Posts Tagged ‘security’

BlackBerry 10 OS will have multi-layered security model

May 9th, 2012

RIM’s upcoming BlackBerry 10 operating system is intended to be as secure as, if not more secure than, the OS running on RIM’s current crop of BlackBerry devices. Mobile security could become a major selling point for the new platform, for enterprises, carriers and end users alike.

Essentially, RIM is blending security elements from its BlackBerry heritage with the security architecture of the new OS, which is based on the QNX Neutrino real-time operating system, acquired when RIM bought QNX Software Systems in 2010. While RIM has not revealed BlackBerry 10 security in detail, Scott Totzke, RIM’s senior vice president, BlackBerry security, talked about the topic generally during a briefing at last week’s BlackBerry World conference.

“Security is becoming more complex for consumers than for the enterprise,” Totzke says. The enterprise typically has a security infrastructure in place, often with dedicated security staff. The BlackBerry Enterprise Server lets administrators set hundreds of device and data policies for the BlackBerry phones, and forges an encrypted link for the devices through RIM’s Network Operations Center. “The industry has been promising mobile commerce [to consumers] for years: the idea of using your phone as your wallet. But if that happens, it better be secure,” he says. “If the user can’t trust the [mobile] platform, it’s a tough sell.”

BB10 security will have multiple integrated layers, with the tight, cooperating relationship between hardware and software that’s been a BlackBerry hallmark. For mobile users, there will be a permissions-based security model for apps, in plain, understandable English, coupled with various OS-level security and safety features borrowed from QNX’s experience in the embedded systems market.

At the OS level, QNX has offered a hardened variant of its OS called Neutrino RTOS Secure Kernel for several years. The secure kernel has been certified under the Common Criteria ISO/IEC 15408 Evaluation Assurance Level (EAL) 4+. The Common Criteria is intended to show that a computer security product has been specified, implemented and evaluated in a standard and thorough way. QNX says Neutrino was the first full-featured RTOS certified under this standard.

(In December 2011, QNX announced that Neutrino has also received a safety certification, under the IEC 61508 standard for Safety Integrity Level 3 (SIL 3). Strictly speaking, this isn’t a security certification, but one intended to reduce the rate of “dangerous failures” to a system.)

But RIM doesn’t appear to be using the Secure Kernel variant. Rather, after RIM acquired QNX, the device maker’s security architects began working closely with the QNX software engineers, according to Totzke. The work seems to be focused on how to exploit the microkernel’s strengths while adding new security features.

This combined group has been focusing on a range of protections, such as:

Blocking root access, which would otherwise let a user or hacker gain administrative access to the OS.
Memory randomization, which in effect “scrambles” where in memory routines may run, making it harder for these to be leveraged by attackers.
Adding security management, including auditing, to the kernel.

It’s a work in progress. Code to jailbreak or root the QNX-based PlayBook OS (so you can load apps apart from BlackBerry App World) is available from DingleBerry.it, specifically Version 3.3, which was a big step up in simplicity and ease of use. A 4.0 version is in development. The PlayBooks will eventually run BlackBerry 10, so if blocking root access is a priority for RIM, then they may be harder to jailbreak with the release of the new OS.

One advance to protect data is already present in the PlayBook OS and will be a key part of BlackBerry 10, according to Totzke. BlackBerry Balance creates separate and secure work and personal “perimeters” at the data level. Corporate apps and data are encrypted in the work perimeter, and can’t be transferred or copied to the personal perimeter. (Encryption for personal data will be available in the next release of the PlayBook OS, he says.)

“But I [as the end user] don’t have to think about this separation,” says Totzke. “There’s a unified presentation to the data [in the user interface], but under the covers, the system separates the data.” There is only one email system and UI, for example, on the device, but work and personal emails are kept separate by the underlying system.

Neutrino’s microkernel architecture keeps an essential set of services in the core, but drivers, applications, protocol stacks, and the file system run outside the microkernel, effectively sandboxed in what’s called memory-protected user space. This means that almost any of these external components can fail and be replaced and restarted without affecting other components or the kernel itself, according to QNX. Presumably malware designed to compromise the kernel likewise will be isolated in these protected spaces.

