Saturday, December 16, 2017

MiNiT Financial Services launches new world-class FinTech products at Money 20/20

SPARX GATEWAY LLC and CardNet Alliance exhibited at leading FinTech eventLas Vegas, USA, 23 October 2017: Macate Group Corporation, an American multinational corporation, and its affiliate MiNiT Financial Services, Inc. today announced the launch of tw...

Robotic bee goes for a fly and a swim

Enlarge Image RoboBee goes for a swim. Harvard Microrobotics Lab/SEAS A robot that can move through both water and air is exponentially more useful than a robot restricted to one or the other. Yet, it's not an easy feat. In nature, there are very f...

Fingerprint tech makes ATMs super secure, say banks. Crims: Bring it...

All those unchangeable PINs, up for easy swiping Cybercriminals are hawking their claimed ability to exploit newly introduced biometric-based ATM authentication technologies. Many banks view biometric-based technologies such as fingerprint recognition to be one of the most promising additions to current authentication methods, if not a complete replacement to chip and PIN. Crooks, however, regard biometrics as a new opportunity to steal sensitive information, research by Kaspersky Lab shows. Credit card-related financial fraud against ATMs started many years ago with primitive skimmers – homemade devices attached to an ATM and capable of stealing information from the card’s magnetic strip and PIN with help of a fake ATM pin pad or a web camera.

This information was subsequently used to make counterfeit cards. Over many years, the design of such skimmers has been improved to make them less visible.

Following the introduction of much harder (but not impossible) to clone chip-and-pin payment cards, the devices evolved into so-called “shimmers”.

These shimmers added the ability to gather information from the card’s chip, giving sufficient information to conduct an online relay attack.

The banking industry is responding with new authentication solutions, some of which are based on biometrics. Crooks have recently begun boasting about the ability to offer next generation ATM skimmers that circumvent these additional biometric-based authentication controls. According to a Kaspersky Lab investigation into underground cybercrime, there are already at least twelve sellers offering skimmers capable of stealing victims’ fingerprints. Moreover, at least three underground sellers are already researching devices that could illegally obtain data from palm vein and iris recognition systems. Researchers at the Russian security software firm spotted the first wave of biometric skimmers in “presale testing” last September.

Evidence collected by Kaspersky Lab researchers since suggests that during this prototype development process, developers discovered several bugs.

The main problem was the use of GSM modules for biometric data transfer – they were too slow to transfer the large volume of data obtained.

As a result, new versions of skimmers will use other, faster data transfer technologies. Ongoing discussions in underground communities cover the development of mobile applications based on placing masks over a human face. With such an app, attackers might be able to take a person’s photo posted on social media and use it to fool a facial recognition system. “The problem with biometrics is that, unlike passwords or pin codes which can be easily modified in the event of compromise, it is impossible to change your fingerprint or iris image,” said Olga Kochetova, a security expert at Kaspersky. “Thus, if your data is compromised once, it won’t be safe to use that authentication method again.

That is why it is extremely important to keep such data secure and transmit it in a secure way.” “Biometric data is also recorded in modern passports – called e-passports -- and visas.
So, if an attacker steals an e-passport, they don’t just possess the document, but also that person’s biometric data,” she added. The use of tools capable of compromising biometric data is not the only potential cyber-threat facing ATMs, according to the Kaspersky Lab researchers. Hackers will continue to conduct malware-based attacks, blackbox attacks and network attacks to seize data that can later be used to steal money from banks and their customers. More on Kaspersky’s research into the latest generation of threats against cash machines in general, together with possible countermeasure, can be found in a blog post on Kaspersky Lab’s blog here. ®

Augmented reality wins big in 1st Amendment legal flap

Pokemon Go craze prompted a Wisconsin county to regulate AR game play.

