14.6 C
London
Tuesday, September 26, 2017
Home Tags Vancouver

Tag: Vancouver

Google says Canadian order is “repugnantrdquo; to the First Amendment.
Vancouver tech company seeks to de-list a website selling alleged counterfeits.
Hack worked by stitching together three separate exploits.
Image Engine VFX reveals the thought process fueling The Thing, District 9, and X-Files.
Or, how to support civil liberties, $5 at a time, with the slap of a hand.
10th anniversary edition of Pwn2Own hacking contest offers over $1M in prize money to security researchers across a long list of targets including Virtual Machines, servers, enterprise applications and web browsers. Over the last decade, the Zero Day Initiative's (ZDI) annual Pwn2Own competition has emerged to become one of the premiere events on the information security calendar and the 2017 edition does not look to be any different. For the tenth anniversary of the Pwn2Own contest, ZDI, now owned and operated by Trend Micro, is going farther than ever before, with more targets and more prize money available for security researchers to claim by successfully executing zero-day exploits.HPE sold its TippingPoint division, which includes ZDI, for $300 million to Trend Micro in 2016 and the Pwn2own event that year was hosted as a joint effort between the two companies. By the end of the two-day event in 2016, $460,000 in prize money was awarded to researchers that demonstrated a total of 21 zero-day vulnerabilities.The Pwn2Own 2017 event is co-located at the CanSecWest conference in Vancouver, Canada, set for March 15-17. The 2017 event is sponsored by Trend Micro and unlike past Pwn2Own events, is not focused on web browsers.Among the targets this year are Virtual Machines, including both VMware and Microsoft Hyper-V systems. Researchers will need to execute a virtualization hypervisor escape from the guest virtual machine, to run arbitrary code on the underlying host operating system. ZDI will pay a $100,000 reward to the security researcher that is able to successfully execute a Virtual Machine escape. "We're always considering new targets for each year," Brian Gorenc, senior manager of vulnerability research with Trend Micro, told eWEEK. Outside of the Pwn2Own event, ZDI is in the business of acquiring security vulnerabilities from researchers. Gorenc added that ZDI is actively acquiring virtual machine escapes through its' program."Hopefully Pwn2Own will raise awareness among researchers, so we see even more of these reports," Gorenc said.While virtual machines are on the target list for Pwn2Own, Docker containers are not. Gorenc noted that containers weren’t really a consideration for this year's contest. Linux Pwn2Own has targeted Apple's macOS and Microsoft Windows based technologies for the past decade, but in 2017, the open-source Linux operating system has finally made the target list.Pwn2Own researchers will specifically be able to target the Ubuntu 16.10 Linux operating system in a pair of separate challenges, one for privilege escalation, the other for server-side web host exploitation.Researchers that target Linux will be awarded $15,000 if they can leverage a kernel vulnerability to escalate privileges. The same feat on Windows will earn a researcher $30,000, while a macOS escalation of privilege will be rewarded with $20,000.Ubuntu Linux systems can be secured with an additional layer of mandatory access control security known as 'AppArmor' that in some cases would limit the risk of a local user privilege escalation exploit. Gorenc noted that for the Pwn2Own contest, ZDI is not setting up any AppArmor profiles for this year's event.On the server side, the ZDI will award a successful exploit against the open-source Apache Web Server running on Ubuntu 16.10 Linux with a $200,000 prize. Web Browsers Once again web browsers are a key target at Pwn2Own, with successful exploitation of Microsoft's Edge browser or Google Chrome worth $80,000. A successful exploit of Apple's Safari will be rewarded with a $50,000 prize.After not being part of the 2016 event, Mozilla's Firefox web browser is back on the Pwn2Own target list of 2017. A successful exploit of Firefox will earn $30,000."Mozilla improved their security enough for us to warrant their re-inclusion in the contest," Gorenc said.Additionally the 2017 Pwn2Own event will award researchers $50,000 for each successful exploit of Adobe Reader, Microsoft Office Word, Excel and PowerPoint. The total prize pool available for researchers is more than any other Pwn2Own event has ever offered."Much of the final tally will depend on how many entries we have," Gorenc said. "We're definitely over $1 million, which is our largest Pwn2Own ever."After 10 years of running Pwn2Own events, it's likely that the hacking challenge will continue for many more years to come."While it would be great to live in a world with perfect security, we know this isn’t really practical," Gorenc said. "A lot of great research has been through the contest and inspired by the contest – research which ended up improving security for everyone."Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
Enlargeullstein bild / Getty Images News reader comments 54 Share this story Rather than disclose the source code that the FBI used to target a child porn suspect, federal prosecutors in Tacoma, Washington recently dropped their appeal in United States v. Michaud. The case is just one of 135 federal prosecutions nationwide involving the Tor-hidden child porn website Playpen. The vast effort to bust Playpen has raised significant questions about the ethics, oversight, capabilities, and limitations of the government’s ability to hack criminal suspects. In United States v. Michaud, Jay Michaud of Vancouver, Washington allegedly logged on to Playpen in 2015. But unbeknownst to him at that point, federal investigators were temporarily operating the site for 13 days before shutting it down. As authorities controlled Playpen, the FBI deployed a sneaky piece of software (a "network investigative technique (NIT)," dubbed by many security experts as malware), which allowed them to reveal Playpen users’ true IP addresses. With that information in hand, identifying those suspects became trivial. Since being apprehended, some of the Playpen defendants immediately took plea deals. Others have challenged the government's NIT and the single out-of-district warrant that authorized its use. In this case, US District Judge Robert Bryan eventually ordered the government to hand over the NIT's source code. Since that May 2016 order, the government has classified the source code itself, thwarting efforts for criminal discovery in more than 100 Playpen-related cases that remain pending. In June 2016, prosecutors began the appeals process to the 9th US Circuit Court of Appeals, but they ultimately decided to abandon Michaud at the higher court.  