Another layer of protection lies in QNX Neutrino conforming to the POSIX standard, which specifies an API, and some shells and interfaces, for software compatibility between POSIX-compliant operating systems. “A POSIX API prevents the use of proprietary interfaces with the potential for insecure behavior and misunderstood results,” among other benefits, according to the QNX website. The RTOS was designed from the outset for POSIX support, an approach that eliminates the need for adding a “complex POSIX adaptation layer” that some rival RTOSs require. The result is faster performance and lower memory requirements for applications, according to QNX.

Much of this security infrastructure will be invisible to end users. But if mobile payment technologies actually find some traction, security or at least the need for it may become more pressing for end users. RIM has been an enthusiastic adopter of near-field communications (NFC) in its BlackBerry smartphones, to support using them for “contactless” mobile payments. U.K.-based The Inquirer reported this week that RIM says it accounted for 80% of NFC phones shipped to U.K. retailers in the first quarter.

“I think that’s where people want to go,” says Totzke. “I sometimes forget my wallet, but I never forget my phone.”

“Security has to become a little more in the forefront for consumers and a lot more in the forefront for device makers and app developers,” he adds.

Source:http://www.computerworld.com.au/article/424018/blackberry_10_os_will_multi-layered_security_model/

Intel and McAfee unveil plans for unified security future

May 7th, 2012

Intel and McAfee have been talking about the fruits of their merger and their plans for a cloud to computer security network that will be built into new systems.

Jason Waxman, general manager of Intel’s Cloud Infrastructure Group, said that over the last year or so he’d been inundated with questions about what Intel was going to do with McAfee since it lashed out $7.68bn for the security firm, during an industry-wide buying spree on cyber-security companies. Chipzilla’s been intentionally quiet on the subject, but was now ready to talk, he said.

What Intel is planning is a cloud to desktop security strategy, mixing hardware and software features in a federated framework designed to make cloud computing safer, locking down the desktop and, coincidentally, giving IT managers another reason to specify Intel’s systems during the next upgrade cycle.

“I think, of the public cloud providers, there are many that are doing an excellent job at security,” he said. “In fact, when I look at how enterprises do they are as good if not better. But the reality is that there’s a perception of poor security.”

Intel wants to mate its Trusted Execution Technology (TET) that’s built into the Xeon E5 processor family with software controls from McAfee. The chipset will work with McAfee’s ePolicy Orchestrator to analyze networks and enforce policy while updating and protecting the larger environment.

The two companies also released a new antivirus tool for the cloud, dubbed McAfee Management for Optimized Virtual Environments AntiVirus. This seeks out malware and uses application controls to limit infection spread and downtime, while pushing out updates as and when. A connections manager also monitors data entering and leaving the datacenter for signs of infection.

At the user end Intel is linking in with features in the Core i3, i5 and i7 processor ranges to try and keep systems clean, and there’ll be some integration with the cloud systems, including a single sign-on mechanism.

Intel’s reaching out to the relevant standards organization to pull in other partners, and has announced talks with the Cloud Security Alliance and Open Data Center Alliance. El Reg suspects a lot of people will wait and see how the architecture stands up in the real world before jumping on board.

Source:http://www.theregister.co.uk/2012/05/05/intel_mcafee_cloud_security/

Flashback malware exposes big gaps in Apple security response

April 30th, 2012

In one of those great ironies of technology, an increased incidence of malware is a sign that your product has been a success in the market.

Apple’s been astonishingly successful with its Mac hardware in recent years. The dark side of that success is the attention they’ve begun to attract from online criminals.

Apple and its customers got a hint of what was in store with last year’s Mac Defender outbreak. This year, a much larger and more disturbing outbreak has infected more than 600,000 Macs with a piece of malware called Flashback. The entire Flashback episode has in fact exposed Apple’s security weak spots.

Eugene Kaspersky last week argued that Apple is “ten years behind Microsoft in terms of security.”