Forcepoint combines Raytheon, Websense and Stonesoft

Newly formed security firm Forcepoint combines technology and expertise from Raytheon, Websense and Stonesoft to focus on defending users, data and networks from internal and external threats. The move follows the successful integration of the technologies after a series of acquisitions, first of Websense by Raytheon in May 2015 and then of Stonesoft’s next-generation firewall business and Sidewinder proxy firewall technologies and teams from Intel Security in January 2016.   Forcepoint is a joint venture of the Raytheon Company and Vista Equity Partners, with the stated mission of enabling organisations to embrace transformative technologies such as cloud, mobility, internet of things (IoT) and others using a unified, cloud-centric platform with unified management and threat intelligence for faster, better decision making.   “Although the company already has 22,000 enterprise customers, we decided to rebrand to forge a new identity for the innovative things we plan to do,” Mike Siegel, vice-president of product management at Forcepoint, told Computer Weekly. The platform is designed to safeguard users, networks and data, while at the same time eliminating the inefficiencies involved in managing a collection of point security products. “We have set out to solve the intractable problem of securing users, data and networks in a world of escalating threat and dramatically changing infrastructure, compounded by the fact that most organisations have deployed dozens of disparate point products that do not communicate with each other, do not have an integrated understanding of threats, and do not share information to better piece together the full story,” said Siegel. A key object of the Forcepoint Triton security platform is to minimise the time between compromise and remediation, known as “dwell time”, and to stop theft by focusing on insider threat protection, cloud data protection and network security. Making security investments pay off The company, based in Austin, Texas, is also aiming to simplify compliance, enable better decision-making and streamline security. “Organisations need a system that doesn’t just create tens of thousands of new alerts that they somehow have to figure out what to do with, because they don’t have the people to chase each one of these alerts; they need a system that does a lot of that work for them,” said Siegel. Forcepoint’s platform is designed to correlate disparate events over time that may be part of a single, multi-vector attack to ensure that organisations apply limited resources only where necessary. “We have the expertise, financial commitment and ongoing access to unique, defence-grade security technology necessary to deliver this, said Forcepoint chief executive John McCormack. “Defend, detect, decide, defeat – this is our vision for Forcepoint 4D Security,” he said. Siegel said Forcepoint’s platform will be able to tap into third-party security systems with a set of application programming interfaces (APIs) to enable organisations to get more value out of their existing security investments. “This is a multi-year endeavour. It will take more than one quarter to accomplish, but we believe we have the necessary financial backing and the team that can do this,” he said. Three new security products The company launch coincides with the release of three new products to provide insider threat protection, cloud-based protection of Office 365 and security for highly distributed networks. Forcepoint’s SureView Insider Threat provides an early warning system to identify the riskiest users in an organisation, based on their behaviour and information from Forcepoint’s Triton AP-Data data loss prevention (DLP) system. According to Forcepoint, its Triton platform is now natively hosted in Microsoft Azure, enforcing DLP for Microsoft Exchange Online in Office 365, directly from Microsoft’s own cloud. “Forcepoint’s Triton security solutions enforce consistent policy across the cloud, on-premises and at endpoints, providing a unified, hybrid defence for distributed, highly mobile organisations,” a company statement said. Siegel said Forcepoint has built capability it its AP-Data and AP-Email products to make them applicable in an Offce 365 world. The Forcepoint Stonesoft firewall, it said, is designed to deliver the most resilient and distributed next-generation firewall to make strong network security easy for highly distributed organisations. “Stonesoft provides consistent visibility, responsiveness and policy enforcement across hundreds or thousands of locations with a single management console,” the company stated.  Siegel said once integration with the Stonesoft technologies is complete, existing Raytheon, Websense and Stonesoft customers will all “benefit from higher security efficacy and capability because of the shared, distributed network”. Forcepoint, he said, will continue to support all existing products and will provide the integration hooks to ensure that when Forcepoint’s products are used together, customers will be able to “extract more value”. Complementary technologies According to Siegel, there is no redundancy or overlap as occurs with some acquisitions, with all the technologies brought together by Forcepoint being entirely complementary. Asked about the cost implications of the move for existing customers, he said the total cost of ownership will remain the same, with no plans for changes to current licensing. However, he said, those customers which choose to consolidate on the Forcepoint platform will benefit from a reduced total cost of ownership. “Our main focus will be on helping customers to see the benefit of acquiring additional capabilities, such as those provided by our three newly launched products,” said Siegel Although some of these already have customers, he said the Sureview Insider Threat product has not been available before outside government contracts, and provides a capability that relatively few organisations have despite concerns about insider threats. “For existing customers, we are bringing new technology to help them address new problems such as the insider threat and moving to cloud that integrate with what they already have installed,” said Siegel. For entirely new customers, he said, Forcepoint’s strategy is to solve a problem that is meaningful and novel rather than expecting companies to rip out existing products and replace them with Forcepoint. “Once we have solved a problem well, we will focus on showing that other products in the portfolio mesh very well with the product they have just acquired from Forcepoint, and that because of the integrations we have built in, one plus one really equals three,” said Siegel. In this way, he said, the company hopes to win new business by proving that deploying Forcepoint’s Firewall, web gateway or other security product will save money, provide a better security experience, and consolidate the operational requirements for managing security products. “We are going to invest heavily in showing customers that owning multiple products under the Forcepoint platform is going to be in their best interest.”