Despite ending the appeal on December 23, the case is still technically live: prosecutors could ask the judge to reconsider his May 25, 2016 order suppressing the evidence found on Michaud’s computer as a result of the NIT. But if the government declines to pursue the case further at the district court level, Michaud would become the second Playpen-related case that's been dismissed. Prosecutors did not immediately respond to Ars’ request for comment. Michaud’s federal public defender, Colin Fieman, has been dogged in trying to force the government to reveal more information about how the NIT worked. “We’re not out of the woods yet because they can ask for another motion to reconsider,” Fieman told Ars. “It may not be a dismissal of the indictment at this point, but it would be odd for them to try to pursue further. But we’ll have to wait and see.” Last year, a federal judge in a related case prosecuted out of Oklahoma, United States v. Arterbury, also ruled against the prosecution. The government eventually dropped the appeal and then dismissed the indictment at the district court in October 2016. Yet another Playpen case, United States v. Levin, where the defense prevailed initially, is currently on appeal at the 1st US Circuit Court of Appeals. Beau Croghan, a man in Iowa, was another alleged user hit by this NIT—his case was just one of three in which a judge ruled to suppress the evidence due to a defective warrant. Croghan's case is now pending before the 8th US Circuit Court of Appeals. Beyond Michaud, Fieman is representing another Playpen defendant in the same judicial district (the Western District of Washington) before the very same judge. In the second case, the evidence and legal questions are nearly identical. That case, United States v. Tippens, is set to go to trial on February 27, 2017 in Tacoma.
'Tor pedo' torpedo torpedoed In a surprising and worrying move, the FBI has dropped its case against a man accused of downloading child sex abuse images, rather than reveal details about how they caught him. Jay Michaud, a middle school teacher in Vancouver, Washington, was arrested in July last year after visiting the Playpen, a dark web meeting place tens of thousands of perverts used to swap mountains of vile underage porn. Unbeknown to him at the time, the FBI were, for about a fortnight, running the site after taking over its servers, and managed to install a network investigative technique (NIT) on his computer to get his real public IP address and MAC address. The Playpen was hidden in the Tor anonymizing network, and the spyware was needed to unmask suspects – about 1,300 public IP addresses were collected by agents during the operation. According to the prosecution, a police raid on his home revealed a substantial hoard of pictures and video of child sex abuse on computer equipment. But now, guilty or not, he's now off the hook after the FBI filed a motion to dismiss its own case [PDF] late last month. Why? Because Michaud's lawyer insisted that the FBI hand over a sample of the NIT code so it could be checked to ensure that it didn't breach the terms of the warrant the FBI obtained to install the malware, and to check that it wouldn't throw up any false positives. US District Judge Robert Bryan agreed, saying that unless the prosecution turned over the code, he'd have to dismiss the charges. The FBI has since been arguing against that, but has now decided that it's better to drop the case than reveal its techniques. The Playpen affair has proved to be a legal minefield in more ways than one. For a start, the admission that the FBI had been distributing such images and videos online troubled many. But the agency also only sought a single warrant to distribute its NIT internationally, which may have been illegal at the time. That's no longer the case, since a change in Rule 41 of the Federal Rules of Criminal Procedure was nodded through by the US Supreme Court and came into effect on December 1 last year. Judges in Playpen cases – there have been hundreds of prosecutions similar to Michaud's lined up by the Feds – haven't always agreed that the FBI had the right to introduce evidence gathered without a local warrant. In the past the FBI has dropped cases rather than reveal their investigation techniques, particularly with its cellphone-tracking Stingray equipment. But those were minor cases – nothing so serious as child abuse. ® Sponsored: Customer Identity and Access Management
Bracknell, UK. 29 September 2016 - Computer Products Solutions, a division of Panasonic System Communications Europe (PSCEU) (“Panasonic”), and FusionPipe Software Solutions Inc. (“FusionPipe”), a Vancouver-based developer of authentication & data security solutions for enterprises, today announced a new partnership through which Panasonic will sell and support FusionPipe’s patented QuikID™ authentication solutions to its European customers, resellers and distributors.QuikID™ is patented software, engineered to improve end-user authentication (lock/unlock) for ruggedised PC’s, laptops, tablets and VPN networks.
It eliminates the need for username / password combinations, tokens, smartcards, OTPs (one-time passwords) or USB’s, offering a superior user experience while increasing work force productivity without compromising data and network security. FusionPipe Quick ID Software CF-20 Fusionpipe is one of the latest Independent Software Vendors (ISV’s) to become officially certified and approved for use with Toughbook or Toughpad devices, under Panasonic’s new Certified ISV Programme. John Harris, Head of Engineering at Panasonic Computer Products Solutions, said “I have been working with the FusionPipe team since I first met them at Mobile World Congress 2015 to evaluate QuikID™’s technical merits, security provisions and the potential of their authentication technology.
I have not only been impressed with the FusionPipe team and their technology, but also the opportunity that this innovative solution brings to our existing customer base, prospects and distribution channel.” FusionPipe’s CEO & Chairman David Snell said: “We are honoured and excited to have Panasonic become one of our major Value Added Resellers for our ground-breaking authentication technology.