Those aren’t just self-serving statements from a company that sells security software. Kaspersky’s argument didn’t even mention antivirus solutions. Instead, he said, Apple’s security efforts have been slow, reactive, and generally ineffective:

We now expect to see more and more because cyber criminals learn from success and this was the first successful one. [Apple] will understand very soon that they have the same problems Microsoft had ten or 12 years ago. They will have to make changes in terms of the cycle of updates and so on and will be forced to invest more into their security audits for the software. That’s what Microsoft did in the past after so many incidents like Blaster and the more complicated worms that infected millions of computers in a short time. They had to do a lot of work to check the code to find mistakes and vulnerabilities. Now it’s time for Apple [to do that].

Let’s be clear: Both Microsoft and Apple are victims of organized crime in all of these attacks, and they’re in the unenviable position of having to fight legal battles and make substantial engineering investments on behalf of their customers. It is, unfortunately, a cost of doing business.

All complex software has vulnerabilities, even when it’s written with the most disciplined processes. Bad guys make a lucrative business out of finding those vulnerabilities and writing exploits for them. Eliminating malware completely is a pipe dream, especially on relatively open platforms like Windows and OS X. No one seriously believes it’s possible to eliminate street crime, either, but effective policing and attention to the underlying causes of crime can significantly reduce rates.

A lot of what Apple is learning about security today will show up in future editions of OS X and iOS, as the company presumably gets smarter about writing code. But what about the 60 or 70 million current Mac owners?

They have a right to expect much more of a security response from Apple than they’re getting now. As an Apple customer myself, I believe Apple deserves four key criticisms of its current approach to security.

1. Apple is too slow to deliver updates

When the size of this incident first became apparent, I wrote:

What makes this outbreak especially chilling is that the owners of infected Macs didn’t have to fall for social engineering, give away their administrative password, or do something stupid. … The Flashback malware in its current incarnation does not use an installer. It does not require that the user enter a password or click OK in a dialog box. It is a drive-by download that installs itself silently and with absolutely no user action required, and it is triggered by the simple act of viewing a website using a Mac on which Java is installed.

Apple brags that it is quick to respond to security issues. Here, for example, is what you see if you visit Apple’s “Why you’ll love a Mac” page:

Unfortunately, that bold statement is contradicted by the facts.

Apple’s update that fixed the Java security hole was released April 3, 2012. That’s 49 days after Oracle released Java SE 6 Update 31 for all other platforms. During that seven-week period, every Apple customer who had Java installed (and that includes every Mac owner running Leopard and Snow Leopard) was vulnerable to a silent installation of malware. Ultimately, Apple had to release an update that fixed the security hole and removed the malware already installed on its customers’ Macs.

That long gap in Apple’s response is not unusual, as independent security expert Brian Krebs has pointed out:

Apple maintains its own version of Java, and as with this release, it has typically fallen unacceptably far behind Oracle in patching critical flaws in this heavily-targeted and cross-platform application. In 2009, I examined Apple’s patch delays on Java and found that the company patched Java flaws on average about six months after official releases were made available by then-Java maintainer Sun.

Apple’s performance in recent years has been much better in terms of Java updates, but still slow. Oracle has released six security-related updates to Java SE 6 in the past two years. In five of those six updates, it took Apple at least three additional weeks to release its version of the update. Two of Apple’s updates arrived more than 30 days later than those available to other platforms.

So what happens when the next Java vulnerability is discovered and patched by Oracle? How long will Mac users have to wait for their updates? Or, to put it another way, how much of a window of opportunity will malware authors have to attack Macs?

2. Apple offers no automatic update option

Even when updates are available, they’re only effective if they’re applied. And every security researcher knows that a nontrivial percentage of users simply ignore updates.

As Mac expert Glenn Fleishman noted the other day (via Twitter), “Legions of children manage updates for parents and grandparents.” That’s because they know that, left to their own devices, many unsophisticated users will simply postpone those updates by clicking the “Not Now” or “Install Later” button. They see updates as an annoyance that will mean they can’t use their Mac for 10 minutes to a half-hour.

So how bad is the problem? Based on data collected by Dr. Web, roughly 1 out of every 4 Snow Leopard users are at least six months behind in terms of applying major software updates. Nearly 15% are more than a year behind, meaning they have skipped at least two major OS X updates and are easy prey for any exploit that targets security holes that were fixed in those updates.

