Mar 9 2010

Ford Motor Rolls Out New Security Features To Prevent Car-Hacking

Automobile giant Ford Motor this year will debut vehicles with built-in WiFi — along with enhanced security features to prevent data breaches via its new cars.

Ford has offered the so-called Sync technology service it co-developed with Microsoft in most of its Ford, Lincoln, and Mercury vehicles since 2008. The technology lets drivers run their Bluetooth-enabled mobile phones and digital media players via their vehicles and use voice commands to operate them, for instance.

The automaker announced today that the second generation of its Sync technology — due out later this year and to include a full Windows CE operating system with a new driver interface called MyFordTouch — will come with a built-in browser and secured WiFi access. It will first debut in the 2011 Ford Edge and 2011 MKX Lincoln, and later, in the 2012 Ford Focus.

“We really began to focus on the security side when we began launching Sync, and it was [originally] for working with phones and media players,” says Jim Buczkowski, director of Ford electronics and electrical systems engineering. “Now we’re extending that system connectivity to include WiFi as another data path for customers in their vehicles … and we’re extending that security model for protecting WiFi.”

The WiFi will be broadcast via Sync using a USB-based modem, and Ford has updated its on-board firewalls to protect both the WiFi network and the vehicle’s operations. The WiFi network is set by default to WiFi Protected Access 2 (WPA2) encryption for secured access to the wireless network. It also will provide anti-malware protection for the MyFordTouch system.

Sukhwinder Wadhwa, manager of the Sync platform and technologies at Ford, says Ford doesn’t consider security to be an add-on feature. “We work closely with the Ford enterprise IT security [group] to use basically the same guiding principles for security” as they use for the enterprise security, Wadhwa says.

“Any software is first verified by Ford engineers and signed by Ford enterprise servers before it gets installed [in the vehicles],” he says.

Wadhwa says Ford also uses internal ethical hacking teams as well as third-party consultants to test out the security of the Sync features.

“They are proud that they enable WPA2 and a firewall by default on the access point, perform pairing over Bluetooth, and have some arbitrary DRM for preventing swapping hard drives of MP3s. It all sounds like pretty vanilla stuff, anything a decent home network set-up has,” says Nate Lawson, principal with Root Labs.

Wadhwa says Ford isn’t aware of any car-hacking incidents with its vehicles to date. “We do not want to have any incidents in the first place,” he says. “We are connecting consumer-grade devices [in the vehicle], and we want to make sure out of the chute we are protected from any bad devices out there, like memory sticks or whatever they put [into the vehicle],” he says.

Wadhwa says the hardware-based firewall technology is made up of two “separate entities” so that the consumer side of the firewall that handles what can connect can’t pass information to the vehicle’s processor, or vice versa.

All of Ford’s vehicles in the next five years will come with the secure WiFi option, according to Ford.

Meanwhile, the automaker’s Sync service, which comes standard in some higher-end models and for an optional monthly fee in other models, already comes with phone-pairing protection, an encrypted jukebox hard drive for the driver’s music library, a valet-mode option that locks all programmed navigation destinations from view, an engine immobilizer, and keyless entry features.

Source


Mar 8 2010

Theoretical Breakthrough For Quantum Cryptography

Quantum cryptography only works if Alice and Bob share their relative positions in advance. Now physicists have worked out how to do it without this information.

The world of cryptography is currently undergoing a quantum revolution. The weird laws of quantum mechanics allow cryptographers to create codes that guarantee perfect secrecy. Until recently, the best cryptographers could aim for was just pretty good secrecy with codes that were always compromised in some way or another. Quantum cryptography, on the other hand, is perfect: theoretically and practically secure.

A few companies have even sprung up to sell the gear that can send perfectly secure messages, mainly to banks and governments (although the gear itself creates some loopholes that eavesdroppers can attack).

But it’s still early days for this technology and naturally it suffers from several drawbacks. For example, one well known limitation is that quantum cryptography can only be used over point-to-point connections and not through networks where data has to be routed. That’s because the routing process destroys the quantum properties of the photons used to secure messages.

A lesser known limitation is that the sender and receiver of quantum encrypted messages–the famous Alice and Bob–must be perfectly aligned so that they can carry out well-defined polarisation measurements on the photons as they arrive. Physicists say that Alice and Bob must share the same reference frame.

That’s not so hard to do when Alice and Bob are both based in labs on the ground. But it’s much harder when one or the other is moving, in a satellite, for example, which would be both spinning and orbiting the Earth.

Today, Anthony Laing from the University of Bristol and a few pals show how to get round this. The trick is to use entangled triplets of photons, so-called qutrits, rather than entangled pairs.

This solves the problem by embedding it in an extra abstract dimension, which is independent of space. So as long as both Alice and Bob know the way in which all these abstract dimensions are related, the third provides a reference against which measurements of the other two can be made.

That allows Alice and Bob to make any measurements they need without having to agree ahead of time on a frame of reference. There is one proviso: Alice and Bob cannot move too quickly during the measurements since this changes their relative orientation and a new qutrit will be needed to establish a reference.
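The following Python script is an added illustration of the principle described above; it is not part of the original article and not code from Laing and colleagues. It models Alice and Bob sharing a single measurement axis (Z here, standing in for the article’s shared reference) while their other two axes differ by an unknown rotation angle beta. The correlation values for an ideal entangled pair are constructed for the demonstration, and the rotation-invariant combination C is the one used in the cited arXiv paper, which is an assumption about that paper rather than something the article itself states.

```python
"""Reference-frame-independent correlations: one shared axis, two unaligned axes."""
import math

# Constructed ideal correlations for the two-photon state |Phi+> = (|00> + |11>)/sqrt(2)
# measured in a frame where Alice's and Bob's X, Y, Z axes coincide:
IDEAL = {"XX": 1.0, "XY": 0.0, "YX": 0.0, "YY": -1.0, "ZZ": 1.0}


def rotated_correlations(beta: float, corr: dict = IDEAL) -> dict:
    """Correlations seen when Bob's X/Y axes are turned by an unknown angle beta
    about the shared Z axis: X' = cos(b) X + sin(b) Y, Y' = -sin(b) X + cos(b) Y."""
    c, s = math.cos(beta), math.sin(beta)
    return {
        "XX": c * corr["XX"] + s * corr["XY"],
        "XY": -s * corr["XX"] + c * corr["XY"],
        "YX": c * corr["YX"] + s * corr["YY"],
        "YY": -s * corr["YX"] + c * corr["YY"],
        "ZZ": corr["ZZ"],  # the reference axis is untouched by the rotation
    }


def frame_invariant(corr: dict) -> float:
    """C = <XX>^2 + <XY>^2 + <YX>^2 + <YY>^2, the quantity Alice and Bob can
    evaluate without knowing beta (C = 2 for a perfect maximally entangled state)."""
    return sum(corr[k] ** 2 for k in ("XX", "XY", "YX", "YY"))


def depolarised(p: float, corr: dict = IDEAL) -> dict:
    """Mix in white noise with probability p: every correlation shrinks by (1 - p)."""
    return {k: (1.0 - p) * v for k, v in corr.items()}


def averaged_over_drift(betas, corr: dict = IDEAL) -> dict:
    """Correlations accumulated while beta changes across one block of measurements,
    i.e. the parties moved during the block (the proviso in the article)."""
    n = len(betas)
    total = {k: 0.0 for k in corr}
    for b in betas:
        for k, v in rotated_correlations(b, corr).items():
            total[k] += v / n
    return total


if __name__ == "__main__":
    for beta in (0.0, 0.7, math.pi / 2):
        r = rotated_correlations(beta)
        print(f"beta={beta:.2f}  <XX>={r['XX']:+.3f}  <ZZ>={r['ZZ']:+.1f}  C={frame_invariant(r):.3f}")
    print("noisy C:", frame_invariant(depolarised(0.5)))
    print("drifting C:", frame_invariant(averaged_over_drift([0.0, math.pi / 2])))
```

Run as-is: the individual X/Y correlations swing with beta, yet C stays at 2 and the shared-axis correlation ZZ stays at 1, so key bits from the shared axis can be checked without any agreed frame. Noise lowers C, which is how an imperfect channel shows up; averaging over a drifting beta within one block also lowers C, which is why the parties must hold still for the duration of a block.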

That’ll be useful for quantum encryption over satellite links, the kind of thing that government agencies and the military might want to do. But there’s another, more valuable application.

If quantum encryption is ever to be widely used, it’ll need to work between one microchip and another without the need to share a frame of reference in advance. That’s always been a problem because the chips inside computers are constantly on the move (relative to the wavelength of light) and because photon polarisations drift as they move through optical fibres, introducing another source of error.

That’s why quantum cryptography that is reference frame independent is an enabling technology and so potentially hugely valuable. It means that Laing and co may have made one of the key breakthroughs that will bring quantum cryptography to the masses.

Ref: arxiv.org/abs/1003.1050: Reference Frame Independent Quantum Key Distribution

Source


Mar 8 2010

As Memory Protections Advance, Exploits Stay a Step Ahead

Despite years of efforts by software security teams at major vendors to harden the operating systems and browsers that are the most common targets of attackers, exploitation of new as well as older vulnerabilities is still simpler than many people might think.

Microsoft, Mozilla, Adobe and even Apple, to some degree, have put in place technologies in their newer products that are designed to make it more difficult for attackers to exploit vulnerabilities, including unknown flaws. However, these technologies, which include DEP, ASLR and SafeSEH, are mitigations, not absolute defenses against exploitation, said Dino Dai Zovi, a researcher and chief scientist at Endgame Systems, in a talk at the RSA Conference here. As effective as some of these technologies can be, they’re not meant to eliminate the possibility of a system being compromised.

“Attack mitigation takes the universe of exploit techniques and narrows it down,” he said. “But preventing the introduction of malicious code isn’t enough to prevent malicious computations.”

Microsoft has been steadily adding memory-protection technologies such as ASLR and DEP to its products over the last few years, and they are now enabled by default in the latest versions of Windows and Internet Explorer. Address Space Layout Randomization (ASLR) is designed to make it more difficult for attackers to overwrite a specific portion of memory by randomizing the location of key areas in a process’s memory. With things in unpredictable locations, it’s much more difficult for attackers to get their data into the right place for an attack.

However, even with ASLR and Data Execution Prevention (DEP) enabled, it’s still possible to exploit vulnerabilities in the most recent versions of IE and Windows. In his talk, Dai Zovi showed a live demonstration in which he exploited the so-called Aurora IE vulnerability on Windows 7 running IE8. This configuration was thought to be immune to such attacks, but Dai Zovi was able to bypass the memory protections by using a combination of several attack techniques chained together. The presence of DEP and ASLR made the attack more difficult, but not impossible.

Dai Zovi said that while his attack worked in this instance, that’s no guarantee that a similar technique would work in another situation.

“Exploitation in the wild that bypasses DEP is pretty rare,” he said. DEP is specifically designed to prevent attackers from forcing applications to execute data from portions of memory that are designated as non-executable.

In fact, Microsoft has acknowledged the limitations of DEP from the beginning, and says that it is simply one of several tools that can help prevent memory corruption attacks.

“DEP presents a hurdle to attackers as they attempt to successfully exploit security vulnerabilities. In some cases, it is possible for an attacker to evade DEP by using an exploitation technique such as return-to-libc. DEP by itself is generally not a robust mitigation. DEP is a critical part of the broader set of exploit mitigation technologies that have been developed by Microsoft such as ASLR, SEHOP, SafeSEH, and /GS. These mitigation technologies complement one another; for example DEP’s weaknesses tend to be offset by ASLR and vice versa. DEP and ASLR used together are very difficult to bypass. The known bypasses that exist have been tied to specific application contexts (such as the IE7 and earlier bypass from Mark Dowd and Alex Sotirov),” Microsoft’s Robert Hensing wrote last year.

But, as Dai Zovi and others have shown, even with these technologies enabled, exploitation is still possible. Attackers have begun using third-party applications to bypass ASLR and DEP on Windows recently. A researcher named Dionysus Blazakis showed in February how he could use a technique called JIT-spraying to exploit a vulnerability in Adobe Flash and bypass both ASLR and DEP. This scenario is not something that Microsoft security engineers would have contemplated or been able to prevent on their end; it’s a result of the complex interactions among applications in production environments, not test labs.
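DEP and ASLR are opt-in per image on Windows: the linker records them as bits in the PE optional header’s DllCharacteristics field, and a single third-party module loaded without them hands an attacker a predictable, executable region, which is the weakness the paragraph above describes. The script below is an added example (not from the article, Dai Zovi, or Microsoft) that reads those bits with only the Python standard library and lists the modules in a process that lack them. The sample images, module names and the minimal PE builder are constructed for the demonstration; the flag values and header offsets are from the PE/COFF specification.

```python
"""Read the per-image DEP/ASLR opt-in flags from a Windows PE header (stdlib only)."""
import struct

# IMAGE_DLLCHARACTERISTICS_* bits in the optional header (PE/COFF specification)
DYNAMIC_BASE = 0x0040   # image may be relocated at load time: ASLR-compatible (/DYNAMICBASE)
NX_COMPAT = 0x0100      # image declares DEP compatibility (/NXCOMPAT)
NO_SEH = 0x0400         # image uses no structured exception handlers at all


def pe_mitigations(data: bytes) -> dict:
    """Parse the DOS, COFF and optional headers and report the mitigation opt-in bits."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 72:
        raise ValueError("optional header too short to carry DllCharacteristics")
    (magic,) = struct.unpack_from("<H", data, opt)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "unknown"),
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "dep": bool(dll_chars & NX_COMPAT),
        "no_seh": bool(dll_chars & NO_SEH),
    }


def modules_without_mitigations(modules: dict) -> list:
    """Return the names of loaded images that lack ASLR or DEP opt-in.

    One such module in a process yields a predictable code address, the
    third-party-application weakness the article describes.
    """
    weak = []
    for name, blob in modules.items():
        info = pe_mitigations(blob)
        if not (info["aslr"] and info["dep"]):
            weak.append(name)
    return sorted(weak)


def _build_pe(dll_characteristics: int, pe32plus: bool = True) -> bytes:
    """Construct a minimal PE image (DOS header + NT headers only) for the demo.

    Hypothetical bytes, not a real binary: just enough structure for the parser above.
    """
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)          # e_lfanew -> NT headers at 64
    magic = 0x20B if pe32plus else 0x10B
    opt = struct.pack("<H", magic) + b"\x00" * 68                   # fields up to Subsystem
    opt += struct.pack("<H", dll_characteristics) + b"\x00" * 8     # DllCharacteristics + padding
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), 0x0022)
    return dos + b"PE\x00\x00" + coff + opt


# Constructed sample images: a hardened executable and a legacy plugin built without either flag
HARDENED_EXE = _build_pe(DYNAMIC_BASE | NX_COMPAT)
LEGACY_PLUGIN = _build_pe(0x0000, pe32plus=False)

if __name__ == "__main__":
    loaded = {"app.exe": HARDENED_EXE, "legacy_plugin.dll": LEGACY_PLUGIN}
    for name, blob in loaded.items():
        print(name, pe_mitigations(blob))
    print("modules without ASLR/DEP opt-in:", modules_without_mitigations(loaded))
```

To inspect a real image, pass `open(path, "rb").read()` to `pe_mitigations`. Two caveats a practitioner should keep in mind: the header bits only express what the image asks for, and the system DEP policy (OptIn, OptOut, AlwaysOn, AlwaysOff) decides what the process actually gets; and SafeSEH and /GS leave no trace in DllCharacteristics (SafeSEH lives in the load configuration directory, /GS in the code itself), so this check covers DEP and ASLR only.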

“Systems fail more because of implementation than theory. The real world is complicated,” Dai Zovi said.

Source


Mar 2 2010

Cloud Security Alliance To Tackle Cloud Standards

Novell and the Cloud Security Alliance have announced a vendor-neutral “Trusted Cloud Initiative” for developing standards and certification of cloud security, compliance, identity management and other best practices.

While cloud computing is a popular topic, it lacks a set of well-defined terms and standards that tell prospective users concrete information about the environment they’re about to adopt.

Businesses considering adopting cloud computing lack assurances they will be able to continue to control their data, enforce best practices and guarantee security, said Jim Reavis, executive director of the Cloud Security Alliance Monday.

The Cloud Security Alliance is a group of consultants, vendors, and cloud users that formed a non-profit group at the end of 2008 to address the lack of standards for cloud computing.

If a prospective cloud user and a vendor talk about level three security in the cloud, one may have a completely different idea of what the other is saying. There are no defined levels of security in cloud computing, and it’s difficult to get a discussion going when one party can’t be sure of the terms that the other is using. The Trusted Cloud Initiative is aimed in part at creating a shared set of standards that can be verified by neutral third parties.

“By building a consensus security reference guide and certification roadmap, we are creating common ground for both enterprises and cloud providers, and expect to accelerate cloud adoption,” said Alan Boehme, senior VP IT strategy and enterprise architecture at ING Americas, a branch of the Dutch insurance conglomerate, in Monday’s announcement. Boehme is a member of the board of directors of the Cloud Security Alliance.

“Our customers need a visible seal of trust. We strongly believe education, clarity, and industry-approved security guidelines will propel the adoption of cloud computing,” said Dipto Chakravarty, VP of engineering, Identity and Security unit at Novell. Reavis said Novell proposed launching the Trusted Cloud Initiative with the alliance.

The initiative will define a roadmap and certification criteria for secure cloud computing. Members of the Cloud Security Alliance include Microsoft, Dell, Rackspace, Qualys, HP, Intel, Cisco, McAfee, Salesforce.com, Symantec, the DMTF (formerly Distributed Management Task Force) standards body, and the Information Systems Audit and Control Association (ISACA).

The initiative is co-chaired by Nick Nikols, VP of product management for Novell’s Identity and Security unit, and Liam Lynch, chief security strategist for eBay.

Nils Puhlmann, chief security officer at Zynga Game Network, a producer of online social games, including FarmVille, said the alliance will pay attention to other standards efforts and adopt them, whenever it can.

“We are committed to aligning the Trusted Cloud Initiative with other standards efforts,” he said in the announcement. But the alliance will be responsible for “assembling the reference model and certification criteria from existing standards, and we will complete it in 2010,” he said.

Source


Feb 25 2010

Temporary cryptome.org site online after Network Solutions “Legal Lock”

The web site cryptome.org is currently online at http://cryptomeorg.siteprotect.net/ until the domain can be transferred away from Network Solutions. The following is from the temporary site:

This is the temporary Cryptome address until the Cryptome.org domain is transferred. Network Solutions shut Cryptome.org and has placed a “legal lock” on the domain name, preventing its transfer, until the “dispute” is settled. Some recent files are available now and the full collection is being transferred.


Feb 4 2010

House Passes Cybersecurity Bill

The House today overwhelmingly passed a bill aimed at building up the United States’ cybersecurity army and expertise, amid growing alarm over the country’s vulnerability online.

The bill, which passed 422-5, requires the Obama administration to conduct an agency-by-agency assessment of cybersecurity workforce skills and establishes a scholarship program for undergraduate and graduate students who agree to work as cybersecurity specialists for the government after graduation.

As officials puzzle over how to defend the nation from enemies that are often impossible to pinpoint, the lawmakers behind the bill said education and recruitment are crucial.

“Investing in cybersecurity is the Manhattan Project of our generation,” Representative Michael Arcuri, Democrat of New York, a sponsor of the bill, said on the House floor Wednesday. “But this time around we are facing a far greater threat. Nearly every high school hacker has the potential to hamper our unfettered access to the Internet. Just imagine what a rogue state could do.”

Mr. Arcuri said that the federal government will need to hire between 500 and 1,000 more “cyber warriors” each year to keep up with potential enemies. Troops online “are every bit as important to our security as a soldier in our field,” he said.

The Cybersecurity Enhancement Act, H.R. 4061, a major information security bill, closely follows a warning by Dennis Blair, the director of National Intelligence, who told lawmakers this week that computer-related attacks were becoming increasingly malicious.

The government’s four-year review of Defense Department strategies, also issued this week, stated that large-scale cyberattacks could massively disable or hurt international financial, commercial and physical infrastructure.

Mr. Obama has said cybersecurity is one of his top priorities and between the fallout from the attack on Google’s computers in January and the more modest hacking of Web sites of 49 House members and committees last week, the risk is felt acutely in Washington.

Still, the budget proposal the administration delivered to Congress Monday cut funding for the Homeland Security Department’s cybersecurity division.

There is no companion bill in the Senate, but senators are working on several unrelated information security bills.

The bill is based on Mr. Obama’s review of cyberspace policies across the federal government in May 2009. It authorizes a single entity, the director of the National Institute of Standards and Technology, to represent the government in negotiations over international standards, and orders the White House office of technology to convene a cybersecurity university-industry task force to guide the direction of future research.

It also directs the National Science Foundation to research the social and behavioral aspects of cybersecurity, like how people interact with their computers and manage their online identities, in order to establish a new, more accessible awareness and education campaign.

Source


Feb 4 2010

Sun’s Chief Executive Tweets His Resignation

Jonathan Schwartz, the last chief executive of Sun Microsystems, has become the first Fortune 200 boss to tweet his resignation.

Late Wednesday night, Mr. Schwartz used Twitter to publish a haiku about his exit from Oracle, which just completed its purchase of Sun last week.

“Financial crisis/Stalled too many customers/CEO no more,” Mr. Schwartz wrote.

Mr. Schwartz has been fond of using the Internet as a soapbox. At Sun, he became the first chief executive of a major company to put up his own blog. Mr. Schwartz also pushed the Securities and Exchange Commission to put blogs on equal footing with press releases and filings when it comes to disclosing critical business matters to investors.

Mr. Schwartz replaced Sun’s co-founder, Scott McNealy, as chief executive in 2006, inheriting a company that had been suffering from declining sales ever since the dot-com bust.

One of the most dramatic moves made during Mr. Schwartz’s tenure as chief executive was Sun’s decision to release the vast majority of its top software products under open-source licenses. The company hoped that broad developer interest in its software products would help attract new customers and translate into sales of other products like computer servers and storage systems.

However, Sun struggled to post consistent results and its sales continued to decline. The recession only exacerbated matters, as Sun depended on sales to many of the financial companies that were pummeled by the downturn.

I.B.M. moved to acquire Sun, only to have negotiations stall, opening the door for Oracle.

Oracle’s chief executive, Larry Ellison, is not especially fond of Mr. Schwartz. In an interview last week, Mr. Ellison said he fully expected Mr. Schwartz to resign rather than play a role in the combined company.

As for what’s next, Mr. Schwartz said in an e-mail: “In the short run, I’m planning to spend some long overdue time with my family. Longer run, with a few million businesses and a few billion consumers on the Web, rumor has it there are some interesting opportunities to be had.”

Source


Feb 3 2010

Apache HTTP Server 1.3’s final update released

The Apache HTTP Server developers have released version 1.3.42 of the popular web server, noting that this will be the last update for the 1.3 series. The release of 1.3.42 is a bug fix and security release, with one moderate security flaw in mod_proxy fixed by preventing integer overflow on platforms where the size of an integer variable in memory was less than that of a long variable.

The developers strongly recommend that users of all earlier releases upgrade to the current series, Apache HTTP Server 2.2, as soon as possible. The latest version of the 2.2 series is 2.2.14 which was released in October 2009. Although this is the last full release of Apache HTTP Server 1.3, critical security updates may be made available as patches on the Apache site in the future.

Source


Jan 27 2010

Most Hospitals Increasing IT Spending

Three quarters of small to mid-sized hospitals in the U.S. plan to increase their IT budgets this year, with clinical point-of-care systems being the top IT priority, says a new survey.

The U.S. government’s health IT stimulus programs are apparently driving many of these hospitals’ IT plans.

Government regulatory matters, followed by financial incentives, were named as the top issues driving healthcare over the next two years, said the respondents to a survey conducted by the Healthcare Information and Management Systems Society (HIMSS) last October and released Wednesday.

HIMSS’ phone survey of 202 IT executives at small to mid-sized hospitals included 125 CIOs, CTOs, VPs and directors of IT in the U.S. and 77 in other countries, including Canada, the U.K., Germany, France and China.

The hospitals ranged from 100 to 400 beds and did not include U.S. hospitals run by the federal government, such as VA facilities.

About 76% of U.S. hospital IT executives surveyed said they planned to increase IT spending this year, while 17% expected no change in spending and only 8% predicted reduced budgets.

While this particular survey of small to mid-sized hospitals is new for HIMSS, an annual HIMSS leadership survey early last year found that only 55% of IT executives in a wider pool of U.S. hospitals of varying sizes expected to increase their budgets, said Jennifer Horowitz, senior director at HIMSS Analytics, the research arm of HIMSS.

Overwhelmingly, hospitals in the U.S. are focused on an explosion in clinical data, including images, over the next two years.

Much of that data is expected to come from deployments of e-medical record systems as these hospitals race to participate in the U.S. federal government’s $20 billion stimulus program that rewards healthcare providers for their meaningful use of health IT systems starting in 2011.

In the U.S., 55% of respondents named point-of-care systems as their top priority, followed by data exchange (14%), leveraging data (12%), infrastructure (10%), administrative efficiency (2%), with the rest answering “other” or “don’t know.”

Answers from hospital IT executives from other countries were overall similar to U.S. hospitals’ priorities, although the biggest differences were in how other countries ranked priorities such as data exchange (lower at 4%) and administrative efficiency (higher at 14%). Outside the U.S., 48% of hospital IT executives named point-of-care as their biggest IT priority.

Overall, U.S. hospitals have more complex IT hardware environments than hospitals in other countries. U.S. survey respondents have an average of 75 servers in their hospitals, and one-third of U.S. hospitals have not yet begun to virtualize their data centers.

Often, there is one server per application at U.S. hospitals, said Jamie Coffin, VP and general manager of Dell Computer’s healthcare and life sciences business, which sponsored the HIMSS survey. As hospitals plan for the explosion of data and storage needs, virtualization can help rein in the proliferation of multiple underutilized servers and storage devices and reduce costs, he said.

Source


Jan 13 2010

Google threatens to leave China after massive cyberattacks

Google today said that a “highly sophisticated and targeted” attack against its network last month originated in China, and tried to access the Gmail accounts of Chinese human rights activists.

In a blog post Tuesday, David Drummond, Google’s chief legal officer, said that attacks have forced the company to “review the feasibility of our business operations in China.” Google, continued Drummond, is “no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all.”

The end result of those discussions, said Drummond, may be that Google shuts down its search engine and closes its offices in the People’s Republic of China.

“This is a bold and a very difficult move on [Google's] part,” said Leslie Harris, the president and CEO of the Center for Democracy & Technology (CDT), a Washington, D.C.-based civil liberties group. “But with the revelations that there have been major cyber attacks aimed at human rights activists, both in China and in the West, it’s hard to see how Google could have remained silent.”

According to Drummond, Google was one of at least 20 large companies that were targeted by massive attacks in December. In Google’s case, the attacks resulted in the theft of some company intellectual property.

More troubling, said Drummond, was that the attacks were aimed at accessing the Gmail accounts of human rights activists in China. Gmail is officially unavailable in the country, but activists and others use anonymous proxies to circumvent that rule.

“We have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists,” said Drummond, who added that with the exception of two accounts, those attacks had been unsuccessful. The message content of those accounts was not compromised, Drummond claimed; instead, only some information, such as subject lines and the date the account was created, was accessed.

Drummond also said Google had discovered that the Gmail accounts of dozens of U.S.- and Europe-based advocates of human rights in China had been “routinely” accessed by unauthorized users.

“We have taken the unusual step of sharing information about these attacks with a broad audience not just because of the security and human rights implications of what we have unearthed, but also because this information goes to the heart of a much bigger global debate about freedom of speech,” said Drummond.

Source