As the titan in the ruggedized device marketplace, their vision, market strategy and growing user base for their popular devices is key to the success of our mutually advantageous business partnership.” Panasonic will sell FusionPipe’s QuikID™ software as part of its ProServices range of offerings within its existing line of distribution channels across the European Economic Area, Switzerland and Turkey . For details of Panasonic Toughbook and Toughpad solutions visit www.toughbook.eu NDS Press contact:Michael BartleyThe Amber Groupmichael@ambergroup.net+44 (0)118 949 7750 About Panasonic System Communications Company Europe (PSCEU)PSCEU is the European branch of Panasonic Systems Communications Company, the global B2B division of Panasonic. PSCEU’s goal is to improve the working lives of business professionals and help their organisations’ efficiency and performance. We help organisations capture, compute and communicate all sorts of information: image, voice, and textual data. Products include PBX telephone switches, document printers, professional cameras, projectors, large visual displays, rugged mobile PCs and fire alarms solutions. With around 400 staff, engineering design expertise, global project management capability and a large European partner network, PSCEU offers unrivalled capability in its markets. PSCEU is made up of four product categories: Communication Solutions, including professional scanners, multifunctional printers, telephony systems and SIP terminal devices. Visual System Solutions, including projectors and professional displays. Panasonic offers the widest range of Visual products, and leads the European projector market with 28% revenue share (Futuresource B2B market tracking, Q1/2014). Professional Camera Solutions, including Broadcast & ProAV products, security, fire alarm systems and industrial medical vision (IMV) technology. Panasonic is one of the top two professional camera vendors in Europe. Computer Product Solutions helps mobile workers improve productivity with its range of Toughbook rugged notebooks, Toughpad business tablets and electronic point of sales (EPOS) systems.

As European market leaders, Panasonic Toughbook had a 66% revenue share of sales of rugged and durable notebooks and Panasonic Toughpad held a 59% revenue share of sales of rugged business tablets in 2015 (VDC Research, March 2016). About FusionPipeFusionPipe Software is a dynamic, rapidly growing technology company whose mission is to replace passwords, smart cards and tokens using smartphones and wearables to enable more convenient and secure end user authentication. We are the leader in world-class authentication and advanced data security solutions for Enterprises. Our patented technology addresses the growing global need for convenient yet secure authentication and identity management.