User education only goes so far. When you go home for the holidays, you can configure Software Update so that it downloads new updates automatically. But you can’t set up OS X to install those updates automatically, as you can with Windows.

Automatic updates would not, of course, bring the percentage of up-to-date installations anywhere near 100%. But it could make a difference for a few percent. And in a user base of 70 million (and growing), even a 3% improvement means 2 million Macs that are better protected than they are today.

3. Apple is too quick to abandon its customers

Although Apple has never said so publicly, it’s common knowledge among Mac experts that Apple provides updates (security and otherwise) only for the current OS X version and the most recent.

That means Macs that are between three and five years old are left unprotected unless their owners pay for an upgrade to a new version of OS X. (Apple charges $29 to upgrade from Leopard to Snow Leopard and another $30 to upgrade from Snow Leopard to Lion.)

According to Dr. Web’s data, 25% of all Flashback-infected Macs are running Mac OS X 10.5 Leopard. Net Market Share statistics suggest that at least 17% of all Macs in use today are running Leopard (or an earlier version of OS X).

Leopard shipped August 25, 2007. It was sold on new Macs for two full years. Customers purchased 5.7 million computers with Leopard installed in the first half of 2009. Those computers are all roughly three years old today, and most can expect to have at least two or three more years of useful life. Apple does not provide updates to these computers unless the customer purchases and installs a new version of OS X.

Snow Leopard (Mac OS X 10.6) shipped August 28, 2009, and was on sale for almost two years, until Lion shipped on July 20, 2011. It is still the most popular version of OS X today, according to these March 2012 Net Market Share figures:

If Apple maintains its current policy, then as soon as OS X Mountain Lion goes on sale, probably in July or August, Apple will drop support for the Macs it sold with Snow Leopard installed. Every one of those unsupported Macs will be three years old or less.

Or, to put it another way:

Apple sold about 27 million Macs in 2009 and 2010. By the end of this summer, in September 2012, every one of those Macs will be unsupported in its original, as-purchased configuration.

Microsoft has a support lifecycle of 10 years for each version of Windows. While that may be too much to expect of Apple, it’s clear that there’s a radical disconnect between the useful life of Apple hardware and the company’s support for the combination of hardware and software that it sells.

Users have many reasons besides cost to avoid the headaches of upgrades. I’ve yet to read an enthusiastic review of OS X Lion, and I’ve heard many people compare Lion to Windows Vista.

But the point is, Apple offers its customers the choice of whether to upgrade to a new OS. The company shouldn’t be allowed to refuse to deliver essential security updates to Macs that are three to five years old. That’s gross negligence.

4. Apple doesn’t communicate well

Apple’s first public statement that mentioned the Flashback malware outbreak came on April 14, with a support bulletin titled “About Flashback malware.” That was more than a week after security researchers and news sites like ZDNet had sounded the alarm. In its Java updates on April 3, Apple did not communicate any sense of urgency, even though they had to have known by that time that exploits were in the wild and wreaking havoc on Mac owners.

Apple doesn’t communicate well with security researchers, either. Boris Sharov, chief executive of the Moscow-based security firm Dr. Web, told Andy Greenberg of Forbes that his researchers were ignored when they tried to contact Apple with their findings: “We’ve given them all the data we have. We’ve heard nothing from them…” The only contact from Apple, in fact, was a demand to take down the “sinkhole” domain that Dr. Web researchers were using to study the distribution and behavior of the Flashback botnet.

To this day, in fact, Apple has not issued any statement aimed at the general public or the mainstream news media. Apple’s dilemma is a painful one here: If they talk to the press in an effort to reach owners of Macs who aren’t aware they’ve been infected, they risk puncturing the “Macs don’t get viruses” image they’ve cultivated through the years. So the company has chosen to remain silent, which is shameful.

Apple’s legendary secrecy is an asset when it comes to product development and launch-day hype. Somehow, the company has to overcome that desire for secrecy when it comes to security.

For its customers’ sake, it desperately needs to think different.