Uber’s “Greyball” tool helped company evade authorities in Portland, Paris

Uber says the tool helps drivers avoid dangerous riders, potential competitors.

Most FCC commenters favor net neutrality—but you wouldn’t know it from...

Facing extensive net neutrality support, FCC is ready to gut open Internet rules.

Appeals Court: No stingrays without a warrant, explanation to judge

Josh Koonce On Wednesday, the Maryland Court of Special Appeals published a legal opinion finding that state police must not only obtain a warrant before deploying a cell-site simulator, but are required to also fully explain to the court what exactly the device does and how it is used. As Ars has long reported, cell-site simulators—known colloquially as stingrays, can be used to determine a mobile phone’s location by spoofing a cell tower.
In some cases, stingrays can intercept calls and text messages. Once deployed, the devices intercept data from a target phone along with information from other phones within the vicinity.

At times, police have falsely claimed the use of a confidential informant when they have actually deployed these particularly sweeping and intrusive surveillance tools.In recent years, stingray use has come under increasing scrutiny, with several states including California, Washington, Virginia, Minnesota, and Utah now mandating a warrant be issued for their use. Last year, the Department of Homeland Security and the Department of Justice also imposed new policies that require a warrant for stingray use in most cases. In an e-mail to Ars, American Civil Liberties Union attorney Nathan Wessler called Wednesday's opinion the "first appellate opinion in the country to fully address the question of whether police must disclose their intent to use a cell site simulator to a judge and obtain a probable cause warrant." "The court’s opinion is a resounding defense of Fourth Amendment rights in the digital age," he continued. "The court’s withering rebuke of secret and warrantless use of invasive cell phone tracking technology shows why it is so important for these kinds of privacy invasions to be subjected to judicial review. Other courts will be able to look to this opinion as they address rampant use of cell site simulators by police departments across the country." The case, known as State of Maryland v.

Andrews, involves a Baltimore man, Kerron Andrews, who was accused of attempted murder in connection to a shooting in April 2014.

As part of his legal defense, his lawyers pressed the government to disclose exactly how he was located inside a home and arrested on May 5, 2014.
It later came out that Baltimore police detectives used a "Hailstorm," a specific model of cell-site simulator. In August 2015, Maryland Circuit Court Judge Kendra Ausby ruled in favor of the defense’s request to suppress all evidence obtained as a result of the use of the stingray. Prosecutors then appealed the case up to the Court of Special Appeals, which has now upheld that ruling.

Absent the evidence obtained via the stingray, further prosecution of this case will be nearly impossible, unless the Maryland Court of Appeals takes up the case. As the Maryland Court of Special Appeals concluded: We determine that cell phone users have an objectively reasonable expectation that their cell phones will not be used as real-time tracking devices through the direct and active interference of law enforcement. We hold, therefore, that the use of a cell site simulator, such as Hailstorm, by the government, requires a search warrant based on probable cause and describing with particularity the object and manner of the search, unless an established exception to the warrant requirement applies. “We are troubled” The court also concluded that the government could not rely on a pen register application, which it had obtained.

Authorities often opt for pen registers because, under federal law, these are granted under a very low standard.

Authorities must simply show that information obtained from the pen register is "relevant to an ongoing criminal investigation"; they don't need the probable cause required for a warrant.
In this case, police appear to have taken the permission to use a pen register as permission to also deploy a stingray, which has far more capability than the simple "trap and trace" functionality offered by a pen register. As the three-judge panel found: Here, the State inserted language into its application and proposed order attempting to, without being specific, obtain court authorization for more than a pen register trap & trace order.

Although the application does request authorization to use a "Cellular Tracking Device," it fails to name or describe any cell site simulator.
In fact, there is absolutely nothing in the application or order that identifies the Hailstorm device, or provides even a rudimentary description of cell site simulator technology.

The application also failed to identify any geographical limitation to the BPD’s use of the undisclosed surveillance technology, and did not explain what was to be done with the information collected. Nor did the application disclose the possibility that the technology employed may capture the cell phone information (unique serial numbers) of innocent third parties in range of the target area.

Finally, we are troubled that the application for a pen register trap & trace order did not fully apprise the circuit court judge from whom it was sought of the information that it would yield.

Based on the application that he received, the circuit judge was entitled to expect that the results would be a list of telephone numbers that Andrews called and that called Andrews—not a real-time fix on his location. We determine that the pen register trap & trace order in this case failed to meet the requirements of a warrant. The 74-page opinion also excoriated what the Baltimore Police Department, like many other law enforcement agencies nationwide have done: concealed the use stingrays via a nondisclosure agreement signed between them and manufacturer Harris Corporation. The analytical framework requires analysis of the functionality of the surveillance device and the range of information potentially revealed by its use.

