Archive for the ‘Apps’ Category

Google’s Dart language heads for standardization with new Ecma committee

Friday, December 13th, 2013

Ecma, the same organization that governs the standardization and development of JavaScript (or “EcmaScript” as it’s known in standardese), has created a committee to oversee the publication of a standard for Google’s alternative Web language, Dart.

Technical Committee 52 will develop standards for Dart language and libraries, create test suites to verify conformance with the standards, and oversee Dart’s future development. Other technical committees within Ecma perform similar work for EcmaScript, C#, and the Eiffel language.

Google released version 1.0 of the Dart SDK last month and believes that the language is sufficiently stable and mature to be both used in a production capacity and put on the track toward creating a formal standard. The company asserts that this will be an important step toward embedding native Dart support within browsers.

Source:  arstechnica.com

HP: 90 percent of Apple iOS mobile apps show security vulnerabilities

Tuesday, November 19th, 2013

HP today said security testing it conducted on more than 2,000 Apple iOS mobile apps developed for commercial use by some 600 large companies in 50 countries showed that nine out of 10 had serious vulnerabilities.

Mike Armistead, HP vice president and general manager, said testing was done on apps from 22 iTunes App Store categories that are used for business-to-consumer or business-to-business purposes, such as banking or retailing. HP said 97 percent of these apps inappropriately accessed private information sources within a device, and 86 percent proved to be vulnerable to attacks such as SQL injection.

The Apple guidelines for developing iOS apps help developers but this doesn’t go far enough in terms of security, says Armistead. Mobile apps are being used to extend the corporate website to mobile devices, but companies in the process “are opening up their attack surfaces,” he says.

In its summary of the testing, HP said 86 percent of the apps tested lacked the means to protect themselves from common exploits, such as misuse of encrypted data, cross-site scripting and insecure transmission of data.

The same number did not have security built in during the early part of the development process, according to HP. Three quarters “did not use proper encryption techniques when storing data on mobile devices, which leaves unencrypted data accessible to an attacker.” A large number of the apps didn’t implement SSL/HTTPS correctly. To discover weaknesses in apps, developers need to adopt practices such as application security scanning, penetration testing and a secure development life-cycle approach, HP advises.

The need to develop mobile apps quickly for business purposes is one of the main contributing factors leading to weaknesses in these apps made available for public download, according to HP. And the weakness on the mobile side is impacting the server side as well.

“It is our earnest belief that the pace and cost of development in the mobile space has hampered security efforts,” HP says in its report, adding that “mobile application security is still in its infancy.”

Source:  infoworld.com

Top three indicators of compromised web servers

Thursday, October 24th, 2013

You slowly push open your unusually unlocked door only to find that your home is ransacked. A broken window, missing cash, all signs that someone has broken in and you have been robbed.

In the physical world it is very easy to understand what an indicator of compromise would mean for a robbery. It would simply be all the things that clue you in to the event’s occurrence. In the digital world however, things are another story.

My area of expertise is breaking into web applications. I’ve spent many years as a penetration tester attempting to gain access to internal networks through web applications connected to the Internet. I developed this expertise because of the prevalence of exploitable vulnerabilities that made it simple to achieve my goal. In a world of phishing and drive-by downloads, the web layer is often a complicated, overlooked compromise domain.

A perimeter web server is a gem of a host to control for any would-be attacker. It often enjoys full Internet connectivity with minimal downtime while also providing an internal connection to the target network. These servers are routinely expected to experience attacks, heavy user traffic, bad login attempts, and many other characteristics that allow a real compromise to blend in with “normal” behavior. The nature of many web applications running on these servers is such that encoding, obfuscation, file write operations, and even interaction with the underlying operating system are all natively supported, providing much of the functionality an attacker needs to do their bidding. Perimeter web servers can also be used after a compromise has occurred elsewhere in the network to retain remote access so that pesky two-factor VPNs can be avoided.

With all the reasons an attacker has to go after a web server, it’s a wonder that there isn’t a wealth of information available for detecting a server compromise by way of the application layer. Perhaps the sheer number of web servers, application frameworks, components, and web applications makes it difficult for any analyst to approach the problem with a common set of indicators. While this is certainly no easy task, there are a few common areas that can be evaluated to detect a compromise with a high degree of success.

#1 Web shells

Often the product of vulnerable image uploaders and other poorly controlled file write operations, a web shell is simply a file that has been written to the web server’s file system for the purpose of executing commands. Web shells are most commonly text files with the appropriate extension to allow execution by the underlying application framework, an obvious example being commandshell.php or cmd.aspx. Viewing the text file generally reveals code that allows an attacker to interact with the underlying operating system via built-in calls such as the ProcessStartInfo() constructor in .NET or the system() call in PHP. The presence of a web shell on any web server is a clear indicator of compromise in virtually every situation.

Web shell IOCs (Indicators of Compromise)

  • Scan all files in the web root for operating system calls, given the installed application frameworks
  • Check for the existence of executable files or web application code in upload directories or other non-standard locations
  • Parse web server logs to detect commands being passed in GET requests, or successive POST requests, to suspicious web scripts
  • Flag new processes created by the web server process; it should rarely, if ever, need to launch cmd.exe
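The first two indicators above (operating-system calls in web-root files, and executable or script files sitting in upload directories) can be turned into a simple file-system sweep. The Python script below is an added example written for this page, not code from the article or its author. The extension lists, upload-directory names and call patterns are assumptions to be tuned for the frameworks actually installed, and the web root it builds is constructed fixture data: the "shell-like" files contain only the call markers the scanner looks for, not functional shells.

```python
import re
import tempfile
from pathlib import Path

# Extensions the application framework would execute if requested over HTTP.
# Assumed list; adjust to the frameworks actually installed on the server.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".asp", ".aspx", ".jsp", ".jspx", ".cgi"}
# Native executables that have no business sitting under an upload directory.
BINARY_EXTENSIONS = {".exe", ".dll", ".sh", ".bat"}
# Directory names that should only ever hold user-supplied data (assumed names).
DEFAULT_UPLOAD_DIRS = {"uploads", "upload", "files", "attachments"}

# Operating-system call markers per framework: the ones named in the article
# plus a few common PHP equivalents. Each entry is a (regex, label) pair.
OS_CALL_PATTERNS = [
    (r"\bsystem\s*\(", "php/perl system()"),
    (r"\b(shell_exec|passthru|popen|proc_open)\s*\(", "php process execution"),
    (r"\beval\s*\(\s*base64_decode\s*\(", "php eval of base64 payload"),
    (r"\bProcessStartInfo\b", ".NET ProcessStartInfo"),
    (r"\bRuntime\.getRuntime\(\)\.exec\s*\(", "Java Runtime.exec"),
]


def scan_web_root(root, upload_dirs=DEFAULT_UPLOAD_DIRS):
    """Return (relative_path, reason) pairs for files matching a web-shell IOC."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        ext = path.suffix.lower()
        # Only parent directories count, never the file name itself.
        in_upload_dir = any(part.lower() in upload_dirs for part in rel.parts[:-1])
        if in_upload_dir and ext in SCRIPT_EXTENSIONS:
            findings.append((rel.as_posix(), "script file in upload directory"))
        if in_upload_dir and ext in BINARY_EXTENSIONS:
            findings.append((rel.as_posix(), "executable file in upload directory"))
        if ext in SCRIPT_EXTENSIONS:
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            for pattern, label in OS_CALL_PATTERNS:
                if re.search(pattern, text):
                    findings.append((rel.as_posix(), label))
    return findings


def build_sample_webroot():
    """Create a throwaway web root of constructed fixture files (not a real site).

    The files that trip the scanner contain only the call markers it looks for;
    they are not functional shells.
    """
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
    (root / "uploads").mkdir()
    (root / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff fake jpeg bytes")
    (root / "uploads" / "img.php").write_text("<?php system('uptime'); ?>\n")
    (root / "uploads" / "tool.exe").write_bytes(b"MZ fake executable")
    (root / "app").mkdir()
    (root / "app" / "cmd.aspx").write_text(
        '<%@ Page Language="C#" %>\n'
        '<% var psi = new System.Diagnostics.ProcessStartInfo(); %>\n'
    )
    return root


if __name__ == "__main__":
    for rel, reason in sorted(scan_web_root(build_sample_webroot())):
        print(f"{reason:38s} {rel}")
```

On a real server, run the sweep against the deployed web root and diff the results against a baseline taken at deployment time: legitimate application code may call system() too, so the useful signal is a file that matches a pattern and was not there last time, or that sits under a directory that should only hold uploads.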

#2 Administrative interfaces

Many web application frameworks and custom web applications have some form of administrative interface. These interfaces often suffer from password issues and other vulnerabilities that allow an attacker to gain access to this component. Once inside, an attacker can utilize all of the built-in functionality to further compromise the host or its users. While each application will have its own unique logging and available functionality, there are some common IOCs that should be investigated.

Admin interface IOCs

  • Unplanned deployment events such as pushing out a .war file in a Java based application
  • Modification of user accounts
  • Creation or editing of scheduled tasks or maintenance events
  • Unplanned configuration updates or backup operations
  • Failed or non-standard login events

#3 General attack activity

The typical web hacker will not fire up their favorite commercial security scanner to try and find ways into your web application; they tend to prefer a more manual approach. An attacker’s ability to quietly test your web application for exploitable vulnerabilities makes this a high-reward, low-risk activity. During this investigation the intruder will focus on the exploits that lead them to their goal of obtaining access. A keen eye can detect some of this activity and isolate it to a source.

General attack IOCs

  • Scan web server logs for HTTP 500 errors and for errors handled within the application itself. Database errors (SQL injection), path errors (file write or read operations) and permission errors are prime candidates to indicate an issue
  • Known sensitive file access via the web server process. Investigate whether web configuration files like WEB-INF/web.xml, sensitive operating system files like /etc/passwd, or fixed-location operating system files like C:\WINDOWS\system.ini have been accessed via the web server process.
  • Advanced search engine operators in referrer headers. A normal visitor rarely arrives at your site directly from a Google search such as inurl:foo ext:bar
  • Large quantities of 404 page-not-found errors with suspicious file names may indicate an attempt to access un-linked areas of an application
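The log-based indicators (500 errors, sensitive file access, search operators in referrers, bursts of 404s, together with the web-shell item above about commands in GET requests and successive POSTs to suspicious scripts) can all be checked in a single pass over the access log. The Python below is an added example written for this page, not the article’s own code. It assumes Apache/nginx combined log format; the thresholds, command parameter names and upload-directory prefixes are assumptions to be tuned, and the log lines it analyses are constructed sample data with documentation-reserved IP addresses.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined" log format (assumed; adjust the regex for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Sensitive files named in the article, matched case-insensitively after URL-decoding.
SENSITIVE_PATHS = ("/etc/passwd", "web-inf/web.xml", "system.ini")
# Search-engine operators that should not appear in an ordinary visitor's referrer.
SEARCH_OPERATORS = ("inurl:", "ext:", "filetype:", "intitle:")
# Query parameter names that usually mean a command is being passed to a script (assumed).
COMMAND_PARAMS = {"cmd", "command", "exec", "execute"}
# Thresholds and upload prefixes are assumptions; tune them to the site's normal traffic.
NOTFOUND_THRESHOLD = 5
UPLOAD_POST_THRESHOLD = 3
UPLOAD_PREFIXES = ("/uploads/", "/upload/", "/files/")

# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [24/Oct/2013:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Oct/2013:10:01:09 +0000] "GET /products.php?id=1%27 HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Oct/2013:10:01:15 +0000] "GET /download.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Oct/2013:10:02:01 +0000] "GET /admin/ HTTP/1.1" 200 2210 "https://www.google.com/search?q=inurl%3Aadmin+ext%3Aphp" "Mozilla/5.0"
203.0.113.5 - - [24/Oct/2013:10:03:01 +0000] "GET /backup.zip HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Oct/2013:10:03:02 +0000] "GET /old/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Oct/2013:10:03:03 +0000] "GET /.git/config HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Oct/2013:10:03:04 +0000] "GET /config.bak HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Oct/2013:10:03:05 +0000] "GET /db.sql HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Oct/2013:10:05:30 +0000] "GET /uploads/img.php?cmd=id HTTP/1.1" 200 60 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Oct/2013:10:05:40 +0000] "POST /uploads/img.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Oct/2013:10:05:41 +0000] "POST /uploads/img.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Oct/2013:10:05:43 +0000] "POST /uploads/img.php HTTP/1.1" 200 97 "-" "Mozilla/5.0"
192.0.2.9 - - [24/Oct/2013:10:06:00 +0000] "GET /about.html HTTP/1.1" 200 3300 "https://www.google.com/search?q=acme+corp" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.rstrip())
    return m.groupdict() if m else None


def analyse(lines):
    """Run the article's log-based IOCs over an iterable of log lines.

    Returns (indicator, source_ip, detail) tuples: per-request indicators in log
    order first, then the per-source aggregates (404 bursts, repeated POSTs).
    """
    findings = []
    notfound_by_ip = Counter()
    upload_posts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip it rather than abort
        ip, status = rec["ip"], rec["status"]
        path = unquote(rec["path"])  # decode %2F etc. before matching
        lower = path.lower()
        if status == "500":
            findings.append(("server_error", ip, path))
        if any(s in lower for s in SENSITIVE_PATHS):
            findings.append(("sensitive_file_access", ip, path))
        referrer = unquote(rec["referrer"]).lower()
        if any(op in referrer for op in SEARCH_OPERATORS):
            findings.append(("search_operator_referrer", ip, rec["referrer"]))
        if status == "404":
            notfound_by_ip[ip] += 1
        if rec["method"] == "GET":
            params = {k.lower() for k in parse_qs(urlsplit(path).query)}
            if params & COMMAND_PARAMS:
                findings.append(("command_in_query", ip, path))
        if rec["method"] == "POST" and lower.startswith(UPLOAD_PREFIXES):
            upload_posts[(ip, urlsplit(lower).path)] += 1
    for ip, n in notfound_by_ip.items():
        if n >= NOTFOUND_THRESHOLD:
            findings.append(("not_found_burst", ip, f"{n} responses with status 404"))
    for (ip, script), n in upload_posts.items():
        if n >= UPLOAD_POST_THRESHOLD:
            findings.append(("repeated_post_to_upload_script", ip, f"{n} POSTs to {script}"))
    return findings


if __name__ == "__main__":
    for indicator, ip, detail in analyse(SAMPLE_LOG.splitlines()):
        print(f"{indicator:32s} {ip:14s} {detail}")
```

The per-request checks fire on single lines, which is why they are cheap but noisy; the two aggregates group by source address so that a scanner walking unlinked paths, or a client hammering a script in an upload directory, shows up as one finding with a count instead of dozens of lines. Pipe the real log in with `analyse(open("access.log"))` and raise the thresholds until the site's ordinary 404 noise stops triggering.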

Web application IOCs still suffer from the same issues as their more traditional counterparts in that the behavior of an attacker must be highly predictable to detect their activity. If we’re honest with ourselves, an attacker’s ability to avoid detection is only limited by their creativity and skill set. An advanced attacker could easily avoid creating most, if not all, of the indicators in this article. That said, many attackers are not as advanced as the media makes them out to be; even better, some of them are just plain lazy. Armed with the web-specific IOCs above, the next time you walk up to the unlocked front door of your ransacked web server, you might actually get to see who has their hand in your cookie jar.

Source:  techrepublic.com

US FDA to regulate only medical apps that could be risky if malfunctioning

Tuesday, September 24th, 2013

The FDA said the mobile platform brings its own unique risks when used for medical applications

The U.S. Food and Drug Administration intends to regulate only mobile apps that are medical devices and could pose a risk to a patient’s safety if they do not function as intended.

Some of the risks could be unique to the choice of the mobile platform. The interpretation of radiological images on a mobile device could, for example, be adversely affected by the smaller screen size, lower contrast ratio and uncontrolled ambient light of the mobile platform, the agency said in its recommendations released Monday. The FDA said it intends to take the “risks into account in assessing the appropriate regulatory oversight for these products.”

The nonbinding recommendations to developers of mobile medical apps only reflect the FDA’s current thinking on the topic, the agency said. The guidance document is being issued to clarify the small group of mobile apps which the FDA aims to scrutinize, it added.

The recommendations would leave out of FDA scrutiny a majority of mobile apps that could be classified as medical devices but pose a minimal risk to consumers, the agency said.

The FDA said it is focusing its oversight on mobile medical apps that are to be used as accessories to regulated medical devices or transform a mobile platform into a regulated medical device such as an electrocardiography machine.

“Mobile medical apps that undergo FDA review will be assessed using the same regulatory standards and risk-based approach that the agency applies to other medical devices,” the agency said.

It also clarified that its oversight would be platform neutral. Mobile apps to analyze and interpret EKG waveforms to detect heart function irregularities would be considered similar to software running on a desktop computer that serves the same function, which is already regulated.

“FDA’s oversight approach to mobile apps is focused on their functionality, just as we focus on the functionality of conventional devices. Our oversight is not determined by the platform,” the agency said in its recommendations.

The FDA has cleared about 100 mobile medical applications over the past decade of which about 40 were cleared in the past two years. The draft of the guidance was first issued in 2011.

Source:  computerworld.com

iOS and Android weaknesses allow stealthy pilfering of website credentials

Thursday, August 29th, 2013

Computer scientists have uncovered architectural weaknesses in both the iOS and Android mobile operating systems that make it possible for hackers to steal sensitive user data and login credentials for popular e-mail and storage services.

Both OSes fail to ensure that browser cookies, document files, and other sensitive content from one Internet domain are off-limits to scripts controlled by a second address without explicit permission, according to a just-published academic paper from scientists at Microsoft Research and Indiana University. The so-called same-origin policy is a fundamental security mechanism enforced by desktop browsers, but the protection is woefully missing from many iOS and Android apps. To demonstrate the threat, the researchers devised several hacks that carry out so-called cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks to surreptitiously download user data from handsets.

The most serious of the attacks worked on both iOS and Android devices and required only that an end-user click on a booby-trapped link in the official Google Plus app. Behind the scenes, a script sent instructions that caused a text-editing app known as PlainText to send documents and text input to a Dropbox account controlled by the researchers. The attack worked against other apps, including TopNotes and Nocs.

“The problem here is that iOS and Android do not have this origin-based protection to regulate the interactions between those apps and between an app and another app’s Web content,” XiaoFeng Wang, a professor in Indiana University’s School of Informatics and Computing, told Ars. “As a result, we show that origins can be crossed and the same XSS and CSRF can happen.” The paper, titled Unauthorized Origin Crossing on Mobile Platforms: Threats and Mitigation, was recently accepted by the 20th ACM Conference on Computer and Communications Security.

All your credentials belong to us

The Plaintext app in this demonstration video was not configured to work with Dropbox. But even if the app had been set up to connect to the storage service, the attack could make it connect to the attacker’s account rather than the legitimate account belonging to the user, Wang said. All that was required was for the iPad user to click on the malicious link in the Google Plus app. In the researchers’ experiments, Android devices were susceptible to the same attack.

A separate series of attacks was able to retrieve the multi-character security tokens Android apps use to access private accounts on Facebook and Dropbox. Once the credentials are exposed, attackers could use them to download photos, documents, or other sensitive files stored in the online services. The attack, which relied on a malicious app already installed on the handset, exploited the lack of same-origin policy enforcement to bypass Android’s “sandbox” security protection. Google developers explicitly designed the mechanism to prevent one app from being able to access browser cookies, contacts, and other sensitive content created by another app unless a user overrides the restriction.

All attacks described in the 12-page paper have been confirmed by Dropbox, Facebook, and the other third-party websites whose apps were tested, Wang said. Most of the vulnerabilities have been fixed, but in many cases the patches were extremely hard to develop and took months to implement. The scientists went on to create a proof-of-concept app they called Morbs that provides OS-level protection across all apps on an Android device. It works by labeling each message with information about its origin and could make it easier for developers to specify and enforce security policies based on the sites where security tokens and other sensitive information originate.

As mentioned earlier, desktop browsers have long steadfastly enforced a same-origin policy that makes it impossible for JavaScript and other code from a domain like evilhacker.com to access cookies or other sensitive content from a site like trustedbank.com. In the world of mobile apps, the central role of the browser—and the gate-keeper service it provided—has largely come undone. It’s encouraging to know that the developers of the vulnerable apps took this research so seriously. Facebook awarded the researchers at least $7,000 in bounties (which the researchers donated to charity), and Dropbox offered valuable premium services in exchange for the private vulnerability report. But depending on a patchwork of fixes from each app maker is problematic given the difficulty and time involved in coming up with patches.

A better approach is for Apple and Google developers to implement something like Morbs that works across the board.

“Our research shows that in the absence of such protection, the mobile channels can be easily abused to gain unauthorized access to a user’s sensitive resources,” the researchers—who besides Wang, included Rui Wang and Shuo Chen of Microsoft and Luyi Xing of Indiana University—wrote. “We found five cross-origin issues in popular [software development kits] and high-profile apps such as Facebook and Dropbox, which can be exploited to steal their users’ authentication credentials and other confidential information such as ‘text’ input. Moreover, without the OS support for origin-based protection, not only is app development shown to be prone to such cross-origin flaws, but the developer may also have trouble fixing the flaws even after they are discovered.”

Source:  arstechnica.com

Amazon and Microsoft, beware—VMware cloud is more ambitious than we thought

Tuesday, August 27th, 2013


Desktops, disaster recovery, IaaS, and PaaS make VMware’s cloud compelling.

VMware today announced that vCloud Hybrid Service, its first public infrastructure-as-a-service (IaaS) cloud, will become generally available in September. That’s no surprise, as we already knew it was slated to go live this quarter.

What is surprising is just how extensive the cloud will be. When first announced, vCloud Hybrid Service was described as infrastructure-as-a-service that integrates directly with VMware environments. Customers running lots of applications in-house on VMware infrastructure can use the cloud to expand their capacity without buying new hardware and manage both their on-premises and off-premises deployments as one.

That’s still the core of vCloud Hybrid Service—but in addition to the more traditional infrastructure-as-a-service, VMware will also have a desktops-as-a-service offering, letting businesses deploy virtual desktops to employees without needing any new hardware in their own data centers. There will also be disaster recovery-as-a-service, letting customers automatically replicate applications and data to vCloud Hybrid Service instead of their own data centers. Finally, support for the open source distribution of Cloud Foundry and Pivotal’s deployment of Cloud Foundry will let customers run a platform-as-a-service (PaaS) in vCloud Hybrid Service. Unlike IaaS, PaaS tends to be optimized for building and hosting applications without having to manage operating systems and virtual computing infrastructure.

While the core IaaS service and connections to on-premises deployments will be generally available in September, the other services aren’t quite ready. Both disaster recovery and desktops-as-a-service will enter beta in the fourth quarter of this year. Support for Cloud Foundry will also be available in the fourth quarter. Pricing information for vCloud Hybrid Service is available on VMware’s site. More details on how it works are available in our previous coverage.

Competitive against multiple clouds

All of this gives VMware a compelling alternative to Amazon and Microsoft. Amazon is still the clear leader in infrastructure-as-a-service and likely will be for the foreseeable future. However, VMware’s IaaS will be useful to customers who rely heavily on VMware internally and want a consistent management environment on-premises and in the cloud.

VMware and Microsoft have similar approaches, offering a virtualization platform as well as a public cloud (Windows Azure in Microsoft’s case) that integrates with customers’ on-premises deployments. By wrapping Cloud Foundry into vCloud Hybrid Service, VMware combines IaaS and PaaS into a single cloud service just as Microsoft does.

VMware is going beyond Microsoft by also offering desktops-as-a-service. We don’t have a ton of detail here, but it will be an extension of VMware’s pre-existing virtual desktop products that let customers host desktop images in their data centers and give employees remote access to them. With “VMware Horizon View Desktop-as-a-Service,” customers will be able to deploy virtual desktop infrastructure either in-house or on the VMware cloud and manage it all together. VMware’s hybrid cloud head honcho, Bill Fathers, said much of the work of adding and configuring new users will be taken care of automatically.

The disaster recovery-as-a-service builds on VMware’s Site Recovery Manager, letting customers see the public cloud as a recovery destination along with their own data centers.

“The disaster recovery use case is something we want to really dominate as a market opportunity,” Fathers said in a press conference today. At first, it will focus on using “existing replication capabilities to replicate into the vCloud Hybrid Service. Going forward, VMware will try to provide increasing levels of automation and more flexibility in configuring different disaster recovery destinations,” he said.

vCloud Hybrid Service will be hosted in VMware data centers in Las Vegas, NV, Sterling, VA, Santa Clara, CA, and Dallas, TX, as well as data centers operated by Savvis in New York and Chicago. Non-US data centers are expected to join the fun next year.

When asked if VMware will support movement of applications between vCloud Hybrid Service and other clouds, like Amazon’s, Fathers said the core focus is ensuring compatibility between customers’ existing VMware deployments and the VMware cloud. However, he said VMware is working with partners who “specialize in that level of abstraction” to allow portability of applications from VMware’s cloud to others and vice versa. Naturally, VMware would really prefer it if you just use VMware software and nothing else.

Source:  arstechnica.com

Popular download management program has hidden DDoS component, researchers say

Friday, August 23rd, 2013

Recent versions of Orbit Downloader, a popular Windows program for downloading embedded media content and other types of files from websites, turns computers into bots and uses them to launch distributed denial-of-service (DDoS) attacks, according to security researchers.

Starting with version 4.1.1.14 released in December, the Orbit Downloader program silently downloads and uses a DLL (Dynamic Link Library) component that has DDoS functionality, malware researchers from antivirus vendor ESET said Wednesday in a blog post.

The rogue component is downloaded from a location on the program’s official website, orbitdownloader.com, the ESET researchers said. An encrypted configuration file containing a list of websites and IP (Internet Protocol) addresses to serve as targets for attacks is downloaded from the same site, they said.

Orbit Downloader has been developed since at least 2006 and judging by download statistics from software distribution sites like CNET’s Download.com and Softpedia.com it is, or used to be, a popular program.

Orbit Downloader has been downloaded almost 36 million times from Download.com to date, and around 12,500 times last week. Its latest version is 4.1.1.18 and was released in May.

In a review of the program, a CNET editor noted that it installs additional “junk programs” and suggested alternatives to users who need a dedicated download management application.

When they discovered the DDoS component, the ESET researchers were actually investigating the “junk programs” installed by Orbit Downloader in order to determine if the program should be flagged as a “potentially unwanted application,” known in the industry as PUA.

“The developer [of Orbit Downloader], Innoshock, generates its revenue from bundled offers, such as OpenCandy, which is used to install third-party software as well as to display advertisements,” the researchers said, noting that such advertising arrangements are normal behavior for free programs these days.

“What is unusual, though, is to see a popular utility containing additional code for performing Denial of Service (DoS) attacks,” they said.

The rogue Orbit Downloader DDoS component is now detected by ESET products as a Trojan program called Win32/DDoS.Orbiter.A. It is capable of launching several types of attacks, the researchers said.

First, it checks if a utility called WinPcap is installed on the computer. This is a legitimate third-party utility that provides low-level network functionality, including sending and capturing network packets. It is not bundled with Orbit Downloader, but can be installed on computers by other applications that need it.

If WinPcap is installed, Orbit’s DDoS component uses the tool to send TCP SYN packets on port 80 (HTTP) to the IP addresses specified in its configuration file. “This kind of attack is known as a SYN flood,” the ESET researchers said.

If WinPcap is not present, the rogue component directly sends HTTP connection requests on port 80 to the targeted machines, as well as UDP packets on port 53 (DNS).

The attacks also use IP spoofing, with the source IP addresses for the requests falling into IP address ranges that are hardcoded in the DLL file.

“On a test computer in our lab with a gigabit Ethernet port, HTTP connection requests were sent at a rate of about 140,000 packets per second, with falsified source addresses largely appearing to come from IP ranges allocated to Vietnam,” the ESET researchers said.

After adding a detection signature for the DLL component, the ESET researchers also identified an older file called orbitnet.exe that had almost the same functionality as the DLL file, but downloaded its configuration from a different website, not orbitdownloader.com.

This suggests that Orbit Downloader might have had DDoS functionality since before version 4.1.1.14. The orbitnet.exe file is not bundled with any older Orbit Downloader installers, but it might have been downloaded post-installation, like the DLL component.

This is a possibility, but it can’t be demonstrated with certainty, Peter Kosinar, a technical fellow at ESET who was involved in the investigation, said Thursday. It might also be distributed through other means, he said.

Adding to the confusion is that an older version of orbitnet.exe than the one found by ESET is distributed with Orbit Downloader 4.1.1.18. The reason for this is unclear since Orbit Downloader 4.1.1.18 also downloads and uses the DLL DDoS component. However, it indicates a clear relationship between orbitnet.exe and Orbit Downloader.

The fact that a popular program like Orbit Downloader is used as a DDoS tool creates problems not only for the websites that it’s used to attack, but also for the users whose computers are being abused.

According to Kosinar, there is no rate limit implemented for the packets sent by the DDoS component. This means that launching these attacks can easily consume the user’s Internet connection bandwidth, affecting his ability to access the Internet through other programs.

Users who install Orbit Downloader expect the program to streamline their downloads and increase their speed, but it turns out that the application has the opposite effect.

Orbit Downloader is developed by a group called Innoshock, but it’s not clear if this is a company or just a team of developers. Attempts to contact Innoshock for comment Thursday via two Gmail addresses listed on its website and the Orbit Downloader site, as well as via Twitter, remained unanswered.

The program’s users also seem to have noticed its DDoS behavior judging by comments left on Download.com and the Orbit Downloader support forum.

Orbit Downloader version 4.1.1.18 is generating a very high amount of DDoS traffic, a user named raj_21er said on the support forum on June 12. “The DDoS flooding is so huge that it just hangs the gateway devices/network switches completely and breaks down the entire network operation.”

“I was using Orbit Downloader for the past one week on my desktop when I suddenly noticed that the internet access was pretty much dead in the last 2 days,” another user named Orbit_User_5500 said. Turning off the desktop system restored Internet access to the other network computers and devices, he said.

Since adding detection of this DDoS component, ESET received tens of thousands of detection reports per week from deployments of its antivirus products, Kosinar said.

Source:  csoonline.com

Next up for WiFi

Thursday, August 22nd, 2013

Transitioning from the Wi-Fi-shy financial industry, Riverside Medical Center’s CSO Erik Devine remembers his shock at the healthcare industry’s wide embrace of the technology when he joined the hospital in 2011.

“In banking, Wi-Fi was almost a no-go because everything is so overly regulated. Wireless here is almost as critical as wired,” Devine still marvels. “It’s used for connectivity to heart pumps, defibrillators, nurse voice over IP call systems, surgery robots, remote stroke consultation systems, patient/guest access and more.”

To illustrate the level of dependence the organization has on Wi-Fi, Riverside Medical Center calls codes over the PA system — much like in medical emergencies — when the network goes down. “Wireless is such a multifaceted part of the network that it’s truly a big deal,” he says.

And getting bigger. Besides the fact that organizations are finding new ways to leverage Wi-Fi, workers have tasted the freedom of wireless, have benefited from the productivity boost, and are demanding increased range and better performance, particularly now that many are showing up with their own devices (the whole bring your own device thing). The industry is responding in kind, introducing new products and technologies, including gigabit Wi-Fi (see “Getting ready for gigabit Wi-Fi”), and it is up to IT to orchestrate this new mobile symphony.

“Traffic from wireless and mobile devices will exceed traffic from wired devices by 2017,” according to the Cisco Visual Networking Index. While only about a quarter of consumer IP traffic originated from non-PC devices in 2012, non-PC devices will account for almost half of consumer IP traffic by 2017, Cisco says.

IT gets it, says Tony Hernandez, principal in Grant Thornton’s business consulting practice. Wi-Fi is no longer an afterthought in IT build-outs. “The average office worker still might have a wired connection, but they also have the capability to use Wi-Fi across the enterprise,” says Hernandez, noting the shift has happened fast.

“Five years ago, a lot of enterprises were looking at Wi-Fi for common areas such as lobbies and cafeterias and put that traffic on an isolated segment of the network,” Hernandez says. “If users wanted access to corporate resources from wireless, they’d have to use a VPN.”

Hernandez credits several advances for Wi-Fi’s improved stature: enterprise-grade security; sophisticated, software-based controllers; and integrated network management.

Also in the mix: pressure from users who want mobility and flexibility for their corporate machines as well as the ability to access the network from their own devices, including smartphones, tablets and laptops.

Where some businesses have only recently converted to 802.11n from the not-too-distant past of 802.11a/b/g, they now have to decide if their next Wi-Fi purchases will support 802.11ac, the draft IEEE standard that addresses the need for gigabit speed. “The landscape is still 50/50 between 802.11g and 802.11n,” Hernandez says. “There are many businesses with older infrastructure that haven’t refreshed their Wi-Fi networks yet.”

What will push enterprises to move to 802.11ac? Heavier reliance on mobile access to video such as videoconferencing and video streaming, he says.

Crash of the downloads

David Heckaman, vice president of technology development at luxury hospitality chain Mandarin Oriental Hotel Group, remembers the exact moment he knew Wi-Fi had gained an equal footing with wired infrastructure in his industry. A company had booked meeting room space at one of Mandarin Oriental’s 30 global properties to launch its new mobile app and answered all the hotel’s usual questions about anticipated network capacity demands. Not yet familiar with the impact of dense mobile usage, the IT team didn’t account for the fallout when the 200-plus crowd received free Apple iPads to immediately download and launch the new app. The network crashed. “It was a slap in the face: What was good enough before wouldn’t work. This was a whole new world,” Heckaman says.

Seven to eight years ago, Wi-Fi networks were designed to address coverage, and capacity wasn’t given much thought. When Mandarin Oriental opened its New York City property in 2003, for example, IT installed two or three wireless access points in a closet on each floor and used a distributed antenna to extend coverage to the whole floor. At the time, wireless made up only 10% of total network usage. As the number climbed to 40%, capacity issues cropped up, forcing IT to rethink the entire architecture.

“We didn’t really know what capacity needs were until the Apple iPhone was released,” Heckaman says. Now, although a single access point could provide signal coverage for every five rooms, the hotel is putting access points in almost every room to connect back to an on-site controller.

Heckaman’s next plan involves adding centralized Wi-Fi control from headquarters for advanced reporting and policy management. Instead of simply reporting that on-site controllers delivered a certain number of sessions and supported X amount of overall bandwidth, he would be able to evaluate in real-time actual end-device performance. “We would be able to report on the quality of the connection and make adjustments accordingly,” he says.

Where he pinpoints service degradation, he’ll refresh access points with those that are 802.11ac-enabled. As guests bring more and more devices into their rooms and individually stream movies, play games or perform other bandwidth-intensive actions, he predicts the need for 802.11ac will come faster than anticipated.

“We have to make sure that the physical link out of the building, not the guest room access point, remains the weakest point and that the overall network is robust enough to handle it,” he says.

Getting schooled on wireless

Craig Canevit, IT administrator at the University of Tennessee at Knoxville, has had many aha! moments when it comes to Wi-Fi across the 27,000-student campus. For instance, when the team first engineered classrooms for wireless, it was difficult to predict demand. Certain professors would need higher capacity for their lectures than others, so IT would accommodate them. If those professors got reassigned to different rooms the next year, they would immediately notice performance issues.

“They had delays and interruption of service so we had to go back and redesign all classrooms with more access points and more capacity,” Canevit says.

The university also has struggled with the fact that students and faculty are now showing up with numerous devices. “We see at least three devices per person, including smartphones, tablets, gaming consoles, Apple TV and more,” he says. IT has the dual challenge of supporting the education enterprise during the day and residential demands at night.

The school’s primary issue has revolved around IP addresses, which the university found itself low on as device count skyrocketed. “Devices require IP addresses even when sitting in your pocket and we faced a terrible IP management issue,” he says. IT had to constantly scour the network for unused IP addresses to “feed the monster.”

Eventually the team came too close to capacity for comfort and had to act. Canevit didn’t think IPv6 was widely enough supported at the time, so the school went with Network Address Translation instead, hiding private IP addresses behind a single public address. A side effect of NAT is that mapping network and security issues to specific devices becomes more challenging, but Canevit says the effort is worth it.

Looking forward, the university faces the ongoing challenge of providing Wi-Fi coverage to every dorm room and classroom. That’s a bigger problem than capacity. “We only give 100Mbps on the wired network in residence halls and don’t come close to hitting capacity,” he says, so 802.11ac is really not on the drawing board. What’s more, 802.11ac would exacerbate his coverage problem. “To get 1Gbps, you’ll have to do channel bonding, which leaves fewer overlapping channels available and takes away from the density,” he says.

What he is intrigued by is software-defined networking. Students want to use their iPhone to control their Apple TV and other such devices, which is impossible currently because of subnets. “If you allowed this in a dorm, it would degrade quality for everyone,” he says. SDN could give wireless administrators a way around the problem by making it possible to add boatloads of virtual LANs. “Wireless will become more of a provisioning than an engineering issue,” Canevit predicts.

Hospital all-in with Wi-Fi

Armand Stansel, director of IT infrastructure at Houston’s The Methodist Hospital System, recalls a time when his biggest concern regarding Wi-Fi was making sure patient areas had access points. “That was in early 2000 when we were simply installing Internet hotspots for patients with laptops,” he says.

Today, the 1,600-bed, five-hospital system boasts 100% Wi-Fi coverage. Like Riverside Medical Center, The Methodist Hospital has integrated wireless deep into the clinical system to support medical devices such as IV pumps, portable imaging systems for radiology, physicians’ tablet-based consultations and more. The wireless network has 20,000 to 30,000 touches a day, which has doubled in the past few years, Stansel says.

And if IT has its way, that number will continue to ramp up. Stansel envisions a majority of employees working on the wireless network. He wants to transition back-office personnel to tablet-based docking systems when the devices are more “enterprise-ready” with better security and durability (battery life and the device itself).

Already he has been able to reduce wired capacity by more than half due to the rise of wireless. Patient rooms, which used to have numerous wired outlets, now only require a few for the wired patient phone and some telemetry devices.

When the hospital does a renovation or adds new space, Stansel spends as much time planning the wired plant as he does studying the implications for the Wi-Fi environment, looking at everything from what the walls are made of to possible sources of interference. And when it comes to even the simplest construction, such as moving a wall, he has to deploy a team to retest nearby access points. “Wireless does complicate things because you can’t leave access points static. But it’s such a necessity, we have to do it,” he says.

He also has to reassess his access point strategy on an ongoing basis, adding more or relocating others depending on demand and traffic patterns. “We always have to look at how the access point is interacting with devices. A smartphone connecting to Wi-Fi has different needs than a PC and we have to monitor that,” he says.

The Methodist Hospital takes advantage of a blend of 802.11b, .11g and .11n in the 2.4GHz and 5GHz spectrums. Channel bonding, he has found, poses challenges even for .11n, reducing the number of channels available for others. The higher the density, he says, the less likely he can take full advantage of .11n. He does use n for priority locations such as the ER, imaging, radiology and cardiology, where users require higher bandwidth.

Stansel is betting big that wireless will continue to grow. In fact, he believes that by 2015 it will surpass wired 3-to-1. “There may come a point where wired is unnecessary, but we’re just not there yet,” he says.

Turning on the ac

Stansel is, however, onboard with 802.11ac. The Methodist Hospital is an early adopter of Cisco’s 802.11ac wireless infrastructure. To start, he has targeted the same locations that receive 802.11n priority. If a patient has a cardiac catheterization procedure done, the physician who performed the procedure can interactively review the results with the patient and family while he is still in the recovery room, referencing dye images from a wireless device such as a tablet. Normally, physicians have to verbally brief patients just out of surgery, then do likewise with the family, and wait until later to go over high-definition images from a desktop.

Current wireless technologies have strained to support access to real-time 3D imaging (also referred to as 4D), ultrasounds and more. Stansel expects better performance as 802.11ac is slowly introduced.

Riverside Medical Center’s Devine is more cautious about deploying 802.11ac, saying he is still a bit skeptical. “Can we get broader coverage with fewer access points? Can we get greater range than with 802.11n? That’s what is important to us,” he says.

In the meantime, Devine plans to deploy 20% to 25% more access points to support triangulation for location of equipment. He’ll be able to replace RFID to stop high-value items such as Ascom wireless phones and heart pumps from walking out the door. “RFID is expensive and a whole other network to manage. If we can mimic what it does with Wi-Fi, we can streamline operations,” he says.

High-power access points currently are mounted in each hallway, but Devine wants to swap those out with low-power ones and put regular-strength access points in every room. If 802.11ac access points prove to be affordable, he’ll consider them, but won’t put off his immediate plans in favor of the technology.

The future of Wi-Fi

Enterprise Strategy Group Senior Analyst John Mazur says that Wi-Fi should be front and center in every IT executive’s plans. BYOD has tripled the number of Wi-Fi connected devices and new access points offer about five times the throughput and twice the range of legacy Wi-Fi access points. In other words, Mazur says, Wi-Fi is up to the bandwidth challenge.

He warns IT leaders not to be scared off by spending projections, which, according to ESG’s 2013 IT Spending Intentions Survey, will be at about 2012 levels and favor cost-cutting (like Devine’s plan to swap out RFID for Wi-Fi) rather than growth initiatives.

But now is the time, he says, to set the stage for 802.11ac, which is due to be ratified in 2014. “IT should require 802.11ac support from their vendors and get a commitment on the upgrade cost and terms before signing a deal. Chances are you won’t need 802.11ac’s additional bandwidth for a few years, but you shouldn’t be forced to do forklift upgrades/replacements of recent access points to get .11ac. It should be a relatively simple module or software upgrade to currently marketed access points.”

While 802.11ac isn’t even fully supported by wireless clients yet, Mazur recommends keeping your eye on the 802.11 sky. Another spec, 802.11ad, which operates in the 60GHz spectrum and is currently geared toward home entertainment connectivity and near-field HD video connectivity, could be — like other consumer Wi-Fi advances — entering the enterprise space sooner rather than later.

Source:  networkworld.com

“Jekyll” test attack sneaks through Apple App Store, wreaks havoc on iOS

Monday, August 19th, 2013

Like a Transformer robot, Apple iOS app re-assembles itself into attacker

Acting like a software version of a Transformer robot, a malware test app sneaked through Apple’s review process disguised as a harmless app, and then re-assembled itself into an aggressive attacker even while running inside the iOS “sandbox” designed to isolate apps and data from each other.

The app, dubbed Jekyll, was helped by Apple’s review process. The malware designers, a research team from Georgia Institute of Technology’s Information Security Center (GTISC), were able to monitor their app during the review: they discovered Apple ran the app for only a few seconds, before ultimately approving it. That wasn’t anywhere near long enough to discover Jekyll’s deceitful nature.

The name is a reference to the 1886 novella by Robert Louis Stevenson, called “The Strange Case of Dr Jekyll and Mr Hyde.” The story is about the two personalities within Dr. Henry Jekyll: one good, but the other, which manifests as Edward Hyde, deeply evil.

Jekyll’s design involves more than simply hiding the offending code under legitimate behaviors. Jekyll was designed to later re-arrange its components to create new functions that couldn’t have been detected by the app review. It also directed Apple’s default Safari browser to reach out for new malware from specific Websites created for that purpose.

“Our research shows that despite running inside the iOS sandbox, a Jekyll-based app can successfully perform many malicious tasks, such as posting tweets, taking photos, sending email and SMS, and even attacking other apps – all without the user’s knowledge,” says Tielei Wang, in a July 31 press release by Georgia Tech. http://www.gatech.edu/newsroom/release.html?nid=225501 Wang led the Jekyll development team at GTISC; also part of the team was Long Lu, a Stony Brook University security researcher.

Some blogs and technology sites picked up on the press release in early August. But wider awareness of Jekyll, and its implications, seems to have been sparked by an August 15 online story in the MIT Technology Review, by Dave Talbot, who interviewed Long Lu for a more detailed account.

Jekyll “even provided a way to magnify its effects, because it could direct Safari, Apple’s default browser, to a website with more malware,” Talbot wrote.

A form of Trojan Horse malware, the recreated Jekyll, once downloaded, reaches out to the attack designers for instructions. “The app did a phone-home when it was installed, asking for commands,” Lu explained. “This gave us the ability to generate new behavior of the logic of that app which was nonexistent when it was installed.”

Sandboxing is a fundamental tenet of secure operating systems, intended to insulate apps and their associated data from each other, and avoid the very attacks and activities that Jekyll was able to carry off. It’s also explicitly used as a technique for detecting malware by running code in a protected space where it can be automatically analyzed for traits indicative of a malicious activity. The problem is that attackers are well aware of sandboxing and are working to exploit existing blind spots. [See “Malware-detecting ‘sandboxing’ technology no silver bullet”]

“The Jekyll app was live for only a few minutes in March, and no innocent victims installed it, Lu says,” according to Talbot’s account. “During that brief time, the researchers installed it on their own Apple devices and attacked themselves, then withdrew the app before it could do real harm.”

“The message we want to deliver is that right now, the Apple review process is mostly doing a static analysis of the app, which we say is not sufficient because dynamically generated logic cannot be very easily seen,” Lu says.

The results of the new attack, in a paper titled “Jekyll on iOS: when benign apps become evil,” were scheduled to be presented in a talk last Friday at the 22nd Usenix Security Symposium, in Washington, D.C. The full paper is available online. In addition to Wang and Lu, the other co-authors are Kangjie Lu, Simon Chung, and Wenke Lee, all with Georgia Tech.

Apple spokesman Tom Neumayr said that Apple made “some changes to its iOS mobile operating system in response to issues identified in the paper,” according to Talbot. “Neumayr would not comment on the app-review process.”

Oddly, the same July 31 Georgia Tech press release that revealed Jekyll also revealed a second attack vector against iOS devices, via a custom-built hardware device masquerading as a USB charger. Malware in the charger was injected into an iOS device. This exploit, presented at the recent Black Hat Conference, was widely covered (including by Network World’s Layer8 blog) while Jekyll was largely overlooked.

Source:  networkworld.com

Mobile malware, mainly aimed at Android devices, jumps 614% in a year

Friday, July 12th, 2013

The threat to corporate data continues to grow as Android devices come under attack

The number of mobile malware apps has jumped 614% in the last year, according to studies conducted by McAfee and Juniper Networks.

The Juniper study — its third annual Mobile Threats Report — showed that the majority of attacks are directed at Android devices, as the Android market continues to grow. Malware aimed specifically at Android devices has increased at a staggering rate since 2010, growing from 24% of all mobile malware that year to 92% by March 2013.

According to data from Juniper’s Mobile Threat Center (MTC) research facility, the number of malicious mobile apps jumped 614% in the last year to 276,259, which demonstrates “an exponentially higher cyber criminal interest in exploiting mobile devices.”

“Malware writers are increasingly behaving like profit-motivated businesses when designing new attacks and malware distribution strategies,” Juniper said in a statement. “Attackers are maximizing their return on investment by focusing 92% of all MTC detected threats at Android, which has a commanding share of the global smartphone market.”

In addition to malicious apps, Juniper Networks found several legitimate free applications that could allow corporate data to leak out. The study found that free mobile apps sampled by the MTC are three times more likely to track location and 2.5 times more likely to access user address books than their paid counterparts. Free applications requesting/gaining access to account information nearly doubled from 5.9% in October 2012 to 10.5% in May 2013.

McAfee’s study found that a type of SMS malware known as a Fake Installer can be used to charge a typical premium rate of $4 per message once installed on a mobile device. A “free” Fake Installer app can cost up to $28 since each one can tell a consumer’s device to send or receive up to seven messages from a premium rate SMS number.

Seventy-three percent of all known malware involves Fake Installers, according to the report.

“These threats trick people into sending SMS messages to premium-rate numbers set up by attackers,” the report states. “Based on research by the MTC, each successful attack instance can yield approximately $10 in immediate profit. The MTC also found that more sophisticated attackers are developing intricate botnets and targeted attacks capable of disrupting and accessing high-value data on corporate networks.”

Juniper’s report identified more than 500 third-party Android application stores worldwide, most with very low levels of accountability or oversight, that are known to host mobile malware — preying on unsuspecting mobile users as well as those with jail-broken iOS mobile devices. Of the malicious third-party stores identified by the MTC, 60% originate from either China or Russia.

According to market research firm ComScore, Android now has a 52.4% market share worldwide, up 0.7% from February. As Samsung has been taking market share from Apple, Android use is expected to continue to grow, according to ComScore.

According to market analyst firm Canalys, Android represented almost 60% of the mobile devices shipped in 2012. Apple accounted for 19.3% of devices shipped last year, while Microsoft had 18.1%.

Source:  computerworld.com

Google: Critical Android security flaw won’t harm most users

Tuesday, July 9th, 2013

A security flaw could affect 99 percent of Android devices, a researcher claims, but the reality is that most Android users have very little to worry about.

Bluebox, a mobile security firm, billed the exploit as a “Master Key” that could “turn any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone, or the end user.” In a blog post last week, Bluebox CTO Jeff Forristal wrote that nearly any Android phone released in the last four years is vulnerable.

Bluebox’s claims led to a fair number of scary-sounding headlines, but as Google points out, most Android users are already safe from this security flaw.

Speaking to ZDNet, Google spokeswoman Gina Scigliano said that all apps submitted to the Google Play Store get scanned for the exploit. So far, no apps have even tried to take advantage of the exploit, and they’d be shut out from the store if they did.

If the attack can’t come from apps in the Google Play Store, how could it possibly get onto Android phones? As Forristal explained to Computerworld last week, the exploit could come from third-party app stores, e-mailed attachments, website downloads and direct transfer via USB.

But as any Android enthusiast knows, Android phones can’t install apps through those methods unless the user provides explicit permission through the phone’s settings menu. The option to install apps from outside sources is disabled by default. Even if the option is enabled, phones running Android 4.2 or higher have yet another layer of protection through app verification, which checks non-Google Play apps for malicious code. This verification is enabled by default.

In other words, to actually be vulnerable to this “Master Key,” you must enable the installation of apps from outside Google Play, disable Android’s built-in scanning and somehow stumble upon an app that takes advantage of the exploit. At that point, you must still knowingly go through the installation process yourself. When you consider how many people might go through all those steps, it’s a lot less than 99 percent of users.

Still, just to be safe, Google has released a patch for the vulnerability, which phone makers can apply in future software updates. Scigliano said Samsung is already pushing the fix to devices, along with other unspecified OEMs. The popular CyanogenMod enthusiast build has also been patched to protect against the peril.

Android’s fragmentation problem does mean that many users won’t get this patch in a timely manner, if at all, but it doesn’t mean that unpatched users are at risk.

None of this invalidates the work that Bluebox has done. Malicious apps have snuck into Google’s app store before, so the fact that a security firm uncovered the exploit first and disclosed it to Google is a good thing. But there’s a big difference between a potential security issue and one that actually affects huge swaths of users. Frightening headlines aside, this flaw is an example of the former.

Source:  techhive.com

‘Master key’ to Android phones uncovered

Friday, July 5th, 2013

A “master key” that could give cyber-thieves unfettered access to almost any Android phone has been discovered by security research firm BlueBox.

The bug could be exploited to let an attacker do what they want to a phone including stealing data, eavesdropping or using it to send junk messages.

The loophole has been present in every version of the Android operating system released since 2009.

Google said it currently had no comment to make on BlueBox’s discovery.

Writing on the BlueBox blog, Jeff Forristal said the implications of the discovery were “huge”.

The bug emerges because of the way Android handles cryptographic verification of the programs installed on the phone.

Android uses the cryptographic signature as a way to check that an app or program is legitimate and to ensure it has not been tampered with. Mr Forristal and his colleagues have found a method of tricking the way Android checks these signatures so malicious changes to apps go unnoticed.

Any app or program written to exploit the bug would enjoy the same access to a phone that the legitimate version of that application enjoyed.

“It can essentially take over the normal functioning of the phone and control any function thereof,” wrote Mr Forristal. BlueBox reported finding the bug to Google in February. Mr Forristal is planning to reveal more information about the problem at the Black Hat hacker conference being held in August this year.

Marc Rogers, principal security researcher at mobile security firm Lookout, said it had replicated the attack and its ability to compromise Android apps.

Mr Rogers added that Google had been informed about the bug by Mr Forristal and had added checking systems to its Play store to spot and stop apps that had been tampered with in this way.

The danger from the loophole remains theoretical because, as yet, there is no evidence that it is being exploited by cyber-thieves.

Source:  BBC

‘Containerization’ is no BYOD panacea: Gartner

Tuesday, June 25th, 2013

Gartner notes it’s an important IT application development question

Companies adopting BYOD policies are struggling with the thorny problem of how they might separate corporate and personal data on an employee’s device.

One technology approach to this challenge involves separating out the corporate mobile apps and the data associated with these into “containers” on the mobile device, creating a clear division as to what is subject to corporate security policies such as wiping. But one Gartner analyst delving into the “containerization” subject recently noted the current array of technology choices each have advantages and disadvantages.

“BYOD means my phone, my tablet, my pictures, my music — it’s all about the user,” said analyst Eric Maiwald at the recent Gartner Security and Risk Management Summit.

But if IT security managers want to place controls on the user device to separate out and manage corporate e-mail, applications and data, it’s possible to enforce security such as authentication, encryption, data leakage, cut-and-paste restrictions and selective content wiping through various types of container technologies.

However, the ability of containers to detect “jailbreaking” of Apple iOS devices, which strips out Apple’s security model completely, remains “nearly zero,” Maiwald added. “If you have a rooted device, a container will not protect you.”

There are many choices for container technology. The secure “container” can be embedded in the operating system itself, such as Samsung’s Knox smartphone or the Blackberry 10, Maiwald noted. And the mobile-device management (MDM) vendors such as AirWatch, MobileIron and WatchDocs also have taken a stab at containers, though Gartner sees some of what the MDM vendors are doing as more akin to “tags” available to do things like tag a mailbox and message as corporate.

Companies that include Enterproid, Excitor, Fixmo, Good Technology, LRW Technologies, NitroDesk, VMware and Citrix also have approaches to containerization that get attention from Gartner as possible ways to containerize corporate apps.

But selecting a container vendor is not necessarily simple because what you are doing is making an important IT decision about enterprise development of apps, says Maiwald. “Container vendors provide mechanisms for linking a customized app to the container,” he said. It typically means choosing an API as part of your corporate mobile-device strategy.

For example, Citrix’s containerization software is called XenMobile, and Kurt Roemer, Citrix chief security strategist, says that to make use of it, apps have to be developed using the Citrix API and SDK. However, several app developers already do that through what Citrix calls its Worx-enabled program for XenMobile. These include Adobe, Cisco, Evernote, Egnyte and Concur, to name a few. The Citrix containerization approach, which includes an app-specific VPN, will let IT managers do many kinds of tasks, such as automating SharePoint links to mobile devices for specific apps or easily controlling provisioning of corporate apps on BYOD mobile devices, Roemer says.

Source:  networkworld.com

iPhones can auto-connect to rogue Wi-Fi networks, researchers warn

Friday, June 14th, 2013

Attackers can exploit behavior to collect passwords and other sensitive data.

Security researchers say they’ve uncovered a weakness in some iPhones that makes it easier to force nearby users to connect to Wi-Fi networks that steal passwords or perform other nefarious deeds.

The weakness is contained in configuration settings installed by AT&T, Vodafone, and more than a dozen other carriers that give the phones voice and Internet services, according to a blog post published Wednesday. Settings for AT&T iPhones, for instance, frequently instruct the devices to automatically connect to a Wi-Fi network called attwifi when the signal becomes available. Carriers make the Wi-Fi signals available in public places as a service to help subscribers get Internet connections that are fast and reliable. Attackers can take advantage of this behavior by setting up their own rogue Wi-Fi networks with the same names and then collecting sensitive data as it passes through their routers.

“The takeaway is clear,” the researchers from mobile phone security provider Skycure wrote. “Setting up such Wi-Fi networks would initiate an automatic attack on nearby customers of the carrier, even if they are using an out-of-the-box iOS device that never connected to any Wi-Fi network.”

The researchers said they tested their hypothesis by setting up several Wi-Fi networks in public areas that used the same SSIDs as official carrier networks. During a test at a restaurant in Tel Aviv, Israel on Tuesday, 60 people connected to an imposter network in the first minute, Adi Sharabani, Skycure’s CEO and cofounder, told Ars in an e-mail. During a presentation on Wednesday at the International Cyber Security Conference, the Skycure researchers set up a network that 448 people connected to during a two-and-a-half-hour period. The researchers didn’t expose people to any attacks during the experiments; they just showed how easy it was for them to connect to networks without knowing they had no affiliation to the carrier.

Sharabani said the settings that cause AT&T iPhones to automatically connect to certain networks can be found in the device’s profile.mobileconfig file. It’s not clear if phones from other carriers also store their configurations in the same location or somewhere else.

“Moreover, even if you take another iOS device and put an AT&T sim in it, the network will be automatically defined, and you’ll get the same behavior,” he said. He said smartphones running Google’s Android operating system don’t behave the same way.

Once attackers have forced a device to connect to a rogue network, they can run exploit software that bypasses the secure sockets layer Web encryption. From there, attackers can perform man-in-the-middle (MitM) attacks that allow them to observe passwords in transit and even forge links and other content on the websites users are visiting.

The most effective way to prevent iPhones from connecting to networks without the user’s knowledge is to turn off Wi-Fi whenever it’s not needed. Apps are also available that give users control over what SSIDs an iPhone will and won’t connect to. It’s unclear how iPhones running the upcoming iOS 7 will behave. As Ars reported Monday, Apple’s newest OS will support the Wi-Fi Alliance’s Hotspot 2.0 specification, which is designed to allow devices to hop from one Wi-Fi hotspot to another.
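As an added defensive example, not part of the Ars story or of Skycure’s work: a small Python audit that reads a configuration profile of the kind Sharabani describes and flags Wi-Fi payloads that will auto-join a network on its SSID alone, which is exactly the behavior an impostor access point can exploit. The profile below is constructed for illustration (only the SSID attwifi comes from the article); the payload keys it uses (PayloadType com.apple.wifi.managed, SSID_STR, AutoJoin, EncryptionType, Password, EAPClientConfiguration) are Apple’s documented Wi-Fi payload keys, while the AutoJoin default and the three risk tiers are assumptions of this example, not anything Apple or Skycure state.

```python
"""Audit an iOS configuration profile (.mobileconfig) for Wi-Fi payloads that
auto-join networks identified by nothing more than their SSID.

Added example; the profile is constructed and the risk tiers are assumptions.
"""
import plistlib

WIFI_PAYLOAD_TYPE = "com.apple.wifi.managed"

# Constructed sample profile. "attwifi" is the carrier SSID named in the
# article; the other two networks and all other values are made up.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.carrier.profile</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>SSID_STR</key><string>attwifi</string>
      <key>AutoJoin</key><true/>
      <key>EncryptionType</key><string>None</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>SSID_STR</key><string>corp-wpa2</string>
      <key>AutoJoin</key><true/>
      <key>EncryptionType</key><string>WPA2</string>
      <key>Password</key><string>example-psk</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>SSID_STR</key><string>guest-manual</string>
      <key>AutoJoin</key><false/>
      <key>EncryptionType</key><string>None</string>
    </dict>
  </array>
</dict>
</plist>
"""


def audit_wifi_profile(profile_bytes):
    """Return one finding per Wi-Fi payload, with an assumed risk tier.

    high:   auto-joins and no secret is needed, so any access point that
            broadcasts the SSID will be joined (the impostor scenario).
    medium: auto-joins, but an impostor must also present the right key
            material (PSK or EAP configuration) to complete the join.
    low:    AutoJoin is off, so the user has to pick the network by hand.
    """
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != WIFI_PAYLOAD_TYPE:
            continue
        ssid = payload.get("SSID_STR", "<unnamed>")
        # Assumption: a missing AutoJoin key behaves as "join automatically".
        auto_join = bool(payload.get("AutoJoin", True))
        encryption = payload.get("EncryptionType", "Any")
        needs_secret = encryption != "None" and (
            "Password" in payload or "EAPClientConfiguration" in payload
        )
        if not auto_join:
            risk, reason = "low", "joined only when the user selects the network"
        elif not needs_secret:
            risk, reason = "high", "auto-joins any access point broadcasting this SSID"
        else:
            risk, reason = "medium", "auto-joins, but an impostor must also know the key"
        findings.append({
            "ssid": ssid,
            "auto_join": auto_join,
            "encryption": encryption,
            "risk": risk,
            "reason": reason,
        })
    return findings


def high_risk_ssids(profile_bytes):
    """SSIDs a device carrying this profile would join on name alone."""
    return sorted(f["ssid"] for f in audit_wifi_profile(profile_bytes) if f["risk"] == "high")


if __name__ == "__main__":
    for finding in audit_wifi_profile(SAMPLE_PROFILE):
        print(f"{finding['risk']:6} {finding['ssid']:14} {finding['reason']}")
    print("join-on-SSID-alone:", high_risk_ssids(SAMPLE_PROFILE))
```

To run this against a real profile, read the .mobileconfig bytes from disk and pass them to audit_wifi_profile; signed profiles are CMS-wrapped and must be unwrapped first, which this example does not do. The useful output for a defender is the high tier: each of those SSIDs is one a rogue access point can impersonate with no further effort, and the mitigation is the one the article gives, turning off AutoJoin for that network or Wi-Fi altogether when it is not needed.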

Given how easy it is for attackers to abuse Wi-Fi weaknesses, the Skycure research isn’t particularly shocking. Still, the ability of iPhones to connect to networks for the first time without requiring users to take explicit actions could be problematic, said Robert Graham, an independent security researcher who reviewed the Skycure blog post.

“A lot of apps still send stuff in the clear, and other apps don’t check the SSL certificate chain properly, meaning that Wi-Fi MitM is a huge problem,” said Graham, who is CEO of Errata Security. “That your phone comes pre-pwnable without your actions is a bad thing. Devices should come secure by default, not pwnable by default.”

Source:  arstechnica.com

OpenDaylight: A big step toward the software-defined data center

Monday, April 8th, 2013

A who’s-who of industry players, including Cisco, launches open source project that could make SDN as pervasive as server virtualization

Manual hardware configuration is the scourge of the modern data center. Server virtualization and pooled storage have gone a long way toward making infrastructure configurable on the fly via software, but the third leg of the stool, networking, has lagged behind with fragmented technology and standards.

The OpenDaylight Project — a new open source project hosted by the Linux Foundation featuring every major networking player — promises to move the ball forward for SDN (software-defined networking). Rather than hammer out new standards, the project aims to produce an extensible, open source, virtual networking platform atop such existing standards as OpenFlow, which provides a universal interface through which either virtual or physical switches can be controlled via software.

The approach of OpenDaylight is similar to that of Hadoop or OpenStack, where industry players come together to develop core open source bits collaboratively, around which participants can add unique value. That roughly describes the Linux model as well, which may help explain why the Linux Foundation is hosting OpenDaylight.

“The Linux Foundation was contacted based on our experience and understanding of how to structure and set up an open community that can foster innovation,” said Jim Zemlin, executive director of the Linux Foundation, in an embargoed conference call last week. He added that OpenDaylight, which will be written in Java, will be available under the Eclipse Public License.

Collaboration or controversy?

It must be said that the politics of the OpenDaylight Project are mind-boggling. Cisco is on board despite the fact that SDN is widely seen as a threat to the company’s dominant position — because, when the network is virtualized, switch hardware becomes more commoditized. A cynic might be forgiven for wondering whether Cisco is there to rein things in rather than accelerate development.

Along with Cisco, the cavalcade of coopetition includes Arista Networks, Big Switch Networks, Brocade, Citrix, Dell, Ericsson, Fujitsu, HP, IBM, Intel, Juniper Networks, Microsoft, NEC, Nuage Networks, PLUMgrid, Red Hat, and VMware. Big Switch, perhaps the highest-profile SDN upstart, is planning to donate a big chunk of its Open SDN Suite, including controller code and distributed virtual routing service applications. Although VMware has signed on, it’s unclear how the proprietary technology developed by Nicira, the SDN startup acquired for $1.2 billion by VMware last summer, will fit in.

Another question is how OpenDaylight will affect other projects. Some have voiced frustration over the Open Networking Foundation’s stewardship of OpenFlow, so OpenDaylight could be a way to work around that organization. Also, OSI president and InfoWorld contributor Simon Phipps wonders why Project Crossbow, an open source network virtualization technology built into Solaris, appears to have no role in OpenDaylight. You can be sure many more questions will emerge in the coming days and weeks.

The architecture of OpenDaylight

Zemlin described OpenDaylight as an extensible collection of technologies. “This project will focus on software and will deliver several components: an SDN controller, protocol plug-ins, applications, virtual overlay network, and the architectural and the programmatic interfaces that tie those things together.”

This list is consistent with the basic premise of SDN, where the control and data planes are separated, with a central controller orchestrating the data flows of many physical or virtual switches (the latter running on generic server hardware). OpenFlow currently provides the only standardized interface supported by many switch vendors, but OpenDaylight also plans to support other standards as well as proprietary interfaces as the project evolves.

More exciting are the “northbound” REST APIs to the controller, atop which developers will be able to build new types of applications that run on the network itself for specialized security, network management, and so on. In support of this, Cisco is contributing an application framework, while Citrix is throwing in “an application controller that integrates Layer 4-7 network services for enabling application awareness and comprehensive control.”

Although the embargoed OpenDaylight announcement was somewhat short on detail, a couple of quick conclusions can be drawn. One is that — on the model of Hadoop, Linux, and OpenStack — the future is now being hashed out in open source bits rather than standards committees. The rise in the importance of open source in the industry is simply stunning, with OpenDaylight serving as the latest confirmation.

More obviously, the amazing breadth of support for OpenDaylight signals new momentum for SDN. To carve up data center resources with the flexibility necessary for a cloud-enabled world where many tenants must coexist, the network needs to have the same software manageability as the rest of the infrastructure. OpenDaylight leaves no doubt the industry recognizes that need.

If the OpenDaylight Project can avoid getting bogged down in vendor politics, it could complete the last mile to the software-defined data center in an industry-standard way that lowers costs for everyone. It could do for networking what OpenStack is doing for cloud computing.

Source:  infoworld.com

Miami hospital turns to Wi-Fi triangulation for smartphone mapping app

Thursday, April 4th, 2013

Children’s Hospital may eventually use the app to guide telemedicine robots

Miami Children’s Hospital recently launched a free iPhone app that uses Wi-Fi triangulation to help patients and their families navigate through the center.

The Fit4KidsCare app, which will be ported to other smartphone platforms, shows the user’s position on the smartphone display as a dot on a two-dimensional map of the hospital. It even detects vertical distance for when a person is on an elevator, said Edward Martinez, CIO of the 280-bed hospital with branch facilities in Florida.

“We have pretty good signage in the hospital, but one of the biggest concerns we face is people asking for directions, so this app adds a level of customer service,” he said in an interview.

Mapping apps are not new, but using triangulation with Wi-Fi access points is fairly rare and possibly unique in a hospital setting, Martinez said. Most mapping apps rely on GPS from a satellite to a cell phone or other device, which can give accuracy to within three to five meters. Cell phone carriers also rely on triangulation from three cell phone towers to enhance GPS signals.

Miami Children’s used software from Cisco to set up triangulation that relies on hundreds of Wi-Fi access points, Martinez said. According to Cisco officials, the indoor Wi-Fi triangulation has been used in some museums and can bring accuracy to within one meter.

Martinez said he actually got the idea for the hospital app from a similar service at the Museum of Natural History in New York City. “It’s a huge museum, so you use the same model to triangulate to get from the dinosaurs to the whales, so I figured the same business model could be used to go from a hospital bed to a lab,” he said.

The hospital used internal and external developers working with a Cisco Application Programming Interface to build the app during the past year. After several weeks of testing with 30 users, the app went live last week.

The total cost was about $30,000. “We don’t view this as a revenue generator; it is really focused toward better customer service,” he said.

Eventually, Martinez hopes to connect the app to telemedicine robots that roam the hospital hallways. Today, the robots are guided by doctors and other healthcare professionals who remotely use cameras on the robots to navigate hallways turn-by-turn before the robots consult with patients.

With the Fit4KidsCare app, a doctor could direct a robot to a patient’s room without having to “ride” along remotely the entire way. Eventually, robots could be used to carry lab specimens or food trays. In another future phase of development, robots could control the elevators and virtually push the buttons.

“All of these are cool things that have a significant impact on healthcare and don’t require another body to do it,” he said. “We’ve had nothing but positive results so far.”

Source:  computerworld.com

VMware’s hybrid cloud gambit will rely on its public cloud partners

Friday, March 22nd, 2013

VMware has been rather cagey about its plans to launch its own hybrid cloud service, announced at a recent Strategic Forum for Institutional Investors. Companies are usually more than happy to talk journalists’ ears off about a new product or service, but when InfoWorld reached out to VMware about this one, a spokesman said the company had nothing further to share beyond what it presented in a sparse press release and a two-hour, multi-topic webcast.

In a nutshell, here’s what VMware has revealed: It will offer a VMware vCloud Hybrid Service later this year, designed to let customers seamlessly extend their private VMware clouds to public clouds run by the company’s 220 certified vCloud Services Providers. Although the public component would run on partners’ hardware, VMware employees would manage the hybrid component and the underlying software.

For example, suppose Company X is running a critical cloud application on its own private, VMware-virtualized cloud. The company unexpectedly sees a massive uptick in demand for the service. Rather than having to hustle to install new hardware, Company X could leverage VMware’s hybrid service to consume public-cloud resources on the fly. In the process, Company X would not have to make any changes to the application, the networking architecture, or any of the underlying policies, as VMware CEO Pat Gelsinger described the service.

“[T]he power of what we’ll uniquely be delivering, is this ability to not change the app, not change the networking, not change the policies, not change the security, and be able to run it private or public. That you could burst through the cloud, that you could develop in the cloud, deploy internally, that you could DR in the cloud, and do so without changing the apps, with that complete flexibility of a hybrid service” he said.

One of the delicate points in this plan is the question of how it will impact the aforementioned 220 VSPP partners, which include such well-known companies as CDW, Dell, and AT&T as well as lesser-known providers like Lokahi and VADS. Would VMware inserting itself into the mix result in the company stepping on its partners’ toes and eating up some of their cloud-hosting revenue?

Gelsinger did take pains to emphasize that the hybrid service would be “extremely partner-friendly,” adding that “every piece of intellectual property that we’re developing here we’re making available to VSPP partners.” He said, “Ultimately, we see this as another tool for business agility.”

451 Research Group analyst Carl Brooks took an optimistic view on the matter. “Using VSPP partners’ data centers and white-labeling existing infrastructure would both soothe hurt feelings and give VMware an ability to source and deploy new cloud locations extremely quickly, with minimal investment,” he said.

Gartner Research VP Chris Wolf, however, had words of caution for VMware as well as partner providers. “VMware needs to be transparent with provider partners about where it will leave them room to innovate. Of course, partners must remember that VMware reserves the right to change its mind as the market evolves, thus potentially taking on value adds that it originally left to its partners. SP partners are in a tough spot. VMware has brought many of them business, and they have to consider themselves at a crossroads,” he wrote.

Indeed, VMware’s foray into the hybrid cloud world isn’t sitting well with all of its partners. Tom Nats, managing partner at VMware service provider Bit Refinery, told CRN that the vCloud Hybrid Service is not a welcome development. “Many partners have built up [their infrastructure] and stayed true to VMware, and now all of a sudden we are competing with them,” he said.

As to customers: Will they feel comfortable entrusting their cloud efforts in part to VMware and in part to one or more VMware partners? Building and managing a cloud is complex enough without adding new parties into the mix. One reason Amazon Web Services has proven such a successful public cloud offering is that its services fall under the purview of one entity. When a problem arises, there’s just one entity to call and one throat to choke. Under VMware’s hybrid cloud model, customers may need to scrutinize SLAs carefully to determine which party would be responsible for which instances of downtime. Meanwhile, VMware would have to be vigilant in ensuring that its partners were all running their respective clouds properly.

Source:  infoworld.com

Sensors lead to burst of tech creativity in government

Thursday, March 7th, 2013

Human and mechanical sensors are creating excitement in offices of government IT executives

LAS VEGAS — Here at an IBM conference, City of Boston CIO Bill Oates was telling the audience how citizens are using apps to improve city operations. But it was one of Boston’s latest apps, called Street Bump, that got the interest of one attendee, Gary Gilot, an engineer who heads the public works board in South Bend, Ind.

Information collected by the new app, which uses a smartphone’s accelerometer to record road conditions and send the data to public works workers, has already helped utilities to do a better job at making manhole covers even with the road, Oates said.

Street Bump will be the subject of a citywide publicity campaign this summer in an effort to attract more users, he added.

Gilot was struck by the app’s use of crowdsourcing to assess Boston roads.

South Bend has taken different approaches to the same problem.

It once had a half-dozen city supervisors spend six weeks each year driving every street in the city and rating them using standard road-condition measures. Its latest effort was to hire a vendor to drive all South Bend streets and produce digital video for an analysis of pavement conditions.

But after hearing Oates explain how the Street Bump data was producing “big data” about road conditions by people who launched the app in their cars, Gilot had an admiring smile.

“We are behind them by a bunch,” said Gilot, who sees Boston’s app as a possible alternative to costly road surveys.

“I love the idea of the future — that you can avoid the expense by crowdsourcing,” said Gilot.

South Bend is not behind in the trend of using sensors to improve other operations.

For instance, the city has worked with IBM to create a wireless sensor system that detects changes in the sewer flow, and alerts the city to any problems detected. The system, which includes automated valves that can respond to issues, has reduced overflows and backups, said Gilot.

Improving municipal operations is a major theme at the IBM conference. The company’s Smarter Planet initiative combines sensors, asset management, big data, mobile and cloud services into systems for managing government operations.

Boston and South Bend share in the use of sensors, one human-based and the other mechanical. The adoption of sensors, mobile apps and otherwise, appears to be leading to a burst of creativity in state and local governments.

Boston’s chief vehicle for connecting with residents is its Citizens Connect app. The city will release version 4.0 this summer, with changes that will make it easier for city workers to connect directly with residents.

Citizens Connect allows residents to report issues that need government action. Those issues might be a broken street light, trash, graffiti. The reports are public.

Oates said the app encourages participation. To find out why people used the app, the city asked app users why they didn’t call the city about maintenance issues in the pre-app days.

The response, said Oates, was this: “When we call the city we feel like we’re complaining, but when we use this (the app), we feel like we’re helping.”

In discussing Street Bump, he says it’s entirely possible that analysis of the data may lead to new sources of information. Similarly, Gilot said the sewer data collection was making it possible to determine what “normal” was.

“You really don’t know what’s normal until you have this kind of modeling,” said Gilot.

The changes in Citizens Connect 4.0 will help personalize the connections that city residents make with government.

For instance, today a citizen sends in a pothole repair request and the city fills the pothole. With the update, the worker will be able to take a picture of the completed work and send it back to the constituent who sent the request.

The person who drew attention to the maintenance problem will be informed that “the case is closed, and here’s a picture and this is who did it for me,” said Oates.

The citizen will be able to respond with a “great job” acknowledgement, although Oates realizes negative feedback is also possible. “We think it puts pressure on the quality of the service delivery,” he said.

Boston gets about 20% of its maintenance “quality of life” requests via the app.

Boston’s effort is the forerunner of a Massachusetts state-wide initiative called Commonwealth Connect that was announced in December.

This state-wide app is being built by SeeClickFix, a startup whose app is already used in many cities and towns. The app is free. The firm offers a “premium dashboard” used by municipalities. It also has a free Web-based tool that is used by smaller towns, said Zack Beatty, head of media and content partnerships for the New Haven, Conn.-based firm.

Beatty said the app will be deployed in more than 50 Massachusetts communities, its first state-led deployment.

SeeClickFix uses cloud-based services to host its app, as South Bend does to run its IBM sewer sensor system.

An in-house deployment would have required a budget authorization for hardware, said Gilot. From a budgeting perspective, it was easier to move money from other accounts for cloud-based services. In any event, running IT equipment is not the city’s core competence.

Source:  computerworld.com

Wireless LAN vendors target surging carrier Wi-Fi market

Monday, February 25th, 2013

Ruckus, Aruba products aim at large-scale, integrated Wi-Fi services

Two wireless LAN vendors are targeting the next big explosion in Wi-Fi growth: hotspots and hotzones created by carriers and other services providers.

Both Ruckus Wireless and Aruba Networks this week at the Mobile World Congress Show in Barcelona outlined products aimed at this provider market. The goal is to be part of a crystallizing of hardware and software that can integrate Wi-Fi with core mobile networks.

As part of its reference design for carrier-based Wi-Fi services, Ruckus announced a new family of outdoor 802.11n access points, the ZoneFlex 7782 series. Four models offer different internal and external antenna configuration options. All have three transmit and three receive antennas supporting three data streams for a maximum data rate of 900Mbps. All three have Ruckus’ patented BeamFlex adaptive antenna technology, designed to boost gain and reduce interference. There’s also a GPS receiver, which service providers can leverage for location-based services.

Deliberately bland in design, the new Ruckus ZoneFlex 7782 outdoor access point aims at high-performance carrier Wi-Fi networks: dual-band, 3-stream 802.11n with a data rate of nearly 1Gbps.

The company also unveiled a Wi-Fi traffic analysis application for carriers, called the SmartCell Insight analytics engine, which runs on Ruckus’ Smartcell 2000 Gateway, which bridges Wi-Fi and cellular networks. The software sifts out a wealth of data about access point usage, bandwidth, subscriber activity and other metrics, and packs them into a data warehouse. Pre-written and custom reports translate the raw data into information about how well the Wi-Fi network is performing. A battery of standard APIs let carriers export the information to existing data-mining tools and interface with core network applications.

Finally, Ruckus announced SmartPoint, which adds to the ZoneFlex 7321-U access point a USB port that can accept a 3G, 4G, or WiMAX external dongle. The idea is to quickly and easily create a wireless backhaul option where a cable isn’t possible (such as a city bus). Ruckus automatically pushes to the access point the needed driver software for specific 3G/4G/WiMAX dongles. KDDI in Japan, with an extensive WiMAX network, can offer shop owners a Ruckus access point for hotspot Wi-Fi, with a WiMAX dongle for easy backhaul to the Internet.

Both the 7782 outdoor access point, priced at $3,000, and SmartPoint, at $400, are available now; the analytics application, with pricing based on the size of the network, will ship in the second quarter.

Aruba’s carrier play

Aruba, too, is recasting its WLAN architecture via software updates to address carrier requirements for creating a high-capacity, secure and reliable Wi-Fi service for mobile subscribers.

Dubbed Aruba HybridControl, the new code gives Aruba’s 7200 Mobility Controller massive scalability. Aruba says the software update will let the 7200 manage over 32,000 hotspots. That translates into over 100,000 individual access points, because each hotspot can have several of the vendor’s Aruba Instant access points. The scaling lowers carriers’ backend capital costs, cuts data center power demand, and needs less rack space, according to Aruba. The Aruba Instant model offloads cellular traffic locally to the Internet, while centralizing selected traffic such as billing and legal intercept via an IPSec connection to the 7200 controllers at the core.

HybridControl offers “zero-touch activation” for factory-default access points, with no need for any manual pre-provisioning. Switched on, these access points interface with the Aruba Activate cloud service to discover the carrier’s configuration management system and download it. Then, the access points use an assigned X.509 certificate to authenticate with an Aruba controller and set up an IPSec tunnel.

The HybridControl architecture leverages existing Aruba features such as:

  • AppRF, to identify and prioritize real-time applications, such as Microsoft Lync, to create different classes of service;
  • ClearPass Policy Management, a server application to authenticate new access points joining the mobile core network.

The carrier-focused HybridControl offering includes several products: the Aruba 7200 Mobility Controller, available now with prices starting at $38,000; Aruba Instant access points, available now with prices starting at about $400; Aruba Activate, available now and free of charge for Aruba customers. The software update for the 7200 will be available as a free Aruba OS upgrade in the second quarter.

Source:  networkworld.com

Ericsson: Cellular data demand doubled annually the last five years – Are you ready for ’13?

Tuesday, February 19th, 2013

Global cellular data traffic has doubled in the past year, according to a report released by Ericsson, attributable in particular to an increase in 4G and LTE devices.

This increased demand for mobile signal is expected to at least double again this year, as it has in each of the past five years (see Ericsson graph above), which raises the question: Is your facility equipped to deal with the continued surge in cellular signal demand?

Knowledge workers, sales staff, and others have come to rely almost exclusively on cell phones as they spend less and less time at their desks, to say nothing of clients and visitors who expect a reasonable level of mobile connectivity at your site.  Additionally, new workspace philosophies such as activity-based workplaces, mobility centers, hotelling and hot desking will only increase reliance on cellular connectivity.

Yet, even within the same office, hospital or university campus, warehouse or other facility, cellular signal can be drastically different, allowing some users to maintain acceptable mobile voice and data connections while other frustrated users drop calls and apps fail to connect to data sources.  Whether the fault lies with structural interference or inadequate cell network coverage in your area is irrelevant to your end users, as decreased productivity and morale can often result from an inability to communicate as expected.

These problems can be identified and remedied, however, with a cellular repeater/amplifier solution created specifically for your facility by qualified Gyver Networks RF engineers.

Gyver Networks will survey the location to create a complete picture of your RF environment, then engineer and install the optimal system to provide 3G, 4G, and LTE cellular signal to your building or campus, whether you require a DAS (distributed antenna system) or cellular base station.

Ensure that the continued increase in mobile demand doesn’t have a negative impact on your continued growth.  Contact Gyver Networks today for a free consultation.