Source:http://www.zdnet.com/blog/bott/flashback-malware-exposes-big-gaps-in-apple-security-response/4904?tag=content;siu-container

UK hardware recyclers are rubbish at security

April 26th, 2012

PEOPLE IN THE UK ARE A SOFT TOUCH for online scammers, according to the Information Commissioner’s Office (ICO).

The ICO has warned that people are becoming sponges for the muck put out by online scammers and are in danger of being seen as a “soft touch” because they keep doing stupid things like throwing away hard drives with their personal data on them.

In an investigation the ICO found that one in ten secondhand drives sold on the internet could contain personal information. It used the term “residual” here, suggesting that some attempts may have been made to delete data.

It’s not just hard drives either, and the ICO said that two-thirds of people hand over their old phones, computers and laptops to other users, and around one in five sell theirs.

In a study the ICO and a computer forensics company looked at 200 hard drives, 20 memory sticks and 10 mobile phones that they sourced via online auction sites and computer trade fairs.

Devices were searched on two levels, once basically and then again with freely available forensic tools. While pretty much all of the information on mobile phones and thumbsticks was gone, the same could not be said of the other devices, and the ICO warned that anyone that is parting with theirs should do so with caution.

A staggering 34,000 files with personal or corporate information were recovered from the devices, including information about the employees and clients of four organisations.

“We live in a world where personal and company information is a highly valuable commodity. It is important that people do everything they can to stop their details from falling into the wrong hands,” said Information Commissioner, Christopher Graham.

“Many people will presume that pressing the delete button on a computer file means that it is gone forever. However this information can easily be recovered.”

The ICO has published guidance to help individuals securely delete information from their devices.

Source:http://www.theinquirer.net/inquirer/news/2170098/uk-hardware-recyclers-rubbish-security

Ten Commandments of Windows Security

April 25th, 2012

With the introduction of Windows 7, many PC and notebook users may feel more secure than they did using older versions of the Microsoft operating system. Newer OSs have more security features, offer better out-of-the-box security settings and have closed many of the historical security holes. Windows 7, for example, has changed the default User Account Control level so that it’s harder for rogue programs to run without first explicitly gaining the user’s permission.

However, feeling too secure can be dangerous. With that in mind, here are 10 tips–commandments, if you will–for ensuring your desktop or notebook computer can be used productively as well as safely. Many of the recommended tools are free, and all are affordable–and certainly less expensive than the potential problems of an unsecured computer. Similarly, many will take you only a minute or two to perform–again, far less time than you’d spend recovering from a security problem.

Yes, Windows 8 is on the way, but it’ll be many years before that version runs on a majority of the installed base. So these tips are focused on the computers you are actually using today–especially Windows 7 computers, though most of the advice also applies to Windows Vista or XP machines.

1st commandment: Start with new hardware

Today’s new hardware–motherboards, BIOS, CPUs, hard drives, and the system as a whole–includes more security “baked in,” even before the operating system is installed. Examples include Trusted Platform Modules (TPM), which embed cryptographic security directly into the hard drive or other component, Unified Extensible Firmware Interface (UEFI) firmware instead of the traditional BIOS, and Intel’s vPro security and management technologies. For example, machines with UEFI and TPM will, as part of each boot-up, check the computer’s firmware and boot-up binaries to confirm they have not been infected with malware.

If you are working with an existing machine, consider doing a fresh install of the operating system, after completing one (or several) full backups. Ideally, the operating system would be the newest version rather than what was previously installed. (Products like LapLink’s PC-Mover can reduce the effort of saving and migrating settings and even application software–although applications should be freshly installed if possible, as well.)

Even if you’re working with an existing machine, consider swapping in new hard drives that include built-in encryption. Drives that support the OPAL Storage Specification standard enable companies to manage encrypted drives from multiple vendors–and have also helped reduce the extra cost for an encrypted drive from $100 to nearly zero. After-market drives often include migration tools to speed and simplify a drive swap.

If a self-encrypted drive isn’t an option, look at using full-disk encryption software, such as Windows’ BitLocker (available only on Enterprise or Ultimate Windows Vista, 7 or 8) or a third-party tool.

