News

TCG releases TPM 2 specification for improved security

The Trusted Computing Group (TCG) has announced the availability of the Trusted Platform Module (TPM) 2.0 library specification. TPMs are designed to provide a secure root of trust to protect data in computers and mobile devices from digital and physical attacks, theft or loss. According to the TCG, the latest TPM specification provides "a critical vendor-neutral technology response" to the global need for a more secure computing environment.

Since 2006, many new computing devices have been sold with a built-in TPM chip, but few enterprises have so far embraced the technology in their information security strategies. However, Microsoft's decision to focus on active embedded hardware security in Windows 8 is expected to bring the TPM into the mainstream for enterprises.

The TPM specification is based on contributions and feedback from TCG member companies and security technology experts from silicon makers, device makers, software providers, researchers, governments and academic institutions. The TCG is also making available the PC Client Platform TPM Profile (PTP) specification, the first in a series of specifications to enable developers and manufacturers to design TPMs into their products. Specifications for additional platforms, including mobile devices and embedded systems, will follow, the TCG said.

Hundreds of millions of TPMs are embedded into PCs, servers, networking gear, embedded systems and other computing devices. They can be used to help protect computers against unauthorised changes from malware, rootkit attacks and similar malicious activities. TPMs enable more secure processes within the system, such as digital signatures and key exchanges. The TPM can also help ensure that unsafe, unverified or out-of-date systems do not connect to a corporate network by providing a built-in means to authenticate devices and users.

The TPM 2.0 specification responds to the exponential explosion of devices that require protection from cyber threats both inside and outside the traditional enterprise system firewalls, the TCG said. With growing market demand for enhanced security and privacy, TPM 2.0 is designed to offer comprehensive protections based on hardware roots of trust. "Together with support for upgraded cryptographic algorithms, the TPM 2.0 specification is designed with cryptographic agility to allow support for more algorithms in the future," the TCG said.

TPM 2.0 is also designed to offer the flexibility for industry implementations across a broad range of platforms including servers, desktops, embedded systems, mobile devices and network equipment. To accommodate all of these different platforms, the new specification enables the TCG to develop platform-specific specifications using TPM 2.0 to meet the requirements of each platform.
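The article describes a TPM as a hardware root of trust that detects unauthorised changes and supports several hash algorithms at once ("cryptographic agility"). The following added example, which is not TCG code and not from any vendor's TPM, simulates in plain Python the extend-only Platform Configuration Register (PCR) behaviour that underlies this: each boot component is hashed into the register as new = H(old || H(component)), one register per algorithm bank, so a verifier holding a known-good value can tell that a component in the chain was altered without knowing which one. The boot component strings and the two-bank configuration are constructed for illustration.

```python
import hashlib

# Simulation only: a real TPM performs the extend operation in hardware and the
# register cannot be written directly, only extended. This class mirrors the
# rule new_value = H(old_value || H(component)) per algorithm bank.
class SimulatedPcrBank:
    """One register per hash algorithm; TPM 2.0 keeps a bank per algorithm,
    which is what the specification's 'cryptographic agility' allows."""

    def __init__(self, algorithms=("sha256", "sha1")):
        self.algorithms = tuple(algorithms)
        # Registers start as all-zero bytes of the digest length
        self.values = {
            alg: b"\x00" * hashlib.new(alg).digest_size for alg in self.algorithms
        }

    def extend(self, component: bytes) -> None:
        """Fold a measurement of `component` into every bank. Order matters:
        extending A then B yields a different value from B then A."""
        for alg in self.algorithms:
            measurement = hashlib.new(alg, component).digest()
            self.values[alg] = hashlib.new(alg, self.values[alg] + measurement).digest()

    def hexdigests(self) -> dict:
        return {alg: value.hex() for alg, value in self.values.items()}


def measure_boot(components) -> dict:
    """Measure a boot chain component by component and return the final PCR values."""
    bank = SimulatedPcrBank()
    for component in components:
        bank.extend(component)
    return bank.hexdigests()


def attestation_matches(expected: dict, observed: dict, alg: str = "sha256") -> bool:
    """A remote verifier compares the reported register against a known-good reference."""
    return expected[alg] == observed[alg]


# Constructed stand-ins for firmware, bootloader and kernel images
GOLDEN_CHAIN = [b"firmware-v1", b"bootloader-v2", b"kernel-3.14"]
TAMPERED_CHAIN = [b"firmware-v1", b"bootloader-v2-rootkit", b"kernel-3.14"]

if __name__ == "__main__":
    golden = measure_boot(GOLDEN_CHAIN)
    for name, chain in (("golden", GOLDEN_CHAIN), ("tampered", TAMPERED_CHAIN)):
        observed = measure_boot(chain)
        print(name, observed["sha256"][:16], attestation_matches(golden, observed))
```

Because the register is only ever extended, a rootkit that loads after the measurement cannot rewrite the register to the expected value; the only way to reproduce the golden digest is to boot the exact golden chain in the exact order.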

Confusion over conflicting advice over Heartbleed OpenSSL security flaw

Computer users have been left confused over conflicting advice about how to protect themselves from the Heartbleed security flaw. A number of web and security companies have advised individuals to change their passwords as soon as possible before expl...

Police forces still struggling on cyber front

Less than 7% of police forces in England and Wales have a comprehensive plan to deal with a large-scale cyber incident, reveals an official report. Cyber incidents are one of just five threats government set as police priorities in 2012. The report notes that the culmination of individual cyber crimes or the commission of a single attack could cause a large-scale cyber incident. Only Derbyshire, Lincolnshire and West Midlands police forces have adequate plans, out of a total of 43 police forces, according to the report by Her Majesty's Inspectorate of Constabulary (HMIC). The HMIC report – which looked at how prepared police forces are for the five priority national threats – also found that only 2% of police, across 37 police forces, have been trained to investigate cyber crime.

Threats and guidelines

The report is the first in a series on how well police forces have responded to government guidelines on cyber crime, terrorism, civil emergencies, organised crime and public order threats. The report said the response to national threats by individual forces has "not changed appreciably" since the threats were set as priorities by the government's 2012 Strategic Policing Requirement (SPR). HMIC inspectors said they were "struck by how incomplete the police service's understanding of the national threats was", and that more needs to be done by all forces. They said that, while the capacity and capability of the police to respond to national threats is stronger in some areas than others, the response to the cyber threat was the least well developed. HMIC inspectors found the ability to deal with cyber threats remains "largely absent" in some forces. They said some senior officers are still "unsure of what constituted a large-scale cyber incident". They found forces were "silent" when it came to preventing cyber crime and protecting people from the harm it causes, despite the fact it is "fast becoming a dominant method in the perpetration of crime". The report notes that police will soon have to operate just as well in cyberspace as they do in the physical world.

Future of police cyber skills

Two further reports, due this year, will provide an in-depth examination of how well the police service has met the requirements of the SPR in relation to public order and a large-scale cyber incident. National policing lead for public order at the Association of Chief Police Officers (Acpo), chief constable Justine Curran said police forces have continued to improve and develop an understanding of cyber threats. However, she said there was "more to do to develop a clear, consistent approach", particularly when it comes to cyber crime, according to the BBC. Curran said police chiefs and the College of Policing will use the HMIC report to enhance capabilities where possible "within the current financial austerity across policing".

Resources and rewards

A lack of resources was highlighted by Andy Archibald, head of the National Crime Agency's (NCA) National Cyber Crime Unit (NCCU), at the 2014 e-Crime and Information Security Congress in London. He said that, in a modern crime investigation environment, law enforcement organisations need access to technical skills like writing and reverse engineering code. But Archibald said it is a challenge for law enforcement organisations to attract, retain and reward the best people with these skills in competition with private sector demand and attractive salary packages. "To get access to those skills we have to look at how we can engage with industry through programmes which allow people to work with law enforcement on a part-time voluntary basis," he said. However, Archibald said the NCCU plans to invest a "considerable amount of money" in future in developing law enforcement officers from officers on the beat all the way up to the high-end skills.

Heartbleed SSL Encryption Vulnerability Requires Quick Attention

NEWS ANALYSIS: There are steps you can take to make sure that your critical information is protected from the Heartbleed encryption flaw and to confirm whether you were at risk in the first place.

According to our report on the discovery of a significant vulnerability to the Secure Sockets Layer (SSL) encryption service as it's implemented in some versions of Linux, an exploit could reveal up to 64 kilobytes of memory in the affected server. The good news is that the OpenSSL Project issued a fix almost immediately, and passed it out as an update to Linux distributors. The bad news is that this vulnerability has been around for two years. There's more good news: there's no evidence that this vulnerability was ever exploited. But there's more bad news, too: because of the way this vulnerability works, we might not see evidence even if it had been exploited.

Just how serious is this? Tatu Ylönen, inventor of SSH encryption and CEO of the SSH security protocol, said that the problem is potentially bad. "This is an extremely serious vulnerability in OpenSSL," Ylönen said in an email from his home in Helsinki, Finland. "An attacker can use it to obtain the encryption keys used by a web site, allowing an attacker or spy agency to read all communications. It can practically be used to obtain the server private key used for securing the server and communications to it, essentially breaching the certificates used for protecting the web site, which in turn allows decrypting past sessions as well as performing man-in-the-middle attacks (including banking fraud and identity theft) in most cases."

Ylönen said that about two-thirds of the world's websites use the encryption library affected by the vulnerability, which is OpenSSL 1.0.1. Any of those sites could have been compromised. He said that these include major commerce sites, social networking and banking sites.

Because the encryption keys themselves may have been stolen from compromised websites, the importance of keeping keys safe is underscored. Unless the keys were kept secure and encrypted, the chance that they could be stolen during a breach is high, according to Richard Mould, vice president of strategy for Thales e-Security. "Once again the importance of sound key management has been brought into sharp focus," Mould told eWEEK. "The Heartbleed bug found in OpenSSL, one of the most common means of encrypting data on the internet, increases the risk that encryption keys can be stolen. An attacker that can access these keys can decrypt any data that has been previously encrypted using those keys and probably any future data until each key is changed. Updating keys is expensive and time consuming and the impact of a loss can be very damaging."

Ylönen said that once the SSL encryption had been broken, it's likely that passwords normally protected by SSL had also been compromised.

Man behind Carder.su racketeering, other cybercrime, pleading guilty

Eight of 55 connected associates have copped guilty pleas in the $50 million scam.

Supreme Court weighing when online speech becomes illegal threat

High court has never defined online "speech crime."

Franken: Comcast called Time Warner Cable a competitor until they wanted...

Comcast got NBC deal approved after citing competition from Time Warner.

Whitehat hacker goes too far, gets raided by FBI, tells all

Hacker exposed client’s data to teach a lesson, was "tired of being ignored."

WordPress Customers Receive Automatic Security Updates

The WordPress 3.8.2 update provides additional checks to limit the risk of pingback attacks.

WordPress blogs around the world began to receive an automatic security update late on April 8 to fix security vulnerabilities. The WordPress 3.8.2 and 3.7.2 updates each provide five security fixes, as well as multiple non-security bug updates. The open-source WordPress content management system is widely deployed around the world and is used to power many of the world's leading technology media sites. In October 2013, the company released WordPress 3.7, which provided users with an automatic update capability for important security and bug fixes. WordPress 3.8 was first released in December 2013 and received an automatic update to version 3.8.1 in January for 31 bug fixes.

The WordPress 3.8.2 and 3.7.2 updates include a fix for CVE-2014-0165, which is a privilege-escalation vulnerability that could have potentially enabled unauthorized contributors to publish posts. The other important security fix is identified as CVE-2014-0166 and is a cookie forgery issue. Cookies are used in WordPress and across the Web as a mechanism for authentication and session features. The CVE-2014-0166 flaw could have potentially enabled an attacker to gain unauthorized access to a WordPress site by way of forged authentication cookies.

WordPress is also providing three security-hardening capabilities to further reduce the risk of attack. Among the hardening fixes is one for a low-impact SQL injection risk that could have come from trusted users. The new WordPress update also includes a code-hardening fix to limit the potential risk of a cross-domain scripting flaw in the Plupload library used by WordPress for uploading files. Perhaps the biggest security-hardening impact, however, is likely to come from a new mechanism to help reduce the impact of pingback attacks from WordPress installations.

A pingback attack takes advantage of the XML-RPC (remote procedure call) pingback functionality in WordPress to launch DDoS attacks. XML-RPC is legitimately used within WordPress to allow content owners to track where their content is getting linked. WordPress developer Andrew Nacin wrote in the WordPress 3.8.2 release announcement that the new update will "pass along additional information when processing pingbacks to help hosts identify potentially abusive requests." In March, WordPress was implicated in a widespread distributed denial-of-service (DDoS) attack that leveraged the pingback trackback feature in WordPress. The feature was being abused by attackers across 162,000 WordPress sites for a DDoS attack, according to security firm Sucuri.

While WordPress is updating existing users, the open-source project is also moving forward toward its next release. WordPress 3.9 is set to debut next week with new image-editing and live-theme preview features.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
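From the targeted site's side, a pingback flood looks like many unrelated WordPress installations fetching the same page to "verify" a link, each identifying itself through its User-Agent. The following added example, which is not WordPress or Sucuri code, is the detection a host would run over its own access log: it parses combined-format lines, picks out WordPress pingback verification requests, normalises away the cache-busting query strings such floods typically carry, and flags any path fetched by more than a threshold of distinct WordPress sites. The log lines are constructed; the User-Agent form `WordPress/<ver>; <site>; verifying pingback from <ip>` is assumed to be the "additional information" the 3.8.2 announcement refers to, and the origin field is treated as optional because reflectors that have not updated will not send it.

```python
import re
from collections import defaultdict

# Apache/nginx combined log format (constructed sample lines below)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed User-Agent of a WordPress pingback verification fetch. The
# "verifying pingback from <ip>" suffix is the assumed 3.8.2 addition and is
# optional here so that older reflectors are still recognised.
PINGBACK_UA_RE = re.compile(
    r'^WordPress/[\d.]+; (?P<site>\S+?)(?:; verifying pingback from (?P<origin>\S+))?$'
)


def parse_line(line: str):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_pingback_flood(lines, threshold: int = 3) -> dict:
    """Group WordPress pingback verification requests by the requested path
    (query string stripped) and return paths hit by >= `threshold` distinct
    reflecting sites, with the origin IPs the updated reflectors reported."""
    by_path = defaultdict(lambda: {"sites": set(), "origins": set(), "count": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ua = PINGBACK_UA_RE.match(rec["ua"])
        if ua is None:
            continue  # ordinary browser or bot traffic
        path = rec["path"].split("?", 1)[0]  # floods randomise the query string
        entry = by_path[path]
        entry["sites"].add(ua.group("site"))
        if ua.group("origin"):
            entry["origins"].add(ua.group("origin"))
        entry["count"] += 1
    return {p: e for p, e in by_path.items() if len(e["sites"]) >= threshold}


# Constructed sample log: four reflectors hitting "/" with random query strings
# (three of them updated and reporting the same origin), one legitimate
# pingback check of a real post, one browser request and one malformed line.
SAMPLE_LOG = [
    '198.51.100.10 - - [09/Apr/2014:10:00:01 +0000] "GET /?4137049=643182 HTTP/1.1" 200 5120 "-" '
    '"WordPress/3.8.2; http://reflector-one.example; verifying pingback from 203.0.113.7"',
    '198.51.100.11 - - [09/Apr/2014:10:00:01 +0000] "GET /?9921837=110276 HTTP/1.1" 200 5120 "-" '
    '"WordPress/3.8.2; http://reflector-two.example; verifying pingback from 203.0.113.7"',
    '198.51.100.12 - - [09/Apr/2014:10:00:02 +0000] "GET /?3300481=781233 HTTP/1.1" 200 5120 "-" '
    '"WordPress/3.8.2; http://reflector-three.example; verifying pingback from 203.0.113.7"',
    '198.51.100.13 - - [09/Apr/2014:10:00:02 +0000] "GET /?7781120=240951 HTTP/1.1" 200 5120 "-" '
    '"WordPress/3.8.1; http://reflector-four.example"',
    '198.51.100.50 - - [09/Apr/2014:10:00:05 +0000] "GET /blog/post-1 HTTP/1.1" 200 3000 "-" '
    '"WordPress/3.8.2; http://friendly-blog.example; verifying pingback from 192.0.2.9"',
    '192.0.2.30 - - [09/Apr/2014:10:00:06 +0000] "GET /blog/post-1 HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
    'not a log line',
]

if __name__ == "__main__":
    for path, entry in find_pingback_flood(SAMPLE_LOG).items():
        print(path, len(entry["sites"]), "reflectors; reported origins:", sorted(entry["origins"]))
```

The origin set is what the 3.8.2 change buys a defender: without it the host sees only the reflecting sites, which are themselves victims; with it, every updated reflector names the same address that submitted the bogus pingbacks, which is the one worth filtering or reporting.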

Is the US headed toward a cyber Cold War with China?

Harvard scholar suggests the superpowers are locked in a "cool war."

‘Heartbleed’ OpenSSL Flaw May Lead to Leaked Passwords, Encryption Keys

The vulnerability in the widely used OpenSSL library used to secure Web transmissions allows attackers to scrape memory from servers, grabbing sensitive information.

A widespread vulnerability in OpenSSL, the software library used to secure communications on the Web, has undermined the security on hundreds of thousands of Web servers and services and has left online companies scrambling to close the security hole. The vulnerability—officially dubbed the "TLS Heartbeat Read Overrun" issue and unofficially named "Heartbleed" by the firm that found it—allows attackers to scrape the memory of Web servers, grabbing up to 64 kilobytes of the last data communicated. While the issue only affects Linux servers, those computers are the most commonly used for Web servers and services on the Internet. The vulnerability puts users' passwords at risk, but also could reveal the private keys used in the encryption that secures the Secure HTTP, or HTTPS, protocol.

"The leaked memory areas might contain a lot of different content ranging from leftover data from previous communication over log messages up to private key material employed by the service/daemon," Mark Schloesser, security researcher for Rapid7, a vulnerability management firm, said in a statement sent to eWEEK. "For this reason, there are lots of possible attack scenarios that can result from the vulnerability."

The attack affects a limited number of OpenSSL releases—those published by the project in the last two years—but the vulnerable code is already fairly widespread. The issue was introduced into the codebase in December 2011 and released to the public in March 2012. The company that discovered the vulnerability, security firm Codenomicon, estimated that two-thirds of Web servers could be vulnerable to the theft of information. On April 9, however, Web analytics firm Netcraft used data collected on the usage of the vulnerable software to estimate that a lower fraction, 17.5 percent, was actually at risk.

Yet, among those affected are the largest Web services, those that take security seriously. "All affected systems should be updated immediately—this is essential," Schloesser said. "Also, to mitigate attacks resulting from any potentially leaked keying material, any SSL keys from affected systems should be replaced and revoked."

To estimate the danger, the company that revealed the flaw attacked its own systems. The impact was eye-opening, Codenomicon stated in a blog post. "We attacked ourselves from outside, without leaving a trace," Codenomicon researchers stated. "Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication."

While the attack is sure to reignite the debate over the security merits of closed-source software versus open-source software, such as OpenSSL, either development methodology could have had a similar flaw, David Shearer, chief operating officer of (ISC)2, said in a statement sent to eWEEK. "The arguments over the virtues of open-source software versus proprietary software have been around for a long time," Shearer said. "The recent OpenSSL vulnerability may justify some rethinking of the open-source development life cycle, but the widespread problem of insecure software is not an open source versus proprietary source argument."

The TLS Heartbeat Read Overrun vulnerability has been assigned CVE-2014-0160, according to the OpenSSL Project.
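Both Heartbleed items above (the eWEEK "Quick Attention" analysis and this one) describe the flaw as a "read overrun": the heartbeat message carries its own payload length, and the server echoed that many bytes back without confirming the bytes had actually arrived, so up to 64 kilobytes of adjacent memory went out in the reply. The following added example, not OpenSSL's code, shows the message layout and the two bounds checks a correct heartbeat handler needs, in a standalone Python parser: a record must be long enough to hold the header and minimum padding, and the claimed `payload_length` must fit inside the record that was received. A well-formed request echoes cleanly; a request whose claimed length exceeds the received bytes is rejected instead of being served from memory. The message constants are the TLS heartbeat layout (1-byte type, 2-byte big-endian length, payload, at least 16 bytes of padding); the sample records are constructed.

```python
import struct
from typing import Tuple

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 1 + 2     # type byte + 16-bit payload_length
MIN_PADDING = 16       # TLS heartbeat requires at least 16 bytes of padding
MAX_PAYLOAD = 0xFFFF   # the 16-bit length field is what bounds the 64 KB figure


class HeartbeatError(ValueError):
    """Raised for any record that fails validation; the record is dropped."""


def parse_heartbeat(record: bytes) -> Tuple[int, bytes]:
    """Validate a heartbeat message body and return (type, payload).

    The two length checks are the defensive core: the sender-supplied
    payload_length is never trusted until it is shown to fit inside the
    bytes that were actually received."""
    # Check 1: enough bytes for the header plus mandatory padding at all
    if len(record) < HEADER_LEN + MIN_PADDING:
        raise HeartbeatError("record too short for heartbeat header and padding")
    msg_type, payload_len = struct.unpack("!BH", record[:HEADER_LEN])
    # Check 2: the claimed payload plus padding must lie within the record;
    # without this check the echo would read past the received data
    if HEADER_LEN + payload_len + MIN_PADDING > len(record):
        raise HeartbeatError(
            f"claimed payload_length {payload_len} exceeds received record of {len(record)} bytes"
        )
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        raise HeartbeatError(f"unknown heartbeat type {msg_type}")
    payload = record[HEADER_LEN:HEADER_LEN + payload_len]
    return msg_type, payload


def build_heartbeat(msg_type: int, payload: bytes, padding: bytes = b"\x00" * MIN_PADDING) -> bytes:
    """Serialise a heartbeat message with a length field that matches the payload."""
    if len(payload) > MAX_PAYLOAD:
        raise HeartbeatError("payload does not fit the 16-bit length field")
    if len(padding) < MIN_PADDING:
        raise HeartbeatError("padding shorter than the 16-byte minimum")
    return struct.pack("!BH", msg_type, len(payload)) + payload + padding


def build_response(request: bytes) -> bytes:
    """Echo only bytes that passed validation; nothing beyond the received record."""
    msg_type, payload = parse_heartbeat(request)
    if msg_type != HEARTBEAT_REQUEST:
        raise HeartbeatError("only requests are answered")
    return build_heartbeat(HEARTBEAT_RESPONSE, payload)


# Constructed records: a well-formed request, and one whose header claims the
# maximum length while carrying only two payload bytes
GOOD_REQUEST = build_heartbeat(HEARTBEAT_REQUEST, b"hello")
OVERSIZED_CLAIM = struct.pack("!BH", HEARTBEAT_REQUEST, MAX_PAYLOAD) + b"hi" + b"\x00" * MIN_PADDING

if __name__ == "__main__":
    print("good:", parse_heartbeat(build_response(GOOD_REQUEST)))
    try:
        build_response(OVERSIZED_CLAIM)
    except HeartbeatError as exc:
        print("rejected:", exc)
```

Schloesser's remediation advice follows from the same logic: because the overrun reads whatever happened to sit next to the request buffer, a server that was exposed has to assume its private key was among the bytes served, so patching the check is only half the fix and the key and certificate are replaced and revoked as well.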

Handheld quantum key generators are on the way

Simple client, complex server herald quantum security in the future.