FusionPipe provides Enterprises with disruptive technology, that is easy to use and implement, increases productivity and lowers the total cost of ownership.

For more information on FusionPipe’s innovative authentication technology solutions, visit: www.fusionpipe.com. Disclaimer: All brand names shown are the registered trademarks of the relevant companies.

All rights reserved.
All working conditions, times and figures quoted are optimum or ideal levels and may differ as a result of individual and local circumstances. Specifications, product availability and price given herein may be changed at any time without prior notice.
A new iteration of the P2wn2Own mobile hacking contest takes aim at iOS and Android. The mobile Pwn2Own hacking contest is back for 2016, this time offering top prize of $250,000 to any security researcher who forces an Apple iPhone to unlock.The Pwn2Own contest has undergone a bit of a transition as Hewlett Packard Enterprise sold the Zero Day Initiative (ZDI) group that sponsors the event to Trend Micro earlier this year.

The browser edition of the Pwn2Own event was held in March and was jointly sponsored by HPE and Trend Micro.

The mobile Pwn2Own 2016 contest being held next month will be the first time a Pwn2Own event doesn't benefit from HPE sponsorship."To us, it's still Pwn2Own," Brian Gorenc, senior manager of vulnerability research at Trend Micro, told eWEEK. "We always hope each contest brings us something new we haven't seen before, but if you've seen the contest, it should look very familiar."During the 2016 Pwn2Own browser event, which was held at the CanSecWest conference in Vancouver, ZDI awarded a total of $460,000 in prize money to researchers for publicly demonstrating new zero-day exploits in web browsers. The mobile Pwn2Own event will be held Oct. 26-27 at the PacSec Security Conference in Tokyo, and the total available prize pool is set to top $500,000.

For the 2016 mobile event, ZDI is asking researchers to target three specific mobile devices: the Apple iPhone 6x, the Google Nexus 6p and the Samsung Galaxy Note7. Across all of the targeted devices, ZDI is tasking researchers with a number of challenges.

The first is to obtain sensitive information from a device. ZDI is awarding $50,000 to those who exploit a device to get access to sensitive information on the iPhone or the Google Nexus.

A researcher who is able to get sensitive information off a Galaxy will be awarded $35,000.Another challenge at mobile Pwn2Own 2016 is to install a rogue application on a targeted device.

A $125,000 prize will be awarded for the installation of a rogue app on the iPhone; on the Google Nexus, the reward is $100,000; and on the Samsung Galaxy, $60,000."Each phone will be running the latest operating system available at the time of the contest, and all available patches will also be applied," Gorenc said. "This can lead to some late nights as ZDI researchers update phones in the days leading up to the contest, but we feel it's best to have the latest and greatest targeted."Gorenc said all of the targeted devices will be in their default configuration. On iOS, that means Pwn2Own contestants must target Safari, as this is the default browser and most common, realistic scenario for users of that device.
In the past, Pwn2Own contestants have demonstrated many WebKit browser rendering engine related vulnerabilities. WebKit is the core rendering engine behind Safari and has many components that are also used in Google's Chrome."The threat landscape shifts so much from contest to contest that it's hard to predict what component will be targeted," he said. "WebKit will likely make an appearance, but we're hoping to see some new techniques and research as well."For the installation of the rogue application, Gorenc said that ZDI has no requirements for the app. "We will leave it up to the contestant to express their creativity during the public demonstration," he said.iPhone UnlockThe biggest single prize at the mobile Pwn2Own 2016 event goes to the researcher who is able to successfully force an iPhone to unlock.

The challenge of unlocking an iPhone has been a hot topic in recent months.

The FBI reportedly paid as much as $1.3 million to bypass the iPhone lock screen.

And Apple started its own bug bounty program, with a $200,000 prize, while security firm Exodus Intelligence will pay a top prize of $500,000 for an iOS zero-day flaw.Gorenc believes offering $250,000 for an iPhone unlock exploit is a good size prize."We feel this amount is not a bad payday for what will clearly be a significant amount of research needed to accomplish this hack," he said. "Along with the money, the researcher will get the recognition that comes with winning Pwn2Own."In the end, Gorenc said, it's the marketplace that will let ZDI know if $250,000 is a fair price; he's optimistic that someone will actually attempt to publicly force an iPhone to unlock."Finally, by reporting this through ZDI, the bugs will actually get fixed by the vendor," Gorenc said. "That's better than some of the alternatives."Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.