2nd commandment: Use current OS versions and automatically get OS and application updates

If you aren’t using the most current commercial version of the operating system, it’s time to upgrade. Additionally, make sure you set the software to automatically apply updates (not just the OS, but all applications) and periodically turn off the computer, which is when many updates are auto-applied. An appalling number of security breaches occur because applications lack important security fixes that have been available for a year or more.

The computer vendor may also include helpful update tools. For example, Lenovo includes an update process that is designed to show all BIOS and driver updates available for that particular model. You can also manually start the update-check apps process. This may take several cycles, particularly for the first time around, if some updates require other updates.

“Third-party software is usually the vector that security intrusions come through, not the operating system,” says Ed Bott, a Windows expert and ZDNet blogger. Flash, Adobe Reader and Java are three of the biggest targets, Bott says. While many programs include their own automatic update checker, Bott urges using a tool like Ninite or Secunia Personal Software Inspector, which automate update checking for all the applications on your computer.

3rd commandment: Use Windows’ new security tools (and/or third party software)

Windows 7 includes a number of security controls and tools through its Action Center (which replaces the Security Center), and other tools are available via the Control Panel, including:

Windows Firewall: With its basic settings, this wards off basic attacks, and you can use its advanced settings for more specific control. There are also third-party firewall programs available.
Microsoft Security Essentials and Windows Defender: These Microsoft tools secure your computer against viruses, spyware and other malware.

Obviously another option is to invest in third-party security software, like individual anti-virus, anti-spam and other programs, or a security suite, such as Symantec’s.

4th commandment: Set up (or remove) user accounts

Historically in Windows, the default account had administrator privileges–meaning that programs capable of taking unwanted insecure actions wouldn’t have to first ask the user if they could run. Starting with Vista, Microsoft added User Account Control (UAC), which asked non-administrator users for permission to run certain programs or actions. With Windows 7, UAC still protects systems but less intrusively.

Even so, managing which user accounts are–and aren’t–available contributes to security in the following ways:

Establishes non-administrative user account(s) for each user.
Disables or removes user accounts that aren’t used or shouldn’t be there.
Disables the “guest” account, unless it’s needed. If it is needed, a password should be required for elevating privileges, to prevent unauthorized changes to the system.

Consider renaming the administrator account so that it’s not obvious to an intruder. Since this account can’t be “locked out,” password attacks can be performed indefinitely; changing the name makes the account less of a target.

5th commandment: Set passwords

Set the main Windows password, as well as the Power/Time to lock the system, with a screen saver, and require a password to resume activity.

Also, depending on the sensitivity of information on your system (did someone say “online banking”?), consider password alternatives, such as:

Fingerprint reader
Smartcard reader (contact or contactless)
Biometric facial recognition
RSA software and external token
Password “gesture” (e.g., Android tablets)

Another option is two-factor authentication, such as requiring both a fingerprint and a password.

6th commandment: Add/activate anti-theft tools

Invest in, install and activate anti-theft tools that can either lock the system; conduct an IP trace; report, take and send pictures; and even wipe the computer when a lost or stolen computer reconnects to the Internet. An example is Absolute Software’s Lojack for Laptops.

Vendors like Lenovo are embedding Absolute’s CompuTrace Agent into the BIOS, so even if somebody erases or replaces the hard drive, the agent is automatically re-installed.

Computers that include Intel Anti-Theft technology in their hardware let you add additional security services, such as automatically locking the main board until it receives the “unlock” password, lock or wipe if a machine goes too long without connecting to the Internet or if a user fails the login process too many times. Intel Anti-Theft is typically part of third-party security products like CompuTrace, adding perhaps $3/year, and as the anti-theft option on WinMagic’s full disk encryption product.

7th commandment: Turn off sharing and other unneeded services

Windows allows you to share resources that are on your computer, like file-sharing (Shared Folders) and print sharing. Your computer’s Internet connection management utility (Windows includes one, but many systems have their own) lets you define each network as either Public, Home or Work. If you mis-set a connection, your Shared Folders will be visible to other computers on the network.

