hiccups
We’re heading into an election year so that means get ready for the quadrennial voting snafus. Previous national elections have seen their share of problems with e-voting machines–votes not being recorded accurately and not allowing for adequate auditing, among other problems.

Even in the last election in 2008, a security flaw deleted votes from a computer database in one county in California, and there were reports of machine malfunctions in Pennsylvania and Virginia and mis-recorded votes in Ohio. Despite the problems, the machines may not be all that much improved by this coming election. Researchers warned in September that it is still possible for fraudsters to sneak hardware into an e-voting system that could be used to remotely change votes after they have been cast. If that fails, there’s always the Supreme Court.

People will continue over-sharing despite the privacy ramifications
This next prediction is a no-brainer, but it touches so many of our lives that to ignore it would be silly. We have become a society of sharing to the detriment of our personal privacy.

Social media provides a way for me to share every aspect of my life with people, from where I went to school to what restaurant I’m dining at tonight to who my friends are and what my pet looks like. The ego prompts us to accept all the friend requests and seek more followers, and to bombard them with more details of our lives than anyone needs to know. We also are unknowingly revealing sensitive information, such as when we post photos containing GPS coordinates without realizing that the shot of my home can easily lead strangers to my doorstep.

Companies like Facebook are offering increased integration so that my activities on the site and elsewhere are automatically shared with others. So now I can see what music my friends are listening to and what articles they are reading right now. But advertisers are privy to more information about us collectively, and me individually as well. Many people don’t care if they see ads targeted to their tastes and lifestyle, but I doubt most of them really want to be blasting their commuting route, work hours, and up-to-the-minute whereabouts to the world.

Companies need to better explain the privacy implications of the new features they offer, but consumers need to be asking themselves questions before they push “post,” such as “Do I care if people I don’t know or enemies are able to see this?”

Hacktivists will form a new 99 Percent Party
There’s no doubt that 2011 can be called the Year of the Hackers. The Anonymous movement and its offshoots, notably LulzSec, gained fame and notoriety for their denial-of-service attacks and data breaches on a host of targets. From Sony and the CIA to bankers, police officers, and Fox News, the attacks were a daily occurrence for months. With the emergence of the Occupy Wall Street protests, Anonymous actions became more organized and focused on a cause–political protest of financial inequality and corporate influence–and inclusive, online and offline.

The faceless hacktivists in Anonymous joined scores of everyday people to demonstrate in squares throughout the world and put a face, many faces, on the crisis of poverty and economic injustice. The Anons, as they call themselves, have ownership in the larger political movement and could provide the technical skills and online organization needed to create a new party that appeals not just to the tech-savvy Gen Y-ers, but to their parents and grandparents who are struggling to make ends meet.

sources: http://news.cnet.com/8301-1009_3-57347329-83/five-predictions-for-security-in-2012/?tag=txt;title

New NIST Biometric Data Standard Adds DNA, Footmarks and Enhanced Fingerprint Descriptions

The National Institute of Standards and Technology (NIST) published a revised biometric standard in November, 2011, that vastly expands the type and amount of information that forensic scientists can share across their international networks to identify victims or solve crimes. Biometric data is a digital or analog representation of physical attributes that can be used to uniquely identify us.

Hospitals Can Finally Put a Finger on Biometrics

Biometric deployments in healthcare have traditionally been extremely difficult and problematic. Most conventional biometric systems fail to operate reliably in the harsh environments and situations found in most hospitals today. Frequent hand washing, heavy use of chemicals and cleaners, the wearing of latex gloves and a wide range of demographic issues make biometric enrollment and authentication quite difficult and challenging.

Because dry skin is so prevalent in the healthcare industry, due in part to constant hand washing, traditional fingerprint sensors can produce up to a 20 percent failure rate. In other situations, when the policy allows it, healthcare workers wearing latex gloves do not want to remove them to use the biometric reader. However, multispectral fingerprint sensors capture fingerprint data beneath the surface of the skin so that dryness or gloves create no problems for reliable reads.

That’s why biometric implementations using multispectral fingerprint sensors are becoming the solution for hospitals that spend $100 to $200 per employee per year supporting password-based systems – and even more for token- or card-based systems – while trying to ensure the protection and safety of patient information.

Multispectral biometrics play an important role in healthcare applications, especially when there is a need to control access through positive identification of authorized users. HIPAA regulations mandate patient confidentiality and biometrics can help ensure that only authorized personnel gain access to those records. Another application is matching the correct patient to the correct record: a high-performing biometric verification system can reduce medical errors. Biometrics help minimize insurance fraud and theft of controlled inventories such as pharmaceuticals, and they can secure against the unauthorized use of expensive medical equipment.

In addition to controlling access, multispectral biometrics play a role in facilitating operational efficiency in healthcare. Most security solutions are, by their nature, designed to block rather than facilitate transactions. However, carefully designed biometric systems can streamline operations by providing quick and easy access to authorized users. Further, biometric systems can enforce and document compliance with hospital policies and procedures, enhancing patient and staff safety.

But biometrics is only viable if the technology and solution can be made to work reliably for every user, every time. Today, the cutting-edge biometric technology multispectral fingerprint, which has the unique ability to “see” beneath the surface layer of skin, is having a dramatic impact on user performance and real-world experience in the healthcare industry. Not only can multispectral fingerprint handle the environmental factors that can affect fingerprints, but it is also the only technology on the market today that can extract a fingerprint image from a gloved hand. It’s a solution that is now showing up in healthcare facilities worldwide.

source: http://insurancenewsnet.com/article.aspx?id=304056

Biometrics Beyond Fingerprints And Iris Scans

Fingerprint, palm, iris, and retina scans are familiar, as are face and voice recognition technology. But have you heard of these biometric options?

DNA profiling:

DNA, the nucleic acid in nearly all living organisms that carries genetic information, is considered the ultimate biometric measurement. It produces proof-positive identification of a person, except in the case of identical twins. However, unlike other biometrics it compares actual samples rather than templates generated from samples. Its main drawback is that its comparisons can’t be made in real time, so for now its use is limited to forensic applications. Although there will no doubt be advances in DNA capture and analysis, the technology is unlikely to be suitable for anything other than highly secure government environments.

Ear recognition:

Human ears are unique in size, shape, and structure. Obtaining data on users’ ears is very similar to obtaining it for faces, but this form of biometrics will probably never take hold in a big way, as face recognition will always be more palatable and intuitive for users.

Gesture recognition:

Every person has unique mannerisms and body language. Analysis of body movements such as gait can be used to identify people from a distance. Gait is hard to disguise because a person’s musculature limits the variation of motion. This data can be obtained unobtrusively as measuring it doesn’t require personal contact.

Gesture recognition can provide continuous authentication, ensuring that only authorized people are in restricted areas. But a walking person generates lots of data, so this technology requires additional resources to store and analyze the data in real time. In addition, cameras must be set to capture more than just faces. This technology is suitable for organizations that must be kept highly secure on a 24/7 basis.

Typing and mouse recognition:

Keystroke length, typing speed, error patterns, and mouse movements all can be used to create a unique template that distinguishes one person’s typing from another’s. These characteristics can be continuously validated against a stored template as a person works in a system. This additional form of authentication will likely become the norm with infrastructures that support large numbers of users, such as customer support desks that regularly access sensitive data.

source: http://informationweek.com/news/security/client/231903309

Global Biometrics Market to Reach US$16.47 Billion by 2017, According to Global Industry Analysts, Inc. Report

Terrorist attacks, plane hijackings and increasing crime rates have underlined the need for greater security measures around the world. Consequently, biometrics is growing in eminence as an essential security measure taken at airports and other critical access sites. The e-passport projects for the US Visa waiver countries, EURODAC, Visa Information System (VIS), and the new generation Schengen Information System (SIS II) are other major drivers that are expected to encourage biometrics usage. Further, the limitations and inconveniences of alternative identification methods such as photographs, passwords and PIN codes drive the development as well as growth of biometric technologies. Biometrics usage would further increase in the public sector owing to criminal and civil security issues, and in the commercial sector for cost savings and convenience factors. The process of technology convergence is slated to become critical and virtually inevitable in future for sustaining growth and profitability.

Despite the popular perception that the Security Industry is one of the most recession-resilient industries worldwide, capable of providing a positive rate of return to an economy’s GDP, the global biometrics market ironically showed signs of weakening during 2007-2009, in the midst of steady deterioration in business climate. A key factor fingered to have triggered the decline was the collapse of the construction industry, especially new office, commercial and residential building projects, which brought down new installations of biometrics-based access control equipment in buildings and commercial spaces. Postponement and delays in government infrastructure projects, and cost cutting among commercial establishments and companies, also played instrumental roles in negatively impacting new equipment order influx rates. High levels of unemployment and pruning down of workforce during this period also softened corporate focus on biometrics-based time and attendance, labor management and timekeeping solutions. Widespread postponements, cancellation of security projects and delays in scheduled system replacements in existing facilities, as a result of distortions in economic variables such as drying up of debt markets, lack of capital investments and deep corporate budget cuts, resulted in declines in replacement demand.

However, given the length, breadth and duration of the 2007-2009 recession, the cumulative 12.1% decline in growth during the period, in fact highlights the relative resilience of the biometrics market in comparison with other industries, which witnessed acute and prolonged erosion in growth. In other words, despite the aforementioned deceleration in growth momentum, average annual growth when viewed in isolation, was still a healthy, indicating that the slowdown actually doled out its fair share of opportunities in this space in the form of increased crime rates and thereby increased incentive for investments in these technologies. For instance, recession induced consumer loss of confidence in financial institutions, surging crime rates in most urban and private residential areas, shattered confidence in public safety agencies and law enforcement departments, have all necessitated high-level security arrangements.

The trend towards securing valuable physical assets such as printed business records and documents, cash, data storage devices and jewelry at home, as a result of loss of confidence in financial institutions also generated demand for security systems in the residential sector. The complete collapse in public confidence can be thrown into sharp relief by the fact that bank deposits declined at astounding rates, and the stock market shed trillions of dollars in value. The scenario in general created opportunities for security equipment and biometrics solutions like non-AFIS/finger scan, and iris/retinal scan. Barring instances of withdrawals, postponements and delays of privately funded security projects, large-scale public sector projects were relatively stable and the continued investments in the same, helped support the biometrics industry. The market has also largely benefited from the growing frequency of terrorist attacks and the resulting increases in government expenditures on public safety.

With the global economy recovering in 2010, the biometrics market also staged a smart recovery, proving that a transient disruption in the economic climate like the recession is unlikely to leave an indelible mark on the market, as prevention of unauthorized access and detection of perpetrators will always remain vital in the overall security arrangements. Going further, growth in the biometrics market will be driven by increasing opportunities from emerging niche market segments. For instance, consumer-based wireless applications such as cellular phones, PDAs and portable computers, and laptops are expected to bolster sales in the silicon fingerprint sensors market.

Applications with the potential of short-term, quantifiable returns on investment, such as biometrics-enabled time and attendance tools, will also experience increased demand in the upcoming years, thereby driving market growth further. Government mandates and regulations have boosted and will continue to boost market prospects for biometrics. Security compulsions of government and law enforcement services will continue to encourage governments to enhance their spending on biometric technologies and adopt the same for government projects such as employee and national ID cards. A rise in product sophistication and a fall in prices, both induced by incremental technology development, will also help expand demand further. With businesses prioritizing safety and security of physical assets, there are opportunities galore in the biometrics market in the upcoming years.

As stated by the new market research report on Biometrics, the US continues to remain the largest regional market for biometrics. Asia-Pacific represents one of the fastest growing regional markets for biometrics, with dollar sales from the region waxing at a CAGR of about 23.8% over the analysis period. Characterized by burgeoning economies, increase in foreign investments, rise in business formation activities, presence of large relatively untapped private security markets and increase in crime rates, Asia-Pacific and Latin America have been witnessing increased adoption of security systems, particularly the latest biometric technologies such as iris scans and facial recognition. The Iris/Retinal Scan market is the fastest growing segment, by technology, with dollar sales waxing at a CAGR of about 25.9% over the analysis period.

Major players in the marketplace include 3M Corporation, AcSys Biometrics Corp., AuthenTec, Inc., BIO-key International, Inc., SecureTouch Retail Systems, Biometric Security Limited, Communication Intelligence Corporation, Ivrnet, DigitalPersona, Inc., Fujitsu Limited, i2 Inc., Imprivata, RCG Holdings Limited, SAFRAN Group, Morpho, SecuGen Corporation, NEC Corporation of America, Precise Biometrics AB, Sensory Inc., Atos Origin S.A., TSSI Systems Ltd., ZK Software, among others.

The research report titled “Biometrics: A Global Strategic Business Report” announced by Global Industry Analysts Inc., provides a comprehensive review of market trends, growth opportunities, technology overview, challenges, new product introductions, recent industry activity, and profiles of market players worldwide. Market estimates and projections are presented for technology segments AFIS, Non-AFIS/Finger Scan, Hand Geometry, Iris/Retinal Scan, Facial Recognition, Voice Recognition, Signature Verification, and Keystroke Dynamics/Typing Rhythms across all major geographic markets including the United States, Canada, Japan, Europe (France, Germany, UK and Rest of Europe), Asia-Pacific, Latin America and Middle East. End-use analysis for global Biometrics (excluding AFIS) market is provided for segments Government/Civil; Financial; Computer & Network Security; Access Control/Time & Attendance; Healthcare; and Others.

For full report, visit the following link: http://www.strategyr.com/Biometrics_Market_Report.asp

Global Industry Analysts, Inc., (GIA) is a leading publisher of off-the-shelf market research. Founded in 1987, the company currently employs over 800 people worldwide. Annually, GIA publishes more than 1300 full-scale research reports and analyzes 40,000+ market and technology trends while monitoring more than 126,000 Companies worldwide. Serving over 9500 clients in 27 countries, GIA is recognized today, as one of the world’s largest and reputed market research firms.

How to secure your PC in 10 easy steps

There’s one thing you can do to avoid being the victim of identity theft: follow this 10-step PC security plan.

Encrypt your network connection
Most popular sites offer HTTPS connections at least some of the time. In Gmail, click the gear icon in the top-right corner and select “Always use https” under the General tab.

To select Facebook’s HTTPS setting, click the down arrow in the top-right corner and choose Account settings. Select Security in the left pane and Edit in the Secure Browsing section of the main window. Check “Browse Facebook on a secure connection (https) when possible” and click Save Changes to activate the feature.

The Electronic Frontier Foundation’s HTTPS Everywhere extension for Firefox doesn’t encrypt every page you browse to, but it automatically requests an encrypted connection for those sites that support HTTPS and that have been added to the program’s rules.

After you install HTTPS Everywhere, the extension’s icon appears in the top-right corner of Firefox. Click it to view the encrypted and nonencrypted content served by the current page.

As the EFF’s HTTPS Everywhere FAQ points out, HTTPS Everywhere doesn’t work with every site and may conflict with some wireless networks, but the free add-on is a handy tool in your browser-security arsenal.

Encrypt sensitive files stored locally
The file-encryption features built into Windows and Mac OS leave much to be desired. Microsoft explains how to use Windows 7’s encryption on its Help and How-to site.

The Apple Support site describes Mac OS X 10.6’s FileVault encryption feature, and Macworld’s Roman Loyola provides a primer on Mac OS Lion’s FileVault 2.

These are far from your only encryption choices. In the past I have recommended the free TrueCrypt utility, but the program can be difficult to use. The Tech Support Alert site lists the best free encryption programs for Windows, many of which integrate with Windows Explorer.

Encrypt private information stored in the cloud
Is the data you store in the cloud safe? If you ask cloud-storage vendors, it is. But earlier this year The Economist took a critical look at the security of the popular Dropbox online-storage service. The article concludes that while the service may have overstated its security policies, it is safe enough for “casual” users.

In June 2009 I reviewed three free encrypted online storage services, and last April I compared Amazon’s Cloud Drive and Box.net.

Use a free VPN service to protect public Wi-Fi connections
Even if you only occasionally sign in to Web accounts over a public Wi-Fi link, you can prevent lurking snoops by using a free VPN service to secure the connection. In a post from last February I wrote about the SecurityKISS VPN service that’s easy to use and registration-free. The people commenting on that post recommended several other free VPN alternatives.

Prevent keystroke loggers, other data snoops
Computer criminals look for the path of least resistance, so they tend to attack the most vulnerable systems. To avoid being one of their victims, make sure your firewall and real-time antivirus software are working, and keep all your software up-to-date.

To ensure your Windows 7 PC’s defenses are raised, run through the security checklist on the Microsoft Help and How-to site. The company’s free Security Essentials program provides the real-time malware protection your system requires.

Last May I described three free services that automatically scan your system for outdated programs. My choice is Secunia’s Personal Software Inspector, which provides an overall system score and a threat rating for each unpatched program on your PC.

Perform a manual virus scan with the free Malwarebytes Anti-Malware
Even with automatic software updates and regularly scheduled malware scans, viruses can sneak through your defenses. That’s why it’s a good idea to use Malwarebytes’ free Anti-Malware program to scan your system manually. The utility was one of the security tools I covered in last September’s post titled “How to prevent identity theft.”

Disable images in e-mail
The people who send you e-mail may know when you open their messages and click links they contain. Programs such as Zendio, which I reviewed last month, pose a serious security threat, especially considering that the program also discloses your general location (via your IP address) when the message is opened.

To thwart e-mail snoops, disable images in your received messages. This prevents the HTML beacons used by the spies from being activated.

In October 2008 I described how to “View HTML mail from trusted senders, plain text from others.” A month later I explained how to send and receive plain text mail in Outlook–one of the tips in “Four essential tweaks keep Outlook safe and simple.”

In Gmail, click the settings icon in the top-right corner, choose Mail settings, and select “Ask before displaying external content.”
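What "disable images" does to a message, as an added example that is not part of the original article: a small filter that re-emits HTML mail with every automatically fetched remote reference removed, so an HTML beacon never contacts the sender's server. The tag and attribute list, the function names and the sample message are assumptions made for this illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes a mail client fetches automatically while rendering a message.
AUTO_FETCH = {
    "img": ("src", "srcset"), "input": ("src",), "video": ("poster",),
    "body": ("background",), "table": ("background",), "td": ("background",),
}


def is_remote(url):
    """True if loading this URL would contact a server (http, https or //host)."""
    url = url.strip()
    if url.startswith("//"):
        return True
    try:
        return urlsplit(url).scheme.lower() in ("http", "https")
    except ValueError:
        return True  # unparseable: treat as remote and block it


def fetches_remote(tag, name, value):
    """Decide whether one attribute would trigger a fetch when the mail is shown."""
    if name == "style":
        # CSS url(...) can load a beacon too; drop any inline style that uses it.
        return "url(" in value.lower()
    if name not in AUTO_FETCH.get(tag, ()):
        return False  # e.g. <a href>: only followed when the reader clicks
    if name == "srcset":
        return any(is_remote(c.split()[0]) for c in value.split(",") if c.strip())
    return is_remote(value)


class RemoteContentBlocker(HTMLParser):
    """Re-emits the message HTML, dropping attributes that auto-load remote content."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.blocked = [], []

    def _tag(self, tag, attrs, end):
        kept = [tag]
        for name, value in attrs:
            if value is not None and fetches_remote(tag, name, value):
                self.blocked.append((tag, name, value))
            elif value is None:
                kept.append(name)
            else:
                kept.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(kept) + end)

    def handle_starttag(self, tag, attrs):
        self._tag(tag, attrs, ">")

    def handle_startendtag(self, tag, attrs):
        self._tag(tag, attrs, " />")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def block_remote_content(html_text):
    """Return (sanitized_html, blocked) where blocked lists (tag, attribute, url)."""
    parser = RemoteContentBlocker()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out), parser.blocked


# Constructed sample: a 1x1 tracking image, an embedded (cid:) logo and a link.
SAMPLE_MAIL = (
    '<html><body><p>Hi &amp; welcome</p>'
    '<img src="http://tracker.example/open.gif?id=42" width="1" height="1">'
    '<img src="cid:logo@mail" alt="logo">'
    '<a href="http://shop.example/">shop</a>'
    '</body></html>'
)

if __name__ == "__main__":
    clean, blocked = block_remote_content(SAMPLE_MAIL)
    print(clean)
    for tag, attr, url in blocked:
        print(f"blocked <{tag} {attr}>: {url}")
```

Images embedded in the message itself (cid: references) and ordinary links survive, because neither is fetched until the reader acts.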

Be wary of e-mail attachments
The recent increase in spear phishing has made it more difficult to trust that an e-mail was actually sent by the person whose name appears in the From: field. A post in April titled “E-mail security: Back on the front burner” described the safe way to open e-mail attachments: right-click downloaded files and choose the option to scan the file manually with whatever security program you use.

Use a standard (nonadministrator) account in Windows
Nine times out of ten you use your Windows PC without installing a new program, changing any settings, or performing some other action that requires an administrator account. Yet few people use a standard Windows account, which is one of the best ways to keep malware from infecting your system.

To create a standard account in Windows 7, press the Windows key, type user accounts, press Enter, click “Manage another account,” and choose “Create new account.” Give the account a name, select the “Standard user” option, and click Create Account. The account will appear on the Welcome screen the next time you start Windows.

The Microsoft Help and How-to site provides more information about the benefits of using a standard user account (in Vista and in Windows 7).

Destroy old data
The last time you donated an old computer or recycled a storage device, you probably didn’t worry about someone stealing your identity by lifting sensitive data off the machine. It may not happen often, but it happens.

In a post from March 2009 I described “The right way to destroy an old hard drive.” As one commenter to that article pointed out, most people don’t need to resort to drill presses, sledgehammers, or sandpaper on the drive platter.

Adidas shuts down sites after cyber attack

Some Adidas Web sites remain offline today as a result of a “sophisticated” cyber attack discovered last week, the German sportswear company said.

“On November 3, 2011, the adidas Group found out that it was the target of a sophisticated, criminal cyber-attack. Our preliminary investigation has found no evidence that any consumer data is impacted,” the company said in a statement on its news stream site. “But, while we continue our thorough forensic review, we have taken down affected sites, including adidas.com, reebok.com, miCoach.com, adidas-group.com and various local eCommerce shops, in order to protect visitors to our sites.”

The company has put in place additional security measures, the statement added, without going into details. The company also did not say what happened.

As of this afternoon, adidas.com and miCoach.com were still inaccessible. “Due to technical difficulties our website is currently not available,” the Adidas site said.

“We are working to restore the site as soon as possible. As the site was also scheduled for a number of exciting updates, we will use the current down time to make those changes,” the miCoach.com site said. “This way the site will launch again with the latest and greatest developments already in place.”

source: http://news.cnet.com/security/?tag=hdr;brandnav

Online social networks: Malware launch pads

With the advent of social networks, the online world has become a virtual society. Social networks serve as seamless communication channels, but at the same time they are ideal launch pads for malware infections. As a result there has been a tremendous increase in the dissemination of malware infections through social networks.

The security and privacy mechanisms of social networks such as Twitter and Facebook have proven insufficient to prevent exploitation. As we know “To Err is Human,” and human errors lead to exploitation and manipulation whether the social network is online or offline.

Exploiting human trust, curiosity and ignorance

Social networks hold a plethora of personal information on the users that form the network. Individual connections between users collectively form a web of connections. To build each link between users an implicit trust is required between the two users and implicitly across the entire network. Any information provided by an individual user through chained connections becomes a part of the full network. If an attacker is able to exploit one user in the social network, they have the potential to be able to push malicious content (such as malicious URLs) into the network. The connectivity of the network enables the spread of the exploitation. That is, the attacker exploits the weakest link in the chain. This exploitation process is aided by the inability of users (and their stored objects) to determine the legitimacy of content flowing through the social network. The infection process begins with the exploitation of human ignorance and curiosity followed by spreading of the infection through the trust upon which the network is based.

In order to start the exploitation process, an attacker can pick any issue that affects human emotions to drive the user in a social network to follow the path generated by the attacker. Topics such as weather calamities, political campaigns, national affairs, medical outbreaks and financial transactions are used for initiating infections. Phishing and spamming are used extensively for spreading messages on these topics with malicious intent. Basically, it is a trapping mechanism used by attackers to infect an entire online social network.

Exploit mechanisms: The art of infection

Since social network exploitation begins by exploiting an individual user’s trust, curiosity, or ignorance, common attack strategies have emerged.

One of the simplest infection techniques is the injection of malicious URLs into a user’s message wall. Since it can be difficult to differentiate between legitimate URLs and illegitimate ones, even a careful user can be tempted to click on the link. Unfortunately for the user, clicking the hyperlink can result in automatic download of malware from a malicious domain through the browser.

The biggest problem with online social networks is that they do not have sufficient built-in protection against malware. For example, current social networks do not scan the URLs and embedded content coming from third-party servers such as Content Delivery Networks. Therefore, there is no mechanism to check the authenticity of URLs that are passed as message content among the user objects in online social networks. In addition, it is easy to upload malvertisements, and social networks fail to raise any warning. Online social networks are not harnessing the power of Safe Browsing APIs from Google or similar services to run a verification procedure before posting a URL back to a user profile. Lack of such basic protections is a key factor in making social networks vulnerable to exploitation.
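A sketch of the verification step described above, added here as an example and not taken from the article or from any social network's code. It assumes the request and response shapes of Google's Safe Browsing v4 Lookup API (`threatMatches:find`); the function names, the `fake_lookup` stand-in and the `.example` URLs are constructed for illustration.

```python
import re

# Assumption: request/response shapes follow the Safe Browsing v4 Lookup API
# (threatMatches:find). The network call is injected so this runs offline.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def extract_urls(message):
    """Return the distinct URLs in a post, in order, minus trailing punctuation."""
    seen = []
    for raw in URL_RE.findall(message):
        url = raw.rstrip(".,;:!?)")
        if url not in seen:
            seen.append(url)
    return seen

def build_lookup_request(urls, client_id="example-social-site"):
    """Build the JSON body for one batched lookup of every URL in the post."""
    return {
        "client": {"clientId": client_id, "clientVersion": "1.0"},
        "threatInfo": {
            "threatTypes": ["MALWARE", "SOCIAL_ENGINEERING"],
            "platformTypes": ["ANY_PLATFORM"],
            "threatEntryTypes": ["URL"],
            "threatEntries": [{"url": u} for u in urls],
        },
    }

def screen_post(message, lookup):
    """Decide publish/block/hold before a post reaches a profile.
    lookup: callable(request_dict) -> response_dict.
    Fails closed: if the lookup errors, the post is held for review."""
    urls = extract_urls(message)
    if not urls:
        return {"action": "publish", "flagged": {}}
    try:
        response = lookup(build_lookup_request(urls))
    except Exception:
        return {"action": "hold", "flagged": {}}
    # An empty response object means no URL matched a threat list.
    flagged = {m["threat"]["url"]: m["threatType"]
               for m in response.get("matches", [])}
    return {"action": "block" if flagged else "publish", "flagged": flagged}

# Constructed stand-in for the remote service (hypothetical data).
CONSTRUCTED_BAD = {"http://malware.example/free-gift": "MALWARE"}

def fake_lookup(request):
    entries = request["threatInfo"]["threatEntries"]
    matches = [{"threatType": CONSTRUCTED_BAD[e["url"]], "threat": {"url": e["url"]}}
               for e in entries if e["url"] in CONSTRUCTED_BAD]
    return {"matches": matches} if matches else {}
```

In a deployment, `lookup` would POST the request body to the service and the result would gate the write to the user's wall; holding the post on lookup failure keeps an outage from silently disabling the check.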

Finally, many social network users are not knowledgeable enough to differentiate between real and malicious entities. Ignorance not only results in exploitation, but also greatly impacts the overall security of online social networks. Because of the high connectivity and need for trust in a social network, users are particularly dependent on the built-in security features of online social networks, but those features are not tough enough to thwart many malware attacks.

Conclusion

Robust security and privacy mechanisms are indispensable for safe online social networking. Built-in security is necessary because attackers exploit trust, curiosity and ignorance to garner maximum profit. User awareness regarding security concerns is important but can only spread gradually, so social networks should be proactive and develop more sophisticated and stringent mechanisms to thwart malware infections. Safe and secure transmission of information and robust user privacy should be the paramount concern of the social networking companies.

Police data leaked as cop confab kicks off

Hacking collective Anonymous says it has once again leaked sensitive law enforcement information, in time for the National Day of Action Against Police Brutality as well as the opening of the annual conference of the International Association of Chiefs of Police.

According to a report in VentureBeat, Anonymous posted a notice on Pastebin late Friday claiming it had leaked more than 600MB of information gained by hacking into Web sites associated with the International Chiefs of Police (IACP), the Boston Police Patrolmens’ Association, and law enforcement agencies in Alabama’s Birmingham and Jefferson counties.

The leaked information includes internal documents, membership rosters, Social Security numbers, addresses, passwords, and other data, Anonymous says in today’s release. The group, and other hackers involved in its Antisec movement, said that in addition to being a statement of support for the police brutality protest and a jab at the IACP’s conference kickoff (both events happen today), the leak and associated Web site defacements were performed in solidarity with the Occupy Wall Street protests currently taking place in New York, Boston, and elsewhere.

“The IACP thought they could hold their 2011 annual conference in Chicago unfettered by the clutches of insurrection,” today’s notice reads. “They must not have known their conference starts on the Day of Action Against Police Brutality. They must not have known that all over the world people are in the streets demonstrating discontent with capitalism and the state. They also had no idea that for the past few months black hat hackers have been owning their Web sites and databases. They should have expected us.”

Of course, it’s not the first time Anonymous has leaked such information. In June, the collective released data pertaining to the Arizona Department of Public Safety, a move that led the department to express concern about the safety of its officers.

Anonymous was also involved in protests earlier this year against the Bay Area Rapid Transit system, a San Francisco area subway and rail network. BART police officers were responsible for two high-profile shooting deaths, and the system had also quashed wireless access in subway stations during a protest over one of the killings. As part of the protest, Anonymous defaced myBART, a Web-based rewards program for BART riders that, according to BART, also provides a way for the system “to support the venues, independent theaters, and community groups surrounding BART stations.” Anonymous leaked some customer e-mail and street addresses, as well as some customer passwords and phone numbers.

In today’s Pastebin document, the group said it had little concern for the safety of those whose information it had made available with this most recent leak.

“We are attacking the police because they are the vicious boot boys of the 1% whose role in society is to protect the interests and assets of the rich ruling class,” the document says. “They are not part of the 99%–they are working class traitors who are paid to intimidate, harass, and repress political movements that would possibly stand a threat to the power structure of the 1%. We have no problem targeting police and releasing their information even if it puts them at risk because we want them to experience just a taste of the brutality and misery they serve us on an everyday basis.”

The group said its latest actions were also meant as a show of support for those arrested and charged with being members of the collective. Arrests of people accused of being part of Anonymous or related group LulzSec have taken place around the world, including several rounds of apprehensions in the U.S., as well as detainments in the United Kingdom and Spain.

Source: http://news.cnet.com/8301-1009_3-20124208-83/police-data-leaked-as-cop-confab-kicks-off/?tag=txt;title