A nondisclosure agreement that prevents law enforcement from providing details sufficient to assure the court that a novel method of conducting a search is a reasonable intrusion made in a proper manner and "justified by the circumstances," obstructs the court’s ability to make the necessary constitutional appraisal. The court added that this nondisclosure agreement remains "inimical to the constitutional principles we revere." A related case examining the warrantless use of stingrays, known as United States v. Patrick, is currently pending before the 7th Circuit Court of Appeals in Chicago.

That ruling, which could come down at any time this year, would be the first such ruling in a federal appeals court. The Maryland State’s Attorney’s Office did not immediately respond to Ars’ question as to whether it would be appealing this ruling further, to the Maryland Court of Appeals, the state's highest court..

IPv6 router bug: Juniper spins out hotfix to thwart DDoS attacks

reader comments 7 Share this story Juniper Networks has found and mostly patched a flaw in the way the firmware on its routers process IPv6 traffic, which allowed malicious users to simulate Direct Denial of Service attacks.The vulnerability, which seems to be common to all devices processing IPv6 address, meant that purposely crafted neighbour discovery packets could be used to flood the routing engine from a remote or unauthenticated source, causing it to stop processing legitimate traffic, and leading to a DDoS condition. According to Juniper's advisory report: The crafted packet, destined to the router, will then be processed by the routing engine (RE).  A malicious network-based packet flood, sourced from beyond the local broadcast domain, can cause the RE CPU to spike, or cause the DDoS protection ARP protocol group policer to engage. When this happens, the DDoS policer may start dropping legitimate IPv6 neighbors as legitimate ND times out. Note that this is similar to the router's response to any purposeful malicious IPv6 ND flood destined to the router.

The difference is that the crafted packet identified in the vulnerability is such that the forwarding controllers/ASICs should disallow this traffic from reaching the RE for further processing.

Additionally, due to the routable nature of the crafted IPv6 ND packet, the attack may be launched from beyond the local broadcast domain. The bug was first spotted in late May, when it was isolated in the firmware Cisco deploys to run IPv6 routers.

Cisco released workarounds and a partial fix in July, though these are still marked as being on an "interim" basis. Juniper's hotfixes, meanwhile, were made available yesterday evening.

Both firms have reported the issue, and a fix should be forthcoming in a future release of IPv6. According to Cisco, "any IPv6 processing unit not capable of dropping such packets early in the processing path or in hardware is affected by this vulnerability." The 20-year-old IPv6 protocol is slowly catching on around the world as the system it was designed to replace, IPv4, is rapidly running out of unused public addresses.

There's much still to be done, however, with the UK only 10.5 percent migrated onto the newer 128-bit system, putting it in 15th place overall in the world. Belgium is the only major country to have made significant inroads, with 42.1 percent of its traffic now using IPv6; the US has just over a fifth of its addresses migrated, but China, which has more than 710 million Internet users, is nowhere, with just 0.4 percent of its traffic using it.
Sky and BT have major plans to bring the bulk of their user bases onto the new architecture by the end of 2016. This post originated on Ars Technica UK

HotDocs announces keynote speaker at HUG 2017

HotDocs, the industry leader in document automation technology, has today announced that Dave Coplin, author and technology visionary, will deliver the keynote address at the HotDocs User Group (HUG) in June 2017.With over 25 years in the technology in...

Hyde selects 1st Touch Mobile to deliver mobile working solutions

The Hyde Group, one of London's leading social housing providers, has chosen the enterprise mobile workforce software solution from 1st Touch ( to help deliver mobile working solutions to staff. This forms part of a wider investment by...

IDG Contributor Network: Orchestration tools enable companies to fully exploit Linux...

Companies that need to deliver applications quickly and efficiently — and today, what company doesnrsquo;t need to do this?— are turning to Linux containers. What they are also finding is that once they get past the “letrsquo;s see how these container things workrdquo; stage, they are going to end up with a lot of containers running in a lot of different places.Linux container technology is not new, but it has increased in popularity due to factors including the innovative packaging format (now Open Container Initiative (OCI) format) originally invented by Docker, as well as the competitive requirement for continual development and deployment of new applications.
In a May 2016 Forrester study commissioned by Red Hat, 48 percent of respondents said they were already using containers in development, a figure projected to rise to 53 percent this year. Only one-fifth of respondents said that they wouldnrsquo;t leverage containers in development processes in 2017.To read this article in full or to leave a comment, please click here