If you are behind a firewall, when your computer’s Internet connection manager tool asks you what kind of location/connect it is, you can call it either a Home or Work network, Bott says. But specify Public network if you are connecting directly to the Internet (e.g., at home or in the office), if you don’t have a hardware router but instead are directly connected to the cable modem, or if you are connecting to a public network like a Wi-Fi hotspot or a hotel or conference Ethernet. This will ensure that no local sharing is allowed.

In general, disable any services and remove programs you don’t need. For example, if you’re sure your applications won’t need it, you may want to uninstall Java. If your machine has Internet Information Services (IIS) running but doesn’t need it, disable that, as well.

8th commandment: Secure your Web browser and other applications

Web browsers access Web sites that neither you nor your company control (and these sites, in turn, may have ads or link to other content that they don’t control). Any of these may try to inject malware onto your computer.

Today’s browsers include more security, like “private browsing” session modes that prevent any personal information from being stored, or don’t save cookies or history for a session. However, this may interfere with productivity.

Check each browser’s security options and select the ones that look useful, like Firefox’s “Warn me when sites try to install add-ons” and “Block reported attack sites.”

Set Microsoft Internet Explorer to have the highest security setting you can tolerate (since higher security often means you have to click more often), suggests Tom Henderson, Managing Director of ExtremeLabs.com, an Indianapolis, Indiana technology testing lab.

Additionally, look for browser “extensions” and add-ons that increase your browser’s security on a per-tab, per-site or per-tab-session basis. For example, the popular NoScript Firefox add-on allows JavaScript, Java, Flash and other plug-ins to be executed only by trusted Web sites of your choice.

PDF readers may also be vulnerable to JavaScript attacks within the documents they’re rendering. Make sure your PDF reader is secure; consider disabling JavaScript within it.

9th commandment: Rope in Autorun

AutoRun is a major threat vector for viruses and other malware in Windows XP and Windows Vista. [Editor's note: Simson Garfinkel called Autorun an "OS design flaw" all the way back in 2006.] With this function, the operating system automatically begins executing a program when it sees an autorun.inf file in the root directory of a new drive, such as a network drive, a CD or a flash drive. So, if you haven’t yet moved to Windows 7, make sure you’ve got all the security updates for the OS version you are running. (See MS Security Advisory: Update for Windows Autorun.)

With Windows 7, all the security settings are “No Autorun.” When you attach external media like CDs, DVDs, SD cards and USB flash drives, they will give you a dialog box offering to run a program, but by default, nothing happens automatically.

10th commandment: Consider application whitelisting and other controls

“Whitelisting” refers to a list of everything you allow on your computer, including e-mail addresses your mail program can accept, Web sites your browser is allowed to connect to and applications the operating system is allowed to run. Whitelisting may not be a match for e-mail or Web browsing, but for preventing unwanted applications from running–such as malware or zero-day attacks–it may be a good additional tool.

Windows 7 includes AppLocker, a whitelisting utility, or you can buy third-party whitelisting products for either individual computers or groups of networked computers. For home users, Windows 7 has fairly robust parental controls that can restrict access by time-of-day or by site, and log Web access, Bott says.

Conclusion: It’s easy to become more secure

As you can see, there is a lot you can do affordably, even to existing Windows systems, to increase their security. It shouldn’t take a lot of time or money to do; however, it may take a lot of both if you don’t do anything and something avoidable goes wrong.

Source:http://www.cio.in/news/10-commandments-windows-security-253162012

ARM to Bake On-Die Security Into Next Gen Smartphone, Tablet, PC Cores

April 4th, 2012

Many were surprised when Intel Corp. (INTC), the world’s largest chipmaker, scooped up veteran security firm McAfee in August 2010. While the fit of hardware company plus software vendor seemed an odd equation, it began to make sense when put in the context of growing interest in hardware-based security solutions.

Even as Intel has moved to put some of those designs on-die with technologies like Trusted Execution, one of the chipmaker’s top rivals — architecture and intellectual property (IP) core licenser ARM Holdings plc (LON:ARM) — has announced a brand new hardware security initiative of its own.

ARM already has baked a Trusted Execution Environment (TEE) solution dubbed “ARM TrustZone” into every one of its ARM Cortex A-Series cores, such as those found in Apple, Inc.’s (AAPL) iPhone or the Samsung Electronics Comp., Ltd. (KS:005930) Galaxy Nexus. The key now is to enable the hardware capabilities with supported software and operating system solutions.

