data encryption software

Hardware giant narrowly averts PC security nightmare

April 6th, 2013

American Megatrends, a company that specializes in PC hardware and firmware, has tried to calm the rising panic over the leak of cryptographic signing keys and source code for its UEFI (Unified Extensible Firmware Interface) BIOS, the code that starts up millions of computers around the world. The leak came to light after Adam Caudill, a security researcher and penetration tester from the United States, received a warning from his research partner Brandon Wilson about a Taiwanese vendor that had left an FTP (File Transfer Protocol) server open for public browsing and downloading. The incident poses a fresh and more serious challenge for computer protection, since by using encryption software the vendor could easily have averted such a mishap.

Among internal emails and other data, the haul included the source code for American Megatrends Incorporated’s UEFI BIOS and the cryptographic signing keys used to verify it. It was therefore in American Megatrends’ keen interest to use proper encryption software for its computer protection, in order to stop security leaks from threatening it every now and then. With access to the source code for the UEFI BIOS and to the cryptographic signing keys used to verify the binary programs, researchers feared, attackers might create and/or disseminate malicious updates, which in turn could be used to compromise and control millions of computers worldwide for a long time to come. “This kind of leak is a dream come true for advanced corporate espionage or intelligence operations,” Caudill said. “The ability to create a nearly undetectable, permanent hole in a system’s security is an ideal scenario for covert information collection,” he continued.

BIOS, or the basic input/output system, is code stored in non-volatile read-only memory on personal computers and other similar devices. It runs only when a device starts up: it initialises hardware such as the keyboard, storage and video, and then loads the operating system. The company started developing a Unified Extensible Firmware Interface in 2005 to overcome the limitations of the original Basic Input Output System (BIOS) specifications, which were designed for the basic 16-bit computers of decades ago, and to provide further features such as cryptographic security for booting up. American Megatrends claims to be the largest BIOS vendor in the world. In its response to Caudill and Wilson’s findings, the company revealed that the security keys on the FTP server were in fact meant for testing and were not used for production systems.

Subramonian Shankar, Chief Executive and Co-founder of American Megatrends, stated in an interview after the security leak that “while today’s news is certainly distressing, AMI would like to reassure its customers and partners in no uncertain terms that this should not be a security concern for them.” Caudill noted afterwards that while AMI instructed all vendors using its UEFI BIOS to change the key before building for a production environment, it is not yet known whether the customer with the open FTP server was following that practice. Caudill did not reveal which Taiwanese vendor had leaked the information.

Get your personal as well as office laptops encrypted by Alertsec

With so much vulnerability on public networks, unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen. Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.


Apple App Store Unsecure

March 21st, 2013

According to Google security researcher Elie Bursztein, Apple’s App Store servers didn’t encrypt all communications with iOS clients, which left users exposed to several potential cyber attacks until late January.

In a blog post on Friday, Bursztein said, “The Apple App Store and associated applications, such as the Newsstand, are native applications provided by default with iOS to access and/ or purchase content from the Apple App Store.” He concluded, “While the Apple App Store is a native iOS app, most of its active content, including app pages and the update page, is dynamically rendered from server data.” Network attackers might have exploited the lack of HTTPS (HTTP Secure) encryption for certain parts of the communication between Apple’s App Store iOS clients and the servers in order to inject rogue content into the application, he said. With this technique, attackers could trick Apple users into exposing their passwords by injecting fake password prompts into the App Store app, force users to install and buy rogue applications by altering purchase parameters on the fly, trick users into installing rogue apps by passing them off as updates for already installed apps, prevent users from upgrading or installing specific apps, or check which apps they have already installed on their devices.

Such attacks were possible until Jan 23, when the tech giant enabled HTTPS by default for App Store active content. Apple later noted the change itself in a support listing of fixes on its website and credited Bursztein and two other researchers with reporting the issues. Exposure of this kind arises because users’ devices are not protected with data encryption software, which is vital for any device that relies on technology. This calls for data security.

The Google researcher claims to have reported the cyber attacks to Apple early in July last year. “I am really happy that my spare-time work pushed Apple to finally enable HTTPS to protect users,” he said. He also emphasized using data encryption software.

Like most cyber attack scenarios that exploit weak data security and the lack of full-session HTTPS on websites, the App Store attacks found by Bursztein could easily have been executed against iOS users connected to public Wi-Fi networks, such as those found in airports, coffee shops, libraries, filling stations and other public spaces.

The researcher described all of these cyber attacks in detail in his blog post. He also published a few video demonstrations on YouTube, for clients and users in general, showing how the cyber attacks would have appeared to targeted iOS users.

“I decided to render all those attacks public, in hope that it will lead more developers (in particular mobile ones) to enable HTTPS,” he said. “Enabling HTTPS and ensuring certificates validity is the most important thing you can do to secure your app communication.” Before doing so, always keep data security in mind.

Over the past few years, major Internet giants like Facebook, Google, and Twitter have enabled always-on HTTPS to ensure users’ data security for their online services.

Paul Ducklin, the head of technology at Sophos (Asia-Pacific), wrote in a blog post on Saturday, “Apple, it seems, didn’t bother with HTTPS everywhere, even for its own App Store, until 2013.” He added, “Since there’s no other place to shop when you’re buying or selling iDevice software, and since Apple likes it that way, you might think that Cupertino would have set the bar a bit higher.”