Follow him on Twitter @TechJournalist.
Today’s financial technology startups (“fintech” for short) are taking on some of today’s greatest security challenges.

Armed with drive and a need for innovation, these companies have created new services and security approaches that are changing the financial industry. Here’s how three such companies are competing based on security. Know your client Proving personal identity is a key component of security for the financial industry. Most major financial institutions require customers to open accounts in person, present government-issued identity documents and wait hours or days to open an account.

But customers today expect faster services — including the account opening process. Founded in 2010, Vancouver, British Columbia-based Trulioo, whose customer base includes well-known technology firms such as eBay, Kickstarter, Square and PayPal, has pioneered a new approach to verifying identity.
REVIEW: Sophos has melded together the best features of their end point security systems with the acquired intellectual property of firewall vendors Astaro and Cyberoam. IT security vendor Sophos has raised the bar on unified security by orchestrating an array of security technologies in package that melds firewall intelligence with endpoint analytics.The company brought its new security platform to market under the moniker of “Sophos Security Heartbeat”, which to describe a unifying technology that allows endpoints running Sophos security products to collaborate with the company’s security appliances to create a comprehensive system that's all about keeping things secure.Perhaps a better explanation lies in what security unification between the endpoint and a Unified Threat Management system means in the context of Sophos’s offering.
It all comes down to an endpoint having its own local security application, (anti-malware, anti-rootkit, etc.) which helps to protect the endpoint, while also communicating with a central security appliance.The two-way conversation excels in detecting anomalies, where the endpoint can inform the security appliance of something suspicious and the security appliance can then vet that suspicious traffic, while also executing policy to contain the traffic. What’s more, the security appliance can further analyze the traffic to measure the impact of suspicious traffic on the network, applications and services before using those results to detect suspicious behavior on other endpoints or other parts of the network.
Simply put, the security appliance’s unified view of traffic and activity across the network gives the integrated machine learning capabilities to quickly identify anomalies and more importantly, actually do something about those anomalies in real-time. Going Hands On with the Sophos XG Series Sophos XG is actually a family of NGFWs (Next Generation FireWalls) which share a common core feature set and include capabilities such as traffic shaping, policy based rule execution, traffic anomaly detection, web filtering, intrusion detection, intrusion prevention and so forth.In essence, any member of the Sophos XG family functions as a UTM appliance and is designed around the concepts of ease of use and automation.
Sophos acquired the firewall and related threat-management technology through its acquisitions of Astaro and Cyberoam.While there are many different models in the Sophos XG family, the primary differences in the devices all add up to a question of scale.

For example, the entry level XG85 is designed for small offices and offers just four GbE copper ports and is rated at 2 Gbps throughput but.In contrast the top of the line XG750 is rated for 140 Gbps throughput and sports as many as 64 GigE ports, as well as support for 10Gbps Ethernet. While the raw processing power and connectivity is vastly different between those two extremes, the underlying software is much the same, meaning that feature sets are universal across the whole product line.I visited Sophos’s Vancouver office to test the XG’s capabilities and evaluate the feature set of the product line. Most of my testing was done on a Sophos XG 125W, which is rated for 5 Gbps raw throughput, sports 8 GbE copper ports and incorporates an 802.11b/g/n/ac 2.4/5 GHz WiFi AP.It is interesting to note that XG series devices that come with integrated WiFi offer a complete set of WiFi security controls and fully integrates NGFW capabilities into the WiFi AP.
I was able to test connectivity to a variety of endpoints, both wired and wireless, to evaluate how the XG 125W functioned in a simulated small enterprise environment. Installation and Setup: Within just a few minutes of unpacking the device it became apparent that ease of use has been heavily injected into the XG product line, making the device almost plug and play simple to setup.
I say almost only because any one installing the device must have some basic understanding of network cabling and be adept at knowing how to change their management systems IP address to launch the browser based setup wizard.That said it is important to note that the XG family of devices default to an initial IP address of 172.16.16.16, instead of the all too common 192.168.0.1 that so many appliances do today.That caveat aside, all setup and management of the device is accomplished using a browser based GUI, which incorporates setup wizards to keep things surprisingly simple.