To that end ARM is pairing with Giesecke & Devrient, makers of a custom heavily sandboxed, remotely manageable TEE operating system dubbed “Mobicore”. As an alternative to iOS or Android, companies could flash employee handsets with Mobicore, which is now being accelerated and enabled directly by hardware, thanks to the new partnership.

ARM has also paired with Gemalto NV (EPA:GTO), another security-oriented service provider. Gemalto will aim to enable secure transactions for “traditional” mobile operating systems, such as Android. Using the TEE hardware, Gemalto can deliver encrypted key validated movie or TV show rentals to a smartphone, tablet, or ARM laptop.

By fighting mobile malware and making it easier to establish secure wireless data connections, ARM’s new security muscle is helping make its smartphones and tablets safer for IT businesses. It will also open new capabilities for ARM as it races to challenge Intel in the personal computer space later this year.

ARM describes the new effort, writing:

Devices with a TEE will provide consumers with more secure, user-friendly experiences that simplify and speed up how they interact with their digital world. This will enable them to use their smart, connected devices more frequently to access an increasing range of applications and services in a secure way. This includes mobile payment, enterprise productivity and mobile banking applications, as well as online commerce and premium content services.

Warren East, CEO of ARM, stated, “The integration of the hardware, software and services necessary for system-wide security has been slow. I am confident that this new joint venture will accelerate the adoption of a common security standard, enabling a vibrant ecosystem of secure service providers to emerge. This will be a significant step in terms of improved consumer trust in secure transactions on connected devices.”

The three companies (Gi-De, Gemalto, and ARM Holdings) will operate a joint venture together, to develop new kinds of ARM core security solutions.

Source:http://www.dailytech.com/ARM+to+Bake+OnDie+Security+Into+Next+Gen+Smartphone+Tablet+PC+Cores/article24372.htm

Chrome 18 delivered with nine security fixes

March 31st, 2012

Google has released Chrome 18 to its Stable channel complete with several new features and fixes for nine security vulnerabilities.

Officially named version 18.0.1025.142, the new version of Google’s open source browser offers improved graphics performance on both new and older hardware as well as closing numerous security holes, including three high-severity ones.

“Today’s web brings beautiful, rich experiences right into your browser,” wrote Vangelis Kokkevis, Google’s “Chrome Graphics Olympian,” in a blog post on Wednesday announcing the new release. “With Chrome’s most recent Stable channel release, we’ve sped up graphics and drawing performance for users on capable hardware, and enabled fancier 3D content for other users on older computers.”

An Extra $8,000 Awarded

Included among the security fixes incorporated into the stable version of Chrome 18 are measures being taken to address the exploits submitted in the recent Pwnium competition, Google blogger Karen Grunberg noted in a separate post.

Teenage researcher “PinkiePie” is among those credited for uncovering the vulnerabilities, which included five medium-severity and one low-severity bug along with the three high-severity problems.

Specifics about the individual vulnerabilities are being withheld until the majority of users are updated, but in the meantime Google has awarded an extra $8,000 to researchers involved during the development cycle to help make sure the bugs didn’t make it through to the stable version, Grunberg said.

Also included in the stable Chrome 18 is the new Adobe Flash Player 11.2, she added.

A New Software Rasteriser

As for the graphics improvements included in Chrome 18, two key changes have been added to enable them, as we already saw back in February, when the software’s beta version was released.

First, there’s the fact that the browser has enabled GPU-accelerated Canvas2D on capable Windows and Mac computers, “which should make Web applications like games perform even better than a pure software implementation,” wrote developers John Bauman and Brian Salomon, in another blog post.

Then, too, there’s TransGaming’s SwiftShader, a software rasteriser that gives users with older hardware configurations access to basic 3D content on the Web.

Chrome 18 is now available as a free download for Windows, Linux, and Mac OS X, but users already running Chrome can upgrade using the browser’s automatic update function.

Source:http://www.computerworlduk.com/news/applications/3348029/chrome-18-delivered-with-nine-security-fixes/
